WIP: Migrate gen-assembly to OSD

tekton-pipelines/config/ssh-config.yaml

@@ -5,5 +5,7 @@ metadata:
   name: ssh-config
 data:
   known_hosts: |
-    pkgs.devel.redhat.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAplqWKs26qsoaTxvWn3DFcdbiBxqRLhFngGiMYhbudnAj4li9/VwAJqLm1M6YfjOoJrj9dlmuXhNzkSzvyoQODaRgsjCG5FaRjuN8CSM/y+glgCYsWX1HFZSnAasLDuW0ifNLPR2RBkmWx61QKq+TxFDjASBbBywtupJcCsA5ktkjLILS+1eWndPJeSUJiOtzhoN8KIigkYveHSetnxauxv1abqwQTk5PmxRgRt20kZEFSRqZOJUlcl85sZYzNC/G7mneptJtHlcNrPgImuOdus5CW+7W49Z/1xqqWI/iRjwipgEMGusPMlSzdxDX4JzIx6R53pDpAwSAQVGDz4F9eQ==
+    pkgs.devel.redhat.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDT8I6l839M7tb6V/Le8x3pGo3sTo6SG/kMrVwPQ6kUtxuaWKBLCmI1HVawfRbBz4fO+8AifdKjtOKUHcI6iPr8=
     github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
+    github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
+    github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=

tekton-pipelines/externalsecrets/art-bot-github-token.yaml

@@ -0,0 +1,30 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: art-bot-github-token
+spec:
+  data:
+  - remoteRef:
+      conversionStrategy: Default
+      decodingStrategy: Auto
+      key: art-bot-github-token
+      property: token-for-rate-limiting
+    secretKey: token-for-rate-limiting
+  - remoteRef:
+      conversionStrategy: Default
+      decodingStrategy: Auto
+      key: art-bot-github-token
+      property: powerful
+    secretKey: powerful
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: main-secret-store
+  target:
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    name: synced-art-bot-github-token
+    template:
+      engineVersion: v2
+      mergePolicy: Replace
+      type: Opaque

tekton-pipelines/externalsecrets/art-bot-slack-api-token.yaml

@@ -0,0 +1,24 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: art-bot-slack-api-token
+spec:
+  data:
+  - remoteRef:
+      conversionStrategy: Default
+      decodingStrategy: None
+      key: art/prod/art-bot-slack-api-token
+      property: api_token
+    secretKey: api_token
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: main-secret-store
+  target:
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    name: synced-art-bot-slack-api-token
+    template:
+      engineVersion: v2
+      mergePolicy: Replace
+      type: Opaque

tekton-pipelines/externalsecrets/art-publish-ci-dockerconfigjson.yaml

@@ -0,0 +1,23 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: art-publish-ci-dockerconfigjson
+spec:
+  data:
+  - remoteRef:
+      conversionStrategy: Default
+      decodingStrategy: None
+      key: art/prod/art-publish@ci-dockerconfigjson
+    secretKey: .dockerconfigjson
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: main-secret-store
+  target:
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    name: synced-art-publish-ci-dockerconfigjson
+    template:
+      engineVersion: v2
+      mergePolicy: Replace
+      type: kubernetes.io/dockerconfigjson

tekton-pipelines/externalsecrets/art_quay_dev-dockerconfigjson.yaml

@@ -0,0 +1,23 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: art-quay-dev-dockerconfigjson
+spec:
+  data:
+  - remoteRef:
+      conversionStrategy: Default
+      decodingStrategy: None
+      key: art/prod/[email protected]
+    secretKey: .dockerconfigjson
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: main-secret-store
+  target:
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    name: synced-art-quay-dev-dockerconfigjson
+    template:
+      engineVersion: v2
+      mergePolicy: Replace
+      type: kubernetes.io/dockerconfigjson

tekton-pipelines/externalsecrets/exd-ocp-buildvm-bot-prod-keytab.yaml

@@ -0,0 +1,29 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: exd-ocp-buildvm-bot-prod-keytab
+spec:
+  data:
+  - remoteRef:
+      conversionStrategy: Default
+      decodingStrategy: None
+      key: art/prod/exd-ocp-buildvm-bot-prod-keytab-principal
+      property: principal
+    secretKey: principal
+  - remoteRef:
+      conversionStrategy: Default
+      decodingStrategy: None
+      key: art/prod/exd-ocp-buildvm-bot-prod-keytab
+    secretKey: keytab
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: main-secret-store
+  target:
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    name: synced-exd-ocp-buildvm-bot-prod-keytab
+    template:
+      engineVersion: v2
+      mergePolicy: Replace
+      type: Opaque

tekton-pipelines/externalsecrets/openshift-bot-ssh-private-key.yaml

@@ -0,0 +1,34 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: openshift-bot-ssh-private-key
+spec:
+  data:
+  - remoteRef:
+      conversionStrategy: Default
+      decodingStrategy: None
+      key: art/prod/openshift-bot-ssh-private-key
+    secretKey: ssh_privatekey
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: main-secret-store
+  target:
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    name: synced-openshift-bot-ssh-private-key
+    template:
+      engineVersion: v2
+      mergePolicy: Replace
+      type: kubernetes.io/ssh-auth
+      metadata:
+        annotations:
+          tekton.dev/git-0: github.com
+          tekton.dev/git-1: pkgs.devel.redhat.com
+      data:
+        known_hosts: |
+          pkgs.devel.redhat.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDT8I6l839M7tb6V/Le8x3pGo3sTo6SG/kMrVwPQ6kUtxuaWKBLCmI1HVawfRbBz4fO+8AifdKjtOKUHcI6iPr8=
+          github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
+          github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
+          github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
+        ssh-privatekey: "{{ .ssh_privatekey }}"

tekton-pipelines/pipelines/gen-assembly.yaml

@@ -8,7 +8,9 @@ metadata:
 spec:
   description: >-
     Generate a recommended definition for an assembly based on a set of nightlies.
-    This are no side effects from running this job. It is the responsibility of the Artist to check the results into git / releases.yml.
+    Find nightlies ready for release and define an assembly to add to `releases.yml`.
+    A pull request will be automatically created to add the generated assembly definition to releases.yml.
+    It is the responsibility of the ARTist to review and merge the PR.
   params:
     - name: group
       description: Group name. e.g. openshift-4.9
@@ -18,12 +20,31 @@ spec:
       description: Use "true" to generate an assembly definition for a custom release. Custom assemblies are not for official release. They can, for example, not have all required arches for the group.
       default: "false"
     - name: nightlies
-      description: List of nightlies for each arch. For custom releases you do not need a nightly for each arch.
-    - name: in_flight_prev
-      description: (Optional for custom release) This is the in-flight release version of previous minor version of OCP. If there is no in-flight release, use "none".
+      description: (Optional) List of nightlies for each arch. For custom releases you do not need a nightly for each arch.
+      default: ""
+    - name: in-flight-prev
+      description: This is the in-flight release version of previous minor version of OCP. If there is no in-flight release, use "none".
     - name: previous
       description: '(Optional) List of OCP releases that can upgrade to the current release. Leave empty to use suggested value. Otherwise, follow item #6 "PREVIOUS" of the following doc for instructions on how to fill this field: https://mojo.redhat.com/docs/DOC-1201843#jive_content_id_Completing_a_4yz_release'
       default: ""
+    - name: allow-pending
+      description: Match nightlies that have not completed tests
+      default: "false"
+    - name: allow-rejected
+      description: Match nightlies that have failed their tests
+      default: "false"
+    - name: allow-inconsistency
+      description: Allow matching nightlies built from matching commits but with inconsistent RPMs
+      default: "false"
+    - name: limit-arches
+      description: (Optional) Limit included arches. Only applicable to a custom release.
+      default: ""
+    - name: data-path
+      description: (Optional) ocp-build-data fork to use (e.g. assembly definition in your own fork)
+      default: ""
+    - name: dry-run
+      description: Take no action, just echo what the job would have done.
+      default: "false"
   tasks:
     - name: gen-assembly
       taskRef:
@@ -37,10 +58,22 @@ spec:
           value: "$(params.nightlies)"
         - name: custom
           value: "$(params.custom)"
-        - name: in_flight_prev
-          value: "$(params.in_flight_prev)"
+        - name: in-flight-prev
+          value: "$(params.in-flight-prev)"
         - name: previous
           value: "$(params.previous)"
+        - name: allow-pending
+          value: "$(params.allow-pending)"
+        - name: allow-rejected
+          value: "$(params.allow-rejected)"
+        - name: allow-inconsistency
+          value: "$(params.allow-inconsistency)"
+        - name: limit-arches
+          value: "$(params.limit-arches)"
+        - name: data-path
+          value: "$(params.data-path)"
+        - name: dry-run
+          value: "$(params.dry-run)"
 
 ---
 apiVersion: tekton.dev/v1beta1
@@ -59,12 +92,31 @@ spec:
       description: Use "true" to generate an assembly definition for a custom release. Custom assemblies are not for official release. They can, for example, not have all required arches for the group.
       default: "false"
     - name: nightlies
-      description: List of nightlies for each arch. For custom releases you do not need a nightly for each arch.
-    - name: in_flight_prev
+      description: (Optional) List of nightlies for each arch. For custom releases you do not need a nightly for each arch.
+      default: ""
+    - name: in-flight-prev
       description: This is the in-flight release version of previous minor version of OCP. If there is no in-flight release, use "none".
     - name: previous
       description: '(Optional) List of OCP releases that can upgrade to the current release. Leave empty to use suggested value. Otherwise, follow item #6 "PREVIOUS" of the following doc for instructions on how to fill this field: https://mojo.redhat.com/docs/DOC-1201843#jive_content_id_Completing_a_4yz_release'
       default: ""
+    - name: allow-pending
+      description: Match nightlies that have not completed tests
+      default: "false"
+    - name: allow-rejected
+      description: Match nightlies that have failed their tests
+      default: "false"
+    - name: allow-inconsistency
+      description: Allow matching nightlies built from matching commits but with inconsistent RPMs
+      default: "false"
+    - name: limit-arches
+      description: (Optional) Limit included arches. Only applicable to a custom release.
+      default: ""
+    - name: data-path
+      description: (Optional) ocp-build-data fork to use (e.g. assembly definition in your own fork)
+      default: ""
+    - name: dry-run
+      description: Take no action, just echo what the job would have done.
+      default: "false"
   steps:
     - name: gen-assembly
       image: image-registry.openshift-image-registry.svc:5000/hackspace-yuxzhu/artcd:latest
@@ -79,47 +131,63 @@ spec:
             "artcd",
             "-v",
             "--config=/etc/artcd/artcd.toml",
-            "--dry-run",
         ]
 
