| -@gerrit:opendev.org- Benjamin Schanzel proposed on behalf of James E. Blair https://matrix.to/#/@jim:acmegating.com: [zuul/nodepool] 871199: Add API timing debug statements to openstack driver https://review.opendev.org/c/zuul/nodepool/+/871199 | 06:50 | |
| -@gerrit:opendev.org- Benjamin Schanzel proposed on behalf of James E. Blair https://matrix.to/#/@jim:acmegating.com: [zuul/nodepool] 872255: Output rate information in load-test.py https://review.opendev.org/c/zuul/nodepool/+/872255 | 06:51 | |
| -@gerrit:opendev.org- Benjamin Schanzel proposed on behalf of James E. Blair https://matrix.to/#/@jim:acmegating.com: | 06:51 | |
| - [zuul/nodepool] 872714: Add debug log messages to handler assignment/removal https://review.opendev.org/c/zuul/nodepool/+/872714 | ||
| - [zuul/nodepool] 872256: Offload openstack delete api calls to an executor https://review.opendev.org/c/zuul/nodepool/+/872256 | ||
| -@gerrit:opendev.org- Benjamin Schanzel proposed on behalf of James E. Blair https://matrix.to/#/@jim:acmegating.com: [zuul/nodepool] 874047: Move statemachine node init into TPE https://review.opendev.org/c/zuul/nodepool/+/874047 | 06:51 | |
| @vonschultz:matrix.org | It looks like Zuul doesn't work well with Gerrit 3.7. In the attached log, I'm trying to run the check pipeline using a "recheck" comment, but the event that Zuul sees has `'comment': 'Patch Set 1:\n\n(1 comment)'` — the contents of the comment isn't actually in there, and therefore the regex can't match. | 09:15 |
|---|---|---|
| @vonschultz:matrix.org | This is with Zuul version 8.2.0. | 09:17 |
| @avass:vassast.org | Christian von Schultz: that sounds like a bug or change in Gerrit. Have you checked what Gerrit sends if you check stream-events? https://gerrit-review.googlesource.com/Documentation/cmd-stream-events.html | 09:26 |
| @vonschultz:matrix.org | Yes, this is a change in Gerrit. It was working fine with Gerrit 3.6. I didn't find it mentioned in the release notes at https://www.gerritcodereview.com/3.7.html, but as you see in the log, the new version of Gerrit doesn't give us the contents of the comments when running `gerrit stream-events`. | 09:30 |
| @avass:vassast.org | Christian von Schultz: I can't easily find what broke it. But it looks like that would pass their acceptance tests: https://gerrit.googlesource.com/gerrit/+/refs/tags/v3.7.1/javatests/com/google/gerrit/acceptance/server/event/CommentAddedEventIT.java#223 | 10:12 |
| :) | ||
| @avass:vassast.org | That test looks wrong right? It should be checking for "a patch set level comment" unless I misunderstand the test. | 10:14 |
| @avass:vassast.org | Oh, the test above works as expected and I guess the annotation above it turns that off: https://gerrit.googlesource.com/gerrit/+/refs/tags/v3.7.1/javatests/com/google/gerrit/acceptance/server/event/CommentAddedEventIT.java#215 | 10:16 |
| Maybe that's a config you have somewhere? | ||
| @avass:vassast.org | * Oh, the test above works as expected and I guess the annotation removes the actual comment: https://gerrit.googlesource.com/gerrit/+/refs/tags/v3.7.1/javatests/com/google/gerrit/acceptance/server/event/CommentAddedEventIT.java#215 | 10:17 |
| Maybe that's a config you have somewhere? | ||
| @avass:vassast.org | * Oh, the test above works as expecte, I guess this annotation removes the actual comment: https://gerrit.googlesource.com/gerrit/+/refs/tags/v3.7.1/javatests/com/google/gerrit/acceptance/server/event/CommentAddedEventIT.java#215 | 10:23 |
| Maybe that's a config you have somewhere? | ||
| @avass:vassast.org | * Oh, the test above works as expected, I guess this annotation removes the actual comment: https://gerrit.googlesource.com/gerrit/+/refs/tags/v3.7.1/javatests/com/google/gerrit/acceptance/server/event/CommentAddedEventIT.java#215 | 10:23 |
