diff --git a/.github/workflows/build-push-images.yaml b/.github/workflows/build-push-images.yaml index 4dbcac0a0..027e1fd06 100644 --- a/.github/workflows/build-push-images.yaml +++ b/.github/workflows/build-push-images.yaml @@ -22,18 +22,10 @@ jobs: id: filter with: filters: | - access-setup: - - '.github/workflows/build-push-images.yaml' - - 'operator/images/access-setup/**' - - 'shared/**' ci-runner: - '.github/workflows/build-push-images.yaml' - 'ci/images/ci-runner/**' - 'shared/**' - cluster-setup: - - '.github/workflows/build-push-images.yaml' - - 'operator/images/cluster-setup/**' - - 'shared/**' dependencies-update: - '.github/workflows/build-push-images.yaml' - 'developer/images/dependencies/**' 
@@ -57,42 +49,6 @@ jobs: - '.github/workflows/build-push-images.yaml' - 'ci/images/vulnerability-scan/**' - # Build and push access-setup image, tagged with latest and the commit SHA. - - name: Build access-setup Image - id: build-image-access-setup - if: steps.filter.outputs.access-setup == 'true' - uses: redhat-actions/buildah-build@v2 - with: - image: access-setup - context: . - tags: latest ${{ steps.vars.outputs.sha_short }} ${{ github.ref_name }} - containerfiles: | - ./operator/images/access-setup/Dockerfile - - name: Push to quay.io - id: push-to-quay-access-setup - if: steps.filter.outputs.access-setup == 'true' - uses: redhat-actions/push-to-registry@v2 - with: - image: ${{ steps.build-image-access-setup.outputs.image }} - tags: ${{ steps.build-image-access-setup.outputs.tags }} ${{ github.ref_name }} - registry: quay.io/redhat-pipeline-service - username: ${{ secrets.QUAY_USERNAME }} - password: ${{ secrets.QUAY_TOKEN }} - - name: Print image url - if: steps.filter.outputs.access-setup == 'true' - run: | - echo "Image pushed to ${{ steps.push-to-quay-access-setup.outputs.registry-paths }}" - - name: Tag latest commit ID to quay.io - id: tag-commit-quay-access-setup - if: steps.filter.outputs.access-setup != 'true' - env: - image: access-setup - registry: quay.io/redhat-pipeline-service - username: ${{ secrets.QUAY_USERNAME }} - password: ${{ secrets.QUAY_TOKEN }} - run: | - ./ci/images/quay-upload/image-upload.sh --debug - # Build and push ci-runner image, tagged with latest and the commit SHA. - name: Build ci-runner Image id: build-image-ci-runner 
@@ -129,42 +85,6 @@ jobs: run: | ./ci/images/quay-upload/image-upload.sh --debug - # Build and push cluster-setup image, tagged with latest and the commit SHA. - - name: Build cluster-setup Image - id: build-image-cluster-image - if: steps.filter.outputs.cluster-setup == 'true' - uses: redhat-actions/buildah-build@v2 - with: - image: cluster-setup - context: . - tags: latest ${{ steps.vars.outputs.sha_short }} ${{ github.ref_name }} - containerfiles: | - ./operator/images/cluster-setup/Dockerfile - - name: Push to quay.io - id: push-to-quay-cluster-setup - if: steps.filter.outputs.cluster-setup == 'true' - uses: redhat-actions/push-to-registry@v2 - with: - image: ${{ steps.build-image-cluster-image.outputs.image }} - tags: ${{ steps.build-image-cluster-image.outputs.tags }} ${{ github.ref_name }} - registry: quay.io/redhat-pipeline-service - username: ${{ secrets.QUAY_USERNAME }} - password: ${{ secrets.QUAY_TOKEN }} - - name: Print image url - if: steps.filter.outputs.cluster-setup == 'true' - run: | - echo "Image pushed to ${{ steps.push-to-quay-cluster-setup.outputs.registry-paths }}" - - name: Tag latest commit ID to quay.io - id: tag-commit-quay-cluster-setup - if: steps.filter.outputs.cluster-setup != 'true' - env: - image: cluster-setup - registry: quay.io/redhat-pipeline-service - username: ${{ secrets.QUAY_USERNAME }} - password: ${{ secrets.QUAY_TOKEN }} - run: | - ./ci/images/quay-upload/image-upload.sh --debug - # Build and push quay-upload image, tagged with latest and the commit SHA. - name: Build quay-upload Image id: build-image-quay-upload diff --git a/.github/workflows/individual-image-scanner-quay.yaml b/.github/workflows/individual-image-scanner-quay.yaml index 3ef0299d5..3d3c99898 100644 --- a/.github/workflows/individual-image-scanner-quay.yaml +++ b/.github/workflows/individual-image-scanner-quay.yaml 
@@ -22,9 +22,7 @@ jobs: runs-on: ubuntu-latest if: ${{ github.event.workflow_run.conclusion == 'success' }} outputs: - access-setup-output: ${{ steps.access-setup-scan.outputs.VULNERABILITIES_EXIST }} ci-runner-output: ${{ steps.ci-runner-scan.outputs.VULNERABILITIES_EXIST }} - cluster-setup-output: ${{ steps.cluster-setup-scan.outputs.VULNERABILITIES_EXIST }} dependencies-update-output: ${{ steps.dependencies-update-scan.outputs.VULNERABILITIES_EXIST }} e2e-test-runner-output: ${{ steps.e2e-test-runner-scan.outputs.VULNERABILITIES_EXIST }} devenv-output: ${{ steps.devenv-scan.outputs.VULNERABILITIES_EXIST }} @@ -38,15 +36,9 @@ jobs: id: filter with: filters: | - access-setup: - - 'operator/images/access-setup/**' - - 'shared/**' ci-runner: - 'ci/images/ci-runner/**' - 'shared/**' - cluster-setup: - - 'operator/images/cluster-setup/**' - - 'shared/**' dependencies-update: - '.github/workflows/build-push-images.yaml' - 'developer/images/dependencies/**' @@ -65,16 +57,6 @@ jobs: vulnerability: - 'ci/images/vulnerability-scan/**' - - name: access-setup scan - continue-on-error: true - id: access-setup-scan - if: steps.filter.outputs.access-setup == 'true' - run: | - ./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log - echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT - env: - IMAGE_NAME: access-setup - - name: ci-runner scan continue-on-error: true id: ci-runner-scan @@ -85,16 +67,6 @@ jobs: env: IMAGE_NAME: ci-runner - - name: cluster-setup scan - continue-on-error: true - id: cluster-setup-scan - if: steps.filter.outputs.cluster-setup == 'true' - run: | - ./ci/images/vulnerability-scan/scan-image.sh | tee /tmp/clair-scan.log - echo "VULNERABILITIES_EXIST=$(tail -1 /tmp/clair-scan.log)" >> $GITHUB_OUTPUT - env: - IMAGE_NAME: cluster-setup - - name: dependencies-update scan continue-on-error: true id: dependencies-update-scan 
@@ -160,18 +132,6 @@ jobs: needs: scans if: always() steps: - - name: Check access-setup results - id: check-access-setup-results - if: always() - run: | - res=${{ needs.scans.outputs.access-setup-output }} - res=${res:=0} - if [[ $res != 0 ]]; then - echo "Vulnerabilities found with access-setup image. Please check scans job for more details." - exit 1 - else - echo "No vulnerabilities found" - fi - name: Check ci-runner results id: check-ci-runner-results @@ -186,19 +146,6 @@ jobs: echo "No vulnerabilities found" fi - - name: Check cluster-setup results - id: check-cluster-setup-results - if: always() - run: | - res=${{ needs.scans.outputs.cluster-setup-output }} - res=${res:=0} - if [[ $res != 0 ]]; then - echo "Vulnerabilities found with cluster-setup image. Please check scans job for more details." - exit 1 - else - echo "No vulnerabilities found" - fi - - name: Check dependencies-update results id: check-dependencies-update-results if: always() diff --git a/.github/workflows/periodic-scanner-quay.yaml b/.github/workflows/periodic-scanner-quay.yaml index 44a8db7dd..1185d9b26 100644 --- a/.github/workflows/periodic-scanner-quay.yaml +++ b/.github/workflows/periodic-scanner-quay.yaml @@ -23,9 +23,7 @@ jobs: env: AUTH_BEARER_TOKEN: ${{ secrets.AUTH_BEARER_TOKEN }} images: ( - "access-setup" "ci-runner" - "cluster-setup" "dependencies-update" "devenv" "e2e-test-runner" diff --git a/DEPENDENCIES.md b/DEPENDENCIES.md index 4003746ba..39990948d 100644 --- a/DEPENDENCIES.md +++ b/DEPENDENCIES.md @@ -23,7 +23,7 @@ | **Component** | **Version** | **Purpose** | **Comments** | |------------------------------|-----------------------------------------|-------------|--------------| | OpenShift Pipelines Operator | openshift-pipelines-operator-rh.v1.12.0 | | | -| OpenShift GitOps Operator | openshift-gitops-operator.v1.5.6 | | | +| OpenShift GitOps Operator | openshift-gitops-operator.v1.5.10 | | | ### **Tools** 
diff --git a/ci/images/ci-runner/hack/sidecar/bin/plnsvc_setup.sh b/ci/images/ci-runner/hack/sidecar/bin/plnsvc_setup.sh index fb5211ce8..2813462d2 100755 --- a/ci/images/ci-runner/hack/sidecar/bin/plnsvc_setup.sh +++ b/ci/images/ci-runner/hack/sidecar/bin/plnsvc_setup.sh @@ -13,7 +13,7 @@ git config --global --add safe.directory "$PWD" # Checkout the branch we want to setup git fetch origin "$REPO_REVISION" -git checkout "$REPO_REVISION" +git checkout --force "$REPO_REVISION" OPENSHIFT_DIR=$(find "$PWD" -type f -name dev_setup.sh -exec dirname {} +) CONFIG="$OPENSHIFT_DIR/../config.yaml" diff --git a/developer/config.yaml b/developer/config.yaml index 22d17fd58..89b60ab12 100644 --- a/developer/config.yaml +++ b/developer/config.yaml @@ -14,7 +14,7 @@ git_ref: main # Applications to be deployed on the cluster apps: - openshift-gitops # openshift-gitops is a pre-requisite for Pipeline Service - - pipeline_service # pipeline_service sets up Pipeline Service on the cluster. + - pipeline-service # pipeline-service sets up Pipeline Service on the cluster. # Tekton results database credentials tekton_results_db: diff --git a/developer/openshift/apps/openshift-gitops.sh b/developer/openshift/apps/openshift-gitops.sh new file mode 100755 index 000000000..ea86a73cd --- /dev/null +++ b/developer/openshift/apps/openshift-gitops.sh 
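Review bot: `git checkout --force "$REPO_REVISION"` silently discards any uncommitted changes in the sidecar's working tree, and nothing at the call site records why that is acceptable here. A one-line comment above it would keep the next reader from removing the flag, e.g. `# --force: discard local modifications left in the checkout so the requested revision always wins`. Whether such modifications are expected (a reused workspace, generated files) is not visible in this hunk; if they are not, the flag hides the cause rather than fixing it.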
@@ -0,0 +1,65 @@ +#!/usr/bin/env bash +set -o errexit +set -o nounset +set -o pipefail + +install() { + app="openshift-gitops" + local ns="$app" + + ############################################################################# + # Install the gitops operator + ############################################################################# + echo -n "- OpenShift-GitOps: " + kubectl apply -k "$DEV_DIR/operators/$app" >/dev/null + echo "OK" + + # Subscription information for potential debug + mkdir -p "$WORK_DIR/logs/$app" + kubectl get subscriptions $app-operator -n openshift-operators -o yaml >"$WORK_DIR/logs/$app/subscription.yaml" + + ############################################################################# + # Wait for the URL to be available + ############################################################################# + echo -n "- Argo CD dashboard: " + test_cmd="kubectl get route/openshift-gitops-server --ignore-not-found -n $ns -o jsonpath={.spec.host}" + argocd_hostname="$(${test_cmd})" + until curl --fail --insecure --output /dev/null --silent "https://$argocd_hostname"; do + echo -n "." + sleep 2 + argocd_hostname="$(${test_cmd})" + done + echo "OK" + echo "- Argo CD URL: https://$argocd_hostname" + + ############################################################################# + # Post install + ############################################################################# + # Log into Argo CD + echo -n "- Argo CD Login: " + local argocd_password + argocd_password="$(kubectl get secret openshift-gitops-cluster -n $ns -o jsonpath="{.data.admin\.password}" | base64 --decode)" + argocd login "$argocd_hostname" --grpc-web --insecure --username admin --password "$argocd_password" >/dev/null + echo "OK" + + # Register the host cluster as pipeline-cluster + local cluster_name="plnsvc" + if ! 
argocd cluster get "$cluster_name" >/dev/null 2>&1; then + echo "- Register host cluster to ArgoCD as '$cluster_name': " + argocd cluster add "$(yq e ".current-context" <"$KUBECONFIG")" --name="$cluster_name" --upsert --yes >/dev/null + echo " OK" + else + echo "- Register host cluster to ArgoCD as '$cluster_name': OK" + fi +} + +main() { + if [ -n "${DEBUG:-}" ]; then + set -x + fi + install +} + +if [ "${BASH_SOURCE[0]}" == "$0" ]; then + main "$@" +fi diff --git a/developer/openshift/apps/pipeline-service.sh b/developer/openshift/apps/pipeline-service.sh new file mode 100755 index 000000000..c800c13e5 --- /dev/null +++ b/developer/openshift/apps/pipeline-service.sh 
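Review bot: `argocd login ... --password "$argocd_password"` runs under `set -x` whenever `DEBUG` is set (main() enables tracing), so the Argo CD admin password is echoed into the trace output, and this same commit deletes the `setx_off`/`setx_on` helpers that previously guarded such calls. Run the login in a subshell with tracing off: `(set +x; argocd login "$argocd_hostname" --grpc-web --insecure --username admin --password "$argocd_password" >/dev/null)`. Separately, the `until curl ...` loop waiting for the route has no attempt limit, so a route that never appears hangs the setup without any message; a bounded retry count with an explicit error would be clearer. `app="openshift-gitops"` is also assigned without `local`, unlike `ns` on the next line.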
@@ -0,0 +1,119 @@ +#!/usr/bin/env bash +set -o errexit +set -o nounset +set -o pipefail + +# shellcheck source=developer/openshift/utils.sh +source "$DEV_DIR/utils.sh" + +setup_work_dir() { + manifests_dir="$WORK_DIR/environment/compute/" + + echo "- Setup working directory:" + mkdir -p "$manifests_dir" + rsync --archive --delete "$DEV_DIR/gitops/local/" "$manifests_dir" + + configure_argocd_apps | indent + setup_tekton_results | indent +} + +configure_argocd_apps(){ + echo -n "- Updating source repository to '${GIT_URL}/tree/$GIT_REF': " + # Patch the url/branch to target the expected repository/branch + yq --inplace ".resources[1] = \"$GIT_URL/developer/openshift/gitops/argocd?ref=$GIT_REF\"" "$manifests_dir/kustomization.yaml" + yq ".patches[] | .path" "$manifests_dir/kustomization.yaml" | while read -r patch; do + yq --inplace ".spec.source.repoURL = \"$GIT_URL\", .spec.source.targetRevision = \"$GIT_REF\"" "$manifests_dir/$patch" + done + echo "OK" +} + +setup_tekton_results() { + echo -n "- Tekton Results: " + get_tekton_results_credentials + patch_tekton_results_manifests + echo "OK" +} + +get_tekton_results_credentials() { + tekton_results_credentials="$WORK_DIR/credentials/tekton-results/credentials.yaml" + mkdir -p "$(dirname "$tekton_results_credentials")" + if [ ! 
-e "$tekton_results_credentials" ]; then + TEKTON_RESULTS_DATABASE_USER="$(yq '.tekton_results_db.user // "tekton"' "$CONFIG")" + TEKTON_RESULTS_DATABASE_PASSWORD="$(yq ".tekton_results_db.password // \"$(openssl rand -base64 20)\"" "$CONFIG")" + TEKTON_RESULTS_S3_USER="$(yq '.tekton_results_s3.user // "minio"' "$CONFIG")" + TEKTON_RESULTS_S3_PASSWORD="$(yq ".tekton_results_s3.password // \"$(openssl rand -base64 20)\"" "$CONFIG")" + cat << EOF > "$tekton_results_credentials" +--- +db_password: $TEKTON_RESULTS_DATABASE_PASSWORD +db_user: $TEKTON_RESULTS_DATABASE_USER +s3_password: $TEKTON_RESULTS_S3_PASSWORD +s3_user: $TEKTON_RESULTS_S3_USER +EOF + fi + TEKTON_RESULTS_DATABASE_USER="$(yq ".db_user" "$tekton_results_credentials")" + TEKTON_RESULTS_DATABASE_PASSWORD="$(yq ".db_password" "$tekton_results_credentials")" + TEKTON_RESULTS_S3_USER="$(yq ".s3_user" "$tekton_results_credentials")" + TEKTON_RESULTS_S3_PASSWORD="$(yq ".s3_password" "$tekton_results_credentials")" +} + +patch_tekton_results_manifests(){ + yq --inplace " + .data.[\"db.password\"]=\"$(echo -n "$TEKTON_RESULTS_DATABASE_PASSWORD" | base64)\", + .data.[\"db.user\"]=\"$(echo -n "$TEKTON_RESULTS_DATABASE_USER" | base64)\" + " "$WORK_DIR/environment/compute/tekton-results/tekton-results-db-secret.yaml" + yq --inplace " + .data.aws_access_key_id=\"$(echo -n "$TEKTON_RESULTS_S3_USER" | base64)\", + .data.aws_secret_access_key=\"$(echo -n "$TEKTON_RESULTS_S3_PASSWORD" | base64)\" + " "$WORK_DIR/environment/compute/tekton-results/tekton-results-s3-secret.yaml" + string_data="$(cat </dev/null - echo "OK" - - # Subscription information for potential debug - mkdir -p "$WORK_DIR/logs/$APP" - kubectl get subscriptions $APP-operator -n openshift-operators -o yaml >"$WORK_DIR/logs/$APP/subscription.yaml" - - ############################################################################# - # Wait for the URL to be available - ############################################################################# - echo -n "- 
Argo CD dashboard: " - test_cmd="kubectl get route/openshift-gitops-server --ignore-not-found -n $ns -o jsonpath={.spec.host}" - ARGOCD_HOSTNAME="$(${test_cmd})" - until curl --fail --insecure --output /dev/null --silent "https://$ARGOCD_HOSTNAME"; do - echo -n "." - sleep 2 - ARGOCD_HOSTNAME="$(${test_cmd})" - done - echo "OK" - echo "- Argo CD URL: https://$ARGOCD_HOSTNAME" - - ############################################################################# - # Post install - ############################################################################# - # Log into Argo CD - echo -n "- Argo CD Login: " - local argocd_password - argocd_password="$(kubectl get secret openshift-gitops-cluster -n $ns -o jsonpath="{.data.admin\.password}" | base64 --decode)" - argocd login "$ARGOCD_HOSTNAME" --grpc-web --insecure --username admin --password "$argocd_password" >/dev/null - echo "OK" - - # Register the host cluster as pipeline-cluster - local cluster_name="plnsvc" - if ! argocd cluster get "$cluster_name" >/dev/null 2>&1; then - echo "- Register host cluster to ArgoCD as '$cluster_name': " - argocd cluster add "$(yq e ".current-context" <"$KUBECONFIG")" --name="$cluster_name" --upsert --yes >/dev/null - echo " OK" - else - echo "- Register host cluster to ArgoCD as '$cluster_name': OK" - fi -} - -setup_compute_access() { - kustomization_dir="$GIT_URL/operator/gitops/compute/pipeline-service-manager?ref=$GIT_REF" - "$PROJECT_DIR/operator/images/access-setup/content/bin/setup_compute.sh" \ - ${DEBUG:+"$DEBUG"} \ - --kubeconfig "$KUBECONFIG" \ - --work-dir "$WORK_DIR" \ - --kustomization "$kustomization_dir" | - indent 2 -} - -install_pipeline_service() { - - echo "- Source: ${GIT_URL//.git/}/tree/$GIT_REF" - - ############################################################################# - # Setup working directory - ############################################################################# - - TEKTON_RESULTS_DATABASE_USER="$(yq '.tekton_results_db.user' "$CONFIG")" - 
TEKTON_RESULTS_DATABASE_PASSWORD="$(yq '.tekton_results_db.password' "$CONFIG")" - export TEKTON_RESULTS_DATABASE_USER - export TEKTON_RESULTS_DATABASE_PASSWORD - TEKTON_RESULTS_S3_USER="$(yq '.tekton_results_s3.user // "minio"' "$CONFIG")" - TEKTON_RESULTS_S3_PASSWORD="$(yq ".tekton_results_s3.password // \"$(openssl rand -base64 20)\"" "$CONFIG")" - export TEKTON_RESULTS_S3_USER - export TEKTON_RESULTS_S3_PASSWORD - - echo "- Setup working directory:" - "$PROJECT_DIR/operator/images/access-setup/content/bin/setup_work_dir.sh" \ - ${DEBUG:+"$DEBUG"} \ - --work-dir "$WORK_DIR" \ - --kustomization "$GIT_URL/developer/openshift/gitops/argocd?ref=$GIT_REF" | - indent 2 - - # Patch the url/branch to target the expected repository/branch - manifest_dir="$(find "$WORK_DIR/environment/compute" -mindepth 1 -maxdepth 1 -type d)" - for app in "pipeline-service" "pipeline-service-storage" "pipeline-service-o11y"; do - cat << EOF >"$manifest_dir/patch-$app.yaml" ---- -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: $app - namespace: openshift-gitops -spec: - source: - repoURL: $GIT_URL - targetRevision: $GIT_REF -EOF - yq -i ".patches += [{\"path\": \"patch-$app.yaml\"}]" "$manifest_dir/kustomization.yaml" - done - - ############################################################################# - # Deploy Applications - ############################################################################# - - echo "- Deploy applications:" - "$PROJECT_DIR/operator/images/cluster-setup/content/bin/install.sh" \ - ${DEBUG:+"$DEBUG"} \ - --workspace-dir "$WORK_DIR" | indent 2 + echo "- Enabling HTTP2 for ingress:" + oc annotate ingresses.config/cluster \ + ingress.operator.openshift.io/default-enable-http2=true \ + --overwrite=true \ + | indent 2 } main() { 
@@ -280,12 +174,10 @@ main() { init check_cluster_role cluster_setup - echo "[compute-access]" - setup_compute_access echo - for APP in "${APP_LIST[@]}"; do - echo "[$APP]" - install_"$(echo "$APP" | tr '-' '_')" | indent 2 + yq eval '.apps | .[] // []' "$CONFIG" | while read -r app; do + echo "[$app]" + "$PROJECT_DIR/developer/openshift/apps/$app.sh" echo done } diff --git a/developer/openshift/gitops/local/kustomization.yaml b/developer/openshift/gitops/local/kustomization.yaml new file mode 100644 index 000000000..7ea4295de --- /dev/null +++ b/developer/openshift/gitops/local/kustomization.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - tekton-results + - https://github.com/owner/repository.git/path/gitops/argocd?ref=branch +patches: + - path: patch-pipeline-service.yaml + - path: patch-pipeline-service-storage.yaml + - path: patch-pipeline-service-o11y.yaml diff --git a/developer/openshift/gitops/local/patch-pipeline-service-o11y.yaml b/developer/openshift/gitops/local/patch-pipeline-service-o11y.yaml new file mode 100644 index 000000000..af9d2e047 --- /dev/null +++ b/developer/openshift/gitops/local/patch-pipeline-service-o11y.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: pipeline-service-o11y + namespace: openshift-gitops +spec: + source: + repoURL: https://github.com/Roming22/pipeline-service.git + targetRevision: main diff --git a/developer/openshift/gitops/local/patch-pipeline-service-storage.yaml b/developer/openshift/gitops/local/patch-pipeline-service-storage.yaml new file mode 100644 index 000000000..354d0c7fb --- /dev/null +++ b/developer/openshift/gitops/local/patch-pipeline-service-storage.yaml 
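Review bot: in the new loop in main(), `$app` comes straight from config.yaml and is spliced into an executable path, so a typo produces a bare `No such file or directory` from bash and a value containing `/` runs a script outside the apps directory. Resolve and check the path before calling it: `script="$PROJECT_DIR/developer/openshift/apps/${app##*/}.sh"` then `[ -x "$script" ] || { echo "Unknown app '$app' in $CONFIG" >&2; exit 1; }`, and invoke `"$script"`. The yq expression `.apps | .[] // []` appears to apply the `//` fallback per element rather than to a missing list, so an absent `apps` key probably does not yield the intended empty iteration; `(.apps // []) | .[]` would, if that is the intent. The removed loop piped each app's output through `indent 2` and the new call does not, so per-app output loses its indentation. main() starts before this hunk.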
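Review bot: the second `resources` entry is a placeholder URL (`https://github.com/owner/repository.git/path/gitops/argocd?ref=branch`) that pipeline-service.sh overwrites by index (`.resources[1] = ...`), and nothing in the file says so; reordering the list would silently point that rewrite at `tekton-results` instead. Add a comment above the entry, e.g. `# placeholder: rewritten by developer/openshift/apps/pipeline-service.sh as resources[1]; keep it in second position`.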
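Review bot: `repoURL: https://github.com/Roming22/pipeline-service.git` commits a personal fork as the default source of the Argo CD Application; the same value appears in patch-pipeline-service-storage.yaml and patch-pipeline-service.yaml. pipeline-service.sh rewrites `repoURL`/`targetRevision` from `GIT_URL`/`GIT_REF`, but if that step is skipped or fails the cluster would sync manifests from the fork rather than from the intended repository. Use the same neutral placeholder convention as kustomization.yaml (`repoURL: https://github.com/owner/repository.git` plus a `# rewritten by developer/openshift/apps/pipeline-service.sh` comment) so the committed default is obviously not a real source.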
@@ -0,0 +1,10 @@ +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: pipeline-service-storage + namespace: openshift-gitops +spec: + source: + repoURL: https://github.com/Roming22/pipeline-service.git + targetRevision: main diff --git a/developer/openshift/gitops/local/patch-pipeline-service.yaml b/developer/openshift/gitops/local/patch-pipeline-service.yaml new file mode 100644 index 000000000..d7e1ab300 --- /dev/null +++ b/developer/openshift/gitops/local/patch-pipeline-service.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: pipeline-service + namespace: openshift-gitops +spec: + source: + repoURL: https://github.com/Roming22/pipeline-service.git + targetRevision: main diff --git a/developer/openshift/gitops/local/tekton-results/kustomization.yaml b/developer/openshift/gitops/local/tekton-results/kustomization.yaml new file mode 100644 index 000000000..635a4badb --- /dev/null +++ b/developer/openshift/gitops/local/tekton-results/kustomization.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - namespace.yaml + - tekton-results-db-secret.yaml + - tekton-results-s3-secret.yaml + - tekton-results-minio-config.yaml diff --git a/developer/openshift/gitops/local/tekton-results/namespace.yaml b/developer/openshift/gitops/local/tekton-results/namespace.yaml new file mode 100644 index 000000000..ca77c1f12 --- /dev/null +++ b/developer/openshift/gitops/local/tekton-results/namespace.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: tekton-results diff --git a/developer/openshift/gitops/local/tekton-results/tekton-results-db-secret.yaml b/developer/openshift/gitops/local/tekton-results/tekton-results-db-secret.yaml new file mode 100644 index 000000000..be106b399 --- /dev/null +++ b/developer/openshift/gitops/local/tekton-results/tekton-results-db-secret.yaml 
@@ -0,0 +1,13 @@ +--- +apiVersion: v1 +data: + # Host: postgres-postgresql.tekton-results.svc.cluster.local + db.host: cG9zdGdyZXMtcG9zdGdyZXNxbC50ZWt0b24tcmVzdWx0cy5zdmMuY2x1c3Rlci5sb2NhbA== + # Name: tekton_results + db.name: dGVrdG9uX3Jlc3VsdHM= + db.password: + db.user: +kind: Secret +metadata: + name: tekton-results-database + namespace: tekton-results diff --git a/developer/openshift/gitops/local/tekton-results/tekton-results-minio-config.yaml b/developer/openshift/gitops/local/tekton-results/tekton-results-minio-config.yaml new file mode 100644 index 000000000..12458f112 --- /dev/null +++ b/developer/openshift/gitops/local/tekton-results/tekton-results-minio-config.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: v1 +kind: Secret +data: + config.env: +metadata: + name: minio-storage-configuration + namespace: tekton-results +type: Opaque diff --git a/developer/openshift/gitops/local/tekton-results/tekton-results-s3-secret.yaml b/developer/openshift/gitops/local/tekton-results/tekton-results-s3-secret.yaml new file mode 100644 index 000000000..af287a19d --- /dev/null +++ b/developer/openshift/gitops/local/tekton-results/tekton-results-s3-secret.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: v1 +data: + aws_access_key_id: + # Region: not-applicable + aws_region: bm90LWFwcGxpY2FibGU= + aws_secret_access_key: + # Bucket: bucket=tekton-results + bucket: dGVrdG9uLXJlc3VsdHM= + # Endpoint: https://minio.tekton-results.svc.cluster.local + endpoint: aHR0cHM6Ly9taW5pby50ZWt0b24tcmVzdWx0cy5zdmMuY2x1c3Rlci5sb2NhbA== +kind: Secret +metadata: + name: tekton-results-s3 + namespace: tekton-results diff --git a/operator/images/cluster-setup/content/bin/utils.sh b/developer/openshift/utils.sh similarity index 68% rename from operator/images/cluster-setup/content/bin/utils.sh rename to developer/openshift/utils.sh index 2e8d73b30..7e930bf36 100644 --- a/operator/images/cluster-setup/content/bin/utils.sh +++ b/developer/openshift/utils.sh 
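Review bot: `db.password:` and `db.user:` are bare empty values, which YAML parses as null rather than an empty string, and nothing in the file marks them as placeholders that pipeline-service.sh fills in via yq; the same applies to `aws_access_key_id`/`aws_secret_access_key` in tekton-results-s3-secret.yaml and `config.env` in tekton-results-minio-config.yaml. Applying an unpatched copy would likely be rejected or produce a Secret with missing keys, with no hint as to why. Add a comment on each, e.g. `# filled in by developer/openshift/apps/pipeline-service.sh; never commit a real value`, and consider `""` as the explicit empty value so the key is unambiguous when the file round-trips through yq.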
@@ -117,7 +117,7 @@ check_crashlooping_pods() { local ns="$1" local crashlooping_pods - printf -- "- Checking for crashlooping pods in namespace %s: " "$ns" + printf -- "- Check for crashlooping pods in namespace %s: " "$ns" crashlooping_pods=$(kubectl get pods -n "$ns" --field-selector=status.phase!=Running -o jsonpath='{range .items[?(@.status.containerStatuses[*].state.waiting.reason=="CrashLoopBackOff")]}{.metadata.name}{","}{end}' 2>/dev/null) # Check if the any crashlooping pods found 
@@ -165,83 +165,7 @@ check_statefulsets() { done } -fetch_bitwarden_secrets() { - CREDENTIALS_DIR="$WORKSPACE_DIR/credentials" - BITWARDEN_CRED="$CREDENTIALS_DIR/secrets/bitwarden.yaml" - - setx_off - BW_CLIENTID="${BW_CLIENTID:-}" - BW_CLIENTSECRET="${BW_CLIENTSECRET:-}" - BW_PASSWORD="${BW_PASSWORD:-}" - setx_on - - if [ ! -e "$BITWARDEN_CRED" ]; then - echo "- No Bitwarden secrets" - return - fi - - printf "[Bitwarden]:\n" - printf "bitwarden config file found at '%s'.\n" "$BITWARDEN_CRED" | indent 2 - setx_off - if [ -z "$BW_CLIENTID" ]; then - printf "Error: BW_CLIENTID is unset.\n" >&2 | indent 2 - exit 1 - fi - if [ -z "$BW_PASSWORD" ]; then - printf "Error: BW_PASSWORD is unset.\n" >&2 | indent 2 - exit 1 - fi - setx_on - - printf "bitwarden credentials: OK\n" | indent 2 - if [ "$(bw logout >/dev/null 2>&1)$?" -eq 0 ]; then - printf "Logout successful.\n" >/dev/null - fi - if (setx_off; BW_CLIENTID="$BW_CLIENTID" BW_CLIENTSECRET="$BW_CLIENTSECRET" bw login --apikey >/dev/null 2>&1); then - printf "Login successful.\n" >/dev/null - fi - - login_status=$(bw login --check 2>&1) - if [ "$login_status" = "You are not logged in." ]; then - printf "Error while logging into Bitwarden.\n" >&2 | indent 2 - return - fi - - setx_off - session=$(BW_PASSWORD="$BW_PASSWORD" bw unlock --passwordenv BW_PASSWORD --raw) - setx_on - - # process id/path pairs from bitwarden.yaml - secret_count=$(yq '.credentials | length' "$BITWARDEN_CRED") - for i in $(seq 0 "$((secret_count-1))"); do - id="$(yq ".credentials[$i].id" "$BITWARDEN_CRED")" - cred_path="$WORKSPACE_DIR/$(yq ".credentials[$i].path" "$BITWARDEN_CRED")" - - if ! mkdir -p "$(dirname "$cred_path")"; then - printf "Unable to create '%s'.\n" "$(dirname "$cred_path")" >&2 | indent 2 - exit 1 - fi - if ! (setx_off; bw get password "$id" --session "$session" | base64 -d > "$cred_path" ); then - printf "Unable to copy the contents of '%s' to '%s'. 
Exiting.\n" "$id" "$cred_path" >&2 | indent 2 - exit 1 - fi - printf "Extracted secret with the ID '%s' to '%s'.\n" "$id" "$cred_path" | indent 2 - done - printf "Extraction completed.\n" | indent 2 -} - indent () { - sed "s/^/$(printf "%$1s")/" -} - -# turns off tracing even with set -x mode enabled across the script to prevent secrets leaking -setx_off() { - set +x -} - -# turns on tracing -setx_on() { - if [ -n "$DEBUG" ]; then - set -x - fi + offset="${1:-2}" + sed "s/^/$(printf "%${offset}s")/" } diff --git a/operator/images/access-setup/Dockerfile b/operator/images/access-setup/Dockerfile deleted file mode 100644 index 662df748e..000000000 --- a/operator/images/access-setup/Dockerfile +++ /dev/null @@ -1,26 +0,0 @@ -#@FROM registry.access.redhat.com/ubi9/ubi-minimal -FROM registry.access.redhat.com/ubi9/ubi-minimal@sha256:0dfa71a7ec2caf445e7ac6b7422ae67f3518960bd6dbf62a7b77fa7a6cfc02b1 -WORKDIR / -RUN mkdir /workspace && chmod 777 /workspace && chown 65532:65532 /workspace -ENV HOME /tmp/home -RUN mkdir $HOME && chmod 777 $HOME && chown 65532:65532 $HOME - -RUN microdnf install -y \ - gzip-1.12 \ - tar-1.34 \ - && microdnf clean all - -COPY shared /tmp/image-build/shared -WORKDIR /tmp/image-build/shared/hack -RUN set -x \ - && ./install.sh --bin jq,kubectl \ - && rm -rf /tmp/image-build - -COPY operator/images/access-setup/content /opt/access-setup -RUN chmod 755 /opt/access-setup/bin/*.sh -ENV PATH="/opt/access-setup/bin:${PATH}" -USER 65532:65532 -ENV WORK_DIR /workspace -VOLUME /workspace -WORKDIR /workspace -CMD ["/opt/access-setup/bin/setup_compute.sh"] diff --git a/operator/images/access-setup/README.md b/operator/images/access-setup/README.md deleted file mode 100644 index dbb291afe..000000000 --- a/operator/images/access-setup/README.md +++ /dev/null 
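Review bot: in the rewritten `indent`, `offset="${1:-2}"` is assigned without `local`, so every call leaves a global `offset` behind in the sourcing script; `local offset="${1:-2}"` keeps it scoped like the other helpers in this file (`check_crashlooping_pods` declares `local ns`). This hunk also drops `setx_off`/`setx_on`, which existed to keep secrets out of `set -x` traces, while the scripts that now source this file still handle passwords (the new apps/*.sh scripts); each of those call sites needs its own `set +x` guard, or the helpers should be kept. check_statefulsets, whose closing lines open the hunk, starts before it.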
@@ -1,36 +0,0 @@ -# Access Setup - -## Goals -Given a new compute cluster, deploy the minimum -amount of resources required to operate that cluster from a git repository -implementing a CD process (c.f. operator/gitops/sre). The CD process will then be -responsible for installing/registering all the required resources. - -This action needs to be performed only once in the lifetime of the resource -being initialized. If the resource creation is automated, the initialization -can be done using the `quay.io/redhat-pipeline-service/access-setup:main` image instead of -checking out the repository and running the script. - -## Definitions - -* Pipeline Service SRE team: The team responsible for deploying and managing - Pipeline Service and the life cycle of its components on one or more compute instances. - -## Compute -`setup_compute.sh` needs to be run once by the Pipeline Service SRE team for -each compute cluster operated by the Pipeline Service SRE team. - -The script will: -1. Create a `pipeline-service-manager` serviceaccount in the `pipeline-service` namespace. -2. Generate the kubeconfig for the serviceaccount. -3. Create a default `kustomization.yaml` for the cluster under `environment/compute -environment/compute`. -4. Create shared secrets for tekton-chains and tekton-results - -Example: `./setup_compute.sh --kubeconfig /home/.kube/mycluster.kubeconfig --work-dir /path/to/sre/repository` - -A pull request needs to be submitted on the SRE gitops repository to add: -* the generated kubeconfig to the `credentials/kubeconfig/compute` folder; -* the generated folder holding the `kustomization.yaml` to the `environment/compute` folder. -Merging the pull request will enable the automation of the deployment of the -Pipeline Service on the cluster. diff --git a/operator/images/access-setup/content/bin/common.sh b/operator/images/access-setup/content/bin/common.sh deleted file mode 100644 index a78eb98ea..000000000 
--- a/operator/images/access-setup/content/bin/common.sh +++ /dev/null 
@@ -1,68 +0,0 @@ -#!/usr/bin/env bash - -# Copyright 2022 The Pipeline Service Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -exit_error() { - printf "[ERROR] %s\n" "$@" >&2 - usage - exit 1 -} - -get_context() { - # Helper function to generate a kubeconfig file for a service account - local sa_context="$1" - local namespace="$2" - local sa="$3" - local target="$4" - local current_context - - mkdir -p "$(dirname "$target")" - cp "$KUBECONFIG" "$target" - - current_context="$(KUBECONFIG="$target" kubectl config current-context)" - - if ! 
command -v jq &>/dev/null 2>&1; then - printf "[ERROR] Install jq\n" >&2 - exit 1 - fi - - for _ in {1..5} - do - mapfile -t sa_tokens < <(KUBECONFIG="$target" kubectl -n "$namespace" get secrets -o json| - jq -r --arg SA "$sa" '.items[] | select(.type=="kubernetes.io/service-account-token" and .metadata.annotations["kubernetes.io/service-account.name"]==$SA)| .metadata.name') - if [ ${#sa_tokens[@]} -ne 0 ]; then - break - fi - sleep 5 - done - if [ ${#sa_tokens[@]} -eq 0 ]; then - printf "Failed to get service account token\n" - exit 1 - fi - sa_token_data=$(KUBECONFIG="$target" kubectl get secret "${sa_tokens[0]}" -n "$namespace" -o jsonpath="{.data.token}"|base64 -d) - - current_cluster="$(KUBECONFIG="$target" kubectl config view \ - -o jsonpath="{.contexts[?(@.name==\"$current_context\")].context.cluster}")" - - KUBECONFIG="$target" kubectl config set-credentials "$sa" --token="$sa_token_data" &>/dev/null - KUBECONFIG="$target" kubectl config set-context "$sa_context" --user="$sa" --cluster="$current_cluster" &>/dev/null - KUBECONFIG="$target" kubectl config use-context "$sa_context" &>/dev/null - KUBECONFIG="$target" kubectl config view --flatten --minify >"$target.new" - mv "$target.new" "$target" -} - -function indent () { - sed "s/^/$(printf "%$1s")/" -} diff --git a/operator/images/access-setup/content/bin/setup_compute.sh b/operator/images/access-setup/content/bin/setup_compute.sh deleted file mode 100755 index 171954222..000000000 --- a/operator/images/access-setup/content/bin/setup_compute.sh +++ /dev/null 
@@ -1,133 +0,0 @@ -#!/usr/bin/env bash - -# Copyright 2022 The Pipeline Service Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -set -o errexit -set -o nounset -set -o pipefail - -SCRIPT_DIR="$( - cd "$(dirname "$0")" >/dev/null - pwd -)" - -# shellcheck source=operator/images/access-setup/content/bin/common.sh -source "$SCRIPT_DIR/common.sh" - -usage() { - printf "Usage: - %s [options] - -Generate access credentials in order to manage cluster via gitops tools - -Mandatory arguments: - -k, --kubeconfig KUBECONFIG - kubeconfig to the compute instance to configure. - The current context will be used. - Default value: \$KUBECONFIG - -Optional arguments: - --kustomization KUSTOMIZATION - path to the directory holding the kustomization.yaml to create Pipeline Service SA. - Can be read from \$KUSTOMIZATION. - Default: %s - -w, --work-dir WORK_DIR - Directory into which the credentials folder will be created. - -d, --debug - Activate tracing/debug mode. - -h, --help - Display this message. 
-Example: - %s -d -k /path/to/compute.kubeconfig -" "${0##*/}" "$KUSTOMIZATION" "${0##*/}" >&2 -} - -parse_args() { - KUSTOMIZATION=${KUSTOMIZATION:-github.com/openshift-pipelines/pipeline-service/operator/gitops/compute/pipeline-service-manager?ref=main} - - while [[ $# -gt 0 ]]; do - case "$1" in - -k | --kubeconfig) - shift - KUBECONFIG="$1" - ;; - --kustomization) - shift - KUSTOMIZATION="$1" - ;; - -w | --work-dir) - shift - WORK_DIR="$1" - ;; - -d | --debug) - set -x - ;; - -h | --help) - usage - exit 0 - ;; - --) - # End of arguments - break - ;; - *) - exit_error "Unknown argument: $1" - ;; - esac - shift - done -} - -prechecks() { - KUBECONFIG=${KUBECONFIG:-} - if [[ -z "${KUBECONFIG}" ]]; then - exit_error "Missing parameter --kubeconfig" - fi - if [[ ! -f "$KUBECONFIG" ]]; then - echo "File not found: $KUBECONFIG" >&2 - exit 1 - fi - export KUBECONFIG -} - -init() { - WORK_DIR="${WORK_DIR:-$SCRIPT_DIR/work}" - credentials_dir="$WORK_DIR/credentials/kubeconfig" - mkdir -p "$credentials_dir" -} - -generate_compute_credentials() { - current_context=$(kubectl config current-context) - compute_name="$(yq '.contexts[] | select(.name == "'"$current_context"'") | .context.cluster' < "$KUBECONFIG" | sed 's/:.*//')" - kubeconfig="$credentials_dir/compute/$compute_name.kubeconfig" - - printf -- "- Create ServiceAccount for Pipeline Service:\n" - kubectl apply -k "$KUSTOMIZATION" | indent 4 - - printf -- "- Generate kubeconfig:\n" - get_context "pipeline-service-manager" "pipeline-service" "pipeline-service-manager" "$kubeconfig" - printf "KUBECONFIG=%s\n" "$kubeconfig" | indent 4 -} - -main() { - parse_args "$@" - prechecks - init - generate_compute_credentials -} - -if [ "${BASH_SOURCE[0]}" == "$0" ]; then - main "$@" -fi diff --git a/operator/images/access-setup/content/bin/setup_work_dir.sh b/operator/images/access-setup/content/bin/setup_work_dir.sh deleted file mode 100755 index 0f8500359..000000000 
--- a/operator/images/access-setup/content/bin/setup_work_dir.sh
+++ /dev/null
@@ -1,256 +0,0 @@ -#!/usr/bin/env bash - -# Copyright 2022 The Pipeline Service Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -set -o errexit -set -o nounset -set -o pipefail - -SCRIPT_DIR="$( - cd "$(dirname "$0")" >/dev/null - pwd -)" - -# shellcheck source=operator/images/access-setup/content/bin/common.sh -source "$SCRIPT_DIR/common.sh" - -usage() { - printf "Usage: - %s [options] - -Setup working directory for Pipeline Service - -Optional arguments: - --kustomization KUSTOMIZATION - path to the directory or manifest holding the configuration to deploy - Pipeline Service via ArgoCD. - Can be read from \$KUSTOMIZATION. - Default: %s - -w, --work-dir WORK_DIR - Directory into which the credentials folder will be created. - -d, --debug - Activate tracing/debug mode. - -h, --help - Display this message. 
-Example: - %s -d -" "${0##*/}" "$KUSTOMIZATION" "${0##*/}" >&2 -} - -parse_args() { - KUSTOMIZATION=${KUSTOMIZATION:-github.com/openshift-pipelines/pipeline-service/operator/gitops/argocd?ref=main} - - while [[ $# -gt 0 ]]; do - case "$1" in - --kustomization) - shift - KUSTOMIZATION="$1" - ;; - -w | --work-dir) - shift - WORK_DIR="$1" - ;; - -d | --debug) - set -x - ;; - -h | --help) - usage - exit 0 - ;; - --) - # End of arguments - break - ;; - *) - exit_error "Unknown argument: $1" - ;; - esac - shift - done -} - -# Checks if a binary is present on the local system -precheck_binary() { - for binary in "$@"; do - command -v "$binary" >/dev/null 2>&1 || { - echo "[ERROR] This script requires '$binary' to be installed on your local machine." >&2 - exit 1 - } - done -} - -init() { - WORK_DIR="${WORK_DIR:-./work}" - manifests_dir="$WORK_DIR/credentials/manifests" - mkdir -p "$manifests_dir" - - TEKTON_RESULTS_DATABASE_USER=${TEKTON_RESULTS_DATABASE_USER:="tekton"} - TEKTON_RESULTS_DATABASE_PASSWORD=${TEKTON_RESULTS_DATABASE_PASSWORD:=$(openssl rand -base64 20)} - - detect_container_engine -} - -detect_container_engine() { - CONTAINER_ENGINE="${CONTAINER_ENGINE:-}" - if [[ -n "${CONTAINER_ENGINE}" ]]; then - return - fi - CONTAINER_ENGINE=podman - if ! 
command -v podman >/dev/null; then - CONTAINER_ENGINE=docker - elif [[ "$OSTYPE" == "darwin"* && -z "$(podman ps)" ]]; then - # Podman machine is not started - CONTAINER_ENGINE=docker - elif [[ "$OSTYPE" == "darwin"* && -z "$(podman system connection ls --format=json)" ]]; then - CONTAINER_ENGINE=docker - fi - command -v "${CONTAINER_ENGINE}" >/dev/null -} - -generate_shared_manifests(){ - printf -- "- Generating shared manifests:\n" - printf -- " - tekton-chains manifest:\n" - tekton_chains_manifest 2>&1 | indent 4 - printf -- " - tekton-results manifest:\n" - tekton_results_manifest 2>&1 | indent 4 -} - -configure_argocd_apps(){ - printf -- "- Setting kustomize directory: " - current_context=$(kubectl config current-context) - compute_name="$(yq '.contexts[] | select(.name == "'"$current_context"'") | .context.cluster' < "$KUBECONFIG" | sed 's/:.*//')" - manifests_dir="$WORK_DIR/environment/compute/$compute_name" - mkdir -p "$manifests_dir" - echo -n "--- -resources: - - $KUSTOMIZATION -" >"$manifests_dir/kustomization.yaml" - printf "%s\n" "$manifests_dir" -} - -tekton_chains_manifest(){ - chains_kustomize="$manifests_dir/compute/tekton-chains/kustomization.yaml" - chains_namespace="$manifests_dir/compute/tekton-chains/namespace.yaml" - chains_secret="$manifests_dir/compute/tekton-chains/signing-secrets.yaml" - if [ ! 
-e "$chains_kustomize" ]; then - chains_tmp_dir="$(dirname "$chains_kustomize")/tmp" - mkdir -p "$chains_tmp_dir" - cosign_passwd="$( head -c 12 /dev/urandom | base64 )" - echo -n "$cosign_passwd" > "$chains_tmp_dir/cosign.password" - cosign_image="quay.io/redhat-appstudio/appstudio-utils:eb94f28fe2d7c182f15e659d0fdb66f87b0b3b6b" - $CONTAINER_ENGINE run \ - --rm \ - --env COSIGN_PASSWORD="$cosign_passwd" \ - --volume "$chains_tmp_dir":/workspace:z \ - --workdir /workspace \ - --entrypoint /usr/bin/cosign \ - "$cosign_image" generate-key-pair - kubectl create namespace openshift-pipelines --dry-run=client -o yaml > "$chains_namespace" - kubectl create secret generic -n openshift-pipelines signing-secrets --from-file="$chains_tmp_dir" --dry-run=client -o yaml | \ - yq '. += {"immutable" :true}' | \ - yq "sort_keys(.)" > "$chains_secret" - yq e -n '.resources += ["namespace.yaml", "signing-secrets.yaml"]' > "$chains_kustomize" - rm -rf "$chains_tmp_dir" - if [ "$(yq ".data" < "$chains_secret" | grep -cE "^cosign.key:|^cosign.password:|^cosign.pub:")" != "3" ]; then - printf "[ERROR] Invalid manifest: '%s'" "$chains_secret" >&2 - exit 1 - fi - fi - printf "OK\n" -} - -tekton_results_manifest(){ - miniosecret="$(kubectl get secrets minio-storage-configuration -o name -n tekton-results --ignore-not-found)" - if [ -z "$miniosecret" ]; then - printf "Need to create tekton results manifests for DB and S3 \n" - else - printf "Tekton results secrets already in place, returning from tekton_results_manifest \n" - # create minimal kustomization.yaml so calling function does not need to check for the secret as well - mkdir -p "$manifests_dir/compute/tekton-results" - kubectl create namespace tekton-results --dry-run=client -o yaml > "$manifests_dir/compute/tekton-results/namespace.yaml" - yq e -n '.resources += ["namespace.yaml"]' > "$manifests_dir/compute/tekton-results/kustomization.yaml" - printf "OK\n" - return - fi - - 
results_kustomize="$manifests_dir/compute/tekton-results/kustomization.yaml" - results_namespace="$manifests_dir/compute/tekton-results/namespace.yaml" - results_db_secret="$manifests_dir/compute/tekton-results/tekton-results-db-secret.yaml" - results_s3_secret="$manifests_dir/compute/tekton-results/tekton-results-s3-secret.yaml" - results_minio_config="$manifests_dir/compute/tekton-results/tekton-results-minio-config.yaml" - if [ ! -e "$results_kustomize" ]; then - results_dir="$(dirname "$results_kustomize")" - mkdir -p "$results_dir" - if [[ -z $TEKTON_RESULTS_DATABASE_USER || -z $TEKTON_RESULTS_DATABASE_PASSWORD ]]; then - printf "[ERROR] Tekton results database credentials are not set, either set the env variables using \n \ - the config.yaml under tekton_results_db \n \ - Or create '%s' \n" "$results_db_secret" >&2 - exit 1 - fi - if [[ -z $TEKTON_RESULTS_S3_USER || -z $TEKTON_RESULTS_S3_PASSWORD ]]; then - printf "[ERROR] Tekton results s3 credentials are not set, either set the variables using \n \ - the config.yaml under tekton_results_s3 \n \ - Or create '%s' \n" "$results_s3_secret" >&2 - exit 1 - fi - - kubectl create namespace tekton-results --dry-run=client -o yaml > "$results_namespace" - - kubectl create secret generic -n tekton-results tekton-results-database \ - --from-literal=db.user="$TEKTON_RESULTS_DATABASE_USER" \ - --from-literal=db.password="$TEKTON_RESULTS_DATABASE_PASSWORD" \ - --from-literal=db.host="postgres-postgresql.tekton-results.svc.cluster.local" \ - --from-literal=db.name="tekton_results" \ - --dry-run=client -o yaml > "$results_db_secret" - - kubectl create secret generic -n tekton-results tekton-results-s3 \ - --from-literal=aws_access_key_id="$TEKTON_RESULTS_S3_USER" \ - --from-literal=aws_secret_access_key="$TEKTON_RESULTS_S3_PASSWORD" \ - --from-literal=aws_region='not-applicable' \ - --from-literal=bucket=tekton-results \ - --from-literal=endpoint='https://minio.tekton-results.svc.cluster.local' \ - -n tekton-results 
--dry-run=client -o yaml > "$results_s3_secret" - - cat < "$results_minio_config" -apiVersion: v1 -kind: Secret -metadata: - name: minio-storage-configuration - namespace: tekton-results -type: Opaque -stringData: - config.env: |- - export MINIO_ROOT_USER="$TEKTON_RESULTS_S3_USER" - export MINIO_ROOT_PASSWORD="$TEKTON_RESULTS_S3_PASSWORD" - export MINIO_STORAGE_CLASS_STANDARD="EC:2" - export MINIO_BROWSER="on" -EOF - - yq e -n '.resources += ["namespace.yaml", "tekton-results-db-secret.yaml", "tekton-results-s3-secret.yaml", "tekton-results-minio-config.yaml"]' > "$results_kustomize" - fi - printf "OK\n" -} - -main() { - parse_args "$@" - precheck_binary "kubectl" "yq" - init - generate_shared_manifests - configure_argocd_apps -} - -if [ "${BASH_SOURCE[0]}" == "$0" ]; then - main "$@" -fi diff --git a/operator/images/cluster-setup/Dockerfile b/operator/images/cluster-setup/Dockerfile deleted file mode 100644 index 491789da9..000000000 --- a/operator/images/cluster-setup/Dockerfile +++ /dev/null 
@@ -1,37 +0,0 @@
-#@FROM registry.access.redhat.com/ubi9/ubi-minimal
-FROM registry.access.redhat.com/ubi9/ubi-minimal@sha256:0dfa71a7ec2caf445e7ac6b7422ae67f3518960bd6dbf62a7b77fa7a6cfc02b1
-LABEL build-date= \
- com.redhat.build-host= \
- description="This image provides binaries and a script to install tektoncd components on the workload clusters." \
- distribution-scope="public" \
- io.k8s.description="This image provides binaries and a script to install tektoncd components on the workload clusters." \
- io.k8s.display-name="cluster setup" \
- maintainer="Pipeline Service" \
- name="cluster-setup" \
- release="0.1" \
- summary="Provides the latest release of cluster-setup image." \
- url="https://github.com/openshift-pipelines/pipeline-service/tree/main/operator/images/cluster-setup" \
- vcs-ref= \
- vcs-type="git" \
- vendor="Pipeline Service" \
- version="0.1"
-WORKDIR /
-RUN mkdir /workspace && chmod 777 /workspace && chown 65532:65532 /workspace
-RUN microdnf install -y \
- findutils-4.8.0 \
- git-2.39.3 \
- unzip-6.0 \
- && microdnf clean all
-
-COPY shared /tmp/image-build/shared
-RUN /tmp/image-build/shared/hack/install.sh --bin bitwarden,jq,kubectl,yq \
- && rm -rf /tmp/image-build
-
-COPY operator/images/cluster-setup/content /opt/cluster-setup
-
-USER 65532:65532
-ENV HOME /tmp/home
-RUN mkdir $HOME
-VOLUME /workspace
-WORKDIR /workspace
-ENTRYPOINT ["/opt/cluster-setup/bin/install.sh"]
diff --git a/operator/images/cluster-setup/content/bin/install.sh b/operator/images/cluster-setup/content/bin/install.sh
deleted file mode 100755
index 9b7b0913a..000000000
--- a/operator/images/cluster-setup/content/bin/install.sh
+++ /dev/null
@@ -1,176 +0,0 @@ -#!/usr/bin/env bash - -# Copyright 2022 The Pipeline Service Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -set -o errexit -set -o nounset -set -o pipefail - -SCRIPT_DIR="$( - cd "$(dirname "$0")" >/dev/null - pwd -)" - -# shellcheck source=operator/images/cluster-setup/content/bin/utils.sh -source "$SCRIPT_DIR/utils.sh" - -usage() { - - printf " -Usage: - %s [options] - -Deploy Pipeline Service on the clusters as per the configuration in -WORKSPACE_DIR. - -Optional arguments: - -w, --workspace-dir WORKSPACE_DIR - Location of the folder holding the clusters configuration. - Default: \$WORKSPACE_DIR or current directory if the environment - variable is unset. - -d, --debug - Activate tracing/debug mode. - -h, --help - Display this message. 
- -Example: - %s --workspace_dir WORKSPACE_DIR -" "${0##*/}" "${0##*/}" >&2 -} - -parse_args() { - WORKSPACE_DIR="${WORKSPACE_DIR:-$PWD}" - - while [[ $# -gt 0 ]]; do - case $1 in - -w | --workspace-dir) - shift - WORKSPACE_DIR="$1" - ;; - -d | --debug) - DEBUG="--debug" - set -x - ;; - -h | --help) - usage - exit 0 - ;; - *) - echo "Unknown argument: $1" - usage - exit 1 - ;; - esac - shift - done - DEBUG="${DEBUG:-}" -} - -# populate clusters with the cluster names taken from the kubeconfig -# populate contexts with the context name taken from the kubeconfig -# populate kubeconfigs with the associated kubeconfig for each cluster name -# only consider the first context for a specific cluster -get_clusters() { - clusters=() - contexts=() - kubeconfigs=() - mapfile -t files < <(find "$WORKSPACE_DIR/credentials/kubeconfig/compute/" -name \*.kubeconfig) - for kubeconfig in "${files[@]}"; do - mapfile -t subs < <(KUBECONFIG=${kubeconfig} kubectl config view -o jsonpath='{range .contexts[*]}{.name}{","}{.context.cluster}{"\n"}{end}') - for sub in "${subs[@]}"; do - context=$(echo -n "${sub}" | cut -d ',' -f 1) - cluster=$(echo -n "${sub}" | cut -d ',' -f 2 | cut -d ':' -f 1) - if ! (echo "${clusters[@]}" | grep "${cluster}"); then - clusters+=( "${cluster}" ) - contexts+=( "${context}" ) - kubeconfigs+=( "${kubeconfig}" ) - fi - done - done -} - -switch_cluster() { - # Sometimes the workspace is read-only, preventing the context switch - cp "${kubeconfigs[$i]}" "$KUBECONFIG" - - if ! kubectl config use-context "${contexts[$i]}" >/dev/null; then - exit_error "\nCannot use '${contexts[$i]}' context in '$KUBECONFIG'." 
- fi - - # Check that argocd has been installed - if [[ $(kubectl api-resources | grep -c "argoproj.io/") = "0" ]]; then - echo "[ERROR] Argo CD must be deployed on the cluster for kubeconfig/context: '${kubeconfigs[$i]}'/'${contexts[$i]}'" >&2 - exit 1 - fi -} - -install_clusters() { - export KUBECONFIG="/tmp/cluster.kubeconfig" - for i in "${!clusters[@]}"; do - switch_cluster | indent 2 - - printf -- "- Installing shared manifests... \n" - install_shared_manifests | indent 4 - - printf -- "- Installing applications via Openshift GitOps... \n" - install_applications | indent 4 - - printf -- "- Checking application status\n" - check_applications "openshift-gitops" "pipeline-service" | indent 4 - - printf -- "- Checking subscription status\n" - check_subscriptions "openshift-operators" "openshift-pipelines-operator" | indent 4 - - #checking if the pipelines and triggers pods are up and running - printf -- "- Checking deployment status\n" - tektonDeployments=("tekton-pipelines-controller" "tekton-triggers-controller" "tekton-triggers-core-interceptors" "tekton-chains-controller") - check_deployments "openshift-pipelines" "${tektonDeployments[@]}" | indent 4 - resultsDeployments=("tekton-results-api" "tekton-results-watcher") - check_deployments "tekton-results" "${resultsDeployments[@]}" | indent 4 - resultsStatefulsets=("postgres-postgresql" "storage-pool-0") - check_statefulsets "tekton-results" "${resultsStatefulsets[@]}" | indent 4 - - printf -- "- Checking pods status for controlplane namespaces\n" - # list of control plane namespaces - CONTROL_PLANE_NS=("openshift-apiserver" "openshift-controller-manager" "openshift-etcd" "openshift-ingress" "openshift-kube-apiserver" "openshift-kube-controller-manager" "openshift-kube-scheduler") - for ns in "${CONTROL_PLANE_NS[@]}"; do - check_crashlooping_pods "$ns" | indent 4 - done - done -} - -install_shared_manifests() { - CREDENTIALS_DIR="$WORKSPACE_DIR/credentials" - - kubectl apply -k 
"$CREDENTIALS_DIR/manifests/compute/tekton-results" -} - -install_applications() { - CONFIG_DIR=$(find "${WORKSPACE_DIR}/environment/compute" -type d -name "${clusters[$i]}") - kubectl apply -k "$CONFIG_DIR" -} - -main() { - parse_args "$@" - fetch_bitwarden_secrets - get_clusters - INSTALL_FAILED=0 - install_clusters - exit "$INSTALL_FAILED" -} - -if [ "${BASH_SOURCE[0]}" == "$0" ]; then - main "$@" -fi