Thursday, 2025-02-27

-@gerrit:opendev.org- Dong Zhang proposed: [zuul/zuul] 941235: Implement command for deleting OIDC signing keys https://review.opendev.org/c/zuul/zuul/+/941235 06:44
-@gerrit:opendev.org- Dong Zhang proposed wip: [zuul/zuul] 942169: WIP: test fix fd leak https://review.opendev.org/c/zuul/zuul/+/942169 06:50
-@gerrit:opendev.org- Dong Zhang proposed wip: [zuul/zuul] 942169: WIP: test fix fd leak https://review.opendev.org/c/zuul/zuul/+/942169 07:12
-@gerrit:opendev.org- Dong Zhang proposed: [zuul/zuul] 940872: Implement keystore functions for OIDC RS256 https://review.opendev.org/c/zuul/zuul/+/940872 07:12
-@gerrit:opendev.org- Dong Zhang proposed: [zuul/zuul] 941235: Implement command for deleting OIDC signing keys https://review.opendev.org/c/zuul/zuul/+/941235 09:01
-@gerrit:opendev.org- Dong Zhang proposed: [zuul/zuul] 942886: Prepare oidc token for playbook execution in executor. https://review.opendev.org/c/zuul/zuul/+/942886 10:01
-@gerrit:opendev.org- Dong Zhang proposed: [zuul/zuul] 942886: Prepare oidc token for playbook execution in executor. https://review.opendev.org/c/zuul/zuul/+/942886 12:21
@joao15130:matrix.org Hello, I'm trying to enable the Auto-hold feature which requires, if my understanding is correct, keycloak 12:28
@joao15130:matrix.org however, and even if I have now access to the keycloak UI, it looks like the sign in button in the Zuul UI isn't effective 12:29
@mhuin:matrix.org not necessarily, you need an external OpenID Connect-compatible Identity Provider service (such as keycloak) if you want to enable users to autohold from the web ui 12:30
@joao15130:matrix.org ok in my case I'm just following the doc from zuul, and I use keycloak in a container 12:30
@mhuin:matrix.org otherwise you can also generate a token with the zuul-admin cli that can be used in turn with the zuul-client CLI to autohold 12:30
@joao15130:matrix.org I'd like to use the zuul UI to manage the auto-hold, is that possible? 12:31
@joao15130:matrix.org there is a tabl called autoholds 12:31
@joao15130:matrix.org * there is a tab called autoholds 12:31
@mhuin:matrix.org you can, as I said you need an OpenID Connect-compatible Identity Provider such as keycloak, then configure Zuul to authenticate with that IdP, and configure admin rules in Zuul's main.yaml to let Zuul know who is allowed to autohold on which tenant 12:32
@mhuin:matrix.org the quickstart compose should have everything set up for you I believe 12:33
@joao15130:matrix.org Can I follow https://zuul-ci.org/docs/zuul/latest/howtos/openid-with-keycloak.html ? 12:33
@mhuin:matrix.org I'd say that's the right doc, yeah 12:34
@mhuin:matrix.org how have you deployed keycloak? Did you create a realm and users? 12:35
@joao15130:matrix.org for now there's only a keycloak container 12:35
@joao15130:matrix.org and I sue the quickstart compose file 12:35
@joao15130:matrix.org * and I used the quickstart compose file 12:36
-@gerrit:opendev.org- Simon Westphahl proposed: [zuul/zuul] 942896: Respect replication delay in event pre-processing https://review.opendev.org/c/zuul/zuul/+/942896 12:36
@mhuin:matrix.org this compose? https://opendev.org/zuul/zuul/src/branch/master/doc/source/examples/keycloak/docker-compose.yaml 12:37
@joao15130:matrix.org And I can successfully login with admin on the keycloak UI 12:37
@joao15130:matrix.org yes 12:38
@mhuin:matrix.org so it's a demo setup, I think you should follow https://zuul-ci.org/docs/zuul/latest/tutorials/keycloak.html as some changes need to be applied to the zuul containers' config in order for authentication to be enabled 12:39
@joao15130:matrix.org ok 12:40
@mhuin:matrix.org If all goes well by https://zuul-ci.org/docs/zuul/latest/tutorials/keycloak.html#log-into-zuul you should be able to test admin rules in the GUI 12:40
@joao15130:matrix.org in this doc, I was unable to do the hosts change 12:40
@joao15130:matrix.org If I do it, nothing is working 12:40
@mhuin:matrix.org updating /etc/hosts you mean? 12:41
@joao15130:matrix.org $HOME/.config/containers/containers.conf 12:41
@mhuin:matrix.org are you deploying your containers with podman? 12:41
@joao15130:matrix.org I'm using podman-compose 12:43
@joao15130:matrix.org and for now everything is working correctly 12:43
@mhuin:matrix.org maybe this option is not needed anymore, I'm not sure the tutorial has been updated in a while 12:44
@joao15130:matrix.org ok 12:44
@joao15130:matrix.org however I'm not able to perform the last action 12:44
