From b9a5f7844f9bd7624bd03ed148cd97dde243cd1b Mon Sep 17 00:00:00 2001 From: Nicola Tarocco Date: Mon, 10 Jan 2022 17:36:12 +0100 Subject: [PATCH] Changes to move PROD to OKD4 --- .gitignore | 1 + .gitlab-ci.yml | 44 ++++++++++-------------- README.md | 45 +++++++++++++------------ app-config/openshift/config-fetch.py | 19 ++++------- app-config/openshift/config-generate.py | 6 ++-- 5 files changed, 51 insertions(+), 64 deletions(-) diff --git a/.gitignore b/.gitignore index f2492ed8..34a5a41b 100644 --- a/.gitignore +++ b/.gitignore @@ -15,3 +15,4 @@ support # openshift config check folder app-config/openshift/test-cara +app-config/openshift/cara-prod diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index c34a0955..f57bc054 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -72,16 +72,16 @@ check_openshift_config_test: CARA_INSTANCE: 'test-cara' BRANCH: 'live/test-cara' OC_SERVER: https://api.paas.okd.cern.ch - OC_TOKEN: "${OPENSHIFT_CONFIG_CHECKER_TOKEN_TEST_CARA}" + OC_TOKEN: "${OPENSHIFT_TEST_CONFIG_CHECKER_TOKEN}" check_openshift_config_prod: extends: .test_openshift_config variables: - CARA_INSTANCE: 'cara' + CARA_INSTANCE: 'cara-prod' BRANCH: 'master' - OC_SERVER: https://openshift.cern.ch - OC_TOKEN: "${OPENSHIFT_CONFIG_CHECKER_TOKEN_PROD}" + OC_SERVER: https://api.paas.okd.cern.ch + OC_TOKEN: "${OPENSHIFT_PROD_CONFIG_CHECKER_TOKEN}" # ################################################################################################### 
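Review bot: The cluster endpoint is now spelled out in several places instead of one. `check_openshift_config_test` and `check_openshift_config_prod` each keep their own `OC_SERVER: https://api.paas.okd.cern.ch`, while the later hunks for `oci_calculator` and `trigger_cara-router_build_on_openshift` drop `OC_SERVER` and inline the same URL in the `oc tag` and `curl` script lines. Since this is the host that receives the deploy tokens and the webhook secret, a single definition would be safer against drift, for example one shared `OC_SERVER: "https://api.paas.okd.cern.ch"` in a common `variables:` block referenced as `${OC_SERVER}` everywhere. Whether such a shared block already exists is not visible in this hunk.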
@@ -93,23 +93,18 @@ check_openshift_config_prod: rules: - if: '$CI_COMMIT_BRANCH == "live/test-cara"' variables: - DOCKER_REGISTRY: $CI_REGISTRY_IMAGE IMAGE_TAG: test-cara-latest - KANIKO_AUTH: "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" - if: '$CI_COMMIT_BRANCH == "master"' variables: - DOCKER_REGISTRY: "${OPENSHIFT_DOCKER_REGISTRY_PROD}" - # change to `cara-latest` after moving prod to OKD4 - IMAGE_TAG: latest - KANIKO_AUTH: "{\"auths\":{\"$OPENSHIFT_DOCKER_REGISTRY_PROD\":{\"auth\":\"$OPENSHIFT_DOCKER_TOKEN_PROD\"}}}" + IMAGE_TAG: cara-prod-latest image: # Based on guidance at https://gitlab.cern.ch/gitlabci-examples/build_docker_image. name: gitlab-registry.cern.ch/ci-tools/docker-image-builder entrypoint: [""] script: - - echo ${KANIKO_AUTH} > /kaniko/.docker/config.json + - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json - echo "Building ${CI_REGISTRY_IMAGE}/${IMAGE_NAME}:latest Docker image..." - - /kaniko/executor --context ${CI_PROJECT_DIR}/${DOCKER_CONTEXT_DIRECTORY} --dockerfile ${CI_PROJECT_DIR}/${DOCKERFILE_DIRECTORY}/Dockerfile --destination ${DOCKER_REGISTRY}/${IMAGE_NAME}:${IMAGE_TAG} + - /kaniko/executor --context ${CI_PROJECT_DIR}/${DOCKER_CONTEXT_DIRECTORY} --dockerfile ${CI_PROJECT_DIR}/${DOCKERFILE_DIRECTORY}/Dockerfile --destination ${CI_REGISTRY_IMAGE}/${IMAGE_NAME}:${IMAGE_TAG} auth-service-image_builder: 
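Review bot: The unchanged progress line `echo "Building ${CI_REGISTRY_IMAGE}/${IMAGE_NAME}:latest Docker image..."` names a tag this job does not push, because the destination is now `${CI_REGISTRY_IMAGE}/${IMAGE_NAME}:${IMAGE_TAG}`. Changing it to `echo "Building ${CI_REGISTRY_IMAGE}/${IMAGE_NAME}:${IMAGE_TAG} Docker image..."` keeps the job log accurate as a record of what was built for production. Production is also now fed only from the mutable tag `cara-prod-latest`, so the registry holds no record of which commit a deployed image came from. Adding a second `--destination ${CI_REGISTRY_IMAGE}/${IMAGE_NAME}:${CI_COMMIT_SHORT_SHA}` to the kaniko call would give an immutable reference for rollback and audit.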
@@ -148,19 +143,16 @@ oci_calculator: rules: - if: '$CI_COMMIT_BRANCH == "live/test-cara"' variables: - OC_SERVER: "https://api.paas.okd.cern.ch" OC_PROJECT: "test-cara" - OC_TOKEN: ${OPENSHIFT_CARA_TEST_DEPLOY_TOKEN} + OC_TOKEN: ${OPENSHIFT_TEST_DEPLOY_TOKEN} IMAGE_TAG: test-cara-latest - # UNCOMMENT when prod migrated to OKD4 - # - if: '$CI_COMMIT_BRANCH == "master"' - # variables: - # OC_SERVER: "https://openshift.cern.ch" - # OC_PROJECT: "cara" - # OC_TOKEN: ${OPENSHIFT_CARA_DEPLOY_TOKEN} - # IMAGE_TAG: cara-latest + - if: '$CI_COMMIT_BRANCH == "master"' + variables: + OC_PROJECT: "cara-prod" + OC_TOKEN: ${OPENSHIFT_PROD_DEPLOY_TOKEN} + IMAGE_TAG: cara-prod-latest script: - - oc tag --source=docker ${CI_REGISTRY_IMAGE}/${IMAGE_NAME}:${IMAGE_TAG} ${IMAGE_NAME}:latest --token ${OC_TOKEN} --server=${OC_SERVER} -n ${OC_PROJECT} + - oc tag --source=docker ${CI_REGISTRY_IMAGE}/${IMAGE_NAME}:${IMAGE_TAG} ${IMAGE_NAME}:latest --token ${OC_TOKEN} --server=https://api.paas.okd.cern.ch -n ${OC_PROJECT} link_auth-service_with_gitlab_registry: extends: @@ -189,13 +181,11 @@ trigger_cara-router_build_on_openshift: rules: - if: '$CI_COMMIT_BRANCH == "live/test-cara"' variables: - OC_SERVER: "https://api.paas.okd.cern.ch" OC_PROJECT: "test-cara" BUILD_WEBHOOK_SECRET: ${OPENSHIFT_TEST_BUILD_WEBHOOK_SECRET} - if: '$CI_COMMIT_BRANCH == "master"' variables: - OC_SERVER: "https://openshift.cern.ch" - OC_PROJECT: "cara" - BUILD_WEBHOOK_SECRET: ${OPENSHIFT_BUILD_WEBHOOK_SECRET} + OC_PROJECT: "cara-prod" + BUILD_WEBHOOK_SECRET: ${OPENSHIFT_PROD_BUILD_WEBHOOK_SECRET} script: - - curl -X POST -k ${OC_SERVER}/apis/build.openshift.io/v1/namespaces/${OC_PROJECT}/buildconfigs/cara-router/webhooks/${BUILD_WEBHOOK_SECRET}/generic + - curl -X POST -k https://api.paas.okd.cern.ch/apis/build.openshift.io/v1/namespaces/${OC_PROJECT}/buildconfigs/cara-router/webhooks/${BUILD_WEBHOOK_SECRET}/generic diff --git a/README.md b/README.md index 886a5cf1..aa67fda1 100644 --- a/README.md +++ b/README.md 
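Review bot: Enabling the `master` rule means any pipeline that runs on `master` can use `OPENSHIFT_PROD_DEPLOY_TOKEN` to retag the production image stream. The diff cannot show how that CI variable is configured, so please confirm it is set as protected and masked and that `master` is a protected branch. On the `oc tag` line the token is expanded unquoted on the command line; `--token "${OC_TOKEN}"` avoids word-splitting surprises. A short comment above the rule stating which service account the token belongs to (the README names `gitlabci-deployer`) would help whoever rotates it.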
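Review bot: The rewritten `curl` line in `trigger_cara-router_build_on_openshift` keeps `-k`, so TLS certificate verification is off for a request that carries `${BUILD_WEBHOOK_SECRET}` in the URL path. With this commit that request also carries the production secret `OPENSHIFT_PROD_BUILD_WEBHOOK_SECRET`. Without verification the job cannot tell the real API endpoint from an interposed one, and the secret would be disclosed to whoever answers. Drop `-k`, adding `--cacert` with the CA bundle if the runner image lacks the issuing CA, and add `--fail` so an HTTP error from the webhook fails the job: `curl --fail -sS -X POST https://api.paas.okd.cern.ch/apis/build.openshift.io/v1/namespaces/${OC_PROJECT}/buildconfigs/cara-router/webhooks/${BUILD_WEBHOOK_SECRET}/generic`.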
@@ -181,27 +181,12 @@ $ oc login https://api.paas.okd.cern.ch Then, switch to the project that you want to update: ```console -$ oc project test-cara -``` - -If you need to create the application in a new project, run: - -```console -$ cd app-config/openshift - -$ oc process -f routes.yaml --param HOST='test-cara.web.cern.ch' | oc create -f - -$ oc process -f configmap.yaml | oc create -f - -$ oc process -f services.yaml | oc create -f - -$ oc process -f imagestreams.yaml | oc create -f - -$ oc process -f buildconfig.yaml --param GIT_BRANCH='live/test-cara' | oc create -f - -$ oc process -f deploymentconfig.yaml --param PROJECT_NAME='test-cara' | oc create -f - +$ oc project cara-test ``` Create a new service account in OpenShift to use GitLab container registry: ```console -$ oc project test-cara - $ oc create serviceaccount gitlabci-deployer serviceaccount "gitlabci-deployer" created @@ -212,11 +197,11 @@ $ oc serviceaccounts get-token gitlabci-deployer <...test-token...> ``` -Add the token to GitLab to allow GitLab to access OpenShift and define/change image stream tags. Go to `Settings` -> `CI / CD` -> `Variables` -> click on `Expand` button and create the variable `OPENSHIFT_CARA_TEST_DEPLOY_TOKEN`: insert the token `<...test-token...>`. +Add the token to GitLab to allow GitLab to access OpenShift and define/change image stream tags. Go to `Settings` -> `CI / CD` -> `Variables` -> click on `Expand` button and create the variable `OPENSHIFT_TEST_DEPLOY_TOKEN`: insert the token `<...test-token...>`. Then, create the webhook secret to be able to trigger automatic builds from GitLab. -Create and store the secret. Copy the secret above and add it to the GitLab project under `CI /CD` -> `Variables` with the name `OPENSHIFT_CARA_TEST_WEBHOOK_SECRET`. +Create and store the secret. Copy the secret above and add it to the GitLab project under `CI /CD` -> `Variables` with the name `OPENSHIFT_TEST_WEBHOOK_SECRET`. ```console $ WEBHOOKSECRET=$(openssl rand -hex 50) 
@@ -231,10 +216,26 @@ For CI usage, we also suggest creating a service account: oc create sa gitlab-config-checker ``` -Under ``Resources`` -> ``Membership`` enable the ``View`` role for this new service account. +Under ``User Management`` -> ``RoleBindings`` create a new `RoleBinding` to grant `View` access to the `gitlab-config-checker` service account: -To get this new user's authentication token go to ``Resources`` -> ``Secrets`` and locate the token in the newly -created secret associated with the user (in this case ``gitlab-config-checker-token-XXXX``). +* name: `gitlab-config-checker-view-role` +* role name: `view` +* service account: `gitlab-config-checker` + +To get this new user's authentication token go to ``User Management`` -> ``Service Accounts`` -> `gitlab-config-checker` and locate the token in the newly created secret associated with the user (in this case ``gitlab-config-checker-token-XXXX``). Copy the `token` value from `Data`. + +Create the various configurations: + +```console +$ cd app-config/openshift + +$ oc process -f routes.yaml --param HOST='test-cara.web.cern.ch' | oc create -f - +$ oc process -f configmap.yaml | oc create -f - +$ oc process -f services.yaml | oc create -f - +$ oc process -f imagestreams.yaml | oc create -f - +$ oc process -f buildconfig.yaml --param GIT_BRANCH='live/test-cara' | oc create -f - +$ oc process -f deploymentconfig.yaml --param PROJECT_NAME='cara-test' | oc create -f - +``` ### CERN SSO integration 
@@ -289,7 +290,7 @@ $ oc process -f services.yaml | oc replace -f - $ oc process -f routes.yaml --param HOST='test-cara.web.cern.ch' | oc replace -f - $ oc process -f imagestreams.yaml | oc replace -f - $ oc process -f buildconfig.yaml --param GIT_BRANCH='live/test-cara' | oc replace -f - -$ oc process -f deploymentconfig.yaml --param PROJECT_NAME='test-cara' | oc replace -f - +$ oc process -f deploymentconfig.yaml --param PROJECT_NAME='cara-test' | oc replace -f - ``` Be aware that if you change/replace the **route** of the PROD instance, diff --git a/app-config/openshift/config-fetch.py b/app-config/openshift/config-fetch.py index a09592e1..973d0c11 100644 --- a/app-config/openshift/config-fetch.py +++ b/app-config/openshift/config-fetch.py @@ -9,7 +9,7 @@ def configure_parser(parser: argparse.ArgumentParser) -> None: parser.description = "Fetch the openshift config for CARA" parser.set_defaults(handler=handler) parser.add_argument( - "instance", choices=['cara', 'test-cara'], + "instance", choices=['cara-prod', 'test-cara'], help="Pick the instance for which you want to fetch the config", ) parser.add_argument( @@ -32,7 +32,7 @@ def get_oc_server() -> typing.Optional[str]: ], check=True, stdout=subprocess.PIPE).stdout.decode().strip() -def fetch_config(output_directory: pathlib.Path, okd_version: int): +def fetch_config(output_directory: pathlib.Path): output_directory.mkdir(exist_ok=True, parents=True) for component, name in [ @@ -44,9 +44,7 @@ def fetch_config(output_directory: pathlib.Path, okd_version: int): ('deploymentconfig', None)]: with (output_directory / f'{component}.yaml').open('wt') as fh: - cmdOKD4 = ['oc', 'get', '-o', 'yaml', component] - cmdOKD3 = ['oc', 'get', '--export', '-o', 'yaml', component] - cmd = cmdOKD4 if okd_version == 4 else cmdOKD3 + cmd = ['oc', 'get', '-o', 'yaml', component] if name: cmd += [name] print(f'Running: {" ".join(cmd)}') 
@@ -55,14 +53,11 @@ def fetch_config(output_directory: pathlib.Path, okd_version: int): def handler(args: argparse.ArgumentParser) -> None: - if args.instance == 'cara': - login_server = 'https://openshift.cern.ch:443' - project_name = 'cara' - okd_version = 3 + login_server = 'https://api.paas.okd.cern.ch:443' + if args.instance == 'cara-prod': + project_name = 'cara-prod' elif args.instance == 'test-cara': - login_server = 'https://api.paas.okd.cern.ch:443' project_name = 'test-cara' - okd_version = 4 actual_login_server = get_oc_server() if actual_login_server != login_server: @@ -71,7 +66,7 @@ def handler(args: argparse.ArgumentParser) -> None: subprocess.run(['oc', 'project', project_name], stdout=subprocess.DEVNULL, check=True) - fetch_config(pathlib.Path(args.output_directory), okd_version) + fetch_config(pathlib.Path(args.output_directory)) def main(): diff --git a/app-config/openshift/config-generate.py b/app-config/openshift/config-generate.py index 079f8e78..aedb2267 100644 --- a/app-config/openshift/config-generate.py +++ b/app-config/openshift/config-generate.py @@ -8,7 +8,7 @@ def configure_parser(parser: argparse.ArgumentParser) -> None: parser.description = "Generate the config files which can be later submitted to openshift" parser.set_defaults(handler=handler) parser.add_argument( - "instance", choices=['cara', 'test-cara'], + "instance", choices=['cara-prod', 'test-cara'], help="Pick the instance for which you want to generate the config", ) parser.add_argument( @@ -39,8 +39,8 @@ def generate_config(output_directory: pathlib.Path, project_name: str, hostname: def handler(args: argparse.ArgumentParser) -> None: - if args.instance == 'cara': - project_name = 'cara' + if args.instance == 'cara-prod': + project_name = 'cara-prod' branch = 'master' hostname = 'cara.web.cern.ch' elif args.instance == 'test-cara':
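Review bot: In `handler` of `config-fetch.py` the `if`/`elif` chain now only copies `args.instance` into `project_name`, and it has no `else`, so the name would be unbound if a new value were added to `choices` without a matching branch. With both instances on the same cluster it can be replaced with `project_name = args.instance`. The `handler` in `config-generate.py` has the same open-ended `if`/`elif`, where a closing `else: raise ValueError(args.instance)` would make a missed branch fail loudly. The context line also annotates the parameter as `args: argparse.ArgumentParser` although the code reads parsed attributes from it, so `argparse.Namespace` looks like the intended type. The body of `handler` continues outside this hunk.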