feat(gerrit) adding pipeline to automatically merge submittable patchsets

This 'jarvis-merge' pipeline reruns validation of a submittable
patchset and upon success, will submit the patchset, integrating it to
the main branch.

It will also promote a repository's artifacts from their respective -staging
areas to their non-staging counterparts.

Change-Id: I2e46d95543c6a835f7c17c1097a7ea84b1092f4d

charts/jarvis-project/templates/Job-project.yaml

@@ -51,16 +51,19 @@ spec:
             - -cex
             - |
               # Create gerrit repo
-              ssh -oStrictHostKeyChecking=accept-new -oUserKnownHostsFile=/dev/null \
+              ( \
-                -p 29418 \
+                ssh -oStrictHostKeyChecking=accept-new -oUserKnownHostsFile=/dev/null \
-                -i /run/jarvis/secret/gerrit-ssh-key "${GERRIT_USERNAME}@${GERRIT_HOST}" \
+                  -p 29418 \
-                gerrit ls-projects -r "^$JARVIS_PROJECT_NAME\$" | grep -q "^${JARVIS_PROJECT_NAME}\$" \
+                  -i /run/jarvis/secret/gerrit-ssh-key "${GERRIT_USERNAME}@${GERRIT_HOST}" \
-              &&
+                  gerrit ls-projects -r "^$JARVIS_PROJECT_NAME\$" | grep -q "^${JARVIS_PROJECT_NAME}\$" \
-              ssh -oStrictHostKeyChecking=accept-new -oUserKnownHostsFile=/dev/null \
+                &&
-                -p 29418 \
+                ssh -oStrictHostKeyChecking=accept-new -oUserKnownHostsFile=/dev/null \
-                -i /run/jarvis/secret/gerrit-ssh-key "${GERRIT_USERNAME}@${GERRIT_HOST}" \
+                  -p 29418 \
-                gerrit set-project-parent \
+                  -i /run/jarvis/secret/gerrit-ssh-key "${GERRIT_USERNAME}@${GERRIT_HOST}" \
-                {{ if eq $.Values.config.ci.verify true }} --parent Verified-Label-Projects {{ else }} --parent Non-Verified-Label-Projects {{ end }} \
+                  gerrit set-project-parent \
+                  {{ if eq $.Values.config.ci.verify true }} --parent Verified-Label-Projects {{ else }} --parent Non-Verified-Label-Projects {{ end }} \
+                  --children-of Non-Verified-Label-Projects \
+              ) \
               || \
               ssh -oStrictHostKeyChecking=accept-new -oUserKnownHostsFile=/dev/null \
                 -p 29418 \

charts/jarvis-system/templates/EventListener-system.yaml

@@ -7,6 +7,7 @@ metadata:
 spec:
   serviceAccountName: {{ template "helpers.labels.fullname" . }}-el
   triggers:
+    # Gating Pipeline
     - name: jarvis-create
       interceptors:
         - cel:
@@ -36,6 +37,37 @@ spec:
         - ref: {{ template "helpers.labels.fullname" . }}-createresult
       template:
         ref: {{ template "helpers.labels.fullname" . }}-createfailure
+
+    # Integration Pipeline
+    - name: jarvis-merge
+      interceptors:
+        - cel:
+            filter: >-
+              header.match('X-Jarvis', 'merge')
+      bindings:
+        - ref: {{ template "helpers.labels.fullname" . }}-merge
+      template:
+        ref: {{ template "helpers.labels.fullname" . }}-merge
+    - name: jarvis-merge-success
+      interceptors:
+        - cel:
+            filter: >-
+              header.match('Ce-Type', 'dev.tekton.event.pipelinerun.successful.v1') &&
+              body.pipelineRun.metadata.labels['triggers.tekton.dev/trigger'] == 'jarvis-merge'
+      bindings:
+        - ref: {{ template "helpers.labels.fullname" . }}-mergeresult
+      template:
+        ref: {{ template "helpers.labels.fullname" . }}-mergesuccess
+    - name: jarvis-merge-failure
+      interceptors:
+        - cel:
+            filter: >-
+              header.match('Ce-Type', 'dev.tekton.event.pipelinerun.failed.v1') &&
+              body.pipelineRun.metadata.labels['triggers.tekton.dev/trigger'] == 'jarvis-merge'
+      bindings:
+        - ref: {{ template "helpers.labels.fullname" . }}-mergeresult
+      template:
+        ref: {{ template "helpers.labels.fullname" . }}-mergefailure
 ...
 {{- end -}}
 {{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "EventListener-system" ) }}

