diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index f7269fea9..c9070e38f 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -7,7 +7,7 @@ jobs: runs-on: ubuntu-20.04 steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4.1.3 - name: Install Ansible run: python -m pip install 'ansible <= 2.9' @@ -26,7 +26,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4.1.3 - name: Install Ansible run: python -m pip install 'ansible' @@ -46,7 +46,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4.1.3 - name: Get operator-sdk image 0.19.4 run: curl --output operator-sdk -JL https://github.com/operator-framework/operator-sdk/releases/download/$RELEASE_VERSION/operator-sdk-$RELEASE_VERSION-x86_64-linux-gnu @@ -69,7 +69,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4.1.3 - name: Verify image builds run: docker build --tag infrawatch/service-telemetry-operator:latest --file build/Dockerfile . @@ -82,7 +82,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4.1.3 - name: Get operator-sdk image 0.19.4 run: curl --output operator-sdk -JL https://github.com/operator-framework/operator-sdk/releases/download/$RELEASE_VERSION/operator-sdk-$RELEASE_VERSION-x86_64-linux-gnu @@ -110,7 +110,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4.1.3 # prepare environment to buld the bundle - name: Get operator-sdk image 0.19.4 @@ -146,7 +146,7 @@ jobs: run: operator-sdk-$RELEASE_VERSION bundle validate --verbose /tmp/bundle - name: Create KinD cluster to execute scorecard tests - uses: helm/kind-action@v1.4.0 + uses: helm/kind-action@v1.10.0 # perform scorecard checks against a KinD cluster - name: Check scorecord validation 
diff --git a/.jenkins/Dockerfile b/.jenkins/Dockerfile deleted file mode 100644 index 9930d6c57..000000000 --- a/.jenkins/Dockerfile +++ /dev/null @@ -1,33 +0,0 @@ -FROM jenkins/jenkins:latest -RUN jenkins-plugin-cli -p ant:latest \ - antisamy-markup-formatter:latest \ - authorize-project:latest \ - build-timeout:latest \ - blueocean:latest \ - cloudbees-folder:latest \ - configuration-as-code:latest \ - credentials-binding:latest \ - email-ext:latest \ - git:latest \ - github-branch-source:latest \ - github-scm-trait-notification-context:latest \ - gradle:latest \ - ldap:latest \ - mailer:latest \ - matrix-auth:latest \ - pam-auth:latest \ - pipeline-github-lib:latest \ - pipeline-stage-view:latest \ - role-strategy:latest \ - ssh-slaves:latest \ - timestamper:latest \ - workflow-aggregator:latest \ - ws-cleanup:latest \ - kubernetes-credentials-provider:latest \ - kubernetes:latest \ - openshift-client:latest \ - openshift-login:latest \ - job-dsl:latest \ - ansible:latest \ - ansicolor:latest \ - github-pr-comment-build:latest diff --git a/.jenkins/README.md b/.jenkins/README.md deleted file mode 100644 index f39f1b771..000000000 --- a/.jenkins/README.md +++ /dev/null 
@@ -1,55 +0,0 @@ -# Jenkins artifacts for STF -Use these to run a jenkins in Openshift that will do CI tests on STF - -## Start a new project for CI -``` -oc new-project ci -``` - -## Build the Jenkins master image -``` -oc new-build --binary=true --name=jenkins -oc start-build jenkins --from-file ./Dockerfile --follow=true -``` - -## Build the Jenkins agent image -NOTE: The operator-sdk version in the Dockerfile is the latest version that will work with the STO build scripts -``` -cd agent -oc new-build --binary=true --name=jenkins-agent -oc start-build jenkins-agent --from-file ./Dockerfile --follow=true -cd .. -``` - -## Set your local secret stuff -You'll need to get/generate a GitHub App ID & Privkey and put the key in gh-app-privkey.pem -``` -GH_APPID= -GH_ORG= - -oc create secret generic github-app-key --from-literal=owner=${GH_ORG} --from-literal=appID=${GH_APPID} --from-literal=privateKey="$(cat ./gh-app-privkey.pem)" -oc annotate secret/github-app-key jenkins.io/credentials-description="gh-app-key" -oc label secret/github-app-key jenkins.io/credentials-type=gitHubApp -``` - -## Deploy all the things -``` -oc apply -f deploy/service-route.yaml - -export SMEE_CHANNEL= #(just the slug, not the whole URL) -export GH_ORG= -export JENKINS_URL=$(oc get route jenkins -ojsonpath='{.spec.host}') -# This is for labelling the status that is returned to github -export OCP_VERSION= # e.g. 4.14 - -for f in deploy/*; do - envsubst < "${f}" | oc apply -f - -done -``` - -## Access the console and load the jobs -`xdg-open https://$JENKINS_URL` - -The Jenkins master pod is configured to use OpenShift SSO. To login as an admin, use the host cluster's "kubeadmin" credentials. - -After logging in, navigate to your organization from the home panel and press the "Scan Organization Now" button. This will discover all projects in the organization that have valid Jenkinsfiles in them. 
diff --git a/.jenkins/agent/Dockerfile b/.jenkins/agent/Dockerfile deleted file mode 100644 index ab7f97cb3..000000000 --- a/.jenkins/agent/Dockerfile +++ /dev/null @@ -1,14 +0,0 @@ -FROM quay.io/openshift/origin-jenkins-agent-base:latest - -# pass --build-arg OC_CLIENT_VERSION= to build stage to change client version -ARG OC_CLIENT_VERSION="4.13" - -RUN curl -LO "https://github.com/operator-framework/operator-sdk/releases/download/v0.19.4/operator-sdk-v0.19.4-x86_64-linux-gnu" && \ - chmod +x operator-sdk-v0.19.4-x86_64-linux-gnu && mv operator-sdk-v0.19.4-x86_64-linux-gnu /usr/local/bin/operator-sdk -RUN dnf install -y ansible golang python38 && \ - dnf groupinstall -y "Development Tools" -y && \ - alternatives --set python /usr/bin/python3.8 && \ - python -m pip install openshift kubernetes "ansible-core~=2.12" && \ - ansible-galaxy collection install -f 'kubernetes.core:>=2.2.0' community.general -RUN curl -LO "https://mirror.openshift.com/pub/openshift-v4/clients/ocp/latest-$OC_CLIENT_VERSION/openshift-client-linux.tar.gz" && \ - tar -xv -C /usr/local/bin -f openshift-client-linux.tar.gz diff --git a/.jenkins/agent/README.md b/.jenkins/agent/README.md deleted file mode 100644 index dbef269fc..000000000 --- a/.jenkins/agent/README.md +++ /dev/null 
@@ -1,29 +0,0 @@ -The Jenkins agent pod is used to run all Jenkins pipelines for the Service Telemetry Framework. - -# Build in OpenShift - -```bash -oc new-build --binary=true --name=jenkins-agent -oc start-build jenkins-agent --from-dir . -``` - -You can override the default `oc` client version being installed by overriding the default argument `OC_CLIENT_VERSION` from the `Dockerfile`. - -```bash -oc new-build --build-arg OC_CLIENT_VERSION=4.10 --binary=true --name=jenkins-agent -oc start-build jenkins-agent --from-dir . -``` - -Builds will be available in-cluster at the address: `image-registry.openshift-image-registry.svc:5000//jenkins-agent:latest` - -# Build with Podman/Docker - -```bash -podman build -t jenkins-agent:latest . -``` - -You can override the default `oc` client version being installed by overriding the default argument `OC_CLIENT_VERSION` from the `Dockerfile`. - -```bash -podman build --build-arg OC_CLIENT_VERSION=4.10 -t jenkins-agent:latest . -``` diff --git a/.jenkins/agent/install-sdk.sh b/.jenkins/agent/install-sdk.sh deleted file mode 100755 index fe4813198..000000000 --- a/.jenkins/agent/install-sdk.sh +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/bash - -# NOTE: any version of operator-sdk later than v0.19.4 is incompatable with the build scripts - -SDK_FULL_NAME="operator-sdk-v0.19.4-x86_64-linux-gnu" -curl -LO "https://github.com/operator-framework/operator-sdk/releases/download/v0.19.4/$SDK_FULL_NAME" -chmod +x "$SDK_FULL_NAME" && mv "$SDK_FULL_NAME" /usr/local/bin/operator-sdk diff --git a/.jenkins/deploy/casc-configmap.yaml b/.jenkins/deploy/casc-configmap.yaml deleted file mode 100644 index ab372d230..000000000 --- a/.jenkins/deploy/casc-configmap.yaml +++ /dev/null 
@@ -1,144 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: jenkins-casc - namespace: ci -data: - casc.yaml: | - unclassified: - location: - url: "https://${JENKINS_URL}" - jenkins: - numExecutors: 1 - remotingSecurity: - enabled: true - - # permissions for anonymous - revisit is moved to public internet rather than behind firewall - authorizationStrategy: - globalMatrix: - permissions: - - "Job/Build:anonymous" - - "Job/Discover:anonymous" - - "Job/Read:anonymous" - - "Job/Cancel:anonymous" - - "Overall/Read:anonymous" - clouds: - - kubernetes: - name: kubernetes - containerCapStr: 100 - containerCap: 1 - jenkinsUrl: "http://jenkins:8080/" - templates: - - name: ocp-agent - label: ocp-agent - namespace: ci - serviceAccount: jenkins - containers: - - name: exec - workingDir: "/home/jenkins/agent" - image: image-registry.openshift-image-registry.svc:5000/ci/jenkins-agent:latest - alwaysPullImage: true - command: sleep - args: infinity - - security: - queueItemAuthenticator: - authenticators: - - global: - strategy: triggeringUsersAuthorizationStrategy - - # organization config - jobs: - - script: > - organizationFolder('${GH_ORG}') { - description("${GH_ORG} GitHub Organization") - displayName('${GH_ORG}') - - organizations { - github { - apiUri("https://api.github.com") - repoOwner("${GH_ORG}") - credentialsId("github-app-key") - } - } - configure { node -> - def traits = node / navigators / 'org.jenkinsci.plugins.github__branch__source.GitHubSCMNavigator' / traits - - // Discover branches - traits << 'org.jenkinsci.plugins.github__branch__source.BranchDiscoveryTrait' { - strategyId(1) - // Values - // 1 : Exclude branches that are also filed as PRs - // 2 : Only branches that are also filed as PRs - // 3 : All branches - } - // Discover pull requests from origin - traits << 'org.jenkinsci.plugins.github__branch__source.OriginPullRequestDiscoveryTrait' { - strategyId(1) - // Values - // 1 : Merging the pull request with the current target branch revision 
- // 2 : The current pull request revision - // 3 : Both the current pull request revision and the pull request merged with the current target branch revision - } - // Discover pull requests from forks - traits << 'org.jenkinsci.plugins.github__branch__source.ForkPullRequestDiscoveryTrait' { - strategyId(1) - // Values - // 1 : Merging the pull request with the current target branch revision - // 2 : The current pull request revision - // 3 : Both the current pull request revision and the pull request merged with the current target branch revision - - trustID('1') - // Values - // 0 : Everyone - // 1 : Forks in the same account - // 2 : Nobody - } - // Custom Github Notification Context; https://github.com/jenkinsci/github-scm-trait-notification-context-plugin - traits << 'org.jenkinsci.plugins.githubScmTraitNotificationContext.NotificationContextTrait' { - contextLabel("continuous-integration/jenkins/ocp-${OCP_VERSION}") - typeSuffix(true) - } - } - - // "Project Recognizers" - projectFactories { - workflowMultiBranchProjectFactory { - scriptPath 'Jenkinsfile' - } - } - - // "Orphaned Item Strategy" - orphanedItemStrategy { - discardOldItems { - daysToKeep(-1) - numToKeep(-1) - } - } - - // "Scan Organization Folder Triggers" : 1 day - // We need to configure this stuff by hand because JobDSL only allow 'periodic(int min)' for now - configure { node -> - node / triggers / 'com.cloudbees.hudson.plugins.folder.computed.PeriodicFolderTrigger' { - spec('H H * * *') - interval(86400000) - } - } - - // set webhook triggers and suppress automatic issue triggering - // for now, we want trigger - def commentTriggerPhrase = '^test$|^retest$|^recheck$' - configure { node -> - node / strategy(class: 'jenkins.branch.DefaultBranchPropertyStrategy') { - properties(class: 'java.util.Arrays$${ESCAPEDOLLAR}ArrayList') { - def s = a(class: 'jenkins.branch.BranchProperty-array') - s / 'jenkins.branch.NoTriggerBranchProperty' {} - s / 
'com.adobe.jenkins.github__pr__comment__build.TriggerPRCommentBranchProperty'(plugin: 'github-pr-comment-build@2.3') { - commentBody(commentTriggerPhrase) - } - // s / 'com.adobe.jenkins.github__pr__comment__build.TriggerPRCommentBranchProperty' - // s / 'com.adobe.jenkins.github__pr__comment__build.TriggerPRReviewBranchProperty'(plugin: 'github-pr-comment-build@2.3') - } - } - } - } diff --git a/.jenkins/deploy/deploy-smee.yaml b/.jenkins/deploy/deploy-smee.yaml deleted file mode 100644 index 4afa9531a..000000000 --- a/.jenkins/deploy/deploy-smee.yaml +++ /dev/null @@ -1,49 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: smee-client -spec: - progressDeadlineSeconds: 600 - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - name: smee-client - strategy: - rollingUpdate: - maxSurge: 25% - maxUnavailable: 25% - type: RollingUpdate - template: - metadata: - creationTimestamp: null - labels: - name: smee-client - spec: - containers: - - args: - - --url - - "https://smee.io/${SMEE_CHANNEL}" - - --target - - "http://jenkins:8080/github-webhook/" - env: - - name: WATCH_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - image: quay.io/infrawatch/smee:latest - imagePullPolicy: Always - name: smee-client - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - dnsPolicy: ClusterFirst - restartPolicy: Always - schedulerName: default-scheduler - terminationGracePeriodSeconds: 30 diff --git a/.jenkins/deploy/jenkins-deploy.yaml b/.jenkins/deploy/jenkins-deploy.yaml deleted file mode 100644 index b2cbb01d0..000000000 --- a/.jenkins/deploy/jenkins-deploy.yaml +++ /dev/null 
@@ -1,43 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: jenkins - namespace: ci -spec: - selector: - matchLabels: - app: jenkins - replicas: 1 - template: - metadata: - labels: - app: jenkins - spec: - serviceAccountName: jenkins - containers: - - name: jenkins - image: >- - image-registry.openshift-image-registry.svc:5000/ci/jenkins:latest - ports: - - name: http-port - containerPort: 8080 - - name: jnlp-port - containerPort: 50000 - volumeMounts: - - name: jenkins-home - mountPath: /var/jenkins_home - - name: jenkins-casc - mountPath: /var/jenkins_config - env: - - name: OPENSHIFT_ENABLE_OAUTH - value: "true" - - name: JAVA_OPTS - value: -Djenkins.install.runSetupWizard=false - - name: CASC_JENKINS_CONFIG - value: /var/jenkins_config/casc.yaml - volumes: - - name: jenkins-home - emptyDir: {} - - name: jenkins-casc - configMap: - name: jenkins-casc diff --git a/.jenkins/deploy/sa-rbac.yaml b/.jenkins/deploy/sa-rbac.yaml deleted file mode 100644 index a18a5fabf..000000000 --- a/.jenkins/deploy/sa-rbac.yaml +++ /dev/null @@ -1,21 +0,0 @@ ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: jenkins - annotations: - serviceaccounts.openshift.io/oauth-redirectreference.jenkins: "{\"kind\":\"OAuthRedirectReference\",\"apiVersion\":\"v1\",\"reference\":{\"kind\":\"Route\",\"name\":\"jenkins\"}}" ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: admin-access - namespace: default -roleRef: - kind: ClusterRole - name: cluster-admin - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: jenkins - namespace: ci diff --git a/.jenkins/deploy/service-route.yaml b/.jenkins/deploy/service-route.yaml deleted file mode 100644 index d8fe3e53b..000000000 --- a/.jenkins/deploy/service-route.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ ---- -apiVersion: v1 -kind: Service -metadata: - name: jenkins - namespace: ci -spec: - selector: - app: jenkins - ports: - - protocol: TCP - name: jnlp - port: 50000 - targetPort: 50000 - - protocol: TCP - name: http - port: 8080 - targetPort: 8080 ---- -kind: Route -apiVersion: route.openshift.io/v1 -metadata: - name: jenkins - namespace: ci -spec: - to: - kind: Service - name: jenkins - weight: 100 - port: - targetPort: http - tls: - termination: edge - insecureEdgeTerminationPolicy: Redirect - wildcardPolicy: None diff --git a/.zuul.yaml b/.zuul.yaml index 636f0cf44..db743b8ac 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -1,24 +1,27 @@ --- - nodeset: - name: stf-crc_extracted-ocp412 + name: stf-crc_extracted-ocp414 nodes: - name: controller label: cloud-centos-9-stream-tripleo-vexxhost - name: crc - label: coreos-crc-extracted-2-19-0-xxl + label: coreos-crc-extracted-2-30-0-xxl - nodeset: - name: stf-crc_extracted-ocp414 + name: stf-crc_extracted-ocp416 nodes: - name: controller label: cloud-centos-9-stream-tripleo-vexxhost - name: crc - label: coreos-crc-extracted-2-30-0-xxl + label: coreos-crc-extracted-2-39-0-3xl -# Based on the 2-node job cookbook at https://github.com/openstack-k8s-operators/ci-framework/blob/main/docs/source/cookbooks/zuul-job-nodeset.md - job: name: stf-base-2node parent: podified-multinode-edpm-deployment-crc + description: | + A base job for STF that deploys extracted CRC with a 2-node topology. + This job is based on the cookbook example in: https://github.com/openstack-k8s-operators/ci-framework/blob/main/docs/source/cookbooks/zuul-job-nodeset.md + All non-abstract jobs that inherit from this must have a nodeset configured. abstract: true required-projects: - name: github.com/openstack-k8s-operators/dataplane-operator 
@@ -68,11 +71,11 @@ - job: name: stf-base - # defined in: https://review.rdoproject.org/cgit/config/tree/zuul.d/_jobs-crc.yaml parent: stf-base-2node abstract: true description: | Run the stf-run-ci role, and then test stf + Any non-abstract jobs that inherit from this must pass a `scenario` var. roles: # adds in dependent roles i.e. put it in the role path - zuul: github.com/openstack-k8s-operators/ci-framework # These are the additional repos that zuul will clone @@ -122,11 +125,13 @@ scenario: "local_build-index_deploy" - job: - name: stf-crc-ocp_412-nightly_bundles - parent: stf-crc-nightly_bundles + name: stf-crc-nightly_bundles-index_deploy + parent: stf-base + abstract: true description: | - Deploy STF using the nightly bundles on OCP 4.12 - nodeset: stf-crc_extracted-ocp412 + Create an index image using nightly bundles and deploy STF from it + vars: + scenario: "nightly_bundles-index_deploy" - job: name: stf-crc-ocp_414-nightly_bundles @@ -136,11 +141,11 @@ nodeset: stf-crc_extracted-ocp414 - job: - name: stf-crc-ocp_412-local_build - parent: stf-crc-local_build + name: stf-crc-ocp_416-nightly_bundles + parent: stf-crc-nightly_bundles description: | - Build images locally and deploy STF on OCP 4.12 - nodeset: stf-crc_extracted-ocp412 + Deploy STF using the nightly bundles on OCP 4.16 + nodeset: stf-crc_extracted-ocp416 - job: name: stf-crc-ocp_414-local_build @@ -150,11 +155,11 @@ nodeset: stf-crc_extracted-ocp414 - job: - name: stf-crc-ocp_412-local_build-index_deploy - parent: stf-crc-local_build-index_deploy + name: stf-crc-ocp_416-local_build + parent: stf-crc-local_build description: | - Build STF locally and deploy from index on OCP 4.12 - nodeset: stf-crc_extracted-ocp412 + Build STF locally and deploy from index on OCP 4.16 + nodeset: stf-crc_extracted-ocp416 - job: name: stf-crc-ocp_414-local_build-index_deploy 
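Review bot: The description added for the new `stf-crc-ocp_416-local_build` job reads "Build STF locally and deploy from index on OCP 4.16", which is the text of the `-local_build-index_deploy` variant; this job's parent is `stf-crc-local_build`, not the index-deploy parent. The removed 4.12 job of the same kind was described as "Build images locally and deploy STF on OCP 4.12", so I would use `Build images locally and deploy STF on OCP 4.16` here. The same sentence is added again for `stf-crc-ocp_416-local_build-index_deploy` in the following hunk, where it is correct.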
@@ -163,16 +168,39 @@ Build STF locally and deploy from index on OCP 4.14 nodeset: stf-crc_extracted-ocp414 +- job: + name: stf-crc-ocp_416-local_build-index_deploy + parent: stf-crc-local_build-index_deploy + description: | + Build STF locally and deploy from index on OCP 4.16 + nodeset: stf-crc_extracted-ocp416 + +- job: + name: stf-crc-ocp_414-nightly_bundles-index_deploy + parent: stf-crc-nightly_bundles-index_deploy + description: | + Create an index image using nightly bundles and deploy STF from it on OCP 4.14 + nodeset: stf-crc_extracted-ocp414 + +- job: + name: stf-crc-ocp_416-nightly_bundles-index_deploy + parent: stf-crc-nightly_bundles-index_deploy + description: | + Create an index image using nightly bundles and deploy STF from it on OCP 4.16 + nodeset: stf-crc_extracted-ocp416 + - project-template: name: stf-crc-jobs description: | STF CRC jobs that build and deploy STF github-check: jobs: - - stf-crc-ocp_412-local_build - stf-crc-ocp_414-local_build - - stf-crc-ocp_412-local_build-index_deploy + - stf-crc-ocp_416-local_build - stf-crc-ocp_414-local_build-index_deploy + - stf-crc-ocp_416-local_build-index_deploy + - stf-crc-ocp_414-nightly_bundles-index_deploy + - stf-crc-ocp_416-nightly_bundles-index_deploy - project: name: infrawatch/service-telemetry-operator @@ -180,5 +208,5 @@ - stf-crc-jobs periodic: jobs: - - stf-crc-ocp_412-nightly_bundles - stf-crc-ocp_414-nightly_bundles + - stf-crc-ocp_416-nightly_bundles diff --git a/Jenkinsfile b/Jenkinsfile deleted file mode 100644 index f94b64b1e..000000000 --- a/Jenkinsfile +++ /dev/null 
@@ -1,228 +0,0 @@ -#!/usr/bin/env groovy - - -def tested_files = "build/.*|deploy/.*|roles/.*|tests/smoketest/.*|Makefile|watches.yaml|Jenkinsfile" - -// can't just use BUILD_TAG because qdr operator limits name of resources to 60 chars -def namespace = env.JOB_BASE_NAME + '-' + env.BUILD_NUMBER -namespace = namespace.toLowerCase() -namespace = namespace.replaceAll('\\.', '-') - -def stf_resource = """ -apiVersion: infra.watch/v1beta1 -kind: ServiceTelemetry -metadata: - name: default - namespace: ${namespace} -spec: - observabilityStrategy: use_redhat - alerting: - alertmanager: - storage: - strategy: ephemeral - receivers: - snmpTraps: - enabled: true - backends: - events: - elasticsearch: - enabled: true - storage: - strategy: ephemeral - metrics: - prometheus: - enabled: true - storage: - strategy: ephemeral - transports: - qdr: - enabled: true - deploymentSize: 1 - web: - enabled: false - elasticsearchManifest: | - apiVersion: elasticsearch.k8s.elastic.co/v1 - kind: Elasticsearch - metadata: - name: elasticsearch - namespace: $namespace - spec: - version: 7.16.1 - volumeClaimDeletePolicy: DeleteOnScaledownAndClusterDeletion - http: - tls: - certificate: - secretName: 'elasticsearch-es-cert' - nodeSets: - - config: - node.roles: - - master - - data - - ingest - node.store.allow_mmap: true - count: 1 - name: default - podTemplate: - metadata: - labels: - tuned.openshift.io/elasticsearch: elasticsearch - spec: - containers: - - name: elasticsearch - resources: - limits: - cpu: '2' - memory: 2Gi - requests: - cpu: '1' - memory: 1Gi - volumes: - - emptyDir: {} - name: elasticsearch-data -""" - -def working_branch = "master" - -pipeline { - agent { - kubernetes { - inheritFrom 'ocp-agent' - defaultContainer 'exec' - } - } - environment { - run_ci = sh(script: "git fetch origin ${env.CHANGE_TARGET} && git diff --name-only origin/${env.CHANGE_TARGET} | egrep \"${tested_files}\"", returnStatus: true) - } - stages { - stage('Clone Upstream') { - when { - environment 
name: 'run_ci', value: '0' - } - steps { - dir('service-telemetry-operator') { - catchError(buildResult: 'FAILURE', stageResult: 'FAILURE') { - checkout scm - script { - working_branch = sh(script: 'git ls-remote --heads origin | grep $(git rev-parse HEAD) | cut -d / -f 3-', returnStdout: true).toString().trim() - if (!working_branch) { - // in this case, a merge with the base branch was required thus we use the second to last commit - // to find the original topic branch name - working_branch = sh(script: 'git ls-remote --heads origin | grep $(git rev-parse HEAD~1) | cut -d / -f 3-', returnStdout: true).toString().trim() - } - } - sh "git checkout -b ${working_branch}" - } - } - } - } - stage('Create project') { - when { - environment name: 'run_ci', value: '0' - expression { - currentBuild.result == null - } - } - steps { - dir('service-telemetry-operator') { - catchError(buildResult: 'FAILURE', stageResult: 'FAILURE') { - script { - openshift.withCluster() { - openshift.newProject(namespace) - } - } - } - } - } - } - stage('Build STF Containers') { - when { - environment name: 'run_ci', value: '0' - expression { - currentBuild.result == null - } - } - steps { - dir('service-telemetry-operator') { - catchError(buildResult: 'FAILURE', stageResult: 'FAILURE') { - ansiColor('xterm') { - ansiblePlaybook( - playbook: 'build/run-ci.yaml', - colorized: true, - extraVars: [ - "namespace": namespace, - "__deploy_stf": "false", - "__local_build_enabled": "true", - "__service_telemetry_snmptraps_enabled": "true", - "__service_telemetry_storage_ephemeral_enabled": "true", - "working_branch":"${working_branch}" - ] - ) - } - } - } - } - } - stage('Deploy STF Object') { - when { - environment name: 'run_ci', value: '0' - expression { - currentBuild.result == null - } - } - steps { - dir('service-telemetry-operator') { - catchError(buildResult: 'FAILURE', stageResult: 'FAILURE') { - script { - openshift.withCluster() { - openshift.withProject(namespace) { - timeout(time: 800, 
unit: 'SECONDS') { - openshift.create(stf_resource) - sh "OCP_PROJECT=${namespace} VALIDATION_SCOPE=use_redhat ./build/validate_deployment.sh" - } - } - } - } - } - } - } - } - stage('Run Smoketest') { - when { - environment name: 'run_ci', value: '0' - expression { - currentBuild.result == null - } - } - steps { - dir('service-telemetry-operator') { - catchError(buildResult: 'FAILURE', stageResult: 'FAILURE') { - sh "OCP_PROJECT=${namespace} ./tests/smoketest/smoketest.sh" - } - } - } - } - stage('Cleanup') { - when { - environment name: 'run_ci', value: '0' - } - steps { - dir('service-telemetry-operator') { - script { - openshift.withCluster(){ - openshift.selector("project/${namespace}").delete() - } - } - } - } - post { - always { - script { - if ( currentBuild.result != null && currentBuild.result != 'SUCCESS' ) { - currentBuild.result = 'FAILURE' - } - } - } - } - } - } -} diff --git a/README.md b/README.md index e336242b5..757073711 100644 --- a/README.md +++ b/README.md @@ -40,6 +40,7 @@ loaded for you. * smartgatewayCollectdEventsManifest * smartgatewayCeilometerEventsManifest * servicemonitorManifest +* scrapeconfigManifest ## Development diff --git a/build/Dockerfile b/build/Dockerfile index a236fb9c8..dc1e06eff 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -1,4 +1,4 @@ -FROM quay.io/openshift/origin-ansible-operator:4.12 +FROM quay.io/openshift/origin-ansible-operator:4.14 # temporarily switch to root user to adjust image layers USER 0 diff --git a/build/stf-run-ci/README.md b/build/stf-run-ci/README.md index 664e57e7a..ecc4fd38e 100644 --- a/build/stf-run-ci/README.md +++ b/build/stf-run-ci/README.md 
@@ -20,7 +20,8 @@ choose to override: | `__deploy_stf` | {true,false} | true | Whether to deploy an instance of STF | | `__local_build_enabled` | {true,false} | true | Whether to deploy STF from local built artifacts. Also see `working_branch`, `sg_branch`, `sgo_branch` | | `__deploy_from_bundles_enabled` | {true,false} | false | Whether to deploy STF from OLM bundles (TODO: compat with `__local_build_enabled`) | -| `__deploy_from_index_enabled` | {true,false} | false | Whether to deploy STF from locally built bundles and index image. | +| `__deploy_from_index_enabled` | {true,false} | false | Whether to deploy STF from locally built bundles/OLM bundles and index image. | +| `__disconnected_deploy` | {true,false} | false | Whether to deploy on a disconnected cluster | | `__service_telemetry_bundle_image_path` | | `quay.io/infrawatch-operators/service-telemetry-operator-bundle:nightly-head` | Image path to Service Telemetry Operator bundle | | `__smart_gateway_bundle_image_path` | | `quay.io/infrawatch-operators/smart-gateway-operator-bundle:nightly-head` | Image path to Smart Gateway Operator bundle | | `setup_bundle_registry_tls_ca` | {true,false} | true | Whether to setup or not a TLS CA cert for the bundle registry access | 
@@ -82,9 +83,10 @@ choose to override: You can deploy Service Telemetry Framework using this role in a few configuration methods: -* local build artifacts from Git repository cloned locally -* local build artifacts, local bundle artifacts, and Subscription via OLM using locally built index image -* standard deployment using Subscription and OLM +* local build artifacts from Git repository cloned locally (local build) +* local build artifacts, local bundle artifacts, and Subscription via OLM using locally built index image (local build + deploy from index) +* externally build bundle artifacts and Subscription via OLM using locally built index image (deploy from bundles + deploy from index) +* standard deployment using Subscription and OLM (deploy from bundles) * supporting components but no instance of Service Telemetry Operator ## Basic deployment 
@@ -133,6 +135,27 @@ You can perform a deployment using OLM and a Subscription from locally built art ansible-playbook -e __local_build_enabled=true -e __deploy_from_index_enabled=true run-ci.yaml ``` +## Deployment with pre-build bundles and index + +Instead of relying on the operator-sdk to deploy from selected bundles using the "operator-sdk run bundle" utility, +you can perform a deployment using OLM and a Subscription to a locally created index image like this: + +```sh +ansible-playbook -e __local_build_enabled=false -e __deploy_from_bundles_enabled=true \ + -e __deploy_from_index_enabled=true \ + -e __service_telemetry_bundle_image_path=//stf-service-telemetry-operator-bundle: \ + -e __smart_gateway_bundle_image_path=//stf-smart-gateway-operator-bundle: \ + -e pull_secret_registry= \ + -e pull_secret_user= \ + -e pull_secret_pass= + run-ci.yaml +``` + +Since you will fetch the selected images from a bundle registry, it is required that you have all the required +access credentials for the desired registry correctly configured. Check the "Deployment with pre-build bundles" +docs above to get more information about this. + + # License Apache v2.0 diff --git a/build/stf-run-ci/defaults/main.yml b/build/stf-run-ci/defaults/main.yml index a6c5ee184..5001dd2c0 100644 --- a/build/stf-run-ci/defaults/main.yml +++ b/build/stf-run-ci/defaults/main.yml @@ -10,6 +10,8 @@ __deploy_from_bundles_enabled: false __deploy_from_index_enabled: false __deploy_stf: true +__disconnected_deploy: false + __service_telemetry_events_certificates_endpoint_cert_duration: 70080h __service_telemetry_events_certificates_ca_cert_duration: 70080h __service_telemetry_events_enabled: true 
@@ -36,7 +38,8 @@ __smart_gateway_bundle_image_path: "quay.io/infrawatch-operators/smart-gateway-o default_operator_registry_image_base: registry.redhat.io/openshift4/ose-operator-registry default_operator_registry_image_tag: v4.13 -elasticsearch_version: 7.16.1 +elasticsearch_version: 7.17.20 +elasticsearch_image: registry.connect.redhat.com/elastic/elasticsearch sgo_image_tag: latest sto_image_tag: latest @@ -53,6 +56,13 @@ pull_secret_registry: pull_secret_user: pull_secret_pass: +redhat_operators: redhat-operators +community_operators: community-operators +certified_operators: certified-operators +infrawatch_operators: infrawatch-operators + +stf_channel: unstable + # used when building images to default to correct version branch for STF subcomponents per STF version version_branches: sgo: master diff --git a/build/stf-run-ci/requirements.txt b/build/stf-run-ci/requirements.txt index 70c742e0e..ecdb60633 100644 --- a/build/stf-run-ci/requirements.txt +++ b/build/stf-run-ci/requirements.txt @@ -1,8 +1,8 @@ # https://stackoverflow.com/questions/64073422/importerror-cannot-import-name-oauth1session-from-requests-oauthlib -requests==2.31.0 +requests==2.32.0 requests_oauthlib==1.3.0 # https://github.com/domainaware/parsedmarc/issues/318 oauthlib==3.2.2 kubernetes==24.2.0 openshift==0.13.1 -ansible-core==2.12.10 +ansible-core==2.15.9 diff --git a/build/stf-run-ci/tasks/create_catalog.yml b/build/stf-run-ci/tasks/create_catalog.yml index feed3b56f..6c2b5b6cc 100644 --- a/build/stf-run-ci/tasks/create_catalog.yml +++ b/build/stf-run-ci/tasks/create_catalog.yml 
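Review bot: The new defaults `redhat_operators`, `community_operators`, `certified_operators`, `infrawatch_operators`, `stf_channel` and `elasticsearch_image` are added without any comment, and the names alone do not say what each one selects or when it should be overridden. A one-line comment above each group would help, for example `# catalog source names used for operator Subscriptions; override when using mirrored catalogs` (presumably what these four are, to be confirmed against the tasks that read them) and `# channel written into the bundle info used for the index image`. Only `stf_channel` is read in the visible hunks, as `bundle_default_channel` and `bundle_channels` in `create_catalog.yml`, so the wording for the others needs checking against their consumers.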
@@ -7,11 +7,65 @@ # Updating to use stdout_lines[-1] so that any additional info that gets added to generate_bundles (e.g. for debug) doesn't break this task # Adding from_json so that the JSON output is parsed into a dictionary -- name: Create info variables from bundle generation output +- name: Create info variables from bundle generation output (local build) + when: __local_build_enabled | bool and not __deploy_from_bundles_enabled | bool ansible.builtin.set_fact: sto_bundle_info: "{{ generate_bundle_sto.stdout_lines[-1] | from_json }}" sgo_bundle_info: "{{ generate_bundle_sgo.stdout_lines[-1] | from_json }}" +- name: Create info variables from provided pre-built bundles (deploy from bundles) + when: __deploy_from_bundles_enabled | bool and not __local_build_enabled | bool + block: + - name: Get STO operator bundle info + ansible.builtin.command: oc image info {{ __service_telemetry_bundle_image_path }} + register: sto_prebuilt_image_info + + - name: Get SGO operator bundle info + ansible.builtin.command: oc image info {{ __smart_gateway_bundle_image_path }} + register: sgo_prebuilt_image_info + + - name: Get STO and SGO bundle versions + ansible.builtin.set_fact: + sto_prebuilt_bundle_version: "{{ sto_prebuilt_image_info.stdout_lines[-1] | split('=') | last }}" + sgo_prebuilt_bundle_version: "{{ sgo_prebuilt_image_info.stdout_lines[-1] | split('=') | last }}" + + - name: Set info variables from provided pre-built bundles + ansible.builtin.set_fact: + sto_bundle_info: + 'bundle_default_channel': "{{ stf_channel }}" + 'bundle_channels': "{{ stf_channel }}" + 'operator_bundle_version': "{{ sto_prebuilt_bundle_version }}" + sgo_bundle_info: + 'bundle_default_channel': "{{ stf_channel }}" + 'bundle_channels': "{{ stf_channel }}" + 'operator_bundle_version': "{{ sgo_prebuilt_bundle_version }}" + +- name: Show STO and SGO bundle info that will used in the index image + ansible.builtin.debug: + msg: + - "{{ sto_bundle_info }}" + - "{{ sgo_bundle_info }}" + +- name: 
Create ImageStream for STO and SGO (deploying from bundles) + when: __deploy_from_bundles_enabled | bool + block: + - name: Create ImageStream for STO + ansible.builtin.command: + cmd: | + oc import-image -n {{ namespace }} service-telemetry-operator-bundle:{{ sto_bundle_info.operator_bundle_version }} --from={{ __service_telemetry_bundle_image_path }} --confirm --insecure + register: sto_is + + - name: Create ImageStream for SGO + ansible.builtin.command: + cmd: | + oc import-image -n {{ namespace }} smart-gateway-operator-bundle:{{ sgo_bundle_info.operator_bundle_version }} --from={{ __smart_gateway_bundle_image_path }} --confirm --insecure + register: sgo_is + + - name: Set correct STO and SGO bundle paths when deploying from index with pre-built bundles + ansible.builtin.set_fact: + sto_bundle_image_path: "{{ __internal_registry_path }}/{{ namespace }}/service-telemetry-operator-bundle:{{ sto_bundle_info.operator_bundle_version }}" + sgo_bundle_image_path: "{{ __internal_registry_path }}/{{ namespace }}/smart-gateway-operator-bundle:{{ sgo_bundle_info.operator_bundle_version }}" + - name: Get the builder-dockercfg Secret name ansible.builtin.command: oc get secret -n {{ namespace }} --field-selector='type==kubernetes.io/dockercfg' -ojsonpath='{.items[?(@.metadata.annotations.kubernetes\.io/service-account\.name=="builder")].metadata.name}' register: secret_builder_dockercfg_name diff --git a/build/stf-run-ci/tasks/main.yml b/build/stf-run-ci/tasks/main.yml index 3f4972cf8..df29982ab 100644 --- a/build/stf-run-ci/tasks/main.yml +++ b/build/stf-run-ci/tasks/main.yml 
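Review bot: Both added `oc import-image` commands in the "Create ImageStream for STO and SGO" block pass `--insecure`, which lets the import accept an invalid certificate or plain HTTP from the bundle registry, so the bundle copied into the internal registry is not authenticated. I would drop the flag by default and make it opt-in, for example `{{ '--insecure' if bundle_registry_insecure | default(false) | bool else '' }}` (the variable name is a placeholder, not an existing default). The tag used for the ImageStream comes from `stdout_lines[-1] | split('=') | last` on `oc image info`, which silently yields arbitrary text if the last output line is not the expected label. Asserting that the extracted value is non-empty and version-shaped before it is used would make that failure visible.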
@@ -24,37 +24,25 @@ - name: Fail on mutually exclusive flags ansible.builtin.fail: msg: __deploy_from_bundles_enabled not currently supported with __local_build_enabled (but should be) - when: __local_build_enabled | bool and __deploy_from_bundles_enabled | bool - -- name: Fail when deploying from index image and local build disabled - ansible.builtin.fail: - msg: __deploy_from_index_enabled must also have __local_build_enabled - when: __deploy_from_index_enabled | bool and not __local_build_enabled | bool - -- name: Fail when deploying from index images and deployment from bundles also requested (mutually exclusive methods) - ansible.builtin.fail: - msg: __deploy_from_index_enabled can not be used with __deploy_from_bundles_enabled - when: __deploy_from_index_enabled | bool and __deploy_from_bundles_enabled | bool + when: + - __local_build_enabled | bool + - __deploy_from_bundles_enabled | bool - name: Get the list of nodes kubernetes.core.k8s_info: kind: Node register: node_info -- name: Get OCP version - ansible.builtin.shell: oc version -o yaml | grep openshiftVersion | awk '{print $2}' - register: ocp_ver - -- name: Find out if we are using crc by looking at the node hostnames - ansible.builtin.set_fact: - is_crc: "{{ True if 'crc' in node_info.resources[0].metadata.labels[\"kubernetes.io/hostname\"] else False }}" - # -- prepare environment and cleanup - name: Clean up any existing global artifacts ansible.builtin.include_tasks: pre-clean.yml tags: - pre-clean +- name: Set up bundle registry credentials (deploy from bundles) + ansible.builtin.include_tasks: setup_registry_auth.yml + when: __deploy_from_bundles_enabled | bool or setup_bundle_registry_auth | bool + - name: Setup supporting Operator subscriptions ansible.builtin.include_tasks: setup_base.yml tags: 
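Review bot: With the two removed guards gone, `__deploy_from_index_enabled=true` is no longer rejected up front when both `__local_build_enabled` and `__deploy_from_bundles_enabled` are false. In that combination create_catalog.yml is still included by the new `when: __deploy_from_index_enabled | bool` block later in this file, but neither of its branches sets `sto_bundle_info`/`sgo_bundle_info`. The play would then stop at the "Show STO and SGO bundle info" debug task with an undefined-variable error rather than a clear message. I would keep one explicit `fail` task next to "Fail on mutually exclusive flags" with `when: __deploy_from_index_enabled | bool and not (__local_build_enabled | bool or __deploy_from_bundles_enabled | bool)`.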
@@ -77,6 +65,7 @@ prometheus_webhook_snmp_dir: "{{ prometheus_webhook_snmp_dir if prometheus_webhook_snmp_dir is defined else base_dir + '/working/prometheus-webhook-snmp' }}" - name: Get operator_sdk_v0 (build bundles) + when: __local_build_enabled | bool ansible.builtin.command: cmd: "./get_operator_sdk.sh {{ operator_sdk_v0 }}" creates: "{{ base_dir }}/working/operator-sdk-{{ operator_sdk_v0 }}" @@ -149,7 +138,7 @@ pod-security.kubernetes.io/audit: restricted pod-security.kubernetes.io/warn: restricted -- when: __deploy_from_index_enabled | bool +- when: __deploy_from_index_enabled | bool and __local_build_enabled | bool tags: - create_bundles block: @@ -170,11 +159,13 @@ tags: - build +- when: __deploy_from_index_enabled | bool + block: - name: Create file-based catalog ansible.builtin.include_tasks: create_catalog.yml # -- deploy -- when: not __local_build_enabled | bool +- when: not __local_build_enabled | bool and not __deploy_from_index_enabled | bool block: - name: Setup Service Telemetry Framework from supplied bundle URLs ansible.builtin.include_tasks: setup_stf_from_bundles.yml @@ -196,7 +187,7 @@ name: service-telemetry-operator namespace: "{{ namespace }}" spec: - channel: stable-1.5 + channel: "{{ stf_channel }}" installPlanApproval: Automatic name: service-telemetry-operator source: service-telemetry-framework-operators diff --git a/build/stf-run-ci/tasks/preflight_checks.yml b/build/stf-run-ci/tasks/preflight_checks.yml index 066474572..cd42c76c9 100644 --- a/build/stf-run-ci/tasks/preflight_checks.yml +++ b/build/stf-run-ci/tasks/preflight_checks.yml @@ -26,10 +26,6 @@ ansible.builtin.debug: var: csv_sto.stdout - - name: "Show service-telemetry-operator CSV information" - ansible.builtin.debug: - var: csv_sto.stdout - - name: "Show fail message if CSV isn't Succeeded after the alotted time" ansible.builtin.fail: msg: "Service Telemetry Operator CSV not Succeeded after 10 minutes. Check {{ logfile_dir }}/oc_get_csv_sto.log for more information" 
diff --git a/build/stf-run-ci/tasks/setup_base.yml b/build/stf-run-ci/tasks/setup_base.yml index bb6667184..443d7cb76 100644 --- a/build/stf-run-ci/tasks/setup_base.yml +++ b/build/stf-run-ci/tasks/setup_base.yml @@ -1,5 +1,6 @@ --- - name: Setup OperatorHub dependencies + when: not __disconnected_deploy | bool kubernetes.core.k8s: definition: apiVersion: config.openshift.io/v1 @@ -30,7 +31,7 @@ - "{{ namespace }}" # documented procedure: https://infrawatch.github.io/documentation/#deploying-observability-operator_assembly-installing-the-core-components-of-stf -- name: Subscribe to Red Hat Obervability Operator +- name: Subscribe to Red Hat Observability Operator kubernetes.core.k8s: definition: apiVersion: operators.coreos.com/v1alpha1 @@ -44,7 +45,7 @@ channel: development installPlanApproval: Automatic name: cluster-observability-operator - source: redhat-operators + source: "{{ redhat_operators }}" sourceNamespace: openshift-marketplace when: - __service_telemetry_observability_strategy in ['use_redhat', 'use_hybrid'] @@ -62,7 +63,7 @@ channel: beta installPlanApproval: Automatic name: prometheus - source: community-operators + source: "{{ community_operators }}" sourceNamespace: openshift-marketplace when: - __service_telemetry_observability_strategy == "use_community" @@ -107,11 +108,11 @@ channel: stable-v1 installPlanApproval: Automatic name: openshift-cert-manager-operator - source: redhat-operators + source: "{{ redhat_operators }}" sourceNamespace: openshift-marketplace # installed by properties.yaml definition as of STF 1.5.3 -- when: not __deploy_from_index_enabled | bool +- when: __local_build_enabled | bool block: - name: Subscribe to AMQ Interconnect Operator kubernetes.core.k8s: @@ -125,7 +126,7 @@ channel: 1.10.x installPlanApproval: Automatic name: amq7-interconnect-operator - source: redhat-operators + source: "{{ redhat_operators }}" sourceNamespace: openshift-marketplace # undocumented procedure: used for backwards compatilibity verification 
@@ -142,7 +143,7 @@ channel: stable installPlanApproval: Automatic name: elasticsearch-eck-operator-certified - source: certified-operators + source: "{{ certified_operators }}" sourceNamespace: openshift-marketplace - name: Wait for Elasticsearch CRD to appear diff --git a/build/stf-run-ci/tasks/setup_registry_auth.yml b/build/stf-run-ci/tasks/setup_registry_auth.yml new file mode 100644 index 000000000..5c096fdcc --- /dev/null +++ b/build/stf-run-ci/tasks/setup_registry_auth.yml 
@@ -0,0 +1,116 @@ +- name: Update Pull Secret with bundle registry credentials + when: setup_bundle_registry_auth | bool + block: + - name: Get existing Pull Secret from openshift config + kubernetes.core.k8s_info: + api_version: v1 + kind: Secret + namespace: openshift-config + name: pull-secret + register: pull_secret + + - name: Decode docker config json + ansible.builtin.set_fact: + dockerconfigjson: "{{ pull_secret.resources[0].data['.dockerconfigjson'] | b64decode }}" + + - name: Merge registry creds into auth section of docker config + ansible.builtin.set_fact: + new_dockerauths: "{{ dockerconfigjson['auths'] | combine( { + pull_secret_registry:{ + 'auth': (pull_secret_user ~ ':' ~ pull_secret_pass) | b64encode + } + }) }}" + + - name: Create new docker config + ansible.builtin.set_fact: + new_dockerconfigjson: "{{ dockerconfigjson | combine({'auths': new_dockerauths}) }}" + + - name: Create Pull Secret for bundle registry access (in the local namespace) + kubernetes.core.k8s: + state: present + definition: + apiVersion: v1 + kind: Secret + type: kubernetes.io/dockerconfigjson + metadata: + name: pull-secret + namespace: "{{ namespace }}" + data: + .dockerconfigjson: "{{ new_dockerconfigjson | tojson | b64encode }}" + + - name: Create Pull Secret for bundle registry access (in the global namespace) + kubernetes.core.k8s: + state: present + definition: + apiVersion: v1 + kind: Secret + type: kubernetes.io/dockerconfigjson + metadata: + name: pull-secret + namespace: openshift-config + data: + .dockerconfigjson: "{{ new_dockerconfigjson | tojson | b64encode }}" + +- name: Create registry CA Cert + when: setup_bundle_registry_tls_ca | bool + kubernetes.core.k8s: + state: present + definition: + apiVersion: v1 + kind: Secret + type: Opaque + metadata: + name: registry-tls-ca + namespace: "{{ namespace }}" + data: + cert.pem: "{{ lookup('file', 'CA.pem') | b64encode }}" + +- name: Patch the default service account to use our pull secret + when: 
setup_bundle_registry_tls_ca | bool + kubernetes.core.k8s_json_patch: + kind: ServiceAccount + namespace: "{{ namespace }}" + name: default + patch: + - op: add + path: /imagePullSecrets + value: + - name: pull-secret + +- name: Ensure that the bundle paths are set + ansible.builtin.assert: + that: + - '__smart_gateway_bundle_image_path | default("") | length > 0' + - '__service_telemetry_bundle_image_path | default("") | length > 0' + fail_msg: "Bundle path(s) not set. __smart_gateway_bundle_image_path is '{{ __smart_gateway_bundle_image_path }}' and __service_telemetry_bundle_image_path is '{{ __service_telemetry_bundle_image_path }}'. Both values need to be set." + success_msg: "Bundle paths are defined, are not None and have a non-zero-length." + +- name: Try to access to the STO bundle + ansible.builtin.command: oc image info {{ __service_telemetry_bundle_image_path }} + register: sto_bundle_info + ignore_errors: true + +- name: Print STO bundle info + ansible.builtin.debug: + msg: + - "{{ sto_bundle_info }}" + +- name: Fail if the expected STO bundle was not correctly fetched + ansible.builtin.fail: + msg: "The requested STO bundle couldn't be retrieved from the bundle registry. Check configuration for the bundles registry and retry." + when: "__service_telemetry_bundle_image_path not in sto_bundle_info.stdout" + +- name: Try to access to the SGO bundle + ansible.builtin.command: oc image info {{ __smart_gateway_bundle_image_path }} + register: sgo_bundle_info + ignore_errors: true + +- name: Print SGO bundle info + ansible.builtin.debug: + msg: + - "{{ sgo_bundle_info }}" + +- name: Fail is the expected SGO bundle was not correctly fetched + ansible.builtin.fail: + msg: "The requested SGO bundle couldn't be retrieved from the bundle registry. Check configuration for the bundles registry and retry." + when: "__smart_gateway_bundle_image_path not in sgo_bundle_info.stdout" 
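Review bot: None of the credential-handling tasks in the `setup_bundle_registry_auth` block set `no_log: true`, so the decoded `.dockerconfigjson`, the `pull_secret_user ~ ':' ~ pull_secret_pass` auth entry and both Secret definitions can end up in play output under verbosity or on task failure, and CI logs tend to be retained and shared. Add `no_log: true` to "Get existing Pull Secret from openshift config", the three `set_fact` tasks and the two "Create Pull Secret" tasks. Separately, the namespace-local `pull-secret` is built from the full cluster-wide auth set plus the new entry; building it from only `{ pull_secret_registry: ... }` would keep the global registry credentials out of `{{ namespace }}`. The "Patch the default service account to use our pull secret" task is gated on `setup_bundle_registry_tls_ca` rather than `setup_bundle_registry_auth`, which looks unintended, although it appears to be carried over unchanged from setup_stf_from_bundles.yml.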
diff --git a/build/stf-run-ci/tasks/setup_stf.yml b/build/stf-run-ci/tasks/setup_stf.yml index c608fd58c..819d74809 100644 --- a/build/stf-run-ci/tasks/setup_stf.yml +++ b/build/stf-run-ci/tasks/setup_stf.yml @@ -1,5 +1,8 @@ --- - name: Set default InfraWatch OperatorSource manifest + when: + - __deploy_from_index_enabled | bool + - infrawatch_catalog_source_manifest is not defined ansible.builtin.set_fact: infrawatch_catalog_source_manifest: | apiVersion: operators.coreos.com/v1alpha1 @@ -9,15 +12,15 @@ namespace: openshift-marketplace spec: displayName: InfraWatch Operators - image: quay.io/infrawatch-operators/infrawatch-catalog:nightly-1.5 + image: quay.io/infrawatch-operators/infrawatch-catalog:nightly publisher: InfraWatch sourceType: grpc updateStrategy: registryPoll: interval: 30m - when: infrawatch_catalog_source_manifest is not defined - name: Set default Smart Gateway Operator Subscription manifest + when: smart_gateway_operator_subscription_manifest is not defined ansible.builtin.set_fact: smart_gateway_operator_subscription_manifest: | apiVersion: operators.coreos.com/v1alpha1 @@ -26,14 +29,14 @@ name: smart-gateway-operator namespace: "{{ namespace }}" spec: - channel: stable-1.5 + channel: "{{ stf_channel }}" installPlanApproval: Automatic name: smart-gateway-operator - source: infrawatch-operators + source: "{{ infrawatch_operators }}" sourceNamespace: openshift-marketplace - when: smart_gateway_operator_subscription_manifest is not defined - name: Set default Service Telemetry Operator Subscription manifest + when: service_telemetry_operator_subscription_manifest is not defined ansible.builtin.set_fact: service_telemetry_operator_subscription_manifest: | apiVersion: operators.coreos.com/v1alpha1 
@@ -42,15 +45,15 @@ name: service-telemetry-operator namespace: "{{ namespace }}" spec: - channel: stable-1.5 + channel: "{{ stf_channel }}" installPlanApproval: Automatic name: service-telemetry-operator - source: infrawatch-operators + source: "{{ infrawatch_operators }}" sourceNamespace: openshift-marketplace - when: service_telemetry_operator_subscription_manifest is not defined # enable catalogsource - name: Enable InfraWatch Catalog Source + when: __deploy_from_index_enabled | bool kubernetes.core.k8s: definition: '{{ infrawatch_catalog_source_manifest }}' diff --git a/build/stf-run-ci/tasks/setup_stf_from_bundles.yml b/build/stf-run-ci/tasks/setup_stf_from_bundles.yml index cdb09be85..9406ad278 100644 --- a/build/stf-run-ci/tasks/setup_stf_from_bundles.yml +++ b/build/stf-run-ci/tasks/setup_stf_from_bundles.yml 
@@ -1,81 +1,3 @@ -- when: setup_bundle_registry_auth | bool - block: - - name: Get existing Pull Secret from openshift config - kubernetes.core.k8s_info: - api_version: v1 - kind: Secret - namespace: openshift-config - name: pull-secret - register: pull_secret - - - name: Decode docker config json - ansible.builtin.set_fact: - dockerconfigjson: "{{ pull_secret.resources[0].data['.dockerconfigjson'] | b64decode }}" - - - name: Merge registry creds into auth section of docker config - ansible.builtin.set_fact: - new_dockerauths: "{{ dockerconfigjson['auths'] | combine( { - pull_secret_registry:{ - 'auth': (pull_secret_user ~ ':' ~ pull_secret_pass) | b64encode - } - }) }}" - - - name: Create new docker config - ansible.builtin.set_fact: - new_dockerconfigjson: "{{ dockerconfigjson | combine({'auths': new_dockerauths}) }}" - - - name: Create Pull Secret for bundle registry access (in the local namespace) - kubernetes.core.k8s: - state: present - definition: - apiVersion: v1 - kind: Secret - type: kubernetes.io/dockerconfigjson - metadata: - name: pull-secret - namespace: "{{ namespace }}" - data: - .dockerconfigjson: "{{ new_dockerconfigjson | tojson | b64encode }}" - - - name: Create Pull Secret for bundle registry access (in the global namespace) - kubernetes.core.k8s: - state: present - definition: - apiVersion: v1 - kind: Secret - type: kubernetes.io/dockerconfigjson - metadata: - name: pull-secret - namespace: openshift-config - data: - .dockerconfigjson: "{{ new_dockerconfigjson | tojson | b64encode }}" - -- when: setup_bundle_registry_tls_ca | bool - name: Create registry CA Cert - kubernetes.core.k8s: - state: present - definition: - apiVersion: v1 - kind: Secret - type: Opaque - metadata: - name: registry-tls-ca - namespace: "{{ namespace }}" - data: - cert.pem: "{{ lookup('file', 'CA.pem') | b64encode }}" - -- when: setup_bundle_registry_tls_ca | bool - name: Patch the default service account to use our pull secret - kubernetes.core.k8s_json_patch: - kind: 
ServiceAccount - namespace: "{{ namespace }}" - name: default - patch: - - op: add - path: /imagePullSecrets - value: - - name: pull-secret - # When the task is skipped, pull_secret is still defined. It is set to the task output i.e. # "pull_secret": { # "changed": false, @@ -87,14 +9,6 @@ ansible.builtin.set_fact: pull_secret: '' -- name: "Ensure that the bundle paths are set." - ansible.builtin.assert: - that: - - '__smart_gateway_bundle_image_path | default("") | length > 0' - - '__service_telemetry_bundle_image_path | default("") | length > 0' - fail_msg: "Bundle path(s) not set. __smart_gateway_bundle_image_path is '{{ __smart_gateway_bundle_image_path }}' and __service_telemetry_bundle_image_path is '{{ __service_telemetry_bundle_image_path }}'. Both values need to be set." - success_msg: "Bundle paths are defined, are not None and have a non-zero-length" - - name: Deploy SGO via OLM bundle ansible.builtin.shell: cmd: "{{ base_dir }}/working/operator-sdk-{{ operator_sdk_v1 }} --verbose run bundle {{ __smart_gateway_bundle_image_path }} {% if pull_secret | length > 0 %} --pull-secret-name=pull-secret --ca-secret-name=registry-tls-ca {% endif %} --namespace={{ namespace }} --timeout 600s" diff --git a/build/stf-run-ci/tasks/setup_stf_local_build.yml b/build/stf-run-ci/tasks/setup_stf_local_build.yml index ffe2e7f6a..8c6219250 100644 --- a/build/stf-run-ci/tasks/setup_stf_local_build.yml +++ b/build/stf-run-ci/tasks/setup_stf_local_build.yml @@ -17,6 +17,8 @@ RELATED_IMAGE_BRIDGE_SMARTGATEWAY_TAG={{ sg_bridge_image_path | parse_tag | quote }} \ OPERATOR_IMAGE={{ sgo_image_path | parse_image | quote }} \ OPERATOR_TAG={{ sgo_image_path | parse_tag | quote }} \ + BUNDLE_CHANNELS={{ stf_channel }} \ + BUNDLE_DEFAULT_CHANNEL={{ stf_channel }} \ ./generate_bundle.sh register: generate_bundle_sgo rescue: 
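Review bot: The two added environment assignments interpolate `stf_channel` without the `| quote` filter that every neighbouring assignment in this command uses. A channel value containing spaces or shell metacharacters would be split or interpreted if this runs through a shell; the task header is outside the hunk, so the module is assumed. Suggest `BUNDLE_CHANNELS={{ stf_channel | quote }} \` and `BUNDLE_DEFAULT_CHANNEL={{ stf_channel | quote }} \`. The same applies to the matching pair added in the STO hunk at `@@ -67,6 +69,8 @@`.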
@@ -67,6 +69,8 @@ RELATED_IMAGE_PROMETHEUS_WEBHOOK_SNMP_TAG={{ prometheus_webhook_snmp_image_path | parse_tag | quote }} \ OPERATOR_IMAGE={{ sto_image_path | parse_image | quote }} \ OPERATOR_TAG={{ sto_image_path | parse_tag | quote }} \ + BUNDLE_CHANNELS={{ stf_channel }} \ + BUNDLE_DEFAULT_CHANNEL={{ stf_channel }} \ ./generate_bundle.sh register: generate_bundle_sto rescue: diff --git a/build/stf-run-ci/templates/manifest_elasticsearch.j2 b/build/stf-run-ci/templates/manifest_elasticsearch.j2 index e2e50c6f4..ebd0dc9d0 100644 --- a/build/stf-run-ci/templates/manifest_elasticsearch.j2 +++ b/build/stf-run-ci/templates/manifest_elasticsearch.j2 @@ -33,10 +33,10 @@ spec: resources: limits: cpu: "2" - memory: 4Gi + memory: 2Gi requests: cpu: "1" - memory: 4Gi + memory: 2Gi volumes: - emptyDir: {} name: elasticsearch-data @@ -49,4 +49,5 @@ spec: certificateAuthorities: {} updateStrategy: changeBudget: {} - version: {{ elasticsearch_version }} \ No newline at end of file + version: {{ elasticsearch_version }} + image: {{ elasticsearch_image }}:{{ elasticsearch_version }} diff --git a/ci/README.md b/ci/README.md new file mode 100644 index 000000000..2c559f013 --- /dev/null +++ b/ci/README.md 
@@ -0,0 +1,132 @@ +# service-telemetry-operator CI playbooks + +The playbooks in this directory are used by zuul jobs, which are defined in ../.zuul.yaml. + +## Job descriptions + +### PR jobs + +There are 6 jobs run on every PR that is targeting `master`. +These are reported under the `rdoproject.org/github-check` check. + +Two scenarios run: +- `local_build`, which builds the STF images and deploys by creating a STF object. +- `local_build-index_deploy`, which builds the images and does an index-based deployment + +Each of these scenarios run across the following OCP versions: +- 4.14 +- 4.16 + +### Periodic jobs + +The `nightly_bundles` jobs are run nightly. These jobs deploy STF using the nightly builds published to quay.io. +The same three versions of OCP are used. + +## Job hierarchy + +The jobs in this repo have two base jobs: + +- `stf-base-2node` +- `stf-base` + +These two base jobs are split according to purpose: infrastructure provisioning and STF deployment. + +`stf-base-2node` inherits from jobs defined in [ci-framework](http://github.com/openstack-k8s-operators/ci-framework), [rdo-jobs](https://review.rdoproject.org/cgit/rdo-jobs/) and [rdo/config](https://review.rdoproject.org/cgit/config/) repos. +This job configures the hosts used for running the jobs. +It is expected that `stf-base-2node` should not be modified unless there are changes to the upstream jobs. + +`stf-base` inherits from `stf-base-2node`, and defines the stf-specific parts of the jobs (prepare hosts, build STF images, deploy STF, test STF). + +These jobs are [abstract](https://zuul-ci.org/docs/zuul/latest/config/job.html#attr-job.abstract) and cannot be run directly, however, they contain the plumbing that allows the deployment scenario and OCP version to be configured. + +The scenario (`nightly_bundles`, `local_build`, `local_build-index_deploy`) is selected by passing a `scenario` [var to the job](https://zuul-ci.org/docs/zuul/latest/config/job.html#attr-job.vars). 
+The OCP version is selected by changing the nodeset that is use in the job. + +The jobs are named to describe the combination of scenario and OCP version that is used in the job. +The naming convention is `stf-crc-ocp_- e.g. `stf-crc-ocp_413-local_build` + +## OCP version selection + +The OCP version selection is done by specifying the `nodeset` to be used by the job. +The `nodesets` are defined in `.zuul.yaml`. Each nodeset corresponds to a different version of OCP. +Each nodeset contains two hosts: `crc` and `controller`. +All ansible playbooks are run against `controller`. + +The rest of this section provides further detail on the OCP version selection, and how it relates to CRC and the deployment topology. + +The nodesets select the hosts based on labels in zuul. +The labels available in zuul are shown on the [RDO Zuul labels tab](https://review.rdoproject.org/zuul/labels). + +The labels used for the nodesets are `coreos-crc-extracted--`. +The “extracted” CRC describes the way that the job deploys and interacts with CRC. + +Usually, CRC is run using the `crc start` command, which created a VM on your host which runs the OCP cloud. +In Zuul, the provisioned hosts are also virtual machines, so running `crc start` would result in a VM in a VM. This nested virtualisation causes some performance issues. + +The `extracted` deployment try to address the performance issues associated with nested virtualisation. The infrastructure is more complicated than nested. +The `coreos-crc-extracted-...` labels provide a VM with an extracted CRC VM image, so that the CRC VM can be booted directly by the cloud provider. The `crc` VM is not accessed directly, but via a second `controller` VM, on which tests are run. The `stf-base-2node` job includes a network configuration to make sure the controller can communicate with the OCP deployment in CRC. + +The name of each nodeset corresponds to the version of OCP that is deployed by the CRC image. 
+ +## Adding new jobs + +If a new job needs to be added, it should inherit from `stf-base` ( or one of its child-jobs) which includes common tasks for setting up STF. The new jobs should have minimal configuration lines; either the `scenario` var is passed, which selects a vars file for stf-run-ci, to change its configuration, or the nodeset should be updated, which selects the OCP version. + +Below is an example of how to add a job. Take note of how the `scenario` var and the `nodeset` is passed. + + - job: + name: stf-crc-nightly_bundles + parent: stf-base + abstract: true + description: | + Example of a job that extends the `stf-base` job, and passes the `nightly_bundles` scenario var. This job does NOT have a nodeset defined so it must be abstract. + vars: + scenario: "nightly_bundles" + + + - job: + name: stf-crc-ocp_414-nightly_bundles + parent: stf-crc-nightly_bundles + description: | + Example of a job defining a nodeset to be used. + Since this job derives from a job with a scenario, it can be run directly. + nodeset: stf-crc_extracted-ocp414 + +All non-abstract jobs inheriting from `stf-base` must pass a `scenario` var to work correctly. There is no default value for the `scenario`. +All non-abstract jobs defined in this repo must have a `nodeset` to run correctly. Specifically, the nodeset must include nodes called `controller` and `crc`. This requirements comes from the `stf-base-2node` job. + +Once a new job is defined, it should be added to a project or to the `stf-crc-jobs` [template](https://zuul-ci.org/docs/zuul/latest/config/project.html#project-template) in `.zuul.yaml`. +Any job added to a project is run only against changes to that project. +Any job added to the `stf-crc-jobs` project template is run in the other repos across the infrawatch org. + +## Troubleshooting + +## FAQ + +### How does Zuul work across branches? +Each branch has its own zuul configuration. The configuration for a particular branch lives on that branch. 
+To run jobs on a branch, the `.zuul.yaml` file needs to exist on that branch. + +### How does Zuul decide which branches to check out? + +- For the repo-in-test, zuul checks out the dev branch. +- For all other required repos, zuul checks out the branch with the same name as the target (usually master, sometimes stable*) +- If `branch-override` option is specified in the job definition, then that branch is checked out instead of the default. +- When you use `Depends-On`, it checks out the branch in the referenced PR/changeset. + +### How do I test dependant patches? +If you're working on a a change that involves PRs to multiple repos (which are tested by Zuul), you can add a `Depends-On: ` line to the PR description of your change. + +You can use `Depends-On` to reference a change in any repo that zuul knows about (i.e. included in `project.yaml` in RDO in this case). + +### How do I add Zuul to a new repo? +The Zuul instance we use is hosted by RDO. In order for jobs to be run on a new repo, the following criteria must be met: +- The `softwarefactory-project-zuul` github app must also be added to the organisation (this is already done for infrawatch). +- The repo must be configured in [rdo/config](https://review.rdoproject.org/cgit/config/tree/zuul/rdo.yaml). An example of adding a repo is (here)[https://review.rdoproject.org/r/c/config/+/51666). +- The `softwarefactory-project-zuul` app must have repository access configured for the repo you want to add. This setting can be found in organisation/infrawatch -> settings -> Github Apps. + +### How do I configure job triggers? +In Zuul, jobs themselves don't have triggers. Triggers are configure per-pipeline. +Each job needs to be added to a pipeline to run. + +RDO Zuul defines the (pipelines that we can use)[https://review.rdoproject.org/cgit/config/tree/zuul.d/pipelines.yaml]. 
diff --git a/ci/vars-nightly_bundles-index_deploy.yml b/ci/vars-nightly_bundles-index_deploy.yml new file mode 100644 index 000000000..a50563158 --- /dev/null +++ b/ci/vars-nightly_bundles-index_deploy.yml @@ -0,0 +1,5 @@ +--- +# ansible-playbook -e __local_build_enabled=false -e __deploy_from_index_enabled=true -e __deploy_from_bundles_enabled=true -e __service_telemetry_bundle_image_path=quay.io/infrawatch-operators/service-telemetry-operator-bundle:nightly-head -e __smart_gateway_bundle_image_path=quay.io/infrawatch-operators/smart-gateway-operator-bundle:nightly-head --skip-tags bundle_registry_tls_ca --skip-tags bundle_registry_auth build/run-ci.yaml +__local_build_enabled: false +__deploy_from_bundles_enabled: true +__deploy_from_index_enabled: true diff --git a/deploy/olm-catalog/service-telemetry-operator/Dockerfile.in b/deploy/olm-catalog/service-telemetry-operator/Dockerfile.in index 871edc3c1..c642847c7 100644 --- a/deploy/olm-catalog/service-telemetry-operator/Dockerfile.in +++ b/deploy/olm-catalog/service-telemetry-operator/Dockerfile.in @@ -13,7 +13,7 @@ LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1 LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v0.19.4 LABEL operators.operatorframework.io.metrics.project_layout=ansible LABEL com.redhat.delivery.operator.bundle=true -LABEL com.redhat.openshift.versions="v4.12-v4.14" +LABEL com.redhat.openshift.versions="v4.14-v4.16" LABEL com.redhat.delivery.backport=false LABEL com.redhat.component="service-telemetry-operator-bundle-container" \ diff --git a/deploy/olm-catalog/service-telemetry-operator/manifests/service-telemetry-operator.clusterserviceversion.yaml b/deploy/olm-catalog/service-telemetry-operator/manifests/service-telemetry-operator.clusterserviceversion.yaml index 4ec0f7f5c..953bb7739 100644 --- a/deploy/olm-catalog/service-telemetry-operator/manifests/service-telemetry-operator.clusterserviceversion.yaml 
+++ b/deploy/olm-catalog/service-telemetry-operator/manifests/service-telemetry-operator.clusterserviceversion.yaml @@ -203,6 +203,15 @@ spec: - kind: ServiceMonitors name: servicemonitors.monitoring.coreos.com version: v1 + - kind: ScrapeConfigs + name: scrapeconfigs.monitoring.coreos.com + version: v1alpha1 + - kind: ServiceMonitors + name: servicemonitors.monitoring.rhobs + version: v1 + - kind: ScrapeConfigs + name: scrapeconfigs.monitoring.rhobs + version: v1alpha1 version: v1beta1 description: Service Telemetry Operator for monitoring clouds displayName: Service Telemetry Operator @@ -378,17 +387,21 @@ spec: - apiGroups: - monitoring.coreos.com resources: + - scrapeconfigs - servicemonitors verbs: - get - create + - delete - apiGroups: - monitoring.rhobs resources: + - scrapeconfigs - servicemonitors verbs: - get - create + - delete - apiGroups: - apps resourceNames: diff --git a/deploy/olm-catalog/service-telemetry-operator/metadata/properties.yaml b/deploy/olm-catalog/service-telemetry-operator/metadata/properties.yaml index 5ffce5254..7dd691a01 100644 --- a/deploy/olm-catalog/service-telemetry-operator/metadata/properties.yaml +++ b/deploy/olm-catalog/service-telemetry-operator/metadata/properties.yaml @@ -1,6 +1,6 @@ properties: - type: olm.maxOpenShiftVersion - value: "4.14" + value: "4.16" - type: olm.constraint value: failureMessage: Require Smart Gateway for Service Telemetry Framework diff --git a/deploy/role.yaml b/deploy/role.yaml index cdade2ce7..ba2dfbbe8 100644 --- a/deploy/role.yaml +++ b/deploy/role.yaml @@ -129,17 +129,21 @@ rules: - apiGroups: - monitoring.coreos.com resources: + - scrapeconfigs - servicemonitors verbs: - get - create + - delete - apiGroups: - monitoring.rhobs resources: + - scrapeconfigs - servicemonitors verbs: - get - create + - delete - apiGroups: - apps resourceNames: diff --git a/roles/servicetelemetry/tasks/base_smartgateway.yml b/roles/servicetelemetry/tasks/base_smartgateway.yml index 4d0cfdafd..7077e928d 100644 
--- a/roles/servicetelemetry/tasks/base_smartgateway.yml +++ b/roles/servicetelemetry/tasks/base_smartgateway.yml @@ -6,8 +6,8 @@ k8s: definition: "{{ lookup('template', manifest) | from_yaml }}" -- name: Deploy SG-specific ServiceMonitor for metrics SGs - include_tasks: component_servicemonitor.yml +- name: Deploy SG-specific ScrapeConfig for metrics SGs + include_tasks: component_scrapeconfig.yml when: - data_type == 'metrics' - has_monitoring_api | bool diff --git a/roles/servicetelemetry/tasks/component_alertmanager.yml b/roles/servicetelemetry/tasks/component_alertmanager.yml index 1e5551311..e8d21388d 100644 --- a/roles/servicetelemetry/tasks/component_alertmanager.yml +++ b/roles/servicetelemetry/tasks/component_alertmanager.yml @@ -46,6 +46,7 @@ name: '{{ ansible_operator_meta.name }}' namespace: '{{ ansible_operator_meta.namespace }}' when: + - "'monitoring.rhobs' in api_groups" - observability_strategy not in ['use_redhat', 'use_hybrid'] # TODO: expand the management of alertmanager receivers and move this functionality to a common location diff --git a/roles/servicetelemetry/tasks/component_prometheus.yml b/roles/servicetelemetry/tasks/component_prometheus.yml index 601a28247..a88d8d9ac 100644 --- a/roles/servicetelemetry/tasks/component_prometheus.yml +++ b/roles/servicetelemetry/tasks/component_prometheus.yml @@ -212,6 +212,7 @@ name: '{{ ansible_operator_meta.name }}' namespace: '{{ ansible_operator_meta.namespace }}' when: + - "'monitoring.rhobs' in api_groups" - observability_strategy not in ['use_redhat', 'use_hybrid'] - name: Set default prometheus service template diff --git a/roles/servicetelemetry/tasks/component_prometheus_reader.yml b/roles/servicetelemetry/tasks/component_prometheus_reader.yml index 6cbee8b42..c86f021fc 100644 --- a/roles/servicetelemetry/tasks/component_prometheus_reader.yml +++ b/roles/servicetelemetry/tasks/component_prometheus_reader.yml 
@@ -21,7 +21,7 @@ - apiGroups: - '{{ prometheus_operator_api_string | replace("/v1","") }}' resources: - - prometheus + - prometheuses verbs: - get namespaces: diff --git a/roles/servicetelemetry/tasks/component_qdr.yml b/roles/servicetelemetry/tasks/component_qdr.yml index 7e26e567f..e35c00bc0 100644 --- a/roles/servicetelemetry/tasks/component_qdr.yml +++ b/roles/servicetelemetry/tasks/component_qdr.yml @@ -230,7 +230,6 @@ prefix: ceilometer edgeListeners: - expose: true - host: 0.0.0.0 port: 5671 {% if servicetelemetry_vars.transports.qdr.auth == "basic" %} saslMechanisms: PLAIN @@ -249,9 +248,12 @@ sslProfile: inter-router listeners: - port: 5672 - - expose: {{ servicetelemetry_vars.transports.qdr.web.enabled }} + host: 127.0.0.1 + {% if servicetelemetry_vars.transports.qdr.web.enabled == "true" %} + - expose: true http: true port: 8672 + {% endif %} sslProfiles: - caCert: {{ ansible_operator_meta.name }}-interconnect-openstack-ca credentials: {{ ansible_operator_meta.name }}-interconnect-openstack-credentials diff --git a/roles/servicetelemetry/tasks/component_scrapeconfig.yml b/roles/servicetelemetry/tasks/component_scrapeconfig.yml new file mode 100644 index 000000000..274472262 --- /dev/null +++ b/roles/servicetelemetry/tasks/component_scrapeconfig.yml 
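Review bot: The new guard `{% if servicetelemetry_vars.transports.qdr.web.enabled == "true" %}` in the listeners hunk of component_qdr.yml compares against the string "true", so if the variable arrives as a real boolean the comparison is false and the 8672 web listener is never rendered even when it is enabled. That fails closed, but silently; `{% if servicetelemetry_vars.transports.qdr.web.enabled | bool %}` handles both forms and matches the `| bool` filter already used in base_smartgateway.yml. Binding the 5672 listener to `127.0.0.1` reduces exposure, and a short comment such as `# 5672 is bound to loopback only; it is not meant to be reachable from other pods` would record that intent. The surrounding template starts and ends outside the hunk, so the variable's type could not be confirmed here.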
@@ -0,0 +1,90 @@ +- name: Create an access token for prometheus-stf to use in scrapeconfigs + k8s: + state: '{{ "present" if servicetelemetry_vars.backends.metrics.prometheus.enabled else "absent" }}' + definition: + apiVersion: v1 + kind: Secret + metadata: + name: prometheus-stf-token + namespace: '{{ ansible_operator_meta.namespace }}' + annotations: + kubernetes.io/service-account.name: prometheus-stf + type: kubernetes.io/service-account-token + +- name: Create SG-specific Scrape Config manifest + set_fact: + sg_specific_scrapeconfig_manifest: | + apiVersion: {{ prometheus_operator_api_string | replace("/v1","/v1alpha1") }} + kind: ScrapeConfig + metadata: + labels: + app: smart-gateway + name: '{{ this_smartgateway }}' + namespace: '{{ ansible_operator_meta.namespace }}' + spec: + authorization: + type: bearer + credentials: + name: prometheus-stf-token + key: token + metricRelabelings: + - action: labeldrop + regex: pod + - action: labeldrop + regex: namespace + - action: labeldrop + regex: instance + - action: replace + regex: '.*/(.*)$' + replacement: $1 + sourceLabels: [job] + targetLabel: service + - action: labeldrop + regex: job + - action: labeldrop + regex: publisher + - action: replace + targetLabel: container + replacement: sg-core + - action: replace + targetLabel: endpoint + replacement: prom-https + scheme: HTTPS + scrapeInterval: {{ servicetelemetry_vars.backends.metrics.prometheus.scrape_interval }} + staticConfigs: + - targets: + - '{{ this_smartgateway }}.{{ ansible_operator_meta.namespace }}.svc:8083' + tlsConfig: + ca: + configMap: + name: serving-certs-ca-bundle + key: service-ca.crt + serverName: '{{ this_smartgateway }}.{{ ansible_operator_meta.namespace }}.svc' + +- name: Create ScrapeConfig to scrape Smart Gateway + k8s: + state: '{{ "present" if servicetelemetry_vars.backends.metrics.prometheus.enabled else "absent" }}' + definition: + '{{ sg_specific_scrapeconfig_manifest }}' + +- name: Create additional ScrapeConfig if provided + 
k8s: + state: '{{ "present" if servicetelemetry_vars.backends.metrics.prometheus.enabled else "absent" }}' + definition: + '{{ scrapeconfig_manifest }}' + when: scrapeconfig_manifest is defined + +- name: Create additional ServiceMonitor if provided (legacy) + k8s: + state: '{{ "present" if servicetelemetry_vars.backends.metrics.prometheus.enabled else "absent" }}' + definition: + '{{ servicemonitor_manifest }}' + when: servicemonitor_manifest is defined + +- name: Remove (legacy) default ServiceMonitors + k8s: + state: absent + api_version: '{{ prometheus_operator_api_string }}' + kind: ServiceMonitor + namespace: '{{ ansible_operator_meta.namespace }}' + name: '{{ this_smartgateway }}' \ No newline at end of file diff --git a/roles/servicetelemetry/tasks/component_servicemonitor.yml b/roles/servicetelemetry/tasks/component_servicemonitor.yml deleted file mode 100644 index 753116c46..000000000 --- a/roles/servicetelemetry/tasks/component_servicemonitor.yml +++ /dev/null 
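Review bot: The first task creates a `kubernetes.io/service-account-token` Secret for `prometheus-stf`, which is a long-lived token that does not expire or rotate on its own, where the removed ServiceMonitor used the pod's mounted `bearerTokenFile`. Anyone able to read Secrets in the namespace can now obtain a credential carrying whatever `prometheus-stf` is allowed to do, so that service account's role bindings are worth checking for least privilege, and the trade-off deserves a comment, for example `# ScrapeConfig authorization takes a Secret reference, hence a static SA token; keep prometheus-stf RBAC minimal`. Separately, `scrapeconfig_manifest` and `servicemonitor_manifest` are applied as given; if they come from user-editable input, asserting the expected `kind` and namespace before the `k8s` call would stop the operator from applying arbitrary objects with its own permissions. The file also ends without a trailing newline.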
@@ -1,52 +0,0 @@ -- name: Create SG-specific Service Monitor manifest - set_fact: - sg_specific_servicemonitor_manifest: | - apiVersion: {{ prometheus_operator_api_string }} - kind: ServiceMonitor - metadata: - labels: - app: smart-gateway - name: '{{ this_smartgateway }}' - namespace: '{{ ansible_operator_meta.namespace }}' - spec: - endpoints: - - interval: {{ servicetelemetry_vars.backends.metrics.prometheus.scrape_interval }} - metricRelabelings: - - action: labeldrop - regex: pod - sourcelabels: [] - - action: labeldrop - regex: namespace - sourcelabels: [] - - action: labeldrop - regex: instance - sourcelabels: [] - - action: labeldrop - regex: job - sourcelabels: [] - - action: labeldrop - regex: publisher - sourcelabels: [] - port: prom-https - scheme: https - tlsConfig: - caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt - serverName: "{{ this_smartgateway }}.{{ ansible_operator_meta.namespace }}.svc" - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token - selector: - matchLabels: - app: smart-gateway - smart-gateway: "{{ this_smartgateway }}" - -- name: Create ServiceMonitor to scrape Smart Gateway - k8s: - state: '{{ "present" if servicetelemetry_vars.backends.metrics.prometheus.enabled else "absent" }}' - definition: - '{{ sg_specific_servicemonitor_manifest }}' - -- name: Create additional serviceMonitor if provided - k8s: - state: '{{ "present" if servicetelemetry_vars.backends.metrics.prometheus.enabled else "absent" }}' - definition: - '{{ servicemonitor_manifest }}' - when: servicemonitor_manifest is defined diff --git a/roles/servicetelemetry/templates/manifest_alertmanager.j2 b/roles/servicetelemetry/templates/manifest_alertmanager.j2 index 4e2287fe9..c24dcd603 100644 --- a/roles/servicetelemetry/templates/manifest_alertmanager.j2 +++ b/roles/servicetelemetry/templates/manifest_alertmanager.j2 
@@ -12,7 +12,7 @@ spec: {% endif %} replicas: {{ servicetelemetry_vars.alerting.alertmanager.deployment_size }} serviceAccountName: alertmanager-stf - serviceMonitorSelector: + scrapeConfigSelector: matchLabels: app: smart-gateway listenLocal: true @@ -29,7 +29,7 @@ spec: - -upstream=http://localhost:9093/ - -cookie-secret-file=/etc/proxy/secrets/session_secret - -openshift-service-account=alertmanager-stf - - '-openshift-sar={"namespace":"{{ ansible_operator_meta.namespace }}", "resource": "alertmanagers", "group":"{{ prometheus_operator_api_string | replace("/v1","") }}", "verb":"get"}' + - '-openshift-sar={"namespace":"{{ ansible_operator_meta.namespace }}", "resource": "alertmanagers", "resourceAPIGroup":"{{ prometheus_operator_api_string | replace("/v1","") }}", "verb":"get"}' - '-openshift-delegate-urls={"/": {"namespace":"{{ ansible_operator_meta.namespace }}", "resource": "alertmanagers", "group":"{{ prometheus_operator_api_string | replace("/v1","") }}", "verb":"get"}}' ports: - containerPort: 9095 diff --git a/roles/servicetelemetry/templates/manifest_grafana.j2 b/roles/servicetelemetry/templates/manifest_grafana.j2 index 8b176b103..b7fdd6a4c 100644 --- a/roles/servicetelemetry/templates/manifest_grafana.j2 +++ b/roles/servicetelemetry/templates/manifest_grafana.j2 @@ -42,7 +42,7 @@ spec: - -upstream=http://localhost:3000 - -cookie-secret-file=/etc/proxy/secrets/session_secret - -openshift-service-account=grafana-serviceaccount - - '-openshift-sar={"namespace":"{{ ansible_operator_meta.namespace }}","resource": "grafana", "group":"integreatly.org", "verb":"get"}' + - '-openshift-sar={"namespace":"{{ ansible_operator_meta.namespace }}","resource": "grafanas", "resourceAPIGroup":"integreatly.org", "verb":"get"}' - -openshift-ca=/etc/pki/tls/cert.pem - -openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt ports: 
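Review bot: In the second manifest_alertmanager.j2 hunk the `-openshift-sar` argument now uses `resourceAPIGroup` while the `-openshift-delegate-urls` line directly below it keeps `group`, and nothing in the template says the difference is deliberate. As far as I know the two flags are parsed against different review schemas, so the mismatch is probably correct, but it reads like an incomplete rename and invites a later edit that would change what the proxy authorizes against. A Jinja comment above the args, e.g. `{# openshift-sar and openshift-delegate-urls use different key names for the API group; do not unify #}`, would protect it; the same applies to the manifest_prometheus.j2 hunk, and the two Grafana templates carry the sar form only. A test that a user without `get` on the named resource is refused would also help, since a mis-keyed review may be evaluated against a different resource than intended without any error at deploy time.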
diff --git a/roles/servicetelemetry/templates/manifest_grafana_v5.j2 b/roles/servicetelemetry/templates/manifest_grafana_v5.j2 index 278e452ff..4c775c411 100644 --- a/roles/servicetelemetry/templates/manifest_grafana_v5.j2 +++ b/roles/servicetelemetry/templates/manifest_grafana_v5.j2 @@ -61,7 +61,7 @@ spec: - '-https-address=:3002' - '-http-address=' - '-email-domain=*' - - '-openshift-sar={"namespace":"{{ ansible_operator_meta.namespace }}","resource": "grafana", "group":"grafana.integreatly.org", "verb":"get"}' + - '-openshift-sar={"namespace":"{{ ansible_operator_meta.namespace }}","resource": "grafanas", "resourceAPIGroup":"grafana.integreatly.org", "verb":"get"}' - '-upstream=http://localhost:3000' - '-tls-cert=/etc/tls/private/tls.crt' - '-tls-key=/etc/tls/private/tls.key' diff --git a/roles/servicetelemetry/templates/manifest_prometheus.j2 b/roles/servicetelemetry/templates/manifest_prometheus.j2 index d9610b056..ad9fff789 100644 --- a/roles/servicetelemetry/templates/manifest_prometheus.j2 +++ b/roles/servicetelemetry/templates/manifest_prometheus.j2 @@ -17,7 +17,7 @@ spec: ruleSelector: {} securityContext: {} serviceAccountName: prometheus-stf - serviceMonitorSelector: + scrapeConfigSelector: matchLabels: app: smart-gateway listenLocal: true 
@@ -48,8 +48,8 @@ spec: - -upstream=http://localhost:9090/ - -cookie-secret-file=/etc/proxy/secrets/session_secret - -openshift-service-account=prometheus-stf - - '-openshift-sar={"namespace":"{{ ansible_operator_meta.namespace }}","resource": "prometheus", "group":"{{ prometheus_operator_api_string | replace("/v1","") }}", "verb":"get"}' - - '-openshift-delegate-urls={"/":{"namespace":"{{ ansible_operator_meta.namespace }}","resource": "prometheus", "group":"{{ prometheus_operator_api_string | replace("/v1","") }}", "verb":"get"}}' + - '-openshift-sar={"namespace":"{{ ansible_operator_meta.namespace }}","resource": "prometheuses", "resourceAPIGroup":"{{ prometheus_operator_api_string | replace("/v1","") }}", "verb":"get"}' + - '-openshift-delegate-urls={"/":{"namespace":"{{ ansible_operator_meta.namespace }}","resource": "prometheuses", "group":"{{ prometheus_operator_api_string | replace("/v1","") }}", "verb":"get"}}' ports: - containerPort: 9092 diff --git a/tests/smoketest/smoketest.sh b/tests/smoketest/smoketest.sh index b4a8db29f..c8bfd62c3 100755 --- a/tests/smoketest/smoketest.sh +++ b/tests/smoketest/smoketest.sh @@ -129,8 +129,8 @@ echo "*** [INFO] Showing oc get all..." oc get all echo -echo "*** [INFO] Showing servicemonitors..." -oc get servicemonitors.monitoring.rhobs -o yaml +echo "*** [INFO] Showing scrapeconfigs..." +oc get scrapeconfigs.monitoring.rhobs -o yaml echo if [ "$SMOKETEST_VERBOSE" = "true" ]; then diff --git a/tests/smoketest/smoketest_job.yaml.template b/tests/smoketest/smoketest_job.yaml.template index 12626f3b2..d1a4846fa 100644 --- a/tests/smoketest/smoketest_job.yaml.template +++ b/tests/smoketest/smoketest_job.yaml.template @@ -14,7 +14,7 @@ spec: restartPolicy: Never containers: - name: smoketest-collectd - image: quay.io/tripleomaster/openstack-collectd:current-tripleo + image: quay.io/tripleomastercentos9/openstack-collectd:current-tripleo command: - /smoketest_collectd_entrypoint.sh env: 
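Review bot: The new collectd image in smoketest_job.yaml.template is still referenced by the floating tag `current-tripleo`, so the smoke test runs whatever was last pushed to that repository; the ceilometer image in the file's next hunk has the same form. Pinning by digest (`image: quay.io/tripleomastercentos9/openstack-collectd@sha256:<digest>`, digest shown as a placeholder) or by a dated tag would make runs reproducible and keep an unexpected upstream push from executing in the test cluster. If tracking the latest build is intentional, a comment saying so next to the image line is enough.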
@@ -43,7 +43,7 @@ spec: allowPrivilegeEscalation: false - name: smoketest-ceilometer - image: quay.io/tripleomaster/openstack-ceilometer-notification:current-tripleo + image: quay.io/tripleomastercentos9/openstack-ceilometer-notification:current-tripleo command: - /smoketest_ceilometer_entrypoint.sh env: