#9619 Create service account/bot for Fedora CI
Opened 3 years ago by bookwar. Modified 2 years ago

  • Describe the issue

To run koji builds for Fedora CI (scratch builds for testing and regular builds for ELN) we need a service account.

Currently we use the bpeck/jenkins-continuous-infra.apps.ci.centos.org user, see https://koji.fedoraproject.org/koji/userinfo?userID=3978

But we would like to have a dedicated bot account for Fedora CI SIG, owned by fedora-ci-admin FAS group.

  • When do you need this? (YYYY/MM/DD)

Not urgent, as we currently use the existing account.

  • When is this no longer needed or useful? (YYYY/MM/DD)

--

  • If we cannot complete your request, what is the impact?

Fedora CI infra uses a user account with no clear ownership.


Metadata Update from @mohanboddu:
- Issue tagged with: groomed, medium-gain, medium-trouble

3 years ago

So, you should be able to create the FAS account yourself... the only caveats:

  • You can't use a @fedoraproject.org email address for it at least initially... if you would like us to set it to fedora-ci-admin-users@fedoraproject.org or something, we can do that after the initial creation?

  • Please make sure it has 'bot' in the name or description so it's obvious it's a non-human account.

Metadata Update from @kevin:
- Issue untagged with: groomed, medium-gain, medium-trouble

3 years ago

Metadata Update from @pingou:
- Issue tagged with: groomed, medium-gain, medium-trouble

3 years ago

@kevin With the Fedora account system updated, can we reset this conversation and try again?

So we need credentials to run builds in Fedora Koji on behalf of Fedora CI SIG as a replacement for bpeck's account we use now.

Also we run builds for Fedora ELN SIG, but I think it is ok to reuse Fedora CI credentials for that.

Do I still need to register a Fedora CI bot, or can you create a service account for us?

We could make a service keytab for this now, sure. :)

For that we need to know:

  • Contacts for the keytab. Who do we notify if we need to expire it or push a new one?
  • An agreement from those people that they are responsible for any actions taken by that keytab, and they will keep it secure.

If you can add those, we can make a stg one and test out things, then send you a prod one?

We have fedora-ci-admins group, can it be made the owner of the service account?

https://accounts.fedoraproject.org/group/fedora-ci-admins/

Other options could be:

  • Use osci-admins+fedoraci@redhat.com. This is a dedicated private mailing list for the OSCI team admins at Red Hat. While the bot will operate for the Fedora CI SIG, the OSCI team can manage the account for that purpose.

  • My personal mail

  • Maybe some kind of dedicated private mailing list like fedora-ci-admins@fedoraproject.org ?

Well, I don't care too much what it is as long as we can contact people...

How about we add these to ansible with a comment containing the contact info (be it a mailing list, an alias, or a list of account names)?

Then we know who we have issued them to, how to contact them and can regenerate them again if needed via ansible.

There is another case of this in releng #10374

Take a look at https://pagure.io/releng/issue/10374#comment-761424 there. I am hoping to use that to base a doc from and make it all as self service as possible.
