add krb5 auth params for exit_koji_promote (auth to koji with krb5)

[maxamillion]

Signed-off-by: Adam Miller maxamillion@fedoraproject.org

[lcarva]

Worth enforcing that if koji_use_kerberos is set to True, principal and keytab values are also set? Alternatively, we could remove the koji_use_kerberos setting and only assume its behavior if koji_kerberos_principal and koji_kerberos_keytab are set.

[maxamillion]

@lcarva I'm good either way, the only reasdon I added koji_use_kerberos was there is a use_kerberos config flag already for the client and I was aiming for consistency. Which ever you and @twaugh (and Co.) prefer, I'm happy to go that direction.

[twaugh]

If kerberos is in use for both, would the principal ever be different?

[maxamillion]

@twaugh Yes, this koji auth is being internally used by the system for the koji content generator metadata import, the krb5 keytab is expected to be in the buildroot (either via an openshift secret or just drop it in the image). This is to configure exit_koji_promote while running "inner" in order to enable that for Fedora's use case because as of December 12th, ssl cert based auth will be completely disabled in Fedora's koji. (Do note that this getting merged and released by Dec 12th is not a blocker, I can patch our package in the internal Infrastructure dnf repos if needed so there's no real urgency here).

[twaugh]

OK, so I prefer koji_use_kerberos and the koji_* keytab and principal parameters, and we just need to check that those parameters are set.

[maxamillion]

@twaugh when you say "need to check" is there something not currently being done in this pull request that you would like to see done in the code or is that just a general comment?

[twaugh]

From @lcarva's original comment, should we change this line to something like this?:

if (self.spec.koji_use_kerberos.value and
        self.spec.koji_kerberos_principal.value and
        self.spec.koji_kerberos_keytab.value):

[maxamillion]

Ah, ok. I follow. Thank you.

[lcarva]

LGTM