diff --git a/.dockerignore b/.dockerignore index 3c00af0d0..181a6871c 100644 --- a/.dockerignore +++ b/.dockerignore @@ -6,7 +6,6 @@ config_frontend coverage dist docs -ingress node_modules overlays packages/components/dist @@ -14,5 +13,4 @@ packages/components/node_modules packages/utils/dist tekton test -testdata vendor diff --git a/base/200-clusterrole-dashboard.yaml b/base/200-clusterrole-dashboard.yaml index 5cf163635..28adfd849 100644 --- a/base/200-clusterrole-dashboard.yaml +++ b/base/200-clusterrole-dashboard.yaml @@ -29,19 +29,3 @@ rules: - deployments verbs: - list - - apiGroups: - - route.openshift.io - resources: - - routes - verbs: - - get - - list - - apiGroups: - - extensions - - apps - resources: - - ingresses - verbs: - - get - - list - - watch diff --git a/cmd/dashboard/main.go b/cmd/dashboard/main.go index c976bfbd8..56e1a4d53 100644 --- a/cmd/dashboard/main.go +++ b/cmd/dashboard/main.go @@ -23,7 +23,6 @@ import ( "time" "github.com/gorilla/csrf" - routeclientset "github.com/openshift/client-go/route/clientset/versioned" dashboardclientset "github.com/tektoncd/dashboard/pkg/client/clientset/versioned" "github.com/tektoncd/dashboard/pkg/controllers" "github.com/tektoncd/dashboard/pkg/endpoints" @@ -121,14 +120,6 @@ func main() { } var triggersClient triggersclientset.Interface - var routeClient routeclientset.Interface - - if *isOpenshift { - routeClient, err = routeclientset.NewForConfig(cfg) - if err != nil { - logging.Log.Errorf("Error building route clientset: %s", err.Error()) - } - } transport, err := rest.TransportFor(cfg) if err != nil { @@ -154,7 +145,6 @@ func main() { PipelineClient: pipelineClient, PipelineResourceClient: pipelineResourceClient, K8sClient: k8sClient, - RouteClient: routeClient, TriggersClient: triggersClient, Options: options, } diff --git a/docs/README.md b/docs/README.md index add59d283..e61cce4a8 100644 --- a/docs/README.md +++ b/docs/README.md 
@@ -109,7 +109,6 @@ Once set up, the dashboard is available in the browser under the address ## What's next -Tekton Dashboard provides many features such as Webhook extension (for setting -up a GitHub repository with a Tekton pipeline in the UI), TLS support, and -Ingress support. For more information, see the +Try out some of our [walkthroughs](./walkthrough) for more details on deploying and configuring the +Tekton Dashboard for some common scenarios. For more information, see the [Tekton Dashboard GitHub repository](https://github.com/tektoncd/dashboard). diff --git a/docs/dev/api.md b/docs/dev/api.md index d19abe289..211d7215e 100644 --- a/docs/dev/api.md +++ b/docs/dev/api.md @@ -1,39 +1,10 @@ # Tekton Dashboard - Backend API -The backend API provides the following endpoints at `/v1/namespaces/`: +The backend API provides the following endpoints: __GET endpoints__ -__Dashboard Endpoints__ -``` -GET /v1/namespaces//endpoints -Get the registered `tekton-dashboard` entry points (route and ingress) host values -Returns HTTP code 200 and the registered dashboard ingress host value -Returns HTTP code 404 if an error occurred getting the ingress - -Example payload response is formatted as so: - -[ - { - "type": "Route", - "url": "tekton-dashboard-tekton-pipelines.apps.192.168.222.145.nip.io" - }, - { - "type": "Ingress", - "url": "tekton-dashboard.192.168.222.145.nip.io" - } -] -``` - -__Dashboard Ingress__ -``` -GET /v1/namespaces//ingress -Get the registered `tekton-dashboard` ingress host value -Returns HTTP code 200 and the registered dashboard ingress host value -Returns HTTP code 404 if an error occurred getting the ingress -``` - __Extensions__ ``` GET /v1/extensions @@ -66,4 +37,3 @@ Example payload response is formatted as so: "ReadOnly": true } ``` - diff --git a/docs/install.md b/docs/install.md index 72cf9ef00..565a81e75 100644 --- a/docs/install.md +++ b/docs/install.md 
@@ -8,8 +8,7 @@ This guide explains how to install Tekton Dashboard. It covers the following top - [Installing with the installer script](#installing-with-the-installer-script) - [Installing Tekton Dashboard on Kubernetes](#installing-tekton-dashboard-on-kubernetes) - [Installing Tekton Dashboard on OpenShift](#installing-tekton-dashboard-on-openshift) -- [Accessing the Dashboard on Kubernetes](#accessing-the-dashboard-on-kubernetes) -- [Accessing the Dashboard on OpenShift](#accessing-the-dashboard-on-openshift) +- [Accessing the Dashboard](#accessing-the-dashboard) - [Uninstalling the Dashboard on Kubernetes](#uninstalling-the-dashboard-on-kubernetes) - [Next steps](#next-steps) @@ -111,15 +110,13 @@ To install Tekton Dashboard on an OpenShift cluster: kubectl apply --filename https://storage.googleapis.com/tekton-releases/dashboard/latest/openshift-tekton-dashboard-release.yaml --validate=false ``` -1. Access the dashboard by determining its route with `kubectl get route tekton-dashboard -n openshift-pipelines` - Congratulations! You have successfully installed Tekton Dashboard on your OpenShift cluster. **Note for users installing Tekton Pipelines and Triggers outside the OpenShift Pipelines operator:** Tekton Dashboard on OpenShift works out of the box with the OpenShift Pipelines operator. If you installed Tekton Pipelines and Triggers without using the OpenShift Pipelines operator, you will need to change the following args `--pipelines-namespace=openshift-pipelines` and `--triggers-namespace=openshift-pipelines` and set their values to the namespace where Pipelines and Triggers were respectively deployed. -## Accessing the Dashboard on Kubernetes +## Accessing the Dashboard By default, the Dashboard is not exposed outside the cluster. 
