airship/charts
Code Issues Proposed changes

feat(ldap): adds LDAP group to gerrit repo

Browse Source 
This adds LDAP group as memeber to the gerrit project in the repository.

Signed-off-by: Tin Lam <tin@irrational.io>
Change-Id: I8e619a9033b9a25d546a458225b921b18222a8f8
This commit is contained in:
Tin Lam 2021-03-05 09:16:22 -06:00
parent 8377c131d9
commit 710dbe71ae
19 changed files with 115 additions and 68 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
charts/gerrit/values_overrides/default.yaml
View File

@ -59,8 +59,11 @@ gerrit:
accountBase = ou=Users,dc=jarvis,dc=local
accountPattern = (&(objectClass=inetOrgPerson)(uid=${username}))
accountFullName = ${cn}
accountScope = sub
groupBase = ou=Groups,dc=jarvis,dc=local
groupMemberPattern = (member=${dn})
groupScope = sub
groupPattern = (&(objectClass=groupOfUniqueNames)(cn=${groupname}))
groupMemberPattern = (&(objectClass=groupOfUniqueNames)(uniqueMember=${dn}))
localUsernameToLowerCase = true
[httpd]
# If using an ingress use proxy-http or proxy-https
@ -92,4 +95,4 @@ gerrit:
# [remote "replica"]
# url = http://gerrit-replica.example.com/git/${name}.git
# replicationDelay = 0
# timeout = 30
# timeout = 30

27
charts/jarvis-project/templates/Job-project.yaml
View File

@ -32,10 +32,15 @@ spec:
key: gerrit-username
- name: GERRIT_HOST
value: {{ .Values.params.gerrit.host }}
- name: GERRIT_LDAP_CN
valueFrom:
secretKeyRef:
name: {{ template "helpers.labels.fullname" . }}
key: gerrit-ldap-group-cn
- name: GERRIT_URL
value: "https://{{ .Values.params.gerrit.host }}"
value: {{ printf "https://%s" $.Values.params.gerrit.host | quote }}
- name: HARBOR_URL
value: "https://{{ .Values.params.harbor.host }}"
value: {{ printf "https://%s" $.Values.params.harbor.host | quote }}
- name: PROJECT_LDAP_DN
valueFrom:
secretKeyRef:
@ -50,26 +55,22 @@ spec:
- sh
- -cex
- |
alias gerrit_ssh="ssh -oStrictHostKeyChecking=accept-new -oUserKnownHostsFile=/dev/null -p 29418 \
-i /run/jarvis/secret/gerrit-ssh-key ${GERRIT_USERNAME}@${GERRIT_HOST} "
# Create gerrit repo
( \
ssh -oStrictHostKeyChecking=accept-new -oUserKnownHostsFile=/dev/null \
-p 29418 \
-i /run/jarvis/secret/gerrit-ssh-key "${GERRIT_USERNAME}@${GERRIT_HOST}" \
gerrit_ssh \
gerrit ls-projects -r "^$JARVIS_PROJECT_NAME\$" | grep -q "^${JARVIS_PROJECT_NAME}\$" \
&&
ssh -oStrictHostKeyChecking=accept-new -oUserKnownHostsFile=/dev/null \
-p 29418 \
-i /run/jarvis/secret/gerrit-ssh-key "${GERRIT_USERNAME}@${GERRIT_HOST}" \
gerrit_ssh \
gerrit set-project-parent \
{{ if eq $.Values.config.ci.verify true }} --parent Verified-Label-Projects {{ else }} --parent Non-Verified-Label-Projects {{ end }} \
--children-of Non-Verified-Label-Projects \
) \
|| \
ssh -oStrictHostKeyChecking=accept-new -oUserKnownHostsFile=/dev/null \
-p 29418 \
-i /run/jarvis/secret/gerrit-ssh-key ${GERRIT_USERNAME}@${GERRIT_HOST} \
gerrit create-project "${JARVIS_PROJECT_NAME}" \
--owner Administrators \
gerrit_ssh gerrit create-project "${JARVIS_PROJECT_NAME}" \
--owner Administrators --owner ldap/${GERRIT_LDAP_CN} \
{{ if eq $.Values.config.ci.verify true }} --parent Verified-Label-Projects {{ else }} --parent Non-Verified-Label-Projects {{ end }} \
--submit-type MERGE_IF_NECESSARY \
--empty-commit

