Add REST api auth rules

This allows locally generated (by infra-root) tokens to be used for admin commands. Change-Id: I452fc7863985c0d94a98440823fd0aa1d454ec31
2021-12-02 15:42:18 -08:00 · 2021-12-02 15:42:18 -08:00 · 3bc3b18f4d
commit 3bc3b18f4d
parent 000aadc414
2 changed files with 19 additions and 0 deletions
--- a/tools/check_valid_gerrit_projects.py
+++ b/tools/check_valid_gerrit_projects.py
@ -110,6 +110,8 @@ def check_zuul_main(zuul_main, projects):
    # Check that for each gerrit source, we have a project defined in gerrit.
    for tenant in main_content:
        t = tenant.get('tenant')
+        if not t:
+            continue
        sources = t.get('source')
        if sources and sources.get('gerrit'):
            for project_types in sources['gerrit']:
--- a/zuul/main.yaml
+++ b/zuul/main.yaml
@ -1,5 +1,12 @@
+- admin-rule:
+    name: local-admin
+    conditions:
+      - iss: zuul.opendev.org
+
 - tenant:
    name: opendev
+    admin-rules:
+      - local-admin
    max-nodes-per-job: 10
    source:
      gerrit:
@ -66,6 +73,8 @@

 - tenant:
    name: openstack
+    admin-rules:
+      - local-admin
    max-nodes-per-job: 10
    source:
      gerrit:
@ -1480,6 +1489,8 @@

 - tenant:
    name: vexxhost
+    admin-rules:
+      - local-admin
    max-nodes-per-job: 10
    source:
      gerrit:
@ -1578,6 +1589,8 @@

 - tenant:
    name: zuul
+    admin-rules:
+      - local-admin
    default-ansible-version: 2.9
    max-nodes-per-job: 10
    source:
@ -1654,6 +1667,8 @@
 # https://github.com/pyca
 - tenant:
    name: pyca
+    admin-rules:
+      - local-admin
    max-nodes-per-job: 1
    source:
      gerrit:
@ -1679,6 +1694,8 @@
 # https://github.com/pypa
 - tenant:
    name: pypa
+    admin-rules:
+      - local-admin
    max-nodes-per-job: 1
    source:
      gerrit: