From fb240ea4706ab1417150e9a3655b08ac4a3ce1f3 Mon Sep 17 00:00:00 2001 From: Clement Verna Date: Mon, 19 Feb 2018 14:55:32 +0100 Subject: [PATCH] Update osbs-namespace to latest upstream. This is an update of the ansible-role-osbs-namespace role to the latest upstream available + PR16 not yet merged. https://github.com/projectatomic/ansible-role-osbs-namespace 
Signed-off-by: Clement Verna --- roles/osbs-namespace/README.md | 29 +++-- roles/osbs-namespace/defaults/main.yml | 21 +++- roles/osbs-namespace/meta/main.yml | 2 +- roles/osbs-namespace/operations/README.md | 73 +++++++++++ .../operations/defaults/main.yml | 24 ++++ roles/osbs-namespace/operations/meta/main.yml | 12 ++ .../operations/tasks/disable-node.yml | 25 ++++ .../operations/tasks/enable-node.yml | 15 +++ .../osbs-namespace/operations/tasks/main.yml | 15 +++ .../operations/tasks/tag-buildroot.yml | 9 ++ .../tasks/update-node-selector-labels.yml | 23 ++++ .../operations/tasks/upgrade-docker.yml | 15 +++ roles/osbs-namespace/tasks/main.yml | 113 ++++++++++-------- roles/osbs-namespace/tasks/orchestrator.yml | 35 ++++++ .../templates/client-config-secret.conf.j2 | 11 +- .../templates/openshift-prune-cronjob.yml.j2 | 18 +++ .../templates/openshift-rolebinding.v2.yml.j2 | 2 +- .../osbs-buildroot-imagestream.yml.j2 | 9 ++ .../templates/reactor-config-secret.yml.j2 | 7 ++ .../files/expected-client-config-secret.conf | 26 ++-- .../tests/group_vars/masters.yml | 5 +- roles/osbs-namespace/tests/test.yml | 9 +- 22 files changed, 414 insertions(+), 84 deletions(-) create mode 100644 roles/osbs-namespace/operations/README.md create mode 100644 roles/osbs-namespace/operations/defaults/main.yml create mode 100644 roles/osbs-namespace/operations/meta/main.yml create mode 100644 roles/osbs-namespace/operations/tasks/disable-node.yml create mode 100644 roles/osbs-namespace/operations/tasks/enable-node.yml create mode 100644 roles/osbs-namespace/operations/tasks/main.yml create mode 100644 roles/osbs-namespace/operations/tasks/tag-buildroot.yml create mode 100644 roles/osbs-namespace/operations/tasks/update-node-selector-labels.yml create mode 100644 roles/osbs-namespace/operations/tasks/upgrade-docker.yml create mode 100644 roles/osbs-namespace/templates/openshift-prune-cronjob.yml.j2 create mode 100644 roles/osbs-namespace/templates/osbs-buildroot-imagestream.yml.j2 
diff --git a/roles/osbs-namespace/README.md b/roles/osbs-namespace/README.md index 580275a80e..c29851f238 100644 --- a/roles/osbs-namespace/README.md +++ b/roles/osbs-namespace/README.md @@ -35,12 +35,12 @@ Role Variables # in orchestrator workspace osbs_worker_clusters: x86_64: - - name: prod-x86_64-on-prem + - name: prod-first-x86_64 max_concurrent_builds: 6 - openshift_url: https://my-x86_64-on-premise-cluster.redhat.com:8443 - - name: prod-x86_64-osd + openshift_url: https://my-first-x86_64-cluster.fedoraproject.org:8443 + - name: prod-second-x86_64 max_concurrent_builds: 16 - openshift_url: https://my-x86_64-osd-cluster.redhat.com:8443 + openshift_url: https://my-second-x86_64-cluster.fedoraproject.org # optional params, and their defaults: enabled: true # yaml boolean namespace: worker @@ -48,9 +48,9 @@ Role Variables verify_ssl: 'true' # yaml string ppc64le: - - name: prod-ppc64le-on-prem + - name: prod-ppc64le max_concurrent_builds: 6 - openshift_url: https://my-ppc64le-on-premise-cluster.redhat.com:8443 + openshift_url: https://my-ppc64le-cluster.fedoraproject.org:8443 # Service accounts to be created - these accounts will also be bound to # edit clusterrole and osbs-custom-build role in specified namespace @@ -86,8 +86,8 @@ Role Variables # Koji integration osbs_koji_secret_name: kojisecret - osbs_koji_hub: https://koji-hub.redhat.com # Empty default value - osbs_koji_root: https://koji-root.redhat.com # Empty default value + osbs_koji_hub: https://koji.fedoraproject.org # Empty default value + osbs_koji_root: https://koji.fedoraproject.org/kojihub # Empty default value # Pulp integration osbs_pulp_secret_name: pulpsecret 
@@ -98,11 +98,18 @@ Role Variables osbs_registry_api_version: - v1 - v2 - osbs_registry_uri: https://distribution-registry.redhat.com/v2 # Empty default value + osbs_registry_uri: https://distribution.registry.fedoraproject.org/v2 # Empty default value # Dist-git integration - osbs_sources_command: rhpkg sources - osbs_source_registry_uri: https://source-registry.redhat.com # Empty default value + osbs_sources_command: fedpkg sources + osbs_source_registry_uri: https://source.registry.fedoraproject.org # Empty default value + + # Pruning + osbs_prune: false + osbs_prune_schedule: '0 0 */8 * *' + osbs_prune_secret: '' + osbs_prune_image: '' + osbs_prune_commands: ["/prune.sh"] For a full list, see defaults/main.yml diff --git a/roles/osbs-namespace/defaults/main.yml b/roles/osbs-namespace/defaults/main.yml index 00069104dd..ad3b37123f 100644 --- a/roles/osbs-namespace/defaults/main.yml +++ b/roles/osbs-namespace/defaults/main.yml @@ -24,7 +24,7 @@ osbs_worker_clusters: {} osbs_koji_secret_name: kojisecret osbs_distribution_scope: public -osbs_authoritative_registry: registry.access.redhat.com +osbs_authoritative_registry: registry.fedoraproject.org osbs_koji_hub: '' osbs_koji_root: '' osbs_pulp_registry_name: '' @@ -36,6 +36,21 @@ osbs_registry_secret_name: v2-registry-dockercfg osbs_registry_uri: '' osbs_source_registry_uri: '' osbs_build_json_dir: /usr/share/osbs -osbs_sources_command: rhpkg sources -osbs_vendor: Red Hat, Inc. +osbs_sources_command: fedpkg sources +osbs_vendor: Fedora Project osbs_nodeselector: '' +osbs_buildroot_repository: '' +osbs_buildroot_imagestream: '' +osbs_insecure_repository: true +osbs_buildroot_imagestream_live_tag: '' + +osbs_prune: false +osbs_prune_schedule: '0 0 */8 * *' +osbs_prune_service_account: '' +osbs_prune_image: '' +osbs_prune_commands: ["/prune.sh"] +osbs_serviceaccount_pruner: '' + +osbs_odcs_enabled: false +osbs_odcs_signing_intents: {} +osbs_odcs_default_signing_intent: null 
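Review bot: The new default `osbs_insecure_repository: true` in defaults/main.yml makes unverified registry access the out-of-the-box behaviour for the buildroot image; a safer default is `osbs_insecure_repository: false`, with insecure imports as an explicit opt-in. The same value feeds the `--insecure` argument of `oc import-image` in tasks/orchestrator.yml and the `openshift.io/image.insecureRepository` annotation in templates/osbs-buildroot-imagestream.yml.j2. The hunk also defines `osbs_prune_service_account` while the README hunk just above documents `osbs_prune_secret`; the two should name the same variable.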
diff --git a/roles/osbs-namespace/meta/main.yml b/roles/osbs-namespace/meta/main.yml index 98c9c543be..2f6d20271d 100644 --- a/roles/osbs-namespace/meta/main.yml +++ b/roles/osbs-namespace/meta/main.yml @@ -1,7 +1,7 @@ # Standards: 1.8 galaxy_info: author: Luiz Carvalho - description: setup OpenShift namespace for OSBS usage + description: Setup OpenShift namespace for OSBS usage company: Red Hat, Inc. license: BSD min_ansible_version: 2.1 diff --git a/roles/osbs-namespace/operations/README.md b/roles/osbs-namespace/operations/README.md new file mode 100644 index 0000000000..e8d22ab0a0 --- /dev/null +++ b/roles/osbs-namespace/operations/README.md 
@@ -0,0 +1,73 @@
+ansible-role-osbs-namespace/operations
+======================================
+
+Collection of common maintenance operations for an OpenShift cluster.
+By default, all tasks in this sub-roles are disabled. Use the control
+booleans to enable the desired operations:
+
+Requirements
+------------
+
+A running instance of OpenShift.
+
+Role Variables
+--------------
+
+
+ # Update docker daemon on each OpenShift node.
+ # It's highly recommended to use `serial: 1` in your playbook.
+ osbs_upgrade_docker: false
+ # Docker version to update to.
+ osbs_docker_version:
+
+ # Update OpenShift node labels.
+ osbs_update_node_labels: false
+ # A list of labels to be applied to each OpenShift node.
+ osbs_node_labels: []
+ # A list of all predefined node selector labels
+ osbs_managed_node_labels:
+ - "auto_build=true"
+
+ # Disable a node to make it safe to perform
+ # operations such as restarting docker daemon
+ # or any other risky maintenance
+ osbs_disable_node: true
+ # Then to re-enable node:
+ osbs_enable_node: true
+
+See `operations/defaults/main.yml` for a comprehensive list of all
+available variables.
+
+Dependencies
+------------
+
+None.
+
+Example Playbook
+----------------
+
+ - name: update docker
+ hosts: nodes
+ roles:
+ - role: ansible-role-osbs-namespace/operations
+ osbs_upgrade_docker: true
+ osbs_docker_version: docker-1.12.6-61.git85d7426.el7
+
+ - name: node maintenance
+ hosts: nodes
+ roles:
+ - role: ansible-role-osbs-namespace/operations
+ osbs_disable_node: true
+ - role: my-maintenance-role
+ - role: ansible-role-osbs-namespace/operations
+ osbs_enable_node: true
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+Luiz Carvalho
diff --git a/roles/osbs-namespace/operations/defaults/main.yml b/roles/osbs-namespace/operations/defaults/main.yml
new file mode 100644
index 0000000000..0137d87705
--- /dev/null
+++ b/roles/osbs-namespace/operations/defaults/main.yml
@@ -0,0 +1,24 @@
+---
+osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
+osbs_environment:
+ KUBECONFIG: "{{ osbs_kubeconfig_path }}"
+
+osbs_disable_node: false
+osbs_enable_node: false
+osbs_upgrade_docker: false
+osbs_update_node_labels: false
+osbs_node_labels: []
+osbs_managed_node_labels:
+- "auto_build=true"
+
+# Retry for about 2 hours
+osbs_wait_active_pods_retries: 240
+osbs_wait_active_pods_delay: 30 # seconds
+
+# Wait for about 5 minutes
+osbs_wait_node_ready_retries: 30
+osbs_wait_node_ready_delay: 10
+
+osbs_buildroot_imagestream_live_tag: ''
+osbs_buildroot_imagestream: ''
+osbs_buildroot_imagestream_post_build_tag: ''
diff --git a/roles/osbs-namespace/operations/meta/main.yml b/roles/osbs-namespace/operations/meta/main.yml
new file mode 100644
index 0000000000..dace97f01a
--- /dev/null
+++ b/roles/osbs-namespace/operations/meta/main.yml
@@ -0,0 +1,12 @@
+# Standards: 1.8
+galaxy_info:
+ author: Luiz Carvalho
+ description: Collection of common maintenance operations for OpenShift
+ company: Red Hat, Inc.
+ license: BSD
+ min_ansible_version: 2.1
+ platforms:
+ name: EL
+ versions:
+ - 7
+dependencies: []
diff --git a/roles/osbs-namespace/operations/tasks/disable-node.yml b/roles/osbs-namespace/operations/tasks/disable-node.yml
new file mode 100644
index 0000000000..09ba1260ec
--- /dev/null
+++ b/roles/osbs-namespace/operations/tasks/disable-node.yml
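Review bot: `osbs_kubeconfig_path` defaults to `/etc/origin/master/admin.kubeconfig` with no comment on what that credential is; on an OpenShift 3 master this is normally the cluster-admin kubeconfig, and `osbs_environment` exports it to every task in the sub-role that sets `environment:`. I would add a comment above it such as `# Cluster-admin credentials by default; point this at a kubeconfig limited to node management where one exists.` The file also leaves `osbs_docker_version` undefined although the sub-role README lists it, so upgrade-docker.yml depends on the caller always passing it.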
@@ -0,0 +1,25 @@
+---
+- name: Mark node as unschedulable
+ command: >
+ oadm manage-node {{ inventory_hostname }} --schedulable=false
+
+- name: Evacuate infra pods
+ command: >
+ oadm manage-node {{ inventory_hostname }} --evacuate
+ --pod-selector={{ item }}
+ with_items:
+ - "deploymentconfig=router"
+ - "deploymentconfig=registry-console"
+ - "deploymentconfig=docker-registry"
+
+- name: Wait until no more pods are running in node
+ register: active_pods_result
+ shell: >
+ oadm manage-node {{ inventory_hostname }} --list-pods |
+ grep -v 'READY' | awk '{print $2}' | grep -v '0/'
+ until: active_pods_result.rc == 1
+ failed_when: active_pods_result.rc > 1
+ changed_when: false # read-only command
+ environment: "{{ osbs_environment }}"
+ retries: "{{ osbs_wait_active_pods_retries }}"
+ delay: "{{ osbs_wait_active_pods_delay }}"
diff --git a/roles/osbs-namespace/operations/tasks/enable-node.yml b/roles/osbs-namespace/operations/tasks/enable-node.yml
new file mode 100644
index 0000000000..75fb3b5841
--- /dev/null
+++ b/roles/osbs-namespace/operations/tasks/enable-node.yml
@@ -0,0 +1,15 @@
+---
+- name: Mark node as schedulable
+ command: >
+ oadm manage-node {{ inventory_hostname }} --schedulable=true
+
+- name: Wait for node to be Ready
+ register: node_status
+ shell: >
+ oc get node {{ inventory_hostname }} --no-headers=true |
+ awk '{print $2}'
+ until: "'Ready' in node_status.stdout_lines"
+ changed_when: false # read-only command
+ environment: "{{ osbs_environment }}"
+ retries: "{{ osbs_wait_node_ready_retries }}"
+ delay: "{{ osbs_wait_node_ready_delay }}"
diff --git a/roles/osbs-namespace/operations/tasks/main.yml b/roles/osbs-namespace/operations/tasks/main.yml
new file mode 100644
index 0000000000..d86303a478
--- /dev/null
+++ b/roles/osbs-namespace/operations/tasks/main.yml
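Review bot: The drain check in "Wait until no more pods are running in node" takes its exit status from the last `grep`, so a failing `oadm manage-node ... --list-pods` (missing or expired credentials, API unreachable) produces empty output, `rc == 1`, and is read as "node is drained". Capturing the listing first lets the existing `failed_when: active_pods_result.rc > 1` catch that case: `pods=$(oadm manage-node {{ inventory_hostname }} --list-pods) || exit 2; echo "$pods" | grep -v 'READY' | awk '{print $2}' | grep -v '0/'`. The first two tasks in disable-node.yml, and "Mark node as schedulable" in enable-node.yml, also omit `environment: "{{ osbs_environment }}"`, so they run with whatever kubeconfig the remote user happens to have rather than `osbs_kubeconfig_path`.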
@@ -0,0 +1,15 @@
+---
+- include: disable-node.yml
+ when: osbs_disable_node
+
+- include: upgrade-docker.yml
+ when: osbs_upgrade_docker
+
+- include: update-node-selector-labels.yml
+ when: osbs_update_node_labels
+
+- include: tag-buildroot.yml
+ when: osbs_buildroot_imagestream_live_tag != ''
+
+- include: enable-node.yml
+ when: osbs_enable_node
diff --git a/roles/osbs-namespace/operations/tasks/tag-buildroot.yml b/roles/osbs-namespace/operations/tasks/tag-buildroot.yml
new file mode 100644
index 0000000000..7098de1888
--- /dev/null
+++ b/roles/osbs-namespace/operations/tasks/tag-buildroot.yml
@@ -0,0 +1,9 @@
+---
+# Tag the desired build image with the post build tag (“staged” for stage, “released” for prod)
+- name: tag buildroot imagestream
+ command: >
+ oc tag {{ osbs_buildroot_imagestream }}:{{ osbs_buildroot_imagestream_live_tag }} {{ osbs_buildroot_imagestream }}:{{ osbs_buildroot_imagestream_post_build_tag }}
+ environment: "{{ osbs_environment }}"
+ when: osbs_buildroot_imagestream != '' and osbs_buildroot_imagestream_live_tag != '' and osbs_buildroot_imagestream_post_build_tag != ''
+ tags:
+ - oc
diff --git a/roles/osbs-namespace/operations/tasks/update-node-selector-labels.yml b/roles/osbs-namespace/operations/tasks/update-node-selector-labels.yml
new file mode 100644
index 0000000000..bb256bbcf7
--- /dev/null
+++ b/roles/osbs-namespace/operations/tasks/update-node-selector-labels.yml
@@ -0,0 +1,23 @@ +--- +# delete all predefined node selector labels which are not needed anymore +- name: Remove managed node labels + command: > + oc label node {{ inventory_hostname }} {{ item | regex_replace('=.+') }}- + with_items: "{{ osbs_managed_node_labels | difference(osbs_node_labels) }}" + register: delete_label + changed_when: ('not found' not in delete_label.stderr) + environment: "{{ osbs_environment }}" + tags: + - oc + +# set specified node selector labels +- name: Apply node labels + command: > + oc label node {{ inventory_hostname }} {{ item }} + with_items: "{{ osbs_node_labels | intersect(osbs_managed_node_labels) }}" + register: add_label + changed_when: ('labeled' in add_label.stdout) + failed_when: (('labeled' not in add_label.stdout) and ('already has a value' not in add_label.stderr)) + environment: "{{ osbs_environment }}" + tags: + - oc diff --git a/roles/osbs-namespace/operations/tasks/upgrade-docker.yml b/roles/osbs-namespace/operations/tasks/upgrade-docker.yml new file mode 100644 index 0000000000..9464b3b28b --- /dev/null +++ b/roles/osbs-namespace/operations/tasks/upgrade-docker.yml @@ -0,0 +1,15 @@ +--- +- include: disable-node.yml + +- name: Update docker package + yum: + name: "{{ osbs_docker_version }}" + update_cache: true + state: present + +- name: Restart docker service + systemd: + state: restarted + name: docker + +- include: enable-node.yml diff --git a/roles/osbs-namespace/tasks/main.yml b/roles/osbs-namespace/tasks/main.yml index af6a4fd1d0..eadb355f6f 100644 --- a/roles/osbs-namespace/tasks/main.yml +++ b/roles/osbs-namespace/tasks/main.yml @@ -1,4 +1,13 @@ --- +# Query namespace +- name: query osbs namespace + command: oc get project {{ osbs_namespace }} + register: namespace_result + failed_when: namespace_result.rc != 0 and ('not found' not in namespace_result.stderr) + changed_when: false + tags: + - oc + # Create namespace - name: create osbs namespace command: oc new-project {{ osbs_namespace }} 
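Review bot: The added "query osbs namespace" task in tasks/main.yml has no `environment: "{{ osbs_environment }}"`, unlike the "create osbs namespace" task that it now gates, so the lookup may run against a different kubeconfig or context than the creation. Add `environment: "{{ osbs_environment }}"` to the query task so both commands talk to the same cluster with the same identity. The create task's body continues in the next hunk.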
@@ -6,6 +15,7 @@ failed_when: new_project.rc != 0 and ('already exists' not in new_project.stderr) changed_when: new_project.rc == 0 environment: "{{ osbs_environment }}" + when: "'not found' in namespace_result.stderr" tags: - oc @@ -32,46 +42,6 @@ tags: - oc -# Setup policy binding -- name: query policybinding - command: oc get policybinding {{ osbs_namespace }}:default --namespace {{ osbs_namespace }} - environment: "{{ osbs_environment }}" - register: policybinding_query - failed_when: policybinding_query.rc != 0 and ('not found' not in policybinding_query.stderr) - changed_when: false - when: osbs_is_admin - tags: - - oc - -- name: create a policybinding - command: oc create policybinding {{ osbs_namespace }} --namespace {{ osbs_namespace }} - environment: "{{ osbs_environment }}" - when: "osbs_is_admin and 'not found' in policybinding_query.stderr" - tags: - - oc - -# Setup role -- name: copy role - template: - src: role-osbs-custom-build.yml.j2 - dest: "{{ osbs_openshift_home }}/{{ inventory_hostname }}-{{ osbs_namespace }}-role-osbs-custom-build.yml" - environment: "{{ osbs_environment }}" - register: yaml_role - when: osbs_is_admin - tags: - - oc - -- name: import role - command: > - oc replace - --namespace={{ osbs_namespace }} - --force=true - --filename={{ osbs_openshift_home }}/{{ inventory_hostname }}-{{ osbs_namespace }}-role-osbs-custom-build.yml - environment: "{{ osbs_environment }}" - when: yaml_role.changed - tags: - - oc - # Setup role bindings - name: copy role bindings template: 
@@ -98,16 +68,12 @@ groups: "{{ osbs_admin_groups }}" - name: osbs-custom-build-readwrite - role: osbs-custom-build - yaml_version: v1 - role_namespace: "{{ osbs_namespace }}" + role: system:build-strategy-custom users: "{{ osbs_readwrite_users }}" groups: "{{ osbs_readwrite_groups }}" - name: osbs-custom-build-admin - role: osbs-custom-build - yaml_version: v1 - role_namespace: "{{ osbs_namespace }}" + role: system:build-strategy-custom users: "{{ osbs_admin_users }}" groups: "{{ osbs_admin_groups }}" @@ -116,8 +82,7 @@ serviceaccounts: "{{ osbs_service_accounts }}" - name: osbs-custom-build-serviceaccounts - role: osbs-custom-build - role_namespace: "{{ osbs_namespace }}" + role: system:build-strategy-custom serviceaccounts: "{{ osbs_service_accounts }}" register: yaml_rolebindings 
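Review bot: The three `osbs-custom-build-*` bindings (this hunk and the next one) now reference the cluster role `system:build-strategy-custom` directly, and nothing here tells an operator what that grants. Custom-strategy builds run a builder image of the user's choosing, which OpenShift treats as a privileged operation, so `osbs_readwrite_users`, `osbs_readwrite_groups` and `osbs_service_accounts` are in effect the list of who may run privileged build containers in the namespace. I would add a comment above the first binding, for example `# system:build-strategy-custom lets these subjects run custom (privileged) builds; keep the lists minimal.` The `with_items` list starts and ends outside the hunk.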
@@ -133,7 +98,35 @@ --filename={{ osbs_openshift_home }}/{{ inventory_hostname }}-{{ osbs_namespace }}-rolebinding-{{ item.item.name }}.yml environment: "{{ osbs_environment }}" with_items: "{{ yaml_rolebindings.results }}" - when: item.changed + when: yaml_rolebindings.changed and item.changed + tags: + - oc + +- name: copy pruner role binding + template: + src: "openshift-rolebinding.{{ item.yaml_version | default('v2') }}.yml.j2" + dest: "{{ osbs_openshift_home }}/{{ inventory_hostname }}-{{ osbs_namespace }}-rolebinding-{{ item.name }}.yml" + with_items: + + - name: osbs-pruner-serviceaccounts + role: system:image-pruner + type: ClusterRoleBinding + serviceaccounts: ["{{ osbs_serviceaccount_pruner }}"] + + register: yaml_rolebindings_pruner + when: osbs_is_admin and osbs_serviceaccount_pruner + tags: + - oc + +- name: import pruner role bindings + command: > + oc replace + --namespace={{ osbs_namespace }} + --force=true + --filename={{ osbs_openshift_home }}/{{ inventory_hostname }}-{{ osbs_namespace }}-rolebinding-{{ item.item.name }}.yml + environment: "{{ osbs_environment }}" + with_items: "{{ yaml_rolebindings_pruner.results }}" + when: yaml_rolebindings_pruner.changed and item.changed tags: - oc @@ -188,5 +181,25 @@ tags: - oc -- import_tasks: orchestrator.yml +- name: copy prune cronjob yaml + template: + src: openshift-prune-cronjob.yml.j2 + dest: "{{ osbs_openshift_home }}/{{ inventory_hostname }}-{{ osbs_namespace }}-prune-cronjob.yml" + register: yaml_cronjob + when: osbs_prune + tags: + - oc + +- name: import prune cronjob yaml + command: > + oc replace + --namespace={{ osbs_namespace }} + --force=true + --filename={{ osbs_openshift_home }}/{{ inventory_hostname }}-{{ osbs_namespace }}-prune-cronjob.yml + environment: "{{ osbs_environment }}" + when: osbs_prune and yaml_cronjob.changed + tags: + - oc + +- include: orchestrator.yml when: osbs_orchestrator 
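Review bot: "copy pruner role binding" creates a `ClusterRoleBinding` with the fixed name `osbs-pruner-serviceaccounts`, and the import task applies it with `oc replace --force=true`. Because that object is cluster-scoped, running the role for a second namespace would appear to delete and recreate the same binding, leaving only the most recent namespace's pruner account bound (the subjects part of the template is not visible in this diff, so confirm). Including the namespace in the name, e.g. `- name: osbs-pruner-serviceaccounts-{{ osbs_namespace }}`, avoids that. `system:image-pruner` is a cluster-wide grant, so it is also worth a comment that `osbs_serviceaccount_pruner` should be a dedicated account.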
diff --git a/roles/osbs-namespace/tasks/orchestrator.yml b/roles/osbs-namespace/tasks/orchestrator.yml index 67a2ecbf55..024d4162f1 100644 --- a/roles/osbs-namespace/tasks/orchestrator.yml +++ b/roles/osbs-namespace/tasks/orchestrator.yml @@ -16,3 +16,38 @@ register: yaml_client_config_secret tags: - oc + +# Setup imagestream +- name: copy imagestream + template: + src: osbs-buildroot-imagestream.yml.j2 + dest: "{{ osbs_openshift_home }}/{{ inventory_hostname }}-{{ osbs_namespace }}-osbs-buildroot-imagestream.yml" + environment: "{{ osbs_environment }}" + when: osbs_buildroot_repository != '' and osbs_buildroot_imagestream != '' + register: yaml_imagestream + tags: + - oc + +- name: create imagestream + command: > + oc replace + --namespace={{ osbs_namespace }} + --force=true + --filename={{ osbs_openshift_home }}/{{ inventory_hostname }}-{{ osbs_namespace }}-osbs-buildroot-imagestream.yml + environment: "{{ osbs_environment }}" + when: yaml_imagestream.changed + tags: + - oc + +- name: update imagestream tag + command: > + oc import-image {{ osbs_buildroot_imagestream }}:{{ osbs_buildroot_imagestream_live_tag }} + --from {{ osbs_buildroot_repository }}:{{ osbs_buildroot_imagestream_live_tag }} + {{ " --insecure" if osbs_insecure_repository else ''}} + environment: "{{ osbs_environment }}" + when: osbs_buildroot_repository != '' and osbs_buildroot_imagestream != '' and osbs_buildroot_imagestream_live_tag != '' + register: imagestream_tag_updated + changed_when: ('The import completed successfully.' in imagestream_tag_updated.stdout) + failed_when: ('The import completed successfully.' not in imagestream_tag_updated.stdout) + tags: + - oc diff --git a/roles/osbs-namespace/templates/client-config-secret.conf.j2 b/roles/osbs-namespace/templates/client-config-secret.conf.j2 index 1d922bdd56..d5b385213d 100644 --- a/roles/osbs-namespace/templates/client-config-secret.conf.j2 +++ b/roles/osbs-namespace/templates/client-config-secret.conf.j2 
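Review bot: `{{ " --insecure" if osbs_insecure_repository else ''}}` in "update imagestream tag" tests the raw variable, so a value supplied as a string (for example `-e osbs_insecure_repository=false`) is non-empty and still adds `--insecure`. Use `{{ " --insecure" if osbs_insecure_repository | bool else '' }}` so that only a real true value disables registry verification. Separately, `changed_when` and `failed_when` test the same success message, so the task reports a change on every successful run.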
@@ -9,7 +9,9 @@ openshift_url = {{ cluster.openshift_url }} token_file = /var/run/secrets/atomic-reactor/{{ cluster.name | replace('_', '-') }}-orchestrator/token use_auth = {{ cluster.use_auth | default('true') }} verify_ssl = {{ cluster.verify_ssl | default('true') }} -low_priority_node_selector = {{ cluster.low_priority_node_selector | default('') }} +{% if cluster.auto_build_node_selector | default('') %} +auto_build_node_selector = {{ cluster.auto_build_node_selector }} +{% endif %} authoritative_registry = {{ osbs_authoritative_registry }} distribution_scope = {{ osbs_distribution_scope }} @@ -51,3 +53,10 @@ sources_command = {{ osbs_sources_command }} vendor = {{ osbs_vendor }} {% endfor %} {% endfor %} + +[platform:x86_64] +architecture = amd64 +enable_v1 = true + +[platform:aarch64] +architecture = arm64 diff --git a/roles/osbs-namespace/templates/openshift-prune-cronjob.yml.j2 b/roles/osbs-namespace/templates/openshift-prune-cronjob.yml.j2 new file mode 100644 index 0000000000..d0a4978460 --- /dev/null +++ b/roles/osbs-namespace/templates/openshift-prune-cronjob.yml.j2 @@ -0,0 +1,18 @@ +apiVersion: batch/v2alpha1 +kind: CronJob +metadata: + name: build-pruner +spec: + schedule: "{{ osbs_prune_schedule }}" + jobTemplate: + spec: + template: + spec: + serviceAccountName: "{{ osbs_prune_serviceaccount }}" + containers: + - name: build-pruner + image: "{{ osbs_prune_image }}" + + {% if osbs_prune_commands %}command: {{ osbs_prune_commands | to_yaml }}{% endif %} + + restartPolicy: Never diff --git a/roles/osbs-namespace/templates/openshift-rolebinding.v2.yml.j2 b/roles/osbs-namespace/templates/openshift-rolebinding.v2.yml.j2 index c95e8da8a2..833255cc95 100644 --- a/roles/osbs-namespace/templates/openshift-rolebinding.v2.yml.j2 +++ b/roles/osbs-namespace/templates/openshift-rolebinding.v2.yml.j2 @@ -1,5 +1,5 @@ apiVersion: v1 -kind: RoleBinding +kind: {{ item.type | default("RoleBinding") }} metadata: name: {{ item.name }} namespace: {{ osbs_namespace }} 
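Review bot: The CronJob template sets `serviceAccountName: "{{ osbs_prune_serviceaccount }}"`, but no variable of that name is defined in this patch: defaults/main.yml adds `osbs_prune_service_account` and `osbs_serviceaccount_pruner`, and the README documents `osbs_prune_secret`. As written the template will hit an undefined variable once `osbs_prune` is enabled, and even when defined, the job's account is not tied to the one that tasks/main.yml binds to `system:image-pruner`. Using one variable in both places, e.g. `serviceAccountName: "{{ osbs_serviceaccount_pruner }}"`, keeps the job running as the account that was actually granted the role. `osbs_prune_image` also defaults to `''`, so enabling `osbs_prune` alone renders a container with an empty image.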
diff --git a/roles/osbs-namespace/templates/osbs-buildroot-imagestream.yml.j2 b/roles/osbs-namespace/templates/osbs-buildroot-imagestream.yml.j2 new file mode 100644 index 0000000000..38b1d776b6 --- /dev/null +++ b/roles/osbs-namespace/templates/osbs-buildroot-imagestream.yml.j2 @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: ImageStream +metadata: + annotations: + openshift.io/image.insecureRepository: "{{ osbs_insecure_repository }}" + name: {{ osbs_buildroot_imagestream }} + namespace: {{ osbs_namespace }} +spec: + dockerImageRepository: {{ osbs_buildroot_repository }} diff --git a/roles/osbs-namespace/templates/reactor-config-secret.yml.j2 b/roles/osbs-namespace/templates/reactor-config-secret.yml.j2 index de71de7cdd..bba90c2dee 100644 --- a/roles/osbs-namespace/templates/reactor-config-secret.yml.j2 +++ b/roles/osbs-namespace/templates/reactor-config-secret.yml.j2 @@ -11,3 +11,10 @@ clusters: {% endfor %} {% endfor %} + +{% if osbs_odcs_enabled %} +odcs: + signing_intents: + {{ osbs_odcs_signing_intents | to_yaml | indent(4) }} + default_signing_intent: {{ osbs_odcs_default_signing_intent }} +{% endif %} diff --git a/roles/osbs-namespace/tests/files/expected-client-config-secret.conf b/roles/osbs-namespace/tests/files/expected-client-config-secret.conf index 7ac9c016f4..4ae5d537f1 100644 --- a/roles/osbs-namespace/tests/files/expected-client-config-secret.conf +++ b/roles/osbs-namespace/tests/files/expected-client-config-secret.conf @@ -3,13 +3,12 @@ build_json_dir = /usr/share/osbs [minimum] namespace = worker -openshift_url = https://minimum-worker.test.redhat.com +openshift_url = https://minimum-worker.test.fedoraproject.org token_file = /var/run/secrets/atomic-reactor/minimum-orchestrator/token use_auth = true verify_ssl = false -artifacts_allowed_domains = -authoritative_registry = registry.access.redhat.com +authoritative_registry = registry.fedoraproject.org distribution_scope = public # Koji integration 
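Review bot: `openshift.io/image.insecureRepository: "{{ osbs_insecure_repository }}"` renders the Python form of the boolean, so the annotation value becomes `"True"` or `"False"` rather than the lowercase strings the annotation is normally written with. Whether OpenShift honours `"True"` is not visible here, so the annotation may not agree with what the `--insecure` flag in tasks/orchestrator.yml does. Rendering it explicitly, `"{{ osbs_insecure_repository | bool | lower }}"`, makes the value unambiguous.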
@@ -22,17 +21,17 @@ pulp_secret = pulpsecret registry_api_versions = v1,v2 registry_secret = v2-registry-dockercfg -sources_command = rhpkg sources -vendor = Red Hat, Inc. +sources_command = fedpkg sources +vendor = Fedora Project [all_values] namespace = spam -openshift_url = https://all_values-worker.test.redhat.com +openshift_url = https://all_values-worker.test.fedoraproject.org token_file = /var/run/secrets/atomic-reactor/all-values-orchestrator/token use_auth = false verify_ssl = false -artifacts_allowed_domains = allowed.domain.com,also-allowed.domain.com +auto_build_node_selector = auto_build=true -authoritative_registry = registry.access.redhat.com +authoritative_registry = registry.fedoraproject.org distribution_scope = public # Koji integration @@ -45,5 +44,12 @@ pulp_secret = pulpsecret registry_api_versions = v1,v2 registry_secret = v2-registry-dockercfg -sources_command = rhpkg sources -vendor = Red Hat, Inc. +sources_command = fedpkg sources +vendor = Fedora Project + +[platform:x86_64] +architecture = amd64 +enable_v1 = true + +[platform:aarch64] +architecture = arm64 diff --git a/roles/osbs-namespace/tests/group_vars/masters.yml b/roles/osbs-namespace/tests/group_vars/masters.yml index ac32cbd376..26b0b5098c 100644 --- a/roles/osbs-namespace/tests/group_vars/masters.yml +++ b/roles/osbs-namespace/tests/group_vars/masters.yml @@ -3,15 +3,16 @@ osbs_worker_clusters: x86_64: - name: 'minimum' max_concurrent_builds: 1 - openshift_url: 'https://minimum-worker.test.redhat.com' + openshift_url: 'https://minimum-worker.test.fedoraproject.org' verify_ssl: 'false' - name: 'all_values' namespace: 'spam' max_concurrent_builds: 99 - openshift_url: 'https://all_values-worker.test.redhat.com' + openshift_url: 'https://all_values-worker.test.fedoraproject.org' verify_ssl: 'false' use_auth: 'false' artifacts_allowed_domains: - allowed.domain.com - also-allowed.domain.com + auto_build_node_selector: 'auto_build=true' 
diff --git a/roles/osbs-namespace/tests/test.yml b/roles/osbs-namespace/tests/test.yml index 2c9759eeff..c55df525c6 100644 --- a/roles/osbs-namespace/tests/test.yml +++ b/roles/osbs-namespace/tests/test.yml @@ -17,8 +17,7 @@ - name: bring up new cluster command: > oc cluster up - --version v3.4.1.10 - --image registry.access.redhat.com/openshift3/ose + --version v3.6.0 register: cmd_cluster_up changed_when: cmd_cluster_up.rc == 0 @@ -170,14 +169,14 @@ command: > oc -n test-non-admin get role osbs-custom-build register: cmd_role - failed_when: "'No resources found' not in cmd_role.stderr" + failed_when: ('No resources found' not in cmd_role.stderr) and ('NotFound' not in cmd_role.stderr) changed_when: false - name: custom rolebindings NOT created in non-admin namespace command: > oc -n test-non-admin get rolebinding {{ item }} register: cmd_rolebinding - failed_when: "'No resources found' not in cmd_rolebinding.stderr" + failed_when: ('No resources found' not in cmd_rolebinding.stderr) and ('NotFound' not in cmd_rolebinding.stderr) with_items: - osbs-admin - osbs-admin @@ -227,7 +226,7 @@ command: > oc -n test-limitrange get limitrange cpureq register: cmd_limitrange - failed_when: "'No resources found' not in cmd_limitrange.stderr" + failed_when: ('No resources found' not in cmd_limitrange.stderr) and ('NotFound' not in cmd_limitrange.stderr) changed_when: false - name: setup policybinding dedicated-admin namespace