We are re-signing in prep for branching next week; we need to also make
sure to sign things with the f45 ima key.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>

This role is intended to be run on a build{vm|hw} machine that is in the
secure-boot channel in koji. It sets up the siguldry pesign-bridge that
allows builds done there to call pesign to sign artifacts by bind
mounting a socket into the mock chroot.
This then calls sigul's pesign client which sends the artifact to the
sigul vault via the sigul bridge for signing. The vault has access to
a secure token to sign the artifact with.
This should (once confirmed working) replace the roles/bkernel role that
used a secure card that was directly attached to a buildhw device.
This should allow us to add support for aarch64 as well as more easily
use different hardware or VMs, as any of them could be set up to query
the sigul server.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>

We only have two job groups, so the front page is a bit sad and
empty. Let's show 10 builds per group, not 3.
Signed-off-by: Adam Williamson <awilliam@redhat.com>

Seems like the proxies don't want to handle port 80 nicely, I get
errors in Zabbix for them using localhost:80/apache-status (which
works elsewhere, like sundries). However using https/443 seems to
work, so we'll do that instead.
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>

I mistakenly changed the port in the fedora/non el one, that was
correct.
Need to add the port in the el one for selinux to allow httpd to work.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>

Fixed up a few things missed and caught in testing on dl01:
* need to set up subuid/subgid files for podman
* need to allow the right port for httpd to listen in selinux
* need httpd network connect to allow it to connect to anubis
* adjust worker values, we were not using prefork for a long time
  so the values were just default; up them a bunch.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>

Looks like the scrapers are hitting the download servers now.
So, look at setting up an anubis pod there like we did for pagure.
anubis package isn't available for epel9, so we just use the container.
Will test this with dl01 and tweak until it's working.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>

The flatpak-indexer-build needs to run only pytest as done in upstream.
Otherwise it fails on missing commands.
Signed-off-by: Michal Konecny <mkonecny@redhat.com>

Upstream repo doesn't have staging and production branches. So let's
just go with main. In case of redis use the branch where the fix is introduced.
Signed-off-by: Michal Konecny <mkonecny@redhat.com>

Per https://pagure.io/fedora-qa/issue/859 we want to drop the QA
landing page at qa.fedoraproject.org. This should turn it back
into a redirect to the wiki page. We also drop the certificate
for qa.fp.o (since blockerbugs uses the wildcard certificate
anyway) and remove a duplicate reverseproxy entry for blockerbugs
(we had two otherwise-identical entries that were restricted to
prod and stg with `when` conditions).
Signed-off-by: Adam Williamson <awilliam@redhat.com>

This is another attempt at 86696cf. Apparently the condition must be
set to "always" in order for the header to be "persisted across
internal redirects".
Signed-off-by: Gregory Bartholomew <gregory.lee.bartholomew@gmail.com>