1
charts/jarvis-project/templates/Secret-project.yaml
View File

@ -11,6 +11,7 @@ data:
gerrit-ssh-key: "{{ b64enc ( .Values.params.gerrit.ssh_key ) }}"
harbor-project-ldap-dn: "{{ b64enc ( .Values.params.harbor.member_ldap_dn.project ) }}"
harbor-staging-ldap-dn: "{{ b64enc ( .Values.params.harbor.member_ldap_dn.staging ) }}"
gerrit-ldap-group-cn: "{{ b64enc ( .Values.params.gerrit.ldap_group_cn ) }}"
...
{{- end -}}
{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "Secret-project" ) }}

1
charts/jarvis-project/values.yaml
View File

@ -24,6 +24,7 @@ params:
password: ""
ssh_key: ""
host: gerrit.jarvis.local
ldap_group_cn: ""
harbor:
host: harbor-core.jarvis.local
member_ldap_dn:

4
charts/jarvis-system/templates/Secret-gerrit.yaml
View File

@ -8,6 +8,8 @@ metadata:
data:
gerrit-authfile: "{{ b64enc ( printf "%s:%s" .Values.params.gerrit.user .Values.params.gerrit.password ) }}"
gerrit-netrc: "{{ b64enc ( printf "machine %s login %s password %s" "gerrit.jarvis.local" .Values.params.gerrit.user .Values.params.gerrit.password ) }}"
gerrit-user: "{{ b64enc (.Values.params.gerrit.user) }}"
gerrit-password: "{{ b64enc (.Values.params.gerrit.password) }}"
...
{{- end -}}
{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "Secret-gerrit" ) }}
{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "Secret-gerrit" ) }}

12
charts/jarvis-system/templates/Task-createProjectAccess.yaml
View File

@ -123,9 +123,8 @@ spec:
- name: checkout-repo
image: {{ include "helpers.pod.container.image" ( dict "Global" $ "Application" "task_git" ) }}
script: |
#!/bin/sh
set -eu -o pipefail -x
#!/bin/bash
set -ex
# A change ref has the format refs/changes/X/Y/Z where X is
# the last two digits of the change number, Y is the entire
# change number, and Z is the patch set. For example, if
@ -134,7 +133,6 @@ spec:
change_ref="refs/changes/$(echo "0$(params.changeNumber)" | awk '{ print substr( $0, length($0) - 1, length($0) ) }')/$(params.changeNumber)/$(params.patchSetNumber)"
echo $change_ref
CHECKOUT_DIR="$(workspaces.output.path)"
cleandir() {
@ -142,7 +140,7 @@ spec:
#
# We don't just "rm -rf $CHECKOUT_DIR" because $CHECKOUT_DIR might be "/"
# or the root of a mounted volume.
if [[ -d "$CHECKOUT_DIR" ]] ; then
if [ -d "$CHECKOUT_DIR" ] ; then
# Delete non-hidden files and directories
rm -rf "$CHECKOUT_DIR"/*
# Delete files and directories starting with . but excluding ..
@ -157,6 +155,10 @@ spec:
git init
git config http.sslVerify "false"
git config advice.detachedHead "false"
set +x
git config credential.username $(kubectl -n {{ $.Release.Namespace }} get secret {{ template "helpers.labels.fullname" . }}-gerrit -o=json | jq -r '.data."gerrit-user"' | base64 -d)
git config credential.helper "!echo password=$(kubectl -n {{ $.Release.Namespace }} get secret {{ template "helpers.labels.fullname" . }}-gerrit -o=json | jq -r '.data."gerrit-password"' | base64 -d); echo"
set -x
git fetch $(params.repoRoot)/$(params.project) $change_ref
git checkout FETCH_HEAD

6
charts/jarvis-system/values.yaml
View File

@ -9,9 +9,9 @@ images:
name: attcomdev/jarvis-connector
repo: quay.io
task_git:
tag: v0.18.1
name: tekton-releases/github.com/tektoncd/pipeline/cmd/git-init
repo: gcr.io
tag: "1.0"
name: standard-container
repo: docker.io
task_create_namespace:
tag: "1.0"
name: standard-container

8
tools/gate/jarvis/500-deploy-gerrit.sh
View File

@ -145,19 +145,19 @@ function gerrit_bootstrap() {
streamEvents = group Service Users
[access "refs/*"]
read = group Administrators
read = group Anonymous Users
read = group Project Owners
revert = group Registered Users
[access "refs/for/*"]
addPatchSet = group Registered Users
[access "refs/for/refs/*"]
push = group Registered Users
pushMerge = group Registered Users
push = group Project Owners
pushMerge = group Project Owners
[access "refs/heads/*"]
create = group Administrators
create = group Project Owners
editTopicName = +force group Administrators
editTopicName = +force group Project Owners
forgeAuthor = group Registered Users
forgeAuthor = group Project Owners
forgeCommitter = group Administrators
forgeCommitter = group Project Owners
push = group Administrators

