crawler build fails because azcopy sync returns a 403

[NotMyFault]

Service(s)

trusted.ci.jenkins.io

Summary

The crawler job is failing again, this time azcopy sync yields a 403, causing the job to fail.

Reproduction steps

No response

[dduportal]

Audit:

• https://github.com/jenkins-infra/crawler/blob/5afc48fa2cd3a7b225e8ef53b2815391f7c712cd/Jenkinsfile#L83
• Most probably linked to a task of Check if we could replace blobxfer by azcopy #3414

Checking...

[dduportal]

As I don't know what @lemeurherve did in #3414 except the linked terraform PRs (see #3875 (comment))

As we're in holidays for the next week, I've commented out the azcopy command jenkins-infra/crawler@d0efde1 and a build is currently running (I'll watch it).~

We'll work on this in January then

[dduportal]

And now

$ aws s3 sync ./updates/ s3://westeurope-updates-jenkins-io/updates/ --no-progress --no-follow-symlinks --size-only --exclude .svn --endpoint-url https://8d1838a43923148c5cee18ccc356a594.r2.cloudflarestorage.com/
09:50:50  fatal error: An error occurred (Unauthorized) when calling the ListObjectsV2 operation: Unauthorized

New hotfix incoming

[dduportal]

jenkins-infra/crawler@e196bb7 (watching build on trusted)

[dduportal]

Finished: SUCCESS we can finish 2023 in this state \o/

[NotMyFault]

Thanks for checking 🎄

[dduportal]

As I don't know what @lemeurherve did in #3414 except the linked terraform PRs, and because we're in holidays for the next week, I've commented out the azcopy command jenkins-infra/crawler@d0efde1 and a build is currently running (I'll watch it).

We'll work on this in January then

Nothing done in #3414 explains the HTTP/403. I've reopened #3818 and I'll check if I did not forget a firewall rule somewhere. That could also explain the aws s3 errors after the first hotfix.

[dduportal]

Resuming analysis on this topic.

• https://github.com/jenkins-infra/azure/blob/240beb8f6f96fdf3bb114f66091120a971938481/updates.jenkins.io.tf#L15 shows that the bucket access is public. The 403 error cannot be caused by a storage account network restriction
• Enabling again the azcopy on the crawler job to test: the mian branch job might have failure due to my tests. I'll also mention this in jenkins-infra (no status.jenkins.io as it is not a public thing)

[dduportal]

Retried and got the following detailed error message for the azcopy operation:

Time:2024-01-02T13:25:44.6252585Z</Message><AuthenticationErrorDetail>Signature not valid in the specified time frame: Start [Fri, 06 Oct 2023 00:00:00 GMT] - Expiry [Fri, 22 Dec 2023 00:00:00 GMT] - Current [Tue, 02 Jan 2024 13:25:44 GMT]</AuthenticationErrorDetail></Error>

[dduportal]

https://github.com/jenkins-infra/azure/blob/240beb8f6f96fdf3bb114f66091120a971938481/updates.jenkins.io.tf#L44 => gotcha.

[dduportal]

jenkins-infra/azure#565 to rotate expiry

[dduportal]

Update:

• Rotated the expiry of the SAS credential:
  • feat(updates.jenkins.io) rotate SAS with new expiry date azure#565
  • jenkins-infra/azure@e86e885

WiP:

• Retrieve the new credential and apply it in trusted.ci
• Check it work again for azcopy
• Check error for the aws s3 sync and fix it if still present
• Test access restriction for the SA

[dduportal]

Update:

• Retrieve the new credential and apply it in trusted.ci ✅
• Check it work again for azcopy ✅
• Test access restriction for the SA => see [INFRA-3100] Migrate updates.jenkins.io to another Cloud #2649 (comment)

WiP:

• Check error for the aws s3 sync and fix it if still present
• Add a calendar/updatecli process

[dduportal]

WiP: Check error for the aws s3 sync and fix it if still present

• The error is fatal error: An error occurred (Unauthorized) when calling the ListObjectsV2 operation: Unauthorized when trying to S3-sync to the cloudflare bucket
• There is no credential IaC configuration (AFAIR the cloudflare provider for terraform does not support - yet?- credentials generation) in https://github.com/jenkins-infra/cloudflare/blob/main/updates.jenkins.io.tf
  => next step, checking in the Cloudflare UI

[dduportal]

Gotcha: all API tokens have reached their TTL in Cloudflare. It also breaks the jenkins-infra/cloudflare project since last month (at least).

See #2649 (comment)

[dduportal]

Update:

• My hotfixes were reverted in crawler: rsync and azcopy are working fine, but aws s3 fails with UnAuthorized error
• After [INFRA-3100] Migrate updates.jenkins.io to another Cloud #2649 (comment), a manual replay worked with success
• It's failing again because I've added the IP restriction to the R2 token:
  • If the requests come from trusted controller or permanent agent then it is fine
  • However, the outbound IP for the ephemeral agents, since [Sponsorships] Setup the secondary Azure subscription to consume the sponsor credits #3818, is changing. it means we have to add an outbound gateway in the new virtual network or link it to the existing gateway.

[dduportal]

Update:

• Set up custom NAT gateways for the trusted.ci (and cert.ci) sponsored networks to keep the same outbound IP in cleanup(cert,trusted) migrate NAT gateway management to azure-net azure#567, feat(vnets) import existing NAT gateways for cert and trusted networks azure-net#187 and feat(gateways) migrate to module azure-net#188
• Ensured the R2 token can be used from the (new) outbound IP of trusted sponsored NAT gateway: https://github.com/jenkins-infra/terraform-states/commit/31b1e007037338d5aa5134feb106ed0da8cc45e6
• Verified with a set manual build on crawler (2 build to check the outbound IP does not change and is the NAT gateway's, then 1 full build with success)
• Automated SAS expiration date should be prepared (and notified) by updatecli with chore(updatecli): add expiry manifest with date bash scripts azure#566

Todo:

• Ensure crawler still works with SAS Ip restriction to be added

[dduportal]

Job still failing: #2649 (comment)

[dduportal]

Last steps: #2649 (comment)

Last build of crawler built without any problem