35f14aa728
Each CNF project now has a jarvis.yaml defining credentials for harbor and docker, kubeconfig, and certs. The existing ldap users are used in the jarvis.yaml for both the staging and non-staging phases of the CI. The kubeconfig and harbor-ca entries of the jarvis.yaml are populated during the 800 script and adds those entries as base64 encoded data so that the required format (indentations and spacing) is maintained. The Task-createProjectAccess then decodes the kubeconfig and harbor-ca and creates the secrets for them in the correct namespace. Secret creation all takes place in the Task-createProjectAccess. Change-Id: If0c243416323e36a6f7797d8d378961552193c0d
89 lines
2.8 KiB
YAML
89 lines
2.8 KiB
YAML
apiVersion: tekton.dev/v1beta1
|
|
kind: Task
|
|
metadata:
|
|
name: promote
|
|
namespace: {{ $.Release.Namespace }}
|
|
spec:
|
|
description: >-
|
|
This task will promote images and chart into a non-test repository
|
|
workspaces:
|
|
- name: k8s_cluster_data
|
|
- name: development_pipeline_data
|
|
steps:
|
|
- name: promote-artifacts
|
|
image: {{ $.Values.tasks.promote.promoteImage }}
|
|
env:
|
|
# Connect to the sidecar over TCP, with TLS.
|
|
- name: DOCKER_HOST
|
|
value: tcp://localhost:2376
|
|
# Verify TLS.
|
|
- name: DOCKER_TLS_VERIFY
|
|
value: '1'
|
|
# Use the certs generated by the sidecar daemon.
|
|
- name: DOCKER_CERT_PATH
|
|
value: /certs/client
|
|
# specify HELM_DATA_HOME since tekton defines HOME as /home/tekton, which is used by Helm by default meaning
|
|
# Helm won't find any plugins installed during image build time
|
|
- name: HELM_DATA_HOME
|
|
value: /root/.local/share/helm
|
|
volumeMounts:
|
|
- mountPath: /tekton/home/.docker/pull/config.json
|
|
name: image-pull-creds
|
|
subPath: .dockerconfigjson
|
|
- mountPath: /tekton/home/.docker/push/config.json
|
|
name: image-push-creds
|
|
subPath: .dockerconfigjson
|
|
- mountPath: /certs/client
|
|
name: dind-certs
|
|
- mountPath: /usr/local/share/ca-certificates/harbor-ca.crt
|
|
name: harbor-ca
|
|
subPath: harbor-ca
|
|
- mountPath: /workspace/helm-creds/push
|
|
name: helm-push-creds
|
|
- mountPath: /workspace/helm-creds/pull
|
|
name: helm-pull-creds
|
|
script: |
|
|
/jarvis/promote_artifacts.sh
|
|
sidecars:
|
|
- image: {{ $.Values.tasks.image.sidecarServer }}
|
|
name: server
|
|
args:
|
|
- --storage-driver=vfs
|
|
- --userland-proxy=false
|
|
- --debug
|
|
- --insecure-registry={{ $.Values.tasks.image.insecureRegistry }}
|
|
##TODO: Get rid of privileged true
|
|
securityContext:
|
|
privileged: true
|
|
env:
|
|
# Write generated certs to the path shared with the client.
|
|
- name: DOCKER_TLS_CERTDIR
|
|
value: /certs
|
|
volumeMounts:
|
|
- mountPath: /certs/client
|
|
name: dind-certs
|
|
# Wait for the dind daemon to generate the certs it will share with the
|
|
# client.
|
|
readinessProbe:
|
|
periodSeconds: 1
|
|
exec:
|
|
command: ['ls', '/certs/client/ca.pem']
|
|
volumes:
|
|
- name: dind-certs
|
|
emptyDir: {}
|
|
- name: image-pull-creds
|
|
secret:
|
|
secretName: harbor-docker-auth
|
|
- name: image-push-creds
|
|
secret:
|
|
secretName: harbor-docker-auth-promote
|
|
- name: helm-pull-creds
|
|
secret:
|
|
secretName: harbor-basic-auth
|
|
- name: helm-push-creds
|
|
secret:
|
|
secretName: harbor-basic-auth-promote
|
|
- name: harbor-ca
|
|
secret:
|
|
secretName: harbor-ca
|