From 5713e28c3385305d3fb5571dd909e1abe36b2e88 Mon Sep 17 00:00:00 2001 From: Denys Fedoryshchenko Date: Fri, 1 May 2026 13:39:26 +0300 Subject: [PATCH] config: Enable AWS/rpm testing on staging Signed-off-by: Denys Fedoryshchenko --- config/jobs.yaml | 1 + doc/install.md | 15 +++++++++++++++ kube/aks/kernelci-secrets.toml.example | 10 ++++++++++ 3 files changed, 26 insertions(+) diff --git a/config/jobs.yaml b/config/jobs.yaml index 45ad2aa9c..9b10647e7 100644 --- a/config/jobs.yaml +++ b/config/jobs.yaml @@ -1591,6 +1591,7 @@ jobs: - 'stable' - 'stable-rc' - 'next' + - 'kernelci' blktests-ddp-x86: template: blktests-ddp.jinja2 diff --git a/doc/install.md b/doc/install.md index d2f27d45e..5fa83976e 100644 --- a/doc/install.md +++ b/doc/install.md @@ -34,8 +34,23 @@ In the configuration file, you need to have the following section: ``` [jwt] secret = "ABCDEFGH..." +# Optional: shared HS256 key accepted as a fallback alongside `secret`. +# Set to the same value used by kernelci-api (UNIFIED_SECRET), +# kernelci-storage (unified_secret) and kcidb-restd-rs (UNIFIED_SECRET) +# so a single token authenticates a user across all KernelCI services. +# See UNIFIED_TOKEN.md in the kernelci-deploy repo for the full spec. +#unified_secret = "ABCDEFGH..." ``` +Generate either secret with: +``` +openssl rand -hex 32 +``` + +The pipeline `lava-callback` validates incoming JWTs against `secret` first +and falls back to `unified_secret` on signature failure (see +`decode_jwt()` in `src/lava_callback.py`). + ## Generating tokens for user You can use the `jwt_generator.py` script in the tools directory to generate user tokens. diff --git a/kube/aks/kernelci-secrets.toml.example b/kube/aks/kernelci-secrets.toml.example index 1498213e6..294e83602 100644 --- a/kube/aks/kernelci-secrets.toml.example +++ b/kube/aks/kernelci-secrets.toml.example 
@@ -25,6 +25,16 @@ origin = "kernelci_api" [timeout] +# JWT secret used by lava-callback to validate incoming Pipeline API tokens. +# `secret` is the legacy per-service key; `unified_secret` is the shared +# HS256 key also installed on kernelci-api (UNIFIED_SECRET), +# kernelci-storage (unified_secret) and kcidb-restd-rs (UNIFIED_SECRET). +# Generate either with `openssl rand -hex 32`. See UNIFIED_TOKEN.md in +# the kernelci-deploy repo for the full spec. +#[jwt] +#secret = "REPLACE-WITH-PIPELINE-JWT-SECRET" +#unified_secret = "REPLACE-WITH-UNIFIED-SECRET" + [storage.staging] storage_cred = "/home/kernelci/data/ssh/id_rsa_tarball"
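Review bot: The comment block added above the commented-out `[jwt]` table does not say that `unified_secret` is optional or what sharing it implies, although the doc/install.md hunk in this same patch marks it optional. HS256 is symmetric, so every service that holds the key can also sign tokens the others accept, and the example should say so, e.g. `# Optional. unified_secret is a symmetric key: any service holding it can sign tokens the others accept, so leave it unset unless cross-service tokens are needed.` The `REPLACE-WITH-...` placeholders are valid strings once uncommented, so a line such as `# Replace both placeholders before uncommenting; never deploy the literal values.` would help, ideally backed by a startup check in the consumer (not visible in this patch) that rejects them. Because the block sits directly under the `[timeout]` header, uncommenting `secret` without `#[jwt]` would put the key in the `[timeout]` table, so the comment should also say to uncomment the header together with the keys.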