charts/jarvis-system/templates/Pipeline-create.yaml

@@ -40,9 +40,11 @@ spec:
           value: $(params.changeNumber)
         - name: patchSetNumber
           value: $(params.patchSetNumber)
+        - name: pipeline
+          value: "create"
       workspaces:
         - name: output
           workspace: output
 ...
 {{- end -}}
-{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "Pipeline-create" ) }}
+{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "Pipeline-create" ) }}

charts/jarvis-system/templates/Pipeline-merge.yaml

@@ -0,0 +1,36 @@
+{{- define "Pipeline-merge" -}}
+---
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+  name: {{ template "helpers.labels.fullname" . }}-merge
+spec:
+  params:
+    - name: repoRoot
+    - name: project
+    - name: changeNumber
+    - name: patchSetNumber
+    - name: checkerUUID
+  workspaces:
+    - name: output
+  tasks:
+    - name: createprojectaccess
+      taskRef:
+        name: {{ template "helpers.labels.fullname" . }}-createprojectaccess
+      params:
+        - name: repoRoot
+          value: $(params.repoRoot)
+        - name: project
+          value: $(params.project)
+        - name: changeNumber
+          value: $(params.changeNumber)
+        - name: patchSetNumber
+          value: $(params.patchSetNumber)
+        - name: pipeline
+          value: "merge"
+      workspaces:
+        - name: output
+          workspace: output
+...
+{{- end -}}
+{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "Pipeline-merge" ) }}

charts/jarvis-system/templates/Pipeline-mergeFailure.yaml

@@ -0,0 +1,40 @@
+{{- define "Pipeline-mergeFailure" -}}
+---
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+  name: {{ template "helpers.labels.fullname" . }}-mergefailure
+spec:
+  params:
+    - name: repoRoot
+    - name: project
+    - name: changeNumber
+    - name: patchSetNumber
+    - name: checkerUUID
+    - name: pipelineName
+    - name: pipelineRunName
+    - name: pipelineRunNamespace
+  tasks:
+    - name: mergefailure
+      taskRef:
+        name: {{ template "helpers.labels.fullname" . }}-mergefailure
+      params:
+        - name: repoRoot
+          value: $(params.repoRoot)
+        - name: project
+          value: $(params.project)
+        - name: changeNumber
+          value: $(params.changeNumber)
+        - name: patchSetNumber
+          value: $(params.patchSetNumber)
+        - name: checkerUUID
+          value: $(params.checkerUUID)
+        - name: pipelineName
+          value: $(params.pipelineName)
+        - name: pipelineRunName
+          value: $(params.pipelineRunName)
+        - name: pipelineRunNamespace
+          value: $(params.pipelineRunNamespace)
+...
+{{- end -}}
+{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "Pipeline-mergeFailure" ) }}

charts/jarvis-system/templates/Pipeline-mergeSuccess.yaml

@@ -0,0 +1,40 @@
+{{- define "Pipeline-mergeSuccess" -}}
+---
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+  name: {{ template "helpers.labels.fullname" . }}-mergesuccess
+spec:
+  params:
+    - name: repoRoot
+    - name: project
+    - name: changeNumber
+    - name: patchSetNumber
+    - name: checkerUUID
+    - name: pipelineName
+    - name: pipelineRunName
+    - name: pipelineRunNamespace
+  tasks:
+    - name: mergesuccess
+      taskRef:
+        name: {{ template "helpers.labels.fullname" . }}-mergesuccess
+      params:
+        - name: repoRoot
+          value: $(params.repoRoot)
+        - name: project
+          value: $(params.project)
+        - name: changeNumber
+          value: $(params.changeNumber)
+        - name: patchSetNumber
+          value: $(params.patchSetNumber)
+        - name: checkerUUID
+          value: $(params.checkerUUID)
+        - name: pipelineName
+          value: $(params.pipelineName)
+        - name: pipelineRunName
+          value: $(params.pipelineRunName)
+        - name: pipelineRunNamespace
+          value: $(params.pipelineRunNamespace)
+...
+{{- end -}}
+{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "Pipeline-mergeSuccess" ) }}

charts/jarvis-system/templates/Task-createProjectAccess.yaml

@@ -10,6 +10,7 @@ spec:
     - name: project
     - name: changeNumber
     - name: patchSetNumber
+    - name: pipeline
   workspaces:
     - name: output
       description: The git repo will be cloned onto the volume backing this workspace
@@ -231,8 +232,7 @@ spec:
 
         kubectl create \
           -n jarvis-$(params.changeNumber)-$(params.patchSetNumber) \
-          -f "$(workspaces.output.path)"/jarvis/development-pipeline/pipelinerun-validation.yaml
+          -f "$(workspaces.output.path)"/jarvis/development-pipeline/pipelinerun-$(params.pipeline).yaml
-
             # Default wait timeout is 1000 seconds
             end=$(date +%s)
             timeout=${3:-3000}

