Skip to content
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion integration-tests/scripts/.ci-env
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,7 @@ export ACS__API_TOKEN=
export ACS__CENTRAL_PASSWORD=

#### Jenkins
# https://github.com/redhat-appstudio/rhtap-utils/blob/main/jenkins/README-JENKINS.md
# https://github.com/redhat-appstudio/tssc-cli/tree/main/integration-tests/utils/jenkins/README-JENKINS.md (migrated from rhtap-utils)
export JENKINS_API_TOKEN=
export JENKINS_URL=
export JENKINS_USERNAME=
Expand Down
2 changes: 1 addition & 1 deletion integration-tests/scripts/.env.template
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@ export ACS__API_TOKEN=
export ACS__CENTRAL_PASSWORD=

#### Jenkins
# https://github.com/redhat-appstudio/rhtap-utils/blob/main/jenkins/README-JENKINS.md
# https://github.com/redhat-appstudio/tssc-cli/tree/main/integration-tests/utils/jenkins/README-JENKINS.md (migrated from rhtap-utils)
export JENKINS_API_TOKEN=
export JENKINS_URL=
export JENKINS_USERNAME=
Expand Down
19 changes: 19 additions & 0 deletions integration-tests/utils/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
# Test and infrastructure utilities (migrated from rhtap-utils)

This directory mirrors the [rhtap-utils](https://github.com/redhat-appstudio/rhtap-utils) repository layout. Content was migrated under `tssc-cli/integration-tests/utils/` with the **same folder structure** as in rhtap-utils.

## Directories

| Directory | Purpose |
|-----------|---------|
| `artifactory/` | JFrog Artifactory integration |
| `azure-pipelines/` | Azure Pipelines / DevOps helpers |
| `git-org-cleanup/` | Git org/repo cleanup scripts |
| `gitlab-runners/` | GitLab runner configs |
| `jenkins/` | Jenkins deployment and configs |
| `nexus/` | Nexus deployment and configs |
| `quay/` | Quay deployment (e.g. with ODF) |
| `rhtap-cli/` | Local install wrapper scripts |
| `rhtap-cli-release/` | Konflux MR/release automation scripts |
| `service-jenkins-cleanup/` | Service/Jenkins cleanup utilities |

69 changes: 69 additions & 0 deletions integration-tests/utils/artifactory/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,69 @@
# Install Artifactory(JFrog Container Registry) on openshift cluster

1. Login to OpenShift

2. Deploy Artifactory on Openshift

```
$ helm repo add jfrog https://charts.jfrog.io
$ helm repo update
$ helm upgrade --install jfrog-container-registry jfrog/artifactory-jcr --version 107.98.11 --namespace artifactory-jcr -f values.yaml --create-namespace

$ oc -n artifactory-jcr create route edge artifactory-ui --service=jfrog-container-registry-artifactory --port=http-router
$ oc -n artifactory-jcr create route edge artifactory-docker --service=jfrog-container-registry-artifactory --port=http-artifactory
```

3. Login to Artifactory-JCR console
you can perform the following command to get console url

```
$ echo "https://$(kubectl -n artifactory-jcr get route artifactory-web -o jsonpath='{.spec.host}')"
```

The default username and password for the built-in administrator user are:
admin/password

You just need to fill in a new password, others can be skipped in the navigation windows when you first login to Artifactory-JCR console.

4. Create a Local Docker Repository

Go to `Administration` -> `Repositories` -> `Create a Repository` -> `Local`, Select Package Type `Docker`, fill in `Repository Key` field with `rhtap`, finally click button `Create Local Repository`.


5. Set Me Up - Docker Repository

Go to `Application` -> `JFrog Container Registry` -> `Artifacts`, Click the Docker Repository created at step `4. Create a Local Docker Repository`, Click `Set Me Up` to set up a generic client
![Set Me Up](./images/set_me_up.png)

When you input JFrog account password, it generates an identity token and Docker auth contenxt, such like below

```
{
"auths": {
"https://artifactory-web-artifactory-jcr.apps.rosa.xjiang0212416.jgt9.p3.openshiftapps.com" : {
"auth": "xxxxxxxxxxxxxxx",
"email": "youremail@email.com"
}
}
}
```

<span style="color:red"> Notice: Once `Set Me Up` is done , don't click it again, otherwise the token will be changed. Maybe images cannot show up on the Image Registry tab on existing RHTAP integrating with Artifactory.</span>

6. Verify pushing image to Artifactory
Perform the following command to get registry hostname.

```
$ kubectl -n artifactory-jcr get route artifactory -o jsonpath='{.spec.host}'
```

Push image to `rhtap` repository on Artifactory server

```
$ podman tag docker.io/mysql:latest <registry hostname>/rhtap/mysql:latest
$ <Copy the Docker auth content into a file, for instance auth.json>
$ podman push --authfile <registry hostname>/rhtap/mysql:latest
```



Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
84 changes: 84 additions & 0 deletions integration-tests/utils/artifactory/values.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,84 @@
---
# Default values for artifactory-jcr.
# This is a YAML-formatted file.