34
tools/gate/jarvis/5G-SA-core/amf/jarvis/development-pipeline/templates/config_map.yaml
View File

@ -5,26 +5,28 @@ metadata:
data:
cluster.json: |
{
"namespace": "{{ $.Values.namespace }}",
"use_existing_cluster": "true"
"namespace": "{{ $.Values.namespace }}",
"use_existing_cluster": "true"
}
image.json: |
[
{
"image_from": "harbor-core.jarvis.local/library/ubuntu:focal",
"build_from_source": true,
"image_name": "amf",
"project": "amf",
"repo": "amf",
"image_fullname": "amf/amf:1.0",
"path": "images/amf",
"namespace": "{{ $.Values.namespace }}",
"build": {
"image_from": "harbor-core.jarvis.local/library/ubuntu:focal",
"build_from_source": true,
"image_name": "amf",
"project": "amf",
"repo": "amf",
"image_fullname": "amf/amf:1.0",
"path": "images/amf",
"namespace": "{{ $.Values.namespace }}",
"build": {
"git_repo": "{{ $.Values.git_repo }}",
"target_loc": "/src/checkout/amf",
"refspec": "{{ $.Values.refspec }}",
"version": "refs/changes/*:refs/changes/*"
}
"version": "refs/changes/*:refs/changes/*",
"user": "jarvis",
"password": "password"
}
}
]
chart.json: |
@ -39,7 +41,9 @@ data:
"git_repo": "{{ $.Values.git_repo }}",
"target_loc": "/src/checkout/amf",
"refspec": "{{ $.Values.refspec }}",
"version": "refs/changes/*:refs/changes/*"
"version": "refs/changes/*:refs/changes/*",
"user": "jarvis",
"password": "password"
},
"namespace": "{{ $.Values.namespace }}",
"release_name": "amf",
@ -88,5 +92,5 @@ data:
}
cleanup.json: |
{
"remove_artifacts": "true"
"remove_artifacts": "true"
}

8
tools/gate/jarvis/5G-SA-core/ausf/jarvis/development-pipeline/templates/config_map.yaml
View File

@ -23,7 +23,9 @@ data:
"git_repo": "{{ $.Values.git_repo }}",
"target_loc": "/src/checkout/ausf",
"refspec": "{{ $.Values.refspec }}",
"version": "refs/changes/*:refs/changes/*"
"version": "refs/changes/*:refs/changes/*",
"user": "jarvis",
"password": "password"
}
}
]
@ -39,7 +41,9 @@ data:
"git_repo": "{{ $.Values.git_repo }}",
"target_loc": "/src/checkout/ausf",
"refspec": "{{ $.Values.refspec }}",
"version": "refs/changes/*:refs/changes/*"
"version": "refs/changes/*:refs/changes/*",
"user": "jarvis",
"password": "password"
},
"namespace": "{{ $.Values.namespace }}",
"release_name": "ausf",

8
tools/gate/jarvis/5G-SA-core/mongodb/jarvis/development-pipeline/templates/config_map.yaml
View File

@ -20,7 +20,9 @@ data:
"path": "",
"build": {
"git_repo": "docker.io/bitnami/mongodb-sharded",
"tag": "4.4.3-debian-10-r44"
"tag": "4.4.3-debian-10-r44",
"user": "",
"password": ""
}
}
]
@ -35,7 +37,9 @@ data:
"build": {
"name": "https://charts.bitnami.com/bitnami",
"local_repo": "bitnami_mongodb",
"target_loc": "/src/fetch/charts"
"target_loc": "/src/fetch/charts",
"user": "jarvis",
"password": "password"
},
"namespace": "{{ $.Values.namespace }}",
"release_name": "mongodb-bitnami",

8
tools/gate/jarvis/5G-SA-core/nrf/jarvis/development-pipeline/templates/config_map.yaml
View File

