#14 Allow logging into kerberos directly from the python code
Merged 4 years ago by pingou. Opened 4 years ago by pingou.
fedora-ci/ pingou/monitor-gating master  into  master

file modified
-2
@@ -10,12 +10,10 @@ 

  if [ -z ${PRODUCTION+x} ]; then

  # Staging info

  echo "Running in staging"

- kinit monitor-gating/os-master01.stg.phx2.fedoraproject.org@STG.FEDORAPROJECT.ORG -kt /etc/keytabs/koji-keytab

  ssh-keyscan pkgs.stg.fedoraproject.org >> /.ssh/known_hosts

  else

  # Prod info

  echo "Running in production"

- kinit packagerbot/os-master01.phx2.fedoraproject.org@FEDORAPROJECT.ORG -kt /etc/keytabs/monitor-gating-keytab

  ssh-keyscan pkgs.fedoraproject.org >> /.ssh/known_hosts

  fi

  

file modified
+6
@@ -20,3 +20,9 @@ 

  branch = "master"

  pagure_token = "<to edit>"

  koji_end_tag = "f33"

+ 

+ # Those values are commented out as they will not work in a dev environment

+ # where it is advised that the developer runs kinit manually before running the

+ # project.

+ # kb_principal = "packagerbot/os-master01.phx2.fedoraproject.org@FEDORAPROJECT.ORG"

+ # kb_keytab_file = "/etc/keytabs/monitor-gating-keytab"

file modified
+7
@@ -17,6 +17,7 @@ 

  

  import monitor_gating_single_build

  import monitor_gating_multi_builds

+ from utils import run_command

  

  s = sched.scheduler(time.time, time.sleep)

  conf = toml.load
@@ -52,6 +53,12 @@ 

  

  def schedule(conf):

      """ Run the test and schedules the next one. """

+ 

+     if conf.get("kb_principal") and conf.get("kb_keytab_file"):

+         print(f"Logging into kerberos using: {conf['kb_keytab_file']}")

+         cmd = ["kinit", conf["kb_principal"], "-kt", conf["kb_keytab_file"]]

+         run_command(cmd)

+ 

      delay = conf["delay"]

      delay_when_failing = conf["delay_when_failing"]

      blocker_tags = conf["blocker_tags"]

This solves the issue of ticket expiring underneath us, this
way each run will have re-logged in using the keytab thus
ensuring that we are good to proceed in that front.

Signed-off-by: Pierre-Yves Chibon pingou@pingoured.fr

I like we use kb_principal config instead of having it hardcoded in the entrypoint :-)

Based on my knowledge of kerberos, this should work, I am not entirely sure though.

Still lgtm.

I'm not sure either tbh, but I plan on using staging to test this :)

Thanks for the review!

Pull-Request has been merged by pingou

4 years ago