Seems like a keytab issue? bodhi can't talk to koji...

2021-05-25 18:34:29,181 [ERROR] koji: (gssapi auth failed: requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://koji.stg.fedoraproject.org/kojihub/ssllogin)

I tried to delete the keytab secret and re-run the playbook, but it didn't seem to help.

@pingou you have messed with keytabs in openshift... any ideas here?

I'd be very grateful if somebody could fix this... :-)

I see two keytabs in the web pod: /etc/keytabs/koji-keytab and /etc/krb5.bodhi_bodhi.stg.fedoraproject.org.keytab not quite sure which is being used.

The pod doesn't kinit or klist so I've not been able to check which principal they refer to.
On os-master01.stg I see a koji-keytab.kt which seems to have the right principal.

I'm not seeing anything in krb5.conf specifying a default keytab to use. Could this be it?

I see two keytabs in the web pod: /etc/keytabs/koji-keytab and /etc/krb5.bodhi_bodhi.stg.fedoraproject.org.keytab not quite sure which is being used.

Found the answer to that one:

# Set up krb5
RUN rm -f /etc/krb5.conf && \
    ln -sf /etc/bodhi/krb5.conf /etc/krb5.conf && \
    ln -sf /etc/keytabs/koji-keytab /etc/krb5.bodhi_bodhi{{ env_suffix }}.fedoraproject.org.keytab

Source: https://pagure.io/fedora-infra/ansible/blob/main/f/roles/openshift-apps/bodhi/templates/dockerfile-base

ah!

https://pagure.io/fedora-infra/ansible/blob/main/f/roles/bodhi2/base/templates/production.ini.j2#_432 vs /etc/krb5.bodhi_bodhi.stg.fedoraproject.org.keytab looks like it's missing the .stg

Looks like that was it https://bodhi.stg.fedoraproject.org/updates/new now shows for me :)

This was the fix: https://pagure.io/fedora-infra/ansible/c/94de49399ac7b579dc7e90bdc42f30044f1f60c0?branch=main

@kparal could you check on your side?

The "New Bodhi Update" page seems to show up fine now, thanks!