Take a root URL as configuration, required Pass root URL to taskcluster-proxy pass TASKCLUSTER_PROXY_URL and TASKCLUSTER_ROOT_URL to tasks

> Take a root URL as configuration, required - bug 1469617 > Pass root URL to taskcluster-proxy > pass TASKCLUSTER_PROXY_URL and TASKCLUSTER_ROOT_URL to tasks - https://github.com/taskcluster/docker-worker/pull/418 (Note that this can't land until bug 1460015 does..)

I know at least one user of Taskcluster is creating artifacts on the current task directly from within the task, via tc-proxy. The problem is, this functionality depends on a bug in an old version of tc-proxy, and docker-worker was never upgraded to use newer versions. Docker-worker invokes tc-proxy as --client-id=.. --access-token=.. --certificate=.. <scope1> <scope2> .. where the <scope1> .. come from task.scopes. Here's the bug: in taskcluster-proxy-4.0.1, if `--task-id` is not given, then the additional scopes are ignored and the proxy uses the full credentials of the task claim, which include queue:create-artifact:<taskId>/<runId>. This bug was fixed in 4.1.0 (https://github.com/taskcluster/taskcluster-proxy/pull/31) but that was never deployed. So tasks have been running with additional scopes available via the proxy, specifically allowing those tasks to upload artifacts. And at least some tasks have taken advantage of that functionality. To make matters worse, the current queue API requires the following for createArtifact: any of queue:create-artifact:<taskId>/<runId> or all of queue:create-artifact:<name> and assume:worker-id:<workerGroup>/<workerId> and neither the <taskId> nor <workerGroup> are known at task creation time, so those cannot be hard-coded into the task definition. In other words, if we "fix" this bug, then it's impossible to upload artifacts during task execution -- and that's a feature we do not want to remove. I am going to apply the following solution: workers will supply the task's scopes to the proxy, as well as queue:create-artifact:<taskId>/<runId>. I'll do the same in generic-worker.

https://github.com/taskcluster/docker-worker/pull/421 is somewhat related here, too..

Commits pushed to master at https://github.com/taskcluster/docker-worker https://github.com/taskcluster/docker-worker/commit/5fc3ef962587c6e1ed69b163f9c9e5027f5b89a7 Bug 1508383 - set TASKCLUSTER_{ROOT,PROXY}_URL for tasks https://github.com/taskcluster/docker-worker/commit/0f8016f9f41ab5837f9e7923b4948b1d44dc5746 Bug 1508383 - pass --root-url to taskcluster-proxy https://github.com/taskcluster/docker-worker/commit/e27ee553976bfd0c3be567516267cd2f4671d758 Bug 1508383 - allow proxy to create artifacts, too https://github.com/taskcluster/docker-worker/commit/415273af4820e926cc861cb115d8e88d13291f30 Bug 1508383 - update docs https://github.com/taskcluster/docker-worker/commit/9dbb6d7377b033ecf2179ce3dac9ea3350c11498 Merge pull request #418 from djmitche/bug1508383 Bug 1508383 - pass TASKCLUSTER_{ROOT,PROXY}_URL to tasks

Wander, did this end up getting deployed? If not, what do you think is the best approach to getting it deployed?

No. I will deploy next week.

my hero!