dbfd217e26
Adds Workflow to Gerrit submission rules. This addtional submission rule applies to both non-verified projects and verified-projects. All repositories now require Workflow and Code-Review, while the Verified label is optional. Change-Id: Ide975ee757271e8ecb37bfaf471f91d5caf202a6
343 lines
11 KiB
Bash
Executable File
343 lines
11 KiB
Bash
Executable File
#!/bin/bash
|
|
set -ex
|
|
|
|
gerrit_source=$(mktemp -d)
|
|
repo_sha="251041b192ef8acf1963d747482126d0e9e66e75"
|
|
repo_remote="https://gerrit.googlesource.com/k8s-gerrit"
|
|
|
|
function get_repo() {
|
|
pushd "${1}"
|
|
git init
|
|
git remote add origin "${2}"
|
|
git fetch origin --depth=1 "${3}"
|
|
git reset --hard FETCH_HEAD
|
|
popd
|
|
}
|
|
get_repo "${gerrit_source}" "${repo_remote}" "${repo_sha}"
|
|
|
|
# TODO: This needs fixed upstream
|
|
patch ${gerrit_source}/helm-charts/gerrit/templates/gerrit.stateful-set.yaml <<'EOF'
|
|
--- /tmp/tmp.8ZADMTe64b/helm-charts/gerrit/templates/gerrit.stateful-set.yaml 2021-01-16 21:33:32.331105033 +0000
|
|
+++ /tmp/tmp.z8R6CX0Gqg/helm-charts/gerrit/templates/gerrit.stateful-set.yaml 2021-01-16 20:11:36.275929405 +0000
|
|
@@ -57,9 +57,14 @@
|
|
imagePullPolicy: {{ .Values.images.imagePullPolicy }}
|
|
command:
|
|
- /bin/ash
|
|
- - -ce
|
|
+ - -cex
|
|
args:
|
|
- |
|
|
+ python3 /var/tools/gerrit-initializer \
|
|
+ -c /var/config/gerrit-init.yaml \
|
|
+ -s /var/gerrit \
|
|
+ init
|
|
+
|
|
symlink_config_to_site(){
|
|
for file in /var/mnt/etc/config/* /var/mnt/etc/secret/*; do
|
|
ln -sf $file /var/gerrit/etc/$(basename $file)
|
|
EOF
|
|
|
|
function generate_ssh_host_key_override() {
|
|
local work_dir
|
|
work_dir="$(mktemp -d)"
|
|
mkdir -p "${work_dir}/etc/ssh"
|
|
ssh-keygen -A -f "${work_dir}"
|
|
local output_file
|
|
output_file="$(mktemp -d)/gerrit-host-rsa-key.yaml"
|
|
tee "${output_file}" <<EOF
|
|
gerrit:
|
|
service:
|
|
ssh:
|
|
rsaKey: |-
|
|
$(awk '{ print " " $0 }' "${work_dir}/etc/ssh/ssh_host_rsa_key")
|
|
EOF
|
|
export ssh_host_key_override="${output_file}"
|
|
}
|
|
generate_ssh_host_key_override
|
|
|
|
# shellcheck disable=SC2046
|
|
helm upgrade \
|
|
--create-namespace \
|
|
--install \
|
|
--namespace=gerrit \
|
|
gerrit \
|
|
"${gerrit_source}/helm-charts/gerrit" \
|
|
--values="${ssh_host_key_override}" \
|
|
$(./tools/deployment/common/get-values-overrides.sh gerrit)
|
|
|
|
./tools/deployment/common/wait-for-pods.sh gerrit
|
|
|
|
#TODO(portdirect): Update chart to support SSH via TCP ingress, in addition to being able to spec nodeport
|
|
kubectl patch -n gerrit svc gerrit-gerrit-service --patch '{
|
|
"spec": {
|
|
"ports": [
|
|
{
|
|
"name": "ssh",
|
|
"nodePort": 29418,
|
|
"port": 29418,
|
|
"protocol": "TCP",
|
|
"targetPort": 29418
|
|
}
|
|
]
|
|
}
|
|
}'