@@ -184,20 +181,6 @@ Notes: - The exact `Ingress` resource definition may vary a little depending on the ingress controller installed in the cluster. Some specific annotations may be required for the ingress controller to process the `Ingress` resource correctly - If you don't have access to a domain you can use the freely available [`nip.io`](https://nip.io/) service -## Accessing the Dashboard on OpenShift - -Assuming you installed the Dashboard following the instructions in [Installing Tekton Dashboard on OpenShift](#installing-tekton-dashboard-on-openshift), you can access the Dashboard by determining its route. - -Simply browse the url returned by running the following command to access your Dashboard: - -```bash -kubectl get route tekton-dashboard -n openshift-pipelines -``` - -**Known issue:** - -If the default ingress certificate in the OpenShift cluster was changed, for example via [this procedure](https://docs.openshift.com/container-platform/4.3/authentication/certificates/replacing-default-ingress-certificate.html), then the oauth-proxy sidecar might not recognize its certificate, and you might arrive at a "500 Internal Error" page instead of the dashboard. Refer to [this workaround](./oauth-certificate-workaround.md) for a procedure to resolve the issue. - ## Uninstalling the Dashboard on Kubernetes The Dashboard can be uninstalled by running the following command: diff --git a/docs/oauth-certificate-workaround.md b/docs/oauth-certificate-workaround.md deleted file mode 100644 index 1bb905e65..000000000 --- a/docs/oauth-certificate-workaround.md +++ /dev/null 
@@ -1,61 +0,0 @@ -# 500 Internal Error page when accessing the dashboard on OpenShift - -If the default ingress certificate in the OpenShift cluster was changed, then the certificate the OpenShift OAuth server uses might no longer be recognized automatically by the `oauth-proxy` container deployed as a sidecar with the dashboard. In this situation, you may see a "500 Internal Error" page when trying to access the dashboard, with an error message containing "certificate signed by unknown authority". The logs of the `oauth-proxy` container might also show errors like this: -``` -2020/07/07 11:12:13 oauthproxy.go:645: error redeeming code (client: [ IP address elided ]): Post https://oauth-openshift.apps.[ url elided ]/oauth/token: x509: certificate signed by unknown authority -2020/07/07 11:12:13 oauthproxy.go:438: ErrorPage 500 Internal Error Internal Error -``` - -## Workaround - -OpenShift can populate a ConfigMap containing certificates that should be trusted by applications in the cluster. More information on that proccess can be found here: https://docs.openshift.com/container-platform/4.3/networking/configuring-a-custom-pki.html#certificate-injection-using-operators_configuring-a-custom-pki. - -To create that ConfigMap, create a file named "ocp-ca-bundle-configmap.yaml" with these contents: -``` -apiVersion: v1 -kind: ConfigMap -metadata: - labels: - config.openshift.io/inject-trusted-cabundle: "true" - name: ocp-ca-bundle - namespace: tekton-pipelines -``` - -And apply it to the cluster via `oc create -f ocp-ca-bundle-configmap.yaml`. 
- -Then, create a file named "dashboard-patch.yaml" with these contents: -``` -spec: - template: - spec: - containers: - - name: oauth-proxy - args: - - --https-address=:8443 - - --provider=openshift - - --skip-provider-button=true - - --openshift-service-account=tekton-dashboard - - --upstream=http://localhost:9097 - - --tls-cert=/etc/tls/private/tls.crt - - --tls-key=/etc/tls/private/tls.key - - --cookie-secret=SECRET - - --skip-auth-regex=^/v1/extensions/.*\.js - - --openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt - - --openshift-ca=/etc/ocp-injected-certs/tls-ca-bundle.pem - volumeMounts: - - mountPath: /etc/ocp-injected-certs - name: ocp-injected-certs - volumes: - - name: ocp-injected-certs - configMap: - name: ocp-ca-bundle - defaultMode: 420 - items: - - key: ca-bundle.crt - path: tls-ca-bundle.pem -``` - -And apply it to the dashboard deployment via: -``` -oc -n tekton-pipelines patch deployment tekton-dashboard --patch "$(cat dashboard-patch.yaml)" -``` diff --git a/go.mod b/go.mod index f3ff800b2..218789a7f 100644 --- a/go.mod +++ b/go.mod @@ -16,8 +16,6 @@ require ( github.com/google/go-cmp v0.5.0 github.com/gorilla/csrf v1.7.0 github.com/gorilla/websocket v1.4.2 - github.com/openshift/api v3.9.0+incompatible // indirect - github.com/openshift/client-go v0.0.0-20191125132246-f6563a70e19a github.com/tektoncd/pipeline v0.15.2 github.com/tektoncd/plumbing v0.0.0-20200430135134-e53521e1d887 github.com/tektoncd/triggers v0.6.1 diff --git a/go.sum b/go.sum index 29ff8d361..58da3f7b2 100644 --- a/go.sum +++ b/go.sum 
@@ -229,6 +229,7 @@ github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMn github.com/cihub/seelog v0.0.0-20170130134532-f561c5e57575/go.mod h1:9d6lWj8KzO/fd/NrVaLscBKmPigpZpn5YawRPw+e3Yo= github.com/clarketm/json v1.13.4/go.mod h1:ynr2LRfb0fQU34l07csRNBTcivjySLLiY1YzQqKVfdo= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/cloudevents/sdk-go v1.0.0 h1:gS5I0s2qPmdc4GBPlUmzZU7RH30BaiOdcRJ1RkXnPrc= github.com/cloudevents/sdk-go v1.0.0/go.mod h1:3TkmM0cFqkhCHOq5JzzRU/RxRkwzoS8TZ+G448qVTog= github.com/cloudevents/sdk-go/v2 v2.1.0 h1:bmgrU8k+K2ppZ+G/q5xEQx/Xk9HRtJmkrEO3qtDO2k0= github.com/cloudevents/sdk-go/v2 v2.1.0/go.mod h1:3CTrpB4+u7Iaj6fd7E2Xvm5IxMdRoaAhqaRVnOr2rCU= @@ -855,10 +856,6 @@ github.com/opencontainers/runc v0.0.0-20190115041553-12f6a991201f/go.mod h1:qT5X github.com/opencontainers/runc v0.1.1/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U= github.com/opencontainers/runtime-spec v0.1.2-0.20190507144316-5b71a03e2700/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-tools v0.0.0-20181011054405-1d69bd0f9c39/go.mod h1:r3f7wjNzSs2extwzU3Y+6pKfobzPh+kKFJ3ofN+3nfs= -github.com/openshift/api v3.9.0+incompatible h1:fJ/KsefYuZAjmrr3+5U9yZIZbTOpVkDDLDLFresAeYs= -github.com/openshift/api v3.9.0+incompatible/go.mod h1:dh9o4Fs58gpFXGSYfnVxGR9PnV53I8TW84pQaJDdGiY= -github.com/openshift/client-go v0.0.0-20191125132246-f6563a70e19a h1:Otk3CuCAEHiMUr4Er6b+csq4Ar6qilAs9h93tbea+qM= -github.com/openshift/client-go v0.0.0-20191125132246-f6563a70e19a/go.mod h1:6rzn+JTr7+WYS2E1TExP4gByoABxMznR6y2SnUIkmxk= github.com/openzipkin/zipkin-go v0.1.6/go.mod h1:QgAqvLzwWbR/WpD4A3cGpPtJrZXNIiJc5AZX7/PBEpw= github.com/openzipkin/zipkin-go v0.2.0/go.mod h1:NaW6tEwdmWMaCDZzg8sh+IBNOxHMPnhQw8ySjnjRyN4= github.com/openzipkin/zipkin-go v0.2.2 h1:nY8Hti+WKaP0cRsSeQ026wU03QsM762XBeCXBb9NAWI= 
diff --git a/ingress/basic-dashboard-ingress.yaml b/ingress/basic-dashboard-ingress.yaml
deleted file mode 100644
index 7b4655453..000000000
--- a/ingress/basic-dashboard-ingress.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
- name: tekton-dashboard
- namespace: tekton-pipelines
-spec:
- rules:
- - host: replacemeingress.nip.io
- http:
- paths:
- - backend:
- serviceName: tekton-dashboard
- servicePort: 9097
\ No newline at end of file
diff --git a/ingress/https-ingress.yaml b/ingress/https-ingress.yaml
deleted file mode 100644
index 106060f68..000000000
--- a/ingress/https-ingress.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
- name: tekton-dashboard
- namespace: tekton-pipelines
-spec:
- tls:
- - hosts:
- - ${URL}
- secretName: ${CERTIFICATE_SECRET_NAME}
- rules:
- - host: ${URL}
- http:
- paths:
- - backend:
- serviceName: tekton-dashboard
- servicePort: 9097
diff --git a/ingress/ingress-https-setup.sh b/ingress/ingress-https-setup.sh
deleted file mode 100644
index 0e4045085..000000000
--- a/ingress/ingress-https-setup.sh
+++ /dev/null
@@ -1,42 +0,0 @@ -#!/bin/bash - -# path to dashboard repo -export REPO_TOP_LEVEL=$(git rev-parse --show-toplevel) -# path to cert, keys, script & yaml file -export INGRESS_DIR=${REPO_TOP_LEVEL}"/ingress" - -# certificate data -# *Make sure names contain only lowercase alphanumeric characters, . or -. Must start & end with alphanumeric characters* -export CERTIFICATE_KEY="" -export CERTIFICATE_KEY_PASSPHRASE="" -export CERTIFICATE_NAME="" -export CERTIFICATE_SECRET_NAME="" -export IP_ADDRESS=$(ip route get 8.8.8.8 | awk '{print $NF; exit}') -export URL="tekton-dashboard.${IP_ADDRESS}.nip.io" -# optional certificate information -export COUNTRY="" -export STATE="" -export LOCATION="" -export ORGANIZATION="" -export ORGANIZATIONAl_UNIT="" -export COMMON_NAME=$URL - -# delete the current route if one is created otherwise comment out this line -oc delete $(oc get route -o name -n tekton-pipelines) -n tekton-pipelines - -# create a private key for the CA & add passphrase -openssl genrsa -des3 -out ${INGRESS_DIR}/$CERTIFICATE_KEY.pem -passout pass:${CERTIFICATE_KEY_PASSPHRASE} 2048 - -# generate the root CA -openssl req -x509 -new -nodes -key ${INGRESS_DIR}/${CERTIFICATE_KEY}.pem -sha256 -days 1825 -out ${INGRESS_DIR}/${CERTIFICATE_NAME}.pem -passin pass:${CERTIFICATE_KEY_PASSPHRASE} -subj /C=${COUNTRY}/ST=${STATE}/L=${LOCATION}/O=${ORGANIZATION}/OU=${ORGANIZATIONAl_UNIT}/CN=${COMMON_NAME} - -# for some reason the key wasn't being parsed when trying to create it with oc so this command fixes it -openssl rsa -in ${INGRESS_DIR}/${CERTIFICATE_KEY}.pem -out ${INGRESS_DIR}/${CERTIFICATE_KEY}.pem -passin pass:${CERTIFICATE_KEY_PASSPHRASE} - -# create the secret -oc create secret tls ${CERTIFICATE_SECRET_NAME} --cert=${INGRESS_DIR}/${CERTIFICATE_NAME}.pem --key=${INGRESS_DIR}/${CERTIFICATE_KEY}.pem -n tekton-pipelines - -# populate variables in https-ingress & apply yaml file: -envsubst < ${INGRESS_DIR}/https-ingress.yaml | kubectl apply -f - - -echo "Done. 
