From 3c2e885595d6ebc1770d42d4afa0b16855476f50 Mon Sep 17 00:00:00 2001 From: Michal Kovarik Date: Feb 06 2020 09:47:09 +0000 Subject: Remove unused files Scripts have been replaced by pipeline-as-a-service or rewritten to python/bash.
---
diff --git a/README.md b/README.md
index 35e42e5..0af2e53 100644
--- a/README.md
+++ b/README.md
@@ -6,11 +6,7 @@ with methods to ease deployment and management of ephemeral instances, suitable
 The currently available global variables are:
 * c3i: General utilities, including cleaning up stale resources from previous test runs.
-* ca: Create a local certificate authority, and generate SSL certificates and Java keystores
- and truststores.
-* umb: Deploy an instance of the Unified Message Bus (ActiveMQ).
-* koji: Deploy and provision a Koji hub.
-* mbs: Deploy a Module Build Service instance.
+* pagure: Client for pagure.io .
 More complete documentation is in progress.
diff --git a/resources/ca/ssl.cnf.in b/resources/ca/ssl.cnf.in
deleted file mode 100644
index 2ccedce..0000000
--- a/resources/ca/ssl.cnf.in
+++ /dev/null
@@ -1,70 +0,0 @@
-[ ca ]
-default_ca = CA_default # The default ca section
-
-[ CA_default ]
-dir = $ENV::PWD # Where everything is kept
-certs = $dir # Where the issued certs are kept
-database = $dir/index.txt # database index file.
-new_certs_dir = $dir # default place for new certs.
-certificate = $dir/ca-cert.pem # The CA certificate
-private_key = $dir/ca-key.pem # The private key
-serial = $dir/serial # The current serial number
-x509_extensions = usr_cert # The extensions to add to the cert
-name_opt = ca_default # Subject Name options
-cert_opt = ca_default # Certificate field options
-default_days = 7 # how long to certify for
-default_md = sha256 # use SHA-256 by default
-preserve = no # keep passed DN ordering
-policy = policy_match
-
-[ policy_match ]
-countryName = match
-stateOrProvinceName = match
-localityName = match
-organizationName = match
-organizationalUnitName = supplied
-commonName = supplied
-emailAddress = supplied
-
-[ req ]
-default_bits = 2048
-default_md = sha256
-distinguished_name = req_distinguished_name
-attributes = req_attributes
-x509_extensions = v3_ca
-prompt = no
-string_mask = utf8only
-req_extensions = v3_req
-
-[ req_distinguished_name ]
-countryName = US
-stateOrProvinceName = Massachusetts
-localityName = Boston
-0.organizationName = Test Company
-organizationalUnitName = Test Unit
-commonName = ${commonName}
-emailAddress = test-ca@example.com
-
-[ req_attributes ]
-
-[ usr_cert ]
-basicConstraints = CA:FALSE
-nsCertType = server, client, email, objsign
-nsComment = "Certificate for testing purposes only"
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid,issuer
-subjectAltName = ${subjectAltNames}
-
-[ v3_req ]
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-extendedKeyUsage = serverAuth
-
-[ v3_ca ]
-basicConstraints = critical,CA:TRUE,pathlen:0
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always,issuer
-keyUsage = keyCertSign
-nsCertType = sslCA
-subjectAltName = email:copy
-issuerAltName = issuer:copy
diff --git a/resources/openshift/templates/koji.yaml b/resources/openshift/templates/koji.yaml
deleted file mode 100644
index ce32594..0000000
--- a/resources/openshift/templates/koji.yaml
+++ /dev/null
@@ -1,355 +0,0 @@ -apiVersion: v1 -kind: Template -metadata: - name: koji-hub-test-template - app: koji -parameters: -- name: TEST_ID - displayName: Test id - description: Short unique identifier for this test run (e.g. Jenkins job number) - required: true -- name: KOJI_HUB_IMAGE - displayName: Koji image repo to be tested - description: The location of the Koji hub image to deploy - value: quay.io/factory2/koji:latest - required: true -- name: DATABASE_PASSWORD - displayName: Database password - generate: expression - from: "[\\w]{12}" -- name: KOJI_HUB_CERT - displayName: Koji hub SSL certificate - description: SSL certificate for the Koji hub (base64 encoded) - required: true -- name: KOJI_HUB_KEY - displayName: Koji hub SSL private key - description: SSL private key for the Koji hub (base64 encoded) - required: true -- name: KOJI_CA_CERT - displayName: Koji hub CA certificate - description: Certificate for the CA that issued the Koji hub certificate (base64 encoded) - required: true -- name: KOJI_MESSAGING_URL - displayName: Koji messaging URL - description: The URL to the message broker used by the Koji messaging plugin - required: true -- name: KOJI_MESSAGING_CERT_AND_KEY - displayName: Koji messaging certificate and key - description: SSL certificate and private key for messaging, concatenated, in PEM format (base64 encoded) - required: true -- name: KOJI_ADMIN_USER - displayName: Koji admin user - description: Username to add to the Koji instance as an admin - value: admin - required: true -objects: -- apiVersion: v1 - kind: Secret - metadata: - name: koji-${TEST_ID}-db-secret - labels: - app: koji - service: database - environment: test-${TEST_ID} - stringData: - password: "${DATABASE_PASSWORD}" -- apiVersion: v1 - kind: DeploymentConfig - metadata: - name: koji-${TEST_ID}-db - labels: - app: koji - service: database - environment: test-${TEST_ID} - spec: - replicas: 1 - strategy: - type: Recreate - selector: - app: koji - service: database - environment: 
test-${TEST_ID} - template: - metadata: - labels: - app: koji - service: database - environment: test-${TEST_ID} - spec: - containers: - - name: postgresql - image: registry.access.redhat.com/rhscl/postgresql-95-rhel7:latest - imagePullPolicy: Always - ports: - - containerPort: 5432 - protocol: TCP - resources: - limits: - memory: 512Mi - cpu: 0.4 - readinessProbe: - timeoutSeconds: 1 - initialDelaySeconds: 30 - exec: - command: [ /bin/sh, -i, -c, "psql -h 127.0.0.1 -U $POSTGRESQL_USER -q -d $POSTGRESQL_DATABASE -c 'SELECT 1'" ] - livenessProbe: - timeoutSeconds: 1 - initialDelaySeconds: 30 - tcpSocket: - port: 5432 - env: - - name: POSTGRESQL_USER - value: koji - - name: POSTGRESQL_PASSWORD - valueFrom: - secretKeyRef: - name: koji-${TEST_ID}-db-secret - key: password - - name: POSTGRESQL_DATABASE - value: koji - triggers: - - type: ConfigChange -- apiVersion: v1 - kind: Service - metadata: - name: koji-${TEST_ID}-db - labels: - app: koji - service: database - environment: test-${TEST_ID} - spec: - ports: - - port: 5432 - protocol: TCP - targetPort: 5432 - selector: - app: koji - service: database - environment: test-${TEST_ID} -- apiVersion: v1 - kind: Secret - metadata: - name: koji-${TEST_ID}-hub-certs - labels: - app: koji - service: hub - environment: test-${TEST_ID} - data: - kojihub.crt: |- - ${KOJI_HUB_CERT} - kojihub.key: |- - ${KOJI_HUB_KEY} - kojica.crt: |- - ${KOJI_CA_CERT} - kojimsg.pem: |- - ${KOJI_MESSAGING_CERT_AND_KEY} -- apiVersion: v1 - kind: ConfigMap - metadata: - name: koji-${TEST_ID}-hub-config - labels: - app: koji - service: hub - environment: test-${TEST_ID} - data: - ssl.conf: |- - LoadModule ssl_module modules/mod_ssl.so - Listen 8443 - SSLPassPhraseDialog builtin - SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000) - SSLSessionCacheTimeout 300 - SSLRandomSeed startup file:/dev/urandom 256 - SSLRandomSeed connect builtin - SSLCryptoDevice builtin - - ErrorLog logs/ssl_error_log - TransferLog logs/ssl_access_log - LogLevel debug - 
SSLEngine on - SSLProtocol all -SSLv2 - SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES - ServerName koji-hub - SSLCertificateFile /etc/pki/koji/certs/kojihub.crt - SSLCertificateKeyFile /etc/pki/koji/certs/kojihub.key - SSLCertificateChainFile /etc/pki/koji/certs/kojica.crt - SSLCACertificateFile /etc/pki/koji/certs/kojica.crt - SSLVerifyDepth 1 - CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" - - hub.conf: |- - [hub] - KojiDir = /mnt/koji - LoginCreatesUser = On - DisableNotifications = True - PluginPath = /usr/lib/koji-hub-plugins - Plugins = protonmsg - KojiDebug = On - KojiTraceback = extended - DBName = koji - DBUser = koji - DBPass = ${DATABASE_PASSWORD} - DBHost = koji-${TEST_ID}-db - KojiWebURL = https://koji-${TEST_ID}-web/koji - EnableMaven = True - EnableWin = True - KojiDebug = On - KojiTraceback = extended - DNUsernameComponent = CN - ProxyDNs = /C=US/ST=Massachusetts/L=Boston/O=Test Company/OU=Test Unit/CN=koji-${TEST_ID}-web/emailAddress=test-ca@example.com - protonmsg.conf: |- - [broker] - urls = ${KOJI_MESSAGING_URL} - cert = /etc/pki/koji/certs/kojimsg.pem - cacert = /etc/pki/koji/certs/kojica.crt - topic_prefix = VirtualTopic.eng.brew - connect_timeout = 10 - send_timeout = 60 -- apiVersion: v1 - kind: DeploymentConfig - metadata: - name: koji-${TEST_ID}-hub - labels: - app: koji - service: hub - environment: test-${TEST_ID} - spec: - replicas: 1 - strategy: - type: Recreate - recreateParams: - pre: - failurePolicy: Abort - execNewPod: - containerName: koji-hub - command: - - /bin/sh - - -i - - -c - - | - # try for 10 minutes (600 seconds) - e=$(( $(date +%s) + 600 )) - i=0 - while [ $(date +%s) -lt $e ]; do - export PGPASSWORD="${DATABASE_PASSWORD}" - echo "TRY #$((++i))" - psql -h koji-${TEST_ID}-db koji koji -c "select 1 from task" || psql -h koji-${TEST_ID}-db koji koji -f /usr/share/doc/koji*/docs/schema.sql - if [ $? 
-eq 0 ]; then - psql -h koji-${TEST_ID}-db koji koji -c "insert into users (name, usertype, status) values ('${KOJI_ADMIN_USER}', 0, 0)" && \ - psql -h koji-${TEST_ID}-db koji koji -c "insert into user_perms (user_id, perm_id, creator_id) values \ - ((select id from users where name = '${KOJI_ADMIN_USER}'), \ - (select id from permissions where name = 'admin'), \ - (select id from users where name = '${KOJI_ADMIN_USER}'))" || : - exit 0 - fi - sleep 10 - done - exit 1 - selector: - app: koji - service: hub - environment: test-${TEST_ID} - template: - metadata: - labels: - app: koji - service: hub - environment: test-${TEST_ID} - spec: - containers: - - name: koji-hub - image: ${KOJI_HUB_IMAGE} - imagePullPolicy: Always - ports: - - containerPort: 8080 - protocol: TCP - name: http - - containerPort: 8443 - protocol: TCP - name: https - livenessProbe: - failureThreshold: 3 - httpGet: - path: /kojifiles/ - port: 8080 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 3 - httpGet: - path: /kojifiles/ - port: 8080 - scheme: HTTP - initialDelaySeconds: 5 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - resources: - limits: - memory: 512Mi - cpu: 400m - requests: - memory: 256Mi - cpu: 200m - volumeMounts: - - mountPath: /mnt/koji - name: koji-volume - - mountPath: /etc/pki/koji/certs - name: koji-hub-certs-vol - - mountPath: /etc/pki/tls/cert.pem - name: koji-hub-certs-vol - subPath: kojica.crt - - mountPath: /etc/httpd/conf.d/ssl.conf - name: koji-hub-config-vol - subPath: ssl.conf - - mountPath: /etc/koji-hub/hub.conf - name: koji-hub-config-vol - subPath: hub.conf - volumes: - - name: koji-volume - emptyDir: {} - - name: koji-hub-config-vol - configMap: - name: koji-${TEST_ID}-hub-config - - name: koji-hub-certs-vol - secret: - secretName: koji-${TEST_ID}-hub-certs -- apiVersion: v1 - kind: Service - metadata: - name: koji-${TEST_ID}-hub - labels: - app: koji - 
service: hub - environment: test-${TEST_ID} - spec: - ports: - - name: http - port: 80 - targetPort: http - - name: https - port: 443 - targetPort: https - selector: - app: koji - service: hub - environment: test-${TEST_ID} -- apiVersion: v1 - kind: Route - metadata: - name: koji-${TEST_ID}-hub - labels: - app: koji - service: hub - environment: test-${TEST_ID} - spec: - to: - kind: Service - name: koji-${TEST_ID}-hub - port: - targetPort: https - tls: - termination: passthrough - insecureEdgeTerminationPolicy: Redirect diff --git a/resources/openshift/templates/krb5.yaml b/resources/openshift/templates/krb5.yaml deleted file mode 100644 index 1b12c65..0000000 --- a/resources/openshift/templates/krb5.yaml +++ /dev/null 
@@ -1,262 +0,0 @@ ---- -apiVersion: v1 -kind: Template -metadata: - name: krb5-test-template -labels: - template: krb5-test-template -parameters: -- name: TEST_ID - displayName: Test id - description: Short unique identifier for this test run (e.g. Jenkins job number) - required: true -- name: NAME - displayName: The name for this deployment config. - required: true - value: krb5 -- name: REALM - displayName: The Kerberos realm to manage. - required: true - value: CLUSTER.LOCAL -- name: DOMAIN - displayName: The DNS domain associated with the realm. - required: true - value: cluster.local -- name: KDC_DB_PASSWORD - displayName: The master password for the Kerberos database. - generate: expression - from: "[\\w]{16}" -- name: ADMIN_PASSWORD - displayName: The password for the kadmin/admin principal. - generate: expression - from: "[\\w]{16}" -- name: INIT_USERS - displayName: A comma-separated list of initial users to define, in username:password format. - required: false -- name: IMAGE - displayName: Location of the image to deploy. 
