protected runner jobs at uo: trust e4s-uo signing key #34828
The last time I was thinking about this, I thought we were only having UO signing to support the power builds, so #32710 had a bit to support it, but only for that stack. Based on this PR and the conversation I saw in Slack today though, it seems like the plan is to have UO do builds for all stacks?
Well, the thing is, we need at least a couple of our X86_64 machines in the protected runner pool in order to start running GPU tests using our GPUs. We would like to leverage the existing Maybe we could flesh this out more in one of the CI meetings if there are some aspects we need to consider prior to merge? Bottom line I think we need to have at least a couple of our X86_64 GPU instances in the protected runner pool, as well as our power runners to support (a)
I think we can move ahead with letting UO pick up any protected jobs (instead of restricting it to just power builds). But before we merge this, we'll need to coordinate a PR on spack/spack-infrastructure to provision the UO public key to AWS protected runners, and make sure we add that secret wherever it belongs.
fc38366 to 8e54c67
@scottwittenburg I updated this PR to address your comments. Can you review? Is this OK?
8e54c67 to c9e7ced
Looks good, thank you! I think this could be merged now, although we can't make the change to actually let UO runners pick up protected jobs until we get the UO public key mounted onto our runners.
Sounds great. Thanks for the quick review. I'm thinking it might be best to keep this one open until the other work is done, in case we realize we could tweak this to be better. I'm not saying that will happen, but by leaving this open we keep our options open. And since merging now won't have an effect until the other work is done, there is no cost to leaving it open. What do you think?
Yeah, that makes sense.
K8S infrastructure has been updated to include the e4s.gpg public key which means dependencies built on UO infrastructure should now verify in AWS. I believe once this is rebased on
c9e7ced to 5964bfe
Just re-based this on develop. Hoping we get a green CI pipeline here and we can proceed with merge.
Looks like this is all green and ready to go. @scottwittenburg What do you think?
Just waiting for some protected build jobs to run so I can validate the e4s key mounted on the image, then I'll approve again and merge. Thanks for the reminder!
I tested trusting the key that gets mounted in the protected runners now (thanks @kotfic), this is what I see:
So the key is properly formatted and I'll merge this now.
Thanks @eugeneswalker and @kotfic!
Excluding these changes from the aarch64 stacks as we do not plan to provide aarch64 runners for the protected pool.
@kotfic @scottwittenburg