| -@gerrit:opendev.org- Simon Westphahl proposed: [zuul/zuul] 888916: Report error details on Ansible failure https://review.opendev.org/c/zuul/zuul/+/888916 | 05:54 | |
| -@gerrit:opendev.org- Simon Westphahl proposed: [zuul/zuul] 888916: Report error details on Ansible failure https://review.opendev.org/c/zuul/zuul/+/888916 | 08:12 | |
| @jjbeckman:matrix.org | Hi folks, | 08:38 |
|---|---|---|
| I am observing some strange behavior with Zuul secrets. Any advice regarding correcting this behavior would be appreciated. | ||
| To be succinct, updating the secrets sometimes do not work. | ||
| In my untrusted project's `.zuul.yaml` file, I have a secret defined like for example, the following. | ||
| ``` | ||
| - secret: | ||
| name: foo | ||
| data: | ||
| url: https://domain1.com | ||
| ``` | ||
| In the pipeline, the following job's stdout would result in `https://domain1.com`, as expected. | ||
| ``` | ||
| ansible.builtin.command: > | ||
| echo {{ foo.url }} | ||
| ``` | ||
| However, sometimes, for some reason, updates to `.zuul.yaml` do not seem to be newly applied. | ||
| For example, if I update `foo.url` as follows, | ||
| ``` | ||
| - secret: | ||
| name: foo | ||
| data: | ||
| url: https://domain2.com # Updated from `https://domain1.com` | ||
| ``` | ||
| In the pipeline, the following job's stdout would result in `https://domain1.com`, not `https://domain2.com`. | ||
| ``` | ||
| ansible.builtin.command: > | ||
| echo {{ foo.url }} | ||
| ``` | ||
| Is there any mechanism where content of the secret is somehow cached somewhere? | ||
| I have Zuul deployed on a Kubernetes cluster, and I have tried: | ||
| - Restarting all Kubernetes pods | ||
| - Confirmed that there is not mention of `https://domain1.com` inside the build directory, inside the executor. | ||
| ``` | ||
| root@zuul-executor-0:/var/lib/zuul/builds/990172f9a44f495fb034cd61414926ac# grep -niIr domain1.com | ||
| root@zuul-executor-0:/var/lib/zuul/builds/990172f9a44f495fb034cd61414926ac# | ||
| ``` | ||
| Thank you for reading. | ||
| -@gerrit:opendev.org- Benjamin Schanzel proposed: [zuul/zuul] 890638: Add a config option to skip alembic migrations https://review.opendev.org/c/zuul/zuul/+/890638 | 09:02 | |
| @fungicide:matrix.org | jjbeckman: secrets are presented like ansible vars, but with some caveats to prevent security risks. only the merged versions of them are used, they can only be used in post-review pipelines, and unless they're defined in a trusted config repo they can only be used by playbooks that are in the repository they're defined in. also if you have branched configuration, having the same secret defined on multiple branches can behave in ways you may not expect | 17:40 |
| @fungicide:matrix.org | * jjbeckman: secrets are presented like ansible vars, but with some caveats to prevent security risks. only the merged versions of them are used, they can only be used in post-review pipelines, and they can only be used by playbooks that are in the repository they're defined in. also if you have branched configuration, having the same secret defined on multiple branches can behave in ways you may not expect | 17:40 |
| @fungicide:matrix.org | though a caveat to the "playbooks in the same repository" rule is if your job uses pass-to-parent, in which case the parent job's playbook is permitted access to the secret | 17:42 |
| @fungicide:matrix.org | since you don't mention how your jobs/repositories are laid out or mention whether your secret is defined in a branched repository, it's hard to guess whether what you're seeing is a misunderstanding or a bug | 17:43 |
| @fungicide:matrix.org | also whether you're trying to use the changed secret before the change for it merges | 17:44 |
| @fungicide:matrix.org | maybe run through https://zuul-ci.org/docs/zuul/latest/config/secret.html to check and make sure your use of the secret in question meets the expectations there | 17:48 |
| -@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: [zuul/zuul] 890702: Use tenant-level layout locks https://review.opendev.org/c/zuul/zuul/+/890702 | 22:20 | |
| @blaisepabon:matrix.org | Some of you who have been around for a while ( corvus , fungi ) will laugh when you read this.... | 23:51 |
| I'm still trying to promote zuul-ci out in the world. | ||
| Has anyone succeeded in moving an established project (eg. https://github.com/python/cpython ) to zuul-ci ? | ||
| Are there any things to look for that would make it unusually simple/complicated? | ||
| @blaisepabon:matrix.org | * Some of you who have been around for a while ( corvus , fungi ) will laugh when you read this.... | 23:52 |
| I'm still trying to promote zuul-ci out in the world. | ||
| Has anyone succeeded in moving an established project (eg. https://github.com/python/cpython ) to zuul-ci ? | ||
| Are there any things to look for that would make it unusually simple/complicated? | ||
| Or is it best to start with new projects only? | ||
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!