README.md

Cloud SIG CI

This is the CI repository for the Cloud SIG.

Jenkins

We manage and provision Jenkins jobs as code (IaC) with the help of jenkins-job-builder.
You can find the job definitions in github.com/rdo-infra/ci-config.
You can propose changes against the associated Gerrit project in review.rdoproject.org.

Hosting on OCP

We host the Jenkins server and its nodes as pods on OCP (OpenShift Container Platform).
Jenkins is configured to spawn the nodes in which jobs run.
The integration of OCP into Jenkins is handled by the CentOS CI team.

The pod template we are using is cico-workspace-rdo with the configuration as below:

Name: cico-workspace-rdo
Labels: cico-workspace-rdo
Usage: Only build job with label expressions matching this node
Pod template to inherit from: cico-workspace
Container Template
  Name: jnlp
  Docker image: quay.io/rdoinfra/cico-workspace-rdo:latest
  Always pull image: opt-in
  Working directory: /tmp
  Arguments to pass in the command: ${computer.jnlpmac} ${computer.name}
  Allocate pseudo-TTY: opt-in
  Environment Variable from Secret
    Key: CICO_API_KEY
    SecretName: duffy-api-key
    SecretKey: key

Docker image hosted in Quay

The repository namespace is rdoinfra/cico-workspace-rdo.
For each new image build we increment the numeric tag by 1, then tag it as latest and check that jobs execute correctly with it.
If there is an issue with the new build, we can roll back the promotion directly in the Tag History menu by reverting the operation in the Revert column.

Jenkins server configuration

Plugins installed

Below is the list of plugins installed by CloudSIG:

  • Build Pipeline plugin: used in puppet promotion
  • Dashboard View
  • Environment Injector plugin: for properties-content
  • Gerrit Trigger plugin: used in TripleO quickstart gate jobs
  • Nested View
  • Multiple SCMs: used in TripleO quickstart gate jobs
  • Multiple plugin: used in phase-1-pipelines jobs
  • Post Build Task: used in puppet promotion for log collection
  • URLTrigger

Note: these plugins are installed in addition to the ones installed by the CentOS Infra team.

Gerrit Trigger plugin configuration

We need to add a Gerrit connection in the manager.
To do so, add a new Gerrit Server in Manage Jenkins > Uncategorized > Gerrit Trigger with the data below:

Disable the visualization of Injected Environment variables

  1. Go to the Jenkins instance;
    from Configure Global Security, under Environment Injector Plugin,
    check Do not show injected variables.
  2. From Configure Global Security, under Hidden security warnings,
    click on Security Warnings;
    uncheck Environment Injector Plugin: Exposure of sensitive build variables stored by EnvInject 1.90 and earlier. This hides that warning so it doesn't appear again.

The two steps above come from https://stackoverflow.com/a/49368564

Credentials

The credentials with the information below are created:

| ID | Name | Kind | Description |
|---|---|---|---|
| 1a12dfa4-7fc5-47a7-aa17-cc56572a41c7 | /** | Username with password | |
| d31fc651-105c-4af6-a2a5-ed486a5897ca | DLRN api password | Secret text | DLRN api password |
| 8a8657ce-adba-465d-9ef9-8d9759327fa9 | Rsync Password log server | Secret text | Rsync Password log server |
| 68c0bffe-4663-47aa-9134-abcae35ace47 | rdo-ci (Upstream RDO CI key) | SSH Username with private key | Upstream RDO CI key |
| da788440-7c2e-4118-9fe9-a5264b40bcb1 | RDO REGISTRY TOKEN | Secret text | RDO REGISTRY TOKEN |

The secrets are kept by Cloud-SIG admins.

Jenkins AAA

Authentication

Authentication is done against OpenShift which delegates the operation to accounts.centos.org (Noggin/FreeIPA) through OAuth.

Authorization

From Configure Global Security under Authorization click on Matrix-based security.

  • Anonymous Users have Overall/read and Job/read permissions.
  • Authenticated Users have Overall/read and Job/read permissions.
  • admin has Overall/administer permissions.
  • rhos-prodchain@redhat.com-admin-edit-view has Overall/administer permissions.
  • tripleo.ci.ruck.rover@gmail.com-admin-edit-view has Overall/administer permissions.
  • cloud-sig users have Overall/administer permissions.

Note: each user who wants write access needs an account in accounts.centos.org and must be in the sig-cloud group.
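As an added example (not code from the Cloud SIG repository), the following Python audit parses the matrix-based security block that Jenkins stores in config.xml and flags any grant to anonymous or authenticated users beyond Overall/read and Job/read, while listing who holds Overall/administer. The embedded config.xml is a constructed sample in the matrix-auth plugin's entry format and deliberately contains one violation.

```python
"""Audit a Jenkins matrix-based security block for least-privilege drift."""
import xml.etree.ElementTree as ET

# Constructed sample of the <authorizationStrategy> element Jenkins writes to
# config.xml for matrix-based security (matrix-auth 3.x "TYPE:permission:sid"
# entries; older releases omit the TYPE prefix). Not the real Cloud SIG file.
SAMPLE_CONFIG_XML = """<hudson>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>USER:hudson.model.Hudson.Read:anonymous</permission>
    <permission>USER:hudson.model.Item.Read:anonymous</permission>
    <permission>GROUP:hudson.model.Hudson.Read:authenticated</permission>
    <permission>GROUP:hudson.model.Item.Read:authenticated</permission>
    <permission>USER:hudson.model.Hudson.Administer:admin</permission>
    <permission>GROUP:hudson.model.Hudson.Administer:cloud-sig</permission>
    <permission>USER:hudson.model.Item.Build:anonymous</permission>
  </authorizationStrategy>
</hudson>
"""

# Overall/read and Job/read as Jenkins names them internally.
READ_ONLY = {"hudson.model.Hudson.Read", "hudson.model.Item.Read"}
ADMIN = "hudson.model.Hudson.Administer"  # Overall/administer


def parse_matrix(config_xml):
    """Return {sid: set(permission ids)} from the authorizationStrategy block."""
    root = ET.fromstring(config_xml)
    strategy = root.find("authorizationStrategy")
    grants = {}
    for entry in strategy.findall("permission"):
        parts = entry.text.strip().split(":")
        # Drop the optional USER:/GROUP:/EITHER: prefix, then take "perm:sid".
        if parts[0] in ("USER", "GROUP", "EITHER"):
            parts = parts[1:]
        permission, sid = parts[0], ":".join(parts[1:])
        grants.setdefault(sid, set()).add(permission)
    return grants


def audit(grants):
    """Return (sorted admin sids, findings); findings are policy violations."""
    findings = []
    for sid in ("anonymous", "authenticated"):
        extra = grants.get(sid, set()) - READ_ONLY
        if extra:
            findings.append(f"{sid} holds non-read permissions: {sorted(extra)}")
    admins = sorted(sid for sid, perms in grants.items() if ADMIN in perms)
    return admins, findings
```

Run it against a real config.xml (for example as a periodic job) and fail the check when findings is non-empty or the admin list differs from the expected one above.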