
This change adds two repositories intended to be used as templates to the Gerrit setup. One repository will utilize the 'Verified' label, one repository will not. This will divide the repositories into two groups: a group where the checks provided by Jarvis are enforced as CI, and a group where the checks provided by Jarvis are informational only and do not block patch sets. This is configurable in the Jarvis-Project Helm chart. Change-Id: Iff8a2b1a29883837ac7dab49056fe0c64d675e10
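{{- /*
Job-project: post-install/post-upgrade hook Job that bootstraps one Jarvis
project. In order, the container script:
  1. creates the Gerrit project named after the release if ls-projects does
     not already list it, parented to Verified-Label-Projects or
     Non-Verified-Label-Projects depending on .Values.config.ci.verify;
  2. runs jarvis-connector with --update, falling back to --register;
  3. creates the Harbor projects NAME and NAME-staging when the Harbor API
     answers 404 for them.
Credentials come from the release-named secret (Gerrit SSH key and authfile)
and the NAME-netrc secret (Harbor).
*/ -}}
{{- define "Job-project" -}}
---
apiVersion: batch/v1
kind: Job
metadata:
  name: {{ template "helpers.labels.fullname" . }}
  labels: {{- include "helpers.labels.labels" . | nindent 4 }}
  annotations:
    "helm.sh/hook": post-install,post-upgrade
    "helm.sh/hook-delete-policy": before-hook-creation
spec:
  template:
    metadata:
      labels: {{- include "helpers.labels.labels" . | nindent 8 }}
    spec:
      restartPolicy: OnFailure
      nodeSelector:
      {{ include "helpers.pod.node_selector" ( dict "Global" $ "Application" "project" ) | nindent 8 }}
      containers:
        - name: project
          image: {{ include "helpers.pod.container.image" ( dict "Global" $ "Application" "project" ) }}
          imagePullPolicy: {{ .Values.images.pull.policy | quote }}
          env:
            - name: SSL_CERT_FILE
              value: /usr/local/share/ca-certificates/ca.crt
            # Templated env values are quoted so that a release or host name
            # that looks like a number or boolean still renders as a string.
            - name: JARVIS_PROJECT_NAME
              value: {{ .Release.Name | quote }}
            - name: GERRIT_USERNAME
              valueFrom:
                secretKeyRef:
                  name: {{ template "helpers.labels.fullname" . }}
                  key: gerrit-username
            - name: GERRIT_HOST
              value: {{ .Values.params.gerrit.host | quote }}
            - name: GERRIT_URL
              value: "https://{{ .Values.params.gerrit.host }}"
            - name: HARBOR_URL
              value: "https://{{ .Values.params.harbor.host }}"
          command:
            - sh
            - -cex
            - |
              # Create gerrit repo
              # NOTE(review): with UserKnownHostsFile=/dev/null nothing is ever
              # remembered, so accept-new trusts whatever host key is presented
              # on every run and the Gerrit SSH endpoint is not authenticated.
              # Prefer mounting a pinned known_hosts file and using
              # StrictHostKeyChecking=yes.
              ssh -oStrictHostKeyChecking=accept-new -oUserKnownHostsFile=/dev/null \
                -p 29418 \
                -i /run/jarvis/secret/gerrit-ssh-key "${GERRIT_USERNAME}@${GERRIT_HOST}" \
                gerrit ls-projects -r "^$JARVIS_PROJECT_NAME\$" | grep -q "^${JARVIS_PROJECT_NAME}\$" \
              || \
              ssh -oStrictHostKeyChecking=accept-new -oUserKnownHostsFile=/dev/null \
                -p 29418 \
                -i /run/jarvis/secret/gerrit-ssh-key "${GERRIT_USERNAME}@${GERRIT_HOST}" \
                gerrit create-project "${JARVIS_PROJECT_NAME}" \
                  --owner Administrators \
                  {{ if eq $.Values.config.ci.verify true }} --parent Verified-Label-Projects {{ else }} --parent Non-Verified-Label-Projects {{ end }} \
                  --submit-type MERGE_IF_NECESSARY \
                  --empty-commit

              # Set up checks on the repo: try --update first, fall back to --register
              jarvis-connector --auth_file /run/jarvis/gerrit-authfile --gerrit "${GERRIT_URL}" --update --repo "${JARVIS_PROJECT_NAME}" --prefix jarvispipeline || \
                jarvis-connector --auth_file /run/jarvis/gerrit-authfile --gerrit "${GERRIT_URL}" --register --repo "${JARVIS_PROJECT_NAME}" --prefix jarvispipeline

              # Create project in harbor if it doesn't already exist
              project_in_harbor(){
                for PROJECT_NAME; do
                  # HEAD request; only the HTTP status code is captured.
                  PROJECT_CHECK_RESP=$(curl -s -o /dev/null -I -w "%{http_code}" \
                    "${HARBOR_URL}/api/v2.0/projects?project_name=${PROJECT_NAME}" \
                    --netrc-file /run/jarvis/harbor-netrc/harbor-netrc \
                    -H 'accept: application/json')

                  case "${PROJECT_CHECK_RESP}" in
                    "200") echo "${PROJECT_NAME} project already in harbor" ;;
                    # The POST runs directly rather than inside backticks: a
                    # command substitution in command position makes the shell
                    # execute the response body as a command. -f turns an HTTP
                    # error into a non-zero exit so that `sh -e` fails the Job.
                    # NOTE(review): "public": true makes the project, including
                    # the -staging one, pullable without authentication; confirm
                    # this is intended.
                    "404") curl -sS -f -X POST "${HARBOR_URL}/api/v2.0/projects" \
                             --netrc-file /run/jarvis/harbor-netrc/harbor-netrc \
                             -H "accept: application/json" \
                             -H "Content-Type: application/json" \
                             -d "{ \"project_name\": \"${PROJECT_NAME}\", \"public\": true, \"metadata\": { \"auto_scan\": \"true\" }}" ;;
                    *) echo "Unable to retrieve projects in harbor: ${PROJECT_CHECK_RESP} response code."; exit 1
                  esac
                done
              }
              # Add project and staging project in harbor
              project_in_harbor "${JARVIS_PROJECT_NAME}" "${JARVIS_PROJECT_NAME}-staging"

          volumeMounts:
            - name: gerrit-creds
              mountPath: /run/jarvis/gerrit-authfile
              subPath: gerrit-authfile
            - name: gerrit-creds
              mountPath: /run/jarvis/secret/gerrit-ssh-key
              subPath: gerrit-ssh-key
            - name: jarvis-ca-crt
              mountPath: /usr/local/share/ca-certificates/ca.crt
              subPath: ca.crt
            - name: netrc
              mountPath: /run/jarvis/harbor-netrc
      volumes:
        - name: gerrit-creds
          secret:
            secretName: {{ template "helpers.labels.fullname" . }}
            # Octal: owner read-only for the SSH key and the authfile.
            defaultMode: 0400
            items:
              - key: gerrit-ssh-key
                path: gerrit-ssh-key
              - key: gerrit-authfile
                path: gerrit-authfile
        # NOTE: We are making the assumption that the ca for gerrit is the same as that for the tekton eventlistener
        - name: jarvis-ca-crt
          secret:
            secretName: {{ template "helpers.labels.fullname" . }}-project-tls
            items:
              - key: ca.crt
                path: ca.crt
        - name: netrc
          secret:
            secretName: {{ template "helpers.labels.fullname" . }}-netrc
            # The netrc holds the Harbor credentials; same owner-read-only
            # mode as gerrit-creds instead of the default file mode.
            defaultMode: 0400
...
{{- end -}}
{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "Job-project" ) }}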