Fedora releng team (CCing @mohanboddu) is testing composes generation using the ODCS. We would like to use the same way for Fedora ELN too.
In order to build nightly composes automatically (by Jenkins job or some cron job on composer machine), we need "openidc service account" which can later be configured in the ODCS configuration and grant access to generate these composes.
The name is not that important, it can be "releng-odcs" or simply "releng" I guess.
The requested service account should have all the "odcs" scopes listed here:
https://fedoraproject.org/wiki/Infrastructure/Authentication#pagure.io.2Fodcs
Better be releng-odcs as I think there is already a releng service account for MBS. And if I am not wrong the service accounts end with @.
releng-odcs
releng
@
@mohanboddu if you want to take a look at this, there is a SOP (https://fedora-infra-docs.readthedocs.io/en/latest/sysadmin-guide/sops/ipsilon.html#generate-an-openid-connect-token) and also some more info in https://pagure.io/fedora-infrastructure/issue/7175.
Adding the token to ipsilon database will require an FBR tho.
I think we also want this in staging, right? We could do staging for now.
Metadata Update from @kevin: - Issue assigned to mohanboddu - Issue priority set to: Waiting on Assignee (was: Needs Review) - Issue tagged with: authentication, odcs
When I ran the script:
./scripts/generate-oidc-token releng-odcs -e 365 -s https://id.fedoraproject.org/scope/groups -s https://pagure.io/odcs/new-compose -s https://pagure.io/odcs/renew-compose -s https://pagure.io/odcs/delete-compose
It generated username as releng-odcs@service and client_id as releng-odcs. I guess we have to use releng-odcs@service as the username.
releng-odcs@service
Anyway, the work is done. And I learned a new thing today.
Metadata Update from @mohanboddu: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.