-
Notifications
You must be signed in to change notification settings - Fork 40
[WIP] RHTAP-6148: Migrate content of rhtap-utils repo under the tssc-cli repo #1667
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Draft
raisavarghese
wants to merge
1
commit into
redhat-appstudio:main
Choose a base branch
from
raisavarghese:RHTAP-6148
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Draft
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| # Test and infrastructure utilities (migrated from rhtap-utils) | ||
|
|
||
| This directory mirrors the [rhtap-utils](https://github.com/redhat-appstudio/rhtap-utils) repository layout. Content was migrated under `tssc-cli/integration-tests/utils/` with the **same folder structure** as in rhtap-utils. | ||
|
|
||
| ## Directories | ||
|
|
||
| | Directory | Purpose | | ||
| |-----------|---------| | ||
| | `artifactory/` | JFrog Artifactory integration | | ||
| | `azure-pipelines/` | Azure Pipelines / DevOps helpers | | ||
| | `git-org-cleanup/` | Git org/repo cleanup scripts | | ||
| | `gitlab-runners/` | GitLab runner configs | | ||
| | `jenkins/` | Jenkins deployment and configs | | ||
| | `nexus/` | Nexus deployment and configs | | ||
| | `quay/` | Quay deployment (e.g. with ODF) | | ||
| | `rhtap-cli/` | Local install wrapper scripts | | ||
| | `rhtap-cli-release/` | Konflux MR/release automation scripts | | ||
| | `service-jenkins-cleanup/` | Service/Jenkins cleanup utilities | | ||
|
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,69 @@ | ||
| # Install Artifactory(JFrog Container Registry) on openshift cluster | ||
|
|
||
| 1. Login to OpenShift | ||
|
|
||
| 2. Deploy Artifactory on Openshift | ||
|
|
||
| ``` | ||
| $ helm repo add jfrog https://charts.jfrog.io | ||
| $ helm repo update | ||
| $ helm upgrade --install jfrog-container-registry jfrog/artifactory-jcr --version 107.98.11 --namespace artifactory-jcr -f values.yaml --create-namespace | ||
|
|
||
| $ oc -n artifactory-jcr create route edge artifactory-ui --service=jfrog-container-registry-artifactory --port=http-router | ||
| $ oc -n artifactory-jcr create route edge artifactory-docker --service=jfrog-container-registry-artifactory --port=http-artifactory | ||
| ``` | ||
|
|
||
| 3. Login to Artifactory-JCR console | ||
| you can perform the following command to get console url | ||
|
|
||
| ``` | ||
| $ echo "https://$(kubectl -n artifactory-jcr get route artifactory-web -o jsonpath='{.spec.host}')" | ||
| ``` | ||
|
|
||
| The default username and password for the built-in administrator user are: | ||
| admin/password | ||
|
|
||
| You just need to fill in a new password, others can be skipped in the navigation windows when you first login to Artifactory-JCR console. | ||
|
|
||
| 4. Create a Local Docker Repository | ||
|
|
||
| Go to `Administration` -> `Repositories` -> `Create a Repository` -> `Local`, Select Package Type `Docker`, fill in `Repository Key` field with `rhtap`, finally click button `Create Local Repository`. | ||
|
|
||
|
|
||
| 5. Set Me Up - Docker Repository | ||
|
|
||
| Go to `Application` -> `JFrog Container Registry` -> `Artifacts`, Click the Docker Repository created at step `4. Create a Local Docker Repository`, Click `Set Me Up` to set up a generic client | ||
|  | ||
|
|
||
| When you input JFrog account password, it generates an identity token and Docker auth contenxt, such like below | ||
|
|
||
| ``` | ||
| { | ||
| "auths": { | ||
| "https://artifactory-web-artifactory-jcr.apps.rosa.xjiang0212416.jgt9.p3.openshiftapps.com" : { | ||
| "auth": "xxxxxxxxxxxxxxx", | ||
| "email": "youremail@email.com" | ||
| } | ||
| } | ||
| } | ||
| ``` | ||
|
|
||
| <span style="color:red"> Notice: Once `Set Me Up` is done , don't click it again, otherwise the token will be changed. Maybe images cannot show up on the Image Registry tab on existing RHTAP integrating with Artifactory.</span> | ||
|
|
||
| 6. Verify pushing image to Artifactory | ||
