This is a squashed commit, keeping previous messages intact for history.
- chore(tools/gate/jarvis): remove unused http_proxy
- fix(tools/gate/deploy-k8s): pre-pull Calico images
By pre-pulling Calico images, we can better ensure the timeout for
`kubectl wait` for `k8s-app=kube-dns` is sufficient, since most of the
time spent is on pulling images.
- fix(tools/gate/jarvis): skip loki Helm test when proxy is set
The Loki test attempts to install `curl` and `jq`, which will fail when
a proxy is required since the pod doesn't set up proxy environment
variables.
- feat(tools/deployment/vagrant): support providing a cert for proxy
- feat(ubuntu-base/standard-container): support internal-certs
The Vagrant file mounts an additional synced folder to
/airship_charts/tools/gate/jarvis/ubuntu-base/internal-certs.
This internal-certs dir has been added to this Git repository using a
placeholder `.gitkeep` file to keep the directory non-empty. This
directory has also been added to .gitignore to prevent any changes such
as the mounted internal certs from being committed.
The ubuntu-base image sets the proxy env vars as well as contains the
internal certs. The standard container is then based on the ubuntu-base
image.
The ubuntu-base image is published as library/ubuntu:focal in harbor.
- fix(tools/gate/jarvis): support Harbor behind proxy with cert
Change-Id: I602dfa3b04b798a1a2096242ffb6dfe7f2ba92e4
A link to the change's built image CVE scan report is added
to the "Checks->Message" section in Gerrit. The link is posted in both
the success and failure results of the 'jarvispipeline' check.
For the Task-createFailure and Task-createSuccess, the taskRun uid
is obtained from the 'microflow-setup-image' pod in the
corresponding namespace.
Additionally, the 800 script is updated to immediately fail the
CI pipeline if the development pipeline fails.
Change-Id: I9be8a486d71247385280a863f22a9bf9973333bb
This adds an LDAP group as a member to the respective Harbor project in the
jarvis-projects chart.
Signed-off-by: Tin Lam <tin@irrational.io>
Change-Id: Icb50ccb2d3bb82dd630c87c372caadf04730a536
This patchset moves all of the Tekton task script sections to use
a defined entrypoint instead of an ansible-playbook command. This is
a step toward keeping all business logic out of the Tekton tasks, i.e. the
Tekton tasks should work with any standard container given, not just one
using Ansible.
Change-Id: I5e106a8a75b79c0c2948cda638fbe532fd12fae3
This adds in LDAP groups and associates the newly created project-based
users with these groups.
Signed-off-by: Tin Lam <tin@irrational.io>
Change-Id: I082d342cccce1f7de9942f0915d4c23b53863b64
This patchset copies the development-pipeline and standard-container
into the sample network mongodb directory to begin testing the pipeline
and standard-container in a namespace created by jarvis-system.
Change-Id: I8448a122e8da218752ea57b15fb2983881e90ec9
For all upstream charts we use, this PS pins and/or updates the chart
version to the latest in the respective chart repo.
Signed-off-by: Tin Lam <tin@irrational.io>
Change-Id: I39d2c1e13503d495b48bf93a7c0371de6eed6c96
This patch set places additional users in the OpenLDAP deployment in
the gate.
Signed-off-by: Tin Lam <tin@irrational.io>
Change-Id: I1564da86e5299ae4e10e0d5d53cb0c1fa97704af
This change adds two repositories intended to be used as templates to the Gerrit setup. One repository will utilize the 'Verified' label, one repository will not. This will divide the repositories into two groups: a group where the checks provided by Jarvis are enforced as CI, and a group where the checks provided by Jarvis are informational only and do not block patch sets. This is configurable in the Jarvis-Project Helm chart.
Change-Id: Iff8a2b1a29883837ac7dab49056fe0c64d675e10
This patchset dynamically creates a namespace with the changeset and
patchset number that is triggered via gerrit.
Change-Id: Id257fcb6a12711ae1a6341337cf6e1b0bec8c7e5
This patch set updates the cert manager deployment to latest.
Signed-off-by: Tin Lam <tin@irrational.io>
Change-Id: I50368c1bdf43aa7cdf72116401f7febed5526c4d
Occasionally, the request made to Gerrit is made before the Verified label is applied by the pipeline. To remedy this we will send the request multiple times until the expected result is returned (or until it has been tried 6 times in 30 seconds).
Change-Id: Ie876cf94e4a56684f25d868008a1b78054cac09b
This patch set initializes the notary key and places it into the harbor
notary server which can be used to sign images. A follow on patch set
will update the ansible to utilize this key.
Signed-off-by: Tin Lam <tin@irrational.io>
Change-Id: I7ef9239518dbb1e45bd4de965a43524e1c8fc93d
Kyverno is a policy engine designed for Kubernetes that will
be used to make sure Kubernetes resources are compliant with a
defined set of rules. For example, a rule can be implemented in
Kyverno stating that no containers can run as privileged. Kyverno
would then block Kubernetes resources that violate this rule from
being created or updated (if in enforce mode). Kyverno also has auditing
capability that scans existing resources and creates compliance reports
at the namespace level.
Kyverno, via its CLI (the `kyverno apply` command), also allows scans of
resource definitions (YAML) to report violations that may exist without
the need to create or update a resource. This could be useful down
the line if there is a desire to create a CI gate to test an incoming
change for policy violations - essentially pushing the testing to the
left as opposed to getting policy violation feedback when the Kubernetes
admission controller is invoked.
Change-Id: Ie8537fa625a6508211aa17f929c5803773a8fda5
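As an added illustration (not part of the commit above or of the Jarvis repository), this is the kind of rule the message describes: a Kyverno ClusterPolicy, using the kyverno.io/v1 API, that rejects any Pod whose containers set `securityContext.privileged` to true. The second YAML document is a constructed sample Pod that violates the rule; the policy name, message text and the Pod are assumptions, not values from the page.

```yaml
# Added example: a Kyverno ClusterPolicy (kyverno.io/v1) that rejects Pods
# whose containers or initContainers set securityContext.privileged to true.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privileged-containers   # assumed name for this example
spec:
  # "enforce" makes the admission webhook reject the request;
  # "audit" instead records the violation in a PolicyReport for the namespace.
  validationFailureAction: enforce
  # background: true also scans resources that already exist in the cluster.
  background: true
  rules:
    - name: privileged-containers
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "Privileged mode is disallowed: securityContext.privileged must be unset or false."
        # =(key) marks a key as optional; when it is present its value must match.
        pattern:
          spec:
            =(initContainers):
              - =(securityContext):
                  =(privileged): "false"
            containers:
              - =(securityContext):
                  =(privileged): "false"
---
# Constructed sample resource that the policy above rejects (save as pod.yaml).
apiVersion: v1
kind: Pod
metadata:
  name: privileged-demo
spec:
  containers:
    - name: app
      image: library/ubuntu:focal   # image name as published to Harbor per the squashed commit
      securityContext:
        privileged: true
```

To use this from a CI gate in the way the message suggests, save the two documents as separate files and run `kyverno apply disallow-privileged.yaml --resource pod.yaml`; the CLI reports the rule failure for `privileged-demo` without any resource being created. The same policy applied to a cluster with `kubectl apply` yields the admission-time rejection, and with `validationFailureAction: audit` it produces the namespace-level reports the message mentions instead of blocking.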
This removes the script's redundant project creation curl calls as
this is created by the project code here [0]. This also moves the
wedged temporary script last to allow project creation to occur
prior to the dev pipeline run.
[0] 1169477e65/charts/jarvis-project/templates/Job-project.yaml (L53-L72)
Signed-off-by: Tin Lam <tin@irrational.io>
Change-Id: Ie6ca362cf7d05dd07881e8540c556f7a3ad534e7
Updating example configmap data and adding an example standardized container
to be used for the gates.
Added Chart tasks in order to make testing easier for the chart workflow.
Removing the triggers and cluster roles settings to get ready to move the pipeline to
a new location.
Added pipelinerun to allow for testing via kubectl create -f
co-author: sshturm@mirantis.com - Combined feat(chart) Chart task in Development Pipeline
Change-Id: Icdb6bfe391e0e30883eeca661668763515a5565a
Signed-off-by: Pete Birley <pete@port.direct>
This reverts commit 7522da6cc14154dea964a4d25362c426c0ee0034.
Reason for revert: Gate is sporadically failing
Change-Id: I813f16505b23dcd97980b149b440af53130df908
This PS adds the gatekeeper chart to the deployment, which is required
to provide safeguards surrounding pipelines.
Signed-off-by: Pete Birley <pete@port.direct>
Change-Id: Ie434d4052435cde83f0ff91d068f25882cebe1de
This PS simply cleans the minikube deployment slightly and adds
a SAN to the K8s API certs matching the hostname of the VM. This
enables the K8s API to be accessed more cleanly from outside of
the Vagrant environment, and opens the door to deploying an IDC
for K8s.
Signed-off-by: Pete Birley <pete@port.direct>
Change-Id: Idd86fe9b3f449fc794586b1a7d8c8f2e51eeb9d7
This patch addresses a few issues with the Makefile
- removes redundant directory checks;
- removes requirements.yaml check as helm3 moved that into Charts.yaml;
- fixes so "helm dep up" would work;
- removes loki and harbor from exclusion as they are now actual charts;
- updates the script to use the makefile.
Signed-off-by: Tin Lam <tin@irrational.io>
Change-Id: Ie6133bce4a45dd085569c51abc4c4c3c52b14378
This adds a chart that allows LDAP support for the Harbor dashboard.
Signed-off-by: Tin Lam <tin@irrational.io>
Change-Id: I60849d720f09296e5cc6872a77053667a6f5b69e
This adds example configurations in the gate to leverage LDAP
auth for the Grafana dashboard.
This patch also fixes up minor indentation errors in YAML.
Signed-off-by: Tin Lam <tin@irrational.io>
Change-Id: I0961ced71b8a4d1c4f639fd898bc70761f8de995
This PS adds the basic Gerrit<->Tekton interaction, which consists of
two charts:
* Jarvis-System: which launches a utility to scrape pending Gerrit
checks and rechecks, before forwarding requests to a Tekton
event-listener. This event listener then launches a pipeline that sets up
the environment for the pipeline in the project repo to make use of.
* Jarvis-Project: which launches a job, which sets up a repo in Gerrit,
configures the checks upon it, and additionally sets up appropriate
repos in Harbor for OCI images and Helm charts.
Note: This change makes use of the Jarvis-Connector, which is hosted here:
* https://github.com/att-comdev/jarvis-connector
Change-Id: I0ca023e357fb562b4f65e081a06ac6581471b4bc
Signed-off-by: Pete Birley <pete@port.direct>