Correct use of system-scoped tokens in CI #3064
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@dtantsur for review, please |
We were setting OS_SYSTEM_SCOPE in some of the functional ironic tests.
This was resulting in the following errors when attempting to create
resources:
Authentication cannot be scoped to multiple targets. Pick one of:
project, domain, trust, system or unscoped
Unfortunately, because we weren't setting 'errexit' ('set -e') this
wasn't being noticed, but we can "correct" things now. I say "correct"
because, adding to the misfortune, how we fix this is technically
incorrect - you should have project-scoped configuration *or*
system-scoped, not both - but since we don't yet have the infrastructure
to switch between sets of auth info on a test-by-test basis, we need to
do a Bad Thing. Hopefully this will be a short-lived thing.
Signed-off-by: Stephen Finucane <[email protected]>
Signed-off-by: Stephen Finucane <[email protected]>
|
So the initial attempt at this failed CI because while some of our tests require system-scoped tokens, others require project-scoped tokens. I've removed some of the rework here and added a large |
dtantsur
approved these changes
May 28, 2024
EmilienM
approved these changes
May 28, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Per the commit message in the first commit here, we are currently seeing the following error messages in some baremetal jobs:
The only reason these are not causing failures yet is because we're not setting
errexitin the scripts. Once we do (as we're doing in #3046), we get failures.The fix is unset any project- or domain-specific envvars once we detect we are using system-scoped tokens.Edit: The fix is to set both configuration for both project- and system-scoped tokens but only after we've completed all of our OSC invocations, side-stepping the above issue.
We also run the whole script through shellcheck to prevent further issues like this creeping in.