action #67804: use non-personal account and key for pushing needles on osd to gitlab.suse.de - openQA Infrastructure - openSUSE Project Management Tool

Custom queries

openQA Infrastructure Project
openqa-review - Closed tickets last updated by openqa-review, last 30 days
QA roadmap long-term
QA SLE functional
QA SLE Functional - closed in last 14 days
QA SLE Functional - High, need to be refined
QA SLE Functional - over cycle time median
QA SLE u
QA SLE y
QA tools (tag not necessary in openQA and subprojects)
QA tools tag (tag not necessary in openQA and subprojects; excluding tickets in "Ready" version as they are already on the backlog)
QAC - Backlog
QE tools team - backlog (dev)
QE tools team - backlog (ready issues)
QE tools team - backlog SLA high
QE tools team - backlog SLA immediate
QE tools team - backlog SLA no immediate/urgent in feedback/blocked
QE tools team - backlog SLA normal
QE tools team - backlog SLA urgent
QE tools team - backlog SLO high
QE tools team - backlog SLO normal
QE tools team - backlog SLO urgent
QE tools team - backlog, high-level view (epics and higher)
QE tools team - backlog, non-reactive work, needs parent
QE tools team - backlog, top-level view (all sagas)
QE tools team - closed within last 14 days
QE tools team - closed within last 60 days
QE tools team - closed yesterday
QE Tools Team - Collaborative Session
QE tools team - due date forecast
QE tools team - exceeding due-date
QE tools team - infrastructure backlog
QE tools team - next - sorted by update time
QE tools team - next issues
QE tools team - non-estimated (unblocked) issues (dev)
QE tools team - non-estimated (unblocked) issues (infra)
QE tools team - ready issues - Workable
QE tools team - ready, not assigned/blocked/low
QE tools team - SLO high forecast
QE tools team - update forecast
QE tools team - updated by priority
QE tools team - what members of the team are working on - Feedback (not-low)
QE Tools Team Backlog By Assignee
Tools Team Retrospective
Tools Team Retrospective (not estimated or assigned)

Actions

Copy link

action #67804

closed

use non-personal account and key for pushing needles on osd to gitlab.suse.de

Added by okurz about 4 years ago. Updated over 3 years ago.

Status:

Resolved

Priority:

Low

Assignee:

okurz

Category:

Target version:

openQA Project - Ready

Start date:

2020-05-25

Due date:

2020-11-05

% Done:

Estimated time:

Description

Motivation¶

See #67213

Acceptance criteria¶

AC1: For pushing needles on osd to gitlab.suse.de a non-personal account (different to "nicksinger") is used

Related issues 2 (0 open — 2 closed)

Related to openQA Infrastructure - action #89047: Failed to commit needles, gitlab account blocked 2021-02-24

Resolved

nicksinger

2021-02-24

Actions

Copied from openQA Infrastructure - action #67213: pushing needles on osd to gitlab.suse.de fails

Resolved

okurz

2020-05-25

Actions

Issue # Delay: days Cancel

History
Notes
Property changes

Actions

Copy link

Updated by okurz about 4 years ago

Copied from action #67213: pushing needles on osd to gitlab.suse.de fails added

Actions

Copy link

Updated by okurz almost 4 years ago

Priority changed from Normal to Low

Actions

Copy link

Updated by okurz over 3 years ago

Target version set to Ready

Actions

Copy link

Updated by okurz over 3 years ago

Status changed from Workable to In Progress
Assignee set to okurz

on osd in the home directory of "geekotest" there is a directory ~/.ssh which contains:

authorized_keys  config  id_rsa  id_rsa.gitlab  id_rsa.gitlab.pub  id_rsa.pub  known_hosts  known_hosts.old

IIUC nicksinger has added the key "id_rsa.gitlab id_rsa.gitlab.pub" under the account "nicksinger" on gitlab.suse.de so logging in to gitlab.suse.de greets with "nicksinger" but that account is blocked at time of writing, see #75067

I just commented out the section in ~/.ssh/config to use ~/.ssh/id_rsa.gitlab so git+ssh uses "id_rsa" which is already supplied as a valid key for the gitlab user "openqa-pusher". Then in ~/share/tests/sle/products/sle/needles the command git pull --rebase origin master && git push worked because the account "openqa-pusher" is not blocked.

EDIT:
I don't think we actually currently need the specific "gitlab" ssh keys as we have the generic one already added to gitlab and renamed the gitlab one to make it obvious it's unused:

mv id_rsa.gitlab{,.unused}
mv id_rsa.gitlab.pub{,unused}

However to include that into salt I think it's safer to use a dedicated key anyway. On osd as geekotest I did ssh-keygen -t ed25519 -N '' -C 'geekotest@openqa.suse.de, openqa-pusher needle pushing to gitlab' -f id_ed25519.gitlab,
added the public key in https://openqa-pusher@gitlab.suse.de/profile/keys and included the files into the pillars repo

cd ~/local/openqa/salt-pillars-openqa/hosts/openqa.suse.de
ssh osd "sudo -u geekotest cat /var/lib/openqa/.ssh/id_ed25519.gitlab.pub" > id_ed25519.gitlab.pub
ssh osd "sudo -u geekotest cat /var/lib/openqa/.ssh/id_ed25519.gitlab" > id_ed25519.gitlab

and reference in salt-states-openqa, e.g.

105 {% for i in ['', '.pub'] %}
106 /var/lib/openqa/.ssh/id_ed25519.gitlab{{i}}:
107   file.managed:
108     - contents_pillar: id_ed25519.gitlab{{i}}

cat config 
Host gitlab.suse.de
  User gitlab
  IdentityFile ~/.ssh/id_ed25519.gitlab
  IdentitiesOnly yes

Actions

Copy link