| @jjbeckman:matrix.org | > <@clarkb:matrix.org> The application key is used to sign web auth tokens for API requests. I don't know that it is a valid ssh key. I suspect you may also need to set the ssh key value so that repos can be cloned via ssh. But I'm not 100% certain of that. | 06:37 |
|---|---|---|
| Hi Clark, | ||
| Thanks for your input. | ||
| > The application key is used to sign web auth tokens for API requests. | ||
| Yes, this is my understanding as well. | ||
| > I don't know that it is a valid ssh key. | ||
| > I suspect you may also need to set the ssh key value so that repos can be cloned via ssh. But I'm not 100% certain of that. | ||
| When I set the GitHub App Private key as the key that the executor uses to `git clone` repos, authentication fails. So it appears to me that it's not a valid SSH key. | ||
| @jjbeckman:matrix.org | > <@jim:acmegating.com> jjbeckman: in addition to what clarkb wrote, the scheduler doesn't do anything with git repos, and the log message you pasted is not from the scheduler, but rather the executor, so i think you may have gotten something confused there. if it's adding an ssh key to an agent, it's adding the *nodepool* key to a build. | 06:38 |
| Hi Corvus, | ||
| Thanks for the advice. | ||
| > in addition to what clarkb wrote, the scheduler doesn't do anything with git repos, and the log message you pasted is not from the scheduler, but rather the executor, so i think you may have gotten something confused there. | ||
| Ah, my bad. Sorry, I meant to type executor. | ||
| > if it's adding an ssh key to an agent, it's adding the nodepool key to a build. | ||
| I see. | ||
| @jjbeckman:matrix.org | > <@jim:acmegating.com> jjbeckman: oh i had one other thought: even though you already have things set up, you might want to try the configurator here: https://acmegating.com/acme-enterprise-zuul/#start it supports azure and github -- it'll walk through the required values and output config files; you can at least compare that to what you have and see if anything's missing. | 06:44 |
| Ah, thank you. Have done so, and apparently my current config is missing `name=github` under `[connection "github"]` in `zuul.conf`. Will check and see if this makes the difference. | ||
| @jjbeckman:matrix.org | > <@jim:acmegating.com> jjbeckman: also, friendly reminder in case you aren't aware that in addition to the general directions for self-help from volunteers in channel here, there are commercial support offerings for zuul, including my own at https://acmegating.com/ for more detailed and responsive help. :) | 06:44 |
| Thanks, will keep this in mind :) | ||
| @jjbeckman:matrix.org | > <@jjbeckman:matrix.org> Ah, thank you. Have done so, and apparently my current config is missing `name=github` under `[connection "github"]` in `zuul.conf`. Will check and see if this makes the difference. | 09:39 |
| Tweaking the setting according to what the configurator suggested, I ended up with this. | ||
| ``` | ||
| [connection "github"] | ||
| app_id={redacted} | ||
| app_key=/etc/zuul/github_app/id_rsa | ||
| driver=github | ||
| name=github | ||
| server=github.com | ||
| webhook_token={redacted} | ||
| ``` | ||
| This changed the behavior of the executor in the following way (now it tries to `git clone` using HTTPS instead of SSH, but fails nevertheless). | ||
| ``` | ||
| File "/usr/local/lib/python3.11/site-packages/git/cmd.py", line 1109, in execute | ||
| raise GitCommandError(redacted_command, status, stderr_value, stdout_value) | ||
| git.exc.GitCommandError: Cmd('git') failed due to: exit code(128) | ||
| cmdline: git clone https://github.com/{redacted}/test1 /var/lib/zuul/executor-git/github.com/{redacted}/{redacted}%2Ftest1 | ||
| stderr: 'Cloning into '/var/lib/zuul/executor-git/github.com/{redacted}/{redacted}%2Ftest1'... | ||
| fatal: could not read Username for 'https://github.com': No such device or address' | ||
| Update of '{redacted}/test1' failed | ||
| ``` | ||
| So to me, it appears that this chunk of code is not being executed, despite `app_id` being set. | ||
| https://opendev.org/zuul/zuul/src/commit/6479892b9c41fb818b2a6ead14c0239bf33d6481/zuul/driver/github/githubconnection.py#L907-L916 | ||
| And this line of code is being executed instead. | ||
