We talked about this on the list and in the meeting and at the Raleigh hackathon.
The solution is to not have a FAS account, but to blacklist the account name in FAS.
We need to eventually be able to do several things (OSBS builds, MBS builds, dist-git commits). For the first round, we'll only need an ssh key created for this username in dist-git, with special privileges just to push to the modules/ namespace.
I filed this ticket to track discussion because I went to go look at this in staging today and got confused.
It looks like when I push to dist-git, I do it as myself with ssh://ralph@pkgs.stg.fedoraproject.org/modules/testmodule.
Do we first need a shell account on the box(es) before figuring out the keys?
When we were in Raleigh, someone said something about being able to use the git user for ssh push access, which would mean we would not need a freshmaker shell account on pkgs01. Does anyone remember the details?
/cc @pingou and @puiterwijk
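The restriction described above (a key for the bot that may only push into the modules/ namespace) can be expressed with an SSH forced command in authorized_keys. The script below is an added example, not the dist-git or pkgs01 configuration; the script path, the repository root, the push-only policy and the use of a plain forced command instead of dist-git's own access layer are all assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: confine one SSH key to pushes into a single dist-git namespace.
# The authorized_keys line for the bot would look like this (hypothetical path):
#   command="/usr/local/bin/freshmaker-shell",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA... freshmaker
# sshd then runs this script and puts the client's requested git command in
# SSH_ORIGINAL_COMMAND; the script decides whether to run it.

# Assumed values for the example: allowed namespace and bare-repo root.
ALLOWED_NS="modules/"
REPO_ROOT="/srv/git/repositories"

# allow_push CMD
#   Prints the relative repository path and returns 0 when CMD is a push
#   (git-receive-pack) into the allowed namespace; returns 1 for anything else.
allow_push() {
    cmd="$1"
    prefix="git-receive-pack '"
    q="'"

    # Only pushes are permitted; clones and fetches (git-upload-pack) are not.
    case "$cmd" in
        "$prefix"*"$q") ;;
        *) return 1 ;;
    esac

    # Extract the quoted repository argument.
    repo="${cmd#"$prefix"}"
    repo="${repo%"$q"}"
    repo="${repo#/}"        # tolerate a leading slash
    repo="${repo%.git}"     # tolerate an explicit .git suffix

    case "$repo" in
        */../*|../*|*/..|..) return 1 ;;   # no path traversal
        *" "*|*"$q"*|*'$'*)  return 1 ;;   # no whitespace, quotes or expansions
        "$ALLOWED_NS"*) ;;                 # must live under modules/
        *) return 1 ;;
    esac

    # Reject the bare namespace itself ("modules/" with nothing after it).
    [ -n "${repo#"$ALLOWED_NS"}" ] || return 1

    printf '%s\n' "$repo"
    return 0
}

# Entry point when invoked by sshd. Guarded so the file can also be sourced.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if repo=$(allow_push "$SSH_ORIGINAL_COMMAND"); then
        exec git-receive-pack "$REPO_ROOT/$repo.git"
    fi
    printf 'this key may only push to %s\n' "$ALLOWED_NS" >&2
    exit 1
fi
```

For a push to ssh://host/modules/testmodule git sends `git-receive-pack 'modules/testmodule'`, which passes; a push to rpms/ or any fetch is refused before git is ever executed. Read access for the bot is assumed to go over anonymous HTTPS, which is why the key does not need git-upload-pack.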
OK, the gist is that:
We can try setting this up in staging, but I'm going to wait a week or two until pagure there stabilizes.
I understand if we have a narrow need for a bot account to just make a keytab, etc, but in this case would it be less work to just make it in fas? Then it has an account and isn't special...
Yeah, that feels like much less work to me too.
@puiterwijk objected in that then we would have a real account that, if it got compromised, it would have access to more things than it should. FAS accounts get "personhood" everywhere.
Metadata Update from @ralph: - Issue tagged with: freshmaker
So, with some recent plans to change dist-git pushing, we are now not going to need a user and/or SSH key for this purpose, but instead just a long-lived OIDC token, probably we can use the same token as for speaking to MBS.
Metadata Update from @ralph: - Issue tagged with: authentication
Yeah, as soon as we roll out the token based access to pkgs via https we should be able to just use an OIDC token for this account. Is there a timeframe this is needed by?
Metadata Update from @kevin: - Issue priority set to: Waiting on External
Any news on token based access to src.fp.o?
@ralph It is already implemented and deployed in production. OIDC token alone is enough to push to dist-git and to authenticate to Pagure. Neither Kerberos ticket nor SSH key is needed.
Thanks @mizdebsk. I guess we still need a freshmaker account here and then an OIDC token granted for it added to the secrets repo.
Do you need both stg and prod?
I think the steps here are:
blacklist the freshmaker user in FAS (roles/fas_server/templates/fas.cfg.j2)
use scripts/generate-oidc-token to generate tokens and insert them in ipsilon prod/stg
profit
You want me to make those tokens? Or would you like to, you should have access.
@ralph any updates from you on this?
we might want to cc @lucarval too :)
@kevin, it would be great to have those tokens in place for Freshmaker. The steps you outlined seem reasonable to me. (I don't have access to do that myself though).
The community doesn't currently have the bandwidth to pursue deploying Freshmaker in Fedora to rebuild modules right now. Let's close out this issue until we're ready to do so.
ok. Should we keep our partial deployment alive for now, or remove those VMs/config from ansible as well?
Metadata Update from @kevin: - Issue close_status updated to: Will Not/Can Not fix - Issue status updated to: Closed (was: Open)