Launchpad itself

Merge ~pelpsi/launchpad:pass-information-via-XML-RPC-API-to-the-builders into launchpad:master

Git
lp:~pelpsi/launchpad
pass-information-via-XML-RPC-API-to-the-builders
Merge into master

Proposed by Simone Pelosi on 2024-04-15

Status:	Merged
Approved by:	Simone Pelosi on 2024-04-15
Approved revision:	c8a27b7b7e71b80d8454799f0f7f0d1a4d696154
Merge reported by:	Otto Co-Pilot
Merged at revision:	not available
Proposed branch:	~pelpsi/launchpad:pass-information-via-XML-RPC-API-to-the-builders
Merge into:	launchpad:master
Diff against target:	138 lines (+56/-13) 5 files modified charm/launchpad-buildd-manager/config.yaml (+4/-0) lib/lp/buildmaster/builderproxy.py (+7/-0) lib/lp/buildmaster/tests/fetchservice.py (+12/-13) lib/lp/services/config/schema-lazr.conf (+6/-0) lib/lp/snappy/tests/test_snapbuildbehaviour.py (+27/-0)
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Jürgen Gmach		2024-04-15	Approve on 2024-04-15
Review via email: mp+464337@code.launchpad.net

Commit message

Pass certificate to the builders

The certificate will be installed on the builders to the fetch service can man in the middle requests.

Revision history for this message

Jürgen Gmach (jugmac00) wrote on 2024-04-15:

Awesome!

I only have a little suggestion for the commit message:

```
Pass certificate to the builders

The certificate will be installed on the builders to the fetch service can man in the middle requests.
```

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Canonical Launchpad Engineering

Christina A Reitbauer

Edson_g2020_ubuntuone Gomes

Jordan

Kevin bush

Maximiliano Bertacchini

Simone Pelosi

noômen

to status/vote changes:

asimbol83

 diff --git a/charm/launchpad-buildd-manager/config.yaml b/charm/launchpad-buildd-manager/config.yaml
 index caac316..630ce00 100644
 --- a/charm/launchpad-buildd-manager/config.yaml
 +++ b/charm/launchpad-buildd-manager/config.yaml
@@ -71,6 +71,10 @@ options:
        Fetch service host, it could be either a single instance
        or a load balancer in front.
      default: ""
++  fetch_service_mitm_certificate:
++    type: string
++    description: Fetch service certificate.
++    default: ""
    fetch_service_port:
      type: int
      description: Fetch service port.
 diff --git a/lib/lp/buildmaster/builderproxy.py b/lib/lp/buildmaster/builderproxy.py
 index 3375042..5f3cf5b 100644
 --- a/lib/lp/buildmaster/builderproxy.py
 +++ b/lib/lp/buildmaster/builderproxy.py
@@ -82,6 +82,13 @@ class BuilderProxyMixin:
                  session_id=session["id"],
+             )
++            # Append the fetch-service certificate to BuildArgs secrets.
++            if "secrets" not in args:
++                args["secrets"] = {}
++            args["secrets"]["fetch_service_mitm_certificate"] = (
++                _get_value_from_config("fetch_service_mitm_certificate")
++            )
++
      @defer.inlineCallbacks
      def _requestProxyToken(self):
          admin_username = _get_value_from_config(
 diff --git a/lib/lp/buildmaster/tests/fetchservice.py b/lib/lp/buildmaster/tests/fetchservice.py
 index 3fd879c..51f73e3 100644
 --- a/lib/lp/buildmaster/tests/fetchservice.py
 +++ b/lib/lp/buildmaster/tests/fetchservice.py
@@ -75,19 +75,18 @@ class InProcessFetchServiceAuthAPIFixture(fixtures.Fixture):
          self.addCleanup(site.stopFactory)
          port = yield endpoint.listen(site)
          self.addCleanup(port.stopListening)
--        config.push(
--            "in-process-fetch-service-api-fixture",
--            dedent(
--                """
--                [builddmaster]
--                fetch_service_control_admin_secret: admin-secret
--                fetch_service_control_admin_username: admin-launchpad.test
--                fetch_service_control_endpoint: http://{host}:{port}/session
--                fetch_service_host: {host}
--                fetch_service_port: {port}
--                """
--            ).format(host=port.getHost().host, port=port.getHost().port),
--        )
++        configs = dedent(
++            """
++            [builddmaster]
++            fetch_service_control_admin_secret: admin-secret
++            fetch_service_control_admin_username: admin-launchpad.test
++            fetch_service_control_endpoint: http://{host}:{port}/session
++            fetch_service_host: {host}
++            fetch_service_port: {port}
++            fetch_service_mitm_certificate: fake-cert
++            """
++        ).format(host=port.getHost().host, port=port.getHost().port)
++        config.push("in-process-fetch-service-api-fixture", configs)
          self.addCleanup(config.pop, "in-process-fetch-service-api-fixture")
 diff --git a/lib/lp/services/config/schema-lazr.conf b/lib/lp/services/config/schema-lazr.conf
 index 94ca842..07f04c6 100644
 --- a/lib/lp/services/config/schema-lazr.conf
 +++ b/lib/lp/services/config/schema-lazr.conf
@@ -178,6 +178,9 @@ fetch_service_control_admin_username: none
  # Endpoint for fetch service authentication service
  fetch_service_control_endpoint: none
++# Fetch service certificate
++fetch_service_mitm_certificate: none
++
  # Fetch service host, it could be either a single instance
  # or a load balancer in front
  fetch_service_host: none
@@ -1883,6 +1886,9 @@ fetch_service_control_admin_username: none
  # Endpoint for fetch service control service.
  fetch_service_control_endpoint: none
++# Fetch service certificate
++fetch_service_mitm_certificate: none
++
  # Fetch service host, it could be either a single instance
  # or a load balancer in front.
  fetch_service_host: none
 diff --git a/lib/lp/snappy/tests/test_snapbuildbehaviour.py b/lib/lp/snappy/tests/test_snapbuildbehaviour.py
 index 2ccc18d..d20bf33 100644
 --- a/lib/lp/snappy/tests/test_snapbuildbehaviour.py
 +++ b/lib/lp/snappy/tests/test_snapbuildbehaviour.py
@@ -303,6 +303,28 @@ class TestAsyncSnapBuildBehaviourFetchService(
          self.assertNotIn("revocation_endpoint", args)
      @defer.inlineCallbacks
++    def test_requestFetchServiceSession_no_certificate(self):
++        """Create a snap build request with an incomplete fetch service
++        configuration.
++
++        If `fetch_service_mitm_certificate` is not provided
++        the function raises a `CannotBuild` error.
++        """
++        self.pushConfig("builddmaster", fetch_service_mitm_certificate=None)
++        self.useFixture(
++            FeatureFixture({SNAP_USE_FETCH_SERVICE_FEATURE_FLAG: "on"})
++        )
++
++        snap = self.factory.makeSnap(use_fetch_service=True)
++        request = self.factory.makeSnapBuildRequest(snap=snap)
++        job = self.makeJob(snap=snap, build_request=request)
++        expected_exception_msg = (
++            "fetch_service_mitm_certificate is not configured."
++        )
++        with ExpectedException(CannotBuild, expected_exception_msg):
++            yield job.extraBuildArgs()
++
++    @defer.inlineCallbacks
      def test_requestFetchServiceSession_no_secret(self):
          """Create a snap build request with an incomplete fetch service
          configuration.
@@ -379,6 +401,11 @@ class TestAsyncSnapBuildBehaviourFetchService(
+         )
          self.assertIn("proxy_url", args)
          self.assertIn("revocation_endpoint", args)
++        self.assertIn("secrets", args)
++        self.assertIn("fetch_service_mitm_certificate", args["secrets"])
++        self.assertIn(
++            "fake-cert", args["secrets"]["fetch_service_mitm_certificate"]
++        )
      @defer.inlineCallbacks
      def test_requestFetchServiceSession_flag_off(self):

Launchpad itself

Merge ~pelpsi/launchpad:pass-information-via-XML-RPC-API-to-the-builders into launchpad:master

Commit message

Description of the change

Preview Diff

Subscribers