|
|
sleep 30
|
|
|
|
function gerrit_bootstrap() {
|
|
# Define creds to use for gerrit.
|
|
ldap_username="jarvis"
|
|
ldap_password="password"
|
|
|
|
# Login to gerrit, to provision admin account
|
|
curl --verbose \
|
|
-d "username=${ldap_username}&password=${ldap_password}" \
|
|
-X POST \
|
|
https://gerrit.jarvis.local/login
|
|
|
|
# Create SSH Keys if the private key does not already exist, note this will fail if a public key already
|
|
# exists at the default location without a corresponding private key.
|
|
mkdir -p "${HOME}/.ssh"
|
|
if [[ ! -f "${HOME}/.ssh/id_rsa" ]]; then
|
|
ssh-keygen -t rsa -f "${HOME}/.ssh/id_rsa" -q -N ""
|
|
fi
|
|
|
|
# Add SSH Public key to gerrit
|
|
curl --verbose \
|
|
-u "${ldap_username}:${ldap_password}" \
|
|
-X POST \
|
|
-H "Content-Type: text/plain" \
|
|
--data "@${HOME}/.ssh/id_rsa.pub" \
|
|
https://gerrit.jarvis.local/a/accounts/self/sshkeys/
|
|
|
|
# Add Gerrit HostKey to SSH known hosts
|
|
ssh-keyscan -p 29418 -H gerrit.jarvis.local >> "${HOME}/.ssh/known_hosts"
|
|
|
|
# Validate access to gerrit via SSH
|
|
ssh -p 29418 ${ldap_username}@gerrit.jarvis.local gerrit version
|
|
|
|
# Configure Git
|
|
git config --global user.name "Edwin Jarvis"
|
|
git config --global user.email "jarvis@cluster.local"
|
|
git config --global --add gitreview.username "jarvis"
|
|
|
|
# Configure Access Rules in All-Projects
|
|
all_projects_repo=$(mktemp -d)
|
|
git clone ssh://${ldap_username}@gerrit.jarvis.local:29418/All-Projects.git "${all_projects_repo}"
|
|
# Replace project.config file
|
|
pushd "${all_projects_repo}"
|
|
git fetch origin refs/meta/config:refs/remotes/origin/meta/config
|
|
git checkout meta/config
|
|
rm project.config || true
|
|
tee project.config << EOF
|
|
[project]
|
|
description = Access inherited by all other projects.
|
|
[receive]
|
|
requireContributorAgreement = false
|
|
requireSignedOffBy = false
|
|
requireChangeId = true
|
|
enableSignedPush = false
|
|
[submit]
|
|
mergeContent = true
|
|
[capability]
|
|
checks-administrateCheckers = group Administrators
|
|
administrateServer = group Administrators
|
|
priority = batch group Service Users
|
|
streamEvents = group Service Users
|
|
[access "refs/*"]
|
|
read = group Administrators
|
|
read = group Anonymous Users
|
|
revert = group Registered Users
|
|
[access "refs/for/*"]
|
|
addPatchSet = group Registered Users
|
|
[access "refs/for/refs/*"]
|
|
push = group Registered Users
|
|
pushMerge = group Registered Users
|
|
[access "refs/heads/*"]
|
|
create = group Administrators
|
|
create = group Project Owners
|
|
editTopicName = +force group Administrators
|
|
editTopicName = +force group Project Owners
|
|
forgeAuthor = group Registered Users
|
|
forgeCommitter = group Administrators
|
|
forgeCommitter = group Project Owners
|
|
push = group Administrators
|
|
push = group Project Owners
|
|
submit = group Administrators
|
|
submit = group Project Owners
|
|
label-Code-Review = -2..+2 group Administrators
|
|
label-Code-Review = -2..+2 group Project Owners
|
|
label-Code-Review = -1..+1 group Registered Users
|
|
label-Verified = -1..+1 group Administrators
