action #67804

closed

use non-personal account and key for pushing needles on osd to gitlab.suse.de

Added by okurz over 4 years ago. Updated about 4 years ago.

Status: Resolved
Priority: Low
Assignee:
Category: -
Start date: 2020-05-25
Due date: 2020-11-05
% Done: 0%
Estimated time:
Description

Motivation

See #67213

Acceptance criteria

  • AC1: For pushing needles on osd to gitlab.suse.de a non-personal account (different to "nicksinger") is used

Related issues 2 (0 open, 2 closed)

  • Related to openQA Infrastructure (public) - action #89047: Failed to commit needles, gitlab account blocked 2021-02-24 (Resolved, nicksinger, 2021-02-24)
  • Copied from openQA Infrastructure (public) - action #67213: pushing needles on osd to gitlab.suse.de fails (Resolved, okurz, 2020-05-25)

Actions #1

Updated by okurz over 4 years ago

  • Copied from action #67213: pushing needles on osd to gitlab.suse.de fails added
Actions #2

Updated by okurz over 4 years ago

  • Priority changed from Normal to Low
Actions #3

Updated by okurz about 4 years ago

  • Target version set to Ready
Actions #4

Updated by okurz about 4 years ago

  • Status changed from Workable to In Progress
  • Assignee set to okurz

on osd in the home directory of "geekotest" there is a directory ~/.ssh which contains:

authorized_keys  config  id_rsa  id_rsa.gitlab  id_rsa.gitlab.pub  id_rsa.pub  known_hosts  known_hosts.old

IIUC nicksinger has added the key "id_rsa.gitlab id_rsa.gitlab.pub" under the account "nicksinger" on gitlab.suse.de so logging in to gitlab.suse.de greets with "nicksinger" but that account is blocked at time of writing, see #75067

I just commented out the section in ~/.ssh/config to use ~/.ssh/id_rsa.gitlab so git+ssh uses "id_rsa" which is already supplied as a valid key for the gitlab user "openqa-pusher". Then in ~/share/tests/sle/products/sle/needles the command git pull --rebase origin master && git push worked because the account "openqa-pusher" is not blocked.

EDIT:
I don't think we actually currently need the specific "gitlab" ssh keys as we have the generic one already added to gitlab and renamed the gitlab one to make it obvious it's unused:

mv id_rsa.gitlab{,.unused}
mv id_rsa.gitlab.pub{,unused}

However to include that into salt I think it's safer to use a dedicated key anyway. On osd as geekotest I did ssh-keygen -t ed25519 -N '' -C 'geekotest@openqa.suse.de, openqa-pusher needle pushing to gitlab' -f id_ed25519.gitlab,
added the public key in https://openqa-pusher@gitlab.suse.de/profile/keys and included the files into the pillars repo

cd ~/local/openqa/salt-pillars-openqa/hosts/openqa.suse.de
ssh osd "sudo -u geekotest cat /var/lib/openqa/.ssh/id_ed25519.gitlab.pub" > id_ed25519.gitlab.pub
ssh osd "sudo -u geekotest cat /var/lib/openqa/.ssh/id_ed25519.gitlab" > id_ed25519.gitlab

and reference in salt-states-openqa, e.g.

{% for i in ['', '.pub'] %}
/var/lib/openqa/.ssh/id_ed25519.gitlab{{i}}:
  file.managed:
    - contents_pillar: id_ed25519.gitlab{{i}}

cat config 
Host gitlab.suse.de
  User gitlab
  IdentityFile ~/.ssh/id_ed25519.gitlab
  IdentitiesOnly yes
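
Added example, not part of the ticket or the openQA salt states: a shell check that the resolved ssh configuration for the push host offers only the dedicated key, so a push cannot silently authenticate with a key registered under a different GitLab account. The function names and the sample `ssh -G` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify which key ssh would offer to the needle-push host.
# Real use:  ssh -G gitlab.suse.de | check_push_identity ~/.ssh/id_ed25519.gitlab

# Constructed stand-in for `ssh -G` output (real output has many more lines).
sample_resolved() {
    printf 'user gitlab\nhostname gitlab.suse.de\n'
    printf 'identitiesonly %s\nidentityfile %s\n' "$1" "$2"
}

# Reads resolved ssh options on stdin; $1 is the dedicated private key path.
check_push_identity() {
    expected=$1
    rc=0
    count=0
    resolved=$(cat)

    # Without IdentitiesOnly, keys held in an ssh-agent can be offered too,
    # and the server maps whichever key it accepts to that key's account.
    only=$(printf '%s\n' "$resolved" | awk '$1 == "identitiesonly" { print $2 }')
    if [ "$only" != "yes" ]; then
        echo "FAIL: identitiesonly is '${only:-unset}', expected 'yes'"
        rc=1
    fi

    # Every configured identity file must be the dedicated key.
    for f in $(printf '%s\n' "$resolved" | awk '$1 == "identityfile" { print $2 }'); do
        count=$((count + 1))
        case $f in "~/"*) f="$HOME/${f#??}" ;; esac   # ssh -G may print ~/ unexpanded
        if [ "$f" != "$expected" ]; then
            echo "FAIL: unexpected identity file $f"
            rc=1
        fi
    done
    if [ "$count" -eq 0 ]; then
        echo "FAIL: no identityfile configured for this host"
        rc=1
    fi

    # ssh refuses private keys that are readable by group or others.
    perms=$(ls -ld "$expected" 2>/dev/null | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $expected is missing or accessible to group/others"
        rc=1
    fi
    return "$rc"
}
```

Run as the user that performs the push (geekotest in this ticket); a non-zero exit status means the host block or the key file needs attention before the next needle commit.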
Actions #6

Updated by okurz about 4 years ago

  • Status changed from Feedback to Resolved

generated config on osd looks fine, everything seems to work as expected.

Actions #7

Updated by okurz almost 4 years ago

  • Related to action #89047: Failed to commit needles, gitlab account blocked 2021-02-24 added