ci/lava: Pass JWT separately from environment variables
authorDaniel Stone <daniels@collabora.com>
Thu, 10 Jun 2021 10:26:38 +0000 (11:26 +0100)
committerMarge Bot <eric+marge@anholt.net>
Fri, 11 Jun 2021 12:13:00 +0000 (12:13 +0000)
As the JWT is sensitive, we don't want to record or leak it anywhere.
Doing this lets us run --dump-yaml in normal execution so we can
artifact the result, as well as bringing us into line with bare-metal.

Signed-off-by: Daniel Stone <daniels@collabora.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/11309>

.gitlab-ci/lava/lava-gitlab-ci.yml
.gitlab-ci/lava/lava.yml.jinja2
.gitlab-ci/lava/lava_job_submitter.py

index f633019..c7d001c 100644 (file)
@@ -6,7 +6,7 @@
   variables:
     GIT_STRATEGY: none # testing doesn't build anything from source
     ENV_VARS: "DEQP_PARALLEL=6"
-    FIXED_ENV_VARS: "CI_PIPELINE_ID=${CI_PIPELINE_ID} CI_JOB_ID=${CI_JOB_ID} CI_PAGES_DOMAIN=${CI_PAGES_DOMAIN} CI_PROJECT_NAME=${CI_PROJECT_NAME} CI_PROJECT_DIR=${CI_PROJECT_DIR} CI_PROJECT_PATH=${CI_PROJECT_PATH} CI_PROJECT_ROOT_NAMESPACE=${CI_PROJECT_ROOT_NAMESPACE} CI_JOB_JWT=${CI_JOB_JWT} CI_SERVER_URL=${CI_SERVER_URL} DRIVER_NAME=${DRIVER_NAME} FDO_UPSTREAM_REPO=${FDO_UPSTREAM_REPO} PIGLIT_NO_WINDOW=1 PIGLIT_REPLAY_UPLOAD_TO_MINIO=1 MINIO_HOST=${MINIO_HOST} LAVA_TEST_SCRIPT=${LAVA_TEST_SCRIPT} VK_DRIVER=${VK_DRIVER} FLAKES_CHANNEL=${FLAKES_CHANNEL}"
+    FIXED_ENV_VARS: "CI_PIPELINE_ID=${CI_PIPELINE_ID} CI_JOB_ID=${CI_JOB_ID} CI_PAGES_DOMAIN=${CI_PAGES_DOMAIN} CI_PROJECT_NAME=${CI_PROJECT_NAME} CI_PROJECT_DIR=${CI_PROJECT_DIR} CI_PROJECT_PATH=${CI_PROJECT_PATH} CI_PROJECT_ROOT_NAMESPACE=${CI_PROJECT_ROOT_NAMESPACE} CI_SERVER_URL=${CI_SERVER_URL} DRIVER_NAME=${DRIVER_NAME} FDO_UPSTREAM_REPO=${FDO_UPSTREAM_REPO} PIGLIT_NO_WINDOW=1 PIGLIT_REPLAY_UPLOAD_TO_MINIO=1 MINIO_HOST=${MINIO_HOST} LAVA_TEST_SCRIPT=${LAVA_TEST_SCRIPT} VK_DRIVER=${VK_DRIVER} FLAKES_CHANNEL=${FLAKES_CHANNEL}"
     DEQP_VERSION: gles2
     ARTIFACTS_PREFIX: "https://${MINIO_HOST}/mesa-lava"
     MESA_URL: "http://caching-proxy/cache/?uri=https://${MINIO_HOST}/artifacts/${CI_PROJECT_PATH}/${CI_PIPELINE_ID}/mesa-${ARCH}.tar.gz"
@@ -29,6 +29,7 @@
         --device-type ${DEVICE_TYPE} \
         --dtb ${DTB} \
         --env-vars "${ENV_VARS} ${FIXED_ENV_VARS}" \
+        --jwt "${CI_JOB_JWT}" \
         --deqp-version ${DEQP_VERSION} \
         --kernel-image-name ${KERNEL_IMAGE_NAME} \
         --kernel-image-type "${KERNEL_IMAGE_TYPE}" \
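Review bot: Passing the token as `--jwt "${CI_JOB_JWT}"` puts it on the submitter's command line, where it is readable through the process list (`/proc/<pid>/cmdline`) on the runner while the script runs. It would also be echoed to the job log if this script block ever runs under shell tracing (`set -x`). GitLab already exports `CI_JOB_JWT` into the job environment, so the submitter could read it from its own environment (`os.environ`) and the `--jwt` option in lava_job_submitter.py would not be needed. The script block continues outside this hunk, so whether tracing is enabled cannot be seen from here.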
index 9c7a379..f0f98a5 100644 (file)
@@ -96,6 +96,7 @@ actions:
 {% if env_vars %}
           - export {{ env_vars }}
 {% endif %}
+          - export CI_JOB_JWT="{{ jwt }}"
 
           # runner script assumes some stuff is in pwd
           - cd /
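Review bot: The added `export CI_JOB_JWT="{{ jwt }}"` line is emitted unconditionally, whereas the `env_vars` export just above it is guarded. A run without `--jwt` leaves the value as `None`, which Jinja's default rendering would turn into `CI_JOB_JWT="None"` in the job. Wrapping the line in `{% if jwt %}` and `{% endif %}` would keep the two exports consistent. The real token is also still part of the job definition submitted to LAVA, so anyone who can view stored job definitions or the device shell log there can presumably read it. Job visibility on the LAVA side is worth confirming.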
index 0978c5c..5fee2d7 100755 (executable)
@@ -67,10 +67,13 @@ def generate_lava_yaml(args):
     values['env_vars'] = env_vars
     values['deqp_version'] = args.deqp_version
 
-    yaml = template.render(values)
-
     if args.dump_yaml:
-        print(yaml)
+        dump_values = values
+        dump_values['jwt'] = 'xxx'
+        print(template.render(dump_values))
+
+    values['jwt'] = args.jwt
+    yaml = template.render(values)
 
     return yaml
 
@@ -208,6 +211,7 @@ if __name__ == '__main__':
     parser.add_argument("--boot-method")
     parser.add_argument("--lava-tags", nargs='?', default="")
     parser.add_argument("--env-vars", nargs='?', default="")
+    parser.add_argument("--jwt")
     parser.add_argument("--deqp-version")
     parser.add_argument("--ci-node-index")
     parser.add_argument("--ci-node-total")
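Review bot: In the `generate_lava_yaml` hunk, `dump_values = values` binds a second name to the same dict rather than copying it, so the `'xxx'` placeholder is written into `values` itself. The redaction is only correct because `values['jwt'] = args.jwt` happens to run afterwards; a later reordering would either submit the placeholder or print the real token. Rendering the dump from a copy avoids that: `print(template.render(dict(values, jwt='xxx')))`. The function starts above the hunk, so how `values` is built is not visible here.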