Now access the host with https://"${URL} diff --git a/overlays/installer/k8s/base/kustomization.yaml b/overlays/installer/k8s/base/kustomization.yaml deleted file mode 100644 index 836d297ad..000000000 --- a/overlays/installer/k8s/base/kustomization.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# Copyright 2020 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ../../base diff --git a/overlays/installer/k8s/read-write/kustomization.yaml b/overlays/installer/k8s/read-write/kustomization.yaml deleted file mode 100644 index 53f89c9be..000000000 --- a/overlays/installer/k8s/read-write/kustomization.yaml +++ /dev/null 
@@ -1,32 +0,0 @@
-# Copyright 2020 The Tekton Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ../base
-patchesJson6902:
- - target:
- group: rbac.authorization.k8s.io
- version: v1
- kind: ClusterRole
- name: tekton-dashboard-backend
- path: ../../../patches/read-write/clusterrole-backend-patch.yaml
- - target:
- group: rbac.authorization.k8s.io
- version: v1
- kind: ClusterRole
- name: tekton-dashboard-tenant
- path: ../../../patches/read-write/clusterrole-tenant-patch.yaml
diff --git a/overlays/installer/openshift/base/kustomization.yaml b/overlays/installer/openshift/base/kustomization.yaml
deleted file mode 100644
index 568d45ebc..000000000
--- a/overlays/installer/openshift/base/kustomization.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-# Copyright 2020 The Tekton Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ../../base
- - ../../../resources/openshift/route.yaml
- - ../../../resources/openshift/route-service.yaml
-patches:
- - ../../../patches/openshift/serviceaccount-patch.yaml
-patchesJson6902:
- - target:
- group: apps
- version: v1
- kind: Deployment
- name: tekton-dashboard
- namespace: tekton-pipelines
- path: ../../../patches/openshift/deployment-patch.yaml
-namespace: tekton-dashboard
diff --git a/overlays/installer/openshift/read-only/kustomization.yaml b/overlays/installer/openshift/read-only/kustomization.yaml
deleted file mode 100644
index 25a9a4e6d..000000000
--- a/overlays/installer/openshift/read-only/kustomization.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-# Copyright 2020 The Tekton Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ../base
diff --git a/overlays/installer/k8s/read-only/kustomization.yaml b/overlays/installer/read-only/kustomization.yaml
similarity index 100%
rename from overlays/installer/k8s/read-only/kustomization.yaml
rename to overlays/installer/read-only/kustomization.yaml
diff --git a/overlays/installer/openshift/read-write/kustomization.yaml b/overlays/installer/read-write/kustomization.yaml
similarity index 87%
rename from overlays/installer/openshift/read-write/kustomization.yaml
rename to overlays/installer/read-write/kustomization.yaml
index 53f89c9be..d02d52631 100644
--- a/overlays/installer/openshift/read-write/kustomization.yaml
+++ b/overlays/installer/read-write/kustomization.yaml
@@ -23,10 +23,10 @@ patchesJson6902:
 version: v1
 kind: ClusterRole
 name: tekton-dashboard-backend
- path: ../../../patches/read-write/clusterrole-backend-patch.yaml
+ path: ../../patches/read-write/clusterrole-backend-patch.yaml
 - target:
 group: rbac.authorization.k8s.io
 version: v1
 kind: ClusterRole
 name: tekton-dashboard-tenant
- path: ../../../patches/read-write/clusterrole-tenant-patch.yaml
+ path: ../../patches/read-write/clusterrole-tenant-patch.yaml
diff --git a/overlays/patches/openshift/deployment-patch.yaml b/overlays/patches/openshift/deployment-patch.yaml
deleted file mode 100644
index 6fbe9cdd2..000000000
--- a/overlays/patches/openshift/deployment-patch.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
-# Copyright 2020 The Tekton Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
----
-- op: add
- path: /spec/template/spec/containers/-
- value:
- name: oauth-proxy
- image: openshift/oauth-proxy:latest
- imagePullPolicy: IfNotPresent
- securityContext:
- runAsUser: 1000
- ports:
- - name: public
- containerPort: 8443
- args:
- - --https-address=:8443
- - --provider=openshift
- - --skip-provider-button=true
- - --openshift-service-account=tekton-dashboard
- - --upstream=http://localhost:9097
- - --tls-cert=/etc/tls/private/tls.crt
- - --tls-key=/etc/tls/private/tls.key
- - --cookie-secret=SECRET
- - --skip-auth-regex=^/v1/extensions/.*\.js
- volumeMounts:
- - name: proxy-tls
- mountPath: /etc/tls/private
-- op: add
- path: /spec/template/spec/volumes/-
- value:
- name: proxy-tls
- secret:
- secretName: proxy-tls
diff --git a/overlays/patches/openshift/serviceaccount-patch.yaml b/overlays/patches/openshift/serviceaccount-patch.yaml
deleted file mode 100644
index 481044fa6..000000000
--- a/overlays/patches/openshift/serviceaccount-patch.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-# Copyright 2020 The Tekton Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app: tekton-dashboard
- name: tekton-dashboard
- namespace: tekton-pipelines
- annotations:
- serviceaccounts.openshift.io/oauth-redirectreference.primary:
- '{"kind":"OAuthRedirectReference","apiVersion":"v1",
- "reference":{"kind":"Route","name":"tekton-dashboard"}}'
diff --git a/overlays/resources/openshift/route-service.yaml b/overlays/resources/openshift/route-service.yaml
deleted file mode 100644
index e9861b627..000000000
--- a/overlays/resources/openshift/route-service.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-# Copyright 2020 The Tekton Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
----
-kind: Service
-apiVersion: v1
-metadata:
- name: tekton-dashboard-secure
- namespace: tekton-pipelines
- labels:
- app.kubernetes.io/component: dashboard
- app.kubernetes.io/instance: default
- app.kubernetes.io/part-of: tekton-dashboard
- annotations:
- service.alpha.openshift.io/serving-cert-secret-name: proxy-tls
-spec:
- ports:
- - name: http
- protocol: TCP
- port: 443
- targetPort: 8443
- selector:
