diff --git a/jenkins/README.md b/jenkins/README.md
index 94f2a7c..0698818 100644
--- a/jenkins/README.md
+++ b/jenkins/README.md
@@ -38,11 +38,19 @@ Assuming you already have a cluster set up and running (e.g. `oc cluster up`): ``` $ oc new-project projectatomic-ci -$ echo "$GITHUB_TOKEN" > mytoken +$ echo -n "$GITHUB_TOKEN" > mytoken $ oc secrets new github-token token=mytoken $ oc new-app --file paci-jenkins.yaml ``` +If you're also planning to test publishing results to AWS S3: + ``` +$ echo -n "$AWS_ACCESS_KEY_ID" > aws-key-id +$ echo -n "$AWS_SECRET_ACCESS_KEY" > aws-key-secret +$ oc secrets new aws-access-key id=aws-key-id secret=aws-key-secret +``` + If your project already exists (e.g. you are not a cluster admin) and it is not named `projectatomic-ci`, make sure to pass the `-p NAMESPACE=$project` argument to the `new-app` command above. (Though note that the `job-builder` Jenkinsfile
@@ -151,6 +159,12 @@ working OpenShift cluster. See the PAPR [instructions](https://github.com/projectatomic/papr/blob/ocp/docs/RUNNING.md) for more details on how to get started. +The `papr` service account needs to have a membership in an SCC with `RunAsAny`, so that it can run test containers as root, much like Docker. In the `oc cluster up` case, this can be done simply by adding the papr service account to the `anyuid` SCC. Otherwise, you'll need to ask a cluster administrator to do this for you. + To be able to trigger PAPR tests from GHPRB jobs in Jenkins, you simply need to build the PAPR image:
diff --git a/jenkins/paci-jenkins.yaml b/jenkins/paci-jenkins.yaml
index cf87e81..c256e1e 100644
--- a/jenkins/paci-jenkins.yaml
+++ b/jenkins/paci-jenkins.yaml
@@ -143,6 +143,20 @@ objects:
 subjects:
 - kind: ServiceAccount
 name: papr
+- apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: papr-config
+ data:
+ config: |
+ github:
+ auth-from-env: true
+ publisher:
+ type: s3
+ config:
+ auth-from-env: true
+ bucket: aos-ci
+ rootdir: ghprb
 - apiVersion: v1
 kind: Route
 metadata:
@@ -245,7 +259,9 @@ objects:
 claimName: ${JENKINS_SERVICE_NAME}
 - name: github-token-mount
 secret:
- secretName: ${GITHUB_TOKEN_SECRET}
+ # we expect users to have created a secret called github-token with
+ # the key "token" containing the actual token
+ secretName: github-token
 - name: webhook-secret-mount
 secret:
 secretName: webhook-secret
@@ -376,13 +392,6 @@ parameters:
 - description: Git branch/tag reference
 name: PAPR_REPO_REF
 value: master
-- description: >
- GitHub token secret. This is *not* the token itself. It is the name of the
- OpenShift secret containing the token, which must be created beforehand. The
- secret is expected to define a key "token" containing the token.
- name: GITHUB_TOKEN_SECRET
- value: github-token
- required: true
 - description: Shared webhook secret.
 name: GITHUB_WEBHOOK_SHARED_SECRET
 generate: expression
diff --git a/papr/papr-trigger.py b/papr/papr-trigger.py
index 4493a13..25fbddc 100755
--- a/papr/papr-trigger.py
+++ b/papr/papr-trigger.py
@@ -19,12 +19,20 @@ import os
 import sys
 import json
-import uuid
 import argparse
 import tempfile
 import subprocess
+# XXX: Need to figure out GC strategy for the pod we create here (the "child"
+# pods that PAPR creates are cleaned up by PAPR itself -- once we set up owner
+# references, then even aborted PAPR jobs should end up cleaning child pods
+# when we GC the parent). Maybe a Jenkins job to do this? Would want similar
+# semantics like successfulBuildsHistoryLimit and failedBuildsHistoryLimit.
+# Also note we'll still need this even once we move to Kubernetes Jobs, though
+# owner references are implicitly added for child pods.
+
+
 def main():
 args = parse_args()
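Review bot: `bucket: aos-ci` and `rootdir: ghprb` are hard-coded inside the new `papr-config` ConfigMap, while the rest of this template exposes deployment-specific values through `parameters:` (e.g. `PAPR_REPO_REF` in the last hunk of this file), so anyone deploying against a different account has to edit the template rather than pass `-p`. Suggest `bucket: ${PAPR_S3_BUCKET}` plus a `parameters:` entry whose description says the bucket must already exist and that the `aws-access-key` secret must be allowed to write to it. Because `publisher.type: s3` is unconditional, a deployment that follows the README and skips the "optional" AWS secret still gets an S3 publisher configured; that interaction deserves a sentence in the parameter description or the README. This ConfigMap is what papr-trigger.py mounts as `config-mount` in a later hunk of the commit.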
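Review bot: The two added comment lines are now the only place that records the contract "secret named `github-token`, key `token`", and YAML comments are dropped when the template is processed, so the processed template or the live DeploymentConfig no longer carries the requirement that the removed `GITHUB_TOKEN_SECRET` parameter description used to state (see the third hunk of this file). Suggest putting that sentence into the template's description annotation, if it has one, or at least `# see jenkins/README.md for the required secrets` so it stays discoverable from the object itself. Callers that still pass `-p GITHUB_TOKEN_SECRET=...` will, as far as I recall, now fail template processing on an unknown parameter name, which is worth one line in the README alongside the secret-creation steps.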
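Review bot: The new GC comment says "the pod we create here", but the code directly beneath it is `main()`; the pod is actually created in `create_papr_pod` (last hunk of this file), which is where someone chasing pod lifecycle will look. Suggest moving the block above `create_papr_pod`, or leaving a one-line `# XXX: no GC yet for the pods created by create_papr_pod; see the note there` at this spot. Since the pods are now named by `generateName` (next hunks), the `app: papr` label is the only stable handle a cleanup job would have, which is worth stating in the comment.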
@@ -50,8 +58,6 @@ def parse_args():
 def generate_papr_pod(args):
 repo_name = args.repo[args.repo.index('/')+1:]
 target_name = args.branch if args.branch else args.pull
- uuid_name = uuid.uuid4().hex[:6] # XXX: actually check for collision
- pod_name = "papr-%s-%s-%s" % (repo_name, target_name, uuid_name)
 # XXX: Migrate to Jobs, which have nicer semantics. For now, we're stuck
 # with kube v1.6, which knows jobs, but doesn't support "backoffLimit".
 # https://github.com/kubernetes/kubernetes/issues/30243
@@ -59,7 +65,7 @@ def generate_papr_pod(args):
 "apiVersion": "v1",
 "kind": "Pod",
 "metadata": {
- "name": pod_name,
+ "generateName": "papr-%s-%s-" % (repo_name, target_name),
 "labels": {
 "app": "papr"
 }
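Review bot: `generateName` is formatted from `repo_name` and `target_name` exactly as they arrive from the command line, but Kubernetes only accepts DNS-1123 subdomain names (lowercase alphanumerics, `-` and `.`), so a branch such as `Feature/foo` or one containing `_` makes `oc create` reject the pod. The removed uuid-based `pod_name` had the same gap, so this is not a regression, but with the suffix now server-generated these two fragments are the only thing left to validate; the point applies to the `"generateName"` line in the second hunk. Suggest normalising both before formatting, with `str()` because it is not visible here whether `args.pull` is an int or a str; the helper needs `import re` in the module's import block (first hunk of this file), and `parse_args` is outside the hunk so I cannot tell whether it already rejects a `--repo` without a `/`, which the context-line slice would otherwise turn into a `ValueError`.
```python
def _name_fragment(value):
    # Kubernetes object names must be DNS-1123 subdomains (lowercase
    # alphanumerics, '-' and '.'); map anything else from the CLI to '-'.
    return re.sub(r'[^a-z0-9.-]+', '-', str(value).lower()).strip('-.')


def generate_papr_pod(args):
    repo_name = _name_fragment(args.repo[args.repo.index('/')+1:])
    target_name = _name_fragment(args.branch if args.branch else args.pull)
    # … unchanged: XXX note about migrating to Jobs, pod dict …
            "generateName": "papr-%s-%s-" % (repo_name, target_name),
```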
@@ -73,26 +79,54 @@ def generate_papr_pod(args):
 "image": "172.30.1.1:5000/projectatomic-ci/papr",
 "imagePullPolicy": "Always",
 "args": ["--debug", "runtest", "--conf",
- "/etc/papr.conf", "--repo", args.repo],
- # XXX: pvc for git checkout caches
- # XXX: mount site.yaml configmap
+ "/etc/papr/config", "--repo", args.repo],
+ # XXX: pvc for git checkout caches (but need to add locking)
+ "env": [
+ {
+ "name": "GITHUB_TOKEN",
+ "valueFrom": {
+ "secretKeyRef": {
+ "name": "github-token",
+ "key": "token",
+ "optional": False
+ }
+ }
+ },
+ {
+ "name": "AWS_ACCESS_KEY_ID",
+ "valueFrom": {
+ "secretKeyRef": {
+ "name": "aws-access-key",
+ "key": "id",
+ "optional": False
+ }
+ }
+ },
+ {
+ "name": "AWS_SECRET_ACCESS_KEY",
+ "valueFrom": {
+ "secretKeyRef": {
+ "name": "aws-access-key",
+ "key": "secret",
+ "optional": False
+ }
+ }
+ }
+ ],
 "volumeMounts": [
 {
- "name": "github-token-mount",
- "mountPath": "/etc/github-token",
- "readOnly": True
+ "name": "config-mount",
+ "mountPath": "/etc/papr"
 }
 ]
 }
 ],
 "volumes": [
 {
- "name": "github-token-mount",
- "secret": {
- # XXX: this is from the template; probably should just
- # require the secret to have that exact name
- "secretName": "github-token"
- }
+ "name": "config-mount",
+ "configMap": {
+ "name": "papr-config"
+ }
 }
 ]
 }
@@ -124,8 +158,7 @@ def create_papr_pod(pod):
 with tempfile.TemporaryFile() as tmpf:
 tmpf.write(json.dumps(pod).encode('utf-8'))
 tmpf.seek(0)
- subprocess.check_output(["oc", "create", "-f", "-"], stdin=tmpf)
- print(pod["metadata"]["name"])
+ subprocess.check_call(["oc", "create", "-f", "-"], stdin=tmpf)
 if __name__ == '__main__':
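Review bot: Both `aws-access-key` references carry `"optional": False`, while the README hunk in this same commit introduces that secret with "If you're also planning to test publishing results to AWS S3", i.e. as optional; on a cluster without the secret every PAPR pod will be stuck in a container-config error rather than running, so one side has to give. Either set the two AWS refs to `"optional": True` (PAPR's `auth-from-env` then sees the variables unset, which it presumably tolerates — worth confirming) or state in the README that the secret is required now that `papr-config` unconditionally configures an S3 publisher. Separately, the GitHub token moves from a read-only file mount to an environment variable, which is what `auth-from-env: true` needs, but an env var is inherited by every process spawned in this container and shows up in anything that dumps the environment, so a comment such as `# secrets are env vars for PAPR's auth-from-env; they reach every child process, so never log os.environ` next to the `"env"` key would help the next maintainer. `generate_papr_pod` starts and ends outside this hunk.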
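Review bot: With `generateName` the pod's real name is only known once `oc create` returns, yet this hunk removes the `print(pod["metadata"]["name"])` that used to report it, so whatever invokes this trigger (a Jenkins step, presumably) can no longer find, follow or delete the pod it just created. Suggest keeping `check_output` and asking the server for the assigned name: `out = subprocess.check_output(["oc", "create", "-f", "-", "-o", "name"], stdin=tmpf)` followed by `print(out.decode('utf-8').strip())`. `create_papr_pod`'s signature is on the hunk header, outside the hunk.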