Commit
Update gen-assembly tekton job for ART OSD (#3862)
- Bump base image and dependencies for artcd image
- Update gen-assembly job to use pyartcd
- Add externalsecrets for secrets managed on AWS Secrets Manager
Showing 17 changed files with 407 additions and 149 deletions.
@@ -18,13 +18,13 @@ data: | |
smtp_server = "smtp.corp.redhat.com" | ||
from = "[email protected]" | ||
reply_to = "[email protected]" | ||
cc = [] | ||
cc = ["[email protected]"] | ||
prepare_release_notification_recipients_ocp4=["[email protected]", "[email protected]", "[email protected]"] | ||
prepare_release_notification_recipients_ocp3=["[email protected]", "[email protected]", "[email protected]", "[email protected]", "[email protected]", "[email protected]"] | ||
promote_image_list_recipients = ["[email protected]"] | ||
[jira] | ||
url = "https://issues.redhat.com" | ||
[jira.templates] | ||
ocp4 = "OCPPLAN-4756" | ||
ocp3 = "OCPPLAN-1373" | ||
ocp4 = "ART-4223" | ||
ocp3 = "ART-4234" |
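Review bot: the `[jira.templates]` ticket IDs move from the OCPPLAN project (`OCPPLAN-4756`, `OCPPLAN-1373`) to the ART project (`ART-4223`, `ART-4234`), but neither the commit message nor a comment in the config says why; since these two keys decide which JIRA issue is used as the template for each release stream, add a one-line comment above `[jira.templates]` recording the reason and who owns the new template issues. The new `cc` recipient is likewise unrelated to the gen-assembly migration the commit message describes and deserves a mention there.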
tekton-pipelines/externalsecrets/art-bot-github-token.yaml (26 additions, 0 deletions)
@@ -0,0 +1,26 @@ | ||
apiVersion: external-secrets.io/v1beta1 | ||
kind: ExternalSecret | ||
metadata: | ||
name: art-bot-github-token | ||
spec: | ||
data: | ||
- remoteRef: | ||
key: art-bot-github-token | ||
property: token-for-rate-limiting | ||
secretKey: token-for-rate-limiting | ||
- remoteRef: | ||
key: art-bot-github-token | ||
property: powerful | ||
secretKey: powerful | ||
refreshInterval: 1h | ||
secretStoreRef: | ||
kind: ClusterSecretStore | ||
name: main-secret-store | ||
target: | ||
creationPolicy: Owner | ||
deletionPolicy: Retain | ||
name: synced-art-bot-github-token | ||
template: | ||
engineVersion: v2 | ||
mergePolicy: Replace | ||
type: Opaque |
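Review bot: the synced Secret `synced-art-bot-github-token` bundles two tokens of very different privilege, `token-for-rate-limiting` and `powerful`, in one Kubernetes Secret, so every Task that mounts it for the rate-limit token also receives the powerful one. Split this into two ExternalSecrets with one target Secret each, so a pipeline step can be granted only the key it needs. Also, the `remoteRef.key` here is `art-bot-github-token` with no `art/prod/` prefix, unlike every other ExternalSecret in this commit; confirm that is the real Secrets Manager name and not a typo, since a wrong key only shows up as a sync failure after deployment, not at apply time.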
tekton-pipelines/externalsecrets/art-bot-slack-api-token.yaml (22 additions, 0 deletions)
@@ -0,0 +1,22 @@ | ||
apiVersion: external-secrets.io/v1beta1 | ||
kind: ExternalSecret | ||
metadata: | ||
name: art-bot-slack-api-token | ||
spec: | ||
data: | ||
- remoteRef: | ||
key: art/prod/art-bot-slack-api-token | ||
property: api_token | ||
secretKey: api_token | ||
refreshInterval: 1h | ||
secretStoreRef: | ||
kind: ClusterSecretStore | ||
name: main-secret-store | ||
target: | ||
creationPolicy: Owner | ||
deletionPolicy: Retain | ||
name: synced-art-bot-slack-api-token | ||
template: | ||
engineVersion: v2 | ||
mergePolicy: Replace | ||
type: Opaque |
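Review bot: `deletionPolicy: Retain` means that deleting this ExternalSecret leaves `synced-art-bot-slack-api-token` in the namespace with its last synced value, so decommissioning the sync does not remove the token from the cluster; if the cluster copy is meant to live and die with the ExternalSecret, use `deletionPolicy: Delete` (the same choice is made in the other ExternalSecrets in this commit). If Retain is deliberate, a short comment saying so would save the next reader the question.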
tekton-pipelines/externalsecrets/art-publish-ci-dockerconfigjson.yaml (21 additions, 0 deletions)
@@ -0,0 +1,21 @@ | ||
apiVersion: external-secrets.io/v1beta1 | ||
kind: ExternalSecret | ||
metadata: | ||
name: art-publish-ci-dockerconfigjson | ||
spec: | ||
data: | ||
- remoteRef: | ||
key: art/prod/art-publish@ci-dockerconfigjson | ||
secretKey: .dockerconfigjson | ||
refreshInterval: 1h | ||
secretStoreRef: | ||
kind: ClusterSecretStore | ||
name: main-secret-store | ||
target: | ||
creationPolicy: Owner | ||
deletionPolicy: Retain | ||
name: synced-art-publish-ci-dockerconfigjson | ||
template: | ||
engineVersion: v2 | ||
mergePolicy: Replace | ||
type: kubernetes.io/dockerconfigjson |
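Review bot: the `remoteRef.key` is `art/prod/art-publish@ci-dockerconfigjson`, with an `@` where the resource name and file name use `-` (`art-publish-ci-dockerconfigjson`); confirm the key matches the Secrets Manager entry exactly, because a mismatch is only detected at sync time as a failed ExternalSecret. Since no `property` is set, the whole secret value is written to `.dockerconfigjson`, so the Secrets Manager entry must hold the complete Docker config document (`{"auths": ...}`) and not a wrapper object with the config nested inside.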
tekton-pipelines/externalsecrets/art_quay_dev-dockerconfigjson.yaml (21 additions, 0 deletions)
@@ -0,0 +1,21 @@ | ||
apiVersion: external-secrets.io/v1beta1 | ||
kind: ExternalSecret | ||
metadata: | ||
name: art-quay-dev-dockerconfigjson | ||
spec: | ||
data: | ||
- remoteRef: | ||
key: art/prod/[email protected] | ||
secretKey: .dockerconfigjson | ||
refreshInterval: 1h | ||
secretStoreRef: | ||
kind: ClusterSecretStore | ||
name: main-secret-store | ||
target: | ||
creationPolicy: Owner | ||
deletionPolicy: Retain | ||
name: synced-art-quay-dev-dockerconfigjson | ||
template: | ||
engineVersion: v2 | ||
mergePolicy: Replace | ||
type: kubernetes.io/dockerconfigjson |
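Review bot: the file name `art_quay_dev-dockerconfigjson.yaml` uses an underscore while the resource name `art-quay-dev-dockerconfigjson` and the target Secret `synced-art-quay-dev-dockerconfigjson` use dashes; rename the file to match the resource name so the externalsecrets directory stays searchable by Secret name. As with the other dockerconfigjson ExternalSecret in this commit, there is no `property`, so the entire Secrets Manager value lands in `.dockerconfigjson` and must already be a complete Docker config JSON.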
tekton-pipelines/externalsecrets/exd-ocp-buildvm-bot-prod-keytab.yaml (25 additions, 0 deletions)
@@ -0,0 +1,25 @@ | ||
apiVersion: external-secrets.io/v1beta1 | ||
kind: ExternalSecret | ||
metadata: | ||
name: exd-ocp-buildvm-bot-prod-keytab | ||
spec: | ||
data: | ||
- remoteRef: | ||
key: art/prod/exd-ocp-buildvm-bot-prod-keytab-principal | ||
property: principal | ||
secretKey: principal | ||
- remoteRef: | ||
key: art/prod/exd-ocp-buildvm-bot-prod-keytab | ||
secretKey: keytab | ||
refreshInterval: 1h | ||
secretStoreRef: | ||
kind: ClusterSecretStore | ||
name: main-secret-store | ||
target: | ||
creationPolicy: Owner | ||
deletionPolicy: Retain | ||
name: synced-exd-ocp-buildvm-bot-prod-keytab | ||
template: | ||
engineVersion: v2 | ||
mergePolicy: Replace | ||
type: Opaque |
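Review bot: the second `remoteRef` (`art/prod/exd-ocp-buildvm-bot-prod-keytab`) has no `property`, so the entire Secrets Manager value is written to the `keytab` key; a Kerberos keytab is binary, so that entry must be stored as a raw binary secret rather than a JSON document with the keytab inside, otherwise the mounted file is not a valid keytab and `kinit` fails at run time instead of at apply time. A comment noting that the principal lives in a separate entry (`...-keytab-principal`, property `principal`) would help, since the two halves are easy to confuse.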
tekton-pipelines/externalsecrets/openshift-bot-ssh-private-key.yaml (32 additions, 0 deletions)
@@ -0,0 +1,32 @@ | ||
apiVersion: external-secrets.io/v1beta1 | ||
kind: ExternalSecret | ||
metadata: | ||
name: openshift-bot-ssh-private-key | ||
spec: | ||
data: | ||
- remoteRef: | ||
key: art/prod/openshift-bot-ssh-private-key | ||
secretKey: ssh_privatekey | ||
refreshInterval: 1h | ||
secretStoreRef: | ||
kind: ClusterSecretStore | ||
name: main-secret-store | ||
target: | ||
creationPolicy: Owner | ||
deletionPolicy: Retain | ||
name: synced-openshift-bot-ssh-private-key | ||
template: | ||
engineVersion: v2 | ||
mergePolicy: Replace | ||
type: kubernetes.io/ssh-auth | ||
metadata: | ||
annotations: | ||
tekton.dev/git-0: github.com | ||
tekton.dev/git-1: pkgs.devel.redhat.com | ||
data: | ||
known_hosts: | | ||
pkgs.devel.redhat.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDT8I6l839M7tb6V/Le8x3pGo3sTo6SG/kMrVwPQ6kUtxuaWKBLCmI1HVawfRbBz4fO+8AifdKjtOKUHcI6iPr8= | ||
github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== | ||
github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl | ||
github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg= | ||
ssh-privatekey: "{{ .ssh_privatekey }}" |
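Review bot: the pinned `github.com ssh-rsa` entry in `known_hosts` is the RSA host key that GitHub revoked and replaced in March 2023, so any SSH client that negotiates RSA for github.com will fail host verification against this line; either replace it with the current RSA key GitHub publishes or drop the line and rely on the `ssh-ed25519` and `ecdsa-sha2-nistp256` entries that follow. Pinning host keys in the synced Secret is the right approach, so the fix is only to refresh the stale entry. With `mergePolicy: Replace`, only `known_hosts` and `ssh-privatekey` end up in the target Secret, which is what the `kubernetes.io/ssh-auth` type expects.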
@@ -1,39 +1,36 @@ | ||
FROM registry.access.redhat.com/ubi8/ubi:8.5 AS builder | ||
FROM registry.access.redhat.com/ubi9/ubi:9.2 AS builder | ||
|
||
# Install build dependencies | ||
WORKDIR /usr/local/src | ||
USER root | ||
RUN dnf -y module enable python36 \ | ||
&& dnf -y install python3 python3-wheel python3-devel gcc krb5-devel wget tar gzip \ | ||
&& python3 -m pip install "pip >= 21" | ||
RUN dnf -y install python3 python3-pip python3-wheel python3-devel gcc krb5-devel wget tar gzip git | ||
|
||
# Download oc | ||
ARG OC_VERSION=latest | ||
RUN wget -O openshift-client-linux-"$OC_VERSION".tar.gz https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/"$OC_VERSION"/openshift-client-linux.tar.gz \ | ||
&& tar -xzvf openshift-client-linux-"$OC_VERSION".tar.gz oc kubectl | ||
RUN wget -O "openshift-client-linux-${OC_VERSION}.tar.gz" "https://mirror.openshift.com/pub/openshift-v4/$(arch)/clients/ocp/${OC_VERSION}/openshift-client-linux.tar.gz" \ | ||
&& tar -xzvf "openshift-client-linux-$OC_VERSION.tar.gz" oc kubectl | ||
|
||
# Build pyartcd, elliott, and doozer | ||
COPY art-tools . | ||
COPY pyartcd pyartcd | ||
RUN python3 -m pip wheel --wheel-dir /usr/local/src/wheels --use-deprecated=legacy-resolver \ | ||
./elliott ./doozer ./pyartcd | ||
COPY art-tools art-tools | ||
RUN python3 -m pip wheel --wheel-dir /usr/local/src/wheels \ | ||
./art-tools/elliott ./art-tools/doozer ./pyartcd | ||
|
||
|
||
FROM registry.access.redhat.com/ubi8/ubi:8.5 | ||
FROM registry.access.redhat.com/ubi9/ubi:9.2 | ||
LABEL name="openshift-art/art-cd" \ | ||
maintainer="OpenShift Team Automated Release Tooling <[email protected]>" | ||
|
||
# Trust Red Hat IT Root CA | ||
RUN curl -o /etc/pki/ca-trust/source/anchors/RH-IT-Root-CA.crt --fail -L \ | ||
https://password.corp.redhat.com/RH-IT-Root-CA.crt \ | ||
# Trust Red Hat IT Root CA certificates | ||
RUN curl -fLo /etc/pki/ca-trust/source/anchors/2022-IT-Root-CA.pem https://certs.corp.redhat.com/certs/2022-IT-Root-CA.pem \ | ||
&& curl -fLo /etc/pki/ca-trust/source/anchors/2015-IT-Root-CA.pem https://certs.corp.redhat.com/certs/2015-IT-Root-CA.pem \ | ||
&& curl -fLo /etc/pki/ca-trust/source/anchors/RH-IT-Root-CA.crt https://certs.corp.redhat.com/certs/RH-IT-Root-CA.crt \ | ||
&& update-ca-trust extract | ||
|
||
# Install runtime dependencies | ||
COPY ./tekton-pipelines/images/artcd/files/ / | ||
RUN \ | ||
# Configure Python environment | ||
dnf -y module enable python36 && dnf -y install python3 \ | ||
&& python3 -m pip install "pip >= 21" \ | ||
dnf -y install python3 python3-pip \ | ||
# Other tools | ||
&& dnf -y install git brewkoji rhpkg krb5-workstation \ | ||
# Clean up | ||
|
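Review bot: the `oc`/`kubectl` tarball in the builder stage is extracted straight from `wget` with no integrity check, and the default `ARG OC_VERSION=latest` means two builds of the same Dockerfile can pick up different client binaries; pin `OC_VERSION` to a specific release and verify the download against the `sha256sum.txt` that mirror.openshift.com publishes next to each client tarball (for example `grep openshift-client-linux sha256sum.txt | sha256sum -c`) before `tar -xzvf`. Using `$(arch)` in the URL helps multi-arch builds, but it is evaluated by the shell at build time, so the builder image's architecture, not a `TARGETARCH` build arg, decides which tarball is fetched.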
@@ -47,7 +44,7 @@ COPY --from=builder /usr/local/src/wheels /usr/local/src/wheels | |
RUN python3 -m pip install --ignore-installed --no-index --find-links=/usr/local/src/wheels pyartcd rh-elliott rh-doozer \ | ||
&& rm /usr/local/src/wheels/*.whl \ | ||
# Make python-certifi trust system CA certificates | ||
&& python3 -m pip --no-cache-dir install certifi && ln -sf /etc/pki/tls/cert.pem /usr/local/lib/python3.6/site-packages/certifi/cacert.pem | ||
&& python3 -m pip install pip_system_certs | ||
|
||
# Set up user | ||
RUN useradd -m -d /home/dev -u 1000 dev | ||
|
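Review bot: `python3 -m pip install pip_system_certs` in the runtime stage pulls an unpinned package from the public index at image build time, while everything else in that layer is installed with `--no-index --find-links=/usr/local/src/wheels` from wheels built in the builder stage; add `pip_system_certs` (with a pinned version) to the builder's `pip wheel` step and install it from the same wheel directory so the runtime image does not depend on PyPI and the dependency is reproducible. Dropping the hardcoded `/usr/local/lib/python3.6/site-packages/certifi/cacert.pem` symlink is the right call, since that path no longer matches the Python that ubi9 ships.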
tekton-pipelines/images/artcd/files/etc/yum.repos.d/pulp.repo (2 additions, 2 deletions)
@@ -1,13 +1,13 @@ | ||
[pulp-dist-baseos] | ||
name = Dist repo - BaseOS | ||
baseurl = http://rhsm-pulp.corp.redhat.com/content/dist/rhel8/8/$basearch/baseos/os | ||
baseurl = http://rhsm-pulp.corp.redhat.com/content/dist/rhel$releasever/$releasever/$basearch/baseos/os | ||
enabled = 1 | ||
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release | ||
gpgcheck = 1 | ||
|
||
[pulp-dist-appstream] | ||
name = Dist repo - AppStream | ||
baseurl = http://rhsm-pulp.corp.redhat.com/content/dist/rhel8/8/$basearch/appstream/os/ | ||
baseurl = http://rhsm-pulp.corp.redhat.com/content/dist/rhel$releasever/$releasever/$basearch/appstream/os/ | ||
enabled = 1 | ||
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release | ||
gpgcheck = 1 |
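Review bot: both `baseurl` entries stay on plain `http://`; `gpgcheck=1` protects the RPM payloads, but repository metadata is not verified unless `repo_gpgcheck=1` is set, so a stale or tampered `repomd.xml` served on the build network can hold the image on older package versions without any error. Either switch the mirror URL to https or add `repo_gpgcheck=1` next to `gpgcheck=1`. The `$releasever` change itself is correct and keeps the repo file in step with the `ubi9` base image.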
tekton-pipelines/images/artcd/files/etc/yum.repos.d/rcm-tools.repo (8 additions, 8 deletions)
@@ -1,27 +1,27 @@ | ||
[rcm-tools-rhel-8-baseos-rpms] | ||
[rcm-tools-rhel-$releasever-baseos-rpms] | ||
name=RCM Tools for Red Hat Enterprise Linux $releasever BaseOS (RPMs) | ||
baseurl=http://download.devel.redhat.com/rel-eng/RCMTOOLS/latest-RCMTOOLS-2-RHEL-8/compose/BaseOS/$basearch/os/ | ||
baseurl=http://download.devel.redhat.com/rel-eng/RCMTOOLS/latest-RCMTOOLS-2-RHEL-$releasever/compose/BaseOS/$basearch/os/ | ||
enabled=1 | ||
gpgcheck=1 | ||
gpgkey=http://download.devel.redhat.com/rel-eng/RCMTOOLS/RPM-GPG-KEY-rcminternal | ||
|
||
[rcm-tools-rhel-8-baseos-source-rpms] | ||
[rcm-tools-rhel-$releasever-baseos-source-rpms] | ||
name=RCM Tools for Red Hat Enterprise Linux $releasever BaseOS (Source RPMs) | ||
baseurl=http://download.devel.redhat.com/rel-eng/RCMTOOLS/latest-RCMTOOLS-2-RHEL-8/compose/BaseOS/source/tree/ | ||
baseurl=http://download.devel.redhat.com/rel-eng/RCMTOOLS/latest-RCMTOOLS-2-RHEL-$releasever/compose/BaseOS/source/tree/ | ||
enabled=0 | ||
gpgcheck=1 | ||
gpgkey=http://download.devel.redhat.com/rel-eng/RCMTOOLS/RPM-GPG-KEY-rcminternal | ||
|
||
[rcm-tools-rhel-8-server-optional-rpms] | ||
[rcm-tools-rhel-$releasever-server-optional-rpms] | ||
name=RCM Tools for Red Hat Enterprise Linux $releasever BaseOS - Optional (RPMs) | ||
baseurl=http://download.devel.redhat.com/rel-eng/RCMTOOLS/latest-RCMTOOLS-2-RHEL-8/compose/BaseOS-optional/$basearch/os/ | ||
baseurl=http://download.devel.redhat.com/rel-eng/RCMTOOLS/latest-RCMTOOLS-2-RHEL-$releasever/compose/BaseOS-optional/$basearch/os/ | ||
enabled=1 | ||
gpgcheck=1 | ||
gpgkey=http://download.devel.redhat.com/rel-eng/RCMTOOLS/RPM-GPG-KEY-rcminternal | ||
|
||
[rcm-tools-rhel-8-server-optional-source-rpms] | ||
[rcm-tools-rhel-$releasever-server-optional-source-rpms] | ||
name=RCM Tools for Red Hat Enterprise Linux $releasever BaseOS - Optional (Source RPMs) | ||
baseurl=http://download.devel.redhat.com/rel-eng/RCMTOOLS/latest-RCMTOOLS-2-RHEL-8/compose/BaseOS-optional/source/tree/ | ||
baseurl=http://download.devel.redhat.com/rel-eng/RCMTOOLS/latest-RCMTOOLS-2-RHEL-$releasever/compose/BaseOS-optional/source/tree/ | ||
enabled=0 | ||
gpgcheck=1 | ||
gpgkey=http://download.devel.redhat.com/rel-eng/RCMTOOLS/RPM-GPG-KEY-rcminternal |
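Review bot: every section sets `gpgcheck=1` but fetches the verifying key itself over plain HTTP (`gpgkey=http://download.devel.redhat.com/rel-eng/RCMTOOLS/RPM-GPG-KEY-rcminternal`), so the signature check is only as trustworthy as that unauthenticated download; ship the key in the image under `/etc/pki/rpm-gpg/` and reference it as `file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rcminternal`, the way `pulp.repo` already does for the Red Hat release key, or at least use https for both `gpgkey` and `baseurl`. The `$releasever` parameterisation of the section names and URLs is fine as is.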
@@ -1,5 +1,5 @@ | ||
--- | ||
apiVersion: v1 | ||
apiVersion: image.openshift.io/v1 | ||
kind: ImageStream | ||
metadata: | ||
name: "artcd" | ||
|