@ -23,7 +23,9 @@ data:
"git_repo": "{{ $.Values.git_repo }}",
"target_loc": "/src/checkout/nrf",
"refspec": "{{ $.Values.refspec }}",
"version": "refs/changes/*:refs/changes/*"
"version": "refs/changes/*:refs/changes/*",
"user": "jarvis",
"password": "password"
}
}
]
@ -39,7 +41,9 @@ data:
"git_repo": "{{ $.Values.git_repo }}",
"target_loc": "/src/checkout/nrf",
"refspec": "{{ $.Values.refspec }}",
"version": "refs/changes/*:refs/changes/*"
"version": "refs/changes/*:refs/changes/*",
"user": "jarvis",
"password": "password"
},
"namespace": "{{ $.Values.namespace }}",
"release_name": "nrf",

8
tools/gate/jarvis/5G-SA-core/pcf/jarvis/development-pipeline/templates/config_map.yaml
View File

@ -23,7 +23,9 @@ data:
"git_repo": "{{ $.Values.git_repo }}",
"target_loc": "/src/checkout/pcf",
"refspec": "{{ $.Values.refspec }}",
"version": "refs/changes/*:refs/changes/*"
"version": "refs/changes/*:refs/changes/*",
"user": "jarvis",
"password": "password"
}
}
]
@ -39,7 +41,9 @@ data:
"git_repo": "{{ $.Values.git_repo }}",
"target_loc": "/src/checkout/pcf",
"refspec": "{{ $.Values.refspec }}",
"version": "refs/changes/*:refs/changes/*"
"version": "refs/changes/*:refs/changes/*",
"user": "jarvis",
"password": "password"
},
"namespace": "{{ $.Values.namespace }}",
"release_name": "pcf",

8
tools/gate/jarvis/5G-SA-core/smf/jarvis/development-pipeline/templates/config_map.yaml
View File

@ -23,7 +23,9 @@ data:
"git_repo": "{{ $.Values.git_repo }}",
"target_loc": "/src/checkout/smf",
"refspec": "{{ $.Values.refspec }}",
"version": "refs/changes/*:refs/changes/*"
"version": "refs/changes/*:refs/changes/*",
"user": "jarvis",
"password": "password"
}
}
]
@ -39,7 +41,9 @@ data:
"git_repo": "{{ $.Values.git_repo }}",
"target_loc": "/src/checkout/smf",
"refspec": "{{ $.Values.refspec }}",
"version": "refs/changes/*:refs/changes/*"
"version": "refs/changes/*:refs/changes/*",
"user": "jarvis",
"password": "password"
},
"namespace": "{{ $.Values.namespace }}",
"release_name": "smf",

8
tools/gate/jarvis/5G-SA-core/udm/jarvis/development-pipeline/templates/config_map.yaml
View File

@ -23,7 +23,9 @@ data:
"git_repo": "{{ $.Values.git_repo }}",
"target_loc": "/src/checkout/udm",
"refspec": "{{ $.Values.refspec }}",
"version": "refs/changes/*:refs/changes/*"
"version": "refs/changes/*:refs/changes/*",
"user": "jarvis",
"password": "password"
}
}
]
@ -39,7 +41,9 @@ data:
"git_repo": "{{ $.Values.git_repo }}",
"target_loc": "/src/checkout/udm",
"refspec": "{{ $.Values.refspec }}",
"version": "refs/changes/*:refs/changes/*"
"version": "refs/changes/*:refs/changes/*",
"user": "jarvis",
"password": "password"
},
"namespace": "{{ $.Values.namespace }}",
"release_name": "udm",

8
tools/gate/jarvis/5G-SA-core/udr/jarvis/development-pipeline/templates/config_map.yaml
View File

@ -23,7 +23,9 @@ data:
"git_repo": "{{ $.Values.git_repo }}",
"target_loc": "/src/checkout/udr",
"refspec": "{{ $.Values.refspec }}",
"version": "refs/changes/*:refs/changes/*"
"version": "refs/changes/*:refs/changes/*",
"user": "jarvis",
"password": "password"
}
}]
chart.json: |
@ -38,7 +40,9 @@ data:
"git_repo": "{{ $.Values.git_repo }}",
"target_loc": "/src/checkout/udr",
"refspec": "{{ $.Values.refspec }}",
"version": "refs/changes/*:refs/changes/*"
"version": "refs/changes/*:refs/changes/*",
"user": "jarvis",
"password": "password"
},
"namespace": "{{ $.Values.namespace }}",
"release_name": "udr",

