Merge branch 'master' into feature/base_theme_improvements

Luis Aleixo 2021-12-21 10:48:10 +00:00
commit 2aba369ca2
15 changed files with 182 additions and 94 deletions

3
.gitignore vendored

@ -9,8 +9,9 @@ __pycache__
.idea
.vscode
env*
venv
support
# openshift config check folder
app-config/openshift/test-cara


@ -1,4 +1,3 @@
# Use the acc-py-devtools templates found at
# https://gitlab.cern.ch/-/ide/project/acc-co/devops/python/acc-py-devtools/blob/master/-/acc_py_devtools/templates/gitlab-ci/python.yml.
include:
@ -10,6 +9,9 @@ variables:
PY_VERSION: "3.9"
# ###################################################################################################
# Test code
# A full installation of CARA, tested with pytest.
test_install:
extends: .acc_py_full_test
@ -21,10 +23,20 @@ test_dev:
# A development installation of CARA tested with pytest.
test_dev-39:
variables:
PY_VERSION: "3.9"
extends: .acc_py_dev_test
# ###################################################################################################
# Test OpenShift config
.test_openshift_config:
stage: test
rules:
- if: '$OC_TOKEN && $CI_MERGE_REQUEST_SOURCE_BRANCH_NAME == $BRANCH'
allow_failure: false # The branch must represent what is deployed.
allow_failure: true # The branch must represent what is deployed. FIXME: change to true because of a diff between ConfigMaps
- if: '$OC_TOKEN && $CI_MERGE_REQUEST_EVENT_TYPE != "detached"'
allow_failure: true # Anything other than the branch may fail without blocking the pipeline.
image: registry.cern.ch/docker.io/mambaorg/micromamba
@ -34,7 +46,6 @@ test_dev:
- wget https://github.com/openshift/origin/releases/download/v3.11.0/openshift-origin-client-tools-v3.11.0-0cbc58b-linux-64bit.tar.gz
- tar xzf ./openshift-origin-client-tools-v3.11.0-0cbc58b-linux-64bit.tar.gz
- mv openshift-origin-client-tools-v3.11.0-0cbc58b-linux-64bit/oc $HOME/env/bin/
script:
- cd ./app-config/openshift
- oc login ${OC_SERVER} --token="${OC_TOKEN}"
@ -43,19 +54,18 @@ test_dev:
- python ./config-normalise.py ./${CARA_INSTANCE}/actual ./${CARA_INSTANCE}/actual-normed
- python ./config-normalise.py ./${CARA_INSTANCE}/expected ./${CARA_INSTANCE}/expected-normed
- diff -u ./${CARA_INSTANCE}/actual-normed/ ./${CARA_INSTANCE}/expected-normed/
artifacts:
paths:
- ./app-config/openshift/${CARA_INSTANCE}/actual
- ./app-config/openshift/${CARA_INSTANCE}/expected
check_openshift_config_test-cara:
check_openshift_config_test:
extends: .test_openshift_config
variables:
CARA_INSTANCE: 'test-cara'
BRANCH: 'live/test-cara'
OC_SERVER: openshift-dev.cern.ch
OC_SERVER: https://api.paas.okd.cern.ch
OC_TOKEN: "${OPENSHIFT_CONFIG_CHECKER_TOKEN_TEST_CARA}"
@ -64,36 +74,31 @@ check_openshift_config_prod:
variables:
CARA_INSTANCE: 'cara'
BRANCH: 'master'
OC_SERVER: openshift.cern.ch
OC_SERVER: https://openshift.cern.ch
OC_TOKEN: "${OPENSHIFT_CONFIG_CHECKER_TOKEN_PROD}"
# A development installation of CARA tested with pytest.
test_dev-39:
variables:
PY_VERSION: "3.9"
extends: .acc_py_dev_test
# ###################################################################################################
# Build docker images
.image_builder:
# Build and push images to the openshift instance, which automatically triggers an application re-deployment.
stage: deploy
image:
# Based on guidance at https://gitlab.cern.ch/gitlabci-examples/build_docker_image.
name: gitlab-registry.cern.ch/ci-tools/docker-image-builder
entrypoint: [""]
rules:
- if: '$OPENSHIFT_DOCKER_TOKEN_TEST != "" && $CI_COMMIT_BRANCH == "live/test-cara"'
variables:
DOCKER_REGISTRY: "${OPENSHIFT_DOCKER_REGISTRY_TEST}"
DOCKER_TOKEN: "${OPENSHIFT_DOCKER_TOKEN_TEST}"
- if: '$OPENSHIFT_DOCKER_TOKEN_PROD != "" && $CI_COMMIT_BRANCH == "master"'
variables:
DOCKER_REGISTRY: "${OPENSHIFT_DOCKER_REGISTRY_PROD}"
DOCKER_TOKEN: "${OPENSHIFT_DOCKER_TOKEN_PROD}"
script:
- echo "{\"auths\":{\"$DOCKER_REGISTRY\":{\"auth\":\"$DOCKER_TOKEN\"}}}" > /kaniko/.docker/config.json
- /kaniko/executor --context $CI_PROJECT_DIR/$DOCKER_CONTEXT_DIRECTORY --dockerfile $CI_PROJECT_DIR/$DOCKERFILE_DIRECTORY/Dockerfile --destination $DOCKER_REGISTRY/$IMAGE_NAME:latest
# Build and push images to the openshift instance, which automatically triggers an application re-deployment.
stage: deploy
rules:
- if: '$CI_COMMIT_BRANCH == "live/test-cara"'
variables:
IMAGE_TAG: test-cara-latest
- if: '$CI_COMMIT_BRANCH == "master"'
variables:
IMAGE_TAG: cara-latest
image:
# Based on guidance at https://gitlab.cern.ch/gitlabci-examples/build_docker_image.
name: gitlab-registry.cern.ch/ci-tools/docker-image-builder
entrypoint: [""]
script:
- echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
- echo "Building ${CI_REGISTRY_IMAGE}/${IMAGE_NAME}:latest Docker image..."
- /kaniko/executor --context ${CI_PROJECT_DIR}/${DOCKER_CONTEXT_DIRECTORY} --dockerfile ${CI_PROJECT_DIR}/${DOCKERFILE_DIRECTORY}/Dockerfile --destination ${CI_REGISTRY_IMAGE}/${IMAGE_NAME}:${IMAGE_TAG}
auth-service-image_builder:
@ -114,32 +119,69 @@ cara-webservice-image_builder:
DOCKER_CONTEXT_DIRECTORY: ""
trigger_build_on_openshift:
stage: deploy
rules:
- if: '$OPENSHIFT_BUILD_WEBHOOK_SECRET'
script:
- curl -X POST -k https://openshift.cern.ch:443/apis/build.openshift.io/v1/namespaces/cara/buildconfigs/cara-router/webhooks/${OPENSHIFT_BUILD_WEBHOOK_SECRET}/generic
deploy_to_test:
stage: deploy
rules:
- if: '$CI_COMMIT_BRANCH == "live/test-cara" && $OPENSHIFT_TEST_BUILD_WEBHOOK_SECRET'
script:
- curl -X POST -k https://api.paas.okd.cern.ch/apis/build.openshift.io/v1/namespaces/test-cara/buildconfigs/cara-router/webhooks/${OPENSHIFT_TEST_BUILD_WEBHOOK_SECRET}/generic
oci_calculator:
# A convenient way for users to run the CARA calculator.
extends:
- .image_builder
variables:
IMAGE_NAME: calculator
DOCKERFILE_DIRECTORY: app-config/cara-public-docker-image
DOCKER_CONTEXT_DIRECTORY: ""
# ###################################################################################################
# Link build Docker images OpenShift <-> GitLab registry
.link_docker_images_with_gitlab_registry:
stage: deploy
image: gitlab-registry.cern.ch/paas-tools/openshift-client:latest
rules:
- if: '$CI_COMMIT_BRANCH == "live/test-cara"'
variables:
OC_SERVER: "https://api.paas.okd.cern.ch"
OC_PROJECT: "test-cara"
OC_TOKEN: ${OPENSHIFT_CARA_TEST_DEPLOY_TOKEN}
- if: '$CI_COMMIT_BRANCH == "master"'
variables:
OC_SERVER: "https://openshift.cern.ch"
OC_PROJECT: "cara"
OC_TOKEN: ${OPENSHIFT_CARA_DEPLOY_TOKEN}
script:
- oc tag --source=docker ${CI_REGISTRY_IMAGE}/${IMAGE_NAME}:latest ${IMAGE_NAME}:latest --token ${OC_TOKEN} --server=${OC_SERVER} -n ${OC_PROJECT}
link_auth-service_with_gitlab_registry:
extends:
- .link_docker_images_with_gitlab_registry
variables:
IMAGE_NAME: auth-service
link_cara-webservice_with_gitlab_registry:
extends:
- .link_docker_images_with_gitlab_registry
variables:
IMAGE_NAME: cara-webservice
link_calculator_with_gitlab_registry:
extends:
- .link_docker_images_with_gitlab_registry
variables:
IMAGE_NAME: calculator
# ###################################################################################################
# Trigger build of CARA router on OpenShift
trigger_cara-router_build_on_openshift:
stage: deploy
rules:
# Only run if branch is master (the default branch).
- if: $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH
image:
name: gitlab-registry.cern.ch/ci-tools/docker-image-builder
entrypoint: [""]
- if: '$CI_COMMIT_BRANCH == "live/test-cara"'
variables:
OC_SERVER: "https://api.paas.okd.cern.ch"
OC_PROJECT: "test-cara"
BUILD_WEBHOOK_SECRET: ${OPENSHIFT_TEST_BUILD_WEBHOOK_SECRET}
- if: '$CI_COMMIT_BRANCH == "master"'
variables:
OC_SERVER: "https://openshift.cern.ch"
OC_PROJECT: "cara"
BUILD_WEBHOOK_SECRET: ${OPENSHIFT_BUILD_WEBHOOK_SECRET}
script:
- echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
- /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/app-config/cara-public-docker-image/Dockerfile --destination $CI_REGISTRY_IMAGE/calculator:latest
- curl -X POST -k ${OC_SERVER}/apis/build.openshift.io/v1/namespaces/${OC_PROJECT}/buildconfigs/cara-router/webhooks/${BUILD_WEBHOOK_SECRET}/generic
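Review bot: The `curl -X POST -k` call in `trigger_cara-router_build_on_openshift` still disables TLS certificate verification while carrying `${BUILD_WEBHOOK_SECRET}` in the URL path, so the secret is sent to whatever host answers for `${OC_SERVER}`. Drop `-k` (or pass the site CA with `--cacert`) and add `--fail` so a rejected webhook fails the job: `- curl --fail -X POST ${OC_SERVER}/apis/build.openshift.io/v1/namespaces/${OC_PROJECT}/buildconfigs/cara-router/webhooks/${BUILD_WEBHOOK_SECRET}/generic`. The rule for `live/test-cara` reads `OPENSHIFT_TEST_BUILD_WEBHOOK_SECRET`, while the README section of this commit tells operators to create `OPENSHIFT_CARA_TEST_WEBHOOK_SECRET`; if the variable is created under the README's name the URL is built with an empty secret, so one of the two names should change. The `--token ${OC_TOKEN}` argument of `oc tag` in `.link_docker_images_with_gitlab_registry` is likewise worth a check that the CI variables are masked and protected, which is not visible from here.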


@ -175,7 +175,7 @@ but it may be origin if you haven't configured it differently):
First, get the [oc](https://docs.okd.io/3.11/cli_reference/get_started_cli.html) client and then login:
```console
$ oc login https://openshift-dev.cern.ch
$ oc login https://api.paas.okd.cern.ch
```
Then, switch to the project that you want to update:
@ -197,6 +197,23 @@ $ oc process -f buildconfig.yaml --param GIT_BRANCH='live/test-cara' | oc create
$ oc process -f deploymentconfig.yaml --param PROJECT_NAME='test-cara' | oc create -f -
```
Create a new service account in OpenShift to use GitLab container registry:
```console
$ oc project test-cara
$ oc create serviceaccount gitlabci-deployer
serviceaccount "gitlabci-deployer" created
$ oc policy add-role-to-user registry-editor -z gitlabci-deployer
# We will refer to the output of this command as `test-token`
$ oc serviceaccounts get-token gitlabci-deployer
<...test-token...>
```
Add the token to GitLab to allow GitLab to access OpenShift and define/change image stream tags. Go to `Settings` -> `CI / CD` -> `Variables` -> click on `Expand` button and create the variable `OPENSHIFT_CARA_TEST_DEPLOY_TOKEN`: insert the token `<...test-token...>`.
Then, create the webhook secret to be able to trigger automatic builds from GitLab.
Create and store the secret. Copy the secret above and add it to the GitLab project under `CI /CD` -> `Variables` with the name `OPENSHIFT_CARA_TEST_WEBHOOK_SECRET`.


@ -1,4 +1,4 @@
FROM condaforge/mambaforge as conda
FROM registry.cern.ch/docker.io/condaforge/mambaforge as conda
RUN mamba create --yes -p /opt/app python=3.9
COPY . /opt/app-source
@ -17,7 +17,7 @@ RUN cd /opt/app \
&& find /opt/app/lib -name '*.pyx' -delete \
;
FROM debian
FROM registry.cern.ch/docker.io/library/debian
COPY --from=conda /opt/app /opt/app
CMD [ \
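Review bot: Both `FROM` lines now pull through the `registry.cern.ch/docker.io` mirror but still name no tag or digest, so each build takes whatever `condaforge/mambaforge` and `library/debian` currently resolve to, and two builds of the same commit can differ. Pin them, for example `FROM registry.cern.ch/docker.io/library/debian:<tag>@sha256:<digest>` (placeholders; take the real values from the mirror), and refresh the pin deliberately. The same applies to the other Dockerfile in this commit that uses the `mambaforge`/`debian` pair, and `python:3.9` in the third one is tagged but not digest-pinned. The Dockerfile continues past the `CMD [` line shown here.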


@ -1,4 +1,4 @@
FROM python:3.9
FROM registry.cern.ch/docker.io/library/python:3.9
# Copy just the requirements.txt initially, allowing Docker effectively to cache the build (good for dev).
COPY ./requirements.txt /tmp/requirements.txt


@ -1,4 +1,4 @@
FROM condaforge/mambaforge as conda
FROM registry.cern.ch/docker.io/condaforge/mambaforge as conda
RUN mamba create --yes -p /opt/app python=3.9
COPY . /opt/app-source
@ -18,7 +18,7 @@ RUN cd /opt/app \
&& find /opt/app/lib -name '*.pyx' -delete \
;
FROM debian
FROM registry.cern.ch/docker.io/library/debian
COPY --from=conda /opt/app /opt/app
ENV PATH=/opt/app/bin/:$PATH


@ -1,6 +1,6 @@
---
kind: "Template"
apiVersion: "v1"
apiVersion: template.openshift.io/v1
metadata:
name: "cara-application"
creationTimestamp: null
@ -12,7 +12,7 @@
objects:
-
kind: BuildConfig
apiVersion: v1
apiVersion: build.openshift.io/v1
metadata:
name: cara-router
labels:


@ -32,12 +32,23 @@ def get_oc_server() -> typing.Optional[str]:
], check=True, stdout=subprocess.PIPE).stdout.decode().strip()
def fetch_config(output_directory: pathlib.Path):
def fetch_config(output_directory: pathlib.Path, okd_version: int):
output_directory.mkdir(exist_ok=True, parents=True)
for component in ['routes', 'configmap', 'services', 'imagestreams', 'buildconfig', 'deploymentconfig']:
for component, name in [
('routes', None),
('configmap', 'auth-service'),
('services', None),
('imagestreams', None),
('buildconfig', None),
('deploymentconfig', None)]:
with (output_directory / f'{component}.yaml').open('wt') as fh:
cmd = ['oc', 'get', '--export', '-o', 'yaml', component]
cmdOKD4 = ['oc', 'get', '-o', 'yaml', component]
cmdOKD3 = ['oc', 'get', '--export', '-o', 'yaml', component]
cmd = cmdOKD4 if okd_version == 4 else cmdOKD3
if name:
cmd += [name]
print(f'Running: {" ".join(cmd)}')
subprocess.run(cmd, stdout=fh, check=True)
print(f'Config in: {output_directory.absolute()}')
@ -47,18 +58,20 @@ def handler(args: argparse.ArgumentParser) -> None:
if args.instance == 'cara':
login_server = 'https://openshift.cern.ch:443'
project_name = 'cara'
okd_version = 3
elif args.instance == 'test-cara':
login_server = 'https://openshift-dev.cern.ch:443'
login_server = 'https://api.paas.okd.cern.ch:443'
project_name = 'test-cara'
okd_version = 4
actual_login_server = get_oc_server()
if actual_login_server != login_server:
print(f'\nPlease login to the correct openshift server with: \n\n oc login {login_server}\n', file=sys.stderr)
print(f'\nPlease login to the correct OpenShift server with: \n\n oc login {login_server}\n', file=sys.stderr)
sys.exit(1)
subprocess.run(['oc', 'project', project_name], stdout=subprocess.DEVNULL, check=True)
fetch_config(pathlib.Path(args.output_directory))
fetch_config(pathlib.Path(args.output_directory), okd_version)
def main():
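Review bot: `fetch_config` treats every `okd_version` other than 4 as OKD 3 and silently adds `--export`, and `handler` only binds `okd_version` (like `login_server` and `project_name`) inside the two `if`/`elif` branches. A single command list with an explicit check reads more clearly and fails loudly: `cmd = ['oc', 'get', '-o', 'yaml', component]` followed by `if okd_version == 3: cmd.insert(2, '--export')`, with a `ValueError` for any other version. If argparse does not already restrict `args.instance` to the two names (the parser is outside this hunk), an `else` that exits with an error would avoid a `NameError` further down. A docstring on `fetch_config` should say that `okd_version` selects the `oc get` flags and that only the `auth-service` ConfigMap is exported, so other ConfigMaps are no longer part of the drift comparison.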


@ -17,7 +17,7 @@ def configure_parser(parser: argparse.ArgumentParser) -> None:
)
def generate_config(output_directory: pathlib.Path, project_name: str, hostname: str, branch: str):
def generate_config(output_directory: pathlib.Path, project_name: str, image_tag_name: str, hostname: str, branch: str):
output_directory.mkdir(exist_ok=True, parents=True)
def oc_process(component_name: str, context: typing.Optional[dict] = None):
@ -33,7 +33,7 @@ def generate_config(output_directory: pathlib.Path, project_name: str, hostname:
oc_process('services')
oc_process('imagestreams')
oc_process('buildconfig', context={'GIT_BRANCH': branch})
oc_process('deploymentconfig', context={'PROJECT_NAME': project_name})
oc_process('deploymentconfig', context={'PROJECT_NAME': project_name, 'IMAGE_TAG_NAME': image_tag_name})
print(f'Config in: {output_directory.absolute()}')
@ -41,14 +41,16 @@ def generate_config(output_directory: pathlib.Path, project_name: str, hostname:
def handler(args: argparse.ArgumentParser) -> None:
if args.instance == 'cara':
project_name = 'cara'
image_tag_name = 'cara-latest'
branch = 'master'
hostname = 'cara.web.cern.ch'
elif args.instance == 'test-cara':
branch = 'live/test-cara'
project_name = 'test-cara'
image_tag_name = 'test-cara-latest'
branch = 'live/test-cara'
hostname = 'test-cara.web.cern.ch'
generate_config(pathlib.Path(args.output_directory), project_name, hostname, branch)
generate_config(pathlib.Path(args.output_directory), project_name, image_tag_name, hostname, branch)
def main():
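Review bot: `image_tag_name` is inserted in the middle of four positional `str` parameters of `generate_config`, so an argument-order slip between it, `hostname` and `branch` would not be caught by the type hints. Calling with keywords keeps the one visible call site unambiguous: `generate_config(pathlib.Path(args.output_directory), project_name=project_name, image_tag_name=image_tag_name, hostname=hostname, branch=branch)`. The tag values `'cara-latest'` and `'test-cara-latest'` duplicate `IMAGE_TAG` in the CI file, so a comment on `handler` saying they must stay in sync would help.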


@ -22,8 +22,9 @@ def clean_ephemeral_config(config: dict):
config.get('metadata', []).clear()
METADATA_TO_PRESERVE = ['labels', 'name']
CERN_OKD4_METADATA_LABELS = ['migration.openshift.io', 'velero.io']
for item in config['items']:
for item in config.get('items', {}):
item.pop('status', None)
for key in list(item['metadata'].keys()):
@ -31,10 +32,14 @@ def clean_ephemeral_config(config: dict):
del item['metadata'][key]
item.get('spec', {}).pop('clusterIP', None)
item.get('spec', {}).pop('clusterIPs', None)
item.get('spec', {}).pop('revisionHistoryLimit', None)
if item['kind'] == 'BuildConfig':
for trigger in item.get('spec', {}).get('triggers', []):
trigger.get('imageChange', {}).pop('lastTriggeredImageID', None)
item.get('spec', {}).pop('failedBuildsHistoryLimit', None)
item.get('spec', {}).pop('successfulBuildsHistoryLimit', None)
if item['kind'] == 'DeploymentConfig':
item['spec'].get('template', {}).get('metadata', {}).pop('creationTimestamp', None)
@ -46,6 +51,11 @@ def clean_ephemeral_config(config: dict):
for trigger in item['spec'].get('triggers', []):
trigger.get('imageChangeParams', {}).pop('lastTriggeredImage', None)
for label in list(item['metadata'].get('labels', {}).keys()):
for prefix in CERN_OKD4_METADATA_LABELS:
if label.startswith(prefix):
item['metadata']['labels'].pop(label)
# Drop the template part of the config for now.
# TODO: Remove this constraint to ensure our deployments reflect the fact that they are templated.
r = item['metadata'].get('labels', {}).pop('template', None)
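Review bot: `config.get('items', {})` defaults to a dict where the loop expects a list of items; `[]` states the intent, and a short comment should say when `items` is absent (presumably the single-object output of `oc get configmap auth-service` — to be confirmed), because in that case none of the per-item clean-up below runs. The label filter can use the tuple form of `startswith`, which also avoids calling `pop` a second time on a label that matches two prefixes: `if label.startswith(tuple(CERN_OKD4_METADATA_LABELS)): item['metadata']['labels'].pop(label)`. `clean_ephemeral_config` starts before and continues past the lines shown.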


@ -1,6 +1,6 @@
---
kind: "Template"
apiVersion: "v1"
apiVersion: template.openshift.io/v1
metadata:
name: "cara-configuration"
annotations:


@ -1,6 +1,6 @@
---
kind: "Template"
apiVersion: "v1"
apiVersion: template.openshift.io/v1
metadata:
name: "cara-application"
annotations:
@ -10,7 +10,7 @@
template: "cara-application"
objects:
-
apiVersion: v1
apiVersion: apps.openshift.io/v1
kind: DeploymentConfig
metadata:
name: auth-service
@ -66,10 +66,10 @@
- auth-service
from:
kind: ImageStreamTag
name: 'auth-service:latest'
name: 'auth-service:${IMAGE_TAG_NAME}'
namespace: ${PROJECT_NAME}
-
apiVersion: v1
apiVersion: apps.openshift.io/v1
kind: DeploymentConfig
metadata:
name: cara-app
@ -123,10 +123,10 @@
- cara-webservice
from:
kind: ImageStreamTag
name: 'cara-webservice:latest'
name: 'cara-webservice:${IMAGE_TAG_NAME}'
namespace: ${PROJECT_NAME}
-
apiVersion: v1
apiVersion: apps.openshift.io/v1
kind: DeploymentConfig
metadata:
name: cara-router
@ -179,7 +179,7 @@
namespace: ${PROJECT_NAME}
- type: ConfigChange
-
apiVersion: v1
apiVersion: apps.openshift.io/v1
kind: DeploymentConfig
metadata:
name: cara-webservice
@ -259,11 +259,11 @@
- cara-webservice
from:
kind: ImageStreamTag
name: 'cara-webservice:latest'
name: 'cara-webservice:${IMAGE_TAG_NAME}'
namespace: ${PROJECT_NAME}
- type: ConfigChange
-
apiVersion: v1
apiVersion: apps.openshift.io/v1
kind: DeploymentConfig
metadata:
name: cara-calculator-open
@ -319,7 +319,7 @@
- cara-calculator-open
from:
kind: ImageStreamTag
name: 'cara-webservice:latest'
name: 'cara-webservice:${IMAGE_TAG_NAME}'
namespace: ${PROJECT_NAME}
- type: ConfigChange
@ -327,3 +327,6 @@
- name: PROJECT_NAME
description: The name of this project, e.g. test-cara
required: true
- name: IMAGE_TAG_NAME
description: The image tag name, e.g. cara-latest or cara-test-latest
required: true
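Review bot: The image-change triggers now watch `auth-service:${IMAGE_TAG_NAME}` and `cara-webservice:${IMAGE_TAG_NAME}`, but the `.link_docker_images_with_gitlab_registry` job in this commit's CI file runs `oc tag --source=docker ${CI_REGISTRY_IMAGE}/${IMAGE_NAME}:latest ${IMAGE_NAME}:latest`, while kaniko pushes `:${IMAGE_TAG}`. Unless the image streams map the tags elsewhere, the tag these DeploymentConfigs follow is never updated and a rollout could keep serving an older image; the link job probably wants `${IMAGE_NAME}:${IMAGE_TAG}` on both sides, with `IMAGE_TAG` added to that job's rule variables. The parameter description also gives `cara-test-latest` as an example where the scripts and CI use `test-cara-latest`: `description: The image tag name, e.g. cara-latest or test-cara-latest`.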


@ -1,6 +1,6 @@
---
kind: "Template"
apiVersion: "v1"
apiVersion: template.openshift.io/v1
metadata:
name: "cara-imagestreams"
creationTimestamp: null
@ -12,7 +12,7 @@
objects:
-
kind: ImageStream
apiVersion: v1
apiVersion: image.openshift.io/v1
metadata:
name: auth-service
spec:
@ -20,7 +20,7 @@
local: False
-
kind: ImageStream
apiVersion: v1
apiVersion: image.openshift.io/v1
metadata:
name: cara-router
spec:
@ -28,7 +28,7 @@
local: False
-
kind: ImageStream
apiVersion: v1
apiVersion: image.openshift.io/v1
metadata:
name: cara-webservice
spec:


@ -1,6 +1,6 @@
---
kind: "Template"
apiVersion: "v1"
apiVersion: template.openshift.io/v1
metadata:
name: "cara-route"
creationTimestamp: null
@ -11,7 +11,7 @@
template: "cara-route"
objects:
-
apiVersion: v1
apiVersion: route.openshift.io/v1
kind: Route
metadata:
name: cara-route


@ -1,6 +1,6 @@
---
kind: "Template"
apiVersion: "v1"
apiVersion: template.openshift.io/v1
metadata:
name: "cara-services"
creationTimestamp: null