From 74ae2b6f628956dfa2cf39c8961076f79d5e9c7b Mon Sep 17 00:00:00 2001 From: Fabian Arrotin Date: Oct 27 2022 15:07:30 +0000 Subject: Added centos-cert STG note and cbs.stg config snippet Signed-off-by: Fabian Arrotin --- diff --git a/docs/auth.md b/docs/auth.md index 0a2af93..e7143de 100644 --- a/docs/auth.md +++ b/docs/auth.md @@ -39,14 +39,17 @@ More informations about 2FA is available on specific [portal documentation](http There is no current form that you can use to be added in a SIG group but you have to reach out to a SIG chair (having delegated rights to add/remove people in the SIG group you want to join) and he can then add you, after having confirmed that you can be onboarded in the SIG -To know people who can "sponsors" you in a SIG/group, you can , once authenticated, search for a group on the portal and then see people listed under the "Sponsors" area (for example, consider the [Automotive SIG](https://accounts.centos.org/group/sig-automotive/) +To know people who can "sponsors" you in a SIG/group, you can , once authenticated, search for a group on the portal and then see people listed under the "Sponsors" area (for example, consider the [Automotive SIG](https://accounts.centos.org/group/sig-automotive/) ) ## Retrieving your TLS certificate To be able to request a signed TLS certificate, you need first to install the cli tool that will use kerberos auth first to request a locally generated (automatic) CSR to be sent to IPA for signing operation and you'll then get your certificate back. -Supported Linux distributions: CentOS 8/8-s , Fedora 32,33,34 +Supported Linux distributions: CentOS Stream 8 (or el8 variant) , Fedora 33 and beyond + +!!! warning + There is currently no centos-packager pkg in epel9 so if you're using el9 (variant) you'll have to use a centos stream 8 or Fedora container ``` sudo dnf install -y epel-release # only if you are on CentOS 8 / 8-stream not needed for Fedora 
@@ -82,6 +85,47 @@ If you've signed up with the account name `tuser`, you can generate your new cer !!! warning Important note WRT OTP: If you have enabled Two Factor auth, you absolutely need to get a valid kerberos ticket through other step *before* using centos-cert. See details on the [Fedora Accounts Documentation](https://docs.fedoraproject.org/en-US/fedora-accounts/user/#twofactor) for this +### TLS part for Staging env + +In case you'd need to interact with .stg. services (like [https://cbs.stg.centos.org](https://cbs.stg.centos.org)) that are relying on TLS auth, it's worth knowing that you'd need to get a different TLS cert. + +That means that you need an account from [https://accounts.stg.centos.org](https://accounts.stg.centos.org) , which isn't linked to production accounts.centos.org IPA backend. + +It's adviced to use a different container or home directory to retrieve your STG cert, and you can just point to [https://fasjson.stg.fedoraproject.org](https://fasjson.stg.fedoraproject.org) url (option `-f` for centos-cert) + +You can manually create (nothing -yet- in `centos-packager` for it) a ~/.koji/cbs-stg.conf that looks like this : + +``` +[cbs-stg] + +;url of XMLRPC server +server = https://cbs.stg.centos.org/kojihub/ + +;url of web interface +weburl = https://cbs.stg.centos.org/koji + +;url of package download site +topurl = http://cbs.stg.centos.org/kojifiles + +;path to the koji top directory +topdir = /mnt/koji + +;client certificate +cert = ~/.centos-stg.cert + +;certificate of the CA that issued the HTTP server certificate +serverca = /etc/pki/tls/certs/ca-bundle.trust.crt + +``` + +!!! warning + You have to also ensure that your TLS file is renamed to correct filename ! + +And you can then call koji like this : + +``` +koji -c ~/.koji/cbs-stg.conf -p cbs-stg +``` ## Linking your CentOS account to gitlab 
diff --git a/docs/img/favicon.png b/docs/img/favicon.png index a383f5e..907e1fb 100755 Binary files a/docs/img/favicon.png and b/docs/img/favicon.png differ
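Review bot: In the `@@ -39,14 +39,17 @@` hunk of docs/auth.md, the unchanged install line still carries the comment `# only if you are on CentOS 8 / 8-stream not needed for Fedora`, which no longer matches the new "CentOS Stream 8 (or el8 variant)" wording just above it. Update that comment in the same change so the supported-distribution list and the install step agree. The new warning about el9 would also be more useful if it said which of the following commands are meant to be run inside the CentOS Stream 8 or Fedora container. Minor style point: the fixed Automotive SIG link now closes with ` )`, with a stray space before the parenthesis.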
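Review bot: In the `@@ -82,6 +85,47 @@` hunk of docs/auth.md, the sample `cbs-stg.conf` sets `topurl = http://cbs.stg.centos.org/kojifiles` while `server` and `weburl` in the same snippet use `https://`. Since readers will copy this file verbatim, use `https://` for `topurl` as well if the staging host serves it, or add a short comment explaining why plain HTTP is intended there. The warning "You have to also ensure that your TLS file is renamed to correct filename !" does not say which filename is meant; name it explicitly to match the `cert = ~/.centos-stg.cert` line in the snippet, so a production certificate is not reused or overwritten by mistake. Typo in the same hunk: "adviced" should be "advised".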