This patchset adds the LDAP connector in the dex chart value where it
can be customized to connect to the lab's ITTESTSERVICES LDAP instance.
The certificates needed by Dex are generated by Cert-Manager in the Ephemeral cluster (Secret named
dex-apiserver-secret) and this Secret is then moved to the Target cluster through the command
"airshipctl phase run clusterctl-move".
This Secret (i.e., tls.crt) is used by the API server for the OIDC plugin configuration, which MUST
be done on the KubeadmControlPlane resource in the Ephemeral cluster.
This patchset implements the Approach 1 described in https://hackmd.io/bdPFHBBSQy-IrpPe1U9itg.
Change-Id: I58419cad6b8d770285ceb84a3a3a0e8b3380ef15
This commit adds a test to verify that pre-defined image tags are
preserved during development pipeline runs. The deployment-flow configmap
is checked, which would contain the original image tag, and the image.json
is also checked, which would contain the image tag that is actually used.
The test checks if the configmap tag matches the image.json tag, which it
should. The test skips if there is no pre-defined tag.
Change-Id: Ic7661dfc23bc92a460b3b0d5328a6f85b42a6ed4
This updates the tekton charts' default image to the latest
version available.
Signed-off-by: Tin Lam <tin@irrational.io>
Change-Id: I71f76bc0448441d22b49b91ca12d0712bb3cd30d
The CVE report link is generated by queries against harbor
including getting the SHA of the image based off the image tag
which is the pipeline run task ID. In cases where an image can't be
found via the tag, the CVE link report should not display. As an
example, the image does not exist in Harbor if the docker build
for the image failed, so in this case no CVE link should be
displayed in Gerrit as the image scan never took place.
Change-Id: I48d7160834f33426dc283c8f8dfa24872929551a
In an effort to avoid hitting dockerhub pull rate limit, the goharbor
images have been added to quay and will be pulled from there. The images
for Harbor are currently pinned and if a new image is needed it can be
added to quay in the future.
Change-Id: I0b51df27327fdfc666c9354c3588d17acc8a859b
This commit does a number of things to enable this functionality.
Regex for variables using $namespace were removed as this assumed
pipeline names were prefixed with the namespace, which is only true for
`jarvis-system`. Instead allow all matches based on the variable query.
Before the variables queried the Loki source, but Loki does not support
filtering like this [1]. The loki service with /loki endpoint can be
additionally added as a Prometheus source and this API is compatible
with filtering as desired.
With this combined, logs for development pipeline are viewable and
dropdowns now are limited in scope to what actually exists. Before all
taskruns were displayed in the dropdown, but now only the taskruns for
the given pipelinerun are selectable.
1 - https://github.com/grafana/grafana/issues/25205
Change-Id: I1b7094947bcad71c40425c3bdab22fabdcd45884
This enables rebooting the Vagrant VM during local development and
having the Kubernetes cluster persist.
Without this change, the etcd data directory does not persist during
reboots, meaning all Kubernetes resources (besides static pods) are
lost.
Change-Id: I3538491ee69fbb955049130634d7b03ed520403f
Some charts' image pull policies are set to "Always". This causes
unnecessary pulls and can trip Dockerhub's rate limit. This patch set
moves the default to IfNotPresent to mitigate.
Signed-off-by: Tin Lam <tin@irrational.io>
Change-Id: Ib16333f1c80c2871ea88f2d66fdce45567e34993
If a chart has an image tag, it should persist and not be overwritten
by the dev pipeline. If there are no tags or empty tags, then the
context taskrun uuid is used as the tag, as it currently is.
Change-Id: Ic687a8998b73c574a9d0857075c11c9205d5cbdc
This ps allows for the cleanup of components to be controlled using
the configmap for each sample cNF.
This ps also changes the order of promote and functional stages to
occur after merge.
This ps also updates mongodb to use an upstream image and helm chart.
Temporarily allows for anonymous access to images.
Change deployment to use promoted image.
Add remote_namespace to the config_map of mongodb to be deployed into external cluster.
Change-Id: I70f095b6e54d1452dca93b2889d0d937b366a765
Before, invoking the Loki Helm test was skipped if the environment had a
proxy configured.
Now, the configmap for the test is modified with the proxy vars. The
Loki stack Helm chart does not provide any configuration around this, so
we can modify the configmap.
As of right now, the certificates are not needed for `apk add` and only
proxy vars are required.
Change-Id: If58d99555ed299b99bd9bda441856aac326d8379
This adds LDAP group as member to the gerrit project in the repository.
Signed-off-by: Tin Lam <tin@irrational.io>
Change-Id: I8e619a9033b9a25d546a458225b921b18222a8f8
This patch places back in functionality introduced in [0] that was lost
from refactoring.
[0] https://review.opendev.org/c/airship/charts/+/775065
Signed-off-by: Tin Lam <tin@irrational.io>
Change-Id: I6671fcf36c2fe0867c7bb7886cf24d50c09cfad0
This 'jarvis-merge' pipeline reruns validation of a submittable
patchset and upon success, will submit the patchset, integrating it to
the main branch.
It will also promote a repository's artifacts from their respective -staging
areas to their non-staging counterparts.
Change-Id: I2e46d95543c6a835f7c17c1097a7ea84b1092f4d
Before Helm would fail to deploy the release if the namespace was
missing in the cluster. Now Helm will create the namespace if missing.
This isn't hit when the target cluster is the same cluster running the
tekton pipelines. This issue is only hit when the kubeconfig provided
via jarvis.yaml is for another cluster which might not have the
namespace created.
Change-Id: I3fdc6b353a2af2a667884c3250108b9f6c6b9a02
Unauthenticated GET calls to Harbor are no longer supported, so
the build out of the CVE report link was not working due to the
empty information being retrieved from Harbor. This commit updates
the GET calls to Harbor to use a netrc for authentication.
Change-Id: I65a8ecf2d567f4ac9293dc8d5f39ab40cdca4c84
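The two Harbor commits above describe the same lookup: resolve the pipeline-run tag to an image digest with authenticated GET calls, and emit a CVE report link only when the artifact actually exists. The following is an added example of that flow, not the Jarvis pipeline's own code. The Harbor host, the netrc file contents, the project and repository names, the tags and the report-link URL layout are all assumed for illustration; the API path is Harbor's v2.0 artifact endpoint, and the fake fetcher stands in for the live Harbor so the script runs offline.

```python
"""Added example (not Jarvis project code): resolve an image tag to a digest in
Harbor using netrc credentials, and build a CVE report link only when the
artifact exists. Host, netrc contents, project/repo names, tags and the
report-link layout are assumptions; the API path is Harbor's v2.0 endpoint."""
import base64
import json
import netrc
import os
import tempfile
import urllib.error
import urllib.parse
import urllib.request

# Harbor v2.0 artifact lookup by tag or digest. A repository name containing
# '/' must be URL-encoded twice ("a/b" -> "a%252Fb"), per the Harbor API docs.
ARTIFACT_PATH = "/api/v2.0/projects/{project}/repositories/{repo}/artifacts/{ref}"


def basic_auth_header(netrc_path, host):
    """Read login/password for `host` from a netrc file and build the request
    headers, so the credentials never appear in the pipeline script itself."""
    auth = netrc.netrc(netrc_path).authenticators(host)
    if auth is None:
        raise KeyError(f"no netrc entry for {host}")
    login, _account, password = auth
    token = base64.b64encode(f"{login}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}", "Accept": "application/json"}


def http_get(url, headers):
    """Default fetcher: returns (status, body); 4xx/5xx become a status code."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def encode_repo(repo):
    """Double URL-encode the repository name as Harbor expects."""
    return urllib.parse.quote(urllib.parse.quote(repo, safe=""), safe="")


def image_digest(base_url, project, repo, tag, headers, fetch=http_get):
    """Return the sha256 digest Harbor stores for `tag`, or None when the
    artifact is absent (e.g. the docker build failed and nothing was pushed)."""
    url = base_url + ARTIFACT_PATH.format(project=project, repo=encode_repo(repo), ref=tag)
    status, body = fetch(url, headers)
    if status == 404:
        return None
    if status != 200:
        # An auth failure (401) must not be mistaken for "no image": fail loudly
        # instead of silently dropping the link, as the unauthenticated GETs did.
        raise RuntimeError(f"Harbor returned {status} for {url}: {body[:200]}")
    digest = json.loads(body).get("digest", "")
    if not digest.startswith("sha256:"):
        raise ValueError(f"unexpected digest in Harbor response: {digest!r}")
    return digest


def cve_report_link(base_url, project, repo, tag, headers, fetch=http_get):
    """Link to the scanned artifact, or None so the Gerrit comment omits it."""
    digest = image_digest(base_url, project, repo, tag, headers, fetch)
    if digest is None:
        return None
    # Assumed UI layout for the report link; adjust to the Harbor version in use.
    return f"{base_url}/harbor/projects/{project}/repositories/{repo}/artifacts/{digest}"


def demo():
    """Offline run against a constructed netrc file and a fake Harbor."""
    base_url = "https://harbor.example.invalid"
    good_digest = "sha256:" + "ab" * 32

    def fake_fetch(url, headers):
        # The fake verifies that the netrc credentials actually reached the request.
        if not headers.get("Authorization", "").startswith("Basic "):
            return 401, json.dumps({"errors": [{"code": "UNAUTHORIZED"}]})
        if url.endswith("/artifacts/run-1a2b"):
            return 200, json.dumps({"digest": good_digest, "tags": [{"name": "run-1a2b"}]})
        return 404, json.dumps({"errors": [{"code": "NOT_FOUND"}]})

    with tempfile.TemporaryDirectory() as tmp:  # constructed netrc, not a real one
        netrc_path = os.path.join(tmp, "netrc")
        with open(netrc_path, "w") as fh:
            fh.write("machine harbor.example.invalid login jarvis-ci password s3cret\n")
        headers = basic_auth_header(netrc_path, "harbor.example.invalid")

    results = {}
    for tag in ("run-1a2b", "run-9z9z"):  # second tag: build failed, never pushed
        results[tag] = cve_report_link(base_url, "jarvis", "jarvis/mongodb", tag, headers, fake_fetch)
    return results


if __name__ == "__main__":
    for tag, link in demo().items():
        print(tag, "->", link or "(no CVE report link: image not in Harbor)")
```

The distinction between a 404 and any other non-200 status is the part worth keeping: a missing artifact legitimately suppresses the link, but an expired or wrong netrc entry should fail the task rather than quietly produce the same "no report" outcome.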
Each CNF project now has a jarvis.yaml defining credentials for
harbor and docker, kubeconfig, and certs. The existing ldap
users are used in the jarvis.yaml for both the staging and
non-staging phases of the CI.
The kubeconfig and harbor-ca entries of the jarvis.yaml are
populated during the 800 script, which adds those entries as
base64-encoded data so that the required format (indentations and
spacing) is maintained. The Task-createProjectAccess then decodes
the kubeconfig and harbor-ca and creates the secrets for them in
the correct namespace. Secret creation all takes place in the
Task-createProjectAccess.
Change-Id: If0c243416323e36a6f7797d8d378961552193c0d
This removes the notary/DCT environment variables. This currently has no
effect on the Ansible docker module and may potentially introduce issues
when the Ansible task is migrated to use shell: docker run.
This will be re-introduced in later patch.
Signed-off-by: Tin Lam <tin@irrational.io>
Change-Id: Ic0924bba94912680ea0ea775d9b08964fcafd4dc
Adds Workflow to Gerrit submission rules. This additional submission rule applies to both non-verified projects and verified projects. All repositories now require Workflow and Code-Review, while the Verified label is optional.
Change-Id: Ide975ee757271e8ecb37bfaf471f91d5caf202a6
If behind a vpn, port forwarding is most likely required, so add a note.
Specify environment variables required to use a certificate for a
corporate proxy to download vagrant plugins and boxes.
Change-Id: Ie1f1e709ba9f5ab0a614daaf6d771a904e749bd6
This is a squashed commit, keeping messages intact for history.
- feat(charts/development-pipeline): work behind corporate proxy
dockerd sidecar works behind proxy with cert. Proxy is only needed on
the sidecar to pull public images. The cert is mounted via a host path
so that the proxy may be trusted.
- fix(standard-container/roles): remove installing Helm push plugin
The standard-container Dockerfile already installs the Helm push plugin,
so no reason to try to install it in multiple ansible roles.
I suspect this was originally done because someone tried to use `helm
push` in the ansible role, but Helm couldn't find it even though it was
installed in the image. But tekton defines the HOME env var if you
describe the pod in a cluster. So if we just define HELM_DATA_HOME to
the location where the push plugin is installed we can remove having to
install it in the ansible roles.
- feat(standard-container/roles): use image.image_from for docker build
Change-Id: Ibc3c5f400978cb98d2d2a37b737b56125f4c2aa7
This patch fixes the securityContext for the tekton-pipeline charts to
unclog a gate failure.
Signed-off-by: Tin Lam <tin@irrational.io>
Change-Id: I5a44f6ecd92c0800aa9f43206fd2c7621d7ac260