13
tools/gate/jarvis/800-deploy-jarvis-projects.sh
View File

@ -17,7 +17,7 @@ EOF
generate_gerrit_creds_override
COUNTER=0
for jarvis_project in `find ./tools/gate/jarvis/5G-SA-core -maxdepth 1 -mindepth 1 -type d -printf '%f\n'`; do
for jarvis_project in $(find ./tools/gate/jarvis/5G-SA-core -maxdepth 1 -mindepth 1 -type d -printf '%f\n'); do
# Half of Jarvis-Projects will be made with required CI, half will be made with optional CI to
# offer examples to developers using Jarvis.
if (( COUNTER % 2 ));
@ -37,6 +37,8 @@ params:
member_ldap_dn:
project: cn=${jarvis_project}-harbor-users-group,ou=Groups,dc=jarvis,dc=local
staging: cn=${jarvis_project}-harbor-staging-users-group,ou=Groups,dc=jarvis,dc=local
gerrit:
ldap_group_cn: ${jarvis_project}-dev-users-group
EOF
# shellcheck disable=SC2046
@ -76,7 +78,7 @@ EOF
git add -A
git commit -asm "Add project code and .gitreview file"
git review
change_id=`git log -1 | grep Change-Id: | awk '{print $2}'`
change_id=$(git log -1 | grep Change-Id: | awk '{print $2}')
popd
sleep 180
if (( COUNTER == 0 ));
@ -88,13 +90,14 @@ EOF
done
voting_ci="false"
for jarvis_project in `find ./tools/gate/jarvis/5G-SA-core -maxdepth 1 -mindepth 1 -type d -printf '%f\n'`; do
for jarvis_project in $(find ./tools/gate/jarvis/5G-SA-core -maxdepth 1 -mindepth 1 -type d -printf '%f\n'); do
echo "--- processing ${jarvis_project} with voting_ci = ${voting_ci}"
# Check jarvis pipeline run
end=$(date +%s)
timeout="4000"
end=$((end + timeout))
while true; do
result="$(curl -L https://gerrit.jarvis.local/changes/${CHANGE_ID_COUNTER}/revisions/1/checks | tail -1 | jq -r .[].state)"
result="$(curl -u jarvis:password -SsL https://gerrit.jarvis.local/a/changes/${CHANGE_ID_COUNTER}/revisions/1/checks | tail -1 | jq -r .[].state)"
[ $result == "SUCCESSFUL" ] && break || true
[ $result == "FAILED" ] && exit 1 || true
sleep 25
@ -111,7 +114,7 @@ for jarvis_project in `find ./tools/gate/jarvis/5G-SA-core -maxdepth 1 -mindepth
end=$((end + timeout))
while true; do
# Check that Jarvis-System has reported the success of the pipeline run to Gerrit, by checking the value of the Verified label
VERIFIED="$(curl -L https://gerrit.jarvis.local/changes/${CHANGE_ID_COUNTER}/revisions/1/review/ | tail -1 | jq -r .labels.Verified.all[0].value)"
VERIFIED="$(curl -u jarvis:password -SsL https://gerrit.jarvis.local/a/changes/${CHANGE_ID_COUNTER}/revisions/1/review/ | tail -1 | jq -r .labels.Verified.all[0].value)"
[ "$VERIFIED" == 1 ] && break || true
sleep 5
now=$(date +%s)

2
tools/gate/jarvis/standard-container/assets/playbooks/git-microflow.yaml
View File

@ -11,7 +11,7 @@
- name: Run git clone task
include_tasks: ./roles/git/tasks/main.yaml
when: data.stdout_lines |length > 0
when: data.stdout_lines | length > 0
loop: "{{ data.stdout_lines | map('from_json') | batch(clone_async_batch_size) | list }}"
loop_control:
loop_var: "repos"

12
tools/gate/jarvis/standard-container/assets/playbooks/roles/git/tasks/main.yaml
View File

@ -4,11 +4,13 @@
_delay: "{{ git_check_status_delay | default(3) }}"
- name: Run async git clone
git:
repo: "{{ repo.build.git_repo }}"
dest: "{{ repo.build.target_loc }}"
version: "{{ repo.build.refspec }}"
refspec: "refs/changes/*:refs/changes/*"
shell: |
if [ -n "{{ repo.build.user | default("", true) }}" ] && [ -n "{{ repo.build.password | default("", true) }}" ]; then \
git config --global credential.username {{ repo.build.user }} && git config --global credential.helper "!echo password={{ repo.build.password }}; echo"; \
fi
git clone {{ repo.build.git_repo }} {{ repo.build.target_loc }};
cd {{ repo.build.target_loc }};
git pull {{ repo.build.git_repo }} {{ repo.build.refspec }};
async: "{{ _async }}"
poll: 0
loop: "{{ repos }}"