| @jjbeckman:matrix.org | Hi folks! Would appreciate some insight in what is going on with my Kubernetes/GitHub based Zuul deployment. | 04:09 |
|---|---|---|
| Observations: | ||
| 1. In `zuul.conf`, I can set any random string in`[keystore]\npassword=`, and find my Zuul deployment appears to work(Opening a GitHub pull request triggers a check pipeline) | ||
| 2. In `zuul/executor/server.py`, `def do_execute(self):` method, I find that `self.arguments.get('ssh_keys', [])` is empty. | ||
| https://opendev.org/zuul/zuul/src/branch/master/zuul/executor/server.py#L1133 | ||
| Questions: | ||
| 1. Why is Zuul seemingly functional despite setting an random `keystore.password`? | ||
| 2. Is `self.arguments.get('ssh_keys', [])` being empty expected? | ||
| Thank you. | ||
| @clarkb:matrix.org | The keystore password is used to encrypt your secret data including the project specific private ssh keys. If you change the password the previously encrypted data won't be accessible anymore. I suspect that results in keys being empty. But without actually looking at the code and having more context I can't be sure | 04:31 |
| @clarkb:matrix.org | Jobs can run without secrets which is probably why it works | 04:31 |
| @jjbeckman:matrix.org | > <@clarkb:matrix.org> The keystore password is used to encrypt your secret data including the project specific private ssh keys. If you change the password the previously encrypted data won't be accessible anymore. I suspect that results in keys being empty. But without actually looking at the code and having more context I can't be sure | 06:50 |
| Thanks for your input, Clark. | ||
| > The keystore password is used to encrypt your secret data including the project specific private ssh keys. If you change the password the previously encrypted data won't be accessible anymore. | ||
| I understand how `keystore.password` is being used now. | ||
| > I suspect that results in keys being empty. But without actually looking at the code and having more context I can't be sure | ||
| I have executed jobs multiple times with the same `keystore.password` multiple times, but have observed that `ssh_keys` is always empty. | ||
| > Jobs can run without secrets which is probably why it works | ||
| I see. | ||
| Could you please explain what exactly these SSH keys are used for? I am assuming that since my deployment is Kubernetes based, these keys are not required, hence the lack of keys. | ||
| @jjbeckman:matrix.org | Another question I have is, how is the SSH Private key configured in `executor.private_key_file` used? | 06:57 |
| Going through the source code, I see that it's added to the `ssh-agent`, but I can't follow through with how and where it's used to interact with the `nodepool`. | ||
| I want to know as no matter what SSH Private key I generate and set, Zuul just seems to function fine, which doesn't make sense to me, as I have not set any corresponding Public key in `nodepool`. | ||
| @mhuin:matrix.org | > <@clarkb:matrix.org> fungi and I are looking to update the zuul one pager and are looking for feedback. https://etherpad.opendev.org/p/zuul-one-pager-updates-april-2023 if you have time to take a look and leave your thoughts. In particular I think it would be good to update the git "url" there but sounds like there has been some question about that in the past. | 09:46 |
| left some suggestions | ||
| @b.schanzel:matrix.org | > <@clarkb:matrix.org> b.schanzel: ^ rebased I think if we merge that it should fix your issues. We'd also love to hear more about how you are running Zuul on arm :) | 12:41 |
| Cool, thank you, this will indeed solve my problem. | ||
| But to make sure there's no misunderstanding: my problem really is running a zuul dev env/unit tests on a local arm64 box, not running zuul in production on arm. | ||
| @clarkb:matrix.org | jjbeckman: zuul has per project private keys which the project can use to ssh to project specific resources (you have to fetch the public key from the zuul api and add that to authorized_keys on the destination). This is done regardless of the nodepool driver as it isn't used to talk to nodepool resources those ssh keys are managed by zuul and nodepool more direclty under the hood | 15:14 |
| @clarkb:matrix.org | for example if you wanted to push something to github you would use the project ssh keys. This is completely separate from accessing resources provided by nodepool | 15:15 |
| -@gerrit:opendev.org- Clark Boylan proposed: | 18:21 | |
| - [opendev/zone-zuul-ci.org] 879782: Update zuul dns records to the new static02 server https://review.opendev.org/c/opendev/zone-zuul-ci.org/+/879782 | ||
| - [opendev/zone-zuul-ci.org] 879783: Revert short @ record TTLs https://review.opendev.org/c/opendev/zone-zuul-ci.org/+/879783 | ||
| -@gerrit:opendev.org- Clark Boylan proposed: [opendev/zone-gating.dev] 879784: Point gating.dev at the new static02 server https://review.opendev.org/c/opendev/zone-gating.dev/+/879784 | 18:25 | |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!