# Beware when changing values here. You should know what you are doing!
# Access the values with {{ .Values.key.subkey }}

# This chart is based on the main artifactory chart with some customizations.
# See all supported configuration keys in https://github.com/jfrog/charts/tree/master/stable/artifactory


## All values are under the 'artifactory' sub chart.
artifactory:
containerSecurityContext:
enabled: false
## Artifactory
## See full list of supported Artifactory options and documentation in artifactory chart: https://github.com/jfrog/charts/tree/master/stable/artifactory
artifactory:
podSecurityContext:
enabled: false
## Default tag is from the artifactory sub-chart in the requirements.yaml
image:
registry: releases-docker.jfrog.io
repository: jfrog/artifactory-jcr
# tag: 7.98.11
## Uncomment the following resources definitions or pass them from command line
## to control the cpu and memory resources allocated by the Kubernetes cluster
resources: {}
# requests:
# memory: "1Gi"
# cpu: "500m"
# limits:
# memory: "4Gi"
# cpu: "1"
## The following Java options are passed to the java process running Artifactory.
## You should set them according to the resources set above.
## IMPORTANT: Make sure resources.limits.memory is at least 1G more than Xmx.
javaOpts: {}
# xms: "1g"
# xmx: "3g"
# other: ""

installer:
platform: jcr-helm

installerInfo: '{"productId":"Helm_artifactory-jcr/{{ .Chart.Version }}","features":[{"featureId":"Platform/{{ printf "%s-%s" "kubernetes" .Capabilities.KubeVersion.Version }}"},{"featureId":"Database/{{ .Values.database.type }}"},{"featureId":"PostgreSQL_Enabled/{{ .Values.postgresql.enabled }}"},{"featureId":"Nginx_Enabled/{{ .Values.nginx.enabled }}"},{"featureId":"ArtifactoryPersistence_Type/{{ .Values.artifactory.persistence.type }}"},{"featureId":"SplitServicesToContainers_Enabled/{{ .Values.splitServicesToContainers }}"},{"featureId":"UnifiedSecretInstallation_Enabled/{{ .Values.artifactory.unifiedSecretInstallation }}"},{"featureId":"Filebeat_Enabled/{{ .Values.filebeat.enabled }}"},{"featureId":"ReplicaCount/{{ .Values.artifactory.replicaCount }}"}]}'

## Nginx
## See full list of supported Nginx options and documentation in artifactory chart: https://github.com/jfrog/charts/tree/master/stable/artifactory
nginx:
enabled: false
tlsSecretName: ""
service:
type: LoadBalancer

## Ingress
## See full list of supported Ingress options and documentation in artifactory chart: https://github.com/jfrog/charts/tree/master/stable/artifactory
ingress:
enabled: false
tls:

## PostgreSQL
## See list of supported postgresql options and documentation in artifactory chart: https://github.com/jfrog/charts/tree/master/stable/artifactory
## Configuration values for the PostgreSQL dependency sub-chart
## ref: https://github.com/bitnami/charts/blob/master/bitnami/postgresql/README.md
postgresql:
enabled: true
securityContext:
enabled: false
containerSecurityContext:
enabled: false
## This key is required for upgrades to protect old PostgreSQL chart's breaking changes.
databaseUpgradeReady: "yes"

## If NOT using the PostgreSQL in this chart (artifactory.postgresql.enabled=false),
## specify custom database details here or leave empty and Artifactory will use embedded derby.
## See full list of database options and documentation in artifactory chart: https://github.com/jfrog/charts/tree/master/stable/artifactory
# database:

jfconnect:
enabled: false

federation:
enabled: false
25 changes: 25 additions & 0 deletions integration-tests/utils/azure-pipelines/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
# Host Azure Pipelines build agent on openshift cluster

## Prerequisites

1. OpenShift 4 cluster

2. Azure DevOps organization

## Install Azure build agent on OpenShift

1. Follow the documentation to [Set up a Personal Access Token](https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/linux-agent?view=azure-devops#authenticate-with-a-personal-access-token-pat) in Azure. Save the token for later use in installation.
2. Create a new Agent Pool or configure an existing Agent Pool by navigating to Organization Settings -> Agent Pools.
- Click on Add pool
- Pool type: Self-hosted
- Name: <any-name>
- Pipeline permissions: Grant access permission to all pipelines
3. Login to OpenShift cluster
4. `cd` to the directory that contains this README
5. Navigate to the [Azure Pipeline Agent](https://github.com/Microsoft/azure-pipelines-agent/releases) and check for Linux x86 Agent download url latest version. Modify [AZP_AGENT_PACKAGE_LATEST_URL](./azure-buildconfig.yaml#L44) accordingly.
6. Replace the dummy required credential for Azure DevOps in [./azure-deploy.sh](./azure-deploy.sh#L21-L23) for authentication.
7. Run the [./azure-deploy.sh](./azure-deploy.sh) script.
8. Verify the azure build agent is running
- In Azure DevOps portal, navigate to Organization Settings -> Agent Pools -> Default (or your own pool) -> Agents
- You should now see the build agent with Online status.
- To deploy additional agents, you can scale up the pod replicas.
46 changes: 46 additions & 0 deletions integration-tests/utils/azure-pipelines/azure-buildconfig.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,46 @@
kind: BuildConfig
apiVersion: build.openshift.io/v1
metadata:
name: azure-build-agent
namespace: azure-build
spec:
output:
to:
kind: ImageStreamTag
name: azure-build-agent:latest
source:
type: Dockerfile
dockerfile: |
FROM quay.io/redhat-appstudio/rhtap-task-runner:latest
ENV _BUILDAH_STARTED_IN_USERNS="" \
BUILDAH_ISOLATION=chroot \
STORAGE_DRIVER=vfs