| Maybe that's a config you have somewhere? | ||
| @avass:vassast.org | Christian von Schultz: This looks relevant:https://groups.google.com/g/repo-discuss/c/VJZqgYvZOqs | 10:25 |
| @avass:vassast.org | Looks like a fix is already merged: https://gerrit-review.googlesource.com/c/gerrit/+/353017 | 10:28 |
| and here's the issue: https://bugs.chromium.org/p/gerrit/issues/detail?id=16475 | ||
| @vonschultz:matrix.org | Ah! And it looks like there's a new release just a few days old, Gerrit 3.7.1, which seems to have the fix according to https://gerrit.googlesource.com/gerrit/+log/d49aaaaeb682fddf5b351d56cba20f4d952d3ec5. Many thanks for the digging, Albin Vass . | 10:34 |
| -@gerrit:opendev.org- Dong Zhang proposed: [zuul/zuul] 875633: Ignore fetch-ref-replicated gerrit event https://review.opendev.org/c/zuul/zuul/+/875633 | 10:39 | |
| -@gerrit:opendev.org- Zuul merged on behalf of James E. Blair https://matrix.to/#/@jim:acmegating.com: [zuul/zuul] 874524: Re-enqueue changes if dequeued missing deps https://review.opendev.org/c/zuul/zuul/+/874524 | 10:55 | |
| -@gerrit:opendev.org- Dong Zhang proposed: [zuul/zuul] 875633: Ignore fetch-ref-replicated gerrit event https://review.opendev.org/c/zuul/zuul/+/875633 | 11:09 | |
| @flaper87:matrix.org | Is there a way to always require authentication? I mean, hide all the tenant status info and what not. I've enabled google_auth but the tenant info, pipelines, etc are still visible without auth | 14:20 |
| @jpew:matrix.org | flaper87: We added oauth authentication tied into keycloak in front of Zuul in our K8S ingress config and it seems to work well enough | 14:35 |
| @jpew:matrix.org | keycloak + oauth2-proxy that is | 14:36 |
| @jpew:matrix.org | with the important caveat that the /api route is _not_ protected because the zuul web UI calls into that all the time and the authentication isn't trasnferred, so it's not perfect | 14:37 |
| @jim:acmegating.com | flaper87: did you read https://zuul-ci.org/docs/zuul/latest/tenants.html#attr-tenant.access-rules and https://zuul-ci.org/docs/zuul/latest/tenants.html#api-root ? | 14:37 |
| @mhuin:matrix.org | is this a public facing zuul instance? maybe if its data isn't meant to be public it'd be better off behind a VPN or something? Auth is really just meant to allow some users to handle dequeues, enqueues and autoholds from the GUI | 14:39 |
| @jim:acmegating.com | mhu: that's really not the case any more :) | 14:40 |
| @jpew:matrix.org | corvus: Ah, nice. I'll have to look into that | 14:40 |
| @jim:acmegating.com | tenant and global read-only access are fully supported now. | 14:41 |
| @mhuin:matrix.org | oh ... guess I missed that | 14:41 |
| @flaper87:matrix.org | corvus: nope. I looked for this info in the web configs and the oauth configuration docs but not there. Let me read that. Thanks :) | 14:41 |
| @flaper87:matrix.org | jpew: yeah, did that too but I was hoping to know who performs actions through the UI, etc. | 14:41 |
| @mhuin:matrix.org | flaper: zuul-web logs should have a trace of that | 14:42 |
| @mhuin:matrix.org | but it'll just log the uuid claim so you'll need to find a way to link this info to a user | 14:43 |
| @flaper87:matrix.org | mhu: thanks! For now, I will be happy with just hiding everything behind oauth2. A very simple rule that will allow authenticated users to interact with zuul-web | 14:46 |
| @jpew:matrix.org | flaper87: Make sure to exclude /api | 14:56 |
| -@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: | 15:31 | |
| - [zuul/zuul] 875574: Set layout state event ltime in delete-pipeline-state https://review.opendev.org/c/zuul/zuul/+/875574 | ||
| - [zuul/zuul] 875575: Avoid layout updates after delete-pipeline-state https://review.opendev.org/c/zuul/zuul/+/875575 | ||