- required: true - value: quay.io/factory2/krb5-fedora:latest -objects: -- apiVersion: v1 - kind: Secret - metadata: - name: ${NAME}-${TEST_ID}-secret - labels: - app: ${NAME} - service: kerberos - environment: test-${TEST_ID} - stringData: - KDC_DB_PASSWORD: ${KDC_DB_PASSWORD} - ADMIN_PASSWORD: ${ADMIN_PASSWORD} -- apiVersion: v1 - kind: ConfigMap - metadata: - name: ${NAME}-${TEST_ID}-config - labels: - app: ${NAME} - service: kerberos - environment: test-${TEST_ID} - data: - krb5.conf: | - includedir /etc/krb5.conf.d/ - - [logging] - default = STDERR - kdc = STDERR - admin_server = STDERR - debug = true - - [libdefaults] - dns_lookup_kdc = false - dns_lookup_realm = false - dns_canonicalize_hostname = false - ticket_lifetime = 24h - renew_lifetime = 7d - forwardable = true - pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt - spake_preauth_groups = edwards25519 - default_realm = ${REALM} - default_ccache_name = FILE:/tmp/%{uid}-ccache - - [realms] - ${REALM} = { - kdc = kerberos-${TEST_ID}:8088 - admin_server = kerberos-${TEST_ID}:8749 - kpasswd_server = kerberos-${TEST_ID}:8464 - kdc_listen = 8088 - kdc_tcp_listen = 8088 - kadmind_listen = 8749 - kpasswd_listen = 8464 - acl_file = /etc/kadm5.acl - } - - [domain_realm] - .${DOMAIN} = ${REALM} - ${DOMAIN} = ${REALM} - kadm5.acl: | - */admin@${REALM} * -- apiVersion: v1 - kind: DeploymentConfig - metadata: - name: ${NAME}-${TEST_ID} - labels: - app: ${NAME} - service: kerberos - environment: test-${TEST_ID} - spec: - replicas: 1 - strategy: - type: Recreate - selector: - app: ${NAME} - service: kerberos - environment: test-${TEST_ID} - template: - metadata: - labels: - app: ${NAME} - service: kerberos - environment: test-${TEST_ID} - spec: - initContainers: - - name: init-kdc-db - image: ${IMAGE} - imagePullPolicy: Always - command: - - /usr/local/bin/init-kdc-db - env: - - name: REALM - value: ${REALM} - - name: INIT_USERS - value: ${INIT_USERS} - envFrom: - - secretRef: - name: ${NAME}-${TEST_ID}-secret - 
volumeMounts: - - name: config-vol - mountPath: /etc/krb5.conf - subPath: krb5.conf - - name: config-vol - mountPath: /etc/kadm5.acl - subPath: kadm5.acl - - name: data-vol - mountPath: /var/kerberos/krb5kdc - resources: - requests: - memory: "384Mi" - cpu: "300m" - limits: - memory: "512Mi" - cpu: "500m" - containers: - - name: kdc - image: ${IMAGE} - imagePullPolicy: Always - command: - - /usr/sbin/krb5kdc - - -n - volumeMounts: - - name: config-vol - subPath: krb5.conf - mountPath: /etc/krb5.conf - - name: config-vol - subPath: kadm5.acl - mountPath: /etc/kadm5.acl - - name: data-vol - mountPath: /var/kerberos/krb5kdc - ports: - - name: kdc - containerPort: 8088 - - name: kdc-udp - containerPort: 8088 - protocol: UDP - resources: - requests: - memory: "384Mi" - cpu: "300m" - limits: - memory: "512Mi" - cpu: "500m" - livenessProbe: - tcpSocket: - port: 8088 - readinessProbe: - tcpSocket: - port: 8088 - - name: kadmind - image: ${IMAGE} - imagePullPolicy: Always - command: - - /usr/sbin/kadmind - - -nofork - volumeMounts: - - name: config-vol - subPath: krb5.conf - mountPath: /etc/krb5.conf - - name: config-vol - subPath: kadm5.acl - mountPath: /etc/kadm5.acl - - name: data-vol - mountPath: /var/kerberos/krb5kdc - ports: - - name: admin - containerPort: 8749 - - name: kpasswd - containerPort: 8464 - - name: kpasswd-udp - containerPort: 8464 - protocol: UDP - resources: - requests: - memory: "384Mi" - cpu: "300m" - limits: - memory: "512Mi" - cpu: "500m" - livenessProbe: - tcpSocket: - port: 8749 - readinessProbe: - tcpSocket: - port: 8749 - volumes: - - name: config-vol - configMap: - name: ${NAME}-${TEST_ID}-config - - name: data-vol - emptyDir: {} - triggers: - - type: ConfigChange -- apiVersion: v1 - kind: Service - metadata: - name: kerberos-${TEST_ID} - labels: - app: ${NAME} - service: kerberos - environment: test-${TEST_ID} - spec: - type: NodePort - ports: - - name: kdc - port: 8088 - targetPort: kdc - - name: kdc-udp - port: 8088 - protocol: UDP - 
targetPort: kdc-udp - - name: admin - port: 8749 - targetPort: admin - - name: kpasswd - port: 8464 - targetPort: kpasswd - - name: kpasswd-udp - port: 8464 - protocol: UDP - targetPort: kpasswd-udp - selector: - app: ${NAME} - service: kerberos - environment: test-${TEST_ID} diff --git a/resources/openshift/templates/mbs-frontend-krb5.yaml b/resources/openshift/templates/mbs-frontend-krb5.yaml deleted file mode 100644 index bc0545c..0000000 --- a/resources/openshift/templates/mbs-frontend-krb5.yaml +++ /dev/null 
@@ -1,349 +0,0 @@ ---- -apiVersion: v1 -kind: Template -metadata: - name: mbs-frontend-krb5-template - app: mbs -parameters: -- name: TEST_ID - displayName: Test id - description: Short unique identifier for this test run (e.g. Jenkins job number) - required: true -- name: MBS_FRONTEND_IMAGE - displayName: Image for MBS frontend - description: Image to be used for MBS frontend deployment - required: true -- name: KOJI_URL - displayName: Top level URL of the Koji instance to use - description: Top level URL of the Koji instance to use. Without a '/' at the end. - required: true -- name: FLASK_SECRET_KEY - displayName: The secret key for Flask - generate: expression - from: "[\\w]{16}" -- name: DATABASE_PASSWORD - displayName: Database password - description: The password for the database. - required: true -- name: FRONTEND_KEYTAB - displayName: Base64-encoded Kerberos keytab used by the frontend - required: true -- name: KRB5_CONF_CONFIGMAP - displayName: Name of the ConfigMap containing the krb5.conf required for Kerberos auth - required: true -- name: KRB5_USER - displayName: A user who will be allowed to authenticate to the MBS. 
- required: false - value: mbs-admin -objects: -- apiVersion: v1 - kind: Secret - metadata: - name: mbs-${TEST_ID}-frontend-keytab - labels: - app: mbs - service: frontend - environment: test-${TEST_ID} - data: - keytab: ${FRONTEND_KEYTAB} -- apiVersion: v1 - kind: ConfigMap - metadata: - name: mbs-${TEST_ID}-httpd-config - labels: - app: mbs - service: frontend - environment: test-${TEST_ID} - data: - mbs.conf: | - WSGIDaemonProcess mbs user=fedmsg group=fedmsg home=/usr/share/mbs maximum-requests=1000 display-name=mbs processes=2 threads=2 - WSGISocketPrefix run/wsgi - WSGIRestrictStdout Off - WSGIRestrictSignal Off - WSGIPythonOptimize 1 - WSGIApplicationGroup %{GLOBAL} - - WSGIScriptAlias / /usr/share/mbs/mbs.wsgi - - - WSGIProcessGroup mbs - - # Return JSON when authentication fails - ErrorDocument 401 "{\"error\": \"You must be authenticated to perform this action.\"}" - Header always set Content-Type "application/json" "expr=%{REQUEST_STATUS} == 401" - - AuthType GSSAPI - AuthName "MBS Kerberos negotiate authentication based on GSSAPI" - GssapiSSLonly On - GssapiCredStore keytab:/etc/mbs.keytab - - # GET methods are allowed for everyone, but any other method - # needs a valid-user. 
- - Require method GET OPTIONS - Require valid-user - - - - RedirectMatch ^/$ /module-build-service/1/module-builds/ -- apiVersion: v1 - kind: ConfigMap - metadata: - name: mbs-${TEST_ID}-frontend-config - labels: - app: mbs - service: frontend - environment: test-${TEST_ID} - data: - config.py: | - class ProdConfiguration(object): - DEBUG = True - - SECRET_KEY = '${FLASK_SECRET_KEY}' - - SQLALCHEMY_DATABASE_URI = 'postgresql://mbs:${DATABASE_PASSWORD}@mbs-${TEST_ID}-database:5432/mbs' - SQLALCHEMY_TRACK_MODIFICATIONS = True - - # Global network-related values, in seconds - NET_TIMEOUT = 120 - NET_RETRY_INTERVAL = 30 - - SYSTEM = 'koji' - MESSAGING = 'umb' - MESSAGING_TOPIC_PREFIX = ['/queue/Consumer.mbs.queue.VirtualTopic.eng'] - KOJI_CONFIG = '/etc/module-build-service/koji.conf' - KOJI_PROFILE = 'test' - ARCHES = ['x86_64'] - KOJI_PROXYUSER = False - KOJI_REPOSITORY_URL = '${KOJI_URL}/kojiroot/repos' - PDC_URL = '' - PDC_INSECURE = False - PDC_DEVELOP = True - SCMURLS = [] - ALLOW_CUSTOM_SCMURLS = True - - RESOLVER = 'koji' - - # This is a whitelist of prefixes of koji tags we're allowed to manipulate - KOJI_TAG_PREFIXES = ['module'] - - DEFAULT_DIST_TAG_PREFIX = 'module+' - - # Use the same priority as all other builds - KOJI_BUILD_PRIORITY = 0 - - # Control where modules get tagged post-build. - BASE_MODULE_NAMES = set(['platform']) - KOJI_CG_TAG_BUILD = False - KOJI_CG_BUILD_TAG_TEMPLATE = '' - KOJI_CG_DEFAULT_BUILD_TAG = '' - - # Enable authentication - NO_AUTH = False - - YAML_SUBMIT_ALLOWED = True - - # Allow maintainers to specify something that differs from the git branch. - ALLOW_NAME_OVERRIDE_FROM_SCM = False - ALLOW_STREAM_OVERRIDE_FROM_SCM = True - - # How often should we resort to polling, in seconds - # Set to zero to disable polling - POLLING_INTERVAL = 600 - - # Determines how many builds that can be submitted to the builder - # and be in the build state at a time. 
Set this to 0 for no restrictions - # New name - NUM_CONCURRENT_BUILDS = 5 - - RPMS_DEFAULT_REPOSITORY = 'git+https://src.fedoraproject.org/rpms/' - RPMS_ALLOW_REPOSITORY = True - RPMS_DEFAULT_CACHE = '' - RPMS_ALLOW_CACHE = False - MODULES_DEFAULT_REPOSITORY = '' - MODULES_ALLOW_REPOSITORY = False - MODULES_ALLOW_SCRATCH = True - - # Our per-build logs for the Koji content generator go here. - # CG imports are controlled by KOJI_ENABLE_CONTENT_GENERATOR - BUILD_LOGS_DIR = '/var/tmp' - - # Time after which MBS will delete koji targets it created. - KOJI_TARGET_DELETE_TIME = 86400 - - # Whether or not to import modules back to koji. - KOJI_ENABLE_CONTENT_GENERATOR = True - - # Available backends are: console, file. - LOG_BACKEND = 'console' - - # Available log levels are: debug, info, warn, error. - LOG_LEVEL = 'debug' - - REBUILD_STRATEGY_ALLOW_OVERRIDE = True - REBUILD_STRATEGY = 'only-changed' - - KOJI_EXTERNAL_REPO_URL_PREFIX = '${KOJI_URL}/kojiroot/' - - ALLOWED_PRIVILEGED_MODULE_NAMES = ['build'] - - # Settings for Kerberos + LDAP auth - AUTH_METHOD = 'kerberos' - KERBEROS_KEYTAB = '/etc/mbs.keytab' - LDAP_URI = '' - LDAP_GROUPS_DN = '' - # These groups are allowed to submit builds. - ALLOWED_GROUPS = [] - # These users don't need to be part of a group to submit builds. - ALLOWED_USERS = ['${KRB5_USER}'] - # These groups are allowed to cancel the builds of other users. - ADMIN_GROUPS = [] - # These groups are allowed to import the virtual module. 
