diff --git a/cluster/ci/config/atomic/homu/ssh-cfg.yml b/cluster/ci/config/atomic/homu/ssh-cfg.yml
new file mode 100644
index 0000000000000..c4e9921867705
--- /dev/null
+++ b/cluster/ci/config/atomic/homu/ssh-cfg.yml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: homu-ssh-config
+data:
+ known-hosts: |
+ github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
+ ssh-config: |
+ UserKnownHostsFile /etc/homu-cfg/known-hosts
+ # We do want this
+ StrictHostKeyChecking yes
+ # Not worth the pain
+ CheckHostIP no
+ # Based on https://stribika.github.io/2015/01/04/secure-secure-shell.html
+ # Algorithms checked for github.com as of 20161222. Note they
+ # do not offer ed25519 host keys, only DSS and RSA.
+ Host github.com
+ HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-rsa
+ KexAlgorithms curve25519-sha256@libssh.org
+ Ciphers chacha20-poly1305@openssh.com
+ MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
+
+ Host *
+ PasswordAuthentication no
+ KbdInteractiveAuthentication no
+ GSSAPIAuthentication no
+ Protocol 2
+ # https://lwn.net/Articles/671874/
+ UseRoaming no
diff --git a/cluster/ci/config/atomic/homu/test/Dockerfile b/cluster/ci/config/atomic/homu/test/Dockerfile
new file mode 100644
index 0000000000000..4275da3807025
--- /dev/null
+++ b/cluster/ci/config/atomic/homu/test/Dockerfile
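Review bot: In ssh-cfg.yml the `ssh-config` key ends up at `/etc/homu-cfg/ssh-config` once the ConfigMap is mounted, but nothing visible in this commit makes the ssh client read that path; OpenSSH loads only the per-user and system-wide config files unless it is started with `-F`. If homu's git helper does not pass `-F /etc/homu-cfg/ssh-config` (its code is not shown here), `StrictHostKeyChecking yes` and the pinned `known-hosts` entry are not in effect for the clone and push traffic. A comment at the top of the `ssh-config` block naming the consumer would make this checkable, and a line above the `github.com ssh-rsa` entry such as `# verified against GitHub's published host key fingerprints on <date>` would record where the pinned key came from.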
@@ -0,0 +1,9 @@
+FROM fedora:25
+RUN yum -y install nss_wrapper git python-pip findutils && yum clean all && \
+ mkdir /app && cd /app && git clone -b homu-rollup-2 https://github.com/cgwalters/homu.git && pip3 install ./homu && \
+ find /usr/lib/python* -name git_helper.py -exec chmod a+x {} ';'
+ADD ./nss-wrapper-exec /usr/bin/nss-wrapper-exec
+ENV HOME=/tmp
+WORKDIR /tmp
+EXPOSE 8080
+CMD ["/usr/bin/nss-wrapper-exec", "env", "PYTHONUNBUFFERED=1", "/usr/bin/homu", "-v", "--config", "/etc/homu-secrets/cfg.toml"]
diff --git a/cluster/ci/config/atomic/homu/test/bc.yml b/cluster/ci/config/atomic/homu/test/bc.yml
new file mode 100644
index 0000000000000..cbdb1c7d8aae9
--- /dev/null
+++ b/cluster/ci/config/atomic/homu/test/bc.yml
@@ -0,0 +1,26 @@
+kind: "BuildConfig"
+apiVersion: "v1"
+metadata:
+ name: "homu-test-build"
+spec:
+ runPolicy: "Serial"
+ triggers:
+ - type: "GitHub"
+ github:
+ secret: "b58082a16b117b48a4d5bb3925b9c7b557806170"
+ - type: "ImageChange"
+ source:
+ type: "Git"
+ git:
+ uri: "ssh://git@github.com/cgwalters/projectatomic-ci-infra"
+ sourceSecret:
+ name: private-github-repo-key
+ contextDir: homu/test
+ strategy:
+ type: "Docker"
+ dockerStrategy:
+ noCache: true
+ output:
+ to:
+ kind: "ImageStreamTag"
+ name: "homu-test:latest"
diff --git a/cluster/ci/config/atomic/homu/test/dc.yml b/cluster/ci/config/atomic/homu/test/dc.yml
new file mode 100644
index 0000000000000..82ac4202d3d2a
--- /dev/null
+++ b/cluster/ci/config/atomic/homu/test/dc.yml
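Review bot: The `git clone -b homu-rollup-2 https://github.com/cgwalters/homu.git` step in the Dockerfile's `RUN` line installs whatever the head of that branch is at build time, so the image can change without any change in this repository, and the resulting container is the one that mounts `/etc/homu-secrets`. Pin the checkout to a reviewed commit, for example `git clone https://github.com/cgwalters/homu.git && git -C homu checkout <commit-sha> && pip3 install ./homu`. The same reasoning applies to `FROM fedora:25`, which is a mutable tag rather than a digest. Separately, the package list names `python-pip` while the command runs `pip3`; if `pip3` is only present through a transitive dependency, naming the Python 3 pip package explicitly would make that visible.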
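Review bot: The GitHub webhook trigger in bc.yml carries its shared secret in clear text on the `secret:` line under `github:`, so everyone with read access to this repository holds the value that authorizes starting `homu-test-build`. Treat the committed value as disclosed, rotate it, and keep the replacement out of version control. Where the cluster's BuildConfig API supports it, use `secretReference:` with `name: <webhook-secret-name>` under `github:` instead of the inline value; otherwise make it a template parameter supplied at apply time.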
@@ -0,0 +1,55 @@
+apiVersion: v1
+kind: DeploymentConfig
+metadata:
+ name: homu-test
+ labels:
+ app: homu-test
+spec:
+ replicas: 1
+ selector:
+ app: homu-test
+ deploymentconfig: homu-test
+ template:
+ metadata:
+ labels:
+ app: homu-test
+ deploymentconfig: homu-test
+ spec:
+ containers:
+ - image: homu-test
+ name: homu-test
+ ports:
+ - containerPort: 8080
+ name: homu
+ protocol: TCP
+ volumeMounts:
+ - name: cfg
+ mountPath: /etc/homu-secrets
+ readOnly: true
+ - name: sshcfg
+ mountPath: /etc/homu-cfg
+ readOnly: true
+ readinessProbe:
+ httpGet:
+ path: /
+ port: homu
+ volumes:
+ - name: cfg
+ secret:
+ secretName: homu-cfg-test
+ - name: sshcfg
+ configMap:
+ name: homu-ssh-config
+ triggers:
+ - type: ConfigChange
+ - type: ImageChange
+ imageChangeParams:
+ automatic: true
+ containerNames:
+ - homu-test
+ from:
+ kind: ImageStreamTag
+ name: homu-test:latest
+ type: ImageChange
+ strategy:
+ type: Rolling
diff --git a/cluster/ci/config/atomic/homu/test/nss-wrapper-exec b/cluster/ci/config/atomic/homu/test/nss-wrapper-exec
new file mode 100755
index 0000000000000..04f532392fa04
--- /dev/null
+++ b/cluster/ci/config/atomic/homu/test/nss-wrapper-exec
@@ -0,0 +1,13 @@
+#!/usr/bin/bash
+set -euo pipefail
+export USER_ID=$(id -u)
+export GROUP_ID=$(id -g)
+passwd=$(mktemp -t 'nss-wrapper-passwd.XXXXXX')
+cat > ${passwd} << EOF
+root:x:0:0:root:/root:/bin/bash
+user:x:${USER_ID}:${GROUP_ID}:user:${HOME}:/bin/bash
+EOF
+export LD_PRELOAD=libnss_wrapper.so
+export NSS_WRAPPER_PASSWD=${passwd}
+export NSS_WRAPPER_GROUP=/etc/group
+exec "$@"
diff --git a/cluster/ci/config/atomic/homu/test/svc.yml b/cluster/ci/config/atomic/homu/test/svc.yml
new file mode 100644
index 0000000000000..c0a8c7e9314f5
--- /dev/null
+++ b/cluster/ci/config/atomic/homu/test/svc.yml
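Review bot: The second entry under `triggers:` in dc.yml appears to set `type: ImageChange` twice, once on the `- type: ImageChange` line and again after the `from:` block; indentation is not recoverable in this view, so confirm against the file. A duplicate mapping key is invalid YAML that most parsers resolve silently by taking the last value, while a stricter loader rejects the whole object, so drop one of the two. The container also declares no `resources` or `securityContext` although it mounts `homu-cfg-test`; a short comment stating that it relies on the project's default limits and security context constraint would make that choice reviewable.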
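Review bot: In nss-wrapper-exec, `export USER_ID=$(id -u)` and `export GROUP_ID=$(id -g)` hide a failing `id` from `set -e`, because the status of each line is that of `export`; assign first and export afterwards, `USER_ID=$(id -u); export USER_ID`. The redirection `cat > ${passwd} << EOF` should quote the path as `"${passwd}"` so that a temporary directory containing whitespace does not break it. The script also exports `LD_PRELOAD=libnss_wrapper.so` to every process it execs and never removes the temp file, so a header comment saying that this exists to give the runtime UID from `id -u` a passwd entry would help the next reader judge whether the preload is still needed.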
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: List
+items:
+
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: homu-test
+ labels:
+ app: homu-test
+ spec:
+ ports:
+ - port: 8080
+ targetPort: 8080
+ selector:
+ app: homu-test
+ deploymentconfig: homu-test
+
+- apiVersion: v1
+ kind: Route
+ metadata:
+ labels:
+ app: homu-test
+ name: homu-test
+ spec:
+ to:
+ name: homu-test
+ port:
+ targetPort: 8080
+ tls:
+ termination: edge
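Review bot: The Route in svc.yml sets `termination: edge` under `tls:` without `insecureEdgeTerminationPolicy`, so the handling of plain-HTTP requests to this host is left to the router default instead of being stated in the file. Since the route fronts the homu service on port 8080, make the intent explicit with `insecureEdgeTerminationPolicy: Redirect` (or `None`) next to `termination: edge`. With edge termination the hop from the router to the pod is unencrypted, which deserves a one-line comment above `tls:` so the choice reads as deliberate.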