From 2545dfd73aea96d65270eb0cc93ba9e66cf29b9e Mon Sep 17 00:00:00 2001
From: Mohammed Naser <mnaser@vexxhost.com>
Date: Tue, 31 Mar 2020 20:06:34 -0400
Subject: [PATCH] vexxhost: move base-jobs to config-project

Inside the VEXXHOST tenant, we have a need to be able to use build
Docker images in many different places.  Therefore, we need the
ability to have secrets inside of a repository which other repos
can just use the jobs for, avoiding the need of encrypting the
Docker credentials for every single repository.

However, due to the current limitation in Zuul, it's not possible
to accomplish this without having a config-project, and by being
a config-project, that provides an elevated set of access.  As
an interim solution until Zuul has the ability to do this without
using a config-project, this change makes the project a config
project however changes the ACLs to include project-config-core.

The rationale was that I (mnaser) is already part of that group
and therefore this wouldn't be providing me any more access to
make changes to config projects.  This would be an interim solution
until we're able to do this natively with Zuul and the ACLs can
return to VEXXHOST.

In this change, we also move opendev/project-config to only load
jobs, secrets and nodesets and to avoid loading the project so we
don't end up reporting to changes to opendev/project-config.

Change-Id: I6baefcae3e23767aeeaa2d572b1a17fd2aa5ebe6
---
 gerrit/projects.yaml |  2 +-
 zuul/main.yaml       | 12 +++++-------
 2 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/gerrit/projects.yaml b/gerrit/projects.yaml
index efc590164c..144e1865dd 100644
--- a/gerrit/projects.yaml
+++ b/gerrit/projects.yaml
@@ -6135,7 +6135,7 @@
   acl-config: /home/gerrit2/acls/vexxhost/vexxhost.config
 - project: vexxhost/base-jobs
   description: Base jobs for VEXXHOST tenant
-  acl-config: /home/gerrit2/acls/vexxhost/vexxhost.config
+  acl-config: /home/gerrit2/acls/opendev/project-config.config
 - project: vexxhost/kue
   description: Tooling for Kubernetes deployment on OpenStack
   acl-config: /home/gerrit2/acls/vexxhost/vexxhost.config
diff --git a/zuul/main.yaml b/zuul/main.yaml
index d2a3bdcfeb..d6ada325f5 100644
--- a/zuul/main.yaml
+++ b/zuul/main.yaml
@@ -1522,20 +1522,18 @@
     source:
       gerrit:
         config-projects:
-          - opendev/project-config
           # Only use jobs and secrets from this repo, we do not want
           # the project definition.
-          - opendev/base-jobs:
-              include:
-                - job
-                - secret
-                - nodeset
+          - include: [job, secret, nodeset]
+            projects:
+              - opendev/base-jobs
+              - vexxhost/base-jobs
+              - opendev/project-config
         untrusted-projects:
           - zuul/zuul-jobs
           - vexxhost/ansible-role-docker-distribution
           - vexxhost/ansible-role-openmanage
           - vexxhost/ansible-role-wireguard
-          - vexxhost/base-jobs
           - vexxhost/kue
           - vexxhost/libvirtd_exporter
           - vexxhost/lodgeit-helm