- ALLOWED_GROUPS_TO_IMPORT_MODULE = ['packager'] - - KOJI_TAG_EXTRA_OPTS = {u'mock.package_manager': u'dnf', u'mock.yum.module_hotfixes': 1, u'repo_include_all': True, u'mock.new_chroot': 0} - - SCRATCH_BUILD_ONLY_BRANCHES = [ - r'^private-.*', - ] - koji.conf: | - [test] - server = ${KOJI_URL}/kojihub - weburl = ${KOJI_URL}/koji/ - topurl = ${KOJI_URL}/kojiroot/ - authtype = ssl - ;client certificate - cert = /etc/koji-certs/kojiadmin.crt - ;certificate of the CA that issued the client certificate - ;ca = /etc/koji-certs/clientca.crt - ;certificate of the CA that issued the HTTP server certificate - serverca = /etc/koji-certs/koji_ca_cert.crt - mock.cfg: | - config_opts['root'] = '$root' - config_opts['target_arch'] = '$arch' - config_opts['legal_host_arches'] = ('$arch',) - config_opts['chroot_setup_cmd'] = 'install $group' - config_opts['dist'] = '' - config_opts['extra_chroot_dirs'] = [ '/run/lock', ] - config_opts['releasever'] = '' - config_opts['package_manager'] = 'dnf' - config_opts['nosync'] = True - config_opts['use_bootstrap_container'] = False - - config_opts['yum.conf'] = """ - $yum_conf - """ - yum.conf: | - [main] - keepcache=1 - debuglevel=2 - reposdir=/dev/null - logfile=/var/log/yum.log - retries=20 - obsoletes=1 - gpgcheck=0 - assumeyes=1 - syslog_ident=mock - syslog_device= - install_weak_deps=0 - metadata_expire=3600 - mdpolicy=group:primary - - # repos -- apiVersion: v1 - kind: DeploymentConfig - metadata: - name: mbs-${TEST_ID}-frontend - labels: - app: mbs - service: frontend - environment: test-${TEST_ID} - spec: - replicas: 1 - selector: - app: mbs - service: frontend - environment: test-${TEST_ID} - strategy: - type: Rolling - template: - metadata: - labels: - app: mbs - service: frontend - environment: test-${TEST_ID} - spec: - containers: - - name: frontend - image: "${MBS_FRONTEND_IMAGE}" - imagePullPolicy: Always - ports: - - containerPort: 8080 - name: http - - containerPort: 8443 - name: https - livenessProbe: - httpGet: - path: 
/module-build-service/1/monitor/metrics - port: http - readinessProbe: - httpGet: - path: /module-build-service/1/module-builds/?per_page=1&short=true - port: http - volumeMounts: - - name: fedmsg-config - mountPath: /etc/fedmsg.d - - name: frontend-certs - mountPath: /etc/mbs-certs - - name: mbs-config - mountPath: /etc/module-build-service - - name: httpd-config - subPath: mbs.conf - mountPath: /etc/httpd/conf.d/mbs.conf - - name: wsgi-config - mountPath: /usr/share/mbs - - name: koji-certs - mountPath: /etc/koji-certs - - name: cacerts-vol - subPath: cert-bundle - mountPath: /etc/pki/tls/cert.pem - - name: krb5-conf-vol - subPath: krb5.conf - mountPath: /etc/krb5.conf - - name: keytab-vol - subPath: keytab - mountPath: /etc/mbs.keytab - resources: - limits: - memory: 400Mi - cpu: 300m - volumes: - - name: fedmsg-config - configMap: - name: mbs-${TEST_ID}-frontend-fedmsg-config - - name: frontend-certs - secret: - secretName: mbs-${TEST_ID}-frontend-certs - - name: mbs-config - configMap: - name: mbs-${TEST_ID}-frontend-config - - name: httpd-config - configMap: - name: mbs-${TEST_ID}-httpd-config - - name: wsgi-config - configMap: - name: mbs-${TEST_ID}-wsgi-config - - name: koji-certs - secret: - secretName: mbs-${TEST_ID}-koji-secrets - - name: cacerts-vol - configMap: - name: mbs-${TEST_ID}-cacerts - - name: krb5-conf-vol - configMap: - name: ${KRB5_CONF_CONFIGMAP} - - name: keytab-vol - secret: - secretName: mbs-${TEST_ID}-frontend-keytab - triggers: - - type: ConfigChange diff --git a/resources/openshift/templates/mbs-frontend-noauth.yaml b/resources/openshift/templates/mbs-frontend-noauth.yaml deleted file mode 100644 index aad7f26..0000000 --- a/resources/openshift/templates/mbs-frontend-noauth.yaml +++ /dev/null 
@@ -1,305 +0,0 @@ ---- -apiVersion: v1 -kind: Template -metadata: - name: mbs-frontend-noauth-template - app: mbs -parameters: -- name: TEST_ID - displayName: Test id - description: Short unique identifier for this test run (e.g. Jenkins job number) - required: true -- name: MBS_FRONTEND_IMAGE - displayName: Image for MBS frontend - description: Image to be used for MBS frontend deployment - required: true -- name: KOJI_URL - displayName: Top level URL of the Koji instance to use - description: Top level URL of the Koji instance to use. Without a '/' at the end. - required: true -- name: FLASK_SECRET_KEY - displayName: The secret key for Flask - generate: expression - from: "[\\w]{16}" -- name: DATABASE_PASSWORD - displayName: Database password - description: The password for the database. - required: true -objects: -- apiVersion: v1 - kind: ConfigMap - metadata: - name: mbs-${TEST_ID}-httpd-config - labels: - app: mbs - service: frontend - environment: test-${TEST_ID} - data: - mbs.conf: | - WSGIDaemonProcess mbs user=fedmsg group=fedmsg home=/usr/share/mbs maximum-requests=1000 display-name=mbs processes=2 threads=2 - WSGISocketPrefix run/wsgi - WSGIRestrictStdout Off - WSGIRestrictSignal Off - WSGIPythonOptimize 1 - WSGIApplicationGroup %{GLOBAL} - - WSGIScriptAlias / /usr/share/mbs/mbs.wsgi - - - WSGIProcessGroup mbs - - # Return JSON when authentication fails - ErrorDocument 401 "{\"error\": \"You must be authenticated to perform this action.\"}" - Header always set Content-Type "application/json" "expr=%{REQUEST_STATUS} == 401" - - # No authentication methods avalable. 
- Require all granted - - - RedirectMatch ^/$ /module-build-service/1/module-builds/ -- apiVersion: v1 - kind: ConfigMap - metadata: - name: mbs-${TEST_ID}-frontend-config - labels: - app: mbs - service: frontend - environment: test-${TEST_ID} - data: - config.py: | - class ProdConfiguration(object): - DEBUG = True - - SECRET_KEY = '${FLASK_SECRET_KEY}' - - SQLALCHEMY_DATABASE_URI = 'postgresql://mbs:${DATABASE_PASSWORD}@mbs-${TEST_ID}-database:5432/mbs' - SQLALCHEMY_TRACK_MODIFICATIONS = True - - # Global network-related values, in seconds - NET_TIMEOUT = 120 - NET_RETRY_INTERVAL = 30 - - SYSTEM = 'koji' - MESSAGING = 'umb' - MESSAGING_TOPIC_PREFIX = ['/queue/Consumer.mbs.queue.VirtualTopic.eng'] - KOJI_CONFIG = '/etc/module-build-service/koji.conf' - KOJI_PROFILE = 'test' - ARCHES = ['x86_64'] - KOJI_PROXYUSER = False - KOJI_REPOSITORY_URL = '${KOJI_URL}/kojiroot/repos' - PDC_URL = '' - PDC_INSECURE = False - PDC_DEVELOP = True - SCMURLS = [] - ALLOW_CUSTOM_SCMURLS = True - - RESOLVER = 'koji' - - # This is a whitelist of prefixes of koji tags we're allowed to manipulate - KOJI_TAG_PREFIXES = ['module'] - - DEFAULT_DIST_TAG_PREFIX = 'module+' - - # Use the same priority as all other builds - KOJI_BUILD_PRIORITY = 0 - - # Control where modules get tagged post-build. - BASE_MODULE_NAMES = set(['platform']) - KOJI_CG_TAG_BUILD = False - KOJI_CG_BUILD_TAG_TEMPLATE = '' - KOJI_CG_DEFAULT_BUILD_TAG = '' - - # Disable authentication - NO_AUTH = True - - YAML_SUBMIT_ALLOWED = True - - # Allow maintainers to specify something that differs from the git branch. - ALLOW_NAME_OVERRIDE_FROM_SCM = False - ALLOW_STREAM_OVERRIDE_FROM_SCM = True - - # How often should we resort to polling, in seconds - # Set to zero to disable polling - POLLING_INTERVAL = 600 - - # Determines how many builds that can be submitted to the builder - # and be in the build state at a time. 
Set this to 0 for no restrictions - # New name - NUM_CONCURRENT_BUILDS = 5 - - RPMS_DEFAULT_REPOSITORY = 'git+https://src.fedoraproject.org/rpms/' - RPMS_ALLOW_REPOSITORY = True - RPMS_DEFAULT_CACHE = '' - RPMS_ALLOW_CACHE = False - MODULES_DEFAULT_REPOSITORY = '' - MODULES_ALLOW_REPOSITORY = False - MODULES_ALLOW_SCRATCH = True - - # Our per-build logs for the Koji content generator go here. - # CG imports are controlled by KOJI_ENABLE_CONTENT_GENERATOR - BUILD_LOGS_DIR = '/var/tmp' - - # Time after which MBS will delete koji targets it created. - KOJI_TARGET_DELETE_TIME = 86400 - - # Whether or not to import modules back to koji. - KOJI_ENABLE_CONTENT_GENERATOR = True - - # Available backends are: console, file. - LOG_BACKEND = 'console' - - # Available log levels are: debug, info, warn, error. - LOG_LEVEL = 'debug' - - REBUILD_STRATEGY_ALLOW_OVERRIDE = True - REBUILD_STRATEGY = 'only-changed' - - KOJI_EXTERNAL_REPO_URL_PREFIX = '${KOJI_URL}/kojiroot/' - - ALLOWED_PRIVILEGED_MODULE_NAMES = ['build'] - - # Placeholder auth settings, unused - AUTH_METHOD = 'oidc' - # These groups are allowed to submit builds. - ALLOWED_GROUPS = [] - # These users don't need to be part of a group to submit builds. - ALLOWED_USERS = [] - # These groups are allowed to cancel the builds of other users. - ADMIN_GROUPS = [] - # These groups are allowed to import the virtual module. 
- ALLOWED_GROUPS_TO_IMPORT_MODULE = ['packager'] - - KOJI_TAG_EXTRA_OPTS = {u'mock.package_manager': u'dnf', u'mock.yum.module_hotfixes': 1, u'repo_include_all': True, u'mock.new_chroot': 0} - - SCRATCH_BUILD_ONLY_BRANCHES = [ - r'^private-.*', - ] - koji.conf: | - [test] - server = ${KOJI_URL}/kojihub - weburl = ${KOJI_URL}/koji/ - topurl = ${KOJI_URL}/kojiroot/ - authtype = ssl - ;client certificate - cert = /etc/koji-certs/kojiadmin.crt - ;certificate of the CA that issued the client certificate - ;ca = /etc/koji-certs/clientca.crt - ;certificate of the CA that issued the HTTP server certificate - serverca = /etc/koji-certs/koji_ca_cert.crt - mock.cfg: | - config_opts['root'] = '$root' - config_opts['target_arch'] = '$arch' - config_opts['legal_host_arches'] = ('$arch',) - config_opts['chroot_setup_cmd'] = 'install $group' - config_opts['dist'] = '' - config_opts['extra_chroot_dirs'] = [ '/run/lock', ] - config_opts['releasever'] = '' - config_opts['package_manager'] = 'dnf' - config_opts['nosync'] = True - config_opts['use_bootstrap_container'] = False - - config_opts['yum.conf'] = """ - $yum_conf - """ - yum.conf: | - [main] - keepcache=1 - debuglevel=2 - reposdir=/dev/null - logfile=/var/log/yum.log - retries=20 - obsoletes=1 - gpgcheck=0 - assumeyes=1 - syslog_ident=mock - syslog_device= - install_weak_deps=0 - metadata_expire=3600 - mdpolicy=group:primary - - # repos -- apiVersion: v1 - kind: DeploymentConfig - metadata: - name: mbs-${TEST_ID}-frontend - labels: - app: mbs - service: frontend - environment: test-${TEST_ID} - spec: - replicas: 1 - selector: - app: mbs - service: frontend - environment: test-${TEST_ID} - strategy: - type: Rolling - template: - metadata: - labels: - app: mbs - service: frontend - environment: test-${TEST_ID} - spec: - containers: - - name: frontend - image: "${MBS_FRONTEND_IMAGE}" - imagePullPolicy: Always - ports: - - containerPort: 8080 - name: http - - containerPort: 8443 - name: https - livenessProbe: - httpGet: - path: 
/module-build-service/1/monitor/metrics - port: http - readinessProbe: - httpGet: - path: /module-build-service/1/module-builds/?per_page=1&short=true - port: http - volumeMounts: - - name: fedmsg-config - mountPath: /etc/fedmsg.d - - name: frontend-certs - mountPath: /etc/mbs-certs - - name: mbs-config - mountPath: /etc/module-build-service - - name: httpd-config - subPath: mbs.conf - mountPath: /etc/httpd/conf.d/mbs.conf - - name: wsgi-config - mountPath: /usr/share/mbs - - name: koji-certs - mountPath: /etc/koji-certs - - name: cacerts-vol - subPath: cert-bundle - mountPath: /etc/pki/tls/cert.pem - resources: - limits: - memory: 400Mi - cpu: 300m - volumes: - - name: fedmsg-config - configMap: - name: mbs-${TEST_ID}-frontend-fedmsg-config - - name: frontend-certs - secret: - secretName: mbs-${TEST_ID}-frontend-certs - - name: mbs-config - configMap: - name: mbs-${TEST_ID}-frontend-config - - name: httpd-config - configMap: - name: mbs-${TEST_ID}-httpd-config - - name: wsgi-config - configMap: - name: mbs-${TEST_ID}-wsgi-config - - name: koji-certs - secret: - secretName: mbs-${TEST_ID}-koji-secrets - - name: cacerts-vol - configMap: - name: mbs-${TEST_ID}-cacerts - triggers: - - type: ConfigChange diff --git a/resources/openshift/templates/mbs.yaml b/resources/openshift/templates/mbs.yaml deleted file mode 100644 index 9f6e0af..0000000 --- a/resources/openshift/templates/mbs.yaml +++ /dev/null 
@@ -1,708 +0,0 @@ ---- -apiVersion: v1 -kind: Template -metadata: - name: mbs-test-template - app: mbs -parameters: -- name: TEST_ID - displayName: Test id - description: Short unique identifier for this test run (e.g. Jenkins job number) - required: true -- name: MBS_BACKEND_IMAGE - displayName: Container image for MBS backend - description: Image to be used for MBS backend deployment - value: 172.30.1.1:5000/myproject/mbs-backend:latest - required: true -- name: MBS_FRONTEND_IMAGE - displayName: Container image for MBS frontend - description: Image to be used for MBS frontend deployment - value: 172.30.1.1:5000/myproject/mbs-frontend:latest - required: true -- name: MESSAGING_CERT - displayName: SSL certificate for messaging - description: base64 encoded SSL certificate for message bus authentication - required: true -- name: MESSAGING_KEY - displayName: SSL key for messaging - description: base64 encoded SSL key for message bus authentication - required: true -- name: FRONTEND_CERT - displayName: SSL certificate for the MBS frontend - description: base64 encoded SSL certificate used by the MBS frontend - required: true -- name: FRONTEND_KEY - displayName: SSL key for the MBS frontend - description: base64 encoded SSL key used by the MBS frontend - required: true -- name: FRONTEND_CA - displayName: MBS frontend CA - description: >- - base64 encoded certificate of the CA - that issued the HTTP frontend certificate for MBS - required: true -- name: KOJI_CERT - displayName: Koji client certificate - description: base 64 encoded client certificate used to authenticate with Koji - required: true -- name: KOJI_SERVERCA - displayName: Koji server CA - description: >- - base64 encoded certificate of the CA - that issued the HTTP server certificate for Koji - required: true -- name: DATABASE_PASSWORD - displayName: Database password - description: The password for the database. 
- required: true -- name: STOMP_URI - displayName: Messagebus URI - description: Messagebus URI - required: true -- name: KOJI_URL - displayName: Top level URL of the Koji instance to use - description: Top level URL of the Koji instance to use. Without a '/' at the end. - default: https://mbs-brew-hub.usersys.redhat.com - required: true -- name: CA_CERTS - displayName: CA certificates - description: Bundle of CA certificates that should be trusted - required: true -objects: -# frontend -- apiVersion: v1 - kind: ConfigMap - metadata: - name: mbs-${TEST_ID}-frontend-fedmsg-config - labels: - app: mbs - service: frontend - environment: test-${TEST_ID} - data: - logging.py: | - bare_format = "[%(asctime)s][%(name)10s %(levelname)7s] %(message)s" - - config = dict( - logging=dict( - version=1, - formatters=dict( - bare={ - "datefmt": "%Y-%m-%d %H:%M:%S", - "format": bare_format - }, - ), - handlers=dict( - console={ - "class": "logging.StreamHandler", - "formatter": "bare", - "level": "DEBUG", - "stream": "ext://sys.stdout", - }, - ), - loggers=dict( - fedmsg={ - "level": "DEBUG", - "propagate": True, - }, - moksha={ - "level": "DEBUG", - "propagate": True, - }, - ), - ), - ) - mbs-logging.py: | - config = dict( - logging=dict( - loggers=dict( - # Quiet this guy down... - requests={ - "level": "WARNING", - "propagate": True, - }, - module_build_service={ - "level": "DEBUG", - "propagate": True, - }, - mbs_messaging_umb={ - "level": "DEBUG", - "propagate": True, - }, - ), - root=dict( - handlers=["console"], - level="DEBUG", - ), - ), - ) - mbs-fedmsg.py: | - config = { - 'zmq_enabled': False, - 'validate_signatures': False, - 'endpoints': {}, - 'stomp_uri': '${STOMP_URI}', - 'stomp_heartbeat': 5000, - 'stomp_ssl_crt': '/etc/mbs-certs/messaging.crt', - 'stomp_ssl_key': '/etc/mbs-certs/messaging.key', - 'stomp_ack_mode': 'auto', - } - mbs-scheduler.py: | - config = { - # The frontend should have these turned off in perpetuity. 
- 'mbsconsumer': False, - 'mbspoller': False, - } -- apiVersion: v1 - kind: ConfigMap - metadata: - name: mbs-${TEST_ID}-httpd-config - labels: - app: mbs - service: frontend - environment: test-${TEST_ID} - data: - mbs.conf: | - WSGIDaemonProcess mbs user=fedmsg group=fedmsg home=/usr/share/mbs maximum-requests=1000 display-name=mbs processes=2 threads=2 - WSGISocketPrefix run/wsgi - WSGIRestrictStdout Off - WSGIRestrictSignal Off - WSGIPythonOptimize 1 - WSGIApplicationGroup %{GLOBAL} - - # For our Authorization bearer token header - WSGIPassAuthorization On - WSGIScriptAlias / /usr/share/mbs/mbs.wsgi - - - WSGIProcessGroup mbs - Require all granted - - - RedirectMatch ^/$ /module-build-service/1/module-builds/ -- apiVersion: v1 - kind: ConfigMap - metadata: - name: mbs-${TEST_ID}-wsgi-config - labels: - app: mbs - service: frontend - environment: test-${TEST_ID} - data: - mbs.wsgi: | - #-*- coding: utf-8 -*- - - import logging - logging.basicConfig(level='DEBUG') - - from module_build_service import app as application -- apiVersion: v1 - kind: ConfigMap - metadata: - name: mbs-${TEST_ID}-cacerts - labels: - app: mbs - service: frontend - environment: test-${TEST_ID} - binaryData: - cert-bundle: ${CA_CERTS} -- apiVersion: v1 - kind: Secret - metadata: - name: mbs-${TEST_ID}-koji-secrets - labels: - app: mbs - environment: test-${TEST_ID} - data: - kojiadmin.crt: |- - ${KOJI_CERT} - koji_ca_cert.crt: |- - ${KOJI_SERVERCA} -- apiVersion: v1 - kind: Secret - metadata: - name: mbs-${TEST_ID}-frontend-certs - labels: - app: mbs - service: frontend - environment: test-${TEST_ID} - data: - messaging.crt: |- - ${MESSAGING_CERT} - messaging.key: |- - ${MESSAGING_KEY} - frontend.crt: |- - ${FRONTEND_CERT} - frontend.key: |- - ${FRONTEND_KEY} - frontendca.crt: |- - ${FRONTEND_CA} -- apiVersion: v1 - kind: Service - metadata: - name: mbs-${TEST_ID}-frontend - labels: - app: mbs - service: frontend - environment: test-${TEST_ID} - spec: - selector: - app: mbs - service: 
frontend - environment: test-${TEST_ID} - ports: - - name: https - port: 443 - targetPort: https - - name: http - port: 80 - targetPort: http -- apiVersion: v1 - kind: Route - metadata: - name: mbs-${TEST_ID}-frontend - labels: - app: mbs - service: frontend - environment: test-${TEST_ID} - spec: - to: - kind: Service - name: mbs-${TEST_ID}-frontend - port: - targetPort: https - tls: - termination: passthrough - insecureEdgeTerminationPolicy: Redirect -# backend -- apiVersion: v1 - kind: ConfigMap - metadata: - name: mbs-${TEST_ID}-backend-fedmsg-config - labels: - app: mbs - service: backend - environment: test-${TEST_ID} - data: - logging.py: | - bare_format = "[%(asctime)s][%(name)10s %(levelname)7s] %(message)s" - - config = dict( - logging=dict( - version=1, - formatters=dict( - bare={ - "datefmt": "%Y-%m-%d %H:%M:%S", - "format": bare_format - }, - ), - handlers=dict( - console={ - "class": "logging.StreamHandler", - "formatter": "bare", - "level": "DEBUG", - "stream": "ext://sys.stdout", - }, - ), - loggers=dict( - fedmsg={ - "level": "DEBUG", - "propagate": True, - }, - moksha={ - "level": "DEBUG", - "propagate": True, - }, - ), - ), - ) - mbs-logging.py: | - config = dict( - logging=dict( - loggers=dict( - # Quiet this guy down... 
- requests={ - "level": "WARNING", - "propagate": True, - }, - module_build_service={ - "level": "DEBUG", - "propagate": True, - }, - mbs_messaging_umb={ - "level": "DEBUG", - "propagate": True, - }, - ), - root=dict( - handlers=["console"], - level="DEBUG", - ), - ), - ) - mbs-fedmsg.py: | - config = { - 'zmq_enabled': False, - 'validate_signatures': False, - 'endpoints': {}, - 'stomp_uri': '${STOMP_URI}', - 'stomp_heartbeat': 5000, - 'stomp_ssl_crt': '/etc/mbs-certs/messaging.crt', - 'stomp_ssl_key': '/etc/mbs-certs/messaging.key', - 'stomp_ca_certs': None, - 'stomp_ack_mode': 'auto', - } - mbs-scheduler.py: | - config = { - 'mbsconsumer': True, - 'mbspoller': True, - } -- apiVersion: v1 - kind: ConfigMap - metadata: - name: mbs-${TEST_ID}-backend-config - labels: - app: mbs - service: backend - environment: test-${TEST_ID} - data: - config.py: | - class ProdConfiguration(object): - DEBUG = True - - SECRET_KEY = '' - - SQLALCHEMY_DATABASE_URI = 'postgresql://mbs:${DATABASE_PASSWORD}@mbs-${TEST_ID}-database:5432/mbs' - SQLALCHEMY_TRACK_MODIFICATIONS = True - - # Global network-related values, in seconds - NET_TIMEOUT = 120 - NET_RETRY_INTERVAL = 30 - - SYSTEM = 'koji' - MESSAGING = 'umb' - MESSAGING_TOPIC_PREFIX = ['/queue/Consumer.mbs.queue.VirtualTopic.eng'] - KOJI_CONFIG = '/etc/module-build-service/koji.conf' - KOJI_PROFILE = 'test' - ARCHES = ['x86_64'] - KOJI_PROXYUSER = False - KOJI_REPOSITORY_URL = '' - PDC_URL = '' - PDC_INSECURE = True - PDC_DEVELOP = True - SCMURLS = [] - ALLOW_CUSTOM_SCMURLS = True - - RESOLVER = 'db' - - # This is a whitelist of prefixes of koji tags we're allowed to manipulate - KOJI_TAG_PREFIXES = ["module"] - - DEFAULT_DIST_TAG_PREFIX = 'module' - - # Use the same priority as all other builds - KOJI_BUILD_PRIORITY = 0 - - # Control where modules get tagged post-build. 
- BASE_MODULE_NAMES = ['platform'] - KOJI_CG_BUILD_TAG_TEMPLATE = '' - KOJI_CG_DEFAULT_BUILD_TAG = '' - - # Disable authentication - NO_AUTH = True - - YAML_SUBMIT_ALLOWED = True - - # Allow maintainers to specify something that differs from the git branch. - ALLOW_NAME_OVERRIDE_FROM_SCM = False - ALLOW_STREAM_OVERRIDE_FROM_SCM = False - - # How often should we resort to polling, in seconds - # Set to zero to disable polling - POLLING_INTERVAL = 600 - - # Determines how many builds that can be submitted to the builder - # and be in the build state at a time. Set this to 0 for no restrictions - NUM_CONCURRENT_BUILDS = 2 - - RPMS_DEFAULT_REPOSITORY = 'git+https://src.fedoraproject.org/rpms/' - RPMS_ALLOW_REPOSITORY = False - MODULES_DEFAULT_REPOSITORY = 'git+https://src.fedoraproject.org/modules/' - MODULES_ALLOW_REPOSITORY = False - - # Our per-build logs for the Koji content generator go here. - # CG imports are controlled by KOJI_ENABLE_CONTENT_GENERATOR - BUILD_LOGS_DIR = '/var/tmp' - - # Time after which MBS will delete koji targets it created. - KOJI_TARGET_DELETE_TIME = 86400 - - # Whether or not to import modules back to koji. - KOJI_ENABLE_CONTENT_GENERATOR = True - - # Available backends are: console, file. - LOG_BACKEND = 'console' - - # Available log levels are: debug, info, warn, error. 
- LOG_LEVEL = 'debug' - - REBUILD_STRATEGY_ALLOW_OVERRIDE = True - REBUILD_STRATEGY = 'only-changed' - koji.conf: | - [test] - server = ${KOJI_URL}/kojihub - weburl = ${KOJI_URL}/koji/ - topurl = ${KOJI_URL}/kojiroot/ - authtype = ssl - ;client certificate - cert = /etc/koji-certs/kojiadmin.crt - ;certificate of the CA that issued the client certificate - ;ca = /etc/koji-certs/clientca.crt - ;certificate of the CA that issued the HTTP server certificate - serverca = /etc/koji-certs/koji_ca_cert.crt - mock.cfg: | - config_opts['root'] = '$root' - config_opts['target_arch'] = '$arch' - config_opts['legal_host_arches'] = ('$arch',) - config_opts['chroot_setup_cmd'] = 'install $group' - config_opts['dist'] = '' - config_opts['extra_chroot_dirs'] = [ '/run/lock', ] - config_opts['releasever'] = '' - config_opts['package_manager'] = 'dnf' - config_opts['nosync'] = True - config_opts['use_bootstrap_container'] = False - - config_opts['yum.conf'] = """ - $yum_conf - """ - yum.conf: | - [main] - keepcache=1 - debuglevel=2 - reposdir=/dev/null - logfile=/var/log/yum.log - retries=20 - obsoletes=1 - gpgcheck=0 - assumeyes=1 - syslog_ident=mock - syslog_device= - install_weak_deps=0 - metadata_expire=3600 - mdpolicy=group:primary - - # repos - platform.yaml: | - document: modulemd - version: 1 - data: - description: Fedora 28 traditional base - name: platform - license: - module: [MIT] - profiles: - buildroot: - rpms: [bash, bzip2, coreutils, cpio, diffutils, fedora-release, findutils, gawk, - gcc, gcc-c++, grep, gzip, info, make, module-build-macros, patch, - redhat-rpm-config, rpm-build, sed, shadow-utils, tar, unzip, - util-linux, which, xz] - srpm-buildroot: - rpms: [bash, fedora-release, fedpkg-minimal, gnupg2, module-build-macros, - redhat-rpm-config, rpm-build, shadow-utils] - stream: f28 - summary: Fedora 28 traditional base - version: 3 - context: 00000000 - xmd: - mbs: - buildrequires: {} - commit: virtual - requires: {} - mse: true - koji_tag: module-f28-build - 
virtual_streams: [fedora] -- apiVersion: v1 - kind: Secret - metadata: - name: mbs-${TEST_ID}-backend-secrets - labels: - app: mbs - service: backend - environment: test-${TEST_ID} - data: - messaging.crt: |- - ${MESSAGING_CERT} - messaging.key: |- - ${MESSAGING_KEY} -- apiVersion: v1 - kind: DeploymentConfig - metadata: - name: mbs-${TEST_ID}-backend - labels: - app: mbs - service: backend - environment: test-${TEST_ID} - spec: - replicas: 1 - selector: - app: mbs - service: backend - environment: test-${TEST_ID} - strategy: - type: Rolling - rollingParams: - pre: - failurePolicy: Abort - execNewPod: - containerName: backend - command: - - /bin/sh - - -i - - -c - - | - # try for 10 minutes (600 seconds) - e=$(( $(date +%s) + 600 )) - i=0 - while [ $(date +%s) -lt $e ]; do - echo 'TRY #'$((++i)) - if mbs-upgradedb ; then - mbs-manager import_module /etc/module-build-service/platform.yaml - exit 0 - fi - done - exit 1 - volumes: - - mbs-config - template: - metadata: - labels: - app: mbs - service: backend - environment: test-${TEST_ID} - spec: - containers: - - name: backend - image: "${MBS_BACKEND_IMAGE}" - imagePullPolicy: Always - volumeMounts: - - name: fedmsg-config - mountPath: /etc/fedmsg.d - readOnly: true - - name: mbs-config - mountPath: /etc/module-build-service - readOnly: true - - name: backend-certificates - mountPath: /etc/mbs-certs - readOnly: true - - name: koji-certificates - mountPath: /etc/koji-certs - readOnly: true - - name: cacerts-vol - mountPath: /etc/pki/tls/cert.pem - subPath: cert-bundle - readOnly: true - resources: - limits: - memory: 400Mi - cpu: 300m - volumes: - - name: fedmsg-config - configMap: - name: mbs-${TEST_ID}-backend-fedmsg-config - - name: mbs-config - configMap: - name: mbs-${TEST_ID}-backend-config - - name: backend-certificates - secret: - secretName: mbs-${TEST_ID}-backend-secrets - - name: koji-certificates - secret: - secretName: mbs-${TEST_ID}-koji-secrets - - name: cacerts-vol - configMap: - name: 
