#1239 MBS-Koji integration tests
Merged 5 months ago by mprahl. Opened 5 months ago by mikeb.
mikeb/fm-orchestrator koji-integration  into  master

file modified

file modified
+1 -9

@@ -6,22 +6,14 @@ 

  ```bash

  $ docker build openshift/backend \

      --tag mbs-backend:latest \

-     --build-arg mbs_rpm=<MBS_RPM> \

-     --build-arg mbs_messaging_umb_rpm=<MBS_MESSAGING_UMB_RPM> \

-     --build-arg umb_ca_crt=<UMB_CA_CRT>

+     --build-arg EXTRA_RPMS=<MBS_MESSAGING_UMB_RPM>

  ```

  

  where:

- * MBS_RPM is a path or URL to the Module Build Service RPM. If not specified,

-   MBS [provided by

-   Fedora](https://apps.fedoraproject.org/packages/module-build-service) will be

-   installed in the image.

  * MBS_MESSAGING_UMB_RPM is a path or URL to the [UMB Messaging

    Plugin](https://github.com/release-engineering/mbs-messaging-umb) RPM. If not

    provided, only `fedmsg` and `in_memory` will be available for messaging in the

    image.

- * UMB_CA_CRT is a path or URL to the CA certificate of the message bus to be

-   used by MBS.

  

  ## Build the container image for MBS frontend

  

file modified
+54 -25

@@ -1,28 +1,57 @@ 

- FROM fedora:28

+ FROM fedora:29 AS builder

+ 

+ ARG EXTRA_RPMS=""

+ ARG GIT_REPO=""

+ ARG GIT_REF=""

+ ARG VERSION=""

+ ARG CREATED=""

+ ARG DNF_CMD="dnf -y --setopt=deltarpm=0 --setopt=install_weak_deps=false --setopt=tsflags=nodocs"

+ 

+ COPY . /src

+ WORKDIR /src

+ 

+ RUN ${DNF_CMD} install \

+       'dnf-command(builddep)' rpm-build rpmdevtools rpmlint \

+       python3-tox python3-pytest python3-mock python3-flake8 bandit && \

+     ${DNF_CMD} builddep *.spec && \

+     ${DNF_CMD} clean all

+ RUN rpmdev-setuptree && \

+     python3 setup.py sdist && \

+     rpmbuild --define "_sourcedir $PWD/dist" -ba *.spec && \

+     mv $HOME/rpmbuild/RPMS /srv

+ RUN flake8 && \

+     bandit -r -ll -s B102,B303,B411,B602 module_build_service && \

+     tox -v -e py3

+ 

+ 

+ FROM fedora:29

  LABEL \

-     name="Backend for the Module Build Service (MBS)" \

-     vendor="The Factory 2.0 Team" \

-     license="MIT" \

-     description="The MBS coordinates module builds. This image is to serve as the MBS backend." \

-     usage="https://pagure.io/fm-orchestrator" \

-     build-date=""

- 

- # The caller can chose to provide an already built module-build-service RPM.

- ARG mbs_rpm=module-build-service

- ARG mbs_messaging_umb_rpm

- ARG umb_ca_crt

- 

- RUN dnf -y install \

-             python2-pungi \

-             python2-psycopg2 \

-             https://dl.fedoraproject.org/pub/epel/7Server/x86_64/Packages/s/stomppy-3.1.6-3.el7.noarch.rpm \

-             $mbs_rpm \

-             $mbs_messaging_umb_rpm \

-     && dnf -y clean all

- 

- ADD $umb_ca_crt /etc/pki/ca-trust/source/anchors/umb_serverca.crt

- # Do this as a workaround instead of `update-ca-trust`

- RUN cat /etc/pki/ca-trust/source/anchors/umb_serverca.crt >> /etc/pki/tls/certs/ca-bundle.crt

+     org.opencontainers.image.title="Backend for the Module Build Service (MBS)" \

+     org.opencontainers.image.description="The MBS coordinates module builds. This image is to serve as the MBS backend." \

+     org.opencontainers.image.vendor="The Factory 2.0 Team" \

+     org.opencontainers.image.authors="The Factory 2.0 Team <pnt-factory2-devel@redhat.com>" \

+     org.opencontainers.image.licenses="MIT" \

+     org.opencontainers.image.source="$GIT_REPO" \

+     org.opencontainers.image.revision="$GIT_REF" \

+     org.opencontainers.image.version="$VERSION" \

+     org.opencontainers.image.created="$CREATED" \

+     org.opencontainers.image.url="https://pagure.io/fm-orchestrator" \

+     org.opencontainers.image.documentation="https://pagure.io/fm-orchestrator" \

+     distribution-scope="public"

+ 

+ COPY --from=builder /srv/RPMS /srv/RPMS

+ COPY repos/ /etc/yum.repos.d/

+ 

+ RUN $DNF_CMD install \

+       python3-psycopg2 \

+       python3-docopt \

+       python3-service-identity \

+       /srv/*/*/*.rpm \

+       $EXTRA_RPMS && \

+     $DNF_CMD clean all && \

+     rm -rf /srv/RPMS

+ 

+ USER 1001

  

  VOLUME ["/etc/module-build-service", "/etc/fedmsg.d", "/etc/mbs-certs"]

- ENTRYPOINT fedmsg-hub

+ CMD ["fedmsg-hub-3"]

@@ -0,0 +1,91 @@ 

+ # Template to produce a new BuildConfig and ImageStream for MBS backend image builds.

+ 

+ ---

+ apiVersion: v1

+ kind: Template

+ metadata:

+   name: mbs-backend-build-template

+ labels:

+   template: mbs-backend-build-template

+ parameters:

+ - name: NAME

+   displayName: Short unique identifier for the templated instances.

+   required: true

+   value: mbs-backend

+ - name: MBS_GIT_REPO

+   displayName: MBS Git repo URL

+   description: Default MBS Git repo URL in which to run dev tests against

+   required: true

+   value: https://pagure.io/fm-orchestrator.git

+ - name: MBS_GIT_REF

+   displayName: MBS Git repo ref

+   description: Default MBS Git repo ref in which to run dev tests against

+   required: true

+   value: master

+ - name: MBS_BACKEND_IMAGESTREAM_NAME

+   displayName: ImageStream name of the resulting image

+   required: true

+   value: mbs-backend

+ - name: MBS_BACKEND_IMAGESTREAM_NAMESPACE

+   displayName: Namespace of ImageStream for MBS images

+   required: false

+ - name: MBS_IMAGE_TAG

+   displayName: Tag of resulting image

+   required: true

+   value: latest

+ - name: EXTRA_RPMS

+   displayName: Names of extra rpms to install

+   required: false

+   value: ""

+ - name: CREATED

+   displayName: Creation date

+   description: The date and time the image was built, in RFC 3339 format

+   required: false

+   value: ""

+ objects:

+ - apiVersion: v1

+   kind: ImageStream

+   metadata:

+     name: "${MBS_BACKEND_IMAGESTREAM_NAME}"

+     labels:

+       app: "${NAME}"

+ - kind: "BuildConfig"

+   apiVersion: "v1"

+   metadata:

+     name: "${NAME}"

+     labels:

+       app: "${NAME}"

+   spec:

+     runPolicy: "Parallel"

+     completionDeadlineSeconds: 1800

+     strategy:

+       dockerStrategy:

+         forcePull: true

+         dockerfilePath: openshift/backend/Dockerfile

+         buildArgs:

+         - name: EXTRA_RPMS

+           value: "${EXTRA_RPMS}"

+         - name: GIT_REPO

+           value: "${MBS_GIT_REPO}"

+         - name: GIT_REF

+           value: "${MBS_GIT_REF}"

+         - name: VERSION

+           value: "${MBS_IMAGE_TAG}"

+         - name: CREATED

+           value: "${CREATED}"

+     resources:

+       requests:

+         memory: "768Mi"

+         cpu: "500m"

+       limits:

+        memory: "1Gi"

+        cpu: "800m"

+     source:

+       git:

+         uri: "${MBS_GIT_REPO}"

