Jacamar CI v0.4.0
Release: v0.4.0
Date: 01/25/2021
General Notes
Migrated two internal packages to now support a public API for key functionality used across multiple ECP CI projects (!58):
pkg/gitlabjwt: Supported workflow for validating both the signature and key claims found in the CI_JOB_JWT. This JWT is validated against your GitLab instance's JWKS endpoint (e.g., https://gitlab.com/-/jwks).
pkg/rules: Validation for shared variables relating to either Jacamar specifically or the ECP CI effort as a whole. All checks that have been defined realize the validator.
Addresses potential case in which failed Cobalt/Slurm jobs did not observe a defined NFS timeout/delay (!81).
This could only have occurred when artifacts are defined to occur on_failure.
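The validation flow described for pkg/gitlabjwt above (signature checked against a JWKS key, then claims), written out as an added Go example using only the standard library; it is not code from Jacamar CI and does not show the pkg/gitlabjwt API. The names VerifyJobJWT and demo, the issuer gitlab.example.com, the kid k1 and the key pair generated at run time are constructed for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding

// VerifyJobJWT (illustrative, not Jacamar's API): pin RS256, pick the JWKS key by kid, verify, check iss and exp.
func VerifyJobJWT(token string, jwks []byte, issuer string, now int64) error {
	var hdr struct{ Alg, Kid string }
	var set struct{ Keys []struct{ Kid, N, E string } }
	var c struct{ Iss string; Exp int64 }
	dec := func(s string) []byte { b, _ := b64.DecodeString(s); return b }
	p := strings.Split(token, ".")
	if len(p) != 3 || json.Unmarshal(jwks, &set) != nil || json.Unmarshal(dec(p[0]), &hdr) != nil || hdr.Alg != "RS256" {
		return fmt.Errorf("malformed input or alg is not RS256") // "none" and HMAC tokens stop here
	}
	sum := sha256.Sum256([]byte(p[0] + "." + p[1]))
	for _, k := range set.Keys {
		pub := &rsa.PublicKey{N: new(big.Int).SetBytes(dec(k.N)), E: int(new(big.Int).SetBytes(dec(k.E)).Int64())}
		if k.Kid != hdr.Kid || pub.N.BitLen() < 2048 || rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], dec(p[2])) != nil {
			continue // other key, modulus under 2048 bits, or signature mismatch
		}
		if json.Unmarshal(dec(p[1]), &c) != nil || c.Iss != issuer || c.Exp <= now {
			return fmt.Errorf("issuer or expiry check failed") // claims are read only after the signature verifies
		}
		return nil
	}
	return fmt.Errorf("no JWKS key verifies this token")
}

func demo(alg, issuer string, now int64) error { // constructed sample: throwaway key, its JWKS, a token signed with it
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	jwks := fmt.Sprintf(`{"keys":[{"kid":"k1","kty":"RSA","n":%q,"e":"AQAB"}]}`, b64.EncodeToString(key.N.Bytes()))
	msg := b64.EncodeToString([]byte(`{"alg":"`+alg+`","kid":"k1"}`)) + "." + b64.EncodeToString([]byte(`{"iss":"gitlab.example.com","exp":2000000000}`))
	sum := sha256.Sum256([]byte(msg))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	return VerifyJobJWT(msg+"."+b64.EncodeToString(sig), []byte(jwks), issuer, now)
}

func main() { fmt.Println(demo("RS256", "gitlab.example.com", 1700000000)) }
```

In a deployment the JWKS bytes would come from the GitLab instance's JWKS endpoint rather than from a key generated alongside the token.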
Admin Notes
The cleanup stage (clean subcommand) will now require the configuration file be provided with the --configuration argument (!71).
This change is important to aligning with the custom executor's implementation of logging in the cleanup_exec stage.
Previously deployed instances of Jacamar-Auth did not require a second --configuration argument and will need to be manually updated to align with the new requirement.
Integrated all Federation information/context into the RunAs validation scripts, removing Federation only scripting requirements (!65, !86).
See the updated federated documentation for details.
This is a potentially important change for deployments that are leveraging Federation functionality, as it alters and, to a greater degree, simplifies the authorization flow.
Pre-RunAs list (allow/block) validation can now optionally be enabled via the configuration (!68).
    [auth]
      lists_pre_validation = true
      ...
In previous iterations this ran regardless of configuration immediately prior to RunAs validation. By integrating Federation validation into RunAs, maintaining the separate lists is no longer required.
Jacamar subcommand (jacamar translate) added to "translate" a runner configuration from the forked deployment to a currently observed Jacamar configuration (!63).
    $ jacamar translate --help
    Usage: jacamar translate SOURCE TARGET

    Positional arguments:
      SOURCE                 The GitLab configuration TOML you wish to translate (default: /etc/gitlab-runner/config.toml).
      TARGET                 Optional target file for the newly generated Jacamar configuration file, default to current working directory when not provided.

    Options:
      --help, -h             display this help and exit
      --version              display version and exit
Added experimental plugin support for RunAs validation (!76).
To avoid Go issues, shared context between Jacamar and an admin-defined plugin is established via the Jacamar Plugins project.
jacamar-auth now supports an --unobfuscated flag that allows all errors to appear regardless of stage (!83).
    [runners.custom]
      config_args = ["--unobfuscated", "config", ...]
      ...
All errors relating to authorization, job context identification, user downscoping, and JWT validation are replaced in the user job log with generic error messages by default.
Update supported GitLab-Runner to version 13.7.0, with minimized patching requirements (!72).
Added configurable timeout for Jacamar-Auth to wait before sending SIGKILL (!71).
Updated OLCF focused testing structure for Ascent (!62).
Bug & Development Fixes
Updated to Go release 1.15.6 (!64).
Correctly establish default values for configuration in all cases (!71).
Cleaner error handling within jacamar-auth to enforce default obfuscation for any potentially sensitive error (!74).
Correctly leverage _prefix macro in RPM spec (!79).
Added Go/GCC to Pavilion containers and updated associated test scripts to build Jacamar requirements (!78, !80).
System logging of jacamar-auth now handled through the Logrus packages (!82).
Improve RPM related make commands (!85).