| |
@@ -1,349 +0,0 @@
|
| |
- ---
|
| |
- apiVersion: v1
|
| |
- kind: Template
|
| |
- metadata:
|
| |
- name: mbs-frontend-krb5-template
|
| |
- app: mbs
|
| |
- parameters:
|
| |
- - name: TEST_ID
|
| |
- displayName: Test id
|
| |
- description: Short unique identifier for this test run (e.g. Jenkins job number)
|
| |
- required: true
|
| |
- - name: MBS_FRONTEND_IMAGE
|
| |
- displayName: Image for MBS frontend
|
| |
- description: Image to be used for MBS frontend deployment
|
| |
- required: true
|
| |
- - name: KOJI_URL
|
| |
- displayName: Top level URL of the Koji instance to use
|
| |
- description: Top level URL of the Koji instance to use. Without a '/' at the end.
|
| |
- required: true
|
| |
- - name: FLASK_SECRET_KEY
|
| |
- displayName: The secret key for Flask
|
| |
- generate: expression
|
| |
- from: "[\\w]{16}"
|
| |
- - name: DATABASE_PASSWORD
|
| |
- displayName: Database password
|
| |
- description: The password for the database.
|
| |
- required: true
|
| |
- - name: FRONTEND_KEYTAB
|
| |
- displayName: Base64-encoded Kerberos keytab used by the frontend
|
| |
- required: true
|
| |
- - name: KRB5_CONF_CONFIGMAP
|
| |
- displayName: Name of the ConfigMap containing the krb5.conf required for Kerberos auth
|
| |
- required: true
|
| |
- - name: KRB5_USER
|
| |
- displayName: A user who will be allowed to authenticate to the MBS.
|
| |
- required: false
|
| |
- value: mbs-admin
|
| |
- objects:
|
| |
- - apiVersion: v1
|
| |
- kind: Secret
|
| |
- metadata:
|
| |
- name: mbs-${TEST_ID}-frontend-keytab
|
| |
- labels:
|
| |
- app: mbs
|
| |
- service: frontend
|
| |
- environment: test-${TEST_ID}
|
| |
- data:
|
| |
- keytab: ${FRONTEND_KEYTAB}
|
| |
- - apiVersion: v1
|
| |
- kind: ConfigMap
|
| |
- metadata:
|
| |
- name: mbs-${TEST_ID}-httpd-config
|
| |
- labels:
|
| |
- app: mbs
|
| |
- service: frontend
|
| |
- environment: test-${TEST_ID}
|
| |
- data:
|
| |
- mbs.conf: |
|
| |
- WSGIDaemonProcess mbs user=fedmsg group=fedmsg home=/usr/share/mbs maximum-requests=1000 display-name=mbs processes=2 threads=2
|
| |
- WSGISocketPrefix run/wsgi
|
| |
- WSGIRestrictStdout Off
|
| |
- WSGIRestrictSignal Off
|
| |
- WSGIPythonOptimize 1
|
| |
- WSGIApplicationGroup %{GLOBAL}
|
| |
-
|
| |
- WSGIScriptAlias / /usr/share/mbs/mbs.wsgi
|
| |
-
|
| |
- <Location />
|
| |
- WSGIProcessGroup mbs
|
| |
-
|
| |
- # Return JSON when authentication fails
|
| |
- ErrorDocument 401 "{\"error\": \"You must be authenticated to perform this action.\"}"
|
| |
- Header always set Content-Type "application/json" "expr=%{REQUEST_STATUS} == 401"
|
| |
-
|
| |
- AuthType GSSAPI
|
| |
- AuthName "MBS Kerberos negotiate authentication based on GSSAPI"
|
| |
- GssapiSSLonly On
|
| |
- GssapiCredStore keytab:/etc/mbs.keytab
|
| |
-
|
| |
- # GET methods are allowed for everyone, but any other method
|
| |
- # needs a valid-user.