@joao15130:matrix.org `Visit http://localhost:9000/t/example-tenant/autoholds and click the login icon on the top right. You will be directed to Keycloak, where you can log into the Zuul realm with the user admin and password admin.` 12:45
@mhuin:matrix.org what matters is that you should be able to reach the keycloak server from your web browser using the `keycloak` FQDN instead of localhost 12:45
@joao15130:matrix.org When I click on the login button, nothing happens 12:45
@joao15130:matrix.org I'm able to login to the keycloak UI 12:46
@mhuin:matrix.org can you reach http://keycloak:8082/ ? 12:46
@joao15130:matrix.org yes 12:46
@joao15130:matrix.org I'm reaching keycloak from my laptop so I'm typing the IP instead of keycloak 12:47
@joao15130:matrix.org but I'm on the UI 12:47
@joao15130:matrix.org it seems to work 12:47
@mhuin:matrix.org so the keycloak container is NOT running on your local machine? ie your browser, zuul and keycloak are not all running on the same laptop? 12:48
@joao15130:matrix.org zuul and keycloak are running on a VM 12:48
@joao15130:matrix.org and I'm accessing them via my laptop 12:48
@joao15130:matrix.org through my browser 12:48
@mhuin:matrix.org well that's a pretty important detail, the instructions are for a setup where everything is running locally. I guess the doc needs patching to clarify that 12:49
@mhuin:matrix.org so try to edit your laptop's /etc/hosts so that there's an entry for keycloak pointing at your VM's IP 12:50
@mhuin:matrix.org Because here's what's happening: both zuul and keycloak are running on a shared internal network created via the compose, with resolution mapped to the containers' names (zuul, keycloak etc) 12:51
@mhuin:matrix.org this network (and name resolution) is strictly limited to the compose's context on your VM 12:51
@mhuin:matrix.org zuul is configured to forward auth queries, and check the validity of claims, against a host called "keycloak" - which it can reach on the internal network 12:52
@joao15130:matrix.org ok I'm now accessing the keycloak via its name definition via the hosts file on the laptop 12:53
@mhuin:matrix.org but it's also sending your browser for authentication on a host called "keycloak" - for which you don't have name resolution unless you configure your laptop's /etc/hosts properly 12:53
@mhuin:matrix.org ok that sounds like progress 12:53
@joao15130:matrix.org ok now when I click on sign in, it redirects me to a keycloak page which says Invalid parameter: redirect_url 12:55
@joao15130:matrix.org I think I need to change something from the zuul conf 12:55
@joao15130:matrix.org 12:55
```
[auth keycloak]
default=true
driver=OpenIDConnect
realm=zuul-demo
issuer_id=http://keycloak:8082/realms/zuul-demo
client_id=zuul
```
@joao15130:matrix.org probably 12:56
@mhuin:matrix.org you need to change the client config in keycloak actually 12:56
@joao15130:matrix.org But I need this snippet of config right? 12:56
@mhuin:matrix.org log in as admin on keycloak, pick the zuul-demo realm, check clients and pick "zuul" 12:56
@mhuin:matrix.org this snippet of config is correct 12:56
@joao15130:matrix.org OK I'm on zuul client 12:58
@mhuin:matrix.org check the client config and edit the redirect url parameter to match your VM's ip or fqdn 12:58
@mhuin:matrix.org add one that doesn't refer to localhost 12:59
@joao15130:matrix.org ok I've added two redirect URLs 13:00
@joao15130:matrix.org one for 3000 and one for 9000 13:00
@joao15130:matrix.org didn't touch the localhost one 13:00
@mhuin:matrix.org good, you don't have to 13:00
@joao15130:matrix.org ok so now redirect works 13:00
@joao15130:matrix.org it prompts me for creds 13:01
@mhuin:matrix.org they're mentioned in the tutorial doc 13:01
@joao15130:matrix.org yes I got it 13:02
@joao15130:matrix.org ok I'm now able to create a request 13:02
@mhuin:matrix.org congrats! 13:03
@joao15130:matrix.org thanks 13:03
@joao15130:matrix.org so now let's say I want to use a realm called zuul instead of zuul-demo 13:03
@joao15130:matrix.org I just need to create a new realm? 13:03
@joao15130:matrix.org That's an environment we'll use for our CI and I'd like something more informal than zuul-demo 13:04
@mhuin:matrix.org yeah, and you'll need to follow the actual documentation about interfacing zuul with keycloak 13:04
@joao15130:matrix.org ok 13:04
@joao15130:matrix.org thank you 13:04
@mhuin:matrix.org you shouldn't use the compose example as is for a production deployment anyway 13:04
@joao15130:matrix.org what change do you suggest? 13:05
@mhuin:matrix.org with that said would you like to patch the keycloak tutorial documentation to clarify that it's intended for local deployment? Or shall I do it? 13:05
