[FOLIO-2535] update pr preview pipeline to use authenticated requests to /_/discovery/interfaces Created: 25/Mar/20  Updated: 03/Jun/20  Resolved: 08/Apr/20

Status: Closed
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: Task Priority: P2
Reporter: Ian Hardy Assignee: John Malconian
Resolution: Done Votes: 0
Labels: devops-backlog
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Blocks
blocks FOLIO-2471 Test PR Preview Process for a Single ... Closed
Relates
relates to FOLIO-2536 update module deployment pipeline to ... Closed
Sprint: DevOps: sprint 85
Development Team: FOLIO DevOps

 Description   

Since we updated okpai, we also need to update any GET requests to /_/discovery/modules/... to use an x-okapi-tenant header for the supertenant user:

example error

[Pipeline] readJSON (hide)
[Pipeline] echo
Mod: mod-calendar-1.8.0
[Pipeline] httpRequest
HttpMethod: GET
URL: https://okapi-default.ci.folio.org/_/discovery/modules/mod-calendar-1.8.0
Content-Type: application/json; charset=UTF-8
Accept: application/json
Sending request to url: https://okapi-default.ci.folio.org/_/discovery/modules/mod-calendar-1.8.0
Response Code: HTTP/1.1 403 Forbidden


 Comments   
Comment by Ian Hardy [ 26/Mar/20 ]

Checked that x-okapi-token was getting passed in ansible role since okapi now requires a read permission for discovery/modules. Found that it was, and was still getting errors about missing okapi.discovery.get even when the super admin user has okapi.all.

Found that disablling mod-authtoken and mod-permissions and then re-enabling them picked up the new permission and now we can successfully complete the failing call.

Comment by Bohdan Suprun (Inactive) [ 26/Mar/20 ]

Hi Ian Hardy,

Is it already resolved? I'm able to reproduce it again:

Jenkins job: https://jenkins-aws.indexdata.com/blue/organizations/jenkins/folio-org%2Fplatform-core/detail/PR-554/4/pipeline
PR: https://github.com/folio-org/platform-core/pull/554
Branch: FOLIO-2471-item-mark-withdrawn-preview against platform-core repo.

Thank you,
Bohdan

Comment by Bohdan Suprun (Inactive) [ 26/Mar/20 ]

Reopening while waiting for clarification.

Comment by Ian Hardy [ 26/Mar/20 ]

You're right. User has required permissions now, but must not be including them in that request

Comment by John Malconian [ 26/Mar/20 ]

The PR preview pipeline has been updated to include supertenant authentication to /_/discovery endpoints. PR-554 in platform-core, however, still fails because the versions of mod-inventory and mod-inventory-storage artifact specified in .pr-custom-deps are specifiied incorrectly. More info in the PR comments. We may need to have Jenkins update the Github comments with the version of the artifact deployed so that developers don't need to dig out the version from the build logs.

Also fixed a bug where docker images tagged with PR preview versions were not cleaned up properly which left stray artifacts on Jenkins build nodes.

Comment by Bohdan Suprun (Inactive) [ 26/Mar/20 ]

Thanks Ian Hardy, John Malconian!

The authentication issue disappeared. However I'm getting No running instances for module mod-inventory-storage-19.2.0-SNAPSHOT.420.5. Can not invoke /_/tenant issue now.

But `https://okapi-preview.ci.folio.org/_/proxy/modules/mod-inventory-storage-19.2.0-SNAPSHOT.420.5` returns the descriptor. So the versions and descriptor should be correct.

Do I need to raise a separate issue for this?

Comment by John Malconian [ 26/Mar/20 ]

No separate issues. Let's keep everything related to this PR in this Jira. I'll look into the last reported error.

Comment by John Malconian [ 26/Mar/20 ]

There appears to be an issue with module deployment to the preview namespace. Working with Ian to resolve.

Comment by John Malconian [ 30/Mar/20 ]

Bohdan Suprun
Preview environment for this PR has been built.

Tenant: platform_core_554_9
URL: https://platform-core-554.s3.amazonaws.com/index.html

Comment by Bohdan Suprun (Inactive) [ 30/Mar/20 ]

Hi John Malconian,

Looks great, thank you!

Could you please advice what username/password should I use to log in?

Comment by Ian Hardy [ 30/Mar/20 ]

Hi Bohdan Suprun, Username will always be $SOMETENANT_admin and the password is just admin, so in this case: platform_core_554_9_admin / admin

Comment by Jakub Skoczen [ 01/Apr/20 ]

Blocked IN REVIEW until we get feedback from devs that the fix worked.

Comment by Bohdan Suprun (Inactive) [ 08/Apr/20 ]

Hi Ian Hardy, John Malconian,

Everything seems fine for now. Closing the issue. Will reopen if needed.

Thank you!

Generated at Thu Feb 08 23:21:22 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.