+         ref: "${MBS_GIT_REF}"

+     output:

+       to:

+         kind: "ImageStreamTag"

+         name: "${MBS_BACKEND_IMAGESTREAM_NAME}:${MBS_IMAGE_TAG}"

+         namespace: "${MBS_BACKEND_IMAGESTREAM_NAMESPACE}"

file modified
+49 -22

@@ -1,27 +1,54 @@ 

  # See `../backend/` for building `mbs-backend:latest`

  FROM mbs-backend:latest

+ 

+ ARG GIT_REPO=""

+ ARG GIT_REF=""

+ ARG VERSION=""

+ ARG CREATED=""

+ ARG DNF_CMD="dnf -y --setopt=deltarpm=0 --setopt=install_weak_deps=false --setopt=tsflags=nodocs"

+ 

  LABEL \

-     name="Frontend for the Module Build Service (MBS)" \

-     vendor="The Factory 2.0 Team" \

-     license="MIT" \

-     description="The MBS coordinates module builds. This image is to serve as the MBS frontend." \

-     usage="https://pagure.io/fm-orchestrator" \

-     build-date=""

- 

- RUN dnf -y install \

-             httpd \

-             mod_wsgi \

-     && dnf -y clean all

+     org.opencontainers.image.title="Frontend for the Module Build Service (MBS)" \

+     org.opencontainers.image.description="The MBS coordinates module builds. This image is to serve as the MBS frontend." \

+     org.opencontainers.image.vendor="The Factory 2.0 Team" \

+     org.opencontainers.image.authors="The Factory 2.0 Team <pnt-factory2-devel@redhat.com>" \

+     org.opencontainers.image.licenses="MIT" \

+     org.opencontainers.image.source="$GIT_REPO" \

+     org.opencontainers.image.revision="$GIT_REF" \

+     org.opencontainers.image.version="$VERSION" \

+     org.opencontainers.image.created="$CREATED" \

+     org.opencontainers.image.url="https://pagure.io/fm-orchestrator" \

+     org.opencontainers.image.documentation="https://pagure.io/fm-orchestrator" \

+     io.openshift.expose-services="8080:http,8443:https" \

+     distribution-scope="public"

+ 

+ USER root

+ 

+ RUN $DNF_CMD install \

+       nss_wrapper httpd mod_ssl python3-mod_wsgi && \

+     $DNF_CMD clean all

+ 

+ RUN chmod a+rwx /run/httpd && \

+     sed -i -r -e 's!Listen 80!Listen 8080!' \

Optional: I'd prefer if we just had an httpd.conf that we copy as part of building the image instead of all these sed statements. It's just easier to read that way in my opinion.

Noted. I'll see about making that change in a future PR.

+               -e 's!^User apache!User default!' \

+               -e 's!^Group apache!Group root!' \

+               -e 's!^(\s*CustomLog)\s+\S+!\1 /proc/self/fd/1!' \

+               -e 's!^(\s*ErrorLog)\s+\S+!\1 /proc/self/fd/2!' \

+         /etc/httpd/conf/httpd.conf && \

+     sed -i -r -e 's!Listen 443!Listen 8443!' \

+               -e 's!_default_:443!_default_:8443!' \

+               -e 's!^(\s*CustomLog)\s+\S+!\1 /proc/self/fd/1!' \

+               -e 's!^(\s*TransferLog)\s+\S+!\1 /proc/self/fd/1!' \

+               -e 's!^(\s*ErrorLog)\s+\S+!\1 /proc/self/fd/2!' \

+               -e 's!^(SSLCertificateFile)\s+\S+!\1 /etc/mbs-certs/frontend.crt!' \

+               -e 's!^(SSLCertificateKeyFile)\s+\S+!\1 /etc/mbs-certs/frontend.key!' \

+               -e 's!^#(SSLCertificateChainFile)\s+\S+!\1 /etc/mbs-certs/frontendca.crt!' \

+         /etc/httpd/conf.d/ssl.conf

+ 

+ COPY openshift/frontend/run-httpd /usr/bin

+ 

+ USER 1001

  

- EXPOSE 8080/tcp 8443/tcp

  VOLUME ["/etc/module-build-service", "/etc/fedmsg.d", "/etc/mbs-certs", "/etc/httpd/conf.d"]

- ENTRYPOINT ["mod_wsgi-express", "start-server", "/usr/share/mbs/mbs.wsgi"]

- CMD [\

-     "--user", "fedmsg", "--group", "fedmsg", \

-     "--port", "8080", "--threads", "1", \

-     "--include-file", "/etc/httpd/conf.d/mbs.conf", \

-     "--log-level", "info", \

-     "--log-to-terminal", \

-     "--access-log", \

-     "--startup-log" \

- ]

+ EXPOSE 8080/tcp 8443/tcp

+ CMD ["/usr/bin/run-httpd"]

@@ -0,0 +1,96 @@ 

+ # Template to produce a new BuildConfig and ImageStream for MBS frontend image builds.

+ 

+ ---

+ apiVersion: v1

+ kind: Template

+ metadata:

+   name: mbs-frontend-build-template

+ labels:

+   template: mbs-frontend-build-template

+ parameters:

+ - name: NAME

+   displayName: Short unique identifier for the templated instances.

+   required: true

+   value: mbs-frontend

+ - name: MBS_GIT_REPO

+   displayName: MBS Git repo URL

+   description: Default MBS Git repo URL in which to run dev tests against

+   required: true

+   value: https://pagure.io/fm-orchestrator.git

+ - name: MBS_GIT_REF

+   displayName: MBS Git repo ref

+   description: Default MBS Git repo ref in which to run dev tests against

+   required: true

+   value: master

+ - name: MBS_FRONTEND_IMAGESTREAM_NAME

+   displayName: ImageStream name of the resulting image

+   required: true

+   value: mbs-frontend

+ - name: MBS_FRONTEND_IMAGESTREAM_NAMESPACE

+   displayName: Namespace of ImageStream for MBS images

+   required: false

+ - name: MBS_IMAGE_TAG

+   displayName: Tag of resulting image

+   required: true

+   value: latest

+ - name: MBS_BACKEND_IMAGESTREAM_NAME

+   displayName: ImageStream name of the MBS backend image

+   required: true

+   value: mbs-frontend

+ - name: MBS_BACKEND_IMAGESTREAM_NAMESPACE

+   displayName: Namespace of ImageStream for MBS backend image

+   required: false

+ - name: CREATED

+   displayName: Creation date

+   description: The date and time the image was built, in RFC 3339 format

+   required: false

+   value: ""

+ objects:

+ - apiVersion: v1

+   kind: ImageStream

+   metadata:

+     name: "${MBS_FRONTEND_IMAGESTREAM_NAME}"

+     labels:

+       app: "${NAME}"

+ - kind: "BuildConfig"

+   apiVersion: "v1"

+   metadata:

+     name: "${NAME}"

+     labels:

+       app: "${NAME}"

+   spec:

+     runPolicy: "Parallel"

+     completionDeadlineSeconds: 1800

+     strategy:

+       dockerStrategy:

+         forcePull: true

+         dockerfilePath: openshift/frontend/Dockerfile

+         buildArgs:

+         - name: GIT_REPO

+           value: "${MBS_GIT_REPO}"

+         - name: GIT_REF

+           value: "${MBS_GIT_REF}"

+         - name: VERSION

+           value: "${MBS_IMAGE_TAG}"

+         - name: CREATED

+           value: "${CREATED}"

+         from:

+           kind: ImageStreamTag

+           name: "${MBS_BACKEND_IMAGESTREAM_NAME}:${MBS_IMAGE_TAG}"

+           namespace: "${MBS_BACKEND_IMAGESTREAM_NAMESPACE}"

+     resources:

+       requests:

+         memory: "768Mi"

+         cpu: "500m"

+       limits:

+        memory: "1Gi"

+        cpu: "800m"

+     source:

+       git:

+         uri: "${MBS_GIT_REPO}"

+         ref: "${MBS_GIT_REF}"

+     output:

+       to:

+         kind: "ImageStreamTag"

+         name: "${MBS_FRONTEND_IMAGESTREAM_NAME}:${MBS_IMAGE_TAG}"

+         namespace: "${MBS_FRONTEND_IMAGESTREAM_NAMESPACE}"

@@ -0,0 +1,25 @@ 

+ #!/bin/bash

+ 

+ set -eu

+ 

+ # OpenShift containers run as a user with a random uid, which does not appear in

+ # /etc/passwd. httpd tries to look up the uid for the user it is running as

+ # (default in this case), and will exit if it cannot find that user in

+ # /etc/passwd. This script copies /etc/passwd to /tmp to make it writable, and

+ # appends an entry to /etc/passwd for the "default" user, using the current uid

+ # and gid. It then uses libnss_wrapper.so to redirect references from

+ # /etc/passwd to our modified file in /tmp, so httpd can run as "default".

+ 

+ export USER_ID=$(id -u)

+ export GROUP_ID=$(id -g)

+ 

+ cp /etc/passwd /tmp/passwd

+ cat >> /tmp/passwd <<EOF

+ default:x:${USER_ID}:${GROUP_ID}:Default Application User:${HOME}:/sbin/nologin

+ EOF

+ 

+ export LD_PRELOAD=libnss_wrapper.so

+ export NSS_WRAPPER_PASSWD=/tmp/passwd

+ export NSS_WRAPPER_GROUP=/etc/group

+ 

+ exec httpd -D FOREGROUND $@

@@ -0,0 +1,91 @@ 

+ MBS-Koji integration tests

+ ==========================

+ 

+ ### Background

+ This directory contains a set of Jenkins pipelines for building MBS container images and running

+ integration tests between MBS and Koji. These are based on the

+ [WaiverDB](https://pagure.io/waiverdb)

+ [pipeline](https://pagure.io/waiverdb/blob/master/f/openshift) structure. Please see the

+ extensive documentation there for information on the pipeline layout and workflows.

+ 

+ ### Getting started

+ 

+ #### Deploying a Jenkins master

+ Before you can run these pipelines you need to have a Jenkins master configured to communicate with

+ an OpenShift project. The simplest way to do this is to run your Jenkins master in your OpenShift

+ project. The first time you create a `BuildConfig` with `strategy.type: JenkinsPipeline`, OpenShift

+ will deploy a Jenkins master using the default settings. However, these pipelines will not run

+ using the default settings. It is recommended that before creating any `BuildConfigs`, you setup

+ your Jenkins master using:

+ ```bash

+ make -C openshift/integration/koji/pipelines install-jenkins

+ ```

+ This will deploy and configure your Jenkins master with the required set of plugins. **Note:** The

+ Jenkins master will be configured to disable script security. Be very careful when running untrusted

+ code, as scripts will have full access to your Jenkins environment. If you don't wish to disable

+ script security, you may edit `openshift/integration/koji/pipelines/Makefile` to change that

+ setting. You will need to allow scripts to access a number of Groovy/Java APIs before the pipelines

+ will run successfully.

+ 

+ #### Configuring the pipelines

+ To load the pipelines into OpenShift (and Jenkins) run:

+ ```bash

+ make -C openshift/integration/koji/pipelines install

+ ```

+ This will create all the objects required for running the pipelines.

+ 

+ #### Configuring secrets for pushing images

+ If you're going to be pushing your images anywhere other than the OpenShift internal registry,

+ you'll need to configure secrets which give you permission to push to that registry.

+ 

+ - Go to your registry dashboard and create a robot account.

+ - Backup your docker-config-json file (`$HOME/.docker/config.json`) if present.

+ - Run `docker login` with the robot account you just created to produce a new docker-config-json file.

+ - Create a new [OpenShift secret for a private registry] named `factory2-pipeline-registry-credentials` from your docker-config-json file:

+ ```bash

+   oc create secret generic factory2-pipeline-registry-credentials \

+     --from-file=.dockerconfigjson="$HOME/.docker/config.json" \

+     --type=kubernetes.io/dockerconfigjson

+ ```

+ 

+ #### Configuring a Pagure API key

+ If you would like the pipelines to provide feedback on PRs and commits, you need to configure a Pagure API key.

+ - Go to your Pagure repository settings, and go to the 'API Keys' section.

+ - Click on the `Create new key` button to add new API key with the `Flag a pull-request`, `Comment on a pull-request`, and `Flag a commit` permissions.

+ - Add your newly-created API key to OpenShift:

+ ```bash

+ make -C openshift/integration/koji/pipelines update-pagure-api-key KEY=<value from Pagure>

+ ```

+ 

+ #### Building a Jenkins slave image

+ Before you can run the pipelines, you need an image to use as the Jenkins slave. This step should

+ be repeated any time the `Dockerfile`

+ (`openshift/integration/koji/containers/jenkins-slave/Dockerfile`) for the Jenkins slaves is

+ updated.

+ ```bash

+ oc start-build mbs-premerge-jenkins-slave

+ ```

+ **Note:** The `mbs-premerge-jenkins-slave` and `mbs-postmerge-jenkins-slave` jobs produce the same

+ output. Either may be used.

+ 

+ #### Setting up Jenkins jobs

+ 

+ ##### Polling

+ If you want the `premerge` and `postmerge` jobs to be triggered automatically based on SCM changes,

+ you need to run the following jobs once manually, so Jenkins initates polling:

+ - mbs-polling-for-prs

+ - mbs-polling-for-master

+ 

+ ##### Message bus

+ **Note:** This requires the `Red Hat CI Plugin` to be installed.

+ If you're using message bus integration to enable automatic triggering of test jobs and promotion,

+ you need to run the trigger jobs once manually so Jenkins can setup required message consumers. The

+ following jobs should be triggered manually:

+ - mbs-trigger-on-latest-tag

+ - mbs-trigger-on-stage-tag

+ - mbs-backend-greenwave-promote-to-stage

+ - mbs-backend-greenwave-promote-to-prod

+ - mbs-frontend-greenwave-promote-to-stage

+ - mbs-frontend-greenwave-promote-to-prod

+ 

+ [OpenShift secret for a private registry]: https://docs.openshift.com/container-platform/3.11/dev_guide/builds/build_inputs.html#using-docker-credentials-for-private-registries

@@ -0,0 +1,78 @@ 

+ # Based on the rad-jenkins image, which is in turn based on:

I am just wondering if we should have a Fedora Jenkins-slave base image publicly on quay.io.

+ # https://github.com/jenkinsci/docker-jnlp-slave/blob/master/Dockerfile

+ # https://github.com/jenkinsci/docker-slave/blob/master/Dockerfile

+ 

+ FROM fedora:29

+ LABEL \

+     org.opencontainers.image.title="Jenkins slave for Module Build Service (MBS) pipelines" \

+     org.opencontainers.image.description="The MBS coordinates module builds. This image is to serve as the slave for executing build and test pipelines." \

+     org.opencontainers.image.vendor="The Factory 2.0 Team" \

+     org.opencontainers.image.authors="The Factory 2.0 Team <pnt-factory2-devel@redhat.com>" \

+     org.opencontainers.image.licenses="GPLv2+" \

+     org.opencontainers.image.url="https://pagure.io/fm-orchestrator" \

+     org.opencontainers.image.documentation="https://pagure.io/fm-orchestrator" \

+     distribution-scope="private"

+ 

+ ARG USER=jenkins

+ ARG UID=10000

+ ARG HOME_DIR=/var/lib/jenkins

+ ARG SLAVE_VERSION=3.29

+ ARG TINI_VERSION=0.18.0

+ ARG DNF_CMD="dnf -y --setopt=deltarpm=0 --setopt=install_weak_deps=false --setopt=tsflags=nodocs"

+ ARG CA_URLS=""