|
|
label-Verified = -1..+1 group Service Users
|
|
label-Verified = -1..+1 group Project Owners
|
|
label-Workflow = -1..+1 group Administrators
|
|
label-Workflow = -1..+1 group Service Users
|
|
label-Workflow = -1..+1 group Project Owners
|
|
[access "refs/meta/config"]
|
|
exclusiveGroupPermissions = read
|
|
create = group Administrators
|
|
push = group Administrators
|
|
push = group Project Owners
|
|
read = group Administrators
|
|
read = group Project Owners
|
|
submit = group Administrators
|
|
submit = group Project Owners
|
|
label-Code-Review = -2..+2 group Administrators
|
|
label-Code-Review = -2..+2 group Project Owners
|
|
label-Code-Review = -1..+1 group Registered Users
|
|
label-Verified = -1..+1 group Administrators
|
|
label-Verified = -1..+1 group Service Users
|
|
label-Verified = -1..+1 group Project Owners
|
|
label-Workflow = -1..+1 group Administrators
|
|
label-Workflow = -1..+1 group Service Users
|
|
label-Workflow = -1..+1 group Project Owners
|
|
[access "refs/tags/*"]
|
|
create = group Administrators
|
|
create = group Project Owners
|
|
createSignedTag = group Administrators
|
|
createSignedTag = group Project Owners
|
|
createTag = group Administrators
|
|
createTag = group Project Owners
|
|
|
|
EOF
|
|
git add .
|
|
git commit -asm "Create Submission Rules"
|
|
git push origin HEAD:refs/meta/config
|
|
popd
|
|
|
|
# Create template repositories for voting and non-voting CI
|
|
ssh -p 29418 ${ldap_username}@gerrit.jarvis.local gerrit create-project "Verified-Label-Projects" \
|
|
--submit-type MERGE_IF_NECESSARY --owner Administrators --empty-commit
|
|
ssh -p 29418 ${ldap_username}@gerrit.jarvis.local gerrit create-project "Non-Verified-Label-Projects" \
|
|
--submit-type MERGE_IF_NECESSARY --owner Administrators --empty-commit
|
|
|
|
# Configure Labels & Submission Rules for Verified-Label-Projects
|
|
verified_repo=$(mktemp -d)
|
|
git clone ssh://${ldap_username}@gerrit.jarvis.local:29418/Verified-Label-Projects.git "${verified_repo}"
|
|
# Replace project.config file, add rules.pl file
|
|
pushd "${verified_repo}"
|
|
git fetch origin refs/meta/config:refs/remotes/origin/meta/config
|
|
git checkout meta/config
|
|
rm project.config || true
|
|
rm rules.pl || true
|
|
tee project.config << EOF
|
|
[access]
|
|
inheritFrom = All-Projects
|
|
[access "refs/*"]
|
|
owner = group Administrators
|
|
[label "Code-Review"]
|
|
function = MaxWithBlock
|
|
defaultValue = 0
|
|
copyMinScore = true
|
|
copyAllScoresOnTrivialRebase = true
|
|
value = -2 This shall not be merged
|
|
value = -1 I would prefer this is not merged as is
|
|
value = 0 No score
|
|
value = +1 Looks good to me, but someone else must approve
|
|
value = +2 Looks good to me, approved
|
|
[label "Verified"]
|
|
function = MaxWithBlock
|
|
defaultValue = 0
|
|
value = -1 Fails
|
|
value = 0 No score
|
|
value = +1 Verified
|
|
copyAllScoresIfNoCodeChange = true
|
|
[label "Workflow"]
|
|
function = MaxWithBlock
|
|
defaultValue = 0
|
|
value = -1 Work in progress
|
|
value = 0 Ready for reviews
|
|
value = +1 Approved
|
|
|
|
EOF
|
|
tee rules.pl << EOF
|
|
sum_list([], 0).
