diff --git a/roles/osbs-namespace/README.md b/roles/osbs-namespace/README.md index c29851f238..18de59f1b3 100644 --- a/roles/osbs-namespace/README.md +++ b/roles/osbs-namespace/README.md @@ -1,5 +1,5 @@ -Role Name -========= +osbs-namespace +============== Setup an OpenShift namespace as required by OSBS: - Create namespace, also referred to as project (`osbs_namespace`) @@ -52,13 +52,26 @@ Role Variables max_concurrent_builds: 6 openshift_url: https://my-ppc64le-cluster.fedoraproject.org:8443 + # Reactor config maps to be created in orchestrator namespace + osbs_reactor_config_maps: + - name: reactor-config-map + # See config.json schema in atomic-reactor project for details: + # https://github.com/projectatomic/atomic-reactor/blob/master/atomic_reactor/schemas/config.json + data: + clusters: + x86_64: + - enabled: true + max_concurrent_builds: 10 + name: x86_64-on-premise + version: 1 + # Service accounts to be created - these accounts will also be bound to # edit clusterrole and osbs-custom-build role in specified namespace osbs_service_accounts: - bot - ci - # User and groups to be assigned view clusterrole in specified namespace + # Users and groups to be assigned view clusterrole in specified namespace osbs_readonly_groups: - group1 - group2 @@ -84,6 +97,14 @@ Role Variables - user1 - user2 + # Users and groups to be assigned cluster-reader clusterrole cluster wide + osbs_cluster_reader_groups: + - group1 + - group2 + osbs_cluster_reader_users: + - user1 + - user2 + # Koji integration osbs_koji_secret_name: kojisecret osbs_koji_hub: https://koji.fedoraproject.org # Empty default value diff --git a/roles/osbs-namespace/defaults/main.yml b/roles/osbs-namespace/defaults/main.yml index e24261056b..48de1bc1dd 100644 --- a/roles/osbs-namespace/defaults/main.yml +++ b/roles/osbs-namespace/defaults/main.yml 
@@ -14,6 +14,8 @@ osbs_cpu_limitrange: '' osbs_admin_groups: [] osbs_admin_users: [] +osbs_cluster_reader_groups: [] +osbs_cluster_reader_users: [] osbs_readonly_groups: [] osbs_readonly_users: [] osbs_readwrite_groups: [] @@ -32,7 +34,7 @@ osbs_pulp_secret_name: pulpsecret osbs_registry_api_versions: - v1 - v2 -osbs_registry_secret_name: '' +osbs_registry_secret_name: v2-registry-dockercfg osbs_registry_uri: '' osbs_source_registry_uri: '' osbs_build_json_dir: /usr/share/osbs @@ -54,7 +56,7 @@ osbs_serviceaccount_pruner: '' osbs_odcs_enabled: false osbs_odcs_signing_intents: {} osbs_odcs_default_signing_intent: null +osbs_odcs_api_url: '' +osbs_odcs_auth_ssl_certs_dir: /usr/share/osbs -koji_use_kerberos: false -koji_kerberos_keytab: '' -koji_kerberos_principal: '' +osbs_reactor_config_maps: [] diff --git a/roles/osbs-namespace/filter_plugins/__init__.py b/roles/osbs-namespace/filter_plugins/__init__.py new file mode 100644 index 0000000000..e69de29bb2 diff --git a/roles/osbs-namespace/filter_plugins/with_isolated_workers.py b/roles/osbs-namespace/filter_plugins/with_isolated_workers.py new file mode 100644 index 0000000000..8e8daa4d45 --- /dev/null +++ b/roles/osbs-namespace/filter_plugins/with_isolated_workers.py 
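Review bot: Dropping the `koji_use_kerberos`, `koji_kerberos_keytab` and `koji_kerberos_principal` defaults here, together with their lines in client-config-secret.conf.j2 later in this commit, means an inventory that still sets them is silently ignored rather than failing, and the README hunk in this commit does not mention the removal. The same file also changes `osbs_registry_secret_name` from `''` to `v2-registry-dockercfg`, so a registry secret of that name is presumably referenced by default where previously none was; that is a behaviour change for existing deployments and belongs in the README's Role Variables section. I would add above the new default: `# A registry secret with this name is expected to exist in the namespace; set to '' to reference none`.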
@@ -0,0 +1,56 @@
+"""
+Copyright (c) 2018 Red Hat, Inc
+All rights reserved.
+
+This software may be modified and distributed under the terms
+of the BSD license. See the LICENSE file for details.
+"""
+from copy import deepcopy
+import re
+
+
+# Negative regex used to exclude characters that are not allowed
+# in naming a kubernetes resource
+INVALID_KUBERNETES_NAME_CHARS = re.compile(r'[^a-z0-9\.-]+')
+
+
+class FilterModule(object):
+    def filters(self):
+        return {'with_isolated_workers': do_with_isolated_workers}
+
+
+def do_with_isolated_workers(reactor_configs):
+    """Generate reactor configs for each worker cluster
+
+    :param reactor_configs: list, each dict should contain a name and
+    a data key. The value of name key is used to name the config map object
+    and the value of data key is a reactor config
+
+    :return: a new list of reactor configs that contains new reactor configs
+    for each worker cluster in addition to the original reactor configs
+    """
+    all_configs = list(reactor_configs)
+
+    for config in reactor_configs:
+        clusters = config.get('data', {}).get('clusters', {})
+        for arch, workers_info in clusters.items():
+            for worker_info in workers_info:
+                worker_info = deepcopy(worker_info)
+                worker_info['enabled'] = True
+
+                worker_config = deepcopy(config)
+
+                name = _clean_kubernetes_name(config['name'] + '-' + worker_info['name'])
+                worker_config['name'] = name
+
+                worker_config['data']['clusters'] = {arch: [worker_info]}
+
+                all_configs.append(worker_config)
+
+    return all_configs
+
+
+def _clean_kubernetes_name(name):
+    name = name.lower()
+    name = INVALID_KUBERNETES_NAME_CHARS.sub('-', name)
+    return name
diff --git a/roles/osbs-namespace/operations/README.md b/roles/osbs-namespace/operations/README.md
index e8d22ab0a0..11a5f47d02 100644
--- a/roles/osbs-namespace/operations/README.md
+++ b/roles/osbs-namespace/operations/README.md
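Review bot: `_clean_kubernetes_name` collapses every run of disallowed characters to `-`, so two worker names that differ only in such characters (`x86_64` and `x86-64`, say) produce the same config-map name, and the generated list then contains two entries with one name; the later one presumably wins when the config maps are applied, with no error anywhere. The function also does not strip a leading or trailing `-`/`.` from the result, which a DNS-style resource name must not have, so `.strip('.-')` after the `sub` call is worth adding (the `\.` escape inside the character class is redundant, too). Rebinding the loop variable with `worker_info = deepcopy(worker_info)` inside `for worker_info in workers_info:` works but reads as a mistake; a distinct name for the copy avoids the double-take. A duplicate check that fails the play is cheap to add:

```python
def do_with_isolated_workers(reactor_configs):
    # … unchanged: docstring …
    all_configs = list(reactor_configs)
    # Names must be unique across the original and generated config maps.
    seen_names = set(config['name'] for config in reactor_configs)

    for config in reactor_configs:
        clusters = config.get('data', {}).get('clusters', {})
        for arch, workers_info in clusters.items():
            for original_worker_info in workers_info:
                worker_info = deepcopy(original_worker_info)
                worker_info['enabled'] = True

                worker_config = deepcopy(config)

                name = _clean_kubernetes_name(config['name'] + '-' + worker_info['name'])
                if name in seen_names:
                    raise ValueError('duplicate reactor config map name: %s' % name)
                seen_names.add(name)
                worker_config['name'] = name
                # … unchanged: clusters override and append …

    return all_configs
```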
@@ -35,6 +35,9 @@ Role Variables # Then to re-enable node: osbs_enable_node: true + # Override default systemd unit files + osbs_systemd_override: true + See `operations/defaults/main.yml` for a comprehensive list of all available variables. diff --git a/roles/osbs-namespace/operations/defaults/main.yml b/roles/osbs-namespace/operations/defaults/main.yml index 0137d87705..cc6ee236af 100644 --- a/roles/osbs-namespace/operations/defaults/main.yml +++ b/roles/osbs-namespace/operations/defaults/main.yml @@ -19,6 +19,10 @@ osbs_wait_active_pods_delay: 30 # seconds osbs_wait_node_ready_retries: 30 osbs_wait_node_ready_delay: 10 +osbs_buildroot_do_tag: false osbs_buildroot_imagestream_live_tag: '' osbs_buildroot_imagestream: '' osbs_buildroot_imagestream_post_build_tag: '' + +osbs_systemd_override: false +osbs_systemd_limit_nofile: 131072 diff --git a/roles/osbs-namespace/operations/handlers/main.yml b/roles/osbs-namespace/operations/handlers/main.yml new file mode 100644 index 0000000000..726a27045c --- /dev/null +++ b/roles/osbs-namespace/operations/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: restart atomic-openshift-node + service: + name: atomic-openshift-node + state: restarted + daemon_reload: yes diff --git a/roles/osbs-namespace/operations/tasks/main.yml b/roles/osbs-namespace/operations/tasks/main.yml index d86303a478..29d8bc3e94 100644 --- a/roles/osbs-namespace/operations/tasks/main.yml +++ b/roles/osbs-namespace/operations/tasks/main.yml @@ -9,7 +9,10 @@ when: osbs_update_node_labels - include: tag-buildroot.yml - when: osbs_buildroot_imagestream_live_tag != '' + when: osbs_buildroot_do_tag - include: enable-node.yml when: osbs_enable_node + +- include: override-systemd.yml + when: osbs_systemd_override diff --git a/roles/osbs-namespace/operations/tasks/override-systemd.yml b/roles/osbs-namespace/operations/tasks/override-systemd.yml new file mode 100644 index 0000000000..c898879721 --- /dev/null 
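Review bot: In operations/tasks/main.yml the include gate for tag-buildroot.yml changes from `osbs_buildroot_imagestream_live_tag != ''` to `osbs_buildroot_do_tag`, which defaults to `false` in the defaults hunk, so an inventory that sets the live tag and relied on tagging happening automatically now skips the step without any message. tag-buildroot.yml still checks the three imagestream variables itself, so the new flag is purely an additional opt-in switch; that should be stated where the default is declared, e.g. `# Opt-in switch for tag-buildroot.yml; the three osbs_buildroot_imagestream* variables must also be set`, and the operations README hunk only documents `osbs_systemd_override`, not this flag.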
+++ b/roles/osbs-namespace/operations/tasks/override-systemd.yml @@ -0,0 +1,11 @@ +--- +- name: Set LimitNOFILE in atomic-openshift-node + lineinfile: + path: /etc/systemd/system/atomic-openshift-node.service + regexp: '^LimitNOFILE=' + line: 'LimitNOFILE={{ osbs_systemd_limit_nofile }}' + backup: yes + notify: + - restart atomic-openshift-node + +- meta: flush_handlers diff --git a/roles/osbs-namespace/operations/tasks/tag-buildroot.yml b/roles/osbs-namespace/operations/tasks/tag-buildroot.yml index 7098de1888..b21ff0b09c 100644 --- a/roles/osbs-namespace/operations/tasks/tag-buildroot.yml +++ b/roles/osbs-namespace/operations/tasks/tag-buildroot.yml @@ -2,8 +2,13 @@ # Tag the desired build image with the post build tag (“staged” for stage, “released” for prod) - name: tag buildroot imagestream command: > - oc tag {{ osbs_buildroot_imagestream }}:{{ osbs_buildroot_imagestream_live_tag }} {{ osbs_buildroot_imagestream }}:{{ osbs_buildroot_imagestream_post_build_tag }} + oc tag --namespace={{ osbs_namespace }} + {{ osbs_buildroot_imagestream }}:{{ osbs_buildroot_imagestream_live_tag }} + {{ osbs_buildroot_imagestream }}:{{ osbs_buildroot_imagestream_post_build_tag }} environment: "{{ osbs_environment }}" - when: osbs_buildroot_imagestream != '' and osbs_buildroot_imagestream_live_tag != '' and osbs_buildroot_imagestream_post_build_tag != '' + when: + - osbs_buildroot_imagestream != '' + - osbs_buildroot_imagestream_live_tag != '' + - osbs_buildroot_imagestream_post_build_tag != '' tags: - oc diff --git a/roles/osbs-namespace/tasks/main.yml b/roles/osbs-namespace/tasks/main.yml index eadb355f6f..6f6cc49fa8 100644 --- a/roles/osbs-namespace/tasks/main.yml +++ b/roles/osbs-namespace/tasks/main.yml 
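Review bot: `lineinfile` without `insertafter` appends the new line at the end of the file when no `^LimitNOFILE=` line exists, and in a systemd unit the end of the file is usually the `[Install]` section, where a `LimitNOFILE=` directive is ignored because directives are section-scoped; the task would then report changed while having no effect. Anchoring the insertion fixes that: `insertafter: '^\[Service\]'`. Given the task is called "override", a drop-in file under `/etc/systemd/system/atomic-openshift-node.service.d/` written with `copy`/`template` would also survive package updates of the unit file, which in-place edits of the unit do not; the handler's `daemon_reload: yes` already covers either approach.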
@@ -69,11 +69,13 @@ - name: osbs-custom-build-readwrite role: system:build-strategy-custom + yaml_version: v1 users: "{{ osbs_readwrite_users }}" groups: "{{ osbs_readwrite_groups }}" - name: osbs-custom-build-admin role: system:build-strategy-custom + yaml_version: v1 users: "{{ osbs_admin_users }}" groups: "{{ osbs_admin_groups }}" @@ -85,6 +87,13 @@ role: system:build-strategy-custom serviceaccounts: "{{ osbs_service_accounts }}" + - name: osbs-cluster-reader + role: cluster-reader + yaml_version: v1 + type: ClusterRoleBinding + users: "{{ osbs_cluster_reader_users }}" + groups: "{{ osbs_cluster_reader_groups }}" + register: yaml_rolebindings when: osbs_is_admin tags: diff --git a/roles/osbs-namespace/tasks/orchestrator.yml b/roles/osbs-namespace/tasks/orchestrator.yml index 024d4162f1..85bf503ef1 100644 --- a/roles/osbs-namespace/tasks/orchestrator.yml +++ b/roles/osbs-namespace/tasks/orchestrator.yml @@ -17,6 +17,25 @@ tags: - oc +- name: generate reactor config maps + template: + src: reactor-config-map.yml.j2 + dest: "{{ osbs_openshift_home }}/{{ inventory_hostname }}-{{ osbs_namespace }}-{{ item.name }}.yml" + with_items: "{{ osbs_reactor_config_maps | with_isolated_workers }}" + register: yaml_reactor_config_maps + tags: + - oc + +- name: create reactor config maps + shell: > + oc --namespace={{ osbs_namespace }} create configmap {{ item.item.name }} \ + --from-file='config.yaml'={{ item.dest }} --dry-run -o yaml | \ + oc --namespace={{ osbs_namespace }} replace --force -f - + when: item.changed + with_items: "{{ yaml_reactor_config_maps.results }}" + tags: + - oc + # Setup imagestream - name: copy imagestream template: 
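Review bot: The new `osbs-cluster-reader` entry creates a cluster-scoped ClusterRoleBinding with a fixed name from a role that is otherwise namespace-scoped, so running the role for a second namespace (the worker and orchestrator namespaces in tests/test.yml, for instance) with a different `osbs_cluster_reader_users`/`osbs_cluster_reader_groups` list presumably overwrites the first namespace's binding rather than adding to it, and the last run silently wins. Since cluster-reader grants read access cluster-wide and not to `osbs_namespace`, either make the name per-namespace, `name: osbs-cluster-reader-{{ osbs_namespace }}`, or document that these two variables must be identical for every namespace the role manages. How `yaml_rolebindings` is applied is outside this hunk, so confirm there whether a second run replaces or errors.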
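Review bot: In the `create reactor config maps` task the pipeline runs under `/bin/sh`, whose exit status is that of the last command, so a failing `oc create configmap --dry-run` (bad `item.dest`, name rejected by the server) feeds an empty document to `oc replace` and the task's outcome depends on how `replace` reacts to empty input rather than on the real error. `replace --force` also deletes and recreates the object, which leaves a window in which the config map does not exist; `oc apply -f -` updates in place and is idempotent. The backslashes at line ends are unnecessary inside a `>` folded scalar and end up as literal `\ ` sequences in the command. The `{{ item.dest }}` path is built from `osbs_openshift_home`, `inventory_hostname` and `osbs_namespace` and is unquoted in the shell command, so a value containing whitespace would break the invocation.

```yaml
- name: create reactor config maps
  shell: >
    set -o pipefail &&
    oc --namespace={{ osbs_namespace }} create configmap {{ item.item.name }}
    --from-file='config.yaml'='{{ item.dest }}' --dry-run -o yaml |
    oc --namespace={{ osbs_namespace }} apply -f -
  args:
    executable: /bin/bash
  when: item.changed
  with_items: "{{ yaml_reactor_config_maps.results }}"
  # … unchanged: tags …
```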
@@ -42,6 +61,7 @@ - name: update imagestream tag command: > oc import-image {{ osbs_buildroot_imagestream }}:{{ osbs_buildroot_imagestream_live_tag }} + --namespace={{ osbs_namespace }} --from {{ osbs_buildroot_repository }}:{{ osbs_buildroot_imagestream_live_tag }} {{ " --insecure" if osbs_insecure_repository else ''}} environment: "{{ osbs_environment }}" diff --git a/roles/osbs-namespace/templates/client-config-secret.conf.j2 b/roles/osbs-namespace/templates/client-config-secret.conf.j2 index a9e8b6b399..d5b385213d 100644 --- a/roles/osbs-namespace/templates/client-config-secret.conf.j2 +++ b/roles/osbs-namespace/templates/client-config-secret.conf.j2 @@ -18,7 +18,7 @@ distribution_scope = {{ osbs_distribution_scope }} # Koji integration {% if osbs_koji_secret_name %} -# koji_certs_secret = {{ osbs_koji_secret_name }} +koji_certs_secret = {{ osbs_koji_secret_name }} {% endif %} {% if osbs_koji_hub %} koji_hub = {{ osbs_koji_hub }} @@ -26,15 +26,6 @@ koji_hub = {{ osbs_koji_hub }} {% if osbs_koji_root %} koji_root = {{ osbs_koji_root }} {% endif %} -{% if koji_use_kerberos %} -koji_use_kerberos = {{ koji_use_kerberos }} -{% endif %} -{% if koji_kerberos_keytab %} -koji_kerberos_keytab = {{ koji_kerberos_keytab }} -{% endif %} -{% if koji_kerberos_principal %} -koji_kerberos_principal = {{ koji_kerberos_principal }} -{% endif %} # Pulp integration {% if osbs_pulp_registry_name %} diff --git a/roles/osbs-namespace/templates/openshift-rolebinding.v1.yml.j2 b/roles/osbs-namespace/templates/openshift-rolebinding.v1.yml.j2 index 2b0648b588..e601c6d354 100644 --- a/roles/osbs-namespace/templates/openshift-rolebinding.v1.yml.j2 +++ b/roles/osbs-namespace/templates/openshift-rolebinding.v1.yml.j2 @@ -1,5 +1,5 @@ apiVersion: v1 -kind: RoleBinding +kind: {{ item.type | default("RoleBinding") }} metadata: name: {{ item.name }} namespace: {{ osbs_namespace }} 
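Review bot: With `kind: {{ item.type | default("RoleBinding") }}` the template can now render a ClusterRoleBinding, but the `metadata` block still emits `namespace: {{ osbs_namespace }}`, and a namespace on a cluster-scoped object is at best ignored and, depending on the API server version, rejected; the new osbs-cluster-reader item in tasks/main.yml is the first item that takes this path. Guarding the line keeps the rendered object valid for both kinds: `{% if item.type | default("RoleBinding") == "RoleBinding" %}` / `  namespace: {{ osbs_namespace }}` / `{% endif %}`. The rest of the template, including how subjects are rendered, is outside the hunk.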
diff --git a/roles/osbs-namespace/templates/reactor-config-map.yml.j2 b/roles/osbs-namespace/templates/reactor-config-map.yml.j2 new file mode 100644 index 0000000000..a2c4331005 --- /dev/null +++ b/roles/osbs-namespace/templates/reactor-config-map.yml.j2 @@ -0,0 +1,3 @@ +# {{ item.name }} +--- +{{ item.data | to_nice_yaml }} diff --git a/roles/osbs-namespace/templates/reactor-config-secret.yml.j2 b/roles/osbs-namespace/templates/reactor-config-secret.yml.j2 index bba90c2dee..e418b74b0f 100644 --- a/roles/osbs-namespace/templates/reactor-config-secret.yml.j2 +++ b/roles/osbs-namespace/templates/reactor-config-secret.yml.j2 @@ -14,6 +14,9 @@ clusters: {% if osbs_odcs_enabled %} odcs: + api_url: {{ osbs_odcs_api_url }} + auth: + ssl_certs_dir: {{ osbs_odcs_auth_ssl_certs_dir }} signing_intents: {{ osbs_odcs_signing_intents | to_yaml | indent(4) }} default_signing_intent: {{ osbs_odcs_default_signing_intent }} diff --git a/roles/osbs-namespace/tests/files/expected-reactor-config-map-ppc64le-on-premise.yml b/roles/osbs-namespace/tests/files/expected-reactor-config-map-ppc64le-on-premise.yml new file mode 100644 index 0000000000..03dfd093ce --- /dev/null +++ b/roles/osbs-namespace/tests/files/expected-reactor-config-map-ppc64le-on-premise.yml @@ -0,0 +1,15 @@ +# reactor-config-map-ppc64le-on-premise +--- +artifacts_allowed_domains: +- example.com/beta +- example.com/released +clusters: + ppc64le: + - enabled: true + max_concurrent_builds: 11 + name: ppc64le-on-premise +image_labels: + authoritative-source-url: registry.example.com + distribution-scope: public + vendor: Example, Inc. +version: 1 diff --git a/roles/osbs-namespace/tests/files/expected-reactor-config-map-scratch-ppc64le-on-premise.yml b/roles/osbs-namespace/tests/files/expected-reactor-config-map-scratch-ppc64le-on-premise.yml new file mode 100644 index 0000000000..fe1a81d07e --- /dev/null +++ b/roles/osbs-namespace/tests/files/expected-reactor-config-map-scratch-ppc64le-on-premise.yml 
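Review bot: In reactor-config-secret.yml.j2, `api_url: {{ osbs_odcs_api_url }}` renders as an empty value when `osbs_odcs_enabled` is true but the new default `osbs_odcs_api_url: ''` from defaults/main.yml is left in place; a YAML loader reads that as null, so the secret is written without an endpoint and the failure only surfaces when the reactor tries to reach ODCS. Requiring the value at render time gives a clear error in the play instead: `api_url: {{ osbs_odcs_api_url | mandatory }}`. The same applies to `ssl_certs_dir`, although that one has a non-empty default.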
@@ -0,0 +1,13 @@ +# reactor-config-map-scratch-ppc64le-on-premise +--- +artifacts_allowed_domains: [] +clusters: + ppc64le: + - enabled: true + max_concurrent_builds: 11 + name: ppc64le-on-premise +image_labels: + authoritative-source-url: registry.example.com + distribution-scope: private + vendor: Example, Inc. +version: 1 diff --git a/roles/osbs-namespace/tests/files/expected-reactor-config-map-scratch-x86-64-aws.yml b/roles/osbs-namespace/tests/files/expected-reactor-config-map-scratch-x86-64-aws.yml new file mode 100644 index 0000000000..a8e1196a93 --- /dev/null +++ b/roles/osbs-namespace/tests/files/expected-reactor-config-map-scratch-x86-64-aws.yml @@ -0,0 +1,13 @@ +# reactor-config-map-scratch-x86-64-aws +--- +artifacts_allowed_domains: [] +clusters: + x86_64: + - enabled: true + max_concurrent_builds: 20 + name: x86_64-aws +image_labels: + authoritative-source-url: registry.example.com + distribution-scope: private + vendor: Example, Inc. +version: 1 diff --git a/roles/osbs-namespace/tests/files/expected-reactor-config-map-scratch-x86-64-azure.yml b/roles/osbs-namespace/tests/files/expected-reactor-config-map-scratch-x86-64-azure.yml new file mode 100644 index 0000000000..32b099e9d0 --- /dev/null +++ b/roles/osbs-namespace/tests/files/expected-reactor-config-map-scratch-x86-64-azure.yml @@ -0,0 +1,13 @@ +# reactor-config-map-scratch-x86-64-azure +--- +artifacts_allowed_domains: [] +clusters: + x86_64: + - enabled: true + max_concurrent_builds: 30 + name: x86_64-azure +image_labels: + authoritative-source-url: registry.example.com + distribution-scope: private + vendor: Example, Inc. +version: 1 diff --git a/roles/osbs-namespace/tests/files/expected-reactor-config-map-scratch-x86-64-on-premise.yml b/roles/osbs-namespace/tests/files/expected-reactor-config-map-scratch-x86-64-on-premise.yml new file mode 100644 index 0000000000..34e4efd881 --- /dev/null +++ b/roles/osbs-namespace/tests/files/expected-reactor-config-map-scratch-x86-64-on-premise.yml 
@@ -0,0 +1,13 @@ +# reactor-config-map-scratch-x86-64-on-premise +--- +artifacts_allowed_domains: [] +clusters: + x86_64: + - enabled: true + max_concurrent_builds: 10 + name: x86_64-on-premise +image_labels: + authoritative-source-url: registry.example.com + distribution-scope: private + vendor: Example, Inc. +version: 1 diff --git a/roles/osbs-namespace/tests/files/expected-reactor-config-map-scratch.yml b/roles/osbs-namespace/tests/files/expected-reactor-config-map-scratch.yml new file mode 100644 index 0000000000..897d146f33 --- /dev/null +++ b/roles/osbs-namespace/tests/files/expected-reactor-config-map-scratch.yml @@ -0,0 +1,23 @@ +# reactor-config-map-scratch +--- +artifacts_allowed_domains: [] +clusters: + ppc64le: + - enabled: true + max_concurrent_builds: 11 + name: ppc64le-on-premise + x86_64: + - enabled: true + max_concurrent_builds: 10 + name: x86_64-on-premise + - enabled: false + max_concurrent_builds: 20 + name: x86_64-aws + - enabled: false + max_concurrent_builds: 30 + name: x86_64-azure +image_labels: + authoritative-source-url: registry.example.com + distribution-scope: private + vendor: Example, Inc. +version: 1 diff --git a/roles/osbs-namespace/tests/files/expected-reactor-config-map-x86-64-aws.yml b/roles/osbs-namespace/tests/files/expected-reactor-config-map-x86-64-aws.yml new file mode 100644 index 0000000000..2d6f356f85 --- /dev/null +++ b/roles/osbs-namespace/tests/files/expected-reactor-config-map-x86-64-aws.yml @@ -0,0 +1,15 @@ +# reactor-config-map-x86-64-aws +--- +artifacts_allowed_domains: +- example.com/beta +- example.com/released +clusters: + x86_64: + - enabled: true + max_concurrent_builds: 20 + name: x86_64-aws +image_labels: + authoritative-source-url: registry.example.com + distribution-scope: public + vendor: Example, Inc. +version: 1 
diff --git a/roles/osbs-namespace/tests/files/expected-reactor-config-map-x86-64-azure.yml b/roles/osbs-namespace/tests/files/expected-reactor-config-map-x86-64-azure.yml new file mode 100644 index 0000000000..2d686cc989 --- /dev/null +++ b/roles/osbs-namespace/tests/files/expected-reactor-config-map-x86-64-azure.yml @@ -0,0 +1,15 @@ +# reactor-config-map-x86-64-azure +--- +artifacts_allowed_domains: +- example.com/beta +- example.com/released +clusters: + x86_64: + - enabled: true + max_concurrent_builds: 30 + name: x86_64-azure +image_labels: + authoritative-source-url: registry.example.com + distribution-scope: public + vendor: Example, Inc. +version: 1 diff --git a/roles/osbs-namespace/tests/files/expected-reactor-config-map-x86-64-on-premise.yml b/roles/osbs-namespace/tests/files/expected-reactor-config-map-x86-64-on-premise.yml new file mode 100644 index 0000000000..c583323b69 --- /dev/null +++ b/roles/osbs-namespace/tests/files/expected-reactor-config-map-x86-64-on-premise.yml @@ -0,0 +1,15 @@ +# reactor-config-map-x86-64-on-premise +--- +artifacts_allowed_domains: +- example.com/beta +- example.com/released +clusters: + x86_64: + - enabled: true + max_concurrent_builds: 10 + name: x86_64-on-premise +image_labels: + authoritative-source-url: registry.example.com + distribution-scope: public + vendor: Example, Inc. +version: 1 diff --git a/roles/osbs-namespace/tests/files/expected-reactor-config-map.yml b/roles/osbs-namespace/tests/files/expected-reactor-config-map.yml new file mode 100644 index 0000000000..f671afa261 --- /dev/null +++ b/roles/osbs-namespace/tests/files/expected-reactor-config-map.yml 
@@ -0,0 +1,25 @@ +# reactor-config-map +--- +artifacts_allowed_domains: +- example.com/beta +- example.com/released +clusters: + ppc64le: + - enabled: true + max_concurrent_builds: 11 + name: ppc64le-on-premise + x86_64: + - enabled: true + max_concurrent_builds: 10 + name: x86_64-on-premise + - enabled: false + max_concurrent_builds: 20 + name: x86_64-aws + - enabled: false + max_concurrent_builds: 30 + name: x86_64-azure +image_labels: + authoritative-source-url: registry.example.com + distribution-scope: public + vendor: Example, Inc. +version: 1 diff --git a/roles/osbs-namespace/tests/group_vars/masters.yml b/roles/osbs-namespace/tests/group_vars/masters.yml index 26b0b5098c..17fa93d4c1 100644 --- a/roles/osbs-namespace/tests/group_vars/masters.yml +++ b/roles/osbs-namespace/tests/group_vars/masters.yml @@ -16,3 +16,52 @@ osbs_worker_clusters: - allowed.domain.com - also-allowed.domain.com auto_build_node_selector: 'auto_build=true' + +_reactor_config_map: + version: 1 + + clusters: + + x86_64: + - name: x86_64-on-premise + max_concurrent_builds: 10 + enabled: True + + - name: x86_64-aws + max_concurrent_builds: 20 + enabled: False + + - name: x86_64-azure + max_concurrent_builds: 30 + enabled: False + + ppc64le: + - name: ppc64le-on-premise + max_concurrent_builds: 11 + enabled: True + + artifacts_allowed_domains: + - example.com/beta + - example.com/released + + image_labels: + vendor: "Example, Inc." + authoritative-source-url: registry.example.com + distribution-scope: public + +_scratch_reactor_config_map_overrides: + + artifacts_allowed_domains: [] + + image_labels: + distribution-scope: private + +osbs_reactor_config_maps: + +- name: reactor-config-map + data: "{{ _reactor_config_map }}" + +- name: reactor-config-map-scratch + data: > + {{ _reactor_config_map | + combine(_scratch_reactor_config_map_overrides, recursive=True) }} 
diff --git a/roles/osbs-namespace/tests/pre-oc-cluster.sh b/roles/osbs-namespace/tests/pre-oc-cluster.sh new file mode 100755 index 0000000000..009a7c36b8 --- /dev/null +++ b/roles/osbs-namespace/tests/pre-oc-cluster.sh @@ -0,0 +1,36 @@ +#!/bin/bash +set -xeuo pipefail + +# Script inspired by: +# https://github.com/radanalyticsio/radanalyticsio.github.io/blob/master/.travis.yml + +TEST_DIR=`pwd` +ORIGIN_DIR=$TEST_DIR/../origin +OC_VERSION='v3.7.0' +OC_RELEASE_NAME='openshift-origin-client-tools-v3.7.0-7ed6862-linux-64bit' + +# Add required insecure container registry +sudo sed -i -e 's/sock/sock --insecure-registry 172.30.0.0\/16/' /etc/default/docker +sudo cat /etc/default/docker +sudo service docker restart + +# Download and setup oc binary +sudo mkdir -p $ORIGIN_DIR +sudo chmod -R 766 $ORIGIN_DIR +sudo curl -L \ + https://github.com/openshift/origin/releases/download/${OC_VERSION}/${OC_RELEASE_NAME}.tar.gz | \ + sudo tar -C $ORIGIN_DIR -xz ${OC_RELEASE_NAME}/oc +sudo cp $ORIGIN_DIR/${OC_RELEASE_NAME}/oc /bin/ +sudo chmod +x /bin/oc + +oc version + +# Below cmd is important to get oc working in ubuntu +sudo docker run -v /:/rootfs -ti --rm \ + --entrypoint=/bin/bash \ + --privileged openshift/origin:v3.7.0 \ + -c "mv /rootfs/bin/findmnt /rootfs/bin/findmnt.backup" + +# Avoid error from travis wrapper script with unbound variable: +# https://github.com/travis-ci/travis-ci/issues/5434 +set +u diff --git a/roles/osbs-namespace/tests/test.yml b/roles/osbs-namespace/tests/test.yml index c55df525c6..eaf70b57f2 100644 --- a/roles/osbs-namespace/tests/test.yml +++ b/roles/osbs-namespace/tests/test.yml @@ -17,7 +17,8 @@ - name: bring up new cluster command: > oc cluster up - --version v3.6.0 + --image {{ osbs_test_ocp_image | default('registry.access.redhat.com/openshift3/ose') }} + --version {{ osbs_test_ocp_version | default('v3.7') }} register: cmd_cluster_up changed_when: cmd_cluster_up.rc == 0 
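Review bot: In pre-oc-cluster.sh the `oc` binary is fetched with `sudo curl -L ... | sudo tar` and copied into `/bin/` with no integrity check, so whatever the download endpoint returns is installed as root; pinning the release tarball's digest next to `OC_VERSION` and checking it with `sha256sum -c` before extraction turns a tampered or truncated download into a hard failure under `set -e`. `sudo chmod -R 766 $ORIGIN_DIR` also makes the download directory world-writable while removing the execute bit on directories, which is neither needed nor what was probably intended; `install -m 0755` covers the copy and the mode in one step. `$ORIGIN_DIR` is derived from `pwd` and is unquoted throughout, so a path with spaces breaks the script.

```shell
# Pin the expected digest of the release tarball next to the version it belongs to.
OC_SHA256='<sha256 of the pinned release tarball>'   # placeholder: fill from the release page

# … unchanged: docker insecure-registry setup …

sudo mkdir -p "$ORIGIN_DIR"
sudo curl -L -o "$ORIGIN_DIR/oc.tar.gz" \
    "https://github.com/openshift/origin/releases/download/${OC_VERSION}/${OC_RELEASE_NAME}.tar.gz"
echo "${OC_SHA256}  ${ORIGIN_DIR}/oc.tar.gz" | sha256sum -c -
sudo tar -C "$ORIGIN_DIR" -xzf "$ORIGIN_DIR/oc.tar.gz" "${OC_RELEASE_NAME}/oc"
sudo install -m 0755 "$ORIGIN_DIR/${OC_RELEASE_NAME}/oc" /bin/oc
# … unchanged: oc version and the findmnt workaround …
```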
@@ -64,24 +65,11 @@ oc -n test-worker get serviceaccount orchestrator changed_when: false - - name: policy binding created - command: > - oc -n test-worker get policybinding ':default' - changed_when: false - - - name: custom builds roles created - command: > - oc -n test-worker get role osbs-custom-build - changed_when: false - - name: expected rolebindings created in worker namespace command: > oc -n test-worker get rolebinding {{ item }} with_items: - osbs-admin - - osbs-admin - - osbs-custom-build-admin - - osbs-custom-build-readwrite - osbs-custom-build-serviceaccounts - osbs-readonly - osbs-readwrite @@ -128,6 +116,28 @@ {{ playbook_dir }}/tmp/test-orchestrator-client-config-secret.conf changed_when: false + - name: reactor config maps were generated properly + command: > + diff {{ playbook_dir }}/files/expected-{{ item }}.yml + {{ playbook_dir }}/tmp/test-host-test-orchestrator-{{ item }}.yml + changed_when: false + with_items: + - reactor-config-map-ppc64le-on-premise + - reactor-config-map-scratch-ppc64le-on-premise + - reactor-config-map-scratch-x86-64-aws + - reactor-config-map-scratch-x86-64-azure + - reactor-config-map-scratch-x86-64-on-premise + - reactor-config-map-scratch + - reactor-config-map-x86-64-aws + - reactor-config-map-x86-64-azure + - reactor-config-map-x86-64-on-premise + - reactor-config-map + register: cmd_diff_config_maps + + - name: reactor config mpas were created + command: oc -n test-orchestrator get configmaps {{ item.item }} + changed_when: false + with_items: "{{ cmd_diff_config_maps.results }}" - name: setup namespace as non admin hosts: masters @@ -151,6 +161,8 @@ oc login -u system:admin register: cmd_login_admin changed_when: cmd_login_admin.rc == 0 + tags: + - wip - name: test non-admin namespace hosts: masters 
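Review bot: The task name `reactor config mpas were created` in the second added task of the `@@ -128,6 +116,28 @@` hunk has a typo (`mpas` → `maps`); task names appear in play output and are what people grep for, so it should read `- name: reactor config maps were created`. That task is the only check that the objects actually reached the cluster (the preceding task diffs rendered files only), and it takes its names from `item.item` of the diff results, which reads oddly without a comment such as `# item.item is the config map name from the diff loop above`.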
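Review bot: The `tags: - wip` added after the `oc login -u system:admin` task in the `@@ -151,6 +161,8 @@` hunk looks like development residue rather than an intended tag; the same tag is added in the hunks at `@@ -179,14 +191,13 @@`, `@@ -292,6 +303,8 @@` and `@@ -310,3 +323,63 @@`. Running the test playbook with `--tags wip` would execute only those tasks, which is unlikely to be useful to other contributors, and neither README hunk documents the tag. Either drop it before merge or name it for its purpose (for example `users-and-groups`) and mention it in the tests' documentation.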
@@ -179,14 +191,13 @@ failed_when: ('No resources found' not in cmd_rolebinding.stderr) and ('NotFound' not in cmd_rolebinding.stderr) with_items: - osbs-admin - - osbs-admin - - osbs-custom-build-admin - - osbs-custom-build-readwrite - osbs-custom-build-serviceaccounts - osbs-readonly - osbs-readwrite - osbs-readwrite-serviceaccounts changed_when: false + tags: + - wip - name: create limitrange namespace hosts: masters @@ -292,6 +303,8 @@ oc login -u system:admin register: cmd_login_admin changed_when: cmd_login_admin.rc == 0 + tags: + - wip - name: test policybinding dedicated-admin namespace hosts: masters 
@@ -310,3 +323,63 @@ - osbs-readwrite - osbs-readwrite-serviceaccounts changed_when: false + tags: + - wip + +- name: setup users and groups in namespace + hosts: masters + roles: + - role: "{{ playbook_dir }}/../." + osbs_kubeconfig_path: "{{ lookup('env','HOME') }}/.kube/config" + osbs_openshift_home: tmp + osbs_namespace: test-users-and-groups + osbs_nodeselector: "worker=true" + osbs_admin_groups: + - admin-group + osbs_admin_users: + - admin-user + osbs_cluster_reader_groups: + - cluster-reader-group + osbs_cluster_reader_users: + - cluster-reader-user + osbs_readonly_groups: + - readonly-group + osbs_readonly_users: + - readonly-user + osbs_readwrite_groups: + - readwrite-group + osbs_readwrite_users: + - readwrite-user + +- name: test users and groups namespace + hosts: masters + vars: + osbs_users_groups_info: + - role_name: osbs-admin + type: rolebinding + expected: User Groupadmin-user admin-group + - role_name: osbs-readonly + type: rolebinding + expected: User Groupreadonly-user readonly-group + - role_name: osbs-readwrite + type: rolebinding + expected: User Groupreadwrite-user readwrite-group + - role_name: osbs-cluster-reader + type: clusterrolebinding + expected: User Groupcluster-reader-user cluster-reader-group + tasks: + - name: query rolebindings + command: > + oc -n test-users-and-groups get {{ item.type }} {{ item.role_name }} + -o jsonpath='{.subjects[*].kind}{.subjects[*].name}' + register: osbs_rolebindings + changed_when: false + with_items: "{{ osbs_users_groups_info }}" + + - name: verify rolebindings + fail: + msg: "{{ item.1.type }} {{ item.1.role_name }} not as expected" + when: "item.0.stdout != item.1.expected" + with_together: + - "{{ osbs_rolebindings.results }}" + - "{{ osbs_users_groups_info }}"
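Review bot: The `verify rolebindings` check compares the concatenated jsonpath output `{.subjects[*].kind}{.subjects[*].name}` against literals such as `User Groupadmin-user admin-group`, so it depends on the server returning subjects in exactly the user-then-group order and on the two lists gluing together without a separator; a reordered subject list would fail the test although the binding is correct. A self-describing form is easier to read and can be compared order-insensitively: `-o jsonpath='{range .subjects[*]}{.kind}:{.name}{"\n"}{end}'`, then compare `item.0.stdout_lines | sort` with an expected list. This appears to be the last hunk of the diff; if the file continues past it, the comparison task may have more context than shown here.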