+ 

+ # Provide a default HOME location and set some default git user details

+ # Set LANG to UTF-8 to support it in stdout/stderr

+ ENV HOME=${HOME_DIR} \

+     GIT_COMMITTER_NAME="The Factory 2.0 Team" \

+     GIT_COMMITTER_EMAIL=pnt-factory2-devel@redhat.com \

+     LANG=en_US.UTF-8

+ 

+ USER root

+ 

+ RUN ${DNF_CMD} install -y \

+     java-1.8.0-openjdk nss_wrapper gettext git \

+     tar gzip skopeo wget make bind-utils \

+     origin-clients \

+     # Jenkins pipeline 'sh' steps seem to require ps

+     procps-ng \

+     # Tools to interface with our test instances

+     koji && \

+     ${DNF_CMD} clean all

+ 

+ # CA Certs

+ WORKDIR /etc/pki/ca-trust/source/anchors/

+ RUN for ca_url in ${CA_URLS}; do curl -skO ${ca_url}; done && \

+     update-ca-trust

+ 

+ # Setup the user for non-arbitrary UIDs with OpenShift

+ # https://docs.openshift.org/latest/creating_images/guidelines.html#openshift-origin-specific-guidelines

+ RUN useradd -d ${HOME_DIR} -u ${UID} -g 0 -m -s /bin/bash ${USER} && \

+     chmod -R g+rwx ${HOME_DIR}

+ 

+ # Make /etc/passwd writable for root group

+ # so we can add dynamic user to the system in entrypoint script

+ RUN chmod g+rw /etc/passwd

+ 

+ # Retrieve jenkins slave client

+ RUN curl --create-dirs -sSLo /usr/share/jenkins/slave.jar \

+     https://repo.jenkins-ci.org/public/org/jenkins-ci/main/remoting/${SLAVE_VERSION}/remoting-${SLAVE_VERSION}.jar && \

+     chmod 755 /usr/share/jenkins && \

+     chmod 644 /usr/share/jenkins/slave.jar

+ 

+ # Entry point script to run jenkins slave client

+ COPY jenkins-slave /usr/local/bin/jenkins-slave

+ RUN chmod 755 /usr/local/bin/jenkins-slave

+ 

+ # install tini, a tiny but valid init for containers

+ # install wait-for-it.sh, to allow containers to wait for other services to come up

+ RUN curl -L -o /usr/local/bin/tini "https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini" \

+     && chmod +rx /usr/local/bin/tini \

+     && curl -L -o /usr/local/bin/wait-for-it "https://raw.githubusercontent.com/vishnubob/wait-for-it/master/wait-for-it.sh" \

+     && chmod +rx /usr/local/bin/tini /usr/local/bin/wait-for-it \

+     && ${DNF_CMD} clean all

+ 

+ # For OpenShift we MUST use the UID of the user and not the name.

+ USER ${UID}

+ WORKDIR ${HOME_DIR}

+ ENTRYPOINT ["/usr/local/bin/tini", "--", "jenkins-slave"]

@@ -0,0 +1,116 @@ 

+ #!/usr/bin/env bash

+ 

+ # The MIT License

+ #

+ #  Copyright (c) 2015, CloudBees, Inc.

+ #

+ #  Permission is hereby granted, free of charge, to any person obtaining a copy

+ #  of this software and associated documentation files (the "Software"), to deal

+ #  in the Software without restriction, including without limitation the rights

+ #  to use, copy, modify, merge, publish, distribute, sublicense, and/or sell

+ #  copies of the Software, and to permit persons to whom the Software is

+ #  furnished to do so, subject to the following conditions:

+ #

+ #  The above copyright notice and this permission notice shall be included in

+ #  all copies or substantial portions of the Software.

+ #

+ #  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR

+ #  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,

+ #  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE

+ #  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER

+ #  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,

+ #  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN

+ #  THE SOFTWARE.

+ 

+ # Usage jenkins-slave.sh [options] -url http://jenkins [SECRET] [AGENT_NAME]

+ # Optional environment variables :

+ # * JENKINS_TUNNEL : HOST:PORT for a tunnel to route TCP traffic to jenkins host, when jenkins can't be directly accessed over network

+ # * JENKINS_URL : alternate jenkins URL

+ # * JENKINS_SECRET : agent secret, if not set as an argument

+ # * JENKINS_AGENT_NAME : agent name, if not set as an argument

+ # * JENKINS_JAR_CACHE : directory for cached jar files

+ #

+ # Credentials are also supported for authentication to jenkins. If desired,

+ # create the directory /etc/jenkins/credentials with "username" and "password"

+ # files within.

+ #

+ # This script was originally adopted from:

+ # https://github.com/jenkinsci/docker-jnlp-slave/blob/master/jenkins-slave

+ 

+ # Dynamically create a passwd file for non-arbitrary UIDs.

+ # Taken from: https://docs.openshift.org/latest/creating_images/guidelines.html#openshift-origin-specific-guidelines

+ # Adjusted using: https://github.com/openshift/jenkins/commit/20a511b8ccf71a8ebd80519440403e530ccb6337

+ export USER_ID=$(id -u)

+ export GROUP_ID=$(id -g)

+ 

+ # Skip for root user

+ if [ x"$USER_ID" != x"0" ]; then

+     export NSS_WRAPPER_PASSWD=/tmp/passwd

+     export NSS_WRAPPER_GROUP=/etc/group

+     export LD_PRELOAD=/usr/lib64/libnss_wrapper.so

+ 

+     cp /etc/passwd $NSS_WRAPPER_PASSWD

+     echo "jenkins:x:${USER_ID}:${GROUP_ID}:jenkins:${HOME}:/bin/bash" >> $NSS_WRAPPER_PASSWD

+ fi

+ 

+ if [ $# -eq 1 ]; then

+ 

+     # if `docker run` only has one arguments, we assume user is running alternate command like `bash` to inspect the image

+     exec "$@"

+ 

+ else

+ 

+     # if -tunnel is not provided try env vars

+     if [[ "$@" != *"-tunnel "* ]]; then

+         if [ ! -z "$JENKINS_TUNNEL" ]; then

+             TUNNEL="-tunnel $JENKINS_TUNNEL"

+         fi

+     fi

+ 

+     if [ -n "$JENKINS_URL" ]; then

+         URL="-url $JENKINS_URL"

+     fi

+ 

+     if [ -n "$JENKINS_NAME" ]; then

+         JENKINS_AGENT_NAME="$JENKINS_NAME"

+     fi

+ 

+     if [ -n "$JENKINS_JAR_CACHE" ]; then

+         JAR_CACHE="-jar-cache $JENKINS_JAR_CACHE"

+     fi

+ 

+     if [ -d "/etc/jenkins/credentials" ]; then

+         USERNAME="$(cat /etc/jenkins/credentials/username)"

+         PASSWORD="$(cat /etc/jenkins/credentials/password)"

+         CREDENTIALS="-credentials ${USERNAME}:${PASSWORD}"

+     fi

+ 

+     if [ -z "$JNLP_PROTOCOL_OPTS" ]; then

+         echo "Warning: JnlpProtocol3 is disabled by default, use JNLP_PROTOCOL_OPTS to alter the behavior"

+         JNLP_PROTOCOL_OPTS="-Dorg.jenkinsci.remoting.engine.JnlpProtocol3.disabled=true"

+     fi

+ 

+     # If both required options are defined, do not pass the parameters

+     OPT_JENKINS_SECRET=""

+     if [ -n "$JENKINS_SECRET" ]; then

+         if [[ "$@" != *"${JENKINS_SECRET}"* ]]; then

+             OPT_JENKINS_SECRET="${JENKINS_SECRET}"

+         else

+             echo "Warning: SECRET is defined twice in command-line arguments and the environment variable"

+         fi

+     fi

+ 

+     OPT_JENKINS_AGENT_NAME=""

+     if [ -n "$JENKINS_AGENT_NAME" ]; then

+         if [[ "$@" != *"${JENKINS_AGENT_NAME}"* ]]; then

+             OPT_JENKINS_AGENT_NAME="${JENKINS_AGENT_NAME}"

+         else

+             echo "Warning: AGENT_NAME is defined twice in command-line arguments and the environment variable"

+         fi

+     fi

+ 

+     #TODO: Handle the case when the command-line and Environment variable contain different values.

+     #It is fine it blows up for now since it should lead to an error anyway.