charts/jarvis-system/templates/Task-createRegisterScheduled.yaml

@@ -30,7 +30,6 @@ spec:
       script: |
         #!/bin/sh
         set -eu -o pipefail -x
-
         curl \
           --netrc-file /run/jarvis/gerrit-netrc \
           --fail \
@@ -46,7 +45,6 @@ spec:
           "message": "Jarvis has started to process the run for change #$(params.changeNumber) ps #$(params.patchSetNumber) to the $(params.project) repo"
         }
         EOF
-
         curl \
           --netrc-file /run/jarvis/gerrit-netrc \
           --fail \
@@ -71,4 +69,4 @@ spec:
             path: gerrit-netrc
 ...
 {{- end -}}
-{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "Task-createRegisterScheduled" ) }}
+{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "Task-createRegisterScheduled" ) }}

charts/jarvis-system/templates/Task-mergeFailure.yaml

@@ -0,0 +1,111 @@
+{{- define "Task-mergeFailure" -}}
+---
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  name: {{ template "helpers.labels.fullname" . }}-mergefailure
+spec:
+  params:
+    - name: repoRoot
+    - name: project
+    - name: changeNumber
+    - name: patchSetNumber
+    - name: checkerUUID
+    - name: pipelineName
+    - name: pipelineRunName
+    - name: pipelineRunNamespace
+  steps:
+    - name: mergefailure
+      image: {{ include "helpers.pod.container.image" ( dict "Global" $ "Application" "task_results" ) }}
+      volumeMounts:
+        - name: gerrit-netrc
+          mountPath: /run/jarvis/gerrit-netrc
+          subPath: gerrit-netrc
+      script: |
+        #!/bin/bash
+        set -eu -o pipefail -x
+
+        # Get project information from Harbor
+        PROJECT_INFO=$(curl -k -X GET "https://{{ .Values.params.harbor.dashboard.host }}/api/v2.0/search?q=$(params.project)-staging" -H  "accept: application/json")
+        PROJECT_ID=$(echo $PROJECT_INFO | jq -r '.project'[0].'project_id')
+
+        # Get the taskRun uid from the microflow-setup-image pod
+        TASK_RUN_NAMESPACE="jarvis-$(params.changeNumber)-$(params.patchSetNumber)"
+        TASK_RUN_DEV_PIPELINE=$(kubectl get taskrun -n "${TASK_RUN_NAMESPACE}" | grep microflow-setup-image | awk '{print $1}') || true
+
+        if [[ -z "$TASK_RUN_DEV_PIPELINE" ]]; then
+            # Do not append the CVE report link, if there is no 'microflow-setup-image' pod to get the taskRun uid from
+            REPO_COUNT=0
+        else
+            TASK_RUN_UID=$(kubectl get taskrun -n "${TASK_RUN_NAMESPACE}" "${TASK_RUN_DEV_PIPELINE}" -o jsonpath='{.metadata.uid}')
+            # For first time run, there may be no repositories, so only check for artifacts if the project has repositories
+            REPO_COUNT=$(echo $PROJECT_INFO | jq -r '.project'[0].'repo_count')
+        fi
+
+        MESSAGE="Jarvis failed to process the run for change #$(params.changeNumber) ps #$(params.patchSetNumber) to the $(params.project)"
+
+        if [ $REPO_COUNT -gt 0 ]; then
+            REPOSITORY_NAME=$(echo $PROJECT_INFO | jq -r '.repository'[0].'repository_name' | awk -F"/" '{print $2}')
+            # Grabs the SHA256 of the corresponding artifact based off taskrun uid
+            SHA256=$(curl -k -X GET "https://{{ .Values.params.harbor.dashboard.host }}/api/v2.0/projects/$(params.project)-staging/repositories/${REPOSITORY_NAME}/artifacts/${TASK_RUN_UID}" -H  "accept: application/json" | jq -r '.digest')
+            MESSAGE="${MESSAGE}\n\n----- Image Scan Report -----\nhttps://{{ .Values.params.harbor.dashboard.host }}/harbor/projects/${PROJECT_ID}/repositories/${REPOSITORY_NAME}/artifacts/${SHA256}"
+        fi
+
+        curl \
+          --netrc-file /run/jarvis/gerrit-netrc \
+          --fail \
+          --insecure \
+          -L \
+          -H "Content-Type: application/json; charset=UTF-8" \
+          $(params.repoRoot)/a/changes/$(params.changeNumber)/revisions/$(params.patchSetNumber)/checks/ \
+          --data-binary @- << EOF
+        {
+          "checker_uuid": "$(params.checkerUUID)",
+          "state": "FAILED",
+          "url": "https://{{ .Values.params.grafana.dashboard.host }}/d/{{ .Values.params.grafana.dashboard.uid }}/{{ .Values.params.grafana.dashboard.title }}?orgId={{ .Values.params.grafana.dashboard.orgid }}&var-namespace=$(params.pipelineRunNamespace)&var-tekton_dev_pipeline=$(params.pipelineName)&var-tekton_dev_pipelineRun=$(params.pipelineRunName)&var-tekton_dev_taskRun=All",
+          "message": "${MESSAGE}",
+          "finished": "$(date --utc '+%F %T.%N')"
+        }
+        EOF
+
+        curl \
+          --netrc-file /run/jarvis/gerrit-netrc \
+          --fail \
+          --insecure \
+          -L \
+          -H "Content-Type: application/json; charset=UTF-8" \
+          $(params.repoRoot)/a/changes/$(params.changeNumber)/revisions/$(params.patchSetNumber)/review/ \
+          --data-binary @- << EOF
+        {
+          "labels": {
+            "Verified": "-1"
+          }
+        }
+        EOF
+
+        curl \
+          --netrc-file /run/jarvis/gerrit-netrc \
+          --fail \
+          --insecure \
+          -L \
+          -H "Content-Type: application/json; charset=UTF-8" \
+          $(params.repoRoot)/a/changes/$(params.changeNumber)/hashtags/ \
+          --data-binary @- << EOF
+        {
+          "add": [],
+          "remove": [
+              "jarvis-merge"
+          ]
+        }
+        EOF
+  volumes:
+    - name: gerrit-netrc
+      secret:
+        secretName: {{ template "helpers.labels.fullname" . }}-gerrit
+        defaultMode: 0444
+        items:
+          - key: gerrit-netrc
+            path: gerrit-netrc
+...
+{{- end -}}
+{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "Task-mergeFailure" ) }}