- app.kubernetes.io/component: dashboard
- app.kubernetes.io/instance: default
- app.kubernetes.io/name: dashboard
- app.kubernetes.io/part-of: tekton-dashboard
diff --git a/overlays/resources/openshift/route.yaml b/overlays/resources/openshift/route.yaml
deleted file mode 100644
index c07c6c712..000000000
--- a/overlays/resources/openshift/route.yaml
+++ /dev/null
@@ -1,31 +0,0 @@ -# Copyright 2020 The Tekton Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - ---- -apiVersion: route.openshift.io/v1 -kind: Route -metadata: - name: tekton-dashboard - namespace: tekton-pipelines - labels: - app.kubernetes.io/component: dashboard - app.kubernetes.io/instance: default - app.kubernetes.io/part-of: tekton-dashboard -spec: - to: - kind: Service - name: tekton-dashboard-secure - tls: - termination: Reencrypt - insecureEdgeTerminationPolicy: Redirect diff --git a/pkg/endpoints/cluster.go b/pkg/endpoints/cluster.go index c0c4a1605..7ab77d927 100644 --- a/pkg/endpoints/cluster.go +++ b/pkg/endpoints/cluster.go @@ -46,11 +46,6 @@ type Properties struct { ExternalLogsURL string `json:"ExternalLogsURL"` } -const ( - tektonDashboardIngressName string = "tekton-dashboard" - tektonDashboardRouteName string = "tekton-dashboard" -) - var secretsURIPattern *regexp.Regexp = regexp.MustCompile("/secrets[?/]") // ProxyRequest does as the name suggests: proxies requests and logs what's going on 
@@ -76,85 +71,6 @@ func (r Resource) ProxyRequest(request *restful.Request, response *restful.Respo } } -// GetIngress returns the Ingress endpoint called "tektonDashboardIngressName" in the requested namespace -func (r Resource) GetIngress(request *restful.Request, response *restful.Response) { - requestNamespace := utils.GetNamespace(request) - - ingress, err := r.K8sClient.ExtensionsV1beta1().Ingresses(requestNamespace).Get(tektonDashboardIngressName, metav1.GetOptions{}) - - if err != nil || ingress == nil { - logging.Log.Errorf("Unable to retrieve any ingresses: %s", err) - utils.RespondError(response, err, http.StatusInternalServerError) - return - } - - noRuleError := "no Ingress rules found labelled " + tektonDashboardIngressName - - // Harden this block to avoid Go panics (array index out of range) - if len(ingress.Spec.Rules) > 0 { // Got more than zero entries? - if ingress.Spec.Rules[0].Host != "" { // For that rule, is there actually a host? - ingressHost := ingress.Spec.Rules[0].Host - response.WriteEntity(ingressHost) - return - } - logging.Log.Errorf("found an empty Ingress rule labelled %s", tektonDashboardIngressName) - } else { - logging.Log.Error(noRuleError) - } - - logging.Log.Error("Unable to retrieve any Ingresses") - utils.RespondError(response, err, http.StatusInternalServerError) - return -} - -// GetEndpoints returns the Ingress or Route for the Dashboard -func (r Resource) GetEndpoints(request *restful.Request, response *restful.Response) { - type element struct { - Type string `json:"type"` - Url string `json:"url"` - } - var responses []element - var err error - requestNamespace := utils.GetNamespace(request) - - if r.Options.IsOpenShift { - ingress, err := r.K8sClient.ExtensionsV1beta1().Ingresses(requestNamespace).Get(tektonDashboardIngressName, metav1.GetOptions{}) - noRuleError := "no Ingress rules found labelled " + tektonDashboardIngressName - if err != nil || ingress == nil { - logging.Log.Infof("Unable to retrieve any 
ingresses: %s", err) - } else { - if len(ingress.Spec.Rules) > 0 { // Got more than zero entries? - if ingress.Spec.Rules[0].Host != "" { // For that rule, is there actually a host? - ingressHost := ingress.Spec.Rules[0].Host - responses = append(responses, element{"Ingress", ingressHost}) - } - } else { - logging.Log.Error(noRuleError) - } - } - } else { - route, err := r.RouteClient.RouteV1().Routes(requestNamespace).Get(tektonDashboardIngressName, metav1.GetOptions{}) - noRuleError := "no Route found labelled " + tektonDashboardRouteName - if err != nil || route == nil { - logging.Log.Infof("Unable to retrieve any routes: %s", err) - } else { - if route.Spec.Host != "" { // For that rule, is there actually a host? - routeHost := route.Spec.Host - responses = append(responses, element{"Route", routeHost}) - } else { - logging.Log.Error(noRuleError) - } - } - } - - if len(responses) != 0 { - response.WriteEntity(responses) - } else { - logging.Log.Error("Unable to retrieve any Ingresses or Routes") - utils.RespondError(response, err, http.StatusInternalServerError) - } -} - // GetProperties is used to get the installed namespace for the Dashboard, // the version of the Tekton Dashboard, the version of Tekton Pipelines, whether or not one's // running on OpenShift, when one's in read-only mode and Tekton Triggers version (if Installed) diff --git a/pkg/endpoints/cluster_test.go b/pkg/endpoints/cluster_test.go deleted file mode 100644 index c6e28f116..000000000 --- a/pkg/endpoints/cluster_test.go +++ /dev/null 
@@ -1,55 +0,0 @@
-/*
-Copyright 2019 The Tekton Authors
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
- http://www.apache.org/licenses/LICENSE-2.0
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package endpoints_test
-
-import (
- "encoding/json"
- "fmt"
- "net/http"
- "testing"
-
- "github.com/tektoncd/dashboard/pkg/testutils"
- extensionsV1beta1 "k8s.io/api/extensions/v1beta1"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
-
-func TestGETIngress(t *testing.T) {
- server, r, namespace := testutils.DummyServer()
- defer server.Close()
-
- hostName := "dashboard-host"
- ingress := &extensionsV1beta1.Ingress{ObjectMeta: metav1.ObjectMeta{Name: "tekton-dashboard"}}
- myRule := &extensionsV1beta1.IngressRule{}
- myRule.Host = hostName
-
- myRuleAsArray := make([]extensionsV1beta1.IngressRule, 1)
- myRuleAsArray[0] = *myRule
- ingress.Spec.Rules = myRuleAsArray
-
- _, err := r.K8sClient.ExtensionsV1beta1().Ingresses(namespace).Create(ingress)
- if err != nil {
