feat(CI) optional gating

This change adds two repositories intended to be used as templates to the Gerrit setup. One repository will utilize the 'Verified' label, one repository will not. This will divide the repositories into two groups, a group where the checks provided by Jarvis is enforced as CI, and a group where the checks provided by Jarvis are informational only, and do not block patch sets. This is configurable in the Jarvis-Project Helm chart. Change-Id: Iff8a2b1a29883837ac7dab49056fe0c64d675e10
2021-02-16 17:10:27 +00:00 · 2021-02-16 17:10:27 +00:00 · baec5970e5
commit baec5970e5
parent 890b6a7c3f
4 changed files with 82 additions and 22 deletions
--- a/charts/jarvis-project/templates/Job-project.yaml
+++ b/charts/jarvis-project/templates/Job-project.yaml
@ -40,10 +40,20 @@ spec:
            - sh
            - -cex
            - |
-
              # Create gerrit repo
-              ssh -oStrictHostKeyChecking=accept-new -oUserKnownHostsFile=/dev/null -p 29418 -i /run/jarvis/secret/gerrit-ssh-key "${GERRIT_USERNAME}@${GERRIT_HOST}" gerrit ls-projects -r "^$JARVIS_PROJECT_NAME\$" | grep -q "^${JARVIS_PROJECT_NAME}\$" || \
-                ssh -oStrictHostKeyChecking=accept-new -oUserKnownHostsFile=/dev/null -p 29418 -i /run/jarvis/secret/gerrit-ssh-key ${GERRIT_USERNAME}@${GERRIT_HOST} gerrit create-project "${JARVIS_PROJECT_NAME}" --submit-type MERGE_IF_NECESSARY --owner Administrators --empty-commit
+              ssh -oStrictHostKeyChecking=accept-new -oUserKnownHostsFile=/dev/null \
+                -p 29418 \
+                -i /run/jarvis/secret/gerrit-ssh-key "${GERRIT_USERNAME}@${GERRIT_HOST}" \
+                gerrit ls-projects -r "^$JARVIS_PROJECT_NAME\$" | grep -q "^${JARVIS_PROJECT_NAME}\$" \
+              || \
+              ssh -oStrictHostKeyChecking=accept-new -oUserKnownHostsFile=/dev/null \
+                -p 29418 \
+                -i /run/jarvis/secret/gerrit-ssh-key ${GERRIT_USERNAME}@${GERRIT_HOST} \
+                gerrit create-project "${JARVIS_PROJECT_NAME}" \
+                --owner Administrators \
+                {{ if eq $.Values.config.ci.verify true }} --parent Verified-Label-Projects {{ else }} --parent Non-Verified-Label-Projects {{ end }} \
+                --submit-type MERGE_IF_NECESSARY \
+                --empty-commit

              # Set up checks on the repo
              jarvis-connector --auth_file /run/jarvis/gerrit-authfile --gerrit $GERRIT_URL --update --repo "${JARVIS_PROJECT_NAME}" --prefix jarvispipeline || \
--- a/charts/jarvis-project/values.yaml
+++ b/charts/jarvis-project/values.yaml
@ -35,6 +35,8 @@ params:
        kind: ClusterIssuer

 config:
+  ci:
+    verify: true
  test:
    ldap_username: jarvis
    ldap_password: password
--- a/tools/gate/jarvis/500-deploy-gerrit.sh
+++ b/tools/gate/jarvis/500-deploy-gerrit.sh
@ -127,17 +127,6 @@ function gerrit_bootstrap() {
  git fetch origin refs/meta/config:refs/remotes/origin/meta/config
  git checkout meta/config

-  # Configure Verified Label
-  tee --append project.config <<EOF
-[label "Verified"]
-        function = MaxWithBlock
-        defaultValue = 0
-        value = -1 Fails
-        value = 0 No score
-        value = +1 Verified
-        copyAllScoresIfNoCodeChange = true
-EOF
-
  # Give Admins, Service Users and Project Owners voting rights for the Verified Label
  sed -i '/\[access "refs\/heads\/\*"\]/a\ \ \ \ \ \ \ \ label-Verified = -1..+1 group Administrators\n\ \ \ \ \ \ \ \ label-Verified = -1..+1 group Service Users\n\ \ \ \ \ \ \ \ label-Verified = -1..+1 group Project Owners' project.config

