action #67804

use non-personal account and key for pushing needles on osd to gitlab.suse.de

Added by okurz over 1 year ago. Updated 12 months ago.

Status: Resolved
Priority: Low
Assignee:
Target version:
Start date: 2020-05-25
Due date: 2020-11-05
% Done: 0%
Estimated time:

Description

Motivation

See #67213

Acceptance criteria

  • AC1: For pushing needles on osd to gitlab.suse.de a non-personal account (different to "nicksinger") is used

Related issues

Related to openQA Infrastructure - action #89047: Failed to commit needles, gitlab account blocked 2021-02-24 (Resolved, 2021-02-24)

Copied from openQA Infrastructure - action #67213: pushing needles on osd to gitlab.suse.de fails (Resolved, 2020-05-25)

History

#1 Updated by okurz over 1 year ago

  • Copied from action #67213: pushing needles on osd to gitlab.suse.de fails added

#2 Updated by okurz about 1 year ago

  • Priority changed from Normal to Low

#3 Updated by okurz 12 months ago

  • Target version set to Ready

#4 Updated by okurz 12 months ago

  • Status changed from Workable to In Progress
  • Assignee set to okurz

on osd in the home directory of "geekotest" there is a directory ~/.ssh which contains:

authorized_keys  config  id_rsa  id_rsa.gitlab  id_rsa.gitlab.pub  id_rsa.pub  known_hosts  known_hosts.old

IIUC nicksinger has added the key "id_rsa.gitlab id_rsa.gitlab.pub" under the account "nicksinger" on gitlab.suse.de so logging in to gitlab.suse.de greets with "nicksinger" but that account is blocked at time of writing, see #75067

I just commented out the section in ~/.ssh/config to use ~/.ssh/id_rsa.gitlab so git+ssh uses "id_rsa" which is already supplied as a valid key for the gitlab user "openqa-pusher". Then in ~/share/tests/sle/products/sle/needles the command git pull --rebase origin master && git push worked because the account "openqa-pusher" is not blocked.

EDIT:
I don't think we actually currently need the specific "gitlab" ssh keys as we have the generic one already added to gitlab, and I renamed the gitlab one to make it obvious it's unused:

mv id_rsa.gitlab{,.unused}
mv id_rsa.gitlab.pub{,unused}

However, to include that in salt I think it's safer to use a dedicated key anyway. On osd as geekotest I did ssh-keygen -t ed25519 -N '' -C 'geekotest@openqa.suse.de, openqa-pusher needle pushing to gitlab' -f id_ed25519.gitlab,
added the public key in https://openqa-pusher@gitlab.suse.de/profile/keys and included the files into the pillars repo

cd ~/local/openqa/salt-pillars-openqa/hosts/openqa.suse.de
ssh osd "sudo -u geekotest cat /var/lib/openqa/.ssh/id_ed25519.gitlab.pub" > id_ed25519.gitlab.pub
ssh osd "sudo -u geekotest cat /var/lib/openqa/.ssh/id_ed25519.gitlab" > id_ed25519.gitlab

and reference in salt-states-openqa, e.g.

{% for i in ['', '.pub'] %}
/var/lib/openqa/.ssh/id_ed25519.gitlab{{i}}:
  file.managed:
    - contents_pillar: id_ed25519.gitlab{{i}}
{% endfor %}

cat config 
Host gitlab.suse.de
  User gitlab
  IdentityFile ~/.ssh/id_ed25519.gitlab
  IdentitiesOnly yes
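
A check for the setup described in comment #4, added here as an example and not taken from the ticket or the salt repositories: it audits an ssh client directory so that one host is reached with exactly one pinned key that only its owner can read. The function names check_deploy_key and make_sample and the placeholder key files are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit DIR/config so that HOST is reached with one pinned key.
# Prints one finding per line and returns 0 only when there are none.
check_deploy_key() {
    dir=$1; host=$2; rc=0
    [ -r "$dir/config" ] || { echo "no readable config in $dir"; return 1; }
    # Read IdentityFile / IdentitiesOnly from the "Host <host>" stanza only.
    settings=$(awk -v h="$host" '
        tolower($1) == "host" { hit = 0; for (i = 2; i <= NF; i++) if ($i == h) hit = 1; next }
        hit && tolower($1) == "identityfile"   { print "key=" $2 }
        hit && tolower($1) == "identitiesonly" { print "only=" tolower($2) }
    ' "$dir/config")
    key=$(printf '%s\n' "$settings" | sed -n 's/^key=//p' | head -n 1)
    only=$(printf '%s\n' "$settings" | sed -n 's/^only=//p' | head -n 1)
    [ -n "$key" ] || { echo "no IdentityFile pinned for $host"; return 1; }
    # Without IdentitiesOnly, ssh also offers agent and default keys, so a
    # different (for example personal) key could be the one that authenticates.
    [ "$only" = yes ] || { echo "IdentitiesOnly is not yes for $host"; rc=1; }
    # Map ~/.ssh/<name> onto the directory being audited.
    case $key in "~/.ssh/"*) key=$dir/${key#"~/.ssh/"} ;; esac
    if [ ! -f "$key" ]; then
        echo "pinned key $key is missing"; return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] ||
        { echo "$key is accessible to group or others"; rc=1; }
    [ -f "$key.pub" ] || { echo "$key.pub is missing"; rc=1; }
    return $rc
}

# Constructed sample: the config from the comment plus placeholder key files.
make_sample() {
    mkdir -p "$1"
    printf 'Host gitlab.suse.de\n  User gitlab\n  IdentityFile ~/.ssh/id_ed25519.gitlab\n  IdentitiesOnly yes\n' > "$1/config"
    echo 'placeholder, not a real key' > "$1/id_ed25519.gitlab"
    echo 'placeholder, not a real key' > "$1/id_ed25519.gitlab.pub"
    chmod 600 "$1/id_ed25519.gitlab"
}
```

Run as the service user, for example `check_deploy_key /var/lib/openqa/.ssh gitlab.suse.de`; a file deployed without an explicit restrictive mode shows up as the "accessible to group or others" finding.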

#6 Updated by okurz 12 months ago

  • Status changed from Feedback to Resolved

generated config on osd looks fine, everything seems to work as expected.

#7 Updated by okurz 8 months ago

  • Related to action #89047: Failed to commit needles, gitlab account blocked 2021-02-24 added