USER root
COPY start.sh .
RUN curl $AZP_AGENT_PACKAGE_LATEST_URL --output vsts-agent-linux-x64.tar.gz && \
tar zxvf vsts-agent-linux-x64.tar.gz && \
rm vsts-agent-linux-x64.tar.gz && id && \
chmod 755 *.sh && chown -R root:root . && microdnf install -y openssl-libs krb5-libs zlib libicu && microdnf install -y lttng-ust && \
touch /etc/containers/nodocker && \
usermod --add-subuids 100000-165535 root && \
usermod --add-subgids 100000-165535 root && \
setcap cap_setuid+eip /usr/bin/newuidmap && \
setcap cap_setgid+eip /usr/bin/newgidmap
USER 1001
ENTRYPOINT ["./start.sh"]
configMaps:
- configMap:
name: start-sh
strategy:
type: Docker
dockerStrategy:
from:
kind: DockerImage
name: 'quay.io/redhat-appstudio/rhtap-task-runner:latest'
env:
- name: AZP_AGENT_PACKAGE_LATEST_URL
value: >-
https://vstsagentpackage.azureedge.net/agent/4.253.0/vsts-agent-linux-x64-4.253.0.tar.gz
triggers:
- type: ConfigChange
26 changes: 26 additions & 0 deletions integration-tests/utils/azure-pipelines/azure-deploy.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
#!/bin/bash
set -e

# Create new project 'azure-build'
oc new-project azure-build
# Create ConfigMap for wrapper script (configure and runs the container)
oc create configmap start-sh --from-file=start.sh
# Create imagestream and buildconfig
oc create -f azure-imagestream.yaml -f azure-buildconfig.yaml
# Start new build
oc start-build azure-build-agent
# Create service account for build agent
oc create -f azure-sa.yaml
# Upload new SecurityContextConstraints for azure build agent
oc apply -f azure-sa-scc.yaml
# Apply scc to the service account
oc adm policy add-scc-to-user azure-build-scc -z azure-build-sa

# Configure Azure DevOps credentials
oc create secret generic azdevops \
--from-literal=AZP_URL=https://dev.azure.com/yourOrg \
--from-literal=AZP_TOKEN=YourPAT \
--from-literal=AZP_POOL=NameOfYourPool

# Deploy the azure build agent
oc create -f azure-deployment.yaml
31 changes: 31 additions & 0 deletions integration-tests/utils/azure-pipelines/azure-deployment.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: azure-build-agent
namespace: azure-build
spec:
selector:
matchLabels:
app: azure-build-agent
replicas: 1
template:
metadata:
annotations:
alpha.image.policy.openshift.io/resolve-names: '*'
labels:
app: azure-build-agent
spec:
containers:
- name: azure-build-agent

Check warning on line 19 in integration-tests/utils/azure-pipelines/azure-deployment.yaml

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Specify a memory limit for this container.

See more on https://sonarcloud.io/project/issues?id=redhat-appstudio_rhtap-cli&issues=AZzCg-ytXcQUkSMRZUdZ&open=AZzCg-ytXcQUkSMRZUdZ&pullRequest=1667

Check warning

Code scanning / SonarCloud

Memory limits should be enforced Medium

Specify a memory limit for this container. See more on SonarQube Cloud
image: azure-build-agent:latest
imagePullPolicy: Always
envFrom:
- secretRef:
name: azdevops
ports:
- containerPort: 8080
securityContext:
privileged: true
runAsUser: 1001
serviceAccount: azure-build-sa
serviceAccountName: azure-build-sa

Check warning

Code scanning / SonarCloud

Service account permissions should be restricted Medium

Bind this Service Account to RBAC or disable "automountServiceAccountToken". See more on SonarQube Cloud
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
apiVersion: image.openshift.io/v1
kind: ImageStream
metadata:
name: azure-build-agent
namespace: azure-build
33 changes: 33 additions & 0 deletions integration-tests/utils/azure-pipelines/azure-sa-scc.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: true
allowedCapabilities: null
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
type: RunAsAny
groups: []
kind: SecurityContextConstraints
metadata:
name: azure-build-scc
namespace: azure-build
priority: 5
readOnlyRootFilesystem: false
requiredDropCapabilities:
- KILL
- MKNOD
runAsUser:
type: MustRunAs
uid: 1001
seLinuxContext:
type: MustRunAs
supplementalGroups:
type: RunAsAny
users: []
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
5 changes: 5 additions & 0 deletions integration-tests/utils/azure-pipelines/azure-sa.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: azure-build-sa
namespace: azure-build
Loading