|
| |
- <RequireAny>
|
| |
- Require method GET OPTIONS
|
| |
- Require valid-user
|
| |
- </RequireAny>
|
| |
- </Location>
|
| |
-
|
| |
- RedirectMatch ^/$ /module-build-service/1/module-builds/
|
| |
- - apiVersion: v1
|
| |
- kind: ConfigMap
|
| |
- metadata:
|
| |
- name: mbs-${TEST_ID}-frontend-config
|
| |
- labels:
|
| |
- app: mbs
|
| |
- service: frontend
|
| |
- environment: test-${TEST_ID}
|
| |
- data:
|
| |
- config.py: |
|
| |
- class ProdConfiguration(object):
|
| |
- DEBUG = True
|
| |
-
|
| |
- SECRET_KEY = '${FLASK_SECRET_KEY}'
|
| |
-
|
| |
- SQLALCHEMY_DATABASE_URI = 'postgresql://mbs:${DATABASE_PASSWORD}@mbs-${TEST_ID}-database:5432/mbs'
|
| |
- SQLALCHEMY_TRACK_MODIFICATIONS = True
|
| |
-
|
| |
- # Global network-related values, in seconds
|
| |
- NET_TIMEOUT = 120
|
| |
- NET_RETRY_INTERVAL = 30
|
| |
-
|
| |
- SYSTEM = 'koji'
|
| |
- MESSAGING = 'umb'
|
| |
- MESSAGING_TOPIC_PREFIX = ['/queue/Consumer.mbs.queue.VirtualTopic.eng']
|
| |
- KOJI_CONFIG = '/etc/module-build-service/koji.conf'
|
| |
- KOJI_PROFILE = 'test'
|
| |
- ARCHES = ['x86_64']
|
| |
- KOJI_PROXYUSER = False
|
| |
- KOJI_REPOSITORY_URL = '${KOJI_URL}/kojiroot/repos'
|
| |
- PDC_URL = ''
|
| |
- PDC_INSECURE = False
|
| |
- PDC_DEVELOP = True
|
| |
- SCMURLS = []
|
| |
- ALLOW_CUSTOM_SCMURLS = True
|
| |
-
|
| |
- RESOLVER = 'koji'
|
| |
-
|
| |
- # This is a whitelist of prefixes of koji tags we're allowed to manipulate
|
| |
- KOJI_TAG_PREFIXES = ['module']
|
| |
-
|
| |
- DEFAULT_DIST_TAG_PREFIX = 'module+'
|
| |
-
|
| |
- # Use the same priority as all other builds
|
| |
- KOJI_BUILD_PRIORITY = 0
|
| |
-
|
| |
- # Control where modules get tagged post-build.
|
| |
- BASE_MODULE_NAMES = set(['platform'])
|
| |
- KOJI_CG_TAG_BUILD = False
|
| |
- KOJI_CG_BUILD_TAG_TEMPLATE = ''
|
| |
- KOJI_CG_DEFAULT_BUILD_TAG = ''
|
| |
-
|
| |
- # Enable authentication
|
| |
- NO_AUTH = False
|
| |
-
|
| |
- YAML_SUBMIT_ALLOWED = True
|
| |
-
|
| |
- # Allow maintainers to specify something that differs from the git branch.
|
| |
- ALLOW_NAME_OVERRIDE_FROM_SCM = False
|
| |
- ALLOW_STREAM_OVERRIDE_FROM_SCM = True
|
| |
-
|
| |
- # How often should we resort to polling, in seconds
|
| |
- # Set to zero to disable polling
|
| |
- POLLING_INTERVAL = 600
|
| |
-
|
| |
- # Determines how many builds that can be submitted to the builder
|
| |
- # and be in the build state at a time. Set this to 0 for no restrictions
|
| |
- # New name
|
| |
- NUM_CONCURRENT_BUILDS = 5
|
| |
-
|
| |
- RPMS_DEFAULT_REPOSITORY = 'git+https://src.fedoraproject.org/rpms/'
|
| |
- RPMS_ALLOW_REPOSITORY = True
|
| |
- RPMS_DEFAULT_CACHE = ''
|
| |
- RPMS_ALLOW_CACHE = False
|
| |
- MODULES_DEFAULT_REPOSITORY = ''
|
| |
- MODULES_ALLOW_REPOSITORY = False
|
| |
- MODULES_ALLOW_SCRATCH = True
|
| |
-
|
| |
- # Our per-build logs for the Koji content generator go here.
