Closed Bug 1584321 Opened 5 years ago Closed 5 years ago

Automatically update static clients on deployment

Categories

(Taskcluster :: Services, defect)

Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: dustin, Assigned: dustin)

https://github.com/taskcluster/taskcluster/pull/1365/files/0f0f2a5485dd58cf1b8d5a317a4e28440a2127df..af5381ebdb07fd805fe6ef53b02fa8acac6c4acf#diff-8fb74efc55050197900dd231b08db5d4R5

Static clients need to be updated in deployments.

We really shouldn't have to include this in our changelogs :)

Brian, what would be involved in fixing this?

iirc you would have to fix how helm merges configs. I believe it doesn't actually deep merge but rather overwrites everything inside default auth.static_clients with whatever is in the dev-config.yml. We need to put accessToken in dev-config but the rest of this (e.g. scopes) should come from defaults.

You could also pre-process things or switch off helm but I liked it being just plain helm because it keeps us closest to what cloudops does

Maybe we could do that merging as part of the dev-deploy process (so dev-config has auth.static_client_tokens, and that gets merged into the default auth.static_clients). In fact, maybe we could generate the static clients' names and scopes dynamically based on metadata from each service..
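A sketch of the merge proposed in the comment above, added here as an example and not taken from the Taskcluster repository or written by anyone in this thread. `overrideMerge` is a simplified model of an override that replaces lists whole, and `mergeStaticClients` takes only tokens from the deployment config so that scopes always come from the defaults; all function names, client entries, scope strings and tokens are constructed for illustration.

```javascript
// Constructed sample data; scope strings and tokens are placeholders.
const defaults = { auth: { static_clients: [
  { clientId: 'static/taskcluster/queue', scopes: ['example:queue-scope'] },
  { clientId: 'static/taskcluster/worker-manager', scopes: ['example:table:WM*'] },
] } };
// Old-style deployment config: carries the token plus a stale copy of the scopes.
const oldDevConfig = { auth: { static_clients: [
  { clientId: 'static/taskcluster/queue', accessToken: 'constructed-token-1',
    scopes: ['example:old-scope'] },
] } };
// Proposed shape: tokens only, keyed by clientId (auth.static_client_tokens).
const tokens = {
  'static/taskcluster/queue': 'constructed-token-1',
  'static/taskcluster/worker-manager': 'constructed-token-2',
};

// Simplified model of the override behaviour described above: maps merge
// key by key, but a list in the override replaces the default list whole.
function overrideMerge(base, override) {
  if (Array.isArray(override) || typeof override !== 'object' || override === null) {
    return override;
  }
  const out = { ...base };
  for (const [key, value] of Object.entries(override)) {
    out[key] = overrideMerge(base ? base[key] : undefined, value);
  }
  return out;
}

// Proposed merge: names and scopes come only from the defaults, tokens only
// from the deployment config. Missing or leftover tokens fail the deploy.
function mergeStaticClients(defaultClients, clientTokens) {
  const known = new Set(defaultClients.map(c => c.clientId));
  const stale = Object.keys(clientTokens).filter(id => !known.has(id));
  if (stale.length > 0) {
    throw new Error(`tokens for unknown static clients: ${stale.join(', ')}`);
  }
  return defaultClients.map(client => {
    const accessToken = clientTokens[client.clientId];
    if (typeof accessToken !== 'string' || accessToken.length === 0) {
      throw new Error(`no accessToken configured for ${client.clientId}`);
    }
    return { ...client, scopes: [...client.scopes], accessToken };
  });
}
```

With the sample data, `overrideMerge(defaults, oldDevConfig)` leaves one client carrying the stale scope, while `mergeStaticClients(defaults.auth.static_clients, tokens)` yields both clients with the default scopes.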

Assignee: nobody → dustin

You're right, it's hard :)

https://github.com/taskcluster/taskcluster/pull/1415 at least checks things..

Another thing we might do is just use * patterns for the Azure tables for each service.. at least for new tables. Like owlish did for worker (WM*). That would at least reduce the churn on these scopes.

Another idea: don't allow anyone to specify scopes for static/taskcluster/* clients, and bake those into the auth service using yarn generate.

We can also include a link to a diff of the example dev config into the release notes.

> Another idea: don't allow anyone to specify scopes for static/taskcluster/* clients, and bake those into the auth service using yarn generate.
> We can also include a link to a diff of the example dev config into the release notes.

+1 this is great.

Blocks: 1574666
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED