feat: Add secret for pilots in CI

Robin-Van-de-Merghel · Robin-Van-de-Merghel · commit 9f3cefd3b56b · 2025-08-07T08:55:55.000+02:00
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
@@ -62,7 +62,7 @@ jobs:
     - name: Building wheels
       run: |
         # Clone diracx
-        git clone --single-branch --branch robin-pilot-management https://github.com/Robin-Van-de-Merghel/diracx.git $GITHUB_WORKSPACE/diracx
+        git clone --single-branch --branch robin-pilot-registrations https://github.com/Robin-Van-de-Merghel/diracx.git $GITHUB_WORKSPACE/diracx
 
         # Create dist dir
         mkdir -p $GITHUB_WORKSPACE/diracx-dist
diff --git a/tests/.dirac-ci-config.yaml b/tests/.dirac-ci-config.yaml
@@ -4,7 +4,7 @@ config:
   CLIENT_UPLOAD_BASE64: SSBsaWtlIHBpenphIQo=
   CLIENT_UPLOAD_LFN: LFN:/vo/test_lfn.txt
   CLIENT_UPLOAD_FILE: test_lfn.txt
-  PILOT_INSTALLATION_COMMAND: dirac-pilot.py --modules /home/dirac/LocalRepo/ALTERNATIVE_MODULES/DIRAC -M 2 -N jenkins.cern.ch -Q jenkins-queue_not_important -n DIRAC.Jenkins.ch --pilotUUID=whatever12345 --CVMFS_locations=/home/dirac/ -o diracInstallOnly --wnVO=vo --debug
+  PILOT_INSTALLATION_COMMAND: dirac-pilot.py --modules /home/dirac/LocalRepo/ALTERNATIVE_MODULES/DIRAC -M 2 -N jenkins.cern.ch -Q jenkins-queue_not_important -n DIRAC.Jenkins.ch --pilotUUID=whatever12345 --CVMFS_locations=/home/dirac/ -o diracInstallOnly --wnVO=vo --debug --diracx_URL=http://diracx:8000 --clientID=072afab5-ed92-46e0-a61d-4ecbc96e0770
   PILOT_JSON: "{
         \"timestamp\": \"2023-02-13T14:34:26.725499\",
         \"CEs\": {
@@ -37,7 +37,7 @@ config:
                 \"https://server:9135/Configuration/Server\"
         ]
 }"
-  PILOT_DOWNLOAD_COMMAND: "git clone --single-branch --branch master https://github.com/DIRACGrid/Pilot.git && mv Pilot/Pilot/*.py . && rm -rf Pilot"
+  PILOT_DOWNLOAD_COMMAND: "git clone --single-branch --branch adding-jwt-support https://github.com/Robin-Van-de-Merghel/Pilot.git && mv Pilot/Pilot/*.py . && rm -rf Pilot"
 
 # List of feature variables which must be passed when preparing
 required-feature-flags: []
diff --git a/tests/CI/install_client.sh b/tests/CI/install_client.sh
@@ -94,4 +94,14 @@ if [[ -z "${INSTALLATION_BRANCH}" ]]; then
     echo "    JobName = \"${GITHUB_JOB}_$(date +"%Y-%m-%d_%T" | sed 's/://g')\"" >> test_dl.jdl
     echo "]" >> test_dl.jdl
     dirac-wms-job-submit test_dl.jdl "${DEBUG}" |& tee -a clientTestOutputs.txt
+
+    #-------------------------------------------------------------------------------#
+    if [[ "${TEST_DIRACX:-}" = "Yes" ]]; then
+	    echo -e "*** $(date -u) **** Creates DiracX credentials to run commands ****\n"
+	    installDIRACX cli
+	    setDiracXCreds prod
+	    # Generate secrets
+	    secret=$(dirac pilots generate-pilot-secrets vo 1 | jq -r '.[0].pilot_secret')
+	    echo "$secret" > /ca/certs/pilot_secret.txt
+    fi
 fi
diff --git a/tests/CI/run_pilot.sh b/tests/CI/run_pilot.sh
@@ -42,5 +42,13 @@ elif command -v python2 &> /dev/null; then
   py='python2'
 fi
 
+additional_params=""
+
+if [[ -n "$TEST_DIRACX" && "$TEST_DIRACX" == "Yes" ]]; then
+    # Read the pilot secret from file
+    secret=$(cat /ca/certs/pilot_secret.txt)
+    additional_params="--pilotSecret $secret"
+fi
+
 # shellcheck disable=SC2086
-$py ${PILOT_INSTALLATION_COMMAND}
+$py ${PILOT_INSTALLATION_COMMAND} ${additional_params}
diff --git a/tests/Jenkins/utilities.sh b/tests/Jenkins/utilities.sh
@@ -729,3 +729,45 @@ stopRunsv() {
 
   echo '==> [Done stopRunsv]'
 }
+
+
+
+#.............................................................................
+#
+# setDiracXCreds
+#
+#   gets creds from x509, extract token, and put it in the right place
+#
+#.............................................................................
+setDiracXCreds() {
+    # $1 = DIRAC group
+    local group="$1"
+    local cache_dir="$HOME/.cache/diracx"
+    local creds_file="$cache_dir/credentials.json"
+    local tmpfile
+
+    if [[ -z "$group" ]]; then
+        echo "Usage: setDiracXCreds <DIRAC_GROUP>" >&2
+        return 1
+    fi
+
+    # 1. Init DIRAC proxy
+    dirac-proxy-init -g "$group"
+
+    # 2. Extract DiracX token from proxy PEM
+    tmpfile=$(mktemp)
+    python - <<'EOF' > "$tmpfile"
+from DIRAC.Core.Security.DiracX import diracxTokenFromPEM
+from DIRAC.Core.Security.Locations import getProxyLocation
+import json
+pem_location = getProxyLocation()
+token = diracxTokenFromPEM(pem_location)
+if token:
+    print(json.dumps(token))
+EOF
+
+    # 3. Move to ~/.cache/diracx/credentials.json
+    mkdir -p "$cache_dir"
+    mv "$tmpfile" "$creds_file"
+    echo "DiracX credentials updated at $creds_file"
+}
