mirror of https://gitlab.freedesktop.org/mesa/mesa
ci: Use id_tokens for JWT auth
Fixes: #9180 Signed-off-by: Guilherme Gallo <guilherme.gallo@collabora.com> Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/28916>
parent
2639c91052
commit
7101aecc53
|
@ -72,7 +72,7 @@ variables:
|
|||
bash download-git-cache.sh
|
||||
rm download-git-cache.sh
|
||||
set +o xtrace
|
||||
CI_JOB_JWT_FILE: /minio_jwt
|
||||
S3_JWT_FILE: /s3_jwt
|
||||
S3_HOST: s3.freedesktop.org
|
||||
# per-pipeline artifact storage on MinIO
|
||||
PIPELINE_ARTIFACTS_BASE: ${S3_HOST}/artifacts/${CI_PROJECT_PATH}/${CI_PIPELINE_ID}
|
||||
|
@ -101,8 +101,8 @@ default:
|
|||
export SCRIPTS_DIR=$(mktemp -d) &&
|
||||
curl -L -s --retry 4 -f --retry-all-errors --retry-delay 60 -O --output-dir "${SCRIPTS_DIR}" "${CI_PROJECT_URL}/-/raw/${CI_COMMIT_SHA}/.gitlab-ci/setup-test-env.sh" &&
|
||||
. ${SCRIPTS_DIR}/setup-test-env.sh &&
|
||||
echo -n "${CI_JOB_JWT}" > "${CI_JOB_JWT_FILE}" &&
|
||||
unset CI_JOB_JWT # Unsetting vulnerable env variables
|
||||
echo -n "${S3_JWT}" > "${S3_JWT_FILE}" &&
|
||||
unset CI_JOB_JWT S3_JWT # Unsetting vulnerable env variables
|
||||
|
||||
after_script:
|
||||
# Work around https://gitlab.com/gitlab-org/gitlab/-/issues/20338
|
||||
|
@ -111,9 +111,9 @@ default:
|
|||
- >
|
||||
set +x
|
||||
|
||||
test -e "${CI_JOB_JWT_FILE}" &&
|
||||
export CI_JOB_JWT="$(<${CI_JOB_JWT_FILE})" &&
|
||||
rm "${CI_JOB_JWT_FILE}"
|
||||
test -e "${S3_JWT_FILE}" &&
|
||||
export S3_JWT="$(<${S3_JWT_FILE})" &&
|
||||
rm "${S3_JWT_FILE}"
|
||||
|
||||
# Retry when job fails. Failed jobs can be found in the Mesa CI Daily Reports:
|
||||
# https://gitlab.freedesktop.org/mesa/mesa/-/issues/?sort=created_date&state=opened&label_name%5B%5D=CI%20daily
|
||||
|
@ -266,8 +266,7 @@ make git archive:
|
|||
# compress the current folder
|
||||
- tar -cvzf ../$CI_PROJECT_NAME.tar.gz .
|
||||
|
||||
- ci-fairy s3cp --token-file "${CI_JOB_JWT_FILE}" ../$CI_PROJECT_NAME.tar.gz https://$S3_HOST/git-cache/$CI_PROJECT_NAMESPACE/$CI_PROJECT_NAME/$CI_PROJECT_NAME.tar.gz
|
||||
|
||||
- ci-fairy s3cp --token-file "${S3_JWT_FILE}" ../$CI_PROJECT_NAME.tar.gz https://$S3_HOST/git-cache/$CI_PROJECT_NAMESPACE/$CI_PROJECT_NAME/$CI_PROJECT_NAME.tar.gz
|
||||
|
||||
# Sanity checks of MR settings and commit logs
|
||||
sanity:
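Review bot: In the `default:` script hunk (`@ -101`), `echo -n "${S3_JWT}" > "${S3_JWT_FILE}"` creates `/s3_jwt` under the shell's default umask, and no umask or chmod is visible in the hunk, so the token file is probably readable by every user in the job container. Writing it under a restrictive mask keeps it owner-only, for example `(umask 077 && echo -n "${S3_JWT}" > "${S3_JWT_FILE}") &&`. The bare-metal script section later copies the same file with plain `cp` into `${rootfs_dst}`, so the mode chosen here carries over to that copy as well. It may also be worth putting `: "${S3_JWT:?}" &&` before the write, so a job that did not receive the token fails here instead of writing an empty file and failing at the first `ci-fairy s3cp`. The enclosing script block starts and ends outside the hunk.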
|
||||
|
|
|
@ -13,7 +13,7 @@ date +'%F %T'
|
|||
|
||||
# Make JWT token available as file in the bare-metal storage to enable access
|
||||
# to MinIO
|
||||
cp "${CI_JOB_JWT_FILE}" "${rootfs_dst}${CI_JOB_JWT_FILE}"
|
||||
cp "${S3_JWT_FILE}" "${rootfs_dst}${S3_JWT_FILE}"
|
||||
|
||||
date +'%F %T'
|
||||
|
||||
|
|
|
@ -10,7 +10,7 @@ VARS=(
|
|||
CI_COMMIT_REF_NAME
|
||||
CI_COMMIT_TITLE
|
||||
CI_JOB_ID
|
||||
CI_JOB_JWT_FILE
|
||||
S3_JWT_FILE
|
||||
CI_JOB_STARTED_AT
|
||||
CI_JOB_NAME
|
||||
CI_JOB_URL
|
||||
|
|
|
@ -217,7 +217,7 @@ cleanup
|
|||
# upload artifacts
|
||||
if [ -n "$S3_RESULTS_UPLOAD" ]; then
|
||||
tar --zstd -cf results.tar.zst results/;
|
||||
ci-fairy s3cp --token-file "${CI_JOB_JWT_FILE}" results.tar.zst https://"$S3_RESULTS_UPLOAD"/results.tar.zst;
|
||||
ci-fairy s3cp --token-file "${S3_JWT_FILE}" results.tar.zst https://"$S3_RESULTS_UPLOAD"/results.tar.zst;
|
||||
fi
|
||||
|
||||
# We still need to echo the hwci: mesa message, as some scripts rely on it, such
|
||||
|
|
|
@ -365,8 +365,8 @@ popd
|
|||
|
||||
. .gitlab-ci/container/container_post_build.sh
|
||||
|
||||
ci-fairy s3cp --token-file "${CI_JOB_JWT_FILE}" /lava-files/"${ROOTFSTAR}" \
|
||||
ci-fairy s3cp --token-file "${S3_JWT_FILE}" /lava-files/"${ROOTFSTAR}" \
|
||||
https://${S3_PATH}/"${ROOTFSTAR}"
|
||||
|
||||
touch /lava-files/done
|
||||
ci-fairy s3cp --token-file "${CI_JOB_JWT_FILE}" /lava-files/done https://${S3_PATH}/done
|
||||
ci-fairy s3cp --token-file "${S3_JWT_FILE}" /lava-files/done https://${S3_PATH}/done
|
||||
|
|
|
@ -30,7 +30,7 @@ artifacts/ci-common/generate-env.sh | tee results/job-rootfs-overlay/set-job-env
|
|||
section_end variables
|
||||
|
||||
tar zcf job-rootfs-overlay.tar.gz -C results/job-rootfs-overlay/ .
|
||||
ci-fairy s3cp --token-file "${CI_JOB_JWT_FILE}" job-rootfs-overlay.tar.gz "https://${JOB_ROOTFS_OVERLAY_PATH}"
|
||||
ci-fairy s3cp --token-file "${S3_JWT_FILE}" job-rootfs-overlay.tar.gz "https://${JOB_ROOTFS_OVERLAY_PATH}"
|
||||
|
||||
ARTIFACT_URL="${FDO_HTTP_CACHE_URI:-}https://${PIPELINE_ARTIFACTS_BASE}/${S3_ARTIFACT_NAME:?}.tar.zst"
|
||||
|
||||
|
@ -50,7 +50,7 @@ PYTHONPATH=artifacts/ artifacts/lava/lava_job_submitter.py \
|
|||
--ci-project-dir "${CI_PROJECT_DIR}" \
|
||||
--device-type "${DEVICE_TYPE}" \
|
||||
--dtb-filename "${DTB}" \
|
||||
--jwt-file "${CI_JOB_JWT_FILE}" \
|
||||
--jwt-file "${S3_JWT_FILE}" \
|
||||
--kernel-image-name "${KERNEL_IMAGE_NAME}" \
|
||||
--kernel-image-type "${KERNEL_IMAGE_TYPE}" \
|
||||
--boot-method "${BOOT_METHOD}" \
|
||||
|
|
|
@ -193,7 +193,7 @@ class LAVAJobDefinition:
|
|||
"set +x # HIDE_START",
|
||||
f'echo -n "{jwt_file.read()}" > "{self.job_submitter.jwt_file}"',
|
||||
"set -x # HIDE_END",
|
||||
f'echo "export CI_JOB_JWT_FILE={self.job_submitter.jwt_file}" >> /set-job-env-vars.sh',
|
||||
f'echo "export S3_JWT_FILE={self.job_submitter.jwt_file}" >> /set-job-env-vars.sh',
|
||||
]
|
||||
else:
|
||||
download_steps += [
|
||||
|
|
|
@ -8,7 +8,7 @@ set -ex
|
|||
export PAGER=cat # FIXME: export everywhere
|
||||
|
||||
INSTALL=$(realpath -s "$PWD"/install)
|
||||
S3_ARGS="--token-file ${CI_JOB_JWT_FILE}"
|
||||
S3_ARGS="--token-file ${S3_JWT_FILE}"
|
||||
|
||||
RESULTS=$(realpath -s "$PWD"/results)
|
||||
mkdir -p "$RESULTS"
|
||||
|
|
|
@ -60,7 +60,7 @@ if [ -n "$S3_ARTIFACT_NAME" ]; then
|
|||
# Pass needed files to the test stage
|
||||
S3_ARTIFACT_NAME="$S3_ARTIFACT_NAME.tar.zst"
|
||||
zstd artifacts/install.tar -o ${S3_ARTIFACT_NAME}
|
||||
ci-fairy s3cp --token-file "${CI_JOB_JWT_FILE}" ${S3_ARTIFACT_NAME} https://${PIPELINE_ARTIFACTS_BASE}/${S3_ARTIFACT_NAME}
|
||||
ci-fairy s3cp --token-file "${S3_JWT_FILE}" ${S3_ARTIFACT_NAME} https://${PIPELINE_ARTIFACTS_BASE}/${S3_ARTIFACT_NAME}
|
||||
fi
|
||||
|
||||
section_end prepare-artifacts
|
||||
|
|
|
@ -158,7 +158,7 @@ python-test:
|
|||
exclude:
|
||||
- results/*.shader_cache
|
||||
variables:
|
||||
PIGLIT_REPLAY_EXTRA_ARGS: --db-path ${CI_PROJECT_DIR}/replayer-db/ --minio_bucket=mesa-tracie-public --jwt-file=${CI_JOB_JWT_FILE}
|
||||
PIGLIT_REPLAY_EXTRA_ARGS: --db-path ${CI_PROJECT_DIR}/replayer-db/ --minio_bucket=mesa-tracie-public --jwt-file=${S3_JWT_FILE}
|
||||
# until we overcome Infrastructure issues, give traces extra 5 min before timeout
|
||||
DEVICE_HANGING_TIMEOUT_SEC: 600
|
||||
script:
|
||||
|
|
|
@ -89,7 +89,7 @@ radv-raven-traces-restricted:x86_64:
|
|||
PIGLIT_REPLAY_ANGLE_TAG: "2023-02-10-1"
|
||||
PIGLIT_TRACES_FILE: restricted-traces-amd.yml
|
||||
PIGLIT_REPLAY_DEVICE_NAME: "vk-${GPU_VERSION}"
|
||||
PIGLIT_REPLAY_EXTRA_ARGS: --keep-image --minio_bucket=mesa-tracie-private --jwt-file=${CI_JOB_JWT_FILE}
|
||||
PIGLIT_REPLAY_EXTRA_ARGS: --keep-image --minio_bucket=mesa-tracie-private --jwt-file=${S3_JWT_FILE}
|
||||
FDO_CI_CONCURRENT: 10
|
||||
|
||||
radeonsi-raven-piglit-quick_gl:x86_64:
|
||||
|
|
|
@ -268,7 +268,7 @@ a630-traces-restricted:
|
|||
- .google-freedreno-rules-restricted
|
||||
variables:
|
||||
PIGLIT_TRACES_FILE: restricted-traces-freedreno.yml
|
||||
PIGLIT_REPLAY_EXTRA_ARGS: "--download-caching-proxy-url=http://10.42.0.1:8888/cache/?uri= --db-path ${CI_PROJECT_DIR}/replayer-db/ --minio_bucket=mesa-tracie-private --jwt-file=${CI_JOB_JWT_FILE}"
|
||||
PIGLIT_REPLAY_EXTRA_ARGS: "--download-caching-proxy-url=http://10.42.0.1:8888/cache/?uri= --db-path ${CI_PROJECT_DIR}/replayer-db/ --minio_bucket=mesa-tracie-private --jwt-file=${S3_JWT_FILE}"
|
||||
allow_failure: true
|
||||
|
||||
a630-traces-performance:
|
||||
|
|
|
@ -78,7 +78,7 @@ zink-anv-tgl-traces-restricted:
|
|||
- .zink-anv-rules-restricted
|
||||
variables:
|
||||
PIGLIT_TRACES_FILE: traces-zink-restricted.yml
|
||||
PIGLIT_REPLAY_EXTRA_ARGS: --db-path ${CI_PROJECT_DIR}/replayer-db/ --minio_bucket=mesa-tracie-private --jwt-file=${CI_JOB_JWT_FILE}
|
||||
PIGLIT_REPLAY_EXTRA_ARGS: --db-path ${CI_PROJECT_DIR}/replayer-db/ --minio_bucket=mesa-tracie-private --jwt-file=${S3_JWT_FILE}
|
||||
allow_failure: true
|
||||
|
||||
zink-tu-a618:
|
||||
|
|