From 37467218a5008d26a27d5fc48c197abea89adeb3 Mon Sep 17 00:00:00 2001
From: Adrian Riobo
Date: Tue, 12 Nov 2024 10:22:16 +0100
Subject: [PATCH] chore: migrate tekton tasks resulting host info to secrets
Signed-off-by: Adrian Riobo
---
 hacks/azure/azure_setup.sh | 0
 hacks/azure/mapt-aks-role.json | 14 ++
 oci/Containerfile | 2 +
 tkn/infra-aws-fedora.yaml | 185 +++++++++--------
 tkn/infra-azure-aks.yaml | 146 --------------
 tkn/infra-azure-windows-desktop.yaml | 163 ++++++++-------
 tkn/template/infra-aws-fedora.yaml | 185 +++++++++--------
 tkn/template/infra-azure-windows-desktop.yaml | 163 ++++++++-------
 8 files changed, 400 insertions(+), 458 deletions(-)
 mode change 100644 => 100755 hacks/azure/azure_setup.sh
 create mode 100644 hacks/azure/mapt-aks-role.json
 delete mode 100644 tkn/infra-azure-aks.yaml
diff --git a/hacks/azure/azure_setup.sh b/hacks/azure/azure_setup.sh
old mode 100644
new mode 100755
diff --git a/hacks/azure/mapt-aks-role.json b/hacks/azure/mapt-aks-role.json
new file mode 100644
index 000000000..3f383fd42
--- /dev/null
+++ b/hacks/azure/mapt-aks-role.json
@@ -0,0 +1,14 @@
+{
+ "Name": "Mapt AKS Operator",
+ "IsCustom": true,
+ "Description": "Can create aks clusters with mapt features.",
+ "Actions": [
+ "Microsoft.Authorization/roleAssignments/*"
+ ],
+ "NotActions": [],
+ "DataActions": [],
+ "NotDataActions": [],
+ "AssignableScopes": [
+ "/subscriptions/b0ad4737-8299-4c0a-9dd5-959cbcf8d81c"
+ ]
+}
diff --git a/oci/Containerfile b/oci/Containerfile
index 4019168e6..a16b60fbd 100644
--- a/oci/Containerfile
+++ b/oci/Containerfile
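Review bot: The custom role's only entry under `"Actions"`, `Microsoft.Authorization/roleAssignments/*`, applied at subscription scope through `"AssignableScopes"`, is far broader than the description "Can create aks clusters with mapt features" suggests: write access to role assignments lets the holder grant itself or any principal Owner at that scope, so this role is effectively Owner-equivalent. If the intent is only to let mapt attach roles to the cluster identity it creates, list the verbs explicitly (`Microsoft.Authorization/roleAssignments/read`, `.../write`, `.../delete`), narrow `AssignableScopes` to the resource group(s) mapt works in, and consider Azure's role-assignment conditions to bound which roles may be assigned. The subscription id is also committed in clear; since `hacks/azure/azure_setup.sh` is made executable in the same commit this file may be meant as a template, in which case a placeholder such as `/subscriptions/<SUBSCRIPTION_ID>` with a short comment in the script would be clearer.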
@@ -36,6 +36,8 @@ ENV AZ_CLI_VERSION 2.61.0 # Pulumi plugins # renovate: datasource=github-releases depName=pulumi/pulumi-aws ARG PULUMI_AWS_VERSION=v6.37.1 +# Install this +# https://releases.hashicorp.com/terraform-provider-aws/5.75.1/terraform-provider-aws_5.75.1_linux_amd64.zip # renovate: datasource=github-releases depName=pulumi/pulumi-aws ARG PULUMI_AWSX_VERSION=v2.3.0 # renovate: datasource=github-releases depName=pulumi/pulumi-azure-native diff --git a/tkn/infra-aws-fedora.yaml b/tkn/infra-aws-fedora.yaml index 2374f0828..dd959bf09 100644 --- a/tkn/infra-aws-fedora.yaml +++ b/tkn/infra-aws-fedora.yaml @@ -6,22 +6,25 @@ metadata: labels: app.kubernetes.io/version: "0.8.0-dev" annotations: - tekton.dev/pipelines.minVersion: "0.24.x" + tekton.dev/pipelines.minVersion: "0.44.x" tekton.dev/categories: infrastructure tekton.dev/tags: infrastructure, aws, fedora tekton.dev/displayName: "aws manager" - tekton.dev/platforms: "linux/amd64" + tekton.dev/platforms: "linux/amd64,inux/arm64" spec: description: | Task provision a fedora dedicated on host on AWS - The machine will offer nested virtualizataion capabilities as so it should be spin on a dedicated (baremetal) machine - - workspaces: - - name: storage - description: volume to store outputs to connect within the target machine + state file for the infrastructure - mountPath: /opt/storage + volumes: - name: aws-credentials + secret: + secretName: $(params.secret-aws-credentials) + - name: host-info + emptyDir: {} + + params: + # mapt params + - name: secret-aws-credentials description: | ocp secret holding the aws credentials. Secret should be accessible to this task. 
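Review bot: The two added lines below `ARG PULUMI_AWS_VERSION=v6.37.1` are a bare "Install this" note plus a download URL, with nothing saying why the terraform-provider-aws archive is needed or who owns the follow-up, and they sit between that ARG and the `# renovate:` annotation for `PULUMI_AWSX_VERSION`, which could matter if the repo's renovate regex expects the annotation directly above the ARG (inferred; depends on the renovate config). Suggest `# TODO(mapt): install terraform-provider-aws 5.75.1 (reason: <why it is needed>); pin and checksum it like the pulumi plugins` and placing it outside the renovate-annotated block. As a side observation, the untouched annotation above `ARG PULUMI_AWSX_VERSION` still says `depName=pulumi/pulumi-aws`, which looks like it was meant to be `pulumi/pulumi-awsx`.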
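Review bot: The new annotation value `tekton.dev/platforms: "linux/amd64,inux/arm64"` has a typo, `inux/arm64` instead of `linux/arm64`; the same line appears in the template hunk at L16, while the Azure files spell it correctly. Change it to `tekton.dev/platforms: "linux/amd64,linux/arm64"`. The `minVersion` bump to `0.44.x` is presumably what the `$(params.secret-aws-credentials)` substitution inside `spec.volumes` needs; a one-line comment next to the bump saying so would save the next reader the archaeology.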
@@ -38,22 +41,14 @@ spec: access-key: ${access_key} secret-key: ${secret_key} region: ${region} - mountPath: /opt/aws-credentials - - params: - # mapt params - - name: project-name - description: identifier for project. - - name: backed-url - description: | - If we want to backed resources externally we can use s3 setting this param(i.e s3://existing-bucket). - - If default will be store on storage workspace at path set by param ws-output-path. - default: "''" - - name: ws-output-path - description: path on workspace where to store ephemeral assets related with the provisioning + bucket: ${bucket} + - name: id + description: identifier for the provisioned environment - name: operation description: operation to execute within the infrastructure. Current values (create, destroy) + - name: host-access-secret + description: name from the secret holding the host-info created during create operation. This is required only destroy operation + default: "''" # VM type params - name: arch @@ -74,8 +69,8 @@ spec: # Fedora params - name: version - description: this task will spin a Fedora-Cloud image. This param will set the version for it. Default 40. - default: '40' + description: this task will spin a Fedora-Cloud image. This param will set the version for it. Default 41. + default: '41' # Topology params - name: airgap @@ -93,10 +88,6 @@ spec: description: tags for the resources created on the providers default: "''" - # Control params - - name: remove-lock - description: in case a previous run fails the stack can be locked. This value allows to control if remove lock - default: 'true' - name: debug description: | Warning setting this param to true expose credentials 
@@ -106,23 +97,36 @@ spec: default: 'false' results: - - name: host - description: ip to connect to the provisioned machine - - name: username - description: username to connect to the provisioned machine - - name: key - description: filename for the private key. The key is located at workspace-resources-path - - name: bastion-host - description: if airgap is set we get the bastion host as result - - name: bastion-username - description: if airgap is set we get the bastion username to connect as result - - name: bastion-key - description: if airgap is set we get the bastion filename for the private key. The key is located at workspace-resources-path - + - name: host-access-secret + description: | + ocp secret holding the information to connect with the target machine. + + --- + apiVersion: v1 + kind: Secret + metadata: + name: aws-${name} + labels: + app.kubernetes.io/component: ${name} + app.kubernetes.io/part-of: qe-platform + type: Opaque + data: + host: ${host} + username: ${username} + id_rsa: ${id_rsa} + # If airgap data for bastion host + bastion-host: ${bastion-host} + bastion-username: ${bastion-username} + bastion-id_rsa: ${bastion-id_rsa} steps: - name: provisioner image: quay.io/redhat-developer/mapt:v0.8.0-dev imagePullPolicy: Always + volumeMounts: + - name: aws-credentials + mountPath: /opt/aws-credentials + - name: host-info + mountPath: /opt/host-info script: | #!/bin/sh 
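Review bot: The `host-access-secret` result description documents a Secret named `aws-${name}` carrying `app.kubernetes.io/component` and `app.kubernetes.io/part-of` labels, but the `host-info-secret` step added later in this file creates it with `generateName: mapt-aws-fedora-` and no labels at all, so consumers reading the description will look for metadata that does not exist. Either add those labels to the generated manifest (they would also give the destroy path a safe way to recognise its own secrets) or trim the description to what is actually produced, e.g. `Name of the generated Secret (generateName mapt-aws-fedora-) holding host, username, id_rsa and, when airgap is true, the bastion-* keys`. The same description, still saying `aws-${name}`, is copied into the Azure task at L13 and into both templates at L18 and L24.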
@@ -135,27 +139,14 @@ spec: export AWS_ACCESS_KEY_ID=$(cat /opt/aws-credentials/access-key) export AWS_SECRET_ACCESS_KEY=$(cat /opt/aws-credentials/secret-key) export AWS_DEFAULT_REGION=$(cat /opt/aws-credentials/region) - - # Output folder - workspace_path=/opt/storage/$(params.ws-output-path) - mkdir -p ${workspace_path} - - # Remove lock - if [[ $(params.remove-lock) == "true" ]]; then - rm -rf ${workspace_path}/.pulumi/locks/* - fi + BUCKET=$(cat /opt/aws-credentials/bucket) # Run mapt cmd="mapt aws fedora $(params.operation) " - cmd="$cmd --project-name $(params.project-name) " - # Set the backed url - if [[ $(params.backed-url) != "" ]]; then - cmd="$cmd --backed-url $(params.backed-url) " - else - cmd="$cmd --backed-url file://${workspace_path} " - fi + cmd="$cmd --project-name mapt-fedora-$(params.id) " + cmd="$cmd --backed-url s3://${BUCKET}/mapt/fedora/$(params.id) " if [[ $(params.operation) == "create" ]]; then - cmd="$cmd --conn-details-output ${workspace_path} " + cmd="$cmd --conn-details-output /opt/host-info " cmd="$cmd --arch $(params.arch) " cmd="$cmd --cpus $(params.cpus) " cmd="$cmd --memory $(params.memory) " 
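Review bot: `$(params.id)` is spliced by Tekton directly into the script text on the two added `cmd=` lines and the result is later passed to `eval "${cmd}"`, so an `id` containing whitespace or shell metacharacters changes the command rather than just the project name, and it is now also a path component of the S3 backed-url. Prefer exposing the value through the step's `env` (`- name: ID` / `value: $(params.id)`) and validating it before use, e.g. `case "${ID}" in *[!A-Za-z0-9-]*|'') echo "id must be alphanumeric/dash"; exit 1;; esac`, then build `cmd` from `"${ID}"`. The same pattern is in the Azure hunk at L14 and the template hunks at L19 and L25. The `remove-lock` handling is dropped here with nothing replacing it, so a Pulumi lock left in the bucket by an aborted run now has to be cleared by hand, which deserves a line in the task description. The provisioner script continues past this hunk.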
@@ -174,36 +165,6 @@ spec: fi fi eval "${cmd}" - - create_exit_code=$? - - # set task results - cat "${workspace_path}/host" | tee $(results.host.path) - cat "${workspace_path}/username" | tee $(results.username.path) - echo -n "id_rsa" | tee $(results.key.path) - if [[ $(params.airgap) == "true" ]]; then - cat "${workspace_path}/bastion_host" | tee $(results.bastion-host.path) - cat "${workspace_path}/bastion_username" | tee $(results.bastion-username.path) - echo -n "bastion_id_rsa" | tee $(results.bastion-key.path) - fi - - # If debug print credentials - if [[ $(params.debug) == "true" ]]; then - echo "Credentials to access target machine \n" - cat "${workspace_path}/host" - cat "${workspace_path}/username" - cat "${workspace_path}/id_rsa" - if [[ $(params.airgap) == "true" ]]; then - cat "${workspace_path}/bastion_host" - cat "${workspace_path}/bastion_username" - cat "${workspace_path}/bastion_id_rsa" - fi - fi - - if [[ ${create_exit_code} -ne 0 ]]; then - exit 1 - fi - resources: requests: memory: "200Mi" 
@@ -211,4 +172,50 @@ spec: limits: memory: "600Mi" cpu: "300m" - \ No newline at end of file + - name: host-info-secret + image: registry.redhat.io/openshift4/ose-cli:4.13@sha256:e70eb2be867f1236b19f5cbfeb8e0625737ce0ec1369e32a4f9f146aaaf68d49 + env: + - name: NAMESPACE + value: $(context.taskRun.namespace) + volumeMounts: + - name: host-info + mountPath: /opt/host-info + script: | + #!/bin/bash + set -eo pipefail + if [[ $(params.operation) == "create" ]]; then + cat < host-info.yaml + apiVersion: v1 + kind: Secret + metadata: + generateName: mapt-aws-fedora- + namespace: $NAMESPACE + type: Opaque + data: + host: $(cat /opt/host-info/host | base64 -w0) + username: $(cat /opt/host-info/username | base64 -w0) + id_rsa: $(cat /opt/host-info/id_rsa | base64 -w0) + EOF + if [[ $(params.airgap) == "true" ]]; then + cat <> host-info.yaml + bastion-host: $(cat /opt/host-info/bastion_host | base64 -w0) + bastion-username: $(cat /opt/host-info/bastion_username | base64 -w0) + bastion-id_rsa: $(cat /opt/host-info/bastion_id_rsa | base64 -w0) + EOF + fi + + if [[ $(params.debug) == "true" ]]; then + cat /opt/host-info/* + fi + + NAME=$(oc create -f host-info.yaml -o=jsonpath='{.metadata.name}') + echo -n "${NAME}" | tee $(results.host-access-secret.path) + fi + + if [[ $(params.operation) == "destroy" ]]; then + if [[ $(params.host-access-secret) == "" ]]; then + echo "On destroy host-access-secret param is mandatory" + exit 1 + fi + oc delete secret $(params.host-access-secret) + fi diff --git a/tkn/infra-azure-aks.yaml b/tkn/infra-azure-aks.yaml deleted file mode 100644 index 2f809e8fc..000000000 --- a/tkn/infra-azure-aks.yaml +++ /dev/null 
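Review bot: The `host-info-secret` step's `oc delete secret $(params.host-access-secret)` removes whatever secret name the caller passes, including the credentials secret mounted by this very task, with no check that it is one mapt created; adding a label to the generated manifest (e.g. `app.kubernetes.io/managed-by: mapt` under `metadata.labels`) and deleting only when `oc get secret "$NAME" -o jsonpath='{.metadata.labels.app\.kubernetes\.io/managed-by}'` returns `mapt` would bound the blast radius, and quoting the name avoids word-splitting. The `debug` branch `cat /opt/host-info/*` writes `id_rsa` (and `bastion_id_rsa`) into the TaskRun log, which is retained far longer than the step; printing only `host` and `username` there keeps the debugging value without persisting a private key in logs. As rendered here the heredoc operator looks lost (`cat < host-info.yaml` … `EOF`), presumably `cat <<EOF > host-info.yaml` in the file; if the `EOF` terminator is indented inside the `if` block it will not be recognised (only `<<-` strips leading tabs, never spaces) and bash will swallow the rest of the script into the heredoc, so confirm the terminator sits at column 0 of the script. The step also needs RBAC for `create` and `delete` on `secrets` in `$(context.taskRun.namespace)`, which nothing in the task or description mentions. The same step is duplicated at L15 and L21.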
@@ -1,146 +0,0 @@ ---- -apiVersion: tekton.dev/v1beta1 -kind: Task -metadata: - name: infra-azure-aks - labels: - app.kubernetes.io/version: "0.8.0-dev" - annotations: - tekton.dev/pipelines.minVersion: "0.44.x" - tekton.dev/categories: infrastructure - tekton.dev/tags: infrastructure, azure - tekton.dev/displayName: "azure manager" - tekton.dev/platforms: "linux/amd64" -spec: - description: | - This task will provision / decomission azure aks cluster - - The output will give required information to connect within the remote provisioned cluster - - workspaces: - - name: az-credentials - description: | - ocp secret holding the azure credentials. Secret should be accessible to this task. - - To be a valid secret it should contains the following fields: - * tenant_id - * subscription_id - * client_id - * client_secret - * storage_account (optional if we use remote az storage) - * storage_key (optional if we use remote az storage) - mountPath: /opt/credentials - - params: - # mapt params - - name: project-name - description: identifier for project. - - name: backed-url - description: external az storage (i.e azblob://existing-storage). - - name: operation - description: operation to execute within the infrastructure. Current values (create, destroy) - default: create - - # AKS params - - name: k8s-version - description: AKS K8s cluster version (default "1.30") - default: '1.30' - - name: only-system-pool - description: if we do not need bunch of resources we can run only the systempool. More info https://learn.microsoft.com/es-es/azure/aks/use-system-pools?tabs=azure-cli#system-and-user-node-pools. (default false) - default: 'false' - - name: enable-app-routing - description: enable application routing add-on with NGINX. 
(default false) - default: 'false' - - # VM type params for pools - - name: spot - description: in case spot is set to true it 'ill check for best spot price and create the VM on the target region - default: 'true' - - name: spot-eviction-tolerance - description: 'if spot is enable we can define the minimum tolerance level of eviction. Allowed value are: lowest, low, medium, high or highest' - default: 'lowest' - - - # Metadata params - - name: tags - description: tags for the resources created on the providers - default: "''" - - # Control params - - name: remove-lock - description: in case a previous run fails the stack can be locked. This value allows to control if remove lock - default: 'true' - - results: - - name: kubeconfig - description: kubeconfig file - - steps: - - name: provisioner - image: quay.io/redhat-developer/mapt:v0.8.0-dev - imagePullPolicy: Always - script: | - #!/bin/sh - - # Added verbosity - set -xuo - - # Credentials - export ARM_TENANT_ID=$(cat /opt/credentials/tenant_id) - export ARM_SUBSCRIPTION_ID=$(cat /opt/credentials/subscription_id) - export ARM_CLIENT_ID=$(cat /opt/credentials/client_id) - export ARM_CLIENT_SECRET=$(cat /opt/credentials/client_secret) - if ! [ -f /opt/credentials/storage_account ]; then - export AZURE_STORAGE_ACCOUNT=$(cat /opt/credentials/storage_account) - fi - if ! 
[ -f /opt/credentials/storage_key ]; then - export AZURE_STORAGE_KEY=$(cat /opt/credentials/storage_key) - fi - - # Output folder - mkdir -p aks-kubeconfig - - # Remove lock - if [[ $(params.remove-lock) == "true" ]]; then - rm -rf ${workspace_path}/.pulumi/locks/* - fi - - # Run mapt - cmd="mapt azure aks $(params.operation) " - cmd="$cmd --project-name $(params.project-name) " - cmd="$cmd --backed-url $(params.backed-url) " - if [[ $(params.operation) == "create" ]]; then - cmd="$cmd --conn-details-output aks-kubeconfig " - cmd="$cmd --version $(params.k8s-version) " - if [[ $(params.only-system-pool) == "true" ]]; then - cmd="$cmd --only-system-pool " - fi - if [[ $(params.enable-app-routing) == "true" ]]; then - cmd="$cmd --enable-app-routing " - fi - if [[ $(params.spot) == "true" ]]; then - cmd="$cmd --spot " - cmd="$cmd --spot-eviction-tolerance $(params.spot-eviction-tolerance) " - fi - if [[ $(params.tags) != "" ]]; then - cmd="$cmd --tags $(params.tags) " - fi - fi - eval "${cmd}" - - create_exit_code=$? - - # set task results - cat "aks-kubeconfig/kubeconfig" | tee $(results.kubeconfig.path) - - if [[ ${create_exit_code} -ne 0 ]]; then - exit 1 - fi - - resources: - requests: - memory: "200Mi" - cpu: "100m" - limits: - memory: "600Mi" - cpu: "300m" diff --git a/tkn/infra-azure-windows-desktop.yaml b/tkn/infra-azure-windows-desktop.yaml index 1201ff477..c38f8da4d 100644 --- a/tkn/infra-azure-windows-desktop.yaml +++ b/tkn/infra-azure-windows-desktop.yaml 
@@ -6,21 +6,26 @@ metadata: labels: app.kubernetes.io/version: "0.8.0-dev" annotations: - tekton.dev/pipelines.minVersion: "0.24.x" + tekton.dev/pipelines.minVersion: "0.44.x" tekton.dev/categories: infrastructure tekton.dev/tags: infrastructure, azure tekton.dev/displayName: "azure manager" - tekton.dev/platforms: "linux/amd64" + tekton.dev/platforms: "linux/amd64,linux/arm64" spec: description: | This task will provision / decomission windows desktop machines on azure The output will give required information to connect within the remote provisioned host - workspaces: - - name: pipelines-data - description: workspace to store outputs to connect within the target machine + state file for the infrastructure + volumes: - name: az-credentials + secret: + secretName: $(params.secret-az-credentials) + - name: host-info + emptyDir: {} + + params: + - name: secret-az-credentials description: | ocp secret holding the azure credentials. Secret should be accessible to this task. 
@@ -31,22 +36,14 @@ spec: * client_secret * storage_account (optional if we use remote az storage) * storage_key (optional if we use remote az storage) - mountPath: /opt/credentials - - params: - - name: project-name - description: identifier for project. - - name: backed-url - description: | - If we want to backed resources externally we can use az storage setting this param(i.e azblob://existing-storage). - - If default will be store on storage workspace at path set by param ws-output-path. - default: "''" - - name: ws-output-path - description: path on workspace where to store ephemeral assets related with the provisioning + * blob (optional if we use remote az storage) + - name: id + description: identifier for the provisioned environment - name: operation description: operation to execute within the infrastructure. Current values (create, destroy) - default: create + - name: host-access-secret + description: name from the secret holding the host-info created during create operation. This is required only destroy operation + default: "''" # VM type params - name: cpus 
@@ -85,21 +82,42 @@ spec: - name: remove-lock description: in case a previous run fails the stack can be locked. This value allows to control if remove lock default: 'true' + - name: debug + description: | + Warning setting this param to true expose credentials + + The parameter is intended to add verbosity on the task execution and also print credentials on stdout + to easily access to remote machice + default: 'false' results: - - name: host - description: ip to connect to the provisioned machine - - name: username - description: username to connect to the provisioned machine - - name: userpassword - description: password for the user to connect to the provisioned machine - - name: key-filename - description: filename for the private key. The key is located at ws-output-path + - name: host-access-secret + description: | + ocp secret holding the information to connect with the target machine. + + --- + apiVersion: v1 + kind: Secret + metadata: + name: aws-${name} + labels: + app.kubernetes.io/component: ${name} + app.kubernetes.io/part-of: qe-platform + type: Opaque + data: + host: ${host} + username: ${username} + id_rsa: ${id_rsa} steps: - name: provisioner image: quay.io/redhat-developer/mapt:v0.8.0-dev imagePullPolicy: Always + volumeMounts: + - name: az-credentials + mountPath: /opt/az-credentials + - name: host-info + mountPath: /opt/host-info script: | #!/bin/sh 
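Review bot: `remove-lock` survives as a context param at the top of this hunk, but the provisioner script in the next hunk (L14) drops the only place it was read, so the Azure task now advertises a control it ignores; the AWS task removed the param in the same commit. Either delete the `remove-lock` entry here (and in the template at L24) or keep the lock handling in the script. The new `debug` description says "print credentials on stdout", which for this task means the generated `id_rsa`; stating that explicitly (and fixing `machice` → `machine`) helps pipeline authors decide whether to enable it.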
@@ -107,36 +125,20 @@ spec: set -xuo # Credentials - export ARM_TENANT_ID=$(cat /opt/credentials/tenant_id) - export ARM_SUBSCRIPTION_ID=$(cat /opt/credentials/subscription_id) - export ARM_CLIENT_ID=$(cat /opt/credentials/client_id) - export ARM_CLIENT_SECRET=$(cat /opt/credentials/client_secret) - if ! [ -f /opt/credentials/storage_account ]; then - export AZURE_STORAGE_ACCOUNT=$(cat /opt/credentials/storage_account) - fi - if ! [ -f /opt/credentials/storage_key ]; then - export AZURE_STORAGE_KEY=$(cat /opt/credentials/storage_key) - fi - - # Output folder - workspace_path=$(workspaces.pipelines-data.path)/$(params.ws-output-path) - mkdir -p ${workspace_path} - - # Remove lock - if [[ $(params.remove-lock) == "true" ]]; then - rm -rf ${workspace_path}/.pulumi/locks/* - fi + export ARM_TENANT_ID=$(cat /opt/az-credentials/tenant_id) + export ARM_SUBSCRIPTION_ID=$(cat /opt/az-credentials/subscription_id) + export ARM_CLIENT_ID=$(cat /opt/az-credentials/client_id) + export ARM_CLIENT_SECRET=$(cat /opt/az-credentials/client_secret) + export AZURE_STORAGE_ACCOUNT=$(cat /opt/az-credentials/storage_account) + export AZURE_STORAGE_KEY=$(cat /opt/az-credentials/storage_key) + BLOB=$(cat /opt/az-credentials/blob) # Run mapt cmd="mapt azure windows $(params.operation) " - cmd="$cmd --project-name $(params.project-name) " - if [[ $(params.backed-url) != "" ]]; then - cmd="$cmd --backed-url $(params.backed-url) " - else - cmd="$cmd --backed-url file://${workspace_path} " - fi + cmd="$cmd --project-name mapt-windows-$(params.id) " + cmd="$cmd --backed-url azblob://${BLOB}/windows-$(params.id) " if [[ $(params.operation) == "create" ]]; then - cmd="$cmd --conn-details-output ${workspace_path} " + cmd="$cmd --conn-details-output /opt/host-info " cmd="$cmd --windows-featurepack $(params.windows-featurepack) " cmd="$cmd --windows-version $(params.windows-version) " cmd="$cmd --cpus $(params.cpus) " 
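Review bot: The rewritten credentials block reads `storage_account`, `storage_key` and `blob` unconditionally, while the param description hunk at L12 still lists all three as "(optional if we use remote az storage)"; with `set -xuo` (no `-e`) a missing key makes `cat` fail non-fatally, leaving `BLOB` empty and the backed-url as `azblob:///windows-<id>`. Either mark the keys required in the description or fail fast, e.g. `[[ -s /opt/az-credentials/blob ]] || { echo "blob key missing in credentials secret"; exit 1; }`. The old `if ! [ -f … ]` guards had inverted logic, so dropping them is an improvement; the same block is repeated in the template hunk at L25. The provisioner script continues beyond this hunk.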
@@ -155,20 +157,7 @@ spec: cmd="$cmd --tags $(params.tags) " fi fi - eval "${cmd}" - - create_exit_code=$? - - # set task results - cat "${workspace_path}/host" | tee $(results.host.path) - cat "${workspace_path}/username" | tee $(results.username.path) - cat "${workspace_path}/userpassword" | tee $(results.userpassword.path) - echo -n "id_rsa" | tee $(results.key-filename.path) - - if [[ ${create_exit_code} -ne 0 ]]; then - exit 1 - fi - + eval "${cmd}" resources: requests: memory: "200Mi" @@ -176,3 +165,43 @@ spec: limits: memory: "600Mi" cpu: "300m" + - name: host-info-secret + image: registry.redhat.io/openshift4/ose-cli:4.13@sha256:e70eb2be867f1236b19f5cbfeb8e0625737ce0ec1369e32a4f9f146aaaf68d49 + env: + - name: NAMESPACE + value: $(context.taskRun.namespace) + volumeMounts: + - name: host-info + mountPath: /opt/host-info + script: | + #!/bin/bash + set -eo pipefail + if [[ $(params.operation) == "create" ]]; then + cat < host-info.yaml + apiVersion: v1 + kind: Secret + metadata: + generateName: mapt-azure-windows- + namespace: $NAMESPACE + type: Opaque + data: + host: $(cat /opt/host-info/host | base64 -w0) + username: $(cat /opt/host-info/username | base64 -w0) + id_rsa: $(cat /opt/host-info/id_rsa | base64 -w0) + EOF + + if [[ $(params.debug) == "true" ]]; then + cat /opt/host-info/* + fi + + NAME=$(oc create -f host-info.yaml -o=jsonpath='{.metadata.name}') + echo -n "${NAME}" | tee $(results.host-access-secret.path) + fi + + if [[ $(params.operation) == "destroy" ]]; then + if [[ $(params.host-access-secret) == "" ]]; then + echo "On destroy host-access-secret param is mandatory" + exit 1 + fi + oc delete secret $(params.host-access-secret) + fi diff --git a/tkn/template/infra-aws-fedora.yaml b/tkn/template/infra-aws-fedora.yaml index 2f7963f54..c6911e022 100644 --- a/tkn/template/infra-aws-fedora.yaml +++ b/tkn/template/infra-aws-fedora.yaml 
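Review bot: The removed result block read `${workspace_path}/userpassword` and exposed it as the `userpassword` result, but the Secret built by the new `host-info-secret` step carries only `host`, `username` and `id_rsa`; if mapt still writes `userpassword` into the conn-details directory (it did for the previous layout), the credential Windows users need for RDP is silently lost. Either add `userpassword: $(cat /opt/host-info/userpassword | base64 -w0)` to the heredoc, or document in the `host-access-secret` result that only key-based access is surfaced. The new step itself has the same secret-deletion, debug-logging and heredoc-terminator concerns raised on the AWS task at L7.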
@@ -6,22 +6,25 @@ metadata: labels: app.kubernetes.io/version: "" annotations: - tekton.dev/pipelines.minVersion: "0.24.x" + tekton.dev/pipelines.minVersion: "0.44.x" tekton.dev/categories: infrastructure tekton.dev/tags: infrastructure, aws, fedora tekton.dev/displayName: "aws manager" - tekton.dev/platforms: "linux/amd64" + tekton.dev/platforms: "linux/amd64,inux/arm64" spec: description: | Task provision a fedora dedicated on host on AWS - The machine will offer nested virtualizataion capabilities as so it should be spin on a dedicated (baremetal) machine - - workspaces: - - name: storage - description: volume to store outputs to connect within the target machine + state file for the infrastructure - mountPath: /opt/storage + volumes: - name: aws-credentials + secret: + secretName: $(params.secret-aws-credentials) + - name: host-info + emptyDir: {} + + params: + # mapt params + - name: secret-aws-credentials description: | ocp secret holding the aws credentials. Secret should be accessible to this task. 
@@ -38,22 +41,14 @@ spec: access-key: ${access_key} secret-key: ${secret_key} region: ${region} - mountPath: /opt/aws-credentials - - params: - # mapt params - - name: project-name - description: identifier for project. - - name: backed-url - description: | - If we want to backed resources externally we can use s3 setting this param(i.e s3://existing-bucket). - - If default will be store on storage workspace at path set by param ws-output-path. - default: "''" - - name: ws-output-path - description: path on workspace where to store ephemeral assets related with the provisioning + bucket: ${bucket} + - name: id + description: identifier for the provisioned environment - name: operation description: operation to execute within the infrastructure. Current values (create, destroy) + - name: host-access-secret + description: name from the secret holding the host-info created during create operation. This is required only destroy operation + default: "''" # VM type params - name: arch @@ -74,8 +69,8 @@ spec: # Fedora params - name: version - description: this task will spin a Fedora-Cloud image. This param will set the version for it. Default 40. - default: '40' + description: this task will spin a Fedora-Cloud image. This param will set the version for it. Default 41. + default: '41' # Topology params - name: airgap @@ -93,10 +88,6 @@ spec: description: tags for the resources created on the providers default: "''" - # Control params - - name: remove-lock - description: in case a previous run fails the stack can be locked. This value allows to control if remove lock - default: 'true' - name: debug description: | Warning setting this param to true expose credentials 
@@ -106,23 +97,36 @@ spec: default: 'false' results: - - name: host - description: ip to connect to the provisioned machine - - name: username - description: username to connect to the provisioned machine - - name: key - description: filename for the private key. The key is located at workspace-resources-path - - name: bastion-host - description: if airgap is set we get the bastion host as result - - name: bastion-username - description: if airgap is set we get the bastion username to connect as result - - name: bastion-key - description: if airgap is set we get the bastion filename for the private key. The key is located at workspace-resources-path - + - name: host-access-secret + description: | + ocp secret holding the information to connect with the target machine. + + --- + apiVersion: v1 + kind: Secret + metadata: + name: aws-${name} + labels: + app.kubernetes.io/component: ${name} + app.kubernetes.io/part-of: qe-platform + type: Opaque + data: + host: ${host} + username: ${username} + id_rsa: ${id_rsa} + # If airgap data for bastion host + bastion-host: ${bastion-host} + bastion-username: ${bastion-username} + bastion-id_rsa: ${bastion-id_rsa} steps: - name: provisioner image: imagePullPolicy: Always + volumeMounts: + - name: aws-credentials + mountPath: /opt/aws-credentials + - name: host-info + mountPath: /opt/host-info script: | #!/bin/sh 
@@ -135,27 +139,14 @@ spec: export AWS_ACCESS_KEY_ID=$(cat /opt/aws-credentials/access-key) export AWS_SECRET_ACCESS_KEY=$(cat /opt/aws-credentials/secret-key) export AWS_DEFAULT_REGION=$(cat /opt/aws-credentials/region) - - # Output folder - workspace_path=/opt/storage/$(params.ws-output-path) - mkdir -p ${workspace_path} - - # Remove lock - if [[ $(params.remove-lock) == "true" ]]; then - rm -rf ${workspace_path}/.pulumi/locks/* - fi + BUCKET=$(cat /opt/aws-credentials/bucket) # Run mapt cmd="mapt aws fedora $(params.operation) " - cmd="$cmd --project-name $(params.project-name) " - # Set the backed url - if [[ $(params.backed-url) != "" ]]; then - cmd="$cmd --backed-url $(params.backed-url) " - else - cmd="$cmd --backed-url file://${workspace_path} " - fi + cmd="$cmd --project-name mapt-fedora-$(params.id) " + cmd="$cmd --backed-url s3://${BUCKET}/mapt/fedora/$(params.id) " if [[ $(params.operation) == "create" ]]; then - cmd="$cmd --conn-details-output ${workspace_path} " + cmd="$cmd --conn-details-output /opt/host-info " cmd="$cmd --arch $(params.arch) " cmd="$cmd --cpus $(params.cpus) " cmd="$cmd --memory $(params.memory) " 
@@ -174,36 +165,6 @@ spec: fi fi eval "${cmd}" - - create_exit_code=$? - - # set task results - cat "${workspace_path}/host" | tee $(results.host.path) - cat "${workspace_path}/username" | tee $(results.username.path) - echo -n "id_rsa" | tee $(results.key.path) - if [[ $(params.airgap) == "true" ]]; then - cat "${workspace_path}/bastion_host" | tee $(results.bastion-host.path) - cat "${workspace_path}/bastion_username" | tee $(results.bastion-username.path) - echo -n "bastion_id_rsa" | tee $(results.bastion-key.path) - fi - - # If debug print credentials - if [[ $(params.debug) == "true" ]]; then - echo "Credentials to access target machine \n" - cat "${workspace_path}/host" - cat "${workspace_path}/username" - cat "${workspace_path}/id_rsa" - if [[ $(params.airgap) == "true" ]]; then - cat "${workspace_path}/bastion_host" - cat "${workspace_path}/bastion_username" - cat "${workspace_path}/bastion_id_rsa" - fi - fi - - if [[ ${create_exit_code} -ne 0 ]]; then - exit 1 - fi - resources: requests: memory: "200Mi" 
@@ -211,4 +172,50 @@ spec: limits: memory: "600Mi" cpu: "300m" - \ No newline at end of file + - name: host-info-secret + image: registry.redhat.io/openshift4/ose-cli:4.13@sha256:e70eb2be867f1236b19f5cbfeb8e0625737ce0ec1369e32a4f9f146aaaf68d49 + env: + - name: NAMESPACE + value: $(context.taskRun.namespace) + volumeMounts: + - name: host-info + mountPath: /opt/host-info + script: | + #!/bin/bash + set -eo pipefail + if [[ $(params.operation) == "create" ]]; then + cat < host-info.yaml + apiVersion: v1 + kind: Secret + metadata: + generateName: mapt-aws-fedora- + namespace: $NAMESPACE + type: Opaque + data: + host: $(cat /opt/host-info/host | base64 -w0) + username: $(cat /opt/host-info/username | base64 -w0) + id_rsa: $(cat /opt/host-info/id_rsa | base64 -w0) + EOF + if [[ $(params.airgap) == "true" ]]; then + cat <> host-info.yaml + bastion-host: $(cat /opt/host-info/bastion_host | base64 -w0) + bastion-username: $(cat /opt/host-info/bastion_username | base64 -w0) + bastion-id_rsa: $(cat /opt/host-info/bastion_id_rsa | base64 -w0) + EOF + fi + + if [[ $(params.debug) == "true" ]]; then + cat /opt/host-info/* + fi + + NAME=$(oc create -f host-info.yaml -o=jsonpath='{.metadata.name}') + echo -n "${NAME}" | tee $(results.host-access-secret.path) + fi + + if [[ $(params.operation) == "destroy" ]]; then + if [[ $(params.host-access-secret) == "" ]]; then + echo "On destroy host-access-secret param is mandatory" + exit 1 + fi + oc delete secret $(params.host-access-secret) + fi diff --git a/tkn/template/infra-azure-windows-desktop.yaml b/tkn/template/infra-azure-windows-desktop.yaml index e15e94b34..12f422181 100644 --- a/tkn/template/infra-azure-windows-desktop.yaml +++ b/tkn/template/infra-azure-windows-desktop.yaml 
@@ -6,21 +6,26 @@ metadata: labels: app.kubernetes.io/version: "" annotations: - tekton.dev/pipelines.minVersion: "0.24.x" + tekton.dev/pipelines.minVersion: "0.44.x" tekton.dev/categories: infrastructure tekton.dev/tags: infrastructure, azure tekton.dev/displayName: "azure manager" - tekton.dev/platforms: "linux/amd64" + tekton.dev/platforms: "linux/amd64,linux/arm64" spec: description: | This task will provision / decomission windows desktop machines on azure The output will give required information to connect within the remote provisioned host - workspaces: - - name: pipelines-data - description: workspace to store outputs to connect within the target machine + state file for the infrastructure + volumes: - name: az-credentials + secret: + secretName: $(params.secret-az-credentials) + - name: host-info + emptyDir: {} + + params: + - name: secret-az-credentials description: | ocp secret holding the azure credentials. Secret should be accessible to this task. 
@@ -31,22 +36,14 @@ spec: * client_secret * storage_account (optional if we use remote az storage) * storage_key (optional if we use remote az storage) - mountPath: /opt/credentials - - params: - - name: project-name - description: identifier for project. - - name: backed-url - description: | - If we want to backed resources externally we can use az storage setting this param(i.e azblob://existing-storage). - - If default will be store on storage workspace at path set by param ws-output-path. - default: "''" - - name: ws-output-path - description: path on workspace where to store ephemeral assets related with the provisioning + * blob (optional if we use remote az storage) + - name: id + description: identifier for the provisioned environment - name: operation description: operation to execute within the infrastructure. Current values (create, destroy) - default: create + - name: host-access-secret + description: name from the secret holding the host-info created during create operation. This is required only destroy operation + default: "''" # VM type params - name: cpus 
@@ -85,21 +82,42 @@ spec: - name: remove-lock description: in case a previous run fails the stack can be locked. This value allows to control if remove lock default: 'true' + - name: debug + description: | + Warning setting this param to true expose credentials + + The parameter is intended to add verbosity on the task execution and also print credentials on stdout + to easily access to remote machice + default: 'false' results: - - name: host - description: ip to connect to the provisioned machine - - name: username - description: username to connect to the provisioned machine - - name: userpassword - description: password for the user to connect to the provisioned machine - - name: key-filename - description: filename for the private key. The key is located at ws-output-path + - name: host-access-secret + description: | + ocp secret holding the information to connect with the target machine. + + --- + apiVersion: v1 + kind: Secret + metadata: + name: aws-${name} + labels: + app.kubernetes.io/component: ${name} + app.kubernetes.io/part-of: qe-platform + type: Opaque + data: + host: ${host} + username: ${username} + id_rsa: ${id_rsa} steps: - name: provisioner image: imagePullPolicy: Always + volumeMounts: + - name: az-credentials + mountPath: /opt/az-credentials + - name: host-info + mountPath: /opt/host-info script: | #!/bin/sh 
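Review bot: The example under the `host-access-secret` result does not match what the task actually creates: it shows `name: aws-${name}` with `app.kubernetes.io/*` labels, while the `host-info-secret` step uses `generateName: mapt-azure-windows-` and sets no labels, so a consumer selecting by label or name prefix would find nothing. The `aws-` prefix looks copied from the fedora task; either align the example with the step (`generateName: mapt-azure-windows-`, no labels) or state that it is illustrative. The `debug` warning could also name what is exposed, e.g. `Warning: with this set to true the host, username and id_rsa private key are printed to the task log`.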
@@ -107,36 +125,20 @@ spec: set -xuo # Credentials - export ARM_TENANT_ID=$(cat /opt/credentials/tenant_id) - export ARM_SUBSCRIPTION_ID=$(cat /opt/credentials/subscription_id) - export ARM_CLIENT_ID=$(cat /opt/credentials/client_id) - export ARM_CLIENT_SECRET=$(cat /opt/credentials/client_secret) - if ! [ -f /opt/credentials/storage_account ]; then - export AZURE_STORAGE_ACCOUNT=$(cat /opt/credentials/storage_account) - fi - if ! [ -f /opt/credentials/storage_key ]; then - export AZURE_STORAGE_KEY=$(cat /opt/credentials/storage_key) - fi - - # Output folder - workspace_path=$(workspaces.pipelines-data.path)/$(params.ws-output-path) - mkdir -p ${workspace_path} - - # Remove lock - if [[ $(params.remove-lock) == "true" ]]; then - rm -rf ${workspace_path}/.pulumi/locks/* - fi + export ARM_TENANT_ID=$(cat /opt/az-credentials/tenant_id) + export ARM_SUBSCRIPTION_ID=$(cat /opt/az-credentials/subscription_id) + export ARM_CLIENT_ID=$(cat /opt/az-credentials/client_id) + export ARM_CLIENT_SECRET=$(cat /opt/az-credentials/client_secret) + export AZURE_STORAGE_ACCOUNT=$(cat /opt/az-credentials/storage_account) + export AZURE_STORAGE_KEY=$(cat /opt/az-credentials/storage_key) + BLOB=$(cat /opt/az-credentials/blob) # Run mapt cmd="mapt azure windows $(params.operation) " - cmd="$cmd --project-name $(params.project-name) " - if [[ $(params.backed-url) != "" ]]; then - cmd="$cmd --backed-url $(params.backed-url) " - else - cmd="$cmd --backed-url file://${workspace_path} " - fi + cmd="$cmd --project-name mapt-windows-$(params.id) " + cmd="$cmd --backed-url azblob://${BLOB}/windows-$(params.id) " if [[ $(params.operation) == "create" ]]; then - cmd="$cmd --conn-details-output ${workspace_path} " + cmd="$cmd --conn-details-output /opt/host-info " cmd="$cmd --windows-featurepack $(params.windows-featurepack) " cmd="$cmd --windows-version $(params.windows-version) " cmd="$cmd --cpus $(params.cpus) " 
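Review bot: The credential exports now run unconditionally under `set -xuo`, so the expanded `export ARM_CLIENT_SECRET=...` and `export AZURE_STORAGE_KEY=...` lines, secret values included, are echoed by xtrace into the task log; the block should be bracketed with `set +x` / `set -x`. Because `-e` is not set and `$(cat missing-file)` just yields an empty string, a credentials secret without `storage_key` or `blob` is not detected and mapt is invoked with `--backed-url azblob:///windows-...`, so a presence check on the expected keys is needed before the exports. `$(params.id)` is also interpolated into `cmd`, which is later passed to `eval`, without any validation; restricting it to `[A-Za-z0-9-]` closes that off. The provisioner script continues past this hunk.
```yaml
      script: |
        # … unchanged: shebang, set -xuo …
        # Credentials: xtrace is off while secret values are read so they never reach the task log
        set +x
        for f in tenant_id subscription_id client_id client_secret storage_account storage_key blob; do
          [ -s "/opt/az-credentials/${f}" ] || { echo "az-credentials secret is missing key '${f}'" >&2; exit 1; }
        done
        export ARM_TENANT_ID=$(cat /opt/az-credentials/tenant_id)
        export ARM_SUBSCRIPTION_ID=$(cat /opt/az-credentials/subscription_id)
        export ARM_CLIENT_ID=$(cat /opt/az-credentials/client_id)
        export ARM_CLIENT_SECRET=$(cat /opt/az-credentials/client_secret)
        export AZURE_STORAGE_ACCOUNT=$(cat /opt/az-credentials/storage_account)
        export AZURE_STORAGE_KEY=$(cat /opt/az-credentials/storage_key)
        BLOB=$(cat /opt/az-credentials/blob)
        set -x

        # id is interpolated into a string that is eval'd below: only allow a safe charset
        case "$(params.id)" in
          ""|*[!A-Za-z0-9-]*) echo "invalid id: only [A-Za-z0-9-] allowed" >&2; exit 1 ;;
        esac
        # … unchanged: mapt command assembly (cmd=...) …
```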
@@ -155,20 +157,7 @@ spec:
             cmd="$cmd --tags $(params.tags) "
           fi
         fi
-        eval "${cmd}"
-
-        create_exit_code=$?
-
-        # set task results
-        cat "${workspace_path}/host" | tee $(results.host.path)
-        cat "${workspace_path}/username" | tee $(results.username.path)
-        cat "${workspace_path}/userpassword" | tee $(results.userpassword.path)
-        echo -n "id_rsa" | tee $(results.key-filename.path)
-
-        if [[ ${create_exit_code} -ne 0 ]]; then
-          exit 1
-        fi
-
+        eval "${cmd}"
       resources:
         requests:
           memory: "200Mi"
@@ -176,3 +165,43 @@ spec:
         limits:
           memory: "600Mi"
           cpu: "300m"
+    - name: host-info-secret
+      image: registry.redhat.io/openshift4/ose-cli:4.13@sha256:e70eb2be867f1236b19f5cbfeb8e0625737ce0ec1369e32a4f9f146aaaf68d49
+      env:
+        - name: NAMESPACE
+          value: $(context.taskRun.namespace)
+      volumeMounts:
+        - name: host-info
+          mountPath: /opt/host-info
+      script: |
+        #!/bin/bash
+        set -eo pipefail
+        if [[ $(params.operation) == "create" ]]; then
+          cat < host-info.yaml
+          apiVersion: v1
+          kind: Secret
+          metadata:
+            generateName: mapt-azure-windows-
+            namespace: $NAMESPACE
+          type: Opaque
+          data:
+            host: $(cat /opt/host-info/host | base64 -w0)
+            username: $(cat /opt/host-info/username | base64 -w0)
+            id_rsa: $(cat /opt/host-info/id_rsa | base64 -w0)
+          EOF
+
+          if [[ $(params.debug) == "true" ]]; then
+            cat /opt/host-info/*
+          fi
+
+          NAME=$(oc create -f host-info.yaml -o=jsonpath='{.metadata.name}')
+          echo -n "${NAME}" | tee $(results.host-access-secret.path)
+        fi
+
+        if [[ $(params.operation) == "destroy" ]]; then
+          if [[ $(params.host-access-secret) == "" ]]; then
+            echo "On destroy host-access-secret param is mandatory"
+            exit 1
+          fi
+          oc delete secret $(params.host-access-secret)
+        fi
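Review bot: In the destroy branch of the new `host-info-secret` step, `oc delete secret $(params.host-access-secret)` runs under `set -eo pipefail` after the provisioner step has already torn down the machine, so a secret that was removed earlier (or a typo in the name) fails the whole run even though the infrastructure is gone; `oc delete secret --ignore-not-found $(params.host-access-secret)` makes the step idempotent. On the create side, if `oc create` fails the VM stays provisioned while the only copy of its `id_rsa` and username lives in the step's emptyDir, so the failure should at least be logged as "machine created but host-info secret not stored" so the operator knows to destroy it. The `cat < host-info.yaml` line reads as a rendering of `cat <<EOF > host-info.yaml`; if it is literally what is committed, the heredoc never gets written and `oc create` fails on a missing file.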