WIP: Migrate gen-assembly to OSD

tekton-pipelines/config/artcd-config.yaml

@@ -18,13 +18,13 @@ data:
     smtp_server = "smtp.corp.redhat.com"
     from = "[email protected]"
     reply_to = "[email protected]"
-    cc = []
+    cc = ["[email protected]"]
     prepare_release_notification_recipients_ocp4=["[email protected]", "[email protected]", "[email protected]"]
     prepare_release_notification_recipients_ocp3=["[email protected]", "[email protected]", "[email protected]", "[email protected]", "[email protected]", "[email protected]"]
     promote_image_list_recipients = ["[email protected]"]
 
     [jira]
     url = "https://issues.redhat.com"
     [jira.templates]
-    ocp4 = "OCPPLAN-4756"
-    ocp3 = "OCPPLAN-1373"
+    ocp4 = "ART-4223"
+    ocp3 = "ART-4234"

tekton-pipelines/config/doozer-config.yaml

@@ -15,13 +15,16 @@ data:
     group:
 
     #Username for running rhpkg / brew / tito
-    user: ocp-build
+    user: exd-ocp-buildvm-bot-prod
 
     # Pointer to relational db to store info in. Possible values: prod, stage, empty
     # datastore: prod
 
     # cache_dir: /mnt/workspace/jenkins/doozer_cache
 
+    hosts:
+      prodsec_git: git.prodsec.redhat.com
+
     global_opts:
       # num of concurrent distgit pull/pushes
       distgit_threads: 20

tekton-pipelines/config/kerberos-config.yaml

@@ -32,9 +32,13 @@ data:
     # by storing krb5 credential cache into a file rather than kernel keyring.
     # See https://blog.tomecek.net/post/kerberos-in-a-container/
     default_ccache_name = FILE:/tmp/krb5cc_%{uid}
-    rdns = false
-    default_realm = IPA.REDHAT.COM
     dns_lookup_realm = true
     dns_lookup_kdc = true
-    allow_weak_crypto = yes
+    ticket_lifetime = 24h
+    renew_lifetime = 7d
+    forwardable = true
+    rdns = false
+    dns_canonicalize_hostname = false
+    allow_weak_crypto = no
     udp_preference_limit = 0
+    default_realm = IPA.REDHAT.COM

tekton-pipelines/config/ssh-config.yaml

@@ -5,5 +5,7 @@ metadata:
   name: ssh-config
 data:
   known_hosts: |
-    pkgs.devel.redhat.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAplqWKs26qsoaTxvWn3DFcdbiBxqRLhFngGiMYhbudnAj4li9/VwAJqLm1M6YfjOoJrj9dlmuXhNzkSzvyoQODaRgsjCG5FaRjuN8CSM/y+glgCYsWX1HFZSnAasLDuW0ifNLPR2RBkmWx61QKq+TxFDjASBbBywtupJcCsA5ktkjLILS+1eWndPJeSUJiOtzhoN8KIigkYveHSetnxauxv1abqwQTk5PmxRgRt20kZEFSRqZOJUlcl85sZYzNC/G7mneptJtHlcNrPgImuOdus5CW+7W49Z/1xqqWI/iRjwipgEMGusPMlSzdxDX4JzIx6R53pDpAwSAQVGDz4F9eQ==
+    pkgs.devel.redhat.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDT8I6l839M7tb6V/Le8x3pGo3sTo6SG/kMrVwPQ6kUtxuaWKBLCmI1HVawfRbBz4fO+8AifdKjtOKUHcI6iPr8=
     github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
+    github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
+    github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=

tekton-pipelines/externalsecrets/art-bot-github-token.yaml

@@ -0,0 +1,30 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: art-bot-github-token
+spec:
+  data:
+  - remoteRef:
+      conversionStrategy: Default
+      decodingStrategy: Auto
+      key: art-bot-github-token
+      property: token-for-rate-limiting
+    secretKey: token-for-rate-limiting
+  - remoteRef:
+      conversionStrategy: Default
+      decodingStrategy: Auto
+      key: art-bot-github-token
+      property: powerful
+    secretKey: powerful
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: main-secret-store
+  target:
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    name: synced-art-bot-github-token
+    template:
+      engineVersion: v2
+      mergePolicy: Replace
+      type: Opaque

