From 73bdf1f2df9b52852344a546cf239e3738d6210d Mon Sep 17 00:00:00 2001 From: "James E. Blair" Date: Wed, 31 Jan 2024 14:34:52 -0800 Subject: [PATCH] Add zuul-tenant-conf-check role/job This performs static validation of Zuul tenant config files. Change-Id: I5d439d6cfb963e55d07b2a0058de76f030fe47b3 --- doc/source/general-jobs.rst | 1 + doc/source/general-roles.rst | 1 + playbooks/zuul-tenant-conf-check/pre.yaml | 3 + playbooks/zuul-tenant-conf-check/run.yaml | 3 + roles/zuul-tenant-conf-check/README.rst | 50 +++++++++++++++++ .../zuul-tenant-conf-check/defaults/main.yaml | 1 + roles/zuul-tenant-conf-check/tasks/main.yaml | 53 ++++++++++++++++++ .../zuul-tenant-conf-check/main.yaml | 8 +++ .../zuul-tenant-conf-check/zuul.conf | 22 ++++++++ zuul-tests.d/general-roles-jobs.yaml | 13 +++++ zuul.d/general-jobs.yaml | 55 +++++++++++++++++++ 11 files changed, 210 insertions(+) create mode 100644 playbooks/zuul-tenant-conf-check/pre.yaml create mode 100644 playbooks/zuul-tenant-conf-check/run.yaml create mode 100644 roles/zuul-tenant-conf-check/README.rst create mode 100644 roles/zuul-tenant-conf-check/defaults/main.yaml create mode 100644 roles/zuul-tenant-conf-check/tasks/main.yaml create mode 100644 test-playbooks/zuul-tenant-conf-check/main.yaml create mode 100644 test-playbooks/zuul-tenant-conf-check/zuul.conf diff --git a/doc/source/general-jobs.rst b/doc/source/general-jobs.rst index 751fb6bff..b0856fbf8 100644 --- a/doc/source/general-jobs.rst +++ b/doc/source/general-jobs.rst @@ -12,3 +12,4 @@ General Purpose Jobs .. zuul:autojob:: shake-build .. zuul:autojob:: upload-git-mirror .. zuul:autojob:: validate-zone-db +.. zuul:autojob:: zuul-tenant-conf-check diff --git a/doc/source/general-roles.rst b/doc/source/general-roles.rst index cb278a343..1eada46f6 100644 --- a/doc/source/general-roles.rst +++ b/doc/source/general-roles.rst 
@@ -59,3 +59,4 @@ General Purpose Roles .. zuul:autorole:: validate-zone-db .. zuul:autorole:: version-from-git .. zuul:autorole:: write-inventory +.. zuul:autorole:: zuul-tenant-conf-check diff --git a/playbooks/zuul-tenant-conf-check/pre.yaml b/playbooks/zuul-tenant-conf-check/pre.yaml new file mode 100644 index 000000000..4db32be83 --- /dev/null +++ b/playbooks/zuul-tenant-conf-check/pre.yaml @@ -0,0 +1,3 @@ +- hosts: all + roles: + - ensure-docker diff --git a/playbooks/zuul-tenant-conf-check/run.yaml b/playbooks/zuul-tenant-conf-check/run.yaml new file mode 100644 index 000000000..cea420517 --- /dev/null +++ b/playbooks/zuul-tenant-conf-check/run.yaml @@ -0,0 +1,3 @@ +- hosts: all + roles: + - zuul-tenant-conf-check diff --git a/roles/zuul-tenant-conf-check/README.rst b/roles/zuul-tenant-conf-check/README.rst new file mode 100644 index 000000000..77de6dcdd --- /dev/null +++ b/roles/zuul-tenant-conf-check/README.rst 
@@ -0,0 +1,50 @@
+Run the zuul-admin tenant-conf-check command.
+
+This requires a partial zuul.conf (it only needs the connection
+entries, and those without any credential information) and a tenant
+config file. It will validate the syntax of the tenant config file
+(but not the job configuration of any projects in the tenants).
+
+**Role Variables**
+
+.. zuul:rolevar:: zuul_tenant_conf_check_zuul_conf_path
+
+ The path to the partial zuul.conf to use. This must contain the
+ connection entries, but no credentials are required. Any other
+ sections are ignored.
+
+.. zuul:rolevar:: zuul_tenant_conf_check_tenant_config_path
+
+ The path to the tenant config file to check.
+
+.. zuul:rolevar:: zuul_tenant_conf_check_image
+ :default: quay.io/zuul-ci/zuul-scheduler:latest
+
+ The Zuul scheduler container image which contains the zuul-admin
+ command to run.
+
+.. zuul:rolevar:: zuul_tenant_conf_check_registry_credentials
+
+ An optional value, expected in the form of a secret, that supplies
+ credential information if zuul_tenant_conf_check_image is in a
+ registry that requires authentication. The format is a dictionary
+ keyed by the registry name. Example:
+
+ .. code-block:: yaml
+
+ zuul_tenant_conf_check_registry_credentials:
+ docker.io:
+ username: 'username'
+ password: 'password'
+
+ .. zuul:rolevar:: [registry_name]
+
+ The dictionary key should be the name of the registry
+
+ .. zuul:rolevar:: username
+
+ The registry username.
+
+ .. zuul:rolevar:: password
+
+ The registry password.
diff --git a/roles/zuul-tenant-conf-check/defaults/main.yaml b/roles/zuul-tenant-conf-check/defaults/main.yaml
new file mode 100644
index 000000000..a7b5e5d53
--- /dev/null
+++ b/roles/zuul-tenant-conf-check/defaults/main.yaml
@@ -0,0 +1 @@
+zuul_tenant_conf_check_image: quay.io/zuul-ci/zuul-scheduler:latest
diff --git a/roles/zuul-tenant-conf-check/tasks/main.yaml b/roles/zuul-tenant-conf-check/tasks/main.yaml
new file mode 100644
index 000000000..98a38593f
--- /dev/null
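Review bot: The default in `roles/zuul-tenant-conf-check/defaults/main.yaml` points at the mutable `:latest` tag, so each run executes whatever image currently carries that tag, with the temporary work directory bind-mounted into it. Following the newest Zuul release may be intentional for a validation job, but the file should say so and show how to pin. I would add a comment above the default along the lines of `# Tracks the newest scheduler image on purpose; override with a digest-pinned reference (quay.io/zuul-ci/zuul-scheduler@sha256:<digest>) for reproducible runs.`, where `<digest>` is a placeholder.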
+++ b/roles/zuul-tenant-conf-check/tasks/main.yaml
@@ -0,0 +1,53 @@
+- name: Create temporary directory
+ tempfile:
+ state: directory
+ register: zj_zuul_tenant_conf_check_tempdir
+
+- name: Copy zuul.conf to temporary directory
+ copy:
+ src: "{{ zuul_tenant_conf_check_zuul_conf_path }}"
+ dest: "{{ zj_zuul_tenant_conf_check_tempdir.path }}/zuul.conf"
+
+- name: Copy tenant config to temporary directory
+ copy:
+ src: "{{ zuul_tenant_conf_check_tenant_config_path }}"
+ dest: "{{ zj_zuul_tenant_conf_check_tempdir.path }}/main.yaml"
+
+- name: Update zuul.conf with tenant config path
+ ini_file:
+ path: "{{ zj_zuul_tenant_conf_check_tempdir.path }}/zuul.conf"
+ section: scheduler
+ option: tenant_config
+ value: "/work/main.yaml"
+ state: present
+
+- name: Identify container registry for authentication
+ when: zuul_tenant_conf_check_registry_credentials is defined
+ set_fact:
+ _registry: "{{ (zuul_tenant_conf_check_image | split('/', 1)).0 }}"
+ _repopath: "{{ (zuul_tenant_conf_check_image | split('/', 1)).1 }}"
+
+- name: Log into container registry
+ when: zuul_tenant_conf_check_registry_credentials is defined
+ command: >-
+ docker login
+ -u "{{ zuul_tenant_conf_check_registry_credentials[_registry].username }}"
+ -p "{{ zuul_tenant_conf_check_registry_credentials[_registry].password }}"
+ {{ _registry }}
+
+- name: Run tenant-conf-check
+ block:
+ - name: Run tenant-conf-check
+ command: >-
+ docker run --rm -t
+ -v "{{ zj_zuul_tenant_conf_check_tempdir.path }}:/work"
+ {{ zuul_tenant_conf_check_image }}
+ zuul-admin -c /work/zuul.conf tenant-conf-check
+ always:
+ - name: Remove temporary directory
+ file:
+ path: "{{ zj_zuul_tenant_conf_check_tempdir.path }}"
+ state: absent
+ - name: Log out of container registry
+ when: zuul_tenant_conf_check_registry_credentials is defined
+ command: docker logout
diff --git a/test-playbooks/zuul-tenant-conf-check/main.yaml b/test-playbooks/zuul-tenant-conf-check/main.yaml
new file mode 100644
index 000000000..89002cc6d
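Review bot: The `Log into container registry` task passes the registry password on the `docker login` command line with `-p` and sets no `no_log`, so the secret is visible in the process list on the node and the rendered command is part of the task result, which can reach the job log. Feed it through `--password-stdin` using the command module's `stdin` argument and mark the task `no_log: true`. The cleanup task also runs `docker logout` with no server argument, which per the Docker CLI only targets the default registry. For an image hosted elsewhere (the role default is on quay.io) the stored login would presumably remain on the node, so pass `{{ _registry }}` there too. Separately, `_repopath` is set but not used anywhere in this file.

```yaml
- name: Log into container registry
  when: zuul_tenant_conf_check_registry_credentials is defined
  command: >-
    docker login
    -u "{{ zuul_tenant_conf_check_registry_credentials[_registry].username }}"
    --password-stdin
    {{ _registry }}
  args:
    stdin: "{{ zuul_tenant_conf_check_registry_credentials[_registry].password }}"
  no_log: true

# … unchanged: Run tenant-conf-check block and "Remove temporary directory" …
    - name: Log out of container registry
      when: zuul_tenant_conf_check_registry_credentials is defined
      command: docker logout {{ _registry }}
```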
--- /dev/null +++ b/test-playbooks/zuul-tenant-conf-check/main.yaml @@ -0,0 +1,8 @@ +- tenant: + name: opendev + max-nodes-per-job: 10 + source: + gerrit: + config-projects: + - opendev/project-config + - opendev/base-jobs diff --git a/test-playbooks/zuul-tenant-conf-check/zuul.conf b/test-playbooks/zuul-tenant-conf-check/zuul.conf new file mode 100644 index 000000000..9b723faae --- /dev/null +++ b/test-playbooks/zuul-tenant-conf-check/zuul.conf @@ -0,0 +1,22 @@ +[connection "smtp"] +driver=smtp +server=localhost +port=25 + +[connection "gerrit"] +driver=gerrit +server=review.opendev.org +user=openstack-zuul + +[connection "opendaylight"] +driver=gerrit +server=git.opendaylight.org +user=openstack-zuul + +[connection "github"] +driver=github + +[connection "googlesource"] +driver=gerrit +server=gerrit-review.googlesource.com +user=git-infra-root.openstack.org diff --git a/zuul-tests.d/general-roles-jobs.yaml b/zuul-tests.d/general-roles-jobs.yaml index b8857a9f7..3cb893058 100644 --- a/zuul-tests.d/general-roles-jobs.yaml +++ b/zuul-tests.d/general-roles-jobs.yaml @@ -925,6 +925,18 @@ vars: zuul_use_fetch_output: false +- job: + name: zuul-jobs-test-zuul-tenant-conf-check + description: Test the zuul-tenant-conf-check role + parent: zuul-tenant-conf-check + files: + - roles/zuul-tenant-conf-check/.* + vars: + zuul_tenant_conf_check_zuul_conf_path: '{{ zuul.executor.work_root }}/{{ zuul.project.src_dir + }}/test-playbooks/zuul-tenant-conf-check/zuul.conf' + zuul_tenant_conf_check_tenant_config_path: '{{ zuul.executor.work_root }}/{{ + zuul.project.src_dir }}/test-playbooks/zuul-tenant-conf-check/main.yaml' + # -* AUTOGENERATED *- # The following project section is autogenerated by # tox -e update-test-platforms @@ -1001,6 +1013,7 @@ - zuul-jobs-test-stage-output - zuul-jobs-test-fetch-translation-output - zuul-jobs-test-fetch-translation-output-synchronize + - zuul-jobs-test-zuul-tenant-conf-check gate: jobs: *id001 periodic-weekly: 
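Review bot: The `files` matcher of `zuul-jobs-test-zuul-tenant-conf-check` in `zuul-tests.d/general-roles-jobs.yaml` lists only `roles/zuul-tenant-conf-check/.*`, so a change that touches just the job's playbooks or the fixtures this test reads would presumably not trigger it. Add `- playbooks/zuul-tenant-conf-check/.*` and `- test-playbooks/zuul-tenant-conf-check/.*` to that list so the test also runs when `pre.yaml`, `run.yaml`, or the sample `zuul.conf` and `main.yaml` change.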
diff --git a/zuul.d/general-jobs.yaml b/zuul.d/general-jobs.yaml index a9d579be1..8bf4b3269 100644 --- a/zuul.d/general-jobs.yaml +++ b/zuul.d/general-jobs.yaml @@ -152,3 +152,58 @@ pre-run: playbooks/shake/pre.yaml run: playbooks/shake/run.yaml + +- job: + name: zuul-tenant-conf-check + description: | + Run the zuul-admin tenant-conf-check command. + + This requires a partial zuul.conf (it only needs the connection + entries, and those without any credential information) and a + tenant config file. It will validate the syntax of the tenant + config file (but not the job configuration of any projects in + the tenants). + + .. zuul:jobvar:: zuul_tenant_conf_check_zuul_conf_path + + The path to the partial zuul.conf to use. This must contain the + connection entries, but no credentials are required. Any other + sections are ignored. + + .. zuul:jobvar:: zuul_tenant_conf_check_tenant_config_path + + The path to the tenant config file to check. + + .. zuul:jobvar:: zuul_tenant_conf_check_image + :default: quay.io/zuul-ci/zuul-scheduler:latest + + The Zuul scheduler container image which contains the zuul-admin + command to run. + + .. zuul:jobvar:: zuul_tenant_conf_check_registry_credentials + + An optional value, expected in the form of a secret, that supplies + credential information if zuul_tenant_conf_check_image is in a + registry that requires authentication. The format is a dictionary + keyed by the registry name. Example: + + .. code-block:: yaml + + zuul_tenant_conf_check_registry_credentials: + docker.io: + username: 'username' + password: 'password' + + .. zuul:jobvar:: [registry_name] + + The dictionary key should be the name of the registry + + .. zuul:jobvar:: username + + The registry username. + + .. zuul:jobvar:: password + + The registry password. + pre-run: playbooks/zuul-tenant-conf-check/pre.yaml + run: playbooks/zuul-tenant-conf-check/run.yaml