From 91ea826060c00a5bcd6d9d2f69c88513ba9ae14c Mon Sep 17 00:00:00 2001 From: Phil Elson Date: Wed, 14 Jul 2021 15:48:34 +0200 Subject: [PATCH] Add a CI job to validate the test-cara instance. --- .gitlab-ci.yml | 36 ++++++++++++-- README.md | 11 +++++ app-config/openshift/fetch-config.py | 73 ++++++++++++++++++++++++++++ 3 files changed, 115 insertions(+), 5 deletions(-) create mode 100644 app-config/openshift/fetch-config.py diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index b48c9521..a465101f 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -10,14 +10,39 @@ variables: PY_VERSION: "3.6" # This is what we have running in OpenShift currently. -# A full installation of CARA, tested with pytest. -test_install: - extends: .acc_py_full_test +## A full installation of CARA, tested with pytest. +#test_install: +# extends: .acc_py_full_test +# +# +## A development installation of CARA tested with pytest. +#test_dev: +# extends: .acc_py_dev_test # A development installation of CARA tested with pytest. -test_dev: - extends: .acc_py_dev_test +test_openshift_config: + rules: + - if: '$OPENSHIFT_CONFIG_CHECKER_TOKEN_TEST_CARA' + image: registry.cern.ch/docker.io/mambaorg/micromamba + before_script: + - micromamba create --yes -p $HOME/env python=3.9 wget -c conda-forge + - export PATH=$HOME/env/bin/:$PATH + - wget https://github.com/openshift/origin/releases/download/v3.11.0/openshift-origin-client-tools-v3.11.0-0cbc58b-linux-64bit.tar.gz + - tar xzf ./openshift-origin-client-tools-v3.11.0-0cbc58b-linux-64bit.tar.gz + - mv openshift-origin-client-tools-v3.11.0-0cbc58b-linux-64bit/oc $HOME/env/bin/ + + script: + - cd ./app-config/openshift + - oc login openshift-dev.cern.ch --token="${OPENSHIFT_CONFIG_CHECKER_TOKEN_TEST_CARA}" + - python ./fetch-config.py test-cara --output-directory ./test-cara/actual +# - python ./build_config.py test-cara + +# - pytest ./test_config.py --arg test-cara + artifacts: + paths: + - ./app-config/openshift/test-cara/actual +# - ./app-config/openshift/test-cara/expected # A development installation of CARA tested with pytest. @@ -86,3 +111,4 @@ oci_calculator: script: - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination $CI_REGISTRY_IMAGE/calculator:latest + diff --git a/README.md b/README.md index 692c3ae6..08a7ca8b 100644 --- a/README.md +++ b/README.md @@ -211,6 +211,17 @@ $ oc create secret generic \ gitlab-cara-webhook-secret ``` +For CI usage, we also suggest creating a service account: + +```console +oc create sa gitlab-config-checker +``` + +Under ``Resources`` -> ``Membership`` enable the ``View`` role for this new service account. + +To get this new user's authentication token go to ``Resources`` -> ``Secrets`` and locate the token in the newly +created secret associated with the user (in this case ``gitlab-config-checker-token-XXXX``). + ### CERN SSO integration The SSO integration uses OpenID credentials configured in [CERN Applications portal](https://application-portal.web.cern.ch/). diff --git a/app-config/openshift/fetch-config.py b/app-config/openshift/fetch-config.py new file mode 100644 index 00000000..92ee8fbb --- /dev/null +++ b/app-config/openshift/fetch-config.py @@ -0,0 +1,73 @@ +import argparse +import pathlib +import subprocess +import sys +import typing + + +def configure_parser(parser: argparse.ArgumentParser) -> None: + parser.description = "Fetch the openshift config for CARA" + parser.set_defaults(handler=handler) + parser.add_argument( + "instance", choices=['cara', 'test-cara'], + help="Pick the instance for which you want to generated the config", + ) + parser.add_argument( + "--output-directory", default='config', + help="Location to put the config files", + ) + + +def get_oc_server() -> typing.Optional[str]: + # Return the openshift server that is currently logged in, or None if not logged in + # (or other issues getting the information from the oc client). + try: + subprocess.check_output(['oc', 'whoami'], stderr=subprocess.PIPE) + except subprocess.CalledProcessError: + # User not logged on, or oc command missing. + return None + + return subprocess.run([ + 'oc', 'whoami', '--show-server' + ], check=True, stdout=subprocess.PIPE).stdout.decode().strip() + + +def fetch_config(output_directory: pathlib.Path): + output_directory.mkdir(exist_ok=True, parents=True) + + for component in ['routes', 'configmap', 'services', 'imagestreams', 'buildconfig', 'deploymentconfig']: + with (output_directory / f'{component}.json').open('wt') as fh: + cmd = ['oc', 'get', '--export', '-o', 'json', component] + print(f'Running: {" ".join(cmd)}') + subprocess.run(['oc', 'get', '--export', '-o', 'json', component], stdout=fh, check=True) + print(f'Config in: {output_directory.absolute()}') + + +def handler(args: argparse.ArgumentParser) -> None: + if args.instance == 'cara': + login_server = 'https://openshift.cern.ch:443' + project_name = 'cara' + elif args.instance == 'test-cara': + login_server = 'https://openshift-dev.cern.ch:443' + project_name = 'test-cara' + + actual_login_server = get_oc_server() + if actual_login_server != login_server: + print(actual_login_server) + print(f'\nPlease login to the correct openshift server with: \n\n oc login {login_server}\n', file=sys.stderr) + sys.exit(1) + + subprocess.run(['oc', 'project', project_name], stdout=subprocess.DEVNULL, check=True) + + fetch_config(pathlib.Path(args.output_directory)) + + +def main(): + parser = argparse.ArgumentParser() + configure_parser(parser) + args = parser.parse_args() + args.handler(args) + + +if __name__ == '__main__': + main()