openstack
/
project-config
Code Issues Proposed changes

vexxhost: move base-jobs to config-project 

Inside the VEXXHOST tenant, we have a need to be able to use build
Docker images in many different places.  Therefore, we need the
ability to have secrets inside of a repository which other repos
can just use the jobs for, avoiding the need of encrypting the
Docker credentials for every single repository.

However, due to the current limitation in Zuul, it's not possible
to accomplish this without having a config-project, and by being
a config-project, that provides an elevated set of access.  As
an interim solution until Zuul has the ability to do this without
using a config-project, this change makes the project a config
project however changes the ACLs to include project-config-core.

The rationale was that I (mnaser) is already part of that group
and therefore this wouldn't be providing me any more access to
make changes to config projects.  This would be an interim solution
until we're able to do this natively with Zuul and the ACLs can
return to VEXXHOST.

In this change, we also move opendev/project-config to only load
jobs, secrets and nodesets and to avoid loading the project so we
don't end up reporting to changes to opendev/project-config.

Change-Id: I6baefcae3e23767aeeaa2d572b1a17fd2aa5ebe6
This commit is contained in:
Mohammed Naser 2020-03-31 20:06:34 -04:00
parent d1c645f6e6
commit 2545dfd73a
2 changed files with 6 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
gerrit/projects.yaml
View File

@ -6135,7 +6135,7 @@
acl-config: /home/gerrit2/acls/vexxhost/vexxhost.config acl-config: /home/gerrit2/acls/vexxhost/vexxhost.config
- project: vexxhost/base-jobs - project: vexxhost/base-jobs
description: Base jobs for VEXXHOST tenant description: Base jobs for VEXXHOST tenant
acl-config: /home/gerrit2/acls/vexxhost/vexxhost.config acl-config: /home/gerrit2/acls/opendev/project-config.config
- project: vexxhost/kue - project: vexxhost/kue
description: Tooling for Kubernetes deployment on OpenStack description: Tooling for Kubernetes deployment on OpenStack
acl-config: /home/gerrit2/acls/vexxhost/vexxhost.config acl-config: /home/gerrit2/acls/vexxhost/vexxhost.config

12
zuul/main.yaml
View File

@ -1522,20 +1522,18 @@
source: source:
gerrit: gerrit:
config-projects: config-projects:
- opendev/project-config
# Only use jobs and secrets from this repo, we do not want # Only use jobs and secrets from this repo, we do not want
# the project definition. # the project definition.
- opendev/base-jobs: - include: [job, secret, nodeset]
include: projects:
- job - opendev/base-jobs
- secret - vexxhost/base-jobs
- nodeset - opendev/project-config
untrusted-projects: untrusted-projects:
- zuul/zuul-jobs - zuul/zuul-jobs
- vexxhost/ansible-role-docker-distribution - vexxhost/ansible-role-docker-distribution
- vexxhost/ansible-role-openmanage - vexxhost/ansible-role-openmanage
- vexxhost/ansible-role-wireguard - vexxhost/ansible-role-wireguard
- vexxhost/base-jobs
- vexxhost/kue - vexxhost/kue
- vexxhost/libvirtd_exporter - vexxhost/libvirtd_exporter
- vexxhost/lodgeit-helm - vexxhost/lodgeit-helm