PR#225: Add OIDC config - fedpkg

fedpkg

#225 Add OIDC config

Merged 5 years ago by cqi. Opened 5 years ago by puiterwijk.

puiterwijk/fedpkg oidc into master

Patrick Uiterwijk • 5 years ago

1e18e3e

file modified

		`@@ -16,6 +16,10 @@`
		`distgit_namespaced = True`
		`lookaside_namespaced = True`
		`kerberos_realms = STG.FEDORAPROJECT.ORG`
		`+ oidc_id_provider = https://id.stg.fedoraproject.org/openidc/`
		`+ oidc_client_id = fedpkg`
		`+ oidc_client_secret = notsecret`
		`+ oidc_scopes = openid,https://id.fedoraproject.org/scope/groups,https://mbs.fedoraproject.org/oidc/submit-build,https://src.fedoraproject.org/push`

		`[fedpkg-stage.bodhi]`
		`# Refer to fedpkg.conf`

conf/etc/rpkg/fedpkg.conf

file modified

		`@@ -16,6 +16,10 @@`
		`distgit_namespaced = True`
		`lookaside_namespaced = True`
		`kerberos_realms = FEDORAPROJECT.ORG`
		`+ oidc_id_provider = https://id.fedoraproject.org/openidc/`
		`+ oidc_client_id = fedpkg`
		`+ oidc_client_secret = notsecret`
		`+ oidc_scopes = openid,https://id.fedoraproject.org/scope/groups,https://mbs.fedoraproject.org/oidc/submit-build,https://src.fedoraproject.org/push`
cqi commented 5 years ago Why `submit-build` here? Does it also work for the `module-build` command?

		`[fedpkg.bodhi]`
		`# This is for the bodhi-client 1.x. that accepts --bodhi-dir option to switch`

puiterwijk commented 5 years ago

Signed-off-by: Patrick Uiterwijk puiterwijk@redhat.com

puiterwijk commented 5 years ago

Goes together with https://pagure.io/rpkg/pull-request/322 to enable https pushing.

rebased onto 1e18e3e

5 years ago

cqi commented on line 8 of conf/etc/rpkg/fedpkg.conf 5 years ago

Why submit-build here? Does it also work for the module-build command?

puiterwijk commented 5 years ago

My plan is to also update rpkg to use the same oidc_client for MBS.
So that users just grant fedpkg access once for all its tasks.

(but that's slightly down the road, after this stuff lands)

Edited 5 years ago by puiterwijk

cqi commented 5 years ago

Commit ab319fb fixes this pull-request

Pull-Request has been merged by cqi

5 years ago

Pull-Request has been merged by cqi

5 years ago

psss commented 5 years ago

Hi we would like to test the https-pushing feature. Could you please help me with the setup needed to make this working? Is there any special fedpkg config required? Shall we test with python setup.py install from the master branch or are there any packages available for testing? Thanks.

lsedlar commented 5 years ago

@psss I have a COPR with packages from git, but they are quite likely broken (wrong requires).

You could test it with virtualenv

$ virtualenv --system-site-packages venv
$ . venv/bin/activate
$ python setup.py install # in rpkg clone
$ python setup.py install # in fedpkg clone

That should give you the latest git version of the code, and dependencies from system. You may need to update /etc/rpkg/fedpkg.conf with the changes from this PR, or use fedpkg -C path/to/modified/config.

psss commented 5 years ago

Thanks for the hint. I was not able to install rpkg/fedpkg under virtualenv but I tested with root on a virtual machine and was able to push.