+ 

+     exec java $JAVA_OPTS $JNLP_PROTOCOL_OPTS -cp /usr/share/jenkins/slave.jar hudson.remoting.jnlp.Main -headless $CREDENTIALS $JAR_CACHE $TUNNEL $URL $OPT_JENKINS_SECRET $OPT_JENKINS_AGENT_NAME "$@"

+ fi

@@ -0,0 +1,55 @@ 

+ OC:=oc

+ OCFLAGS:=

+ JOBS_DIR:=jobs

+ TEMPLATES_DIR:=templates

+ JOB_PARAM_FILES:=$(wildcard $(JOBS_DIR)/*.env)

+ JOBS:=$(patsubst $(JOBS_DIR)/%.env,%,$(JOB_PARAM_FILES))

+ 

+ OC_CMD=$(OC) $(OCFLAGS)

+ 

+ help:

+ 	@echo TARGETS

+ 	@echo -e "\tinstall\t\tInstall or update pipelines to OpenShift"

+ 	@echo -e "\tuninstall\tDelete installed pipelines from OpenShift"

+ 	@echo

+ 	@echo VARIABLES

+ 	@echo -e "\tJOBS\t\tSpace seperated list of pipeline jobs to install"

+ 	@echo -e "\tJOBS_DIR\tLooking for pipeline job definitions in an alternate directory."

+ 	@echo -e "\tTEMPLATES_DIR\tLooking for pipeline job templates in an alternate directory."

+ 	@echo -e "\tOC\t\tUse this oc command"

+ 	@echo -e "\tOCFLAGS\t\tOptions to append to the oc command arguments"

+ install:

+ 	@$(OC_CMD) project

+ 	@for job in $(JOBS); do \

+ 		echo "[PIPELINE] Updating pipeline job \"$${job}\"..." ; \

+ 	  template_file=$$(cat ./$(JOBS_DIR)/$${job}.tmpl); \

+ 		$(OC_CMD) process --local -f ./$(TEMPLATES_DIR)/$${template_file} \

+ 			--param-file ./$(JOBS_DIR)/$${job}.env | $(OC_CMD) apply -f -; \

+ 		echo "[PIPELINE] Pipeline job \"$${job}\" updated" ; \

+ 	done

+ uninstall:

+ 	@$(OC_CMD) project

+ 	@for job in $(JOBS); do \

+ 	  template_file=$$(cat ./$(JOBS_DIR)/$${job}.tmpl); \

+ 		template_name=$${template_file%.y?ml}; \

+ 		template_name=$${template_name%-template}; \

+ 		echo "[PIPELINE] Deleting pipeline job \"$${job}\"..." ; \

+ 		$(OC_CMD) delete all -l template="$$template_name" -l app="$$job" ;\

+ 		echo "[PIPELINE] Pipeline job \"$${job}\" deleted" ; \

+ 	done

+ create-jenkins-is:

+ 	$(OC_CMD) import-image jenkins:2 --confirm --scheduled=true \

+ 		--from=registry.access.redhat.com/openshift3/jenkins-2-rhel7:v3.11

+ install-jenkins: create-jenkins-is

+ 	$(OC_CMD) new-app --template=jenkins-persistent \

+ 		-p MEMORY_LIMIT=2Gi \

+ 		-p VOLUME_CAPACITY=10Gi \

+ 		-p NAMESPACE=$(shell $(OC_CMD) project -q) \

+ 		-e INSTALL_PLUGINS=script-security:1.46,permissive-script-security:0.3,timestamper:1.9,http_request:1.8.22,ownership:0.12.1,antisamy-markup-formatter:1.5,update-sites-manager:2.0.0 \

+ 		-e JENKINS_JAVA_OVERRIDES="-Dpermissive-script-security.enabled=no_security"

+ update-pagure-api-key:

+ 	[ -n "$(KEY)" ] # You must specify KEY=<key value>

+ 	$(OC_CMD) delete secret pagure-api-key --ignore-not-found=true

+ 	$(OC_CMD) create secret generic pagure-api-key --from-literal=secrettext=$(KEY)

+ 	$(OC_CMD) label secret pagure-api-key credential.sync.jenkins.openshift.io=true

+ .PHONY: help install uninstall create-jenkins-is install-jenkins update-api-key

@@ -0,0 +1,7 @@ 

+ NAME=mbs-backend-greenwave-promote-to-prod

+ DECISION_CONTEXT_REGEX=c3i_promote_stage_to_prod

+ SUBJECT_IDENTIFIER_REGEX=^factory2/mbs-backend@sha256:

+ SOURCE_CONTAINER_REPO=quay.io/factory2/mbs-backend

+ TARGET_TAG=prod

+ MESSAGING_TOPIC=Consumer.rh-jenkins-ci-plugin.c3i-mbs-backend-greenwave-promote-to-prod.VirtualTopic.eng.greenwave.decision.update

+ IMAGE_PROMOTION_JOB=mbs-backend-promoting-to-prod

@@ -0,0 +1,1 @@ 

+ mbs-greenwave-trigger.yaml

@@ -0,0 +1,7 @@ 

+ NAME=mbs-backend-greenwave-promote-to-stage

+ DECISION_CONTEXT_REGEX=c3i_promote_dev_to_stage

+ SUBJECT_IDENTIFIER_REGEX=^factory2/mbs-backend@sha256:

+ SOURCE_CONTAINER_REPO=quay.io/factory2/mbs-backend

+ TARGET_TAG=stage

+ MESSAGING_TOPIC=Consumer.rh-jenkins-ci-plugin.c3i-mbs-backend-greenwave-promote-to-stage.VirtualTopic.eng.greenwave.decision.update

+ IMAGE_PROMOTION_JOB=mbs-backend-promoting-to-stage

@@ -0,0 +1,1 @@ 

+ mbs-greenwave-trigger.yaml

@@ -0,0 +1,5 @@ 

+ NAME=mbs-backend-promoting-to-prod

+ PROMOTING_DESTINATIONS=quay.io/factory2/mbs-backend

+ DEST_TAG=prod

+ TAG_INTO_IMAGESTREAM=true

+ DEST_IMAGESTREAM_NAME=mbs-backend

@@ -0,0 +1,1 @@ 

+ mbs-image-promotion-template.yaml

@@ -0,0 +1,5 @@ 

+ NAME=mbs-backend-promoting-to-stage

+ PROMOTING_DESTINATIONS=quay.io/factory2/mbs-backend

+ DEST_TAG=stage

+ TAG_INTO_IMAGESTREAM=true

+ DEST_IMAGESTREAM_NAME=mbs-backend

@@ -0,0 +1,1 @@ 

+ mbs-image-promotion-template.yaml

@@ -0,0 +1,1 @@ 

+ NAME=mbs-dev-integration-test

@@ -0,0 +1,1 @@ 

+ mbs-integration-test-template.yaml

@@ -0,0 +1,7 @@ 

+ NAME=mbs-frontend-greenwave-promote-to-prod

+ DECISION_CONTEXT_REGEX=c3i_promote_stage_to_prod

+ SUBJECT_IDENTIFIER_REGEX=^factory2/mbs-frontend@sha256:

+ SOURCE_CONTAINER_REPO=quay.io/factory2/mbs-frontend

+ TARGET_TAG=prod

+ MESSAGING_TOPIC=Consumer.rh-jenkins-ci-plugin.c3i-mbs-frontend-greenwave-promote-to-prod.VirtualTopic.eng.greenwave.decision.update

+ IMAGE_PROMOTION_JOB=mbs-frontend-promoting-to-prod

@@ -0,0 +1,1 @@ 

+ mbs-greenwave-trigger.yaml

@@ -0,0 +1,7 @@ 

+ NAME=mbs-frontend-greenwave-promote-to-stage

+ DECISION_CONTEXT_REGEX=c3i_promote_dev_to_stage

+ SUBJECT_IDENTIFIER_REGEX=^factory2/mbs-frontend@sha256:

