ci: Generate MinIO credentials within LAVA jobs
As these credentials are valid only for 15 minutes, generate them closer to when they are going to be used. Signed-off-by: Tomeu Vizoso <tomeu.vizoso@collabora.com> Reviewed-by: Daniel Stone <daniels@collabora.com> Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/6124>
parent
cb82274538
commit
e933ac21cb
|
@ -43,7 +43,7 @@ kernel+rootfs_armhf:
|
|||
variables:
|
||||
GIT_STRATEGY: none # testing doesn't build anything from source
|
||||
ENV_VARS: "DEQP_PARALLEL=6"
|
||||
FIXED_ENV_VARS: "CI_PIPELINE_ID=${CI_PIPELINE_ID} CI_JOB_ID=${CI_JOB_ID} CI_PROJECT_PATH=${CI_PROJECT_PATH} TRACIE_NO_UNIT_TESTS=1 TRACIE_UPLOAD_TO_MINIO=1"
|
||||
FIXED_ENV_VARS: "CI_PIPELINE_ID=${CI_PIPELINE_ID} CI_JOB_ID=${CI_JOB_ID} CI_PROJECT_PATH=${CI_PROJECT_PATH} CI_JOB_JWT=${CI_JOB_JWT} TRACIE_NO_UNIT_TESTS=1 TRACIE_UPLOAD_TO_MINIO=1"
|
||||
DEQP_VERSION: gles2
|
||||
ARTIFACTS_PREFIX: "https://minio-packet.freedesktop.org/mesa-lava/"
|
||||
MESA_URL: "https://minio-packet.freedesktop.org/artifacts/${CI_PROJECT_PATH}/${CI_PIPELINE_ID}/mesa-${ARCH}.tar.gz"
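Review bot: The new `FIXED_ENV_VARS` value interpolates `CI_JOB_JWT`, a bearer token, into a string that is handed on to the LAVA job, and nothing in this hunk says where that string ends up. If it is written into the submitted job definition or echoed during boot (the consumer is not visible here, so this is an assumption to confirm), anyone who can read those definitions or logs can read the token for as long as it is valid. A comment above the line would record the constraint, for example `# CI_JOB_JWT is a bearer token: job definitions and logs carrying FIXED_ENV_VARS must stay private`. The `variables:` block this line belongs to starts outside the hunk.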
|
||||
|
|
|
@ -38,10 +38,6 @@ cp -Rp .gitlab-ci/deqp-runner.sh install/
|
|||
cp -Rp .gitlab-ci/deqp-*-fails.txt install/
|
||||
cp -Rp .gitlab-ci/deqp-*-skips.txt install/
|
||||
|
||||
ci-fairy minio login $CI_JOB_JWT
|
||||
# These credentials will be used for uploading artifacts from test jobs
|
||||
cp .minio_credentials install/
|
||||
|
||||
# Tar up the install dir so that symlinks and hardlinks aren't each
|
||||
# packed separately in the zip file.
|
||||
mkdir -p artifacts/
|
||||
|
@ -55,5 +51,6 @@ if [ -n "$UPLOAD_FOR_LAVA" ]; then
|
|||
|
||||
gzip -c artifacts/install.tar > mesa-${DEBIAN_ARCH}.tar.gz
|
||||
MINIO_PATH=minio-packet.freedesktop.org/artifacts/${CI_PROJECT_PATH}/${CI_PIPELINE_ID}
|
||||
ci-fairy minio login $CI_JOB_JWT
|
||||
ci-fairy minio cp mesa-${DEBIAN_ARCH}.tar.gz minio://${MINIO_PATH}/mesa-${DEBIAN_ARCH}.tar.gz
|
||||
fi
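Review bot: The added `ci-fairy minio login $CI_JOB_JWT` passes the job token as an unquoted command-line argument. Quote it, `ci-fairy minio login "$CI_JOB_JWT"`, so an empty or malformed value fails as one argument rather than being dropped or word-split. Because the token is on the command line, it is also printed if this script is ever run with shell tracing (`set -x`); whether tracing is enabled is not visible here. The `if [ -n "$UPLOAD_FOR_LAVA" ]` block starts outside the hunk.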
|
||||
|
|
|
@ -31,9 +31,6 @@ export PAGER=cat
|
|||
RESULTS=`pwd`/results
|
||||
mkdir -p $RESULTS
|
||||
|
||||
# For artifact uploads to MinIO
|
||||
cp install/.minio_credentials .
|
||||
|
||||
# Perform a self-test to ensure tracie is working properly.
|
||||
if [ -z "$TRACIE_NO_UNIT_TESTS" ]; then
|
||||
TRACIE_UPLOAD_TO_MINIO=0 python3 -m pytest -v --pyargs $INSTALL/tracie/tests/test.py
|
||||
|
|
|
@ -20,9 +20,6 @@ export WINEESYNC=1
|
|||
export DXVK_LOG_LEVEL="none"
|
||||
export DXVK_STATE_CACHE=0
|
||||
|
||||
# For artifact uploads to MinIO
|
||||
cp install/.minio_credentials .
|
||||
|
||||
# Perform a self-test to ensure tracie is working properly.
|
||||
python3 -m pytest -v --pyargs $INSTALL/tracie/tests/test.py
|
||||
|
||||
|
|
|
@ -13,6 +13,7 @@ import tempfile
|
|||
import time
|
||||
import yaml
|
||||
import shutil
|
||||
import xml.etree.ElementTree as ET
|
||||
|
||||
from email.utils import formatdate
|
||||
from pathlib import Path
|
||||
|
@ -26,6 +27,8 @@ RESULTS_PATH = "./results/"
|
|||
MINIO_HOST = "minio-packet.freedesktop.org"
|
||||
DASHBOARD_URL = "https://tracie.freedesktop.org/dashboard"
|
||||
|
||||
minio_credentials = None
|
||||
|
||||
def replay(trace_path, device_name):
|
||||
success = dump_trace_images.dump_from_trace(trace_path, [], device_name)
|
||||
|
||||
|
@ -70,12 +73,38 @@ def sign_with_hmac(key, message):
|
|||
|
||||
return base64.encodebytes(signature).strip().decode()
|
||||
|
||||
def ensure_minio_credentials():
|
||||
global minio_credentials
|
||||
|
||||
if minio_credentials is None:
|
||||
minio_credentials = {}
|
||||
|
||||
params = {'Action': 'AssumeRoleWithWebIdentity',
|
||||
'Version': '2011-06-15',
|
||||
'RoleArn': 'arn:aws:iam::123456789012:role/FederatedWebIdentityRole',
|
||||
'RoleSessionName': '%s:%s' % (os.environ['CI_PROJECT_PATH'], os.environ['CI_JOB_ID']),
|
||||
'DurationSeconds': 900,
|
||||
'WebIdentityToken': os.environ['CI_JOB_JWT']}
|
||||
r = requests.post('https://%s' % (MINIO_HOST), params=params)
|
||||
if r.status_code >= 400:
|
||||
print(r.text)
|
||||
r.raise_for_status()
|
||||
|
||||
root = ET.fromstring(r.text)
|
||||
for attr in root.iter():
|
||||
if attr.tag == '{https://sts.amazonaws.com/doc/2011-06-15/}AccessKeyId':
|
||||
minio_credentials['AccessKeyId'] = attr.text
|
||||
elif attr.tag == '{https://sts.amazonaws.com/doc/2011-06-15/}SecretAccessKey':
|
||||
minio_credentials['SecretAccessKey'] = attr.text
|
||||
elif attr.tag == '{https://sts.amazonaws.com/doc/2011-06-15/}SessionToken':
|
||||
minio_credentials['SessionToken'] = attr.text
|
||||
|
||||
def upload_to_minio(file_name, resource, content_type):
|
||||
with open('.minio_credentials', 'r') as f:
|
||||
credentials = json.load(f)[MINIO_HOST]
|
||||
minio_key = credentials["AccessKeyId"]
|
||||
minio_secret = credentials["SecretAccessKey"]
|
||||
minio_token = credentials["SessionToken"]
|
||||
ensure_minio_credentials()
|
||||
|
||||
minio_key = minio_credentials['AccessKeyId']
|
||||
minio_secret = minio_credentials['SecretAccessKey']
|
||||
minio_token = minio_credentials['SessionToken']
|
||||
|
||||
date = formatdate(timeval=None, localtime=False, usegmt=True)
|
||||
url = 'https://%s%s' % (MINIO_HOST, resource)
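Review bot: `ensure_minio_credentials()` sets `minio_credentials = {}` before the STS request has succeeded and never refreshes it, so a response missing a field surfaces as a bare `KeyError` in `upload_to_minio()`, any call made after a failed request skips the fetch and fails the same way, and a run that outlives the 900-second `DurationSeconds` keeps signing with expired credentials. Build the result in a local dict, assign the global only once all three fields are present, and record a refresh time; the `requests.post` call also has no `timeout`, so a stalled endpoint can hang the job. Separately, `params=` puts `CI_JOB_JWT` in the request URL, where proxy and server access logs may record it; whether this MinIO endpoint accepts the same fields as a form body (`data=params`) should be checked before changing it. `upload_to_minio` continues past the end of the hunk.

```python
def ensure_minio_credentials():
    global minio_credentials

    # Reuse cached credentials only while they are comfortably inside the
    # 900 s lifetime requested below.
    if minio_credentials is not None and time.monotonic() < minio_credentials['refresh_at']:
        return

    # … unchanged: params dict …
    r = requests.post('https://%s' % (MINIO_HOST), params=params, timeout=60)
    # … unchanged: status check and ET.fromstring(r.text) …

    fresh = {'refresh_at': time.monotonic() + 840}
    # … unchanged: loop over root.iter(), storing into fresh instead of minio_credentials …
    missing = [k for k in ('AccessKeyId', 'SecretAccessKey', 'SessionToken') if k not in fresh]
    if missing:
        raise RuntimeError('STS response lacks %s' % ', '.join(missing))
    minio_credentials = fresh
```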
|
||||
|
|