charts/jarvis-system/templates/Task-mergeSuccess.yaml

@@ -0,0 +1,61 @@
+{{- define "Task-mergeSuccess" -}}
+---
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  name: {{ template "helpers.labels.fullname" . }}-mergesuccess
+spec:
+  params:
+    - name: repoRoot
+    - name: project
+    - name: changeNumber
+    - name: patchSetNumber
+    - name: checkerUUID
+    - name: pipelineName
+    - name: pipelineRunName
+    - name: pipelineRunNamespace
+  steps:
+    - name: mergesuccess
+      image: {{ include "helpers.pod.container.image" ( dict "Global" $ "Application" "task_results" ) }}
+      volumeMounts:
+        - name: gerrit-netrc
+          mountPath: /run/jarvis/gerrit-netrc
+          subPath: gerrit-netrc
+      script: |
+        #!/bin/bash
+        set -eu -o pipefail -x
+
+        curl \
+          -X POST \
+          --fail \
+          --netrc-file /run/jarvis/gerrit-netrc \
+          --insecure \
+          -L \
+          $(params.repoRoot)/a/changes/$(params.changeNumber)/submit/
+
+        curl \
+          --netrc-file /run/jarvis/gerrit-netrc \
+          --fail \
+          --insecure \
+          -L \
+          -H "Content-Type: application/json; charset=UTF-8" \
+          $(params.repoRoot)/a/changes/$(params.changeNumber)/hashtags/ \
+          --data-binary @- << EOF
+        {
+          "add": [],
+          "remove": [
+              "jarvis-merge"
+          ]
+        }
+        EOF
+  volumes:
+    - name: gerrit-netrc
+      secret:
+        secretName: {{ template "helpers.labels.fullname" . }}-gerrit
+        defaultMode: 0444
+        items:
+          - key: gerrit-netrc
+            path: gerrit-netrc
+...
+{{- end -}}
+{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "Task-mergeSuccess" ) }}

charts/jarvis-system/templates/TriggerBinding-merge.yaml

@@ -0,0 +1,21 @@
+{{- define "TriggerBinding-merge" -}}
+---
+apiVersion: triggers.tekton.dev/v1alpha1
+kind: TriggerBinding
+metadata:
+  name: {{ template "helpers.labels.fullname" . }}-merge
+spec:
+  params:
+    - name: repoRoot
+      value: $(body.repoRoot)
+    - name: project
+      value: $(body.project)
+    - name: changeNumber
+      value: $(body.changeNumber)
+    - name: patchSetNumber
+      value: $(body.patchSetNumber)
+    - name: checkerUUID
+      value: $(body.checkerUUID)
+...
+{{- end -}}
+{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "TriggerBinding-merge" ) }}