@mhuin:matrix.org I haven't checked the compose in a while but it was never intended to be production-ready IIRC 13:06
@joao15130:matrix.org ok for now it's enough for us but I'd appreciate any advice from you guys 13:07
@joao15130:matrix.org oh spoke too fast 13:08
@joao15130:matrix.org doesn't work when I create a request 13:09
@joao15130:matrix.org it says unable to fetch URL 13:09
@mhuin:matrix.org let me guess, it starts with localhost 13:09
@joao15130:matrix.org it's not mentioned 13:10
@joao15130:matrix.org > Unable to fetch URL, check your network connectivity, browser plugins, ad-blockers, or try to refresh this page 13:10
@mhuin:matrix.org I'm like 95% sure that's the issue - again that compose is meant for local testing, but since it's running on a VM there's going to be issues with URLs starting with `localhost` 13:11
@mhuin:matrix.org I strongly suggest testing that compose on your laptop or where you're running your browser if it's only for testing things out 13:12
@mhuin:matrix.org if you want to confirm the issue, open your browser's developer tools (ctrl+I usually) while you reproduce the autohold request, and check the networking panel 13:14
@joao15130:matrix.org it says status 404 autohold to domain <IP>:9000 13:16
@mhuin:matrix.org what's the exact API call made? 13:22
@joao15130:matrix.org {"change":null,"job":"powerflex-v4-cinder-tempest","ref":null,"reason":"Requested from the web UI by admin","count":1,"node_hold_expiration":86400} 13:24
@joao15130:matrix.org 13:25
```
POST
http://10.x.x.x:9000/api/tenant/openstack/project/openstack/autohold
```
@mhuin:matrix.org do you have a tenant named openstack? a project named openstack within that tenant? 13:26
@joao15130:matrix.org yes that's our tenant 13:26
@mhuin:matrix.org what about the project, is it correct? 13:27
@joao15130:matrix.org Oh I see 13:27
@joao15130:matrix.org project for now is opendev/ci-sandbox 13:28
@joao15130:matrix.org we're still testing 13:28
@joao15130:matrix.org project should be updated to openstack/cinder when we'll be ready 13:28
@joao15130:matrix.org ok 13:29
@joao15130:matrix.org I just replaced the project name and it works 13:29
@mhuin:matrix.org good 13:30
@joao15130:matrix.org I'm still learning all that stuff 13:30
-@gerrit:opendev.org- Dong Zhang proposed: [zuul/zuul] 942432: Implement zuul-web OIDC endpoints https://review.opendev.org/c/zuul/zuul/+/942432 13:30
-@gerrit:opendev.org- Dong Zhang proposed: [zuul/zuul] 942886: Prepare oidc token for playbook execution in executor. https://review.opendev.org/c/zuul/zuul/+/942886 13:31
-@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: 17:07
- [zuul/zuul] 942158: Add a test for Gerrit merge event order https://review.opendev.org/c/zuul/zuul/+/942158
- [zuul/zuul] 942159: Process gerrit change-merged events before ref-updated https://review.opendev.org/c/zuul/zuul/+/942159
-@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: [zuul/zuul] 942938: Add test for locked branch filtering on validation https://review.opendev.org/c/zuul/zuul/+/942938 18:11
-@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: [zuul/zuul] 942938: Add test for locked branch filtering on validation https://review.opendev.org/c/zuul/zuul/+/942938 18:13
-@gerrit:opendev.org- James E. Blair https://matrix.to/#/@jim:acmegating.com proposed: [zuul/nodepool] 942939: Clear allocation when unlocking failed node requests https://review.opendev.org/c/zuul/nodepool/+/942939 18:57
-@gerrit:opendev.org- Jeremy Stanley https://matrix.to/#/@fungicide:matrix.org proposed on behalf of James E. Blair https://matrix.to/#/@jim:acmegating.com: [zuul/nodepool] 942939: Clear allocation when unlocking failed node requests https://review.opendev.org/c/zuul/nodepool/+/942939 20:23
-@gerrit:opendev.org- Jeremy Stanley https://matrix.to/#/@fungicide:matrix.org proposed: [zuul/nodepool] 942945: Pin grpcio and revert googleapis-common-protos pin https://review.opendev.org/c/zuul/nodepool/+/942945 20:23
-@gerrit:opendev.org- Clark Boylan proposed on behalf of Jeremy Stanley https://matrix.to/#/@fungicide:matrix.org: [zuul/nodepool] 942945: Pin grpcio and revert googleapis-common-protos pin https://review.opendev.org/c/zuul/nodepool/+/942945 22:36
-@gerrit:opendev.org- Clark Boylan proposed on behalf of James E. Blair https://matrix.to/#/@jim:acmegating.com: [zuul/nodepool] 942939: Clear allocation when unlocking failed node requests https://review.opendev.org/c/zuul/nodepool/+/942939 22:36