+        if "$(params.dry-run)" == "true":
+          cmd.append("--dry-run")
+
         cmd.extend([
             "gen-assembly",
             "--group", "$(params.group)",
             "--assembly", "$(params.assembly)",
-            "--allow-pending",
         ])
 
+        if "$(params.data-path)":
+          cmd.append(f"--data-path=$(params.data-path)")
+
+        limit_arches = [p for p in re.split(r'[\s,]', "$(params.limit-arches)") if p]
+        if limit_arches:
+          cmd.extend([f"--arch={p}" for p in limit_arches])
+
         if "$(params.custom)" == "true":
           cmd.append("--custom")
+
+        if "$(params.allow-pending)" == "true":
+          cmd.append("--allow-pending")
+
+        if "$(params.allow-rejected)" == "true":
+          cmd.append("--allow-rejected")
+
+        if "$(params.allow-inconsistency)" == "true":
+          cmd.append("--allow-inconsistency")
+
+        if "$(params.in-flight-prev)" and "$(params.in-flight-prev)" != "none":
+          cmd.append("--in-flight=$(params.in-flight-prev)")
+
+        previous_list = [p for p in re.split(r'[\s,]', "$(params.previous)") if p]
+        if previous_list:
+          cmd.extend([f"--previous={p}" for p in previous_list])
         else:
-          if "$(params.in_flight_prev)" and "$(params.in_flight_prev)" != "none":
-            cmd.append("--in-flight=$(params.in_flight_prev)")
-          previous_list = [p for p in re.split(r'[\s,]', "$(params.previous)") if p]
-          if previous_list:
-            cmd.extend([f"--previous={p}" for p in previous_list])
-          else:
-            cmd.append("--auto-previous")
+          cmd.append("--auto-previous")
+
         nightlies = [n for n in re.split(r'[\s,]', "$(params.nightlies)") if n]
         cmd.extend([f"--nightly={n}" for n in nightlies])
 
+        print(f"Running kinit...")
         subprocess.run(["kinit", "-f", "-k", "-t", "/etc/kerberos-keytab/keytab", "[email protected]"], check=True, universal_newlines=True)
 
         print(f"Running {cmd}...")
-        env=os.environ.copy()
-        subprocess.run(cmd, check=True, universal_newlines=True, env=env)
+        subprocess.run(cmd, check=True, universal_newlines=True, env=os.environ.copy())
       env:
-        # https://github.com/tektoncd/pipeline/issues/2013
-        - name: HOME
-          value: /home/dev
         - name: SLACK_BOT_TOKEN
           valueFrom:
             secretKeyRef:
-              name: art-bot-slack-api-token
+              name: synced-art-bot-slack-api-token
               key: api_token
         - name: GITHUB_TOKEN
           valueFrom:
             secretKeyRef:
-              name: art-bot-github-token
+              name: synced-art-bot-github-token
               key: powerful
       volumeMounts:
         - name: artcd-config
@@ -131,9 +199,6 @@ spec:
         - name: kerberos-config
           mountPath: /etc/krb5.conf.d/krb5-redhat.conf
           subPath: krb5-redhat.conf
-        # - name: registry-cred
-        #   mountPath: /home/dev/.docker/config.json
-        #   subPath: .dockerconfigjson
   volumes:
     - name: artcd-config
       configMap:
@@ -146,10 +211,7 @@ spec:
         name: kerberos-config
     - name: kerberos-keytab
       secret:
-        secretName: exd-ocp-buildvm-bot-prod-keytab
+        secretName: synced-exd-ocp-buildvm-bot-prod-keytab
     - name: art-bot-slack-api-token
       secret:
-        secretName: exd-ocp-buildvm-bot-prod-keytab
-    # - name: registry-cred
-    #   secret:
-    #     secretName: registry-cred
+        secretName: synced-exd-ocp-buildvm-bot-prod-keytab

tekton-pipelines/serviceaccounts/pipeline.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: pipeline
+secrets:
+- name: synced-art-publish-ci-dockerconfigjson
+- name: synced-art-quay-dev-dockerconfigjson
+- name: synced-openshift-bot-ssh-private-key