| https://opendev.org/zuul/zuul/src/commit/6479892b9c41fb818b2a6ead14c0239bf33d6481/zuul/driver/github/githubconnection.py#L918 | ||
| I will tweak the code to display the content of `self.add_id` in the logs tomorrow, but if the issue is obvious, I would be grateful if it was pointed out. | ||
| @flaper87:matrix.org | What's the recommended way to authenticate zuul-client without using `zuul-admin create-auth-token`? I think I'm not approaching this properly :) | 15:21 |
| @clarkb:matrix.org | I think that is how you do it? You may need to use more words to explain why it isn't proper | 15:29 |
| @mhuin:matrix.org | > <@flaper87:matrix.org> What's the recommended way to authenticate zuul-client without using `zuul-admin create-auth-token`? I think I'm not approaching this properly :) | 15:40 |
| if you have access to a zuul web UI that has authentication enabled, you can download a zuul.conf file by clicking on the user icon | ||
| @mhuin:matrix.org | The con is that usually the JWT in that file is short lived | 15:40 |
| @mhuin:matrix.org | flaper87: is auth configured on zuul web UI? | 15:41 |
| @flaper87:matrix.org | > <@clarkb:matrix.org> I think that is how you do it? You may need to use more words to explain why it isn't proper | 15:45 |
| Because `zuul-admin` is only available from the pod running Zuul, which means I need to attach to it. A user without access to the pod won't be able to do this. | ||
| @flaper87:matrix.org | > <@mhuin:matrix.org> flaper87: is auth configured on zuul web UI? | 15:46 |
| I do, yeah. I have Google configured, although the permissions may not be 100% working as I still need to figure some things out. Let me see if I can find the zuul.conf you mentioned | ||
| @flaper87:matrix.org | > <@flaper87:matrix.org> I do, yeah. I have Google configured, although the permissions may not be 100% working as I still need to figure some things out. Let me see if I can find the zuul.conf you mentioned | 16:05 |
| This works nicely, thanks. | ||
| @clarkb:matrix.org | ianw: the container build/promote stack lgtm now. Still two minor docs issues. One on https://review.opendev.org/c/zuul/zuul-jobs/+/878614/9/roles/remove-registry-tag/README.rst and the other on https://review.opendev.org/c/zuul/zuul-jobs/+/878740/9/roles/build-container-image/common.rst I'm happy for those to be fixed in a followup if we want to stop the restacking | 16:37 |
| @clarkb:matrix.org | corvus: ^ fyi | 16:37 |
| @jim:acmegating.com | Clark: ianw i agree we're 99% there -- i have some -1s that i think we should resolve one way or the other before merging, so i didn't approve. | 16:57 |
| @jim:acmegating.com | Clark: i'm confused by your first comment -- it's suggesting a no_log on a variable, not a task...? | 16:58 |
| @clarkb:matrix.org | corvus: ya I guess I was trying to express that when invoking the role and passing those variables you should set no_log. I agree that's a bit awkward when simply describing the variable inputs to the role | 17:01 |
| @jim:acmegating.com | Clark: especially since you can invoke the role without passing the arguments (and that's how we do it) | 17:03 |
| @iwienand:matrix.org | thanks i'll loop over soon. i'm happy to use container_registry_credentials -- it was a 50/50 toss up to use the mis-named-for-the-role variable or use a new one named for the role. i was thinking it was a generic role, you might want to do this separately to container roles for other reasons. but it's also pretty tightly tied into those now | 21:30 |
| @jim:acmegating.com | agreed; i had similar thoughts. thinking about grepping for it in the future is what won me over to the "reuse" side. :) | 22:14 |
| -@gerrit:opendev.org- Ian Wienand proposed: | 23:56 | |
| - [zuul/zuul-jobs] 879009: promote-container-image: add promote_container_image_method https://review.opendev.org/c/zuul/zuul-jobs/+/879009 | ||
| - [zuul/zuul-jobs] 878614: remove-registry-tag: role to delete tags from registry https://review.opendev.org/c/zuul/zuul-jobs/+/878614 | ||
| - [zuul/zuul-jobs] 878740: promote-container-image: use generic tag removal role https://review.opendev.org/c/zuul/zuul-jobs/+/878740 | ||
| - [zuul/zuul-jobs] 878810: remove-registry-tag: update docker age match https://review.opendev.org/c/zuul/zuul-jobs/+/878810 | ||