charts/jarvis-system/templates/TriggerBinding-mergeResult.yaml

@@ -0,0 +1,27 @@
+{{- define "TriggerBinding-mergeResult" -}}
+---
+apiVersion: triggers.tekton.dev/v1alpha1
+kind: TriggerBinding
+metadata:
+  name: {{ template "helpers.labels.fullname" . }}-mergeresult
+spec:
+  params:
+    - name: repoRoot
+      value: $(body.pipelineRun.spec.params[?(@.name=='repoRoot')].value)
+    - name: project
+      value: $(body.pipelineRun.spec.params[?(@.name=='project')].value)
+    - name: changeNumber
+      value: $(body.pipelineRun.spec.params[?(@.name=='changeNumber')].value)
+    - name: patchSetNumber
+      value: $(body.pipelineRun.spec.params[?(@.name=='patchSetNumber')].value)
+    - name: checkerUUID
+      value: $(body.pipelineRun.spec.params[?(@.name=='checkerUUID')].value)
+    - name: pipelineName
+      value: $(body.pipelineRun.spec.pipelineRef.name)
+    - name: pipelineRunName
+      value: $(body.pipelineRun.metadata.name)
+    - name: pipelineRunNamespace
+      value: $(body.pipelineRun.metadata.namespace)
+...
+{{- end -}}
+{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "TriggerBinding-mergeResult" ) }}

charts/jarvis-system/templates/TriggerTemplate-merge.yaml

@@ -0,0 +1,39 @@
+{{- define "TriggerTemplate-merge" -}}
+---
+apiVersion: triggers.tekton.dev/v1alpha1
+kind: TriggerTemplate
+metadata:
+  name: {{ template "helpers.labels.fullname" . }}-merge
+spec:
+  params:
+    - name: repoRoot
+    - name: project
+    - name: changeNumber
+    - name: patchSetNumber
+    - name: checkerUUID
+  resourcetemplates:
+    - apiVersion: tekton.dev/v1beta1
+      kind: PipelineRun
+      metadata:
+        generateName: {{ template "helpers.labels.fullname" . }}-merge-
+      spec:
+        serviceAccountName: jarvis-system-el
+        pipelineRef:
+          name: {{ template "helpers.labels.fullname" . }}-merge
+        params:
+          - name: repoRoot
+            value: $(tt.params.repoRoot)
+          - name: project
+            value: $(tt.params.project)
+          - name: changeNumber
+            value: $(tt.params.changeNumber)
+          - name: patchSetNumber
+            value: $(tt.params.patchSetNumber)
+          - name: checkerUUID
+            value: $(tt.params.checkerUUID)
+        workspaces:
+          - name: output
+            emptyDir: {}
+...
+{{- end -}}
+{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "TriggerTemplate-merge" ) }}

charts/jarvis-system/templates/TriggerTemplate-mergeFailure.yaml

@@ -0,0 +1,45 @@
+{{- define "TriggerTemplate-mergeFailure" -}}
+---
+apiVersion: triggers.tekton.dev/v1alpha1
+kind: TriggerTemplate
+metadata:
+  name: {{ template "helpers.labels.fullname" . }}-mergefailure
+spec:
+  params:
+    - name: repoRoot
+    - name: project
+    - name: changeNumber
+    - name: patchSetNumber
+    - name: checkerUUID
+    - name: pipelineName
+    - name: pipelineRunName
+    - name: pipelineRunNamespace
+  resourcetemplates:
+    - apiVersion: tekton.dev/v1beta1
+      kind: PipelineRun
+      metadata:
+        generateName: {{ template "helpers.labels.fullname" . }}-mergefailure-
+      spec:
+        serviceAccountName: jarvis-system-el
+        pipelineRef:
+          name: {{ template "helpers.labels.fullname" . }}-mergefailure
+        params:
+          - name: repoRoot
+            value: $(tt.params.repoRoot)
+          - name: project
+            value: $(tt.params.project)
+          - name: changeNumber
+            value: $(tt.params.changeNumber)
+          - name: patchSetNumber
+            value: $(tt.params.patchSetNumber)
+          - name: checkerUUID
+            value: $(tt.params.checkerUUID)
+          - name: pipelineName
+            value: $(tt.params.pipelineName)
+          - name: pipelineRunName
+            value: $(tt.params.pipelineRunName)
+          - name: pipelineRunNamespace
+            value: $(tt.params.pipelineRunNamespace)
+...
+{{- end -}}
+{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "TriggerTemplate-mergeFailure" ) }}