|
| |
- # CG imports are controlled by KOJI_ENABLE_CONTENT_GENERATOR
|
| |
- BUILD_LOGS_DIR = '/var/tmp'
|
| |
-
|
| |
- # Time after which MBS will delete koji targets it created.
|
| |
- KOJI_TARGET_DELETE_TIME = 86400
|
| |
-
|
| |
- # Whether or not to import modules back to koji.
|
| |
- KOJI_ENABLE_CONTENT_GENERATOR = True
|
| |
-
|
| |
- # Available backends are: console, file.
|
| |
- LOG_BACKEND = 'console'
|
| |
-
|
| |
- # Available log levels are: debug, info, warn, error.
|
| |
- LOG_LEVEL = 'debug'
|
| |
-
|
| |
- REBUILD_STRATEGY_ALLOW_OVERRIDE = True
|
| |
- REBUILD_STRATEGY = 'only-changed'
|
| |
-
|
| |
- KOJI_EXTERNAL_REPO_URL_PREFIX = '${KOJI_URL}/kojiroot/'
|
| |
-
|
| |
- ALLOWED_PRIVILEGED_MODULE_NAMES = ['build']
|
| |
-
|
| |
- # Settings for Kerberos + LDAP auth
|
| |
- AUTH_METHOD = 'kerberos'
|
| |
- KERBEROS_KEYTAB = '/etc/mbs.keytab'
|
| |
- LDAP_URI = ''
|
| |
- LDAP_GROUPS_DN = ''
|
| |
- # These groups are allowed to submit builds.
|
| |
- ALLOWED_GROUPS = []
|
| |
- # These users don't need to be part of a group to submit builds.
|
| |
- ALLOWED_USERS = ['${KRB5_USER}']
|
| |
- # These groups are allowed to cancel the builds of other users.
|
| |
- ADMIN_GROUPS = []
|
| |
- # These groups are allowed to import the virtual module.
|
| |
- ALLOWED_GROUPS_TO_IMPORT_MODULE = ['packager']
|
| |
-
|
| |
- KOJI_TAG_EXTRA_OPTS = {u'mock.package_manager': u'dnf', u'mock.yum.module_hotfixes': 1, u'repo_include_all': True, u'mock.new_chroot': 0}
|
| |
-
|
| |
- SCRATCH_BUILD_ONLY_BRANCHES = [
|
| |
- r'^private-.*',
|
| |
- ]
|
| |
- koji.conf: |
|
| |
- [test]
|
| |
- server = ${KOJI_URL}/kojihub
|
| |
- weburl = ${KOJI_URL}/koji/
|
| |
- topurl = ${KOJI_URL}/kojiroot/
|
| |
- authtype = ssl
|
| |
- ;client certificate
|
| |
- cert = /etc/koji-certs/kojiadmin.crt
|
| |
- ;certificate of the CA that issued the client certificate
|
| |
- ;ca = /etc/koji-certs/clientca.crt
|
| |
- ;certificate of the CA that issued the HTTP server certificate
|
| |
- serverca = /etc/koji-certs/koji_ca_cert.crt
|
| |
- mock.cfg: |
|
| |
- config_opts['root'] = '$root'
|
| |
- config_opts['target_arch'] = '$arch'
|
| |
- config_opts['legal_host_arches'] = ('$arch',)
|
| |
- config_opts['chroot_setup_cmd'] = 'install $group'
|
| |
- config_opts['dist'] = ''
|
| |
- config_opts['extra_chroot_dirs'] = [ '/run/lock', ]
|
| |
- config_opts['releasever'] = ''
|
| |
- config_opts['package_manager'] = 'dnf'
|
| |
- config_opts['nosync'] = True
|
| |
- config_opts['use_bootstrap_container'] = False
|
| |
-
|
| |
- config_opts['yum.conf'] = """
|
| |
- $yum_conf
|
| |
- """
|
| |
- yum.conf: |
|
| |
- [main]
|
| |
- keepcache=1
|
| |
- debuglevel=2
|
| |
- reposdir=/dev/null
|
| |
- logfile=/var/log/yum.log
|
| |
- retries=20
|
| |
- obsoletes=1
|
| |
- gpgcheck=0
|
| |
- assumeyes=1
|
| |
