WIP: Migrate gen-assembly to OSD

openshift-eng · Aug 4, 2023 · fd587fe · fd587fe
1 parent 2895d40
commit fd587fe
Show file tree

Hide file tree

Showing 9 changed files with 172 additions and 10 deletions.
diff --git a/tekton-pipelines/config/ssh-config.yaml b/tekton-pipelines/config/ssh-config.yaml
@@ -5,5 +5,7 @@ metadata:
   name: ssh-config
 data:
   known_hosts: |
-    pkgs.devel.redhat.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAplqWKs26qsoaTxvWn3DFcdbiBxqRLhFngGiMYhbudnAj4li9/VwAJqLm1M6YfjOoJrj9dlmuXhNzkSzvyoQODaRgsjCG5FaRjuN8CSM/y+glgCYsWX1HFZSnAasLDuW0ifNLPR2RBkmWx61QKq+TxFDjASBbBywtupJcCsA5ktkjLILS+1eWndPJeSUJiOtzhoN8KIigkYveHSetnxauxv1abqwQTk5PmxRgRt20kZEFSRqZOJUlcl85sZYzNC/G7mneptJtHlcNrPgImuOdus5CW+7W49Z/1xqqWI/iRjwipgEMGusPMlSzdxDX4JzIx6R53pDpAwSAQVGDz4F9eQ==
+    pkgs.devel.redhat.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDT8I6l839M7tb6V/Le8x3pGo3sTo6SG/kMrVwPQ6kUtxuaWKBLCmI1HVawfRbBz4fO+8AifdKjtOKUHcI6iPr8=
     github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
+    github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
+    github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
diff --git a/tekton-pipelines/externalsecrets/art-bot-github-token.yaml b/tekton-pipelines/externalsecrets/art-bot-github-token.yaml
@@ -0,0 +1,30 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: art-bot-github-token
+spec:
+  data:
+  - remoteRef:
+      conversionStrategy: Default
+      decodingStrategy: Auto
+      key: art-bot-github-token
+      property: token-for-rate-limiting
+    secretKey: token-for-rate-limiting
+  - remoteRef:
+      conversionStrategy: Default
+      decodingStrategy: Auto
+      key: art-bot-github-token
+      property: powerful
+    secretKey: powerful
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: main-secret-store
+  target:
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    name: art-bot-github-token
+    template:
+      engineVersion: v2
+      mergePolicy: Replace
+      type: Opaque
diff --git a/tekton-pipelines/externalsecrets/art-bot-slack-api-token.yaml b/tekton-pipelines/externalsecrets/art-bot-slack-api-token.yaml
@@ -0,0 +1,24 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: art-bot-slack-api-token
+spec:
+  data:
+  - remoteRef:
+      conversionStrategy: Default
+      decodingStrategy: None
+      key: art/prod/art-bot-slack-api-token
+      property: api_token
+    secretKey: api_token
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: main-secret-store
+  target:
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    name: art-bot-slack-api-token
+    template:
+      engineVersion: v2
+      mergePolicy: Replace
+      type: Opaque
diff --git a/tekton-pipelines/externalsecrets/art-publish-ci-dockerconfigjson.yaml b/tekton-pipelines/externalsecrets/art-publish-ci-dockerconfigjson.yaml
@@ -0,0 +1,23 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: art-publish-ci-dockerconfigjson
+spec:
+  data:
+  - remoteRef:
+      conversionStrategy: Default
+      decodingStrategy: None
+      key: art/prod/art-publish@ci-dockerconfigjson
+    secretKey: .dockerconfigjson
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: main-secret-store
+  target:
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    name: art-publish-ci-dockerconfigjson
+    template:
+      engineVersion: v2
+      mergePolicy: Replace
+      type: kubernetes.io/dockerconfigjson
diff --git a/tekton-pipelines/externalsecrets/art_quay_dev-dockerconfigjson.yaml b/tekton-pipelines/externalsecrets/art_quay_dev-dockerconfigjson.yaml
@@ -0,0 +1,23 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: art-quay-dev-dockerconfigjson
+spec:
+  data:
+  - remoteRef:
+      conversionStrategy: Default
+      decodingStrategy: None
+      key: art/prod/[email protected]
+    secretKey: .dockerconfigjson
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: main-secret-store
+  target:
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    name: art-quay-dev-dockerconfigjson
+    template:
+      engineVersion: v2
+      mergePolicy: Replace
+      type: kubernetes.io/dockerconfigjson
diff --git a/tekton-pipelines/externalsecrets/exd-ocp-buildvm-bot-prod-keytab.yaml b/tekton-pipelines/externalsecrets/exd-ocp-buildvm-bot-prod-keytab.yaml
@@ -0,0 +1,29 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: exd-ocp-buildvm-bot-prod-keytab
+spec:
+  data:
+  - remoteRef:
+      conversionStrategy: Default
+      decodingStrategy: None
+      key: art/prod/exd-ocp-buildvm-bot-prod-keytab-principal
+      property: principal
+    secretKey: principal
+  - remoteRef:
+      conversionStrategy: Default
+      decodingStrategy: None
+      key: art/prod/exd-ocp-buildvm-bot-prod-keytab
+    secretKey: keytab
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: main-secret-store
+  target:
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    name: exd-ocp-buildvm-bot-prod-keytab
+    template:
+      engineVersion: v2
+      mergePolicy: Replace
+      type: Opaque
diff --git a/tekton-pipelines/externalsecrets/openshift-bot-ssh-private-key.yaml b/tekton-pipelines/externalsecrets/openshift-bot-ssh-private-key.yaml
@@ -0,0 +1,23 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: openshift-bot-ssh-private-key
+spec:
+  data:
+  - remoteRef:
+      conversionStrategy: Default
+      decodingStrategy: None
+      key: art/prod/openshift-bot-ssh-private-key
+    secretKey: ssh-privatekey
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: main-secret-store
+  target:
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    name: openshift-bot-ssh-private-key
+    template:
+      engineVersion: v2
+      mergePolicy: Replace
+      type: kubernetes.io/ssh-auth
diff --git a/tekton-pipelines/pipelines/gen-assembly.yaml b/tekton-pipelines/pipelines/gen-assembly.yaml
@@ -108,9 +108,9 @@ spec:
         env=os.environ.copy()
         subprocess.run(cmd, check=True, universal_newlines=True, env=env)
       env:
-        # https://github.com/tektoncd/pipeline/issues/2013
-        - name: HOME
-          value: /home/dev
+        # # https://github.com/tektoncd/pipeline/issues/2013
+        # - name: HOME
+        #   value: /home/dev
         - name: SLACK_BOT_TOKEN
           valueFrom:
             secretKeyRef:
@@ -126,14 +126,14 @@ spec:
           mountPath: /etc/artcd/
         - name: doozer-config
           mountPath: /home/dev/.config/doozer/
+        - name: ssh-config
+          mountPath: /home/dev/.ssh/known_hosts
+          subPath: known_hosts
         - name: kerberos-keytab
           mountPath: /etc/kerberos-keytab
         - name: kerberos-config
           mountPath: /etc/krb5.conf.d/krb5-redhat.conf
           subPath: krb5-redhat.conf
-        # - name: registry-cred
-        #   mountPath: /home/dev/.docker/config.json
-        #   subPath: .dockerconfigjson
   volumes:
     - name: artcd-config
       configMap:
@@ -150,6 +150,6 @@ spec:
     - name: art-bot-slack-api-token
       secret:
         secretName: exd-ocp-buildvm-bot-prod-keytab
-    # - name: registry-cred
-    #   secret:
-    #     secretName: registry-cred
+    - name: ssh-config
+      configMap:
+        name: ssh-config
diff --git a/tekton-pipelines/serviceaccounts/pipeline.yaml b/tekton-pipelines/serviceaccounts/pipeline.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: pipeline
+secrets:
+- name: art-publish-ci-dockerconfigjson
+- name: art-quay-dev-dockerconfigjson
+- name: openshift-bot-ssh-private-key