| Perform the following command to get registry hostname. | ||
|
|
||
| ``` | ||
| $ kubectl -n artifactory-jcr get route artifactory -o jsonpath='{.spec.host}' | ||
| ``` | ||
|
|
||
| Push image to `rhtap` repository on Artifactory server | ||
|
|
||
| ``` | ||
| $ podman tag docker.io/mysql:latest <registry hostname>/rhtap/mysql:latest | ||
| $ <Copy the Docker auth content into a file, for instance auth.json> | ||
| $ podman push --authfile <registry hostname>/rhtap/mysql:latest | ||
| ``` | ||
|
|
||
|
|
||
|
|
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,84 @@ | ||
| --- | ||
| # Default values for artifactory-jcr. | ||
| # This is a YAML-formatted file. | ||
|
|
||
| # Beware when changing values here. You should know what you are doing! | ||
| # Access the values with {{ .Values.key.subkey }} | ||
|
|
||
| # This chart is based on the main artifactory chart with some customizations. | ||
| # See all supported configuration keys in https://github.com/jfrog/charts/tree/master/stable/artifactory | ||
|
|
||
|
|
||
| ## All values are under the 'artifactory' sub chart. | ||
| artifactory: | ||
| containerSecurityContext: | ||
| enabled: false | ||
| ## Artifactory | ||
| ## See full list of supported Artifactory options and documentation in artifactory chart: https://github.com/jfrog/charts/tree/master/stable/artifactory | ||
| artifactory: | ||
| podSecurityContext: | ||
| enabled: false | ||
| ## Default tag is from the artifactory sub-chart in the requirements.yaml | ||
| image: | ||
| registry: releases-docker.jfrog.io | ||
| repository: jfrog/artifactory-jcr | ||
| # tag: 7.98.11 | ||
| ## Uncomment the following resources definitions or pass them from command line | ||
| ## to control the cpu and memory resources allocated by the Kubernetes cluster | ||
| resources: {} | ||
| # requests: | ||
| # memory: "1Gi" | ||
| # cpu: "500m" | ||
| # limits: | ||
| # memory: "4Gi" | ||
| # cpu: "1" | ||
| ## The following Java options are passed to the java process running Artifactory. | ||
| ## You should set them according to the resources set above. | ||
| ## IMPORTANT: Make sure resources.limits.memory is at least 1G more than Xmx. | ||
| javaOpts: {} | ||
| # xms: "1g" | ||
| # xmx: "3g" | ||
| # other: "" | ||
|
|
||
| installer: | ||
| platform: jcr-helm | ||
|
|
||
| installerInfo: '{"productId":"Helm_artifactory-jcr/{{ .Chart.Version }}","features":[{"featureId":"Platform/{{ printf "%s-%s" "kubernetes" .Capabilities.KubeVersion.Version }}"},{"featureId":"Database/{{ .Values.database.type }}"},{"featureId":"PostgreSQL_Enabled/{{ .Values.postgresql.enabled }}"},{"featureId":"Nginx_Enabled/{{ .Values.nginx.enabled }}"},{"featureId":"ArtifactoryPersistence_Type/{{ .Values.artifactory.persistence.type }}"},{"featureId":"SplitServicesToContainers_Enabled/{{ .Values.splitServicesToContainers }}"},{"featureId":"UnifiedSecretInstallation_Enabled/{{ .Values.artifactory.unifiedSecretInstallation }}"},{"featureId":"Filebeat_Enabled/{{ .Values.filebeat.enabled }}"},{"featureId":"ReplicaCount/{{ .Values.artifactory.replicaCount }}"}]}' | ||
|
|
||
| ## Nginx | ||
| ## See full list of supported Nginx options and documentation in artifactory chart: https://github.com/jfrog/charts/tree/master/stable/artifactory | ||
| nginx: | ||
| enabled: false | ||
| tlsSecretName: "" | ||
| service: | ||
| type: LoadBalancer | ||
|
|
||
| ## Ingress | ||
| ## See full list of supported Ingress options and documentation in artifactory chart: https://github.com/jfrog/charts/tree/master/stable/artifactory | ||
| ingress: | ||
| enabled: false | ||
| tls: | ||
|
|
||
| ## PostgreSQL | ||
| ## See list of supported postgresql options and documentation in artifactory chart: https://github.com/jfrog/charts/tree/master/stable/artifactory | ||
| ## Configuration values for the PostgreSQL dependency sub-chart | ||
| ## ref: https://github.com/bitnami/charts/blob/master/bitnami/postgresql/README.md | ||
| postgresql: | ||
| enabled: true | ||
