centos-sig-cloud / ci
Alfredo Moralejo committed 2 years ago
Cloud SIG CI
This is the CI repository for the Cloud SIG.
Jenkins
We manage and provision Jenkins jobs through code (IaC) with
the help of jenkins-job-builder.
You can find the jobs definition in github.com/rdo-infra/ci-config
You can propose changes against the associated Gerrit project in review.rdoproject.org
Hosting on OCP
We are hosting Jenkins server and nodes on pods on OCP (OpenShift Container Platform).
Jenkins is configured to spawn nodes in which jobs will be running.
The integration of OCP in Jenkins is handled by CentOS CI team.
The pod template we are using is cico-workspace-rdo with the configuration as below:
Name: cico-workspace-rdo
Labels: cico-workspace-rdo
Usage: Only build job with label expressions matching this node
Pod template to inherit from: cico-workspace
Container Template
Name: jnlp
Docker image: quay.io/rdoinfra/cico-workspace-rdo:latest
Always pull image: opt-in
Working directory: /tmp
Arguments to pass in the command: ${computer.jnlpmac} ${computer.name}
Allocate pseudo-TTY: opt-in
Environment Variable from Secret
Key: CICO_API_KEY
SecretName: duffy-api-key
SecretKey: key
Docker image hosted in Quay
The repository namespace is rdoinfra/cico-workspace-rdo
For each new image build we increment the tag by 1, then we tag it as latest and check if
everything is fine in jobs execution.
If there is an issue with new build, then we can rollback the promotion directly in Tag History menu, by reverting operation in Revert column.
Jenkins server configuration
Plugins installed
Below the list of plugins which are installed by CloudSIG:
- Build Pipeline plugin: used in puppet promotion
- Dashboard View
- Environment Injector plugin: for properties-content
- Gerrit Trigger plugin: used in TripleO quickstart gate jobs
- Nested View
- Multiple SCMs: used in TripleO quickstart gate jobs
- Multiple plugin: used in phase-1-pipelines jobs
- Post Build Task: used in puppet promotion for log collection
- URLTrigger
Note: those plugins are installed in addition to the ones installed by CentOS Infra team.
Gerrit Trigger plugin configuration
We need to add a Gerrit connection in manager.
To do so, add a new Gerrit Server in Manage Jenkins > Uncategorized > Gerrit Trigger with the data below:
- Name: rdo-ci-openstack.org
- Hostname: review.opendev.org
- Frontend URL: https://review.opendev.org/
- SSH port: 29418
- Username: rdo-ci
- SSH Keyfile: /rdo_ci_ssh_key/ssh-privatekey => mount as Volume in DeploymentConfig https://console-openshift-console.apps.ocp.ci.centos.org/k8s/ns/cloudsig-ci/deploymentconfigs/jenkins
- Opt-in "Build Current Patches Only"
- Leave empty fields below "Gerrit Reporting Values" Jenkins is not allowed to vote in Gerrit (it just leaves a comment)
Disable the visualization of Injected Environment variables
- Go to the Jenkins instance;
FromConfigure Global SecurityunderEnvironment Injector Plugin;
CheckDo not show injected variables. - From
Configure Global SecurityunderHidden security warnings;
Click onSecurity Warnings;
UncheckEnvironment Injector Plugin: Exposure of sensitive build variables stored by EnvInject 1.90 and earlier. This will make sure to hide that error message so it doesn’t appear again.
The 2 lines above come from https://stackoverflow.com/a/49368564
Credentials
The credentials with the informations below are created:
| ID | Name | Kind | Description |
|---|---|---|---|
| 1a12dfa4-7fc5-47a7-aa17-cc56572a41c7 | /** | Username with password | |
| d31fc651-105c-4af6-a2a5-ed486a5897ca | DLRN api password | Secret text | DLRN api password |
| 8a8657ce-adba-465d-9ef9-8d9759327fa9 | Rsync Password log server | Secret text | Rsync Password log server |
| 68c0bffe-4663-47aa-9134-abcae35ace47 | rdo-ci (Upstream RDO CI key) | SSH Username with private key | Upstream RDO CI key |
| da788440-7c2e-4118-9fe9-a5264b40bcb1 | RDO REGISTRY TOKEN | Secret text | RDO REGISTRY TOKEN |
The secrets are kept by Cloud-SIG admins.
Jenkins AAA
Authentication
Authentication is done against OpenShift which delegates the operation to accounts.centos.org (Noggin/FreeIPA) through OAuth.
Authorization
From Configure Global Security under Authorization click on Matrix-based security.
- Anonymous Users have
Overall/readandJob/readpermissions. - Authenticated Users have
Overall/readandJob/readpermissions. - admin has
Overall/administraterpermissions. - rhos-prodchain@redhat.com-admin-edit-view has
Overall/administraterpermissions. - tripleo.ci.ruck.rover@gmail.com-admin-edit-view has
Overall/administraterpermissions. - cloud-sig users have
Overall/administraterpermissions.
Note: each user who wants write access needs an account in accounts.centos.org and must be in sig-cloud group.