charts/jarvis-system/templates/TriggerTemplate-mergeSuccess.yaml

@@ -0,0 +1,45 @@
+{{- define "TriggerTemplate-mergeSuccess" -}}
+---
+apiVersion: triggers.tekton.dev/v1alpha1
+kind: TriggerTemplate
+metadata:
+  name: {{ template "helpers.labels.fullname" . }}-mergesuccess
+spec:
+  params:
+    - name: repoRoot
+    - name: project
+    - name: changeNumber
+    - name: patchSetNumber
+    - name: checkerUUID
+    - name: pipelineName
+    - name: pipelineRunName
+    - name: pipelineRunNamespace
+  resourcetemplates:
+    - apiVersion: tekton.dev/v1beta1
+      kind: PipelineRun
+      metadata:
+        generateName: {{ template "helpers.labels.fullname" . }}-mergesuccess-
+      spec:
+        serviceAccountName: jarvis-system-el
+        pipelineRef:
+          name: {{ template "helpers.labels.fullname" . }}-mergesuccess
+        params:
+          - name: repoRoot
+            value: $(tt.params.repoRoot)
+          - name: project
+            value: $(tt.params.project)
+          - name: changeNumber
+            value: $(tt.params.changeNumber)
+          - name: patchSetNumber
+            value: $(tt.params.patchSetNumber)
+          - name: checkerUUID
+            value: $(tt.params.checkerUUID)
+          - name: pipelineName
+            value: $(tt.params.pipelineName)
+          - name: pipelineRunName
+            value: $(tt.params.pipelineRunName)
+          - name: pipelineRunNamespace
+            value: $(tt.params.pipelineRunNamespace)
+...
+{{- end -}}
+{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "TriggerTemplate-mergeSuccess" ) }}

tools/gate/jarvis/500-deploy-gerrit.sh

@@ -161,36 +161,14 @@ function gerrit_bootstrap() {
     forgeCommitter = group Administrators
     forgeCommitter = group Project Owners
     push = group Administrators
-    push = group Project Owners
     submit = group Administrators
-    submit = group Project Owners
-    label-Code-Review = -2..+2 group Administrators
-    label-Code-Review = -2..+2 group Project Owners
-    label-Code-Review = -1..+1 group Registered Users
-    label-Verified = -1..+1 group Administrators
-    label-Verified = -1..+1 group Service Users
-    label-Verified = -1..+1 group Project Owners
-    label-Workflow = -1..+1 group Administrators
-    label-Workflow = -1..+1 group Service Users
-    label-Workflow = -1..+1 group Project Owners
 [access "refs/meta/config"]
     exclusiveGroupPermissions = read
     create = group Administrators
     push = group Administrators
-    push = group Project Owners
     read = group Administrators
     read = group Project Owners
     submit = group Administrators
-    submit = group Project Owners
-    label-Code-Review = -2..+2 group Administrators
-    label-Code-Review = -2..+2 group Project Owners
-    label-Code-Review = -1..+1 group Registered Users
-    label-Verified = -1..+1 group Administrators
-    label-Verified = -1..+1 group Service Users
-    label-Verified = -1..+1 group Project Owners
-    label-Workflow = -1..+1 group Administrators
-    label-Workflow = -1..+1 group Service Users
-    label-Workflow = -1..+1 group Project Owners
 [access "refs/tags/*"]
     create = group Administrators
     create = group Project Owners
@@ -220,11 +198,26 @@ EOF
   git checkout meta/config
   rm project.config || true
   rm rules.pl || true
+  tee --append groups <<EOF
+global:Project-Owners                   	Project Owners
+EOF
   tee project.config << EOF
 [access]
     inheritFrom = All-Projects
 [access "refs/*"]
     owner = group Administrators
+[access "refs/heads/*"]
+    label-Code-Review = -2..+2 group Administrators
+    label-Code-Review = -2..+2 group Project Owners
+    label-Verified = -1..+1 group Administrators
+    label-Workflow = -1..+1 group Administrators
+    label-Workflow = -1..+1 group Project Owners
+[access "refs/meta/config"]
+    label-Code-Review = -2..+2 group Administrators
+    label-Code-Review = -2..+2 group Project Owners
+    label-Verified = -1..+1 group Administrators
+    label-Workflow = -1..+1 group Administrators
+    label-Workflow = -1..+1 group Project Owners
 [label "Code-Review"]
     function = MaxWithBlock
     defaultValue = 0
@@ -250,29 +243,30 @@ EOF
     value = +1 Approved
 