tekton-pipelines/externalsecrets/art-bot-slack-api-token.yaml

@@ -0,0 +1,24 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: art-bot-slack-api-token
+spec:
+  data:
+  - remoteRef:
+      conversionStrategy: Default
+      decodingStrategy: None
+      key: art/prod/art-bot-slack-api-token
+      property: api_token
+    secretKey: api_token
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: main-secret-store
+  target:
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    name: synced-art-bot-slack-api-token
+    template:
+      engineVersion: v2
+      mergePolicy: Replace
+      type: Opaque

tekton-pipelines/externalsecrets/art-publish-ci-dockerconfigjson.yaml

@@ -0,0 +1,23 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: art-publish-ci-dockerconfigjson
+spec:
+  data:
+  - remoteRef:
+      conversionStrategy: Default
+      decodingStrategy: None
+      key: art/prod/art-publish@ci-dockerconfigjson
+    secretKey: .dockerconfigjson
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: main-secret-store
+  target:
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    name: synced-art-publish-ci-dockerconfigjson
+    template:
+      engineVersion: v2
+      mergePolicy: Replace
+      type: kubernetes.io/dockerconfigjson

tekton-pipelines/externalsecrets/art_quay_dev-dockerconfigjson.yaml

@@ -0,0 +1,23 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: art-quay-dev-dockerconfigjson
+spec:
+  data:
+  - remoteRef:
+      conversionStrategy: Default
+      decodingStrategy: None
+      key: art/prod/[email protected]
+    secretKey: .dockerconfigjson
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: main-secret-store
+  target:
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    name: synced-art-quay-dev-dockerconfigjson
+    template:
+      engineVersion: v2
+      mergePolicy: Replace
+      type: kubernetes.io/dockerconfigjson

tekton-pipelines/externalsecrets/exd-ocp-buildvm-bot-prod-keytab.yaml

@@ -0,0 +1,29 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: exd-ocp-buildvm-bot-prod-keytab
+spec:
+  data:
+  - remoteRef:
+      conversionStrategy: Default
+      decodingStrategy: None
+      key: art/prod/exd-ocp-buildvm-bot-prod-keytab-principal
+      property: principal
+    secretKey: principal
+  - remoteRef:
+      conversionStrategy: Default
+      decodingStrategy: None
+      key: art/prod/exd-ocp-buildvm-bot-prod-keytab
+    secretKey: keytab
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: main-secret-store
+  target:
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    name: synced-exd-ocp-buildvm-bot-prod-keytab
+    template:
+      engineVersion: v2
+      mergePolicy: Replace
+      type: Opaque

tekton-pipelines/externalsecrets/openshift-bot-ssh-private-key.yaml

@@ -0,0 +1,34 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: openshift-bot-ssh-private-key
+spec:
+  data:
+  - remoteRef:
+      conversionStrategy: Default
+      decodingStrategy: None
+      key: art/prod/openshift-bot-ssh-private-key
+    secretKey: ssh_privatekey
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: main-secret-store
+  target:
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    name: synced-openshift-bot-ssh-private-key
+    template:
+      engineVersion: v2
+      mergePolicy: Replace
+      type: kubernetes.io/ssh-auth
+      metadata:
+        annotations:
+          tekton.dev/git-0: github.com
+          tekton.dev/git-1: pkgs.devel.redhat.com
+      data:
+        known_hosts: |
+          pkgs.devel.redhat.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDT8I6l839M7tb6V/Le8x3pGo3sTo6SG/kMrVwPQ6kUtxuaWKBLCmI1HVawfRbBz4fO+8AifdKjtOKUHcI6iPr8=
+          github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
+          github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
+          github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
+        ssh-privatekey: "{{ .ssh_privatekey }}"

tekton-pipelines/images/artcd/Containerfile

@@ -1,39 +1,36 @@
-FROM registry.access.redhat.com/ubi8/ubi:8.5 AS builder
+FROM registry.access.redhat.com/ubi9/ubi:9.2 AS builder
 
 # Install build dependencies
 WORKDIR /usr/local/src
 USER root
-RUN dnf -y module enable python36 \
-  && dnf -y install python3 python3-wheel python3-devel gcc krb5-devel wget tar gzip \
-  && python3 -m pip install "pip >= 21"
+RUN dnf -y install python3 python3-pip python3-wheel python3-devel gcc krb5-devel wget tar gzip git
 