- t.Fatalf("Error creating ingress '%s': %v\n", ingress.Name, err)
- }
-
- httpReq := testutils.DummyHTTPRequest("GET", fmt.Sprintf("%s/v1/namespaces/%s/ingress", server.URL, namespace), nil)
- response, _ := http.DefaultClient.Do(httpReq)
- responseIngressHost := ""
- if err := json.NewDecoder(response.Body).Decode(&responseIngressHost); err != nil {
- t.Fatalf("Error decoding getIngress response: %v\n", err)
- }
- if responseIngressHost != hostName {
- t.Errorf("Response for getting the Ingress host was %s, should have been %s", responseIngressHost, hostName)
- }
-
-}
diff --git a/pkg/endpoints/types.go b/pkg/endpoints/types.go
index 3927459bd..600eaa501 100644
--- a/pkg/endpoints/types.go
+++ b/pkg/endpoints/types.go
@@ -3,7 +3,6 @@ package endpoints
 import (
 "net/http"
- routeclientset "github.com/openshift/client-go/route/clientset/versioned"
 dashboardclientset "github.com/tektoncd/dashboard/pkg/client/clientset/versioned"
 pipelineclientset "github.com/tektoncd/pipeline/pkg/client/clientset/versioned"
 resourceclientset "github.com/tektoncd/pipeline/pkg/client/resource/clientset/versioned"
@@ -54,7 +53,6 @@ type Resource struct {
 PipelineClient pipelineclientset.Interface
 PipelineResourceClient resourceclientset.Interface
 K8sClient k8sclientset.Interface
- RouteClient routeclientset.Interface
 TriggersClient triggersclientset.Interface
 Options Options
 }
diff --git a/pkg/router/router.go b/pkg/router/router.go
index e4bf225fd..a2a5cfeb6 100644
--- a/pkg/router/router.go
+++ b/pkg/router/router.go
@@ -241,8 +241,6 @@ func registerEndpoints(r endpoints.Resource, container *restful.Container) {
 logging.Log.Info("Adding v1, and API for k8s resources and pipelines")
 wsv1.Route(wsv1.POST("/{namespace}/rerun").To(r.RerunPipelineRun))
- wsv1.Route(wsv1.GET("/{namespace}/ingress").To(r.GetIngress))
- wsv1.Route(wsv1.GET("/{namespace}/endpoints").To(r.GetEndpoints))
 container.Add(wsv1)
diff --git a/pkg/router/routes_test.go b/pkg/router/routes_test.go
index 36041cd47..bfe168322 100644
--- a/pkg/router/routes_test.go
+++ b/pkg/router/routes_test.go
@@ -39,8 +39,6 @@ var excludeRoutes []string = []string{
 "health", // Returns 204
 "readiness", // Returns 204
 "proxy", // Kube API server has its own standard
- "ingress", // Ingress will not exist
- "endpoints", // Route or Ingress will not exist
 "properties", // Pods and namespace will not exist
 }
diff --git a/scripts/installer b/scripts/installer
index e4a0a1cf8..c699af881 100755
--- a/scripts/installer
+++ b/scripts/installer
@@ -82,12 +82,6 @@ debug() {
 compile() {
 local overlay="overlays/installer"
- if [ "$OPENSHIFT" == "true" ]; then
- overlay="$overlay/openshift"
- else
- overlay="$overlay/k8s"
- fi
-
 if [ "$READONLY" == "true" ]; then
 overlay="$overlay/read-only"
 else
@@ -110,10 +104,6 @@ download() {
 local url="$BASE_RELEASE_URL/previous/$VERSION/installer-"
 fi
- if [ "$OPENSHIFT" == "true" ]; then
- url="${url}openshift-"
- fi
-
 url="${url}tekton-dashboard-release"
 if [ "$READONLY" == "true" ]; then
@@ -149,10 +139,6 @@ setup() {
 elif [ "$OPENSHIFT" == "true" ]; then
 TRIGGERS_NAMESPACE="openshift-pipelines"
 fi
-
- if [ -z "$LOGOUT_URL" ] && [ "$OPENSHIFT" == "true" ]; then
- LOGOUT_URL="/oauth/sign_out"
- fi
 }
 replace() {
diff --git a/tekton/README.md b/tekton/README.md
index e737ca1f7..eaa20339d 100644
--- a/tekton/README.md
+++ b/tekton/README.md
@@ -108,56 +108,11 @@ tkn pipeline start dashboard-release -p versionTag=$VERSION_TAG -r dashboard-sou Monitor the build logs to see the image coordinates that the image is pushed to. The release yaml files should appear under https://console.cloud.google.com/storage/browser/tekton-releases/dashboard. -## Running the release pipeline on OpenShift - -Decide which namespace and ServiceAccount you'll use for this process, an example is provided below. - -`oc new-project dashboard-release-pipeline` - -``` -apiVersion: v1 -kind: ServiceAccount -metadata: - name: release-pipeline-sa - namespace: dashboard-release-pipeline -``` - -Run the following commands to get around permission denied problems (as the build step uses `sudo`).: - -``` -oc adm policy add-scc-to-user privileged -z release-pipeline-sa -n dashboard-release-pipeline -oc adm policy add-scc-to-user anyuid -z release-pipeline-sa -n dashboard-release-pipeline -``` - -Next, install the Tekton resources from the main `tekton` folder. - -- `oc apply -f tekton` - -Then, install the Tekton resources from the `openshift` folder: - -- `oc apply -f tekton/openshift` - -- Create your release secret and all Tekton resources in the namespace you've chosen earlier, e.g. 
`dashboard-release-pipeline`: - - ``` - KEY_FILE=$HOME/googlekey/release.json - GENERIC_SECRET=release-secret - kubectl create secret generic $GENERIC_SECRET --from-file=$KEY_FILE -n dashboard-release-pipeline - kubectl patch serviceaccount release-pipeline-sa -n dashboard-release-pipeline -p "{\"secrets\": [{\"name\": \"$GENERIC_SECRET\"}]}" - ``` - -- When you're ready (secret created and patched to the ServiceAccount), specify the namespace with the `tkn` command: - - ``` - tkn pipeline start dashboard-release -p versionTag=v0.6.1 -r dashboard-source-repo=tekton-dashboard-git -r bucket-for-dashboard=tekton-bucket-dashboard -r builtDashboardImage=dashboard-image -n dashboard-release-pipeline -s release-pipeline-sa -p bucketName=mytestbucket - ``` - ## Manually complete the release work We have a number of tasks that are yet to be automated: - Write the release notes -- Attach `.yaml` files from https://console.cloud.google.com/storage/browser/tekton-releases/dashboard - any containers such as `oauth-proxy` should reference an image sha and not a tag such as `latest` -- Note that the image pinning, if doing the release on OpenShift, has not yet been implemented - so you'll have to do this manually until then. That work should be done under https://github.com/tektoncd/dashboard/issues/1384 +- Attach `.yaml` files from https://console.cloud.google.com/storage/browser/tekton-releases/dashboard - Update `/README.md` to add an entry in the table for the new release - Publish the GitHub release diff --git a/tekton/build.yml b/tekton/build.yaml similarity index 100% rename from tekton/build.yml rename to tekton/build.yaml diff --git a/tekton/openshift/publish.yaml b/tekton/openshift/publish.yaml deleted file mode 100644 index 0daec29a8..000000000 --- a/tekton/openshift/publish.yaml +++ /dev/null 
