CI: Use skc-ci-aio user for aio jobs #943

Merged: 1 commit, Feb 20, 2024

markgoddard
Contributor

This user only has read-only access to the package and container
repositories, so is safer than using the release-train-ci user which has
read/write permissions.

For the container image build job we can use the skc-ci-aio user to
access the package repositories, but must use the release-train-ci user
to push container images.

@markgoddard markgoddard self-assigned this Feb 14, 2024
@Alex-Welsh
Member

If ci-builder needs to be able to push, why not just use the release train user for it?

@markgoddard
Contributor Author

> If ci-builder needs to be able to push, why not just use the release train user for it?

It uses the release train user as the docker registry user, but not for package repos.

@markgoddard
Contributor Author

Fixed up trailing newline in password 🤦

@markgoddard
Contributor Author

Looks like container access is not working. Doing a bit of local debugging, the skc-ci-aio user cannot pull images in the stackhpc-dev namespace, even though it is in the container.namespace.consumers.stackhpc-dev group in Pulp. If I add the container.namespace.collaborators.stackhpc-dev group it still does not work, but if I add container.namespace.owners.stackhpc-dev then it does. This is an improvement over using the release-train-ci user, which has a lot of roles assigned to it, however it is not ideal.

@markgoddard
Contributor Author

> Looks like container access is not working. Doing a bit of local debugging, the skc-ci-aio user cannot pull images in the stackhpc-dev namespace, even though it is in the container.namespace.consumers.stackhpc-dev group in Pulp. If I add the container.namespace.collaborators.stackhpc-dev group it still does not work, but if I add container.namespace.owners.stackhpc-dev then it does. This is an improvement over using the release-train-ci user, which has a lot of roles assigned to it, however it is not ideal.

This issue does not seem to affect the stackhpc namespace. The main difference is that it does not contain container-push repositories.

@markgoddard markgoddard marked this pull request as ready for review February 20, 2024 09:41
@markgoddard markgoddard requested a review from a team as a code owner February 20, 2024 09:41
@markgoddard
Contributor Author

markgoddard commented Feb 20, 2024

Manually fixed permissions in Ark with the following command:

pulp container namespace role add --role container.containernamespace_consumer --group container.namespace.consumers.stackhpc-dev --name stackhpc-dev

This is necessary due to RBAC changes in pulp_container 2.11
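
The access states described in this thread, as an added example that is not part of the pull request or of Pulp: a simplified model of group-to-namespace role bindings that classifies a read-only CI user as having no access, correct access, or too much. The binding tables are constructed sample data, and the owner role name is an assumption; only `container.containernamespace_consumer` and the group names come from the thread.

```python
# Simplified model of group-based namespace RBAC (not Pulp's implementation).
CONSUMER = "container.containernamespace_consumer"   # role named in the thread
OWNER = "container.containernamespace_owner"         # assumed role name

NS = "stackhpc-dev"
G_CONSUMERS = "container.namespace.consumers.stackhpc-dev"
G_COLLABORATORS = "container.namespace.collaborators.stackhpc-dev"
G_OWNERS = "container.namespace.owners.stackhpc-dev"

# Constructed sample data: (group, namespace) -> roles bound to that group.
# Before the fix only the owners group holds a role on the namespace; the
# consumers and collaborators groups exist but grant nothing there.
BINDINGS_BEFORE_FIX = {(G_OWNERS, NS): {OWNER}}
# After the fix: the consumer role is bound to the consumers group.
BINDINGS_AFTER_FIX = {**BINDINGS_BEFORE_FIX, (G_CONSUMERS, NS): {CONSUMER}}


def effective_roles(user_groups, bindings, namespace):
    """Union of the roles that the user's groups hold on one namespace."""
    roles = set()
    for group in user_groups:
        roles |= bindings.get((group, namespace), set())
    return roles


def audit(user_groups, bindings, namespace, allowed=frozenset({CONSUMER})):
    """Classify a read-only CI user: 'no-access', 'ok' or 'over-privileged'."""
    roles = effective_roles(user_groups, bindings, namespace)
    if not roles:
        return "no-access"
    return "ok" if roles <= allowed else "over-privileged"


if __name__ == "__main__":
    cases = [
        ("consumers only, before fix", [G_CONSUMERS], BINDINGS_BEFORE_FIX),
        ("plus collaborators, before fix",
         [G_CONSUMERS, G_COLLABORATORS], BINDINGS_BEFORE_FIX),
        ("plus owners (workaround)", [G_CONSUMERS, G_OWNERS], BINDINGS_BEFORE_FIX),
        ("consumers only, after fix", [G_CONSUMERS], BINDINGS_AFTER_FIX),
        ("owners left in place after fix",
         [G_CONSUMERS, G_OWNERS], BINDINGS_AFTER_FIX),
    ]
    for label, groups, bindings in cases:
        print(f"{label}: {audit(groups, bindings, NS)}")
```

The last case is the one worth checking for after a debugging session like this: a group membership added as a workaround that is still present once the real fix has been applied.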

@markgoddard markgoddard merged commit a679cd4 into stackhpc/yoga Feb 20, 2024
@markgoddard markgoddard deleted the yoga-aio-user branch February 20, 2024 13:17