mbs-${TEST_ID}-cacerts - triggers: - - type: ConfigChange -# postgresql -- apiVersion: v1 - kind: Secret - metadata: - name: mbs-${TEST_ID}-database-secret - labels: - app: mbs - service: database - environment: test-${TEST_ID} - stringData: - database-password: "${DATABASE_PASSWORD}" -- apiVersion: v1 - kind: Service - metadata: - name: mbs-${TEST_ID}-database - labels: - app: mbs - service: database - environment: test-${TEST_ID} - spec: - selector: - app: mbs - service: database - environment: test-${TEST_ID} - ports: - - name: postgresql - port: 5432 - targetPort: 5432 -- apiVersion: v1 - kind: DeploymentConfig - metadata: - name: mbs-${TEST_ID}-database - labels: - app: mbs - service: database - environment: test-${TEST_ID} - spec: - replicas: 1 - strategy: - type: Recreate - selector: - app: mbs - service: database - environment: test-${TEST_ID} - template: - metadata: - labels: - app: mbs - service: database - environment: test-${TEST_ID} - spec: - containers: - - name: postgresql - image: registry.access.redhat.com/rhscl/postgresql-95-rhel7:latest - imagePullPolicy: Always - ports: - - containerPort: 5432 - protocol: TCP - resources: - limits: - memory: 512Mi - cpu: 400m - readinessProbe: - timeoutSeconds: 1 - initialDelaySeconds: 5 - exec: - command: [ /bin/sh, -i, -c, "psql -h 127.0.0.1 -U $POSTGRESQL_USER -q -d $POSTGRESQL_DATABASE -c 'SELECT 1'" ] - livenessProbe: - timeoutSeconds: 1 - initialDelaySeconds: 30 - tcpSocket: - port: 5432 - env: - - name: POSTGRESQL_USER - value: mbs - - name: POSTGRESQL_PASSWORD - valueFrom: - secretKeyRef: - name: mbs-${TEST_ID}-database-secret - key: database-password - - name: POSTGRESQL_DATABASE - value: mbs - triggers: - - type: ConfigChange diff --git a/resources/openshift/templates/umb.yaml b/resources/openshift/templates/umb.yaml deleted file mode 100644 index 89f812f..0000000 --- a/resources/openshift/templates/umb.yaml +++ /dev/null 
@@ -1,331 +0,0 @@ -# Template to deploy a new UMB in OpenShift. -# -# To create an environment from the template, process and apply it: -# oc process -f openshift/umb-test-template.yaml -p TEST_ID=123 | oc apply -f - -# To clean up the environment, use a selector on the environment label: -# oc delete all -l environment=test-123 -# Or use the app label to delete things related to UMB: -# oc delete all -l app=umb - ---- -apiVersion: v1 -kind: Template -metadata: - name: umb-test-template -parameters: -- name: TEST_ID - displayName: Test id - description: Short unique identifier for this test run (e.g. Jenkins job number) - required: true -- name: UMB_IMAGE - displayName: JBossAMQ container image - description: Image to be used for JBossAMQ deployement - value: docker-registry.upshift.redhat.com/factory2/umb:latest - required: true -- name: BROKER_KEYSTORE_DATA - displayName: Broker keystore data - description: Java keystore containing the broker SSL certificate and private key, encoded as a Base64 string - required: true -- name: BROKER_KEYSTORE_PASSWORD - displayName: Broker keystore password - description: The password for the broker keystore - required: true -- name: BROKER_TRUSTSTORE_DATA - displayName: Broker truststore data - description: Java truststore containing the CA certificates the broker will trust, encoded as a Base64 string - required: true -- name: BROKER_TRUSTSTORE_PASSWORD - displayName: Broker truststore password - description: The password for the broker truststore - required: true -objects: -- apiVersion: v1 - kind: Secret - metadata: - name: umb-${TEST_ID}-secrets - labels: - app: umb - service: broker - environment: test-${TEST_ID} - stringData: - broker_keystore_password: ${BROKER_KEYSTORE_PASSWORD} - broker_truststore_password: ${BROKER_TRUSTSTORE_PASSWORD} -- apiVersion: v1 - kind: ConfigMap - metadata: - name: umb-${TEST_ID}-config - labels: - app: umb - service: broker - environment: test-${TEST_ID} - data: - broker_keystore: 
/var/jbossamq/broker-certs/broker.ks - broker_truststore: /var/jbossamq/broker-certs/broker.ts - activemq.xml: | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - setenv: | - export JAVA_MIN_MEM=256m - export JAVA_MAX_MEM=1024m - export KARAF_OPTS="-Dactivemq.port=61617" -- apiVersion: v1 - kind: Secret - metadata: - name: umb-${TEST_ID}-broker-certs - labels: - app: umb - service: broker - environment: test-${TEST_ID} - data: - broker.ks: ${BROKER_KEYSTORE_DATA} - broker.ts: ${BROKER_TRUSTSTORE_DATA} -- apiVersion: v1 - kind: DeploymentConfig - metadata: - name: umb-${TEST_ID}-broker - labels: - app: umb - service: broker - environment: test-${TEST_ID} - spec: - selector: - app: umb - service: broker - environment: test-${TEST_ID} - replicas: 1 - triggers: - - type: ConfigChange - template: - metadata: - labels: - app: umb - service: broker - environment: test-${TEST_ID} - spec: - containers: - - name: umb - image: ${UMB_IMAGE} - imagePullPolicy: Always - command: - - /var/lib/jboss-amq/bin/amq - args: - - server - env: - - name: BROKER_KEYSTORE - valueFrom: - configMapKeyRef: - name: umb-${TEST_ID}-config - key: broker_keystore - - name: BROKER_KEYSTORE_PASS - valueFrom: - secretKeyRef: - name: umb-${TEST_ID}-secrets - key: broker_keystore_password - - name: BROKER_TRUSTSTORE - valueFrom: - configMapKeyRef: - name: umb-${TEST_ID}-config - key: broker_truststore - - name: BROKER_TRUSTSTORE_PASS - valueFrom: - secretKeyRef: - name: umb-${TEST_ID}-secrets - key: broker_truststore_password - volumeMounts: - - mountPath: /var/jbossamq/broker - name: umb-config-volume - readOnly: true - - mountPath: /var/jbossamq/broker-certs - name: umb-broker-certs-volume - readOnly: true - - mountPath: /var/lib/jboss-amq/bin/setenv - name: umb-config-volume - subPath: setenv - resources: - requests: - memory: 256Mi - cpu: 300m - limits: - memory: 1024Mi 
- cpu: 1000m - readinessProbe: - initialDelaySeconds: 20 - timeoutSeconds: 1 - tcpSocket: - port: 61617 - ports: - - containerPort: 1099 - name: rmi-management - - containerPort: 5671 - name: amqps - - containerPort: 5672 - name: amqp - - containerPort: 8181 - name: web-console - - containerPort: 61612 - name: stomp-ssl - - containerPort: 61613 - name: stomp - - containerPort: 61616 - name: openwire-ssl - - containerPort: 61617 - name: openwire - volumes: - - name: umb-config-volume - configMap: - name: umb-${TEST_ID}-config - - name: umb-broker-certs-volume - secret: - secretName: umb-${TEST_ID}-broker-certs -- apiVersion: v1 - kind: Service - metadata: - name: umb-${TEST_ID}-broker - labels: - app: umb - service: broker - environment: test-${TEST_ID} - spec: - type: NodePort - ports: - - name: amqps - port: 5671 - targetPort: amqps - - name: web-console - port: 8181 - targetPort: web-console - - name: stomp-ssl - port: 61612 - targetPort: stomp-ssl - - name: openwire-ssl - port: 61616 - targetPort: openwire-ssl - selector: - app: umb - service: broker - environment: test-${TEST_ID} -- apiVersion: v1 - kind: Route - metadata: - name: umb-${TEST_ID}-web - labels: - app: umb - service: broker - environment: test-${TEST_ID} - spec: - port: - targetPort: web-console - tls: - insecureEdgeTerminationPolicy: Redirect - termination: edge - to: - kind: Service - name: umb-${TEST_ID}-broker diff --git a/resources/python/callMethod.py b/resources/python/callMethod.py deleted file mode 100644 index f5cc718..0000000 --- a/resources/python/callMethod.py +++ /dev/null 
@@ -1,45 +0,0 @@
-#!/usr/bin/python3
-
-import sys
-import koji
-import json
-
-
-def convert_args(args):
- newargs = []
- newkws = {}
- for arg in args:
- if '=' in arg:
- key, val = arg.split('=', 1)
- newkws[key] = convert_arg(val)
- else:
- newargs.append(convert_arg(arg))
- return newargs, newkws
-
-def convert_arg(arg):
- if arg.lower() == 'true':
- return True
- elif arg.lower() == 'false':
- return False
- elif arg.lower() in ['nil', 'null', 'none']:
- return None
- elif arg.isdigit():
- return int(arg)
- else:
- return arg
-
-
-opts = koji.read_config(sys.argv[2], user_config=sys.argv[1] + '/config')
-session_opts = koji.grab_session_options(opts)
-session = koji.ClientSession(opts['server'], session_opts)
-
-login = convert_arg(sys.argv[3])
-if login:
- session.ssl_login(cert=opts['cert'], serverca=opts['serverca'])
-
-name = sys.argv[4]
-method = getattr(session, name)
-args, kws = convert_args(sys.argv[5:])
-output = method(*args, **kws)
-
-json.dump(output, sys.stdout)
diff --git a/resources/python/listBuilds.py b/resources/python/listBuilds.py
deleted file mode 100644
index 209df17..0000000
--- a/resources/python/listBuilds.py
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/usr/bin/python3
-
-import sys
-import koji
-import json
-
-opts = koji.read_config(sys.argv[2], user_config=sys.argv[1] + '/config')
-session_opts = koji.grab_session_options(opts)
-session = koji.ClientSession(opts['server'], session_opts)
-builds = session.listBuilds()
-
-json.dump(builds, sys.stdout)
diff --git a/resources/python/listGroups.py b/resources/python/listGroups.py
deleted file mode 100644
index 195df27..0000000
--- a/resources/python/listGroups.py
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/usr/bin/python3
-
-import sys
-import koji
-import json
-
-opts = koji.read_config(sys.argv[2], user_config=sys.argv[1] + '/config')
-session_opts = koji.grab_session_options(opts)
-session = koji.ClientSession(opts['server'], session_opts)
-groups = session.getTagGroups(sys.argv[3])
-
-json.dump(groups, sys.stdout)
diff --git a/resources/python/listTagInheritance.py b/resources/python/listTagInheritance.py
deleted file mode 100644
index 8235ad0..0000000
--- a/resources/python/listTagInheritance.py
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/usr/bin/python3
-
-import sys
-import koji
-import json
-
-tags = []
-
-opts = koji.read_config(sys.argv[2], user_config=sys.argv[1] + '/config')
-session_opts = koji.grab_session_options(opts)
-session = koji.ClientSession(opts['server'], session_opts)
-for tag in session.getFullInheritance(sys.argv[3]):
- tags.append(tag['name'])
-
-json.dump(tags, sys.stdout)
diff --git a/resources/python/listTargets.py b/resources/python/listTargets.py
deleted file mode 100644
index c9839fb..0000000
--- a/resources/python/listTargets.py
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/usr/bin/python3
-
-import sys
-import koji
-import json
-
-opts = koji.read_config(sys.argv[2], user_config=sys.argv[1] + '/config')
-session_opts = koji.grab_session_options(opts)
-session = koji.ClientSession(opts['server'], session_opts)
-targets = session.getBuildTargets()
-
-json.dump(targets, sys.stdout)
diff --git a/resources/python/listTasks.py b/resources/python/listTasks.py
deleted file mode 100644
index cacea9a..0000000
--- a/resources/python/listTasks.py
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/usr/bin/python3
-
-import sys
-import koji
-import json
-
-opts = koji.read_config(sys.argv[2], user_config=sys.argv[1] + '/config')
-session_opts = koji.grab_session_options(opts)
-session = koji.ClientSession(opts['server'], session_opts)
-tasks = session.listTasks(opts={'decode': True})
-
-json.dump(tasks, sys.stdout)
diff --git a/resources/python/tagInfo.py b/resources/python/tagInfo.py
deleted file mode 100644
index 4d1196a..0000000
--- a/resources/python/tagInfo.py
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/usr/bin/python3
-
-import sys
-import koji
-import json
-
-opts = koji.read_config(sys.argv[2], user_config=sys.argv[1] + '/config')
-session_opts = koji.grab_session_options(opts)
-session = koji.ClientSession(opts['server'], session_opts)
-taginfo = session.getTag(sys.argv[3])
-
-json.dump(taginfo, sys.stdout)
diff --git a/src/com/redhat/c3i/util/Krb5Client.groovy b/src/com/redhat/c3i/util/Krb5Client.groovy
deleted file mode 100644
index 9192ad8..0000000
--- a/src/com/redhat/c3i/util/Krb5Client.groovy
+++ /dev/null
@@ -1,121 +0,0 @@
-// Interact with a Kerberos 5 KDC.
-// Mike Bonnet (mikeb@redhat.com), 2019-10-22
-
-package com.redhat.c3i.util
-
-class Krb5Client implements Serializable {
- String realm
- String domain
- String kdc_host
- String admin_host
- String kpasswd_host
- String principal
- String password
- String keytab
- String confDir
- Boolean kinit
- def steps
-
- def init() {
- for (param in ['realm', 'domain', 'kdc_host', 'admin_host', 'kpasswd_host', 'principal']) {
- if (!this."${param}") {
- steps.error "The ${param} must be specified"
- }
- }
- if (kinit == null) {
- kinit = true
- }
- if (!confDir) {
- confDir = "${steps.pwd(tmp: true)}/krb5/${principal.replace('/', '_')}"
- }
- steps.dir(confDir) {
- if (!steps.fileExists('krb5.conf')) {
- steps.writeFile file: 'krb5.conf', text: """\
- [libdefaults]
- dns_lookup_kdc = false
- dns_lookup_realm = false
- dns_canonicalize_hostname = false
- ticket_lifetime = 24h
- renew_lifetime = 7d
- forwardable = true
- pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
- spake_preauth_groups = edwards25519
- default_realm = ${realm}
- default_ccache_name = FILE:${confDir}/ccache
-
- [realms]
- ${realm} = {
- kdc = ${kdc_host}
- admin_server = ${admin_host}
- kpasswd_server = ${kpasswd_host}
- }
-
- [domain_realm]
- .${domain} = ${realm}
- ${domain} = ${realm}
- """.stripIndent()
- if (kinit) {
- if (keytab) {
- steps.writeFile file: 'keytab', text: keytab, encoding: 'Base64'
- run("kinit -V -k -t keytab -c ccache ${principal}")
- } else if (password) {
- run("kinit -V -c ccache ${principal} <<<'${password}'")
- } else {
- steps.error "Either a password or a keytab must be specified"
- }
- }
- }
- }
- }
-
- def run(Closure body) {
- init()
- steps.withEnv(["KRB5_CONFIG=${confDir}/krb5.conf"]) {
- return body()
- }
- }
-
- def run(Map args=[:], String cmd) {
- return run({ steps.sh script: cmd,
- returnStdout: args.returnStdout ?: false,
- returnStatus: args.returnStatus ?: false })
- }
-
- def runAdmin(String cmd) {
- if (!password) {
- steps.error "The admin password must be specified"
- }
- run("${cmd} <<<'${password}'")
- }
-
- def addPrincipal(String princ, String password) {
- runAdmin("kadmin -p ${principal} add_principal -pw '${password}' ${princ}")
- }
-
- def addService(String svc) {
- runAdmin("kadmin -p ${principal} add_principal -randkey ${svc}")
- }
-
- def getKeytab(String svc) {
- steps.dir(steps.pwd(tmp: true)) {
- def ktfile = "${svc.replace('/', '_')}.kt"
- if (!steps.fileExists(ktfile)) {
- runAdmin("kadmin -p ${principal} ktadd -k ${ktfile} ${svc}")
- }
- return steps.readFile(file: ktfile, encoding: 'Base64')
- }
- }
-
- def changePassword(String newpass) {
- if (!password) {
- steps.error "The current password must be specified"
- }
- run("""\
- kpasswd <
- call.methodName == 'sh' &&
- call.args == ['openssl genrsa -out ca-key.pem']
- })
- assertTrue(helper.callStack.any { call ->
- call.methodName == 'sh' &&
- call.args == ['openssl req -config ssl.cnf -batch -new -x509 -key ca-key.pem -out ca-cert.pem']
- })
- assertEquals(1, helper.methodCallCount('stash'))
- assertEquals('/workspace/.ca-123', ca.env.CA_PATH as String)
- }
-
- @Test
- void testGenCaPath() {
- ca.gen_ca('/test/ca')
- assertEquals(1, helper.methodCallCount('deleteDir'))
- assertEquals(2, helper.methodCallCount('sh'))
- assertTrue(helper.callStack.any { call ->
- call.methodName == 'sh' &&
- call.args == ['openssl genrsa -out ca-key.pem']
- })
- assertTrue(helper.callStack.any { call ->
- call.methodName == 'sh' &&
- call.args == ['openssl req -config ssl.cnf -batch -new -x509 -key ca-key.pem -out ca-cert.pem']
- })
- assertEquals(1, helper.methodCallCount('stash'))
- assertEquals('/test/ca', ca.env.CA_PATH)
- }
-
- @Test
- void testGetCa() {
- ca.get_ca()
- assertEquals(2, helper.methodCallCount('sh'))
- assertTrue(helper.callStack.any { call ->
- call.methodName == 'sh' &&
- call.args == ['openssl genrsa -out ca-key.pem']
- })
- assertTrue(helper.callStack.any { call ->
- call.methodName == 'sh' &&
- call.args == ['openssl req -config ssl.cnf -batch -new -x509 -key ca-key.pem -out ca-cert.pem']
- })
- assertEquals(1, helper.methodCallCount('stash'))
- }
-
- @Test
- void testGetCaAgain() {
- ca.env.CA_PATH = '/workspace/ca'
- helper.registerAllowedMethod('unstash', [String.class], null)
- ca.get_ca()
- assertEquals(1, helper.methodCallCount('unstash'))
- assertEquals(0, helper.methodCallCount('sh'))
- assertEquals(0, helper.methodCallCount('writeFile'))
- assertEquals(0, helper.methodCallCount('stash'))
- }
-
- @Test
- void testGetCaCert() {
- ca.env.CA_PATH = '/workspace/ca'
- helper.registerAllowedMethod('unstash', [String.class], null)
- helper.registerAllowedMethod('readFile', [String.class], { 'certdata' })
- def result = ca.get_ca_cert()
- assertEquals(1, helper.methodCallCount('unstash'))
- assertEquals(1, helper.methodCallCount('readFile'))
- assertEquals(['cert': 'certdata'], result)
- }
-
- @Test
- void testGenSslCert() {
- ca.env.CA_PATH = '/workspace/ca'
- helper.registerAllowedMethod('unstash', [String.class], null)
- ca.gen_ssl_cert('testcert')
- assertEquals(1, helper.methodCallCount('unstash'))
- assertEquals(1, helper.methodCallCount('libraryResource'))
- assertEquals(1, helper.methodCallCount('writeFile'))
- assertTrue(helper.callStack.any { call ->
- call.methodName == 'writeFile' &&
- call.args[0].file == 'ssl.cnf' &&
- call.args[0].text =~ /(?m)^subjectAltName\s+=\s+DNS:testcert$/
- })
- assertEquals(2, helper.methodCallCount('sh'))
- assertTrue(helper.callStack.any { call ->
- call.methodName == 'sh' &&
- call.args[0].split() == [
- 'openssl', 'req', '-config', 'ssl.cnf', '-batch', '-new', '-newkey', 'rsa:2048', '-nodes',
- '-keyout', '"${SERVERNAME}-key.pem"', '-out', '"${SERVERNAME}-req.pem"'
- ]
- })
- assertTrue(helper.callStack.any { call ->
- call.methodName == 'sh' &&
- call.args[0].split() == [
- 'openssl', 'ca', '-config', 'ssl.cnf', '-batch', '-notext',
- '-in', '"${SERVERNAME}-req.pem"', '-out', '"${SERVERNAME}-cert.pem"'
- ]
- })
- assertEquals(1, helper.methodCallCount('stash'))
- }
-
- @Test
- void testGenSslCertSans() {
- helper.registerAllowedMethod('unstash', [String.class], null)
- ca.gen_ssl_cert('testcert', 'san1', 'san2')
- assertTrue(helper.callStack.any { call ->
- call.methodName == 'writeFile' &&
- call.args[0].file == 'ssl.cnf' &&
- call.args[0].text =~ /(?m)^subjectAltName\s+=\s+DNS:testcert,DNS:san1,DNS:san2$/
- })
- }
-
- @Test
- void testGetSslCert() {
- ca.env.CA_PATH = '/workspace/ca'
- helper.registerAllowedMethod('fileExists', [String.class], { false })
- helper.registerAllowedMethod('unstash', [String.class], null)
- helper.registerAllowedMethod('readFile', [String.class], { 'certdata' })
- def result = ca.get_ssl_cert('testcert')
- assertEquals(2, helper.methodCallCount('unstash'))
- assertEquals(1, helper.methodCallCount('libraryResource'))
- assertEquals(1, helper.methodCallCount('writeFile'))
- assertEquals(2, helper.methodCallCount('sh'))
- assertEquals(1, helper.methodCallCount('stash'))
- assertEquals(['cert': 'certdata', 'key': 'certdata'], result)
- }
-
- @Test
- void testGetSslCertSans() {
- helper.registerAllowedMethod('fileExists', [String.class], { false })
- helper.registerAllowedMethod('unstash', [String.class], null)
- ca.get_ssl_cert('testcert', 'san1', 'san2')
- assertTrue(helper.callStack.any { call ->
- call.methodName == 'writeFile' &&
- call.args[0].file == 'ssl.cnf' &&
- call.args[0].text =~ /(?m)^subjectAltName\s+=\s+DNS:testcert,DNS:san1,DNS:san2$/
- })
- }
-
- @Test
- void testGetSslCertExists() {
- ca.env.CA_PATH = '/workspace/ca'
- helper.registerAllowedMethod('fileExists', [String.class], { true })
- helper.registerAllowedMethod('unstash', [String.class], null)
- helper.registerAllowedMethod('readFile', [String.class], { 'certdata' })
- def result = ca.get_ssl_cert('testcert')
- assertEquals(1, helper.methodCallCount('unstash'))
- assertEquals(0, helper.methodCallCount('libraryResource'))
- assertEquals(0, helper.methodCallCount('writeFile'))
- assertEquals(0, helper.methodCallCount('sh'))
- assertEquals(0, helper.methodCallCount('stash'))
- assertEquals(2, helper.methodCallCount('readFile'))
- assertEquals(['cert': 'certdata', 'key': 'certdata'], result)
- }
-
- @Test
- void testGenKeystore() {
- ca.env.CA_PATH = '/workspace/ca'
- helper.registerAllowedMethod('fileExists', [String.class], { true })
- helper.registerAllowedMethod('unstash', [String.class], null)
- helper.registerAllowedMethod('readFile', [String.class], { 'certdata' })
- ca.gen_keystore('testserver', 'testpass')
- assertTrue(helper.callStack.any { call ->
- call.methodName == 'writeFile' &&
- call.args[0].file == 'testserver.pem'
- })
- assertTrue(helper.callStack.any { call ->
- call.methodName == 'sh' &&
- call.args[0].split() == [
- 'openssl', 'pkcs12', '-export',
- '-in', '"${SERVERNAME}.pem"', '-out', '"${SERVERNAME}.ks"',
- '-name', '"${SERVERNAME}"', '-passout', 'env:PASSWD'
- ]
- })
- assertEquals(1, helper.methodCallCount('stash'))
- }
-
- @Test
- void testGetKeystore() {
- ca.env.CA_PATH = '/workspace/ca'
- helper.registerAllowedMethod('fileExists', [String.class], { true })
- helper.registerAllowedMethod('unstash', [String.class], null)
- helper.registerAllowedMethod('readFile', [Map.class], { 'certdata' })
- ca.get_keystore('testserver', 'testpass')
- assertTrue(helper.callStack.any { call ->
- call.methodName == 'readFile' &&
- call.args[0].file == 'testserver.ks' &&
- call.args[0].encoding == 'Base64'
- })
- assertEquals(0, helper.methodCallCount('stash'))
- }
-
- @Test
- void testGenTruststore() {
- ca.env.CA_PATH = '/workspace/ca'
- helper.registerAllowedMethod('fileExists', [String.class], { true })
- helper.registerAllowedMethod('unstash', [String.class], null)
- helper.registerAllowedMethod('readFile', [String.class], { 'certdata' })
- ca.gen_truststore('testpass')
- assertTrue(helper.callStack.any { call ->
- call.methodName == 'sh' &&
- call.args[0].split() == [
- 'keytool', '-importcert', '-file', 'ca-cert.pem', '-alias', 'testca',
- '-keystore', 'truststore.ts', '-storetype', 'jks',
- '-storepass', '"${PASSWD}"', '-trustcacerts', '-noprompt'
- ]
- })
- assertEquals(1, helper.methodCallCount('stash'))
- }
-
- @Test
- void testGetTruststore() {
- ca.env.CA_PATH = '/workspace/ca'
- helper.registerAllowedMethod('fileExists', [String.class], { true })
- helper.registerAllowedMethod('unstash', [String.class], null)
- helper.registerAllowedMethod('readFile', [Map.class], { 'certdata' })
- ca.get_truststore('testpass')
- assertTrue(helper.callStack.any { call ->
- call.methodName == 'readFile' &&
- call.args[0].file == 'truststore.ts' &&
- call.args[0].encoding == 'Base64'
- })
- assertEquals(0, helper.methodCallCount('stash'))
- }
-
-}
diff --git a/test/Krb5Test.groovy b/test/Krb5Test.groovy
deleted file mode 100644
index 3c4a43a..0000000
--- a/test/Krb5Test.groovy
+++ /dev/null
@@ -1,370 +0,0 @@
-import org.junit.*
-import com.lesfurets.jenkins.unit.cps.BasePipelineTestCPS
-import static groovy.test.GroovyAssert.*
-
-class Krb5Test extends BasePipelineTestCPS {
- def krb5
-
- @Before
- void setUp() {
- super.setUp()
- helper.registerAllowedMethod('writeFile', [Map.class], null)
- helper.registerAllowedMethod('withEnv', [List.class, Closure.class], null)
- helper.registerAllowedMethod('pwd', [Map.class], { '/tmp/dir' })
- helper.registerAllowedMethod('fileExists', [String.class], { false })
- helper.registerAllowedMethod('error', [String.class], { throw new RuntimeException(it) })
- krb5 = loadScript('vars/krb5.groovy')
- binding.setVariable('steps', krb5)
- binding.setVariable('env', [
- KRB5_REALM: 'DEFAULT.REALM',
- KRB5_DOMAIN: 'default.domain',
- KRB5_KDC_HOST: 'defaultkdc:88',
- KRB5_ADMIN_HOST: 'defaultadmin:794',
- KRB5_KPASSWD_HOST: 'defaultkpasswd:464',
- ])
- }
-
- @Test
- void testClientArgs() {
- def client = krb5.client(
- principal: 'testprinc',
- password: 'testpass',
- keytab: 'kt',
- realm: 'REALM',
- domain: 'some.domain',
- kdc_host: 'kdc:88',
- admin_host: 'admin:794',
- kpasswd_host: 'kpasswd:464',
- )
- assertEquals('testprinc', client.principal)
- assertEquals('testpass', client.password)
- assertEquals('kt', client.keytab)
- assertEquals('REALM', client.realm)
- assertEquals('some.domain', client.domain)
- assertEquals('kdc:88', client.kdc_host)
- assertEquals('admin:794', client.admin_host)
- assertEquals('kpasswd:464', client.kpasswd_host)
- }
-
- @Test
- void testClientEnv() {
- krb5.env.KRB5_PRINCIPAL = 'envprinc'
- krb5.env.KRB5_PASSWORD = 'envpass'
- krb5.env.KRB5_KEYTAB = 'kt'
- krb5.env.KRB5_REALM = 'REALM'
- krb5.env.KRB5_DOMAIN = 'some.domain'
- krb5.env.KRB5_KDC_HOST = 'kdc:88'
- krb5.env.KRB5_ADMIN_HOST = 'admin:794'
- krb5.env.KRB5_KPASSWD_HOST = 'kpasswd:464'
- def client = krb5.client()
- assertEquals('envprinc', client.principal)
- assertEquals('envpass', client.password)
- assertEquals('kt', client.keytab)
- assertEquals('REALM', client.realm)
- assertEquals('some.domain', client.domain)
- assertEquals('kdc:88', client.kdc_host)
- assertEquals('admin:794', client.admin_host)