@@ -1,146 +0,0 @@
----
-# yamllint disable rule:line-length
-apiVersion: tekton.dev/v1beta1
-kind: Task
-metadata:
- name: publish-tekton-dashboard
-spec:
- params:
- - name: versionTag
- description: The vX.Y.Z version that the artifacts should be tagged with (including `v`)
- - name: imageRegistry
- description: TODO(#569) This is a hack to make it easy for folks to switch the registry being used by the many many image outputs
- - name: pathToProject
- description: The path to the folder in the go/src dir that contains the project, which is used by `ko` to name the resulting images
- - name: bucketName
- description: Use latest if it's a real release, otherwise the name of a test bucket you've made on GCS
- resources:
- inputs:
- - name: dashboard-source-repo
- type: git
- targetPath: go/src/github.com/tektoncd/dashboard
- - name: bucket-for-dashboard
- type: storage
- outputs:
- - name: bucket-for-dashboard
- type: storage
- - name: builtDashboardImage
- type: image
- steps:
- - name: link-input-bucket-to-output
- image: busybox
- command: ["cp"]
- args:
- - -r
- - "/workspace/bucket-for-dashboard"
- - "/workspace/output/"
- - name: ensure-release-dirs-exist
- image: busybox
- command: ["mkdir"]
- args:
- - "-p"
- - "/workspace/output/bucket-for-dashboard/$(params.bucketName)/"
- - name: dashboard-run-ko
- # TODO(#639) we should be able to use the image built by an upstream Task here instead of hardcoding
- # Want to use your own plumbing image? Change this
- image: gcr.io/tekton-releases/dogfooding/ko:gcloud-latest
- imagePullPolicy: Always
- env:
- - name: KO_DOCKER_REPO
- value: $(params.imageRegistry)
- - name: GOPATH
- value: /workspace/go
- - name: CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE
- value: /secret/release.json
- - name: GO111MODULE
- value:
- command:
- - /bin/sh
- args:
- - -ce
- - |
- set -e
- set -x
-
- # Auth with CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE
- gcloud auth configure-docker
-
- # ko requires this variable to be set in order to set image creation timestamps correctly https://github.com/google/go-containerregistry/pull/146
- export SOURCE_DATE_EPOCH=`date +%s`
-
- # Change to directory with our .ko.yaml
- cd /workspace/go/src/github.com/tektoncd/dashboard
-
- # Rewrite "devel" to params.versionTag
- sed -i 's/devel/$(params.versionTag)/g' /workspace/go/src/github.com/tektoncd/dashboard/base/300-deployment.yaml
- sed -i 's/devel/$(params.versionTag)/g' /workspace/go/src/github.com/tektoncd/dashboard/base/300-service.yaml
- # sed -i 's/devel/$(params.versionTag)/g' /workspace/go/src/github.com/tektoncd/dashboard/overlays/patches/dashboard-service.yaml
- sed -i 's/devel/$(params.versionTag)/g' /workspace/go/src/github.com/tektoncd/dashboard/overlays/resources/openshift/internal-service.yaml
-
- # Publish images and create release.yamls
- which ko # Tested with 0.2.0
- ko version
- kustomize version # Tested with 3.5.4
-
- # add installer script in the release
- cp /workspace/go/src/github.com/tektoncd/dashboard/scripts/installer /workspace/output/bucket-for-dashboard/$(params.bucketName)/installer
-
- # build manifests for installer
- kustomize build overlays/installer/k8s/read-write --load_restrictor none | ko resolve --preserve-import-paths -f - > /workspace/output/bucket-for-dashboard/$(params.bucketName)/installer-tekton-dashboard-release.yaml
- kustomize build overlays/installer/k8s/read-only --load_restrictor none | ko resolve --preserve-import-paths -f - > /workspace/output/bucket-for-dashboard/$(params.bucketName)/installer-tekton-dashboard-release-readonly.yaml
- kustomize build overlays/installer/openshift/read-write --load_restrictor none | ko resolve --preserve-import-paths -f - > /workspace/output/bucket-for-dashboard/$(params.bucketName)/installer-openshift-tekton-dashboard-release.yaml
- kustomize build overlays/installer/openshift/read-only --load_restrictor none | ko resolve --preserve-import-paths -f - > /workspace/output/bucket-for-dashboard/$(params.bucketName)/installer-openshift-tekton-dashboard-release-readonly.yaml
-
- # build pre configured manifests
- ./scripts/installer release --debug --output /workspace/output/bucket-for-dashboard/$(params.bucketName)/tekton-dashboard-release.yaml
- ./scripts/installer release --debug --read-only --output /workspace/output/bucket-for-dashboard/$(params.bucketName)/tekton-dashboard-release-readonly.yaml
- ./scripts/installer release --debug --openshift --output /workspace/output/bucket-for-dashboard/$(params.bucketName)/openshift-tekton-dashboard-release.yaml
- ./scripts/installer release --debug --openshift --read-only --output /workspace/output/bucket-for-dashboard/$(params.bucketName)/openshift-tekton-dashboard-release-readonly.yaml
- volumeMounts:
- - name: gcp-secret
- mountPath: /secret
- # Todo reintroduce lockdown.py step for OpenShift
- - name: tag-images
- image: google/cloud-sdk
- command:
- - /bin/bash
- volumeMounts:
- - name: gcp-secret
- mountPath: /secret
- args:
- - -ce
- - |
- set -e
- set -x
-
- curl https://raw.githubusercontent.com/tektoncd/pipeline/master/tekton/koparse/koparse.py --output /usr/bin/koparse.py
- chmod +x /usr/bin/koparse.py
-
- REGIONS=(us eu asia)
- IMAGES=(
- $(params.imageRegistry)/$(params.pathToProject)/$(resources.outputs.builtDashboardImage.url)
- )
- # Parse the built images from the release.yaml generated by ko