@ -149,6 +138,31 @@ EOF
  git commit -asm "Create Verified Label"
  git push origin HEAD:refs/meta/config
  popd
+
+  # Create template repositories for voting and non-voting CI
+  ssh -p 29418 ${ldap_username}@gerrit.jarvis.local gerrit create-project "Verified-Label-Projects" --submit-type MERGE_IF_NECESSARY --owner Administrators --empty-commit
+  ssh -p 29418 ${ldap_username}@gerrit.jarvis.local gerrit create-project "Non-Verified-Label-Projects" --submit-type MERGE_IF_NECESSARY --owner Administrators --empty-commit
+
+  # Configure Verified Label for the parent repository that will utilize it
+  verified_repo=$(mktemp -d)
+  git clone ssh://${ldap_username}@gerrit.jarvis.local:29418/Verified-Label-Projects.git "${verified_repo}"
+  pushd "${verified_repo}"
+  git fetch origin refs/meta/config:refs/remotes/origin/meta/config
+  git checkout meta/config
+  tee --append project.config <<EOF
+[label "Verified"]
+        function = MaxWithBlock
+        defaultValue = 0
+        value = -1 Fails
+        value = 0 No score
+        value = +1 Verified
+        copyAllScoresIfNoCodeChange = true
+EOF
+  # Commit and push config
+  git add .
+  git commit -asm "Create Submission Rules"
+  git push origin HEAD:refs/meta/config
+  popd
 }

 gerrit_bootstrap
--- a/tools/gate/jarvis/800-deploy-jarvis-projects.sh
+++ b/tools/gate/jarvis/800-deploy-jarvis-projects.sh
@ -16,7 +16,17 @@ EOF
 }
 generate_gerrit_creds_override

+COUNTER=0
 for jarvis_project in `find ./tools/gate/jarvis/5G-SA-core -maxdepth 1 -mindepth 1 -type d -printf '%f\n'`; do
+  # Half of Jarvis-Projects will be made with required CI, half will be made with optional CI to
+  # offer examples to developers using Jarvis.
+  if (( COUNTER % 2 ));
+  then
+    voting_ci="true"
+  else
+    voting_ci="false"
+  fi
+
  # shellcheck disable=SC2046
  helm upgrade \
      --create-namespace \
@ -25,6 +35,7 @@ for jarvis_project in `find ./tools/gate/jarvis/5G-SA-core -maxdepth 1 -mindepth
      "${jarvis_project}" \
      "./charts/jarvis-project" \
      --values="${gerrit_creds_override}" \
+      --set config.ci.verify="$voting_ci" \
      $(./tools/deployment/common/get-values-overrides.sh jarvis-project)

  ./tools/deployment/common/wait-for-pods.sh jarvis-projects
@ -69,18 +80,41 @@ EOF
    fi
  done

-  # Check that Jarvis-System has reported the success of the pipeline run to Gerrit
+  ### Ensure the repository is configured correctly ###
  end=$(date +%s)
  timeout="30"
  end=$((end + timeout))
  while true; do
-    VERIFIED="$(curl -L https://gerrit.jarvis.local/changes/${change_id}/revisions/1/review/ | tail -1 | jq -r .labels.Verified.all[0].value)"
-    [ "$VERIFIED" == 1 ] && break || true
-    sleep 5
-    now=$(date +%s)
-    if [ "$now" -gt "$end" ] ; then
-      echo "Jarvis-System has not verified the change"
-      exit 1
+    if [ "$voting_ci" = "true" ];
+    then
+      # Check that Jarvis-System has reported the success of the pipeline run to Gerrit, by checking the value of the Verified label
+      VERIFIED="$(curl -L https://gerrit.jarvis.local/changes/${change_id}/revisions/1/review/ | tail -1 | jq -r .labels.Verified.all[0].value)"
+      [ "$VERIFIED" == 1 ] && break || true
+      sleep 5
+      now=$(date +%s)
+      if [ "$now" -gt "$end" ] ; then
+        echo "Jarvis-System has not verified the change"
+        exit 1
+      fi
+    else
+      # Ensure that the patchset doesn't have the Verified label available to it.
+      LABELS=$(curl -L https://gerrit.jarvis.local/changes/${change_id}/revisions/1/review/ | tail -1 | jq -r .labels)
+      if [ -z "$LABELS" ]; then
+        # The curl request didn't give us the labels available to this revision, try again when Gerrit is ready
+        sleep 5
+        continue
+      fi
+      VERIFIED_NULL="$( jq -r .Verified <<< "$LABELS" )"
+      if [ -z "$VERIFIED_NULL" ]; then
+        echo "Verified label found"
+        # Verified label should not be found, exit.
+        exit 1
+      else
+        # Labels curl returned all the labels successfully, and Verified was not in the list. This is desired.
+        break
+      fi
    fi
  done
+
+  COUNTER=$((COUNTER+1))
 done