This is the CI repository for the Cloud SIG.
We manage and provision Jenkins jobs through code (IaC) with
the help of jenkins-job-builder.
You can find the job definitions in github.com/rdo-infra/ci-config
You can propose changes against the associated Gerrit project in review.rdoproject.org
We host the Jenkins server and nodes in pods on OCP (OpenShift Container Platform).
Jenkins is configured to spawn nodes in which jobs will run.
The integration of OCP in Jenkins is handled by the CentOS CI team.
The pod template we are using is cico-workspace-rdo with the configuration below:

- Name: cico-workspace-rdo
- Labels: cico-workspace-rdo
- Usage: Only build job with label expressions matching this node
- Pod template to inherit from: cico-workspace
- Container Template
  - Name: jnlp
  - Docker image: quay.io/rdoinfra/cico-workspace-rdo:latest
  - Always pull image: opt-in
  - Working directory: /tmp
  - Arguments to pass in the command: ${computer.jnlpmac} ${computer.name}
  - Allocate pseudo-TTY: opt-in
- Environment Variable from Secret
  - Key: CICO_API_KEY
  - SecretName: duffy-api-key
  - SecretKey: key

The repository namespace is rdoinfra/cico-workspace-rdo
For each new image build we increment the tag by 1, then we tag it as latest and check that everything is fine in job execution.
If there is an issue with the new build, we can roll back the promotion directly in the Tag History menu, by reverting the operation in the Revert column.
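
The tagging scheme above (numeric tag incremented by 1, then promoted to latest) can be checked from a tag listing, which matters because the pod template pulls `latest`. This is an added example, not code from the CI repository; the input shape (tag name plus manifest digest) and all sample values are constructed assumptions.

```python
import re

# Constructed sample listing: one entry per tag with the digest it points to.
# Field names and digests are assumptions for this example, not real values.
SAMPLE_TAGS = [
    {"name": "41", "manifest_digest": "sha256:aaaa"},
    {"name": "42", "manifest_digest": "sha256:bbbb"},
    {"name": "43", "manifest_digest": "sha256:cccc"},
    {"name": "latest", "manifest_digest": "sha256:bbbb"},
    {"name": "test-build", "manifest_digest": "sha256:dddd"},
]


def numeric_tags(tags):
    """Map build number -> digest for tags whose name is a plain integer."""
    return {
        int(t["name"]): t["manifest_digest"]
        for t in tags
        if re.fullmatch(r"[0-9]+", t["name"])
    }


def next_tag(tags):
    """Tag for the next image build: highest numeric tag plus 1."""
    builds = numeric_tags(tags)
    return str(max(builds) + 1) if builds else "1"


def promotion_state(tags):
    """Report which numbered build `latest` resolves to and whether it is the newest."""
    builds = numeric_tags(tags)
    latest = next((t["manifest_digest"] for t in tags if t["name"] == "latest"), None)
    promoted = sorted(n for n, d in builds.items() if d == latest)
    newest = max(builds) if builds else None
    return {
        "latest_digest": latest,
        "promoted_builds": promoted,   # empty: latest matches no numbered build
        "newest_build": newest,
        # False after a rollback, or before the newest build is promoted
        "latest_is_newest": bool(promoted) and promoted[-1] == newest,
        "next_tag": next_tag(tags),
    }


if __name__ == "__main__":
    for key, value in promotion_state(SAMPLE_TAGS).items():
        print(f"{key}: {value}")
```

In the constructed sample, latest resolves to build 42 while 43 exists, which is the state left by a rollback or by a build that has not been promoted yet.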
Below is the list of plugins installed by CloudSIG:
Note: those plugins are installed in addition to the ones installed by CentOS Infra team.
We need to add a Gerrit connection in manager.
To do so, add a new Gerrit Server in Manage Jenkins > Uncategorized > Gerrit Trigger with the data below:
- In Configure Global Security, under Environment Injector Plugin: Do not show injected variables.
- In Configure Global Security, under Hidden security warnings: Security Warnings: Environment Injector Plugin: Exposure of sensitive build variables stored by EnvInject 1.90 and earlier. This will make sure to hide that error message so it doesn’t appear again.

The 2 lines above come from https://stackoverflow.com/a/49368564
The credentials with the information below are created:
ID | Name | Kind | Description |
---|---|---|---|
1a12dfa4-7fc5-47a7-aa17-cc56572a41c7 | /** | Username with password | |
d31fc651-105c-4af6-a2a5-ed486a5897ca | DLRN api password | Secret text | DLRN api password |
8a8657ce-adba-465d-9ef9-8d9759327fa9 | Rsync Password log server | Secret text | Rsync Password log server |
68c0bffe-4663-47aa-9134-abcae35ace47 | rdo-ci (Upstream RDO CI key) | SSH Username with private key | Upstream RDO CI key |
da788440-7c2e-4118-9fe9-a5264b40bcb1 | RDO REGISTRY TOKEN | Secret text | RDO REGISTRY TOKEN |
The secrets are kept by Cloud-SIG admins.
Authentication is done against OpenShift which delegates the operation to accounts.centos.org (Noggin/FreeIPA) through OAuth.
From Configure Global Security, under Authorization, click on Matrix-based security.

- Overall/read and Job/read permissions.
- Overall/read and Job/read permissions.
- Overall/Administer permissions.
- Overall/Administer permissions.
- Overall/Administer permissions.
- Overall/Administer permissions.

Note: each user who wants write access needs an account in accounts.centos.org and must be in the sig-cloud group.