+ SOURCE_CONTAINER_REPO=quay.io/factory2/mbs-frontend

+ TARGET_TAG=stage

+ MESSAGING_TOPIC=Consumer.rh-jenkins-ci-plugin.c3i-mbs-frontend-greenwave-promote-to-stage.VirtualTopic.eng.greenwave.decision.update

+ IMAGE_PROMOTION_JOB=mbs-frontend-promoting-to-stage

@@ -0,0 +1,1 @@ 

+ mbs-greenwave-trigger.yaml

@@ -0,0 +1,5 @@ 

+ NAME=mbs-frontend-promoting-to-prod

+ PROMOTING_DESTINATIONS=quay.io/factory2/mbs-frontend

+ DEST_TAG=prod

+ TAG_INTO_IMAGESTREAM=true

+ DEST_IMAGESTREAM_NAME=mbs-frontend

@@ -0,0 +1,1 @@ 

+ mbs-image-promotion-template.yaml

@@ -0,0 +1,5 @@ 

+ NAME=mbs-frontend-promoting-to-stage

+ PROMOTING_DESTINATIONS=quay.io/factory2/mbs-frontend

+ DEST_TAG=stage

+ TAG_INTO_IMAGESTREAM=true

+ DEST_IMAGESTREAM_NAME=mbs-frontend

@@ -0,0 +1,1 @@ 

+ mbs-image-promotion-template.yaml

@@ -0,0 +1,1 @@ 

+ NAME=mbs-polling-for-master

@@ -0,0 +1,1 @@ 

+ mbs-polling-pagure.yaml

@@ -0,0 +1,2 @@ 

+ NAME=mbs-polling-for-prs

+ PAGURE_POLLING_FOR_PR=true

@@ -0,0 +1,1 @@ 

+ mbs-polling-pagure.yaml

@@ -0,0 +1,4 @@ 

+ NAME=mbs-postmerge

+ EXTRA_REPOS=https://copr.fedorainfracloud.org/coprs/mikeb/mbs-messaging-umb/repo/fedora-29/mikeb-mbs-messaging-umb-fedora-29.repo

+ EXTRA_RPMS=mbs-messaging-umb

+ MAIL_ADDRESS=pnt-factory2-alerts@redhat.com

@@ -0,0 +1,1 @@ 

+ mbs-build-template.yaml

@@ -0,0 +1,4 @@ 

+ NAME=mbs-premerge

+ EXTRA_REPOS=https://copr.fedorainfracloud.org/coprs/mikeb/mbs-messaging-umb/repo/fedora-29/mikeb-mbs-messaging-umb-fedora-29.repo

+ EXTRA_RPMS=mbs-messaging-umb

+ MAIL_ADDRESS=pnt-factory2-alerts@redhat.com

@@ -0,0 +1,1 @@ 

+ mbs-build-template.yaml

@@ -0,0 +1,4 @@ 

+ NAME=mbs-prod-integration-test

+ KOJI_IMAGE=quay.io/factory2/koji:prod

+ UMB_IMAGE=docker-registry.engineering.redhat.com/factory2/umb:prod

+ ENVIRONMENT=prod

@@ -0,0 +1,1 @@ 

+ mbs-integration-test-template.yaml

@@ -0,0 +1,4 @@ 

+ NAME=mbs-stage-integration-test

+ KOJI_IMAGE=quay.io/factory2/koji:stage

+ UMB_IMAGE=docker-registry.engineering.redhat.com/factory2/umb:stage

+ ENVIRONMENT=stage

@@ -0,0 +1,1 @@ 

+ mbs-integration-test-template.yaml

@@ -0,0 +1,4 @@ 

+ NAME=mbs-trigger-on-latest-tag

+ MESSAGING_TOPIC=Consumer.rh-jenkins-ci-plugin.c3i-mbs-trigger-on-latest-tag.VirtualTopic.eng.repotracker.container.tag.>

+ TEST_JOB_NAME=mbs-stage-integration-test

+ TRACKED_TAG=latest

@@ -0,0 +1,1 @@ 

+ mbs-repotracker-trigger.yaml

@@ -0,0 +1,4 @@ 

+ NAME=mbs-trigger-on-stage-tag

+ MESSAGING_TOPIC=Consumer.rh-jenkins-ci-plugin.c3i-mbs-trigger-on-stage-tag.VirtualTopic.eng.repotracker.container.tag.>

+ TEST_JOB_NAME=mbs-prod-integration-test

+ TRACKED_TAG=stage

@@ -0,0 +1,1 @@ 

+ mbs-repotracker-trigger.yaml

@@ -0,0 +1,272 @@ 

+ # Template to produce a new MBS build job in OpenShift.

+ #

+ # MBS build job is a part of the MBS C3I pipeline, covering the following steps:

+ #

+ # - Run Flake8 and Bandit checks

+ # - Run unit tests

+ # - Build SRPM

+ # - Build RPM

+ # - Invoke Rpmlint

+ # - Build container

+ # - Run integration tests against the latest Koji images

+ # - Push container

+ #

+ # Required Jenkins Plugins:

+ # - Openshift Sync plugin

+ # - Openshift Client plugin

+ # - Kubernetes plugin

+ # - SSH Agent plugin

+ # - Timestamper plugin

+ # - HTTP Request plugin

+ # - Red Hat CI Plugin

+ #

+ ---

+ apiVersion: v1

+ kind: Template

+ metadata:

+   name: mbs-build-pipeline

+ parameters:

+ - name: NAME

+   displayName: Short unique identifier for the templated instances

+   description: This field is used to deploy multiple pipelines to one OpenShift project from this template.

+   required: true

+   value: mbs-build

+ - name: MBS_GIT_REPO

+   displayName: MBS Git repo URL

+   description: Default MBS Git repo URL in which to run dev tests against

+   required: true

+   value: https://pagure.io/fm-orchestrator.git

+ - name: MBS_GIT_REF

+   displayName: MBS Git repo ref

+   description: Default MBS Git repo ref in which to run dev tests against

+   required: true

+   value: master

+ - name: MBS_MAIN_BRANCH

+   displayName: Name of the main branch.

+   description: If MBS_MAIN_BRANCH equals MBS_GIT_REF, this is a post-merge build, otherwise it's a pre-merge build.

+   value: master

+   required: true

+ - name: JENKINS_AGENT_CLOUD_NAME

+   displayName: Name of OpenShift cloud in Jenkins master configuration

+   required: true

+   value: openshift

+ - name: JENKINS_AGENT_IMAGE

+   displayName: Container image for Jenkins slave pods

+   required: true

+   value: quay.io/factory2/mbs-jenkins-slave:latest

+ - name: JENKINS_AGENT_CA_URLS

+   displayName: Space-separated list of URLs to CA certificates to install in the agent image

+   required: false

+   value: ""

+ - name: MBS_BACKEND_DEV_IMAGE_DESTINATIONS

+   displayName: Comma seperated list of container repositories (without tag) to which the built MBS backend dev image will be pushed

+   description: OpenShift registries must be prefixed with 'atomic:'

+   required: false

+   value: "quay.io/factory2/mbs-backend"

+ - name: MBS_FRONTEND_DEV_IMAGE_DESTINATIONS

+   displayName: Comma seperated list of container repositories (without tag) to which the built MBS frontend dev image will be pushed

+   description: OpenShift registries must be prefixed with 'atomic:'

+   required: false

+   value: "quay.io/factory2/mbs-frontend"

+ - name: CONTAINER_REGISTRY_CREDENTIALS

+   displayName: Secret name of container registries used for pulling and pushing images

+   value: factory2-pipeline-registry-credentials

+   required: false

+ - name: MBS_DEV_IMAGE_TAG

+   displayName: Tag name of the resulting container image for development environment

+   value: "latest"

