Check if we could replace blobxfer by azcopy
#3414
Comments
lemeurherve
added
site:archives.jenkins.io
smerle33
modified the milestones:
infra-team-sync-2023-02-28,
infra-team-sync-2023-03-07
|
Current references to
Corresponding storage accounts:
To replace The plan is to:
Note: if time permits, we should also replace |
Ideally a service principal / managed identity / workload identity should be used instead. |
|
Oh... I'll look into that instead then, thanks for the info @timja |
|
This plan looks good and exhaustive. The only (blocking) point will be the credential: we need to document what is the exact kind of token required and what is the process to revoke it |
Unfortunately azcopy supports only SAS token for File Share: https://learn.microsoft.com/en-gb/azure/storage/common/storage-use-azcopy-v10#authorize-azcopy According to https://learn.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#manually-rotate-access-keys and https://learn.microsoft.com/en-us/rest/api/storageservices/create-service-sas#revoke-a-sas, it's possible to revoke SAS tokens by rotating or regenerating the storage account access key. |
|
Depending on how the file share is being used you can still use a service principal to generate a SaS on demand: |
dduportal
modified the milestones:
infra-team-sync-2023-12-19,
infra-team-sync-2024-01-02
This PR uses jenkins-infra/shared-tools#131 to allow trusted.ci.jenkins.io to manipulate the File Share content of updates.jenkins.io Ref: - jenkins-infra/helpdesk#3414 (comment)
|
PRs for cleanup of |
Deployed with success and ran the cleanup process. Watching update center and sync.sh |
Looks good! |
|
Managing |
|
Update: jenkins-infra/jenkins-infra#3357 (comment) was successfully deployed. @lemeurherve I'm handing over to you for the SA token cleanup you mentioned as I have no idea what to cleanup and this nis the last step before closing this issue. |
dduportal
modified the milestones:
infra-team-sync-2024-04-02,
infra-team-sync-2024-04-09
Here are the last cleanup tasks remaining before we can close this issue:
|
…uts (#654) This PR removes `mirrorbits` file share long-lived SAS token and related outputs, replaced by the use of a storage key stored in jenkins-infra hieradata & charts-secrets. Verification procedure after merging this PR: ensure update_center job still passes on trusted.ci.jenkins.io (file share used in sync.sh & sync-recent-releases.sh scripts) Ref: - jenkins-infra/helpdesk#3414 (comment)
…ibutors_jenkins_io` output (#655) This PR removes this output, superseded by the use of https://github.com/jenkins-infra/pipeline-library/blob/master/resources/get-fileshare-signed-url.sh to get the file share URL including a SAS token. Verification procedure after merging this PR: ensure https://infra.ci.jenkins.io/job/website-jobs/job/contributor-spotlight/ job passes. Ref: - jenkins-infra/helpdesk#3414 (comment)
|
blobxfer completely replaced by azcopy, cleanup done, all concerned jobs green, closing this issue. |
As we've encountered some issues with blobxfer recently (#3411), and as its last release is quite dated, check if we could replace it with an
az-clicommand like what's done in the pipeline library: https://github.com/jenkins-infra/pipeline-library/blob/93b13be5d876d90d8cd145b11c9f9fe457239db9/vars/publishReports.groovy#L55-L59Related:
The text was updated successfully, but these errors were encountered: