Adding Alibaba platform to CI

OWNERS_ALIASES

@@ -125,3 +125,16 @@ aliases:
   - jeffnowicki
   - srcarrier
   - staebler
+  alibaba-approvers
+  - kwoodson
+  - jcpowermac
+  - fabianofranz
+  - rvanderp3
+  - mtulio
+  alibaba-reviewers
+  - kwoodson
+  - jcpowermac
+  - fabianofranz
+  - rvanderp3
+  - mtulio
+

ci-operator/config/openshift/installer/openshift-installer-master.yaml

@@ -206,6 +206,10 @@ tests:
   steps:
     cluster_profile: gcp
     workflow: openshift-e2e-gcp
+- as: e2e-alibaba
+  steps:
+    cluster_profile: alibabacloud
+    workflow: openshift-e2e-alibabacloud
 - as: e2e-gcp-shared-vpc
   optional: true
   steps:

ci-operator/jobs/openshift/installer/openshift-installer-master-presubmits.yaml

@@ -1,5 +1,77 @@
 presubmits:
   openshift/installer:
+  - agent: kubernetes
+    always_run: true
+    branches:
+    - ^master$
+    - ^master-
+    cluster: build02
+    context: ci/prow/e2e-alibaba
+    decorate: true
+    labels:
+      ci-operator.openshift.io/cloud: alibabacloud
+      ci-operator.openshift.io/cloud-cluster-profile: alibabacloud
+      ci.openshift.io/generator: prowgen
+      pj-rehearse.openshift.io/can-be-rehearsed: "true"
+    name: pull-ci-openshift-installer-master-e2e-alibaba
+    rerun_command: /test e2e-alibaba
+    spec:
+      containers:
+      - args:
+        - --gcs-upload-secret=/secrets/gcs/service-account.json
+        - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+        - --lease-server-credentials-file=/etc/boskos/credentials
+        - --report-credentials-file=/etc/report/credentials
+        - --secret-dir=/secrets/ci-pull-credentials
+        - --secret-dir=/usr/local/e2e-alibaba-cluster-profile
+        - --target=e2e-alibaba
+        command:
+        - ci-operator
+        image: ci-operator:latest
+        imagePullPolicy: Always
+        name: ""
+        resources:
+          requests:
+            cpu: 10m
+        volumeMounts:
+        - mountPath: /etc/boskos
+          name: boskos
+          readOnly: true
+        - mountPath: /secrets/ci-pull-credentials
+          name: ci-pull-credentials
+          readOnly: true
+        - mountPath: /usr/local/e2e-alibaba-cluster-profile
+          name: cluster-profile
+        - mountPath: /secrets/gcs
+          name: gcs-credentials
+          readOnly: true
+        - mountPath: /etc/pull-secret
+          name: pull-secret
+          readOnly: true
+        - mountPath: /etc/report
+          name: result-aggregator
+          readOnly: true
+      serviceAccountName: ci-operator
+      volumes:
+      - name: boskos
+        secret:
+          items:
+          - key: credentials
+            path: credentials
+          secretName: boskos-credentials
+      - name: ci-pull-credentials
+        secret:
+          secretName: ci-pull-credentials
+      - name: cluster-profile
+        secret:
+          secretName: cluster-secrets-alibabacloud
+      - name: pull-secret
+        secret:
+          secretName: registry-pull-credentials
+      - name: result-aggregator
+        secret:
+          secretName: result-aggregator
+    trigger: (?m)^/test( | .* )e2e-alibaba,?($|\s.*)
   - agent: kubernetes
     always_run: false
     branches:

ci-operator/step-registry/gather/alibabacloud-console/OWNERS

@@ -0,0 +1,4 @@
+approvers:
+- alibaba-approvers
+reviewers:
+- alibaba-reviewers

ci-operator/step-registry/gather/alibabacloud-console/gather-alibabacloud-console-commands.sh

@@ -0,0 +1,53 @@
+#!/bin/bash
+
+set -o nounset
+set -o errexit
+set -o pipefail
+
+trap 'CHILDREN=$(jobs -p); if test -n "${CHILDREN}"; then kill ${CHILDREN} && wait; fi' TERM
+
+
+
+if test -f "${KUBECONFIG}"
+then
+	oc --request-timeout=5s get nodes -o jsonpath --template '{range .items[*]}{.spec.providerID}{"\n"}{end}' | sed 's|.*/||' > "${TMPDIR}/node-provider-IDs.txt" &
+	wait "$!"
+
+	oc --request-timeout=5s -n openshift-machine-api get machines -o jsonpath --template '{range .items[*]}{.spec.providerID}{"\n"}{end}' | sed 's|.*/||' >> "${TMPDIR}/node-provider-IDs.txt" &
+	wait "$!"
+else
+	echo "No kubeconfig; skipping providerID extraction."
+fi
+
+if test -s "${SHARED_DIR}/alibaba-instance-ids.txt"
+then
+	cat "${SHARED_DIR}/alibaba-instance-ids.txt" >> "${TMPDIR}/node-provider-IDs.txt"
+else
+	echo "No alibaba-instance-ids.txt; skipping console log retrieval."
+fi
+
+if test ! -s "${TMPDIR}/node-provider-IDs.txt"
+then
+    echo "No node-provider-IDs found. Exiting."
+	exit 0
+fi
+
+pushd /tmp
+
+export ALIBABA_CLI_CREDENTIALS_FILE="${SHARED_DIR}/config"
+
+wget https://aliyuncli.alicdn.com/aliyun-cli-linux-latest-amd64.tgz -O aliyun-cli.tgz
+tar zxvf aliyun-cli.tgz
+popd
+
+/tmp/aliyun version
+
+echo "Settting --config-path=${ALIBABA_CLI_CREDENTIALS_FILE} and --region=${LEASED_RESOURCE}"
+/tmp/aliyun --config-path "${ALIBABA_CLI_CREDENTIALS_FILE}" configure set --region "${LEASED_RESOURCE}"
+
+cat "${TMPDIR}/node-provider-IDs.txt" | sort | grep . | uniq | while read -r INSTANCE_ID
+do
+	echo "Gathering console logs for ${INSTANCE_ID}"
+        /tmp/aliyun --config-path "${ALIBABA_CLI_CREDENTIALS_FILE}" ecs GetInstanceConsoleOutput --RegionId "${LEASED_RESOURCE}" --InstanceId "$INSTANCE_ID" | jq -r '.ConsoleOutput' | base64 -d > "${ARTIFACT_DIR}/${INSTANCE_ID}" &
+	wait "$!"
+done

ci-operator/step-registry/gather/alibabacloud-console/gather-alibabacloud-console-ref.metadata.json

@@ -0,0 +1,11 @@
+{
+	"path": "gather/alibabacloud-console/gather-alibabacloud-console-ref.yaml",
+	"owners": {
+		"approvers": [
+			"alibaba-approvers"
+		],
+		"reviewers": [
+			"alibaba-reviewers"
+		]
+	}
+}

ci-operator/step-registry/gather/alibabacloud-console/gather-alibabacloud-console-ref.yaml

@@ -0,0 +1,20 @@
+ref:
+  as: gather-alibabacloud-console
+  optional_on_success: true
+  from: tools
+  grace_period: 10m
+  commands: gather-alibabacloud-console-commands.sh
+  env:
+  - name: TMPDIR
+    default: /tmp
+    documentation: A pathname of a directory made available for programs that need a place to create temporary files.
+  resources:
+    requests:
+      cpu: 300m
+      memory: 300Mi
+  credentials:
+  - namespace: test-credentials
+    name: alibabaconfig
+    mount_path: /var/run/vault/alibaba
+  documentation: |-
+    The pre-deprovision artifacts step collects console logs from Alibaba instances.  It gathers console logs for all nodes and machines with a provider ID, as well as any instance IDs listed in ${SHARED_DIR}/alibaba-instance-ids.txt.  alibaba-instance-ids.txt entries should have a single provider ID per line.  Duplicate entries are ok; the step deduplicates before gathering.

ci-operator/step-registry/ipi/alibabacloud/OWNERS

@@ -0,0 +1,4 @@
+approvers:
+- alibaba-approvers
+reviewers:
+- alibaba-reviewers

ci-operator/step-registry/ipi/alibabacloud/ipi-alibabacloud-workflow.metadata.json

