diff --git a/docs/configuration_file.md b/docs/configuration_file.md
index 3ea34af..c200e86 100644
--- a/docs/configuration_file.md
+++ b/docs/configuration_file.md
@@ -53,6 +53,12 @@ Some options are also mandatory.
* `koji_certs_secret` (*optional*, `string`) — name of [kubernetes secret](https://github.com/kubernetes/kubernetes/blob/master/docs/design/secrets.md) to use for koji authentication
+* `koji_use_kerberos` (*optional*, `boolean`) — will set [atomic-reactor](https://github.com/projectatomic/atomic-reactor) plugins to use kerberos to authenticate to koji.
+
+* `koji_kerberos_keytab` (*optional*, `string`) - location of the keytab that will be used to initialize kerberos credentials for [atomic-reactor](https://github.com/projectatomic/atomic-reactor) plugins - usually in the form `FILE:<absolute_path>`, see [kerberos documentation](http://web.mit.edu/Kerberos/krb5-latest/doc/basic/keytab_def.html) for other possible values
+
+* `koji_kerberos_principal` (*optional*, `string`) - kerberos principal for the keytab provided in `koji_kerberos_keytab`
+
* `sources_command` (*optional*, `string`) — command to use to get dist-git artifacts from lookaside cache (e.g. `fedpkg sources`)
* `username`, `password` (*optional*, `string`) — when OpenShift is hidden behind authentication proxy, you can specify username and password for basic authentication
diff --git a/inputs/prod_inner.json b/inputs/prod_inner.json
index 306ac89..d2b5b4e 100644
--- a/inputs/prod_inner.json
+++ b/inputs/prod_inner.json
@@ -154,7 +154,9 @@
"kojihub": "{{KOJI_HUB}}",
"url": "{{OPENSHIFT_URI}}",
"verify_ssl": false,
- "blocksize": 10485760
+ "blocksize": 10485760,
+ "koji_keytab": false,
+ "koji_principal": false
}
},
{
diff --git a/osbs/api.py b/osbs/api.py
index 1a8e5c5..8d1883c 100644
--- a/osbs/api.py
+++ b/osbs/api.py
@@ -393,6 +393,9 @@ class OSBS(object):
koji_target=target,
koji_certs_secret=self.build_conf.get_koji_certs_secret(),
koji_task_id=koji_task_id,
+ koji_use_kerberos=self.build_conf.get_koji_use_kerberos(),
+ koji_kerberos_keytab=self.build_conf.get_koji_kerberos_keytab(),
+ koji_kerberos_principal=self.build_conf.get_koji_kerberos_principal(),
architecture=architecture,
vendor=self.build_conf.get_vendor(),
build_host=self.build_conf.get_build_host(),
diff --git a/osbs/build/build_request.py b/osbs/build/build_request.py
index a890d0b..9f9824a 100644
--- a/osbs/build/build_request.py
+++ b/osbs/build/build_request.py
@@ -486,7 +486,13 @@ class BuildRequest(object):
if use_auth is not None:
self.dj.dock_json_set_arg('exit_plugins', 'koji_promote',
- 'use_auth', use_auth)
+ 'use_auth', use_auth)
+
+ if self.spec.koji_use_kerberos.value:
+ self.dj.dock_json_set_arg('exit_plugins', 'koji_promote',
+ 'koji_principal', self.spec.koji_kerberos_principal.value)
+ self.dj.dock_json_set_arg('exit_plugins', 'koji_promote',
+ 'koji_keytab', self.spec.koji_kerberos_keytab.value)
else:
logger.info("removing koji_promote from request as no kojihub "
"specified")
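Review bot: The new `if self.spec.koji_use_kerberos.value:` branch writes `koji_principal` and `koji_keytab` into the koji_promote args without checking that either value is set. Both are declared with `allow_none=True` in osbs/build/spec.py and are optional in the configuration, so enabling kerberos without a keytab or principal would put `None` into the plugin arguments. The authentication failure would then presumably surface only inside the build, when the exit plugin runs. I would guard the branch with `if not (self.spec.koji_kerberos_keytab.value and self.spec.koji_kerberos_principal.value):` and raise a validation error naming the missing option, so the request is rejected at render time. The enclosing method starts before this hunk and continues after it.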
diff --git a/osbs/build/spec.py b/osbs/build/spec.py
index 1f68281..bcab0fe 100644
--- a/osbs/build/spec.py
+++ b/osbs/build/spec.py
@@ -147,6 +147,9 @@ class BuildSpec(object):
kojihub = BuildParam("kojihub", allow_none=True)
koji_certs_secret = BuildParam("koji_certs_secret", allow_none=True)
koji_task_id = BuildParam("koji_task_id", allow_none=True)
+ koji_use_kerberos = BuildParam("koji_use_kerberos", allow_none=True)
+ koji_kerberos_principal = BuildParam("koji_kerberos_principal", allow_none=True)
+ koji_kerberos_keytab = BuildParam("koji_kerberos_keytab", allow_none=True)
image_tag = BuildParam("image_tag")
pulp_secret = BuildParam("pulp_secret", allow_none=True)
pulp_registry = BuildParam("pulp_registry", allow_none=True)
@@ -197,7 +200,8 @@ class BuildSpec(object):
sources_command=None, architecture=None, vendor=None,
build_host=None, authoritative_registry=None, distribution_scope=None,
koji_target=None, kojiroot=None, kojihub=None, koji_certs_secret=None,
- koji_task_id=None,
+ koji_use_kerberos=None, koji_kerberos_keytab=None,
+ koji_kerberos_principal=None, koji_task_id=None,
source_secret=None, # compatibility name for pulp_secret
pulp_secret=None, pulp_registry=None, pdc_secret=None, pdc_url=None,
smtp_uri=None, nfs_server_path=None,
@@ -240,6 +244,9 @@ class BuildSpec(object):
self.kojiroot.value = kojiroot
self.kojihub.value = kojihub
self.koji_certs_secret.value = koji_certs_secret
+ self.koji_use_kerberos.value = koji_use_kerberos
+ self.koji_kerberos_principal.value = koji_kerberos_principal
+ self.koji_kerberos_keytab.value = koji_kerberos_keytab
self.koji_task_id.value = koji_task_id
self.pulp_secret.value = pulp_secret or source_secret
self.pulp_registry.value = pulp_registry
diff --git a/osbs/conf.py b/osbs/conf.py
index bb92ca7..324fdbf 100644
--- a/osbs/conf.py
+++ b/osbs/conf.py
@@ -211,6 +211,15 @@ class Configuration(object):
def get_koji_certs_secret(self):
return self._get_value("koji_certs_secret", self.conf_section, "koji_certs_secret")
+ def get_koji_use_kerberos(self):
+ return self._get_value("koji_use_kerberos", self.conf_section, "koji_use_kerberos", is_bool_val=True)
+
+ def get_koji_kerberos_keytab(self):
+ return self._get_value("koji_kerberos_keytab", self.conf_section, "koji_kerberos_keytab")
+
+ def get_koji_kerberos_principal(self):
+ return self._get_value("koji_kerberos_principal", self.conf_section, "koji_kerberos_principal")
+
def get_sources_command(self):
return self._get_value("sources_command", self.conf_section, "sources_command")
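Review bot: The three new getters have no docstrings, and they do not behave alike: `get_koji_use_kerberos` passes `is_bool_val=True`, while the keytab and principal getters return the configured value as-is. I would add one-line docstrings, for example `"""Return the keytab location (usually FILE:<absolute_path>) used to initialize kerberos credentials for koji."""` on `get_koji_kerberos_keytab`. The docstring should also say that the value is only a location. The keytab behind it is a long-lived credential, so the documentation should state where the file is expected to live in the build environment and that only the build user should be able to read it.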
diff --git a/tests/build/test_build_request.py b/tests/build/test_build_request.py
index add97d3..c10de7e 100644
--- a/tests/build/test_build_request.py
+++ b/tests/build/test_build_request.py
@@ -1279,6 +1279,57 @@ class TestBuildRequest(object):
koji_certs_secret_name)
assert get_plugin(plugins, 'exit_plugins', 'koji_promote')['args']['koji_ssl_certs'] == mount_path
+ def test_render_prod_request_with_koji_kerberos(self, tmpdir):
+ self.create_image_change_trigger_json(str(tmpdir))
+ build_request = BuildRequest(str(tmpdir))
+ name_label = "fedora/resultingimage"
+ push_url = "ssh://{username}git.example.com/git/{component}.git"
+ koji_task_id = 1234
+ koji_use_kerberos = True
+ koji_kerberos_keytab = "FILE:/tmp/fakekeytab"
+ koji_kerberos_principal = "myprincipal@OSBSDOMAIN.COM"
+ kwargs = {
+ 'git_uri': TEST_GIT_URI,
+ 'git_ref': TEST_GIT_REF,
+ 'git_branch': TEST_GIT_BRANCH,
+ 'user': "john-foo",
+ 'component': TEST_COMPONENT,
+ 'base_image': 'fedora:latest',
+ 'name_label': name_label,
+ 'registry_uri': "example.com",
+ 'openshift_uri': "http://openshift/",
+ 'builder_openshift_url': "http://openshift/",
+ 'koji_target': "koji-target",
+ 'kojiroot': "http://root/",
+ 'kojihub': "http://hub/",
+ 'sources_command': "make",
+ 'koji_task_id': koji_task_id,
+ 'koji_use_kerberos': koji_use_kerberos,
+ 'koji_kerberos_keytab': koji_kerberos_keytab,
+ 'koji_kerberos_principal': koji_kerberos_principal,
+ 'vendor': "Foo Vendor",
+ 'authoritative_registry': "registry.example.com",
+ 'distribution_scope': "authoritative-source-only",
+ 'registry_api_versions': ['v1'],
+ 'git_push_url': push_url.format(username='', component=TEST_COMPONENT),
+ 'git_push_username': 'example',
+ }
+ build_request.set_params(**kwargs)
+ build_json = build_request.render()
+
+ assert build_json["metadata"]["labels"]["koji-task-id"] == str(koji_task_id)
+
+ plugins = get_plugins_from_build_json(build_json)
+ assert get_plugin(plugins, "exit_plugins", "koji_promote")
+ assert plugin_value_get(plugins, "exit_plugins", "koji_promote",
+ "args", "kojihub") == kwargs["kojihub"]
+ assert plugin_value_get(plugins, "exit_plugins", "koji_promote",
+ "args", "url") == kwargs["openshift_uri"]
+
+ assert get_plugin(plugins, 'exit_plugins', 'koji_promote')['args']['koji_principal'] == koji_kerberos_principal
+ assert get_plugin(plugins, 'exit_plugins', 'koji_promote')['args']['koji_keytab'] == koji_kerberos_keytab
+
+
@pytest.mark.parametrize(('base_image', 'is_custom'), [
('fedora', False),
('fedora:latest', False),
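Review bot: `test_render_prod_request_with_koji_kerberos` covers only the enabled path. Nothing asserts that with `koji_use_kerberos` unset or false the `koji_keytab` and `koji_principal` args keep the `false` defaults from inputs/prod_inner.json, and nothing pins what happens when kerberos is enabled but the keytab or principal is missing. A `@pytest.mark.parametrize` over `koji_use_kerberos` on this test, asserting the default values in the disabled case, would cover the first gap. The parametrized test that follows the new method continues outside this hunk.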