- assertEquals('kpasswd:464', client.kpasswd_host)
- }
-
- @Test
- void testClientArgsOverride() {
- krb5.env.KRB5_PRINCIPAL = 'envprinc'
- krb5.env.KRB5_PASSWORD = 'envpass'
- def client = krb5.client(
- principal: 'testprinc',
- password: 'testpass',
- )
- assertEquals('testprinc', client.principal)
- assertEquals('testpass', client.password)
- }
-
- @Test
- void testInitMissingParams() {
- krb5.env.KRB5_PRINCIPAL = 'testprinc'
- krb5.env.clone().each { key, value ->
- krb5.env.remove(key)
- def client = krb5.client(kinit: false)
- def exc = shouldFail {
- client.init()
- }
- assertEquals("The ${key.replace('KRB5_', '').toLowerCase()} must be specified" as String, exc.message)
- krb5.env.put(key, value)
- }
- }
-
- @Test
- void testInitPasswd() {
- def first = true
- helper.registerAllowedMethod('fileExists', [String.class], { if (first) { first = false; false } else { true } })
- def client = krb5.client(
- principal: 'testprinc',
- password: 'testpass',
- )
- client.init()
- assertEquals(true, client.kinit)
- assertTrue(helper.callStack.any { call ->
- call.methodName == 'pwd' &&
- call.args[0].tmp == true
- })
- assertTrue(helper.callStack.any { call ->
- call.methodName == 'dir' &&
- call.args[0] == '/tmp/dir/krb5/testprinc'
- })
- assertTrue(helper.callStack.any { call ->
- call.methodName == 'writeFile' &&
- call.args[0].file == 'krb5.conf'
- })
- assertTrue(helper.callStack.any { call ->
- call.methodName == 'sh' &&
- call.args[0].script == "kinit -V -c ccache testprinc <<<'testpass'"
- })
- }
-
- @Test
- void testInitKeytab() {
- def first = true
- helper.registerAllowedMethod('fileExists', [String.class], { if (first) { first = false; false } else { true } })
- def client = krb5.client(
- principal: 'testprinc',
- keytab: 'a1b2c3',
- )
- client.init()
- assertEquals(true, client.kinit)
- assertTrue(helper.callStack.any { call ->
- call.methodName == 'pwd' &&
- call.args[0].tmp == true
- })
- assertTrue(helper.callStack.any { call ->
- call.methodName == 'dir' &&
- call.args[0] == '/tmp/dir/krb5/testprinc'
- })
- assertTrue(helper.callStack.any { call ->
- call.methodName == 'writeFile' &&
- call.args[0].file == 'krb5.conf'
- })
- assertTrue(helper.callStack.any { call ->
- call.methodName == 'writeFile' &&
- call.args[0].file == 'keytab' &&
- call.args[0].encoding == 'Base64'
- })
- assertTrue(helper.callStack.any { call ->
- call.methodName == 'sh' &&
- call.args[0].script == 'kinit -V -k -t keytab -c ccache testprinc'
- })
- }
-
- @Test
- void testRun() {
- def first = true
- helper.registerAllowedMethod('fileExists', [String.class], { if (first) { first = false; false } else { true } })
- def client = krb5.client(
- principal: 'testprinc',
- password: 'testpass'
- )
- client.run('ls')
- assertTrue(helper.callStack.any { call ->
- call.methodName == 'sh' &&
- call.args[0].script == "kinit -V -c ccache testprinc <<<'testpass'"
- })
- assertTrue(helper.callStack.any { call ->
- call.methodName == 'withEnv' &&
- call.args[0][0].startsWith('KRB5_CONFIG=')
- })
- assertTrue(helper.callStack.any { call ->
- call.methodName == 'sh' &&
- call.args[0].script == 'ls' &&
- call.args[0].returnStdout == false &&
- call.args[0].returnStatus == false
- })
- }
-
- @Test
- void testRunReturnStdout() {
- def first = true
- helper.registerAllowedMethod('fileExists', [String.class], { if (first) { first = false; false } else { true } })
- def client = krb5.client(
- principal: 'testprinc',
- password: 'testpass'
- )
- client.run('ls', returnStdout: true)
- assertTrue(helper.callStack.any { call ->
- call.methodName == 'sh' &&
- call.args[0].script == 'ls' &&
- call.args[0].returnStdout == true &&
- call.args[0].returnStatus == false
- })
- }
-
- @Test
- void testRunReturnStatus() {
- def first = true
- helper.registerAllowedMethod('fileExists', [String.class], { if (first) { first = false; false } else { true } })
- def client = krb5.client(
- principal: 'testprinc',
- password: 'testpass'
- )
- client.run('ls', returnStatus: true)
- assertTrue(helper.callStack.any { call ->
- call.methodName == 'sh' &&
- call.args[0].script == 'ls' &&
- call.args[0].returnStdout == false &&
- call.args[0].returnStatus == true
- })
- }
-
- @Test
- void testChangePassword() {
- def first = true
- helper.registerAllowedMethod('fileExists', [String.class], { if (first) { first = false; false } else { true } })
- def client = krb5.client(
- principal: 'testprinc',
- password: 'testpass'
- )
- client.changePassword('newpass')
- assertTrue(helper.callStack.any { call ->
- call.methodName == 'sh' &&
- call.args[0].script.startsWith('kpasswd <
- call.methodName == 'sh' &&
- call.args[0].script == "ls <<<'testpass'"
- })
- assertFalse(helper.callStack.any { call ->
- call.methodName == 'sh' &&
- call.args[0].script.startsWith('kinit')
- })
- }
-
- @Test
- void testAddPrincipal() {
- def client = krb5.adminClient(password: 'testpass')
- client.addPrincipal('newprinc', 'newpass')
- assertTrue(helper.callStack.any { call ->
- call.methodName == 'sh' &&
- call.args[0].script == "kadmin -p kadmin/admin add_principal -pw 'newpass' newprinc <<<'testpass'"
- })
- }
-
- @Test
- void testAddService() {
- def client = krb5.adminClient(password: 'testpass')
- client.addService('new/svc')
- assertTrue(helper.callStack.any { call ->
- call.methodName == 'sh' &&
- call.args[0].script == "kadmin -p kadmin/admin add_principal -randkey new/svc <<<'testpass'"
- })
- }
-
- @Test
- void testGetKeytab() {
- helper.registerAllowedMethod('readFile', [Map.class], { 'ktdata' })
- def client = krb5.adminClient(password: 'testpass')
- def result = client.getKeytab('some/svc')
- assertEquals('ktdata', result)
- assertEquals(2, helper.methodCallCount('pwd'))
- assertEquals(2, helper.methodCallCount('dir'))
- assertTrue(helper.callStack.any { call ->
- call.methodName == 'sh' &&
- call.args[0].script.startsWith('kadmin -p kadmin/admin ktadd') &&
- call.args[0].script.endsWith("some/svc <<<'testpass'")
- })
- assertTrue(helper.callStack.any { call ->
- call.methodName == 'readFile' &&
- call.args[0].file == 'some_svc.kt' &&
- call.args[0].encoding == 'Base64'
- })
- }
-
- @Test
- void testGetKeytabExists() {
- helper.registerAllowedMethod('fileExists', [String.class], { true })
- helper.registerAllowedMethod('readFile', [Map.class], { 'ktdata' })
- def client = krb5.adminClient(password: 'testpass')
- def result = client.getKeytab('some/svc')
- assertEquals('ktdata', result)
- assertEquals(1, helper.methodCallCount('pwd'))
- assertEquals(1, helper.methodCallCount('dir'))
- assertEquals(0, helper.methodCallCount('sh'))
- assertTrue(helper.callStack.any { call ->
- call.methodName == 'readFile' &&
- call.args[0].file == 'some_svc.kt' &&
- call.args[0].encoding == 'Base64'
- })
- }
-
- @Test
- void testWithKrbArgs() {
- def first = true
- helper.registerAllowedMethod('fileExists', [String.class], { if (first) { first = false; false } else { true } })
- def result = krb5.withKrb(principal: 'testprinc', password: 'testpass') {
- return 'output'
- }
- assertEquals('output', result)
- assertTrue(helper.callStack.any { call ->
- call.methodName == 'sh' &&
- call.args[0].script == "kinit -V -c ccache testprinc <<<'testpass'"
- })
- assertTrue(helper.callStack.any { call ->
- call.methodName == 'withEnv' &&
- call.args[0][0].startsWith('KRB5_CONFIG=')
- })
- }
-
- @Test
- void testWithKrbEnv() {
- def first = true
- helper.registerAllowedMethod('fileExists', [String.class], { if (first) { first = false; false } else { true } })
- krb5.env.KRB5_PRINCIPAL = 'testprinc'
- krb5.env.KRB5_PASSWORD = 'testpass'
- def result = krb5.withKrb() {
- return 'output'
- }
- assertEquals('output', result)
- assertTrue(helper.callStack.any { call ->
- call.methodName == 'sh' &&
- call.args[0].script == "kinit -V -c ccache testprinc <<<'testpass'"
- })
- assertTrue(helper.callStack.any { call ->
- call.methodName == 'withEnv' &&
- call.args[0][0].startsWith('KRB5_CONFIG=')
- })
- }
-
-}
diff --git a/vars/ca.groovy b/vars/ca.groovy
deleted file mode 100644
index 149c976..0000000
--- a/vars/ca.groovy
+++ /dev/null
@@ -1,115 +0,0 @@
-def gen_ca(path='') {
- def conftmpl = libraryResource 'ca/ssl.cnf.in'
- def conf = conftmpl.replace('${servername}', "Test Certificate Authority ${env.BUILD_NUMBER}")
- conf = conf.replace('${commonName}', "Test Certificate Authority ${env.BUILD_NUMBER}")
- conf = conf.replace('${subjectAltNames}', '')
- env.CA_PATH = path ?: "${env.WORKSPACE}/.ca-${env.BUILD_NUMBER}"
- dir(env.CA_PATH) {
- deleteDir()
- writeFile file: 'ssl.cnf', text: conf
- writeFile file: 'index.txt', text: ''
- writeFile file: 'index.txt.attr', text: ''
- writeFile file: 'serial', text: '01\n'
- sh 'openssl genrsa -out ca-key.pem'
- sh 'openssl req -config ssl.cnf -batch -new -x509 -key ca-key.pem -out ca-cert.pem'
- stash name: 'ca'
- }
-}
-
-def get_ca() {
- if (env.CA_PATH) {
- dir(env.CA_PATH) {
- unstash 'ca'
- }
- } else {
- gen_ca()
- }
-}
-
-def get_ca_cert() {
- get_ca()
- dir(env.CA_PATH) {
- def cert = readFile 'ca-cert.pem'
- return ['cert': cert]
- }
-}
-
-def gen_ssl_cert(servername, String... sans) {
- get_ca()
- def sanslist = "DNS:${servername}"
- for (san in sans) {
- sanslist += ",DNS:${san}"
- }
- def conftmpl = libraryResource 'ca/ssl.cnf.in'
- def conf = conftmpl.replace('${servername}', servername)
- conf = conf.replace('${commonName}', servername.tokenize('.')[0])
- conf = conf.replace('${subjectAltNames}', sanslist)
- dir(env.CA_PATH) {
- writeFile file: 'ssl.cnf', text: conf
- withEnv(["SERVERNAME=${servername}"]) {
- sh 'openssl req -config ssl.cnf -batch -new -newkey rsa:2048 -nodes' + \
- ' -keyout "${SERVERNAME}-key.pem" -out "${SERVERNAME}-req.pem"'
- sh 'openssl ca -config ssl.cnf -batch -notext' + \
- ' -in "${SERVERNAME}-req.pem" -out "${SERVERNAME}-cert.pem"'
- }
- stash name: 'ca'
- }
-}
-
-def get_ssl_cert(servername, String... sans) {
- get_ca()
- dir(env.CA_PATH) {
- if (!fileExists("${servername}-cert.pem")) {
- gen_ssl_cert(servername, sans)
- }
- def cert = readFile "${servername}-cert.pem"
- def key = readFile "${servername}-key.pem"
- return ['cert': cert, 'key': key]
- }
-}
-
-def gen_keystore(servername, passwd) {
- data = get_ssl_cert(servername)
- dir(env.CA_PATH) {
- writeFile file: "${servername}.pem", text: data['cert'] + data['key']
- withEnv(["SERVERNAME=${servername}", "PASSWD=${passwd}"]) {
- sh 'openssl pkcs12 -export -in "${SERVERNAME}.pem" -out "${SERVERNAME}.ks"' + \
- ' -name "${SERVERNAME}" -passout env:PASSWD'
- }
- stash name: 'ca'
- }
-}
-
-def get_keystore(servername, passwd) {
- get_ca()
- dir(env.CA_PATH) {
- if (!fileExists("${servername}.ks")) {
- gen_keystore(servername, passwd)
- }
- return readFile(file: "${servername}.ks", encoding: 'Base64')
- }
-}
-
-def gen_truststore(passwd) {
- get_ca()
- // Java 7 doesn't support PKCS12 truststores.
- // Switch this to using PKCS12 when everything is running on Java 8+
- dir(env.CA_PATH) {
- withEnv(["PASSWD=${passwd}"]) {
- sh 'keytool -importcert -file ca-cert.pem -alias testca' + \
- ' -keystore truststore.ts -storetype jks' + \
- ' -storepass "${PASSWD}" -trustcacerts -noprompt'
- }
- stash name: 'ca'
- }
-}
-
-def get_truststore(passwd) {
- get_ca()
- dir(env.CA_PATH) {
- if (!fileExists('truststore.ts')) {
- gen_truststore(passwd)
- }
- return readFile(file: 'truststore.ts', encoding: 'Base64')
- }
-}
diff --git a/vars/koji.groovy b/vars/koji.groovy
deleted file mode 100644
index 9c3c3df..0000000
--- a/vars/koji.groovy
+++ /dev/null
@@ -1,143 +0,0 @@
-// Functions to deploy a containerized Koji instance, and check its status.
-// Mike Bonnet (mikeb@redhat.com), 2019-01-03
-
-import groovy.transform.Field
-
-@Field _confdir = "/tmp/_kojiconfig-${currentBuild.id}"
-@Field _confname = "koji-${currentBuild.id}"
-@Field _kojicmd = "koji -q -c ${_confdir}/config -p ${_confname}"
-@Field _config = null
-
-/**
- * Deploy a Koji instance suitable for testing.
- * @param args.script The script calling the method.
- * @param args.test_id A unique {@code String} used to identify this instance.
- * @param args.hubca A {@code Map} containing certificate data for the CA certificate. The "cert" entry
- * must contain the certificate in text (PEM) format.
- * @param args.hubcert A {@code Map} containing certificate data for the HTTPS certificate. The "cert" entry
- * must contain the certificate in text (PEM) format. The "key" entry must contain the
- * private key in text (PEM) format.
- * @param args.brokerurl The URL to the ActiveMQ messaging broker.
- * @param args.brokercert A {@code Map} containing the certificate data for the broker client certificate.
- * The "cert" entry must contain the certificate in text (PEM) format. The "key" entry must contain
- * the private key in text (PEM) format.
- * @param args.admin_user The name of the user to be created and configured as the Koji admin.
- * @param args.hub_image The pull spec of the Koji container image to use.
- * @return An OpenShift selector representing the DeploymentConfigs rolled out.
- */
-def deploy(Map args) {
- if (!args.hub_image) {
- args.hub_image = 'quay.io/factory2/koji:latest'
- }
- def yaml = libraryResource "openshift/templates/koji.yaml"
- def template = readYaml text: yaml
- def models = args.script.openshift.process(template,
- '-p', "TEST_ID=${args.test_id}",
- '-p', "KOJI_CA_CERT=" + args.hubca.cert.bytes.encodeBase64().toString(),
- '-p', "KOJI_HUB_CERT=" + args.hubcert.cert.bytes.encodeBase64().toString(),
- '-p', "KOJI_HUB_KEY=" + args.hubcert.key.bytes.encodeBase64().toString(),
- '-p', "KOJI_MESSAGING_URL=${args.brokerurl}",
- '-p', "KOJI_MESSAGING_CERT_AND_KEY=" + (args.brokercert.cert + args.brokercert.key).bytes.encodeBase64().toString(),
- '-p', "KOJI_ADMIN_USER=${args.admin_user}",
- '-p', "KOJI_HUB_IMAGE=${args.hub_image}",
- '-l', 'c3i.redhat.com/app=koji',
- '-l', "c3i.redhat.com/test=${args.test_id}",
- )
- return c3i.deploy(script: args.script, objs: models)
-}
-
-def _writeConfig() {
- if (!_config) {
- throw new IllegalStateException("setConfig() must be called before using this method")
- }
- if (!fileExists(_confdir)) {
- dir(_confdir) {
- writeFile(file: "client.pem", text: _config.cert + _config.key)
- writeFile(file: "cacerts.pem", text: _config.cacerts)
- writeFile(file: "config", text: """[${_confname}]
-server = ${_config.huburl}
-topurl = ${_config.topurl}
-authtype = ssl
-cert = ${_confdir}/client.pem
-serverca = ${_confdir}/cacerts.pem
-""")
- }
- }
-}
-
-def setConfig(huburl, topurl, cert, key, cacerts) {
- _config = ["huburl": huburl,
- "topurl": topurl,
- "cert": cert,
- "key": key,
- "cacerts": cacerts]
-}
-
-def runCmd(cmd, Object... args) {
- _writeConfig()
- def kojicmd = "${_kojicmd} ${cmd}"
- for (arg in args) {
- kojicmd = "${kojicmd} ${arg}"
- }
- return sh(script: kojicmd, returnStdout: true).trim()
-}
-
-def addTag(name, Object... args) {
- def newargs = [name]
- for (arg in args) {
- newargs.add(arg)
- }
- return runCmd("add-tag", newargs as Object[])
-}
-
-def _runScript(name, Object... args) {
- _writeConfig()
- def script = libraryResource "python/${name}.py"
- writeFile(file: "${_confdir}/cmd", text: script)
- def cmd = "python3 ${_confdir}/cmd ${_confdir} ${_confname}"
- for (arg in args) {
- cmd = "${cmd} ${arg}"
- }
- def output = sh(script: cmd, returnStdout: true).trim()
- return readJSON(text: output)
-}
-
-def listTargets() {
- return _runScript("listTargets")
-}
-
-def listTagInheritance(tag) {
- return _runScript("listTagInheritance", tag)
-}
-
-def tagInfo(tag) {
- return _runScript("tagInfo", tag)
-}
-
-def listGroups(tag) {
- return _runScript("listGroups", tag)
-}
-
-def listTasks() {
- return _runScript("listTasks")
-}
-
-def listBuilds() {
- return _runScript("listBuilds")
-}
-
-def callMethod(name, Object... args) {
- return _handleCall("false", name, args)
-}
-
-def callMethodLogin(name, Object... args) {
- return _handleCall("true", name, args)
-}
-
-def _handleCall(login, name, args) {
- def newargs = [login, name]
- for (arg in args) {
- newargs.add(arg)
- }
- return _runScript("callMethod", newargs as Object[])
-}
diff --git a/vars/krb5.groovy b/vars/krb5.groovy
deleted file mode 100644
index 6e2188c..0000000
--- a/vars/krb5.groovy
+++ /dev/null
@@ -1,90 +0,0 @@
-// Functions to deploy a containerized Kerberos KDC.
-// Mike Bonnet (mikeb@redhat.com), 2019-10-22
-
-/**
- * Deploy a Kerberos 5 KDC suitable for testing.
- * @param args.script The script calling the method.
- * @param args.test_id A unique {@code String} used to identify this instance.
- * @param args.realm The Kerberos realm to manage.
- * @param args.domain The DNS domain to associate with the Kerberos realm.
- * @param args.admin_password The password for the admin user.
- * @param args.init_users A comma-separated list of initial users to define, in username:password format.
- * @param args.image The pull spec of the Kerberos container image to use.
- * @return An OpenShift selector representing the DeploymentConfigs rolled out.
- */
-def deploy(Map args) {
- if (!args.image) {
- args.image = 'quay.io/factory2/krb5-fedora:latest'
- }
- def yaml = libraryResource "openshift/templates/krb5.yaml"
- def template = readYaml text: yaml
- def models = args.script.openshift.process(template,
- '-p', "TEST_ID=${args.test_id}",
- '-p', "REALM=${args.realm ?: 'CLUSTER.LOCAL'}",
- '-p', "DOMAIN=${args.domain ?: 'cluster.local'}",
- '-p', "ADMIN_PASSWORD=${args.admin_password}",
- '-p', "INIT_USERS=${args.init_users ?: ''}",
- '-p', "IMAGE=${args.image}",
- '-l', 'c3i.redhat.com/app=krb5',
- '-l', "c3i.redhat.com/test=${args.test_id}",
- )
- return c3i.deploy(script: args.script, objs: models)
-}
-
-/**
- * Return a client that can be used for interacting with the KDC.
- * @param args.principal The Kerberos principal to use to contact the KDC. If not specified,
- * it will be retrieved from {@code env.KRB5_PRINCIPAL}.
- * @param args.password The password for the Kerberos principal. If not specified,
- * it will be retrieved from {@code env.KRB5_PASSWORD}.
- * @param args.keytab The Base64-encoded keytab for the Kerberos principal. If not specified,
- * it will be retrieved from {@code env.KRB5_KEYTAB}.
- * @param args.realm The Kerberos realm. If not specified,
- * it will be retrieved from the {@code env.KRB5_REALM} variable.
- * @param args.domain The domain associated with the realm. If not specified,
- * it will be retrieved from the {@code env.KRB5_DOMAIN} variable.
- * @param args.kdc_host The hostname:port for the KDC. If not specified,
- * it will be retrieved from the {@code env.KRB5_KDC_HOST} variable.
- * @param args.admin_host The hostname:port for the admin server. If not specified,
- * it will be retrieved from the {@code env.KRB5_ADMIN_HOST} variable.
- * @param args.kpasswd_host The hostname:port for the kpasswd server. If not specified,
- * it will be retrieved from the {@code env.KRB5_KPASSWD_HOST} variable.
- * @return A {@code Krb5Client} instance.
- */
-def client(Map args=[:]) {
- args.principal = args.principal ?: env.KRB5_PRINCIPAL
- args.password = args.password ?: env.KRB5_PASSWORD
- args.keytab = args.keytab ?: env.KRB5_KEYTAB
- args.realm = args.realm ?: env.KRB5_REALM
- args.domain = args.domain ?: env.KRB5_DOMAIN
- args.kdc_host = args.kdc_host ?: env.KRB5_KDC_HOST
- args.admin_host = args.admin_host ?: env.KRB5_ADMIN_HOST
- args.kpasswd_host = args.kpasswd_host ?: env.KRB5_KPASSWD_HOST
- args.steps = steps
- return new com.redhat.c3i.util.Krb5Client(args)
-}
-
-/**
- * Return a client that can be used for issuing admin commands to the KDC.
- * @param args.password The admin password for the KDC. If not specified,
- * it will be retrieved from {@code env.KRB5_ADMIN_PASSWORD} if
- * defined, otherwise from {@code env.KRB5_PASSWORD}.
- * @return A {@code Krb5Client} instance.
- */
-def adminClient(Map args=[:]) {
- args.principal = 'kadmin/admin'
- args.password = args.password ?: env.KRB5_ADMIN_PASSWORD
- args.kinit = false
- return client(args)
-}
-
-/**
- * Run a block of code with Kerberos authentication configured.
- * @params args The same arguments accepted by {@code client()}.
- * @params body The {@code Closure} to execute.
- * @return The return value of the {@code Closure}.
- */
-def withKrb(Map args=[:], Closure body) {
- def client = client(args)
- return client.run(body)
-}
diff --git a/vars/mbs.groovy b/vars/mbs.groovy
deleted file mode 100644
index d9897c3..0000000
--- a/vars/mbs.groovy
+++ /dev/null
@@ -1,98 +0,0 @@
-// Functions to deploy a containerized MBS
-// Mike Bonnet (mikeb@redhat.com), 2019-01-07
-
-/**
- * Deploy a MBS instance suitable for testing.
- * @param args.script The script calling the method.
- * @param args.test_id A unique {@code String} used to identify this instance.
- * @param args.kojicert A {@code Map} containing client certificate data for authenticating to Koji.
- * The "cert" entry must contain the certificate in text (PEM) format. The "key" entry
- * must contain the private key in text (PEM) format.
- * @param args.kojica A {@code Map} containing certificate data for the CA certificate that
- * issued the Koji client certificate. The "cert" entry must contain the certificate in
- * text (PEM) format.
- * @param args.brokercert A {@code Map} containing client certificate data for authenticating to the
- * ActiveMQ messaging broker. The "cert" entry must contain the certificate in text (PEM)
- * format. The "key" entry must contain the private key in text (PEM) format.
- * @param args.frontendcert A {@code Map} containing certificate data for the HTTPS certificate for
- * the MBS frontend. The "cert" entry must contain the certificate in text (PEM) format.
- * The "key" entry must contain the private key in text (PEM) format.
- * @param args.frontendca A {@code Map} containing certificate data for the CA certificate that
- * issued the frontend certificate. The "cert" entry must contain the certificate in
- * text (PEM) format.
- * @param args.frontend_keytab A Kerberos keytab to be used by the frontend for authentication,
- * as a Base64-encoded {@String}. If not specified, Kerberos authentication will not be
- * enabled.
- * @param args.krb5_conf_configmap The name of the ConfigMap containing the krb5.conf required
- * for Kerberos auth. If not specified, Kerberos authentication will not be enabled.
- * @param args.krb5_user The name of a user who will be allowed to authenticate to the MBS
- * via Kerberos.
Kerberos support is not configured, this is ignored. If not specified,
- * defaults to "mbs-admin".
- * @param args.cacerts A {@code Map} containing certificate data for the CA certificates that
- * should be trusted by MBS. The "cert" entry must contain the certificates in text (PEM)
- * format.
- * @param args.kojiurl The URL to the Koji instance.
- * @param args.stompuri The URI used to connect to the ActiveMQ broker via the STOMP protocol.
- * @param args.backend_image The pull spec of the MBS backend container image to use.
- * @param args.frontend_image The pull spec of the MBS frontend container image to use.
- * @return An OpenShift selector representing the DeploymentConfigs rolled out.
- * @return The number of pods deployed.
- */
-def deploy(Map args) {
- if (!args.backend_image) {
- args.backend_image = 'quay.io/factory2/mbs-backend:latest'
- }
- if (!args.frontend_image) {
- args.frontend_image = 'quay.io/factory2/mbs-frontend:latest'
- }
- def dbpasswd = UUID.randomUUID().toString().take(12)
- def yaml = libraryResource "openshift/templates/mbs.yaml"
- def template = readYaml text: yaml
- def models = args.script.openshift.process(template,
- '-p', "TEST_ID=${args.test_id}",
- '-p', "KOJI_CERT=" + (args.kojicert.cert + args.kojicert.key).bytes.encodeBase64().toString(),
- '-p', "KOJI_SERVERCA=" + args.kojica.cert.bytes.encodeBase64().toString(),
- '-p', "MESSAGING_CERT=" + args.brokercert.cert.bytes.encodeBase64().toString(),
- '-p', "MESSAGING_KEY=" + args.brokercert.key.bytes.encodeBase64().toString(),
- '-p', "FRONTEND_CERT=" + args.frontendcert.cert.bytes.encodeBase64().toString(),
- '-p', "FRONTEND_KEY=" + args.frontendcert.key.bytes.encodeBase64().toString(),
- '-p', "FRONTEND_CA=" + args.frontendca.cert.bytes.encodeBase64().toString(),
- '-p', "CA_CERTS=" + args.cacerts.bytes.encodeBase64().toString(),
- '-p', "KOJI_URL=${args.kojiurl}",
- '-p', "STOMP_URI=${args.stompuri}",
- '-p', "DATABASE_PASSWORD=${dbpasswd}",
- '-p',
"MBS_BACKEND_IMAGE=${args.backend_image}",
- '-p', "MBS_FRONTEND_IMAGE=${args.frontend_image}",
- '-l', 'c3i.redhat.com/app=mbs',
- '-l', "c3i.redhat.com/test=${args.test_id}",
- )
- def frontend
- if (args.frontend_keytab && args.krb5_conf_configmap) {
- yaml = libraryResource 'openshift/templates/mbs-frontend-krb5.yaml'
- template = readYaml text: yaml
- frontend = args.script.openshift.process(template,
- '-p', "TEST_ID=${args.test_id}",
- '-p', "KOJI_URL=${args.kojiurl}",
- '-p', "FRONTEND_KEYTAB=${args.frontend_keytab}",
- '-p', "KRB5_CONF_CONFIGMAP=${args.krb5_conf_configmap}",
- '-p', "KRB5_USER=${args.krb5_user ?: 'mbs-admin'}",
- '-p', "DATABASE_PASSWORD=${dbpasswd}",
- '-p', "MBS_FRONTEND_IMAGE=${args.frontend_image}",
- '-l', 'c3i.redhat.com/app=mbs',
- '-l', "c3i.redhat.com/test=${args.test_id}",
- )
- } else {
- yaml = libraryResource 'openshift/templates/mbs-frontend-noauth.yaml'
- template = readYaml text: yaml
- frontend = args.script.openshift.process(template,
- '-p', "TEST_ID=${args.test_id}",
- '-p', "KOJI_URL=${args.kojiurl}",
- '-p', "DATABASE_PASSWORD=${dbpasswd}",
- '-p', "MBS_FRONTEND_IMAGE=${args.frontend_image}",
- '-l', 'c3i.redhat.com/app=mbs',
- '-l', "c3i.redhat.com/test=${args.test_id}",
- )
- }
- models.addAll(frontend)
- return c3i.deploy(script: args.script, objs: models)
-}
diff --git a/vars/umb.groovy b/vars/umb.groovy
deleted file mode 100644
index 8647368..0000000
--- a/vars/umb.groovy
+++ /dev/null
@@ -1,32 +0,0 @@
-// Functions to deploy a containerized UMB instance.
-// Mike Bonnet (mikeb@redhat.com), 2019-01-04
-
-/**
- * Deploy a UMB instance suitable for testing.
- * @param args.script The script calling the method.
- * @param args.test_id A unique {@code String} used to identify this instance.
- * @param args.keystore_data A Base64-encoded Java keystore.
- * @param args.keystore_password The password to the keystore encoded in {@code keystore_data}.
- * @param args.truststore_data A Base64-encoded Java truststore.
- * @param args.truststore_password The password to the truststore encoded in {@code truststore_data}.
- * @param args.broker_image The pull spec of the UMB container image to use.
- * @return An OpenShift selector representing the DeploymentConfigs rolled out.
- */
-def deploy(Map args) {
- if (!args.broker_image) {
- args.broker_image = 'docker-registry.upshift.redhat.com/factory2/umb:latest'
- }
- def yaml = libraryResource "openshift/templates/umb.yaml"
- def template = readYaml text: yaml
- def models = args.script.openshift.process(template,
- '-p', "TEST_ID=${args.test_id}",
- '-p', "BROKER_KEYSTORE_DATA=${args.keystore_data}",
- '-p', "BROKER_KEYSTORE_PASSWORD=${args.keystore_password}",
- '-p', "BROKER_TRUSTSTORE_DATA=${args.truststore_data}",
- '-p', "BROKER_TRUSTSTORE_PASSWORD=${args.truststore_password}",
- '-p', "UMB_IMAGE=${args.broker_image}",
- '-l', 'c3i.redhat.com/app=umb',
- '-l', "c3i.redhat.com/test=${args.test_id}",
- )
- return c3i.deploy(script: args.script, objs: models)
-}