airship/charts
Code Issues Proposed changes

Add image CVE scan report link to Gerrit

Browse Source 
A link to the change's built image CVE scan report is added
to "Checks->Message" section in Gerrit. The link is posted in both
success and failure result of the 'jarvispipeline' check.

For the Task-createFailure and Task-createSuccess, the taskRun uid
is obtained from the 'microflow-setup-image' pod in the
corresponding namespace.

Additionally, the 800 script is updated to immediately fail the
CI pipeline if the development pipeline fails.

Change-Id: I9be8a486d71247385280a863f22a9bf9973333bb
This commit is contained in:
Bartra, Rick (rb560u) 2021-02-24 23:52:34 -05:00
parent d55c4271b4
commit e2a4819184
6 changed files with 70 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
charts/jarvis-system/templates/Task-createFailure.yaml
View File

@ -16,15 +16,41 @@ spec:
- name: pipelineRunNamespace - name: pipelineRunNamespace
steps: steps:
- name: createfailure - name: createfailure
image: {{ include "helpers.pod.container.image" ( dict "Global" $ "Application" "task_curl" ) }} image: {{ include "helpers.pod.container.image" ( dict "Global" $ "Application" "task_results" ) }}
volumeMounts: volumeMounts:
- name: gerrit-netrc - name: gerrit-netrc
mountPath: /run/jarvis/gerrit-netrc mountPath: /run/jarvis/gerrit-netrc
subPath: gerrit-netrc subPath: gerrit-netrc
script: | script: |
#!/bin/sh #!/bin/bash
set -eu -o pipefail -x set -eu -o pipefail -x
# Get project information from Harbor
PROJECT_INFO=$(curl -k -X GET "https://{{ .Values.params.harbor.dashboard.host }}/api/v2.0/search?q=$(params.project)-staging" -H "accept: application/json")
PROJECT_ID=$(echo $PROJECT_INFO | jq -r '.project'[0].'project_id')
# Get the taskRun uid from the microflow-setup-image pod
TASK_RUN_NAMESPACE="jarvis-$(params.changeNumber)-$(params.patchSetNumber)"
TASK_RUN_DEV_PIPELINE=$(kubectl get taskrun -n "${TASK_RUN_NAMESPACE}" | grep microflow-setup-image | awk '{print $1}') || true
if [[ -z "$TASK_RUN_DEV_PIPELINE" ]]; then
# Do not append the CVE report link, if there is no 'microflow-setup-image' pod to get the taskRun uid from
REPO_COUNT=0
else
TASK_RUN_UID=$(kubectl get taskrun -n "${TASK_RUN_NAMESPACE}" "${TASK_RUN_DEV_PIPELINE}" -o jsonpath='{.metadata.uid}')
# For first time run, there may be no repositories, so only check for artifacts if the project has repositories
REPO_COUNT=$(echo $PROJECT_INFO | jq -r '.project'[0].'repo_count')
fi
MESSAGE="Jarvis failed to process the run for change #$(params.changeNumber) ps #$(params.patchSetNumber) to the $(params.project)"
if [ $REPO_COUNT -gt 0 ]; then
REPOSITORY_NAME=$(echo $PROJECT_INFO | jq -r '.repository'[0].'repository_name' | awk -F"/" '{print $2}')
# Grabs the SHA256 of the corresponding artifact based off taskrun uid
SHA256=$(curl -k -X GET "https://{{ .Values.params.harbor.dashboard.host }}/api/v2.0/projects/$(params.project)-staging/repositories/${REPOSITORY_NAME}/artifacts/${TASK_RUN_UID}" -H "accept: application/json" | jq -r '.digest')
MESSAGE="${MESSAGE}\n\n----- Image Scan Report -----\nhttps://{{ .Values.params.harbor.dashboard.host }}/harbor/projects/${PROJECT_ID}/repositories/${REPOSITORY_NAME}/artifacts/${SHA256}"
fi
curl \ curl \
--netrc-file /run/jarvis/gerrit-netrc \ --netrc-file /run/jarvis/gerrit-netrc \
--fail \ --fail \
@ -37,7 +63,7 @@ spec:
"checker_uuid": "$(params.checkerUUID)", "checker_uuid": "$(params.checkerUUID)",
"state": "FAILED", "state": "FAILED",
"url": "https://{{ .Values.params.grafana.dashboard.host }}/d/{{ .Values.params.grafana.dashboard.uid }}/{{ .Values.params.grafana.dashboard.title }}?orgId={{ .Values.params.grafana.dashboard.orgid }}&var-namespace=$(params.pipelineRunNamespace)&var-tekton_dev_pipeline=$(params.pipelineName)&var-tekton_dev_pipelineRun=$(params.pipelineRunName)&var-tekton_dev_taskRun=All", "url": "https://{{ .Values.params.grafana.dashboard.host }}/d/{{ .Values.params.grafana.dashboard.uid }}/{{ .Values.params.grafana.dashboard.title }}?orgId={{ .Values.params.grafana.dashboard.orgid }}&var-namespace=$(params.pipelineRunNamespace)&var-tekton_dev_pipeline=$(params.pipelineName)&var-tekton_dev_pipelineRun=$(params.pipelineRunName)&var-tekton_dev_taskRun=All",
"message": "Jarvis failed to process the run for change #$(params.changeNumber) ps #$(params.patchSetNumber) to the $(params.project) repo", "message": "${MESSAGE}",
"finished": "$(date --utc '+%F %T.%N')" "finished": "$(date --utc '+%F %T.%N')"
} }
EOF EOF