- syslog_ident=mock
|
| |
- syslog_device=
|
| |
- install_weak_deps=0
|
| |
- metadata_expire=3600
|
| |
- mdpolicy=group:primary
|
| |
-
|
| |
- # repos
|
| |
- - apiVersion: v1
|
| |
- kind: DeploymentConfig
|
| |
- metadata:
|
| |
- name: mbs-${TEST_ID}-frontend
|
| |
- labels:
|
| |
- app: mbs
|
| |
- service: frontend
|
| |
- environment: test-${TEST_ID}
|
| |
- spec:
|
| |
- replicas: 1
|
| |
- selector:
|
| |
- app: mbs
|
| |
- service: frontend
|
| |
- environment: test-${TEST_ID}
|
| |
- strategy:
|
| |
- type: Rolling
|
| |
- template:
|
| |
- metadata:
|
| |
- labels:
|
| |
- app: mbs
|
| |
- service: frontend
|
| |
- environment: test-${TEST_ID}
|
| |
- spec:
|
| |
- containers:
|
| |
- - name: frontend
|
| |
- image: "${MBS_FRONTEND_IMAGE}"
|
| |
- imagePullPolicy: Always
|
| |
- ports:
|
| |
- - containerPort: 8080
|
| |
- name: http
|
| |
- - containerPort: 8443
|
| |
- name: https
|
| |
- livenessProbe:
|
| |
- httpGet:
|
| |
- path: /module-build-service/1/monitor/metrics
|
| |
- port: http
|
| |
- readinessProbe:
|
| |
- httpGet:
|
| |
- path: /module-build-service/1/module-builds/?per_page=1&short=true
|
| |
- port: http
|
| |
- volumeMounts:
|
| |
- - name: fedmsg-config
|
| |
- mountPath: /etc/fedmsg.d
|
| |
- - name: frontend-certs
|
| |
- mountPath: /etc/mbs-certs
|
| |
- - name: mbs-config
|
| |
- mountPath: /etc/module-build-service
|
| |
- - name: httpd-config
|
| |
- subPath: mbs.conf
|
| |
- mountPath: /etc/httpd/conf.d/mbs.conf
|
| |
- - name: wsgi-config
|
| |
- mountPath: /usr/share/mbs
|
| |
- - name: koji-certs
|
| |
- mountPath: /etc/koji-certs
|
| |
- - name: cacerts-vol
|
| |
- subPath: cert-bundle
|
| |
- mountPath: /etc/pki/tls/cert.pem
|
| |
- - name: krb5-conf-vol
|
| |
- subPath: krb5.conf
|
| |
- mountPath: /etc/krb5.conf
|
| |
- - name: keytab-vol
|
| |
- subPath: keytab
|
| |
- mountPath: /etc/mbs.keytab
|
| |
- resources:
|
| |
- limits:
|
| |
- memory: 400Mi
|
| |
- cpu: 300m
|
| |
- volumes:
|
| |
- - name: fedmsg-config
|
| |
- configMap:
|
| |
- name: mbs-${TEST_ID}-frontend-fedmsg-config
|
| |
- - name: frontend-certs
|
| |
- secret:
|
| |
- secretName: mbs-${TEST_ID}-frontend-certs
|
| |
- - name: mbs-config
|
| |
- configMap:
|
| |
- name: mbs-${TEST_ID}-frontend-config
|
| |
- - name: httpd-config
|
| |
- configMap:
|
| |
- name: mbs-${TEST_ID}-httpd-config
|
| |
- - name: wsgi-config
|
| |
- configMap:
|
| |
- name: mbs-${TEST_ID}-wsgi-config
|
| |
- - name: koji-certs
|
| |
- secret:
|
| |
- secretName: mbs-${TEST_ID}-koji-secrets
|
| |
- - name: cacerts-vol
|
| |
- configMap:
|
| |
- name: mbs-${TEST_ID}-cacerts
|
| |
- - name: krb5-conf-vol
|
| |
- configMap:
|
| |
- name: ${KRB5_CONF_CONFIGMAP}
|
| |
- - name: keytab-vol
|
| |
- secret:
|
| |
- secretName: mbs-${TEST_ID}-frontend-keytab
|
| |
- triggers:
|
| |
- - type: ConfigChange
|
| |