Page MenuHomePhabricator

Build and import new release of jwt-authorizer (1.1.0)
Closed, ResolvedPublic

Description

Version 1.1.0 of jwt-authorizer includes token validation errors in the auth challenge which we need to debug GitLab-to-WMF-registry JWT auth failures (see T322453).

@Dzahn would you be able to build and import this version of the package for us? The main branch at https://gitlab.wikimedia.org/repos/releng/jwt-authorizer should be good to go and includes your prior fix to the control file. I hope the build goes smoother for you this time.

Event Timeline

@Dzahn you described the initial build process of jwt-authorizer package in T309646. I created docs in wikitech for jwt-authorizer and a short summary of the build process. Can you check https://wikitech.wikimedia.org/wiki/Docker-registry/jwt-authorizer? I guess the DIST=bullseye-backports and --ignore=wrongdistribution is obsolete now?

Let me know if I should try the build or if we should pair to check the build and docs together :)

LSobanski triaged this task as Medium priority.Nov 15 2022, 4:03 PM
LSobanski moved this task from Incoming to Backlog on the serviceops-collab board.

Mentioned in SAL (#wikimedia-operations) [2022-11-16T19:11:11Z] <jelto> Imported jwt-authorizer 1.1.0-1 to bullseye-wikimedia - T322691

Jelto claimed this task.

I built and published the new version jwt-authorizer | 1.1.0-1 for bullseye. I followed the docs in https://wikitech.wikimedia.org/wiki/Docker-registry/jwt-authorizer.

@dduvall @Dzahn I still got issues with the go package similar to T309646#7974869:

make[1]: Entering directory '/build/jwt-authorizer-1.1.0'
dh_auto_build -O--buildsystem=golang -- -ldflags "-X main.Version=1.1.0"
        cd obj-x86_64-linux-gnu && go install -trimpath -v -p 8 -ldflags "-X main.Version=1.1.0" gitlab.wikimedia.org/repos/releng/jwt-authorizer/cmd/jwt-authorizer
src/gitlab.wikimedia.org/repos/releng/jwt-authorizer/cmd/jwt-authorizer/main.go:7:2: cannot find package "io/fs" in any of:
        /build/jwt-authorizer-1.1.0/obj-x86_64-linux-gnu/src/gitlab.wikimedia.org/repos/releng/jwt-authorizer/vendor/io/fs (vendor tree)
        /usr/lib/go-1.15/src/io/fs (from $GOROOT)
        /build/jwt-authorizer-1.1.0/obj-x86_64-linux-gnu/src/io/fs (from $GOPATH)
dh_auto_build: error: cd obj-x86_64-linux-gnu && go install -trimpath -v -p 8 -ldflags "-X main.Version=1.1.0" gitlab.wikimedia.org/repos/releng/jwt-authorizer/cmd/jwt-authorizer returned exit code 1
make[1]: *** [debian/rules:10: override_dh_auto_build] Error 25
make[1]: Leaving directory '/build/jwt-authorizer-1.1.0'
make: *** [debian/rules:7: build] Error 2
dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2
I: copying local configuration
E: Failed autobuilding of package

So we have to tweak the build a little bit more, but for now the new version should be available. I'm closing this task, as build and publish were successful using the bullseye backports version of golang.

$ apt-cache show jwt-authorizer
Package: jwt-authorizer
Version: 1.1.0-1
Architecture: amd64
Maintainer: Wikimedia Foundation Release Engineering <releng@wikimedia.org>
[...]

@Jelto or @Dzahn we'll need this built for buster as well since the registry hosts are all buster based.

Mentioned in SAL (#wikimedia-operations) [2022-11-30T22:13:40Z] <mutante> registry* - upgraded jwt-authorizer package on all 4 hosts to version 1.1.0-1 - T322691

@dduvall @Jelto So this was just missing the same import step of the same package but for buster instead of bullseye. I could just import straight from Jelto's homedir:

on apt1001:

$ sudo -i reprepro --ignore=wrongdistribution -C main include buster-wikimedia /home/jelto/jwt-authorizer_1.1.0-1_amd64.changes

and now it's 1.1.0 instead of 1.0.0 for both:

[apt1001:/home/jelto] $ sudo -E reprepro ls jwt-authorizer
jwt-authorizer | 1.1.0-1 |   buster-wikimedia | amd64, source
jwt-authorizer | 1.1.0-1 | bullseye-wikimedia | amd64, source

after this:

[registry2004:~] $ sudo apt-get update
...
[registry2004:~] $ sudo apt install jwt-authorizer
...

then did the same on the other 4 registry hosts and now:

[cumin1001:~] $ sudo cumin 'registry*' 'dpkg -l | grep jwt-auth'
4 hosts will be targeted:
registry[2003-2004].codfw.wmnet,registry[1003-1004].eqiad.wmnet
Ok to proceed on 4 hosts? Enter the number of affected hosts to confirm or "q" to quit 4
===== NODE GROUP =====                                                                                                                                                                                             
(4) registry[2003-2004].codfw.wmnet,registry[1003-1004].eqiad.wmnet                                                                                                                                                
----- OUTPUT of 'dpkg -l | grep jwt-auth' -----                                                                                                                                                                    
ii  jwt-authorizer                       1.1.0-1                      amd64