[ Bug ] Disabling email login break Python token generation script - Githubissues

seqeralabs / cx-field-tools-installer

Unofficial Terraform solution to help clients install Seqera Platform

Apache License 2.0

3 stars 1 forks source link

[ Bug ] Disabling email login break Python token generation script #136

Open gwright99 opened 3 months ago

gwright99 commented 3 months ago

Setting flag_disable_email_login = true in terraform.tfvars appears to cause the _get_access_token.py script to fail.

The script does not fail when email is allowed.

gwright99 commented 3 months ago

As per Seqera Engineering:

Setting flag_disable_email_login = true causes an error to be returned by the {TOWER_API_ENDPOINT}/gate/access endpoint if called with an email address.
The token script calls this endpoint to initiate the token generation.
OIDC flow as a replacement is a non-starter -- this would be happening on an instance with a pre-existing IDP session.

Potential Short-Term Workarounds

Don't allow flag_run_seqerakit = true if flag_disable_email_login = true Automation logic would not need to change, but it means seqerakit could not be run on the very first deployment.
Boot Tower with email enabled, generate a token, stop Tower, update tower.yml to disable email, reboot Tower, run Seqerakit. This is super clunky and I hate it. Multiple new branches of logic will need to be created.
Other solution?

Potential Long-Term Workarounds

Have Tower generate a root PAT on first invocation (like Gitlab).