| @vonschultz:matrix.org | I tried to set up Oauth with Google according to https://zuul-ci.org/docs/zuul/latest/howtos/openid-with-google.html, and it only sort of works. There's the option to sign in, I can select my user on the Oauth page Google gives me, and it redirects back to Zuul, the /auth_callback page. Then it just stands there "Fetching info..." If I then change the URL to the tenant status URL, it works again, and I can bring up a User Info box that has my name in it and a nice "Sign Out" button, so the login seems to have worked. Only, I have to manually leave the /auth_callback page. Did I miss something? | 15:48 |
| -@gerrit:opendev.org- Guillaume Chauvel proposed: | 19:54 | |
| - [zuul/zuul] 875056: tutorial: Update node to jammy https://review.opendev.org/c/zuul/zuul/+/875056 | ||
| - [zuul/zuul] 875057: quick-start: run additional tutorials using var run_playbooks https://review.opendev.org/c/zuul/zuul/+/875057 | ||
| - [zuul/zuul] 732067: tutorial: Add "gate your first patch" https://review.opendev.org/c/zuul/zuul/+/732067 | ||
| - [zuul/zuul] 732068: tutorial: Add "Use zuul jobs" https://review.opendev.org/c/zuul/zuul/+/732068 | ||
| - [zuul/zuul] 732069: tutorial: Add "gate pipeline" https://review.opendev.org/c/zuul/zuul/+/732069 | ||
| - [zuul/zuul] 732070: tutorial: Add "job secrets" https://review.opendev.org/c/zuul/zuul/+/732070 | ||
| - [zuul/zuul] 732071: tutorial: Add "job dependencies" https://review.opendev.org/c/zuul/zuul/+/732071 | ||
| - [zuul/zuul] 737656: Rename quick-start to zuul-tutorial-quick-start https://review.opendev.org/c/zuul/zuul/+/737656 | ||
| - [zuul/zuul] 875639: quick-start: Change Gerrit wait method & increase Scheduler gerrit wait time https://review.opendev.org/c/zuul/zuul/+/875639 | ||
| - [zuul/zuul] 875640: quick-start: recheck as PATCHSET_LEVEL comment https://review.opendev.org/c/zuul/zuul/+/875640 | ||
| @mhuin:matrix.org | > <@vonschultz:matrix.org> I tried to set up Oauth with Google according to https://zuul-ci.org/docs/zuul/latest/howtos/openid-with-google.html, and it only sort of works. There's the option to sign in, I can select my user on the Oauth page Google gives me, and it redirects back to Zuul, the /auth_callback page. Then it just stands there "Fetching info..." If I then change the URL to the tenant status URL, it works again, and I can bring up a User Info box that has my name in it and a nice "Sign Out" button, so the login seems to have worked. Only, I have to manually leave the /auth_callback page. Did I miss something? | 19:59 |
| I think google's implementation of OpenID Connect is slightly customized and the access token has a slightly different format than expected, IIRC. If you can afford the extra service, I'd advise spinning up a keycloak instance, configure auth for zuul with keycloak, and configure google auth as a social login on keycloak | ||
| @mhuin:matrix.org | next time you do the auth round trip you could also enable the debug console in your browser (Ctrl + I most of the time) and see if any error pops up | 20:01 |
| -@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: | 23:04 | |
| - [zuul/zuul] 874718: Add GitHub pipeline trigger requirements https://review.opendev.org/c/zuul/zuul/+/874718 | ||
| - [zuul/zuul] 875790: Add Gerrit pipeline trigger requirements https://review.opendev.org/c/zuul/zuul/+/875790 | ||
| -@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: [zuul/zuul] 875790: Add Gerrit pipeline trigger requirements https://review.opendev.org/c/zuul/zuul/+/875790 | 23:10 | |
| -@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: [zuul/zuul] 875790: Add Gerrit pipeline trigger requirements https://review.opendev.org/c/zuul/zuul/+/875790 | 23:45 | |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!