| securityContext: | ||
| enabled: false | ||
| containerSecurityContext: | ||
| enabled: false | ||
| ## This key is required for upgrades to protect old PostgreSQL chart's breaking changes. | ||
| databaseUpgradeReady: "yes" | ||
|
|
||
| ## If NOT using the PostgreSQL in this chart (artifactory.postgresql.enabled=false), | ||
| ## specify custom database details here or leave empty and Artifactory will use embedded derby. | ||
| ## See full list of database options and documentation in artifactory chart: https://github.com/jfrog/charts/tree/master/stable/artifactory | ||
| # database: | ||
|
|
||
| jfconnect: | ||
| enabled: false | ||
|
|
||
| federation: | ||
| enabled: false |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,25 @@ | ||
| # Host Azure Pipelines build agent on openshift cluster | ||
|
|
||
| ## Prerequisites | ||
|
|
||
| 1. OpenShift 4 cluster | ||
|
|
||
| 2. Azure DevOps organization | ||
|
|
||
| ## Install Azure build agent on OpenShift | ||
|
|
||
| 1. Follow the documentation to [Set up a Personal Access Token](https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/linux-agent?view=azure-devops#authenticate-with-a-personal-access-token-pat) in Azure. Save the token for later use in installation. | ||
| 2. Create a new Agent Pool or configure an existing Agent Pool by navigating to Organization Settings -> Agent Pools. | ||
| - Click on Add pool | ||
| - Pool type: Self-hosted | ||
| - Name: <any-name> | ||
| - Pipeline permissions: Grant access permission to all pipelines | ||
| 3. Login to OpenShift cluster | ||
| 4. `cd` to the directory that contains this README | ||
| 5. Navigate to the [Azure Pipeline Agent](https://github.com/Microsoft/azure-pipelines-agent/releases) and check for Linux x86 Agent download url latest version. Modify [AZP_AGENT_PACKAGE_LATEST_URL](./azure-buildconfig.yaml#L44) accordingly. | ||
| 6. Replace the dummy required credential for Azure DevOps in [./azure-deploy.sh](./azure-deploy.sh#L21-L23) for authentication. | ||
| 7. Run the [./azure-deploy.sh](./azure-deploy.sh) script. | ||
| 8. Verify the azure build agent is running | ||
| - In Azure DevOps portal, navigate to Organization Settings -> Agent Pools -> Default (or your own pool) -> Agents | ||
| - You should now see the build agent with Online status. | ||
| - To deploy additional agents, you can scale up the pod replicas. |
46 changes: 46 additions & 0 deletions
46
integration-tests/utils/azure-pipelines/azure-buildconfig.yaml
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,46 @@ | ||
| kind: BuildConfig | ||
| apiVersion: build.openshift.io/v1 | ||
| metadata: | ||
| name: azure-build-agent | ||
| namespace: azure-build | ||
| spec: | ||
| output: | ||
| to: | ||
| kind: ImageStreamTag | ||
| name: azure-build-agent:latest | ||
| source: | ||
| type: Dockerfile | ||
| dockerfile: | | ||
| FROM quay.io/redhat-appstudio/rhtap-task-runner:latest | ||
| ENV _BUILDAH_STARTED_IN_USERNS="" \ | ||
| BUILDAH_ISOLATION=chroot \ | ||
| STORAGE_DRIVER=vfs | ||
|
|
||
| USER root | ||
| COPY start.sh . | ||
| RUN curl $AZP_AGENT_PACKAGE_LATEST_URL --output vsts-agent-linux-x64.tar.gz && \ | ||
| tar zxvf vsts-agent-linux-x64.tar.gz && \ | ||
| rm vsts-agent-linux-x64.tar.gz && id && \ | ||
| chmod 755 *.sh && chown -R root:root . && microdnf install -y openssl-libs krb5-libs zlib libicu && microdnf install -y lttng-ust && \ | ||
| touch /etc/containers/nodocker && \ | ||
| usermod --add-subuids 100000-165535 root && \ | ||
| usermod --add-subgids 100000-165535 root && \ | ||
| setcap cap_setuid+eip /usr/bin/newuidmap && \ | ||
| setcap cap_setgid+eip /usr/bin/newgidmap | ||
| USER 1001 | ||
| ENTRYPOINT ["./start.sh"] | ||
| configMaps: | ||
| - configMap: | ||
| name: start-sh | ||
| strategy: | ||
| type: Docker | ||
| dockerStrategy: | ||
| from: | ||
| kind: DockerImage | ||
| name: 'quay.io/redhat-appstudio/rhtap-task-runner:latest' | ||
| env: | ||
| - name: AZP_AGENT_PACKAGE_LATEST_URL | ||
