I created and maintain the site with Fedora packager sponsors https://docs.pagure.org/fedora-sponsors/
It is a static site deployed on docs.pagure.org. Although it is a static site, it needs to be periodically rebuilt to display new sponsors or their settings. This can be done daily, or even weekly, both are fine.
Here is my deployment script https://gist.github.com/FrostyX/13fdf75cdab40087087f0f22bb45fef7
I would like to run this via Cron at frostyx@fedorapeople.org but the problem is that it requires running fkinit first.
@mbooth mentioned "Kerberos service principals", which, I assume, are basically application passwords that can be generated and used instead of personal credentials. Can you please create something like this for me? Or anything else that would help my situation.
When it fits your schedule
Metadata Update from @zlopez: - Issue priority set to: Waiting on Assignee (was: Needs Review) - Issue tagged with: low-gain, medium-trouble, ops
So, that's not going to be an option here. Fedorapeople is a shared server and we do not want people to store private credentials there. :(
So, let's think of alternatives...
What are the requirements here? You need to build the site and push it to the repo? What exactly are the credentials needed for?
So, that's not going to be an option here. Fedorapeople is a shared server and we do not want people to store private credentials there. :( So, let's think of alternatives...
Alright :-)
What are the requirements here?
Very simple. I have a script that I want to be executed weekly. It doesn't really matter to me what server is going to run it.
You need to build the site and push it to the repo?
Indeed, the script pushes things to ssh://git@pagure.io/docs/fedora-sponsors.git. That shouldn't be a problem, I can AFAIK generate some application key for that.
What exactly are the credentials needed for?
This tracebacks if you don't do fkinit first.
    from fasjson_client import Client
    Client("https://fasjson.fedoraproject.org/")
For the record, in fasjson_client version 1.0.1 (F35+) it is possible to specify auth=False when initializing the Client. https://github.com/fedora-infra/fasjson-client/pull/85 But it is meant only for testing purposes and it doesn't work for me on the production instance, so I guess this won't be an option.
What about using @fedorathirdparty user for this? Purpose of this user is to give read-only access to the accounts system from scripts. Password for this user is widely-known, to all packagers, QA and sysadmins who know where to find it. You can create a Kerberos keytab from password using ktutil.
Yes, I suppose that could work, but fedorapeople shouldn't be used here. It's not meant for building things, just sharing them.
What about using @fedorathirdparty user for this?
@mizdebsk sent me detailed instructions on how to set up the @fedorathirdparty user, and it worked perfectly, thank you very much.
but fedorapeople shouldn't be used here
No problem. I configured a cronjob on my personal server. It is not exclusive, so in case of a bus factor scenario, anybody can configure their own cronjob anywhere else. In case you ever decided that you want me to move the cronjob to some more official place, just let me know.
I wrote short information about the deployment here https://github.com/FrostyX/fedora-sponsors#deployment-automation
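An added example, not taken from this ticket or from the fedora-sponsors repository: a cron wrapper for the keytab approach discussed above, which refuses to run if the keytab is readable by other users and keeps the ticket in a per-run credential cache. The keytab path, the deploy script path, and the principal's realm are assumptions.

```shell
#!/bin/sh
# Added example: obtain a Kerberos ticket from a keytab, then run the deploy.
# All paths and the principal name below are assumptions, not values from the ticket.
KEYTAB="${KEYTAB:-$HOME/.config/fedora-sponsors/thirdparty.keytab}"  # assumed path
PRINCIPAL="${PRINCIPAL:-fedorathirdparty@FEDORAPROJECT.ORG}"         # assumed realm
DEPLOY="${DEPLOY:-$HOME/fedora-sponsors/deploy.sh}"                  # assumed path

# Succeeds only for a regular file with no group/other permission bits set.
keytab_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Succeeds only if the keytab's directory is not group- or world-writable
# (otherwise another user could swap the file out).
parent_is_safe() {
    perms=$(ls -ld "$(dirname "$1")" | cut -c1-10)
    case "$perms" in
        d????w????|d???????w?) return 1 ;;
        d*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 2 on an unsafe keytab, 3 if no cache directory could be created,
# otherwise the exit status of kinit or of the deploy script.
run_with_ticket() {
    keytab_is_private "$KEYTAB" || { echo "keytab missing or not private: $KEYTAB" >&2; return 2; }
    parent_is_safe "$KEYTAB" || { echo "keytab directory is writable by others" >&2; return 2; }
    # Per-run credential cache in a 0700 directory, removed afterwards.
    ccdir=$(mktemp -d) || return 3
    KRB5CCNAME="FILE:$ccdir/krb5cc"; export KRB5CCNAME
    kinit -k -t "$KEYTAB" "$PRINCIPAL" && "$DEPLOY"
    rc=$?
    kdestroy -q 2>/dev/null
    rm -rf "$ccdir"
    return "$rc"
}

# Only act when asked to, so the file can also be sourced for its checks.
if [ "${1:-}" = "--run" ]; then run_with_ticket; fi
```

Call the script from cron with the `--run` argument; without it, the script only defines the functions.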
Metadata Update from @frostyx: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)