|
|
sum_list([H | Rest], Sum) :- sum_list(Rest,Tmp), Sum is H + Tmp.
|
|
|
|
add_category_min_score(In, Category, Min, P) :-
|
|
findall(2, gerrit:commit_label(label(Category,2),R),Z),
|
|
sum_list(Z, Sum),
|
|
Sum >= Min, !,
|
|
gerrit:commit_label(label(Category, V), U),
|
|
V >= 1,
|
|
!,
|
|
P = [label(Category,ok(U)) | In].
|
|
|
|
add_category_min_score(In, Category,Min,P) :-
|
|
P = [label(Category,need(Min)) | In].
|
|
|
|
submit_filter(In, Out) :-
|
|
In =.. [submit | Ls],
|
|
gerrit:remove_label(Ls,label('Code-Review',_),NoCR),
|
|
add_category_min_score(NoCR,'Code-Review', 4, Labels),
|
|
Out =.. [submit | Labels].
|
|
|
|
EOF
|
|
git add .
|
|
git commit -asm "Create Submission Rules"
|
|
git push origin HEAD:refs/meta/config
|
|
popd
|
|
|
|
# Configure Labels & Submission Rules for Non-Verified-Label-Projects
|
|
non_verified_repo=$(mktemp -d)
|
|
git clone ssh://${ldap_username}@gerrit.jarvis.local:29418/Non-Verified-Label-Projects.git "${non_verified_repo}"
|
|
# Replace project.config file, add rules.pl file
|
|
pushd "${non_verified_repo}"
|
|
git fetch origin refs/meta/config:refs/remotes/origin/meta/config
|
|
git checkout meta/config
|
|
rm project.config || true
|
|
rm rules.pl || true
|
|
tee project.config << EOF
|
|
[access]
|
|
inheritFrom = All-Projects
|
|
[access "refs/*"]
|
|
owner = group Administrators
|
|
[label "Code-Review"]
|
|
function = MaxWithBlock
|
|
defaultValue = 0
|
|
copyMinScore = true
|
|
copyAllScoresOnTrivialRebase = true
|
|
value = -2 This shall not be merged
|
|
value = -1 I would prefer this is not merged as is
|
|
value = 0 No score
|
|
value = +1 Looks good to me, but someone else must approve
|
|
value = +2 Looks good to me, approved
|
|
[label "Workflow"]
|
|
function = MaxWithBlock
|
|
defaultValue = 0
|
|
value = -1 Work in progress
|
|
value = 0 Ready for reviews
|
|
value = +1 Approved
|
|
|
|
EOF
|
|
tee rules.pl << EOF
|
|
sum_list([], 0).
|
|
sum_list([H | Rest], Sum) :- sum_list(Rest,Tmp), Sum is H + Tmp.
|
|
|
|
add_category_min_score(In, Category, Min, P) :-
|
|
findall(2, gerrit:commit_label(label(Category,2),R),Z),
|
|
sum_list(Z, Sum),
|
|
Sum >= Min, !,
|
|
gerrit:commit_label(label(Category, V), U),
|
|
V >= 1,
|
|
!,
|
|
P = [label(Category,ok(U)) | In].
|
|
|
|
add_category_min_score(In, Category,Min,P) :-
|
|
P = [label(Category,need(Min)) | In].
|
|
|
|
submit_filter(In, Out) :-
|
|
In =.. [submit | Ls],
|
|
gerrit:remove_label(Ls,label('Code-Review',_),NoCR),
|
|
add_category_min_score(NoCR,'Code-Review', 4, Labels),
|
|
Out =.. [submit | Labels].
|
|
|
|
EOF
|
|
git add .
|
|
git commit -asm "Create Submission Rules"
|
|
git push origin HEAD:refs/meta/config
|
|
popd
|
|
}
|
|
|
|
gerrit_bootstrap
|