vexxhost: move base-jobs to config-project

Inside the VEXXHOST tenant, we have a need to be able to use build
Docker images in many different places.  Therefore, we need the
ability to have secrets inside of a repository which other repos
can just use the jobs for, avoiding the need of encrypting the
Docker credentials for every single repository.

However, due to the current limitation in Zuul, it's not possible
to accomplish this without having a config-project, and by being
a config-project, that provides an elevated set of access.  As
an interim solution until Zuul has the ability to do this without
using a config-project, this change makes the project a config
project however changes the ACLs to include project-config-core.

The rationale was that I (mnaser) is already part of that group
and therefore this wouldn't be providing me any more access to
make changes to config projects.  This would be an interim solution
until we're able to do this natively with Zuul and the ACLs can
return to VEXXHOST.

In this change, we also move opendev/project-config to only load
jobs, secrets and nodesets and to avoid loading the project so we
don't end up reporting to changes to opendev/project-config.

Change-Id: I6baefcae3e23767aeeaa2d572b1a17fd2aa5ebe6
changes/59/716459/2
Mohammed Naser 3 years ago
parent d1c645f6e6
commit 2545dfd73a
  1. 2
      gerrit/projects.yaml
  2. 12
      zuul/main.yaml

@ -6135,7 +6135,7 @@
acl-config: /home/gerrit2/acls/vexxhost/vexxhost.config
- project: vexxhost/base-jobs
description: Base jobs for VEXXHOST tenant
acl-config: /home/gerrit2/acls/vexxhost/vexxhost.config
acl-config: /home/gerrit2/acls/opendev/project-config.config
- project: vexxhost/kue
description: Tooling for Kubernetes deployment on OpenStack
acl-config: /home/gerrit2/acls/vexxhost/vexxhost.config

@ -1522,20 +1522,18 @@
source:
gerrit:
config-projects:
- opendev/project-config
# Only use jobs and secrets from this repo, we do not want
# the project definition.
- opendev/base-jobs:
include:
- job
- secret
- nodeset
- include: [job, secret, nodeset]
projects:
- opendev/base-jobs
- vexxhost/base-jobs
- opendev/project-config
untrusted-projects:
- zuul/zuul-jobs
- vexxhost/ansible-role-docker-distribution
- vexxhost/ansible-role-openmanage
- vexxhost/ansible-role-wireguard
- vexxhost/base-jobs
- vexxhost/kue
- vexxhost/libvirtd_exporter
- vexxhost/lodgeit-helm

Loading…
Cancel
Save