- BUILT_IMAGES=( $(/usr/bin/koparse.py --path /workspace/output/bucket-for-dashboard/$(params.bucketName)/tekton-dashboard-release.yaml --base $(params.imageRegistry)/$(params.pathToProject) --images ${IMAGES[@]}) )
-
- # Auth with account credentials
- gcloud auth activate-service-account --key-file=/secret/release.json
-
- # Tag the images and put them in all the regions
- for IMAGE in "${BUILT_IMAGES[@]}"
- do
- IMAGE_WITHOUT_SHA=${IMAGE%%@*}
- gcloud -q container images add-tag ${IMAGE} ${IMAGE_WITHOUT_SHA}:$(params.bucketName)
- gcloud -q container images add-tag ${IMAGE} ${IMAGE_WITHOUT_SHA}:$(params.versionTag)
- for REGION in "${REGIONS[@]}"
- do
- for TAG in "$(params.bucketName)" $(params.versionTag)
- do
- gcloud -q container images add-tag ${IMAGE} ${REGION}.${IMAGE_WITHOUT_SHA}:$TAG
- done
- done
- done
- volumes:
- - name: gcp-secret
- secret:
- secretName: release-secret
diff --git a/tekton/publish.yaml b/tekton/publish.yaml
index 5df1397a9..a28b4b227 100644
--- a/tekton/publish.yaml
+++ b/tekton/publish.yaml
@@ -93,8 +93,6 @@ spec:
 # build manifests for installer
 kustomize build overlays/installer/k8s/read-write --load_restrictor none | ko resolve --preserve-import-paths -f - > $OUTPUT_BUCKET_RELEASE_DIR/installer-tekton-dashboard-release.yaml
 kustomize build overlays/installer/k8s/read-only --load_restrictor none | ko resolve --preserve-import-paths -f - > $OUTPUT_BUCKET_RELEASE_DIR/installer-tekton-dashboard-release-readonly.yaml
- kustomize build overlays/installer/openshift/read-write --load_restrictor none | ko resolve --preserve-import-paths -f - > $OUTPUT_BUCKET_RELEASE_DIR/installer-openshift-tekton-dashboard-release.yaml
- kustomize build overlays/installer/openshift/read-only --load_restrictor none | ko resolve --preserve-import-paths -f - > $OUTPUT_BUCKET_RELEASE_DIR/installer-openshift-tekton-dashboard-release-readonly.yaml
 # build pre configured manifests
 ./scripts/installer release --debug --output $OUTPUT_BUCKET_RELEASE_DIR/tekton-dashboard-release.yaml
@@ -105,27 +103,6 @@ spec:
 - name: gcp-secret
 mountPath: /secret
- - name: tag-external-images
- image: python
- workingDir: "/workspace/output/bucket-for-dashboard"
- command:
- - /bin/sh
- args:
- - -ce
- - |
- curl https://raw.githubusercontent.com/tektoncd/dashboard/master/tekton/scripts/lockdown.py --output lockdown.py
- chmod +x lockdown.py
- pip install docker
- OUTPUT_BUCKET_RELEASE_DIR="/workspace/output/bucket-for-dashboard/previous/$(params.versionTag)"
-
- for MANIFEST in $OUTPUT_BUCKET_RELEASE_DIR/*.yaml
- do
- ./lockdown.py --omit dashboard --path $MANIFEST
- done
- volumeMounts:
- - name: docker-socket
- mountPath: /var/run/docker.sock
-
 - name: copy-to-latest-bucket
 image: busybox
 workingDir: "/workspace/output/bucket-for-dashboard"
@@ -193,7 +170,3 @@ spec:
 - name: gcp-secret
 secret:
 secretName: release-secret
- - name: docker-socket
- hostPath:
- path: /var/run/docker.sock
- type: Socket
diff --git a/tekton/release-pipeline.yml b/tekton/release-pipeline.yaml
similarity index 100%
rename from tekton/release-pipeline.yml
rename to tekton/release-pipeline.yaml
diff --git a/tekton/scripts/lockdown.py b/tekton/scripts/lockdown.py
deleted file mode 100755
index b81a8c9a9..000000000
--- a/tekton/scripts/lockdown.py
+++ /dev/null
@@ -1,93 +0,0 @@
-#!/usr/bin/env python
-
-"""
-lockdown.py updates release.yaml files
-
-This script does:
-* Parses those external image and adds sha value to them in
- the release.yaml file
-"""
-
-import argparse
-import os
-import re
-import string
-import sys
-import docker
-from typing import List
-
-def scan_release(omit: List[str], path: str) -> List[str]:
- """Extracts built images from the release.yaml at path
- Args:
- omit: The list of images that are omitted from the static image list
- path: The path to the file (release.yaml) that will contain the built images
- Returns:
- list of the images parsed from the file
- """
- print("scan_release")
- images = []
- with open(path) as f:
- print("path: " + path)
- for line in f:
- match = re.search("image:" + ".*" + "latest", line)
- if match:
- exclude = False
- for image in omit:
- if image in line:
- exclude = True
- if not(exclude):
- images.append(match.group(0).replace("image:", "").strip())
- return images
-
-def lockdown_image(images: List[str]) -> List[str]:
- """Lockdown images with the sha value
- Args:
- images: The list of images that are lockdowned
- Returns:
- list of the lockdowned images
- """
- print("lockdown_image")
- taggedimages = []
- client = docker.DockerClient(base_url='unix://var/run/docker.sock')
- for image in images:
- print("image:" + image)
- imageobj = client.images.pull(image)
- taggedimages.append(imageobj.attrs["RepoDigests"][0])
- return taggedimages
-
-def replace_images(org: List[str], new: List[str], path: str):
- """Replace original images with new images in the release.yaml at path
- Args:
- org: The list of original images that are replaced by the new images
- new: The list of new images
- path: The path to the file (release.yaml) that will contain the built images
- """
- print("replace_image")
- with open(path) as f:
- with open(path+".temp", "x") as ff:
- for line in f:
- newline = line
- i = 0
- for o in org:
- match = re.search(o , line)
- if match:
- newline = line.replace(o, new[i])
- i = i + 1
- ff.write(newline)
- os.replace(path+".temp", path)
-
-if __name__ == "__main__":
- arg_parser = argparse.ArgumentParser(
- description="Lockdown external images with sha in a release.yaml")
- arg_parser.add_argument("--path", type=str, required=True,
- help="Path to the release.yaml")
- arg_parser.add_argument("--omit", type=str, required=True,
- help="String prefix which is omitted from the external images")
- args = arg_parser.parse_args()
-
- images = scan_release(args.omit.split(",") , args.path)
- taggedimages = lockdown_image(images)
- replace_images(images, taggedimages, args.path)
-
- print("Done.\n")
-