 EOF
-  tee rules.pl << EOF
+# TODO enable rules.pl once more LDAP users are registered
-sum_list([], 0).
+#  tee rules.pl << EOF
-sum_list([H | Rest], Sum) :- sum_list(Rest,Tmp), Sum is H + Tmp.
+#sum_list([], 0).
-
+#sum_list([H | Rest], Sum) :- sum_list(Rest,Tmp), Sum is H + Tmp.
-add_category_min_score(In, Category, Min,  P) :-
+#
-    findall(2, gerrit:commit_label(label(Category,2),R),Z),
+#add_category_min_score(In, Category, Min,  P) :-
-    sum_list(Z, Sum),
+#    findall(2, gerrit:commit_label(label(Category,2),R),Z),
-    Sum >= Min, !,
+#    sum_list(Z, Sum),
-    gerrit:commit_label(label(Category, V), U),
+#    Sum >= Min, !,
-    V >= 1,
+#    gerrit:commit_label(label(Category, V), U),
-    !,
+#    V >= 1,
-    P = [label(Category,ok(U)) | In].
+#    !,
-
+#    P = [label(Category,ok(U)) | In].
-add_category_min_score(In, Category,Min,P) :-
+#
-    P = [label(Category,need(Min)) | In].
+#add_category_min_score(In, Category,Min,P) :-
-
+#    P = [label(Category,need(Min)) | In].
-submit_filter(In, Out) :-
+#
-    In =.. [submit | Ls],
+#submit_filter(In, Out) :-
-    gerrit:remove_label(Ls,label('Code-Review',_),NoCR),
+#    In =.. [submit | Ls],
-    add_category_min_score(NoCR,'Code-Review', 4, Labels),
+#    gerrit:remove_label(Ls,label('Code-Review',_),NoCR),
-    Out =.. [submit | Labels].
+#    add_category_min_score(NoCR,'Code-Review', 4, Labels),
-
+#    Out =.. [submit | Labels].
-EOF
+#
+#EOF
   git add .
   git commit -asm "Create Submission Rules"
   git push origin HEAD:refs/meta/config
@@ -287,11 +281,28 @@ EOF
   git checkout meta/config
   rm project.config || true
   rm rules.pl || true
+  tee --append groups <<EOF
+global:Project-Owners                   	Project Owners
+EOF
   tee project.config << EOF
 [access]
     inheritFrom = All-Projects
 [access "refs/*"]
     owner = group Administrators
+[access "refs/heads/*"]
+    label-Code-Review = -2..+2 group Administrators
+    label-Code-Review = -2..+2 group Project Owners
+    label-Verified = -1..+1 group Administrators
+    label-Verified = -1..+1 group Project Owners
+    label-Workflow = -1..+1 group Administrators
+    label-Workflow = -1..+1 group Project Owners
+[access "refs/meta/config"]
+    label-Code-Review = -2..+2 group Administrators
+    label-Code-Review = -2..+2 group Project Owners
+    label-Verified = -1..+1 group Administrators
+    label-Verified = -1..+1 group Project Owners
+    label-Workflow = -1..+1 group Administrators
+    label-Workflow = -1..+1 group Project Owners
 [label "Code-Review"]
     function = MaxWithBlock
     defaultValue = 0
@@ -302,6 +313,13 @@ EOF
     value = 0 No score
     value = +1 Looks good to me, but someone else must approve
     value = +2 Looks good to me, approved
+[label "Verified"]
+    function = MaxWithBlock
+    defaultValue = 0
+    value = -1 Fails
+    value = 0 No score
+    value = +1 Verified
+    copyAllScoresIfNoCodeChange = true
 [label "Workflow"]
     function = MaxWithBlock
     defaultValue = 0
@@ -310,29 +328,30 @@ EOF
     value = +1 Approved
 
 EOF
-  tee rules.pl << EOF
+# TODO enable rules.pl once more LDAP users are registered
-sum_list([], 0).
+#  tee rules.pl << EOF
-sum_list([H | Rest], Sum) :- sum_list(Rest,Tmp), Sum is H + Tmp.
+#sum_list([], 0).
-
+#sum_list([H | Rest], Sum) :- sum_list(Rest,Tmp), Sum is H + Tmp.
-add_category_min_score(In, Category, Min,  P) :-
+#
-    findall(2, gerrit:commit_label(label(Category,2),R),Z),
+#add_category_min_score(In, Category, Min,  P) :-
-    sum_list(Z, Sum),
+#    findall(2, gerrit:commit_label(label(Category,2),R),Z),
-    Sum >= Min, !,
+#    sum_list(Z, Sum),
-    gerrit:commit_label(label(Category, V), U),
+#    Sum >= Min, !,
-    V >= 1,
+#    gerrit:commit_label(label(Category, V), U),
-    !,
+#    V >= 1,
-    P = [label(Category,ok(U)) | In].
+#    !,
-
+#    P = [label(Category,ok(U)) | In].
-add_category_min_score(In, Category,Min,P) :-
+#
-    P = [label(Category,need(Min)) | In].
+#add_category_min_score(In, Category,Min,P) :-
-
+#    P = [label(Category,need(Min)) | In].
-submit_filter(In, Out) :-
+#
-    In =.. [submit | Ls],
+#submit_filter(In, Out) :-
-    gerrit:remove_label(Ls,label('Code-Review',_),NoCR),
+#    In =.. [submit | Ls],
-    add_category_min_score(NoCR,'Code-Review', 4, Labels),
+#    gerrit:remove_label(Ls,label('Code-Review',_),NoCR),
-    Out =.. [submit | Labels].
+#    add_category_min_score(NoCR,'Code-Review', 4, Labels),
-
+#    Out =.. [submit | Labels].
-EOF
+#
+#EOF
   git add .
   git commit -asm "Create Submission Rules"
   git push origin HEAD:refs/meta/config

