From ac1f2fb26d853544e3ecb237e739d8ac7a04bbc8 Mon Sep 17 00:00:00 2001 From: Joel Capitao Date: Nov 02 2021 14:10:09 +0000 Subject: Add README This is a consolidation of the notes we added in [1]. [1] https://review.rdoproject.org/etherpad/p/jenkins-migration --- diff --git a/README.md b/README.md new file mode 100644 index 0000000..3d63c79 --- /dev/null +++ b/README.md @@ -0,0 +1,118 @@ +# Cloud SIG CI + +This is the CI repository for the Cloud SIG. + +## Jenkins + +We manage and provision Jenkins jobs through code (IaC) with +the help of [jenkins-job-builder](https://docs.openstack.org/infra/jenkins-job-builder/).
+You can find the jobs definition in [github.com/rdo-infra/ci-config](https://github.com/rdo-infra/ci-config/tree/master/jenkins-v2/jobs)
+You can propose changes against the associated Gerrit project in [review.rdoproject.org](https://review.rdoproject.org/r/q/project:rdo-infra/ci-config)
+ + +## Hosting on OCP + +We are hosting Jenkins server and nodes on pods on OCP (OpenShift Container Platform).
+Jenkins is configured to spawn nodes in which jobs will be running.
+The integration of OCP in Jenkins is handled by CentOS CI team.
+ +The `pod template` we are using is `cico-workspace-rdo` with the configuration as below: +``` +Name: cico-workspace-rdo +Labels: cico-workspace-rdo +Usage: Only build job with label expressions matching this node +Pod template to inherit from: cico-workspace +Container Template + Name: jnlp + Docker image: quay.io/rdoinfra/cico-workspace-rdo:latest + Always pull image: opt-in + Working directory: /tmp + Arguments to pass in the command: ${computer.jnlpmac} ${computer.name} + Allocate pseudo-TTY: opt-in + Environment Variable from Secret + Key: CICO_API_KEY + SecretName: duffy-api-key + SecretKey: key +``` + +### Docker image hosted in Quay + +The repository namespace is [rdoinfra/cico-workspace-rdo](https://quay.io/repository/rdoinfra/cico-workspace-rdo?tab=tags)
+For each new image build we increment the tag by 1, then we tag it as `latest` and check if +everything is fine in jobs execution.
+If there is an issue with new build, then we can rollback the promotion directly in [Tag History](https://quay.io/repository/rdoinfra/cico-workspace-rdo?tab=history) menu, by reverting operation in `Revert` column. + +## Jenkins server configuration + +### Plugins installed + +Below the list of plugins which are installed by CloudSIG: + +- **Build Pipeline plugin**: used in puppet promotion +- **Dashboard View** +- **Environment Injector plugin**: for properties-content +- **Gerrit Trigger plugin**: used in TripleO quickstart gate jobs +- **Nested View** +- **Multiple SCMs**: used in TripleO quickstart gate jobs +- **Multiple plugin**: used in phase-1-pipelines jobs +- **Post Build Task**: used in puppet promotion for log collection +- **URLTrigger** + +**Note**: those plugins are installed in addition to the ones installed by CentOS Infra team. + +### Gerrit Trigger plugin configuration + +We need to add a Gerrit connection in manager.
+To do so, add a new `Gerrit Server` in `Manage Jenkins > Uncategorized > Gerrit Trigger` with the data below: + +- **Name**: rdo-ci-openstack.org
+- **Hostname**: review.opendev.org
+- **Frontend URL**: https://review.opendev.org/
+- **SSH port**: 29418
+- **Username**: rdo-ci
+- **SSH Keyfile**: /rdo_ci_ssh_key/ssh-privatekey => mount as Volume in DeploymentConfig https://console-openshift-console.apps.ocp.ci.centos.org/k8s/ns/cloudsig-ci/deploymentconfigs/jenkins
+- Opt-in "Build Current Patches Only"
+- Leave empty fields below "Gerrit Reporting Values" Jenkins is not allowed to vote in Gerrit (it just leaves a comment)
+ +### Disable the visualization of Injected Environment variables + +1. Go to the Jenkins instance;
+ From `Configure Global Security` under `Environment Injector Plugin`;
+ Check `Do not show injected variables`.
+2. From `Configure Global Security` under `Hidden security warnings`;
+ Click on `Security Warnings`;
+ Uncheck `Environment Injector Plugin: Exposure of sensitive build variables stored by EnvInject 1.90 and earlier`. This will make sure to hide that error message so it doesn’t appear again.
+ +The 2 lines above come from https://stackoverflow.com/a/49368564 + +### Credentials + +The credentials with the informations below are created: + +| ID | Name | Kind | Description | +| -- | ---- | ---- | ----------- | +| 1a12dfa4-7fc5-47a7-aa17-cc56572a41c7 | /****** | Username with password | | +| d31fc651-105c-4af6-a2a5-ed486a5897ca | DLRN api password | Secret text | DLRN api password | +| 8a8657ce-adba-465d-9ef9-8d9759327fa9 | Rsync Password log server | Secret text | Rsync Password log server | +| 68c0bffe-4663-47aa-9134-abcae35ace47 | rdo-ci (Upstream RDO CI key) | SSH Username with private key | Upstream RDO CI key | +| da788440-7c2e-4118-9fe9-a5264b40bcb1 | RDO REGISTRY TOKEN | Secret text | RDO REGISTRY TOKEN | + +The secrets are kept by Cloud-SIG admins. + + +### Jenkins AAA + +#### Authentication +Authentication is done against OpenShift which delegates the operation to [accounts.centos.org](https://accounts.centos.org/) (Noggin/FreeIPA) through OAuth.
+ +#### Authorization +From `Configure Global Security` under `Authorization` click on `Matrix-based security`. + +- Anonymous Users have `Overall/read` and `Job/read` permissions. +- Authenticated Users have `Overall/read` and `Job/read` permissions. +- admin has `Overall/administrater` permissions. +- rhos-prodchain@redhat.com-admin-edit-view has `Overall/administrater` permissions. +- tripleo.ci.ruck.rover@gmail.com-admin-edit-view has `Overall/administrater` permissions. +- cloud-sig users have `Overall/administrater` permissions. + +**Note:** each user who wants `write` access needs an account in [accounts.centos.org](https://accounts.centos.org/) and must be in [sig-cloud group](https://accounts.centos.org/group/sig-cloud/).