 # Download oc
 ARG OC_VERSION=latest
-RUN wget -O openshift-client-linux-"$OC_VERSION".tar.gz https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/"$OC_VERSION"/openshift-client-linux.tar.gz \
-  && tar -xzvf openshift-client-linux-"$OC_VERSION".tar.gz oc kubectl
+RUN wget -O "openshift-client-linux-${OC_VERSION}.tar.gz" "https://mirror.openshift.com/pub/openshift-v4/$(arch)/clients/ocp/${OC_VERSION}/openshift-client-linux.tar.gz" \
+  && tar -xzvf "openshift-client-linux-$OC_VERSION.tar.gz" oc kubectl
 
 # Build pyartcd, elliott, and doozer
-COPY art-tools .
 COPY pyartcd pyartcd
-RUN python3 -m pip wheel --wheel-dir /usr/local/src/wheels --use-deprecated=legacy-resolver \
-  ./elliott ./doozer ./pyartcd
+COPY art-tools art-tools
+RUN python3 -m pip wheel --wheel-dir /usr/local/src/wheels \
+  ./art-tools/elliott ./art-tools/doozer ./pyartcd
 
-
-FROM registry.access.redhat.com/ubi8/ubi:8.5
+FROM registry.access.redhat.com/ubi9/ubi:9.2
 LABEL name="openshift-art/art-cd" \
   maintainer="OpenShift Team Automated Release Tooling <[email protected]>"
 
-# Trust Red Hat IT Root CA
-RUN curl -o /etc/pki/ca-trust/source/anchors/RH-IT-Root-CA.crt --fail -L \
-         https://password.corp.redhat.com/RH-IT-Root-CA.crt \
+# Trust Red Hat IT Root CA certificates
+RUN curl -fLo /etc/pki/ca-trust/source/anchors/2022-IT-Root-CA.pem https://certs.corp.redhat.com/certs/2022-IT-Root-CA.pem \
+  && curl -fLo /etc/pki/ca-trust/source/anchors/2015-IT-Root-CA.pem https://certs.corp.redhat.com/certs/2015-IT-Root-CA.pem \
+  && curl -fLo /etc/pki/ca-trust/source/anchors/RH-IT-Root-CA.crt https://certs.corp.redhat.com/certs/RH-IT-Root-CA.crt \
  && update-ca-trust extract
 
 # Install runtime dependencies
 COPY ./tekton-pipelines/images/artcd/files/ /
 RUN \
   # Configure Python environment
-  dnf -y module enable python36 && dnf -y install python3 \
-  && python3 -m pip install "pip >= 21" \
+  dnf -y install python3 python3-pip \
   # Other tools
   && dnf -y install git brewkoji rhpkg krb5-workstation \
   # Clean up
@@ -47,7 +44,7 @@ COPY --from=builder /usr/local/src/wheels /usr/local/src/wheels
 RUN python3 -m pip install --ignore-installed --no-index --find-links=/usr/local/src/wheels pyartcd rh-elliott rh-doozer \
   && rm /usr/local/src/wheels/*.whl \
   # Make python-certifi trust system CA certificates
-  && python3 -m pip --no-cache-dir install certifi && ln -sf /etc/pki/tls/cert.pem /usr/local/lib/python3.6/site-packages/certifi/cacert.pem
+  && python3 -m pip install pip_system_certs
 
 # Set up user
 RUN useradd -m -d /home/dev -u 1000 dev

tekton-pipelines/images/artcd/files/etc/yum.repos.d/pulp.repo

@@ -1,13 +1,13 @@
 [pulp-dist-baseos]
 name = Dist repo - BaseOS
-baseurl = http://rhsm-pulp.corp.redhat.com/content/dist/rhel8/8/$basearch/baseos/os
+baseurl = http://rhsm-pulp.corp.redhat.com/content/dist/rhel$releasever/$releasever/$basearch/baseos/os
 enabled = 1
 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 gpgcheck = 1
 
