Enable running kola AWS tests using separate credentials #130
Conversation
|
Any thoughts on using a different profile rather than a secondary credential file? It would allow us to not have to specify the export in every function context while still using the community account in |
I thought about something similar, which is just exporting the builds-bot config as There are 3 options:
|
|
We could also use a separate pod for testing, without the prod creds even mounted in. |
|
(I'd like to make more use of the fact that we're using Kubernetes, it's easy to run separated containers, rather than the "one big pod doing everything" flow we have today) |
|
I don't have a personal preference for any of the 3 options. Just wanted to throw out the idea to make sure that it was also considered. |
| aws_secret_access_key=key | ||
| EOF | ||
|
|
||
| oc create secret generic aws-fcos-kola-bot-config --from-file=config=/path/to/kola-secret |
There was a problem hiding this comment.
Is the IAM account called fcos-kola-bot? I'd like to keep the exact name of the IAM in the secret name to make things easier to track.
There was a problem hiding this comment.
yes the IAM user in the fedora community account is called fcos-kola-bot.
So no need for changes?
Yeah, I think we should do this eventually (I'd like to even make the building and uploading bits separate to narrow it down further -- related: #7). For reference, here's an approach where we edit the pod template on-the-fly based on some parameters: https://github.com/coreos/coreos-ci-lib/blob/67ec2b13db811ea9c601b210bd52aba51aa2791a/vars/coreos.groovy. Anyway, I don't think we should block on this, but should probably open a ticket (or we can just re-use #7 for it). |
dustymabe
force-pushed
the
kola-creds
branch
from
bd9b0ff
to
c5b9fb3
Compare
These help us understand why we chose the jnlp container and also why we don't block on the kola AWS runs.
Setting this is no longer needed after [1] was merged into the mantle codebase. [1] coreos/mantle#1028
This is prep to allow for us to have more than one AWS config. One for uploading/replicating/releasing builds and another one for testing those builds using kola. For now we'll use the AWS_FCOS_BUILDS_BOT_AWS_CONFIG var and explicitly set AWS_CONFIG_FILE each time we make a call that will use the AWS config for the fcos-builds-bot user in the prod Fedora AWS account.
In this PR we add the aws-fcos-kola-bot-config secret that represents credentials to use when running kola tests in AWS. This will allow us to upload builds to the prod Fedora Account (more locked down security) and do testing in our community Fedora Account where we have control over the credentials handed out.
dustymabe
force-pushed
the
kola-creds
branch
from
c5b9fb3
to
86557f5
Compare
We'd like to be able to run our kola AWS tests in a separate
account than the prod Fedora AWS account. The following
collection of commits enables us to specify different creds for
our build uploads and our kola tests.
Commit title summary: