00:19 <jekstrand> https://downforeveryoneorjustme.com/cgit.freedesktop.org?proto=https

00:19 <jekstrand> cgit's down again. :-(

07:40 <MrCooper> bentiss daniels can one of you kick cgit?

07:40 <bentiss> MrCooper: I don't have the credentials for this one (and I don't want them)

07:40 <MrCooper> fair enough

08:28 <daniels> MrCooper: done

08:32 <MrCooper> thanks, still timing out though

08:40 <bentiss> daniels: FWIW, I have been trying to enable STS with ceph yesterday...

08:40 <daniels> MrCooper: applied a much harder hammer

08:40 <daniels> bentiss: oh?

08:40 <bentiss> if I use keycloak as the identity provider, I can finally get some short tokens

08:41 <daniels> oh that's neat, we're just starting to roll out Keycloak at Collabora too

08:41 <bentiss> but I can not use gitlab as the identity provider because it doesn't provide the x509 cert in its JWKS :(

08:42 <bentiss> daniels: once that is done, it should be easier to support OPA too (because I finally found how I can configure the individual S3 radosgw)

08:43 <bentiss> but right now, unless I can get keycloak to vouch for gitlab JWT tokens and provide an other one, we are stuck

08:44 <bentiss> the second option would be to patch ceph to handle JWKS without x5c, but... meh

08:44 <MrCooper> cgit works again, cheers

08:44 <bentiss> the third option is to have a man in the middle like I mentioned just above gitlab JWT => keycloak JWT => ceph

08:45 <daniels> oh right ... I haven't used Keycloak to proxy JWTs yet

08:46 <daniels> (haven't done much of anything lately - being on painkillers and trying to think is not a good combination)

08:47 <bentiss> ouch :(

08:47 <daniels> the joys of being tall (and old)

08:47 <bentiss> honestly, I thing patching gitlab to also export the x509 cert would be easier

08:47 <bentiss> *think

08:50 <daniels> not making ceph understand a jwk endpoint?

08:52 <bentiss> daniels: AFAIU, the spec says that the "all-in-one" x509 cert is optional, because you can rebuild it from the JWKS data

08:52 <bentiss> but ceph and many other JWT libs don't know how to rebuild this

08:52 <bentiss> we were lucky that minio does

08:53 <bentiss> so my idea is to see if I can not export that cert in the keys so gitlab can use a broader JWT libs, and ceph would be one of those

08:55 <daniels> it makes sense to me

08:55 <bentiss> me too :)

08:55 <bentiss> though not sure if this will work :)

09:54 <Adrinael> bentiss, daniels: can I have an acked-by from you for https://patchwork.freedesktop.org/patch/449194/?series=93504&rev=1

09:54 <daniels> Adrinael: sure, ack

09:54 <daniels> (however again noting that we do have aarch64 runners that also execute armv7 just fine, so you can run them natively rather than qemu ...)

09:55 <Adrinael> Yes, that's on TODO

09:55 <bentiss> yeah, that would leave mips that needs qemu-user

09:55 <bentiss> but that also means building igt images for arm

09:56 <bentiss> Adrinael: if the IRC ack works, ack from me too

09:57 <Adrinael> bentiss, sure, thanks. What's that in the form of $name <$email> ?

09:57 <MrCooper> I'd also recommend consolidating common stuff into a .template which is extended by the jobs

09:58 <bentiss> daniels: sadly, adding x5c to the openid jwks endpoint seems like a rabbit hole: patching /-/jwks is easy enough, but not the one from /oauth/discovery/keys (advertized by /.well-known/openid-configuration), because it uses doorkeeper-openid_connect ruby gem, and the RSA implementation of Ruby doesn't easily gives the x5c, but the pem you have to tweak :(

09:59 <bentiss> Adrinael: Acked-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>

10:00 <daniels> bentiss: blargh

10:01 <daniels> MrCooper: you forgot 'properly using ci-templates' ;)

10:02 <MrCooper> that's kind of another story, wouldn't automagically add the gstreamer tag :)

10:03 <bentiss> daniels: for /-/jwks I have https://paste.centos.org/view/acf5f7c1

10:04 <Adrinael> Alright that's pushed and I hunted down last few pipelines that were using jamming runners

10:05 <Adrinael> fdo-packet-m1xl runners might still have zombies

10:12 <daniels> bentiss: oh that's nice

10:12 <daniels> I wonder why the call was unused before ... ?

10:13 <bentiss> daniels: on minio-packet we use that URL, but ceph is using the .well-known to retrieve the jwks url, which points at the doorkeeper ruby gem internal

10:13 <bentiss> and that's where we are screwed

10:15 <daniels> nginx rewrite the .well-known path?

10:25 <bentiss> well, if I have to patch gitlab, I can also patch the internal route redirect :)

10:33 <daniels> heh, true

12:29 <karolherbst> oh no 502 :(

12:29 <karolherbst> ahh back again

12:31 <mupuf> yep...

12:32 <karolherbst> but overall a bit slow atm

13:02 <bentiss> daniels: I'm dumb and I don't understand a bit about crypto... :( -> the 'to_pem' function was not exporting the cert, but the key itself :/ so it doesn't work

13:09 <bentiss> and https://myarch.com/oauth2-jwt-verification-best-practices/ -> "Avoiding creating the x509 cert for each key allows for easier update/more frequent rotation of the keys and usually, resource servers rotate keys on a frequent basis, e.g., every three months." so not having x5c is a feature :(

13:11 <daniels> right, that's why I was suggesting to use the JWK endpoint, else we have to maintain & distribute the cert chain

13:14 <bentiss> well, in amy cases, even the jwk endpoint doesn't have a cert

13:15 <bentiss> so ceph can not work without it :( https://github.com/ceph/ceph/blob/master/src/rgw/rgw_rest_sts.cc#L271

13:55 <daniels> my brain can't do C++ right now sorry

14:03 <bentiss> daniels: I don't expect you to fix that. Just that the code path only checks for x5c, so it's not compatible with gitlab

15:52 <thaytan> gitlab is being weird and slow again

16:04 <bentiss> thaytan: not much I can do right now

16:05 <bentiss> "Slow OSD heartbeats on back" on ceph

16:05 <bentiss> so the usual ceph is lagging so is everything :(

16:23 <bentiss> daniels: unbeliveable, I followed https://www.keycloak.org/docs/latest/securing_apps/#external-token-to-internal-token-exchange and was able to convert the gitlab token to a keycloak token

16:33 <daniels> bentiss: :o

16:34 <bentiss> daniels: do you know if we can configure keycloak from a file, or we have to go through the admin UI or the REST API?

16:35 <daniels> https://github.com/adorsys/keycloak-config-cli/

16:36 <bentiss> thanks!

16:36 <daniels> np!

16:36 <bentiss> something to work on tomorrow :)

16:38 <daniels> fun!