@@ -0,0 +1,11 @@
+{
+	"path": "ipi/alibabacloud/ipi-alibabacloud-workflow.yaml",
+	"owners": {
+		"approvers": [
+			"alibaba-approvers"
+		],
+		"reviewers": [
+			"alibaba-reviewers"
+		]
+	}
+}

ci-operator/step-registry/ipi/alibabacloud/ipi-alibabacloud-workflow.yaml

@@ -0,0 +1,15 @@
+workflow:
+  as: ipi-alibabacloud
+  steps:
+    pre:
+    - chain: ipi-alibabacloud-pre
+    post:
+    - chain: ipi-alibabacloud-post
+  documentation: |-
+    The IPI workflow provides pre- and post- steps that provision and
+    deprovision an OpenShift cluster with a default configuration on Alibaba,
+    allowing job authors to inject their own end-to-end test logic.
+
+    All modifications to this workflow should be done by modifying the
+    `ipi-alibabacloud-{pre,post}` chains to allow other workflows to mimic and extend
+    this base workflow without a need to backport changes.

ci-operator/step-registry/ipi/alibabacloud/post/OWNERS

@@ -0,0 +1 @@
+../OWNERS

ci-operator/step-registry/ipi/alibabacloud/post/ipi-alibabacloud-post-chain.metadata.json

@@ -0,0 +1,11 @@
+{
+	"path": "ipi/alibabacloud/post/ipi-alibabacloud-post-chain.yaml",
+	"owners": {
+		"approvers": [
+			"alibaba-approvers"
+		],
+		"reviewers": [
+			"alibaba-reviewers"
+		]
+	}
+}

ci-operator/step-registry/ipi/alibabacloud/post/ipi-alibabacloud-post-chain.yaml

@@ -0,0 +1,8 @@
+chain:
+  as: ipi-alibabacloud-post
+  steps:
+  - ref: gather-alibabacloud-console
+  - chain: ipi-deprovision
+  - ref: ipi-conf-alibabacloud-cloud-creds-deprovision
+  documentation: |-
+    The IPI cleanup step contains all steps that gather and deprovision an OpenShift cluster on Alibaba, provisioned by the `ipi-alibabacloud-pre` chain.

ci-operator/step-registry/ipi/alibabacloud/pre/OWNERS

@@ -0,0 +1 @@
+../OWNERS

ci-operator/step-registry/ipi/alibabacloud/pre/ipi-alibabacloud-pre-chain.metadata.json

@@ -0,0 +1,11 @@
+{
+	"path": "ipi/alibabacloud/pre/ipi-alibabacloud-pre-chain.yaml",
+	"owners": {
+		"approvers": [
+			"alibaba-approvers"
+		],
+		"reviewers": [
+			"alibaba-reviewers"
+		]
+	}
+}

ci-operator/step-registry/ipi/alibabacloud/pre/ipi-alibabacloud-pre-chain.yaml

@@ -0,0 +1,9 @@
+chain:
+  as: ipi-alibabacloud-pre
+  steps:
+  - chain: ipi-conf-alibabacloud
+  - ref: ipi-conf-alibabacloud-cloud-creds-provision
+  - chain: ipi-install
+  documentation: |-
+    The IPI setup step contains all steps that provision an OpenShift cluster
+    with a default configuration on Alibaba.

ci-operator/step-registry/ipi/alibabacloud/pre/stableinitial/OWNERS

@@ -0,0 +1 @@
+../OWNERS

ci-operator/step-registry/ipi/alibabacloud/pre/stableinitial/ipi-alibabacloud-pre-stableinitial-chain.metadata.json

@@ -0,0 +1,11 @@
+{
+	"path": "ipi/alibabacloud/pre/stableinitial/ipi-alibabacloud-pre-stableinitial-chain.yaml",
+	"owners": {
+		"approvers": [
+			"alibaba-approvers"
+		],
+		"reviewers": [
+			"alibaba-reviewers"
+		]
+	}
+}

ci-operator/step-registry/ipi/alibabacloud/pre/stableinitial/ipi-alibabacloud-pre-stableinitial-chain.yaml

