-rw-r--r--playbooks/dco-license/run.yaml4
-rw-r--r--roles/build-docker-image/README.rst3
-rw-r--r--roles/build-docker-image/common.rst98
-rw-r--r--roles/build-docker-image/defaults/main.yaml1
-rw-r--r--roles/build-docker-image/tasks/main.yaml13
-rw-r--r--roles/deploy-openshift/README.rst1
-rw-r--r--roles/deploy-openshift/tasks/main.yaml24
-rw-r--r--roles/install-openshift/README.rst16
-rw-r--r--roles/install-openshift/defaults/main.yaml2
-rw-r--r--roles/install-openshift/tasks/main.yaml44
-rw-r--r--roles/promote-docker-image/README.rst3
-rw-r--r--roles/promote-docker-image/defaults/main.yaml1
-rw-r--r--roles/promote-docker-image/tasks/main.yaml20
-rw-r--r--roles/promote-docker-image/tasks/promote-cleanup.yaml20
-rw-r--r--roles/promote-docker-image/tasks/promote-retag.yaml39
-rw-r--r--roles/upload-docker-image/README.rst3
-rw-r--r--roles/upload-docker-image/defaults/main.yaml1
-rw-r--r--roles/upload-docker-image/tasks/main.yaml6
-rw-r--r--roles/upload-puppetforge/README.rst22
-rw-r--r--roles/upload-puppetforge/defaults/main.yaml3
-rw-r--r--roles/upload-puppetforge/tasks/main.yaml21
-rw-r--r--roles/validate-dco-license/README.rst12
-rw-r--r--roles/validate-dco-license/defaults/main.yaml9
-rw-r--r--roles/validate-dco-license/tasks/main.yaml25
-rw-r--r--zuul.yaml8
25 files changed, 399 insertions, 0 deletions
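diff --git a/playbooks/dco-license/run.yaml b/playbooks/dco-license/run.yaml
new file mode 100644
index 0000000..4f617ad
--- /dev/null
+++ b/playbooks/dco-license/run.yaml
@@ -0,0 +1,4 @@
+- hosts: localhost
+ roles:
+ - role: validate-dco-license
+ zuul_work_dir: "{{ zuul.executor.work_root }}/{{ zuul.project.src_dir }}"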
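diff --git a/roles/build-docker-image/README.rst b/roles/build-docker-image/README.rst
new file mode 100644
index 0000000..f533afa
--- /dev/null
+++ b/roles/build-docker-image/README.rst
@@ -0,0 +1,3 @@
+Build one or more docker images.
+
+.. include:: ../../roles/build-docker-image/common.rst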
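diff --git a/roles/build-docker-image/common.rst b/roles/build-docker-image/common.rst
new file mode 100644
index 0000000..ccaf68d
--- /dev/null
+++ b/roles/build-docker-image/common.rst
@@ -0,0 +1,98 @@
+This is one of a collection of roles which are designed to work
+together to build, upload, and promote docker images in a gating
+context:
+
+* :zuul:role:`build-docker-image`: Build the images.
+* :zuul:role:`upload-docker-image`: Stage the images on dockerhub.
+* :zuul:role:`promote-docker-image`: Promote previously uploaded images.
+
+The :zuul:role:`build-docker-image` role is designed to be used in
+`check` and `gate` pipelines and simply builds the images. It can be
+used to verify that the build functions, or it can be followed by the
+use of subsequent roles to upload the images to Docker Hub.
+
+The :zuul:role:`upload-docker-image` role uploads the images to Docker
+Hub, but only with a single tag corresponding to the change ID. This
+role is designed to be used in a job in a `gate` pipeline so that the
+build produced by the gate is staged and can later be promoted to
+production if the change is successful.
+
+The :zuul:role:`promote-docker-image` role is designed to be used in a
+`promote` pipeline. It requires no nodes and runs very quickly on the
+Zuul executor. It simply re-tags a previously uploaded image for a
+change with whatever tags are supplied by the
+:zuul:rolevar:`build-docker-image.docker_images.context`. It also
+removes the change ID tag from the repository in Docker Hub, and
+removes any similar change ID tags more than 24 hours old. This keeps
+the repository tidy in the case that gated changes fail to merge after
+uploading their staged images.
+
+They all accept the same input data, principally a list of
+dictionaries representing the images to build. YAML anchors_ can be
+used to supply the same data to all three jobs.
+
+Use the :zuul:role:`install-docker` role to install Docker before
+using this role.
+
+**Role Variables**
+
+.. zuul:rolevar:: zuul_work_dir
+ :default: {{ zuul.project.src_dir }}
+
+ The project directory. Serves as the base for
+ :zuul:rolevar:`build-docker-image.docker_images.context`.
+
+.. zuul:rolevar:: credentials
+ :type: dict
+
+ This is only required for the upload and promote roles. This is
+ expected to be a Zuul Secret with two keys:
+
+ .. zuul:rolevar:: username
+
+ The Docker Hub username.
+
+ .. zuul:rolevar:: username
+
+ The Docker Hub password
+
+.. zuul:rolevar:: docker_images
+ :type: list
+
+ A list of images to build. Each item in the list should have:
+
+ .. zuul:rolevar:: context
+
+ The docker build context; this should be a directory underneath
+ :zuul:rolevar:`build-docker-image.zuul_work_dir`.
+
+ .. zuul:rolevar:: repository
+
+ The name of the target repository in dockerhub for the
+ image. Supply this even if the image is not going to be
+ uploaded (it will be tagged with this in the local
+ registry).
+
+ .. zuul:rolevar:: path
+
+ Optional: the directory that should be passed to docker build.
+ Useful for building images with a Dockerfile in the context
+ directory but a source repository elsewhere.
+
+ .. zuul:jobvar:: build_args
+ :type: list
+
+ Optional: a list of values to pass to the docker ``--build-arg``
+ parameter.
+
+ .. zuul:rolevar:: target
+
+ Optional: the target for a multi-stage build.
+
+ .. zuul:jobvar:: tags
+ :type: list
+ :default: ['latest']
+
+ A list of tags to be added to the image when promoted.
+
+.. _anchors: https://yaml.org/spec/1.2/spec.html#&%20anchor//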
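diff --git a/roles/build-docker-image/defaults/main.yaml b/roles/build-docker-image/defaults/main.yaml
new file mode 100644
index 0000000..9739eb1
--- /dev/null
+++ b/roles/build-docker-image/defaults/main.yaml
@@ -0,0 +1 @@
+zuul_work_dir: "{{ zuul.project.src_dir }}"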
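diff --git a/roles/build-docker-image/tasks/main.yaml b/roles/build-docker-image/tasks/main.yaml
new file mode 100644
index 0000000..5db9050
--- /dev/null
+++ b/roles/build-docker-image/tasks/main.yaml
@@ -0,0 +1,13 @@
+- name: Build a docker image
+ command: >-
+ docker build {{ item.path | default('.') }} -f Dockerfile
+ {% if target | default(false) -%}
+ --target {{ target }}
+ {% endif -%}
+ {% for build_arg in item.build_args | default([]) -%}
+ --build-arg {{ build_arg }}
+ {% endfor -%}
+ --tag {{ item.repository }}:change_{{ zuul.change }}
+ args:
+ chdir: "{{ zuul_work_dir }}/{{ item.context }}"
+ loop: "{{ images }}"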
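Review bot: The values templated into the `command` string at new-file lines 3-10 (`item.path`, `target`, each `build_arg`, `item.repository`) are unquoted, so a value containing whitespace is split into extra arguments and can add options to `docker build` that the job author did not intend. Pass each one through the `quote` filter, e.g. `--build-arg {{ build_arg | quote }}`, or switch the task to the command module's `argv` list form. Separately, the task loops over `images` and reads a top-level `target`, while common.rst in this commit documents `docker_images` and a per-image `target`; one side should change so the documented input is what the task consumes.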
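diff --git a/roles/deploy-openshift/README.rst b/roles/deploy-openshift/README.rst
new file mode 100644
index 0000000..bb1f498
--- /dev/null
+++ b/roles/deploy-openshift/README.rst
@@ -0,0 +1 @@
+Deploy openshift using oc cluster up.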
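diff --git a/roles/deploy-openshift/tasks/main.yaml b/roles/deploy-openshift/tasks/main.yaml
new file mode 100644
index 0000000..aa41364
--- /dev/null
+++ b/roles/deploy-openshift/tasks/main.yaml
@@ -0,0 +1,24 @@
+---
+- name: Deploy local openshift cluster
+ command: "oc cluster up --insecure-skip-tls-verify=true --public-hostname={{ ansible_hostname }}"
+ become: yes
+
+- name: Create zuul user .kube directory
+ file:
+ path: "{{ ansible_user_dir }}/.kube"
+ state: directory
+
+- name: Setup zuul user kube config
+ copy:
+ src: /root/.kube/config
+ dest: "{{ ansible_env.HOME }}/.kube/config"
+ owner: "{{ ansible_env.USER }}"
+ mode: 0600
+ remote_src: yes
+ become: yes
+
+- name: Login as system:admin
+ command: oc login -u system:admin
+
+- name: Who am i
+ command: oc whoami -c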
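Review bot: The `.kube` directory (new-file lines 6-9) is created without a `mode`, so it takes whatever the umask gives even though the next task places the kubeconfig copied from `/root/.kube/config` in it; add `mode: "0700"` there and write the file mode as the quoted string `mode: "0600"` rather than a bare octal. The two tasks also locate the home directory differently (`ansible_user_dir` versus `ansible_env.HOME`), which should be one expression so the directory that is created is the one that is written to. A comment above the first task such as `# throwaway test cluster: TLS verification is skipped and the job user logs in as system:admin` would keep `--insecure-skip-tls-verify=true` from being copied into a longer-lived deployment.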
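diff --git a/roles/install-openshift/README.rst b/roles/install-openshift/README.rst
new file mode 100644
index 0000000..758245c
--- /dev/null
+++ b/roles/install-openshift/README.rst
@@ -0,0 +1,16 @@
+Setup openshift requirements and pull the container images.
+The deploy-openshift role can be used to start the services.
+
+This role only works on CentOS.
+
+**Role Variables**
+
+.. zuul:rolevar:: origin_repo
+ :default: centos-release-openshift-origin39
+
+ The origin repository.
+
+.. zuul:rolevar:: origin_version
+ :default: v3.9.0
+
+ The origin version.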
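diff --git a/roles/install-openshift/defaults/main.yaml b/roles/install-openshift/defaults/main.yaml
new file mode 100644
index 0000000..6f77c75
--- /dev/null
+++ b/roles/install-openshift/defaults/main.yaml
@@ -0,0 +1,2 @@
+origin_repo: centos-release-openshift-origin39
+origin_version: v3.9.0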
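diff --git a/roles/install-openshift/tasks/main.yaml b/roles/install-openshift/tasks/main.yaml
new file mode 100644
index 0000000..3b5497d
--- /dev/null
+++ b/roles/install-openshift/tasks/main.yaml
@@ -0,0 +1,44 @@
+- name: Install origin repository
+ yum:
+ name: "{{ origin_repo }}"
+ become: yes
+
+- name: Install requirements
+ yum:
+ name: "{{ item }}"
+ with_items:
+ - origin
+ - docker
+ become: yes
+
+- name: Fix docker start options
+ lineinfile:
+ dest: /etc/sysconfig/docker
+ regexp: "^OPTIONS="
+ line: "OPTIONS='--selinux-enabled --log-driver=journald --signature-verification=false --insecure-registry 172.30.0.0/16'"
+ become: yes
+
+# See: https://github.com/openshift/origin/issues/15038
+- name: Fix rhel secret issue
+ file:
+ path: /usr/share/rhel/secrets
+ state: absent
+ become: yes
+
+- name: Start docker service
+ service:
+ name: docker
+ state: started
+ become: yes
+
+- name: Pull origin images
+ command: "docker pull docker.io/openshift/{{ item }}:{{ origin_version }}"
+ with_items:
+ - origin-web-console
+ - origin-docker-registry
+ - origin-haproxy-router
+ - origin-deployer
+ - origin-sti-builder
+ - origin-pod
+ - origin
+ become: yes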
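Review bot: The `OPTIONS=` line written at new-file line 18 turns off image signature verification and trusts 172.30.0.0/16 as an insecure registry, and nothing in the task says why or that it is meant for disposable test nodes only; add a comment above it such as `# test nodes only: signature checks off, 172.30.0.0/16 (presumably the cluster service network) trusted without TLS`. The images at line 35 are then pulled from docker.io by tag, which is mutable, so with verification off the job has no check on what it ends up running; pinning by digest would close that gap at the cost of a per-image variable. The docker service task uses `state: started`, so if docker is already running on the node the rewritten options are not applied; a restart handler notified by the lineinfile task would cover that case.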
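diff --git a/roles/promote-docker-image/README.rst b/roles/promote-docker-image/README.rst
new file mode 100644
index 0000000..abce78f
--- /dev/null
+++ b/roles/promote-docker-image/README.rst
@@ -0,0 +1,3 @@
+Promote one or more previously uploaded docker images.
+
+.. include:: ../../roles/build-docker-image/common.rst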
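diff --git a/roles/promote-docker-image/defaults/main.yaml b/roles/promote-docker-image/defaults/main.yaml
new file mode 100644
index 0000000..9739eb1
--- /dev/null
+++ b/roles/promote-docker-image/defaults/main.yaml
@@ -0,0 +1 @@
+zuul_work_dir: "{{ zuul.project.src_dir }}"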
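diff --git a/roles/promote-docker-image/tasks/main.yaml b/roles/promote-docker-image/tasks/main.yaml
new file mode 100644
index 0000000..025303a
--- /dev/null
+++ b/roles/promote-docker-image/tasks/main.yaml
@@ -0,0 +1,20 @@
+# This is used by the delete tasks
+- name: Get dockerhub JWT token
+ no_log: true
+ uri:
+ url: "https://hub.docker.com/v2/users/login/"
+ body_format: json
+ body:
+ username: "{{ credentials.username }}"
+ password: "{{ credentials.password }}"
+ register: jwt_token
+- name: Promote image
+ loop: "{{ images }}"
+ loop_control:
+ loop_var: image
+ include_tasks: promote-retag.yaml
+- name: Delete obsolete tags
+ loop: "{{ images }}"
+ loop_control:
+ loop_var: image
+ include_tasks: promote-cleanup.yaml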
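diff --git a/roles/promote-docker-image/tasks/promote-cleanup.yaml b/roles/promote-docker-image/tasks/promote-cleanup.yaml
new file mode 100644
index 0000000..d8435b4
--- /dev/null
+++ b/roles/promote-docker-image/tasks/promote-cleanup.yaml
@@ -0,0 +1,20 @@
+- name: List tags
+ uri:
+ url: "https://hub.docker.com/v2/repositories/{{ image.repository }}/tags?page_size=1000"
+ status_code: 200
+ register: tags
+- name: Set cutoff timestamp to 24 hours ago
+ command: "python3 -c \"import datetime; print((datetime.datetime.utcnow()-datetime.timedelta(days=1)).strftime('%Y-%m-%dT%H:%M:%fZ'))\""
+ register: cutoff
+- name: Delete all change tags older than the cutoff
+ no_log: true
+ loop: "{{ tags.json.results }}"
+ loop_control:
+ loop_var: docker_tag
+ when: docker_tag.last_updated < cutoff.stdout and docker_tag.name.startswith('change_')
+ uri:
+ url: "https://hub.docker.com/v2/repositories/{{ image.repository }}/tags/{{ docker_tag.name }}/"
+ method: DELETE
+ status_code: 204
+ headers:
+ Authorization: "JWT {{ jwt_token.json.token }}"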
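Review bot: The cutoff format string at new-file line 7, `'%Y-%m-%dT%H:%M:%fZ'`, has `%f` (microseconds) where the seconds field belongs, so the value compared against `docker_tag.last_updated` at line 14 is not a well-formed timestamp and the string comparison is only dependable to the minute. Because that comparison decides which tags are deleted, use `'%Y-%m-%dT%H:%M:%S.%fZ'` instead (this assumes Docker Hub returns ISO-8601 with fractional seconds; confirm against a real response). The tag listing at line 3 also reads a single page of up to 1000 entries, so tags beyond it are never considered; a comment stating that limit would help the next reader.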
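diff --git a/roles/promote-docker-image/tasks/promote-retag.yaml b/roles/promote-docker-image/tasks/promote-retag.yaml
new file mode 100644
index 0000000..77b611a
--- /dev/null
+++ b/roles/promote-docker-image/tasks/promote-retag.yaml
@@ -0,0 +1,39 @@
+- name: Get dockerhub token
+ no_log: true
+ uri:
+ url: "https://auth.docker.io/token?service=registry.docker.io&scope=repository:{{ image.repository }}:pull,push"
+ user: "{{ credentials.username }}"
+ password: "{{ credentials.password }}"
+ force_basic_auth: true
+ register: token
+- name: Get manifest
+ no_log: true
+ uri:
+ url: "https://registry.hub.docker.com/v2/{{ image.repository }}/manifests/change_{{ zuul.change }}"
+ status_code: 200
+ headers:
+ Accept: "application/vnd.docker.distribution.manifestv2+json"
+ Authorization: "Bearer {{ token.json.token }}"
+ return_content: true
+ register: manifest
+- name: "Put manifest"
+ no_log: true
+ loop: "{{ image.tags | default(['latest']) }}"
+ loop_control:
+ loop_var: new_tag
+ uri:
+ url: "https://registry.hub.docker.com/v2/{{ image.repository }}/manifests/{{ new_tag }}"
+ method: PUT
+ status_code: 201
+ body: "{{ manifest.content | string }}"
+ headers:
+ Content-Type: "application/vnd.docker.distribution.manifestv2+json"
+ Authorization: "Bearer {{ token.json.token }}"
+- name: Delete the current change tag
+ no_log: true
+ uri:
+ url: "https://hub.docker.com/v2/repositories/{{ image.repository }}/tags/change_{{ zuul.change }}/"
+ method: DELETE
+ status_code: 204
+ headers:
+ Authorization: "JWT {{ jwt_token.json.token }}"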
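Review bot: The `Accept` header at new-file line 15 and the `Content-Type` at line 30 read `application/vnd.docker.distribution.manifestv2+json`; the Docker schema 2 media type is `application/vnd.docker.distribution.manifest.v2+json`, with a dot before `v2`. With the misspelt type the registry may answer with a different manifest format from the one that was gated, so the promoted tag is not guaranteed to carry the same digest as the `change_{{ zuul.change }}` image. Correct both strings, and consider a follow-up task that checks the digest reported for each new tag against the one fetched at line 12, so a promotion that changed the image content fails the job.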
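diff --git a/roles/upload-docker-image/README.rst b/roles/upload-docker-image/README.rst
new file mode 100644
index 0000000..2b04c2e
--- /dev/null
+++ b/roles/upload-docker-image/README.rst
@@ -0,0 +1,3 @@
+Upload one or more docker images.
+
+.. include:: ../../roles/build-docker-image/common.rst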
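diff --git a/roles/upload-docker-image/defaults/main.yaml b/roles/upload-docker-image/defaults/main.yaml
new file mode 100644
index 0000000..9739eb1
--- /dev/null
+++ b/roles/upload-docker-image/defaults/main.yaml
@@ -0,0 +1 @@
+zuul_work_dir: "{{ zuul.project.src_dir }}"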
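diff --git a/roles/upload-docker-image/tasks/main.yaml b/roles/upload-docker-image/tasks/main.yaml
new file mode 100644
index 0000000..ff49915
--- /dev/null
+++ b/roles/upload-docker-image/tasks/main.yaml
@@ -0,0 +1,6 @@
+- name: Log in to dockerhub
+ command: "docker login -u {{ credentials.username }} -p {{ credentials.password }}"
+ no_log: true
+- name: Upload to dockerhub
+ command: "docker push {{ item.repository }}:change_{{ zuul.change }}"
+ loop: "{{ images }}"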
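Review bot: `docker login ... -p {{ credentials.password }}` at new-file line 2 puts the Docker Hub password on the command line, where it is visible in the node's process list while the command runs; `no_log` only keeps it out of the Ansible output. Feed it on standard input instead: `command: "docker login -u {{ credentials.username }} --password-stdin"` with `args:` and `stdin: "{{ credentials.password }}"`. The login also leaves the credential in the user's docker configuration on the build node, so a final `docker logout` task that runs even when the push fails is worth adding. common.rst in this commit lists the secret's keys as `username` twice; the second should be `password` to match what this task reads.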
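diff --git a/roles/upload-puppetforge/README.rst b/roles/upload-puppetforge/README.rst
new file mode 100644
index 0000000..5eae36a
--- /dev/null
+++ b/roles/upload-puppetforge/README.rst
@@ -0,0 +1,22 @@
+Upload puppet module to Puppet Forge
+
+**Role Variables**
+
+ .. zuul:rolevar:: puppet_module_dir
+ :default: {{ zuul.project.src_dir }}
+
+ The folder where the puppet module code is that it can
+ switch folder to.
+
+ .. zuul:rolevar:: blacksmith_forge_url
+ :default: https://forgeapi.puppetlabs.com
+
+ The URL to the Puppet Forge API.
+
+ .. zuul:rolevar:: blacksmith_forge_username
+
+ Username to use to log in to Puppet Forge.
+
+ .. zuul:rolevar:: blacksmith_forge_password
+
+ Password to use to log in to Puppet Forge.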
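diff --git a/roles/upload-puppetforge/defaults/main.yaml b/roles/upload-puppetforge/defaults/main.yaml
new file mode 100644
index 0000000..c93ad60
--- /dev/null
+++ b/roles/upload-puppetforge/defaults/main.yaml
@@ -0,0 +1,3 @@
+---
+puppet_module_dir: "{{ zuul.project.src_dir }}"
+blacksmith_forge_url: "https://forgeapi.puppetlabs.com"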
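diff --git a/roles/upload-puppetforge/tasks/main.yaml b/roles/upload-puppetforge/tasks/main.yaml
new file mode 100644
index 0000000..52fa288
--- /dev/null
+++ b/roles/upload-puppetforge/tasks/main.yaml
@@ -0,0 +1,21 @@
+- name: Install required gems
+ gem:
+ name: "{{ item }}"
+ with_items:
+ - rake
+ - puppetlabs_spec_helper
+ - puppet-blacksmith
+
+- name: Install new Rakefile
+ copy:
+ content: "require 'puppet_blacksmith/rake_tasks'"
+ dest: "{{ puppet_module_dir }}/Rakefile"
+
+- name: Publish puppet module
+ command: "rake module:push"
+ args:
+ chdir: "{{ puppet_module_dir }}"
+ environment:
+ BLACKSMITH_FORGE_URL: "{{ blacksmith_forge_url }}"
+ BLACKSMITH_FORGE_USERNAME: "{{ blacksmith_forge_username }}"
+ BLACKSMITH_FORGE_PASSWORD: "{{ blacksmith_forge_password }}"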
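Review bot: The publish task at new-file lines 14-21 carries `blacksmith_forge_password` in its environment but, unlike the credential-handling tasks in the docker roles of this commit, does not set `no_log: true`; add it so the value cannot surface in verbose or failure output. The three gems at lines 1-7 are installed at whatever version is current and then run in the same job that holds the Forge credentials; pinning each with the gem module's `version` parameter would make that step reproducible and reviewable. The Rakefile task at lines 9-12 overwrites any Rakefile the module already ships, which deserves a sentence in the role's README.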
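diff --git a/roles/validate-dco-license/README.rst b/roles/validate-dco-license/README.rst
new file mode 100644
index 0000000..2cf9b0b
--- /dev/null
+++ b/roles/validate-dco-license/README.rst
@@ -0,0 +1,12 @@
+Validate all commits have Signed-off-by header
+
+**Role Variables**
+
+.. zuul:rolevar:: dco_license_failure
+
+ Message to display when Signed-off-by header is missing.
+
+.. zuul:rolevar:: zuul_work_dir
+ :default: {{ zuul.project.src_dir }}
+
+ Directory to DCO license check in.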
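diff --git a/roles/validate-dco-license/defaults/main.yaml b/roles/validate-dco-license/defaults/main.yaml
new file mode 100644
index 0000000..2a6712c
--- /dev/null
+++ b/roles/validate-dco-license/defaults/main.yaml
@@ -0,0 +1,9 @@
+---
+dco_license_failure: |
+ One or more commits have not been signed properly using --signoff.
+
+ The meaning of a signoff depends on the project, but it typically certifies
+ that committer has the rights to submit this work under the same license and
+ agrees to a Developer Certificate of Origin
+ (see http://developercertificate.org/ for more information).
+zuul_work_dir: "{{ zuul.project.src_dir }}"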
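diff --git a/roles/validate-dco-license/tasks/main.yaml b/roles/validate-dco-license/tasks/main.yaml
new file mode 100644
index 0000000..47228af
--- /dev/null
+++ b/roles/validate-dco-license/tasks/main.yaml
@@ -0,0 +1,25 @@
+- name: Developer Certificate of Origin (DCO) license check
+ shell:
+ cmd: |
+ set -e
+ result=0
+ for commit in $(git cherry -v origin/{{ zuul.branch }} HEAD | cut -d " " -f2)
+ do
+ if ! git show -s $commit | grep -q "Signed-off-by:"; then
+ echo "---"
+ git show -s $commit
+ echo "---"
+ echo "does not have a Signed-off-by header"
+ result=1
+ fi
+ done
+ exit $result
+ chdir: "{{ zuul_work_dir }}"
+ executable: /bin/bash
+ register: _dco
+ failed_when: _dco.rc > 1
+
+- name: License check failed
+ fail:
+ msg: "{{ dco_license_failure }}"
+ when: _dco.rc != 0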
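Review bot: The check passes when it cannot enumerate commits: at new-file line 6 `git cherry` runs inside a command substitution that feeds a pipe, so if it fails (for example because `origin/{{ zuul.branch }}` does not exist in the work dir) `set -e` does not trigger, the loop body never runs and the script exits 0. Capture the list first under `set -o pipefail`, e.g. `commits=$(git cherry -v origin/{{ zuul.branch | quote }} HEAD | cut -d " " -f2)`, and loop over `$commits`. The `quote` filter matters on its own, since the branch name is templated into a shell script and git permits shell metacharacters in ref names. The `grep -q "Signed-off-by:"` at line 8 matches that text anywhere in the `git show -s` output rather than as a trailer; reading `git log -1 --format='%(trailers)'` for each commit would be stricter.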
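diff --git a/zuul.yaml b/zuul.yaml
index c9aeb37..761951e 100644
--- a/zuul.yaml
+++ b/zuul.yaml
@@ -2,6 +2,14 @@
 # Assumes a 'base' job defined elsewhere
 
 - job:
+ name: dco-license
+ description: |
+ A job to validate all new commits have been signed using --signoff.
+ run: playbooks/dco-license/run.yaml
+ nodeset:
+ nodes: []
+
+- job:
  name: unittests
  abstract: true
  description: |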