refactor: rewrite cert updater script to Python #605
Draft
okurz wants to merge 2 commits into
These certificates are not published somewhere so we need to use `osc` to download them.

This change adds a systemd unit and timer that are supposed to be used in user mode.

It also contains an install target for the systemd units. It is not suited for packaging and mainly to make it clear where the unit should be placed to use them locally. It is also useful for local testing:

```
$ make install-systemd-local DESTDIR=/tmp/install
$ cp -vR /tmp/install/etc/systemd/user/ ~/.config/systemd/
$ systemctl --user daemon-reload
```

Then the timer unit can be tested via:

```
$ systemctl --user start \
    os-autoinst-scripts-update-factory-staging-cert.timer
```

The service units can be tested via:

```
$ systemctl --user start \
    os-autoinst-scripts-update-cert-from-obs@factory-staging.service
$ journalctl --user -u \
    os-autoinst-scripts-update-cert-from-obs@factory-staging.service
Starting Update a certificate from OBS...
certificate written to …/factory/other/fixed/openSUSE-Factory-Staging.crt
Finished Update a certificate from OBS.
```

```
$ systemctl --user start \
    os-autoinst-scripts-update-cert-from-obs@suse-unsupported.service
$ journalctl --user -u \
    os-autoinst-scripts-update-cert-from-obs@suse-unsupported.service
Starting Update a certificate from OBS...
certificate written to …/factory/other/fixed/suse-unsupported.crt
Finished Update a certificate from OBS.
```

This works on my system. On the production hosts we should probably create a dedicated user account with the required osc config and write permissions in the assets directory.

Related ticket: https://progress.opensuse.org/issues/200075
Motivation:
Provide a robust command-line interface with proper --help documentation for the certificate updating script.

Design Choices:
Port the bash script to Python using typer for argument parsing. Relocate installation and usage documentation from README.md to the typer --help block. Add unit tests with 100% statement and branch coverage.

Benefits:
Easier maintenance, better command-line documentation, and rigorous test coverage.
Wabri
requested changes
Jun 17, 2026
| [Service] | ||
| Type=oneshot | ||
| ExecStart=/usr/bin/bash /opt/os-autoinst-scripts/openqa-update-staging-cert /opt/os-autoinst-scripts/config/obs-certs/%i.conf |
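Review bot: the ExecStart line still runs the script through /usr/bin/bash, while this PR ports the updater to Python. If the file at that path is the Python rewrite, bash will try to interpret it as shell and the oneshot unit will fail on every run; invoke the script directly (relying on its shebang) or through the Python interpreter, and check the script name against the one the PR actually installs.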
Member
issue(blocking):
Suggested change
| ExecStart=/usr/bin/bash /opt/os-autoinst-scripts/openqa-update-staging-cert /opt/os-autoinst-scripts/config/obs-certs/%i.conf | |
| ExecStart=/usr/bin/bash /opt/os-autoinst-scripts/openqa-update-staging-cert-from-obs /opt/os-autoinst-scripts/config/obs-certs/%i.conf |
Contributor
That's fixed in my version so this PR is probably not based on the current version of my PR.
Contributor
I don't think the additional 400 lines and additional dependencies are justified here. Let's merge my PR first and see how it works in production.