+   required: true

+ - name: MBS_BACKEND_IMAGESTREAM_NAME

+   displayName: Name of ImageStream for MBS backend images

+   required: true

+   value: mbs-backend

+ - name: MBS_BACKEND_IMAGESTREAM_NAMESPACE

+   displayName: Namespace of ImageStream for MBS backend images

+   required: false

+ - name: MBS_FRONTEND_IMAGESTREAM_NAME

+   displayName: Name of ImageStream for MBS frontend images

+   required: true

+   value: mbs-frontend

+ - name: MBS_FRONTEND_IMAGESTREAM_NAMESPACE

+   displayName: Namespace of ImageStream for MBS frontend images

+   required: false

+ - name: MBS_INTEGRATION_TEST_BUILD_CONFIG_NAME

+   displayName: Name of BuildConfig for running integration tests

+   required: true

+   value: mbs-dev-integration-test

+ - name: MBS_INTEGRATION_TEST_BUILD_CONFIG_NAMESPACE

+   displayName: Namespace of BuildConfig for running integration tests

+   required: false

+ - name: FORCE_PUBLISH_IMAGE

+   displayName: Whether to push the resulting image regardless of the Git branch

+   value: "false"

+   required: true

+ - name: TAG_INTO_IMAGESTREAM

+   displayName: Whether to tag the pushed image as dev

+   value: "true"

+   required: true

+ - name: PAGURE_URL

+   displayName: Pagure URL

+   value: "https://pagure.io"

+ - name: PAGURE_REPO_NAME

+   value: fm-orchestrator

+ - name: PAGURE_REPO_IS_FORK

+   value: "false"

+ - name: PAGURE_API_KEY_SECRET_NAME

+   displayName: Name of Pagure API key secret for updating Pagure pull-request statuses

+   value: "pagure-api-key"

+ - name: MAIL_ADDRESS

+   displayName: If set, build failure messages to this mail address.

+ - name: MBS_SPEC_FILE

+   displayName: Repo to the rpm specfile for the module-build-service

+   required: true

+   value: "https://src.fedoraproject.org/rpms/module-build-service/raw/master/f/module-build-service.spec"

+ - name: EXTRA_REPOS

+   displayName: Space-separated list of URLs to .repo files to install in the images

+   required: false

+   value: ""

+ - name: EXTRA_RPMS

+   displayName: Space-separated list of rpm names to install in the images

+   required: false

+   value: ""

+ - name: TESTCASES

+   displayName: >-

+     Space-separated list of testcases to run as part of the pipeline. An empty string (the default)

+     causes all available testcases to run. The value "skip" causes no testcases to be run.

+   required: false

+   value: ""

+ - name: CLEANUP

+   displayName: Cleanup objects after the pipeline is complete

+   required: true

+   value: "true"

+ labels:

+   template: mbs-build

+ objects:

+ - kind: "BuildConfig"

+   apiVersion: "v1"

+   metadata:

+     name: "${NAME}-jenkins-slave"

+     labels:

+       app: "${NAME}"

+   spec:

+     runPolicy: "Serial"

+     completionDeadlineSeconds: 1800

+     strategy:

+       dockerStrategy:

+         forcePull: true

+         dockerfilePath: Dockerfile

+         buildArgs:

+         - name: CA_URLS

+           value: "${JENKINS_AGENT_CA_URLS}"

+     resources:

+       requests:

+         memory: 512Mi

+         cpu: 300m

+       limits:

+        memory: 768Mi

+        cpu: 500m

+     source:

+       contextDir: openshift/integration/koji/containers/jenkins-slave

+       git:

+         uri: "${MBS_GIT_REPO}"

+         ref: "${MBS_GIT_REF}"

+     output:

+       to:

+         kind: DockerImage

+         name: "${JENKINS_AGENT_IMAGE}"

+       pushSecret:

+        name: "${CONTAINER_REGISTRY_CREDENTIALS}"

+ 

+ - kind: ServiceAccount

+   apiVersion: v1

+   metadata:

+     name: "${NAME}-jenkins-slave"

+     labels:

+       app: "${NAME}"

+ 

+ - kind: RoleBinding

+   apiVersion: v1

+   metadata:

+     name: "${NAME}-jenkins-slave_edit"

+     labels:

+       app: "${NAME}"

+   subjects:

+   - kind: ServiceAccount

+     name: "${NAME}-jenkins-slave"

+   roleRef:

+     name: edit

+ 

+ - kind: "BuildConfig"

+   apiVersion: "v1"

+   metadata:

+     name: "${NAME}"

+     labels:

+       app: "${NAME}"

+   spec:

+     runPolicy: "Serial"

+     completionDeadlineSeconds: 1800

+     source:

+       git:

+         uri: "${MBS_GIT_REPO}"

+         ref: "${MBS_GIT_REF}"

+     strategy:

+       type: JenkinsPipeline

+       jenkinsPipelineStrategy:

+         env:

+         - name: MBS_GIT_REPO

+           value: "${MBS_GIT_REPO}"

+         - name: MBS_GIT_REF

+           value: "${MBS_GIT_REF}"

+         - name: JENKINS_AGENT_CLOUD_NAME

+           value: "${JENKINS_AGENT_CLOUD_NAME}"

+         - name: JENKINS_AGENT_IMAGE

+           value: "${JENKINS_AGENT_IMAGE}"

+         - name: JENKINS_AGENT_SERVICE_ACCOUNT

+           value: "${NAME}-jenkins-slave"

+         - name: MBS_BACKEND_DEV_IMAGE_DESTINATIONS

+           value: "${MBS_BACKEND_DEV_IMAGE_DESTINATIONS}"

+         - name: MBS_FRONTEND_DEV_IMAGE_DESTINATIONS

+           value: "${MBS_FRONTEND_DEV_IMAGE_DESTINATIONS}"

+         - name: CONTAINER_REGISTRY_CREDENTIALS

+           value: "${CONTAINER_REGISTRY_CREDENTIALS}"

+         - name: FORCE_PUBLISH_IMAGE

+           value: "${FORCE_PUBLISH_IMAGE}"

+         - name: TAG_INTO_IMAGESTREAM

+           value: "${TAG_INTO_IMAGESTREAM}"

+         - name: MBS_DEV_IMAGE_TAG

+           value: "${MBS_DEV_IMAGE_TAG}"

+         - name: MBS_BACKEND_IMAGESTREAM_NAME

+           value: "${MBS_BACKEND_IMAGESTREAM_NAME}"

+         - name: MBS_BACKEND_IMAGESTREAM_NAMESPACE

+           value: "${MBS_BACKEND_IMAGESTREAM_NAMESPACE}"

+         - name: MBS_FRONTEND_IMAGESTREAM_NAME

+           value: "${MBS_FRONTEND_IMAGESTREAM_NAME}"

+         - name: MBS_FRONTEND_IMAGESTREAM_NAMESPACE

+           value: "${MBS_FRONTEND_IMAGESTREAM_NAMESPACE}"

+         - name: MBS_MAIN_BRANCH

+           value: "${MBS_MAIN_BRANCH}"

+         - name: MBS_INTEGRATION_TEST_BUILD_CONFIG_NAME

+           value: "${MBS_INTEGRATION_TEST_BUILD_CONFIG_NAME}"

+         - name: MBS_INTEGRATION_TEST_BUILD_CONFIG_NAMESPACE

+           value: "${MBS_INTEGRATION_TEST_BUILD_CONFIG_NAMESPACE}"

+         - name: PAGURE_REPO_NAME

+           value: "${PAGURE_REPO_NAME}"

+         - name: PAGURE_REPO_IS_FORK

+           value: "${PAGURE_REPO_IS_FORK}"

+         - name: PAGURE_URL

+           value: "${PAGURE_URL}"

+         - name: PAGURE_API_KEY_SECRET_NAME

+           value: "${PAGURE_API_KEY_SECRET_NAME}"

+         - name: MAIL_ADDRESS

+           value: "${MAIL_ADDRESS}"

+         - name: MBS_SPEC_FILE

+           value: "${MBS_SPEC_FILE}"

+         - name: EXTRA_REPOS

+           value: "${EXTRA_REPOS}"

+         - name: EXTRA_RPMS

+           value: "${EXTRA_RPMS}"

+         - name: TESTCASES

+           value: "${TESTCASES}"

+         - name: CLEANUP

+           value: "${CLEANUP}"

+         jenkinsfilePath: openshift/integration/koji/pipelines/templates/mbs-build.Jenkinsfile

@@ -0,0 +1,526 @@ 

+ library identifier: 'c3i@master', changelog: false,

+   retriever: modernSCM([$class: 'GitSCMSource', remote: 'https://pagure.io/c3i-library.git'])

+ import static org.apache.commons.lang.StringEscapeUtils.escapeHtml;

+ pipeline {

+   agent {

+     kubernetes {

+       cloud params.JENKINS_AGENT_CLOUD_NAME

+       label "jenkins-slave-${UUID.randomUUID().toString()}"

+       serviceAccount params.JENKINS_AGENT_SERVICE_ACCOUNT

+       defaultContainer 'jnlp'

+       yaml """

+       apiVersion: v1

+       kind: Pod

+       metadata:

+         labels:

+           app: "jenkins-${env.JOB_BASE_NAME.take(50)}"

+           factory2-pipeline-kind: "mbs-build-pipeline"

+           factory2-pipeline-build-number: "${env.BUILD_NUMBER}"

+       spec:

+         containers:

+         - name: jnlp

+           image: "${params.JENKINS_AGENT_IMAGE}"

+           imagePullPolicy: Always

+           tty: true

+           env:

+           - name: REGISTRY_CREDENTIALS

+             valueFrom:

+               secretKeyRef:

+                 name: "${params.CONTAINER_REGISTRY_CREDENTIALS}"

+                 key: ".dockerconfigjson"

+           resources:

+             requests:

+               memory: 512Mi

+               cpu: 300m

+             limits:

+               memory: 768Mi

+               cpu: 500m

+       """

+     }

+   }

+   options {

+     timestamps()

+     timeout(time: 120, unit: 'MINUTES')

+     buildDiscarder(logRotator(numToKeepStr: '10'))

+   }

+   environment {

+     PIPELINE_NAMESPACE = readFile("/run/secrets/kubernetes.io/serviceaccount/namespace").trim()

+     PAGURE_API = "${params.PAGURE_URL}/api/0"

+     PAGURE_REPO_IS_FORK = "${params.PAGURE_REPO_IS_FORK}"

+     PAGURE_REPO_HOME = "${env.PAGURE_URL}${env.PAGURE_REPO_IS_FORK == 'true' ? '/fork' : ''}/${params.PAGURE_REPO_NAME}"

+   }

+   stages {

+     stage('Prepare') {

+       steps {

+         script {

+           // check out specified branch/commit

+           checkout([$class: 'GitSCM',

+             branches: [[name: params.MBS_GIT_REF]],

+             userRemoteConfigs: [[url: params.MBS_GIT_REPO, refspec: '+refs/heads/*:refs/remotes/origin/* +refs/pull/*/head:refs/remotes/origin/pull/*/head']],

+           ])

+ 

+           // get current commit ID

+           // FIXME: Due to a bug discribed in https://issues.jenkins-ci.org/browse/JENKINS-45489,

+           // the return value of checkout() is unreliable.

+           // Not working: env.MBS_GIT_COMMIT = scmVars.GIT_COMMIT

+           env.MBS_GIT_COMMIT = sh(returnStdout: true, script: 'git rev-parse HEAD').trim()

+           echo "Build ${params.MBS_GIT_REF}, commit=${env.MBS_GIT_COMMIT}"

+ 

+           // Is the current branch a pull-request? If no, env.PR_NO will be empty.

+           env.PR_NO = getPrNo(params.MBS_GIT_REF)

+ 

+           // Generate a version-release number for the target Git commit

+           env.MBS_VERSION = sh(script: """grep -m 1 -P -o "(?<=version=')[^']+" setup.py""", returnStdout: true).trim()

+           env.BUILD_SUFFIX = ".jenkins${currentBuild.id}.git${env.MBS_GIT_COMMIT.take(7)}"

+           env.TEMP_TAG = "${env.MBS_VERSION}${env.BUILD_SUFFIX}"

+ 

+           def resp = httpRequest params.MBS_SPEC_FILE

+           env.SPEC_FILE_NAME = params.MBS_SPEC_FILE.split("/").last()

+           writeFile file: env.SPEC_FILE_NAME, text: resp.content

+           sh """

+             sed -i \

+                 -e 's/Version:.*/Version:        ${env.MBS_VERSION}/' \

+                 -e 's/%{?dist}/${env.BUILD_SUFFIX}%{?dist}/' \

+                 ${env.SPEC_FILE_NAME}

+ 

+           """

+           sh 'mkdir repos'

+           params.EXTRA_REPOS.split().each {

+             resp = httpRequest it

+             writeFile file: "repos/${it.split("/").last()}", text: resp.content

+           }

+           sh """

+             sed -i \

+                 -e '/enum34/d' \

+                 -e '/funcsigs/d' \

+                 -e '/futures/d' \

+                 -e '/koji/d' \

+                 requirements.txt

+           """

+           sh """

+             sed -i \

+                 -e 's/py.test/py.test-3/g' \

+                 -e '/basepython/d' \

+                 -e '/sitepackages/a setenv = PYTHONPATH={toxinidir}' \

+                 tox.ini

+           """

+         }

+       }

+     }

+     stage('Update Build Info') {

+       when {

+         expression {

+           return params.PAGURE_URL && params.PAGURE_REPO_NAME

+         }

+       }

+       steps {

+         script {

+           // Set friendly display name and description

+           if (env.PR_NO) { // is pull-request

+             env.PR_URL = "${env.PAGURE_REPO_HOME}/pull-request/${env.PR_NO}"

+             echo "Building PR #${env.PR_NO}: ${env.PR_URL}"

+             // NOTE: Old versions of OpenShift Client Jenkins plugin are buggy to handle arguments

+             // with special bash characters (like whitespaces, #, etc).

+             // https://bugzilla.redhat.com/show_bug.cgi?id=1625518

+             currentBuild.displayName = "PR#${env.PR_NO}"

+             // To enable HTML syntax in build description, go to `Jenkins/Global Security/Markup Formatter` and select 'Safe HTML'.

+             def pagureLink = """<a href="${env.PR_URL}">${currentBuild.displayName}</a>"""

+             try {

+               def prInfo = withPagure {

+                 it.getPR(env.PR_NO)

+               }

+               pagureLink = """<a href="${env.PR_URL}">PR#${env.PR_NO}: ${escapeHtml(prInfo.title)}</a>"""

+               // set PR status to Pending

+               if (params.PAGURE_API_KEY_SECRET_NAME)

+                 setBuildStatusOnPagurePR(null, 'Building...')

+             } catch (Exception e) {

+               echo "Error using pagure API: ${e}"

+             }

+             currentBuild.description = pagureLink

+           } else { // is a branch

+             currentBuild.displayName = "${env.MBS_GIT_REF}: ${env.MBS_GIT_COMMIT.take(7)}"

+             currentBuild.description = """<a href="${env.PAGURE_REPO_HOME}/c/${env.MBS_GIT_COMMIT}">${currentBuild.displayName}</a>"""

+             if (params.PAGURE_API_KEY_SECRET_NAME) {

+               try {

+                 flagCommit('pending', null, 'Building...')

+                 echo "Updated commit ${env.MBS_GIT_COMMIT} status to PENDING."

+               } catch (e) {

+ 		echo "Error updating commit ${env.MBS_GIT_COMMIT} status to PENDING: ${e}"

+               }

+             }

+           }

+ 	}

+       }

+     }

+     stage('Build backend image') {

+       environment {

+         BACKEND_BUILDCONFIG_ID = "mbs-backend-build-${currentBuild.id}-${UUID.randomUUID().toString().take(7)}"

+       }

+       steps {

+         script {

+           openshift.withCluster() {

+             // OpenShift BuildConfig doesn't support specifying a tag name at build time.

+             // We have to create a new BuildConfig for each image build.

+             echo 'Creating a BuildConfig for mbs-backend build...'

+             def created = new Date().format("yyyy-MM-dd'T'HH:mm:ss'Z'", TimeZone.getTimeZone('UTC'))

+             def template = readYaml file: 'openshift/backend/mbs-backend-build-template.yaml'