 [pulp-dist-appstream]
 name = Dist repo - AppStream
-baseurl = http://rhsm-pulp.corp.redhat.com/content/dist/rhel8/8/$basearch/appstream/os/
+baseurl = http://rhsm-pulp.corp.redhat.com/content/dist/rhel$releasever/$releasever/$basearch/appstream/os/
 enabled = 1
 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 gpgcheck = 1

tekton-pipelines/images/artcd/files/etc/yum.repos.d/rcm-tools.repo

@@ -1,27 +1,27 @@
-[rcm-tools-rhel-8-baseos-rpms]
+[rcm-tools-rhel-$releasever-baseos-rpms]
 name=RCM Tools for Red Hat Enterprise Linux $releasever BaseOS (RPMs)
-baseurl=http://download.devel.redhat.com/rel-eng/RCMTOOLS/latest-RCMTOOLS-2-RHEL-8/compose/BaseOS/$basearch/os/
+baseurl=http://download.devel.redhat.com/rel-eng/RCMTOOLS/latest-RCMTOOLS-2-RHEL-$releasever/compose/BaseOS/$basearch/os/
 enabled=1
 gpgcheck=1
 gpgkey=http://download.devel.redhat.com/rel-eng/RCMTOOLS/RPM-GPG-KEY-rcminternal
 
-[rcm-tools-rhel-8-baseos-source-rpms]
+[rcm-tools-rhel-$releasever-baseos-source-rpms]
 name=RCM Tools for Red Hat Enterprise Linux $releasever BaseOS (Source RPMs)
-baseurl=http://download.devel.redhat.com/rel-eng/RCMTOOLS/latest-RCMTOOLS-2-RHEL-8/compose/BaseOS/source/tree/
+baseurl=http://download.devel.redhat.com/rel-eng/RCMTOOLS/latest-RCMTOOLS-2-RHEL-$releasever/compose/BaseOS/source/tree/
 enabled=0
 gpgcheck=1
 gpgkey=http://download.devel.redhat.com/rel-eng/RCMTOOLS/RPM-GPG-KEY-rcminternal
 
-[rcm-tools-rhel-8-server-optional-rpms]
+[rcm-tools-rhel-$releasever-server-optional-rpms]
 name=RCM Tools for Red Hat Enterprise Linux $releasever BaseOS - Optional (RPMs)
-baseurl=http://download.devel.redhat.com/rel-eng/RCMTOOLS/latest-RCMTOOLS-2-RHEL-8/compose/BaseOS-optional/$basearch/os/
+baseurl=http://download.devel.redhat.com/rel-eng/RCMTOOLS/latest-RCMTOOLS-2-RHEL-$releasever/compose/BaseOS-optional/$basearch/os/
 enabled=1
 gpgcheck=1
 gpgkey=http://download.devel.redhat.com/rel-eng/RCMTOOLS/RPM-GPG-KEY-rcminternal
 
-[rcm-tools-rhel-8-server-optional-source-rpms]
+[rcm-tools-rhel-$releasever-server-optional-source-rpms]
 name=RCM Tools for Red Hat Enterprise Linux $releasever BaseOS - Optional (Source RPMs)
-baseurl=http://download.devel.redhat.com/rel-eng/RCMTOOLS/latest-RCMTOOLS-2-RHEL-8/compose/BaseOS-optional/source/tree/
+baseurl=http://download.devel.redhat.com/rel-eng/RCMTOOLS/latest-RCMTOOLS-2-RHEL-$releasever/compose/BaseOS-optional/source/tree/
 enabled=0
 gpgcheck=1
 gpgkey=http://download.devel.redhat.com/rel-eng/RCMTOOLS/RPM-GPG-KEY-rcminternal

tekton-pipelines/infra/artcd-image-bc.yaml

@@ -13,8 +13,8 @@ spec:
       dockerfilePath: tekton-pipelines/images/artcd/Containerfile
   source:
     git:
-      uri: "https://github.com/openshift-eng/aos-cd-jobs.git"
-      ref: "master"
+      uri: "https://github.com/vfreex/aos-cd-jobs.git"
+      ref: "tekton-pipeline-migration"
   output:
     to:
       kind: "ImageStreamTag"

tekton-pipelines/infra/artcd-is.yaml

@@ -1,5 +1,5 @@
 ---
-apiVersion: v1
+apiVersion: image.openshift.io/v1
 kind: ImageStream
 metadata:
   name: "artcd"