33
charts/jarvis-system/templates/Task-createSuccess.yaml
View File

@ -16,15 +16,41 @@ spec:
- name: pipelineRunNamespace - name: pipelineRunNamespace
steps: steps:
- name: createsuccess - name: createsuccess
image: {{ include "helpers.pod.container.image" ( dict "Global" $ "Application" "task_curl" ) }} image: {{ include "helpers.pod.container.image" ( dict "Global" $ "Application" "task_results" ) }}
volumeMounts: volumeMounts:
- name: gerrit-netrc - name: gerrit-netrc
mountPath: /run/jarvis/gerrit-netrc mountPath: /run/jarvis/gerrit-netrc
subPath: gerrit-netrc subPath: gerrit-netrc
script: | script: |
#!/bin/sh #!/bin/bash
set -eu -o pipefail -x set -eu -o pipefail -x
# Get project information from Harbor
PROJECT_INFO=$(curl -k -X GET "https://{{ .Values.params.harbor.dashboard.host }}/api/v2.0/search?q=$(params.project)-staging" -H "accept: application/json")
PROJECT_ID=$(echo $PROJECT_INFO | jq -r '.project'[0].'project_id')
# Get the taskRun uid from the microflow-setup-image pod
TASK_RUN_NAMESPACE="jarvis-$(params.changeNumber)-$(params.patchSetNumber)"
TASK_RUN_DEV_PIPELINE=$(kubectl get taskrun -n "${TASK_RUN_NAMESPACE}" | grep microflow-setup-image | awk '{print $1}') || true
if [[ -z "$TASK_RUN_DEV_PIPELINE" ]]; then
# Do not append the CVE report link, if there is no 'microflow-setup-image' pod to get the taskRun uid from
REPO_COUNT=0
else
TASK_RUN_UID=$(kubectl get taskrun -n "${TASK_RUN_NAMESPACE}" "${TASK_RUN_DEV_PIPELINE}" -o jsonpath='{.metadata.uid}')
# For first time run, there may be no repositories, so only check for artifacts if the project has repositories
REPO_COUNT=$(echo $PROJECT_INFO | jq -r '.project'[0].'repo_count')
fi
MESSAGE="Jarvis has successfully processed the run for change #$(params.changeNumber) ps #$(params.patchSetNumber) to the $(params.project) repo"
if [ $REPO_COUNT -gt 0 ]; then
REPOSITORY_NAME=$(echo $PROJECT_INFO | jq -r '.repository'[0].'repository_name' | awk -F"/" '{print $2}')
# Grabs the SHA256 of the corresponding artifact based off taskrun uid
SHA256=$(curl -k -X GET "https://{{ .Values.params.harbor.dashboard.host }}/api/v2.0/projects/$(params.project)-staging/repositories/${REPOSITORY_NAME}/artifacts/${TASK_RUN_UID}" -H "accept: application/json" | jq -r '.digest')
MESSAGE="${MESSAGE}\n\n----- Image Scan Report -----\nhttps://{{ .Values.params.harbor.dashboard.host }}/harbor/projects/${PROJECT_ID}/repositories/${REPOSITORY_NAME}/artifacts/${SHA256}"
fi
curl \ curl \
--netrc-file /run/jarvis/gerrit-netrc \ --netrc-file /run/jarvis/gerrit-netrc \
--fail \ --fail \
@ -37,7 +63,8 @@ spec:
"checker_uuid": "$(params.checkerUUID)", "checker_uuid": "$(params.checkerUUID)",
"state": "SUCCESSFUL", "state": "SUCCESSFUL",
"url": "https://{{ .Values.params.grafana.dashboard.host }}/d/{{ .Values.params.grafana.dashboard.uid }}/{{ .Values.params.grafana.dashboard.title }}?orgId={{ .Values.params.grafana.dashboard.orgid }}&var-namespace=$(params.pipelineRunNamespace)&var-tekton_dev_pipeline=$(params.pipelineName)&var-tekton_dev_pipelineRun=$(params.pipelineRunName)&var-tekton_dev_taskRun=All", "url": "https://{{ .Values.params.grafana.dashboard.host }}/d/{{ .Values.params.grafana.dashboard.uid }}/{{ .Values.params.grafana.dashboard.title }}?orgId={{ .Values.params.grafana.dashboard.orgid }}&var-namespace=$(params.pipelineRunNamespace)&var-tekton_dev_pipeline=$(params.pipelineName)&var-tekton_dev_pipelineRun=$(params.pipelineRunName)&var-tekton_dev_taskRun=All",
"message": "Jarvis has successfully processed the run for change #$(params.changeNumber) ps #$(params.patchSetNumber) to the $(params.project) repo" "message": "${MESSAGE}",
"finished": "$(date --utc '+%F %T.%N')"
} }
EOF EOF

1
charts/jarvis-system/templates/TriggerTemplate-createFailure.yaml
View File

@ -20,6 +20,7 @@ spec:
metadata: metadata:
generateName: {{ template "helpers.labels.fullname" . }}-createfailure- generateName: {{ template "helpers.labels.fullname" . }}-createfailure-
spec: spec:
serviceAccountName: jarvis-system-el
pipelineRef: pipelineRef:
name: {{ template "helpers.labels.fullname" . }}-createfailure name: {{ template "helpers.labels.fullname" . }}-createfailure
params: params:

1
charts/jarvis-system/templates/TriggerTemplate-createSuccess.yaml
View File

@ -20,6 +20,7 @@ spec:
metadata: metadata:
generateName: {{ template "helpers.labels.fullname" . }}-createsuccess- generateName: {{ template "helpers.labels.fullname" . }}-createsuccess-
spec: spec:
serviceAccountName: jarvis-system-el
pipelineRef: pipelineRef:
name: {{ template "helpers.labels.fullname" . }}-createsuccess name: {{ template "helpers.labels.fullname" . }}-createsuccess
params: params:

9
charts/jarvis-system/values.yaml
View File

@ -20,6 +20,10 @@ images:
tag: "1.0" tag: "1.0"
name: standard-container name: standard-container
repo: docker.io repo: docker.io
task_results:
tag: "1.0"
name: standard-container
repo: docker.io
task_curl: task_curl:
tag: "3.8" tag: "3.8"
name: evl.ms/curl name: evl.ms/curl
@ -54,4 +58,7 @@ params:
host: grafana.jarvis.local host: grafana.jarvis.local
title: loki-pipeline-logs-dashboard title: loki-pipeline-logs-dashboard
uid: lokiPipelineDash uid: lokiPipelineDash
orgid: 1 orgid: 1
harbor:
dashboard:
host: harbor-core.jarvis.local

1
tools/gate/jarvis/800-deploy-jarvis-projects.sh
View File

@ -78,6 +78,7 @@ for jarvis_project in `find ./tools/gate/jarvis/5G-SA-core -maxdepth 1 -mindepth
while true; do while true; do
result="$(curl -L https://gerrit.jarvis.local/changes/${CHANGE_ID_COUNTER}/revisions/1/checks | tail -1 | jq -r .[].state)" result="$(curl -L https://gerrit.jarvis.local/changes/${CHANGE_ID_COUNTER}/revisions/1/checks | tail -1 | jq -r .[].state)"
[ $result == "SUCCESSFUL" ] && break || true [ $result == "SUCCESSFUL" ] && break || true
[ $result == "FAILED" ] && exit 1 || true
sleep 25 sleep 25
now=$(date +%s) now=$(date +%s)
if [ $now -gt $end ] ; then if [ $now -gt $end ] ; then