tools/gate/jarvis/800-deploy-jarvis-projects.sh

@@ -105,36 +105,14 @@ for jarvis_project in `find ./tools/gate/jarvis/5G-SA-core -maxdepth 1 -mindepth
   timeout="120"
   end=$((end + timeout))
   while true; do
-    if [ $voting_ci = "true" ];
+    # Check that Jarvis-System has reported the success of the pipeline run to Gerrit, by checking the value of the Verified label
-    then
+    VERIFIED="$(curl -L https://gerrit.jarvis.local/changes/${CHANGE_ID_COUNTER}/revisions/1/review/ | tail -1 | jq -r .labels.Verified.all[0].value)"
-      voting_ci="false"
+    [ "$VERIFIED" == 1 ] && break || true
-      # Check that Jarvis-System has reported the success of the pipeline run to Gerrit, by checking the value of the Verified label
+    sleep 5
-      VERIFIED="$(curl -L https://gerrit.jarvis.local/changes/${CHANGE_ID_COUNTER}/revisions/1/review/ | tail -1 | jq -r .labels.Verified.all[0].value)"
+    now=$(date +%s)
-      [ "$VERIFIED" == 1 ] && break || true
+    if [ "$now" -gt "$end" ] ; then
-      sleep 5
+      echo "Jarvis-System has not verified the change"
-      now=$(date +%s)
+      exit 1
-      if [ "$now" -gt "$end" ] ; then
-        echo "Jarvis-System has not verified the change"
-        exit 1
-      fi
-    else
-      voting_ci="true"
-      # Ensure that the patchset doesn't have the Verified label available to it.
-      LABELS=$(curl -L https://gerrit.jarvis.local/changes/${CHANGE_ID_COUNTER}/revisions/1/review/ | tail -1 | jq -r .labels)
-      if [ -z "$LABELS" ]; then
-        # The curl request didn't give us the labels available to this revision, try again when Gerrit is ready
-        sleep 5
-        continue
-      fi
-      VERIFIED_NULL="$( jq -r .Verified <<< "$LABELS" )"
-      if [ -z "$VERIFIED_NULL" ]; then
-        echo "Verified label found"
-        # Verified label should not be found, exit.
-        exit 1
-      else
-        # Labels curl returned all the labels successfully, and Verified was not in the list. This is desired.
-        break
-      fi
     fi
   done
   CHANGE_ID_COUNTER=$((CHANGE_ID_COUNTER+1))

tools/gate/jarvis/development-pipeline/pipelinerun-create.yaml

@@ -0,0 +1,24 @@
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+  generateName: development-pipeline-run
+spec:
+  params:
+    - name: pipeline
+      value: "create"
+  pipelineRef:
+    name: development-pipeline
+  serviceAccountName: sa-development-pipeline
+  workspaces:
+    - name: k8s_cluster_data
+      configMap:
+        name: deployment-flow
+    - name: development_pipeline_data
+      volumeClaimTemplate:
+        spec:
+          storageClassName: standard
+          accessModes:
+            - ReadWriteOnce
+          resources:
+            requests:
+              storage: 1Gi

tools/gate/jarvis/development-pipeline/pipelinerun-merge.yaml

@@ -3,6 +3,9 @@ kind: PipelineRun
 metadata:
   generateName: development-pipeline-run
 spec:
+  params:
+    - name: pipeline
+      value: "merge"
   pipelineRef:
     name: development-pipeline
   serviceAccountName: sa-development-pipeline

tools/gate/jarvis/development-pipeline/templates/pipeline.yaml

@@ -4,6 +4,8 @@ metadata:
   name: development-pipeline
   namespace: {{ $.Release.Namespace }}
 spec:
+  params:
+    - name: pipeline
   workspaces:
     - name: k8s_cluster_data
     - name: development_pipeline_data
@@ -108,6 +110,10 @@ spec:
         name: functional
 
     - name: microflow-promote-artifacts
+      when:
+        - input: $(params.pipeline)
+          operator: in
+          values: ["merge"]
       runAfter:
         - microflow-functional
       workspaces: