From bb608b558f58e2091f512d3461cad0546c605755 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?= Date: Fri, 15 Jul 2022 18:57:52 +0200 Subject: [PATCH] Explain how to regenerate the OIDC token for ODCS MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Aurélien Bompard --- modules/sysadmin_guide/pages/odcs.adoc | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/modules/sysadmin_guide/pages/odcs.adoc b/modules/sysadmin_guide/pages/odcs.adoc index 7592c23..e24fe69 100644 --- a/modules/sysadmin_guide/pages/odcs.adoc +++ b/modules/sysadmin_guide/pages/odcs.adoc @@ -137,3 +137,27 @@ https://odcs.fedoraproject.org/composes/ by sorting by Last modified fields. * Decrease the *max_seconds_to_live* in ODCS configuration file. + +=== The OIDC token expires + +This will cause the cron job to fail on the backend. Tokens have a lifetime of one year, and should be therefore periodically regenerated. + +To regenerate the token, run the following command in the ansible repo: + +.... +scripts/generate-oidc-token odcs-prod -e 365 -s https://id.fedoraproject.org/scope/groups -s https://pagure.io/odcs/new-compose -s https://pagure.io/odcs/renew-compose -s https://pagure.io/odcs/delete-compose +.... + +Follow the instructions given by the script: run the SQL command on the Ipsilon database server: + +.... +ssh db-fas01.iad2.fedoraproject.org +sudo -u postgres -i ipsilon +ipsilon=# BEGIN; +[...] +ipsilon=# COMMIT; +.... + +Save the value of the token generated by the script in the ansible-private repo under `files/releng/production/releng-odcs-oidc-token`. + +Deploy the change by running the `playbooks/groups/odcs.yml` playbook.
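Review bot: In the second literal block, `sudo -u postgres -i ipsilon` looks like it is missing `psql`. As written, sudo would run a command named `ipsilon` in the postgres login shell, while the following `ipsilon=#` lines are a psql prompt; `sudo -u postgres psql ipsilon` would match the rest of the session. In the same block the SQL is elided as `[...]`, so it would help to say that the statements come from the script's output and should be pasted unchanged between `BEGIN;` and `COMMIT;`. In the first block, the meaning of `-e 365` and of the four `-s` URLs is not explained. If `-e` is the lifetime in days, stating that ties it to the "lifetime of one year" sentence and makes it clear the scope list is the complete set the token is granted. Since the result is a year-long credential stored at `files/releng/production/releng-odcs-oidc-token`, consider adding a line on how to check the current token's expiry so that regeneration can be scheduled before the cron job fails, and whether the previous token row needs to be removed. Wording nit: "should be therefore periodically regenerated" reads better as "should therefore be regenerated periodically".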