@@ -0,0 +1,10 @@
+chain:
+  as: ipi-alibabacloud-pre-stableinitial
+  steps:
+  - chain: ipi-conf-alibabacloud
+  - ref: ipi-conf-alibabacloud-cloud-creds-provision
+  - chain: ipi-install-stableinitial
+  documentation: |-
+    The IPI setup step contains all steps that provision an OpenShift cluster
+    from stable-initial imagestream with a default configuration on Alibaba.
+

ci-operator/step-registry/ipi/conf/alibabacloud/OWNERS

@@ -0,0 +1,4 @@
+approvers:
+- alibaba-approvers
+reviewers:
+- alibaba-reviewers

ci-operator/step-registry/ipi/conf/alibabacloud/cloud-creds-deprovision/OWNERS

@@ -0,0 +1 @@
+../OWNERS

ci-operator/step-registry/ipi/conf/alibabacloud/cloud-creds-deprovision/ipi-conf-alibabacloud-cloud-creds-deprovision-commands.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -o nounset
+set -o errexit
+set -o pipefail
+
+export ALIBABA_CLOUD_CREDENTIALS_FILE=${SHARED_DIR}/alibabacreds.ini
+cluster_id="${NAMESPACE}-${JOB_NAME_HASH}"
+
+# extract ccoctl from the release image
+CCO_IMAGE=$(oc adm release info --image-for='cloud-credential-operator' "${RELEASE_IMAGE_LATEST}")
+cd "/tmp"
+oc image extract "${CCO_IMAGE}" --file="/usr/bin/ccoctl"
+chmod 555 "/tmp/ccoctl"
+
+# delete credentials infrastructure created by cloud-creds-provision configure step
+"/tmp/ccoctl" alibabacloud \
+  delete-ram-users \
+  --name="${cluster_id}"

ci-operator/step-registry/ipi/conf/alibabacloud/cloud-creds-deprovision/ipi-conf-alibabacloud-cloud-creds-deprovision-ref.metadata.json

@@ -0,0 +1,11 @@
+{
+	"path": "ipi/conf/alibabacloud/cloud-creds-deprovision/ipi-conf-alibabacloud-cloud-creds-deprovision-ref.yaml",
+	"owners": {
+		"approvers": [
+			"alibaba-approvers"
+		],
+		"reviewers": [
+			"alibaba-reviewers"
+		]
+	}
+}

ci-operator/step-registry/ipi/conf/alibabacloud/cloud-creds-deprovision/ipi-conf-alibabacloud-cloud-creds-deprovision-ref.yaml

@@ -0,0 +1,9 @@
+ref:
+  as: ipi-conf-alibabacloud-cloud-creds-deprovision
+  from: cli
+  commands: ipi-conf-alibabacloud-cloud-creds-deprovision-commands.sh
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+  documentation: The IPI cloud-creds-deprovision configure step adds a step that removes cloud access keys

ci-operator/step-registry/ipi/conf/alibabacloud/cloud-creds-provision/OWNERS

@@ -0,0 +1 @@
+../OWNERS

ci-operator/step-registry/ipi/conf/alibabacloud/cloud-creds-provision/ipi-conf-alibabacloud-cloud-creds-provision-commands.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+set -o nounset
+set -o errexit
+set -o pipefail
+
+CR_PATH="/tmp/credrequests"
+MPREFIX="${SHARED_DIR}/manifest"
+cluster_id="${NAMESPACE}-${JOB_NAME_HASH}"
+export ALIBABA_CLOUD_CREDENTIALS_FILE="${SHARED_DIR}/alibabacreds.ini"
+
+# extract ccoctl from the release image
+oc registry login
+CCO_IMAGE=$(oc adm release info --image-for='cloud-credential-operator' "${RELEASE_IMAGE_LATEST}")
+cd "/tmp"
+oc image extract "${CCO_IMAGE}" --file="/usr/bin/ccoctl"
+chmod 555 "/tmp/ccoctl"
+
+# extract alibabacloud credentials requests from the release image
+oc adm release extract --credentials-requests --cloud=alibabacloud --to="${CR_PATH}" "${RELEASE_IMAGE_LATEST}"
+
+# create required credentials infrastructure and installer manifests for workload identity
+"/tmp/ccoctl" alibabacloud create-ram-users \
+    --region "${LEASED_RESOURCE}" \
+    --name="${cluster_id}" \
+    --credentials-requests-dir="${CR_PATH}" \
+    --output-dir="/tmp"
+
+cd "/tmp/manifests"
+# copy generated secret manifests from ccoctl target directory into shared directory
+for FILE in *; do cp "${FILE}" "${MPREFIX}_${FILE}"; done