| value: >- | ||
| https://vstsagentpackage.azureedge.net/agent/4.253.0/vsts-agent-linux-x64-4.253.0.tar.gz | ||
| triggers: | ||
| - type: ConfigChange |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| #!/bin/bash | ||
| set -e | ||
|
|
||
| # Create new project 'azure-build' | ||
| oc new-project azure-build | ||
| # Create ConfigMap for wrapper script (configure and runs the container) | ||
| oc create configmap start-sh --from-file=start.sh | ||
| # Create imagestream and buildconfig | ||
| oc create -f azure-imagestream.yaml -f azure-buildconfig.yaml | ||
| # Start new build | ||
| oc start-build azure-build-agent | ||
| # Create service account for build agent | ||
| oc create -f azure-sa.yaml | ||
| # Upload new SecurityContextConstraints for azure build agent | ||
| oc apply -f azure-sa-scc.yaml | ||
| # Apply scc to the service account | ||
| oc adm policy add-scc-to-user azure-build-scc -z azure-build-sa | ||
|
|
||
| # Configure Azure DevOps credentials | ||
| oc create secret generic azdevops \ | ||
| --from-literal=AZP_URL=https://dev.azure.com/yourOrg \ | ||
| --from-literal=AZP_TOKEN=YourPAT \ | ||
| --from-literal=AZP_POOL=NameOfYourPool | ||
|
|
||
| # Deploy the azure build agent | ||
| oc create -f azure-deployment.yaml |
31 changes: 31 additions & 0 deletions
31
integration-tests/utils/azure-pipelines/azure-deployment.yaml
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| apiVersion: apps/v1 | ||
| kind: Deployment | ||
| metadata: | ||
| name: azure-build-agent | ||
| namespace: azure-build | ||
| spec: | ||
| selector: | ||
| matchLabels: | ||
| app: azure-build-agent | ||
| replicas: 1 | ||
| template: | ||
| metadata: | ||
| annotations: | ||
| alpha.image.policy.openshift.io/resolve-names: '*' | ||
| labels: | ||
| app: azure-build-agent | ||
| spec: | ||
| containers: | ||
| - name: azure-build-agent | ||
|
Check warning on line 19 in integration-tests/utils/azure-pipelines/azure-deployment.yaml
|
||
| image: azure-build-agent:latest | ||
| imagePullPolicy: Always | ||
| envFrom: | ||
| - secretRef: | ||
| name: azdevops | ||
| ports: | ||
| - containerPort: 8080 | ||
| securityContext: | ||
| privileged: true | ||
| runAsUser: 1001 | ||
| serviceAccount: azure-build-sa | ||
| serviceAccountName: azure-build-sa | ||
Check warningCode scanning / SonarCloud Service account permissions should be restricted Medium
Bind this Service Account to RBAC or disable "automountServiceAccountToken". See more on SonarQube Cloud
|
||
5 changes: 5 additions & 0 deletions
5
integration-tests/utils/azure-pipelines/azure-imagestream.yaml
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| apiVersion: image.openshift.io/v1 | ||
| kind: ImageStream | ||
| metadata: | ||
| name: azure-build-agent | ||
| namespace: azure-build |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| allowHostPorts: false | ||
| allowPrivilegeEscalation: true | ||
| allowPrivilegedContainer: true | ||
| allowedCapabilities: null | ||
| apiVersion: security.openshift.io/v1 | ||
| defaultAddCapabilities: null | ||
| fsGroup: | ||
| type: RunAsAny | ||
| groups: [] | ||
| kind: SecurityContextConstraints | ||
| metadata: | ||
| name: azure-build-scc | ||
| namespace: azure-build | ||
| priority: 5 | ||
| readOnlyRootFilesystem: false | ||
| requiredDropCapabilities: | ||
| - KILL | ||
| - MKNOD | ||
| runAsUser: | ||
| type: MustRunAs | ||
| uid: 1001 | ||
| seLinuxContext: | ||
| type: MustRunAs | ||
| supplementalGroups: | ||
| type: RunAsAny | ||
| users: [] | ||
| volumes: | ||
| - configMap | ||
| - downwardAPI | ||
| - emptyDir | ||
| - persistentVolumeClaim | ||
| - projected | ||
| - secret |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| apiVersion: v1 | ||
| kind: ServiceAccount | ||
| metadata: | ||
| name: azure-build-sa | ||
| namespace: azure-build |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Check warning
Code scanning / SonarCloud
Memory limits should be enforced Medium