diff --git a/Makefile b/Makefile index 6bbb02230..4a1522d42 100644 --- a/Makefile +++ b/Makefile @@ -25,6 +25,7 @@ define tkn_update sed -e 's%%$(1)%g' -e 's%%$(2)%g' tkn/template/infra-aws-mac.yaml > tkn/infra-aws-mac.yaml sed -e 's%%$(1)%g' -e 's%%$(2)%g' tkn/template/infra-aws-rhel.yaml > tkn/infra-aws-rhel.yaml sed -e 's%%$(1)%g' -e 's%%$(2)%g' tkn/template/infra-aws-windows-server.yaml > tkn/infra-aws-windows-server.yaml + sed -e 's%%$(1)%g' -e 's%%$(2)%g' tkn/template/infra-azure-aks.yaml > tkn/infra-azure-aks.yaml sed -e 's%%$(1)%g' -e 's%%$(2)%g' tkn/template/infra-azure-rhel.yaml > tkn/infra-azure-rhel.yaml sed -e 's%%$(1)%g' -e 's%%$(2)%g' tkn/template/infra-azure-fedora.yaml > tkn/infra-azure-fedora.yaml sed -e 's%%$(1)%g' -e 's%%$(2)%g' tkn/template/infra-azure-windows-desktop.yaml > tkn/infra-azure-windows-desktop.yaml diff --git a/hacks/azure/azure_setup.sh b/hacks/azure/azure_setup.sh old mode 100644 new mode 100755 diff --git a/oci/Containerfile b/oci/Containerfile index 4019168e6..a16b60fbd 100644 --- a/oci/Containerfile +++ b/oci/Containerfile @@ -36,6 +36,8 @@ ENV AZ_CLI_VERSION 2.61.0 # Pulumi plugins # renovate: datasource=github-releases depName=pulumi/pulumi-aws ARG PULUMI_AWS_VERSION=v6.37.1 +# Install this +# https://releases.hashicorp.com/terraform-provider-aws/5.75.1/terraform-provider-aws_5.75.1_linux_amd64.zip # renovate: datasource=github-releases depName=pulumi/pulumi-aws ARG PULUMI_AWSX_VERSION=v2.3.0 # renovate: datasource=github-releases depName=pulumi/pulumi-azure-native diff --git a/tkn/infra-aws-fedora.yaml b/tkn/infra-aws-fedora.yaml index 2374f0828..9d2609718 100644 --- a/tkn/infra-aws-fedora.yaml +++ b/tkn/infra-aws-fedora.yaml 
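Review bot: The new `tkn_update` line reads `tkn/template/infra-azure-aks.yaml`, but no hunk in the visible part of this diff adds that template, so unless it lands in another commit the recipe fails at this sed — and because `>` opens `tkn/infra-azure-aks.yaml` before sed reads anything, an empty generated file is left behind. If the template is committed separately that is fine; otherwise it belongs in this change. The truncate-before-run shape is shared by every line in `tkn_update`, so a temp-file-then-`mv` rewrite is a pre-existing nicety rather than something this line introduces.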
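Review bot: The added `# Install this` note points at a provider zip with no checksum and leaves the step itself undone, which is the kind of TODO that later becomes a bare `curl`/`unzip` with no integrity check. If the provider is really needed in the image, make it a `RUN` that fetches the zip together with the release's `_SHA256SUMS` file and runs `sha256sum -c` before unzipping, with its own `ARG` and renovate annotation so the version is tracked like the Pulumi plugins around it; if it is only a reminder, drop it rather than leave a dangling URL in the Containerfile. A short comment on why a Terraform provider is wanted next to the Pulumi AWS plugin (presumably the bridged upstream provider) would also help, since the note sits between `PULUMI_AWS_VERSION` and the next renovate annotation and could be read as belonging to either.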
@@ -6,22 +6,25 @@ metadata: labels: app.kubernetes.io/version: "0.8.0-dev" annotations: - tekton.dev/pipelines.minVersion: "0.24.x" + tekton.dev/pipelines.minVersion: "0.44.x" tekton.dev/categories: infrastructure tekton.dev/tags: infrastructure, aws, fedora tekton.dev/displayName: "aws manager" - tekton.dev/platforms: "linux/amd64" + tekton.dev/platforms: "linux/amd64, linux/arm64" spec: description: | Task provision a fedora dedicated on host on AWS - The machine will offer nested virtualizataion capabilities as so it should be spin on a dedicated (baremetal) machine - - workspaces: - - name: storage - description: volume to store outputs to connect within the target machine + state file for the infrastructure - mountPath: /opt/storage + volumes: - name: aws-credentials + secret: + secretName: $(params.secret-aws-credentials) + - name: host-info + emptyDir: {} + + params: + # mapt params + - name: secret-aws-credentials description: | ocp secret holding the aws credentials. Secret should be accessible to this task. 
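Review bot: The new `host-info` `emptyDir: {}` is where mapt writes the SSH private key under `/opt/host-info`, and a default emptyDir is backed by the node's disk, so the key sits in the kubelet's pod directory until the pod is removed. The data only needs to live as long as the TaskRun pod, so `emptyDir: { medium: Memory }` keeps it off disk at no cost; the same applies to the identical volume in the mac, rhel and windows-server tasks in this diff. The `secretName: $(params.secret-aws-credentials)` indirection is fine, but the sentence 'Secret should be accessible to this task' could add that the secret must now also carry the `bucket` key the provisioner reads unconditionally.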
@@ -38,22 +41,35 @@ spec: access-key: ${access_key} secret-key: ${secret_key} region: ${region} - mountPath: /opt/aws-credentials - - params: - # mapt params - - name: project-name - description: identifier for project. - - name: backed-url - description: | - If we want to backed resources externally we can use s3 setting this param(i.e s3://existing-bucket). - - If default will be store on storage workspace at path set by param ws-output-path. - default: "''" - - name: ws-output-path - description: path on workspace where to store ephemeral assets related with the provisioning + bucket: ${bucket} + - name: id + description: identifier for the provisioned environment - name: operation description: operation to execute within the infrastructure. Current values (create, destroy) + - name: host-access-secret + description: name from the secret holding the host-info created during create operation. This is required only destroy operation + default: "''" + + # Secret result ownership + - name: ownerKind + type: string + default: PipelineRun + description: | + The type of resource that should own the generated SpaceRequest. + Deletion of this resource will trigger deletion of the SpaceRequest. + Supported values: `PipelineRun`, `TaskRun`. + - name: ownerName + type: string + description: | + The name of the resource that should own the generated SpaceRequest. + This should either be passed the value of `$(context.pipelineRun.name)` + or `$(context.taskRun.name)` depending on the value of `ownerKind`. + - name: ownerUid + type: string + description: | + The uid of the resource that should own the generated SpaceRequest. + This should either be passed the value of `$(context.pipelineRun.uid)` + or `$(context.taskRun.uid)` depending on the value of `ownerKind`. # VM type params - name: arch 
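Review bot: The `ownerKind`/`ownerName`/`ownerUid` descriptions talk about a 'generated SpaceRequest', which looks copy-pasted from another task — the object this task generates is the `host-access-secret` Secret, so the text should read e.g. `The type of resource that should own the generated host-access Secret. Deletion of this resource will trigger deletion of the Secret.` Also, `host-access-secret` is documented as 'required only destroy operation', but nothing in the provisioner script later in this diff reads it — destroy is driven entirely by `--backed-url s3://${BUCKET}/mapt/fedora/$(params.id)` — so either the description should say what the param is for or it should be dropped before callers start passing it. If it is meant to let the destroy path delete the Secret created on create, that step is missing.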
@@ -74,8 +90,8 @@ spec: # Fedora params - name: version - description: this task will spin a Fedora-Cloud image. This param will set the version for it. Default 40. - default: '40' + description: this task will spin a Fedora-Cloud image. This param will set the version for it. Default 41. + default: '41' # Topology params - name: airgap @@ -94,9 +110,6 @@ spec: default: "''" # Control params - - name: remove-lock - description: in case a previous run fails the stack can be locked. This value allows to control if remove lock - default: 'true' - name: debug description: | Warning setting this param to true expose credentials 
@@ -106,104 +119,70 @@ spec: default: 'false' results: - - name: host - description: ip to connect to the provisioned machine - - name: username - description: username to connect to the provisioned machine - - name: key - description: filename for the private key. The key is located at workspace-resources-path - - name: bastion-host - description: if airgap is set we get the bastion host as result - - name: bastion-username - description: if airgap is set we get the bastion username to connect as result - - name: bastion-key - description: if airgap is set we get the bastion filename for the private key. The key is located at workspace-resources-path - + - name: host-access-secret + description: | + ocp secret holding the information to connect with the target machine. + + --- + apiVersion: v1 + kind: Secret + metadata: + name: ${name} + labels: + type: Opaque + data: + host: ${host} + username: ${username} + id_rsa: ${id_rsa} + # If airgap data for bastion host + bastion-host: ${bastion-host} + bastion-username: ${bastion-username} + bastion-id_rsa: ${bastion-id_rsa} steps: - name: provisioner image: quay.io/redhat-developer/mapt:v0.8.0-dev imagePullPolicy: Always + volumeMounts: + - name: aws-credentials + mountPath: /opt/aws-credentials + - name: host-info + mountPath: /opt/host-info script: | #!/bin/sh + set -euo pipefail # If debug add verbosity if [[ $(params.debug) == "true" ]]; then - set -xuo + set -xeuo pipefail fi # Credentials export AWS_ACCESS_KEY_ID=$(cat /opt/aws-credentials/access-key) export AWS_SECRET_ACCESS_KEY=$(cat /opt/aws-credentials/secret-key) export AWS_DEFAULT_REGION=$(cat /opt/aws-credentials/region) - - # Output folder - workspace_path=/opt/storage/$(params.ws-output-path) - mkdir -p ${workspace_path} - - # Remove lock - if [[ $(params.remove-lock) == "true" ]]; then - rm -rf ${workspace_path}/.pulumi/locks/* - fi + BUCKET=$(cat /opt/aws-credentials/bucket) # Run mapt cmd="mapt aws fedora $(params.operation) " - cmd="$cmd 
--project-name $(params.project-name) " - # Set the backed url - if [[ $(params.backed-url) != "" ]]; then - cmd="$cmd --backed-url $(params.backed-url) " - else - cmd="$cmd --backed-url file://${workspace_path} " - fi + cmd+="--project-name mapt-fedora-$(params.id) " + cmd+="--backed-url s3://${BUCKET}/mapt/fedora/$(params.id) " if [[ $(params.operation) == "create" ]]; then - cmd="$cmd --conn-details-output ${workspace_path} " - cmd="$cmd --arch $(params.arch) " - cmd="$cmd --cpus $(params.cpus) " - cmd="$cmd --memory $(params.memory) " - if [[ $(params.nested-virt) == "true" ]]; then - cmd="$cmd --nested-virt " - fi - cmd="$cmd --version $(params.version) " + cmd+="--conn-details-output /opt/host-info " + cmd+="--arch $(params.arch) " + cmd+="--cpus $(params.cpus) " + cmd+="--memory $(params.memory) " + cmd+="--version $(params.version) " + if $($(params.nested-virt)); then cmd+="--nested-virt "; fi + if [[ $(params.spot) == "true" ]]; then - cmd="$cmd --spot " + cmd+="--spot " fi if [[ $(params.airgap) == "true" ]]; then - cmd="$cmd --airgap " - fi - if [[ $(params.tags) != "" ]]; then - cmd="$cmd --tags $(params.tags) " + cmd+="--airgap " fi + cmd+="--tags $(params.tags) " fi eval "${cmd}" - - create_exit_code=$? 
- - # set task results - cat "${workspace_path}/host" | tee $(results.host.path) - cat "${workspace_path}/username" | tee $(results.username.path) - echo -n "id_rsa" | tee $(results.key.path) - if [[ $(params.airgap) == "true" ]]; then - cat "${workspace_path}/bastion_host" | tee $(results.bastion-host.path) - cat "${workspace_path}/bastion_username" | tee $(results.bastion-username.path) - echo -n "bastion_id_rsa" | tee $(results.bastion-key.path) - fi - - # If debug print credentials - if [[ $(params.debug) == "true" ]]; then - echo "Credentials to access target machine \n" - cat "${workspace_path}/host" - cat "${workspace_path}/username" - cat "${workspace_path}/id_rsa" - if [[ $(params.airgap) == "true" ]]; then - cat "${workspace_path}/bastion_host" - cat "${workspace_path}/bastion_username" - cat "${workspace_path}/bastion_id_rsa" - fi - fi - - if [[ ${create_exit_code} -ne 0 ]]; then - exit 1 - fi - resources: requests: memory: "200Mi" 
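Review bot: `if $($(params.nested-virt)); then cmd+="--nested-virt "; fi` executes the parameter value as a shell command — it only works because `true`/`false` happen to be commands whose exit status is then tested — so any other value (`yes`, or an arbitrary string supplied through a PipelineRun) is run verbatim in a container that has just exported the AWS keys into its environment. Use the comparison every other flag uses, `if [[ $(params.nested-virt) == "true" ]]; then cmd+="--nested-virt "; fi`, which is also what the rhel task in this diff does. Two related caveats: the shebang is still `#!/bin/sh` while the script now needs bash for `set -o pipefail`, `[[` and `+=`, so this only works if `/bin/sh` in the mapt image is bash; and `eval "${cmd}"` still splices `$(params.id)` and `$(params.tags)` unquoted into a shell command line, so those params are effectively trusted input. Dropping `remove-lock` also means a stale Pulumi lock left in the S3 backend by a failed run can no longer be cleared from the task, which is worth a sentence in the description if intentional.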
@@ -211,4 +190,54 @@ spec: limits: memory: "600Mi" cpu: "300m" - \ No newline at end of file + - name: host-info-secret + image: registry.redhat.io/openshift4/ose-cli:4.13@sha256:e70eb2be867f1236b19f5cbfeb8e0625737ce0ec1369e32a4f9f146aaaf68d49 + env: + - name: NAMESPACE + value: $(context.taskRun.namespace) + - name: OWNER_KIND + value: $(params.ownerKind) + - name: OWNER_NAME + value: $(params.ownerName) + - name: OWNER_UID + value: $(params.ownerUid) + volumeMounts: + - name: host-info + mountPath: /opt/host-info + script: | + #!/bin/bash + set -eo pipefail + if [[ $(params.operation) == "create" ]]; then + cat < host-info.yaml + apiVersion: v1 + kind: Secret + metadata: + generateName: mapt-aws-fedora- + namespace: $NAMESPACE + ownerReferences: + - apiVersion: tekton.dev/v1 + kind: $OWNER_KIND + name: $OWNER_NAME + uid: $OWNER_UID + type: Opaque + data: + host: $(cat /opt/host-info/host | base64 -w0) + username: $(cat /opt/host-info/username | base64 -w0) + id_rsa: $(cat /opt/host-info/id_rsa | base64 -w0) + EOF + if [[ $(params.airgap) == "true" ]]; then + cat <> host-info.yaml + bastion-host: $(cat /opt/host-info/bastion_host | base64 -w0) + bastion-username: $(cat /opt/host-info/bastion_username | base64 -w0) + bastion-id_rsa: $(cat /opt/host-info/bastion_id_rsa | base64 -w0) + EOF + fi + + if [[ $(params.debug) == "true" ]]; then + cat /opt/host-info/* + fi + + NAME=$(oc create -f host-info.yaml -o=jsonpath='{.metadata.name}') + echo -n "${NAME}" | tee $(results.host-access-secret.path) + fi + diff --git a/tkn/infra-aws-mac.yaml b/tkn/infra-aws-mac.yaml index 00f00fe09..8404514aa 100644 --- a/tkn/infra-aws-mac.yaml +++ b/tkn/infra-aws-mac.yaml 
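Review bot: This step needs `create` on `secrets` in `$(context.taskRun.namespace)`, which a default pipeline ServiceAccount does not have, and nothing in the task says so — a one-line note such as `# requires a Role granting create on secrets in the run namespace` above the step would save the first user an opaque `oc create` forbidden error. The rendered `host-info.yaml`, holding the base64 private key, is left on the step container's filesystem after `oc create`; piping the heredoc straight into `oc create -f -` (or `rm -f host-info.yaml` afterwards) avoids a second copy of the key. `ownerReferences.kind` comes from `ownerKind` unvalidated, and an owner that does not exist makes the Secret liable to be garbage-collected right after creation, so `[[ $OWNER_KIND == PipelineRun || $OWNER_KIND == TaskRun ]] || exit 1` before the heredoc is cheap insurance. The `cat < host-info.yaml` / `cat <> host-info.yaml` forms are presumably `cat <<EOF >` / `>>` with the operator lost in rendering.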
@@ -6,22 +6,24 @@ metadata: labels: app.kubernetes.io/version: "0.8.0-dev" annotations: - tekton.dev/pipelines.minVersion: "0.24.x" + tekton.dev/pipelines.minVersion: "0.44.x" tekton.dev/categories: infrastructure tekton.dev/tags: infrastructure, aws, mac tekton.dev/displayName: "aws manager" - tekton.dev/platforms: "linux/amd64" + tekton.dev/platforms: "linux/amd64, linux/arm64" spec: description: | - Task provision a mac dedicated host on AWS, and handle mac machines on top of it + Task provision a mac dedicated host on AWS, and handle mac machines on top of it. - The machine will offer nested virtualizataion capabilities as so it should be spin on a dedicated (baremetal) machine - - workspaces: - - name: storage - description: volume to store outputs to connect within the target machine + state file for the infrastructure - mountPath: /opt/storage + volumes: - name: aws-credentials + secret: + secretName: $(params.secret-aws-credentials) + - name: host-info + emptyDir: {} + + params: + - name: secret-aws-credentials description: | ocp secret holding the aws credentials. Secret should be accessible to this task. 
@@ -30,31 +32,38 @@ spec: kind: Secret metadata: name: aws-${name} - labels: - app.kubernetes.io/component: ${name} - app.kubernetes.io/part-of: qe-platform type: Opaque data: access-key: ${access_key} secret-key: ${secret_key} region: ${region} - mountPath: /opt/aws-credentials - - params: - # mapt params - - name: project-name - description: identifier for project. - - name: backed-url - description: | - If we want to backed resources externally we can use s3 setting this param(i.e s3://existing-bucket). - - If default will be store on storage workspace at path set by param ws-output-path. - default: "''" - - name: ws-output-path - description: path on workspace where to store ephemeral assets related with the provisioning + bucket: ${bucket} + - name: id + description: identifier for the provisioned environment - name: operation description: operation to execute within the infrastructure. Current values (create, destroy) + # Secret result ownership + - name: ownerKind + type: string + default: PipelineRun + description: | + The type of resource that should own the generated SpaceRequest. + Deletion of this resource will trigger deletion of the SpaceRequest. + Supported values: `PipelineRun`, `TaskRun`. + - name: ownerName + type: string + description: | + The name of the resource that should own the generated SpaceRequest. + This should either be passed the value of `$(context.pipelineRun.name)` + or `$(context.taskRun.name)` depending on the value of `ownerKind`. + - name: ownerUid + type: string + description: | + The uid of the resource that should own the generated SpaceRequest. + This should either be passed the value of `$(context.pipelineRun.uid)` + or `$(context.taskRun.uid)` depending on the value of `ownerKind`. + # Mac params # Dedicated Host - name: arch 
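Review bot: Same copy-paste as the other tasks: `ownerKind`/`ownerName`/`ownerUid` describe owning a 'generated SpaceRequest', but what this task generates is the `host-access-secret` Secret; suggested text `The type of resource that should own the generated host-access Secret. Deletion of this resource will trigger deletion of the Secret.` The `secret-aws-credentials` sample now carries a `bucket` key that the provisioner reads unconditionally; a sentence saying the bucket must already exist, that the run's Pulumi state lives at `s3://<bucket>/mapt/mac/<id>`, and that the same access key needs S3 permissions on it would help operators who share one bucket across tasks.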
@@ -76,9 +85,6 @@ spec: - name: fixed-location description: if this flag is set the host will be created only on the region set by the AWS Env (AWS_DEFAULT_REGION). default: 'false' - - name: spot - description: Check best spot option to spin the machine and will create resources on that region. - default: 'true' # Topology params - name: airgap @@ -97,9 +103,6 @@ spec: default: "''" # Control params - - name: remove-lock - description: in case a previous run fails the stack can be locked. This value allows to control if remove lock - default: 'true' - name: debug description: | Warning setting this param to true expose credentials 
@@ -109,117 +112,75 @@ spec: default: 'false' results: - - name: host-id - description: id for the dedicated host. It will be used as input when use this task to create new mac machines on the dedicated host - - name: host - description: ip to connect to the provisioned machine - - name: username - description: username to connect to the provisioned machine - - name: key - description: filename for the private key. The key is located at workspace-resources-path - - name: bastion-host - description: if airgap is set we get the bastion host as result - - name: bastion-username - description: if airgap is set we get the bastion username to connect as result - - name: bastion-key - description: if airgap is set we get the bastion filename for the private key. The key is located at workspace-resources-path + - name: host-access-secret + description: | + ocp secret holding the information to connect with the target machine. + + --- + apiVersion: v1 + kind: Secret + metadata: + name: ${name} + type: Opaque + data: + # host + host: ${host} + username: ${username} + id_rsa: ${id_rsa} + # If airgap data for bastion host + bastion-host: ${bastion-host} + bastion-username: ${bastion-username} + bastion-id_rsa: ${bastion-id_rsa} steps: - name: provisioner image: quay.io/redhat-developer/mapt:v0.8.0-dev imagePullPolicy: Always + volumeMounts: + - name: aws-credentials + mountPath: /opt/az-credentials + - name: host-info + mountPath: /opt/host-info script: | #!/bin/sh + set -euo pipefail # If debug add verbosity if [[ $(params.debug) == "true" ]]; then - set -xuo + set -xeuo pipefail fi # Credentials export AWS_ACCESS_KEY_ID=$(cat /opt/aws-credentials/access-key) export AWS_SECRET_ACCESS_KEY=$(cat /opt/aws-credentials/secret-key) export AWS_DEFAULT_REGION=$(cat /opt/aws-credentials/region) - - # Output folder - workspace_path=/opt/storage/$(params.ws-output-path) - mkdir -p ${workspace_path} - - # Remove lock - if [[ $(params.remove-lock) == "true" ]]; then - rm -rf 
${workspace_path}/.pulumi/locks/* - fi - + BUCKET=$(cat /opt/aws-credentials/bucket) + # Run mapt cmd="mapt aws mac $(params.operation) " - cmd="$cmd --project-name $(params.project-name) " - # Set the backed url - if [[ $(params.backed-url) != "" ]]; then - cmd="$cmd --backed-url $(params.backed-url) " - else - cmd="$cmd --backed-url file://${workspace_path} " - fi + cmd+="--project-name mapt-mac-$(params.id) " + cmd+="--backed-url s3://${BUCKET}/mapt/mac/$(params.id) " if [[ $(params.only-host) == "true" ]]; then - cmd="$cmd --only-host " + cmd+="--only-host " fi if [[ $(params.only-machine) == "true" ]]; then - cmd="$cmd --only-machine " + cmd+="--only-machine " fi if [[ $(params.operation) == "create" ]]; then + cmd+="--conn-details-output /opt/host-info " if [[ $(params.fixed-location) == "true" ]]; then - cmd="$cmd --fixed-location " + cmd+="--fixed-location " fi # Host params - cmd="$cmd --arch $(params.arch) " - if [[ $(params.host-id) != "" ]]; then - cmd="$cmd --host-id $(params.host-id) " - fi + cmd+="--arch $(params.arch) " # Mac machine params - cmd="$cmd --version $(params.version) " - cmd="$cmd --conn-details-output ${workspace_path} " - if [[ $(params.spot) == "true" ]]; then - cmd="$cmd --spot " - fi + cmd+="--version $(params.version) " if [[ $(params.airgap) == "true" ]]; then - cmd="$cmd --airgap " - fi - if [[ $(params.tags) != "" ]]; then - cmd="$cmd --tags $(params.tags) " + cmd+="--airgap " fi - + cmd+="--tags $(params.tags) " fi eval "${cmd}" - - create_exit_code=$? 
- - # set task results - cat "${workspace_path}/dedicatedHostID" | tee $(results.host-id.path) - cat "${workspace_path}/host" | tee $(results.host.path) - cat "${workspace_path}/username" | tee $(results.username.path) - echo -n "id_rsa" | tee $(results.key.path) - if [[ $(params.airgap) == "true" ]]; then - cat "${workspace_path}/bastion_host" | tee $(results.bastion-host.path) - cat "${workspace_path}/bastion_username" | tee $(results.bastion-username.path) - echo -n "bastion_id_rsa" | tee $(results.bastion-key.path) - fi - - # If debug print credentials - if [[ $(params.debug) == "true" ]]; then - echo "Credentials to access target machine \n" - cat "${workspace_path}/host" - cat "${workspace_path}/username" - cat "${workspace_path}/id_rsa" - if [[ $(params.airgap) == "true" ]]; then - cat "${workspace_path}/bastion_host" - cat "${workspace_path}/bastion_username" - cat "${workspace_path}/bastion_id_rsa" - fi - fi - - if [[ ${create_exit_code} -ne 0 ]]; then - exit 1 - fi - resources: requests: memory: "200Mi" 
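Review bot: The provisioner mounts `aws-credentials` at `/opt/az-credentials`, but the script reads `/opt/aws-credentials/access-key` and friends, so under the new `set -euo pipefail` the step dies on the first `cat` and the mac task cannot run at all; the fix is `mountPath: /opt/aws-credentials`, matching the fedora and rhel tasks. Separately, the old script surfaced `${workspace_path}/dedicatedHostID` as the `host-id` result, whose description said it is the input for creating further mac machines on the same dedicated host; the new script writes nothing equivalent and the `--host-id` flag is gone, so reusing a dedicated host through this task no longer appears possible — if that is intentional the description should say so. The `eval`/`#!/bin/sh` caveats raised on the fedora task apply here unchanged.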
@@ -227,4 +188,55 @@ spec: limits: memory: "600Mi" cpu: "300m" - \ No newline at end of file + + - name: host-info-secret + image: registry.redhat.io/openshift4/ose-cli:4.13@sha256:e70eb2be867f1236b19f5cbfeb8e0625737ce0ec1369e32a4f9f146aaaf68d49 + env: + - name: NAMESPACE + value: $(context.taskRun.namespace) + - name: OWNER_KIND + value: $(params.ownerKind) + - name: OWNER_NAME + value: $(params.ownerName) + - name: OWNER_UID + value: $(params.ownerUid) + volumeMounts: + - name: host-info + mountPath: /opt/host-info + script: | + #!/bin/bash + set -eo pipefail + if [[ $(params.operation) == "create" ]]; then + cat < host-info.yaml + apiVersion: v1 + kind: Secret + metadata: + generateName: mapt-aws-mac- + namespace: $NAMESPACE + ownerReferences: + - apiVersion: tekton.dev/v1 + kind: $OWNER_KIND + name: $OWNER_NAME + uid: $OWNER_UID + type: Opaque + data: + host: $(cat /opt/host-info/host | base64 -w0) + username: $(cat /opt/host-info/username | base64 -w0) + id_rsa: $(cat /opt/host-info/id_rsa | base64 -w0) + EOF + if [[ $(params.airgap) == "true" ]]; then + cat <> host-info.yaml + bastion-host: $(cat /opt/host-info/bastion_host | base64 -w0) + bastion-username: $(cat /opt/host-info/bastion_username | base64 -w0) + bastion-id_rsa: $(cat /opt/host-info/bastion_id_rsa | base64 -w0) + EOF + fi + + if [[ $(params.debug) == "true" ]]; then + cat /opt/host-info/* + fi + + NAME=$(oc create -f host-info.yaml -o=jsonpath='{.metadata.name}') + echo -n "${NAME}" | tee $(results.host-access-secret.path) + + fi diff --git a/tkn/infra-aws-rhel.yaml b/tkn/infra-aws-rhel.yaml index 56a3b77a2..3971a44c8 100644 --- a/tkn/infra-aws-rhel.yaml +++ b/tkn/infra-aws-rhel.yaml 
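Review bot: The generated Secret carries only `host`/`username`/`id_rsa` plus the bastion fields, so the dedicated host id that the previous task version exposed as a result is not persisted anywhere a pipeline can reach; if mapt still writes `dedicatedHostID` into the conn-details directory, adding `dedicated-host-id: $(cat /opt/host-info/dedicatedHostID | base64 -w0)` to the `data:` block would restore it. As in the other tasks, the step silently needs RBAC to create Secrets in the run namespace, and `cat /opt/host-info/*` on debug prints the private key into the TaskRun log — printing only `host` and `username` there keeps debug useful without leaking the key. The `cat < host-info.yaml` / `cat <> host-info.yaml` forms are presumably `<<EOF >` / `<<EOF >>` lost in rendering.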
@@ -6,22 +6,28 @@ metadata: labels: app.kubernetes.io/version: "0.8.0-dev" annotations: - tekton.dev/pipelines.minVersion: "0.24.x" + tekton.dev/pipelines.minVersion: "0.44.x" tekton.dev/categories: infrastructure tekton.dev/tags: infrastructure, aws, rhel tekton.dev/displayName: "aws manager" - tekton.dev/platforms: "linux/amd64" + tekton.dev/platforms: "linux/amd64, linux/arm64" spec: description: | Task provision a RHEL dedicated on host on AWS - The machine will offer nested virtualizataion capabilities as so it should be spin on a dedicated (baremetal) machine - - workspaces: - - name: storage - description: volume to store outputs to connect within the target machine + state file for the infrastructure - mountPath: /opt/storage + volumes: - name: aws-credentials + secret: + secretName: $(params.secret-aws-credentials) + - name: rh-credentials + secret: + secretName: $(params.secret-rh-credentials) + optional: true + - name: host-info + emptyDir: {} + + params: + - name: secret-aws-credentials description: | ocp secret holding the aws credentials. Secret should be accessible to this task. @@ -30,21 +36,20 @@ spec: kind: Secret metadata: name: aws-${name} - labels: - app.kubernetes.io/component: ${name} - app.kubernetes.io/part-of: qe-platform type: Opaque data: access-key: ${access_key} secret-key: ${secret_key} region: ${region} - mountPath: /opt/aws-credentials - - name: rh-account-secret - optional: true + bucket: ${bucket} + - name: secret-rh-credentials + default: 'non-existent-secret' description: | - ocp secret holding the credentials for a valid rh user to subscribe VM. Secret should be accessible to this task. + ocp secret holding the credentials for a rh user to manage RHEL subscription. + + As this credentials are optional we set a non-existent name for the secret which + will be mounted as an empty volume - Sample format for valid Secret --- apiVersion: v1 kind: Secret 
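Review bot: Making the `rh-credentials` volume `optional: true` with a `non-existent-secret` default means a misspelled `secret-rh-credentials` name is indistinguishable from 'no subscription wanted': the mount is empty, the provisioner skips the `--rh-subscription-*` flags, and the VM comes up unregistered with no error. A cheap guard in the provisioner step is to fail when a non-default name was given but the files are absent, e.g. `[[ $(params.secret-rh-credentials) == non-existent-secret || -f /opt/rh-account-secret/user ]] || { echo "rh credentials secret not found"; exit 1; }`. The description could also state that, when present, the secret must contain both `user` and `password`, since the script tests for each file independently. Minor wording: 'As this credentials are optional' → 'As these credentials are optional'.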
@@ -54,23 +59,32 @@ spec: data: user: ${user} password: ${password} - mountPath: /opt/rh-account-secret - - params: - # mapt params - - name: project-name - description: identifier for project. - - name: backed-url - description: | - If we want to backed resources externally we can use s3 setting this param(i.e s3://existing-bucket). - - If default will be store on storage workspace at path set by param ws-output-path. - default: "''" - - name: ws-output-path - description: path on workspace where to store ephemeral assets related with the provisioning + - name: id + description: identifier for the provisioned environment - name: operation description: operation to execute within the infrastructure. Current values (create, destroy) + # Secret result ownership + - name: ownerKind + type: string + default: PipelineRun + description: | + The type of resource that should own the generated SpaceRequest. + Deletion of this resource will trigger deletion of the SpaceRequest. + Supported values: `PipelineRun`, `TaskRun`. + - name: ownerName + type: string + description: | + The name of the resource that should own the generated SpaceRequest. + This should either be passed the value of `$(context.pipelineRun.name)` + or `$(context.taskRun.name)` depending on the value of `ownerKind`. + - name: ownerUid + type: string + description: | + The uid of the resource that should own the generated SpaceRequest. + This should either be passed the value of `$(context.pipelineRun.uid)` + or `$(context.taskRun.uid)` depending on the value of `ownerKind`. + # VM type params - name: arch description: Architecture for the machine. Allowed x86_64 or arm64 (default "x86_64") @@ -117,9 +131,6 @@ spec: default: "''" # Control params - - name: remove-lock - description: in case a previous run fails the stack can be locked. This value allows to control if remove lock - default: 'true' - name: debug description: | Warning setting this param to true expose credentials 
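Review bot: The `ownerKind`/`ownerName`/`ownerUid` descriptions refer to a 'generated SpaceRequest', which is not what this task produces; they should name the `host-access-secret` Secret, e.g. `The type of resource that should own the generated host-access Secret. Deletion of this resource will trigger deletion of the Secret.` Also worth a line in the task description: the secret named by `secret-aws-credentials` must now contain a `bucket` key, and that bucket becomes the Pulumi backend (`s3://<bucket>/mapt/rhel/<id>`), so the same access key needs the corresponding S3 permissions.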
@@ -129,112 +140,81 @@ spec: default: 'false' results: - - name: host - description: ip to connect to the provisioned machine - - name: username - description: username to connect to the provisioned machine - - name: key - description: filename for the private key. The key is located at workspace-resources-path - - name: bastion-host - description: if airgap is set we get the bastion host as result - - name: bastion-username - description: if airgap is set we get the bastion username to connect as result - - name: bastion-key - description: if airgap is set we get the bastion filename for the private key. The key is located at workspace-resources-path + - name: host-access-secret + description: | + ocp secret holding the information to connect with the target machine. + + --- + apiVersion: v1 + kind: Secret + metadata: + name: ${name} + labels: + type: Opaque + data: + host: ${host} + username: ${username} + id_rsa: ${id_rsa} + # If airgap data for bastion host + bastion-host: ${bastion-host} + bastion-username: ${bastion-username} + bastion-id_rsa: ${bastion-id_rsa} steps: - name: provisioner image: quay.io/redhat-developer/mapt:v0.8.0-dev imagePullPolicy: Always + volumeMounts: + - name: aws-credentials + mountPath: /opt/aws-credentials + - name: rh-credentials + mountPath: /opt/rh-account-secret + - name: host-info + mountPath: /opt/host-info script: | #!/bin/sh + set -euo pipefail # If debug add verbosity if [[ $(params.debug) == "true" ]]; then - set -xuo + set -xeuo pipefail fi # Credentials export AWS_ACCESS_KEY_ID=$(cat /opt/aws-credentials/access-key) export AWS_SECRET_ACCESS_KEY=$(cat /opt/aws-credentials/secret-key) export AWS_DEFAULT_REGION=$(cat /opt/aws-credentials/region) - - # Output folder - workspace_path=/opt/storage/$(params.ws-output-path) - mkdir -p ${workspace_path} - - # Remove lock - if [[ $(params.remove-lock) == "true" ]]; then - rm -rf ${workspace_path}/.pulumi/locks/* - fi + BUCKET=$(cat /opt/aws-credentials/bucket) # Run mapt cmd="mapt 
aws rhel $(params.operation) " - cmd="$cmd --project-name $(params.project-name) " - # Set the backed url - if [[ $(params.backed-url) != "" ]]; then - cmd="$cmd --backed-url $(params.backed-url) " - else - cmd="$cmd --backed-url file://${workspace_path} " - fi + cmd+="--project-name mapt-rhel-$(params.id) " + cmd+="--backed-url s3://${BUCKET}/mapt/rhel/$(params.id) " if [[ $(params.operation) == "create" ]]; then - cmd="$cmd --conn-details-output ${workspace_path} " - cmd="$cmd --arch $(params.arch) " - cmd="$cmd --cpus $(params.cpus) " - cmd="$cmd --memory $(params.memory) " + cmd+="--conn-details-output /opt/host-info " + cmd+="--arch $(params.arch) " + cmd+="--cpus $(params.cpus) " + cmd+="--memory $(params.memory) " if [[ $(params.nested-virt) == "true" ]]; then - cmd="$cmd --nested-virt " + cmd+="--nested-virt " fi - cmd="$cmd --version $(params.version) " + cmd+="--version $(params.version) " if [[ $(params.vm-types) != "" ]]; then - cmd="$cmd --vm-types $(params.vm-types) " - fi - cmd="$cmd --rh-subscription-username $(cat /opt/rh-account-secret/user) " - cmd="$cmd --rh-subscription-password $(cat /opt/rh-account-secret/password) " - if [[ $(params.spot) == "true" ]]; then - cmd="$cmd --spot " + cmd+="--vm-types $(params.vm-types) " fi - if [[ $(params.airgap) == "true" ]]; then - cmd="$cmd --airgap " + if [[ -f /opt/rh-account-secret/user ]]; then + cmd+="--rh-subscription-username $(cat /opt/rh-account-secret/user) " fi - if [[ $(params.profile-snc) == "true" ]]; then - cmd="$cmd --snc " - fi - if [[ $(params.tags) != "" ]]; then - cmd="$cmd --tags $(params.tags) " + if [[ -f /opt/rh-account-secret/password ]]; then + cmd+="--rh-subscription-password $(cat /opt/rh-account-secret/password) " fi + if [[ $(params.spot) == "true" ]]; then cmd+="--spot "; fi + if [[ $(params.airgap) == "true" ]]; then cmd+="--airgap "; fi + if [[ $(params.profile-snc) == "true" ]]; then cmd+="--snc "; fi + cmd+="--tags $(params.tags) " fi eval "${cmd}" - create_exit_code=$? 
- - # set task results - cat "${workspace_path}/host" | tee $(results.host.path) - cat "${workspace_path}/username" | tee $(results.username.path) - echo -n "id_rsa" | tee $(results.key.path) - if [[ $(params.airgap) == "true" ]]; then - cat "${workspace_path}/bastion_host" | tee $(results.bastion-host.path) - cat "${workspace_path}/bastion_username" | tee $(results.bastion-username.path) - echo -n "bastion_id_rsa" | tee $(results.bastion-key.path) - fi - - # If debug print credentials - if [[ $(params.debug) == "true" ]]; then - echo "Credentials to access target machine \n" - cat "${workspace_path}/host" - cat "${workspace_path}/username" - cat "${workspace_path}/id_rsa" - if [[ $(params.airgap) == "true" ]]; then - cat "${workspace_path}/bastion_host" - cat "${workspace_path}/bastion_username" - cat "${workspace_path}/bastion_id_rsa" - fi - fi - - if [[ ${create_exit_code} -ne 0 ]]; then - exit 1 - fi - resources: requests: memory: "200Mi" 
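Review bot: `cmd+="--rh-subscription-password $(cat /opt/rh-account-secret/password) "` splices the subscription password into a string that is later `eval`ed, so a password containing a space, quote, `$`, `;` or backtick is re-parsed as shell — at best mapt receives a truncated password, at worst part of it runs as a command in a container holding the AWS keys. The same applies to `$(params.tags)`, `$(params.id)` and `$(params.vm-types)`, which any PipelineRun author controls. Building the command as a bash array and invoking mapt directly removes the eval while keeping every flag; the script already depends on bash (`[[`, `+=`, `set -o pipefail`), so the shebang should say `#!/bin/bash` or whatever bash path the mapt image provides. With the array form the `"''"` defaults used for `tags` would be passed literally and should become plain empty defaults. The two `-f` tests are also independent, so only one of `user`/`password` being present sends half a credential — test both together.
```shell
args=(--project-name "mapt-rhel-$(params.id)" --backed-url "s3://${BUCKET}/mapt/rhel/$(params.id)")
if [[ $(params.operation) == "create" ]]; then
  args+=(--conn-details-output /opt/host-info --arch "$(params.arch)" --cpus "$(params.cpus)" --memory "$(params.memory)" --version "$(params.version)")
  # … unchanged: nested-virt / vm-types / spot / airgap / snc handling, each appended with args+=(…) …
  if [[ -f /opt/rh-account-secret/user && -f /opt/rh-account-secret/password ]]; then
    args+=(--rh-subscription-username "$(cat /opt/rh-account-secret/user)")
    args+=(--rh-subscription-password "$(cat /opt/rh-account-secret/password)")
  fi
  args+=(--tags "$(params.tags)")
fi
mapt aws rhel "$(params.operation)" "${args[@]}"
```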
@@ -242,4 +222,53 @@ spec: limits: memory: "600Mi" cpu: "300m" - \ No newline at end of file + - name: host-info-secret + image: registry.redhat.io/openshift4/ose-cli:4.13@sha256:e70eb2be867f1236b19f5cbfeb8e0625737ce0ec1369e32a4f9f146aaaf68d49 + env: + - name: NAMESPACE + value: $(context.taskRun.namespace) + - name: OWNER_KIND + value: $(params.ownerKind) + - name: OWNER_NAME + value: $(params.ownerName) + - name: OWNER_UID + value: $(params.ownerUid) + volumeMounts: + - name: host-info + mountPath: /opt/host-info + script: | + #!/bin/bash + set -eo pipefail + if [[ $(params.operation) == "create" ]]; then + cat < host-info.yaml + apiVersion: v1 + kind: Secret + metadata: + generateName: mapt-aws-rhel- + namespace: $NAMESPACE + ownerReferences: + - apiVersion: tekton.dev/v1 + kind: $OWNER_KIND + name: $OWNER_NAME + uid: $OWNER_UID + type: Opaque + data: + host: $(cat /opt/host-info/host | base64 -w0) + username: $(cat /opt/host-info/username | base64 -w0) + id_rsa: $(cat /opt/host-info/id_rsa | base64 -w0) + EOF + if [[ $(params.airgap) == "true" ]]; then + cat <> host-info.yaml + bastion-host: $(cat /opt/host-info/bastion_host | base64 -w0) + bastion-username: $(cat /opt/host-info/bastion_username | base64 -w0) + bastion-id_rsa: $(cat /opt/host-info/bastion_id_rsa | base64 -w0) + EOF + fi + + if [[ $(params.debug) == "true" ]]; then + cat /opt/host-info/* + fi + + NAME=$(oc create -f host-info.yaml -o=jsonpath='{.metadata.name}') + echo -n "${NAME}" | tee $(results.host-access-secret.path) + fi \ No newline at end of file diff --git a/tkn/infra-aws-windows-server.yaml b/tkn/infra-aws-windows-server.yaml index c08e96e08..2a09888a4 100644 --- a/tkn/infra-aws-windows-server.yaml +++ b/tkn/infra-aws-windows-server.yaml 
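Review bot: With `debug` set, `cat /opt/host-info/*` prints `id_rsa` (and `bastion-id_rsa`) into the TaskRun log, and those logs usually outlive the pod in whatever aggregation the cluster forwards to; the param does warn about this, but printing only the non-secret fields — `cat /opt/host-info/host /opt/host-info/username` — keeps debug useful without copying a private key into logs. The step also silently requires a Role with `create` on `secrets` for the run ServiceAccount, and leaves `host-info.yaml` (base64 private key) on the container filesystem after `oc create`; piping the heredoc into `oc create -f -` avoids the file. The file additionally lost its trailing newline (`\ No newline at end of file`).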
@@ -6,22 +6,26 @@ metadata: labels: app.kubernetes.io/version: "0.8.0-dev" annotations: - tekton.dev/pipelines.minVersion: "0.24.x" + tekton.dev/pipelines.minVersion: "0.44.x" tekton.dev/categories: infrastructure tekton.dev/tags: infrastructure, aws, windows-server tekton.dev/displayName: "aws manager" - tekton.dev/platforms: "linux/amd64" + tekton.dev/platforms: "linux/amd64, linux/arm64" spec: description: | Task provision a windows server dedicated on host on AWS The machine will offer nested virtualizataion capabilities as so it should be spin on a dedicated (baremetal) machine - workspaces: - - name: storage - description: volume to store outputs to connect within the target machine + state file for the infrastructure - mountPath: /opt/storage + volumes: - name: aws-credentials + secret: + secretName: $(params.secret-aws-credentials) + - name: host-info + emptyDir: {} + + params: + - name: secret-aws-credentials description: | ocp secret holding the aws credentials. Secret should be accessible to this task. @@ -30,28 +34,14 @@ spec: kind: Secret metadata: name: aws-${name} - labels: - app.kubernetes.io/component: ${name} - app.kubernetes.io/part-of: qe-platform type: Opaque data: access-key: ${access_key} secret-key: ${secret_key} region: ${region} - mountPath: /opt/aws-credentials - - params: - # mapt params - - name: project-name - description: identifier for project. - - name: backed-url - description: | - If we want to backed resources externally we can use s3 setting this param(i.e s3://existing-bucket). - - If default will be store on storage workspace at path set by param ws-output-path. - default: "''" - - name: ws-output-path - description: path on workspace where to store ephemeral assets related with the provisioning + bucket: ${bucket} + - name: id + description: identifier for the provisioned environment - name: operation description: operation to execute within the infrastructure. Current values (create, destroy) 
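Review bot: The `ownerKind`/`ownerName`/`ownerUid` params that the fedora, mac and rhel tasks gain in this diff are missing here, although the same `volumes`/`host-info` pattern is introduced; if the windows-server secret-creating step (outside this hunk) references `$(params.ownerKind)` like the others, the Task fails validation on apply, and if it does not, the generated Secret has no owner and is never garbage-collected with the run. Either add the three params with the same descriptions (naming the generated Secret rather than a 'SpaceRequest') or document that the caller must delete the windows Secret. The `emptyDir: {}` for `host-info` holds the private key on node disk; `medium: Memory` is the cheaper choice here as in the other tasks.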
@@ -85,9 +75,6 @@ spec: default: "''" # Control params - - name: remove-lock - description: in case a previous run fails the stack can be locked. This value allows to control if remove lock - default: 'true' - name: debug description: | Warning setting this param to true expose credentials 
@@ -97,107 +84,123 @@ spec: default: 'false' results: - - name: host - description: ip to connect to the provisioned machine - - name: username - description: username to connect to the provisioned machine - - name: key - description: filename for the private key. The key is located at workspace-resources-path - - name: bastion-host - description: if airgap is set we get the bastion host as result - - name: bastion-username - description: if airgap is set we get the bastion username to connect as result - - name: bastion-key - description: if airgap is set we get the bastion filename for the private key. The key is located at workspace-resources-path + - name: host-access-secret + description: | + ocp secret holding the information to connect with the target machine. + + --- + apiVersion: v1 + kind: Secret + metadata: + name: ${name} + labels: + type: Opaque + data: + host: ${host} + username: ${username} + id_rsa: ${id_rsa} + # If airgap data for bastion host + bastion-host: ${bastion-host} + bastion-username: ${bastion-username} + bastion-id_rsa: ${bastion-id_rsa} + steps: - - name: provisioner - image: quay.io/redhat-developer/mapt:v0.8.0-dev - imagePullPolicy: Always - script: | - #!/bin/sh - - # If debug add verbosity - if [[ $(params.debug) == "true" ]]; then - set -xuo - fi - - # Credentials - export AWS_ACCESS_KEY_ID=$(cat /opt/aws-credentials/access-key) - export AWS_SECRET_ACCESS_KEY=$(cat /opt/aws-credentials/secret-key) - export AWS_DEFAULT_REGION=$(cat /opt/aws-credentials/region) - - # Output folder - workspace_path=/opt/storage/$(params.ws-output-path) - mkdir -p ${workspace_path} - - # Remove lock - if [[ $(params.remove-lock) == "true" ]]; then - rm -rf ${workspace_path}/.pulumi/locks/* - fi - - # Run mapt - cmd="mapt aws windows $(params.operation) " - cmd="$cmd --project-name $(params.project-name) " - # Set the backed url - if [[ $(params.backed-url) != "" ]]; then - cmd="$cmd --backed-url $(params.backed-url) " - else - cmd="$cmd --backed-url 
file://${workspace_path} " - fi - if [[ $(params.operation) == "create" ]]; then - cmd="$cmd --conn-details-output ${workspace_path} " - cmd="$cmd --ami-name $(params.ami-name) " - cmd="$cmd --ami-username $(params.ami-username) " - cmd="$cmd --ami-owner $(params.ami-owner) " - cmd="$cmd --ami-lang $(params.ami-lang) " - if [[ $(params.spot) == "true" ]]; then - cmd="$cmd --spot " - fi - if [[ $(params.airgap) == "true" ]]; then - cmd="$cmd --airgap " + - name: provisioner + image: quay.io/redhat-developer/mapt:v0.8.0-dev + imagePullPolicy: Always + volumeMounts: + - name: aws-credentials + mountPath: /opt/aws-credentials + - name: host-info + mountPath: /opt/host-info + script: | + #!/bin/sh + + set -euo pipefail + # If debug add verbosity + if [[ $(params.debug) == "true" ]]; then + set -xeuo pipefail fi - if [[ $(params.tags) != "" ]]; then - cmd="$cmd --tags $(params.tags) " + + # Credentials + export AWS_ACCESS_KEY_ID=$(cat /opt/aws-credentials/access-key) + export AWS_SECRET_ACCESS_KEY=$(cat /opt/aws-credentials/secret-key) + export AWS_DEFAULT_REGION=$(cat /opt/aws-credentials/region) + BUCKET=$(cat /opt/aws-credentials/bucket) + + # Run mapt + cmd="mapt aws windows $(params.operation) " + cmd+="--project-name mapt-windows-$(params.id) " + # Set the backed url + cmd+="--backed-url s3://${BUCKET}/mapt/windows/$(params.id) " + if [[ $(params.operation) == "create" ]]; then + cmd+="--conn-details-output /opt/host-info " + cmd+="--ami-name $(params.ami-name) " + cmd+="--ami-username $(params.ami-username) " + cmd+="--ami-owner $(params.ami-owner) " + cmd+="--ami-lang $(params.ami-lang) " + if [[ $(params.spot) == "true" ]]; then cmd+="--spot "; fi + if [[ $(params.airgap) == "true" ]]; then cmd+="--airgap "; fi + cmd+="--tags $(params.tags) " fi - fi - eval "${cmd}" - - create_exit_code=$? 
- - # set task results - cat "${workspace_path}/host" | tee $(results.host.path) - cat "${workspace_path}/username" | tee $(results.username.path) - echo -n "id_rsa" | tee $(results.key.path) - if [[ $(params.airgap) == "true" ]]; then - cat "${workspace_path}/bastion_host" | tee $(results.bastion-host.path) - cat "${workspace_path}/bastion_username" | tee $(results.bastion-username.path) - echo -n "bastion_id_rsa" | tee $(results.bastion-key.path) - fi - - # If debug print credentials - if [[ $(params.debug) == "true" ]]; then - echo "Credentials to access target machine \n" - cat "${workspace_path}/host" - cat "${workspace_path}/username" - cat "${workspace_path}/id_rsa" + eval "${cmd}" + resources: + requests: + memory: "200Mi" + cpu: "100m" + limits: + memory: "600Mi" + cpu: "300m" + - name: host-info-secret + image: registry.redhat.io/openshift4/ose-cli:4.13@sha256:e70eb2be867f1236b19f5cbfeb8e0625737ce0ec1369e32a4f9f146aaaf68d49 + env: + - name: NAMESPACE + value: $(context.taskRun.namespace) + - name: OWNER_KIND + value: $(params.ownerKind) + - name: OWNER_NAME + value: $(params.ownerName) + - name: OWNER_UID + value: $(params.ownerUid) + volumeMounts: + - name: host-info + mountPath: /opt/host-info + script: | + #!/bin/bash + set -eo pipefail + if [[ $(params.operation) == "create" ]]; then + cat < host-info.yaml + apiVersion: v1 + kind: Secret + metadata: + generateName: mapt-aws-windows- + namespace: $NAMESPACE + ownerReferences: + - apiVersion: tekton.dev/v1 + kind: $OWNER_KIND + name: $OWNER_NAME + uid: $OWNER_UID + type: Opaque + data: + host: $(cat /opt/host-info/host | base64 -w0) + username: $(cat /opt/host-info/username | base64 -w0) + id_rsa: $(cat /opt/host-info/id_rsa | base64 -w0) + EOF if [[ $(params.airgap) == "true" ]]; then - cat "${workspace_path}/bastion_host" - cat "${workspace_path}/bastion_username" - cat "${workspace_path}/bastion_id_rsa" + cat <> host-info.yaml + bastion-host: $(cat /opt/host-info/bastion_host | base64 -w0) + 
bastion-username: $(cat /opt/host-info/bastion_username | base64 -w0) + bastion-id_rsa: $(cat /opt/host-info/bastion_id_rsa | base64 -w0) + EOF fi - fi - - if [[ ${create_exit_code} -ne 0 ]]; then - exit 1 - fi - resources: - requests: - memory: "200Mi" - cpu: "100m" - limits: - memory: "600Mi" - cpu: "300m" + if [[ $(params.debug) == "true" ]]; then + cat /opt/host-info/* + fi + + NAME=$(oc create -f host-info.yaml -o=jsonpath='{.metadata.name}') + echo -n "${NAME}" | tee $(results.host-access-secret.path) + fi - \ No newline at end of file + \ No newline at end of file diff --git a/tkn/infra-azure-aks.yaml b/tkn/infra-azure-aks.yaml new file mode 100644 index 000000000..4647df6d0 --- /dev/null +++ b/tkn/infra-azure-aks.yaml 
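Review bot: `set -euo pipefail` is now the first statement of a script whose shebang is `#!/bin/sh`, and the body relies on `[[ ]]` and `cmd+=`; that only works where /bin/sh happens to be bash, while the host-info-secret step in the same file already uses `#!/bin/bash`, so the provisioner shebang should be `#!/bin/bash` as well (the azure-aks, azure-fedora and azure-rhel provisioner steps have the same mismatch). The command is still assembled as a string from `$(params.id)`, `$(params.tags)`, `$(params.ami-name)` and the other params and executed with `eval "${cmd}"`, so a value containing shell metacharacters is interpreted rather than passed as an argument; since `id` also becomes the S3 state path, a check such as `[[ $(params.id) =~ ^[a-zA-Z0-9-]+$ ]] || { echo "invalid id"; exit 1; }` before the eval keeps both the shell command and the state layout well-formed.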
@@ -0,0 +1,212 @@ +--- +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: infra-azure-aks + labels: + app.kubernetes.io/version: "0.8.0-dev" + annotations: + tekton.dev/pipelines.minVersion: "0.44.x" + tekton.dev/categories: infrastructure + tekton.dev/tags: infrastructure, azure + tekton.dev/displayName: "azure manager" + tekton.dev/platforms: "linux/amd64, linux/arm64" +spec: + description: | + This task will provision / decomission azure aks cluster + + The output will give required information to connect within the remote provisioned cluster + + volumes: + - name: az-credentials + secret: + secretName: $(params.secret-az-credentials) + - name: ckuster-info + emptyDir: {} + + params: + - name: secret-az-credentials + description: | + ocp secret holding the azure credentials. Secret should be accessible to this task. + + --- + apiVersion: v1 + kind: Secret + metadata: + name: ${name} + type: Opaque + data: + tenant_id: ${tenant_id} + subscription_id: ${subscription_id} + client_id: ${client_id} + client_secret: ${client_secret} + storage_account: ${storage_account} + storage_key: ${storage_key} + blob: ${blob} + - name: id + description: identifier for the provisioned environment + - name: operation + description: operation to execute within the infrastructure. Current values (create, destroy) + + # Secret result ownership + - name: ownerKind + type: string + default: PipelineRun + description: | + The type of resource that should own the generated SpaceRequest. + Deletion of this resource will trigger deletion of the SpaceRequest. + Supported values: `PipelineRun`, `TaskRun`. + - name: ownerName + type: string + description: | + The name of the resource that should own the generated SpaceRequest. + This should either be passed the value of `$(context.pipelineRun.name)` + or `$(context.taskRun.name)` depending on the value of `ownerKind`. 
+ - name: ownerUid + type: string + description: | + The uid of the resource that should own the generated SpaceRequest. + This should either be passed the value of `$(context.pipelineRun.uid)` + or `$(context.taskRun.uid)` depending on the value of `ownerKind`. + + # AKS params + - name: k8s-version + description: AKS K8s cluster version (default "1.30") + default: '1.30' + - name: only-system-pool + description: if we do not need bunch of resources we can run only the systempool. More info https://learn.microsoft.com/es-es/azure/aks/use-system-pools?tabs=azure-cli#system-and-user-node-pools. (default false) + default: 'false' + - name: enable-app-routing + description: enable application routing add-on with NGINX. (default false) + default: 'false' + + # VM type params for pools + - name: spot + description: in case spot is set to true it 'ill check for best spot price and create the VM on the target region + default: 'true' + - name: spot-eviction-tolerance + description: 'if spot is enable we can define the minimum tolerance level of eviction. 
Allowed value are: lowest, low, medium, high or highest' + default: 'lowest' + + # Metadata params + - name: tags + description: tags for the resources created on the providers + default: "''" + + # Control params + - name: debug + description: | + Warning setting this param to true expose credentials + + The parameter is intended to add verbosity on the task execution and also print credentials on stdout + to easily access to remote machice + default: 'false' + + results: + - name: cluster-access-secret + description: | + ocp secret holding the information to connect to the cluster + + --- + apiVersion: v1 + kind: Secret + metadata: + name: ${name} + type: Opaque + data: + kubeconfig: ${kubeconfig} + + steps: + - name: provisioner + image: quay.io/redhat-developer/mapt:v0.8.0-dev + imagePullPolicy: Always + volumeMounts: + - name: az-credentials + mountPath: /opt/az-credentials + - name: cluster-info + mountPath: /opt/cluster-info + script: | + #!/bin/sh + + # If debug add verbosity + if [[ $(params.debug) == "true" ]]; then + set -xuo + fi + + # Credentials + export ARM_TENANT_ID=$(cat /opt/az-credentials/tenant_id) + export ARM_SUBSCRIPTION_ID=$(cat /opt/az-credentials/subscription_id) + export ARM_CLIENT_ID=$(cat /opt/az-credentials/client_id) + export ARM_CLIENT_SECRET=$(cat /opt/az-credentials/client_secret) + export AZURE_STORAGE_ACCOUNT=$(cat /opt/az-credentials/storage_account) + export AZURE_STORAGE_KEY=$(cat /opt/az-credentials/storage_key) + BLOB=$(cat /opt/az-credentials/blob) + + + # Run mapt + cmd="mapt azure aks $(params.operation) " + cmd+="--project-name mapt-aks-$(params.id) " + cmd+="--backed-url azblob://${BLOB}/aks-$(params.id) " + if [[ $(params.operation) == "create" ]]; then + cmd+="--conn-details-output /opt/cluster-info " + cmd+="--version $(params.k8s-version) " + if [[ $(params.only-system-pool) == "true" ]]; then + cmd+="--only-system-pool " + fi + if [[ $(params.enable-app-routing) == "true" ]]; then + cmd+="--enable-app-routing " + 
fi + if [[ $(params.spot) == "true" ]]; then + cmd+="--spot --spot-eviction-tolerance $(params.spot-eviction-tolerance) " + fi + cmd+="--tags $(params.tags) " + fi + eval "${cmd}" + resources: + requests: + memory: "200Mi" + cpu: "100m" + limits: + memory: "600Mi" + cpu: "300m" + - name: host-info-secret + image: registry.redhat.io/openshift4/ose-cli:4.13@sha256:e70eb2be867f1236b19f5cbfeb8e0625737ce0ec1369e32a4f9f146aaaf68d49 + env: + - name: NAMESPACE + value: $(context.taskRun.namespace) + - name: OWNER_KIND + value: $(params.ownerKind) + - name: OWNER_NAME + value: $(params.ownerName) + - name: OWNER_UID + value: $(params.ownerUid) + volumeMounts: + - name: cluster-info + mountPath: /opt/cluster-info + script: | + #!/bin/bash + set -eo pipefail + if [[ $(params.operation) == "create" ]]; then + cat < cluster-info.yaml + apiVersion: v1 + kind: Secret + metadata: + generateName: mapt-azure-aks- + namespace: $NAMESPACE + ownerReferences: + - apiVersion: tekton.dev/v1 + kind: $OWNER_KIND + name: $OWNER_NAME + uid: $OWNER_UID + type: Opaque + data: + kubeconfig: $(cat /opt/cluster-info/kubeconfig | base64 -w0) + EOF + + if [[ $(params.debug) == "true" ]]; then + cat /opt/cluster-info/* + fi + + NAME=$(oc create -f cluster-info.yaml -o=jsonpath='{.metadata.name}') + echo -n "${NAME}" | tee $(results.cluster-access-secret.path) + fi diff --git a/tkn/infra-azure-fedora.yaml b/tkn/infra-azure-fedora.yaml index a56ad594d..fb14e08ac 100644 --- a/tkn/infra-azure-fedora.yaml +++ b/tkn/infra-azure-fedora.yaml 
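Review bot: The emptyDir volume is declared as `- name: ckuster-info` while both steps mount `- name: cluster-info`, so the Pod is rejected for a volumeMount that references an undeclared volume and this new task cannot run; the declaration should read `- name: cluster-info`. The `ownerKind`, `ownerName` and `ownerUid` descriptions speak of a generated SpaceRequest, but what this task generates is the `cluster-access-secret` Secret; suggest `The type of resource that should own the generated access Secret. Deletion of this resource will trigger deletion of the Secret.` with matching wording for the other two, and the same copy-pasted text appears in the azure-fedora and azure-rhel param hunks. The step that writes the Secret is named `host-info-secret` and its scratch file `cluster-info.yaml`; `cluster-info-secret` would match the volume and result names of this task.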
@@ -10,44 +10,64 @@ metadata: tekton.dev/categories: infrastructure tekton.dev/tags: infrastructure, azure tekton.dev/displayName: "azure manager" - tekton.dev/platforms: "linux/amd64" + tekton.dev/platforms: "linux/amd64, linux/arm64" spec: description: | This task will provision / decomission fedora on azure The output will give required information to connect within the remote provisioned host - workspaces: - - name: pipelines-data - description: workspace to store outputs to connect within the target machine + state file for the infrastructure + volumes: - name: az-credentials - description: | - ocp secret holding the azure credentials. Secret should be accessible to this task. - - To be a valid secret it should contains the following fields: - * tenant_id - * subscription_id - * client_id - * client_secret - * storage_account (optional if we use remote az storage) - * storage_key (optional if we use remote az storage) - mountPath: /opt/credentials + secret: + secretName: $(params.secret-az-credentials) + - name: host-info + emptyDir: {} params: - # mapt params - - name: project-name - description: identifier for project. - - name: backed-url + - name: secret-az-credentials description: | - If we want to backed resources externally we can use az storage setting this param(i.e azblob://existing-storage). + ocp secret holding the azure credentials. Secret should be accessible to this task. - If default will be store on storage workspace at path set by param ws-output-path. 
- default: "''" - - name: ws-output-path - description: path on workspace where to store ephemeral assets related with the provisioning - - name: operation + --- + apiVersion: v1 + kind: Secret + metadata: + name: ${name} + type: Opaque + data: + tenant_id: ${tenant_id} + subscription_id: ${subscription_id} + client_id: ${client_id} + client_secret: ${client_secret} + storage_account: ${storage_account} + storage_key: ${storage_key} + blob: ${blob} + - name: id + description: identifier for the provisioned environment + - name: operation description: operation to execute within the infrastructure. Current values (create, destroy) - default: create + + # Secret result ownership + - name: ownerKind + type: string + default: PipelineRun + description: | + The type of resource that should own the generated SpaceRequest. + Deletion of this resource will trigger deletion of the SpaceRequest. + Supported values: `PipelineRun`, `TaskRun`. + - name: ownerName + type: string + description: | + The name of the resource that should own the generated SpaceRequest. + This should either be passed the value of `$(context.pipelineRun.name)` + or `$(context.taskRun.name)` depending on the value of `ownerKind`. + - name: ownerUid + type: string + description: | + The uid of the resource that should own the generated SpaceRequest. + This should either be passed the value of `$(context.pipelineRun.uid)` + or `$(context.taskRun.uid)` depending on the value of `ownerKind`. # VM type params - name: arch 
@@ -83,90 +103,76 @@ spec: default: "''" # Control params - - name: remove-lock - description: in case a previous run fails the stack can be locked. This value allows to control if remove lock - default: 'true' + - name: debug + description: | + Warning setting this param to true expose credentials + + The parameter is intended to add verbosity on the task execution and also print credentials on stdout + to easily access to remote machice + default: 'false' results: - - name: host - description: ip to connect to the provisioned machine - - name: username - description: username to connect to the provisioned machine - - name: key - description: filename for the private key. The key is located at ws-output-path + - name: host-access-secret + description: | + ocp secret holding the information to connect with the target machine. + + --- + apiVersion: v1 + kind: Secret + metadata: + name: ${name} + type: Opaque + data: + host: ${host} + username: ${username} + id_rsa: ${id_rsa} steps: - name: provisioner image: quay.io/redhat-developer/mapt:v0.8.0-dev imagePullPolicy: Always + volumeMounts: + - name: az-credentials + mountPath: /opt/az-credentials + - name: host-info + mountPath: /opt/host-info script: | #!/bin/sh - # Added verbosity - set -xuo - - # Credentials - export ARM_TENANT_ID=$(cat /opt/credentials/tenant_id) - export ARM_SUBSCRIPTION_ID=$(cat /opt/credentials/subscription_id) - export ARM_CLIENT_ID=$(cat /opt/credentials/client_id) - export ARM_CLIENT_SECRET=$(cat /opt/credentials/client_secret) - if ! [ -f /opt/credentials/storage_account ]; then - export AZURE_STORAGE_ACCOUNT=$(cat /opt/credentials/storage_account) - fi - if ! 
[ -f /opt/credentials/storage_key ]; then - export AZURE_STORAGE_KEY=$(cat /opt/credentials/storage_key) - fi - - # Output folder - workspace_path=$(workspaces.pipelines-data.path)/$(params.ws-output-path) - mkdir -p ${workspace_path} - - # Remove lock - if [[ $(params.remove-lock) == "true" ]]; then - rm -rf ${workspace_path}/.pulumi/locks/* + # If debug add verbosity + if [[ $(params.debug) == "true" ]]; then + set -xuo fi + + # Credentials + export ARM_TENANT_ID=$(cat /opt/az-credentials/tenant_id) + export ARM_SUBSCRIPTION_ID=$(cat /opt/az-credentials/subscription_id) + export ARM_CLIENT_ID=$(cat /opt/az-credentials/client_id) + export ARM_CLIENT_SECRET=$(cat /opt/az-credentials/client_secret) + export AZURE_STORAGE_ACCOUNT=$(cat /opt/az-credentials/storage_account) + export AZURE_STORAGE_KEY=$(cat /opt/az-credentials/storage_key) + BLOB=$(cat /opt/az-credentials/blob) # Run mapt cmd="mapt azure fedora $(params.operation) " - cmd="$cmd --project-name $(params.project-name) " - if [[ $(params.backed-url) != "" ]]; then - cmd="$cmd --backed-url $(params.backed-url) " - else - cmd="$cmd --backed-url file://${workspace_path} " - fi + cmd+="--project-name mapt-fedora-$(params.id) " + cmd+="--backed-url azblob://${BLOB}/fedora-$(params.id) " if [[ $(params.operation) == "create" ]]; then - cmd="$cmd --conn-details-output ${workspace_path} " - cmd="$cmd --arch $(params.arch) " - cmd="$cmd --cpus $(params.cpus) " - cmd="$cmd --memory $(params.memory) " + cmd+="--conn-details-output /opt/host-info " + cmd+="--arch $(params.arch) --cpus $(params.cpus) " + cmd+="--memory $(params.memory) --version $(params.version) " if [[ $(params.nested-virt) == "true" ]]; then - cmd="$cmd --nested-virt " + cmd+="--nested-virt " fi - cmd="$cmd --version $(params.version) " if [[ $(params.vmsize) != "" ]]; then - cmd="$cmd --vmsize $(params.vmsize) " - fi - if [[ $(params.spot) == "true" ]]; then - cmd="$cmd --spot " - cmd="$cmd --spot-eviction-tolerance $(params.spot-eviction-tolerance) 
" - fi - if [[ $(params.tags) != "" ]]; then - cmd="$cmd --tags $(params.tags) " + cmd+="--vmsize $(params.vmsize) " fi + if [[ $(params.spot) == "true" ]]; then cmd+="--spot "; fi + # Spot tolerance only be applied if spot is enabled + cmd+="--spot-eviction-tolerance $(params.spot-eviction-tolerance) " + cmd+="--tags $(params.tags) " fi eval "${cmd}" - - create_exit_code=$? - - # set task results - cat "${workspace_path}/host" | tee $(results.host.path) - cat "${workspace_path}/username" | tee $(results.username.path) - echo -n "id_rsa" | tee $(results.key.path) - - if [[ ${create_exit_code} -ne 0 ]]; then - exit 1 - fi - resources: requests: memory: "200Mi" @@ -174,3 +180,47 @@ spec: limits: memory: "600Mi" cpu: "300m" + - name: host-info-secret + image: registry.redhat.io/openshift4/ose-cli:4.13@sha256:e70eb2be867f1236b19f5cbfeb8e0625737ce0ec1369e32a4f9f146aaaf68d49 + env: + - name: NAMESPACE + value: $(context.taskRun.namespace) + - name: OWNER_KIND + value: $(params.ownerKind) + - name: OWNER_NAME + value: $(params.ownerName) + - name: OWNER_UID + value: $(params.ownerUid) + volumeMounts: + - name: host-info + mountPath: /opt/host-info + script: | + #!/bin/bash + set -eo pipefail + if [[ $(params.operation) == "create" ]]; then + cat < host-info.yaml + apiVersion: v1 + kind: Secret + metadata: + generateName: mapt-azure-fedora- + namespace: $NAMESPACE + ownerReferences: + - apiVersion: tekton.dev/v1 + kind: $OWNER_KIND + name: $OWNER_NAME + uid: $OWNER_UID + type: Opaque + data: + host: $(cat /opt/host-info/host | base64 -w0) + username: $(cat /opt/host-info/username | base64 -w0) + id_rsa: $(cat /opt/host-info/id_rsa | base64 -w0) + EOF + + if [[ $(params.debug) == "true" ]]; then + cat /opt/host-info/* + fi + + NAME=$(oc create -f host-info.yaml -o=jsonpath='{.metadata.name}') + echo -n "${NAME}" | tee $(results.host-access-secret.path) + fi + diff --git a/tkn/infra-azure-rhel.yaml b/tkn/infra-azure-rhel.yaml index 35b9adba9..83898811d 100644 
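Review bot: The comment `# Spot tolerance only be applied if spot is enabled` sits directly above `cmd+="--spot-eviction-tolerance $(params.spot-eviction-tolerance) "`, which is appended unconditionally, so either the comment is wrong or the flag is now passed to mapt on non-spot runs; the azure-aks task keeps it inside the guard, `if [[ $(params.spot) == "true" ]]; then cmd+="--spot --spot-eviction-tolerance $(params.spot-eviction-tolerance) "; fi`, and this hunk should do the same. The identical comment/code mismatch is in the azure-rhel provisioner hunk. Whether mapt tolerates the tolerance flag without `--spot` is not visible here.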
--- a/tkn/infra-azure-rhel.yaml
+++ b/tkn/infra-azure-rhel.yaml
@@ -10,60 +10,64 @@ metadata: tekton.dev/categories: infrastructure tekton.dev/tags: infrastructure, azure tekton.dev/displayName: "azure manager" - tekton.dev/platforms: "linux/amd64" + tekton.dev/platforms: "linux/amd64, linux/arm64" spec: description: | This task will provision / decomission rhel on azure The output will give required information to connect within the remote provisioned host - workspaces: - - name: pipelines-data - description: workspace to store outputs to connect within the target machine + state file for the infrastructure + volumes: - name: az-credentials - description: | - ocp secret holding the azure credentials. Secret should be accessible to this task. + secret: + secretName: $(params.secret-az-credentials) + - name: host-info + emptyDir: {} - To be a valid secret it should contains the following fields: - * tenant_id - * subscription_id - * client_id - * client_secret - * storage_account (optional if we use remote az storage) - * storage_key (optional if we use remote az storage) - mountPath: /opt/credentials - - name: rh-account-secret - optional: true + params: + - name: secret-az-credentials description: | - ocp secret holding the credentials for a valid rh user to subscribe VM. Secret should be accessible to this task. - - Sample format for valid Secret + ocp secret holding the azure credentials. Secret should be accessible to this task. + --- apiVersion: v1 kind: Secret metadata: - name: credentials-${configname} + name: ${name} type: Opaque data: - user: ${user} - password: ${password} - mountPath: /opt/rh-account-secret - - params: - # mapt params - - name: project-name - description: identifier for project. - - name: backed-url - description: | - If we want to backed resources externally we can use az storage setting this param(i.e azblob://existing-storage). - - If default will be store on storage workspace at path set by param ws-output-path. 
- default: "''" - - name: ws-output-path - description: path on workspace where to store ephemeral assets related with the provisioning + tenant_id: ${tenant_id} + subscription_id: ${subscription_id} + client_id: ${client_id} + client_secret: ${client_secret} + storage_account: ${storage_account} + storage_key: ${storage_key} + blob: ${blob} + - name: id + description: identifier for the provisioned environment - name: operation description: operation to execute within the infrastructure. Current values (create, destroy) - default: create + + # Secret result ownership + - name: ownerKind + type: string + default: PipelineRun + description: | + The type of resource that should own the generated SpaceRequest. + Deletion of this resource will trigger deletion of the SpaceRequest. + Supported values: `PipelineRun`, `TaskRun`. + - name: ownerName + type: string + description: | + The name of the resource that should own the generated SpaceRequest. + This should either be passed the value of `$(context.pipelineRun.name)` + or `$(context.taskRun.name)` depending on the value of `ownerKind`. + - name: ownerUid + type: string + description: | + The uid of the resource that should own the generated SpaceRequest. + This should either be passed the value of `$(context.pipelineRun.uid)` + or `$(context.taskRun.uid)` depending on the value of `ownerKind`. # VM type params - name: arch 
@@ -103,95 +107,76 @@ spec: default: "''" # Control params - - name: remove-lock - description: in case a previous run fails the stack can be locked. This value allows to control if remove lock - default: 'true' + - name: debug + description: | + Warning setting this param to true expose credentials + + The parameter is intended to add verbosity on the task execution and also print credentials on stdout + to easily access to remote machice + default: 'false' results: - - name: host - description: ip to connect to the provisioned machine - - name: username - description: username to connect to the provisioned machine - - name: key - description: filename for the private key. The key is located at ws-output-path + - name: host-access-secret + description: | + ocp secret holding the information to connect with the target machine. + + --- + apiVersion: v1 + kind: Secret + metadata: + name: ${name} + type: Opaque + data: + host: ${host} + username: ${username} + id_rsa: ${id_rsa} steps: - name: provisioner image: quay.io/redhat-developer/mapt:v0.8.0-dev imagePullPolicy: Always + volumeMounts: + - name: az-credentials + mountPath: /opt/az-credentials + - name: host-info + mountPath: /opt/host-info script: | #!/bin/sh - # Added verbosity - set -xuo - - # Credentials - export ARM_TENANT_ID=$(cat /opt/credentials/tenant_id) - export ARM_SUBSCRIPTION_ID=$(cat /opt/credentials/subscription_id) - export ARM_CLIENT_ID=$(cat /opt/credentials/client_id) - export ARM_CLIENT_SECRET=$(cat /opt/credentials/client_secret) - if ! [ -f /opt/credentials/storage_account ]; then - export AZURE_STORAGE_ACCOUNT=$(cat /opt/credentials/storage_account) - fi - if ! 
[ -f /opt/credentials/storage_key ]; then - export AZURE_STORAGE_KEY=$(cat /opt/credentials/storage_key) + # If debug add verbosity + if [[ $(params.debug) == "true" ]]; then + set -xuo fi - # Output folder - workspace_path=$(workspaces.pipelines-data.path)/$(params.ws-output-path) - mkdir -p ${workspace_path} - - # Remove lock - if [[ $(params.remove-lock) == "true" ]]; then - rm -rf ${workspace_path}/.pulumi/locks/* - fi + # Credentials + export ARM_TENANT_ID=$(cat /opt/az-credentials/tenant_id) + export ARM_SUBSCRIPTION_ID=$(cat /opt/az-credentials/subscription_id) + export ARM_CLIENT_ID=$(cat /opt/az-credentials/client_id) + export ARM_CLIENT_SECRET=$(cat /opt/az-credentials/client_secret) + export AZURE_STORAGE_ACCOUNT=$(cat /opt/az-credentials/storage_account) + export AZURE_STORAGE_KEY=$(cat /opt/az-credentials/storage_key) + BLOB=$(cat /opt/az-credentials/blob) # Run mapt cmd="mapt azure rhel $(params.operation) " - cmd="$cmd --project-name $(params.project-name) " - if [[ $(params.backed-url) != "" ]]; then - cmd="$cmd --backed-url $(params.backed-url) " - else - cmd="$cmd --backed-url file://${workspace_path} " - fi + cmd+="--project-name mapt-rhel-$(params.id) " + cmd+="--backed-url azblob://${BLOB}/rhel-$(params.id) " if [[ $(params.operation) == "create" ]]; then - cmd="$cmd --conn-details-output ${workspace_path} " - cmd="$cmd --arch $(params.arch) " - cmd="$cmd --cpus $(params.cpus) " - cmd="$cmd --memory $(params.memory) " + cmd+="--conn-details-output /opt/host-info " + cmd+="--arch $(params.arch) --cpus $(params.cpus) " + cmd+="--memory $(params.memory) --version $(params.version) " if [[ $(params.nested-virt) == "true" ]]; then - cmd="$cmd --nested-virt " + cmd+="--nested-virt " fi if [[ $(params.vmsize) != "" ]]; then - cmd="$cmd --vmsize $(params.vmsize) " - fi - cmd="$cmd --version $(params.version) " - if [[ $(params.spot) == "true" ]]; then - cmd="$cmd --spot " - cmd="$cmd --spot-eviction-tolerance $(params.spot-eviction-tolerance) " - fi - 
cmd="$cmd --rh-subscription-username $(cat /opt/rh-account-secret/user) " - cmd="$cmd --rh-subscription-password $(cat /opt/rh-account-secret/password) " - if [[ $(params.profile-snc) == "true" ]]; then - cmd="$cmd --snc " - fi - if [[ $(params.tags) != "" ]]; then - cmd="$cmd --tags $(params.tags) " + cmd+="--vmsize $(params.vmsize) " fi + if [[ $(params.spot) == "true" ]]; then cmd+="--spot "; fi + # Spot tolerance only be applied if spot is enabled + cmd+="--spot-eviction-tolerance $(params.spot-eviction-tolerance) " + cmd+="--tags $(params.tags) " fi eval "${cmd}" - - create_exit_code=$? - - # set task results - cat "${workspace_path}/host" | tee $(results.host.path) - cat "${workspace_path}/username" | tee $(results.username.path) - echo -n "id_rsa" | tee $(results.key.path) - - if [[ ${create_exit_code} -ne 0 ]]; then - exit 1 - fi - resources: requests: memory: "200Mi" 
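Review bot: The `--rh-subscription-username` / `--rh-subscription-password` flags and the `--snc` flag are removed here, and the first hunk of this file drops the `rh-account-secret` workspace that fed them, with no replacement visible in the new provisioner step; if RHEL hosts still need a subscription, the task description should say where mapt now obtains it, and if `profile-snc` is still declared among the params above it is now dead and should be removed or re-wired. Separately, `$(params.id)` is interpolated into `mapt-rhel-$(params.id)` and `azblob://${BLOB}/rhel-$(params.id)` and the whole string is run through `eval "${cmd}"`, so a pattern check on `id` before the eval, e.g. `[[ $(params.id) =~ ^[a-zA-Z0-9-]+$ ]] || { echo "invalid id"; exit 1; }`, keeps both the shell command and the blob path well-formed.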
@@ -199,3 +184,46 @@ spec: limits: memory: "600Mi" cpu: "300m" + - name: host-info-secret + image: registry.redhat.io/openshift4/ose-cli:4.13@sha256:e70eb2be867f1236b19f5cbfeb8e0625737ce0ec1369e32a4f9f146aaaf68d49 + env: + - name: NAMESPACE + value: $(context.taskRun.namespace) + - name: OWNER_KIND + value: $(params.ownerKind) + - name: OWNER_NAME + value: $(params.ownerName) + - name: OWNER_UID + value: $(params.ownerUid) + volumeMounts: + - name: host-info + mountPath: /opt/host-info + script: | + #!/bin/bash + set -eo pipefail + if [[ $(params.operation) == "create" ]]; then + cat < host-info.yaml + apiVersion: v1 + kind: Secret + metadata: + generateName: mapt-azure-rhel- + namespace: $NAMESPACE + ownerReferences: + - apiVersion: tekton.dev/v1 + kind: $OWNER_KIND + name: $OWNER_NAME + uid: $OWNER_UID + type: Opaque + data: + host: $(cat /opt/host-info/host | base64 -w0) + username: $(cat /opt/host-info/username | base64 -w0) + id_rsa: $(cat /opt/host-info/id_rsa | base64 -w0) + EOF + + if [[ $(params.debug) == "true" ]]; then + cat /opt/host-info/* + fi + + NAME=$(oc create -f host-info.yaml -o=jsonpath='{.metadata.name}') + echo -n "${NAME}" | tee $(results.host-access-secret.path) + fi diff --git a/tkn/infra-azure-windows-desktop.yaml b/tkn/infra-azure-windows-desktop.yaml index 1201ff477..d03834944 100644 --- a/tkn/infra-azure-windows-desktop.yaml +++ b/tkn/infra-azure-windows-desktop.yaml 
@@ -6,47 +6,68 @@ metadata: labels: app.kubernetes.io/version: "0.8.0-dev" annotations: - tekton.dev/pipelines.minVersion: "0.24.x" + tekton.dev/pipelines.minVersion: "0.44.x" tekton.dev/categories: infrastructure tekton.dev/tags: infrastructure, azure tekton.dev/displayName: "azure manager" - tekton.dev/platforms: "linux/amd64" + tekton.dev/platforms: "linux/amd64, linux/arm64" spec: description: | This task will provision / decomission windows desktop machines on azure The output will give required information to connect within the remote provisioned host - workspaces: - - name: pipelines-data - description: workspace to store outputs to connect within the target machine + state file for the infrastructure + volumes: - name: az-credentials - description: | - ocp secret holding the azure credentials. Secret should be accessible to this task. - - To be a valid secret it should contains the following fields: - * tenant_id - * subscription_id - * client_id - * client_secret - * storage_account (optional if we use remote az storage) - * storage_key (optional if we use remote az storage) - mountPath: /opt/credentials + secret: + secretName: $(params.secret-az-credentials) + - name: host-info + emptyDir: {} params: - - name: project-name - description: identifier for project. - - name: backed-url + - name: secret-az-credentials description: | - If we want to backed resources externally we can use az storage setting this param(i.e azblob://existing-storage). + ocp secret holding the azure credentials. Secret should be accessible to this task. - If default will be store on storage workspace at path set by param ws-output-path. 
- default: "''" - - name: ws-output-path - description: path on workspace where to store ephemeral assets related with the provisioning + --- + apiVersion: v1 + kind: Secret + metadata: + name: ${name} + type: Opaque + data: + tenant_id: ${tenant_id} + subscription_id: ${subscription_id} + client_id: ${client_id} + client_secret: ${client_secret} + storage_account: ${storage_account} + storage_key: ${storage_key} + blob: ${blob} + - name: id + description: identifier for the provisioned environment - name: operation description: operation to execute within the infrastructure. Current values (create, destroy) - default: create + + # Secret result ownership + - name: ownerKind + type: string + default: PipelineRun + description: | + The type of resource that should own the generated SpaceRequest. + Deletion of this resource will trigger deletion of the SpaceRequest. + Supported values: `PipelineRun`, `TaskRun`. + - name: ownerName + type: string + description: | + The name of the resource that should own the generated SpaceRequest. + This should either be passed the value of `$(context.pipelineRun.name)` + or `$(context.taskRun.name)` depending on the value of `ownerKind`. + - name: ownerUid + type: string + description: | + The uid of the resource that should own the generated SpaceRequest. + This should either be passed the value of `$(context.pipelineRun.uid)` + or `$(context.taskRun.uid)` depending on the value of `ownerKind`. # VM type params - name: cpus 
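Review bot: The descriptions of the new `ownerKind`, `ownerName` and `ownerUid` params refer to a "generated SpaceRequest", but what this task generates and owns is the `host-access-secret` Secret, so the text looks copied from another task. I'd reword the first to `The type of resource that should own the generated host-access Secret. Deletion of this resource will trigger deletion of the Secret.` and adjust the other two the same way. The same three descriptions appear in the infra-aws-fedora, infra-aws-mac and infra-aws-rhel template hunks below. The `operation` param also loses its `default: create` in this hunk, which makes it mandatory for callers; worth confirming that is intended.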
@@ -82,97 +103,127 @@ spec: default: "''" # Control params - - name: remove-lock - description: in case a previous run fails the stack can be locked. This value allows to control if remove lock - default: 'true' + - name: debug + description: | + Warning setting this param to true expose credentials + + The parameter is intended to add verbosity on the task execution and also print credentials on stdout + to easily access to remote machice + default: 'false' results: - - name: host - description: ip to connect to the provisioned machine - - name: username - description: username to connect to the provisioned machine - - name: userpassword - description: password for the user to connect to the provisioned machine - - name: key-filename - description: filename for the private key. The key is located at ws-output-path + - name: host-access-secret + description: | + ocp secret holding the information to connect with the target machine. + + --- + apiVersion: v1 + kind: Secret + metadata: + name: ${name} + type: Opaque + data: + host: ${host} + username: ${username} + id_rsa: ${id_rsa} + userpassword: ${userpassword} + adminusername: ${adminusername} + adminuserpassword: ${adminuserpassword} steps: - name: provisioner image: quay.io/redhat-developer/mapt:v0.8.0-dev imagePullPolicy: Always + volumeMounts: + - name: az-credentials + mountPath: /opt/az-credentials + - name: host-info + mountPath: /opt/host-info script: | #!/bin/sh - # Added verbosity - set -xuo - - # Credentials - export ARM_TENANT_ID=$(cat /opt/credentials/tenant_id) - export ARM_SUBSCRIPTION_ID=$(cat /opt/credentials/subscription_id) - export ARM_CLIENT_ID=$(cat /opt/credentials/client_id) - export ARM_CLIENT_SECRET=$(cat /opt/credentials/client_secret) - if ! [ -f /opt/credentials/storage_account ]; then - export AZURE_STORAGE_ACCOUNT=$(cat /opt/credentials/storage_account) - fi - if ! 
[ -f /opt/credentials/storage_key ]; then - export AZURE_STORAGE_KEY=$(cat /opt/credentials/storage_key) + # If debug add verbosity + if [[ $(params.debug) == "true" ]]; then + set -xuo fi - # Output folder - workspace_path=$(workspaces.pipelines-data.path)/$(params.ws-output-path) - mkdir -p ${workspace_path} - - # Remove lock - if [[ $(params.remove-lock) == "true" ]]; then - rm -rf ${workspace_path}/.pulumi/locks/* - fi + # Credentials + export ARM_TENANT_ID=$(cat /opt/az-credentials/tenant_id) + export ARM_SUBSCRIPTION_ID=$(cat /opt/az-credentials/subscription_id) + export ARM_CLIENT_ID=$(cat /opt/az-credentials/client_id) + export ARM_CLIENT_SECRET=$(cat /opt/az-credentials/client_secret) + export AZURE_STORAGE_ACCOUNT=$(cat /opt/az-credentials/storage_account) + export AZURE_STORAGE_KEY=$(cat /opt/az-credentials/storage_key) + BLOB=$(cat /opt/az-credentials/blob) # Run mapt cmd="mapt azure windows $(params.operation) " - cmd="$cmd --project-name $(params.project-name) " - if [[ $(params.backed-url) != "" ]]; then - cmd="$cmd --backed-url $(params.backed-url) " - else - cmd="$cmd --backed-url file://${workspace_path} " - fi + cmd+="--project-name mapt-windows-$(params.id) " + cmd+="--backed-url azblob://${BLOB}/windows-$(params.id) " if [[ $(params.operation) == "create" ]]; then - cmd="$cmd --conn-details-output ${workspace_path} " - cmd="$cmd --windows-featurepack $(params.windows-featurepack) " - cmd="$cmd --windows-version $(params.windows-version) " - cmd="$cmd --cpus $(params.cpus) " - cmd="$cmd --memory $(params.memory) " - if [[ $(params.nested-virt) == "true" ]]; then - cmd="$cmd --nested-virt " - fi - if [[ $(params.vmsize) != "" ]]; then - cmd="$cmd --vmsize $(params.vmsize) " - fi - if [[ $(params.spot) == "true" ]]; then - cmd="$cmd --spot " - cmd="$cmd --spot-eviction-tolerance $(params.spot-eviction-tolerance) " - fi - if [[ $(params.tags) != "" ]]; then - cmd="$cmd --tags $(params.tags) " - fi - fi - eval "${cmd}" - - create_exit_code=$? 
- - # set task results - cat "${workspace_path}/host" | tee $(results.host.path) - cat "${workspace_path}/username" | tee $(results.username.path) - cat "${workspace_path}/userpassword" | tee $(results.userpassword.path) - echo -n "id_rsa" | tee $(results.key-filename.path) - - if [[ ${create_exit_code} -ne 0 ]]; then - exit 1 + cmd+="--conn-details-output /opt/host-info " + cmd+="--windows-featurepack $(params.windows-featurepack) " + cmd+="--windows-version $(params.windows-version) " + cmd+="--cpus $(params.cpus) " + cmd+="--memory $(params.memory) " + if [[ $(params.nested-virt) == "true" ]]; then cmd+="--nested-virt "; fi + if [[ -z $(params.vmsize) ]]; then cmd+="--vmsize $(params.vmsize) "; fi + if [[ $(params.spot) == "true" ]]; then cmd+="--spot "; fi + # Spot tolerance only be applied if spot is enabled + cmd+="--spot-eviction-tolerance $(params.spot-eviction-tolerance) " + cmd+="--tags $(params.tags) " fi - + eval "${cmd}" resources: requests: - memory: "200Mi" - cpu: "100m" + memory: "300Mi" + cpu: "150m" limits: - memory: "600Mi" - cpu: "300m" + memory: "900Mi" + cpu: "400m" + - name: host-info-secret + image: registry.redhat.io/openshift4/ose-cli:4.13@sha256:e70eb2be867f1236b19f5cbfeb8e0625737ce0ec1369e32a4f9f146aaaf68d49 + env: + - name: NAMESPACE + value: $(context.taskRun.namespace) + - name: OWNER_KIND + value: $(params.ownerKind) + - name: OWNER_NAME + value: $(params.ownerName) + - name: OWNER_UID + value: $(params.ownerUid) + volumeMounts: + - name: host-info + mountPath: /opt/host-info + script: | + #!/bin/bash + set -eo pipefail + if [[ $(params.operation) == "create" ]]; then + cat < host-info.yaml + apiVersion: v1 + kind: Secret + metadata: + generateName: mapt-azure-windows- + namespace: $NAMESPACE + ownerReferences: + - apiVersion: tekton.dev/v1 + kind: $OWNER_KIND + name: $OWNER_NAME + uid: $OWNER_UID + type: Opaque + data: + host: $(cat /opt/host-info/host | base64 -w0) + username: $(cat /opt/host-info/username | base64 -w0) + id_rsa: 
$(cat /opt/host-info/id_rsa | base64 -w0) + userpassword: $(cat /opt/host-info/userpassword | base64 -w0) + adminusername: $(cat /opt/host-info/adminusername | base64 -w0) + adminuserpassword: $(cat /opt/host-info/adminuserpassword | base64 -w0) + EOF + + if [[ $(params.debug) == "true" ]]; then + cat /opt/host-info/* + fi + + NAME=$(oc create -f host-info.yaml -o=jsonpath='{.metadata.name}') + echo -n "${NAME}" | tee $(results.host-access-secret.path) + fi diff --git a/tkn/template/infra-aws-fedora.yaml b/tkn/template/infra-aws-fedora.yaml index 2f7963f54..428d81e33 100644 --- a/tkn/template/infra-aws-fedora.yaml +++ b/tkn/template/infra-aws-fedora.yaml @@ -6,22 +6,25 @@ metadata: labels: app.kubernetes.io/version: "" annotations: - tekton.dev/pipelines.minVersion: "0.24.x" + tekton.dev/pipelines.minVersion: "0.44.x" tekton.dev/categories: infrastructure tekton.dev/tags: infrastructure, aws, fedora tekton.dev/displayName: "aws manager" - tekton.dev/platforms: "linux/amd64" + tekton.dev/platforms: "linux/amd64, linux/arm64" spec: description: | Task provision a fedora dedicated on host on AWS - The machine will offer nested virtualizataion capabilities as so it should be spin on a dedicated (baremetal) machine - - workspaces: - - name: storage - description: volume to store outputs to connect within the target machine + state file for the infrastructure - mountPath: /opt/storage + volumes: - name: aws-credentials + secret: + secretName: $(params.secret-aws-credentials) + - name: host-info + emptyDir: {} + + params: + # mapt params + - name: secret-aws-credentials description: | ocp secret holding the aws credentials. Secret should be accessible to this task. 
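Review bot: The new vmsize guard is inverted: `if [[ -z $(params.vmsize) ]]; then cmd+="--vmsize $(params.vmsize) "; fi` appends `--vmsize` only when the param is empty (yielding a bare `--vmsize` on the command line) and drops it when a size is actually given; it should test `-n`, or keep the previous `!= ""` form. The comment `# Spot tolerance only be applied if spot is enabled` no longer matches the code, which now appends `--spot-eviction-tolerance` unconditionally — either move that line back inside the spot branch or drop the comment. Since tkn/infra-*.yaml is produced from tkn/template by the Makefile's tkn_update, the fix belongs in tkn/template/infra-azure-windows-desktop.yaml as well.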
@@ -38,22 +41,35 @@ spec: access-key: ${access_key} secret-key: ${secret_key} region: ${region} - mountPath: /opt/aws-credentials - - params: - # mapt params - - name: project-name - description: identifier for project. - - name: backed-url - description: | - If we want to backed resources externally we can use s3 setting this param(i.e s3://existing-bucket). - - If default will be store on storage workspace at path set by param ws-output-path. - default: "''" - - name: ws-output-path - description: path on workspace where to store ephemeral assets related with the provisioning + bucket: ${bucket} + - name: id + description: identifier for the provisioned environment - name: operation description: operation to execute within the infrastructure. Current values (create, destroy) + - name: host-access-secret + description: name from the secret holding the host-info created during create operation. This is required only destroy operation + default: "''" + + # Secret result ownership + - name: ownerKind + type: string + default: PipelineRun + description: | + The type of resource that should own the generated SpaceRequest. + Deletion of this resource will trigger deletion of the SpaceRequest. + Supported values: `PipelineRun`, `TaskRun`. + - name: ownerName + type: string + description: | + The name of the resource that should own the generated SpaceRequest. + This should either be passed the value of `$(context.pipelineRun.name)` + or `$(context.taskRun.name)` depending on the value of `ownerKind`. + - name: ownerUid + type: string + description: | + The uid of the resource that should own the generated SpaceRequest. + This should either be passed the value of `$(context.pipelineRun.uid)` + or `$(context.taskRun.uid)` depending on the value of `ownerKind`. # VM type params - name: arch 
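Review bot: The new `host-access-secret` param ("required only destroy operation") is declared here but, as far as this file's hunks show, neither the provisioner nor the host-info-secret step reads `$(params.host-access-secret)`, and the mac and rhel templates do not declare it at all; either wire it into the destroy path or drop it so callers are not led to pass a value that has no effect. The description also reads awkwardly; `name of the secret holding the host-info created during the create operation. Only required for the destroy operation.` would be clearer.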
@@ -74,8 +90,8 @@ spec: # Fedora params - name: version - description: this task will spin a Fedora-Cloud image. This param will set the version for it. Default 40. - default: '40' + description: this task will spin a Fedora-Cloud image. This param will set the version for it. Default 41. + default: '41' # Topology params - name: airgap @@ -94,9 +110,6 @@ spec: default: "''" # Control params - - name: remove-lock - description: in case a previous run fails the stack can be locked. This value allows to control if remove lock - default: 'true' - name: debug description: | Warning setting this param to true expose credentials 
@@ -106,104 +119,70 @@ spec: default: 'false' results: - - name: host - description: ip to connect to the provisioned machine - - name: username - description: username to connect to the provisioned machine - - name: key - description: filename for the private key. The key is located at workspace-resources-path - - name: bastion-host - description: if airgap is set we get the bastion host as result - - name: bastion-username - description: if airgap is set we get the bastion username to connect as result - - name: bastion-key - description: if airgap is set we get the bastion filename for the private key. The key is located at workspace-resources-path - + - name: host-access-secret + description: | + ocp secret holding the information to connect with the target machine. + + --- + apiVersion: v1 + kind: Secret + metadata: + name: ${name} + labels: + type: Opaque + data: + host: ${host} + username: ${username} + id_rsa: ${id_rsa} + # If airgap data for bastion host + bastion-host: ${bastion-host} + bastion-username: ${bastion-username} + bastion-id_rsa: ${bastion-id_rsa} steps: - name: provisioner image: imagePullPolicy: Always + volumeMounts: + - name: aws-credentials + mountPath: /opt/aws-credentials + - name: host-info + mountPath: /opt/host-info script: | #!/bin/sh + set -euo pipefail # If debug add verbosity if [[ $(params.debug) == "true" ]]; then - set -xuo + set -xeuo pipefail fi # Credentials export AWS_ACCESS_KEY_ID=$(cat /opt/aws-credentials/access-key) export AWS_SECRET_ACCESS_KEY=$(cat /opt/aws-credentials/secret-key) export AWS_DEFAULT_REGION=$(cat /opt/aws-credentials/region) - - # Output folder - workspace_path=/opt/storage/$(params.ws-output-path) - mkdir -p ${workspace_path} - - # Remove lock - if [[ $(params.remove-lock) == "true" ]]; then - rm -rf ${workspace_path}/.pulumi/locks/* - fi + BUCKET=$(cat /opt/aws-credentials/bucket) # Run mapt cmd="mapt aws fedora $(params.operation) " - cmd="$cmd --project-name $(params.project-name) " - # Set the 
backed url - if [[ $(params.backed-url) != "" ]]; then - cmd="$cmd --backed-url $(params.backed-url) " - else - cmd="$cmd --backed-url file://${workspace_path} " - fi + cmd+="--project-name mapt-fedora-$(params.id) " + cmd+="--backed-url s3://${BUCKET}/mapt/fedora/$(params.id) " if [[ $(params.operation) == "create" ]]; then - cmd="$cmd --conn-details-output ${workspace_path} " - cmd="$cmd --arch $(params.arch) " - cmd="$cmd --cpus $(params.cpus) " - cmd="$cmd --memory $(params.memory) " - if [[ $(params.nested-virt) == "true" ]]; then - cmd="$cmd --nested-virt " - fi - cmd="$cmd --version $(params.version) " + cmd+="--conn-details-output /opt/host-info " + cmd+="--arch $(params.arch) " + cmd+="--cpus $(params.cpus) " + cmd+="--memory $(params.memory) " + cmd+="--version $(params.version) " + if $($(params.nested-virt)); then cmd+="--nested-virt "; fi + if [[ $(params.spot) == "true" ]]; then - cmd="$cmd --spot " + cmd+="--spot " fi if [[ $(params.airgap) == "true" ]]; then - cmd="$cmd --airgap " - fi - if [[ $(params.tags) != "" ]]; then - cmd="$cmd --tags $(params.tags) " + cmd+="--airgap " fi + cmd+="--tags $(params.tags) " fi eval "${cmd}" - - create_exit_code=$? 
- - # set task results - cat "${workspace_path}/host" | tee $(results.host.path) - cat "${workspace_path}/username" | tee $(results.username.path) - echo -n "id_rsa" | tee $(results.key.path) - if [[ $(params.airgap) == "true" ]]; then - cat "${workspace_path}/bastion_host" | tee $(results.bastion-host.path) - cat "${workspace_path}/bastion_username" | tee $(results.bastion-username.path) - echo -n "bastion_id_rsa" | tee $(results.bastion-key.path) - fi - - # If debug print credentials - if [[ $(params.debug) == "true" ]]; then - echo "Credentials to access target machine \n" - cat "${workspace_path}/host" - cat "${workspace_path}/username" - cat "${workspace_path}/id_rsa" - if [[ $(params.airgap) == "true" ]]; then - cat "${workspace_path}/bastion_host" - cat "${workspace_path}/bastion_username" - cat "${workspace_path}/bastion_id_rsa" - fi - fi - - if [[ ${create_exit_code} -ne 0 ]]; then - exit 1 - fi - resources: requests: memory: "200Mi" 
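Review bot: `if $($(params.nested-virt)); then cmd+="--nested-virt "; fi` decides the branch by executing the parameter value as a shell command and testing its exit status, so it only works because `true`/`false` happen to be commands; any other value (`yes`, a typo, or whatever a pipeline caller passes) is run as a command inside the task instead of being rejected. Use the string comparison the rhel template uses: `if [[ $(params.nested-virt) == "true" ]]; then cmd+="--nested-virt "; fi`. Separately, `export AWS_ACCESS_KEY_ID=$(cat /opt/aws-credentials/access-key)` returns the status of `export`, so a missing credential file does not trip the newly added `set -e`; assigning first and exporting afterwards (`AWS_ACCESS_KEY_ID=$(cat ...); export AWS_ACCESS_KEY_ID`) fails fast instead of running mapt with empty credentials. The script is also still `#!/bin/sh` while relying on `set -o pipefail`, `[[ ]]` and `+=`, which only holds if the image's sh is bash — the mac and rhel templates share both of these points.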
@@ -211,4 +190,54 @@ spec: limits: memory: "600Mi" cpu: "300m" - \ No newline at end of file + - name: host-info-secret + image: registry.redhat.io/openshift4/ose-cli:4.13@sha256:e70eb2be867f1236b19f5cbfeb8e0625737ce0ec1369e32a4f9f146aaaf68d49 + env: + - name: NAMESPACE + value: $(context.taskRun.namespace) + - name: OWNER_KIND + value: $(params.ownerKind) + - name: OWNER_NAME + value: $(params.ownerName) + - name: OWNER_UID + value: $(params.ownerUid) + volumeMounts: + - name: host-info + mountPath: /opt/host-info + script: | + #!/bin/bash + set -eo pipefail + if [[ $(params.operation) == "create" ]]; then + cat < host-info.yaml + apiVersion: v1 + kind: Secret + metadata: + generateName: mapt-aws-fedora- + namespace: $NAMESPACE + ownerReferences: + - apiVersion: tekton.dev/v1 + kind: $OWNER_KIND + name: $OWNER_NAME + uid: $OWNER_UID + type: Opaque + data: + host: $(cat /opt/host-info/host | base64 -w0) + username: $(cat /opt/host-info/username | base64 -w0) + id_rsa: $(cat /opt/host-info/id_rsa | base64 -w0) + EOF + if [[ $(params.airgap) == "true" ]]; then + cat <> host-info.yaml + bastion-host: $(cat /opt/host-info/bastion_host | base64 -w0) + bastion-username: $(cat /opt/host-info/bastion_username | base64 -w0) + bastion-id_rsa: $(cat /opt/host-info/bastion_id_rsa | base64 -w0) + EOF + fi + + if [[ $(params.debug) == "true" ]]; then + cat /opt/host-info/* + fi + + NAME=$(oc create -f host-info.yaml -o=jsonpath='{.metadata.name}') + echo -n "${NAME}" | tee $(results.host-access-secret.path) + fi + diff --git a/tkn/template/infra-aws-mac.yaml b/tkn/template/infra-aws-mac.yaml index 065fe5199..878f65936 100644 --- a/tkn/template/infra-aws-mac.yaml +++ b/tkn/template/infra-aws-mac.yaml 
@@ -6,22 +6,24 @@ metadata: labels: app.kubernetes.io/version: "" annotations: - tekton.dev/pipelines.minVersion: "0.24.x" + tekton.dev/pipelines.minVersion: "0.44.x" tekton.dev/categories: infrastructure tekton.dev/tags: infrastructure, aws, mac tekton.dev/displayName: "aws manager" - tekton.dev/platforms: "linux/amd64" + tekton.dev/platforms: "linux/amd64, linux/arm64" spec: description: | - Task provision a mac dedicated host on AWS, and handle mac machines on top of it + Task provision a mac dedicated host on AWS, and handle mac machines on top of it. - The machine will offer nested virtualizataion capabilities as so it should be spin on a dedicated (baremetal) machine - - workspaces: - - name: storage - description: volume to store outputs to connect within the target machine + state file for the infrastructure - mountPath: /opt/storage + volumes: - name: aws-credentials + secret: + secretName: $(params.secret-aws-credentials) + - name: host-info + emptyDir: {} + + params: + - name: secret-aws-credentials description: | ocp secret holding the aws credentials. Secret should be accessible to this task. 
@@ -30,31 +32,38 @@ spec: kind: Secret metadata: name: aws-${name} - labels: - app.kubernetes.io/component: ${name} - app.kubernetes.io/part-of: qe-platform type: Opaque data: access-key: ${access_key} secret-key: ${secret_key} region: ${region} - mountPath: /opt/aws-credentials - - params: - # mapt params - - name: project-name - description: identifier for project. - - name: backed-url - description: | - If we want to backed resources externally we can use s3 setting this param(i.e s3://existing-bucket). - - If default will be store on storage workspace at path set by param ws-output-path. - default: "''" - - name: ws-output-path - description: path on workspace where to store ephemeral assets related with the provisioning + bucket: ${bucket} + - name: id + description: identifier for the provisioned environment - name: operation description: operation to execute within the infrastructure. Current values (create, destroy) + # Secret result ownership + - name: ownerKind + type: string + default: PipelineRun + description: | + The type of resource that should own the generated SpaceRequest. + Deletion of this resource will trigger deletion of the SpaceRequest. + Supported values: `PipelineRun`, `TaskRun`. + - name: ownerName + type: string + description: | + The name of the resource that should own the generated SpaceRequest. + This should either be passed the value of `$(context.pipelineRun.name)` + or `$(context.taskRun.name)` depending on the value of `ownerKind`. + - name: ownerUid + type: string + description: | + The uid of the resource that should own the generated SpaceRequest. + This should either be passed the value of `$(context.pipelineRun.uid)` + or `$(context.taskRun.uid)` depending on the value of `ownerKind`. + # Mac params # Dedicated Host - name: arch 
@@ -76,9 +85,6 @@ spec: - name: fixed-location description: if this flag is set the host will be created only on the region set by the AWS Env (AWS_DEFAULT_REGION). default: 'false' - - name: spot - description: Check best spot option to spin the machine and will create resources on that region. - default: 'true' # Topology params - name: airgap @@ -97,9 +103,6 @@ spec: default: "''" # Control params - - name: remove-lock - description: in case a previous run fails the stack can be locked. This value allows to control if remove lock - default: 'true' - name: debug description: | Warning setting this param to true expose credentials 
@@ -109,117 +112,75 @@ spec: default: 'false' results: - - name: host-id - description: id for the dedicated host. It will be used as input when use this task to create new mac machines on the dedicated host - - name: host - description: ip to connect to the provisioned machine - - name: username - description: username to connect to the provisioned machine - - name: key - description: filename for the private key. The key is located at workspace-resources-path - - name: bastion-host - description: if airgap is set we get the bastion host as result - - name: bastion-username - description: if airgap is set we get the bastion username to connect as result - - name: bastion-key - description: if airgap is set we get the bastion filename for the private key. The key is located at workspace-resources-path + - name: host-access-secret + description: | + ocp secret holding the information to connect with the target machine. + + --- + apiVersion: v1 + kind: Secret + metadata: + name: ${name} + type: Opaque + data: + # host + host: ${host} + username: ${username} + id_rsa: ${id_rsa} + # If airgap data for bastion host + bastion-host: ${bastion-host} + bastion-username: ${bastion-username} + bastion-id_rsa: ${bastion-id_rsa} steps: - name: provisioner image: imagePullPolicy: Always + volumeMounts: + - name: aws-credentials + mountPath: /opt/az-credentials + - name: host-info + mountPath: /opt/host-info script: | #!/bin/sh + set -euo pipefail # If debug add verbosity if [[ $(params.debug) == "true" ]]; then - set -xuo + set -xeuo pipefail fi # Credentials export AWS_ACCESS_KEY_ID=$(cat /opt/aws-credentials/access-key) export AWS_SECRET_ACCESS_KEY=$(cat /opt/aws-credentials/secret-key) export AWS_DEFAULT_REGION=$(cat /opt/aws-credentials/region) - - # Output folder - workspace_path=/opt/storage/$(params.ws-output-path) - mkdir -p ${workspace_path} - - # Remove lock - if [[ $(params.remove-lock) == "true" ]]; then - rm -rf ${workspace_path}/.pulumi/locks/* - fi - + 
BUCKET=$(cat /opt/aws-credentials/bucket) + # Run mapt cmd="mapt aws mac $(params.operation) " - cmd="$cmd --project-name $(params.project-name) " - # Set the backed url - if [[ $(params.backed-url) != "" ]]; then - cmd="$cmd --backed-url $(params.backed-url) " - else - cmd="$cmd --backed-url file://${workspace_path} " - fi + cmd+="--project-name mapt-mac-$(params.id) " + cmd+="--backed-url s3://${BUCKET}/mapt/mac/$(params.id) " if [[ $(params.only-host) == "true" ]]; then - cmd="$cmd --only-host " + cmd+="--only-host " fi if [[ $(params.only-machine) == "true" ]]; then - cmd="$cmd --only-machine " + cmd+="--only-machine " fi if [[ $(params.operation) == "create" ]]; then + cmd+="--conn-details-output /opt/host-info " if [[ $(params.fixed-location) == "true" ]]; then - cmd="$cmd --fixed-location " + cmd+="--fixed-location " fi # Host params - cmd="$cmd --arch $(params.arch) " - if [[ $(params.host-id) != "" ]]; then - cmd="$cmd --host-id $(params.host-id) " - fi + cmd+="--arch $(params.arch) " # Mac machine params - cmd="$cmd --version $(params.version) " - cmd="$cmd --conn-details-output ${workspace_path} " - if [[ $(params.spot) == "true" ]]; then - cmd="$cmd --spot " - fi + cmd+="--version $(params.version) " if [[ $(params.airgap) == "true" ]]; then - cmd="$cmd --airgap " - fi - if [[ $(params.tags) != "" ]]; then - cmd="$cmd --tags $(params.tags) " + cmd+="--airgap " fi - + cmd+="--tags $(params.tags) " fi eval "${cmd}" - - create_exit_code=$? 
- - # set task results - cat "${workspace_path}/dedicatedHostID" | tee $(results.host-id.path) - cat "${workspace_path}/host" | tee $(results.host.path) - cat "${workspace_path}/username" | tee $(results.username.path) - echo -n "id_rsa" | tee $(results.key.path) - if [[ $(params.airgap) == "true" ]]; then - cat "${workspace_path}/bastion_host" | tee $(results.bastion-host.path) - cat "${workspace_path}/bastion_username" | tee $(results.bastion-username.path) - echo -n "bastion_id_rsa" | tee $(results.bastion-key.path) - fi - - # If debug print credentials - if [[ $(params.debug) == "true" ]]; then - echo "Credentials to access target machine \n" - cat "${workspace_path}/host" - cat "${workspace_path}/username" - cat "${workspace_path}/id_rsa" - if [[ $(params.airgap) == "true" ]]; then - cat "${workspace_path}/bastion_host" - cat "${workspace_path}/bastion_username" - cat "${workspace_path}/bastion_id_rsa" - fi - fi - - if [[ ${create_exit_code} -ne 0 ]]; then - exit 1 - fi - resources: requests: memory: "200Mi" 
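Review bot: The aws-credentials volume is mounted at `mountPath: /opt/az-credentials`, but the script still reads `/opt/aws-credentials/access-key`, `secret-key`, `region` and the new `bucket`, so every `cat` fails and mapt runs with empty AWS variables and an empty bucket in `--backed-url`; the mount should be `mountPath: /opt/aws-credentials` as in the fedora and rhel templates. Because `export VAR=$(cat …)` hides the cat failure from `set -e`, this would surface only later as an authentication or backend error rather than at the read.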
@@ -227,4 +188,55 @@ spec: limits: memory: "600Mi" cpu: "300m" - \ No newline at end of file + + - name: host-info-secret + image: registry.redhat.io/openshift4/ose-cli:4.13@sha256:e70eb2be867f1236b19f5cbfeb8e0625737ce0ec1369e32a4f9f146aaaf68d49 + env: + - name: NAMESPACE + value: $(context.taskRun.namespace) + - name: OWNER_KIND + value: $(params.ownerKind) + - name: OWNER_NAME + value: $(params.ownerName) + - name: OWNER_UID + value: $(params.ownerUid) + volumeMounts: + - name: host-info + mountPath: /opt/host-info + script: | + #!/bin/bash + set -eo pipefail + if [[ $(params.operation) == "create" ]]; then + cat < host-info.yaml + apiVersion: v1 + kind: Secret + metadata: + generateName: mapt-aws-mac- + namespace: $NAMESPACE + ownerReferences: + - apiVersion: tekton.dev/v1 + kind: $OWNER_KIND + name: $OWNER_NAME + uid: $OWNER_UID + type: Opaque + data: + host: $(cat /opt/host-info/host | base64 -w0) + username: $(cat /opt/host-info/username | base64 -w0) + id_rsa: $(cat /opt/host-info/id_rsa | base64 -w0) + EOF + if [[ $(params.airgap) == "true" ]]; then + cat <> host-info.yaml + bastion-host: $(cat /opt/host-info/bastion_host | base64 -w0) + bastion-username: $(cat /opt/host-info/bastion_username | base64 -w0) + bastion-id_rsa: $(cat /opt/host-info/bastion_id_rsa | base64 -w0) + EOF + fi + + if [[ $(params.debug) == "true" ]]; then + cat /opt/host-info/* + fi + + NAME=$(oc create -f host-info.yaml -o=jsonpath='{.metadata.name}') + echo -n "${NAME}" | tee $(results.host-access-secret.path) + + fi diff --git a/tkn/template/infra-aws-rhel.yaml b/tkn/template/infra-aws-rhel.yaml index a281dee91..607658321 100644 --- a/tkn/template/infra-aws-rhel.yaml +++ b/tkn/template/infra-aws-rhel.yaml 
@@ -6,22 +6,28 @@ metadata: labels: app.kubernetes.io/version: "" annotations: - tekton.dev/pipelines.minVersion: "0.24.x" + tekton.dev/pipelines.minVersion: "0.44.x" tekton.dev/categories: infrastructure tekton.dev/tags: infrastructure, aws, rhel tekton.dev/displayName: "aws manager" - tekton.dev/platforms: "linux/amd64" + tekton.dev/platforms: "linux/amd64, linux/arm64" spec: description: | Task provision a RHEL dedicated on host on AWS - The machine will offer nested virtualizataion capabilities as so it should be spin on a dedicated (baremetal) machine - - workspaces: - - name: storage - description: volume to store outputs to connect within the target machine + state file for the infrastructure - mountPath: /opt/storage + volumes: - name: aws-credentials + secret: + secretName: $(params.secret-aws-credentials) + - name: rh-credentials + secret: + secretName: $(params.secret-rh-credentials) + optional: true + - name: host-info + emptyDir: {} + + params: + - name: secret-aws-credentials description: | ocp secret holding the aws credentials. Secret should be accessible to this task. @@ -30,21 +36,20 @@ spec: kind: Secret metadata: name: aws-${name} - labels: - app.kubernetes.io/component: ${name} - app.kubernetes.io/part-of: qe-platform type: Opaque data: access-key: ${access_key} secret-key: ${secret_key} region: ${region} - mountPath: /opt/aws-credentials - - name: rh-account-secret - optional: true + bucket: ${bucket} + - name: secret-rh-credentials + default: 'non-existent-secret' description: | - ocp secret holding the credentials for a valid rh user to subscribe VM. Secret should be accessible to this task. + ocp secret holding the credentials for a rh user to manage RHEL subscription. + + As this credentials are optional we set a non-existent name for the secret which + will be mounted as an empty volume - Sample format for valid Secret --- apiVersion: v1 kind: Secret 
@@ -54,23 +59,32 @@ spec: data: user: ${user} password: ${password} - mountPath: /opt/rh-account-secret - - params: - # mapt params - - name: project-name - description: identifier for project. - - name: backed-url - description: | - If we want to backed resources externally we can use s3 setting this param(i.e s3://existing-bucket). - - If default will be store on storage workspace at path set by param ws-output-path. - default: "''" - - name: ws-output-path - description: path on workspace where to store ephemeral assets related with the provisioning + - name: id + description: identifier for the provisioned environment - name: operation description: operation to execute within the infrastructure. Current values (create, destroy) + # Secret result ownership + - name: ownerKind + type: string + default: PipelineRun + description: | + The type of resource that should own the generated SpaceRequest. + Deletion of this resource will trigger deletion of the SpaceRequest. + Supported values: `PipelineRun`, `TaskRun`. + - name: ownerName + type: string + description: | + The name of the resource that should own the generated SpaceRequest. + This should either be passed the value of `$(context.pipelineRun.name)` + or `$(context.taskRun.name)` depending on the value of `ownerKind`. + - name: ownerUid + type: string + description: | + The uid of the resource that should own the generated SpaceRequest. + This should either be passed the value of `$(context.pipelineRun.uid)` + or `$(context.taskRun.uid)` depending on the value of `ownerKind`. + # VM type params - name: arch description: Architecture for the machine. Allowed x86_64 or arm64 (default "x86_64") @@ -117,9 +131,6 @@ spec: default: "''" # Control params - - name: remove-lock - description: in case a previous run fails the stack can be locked. This value allows to control if remove lock - default: 'true' - name: debug description: | Warning setting this param to true expose credentials 
@@ -129,112 +140,81 @@ spec: default: 'false' results: - - name: host - description: ip to connect to the provisioned machine - - name: username - description: username to connect to the provisioned machine - - name: key - description: filename for the private key. The key is located at workspace-resources-path - - name: bastion-host - description: if airgap is set we get the bastion host as result - - name: bastion-username - description: if airgap is set we get the bastion username to connect as result - - name: bastion-key - description: if airgap is set we get the bastion filename for the private key. The key is located at workspace-resources-path + - name: host-access-secret + description: | + ocp secret holding the information to connect with the target machine. + + --- + apiVersion: v1 + kind: Secret + metadata: + name: ${name} + labels: + type: Opaque + data: + host: ${host} + username: ${username} + id_rsa: ${id_rsa} + # If airgap data for bastion host + bastion-host: ${bastion-host} + bastion-username: ${bastion-username} + bastion-id_rsa: ${bastion-id_rsa} steps: - name: provisioner image: imagePullPolicy: Always + volumeMounts: + - name: aws-credentials + mountPath: /opt/aws-credentials + - name: rh-credentials + mountPath: /opt/rh-account-secret + - name: host-info + mountPath: /opt/host-info script: | #!/bin/sh + set -euo pipefail # If debug add verbosity if [[ $(params.debug) == "true" ]]; then - set -xuo + set -xeuo pipefail fi # Credentials export AWS_ACCESS_KEY_ID=$(cat /opt/aws-credentials/access-key) export AWS_SECRET_ACCESS_KEY=$(cat /opt/aws-credentials/secret-key) export AWS_DEFAULT_REGION=$(cat /opt/aws-credentials/region) - - # Output folder - workspace_path=/opt/storage/$(params.ws-output-path) - mkdir -p ${workspace_path} - - # Remove lock - if [[ $(params.remove-lock) == "true" ]]; then - rm -rf ${workspace_path}/.pulumi/locks/* - fi + BUCKET=$(cat /opt/aws-credentials/bucket) # Run mapt cmd="mapt aws rhel $(params.operation) " - 
cmd="$cmd --project-name $(params.project-name) " - # Set the backed url - if [[ $(params.backed-url) != "" ]]; then - cmd="$cmd --backed-url $(params.backed-url) " - else - cmd="$cmd --backed-url file://${workspace_path} " - fi + cmd+="--project-name mapt-rhel-$(params.id) " + cmd+="--backed-url s3://${BUCKET}/mapt/rhel/$(params.id) " if [[ $(params.operation) == "create" ]]; then - cmd="$cmd --conn-details-output ${workspace_path} " - cmd="$cmd --arch $(params.arch) " - cmd="$cmd --cpus $(params.cpus) " - cmd="$cmd --memory $(params.memory) " + cmd+="--conn-details-output /opt/host-info " + cmd+="--arch $(params.arch) " + cmd+="--cpus $(params.cpus) " + cmd+="--memory $(params.memory) " if [[ $(params.nested-virt) == "true" ]]; then - cmd="$cmd --nested-virt " + cmd+="--nested-virt " fi - cmd="$cmd --version $(params.version) " + cmd+="--version $(params.version) " if [[ $(params.vm-types) != "" ]]; then - cmd="$cmd --vm-types $(params.vm-types) " - fi - cmd="$cmd --rh-subscription-username $(cat /opt/rh-account-secret/user) " - cmd="$cmd --rh-subscription-password $(cat /opt/rh-account-secret/password) " - if [[ $(params.spot) == "true" ]]; then - cmd="$cmd --spot " + cmd+="--vm-types $(params.vm-types) " fi - if [[ $(params.airgap) == "true" ]]; then - cmd="$cmd --airgap " + if [[ -f /opt/rh-account-secret/user ]]; then + cmd+="--rh-subscription-username $(cat /opt/rh-account-secret/user) " fi - if [[ $(params.profile-snc) == "true" ]]; then - cmd="$cmd --snc " - fi - if [[ $(params.tags) != "" ]]; then - cmd="$cmd --tags $(params.tags) " + if [[ -f /opt/rh-account-secret/password ]]; then + cmd+="--rh-subscription-password $(cat /opt/rh-account-secret/password) " fi + if [[ $(params.spot) == "true" ]]; then cmd+="--spot "; fi + if [[ $(params.airgap) == "true" ]]; then cmd+="--airgap "; fi + if [[ $(params.profile-snc) == "true" ]]; then cmd+="--snc "; fi + cmd+="--tags $(params.tags) " fi eval "${cmd}" - create_exit_code=$? 
- - # set task results - cat "${workspace_path}/host" | tee $(results.host.path) - cat "${workspace_path}/username" | tee $(results.username.path) - echo -n "id_rsa" | tee $(results.key.path) - if [[ $(params.airgap) == "true" ]]; then - cat "${workspace_path}/bastion_host" | tee $(results.bastion-host.path) - cat "${workspace_path}/bastion_username" | tee $(results.bastion-username.path) - echo -n "bastion_id_rsa" | tee $(results.bastion-key.path) - fi - - # If debug print credentials - if [[ $(params.debug) == "true" ]]; then - echo "Credentials to access target machine \n" - cat "${workspace_path}/host" - cat "${workspace_path}/username" - cat "${workspace_path}/id_rsa" - if [[ $(params.airgap) == "true" ]]; then - cat "${workspace_path}/bastion_host" - cat "${workspace_path}/bastion_username" - cat "${workspace_path}/bastion_id_rsa" - fi - fi - - if [[ ${create_exit_code} -ne 0 ]]; then - exit 1 - fi - resources: requests: memory: "200Mi" 
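Review bot: The provisioner script keeps `#!/bin/sh` while the new lines rely on bash features — `cmd+=` is not an append in a POSIX sh, `set -o pipefail` is not POSIX, and `[[` already was not — and the sibling `host-info-secret` step uses `#!/bin/bash`, so the shebang should change to match. The `set -xeuo pipefail` in the debug branch repeats the options already set two lines above; `set -x` is all that branch needs. Separately, Tekton substitutes `$(params.id)`, `$(params.tags)`, `$(params.vm-types)` and the others textually into a string that is then `eval`'d, so a parameter value is parsed as shell; the sibling step passes its params through `env:` instead, and doing the same here with an argument array removes the `eval` (note the `"''"` defaults relied on eval stripping the quotes and would become plain empty defaults). The windows-server, azure aks and azure fedora provisioner hunks of this commit share the shebang and eval pattern.
```yaml
      env:
        - name: ID
          value: $(params.id)
        - name: OPERATION
          value: $(params.operation)
        # … unchanged pattern: one env entry per remaining param used by the script …
      script: |
        #!/bin/bash
        set -euo pipefail
        if [[ "${DEBUG}" == "true" ]]; then set -x; fi
        # … unchanged: credential exports and BUCKET …
        args=(mapt aws rhel "${OPERATION}" --project-name "mapt-rhel-${ID}" --backed-url "s3://${BUCKET}/mapt/rhel/${ID}")
        if [[ "${OPERATION}" == "create" ]]; then
          args+=(--conn-details-output /opt/host-info --arch "${ARCH}" --cpus "${CPUS}" --memory "${MEMORY}")
          # … unchanged: remaining create-only flags, appended with args+=(...) …
        fi
        "${args[@]}"
```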
@@ -242,4 +222,53 @@ spec: limits: memory: "600Mi" cpu: "300m" - \ No newline at end of file + - name: host-info-secret + image: registry.redhat.io/openshift4/ose-cli:4.13@sha256:e70eb2be867f1236b19f5cbfeb8e0625737ce0ec1369e32a4f9f146aaaf68d49 + env: + - name: NAMESPACE + value: $(context.taskRun.namespace) + - name: OWNER_KIND + value: $(params.ownerKind) + - name: OWNER_NAME + value: $(params.ownerName) + - name: OWNER_UID + value: $(params.ownerUid) + volumeMounts: + - name: host-info + mountPath: /opt/host-info + script: | + #!/bin/bash + set -eo pipefail + if [[ $(params.operation) == "create" ]]; then + cat < host-info.yaml + apiVersion: v1 + kind: Secret + metadata: + generateName: mapt-aws-rhel- + namespace: $NAMESPACE + ownerReferences: + - apiVersion: tekton.dev/v1 + kind: $OWNER_KIND + name: $OWNER_NAME + uid: $OWNER_UID + type: Opaque + data: + host: $(cat /opt/host-info/host | base64 -w0) + username: $(cat /opt/host-info/username | base64 -w0) + id_rsa: $(cat /opt/host-info/id_rsa | base64 -w0) + EOF + if [[ $(params.airgap) == "true" ]]; then + cat <> host-info.yaml + bastion-host: $(cat /opt/host-info/bastion_host | base64 -w0) + bastion-username: $(cat /opt/host-info/bastion_username | base64 -w0) + bastion-id_rsa: $(cat /opt/host-info/bastion_id_rsa | base64 -w0) + EOF + fi + + if [[ $(params.debug) == "true" ]]; then + cat /opt/host-info/* + fi + + NAME=$(oc create -f host-info.yaml -o=jsonpath='{.metadata.name}') + echo -n "${NAME}" | tee $(results.host-access-secret.path) + fi \ No newline at end of file diff --git a/tkn/template/infra-aws-windows-server.yaml b/tkn/template/infra-aws-windows-server.yaml index 449610b7c..8b7137946 100644 --- a/tkn/template/infra-aws-windows-server.yaml +++ b/tkn/template/infra-aws-windows-server.yaml 
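Review bot: In `host-info-secret`, the `$(cat /opt/host-info/... | base64 -w0)` substitutions inside the heredoc are not covered by `set -eo pipefail`, so a missing or empty connection file yields a Secret with an empty `host` or `id_rsa` value instead of a failing step. Guard before building the manifest: `for f in host username id_rsa; do [[ -s /opt/host-info/$f ]] || { echo "missing /opt/host-info/$f" >&2; exit 1; }; done`, extending the list with the bastion files when airgap is true. Since the manifest carries the private key, it could also be fed straight to `oc create -f -` from the heredoc rather than staged as `host-info.yaml` in the working directory. As rendered here the redirection reads `cat < host-info.yaml`; presumably a `<<EOF >` heredoc operator was lost in rendering, but that is worth confirming in the file. The same step appears in the windows-server, azure aks and azure fedora hunks of this commit.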
@@ -6,22 +6,26 @@ metadata: labels: app.kubernetes.io/version: "" annotations: - tekton.dev/pipelines.minVersion: "0.24.x" + tekton.dev/pipelines.minVersion: "0.44.x" tekton.dev/categories: infrastructure tekton.dev/tags: infrastructure, aws, windows-server tekton.dev/displayName: "aws manager" - tekton.dev/platforms: "linux/amd64" + tekton.dev/platforms: "linux/amd64, linux/arm64" spec: description: | Task provision a windows server dedicated on host on AWS The machine will offer nested virtualizataion capabilities as so it should be spin on a dedicated (baremetal) machine - workspaces: - - name: storage - description: volume to store outputs to connect within the target machine + state file for the infrastructure - mountPath: /opt/storage + volumes: - name: aws-credentials + secret: + secretName: $(params.secret-aws-credentials) + - name: host-info + emptyDir: {} + + params: + - name: secret-aws-credentials description: | ocp secret holding the aws credentials. Secret should be accessible to this task. @@ -30,28 +34,14 @@ spec: kind: Secret metadata: name: aws-${name} - labels: - app.kubernetes.io/component: ${name} - app.kubernetes.io/part-of: qe-platform type: Opaque data: access-key: ${access_key} secret-key: ${secret_key} region: ${region} - mountPath: /opt/aws-credentials - - params: - # mapt params - - name: project-name - description: identifier for project. - - name: backed-url - description: | - If we want to backed resources externally we can use s3 setting this param(i.e s3://existing-bucket). - - If default will be store on storage workspace at path set by param ws-output-path. - default: "''" - - name: ws-output-path - description: path on workspace where to store ephemeral assets related with the provisioning + bucket: ${bucket} + - name: id + description: identifier for the provisioned environment - name: operation description: operation to execute within the infrastructure. Current values (create, destroy) 
@@ -85,9 +75,6 @@ spec: default: "''" # Control params - - name: remove-lock - description: in case a previous run fails the stack can be locked. This value allows to control if remove lock - default: 'true' - name: debug description: | Warning setting this param to true expose credentials 
@@ -97,107 +84,123 @@ spec: default: 'false' results: - - name: host - description: ip to connect to the provisioned machine - - name: username - description: username to connect to the provisioned machine - - name: key - description: filename for the private key. The key is located at workspace-resources-path - - name: bastion-host - description: if airgap is set we get the bastion host as result - - name: bastion-username - description: if airgap is set we get the bastion username to connect as result - - name: bastion-key - description: if airgap is set we get the bastion filename for the private key. The key is located at workspace-resources-path + - name: host-access-secret + description: | + ocp secret holding the information to connect with the target machine. + + --- + apiVersion: v1 + kind: Secret + metadata: + name: ${name} + labels: + type: Opaque + data: + host: ${host} + username: ${username} + id_rsa: ${id_rsa} + # If airgap data for bastion host + bastion-host: ${bastion-host} + bastion-username: ${bastion-username} + bastion-id_rsa: ${bastion-id_rsa} + steps: - - name: provisioner - image: - imagePullPolicy: Always - script: | - #!/bin/sh - - # If debug add verbosity - if [[ $(params.debug) == "true" ]]; then - set -xuo - fi - - # Credentials - export AWS_ACCESS_KEY_ID=$(cat /opt/aws-credentials/access-key) - export AWS_SECRET_ACCESS_KEY=$(cat /opt/aws-credentials/secret-key) - export AWS_DEFAULT_REGION=$(cat /opt/aws-credentials/region) - - # Output folder - workspace_path=/opt/storage/$(params.ws-output-path) - mkdir -p ${workspace_path} - - # Remove lock - if [[ $(params.remove-lock) == "true" ]]; then - rm -rf ${workspace_path}/.pulumi/locks/* - fi - - # Run mapt - cmd="mapt aws windows $(params.operation) " - cmd="$cmd --project-name $(params.project-name) " - # Set the backed url - if [[ $(params.backed-url) != "" ]]; then - cmd="$cmd --backed-url $(params.backed-url) " - else - cmd="$cmd --backed-url file://${workspace_path} " - fi - if [[ 
$(params.operation) == "create" ]]; then - cmd="$cmd --conn-details-output ${workspace_path} " - cmd="$cmd --ami-name $(params.ami-name) " - cmd="$cmd --ami-username $(params.ami-username) " - cmd="$cmd --ami-owner $(params.ami-owner) " - cmd="$cmd --ami-lang $(params.ami-lang) " - if [[ $(params.spot) == "true" ]]; then - cmd="$cmd --spot " - fi - if [[ $(params.airgap) == "true" ]]; then - cmd="$cmd --airgap " + - name: provisioner + image: + imagePullPolicy: Always + volumeMounts: + - name: aws-credentials + mountPath: /opt/aws-credentials + - name: host-info + mountPath: /opt/host-info + script: | + #!/bin/sh + + set -euo pipefail + # If debug add verbosity + if [[ $(params.debug) == "true" ]]; then + set -xeuo pipefail fi - if [[ $(params.tags) != "" ]]; then - cmd="$cmd --tags $(params.tags) " + + # Credentials + export AWS_ACCESS_KEY_ID=$(cat /opt/aws-credentials/access-key) + export AWS_SECRET_ACCESS_KEY=$(cat /opt/aws-credentials/secret-key) + export AWS_DEFAULT_REGION=$(cat /opt/aws-credentials/region) + BUCKET=$(cat /opt/aws-credentials/bucket) + + # Run mapt + cmd="mapt aws windows $(params.operation) " + cmd+="--project-name mapt-windows-$(params.id) " + # Set the backed url + cmd+="--backed-url s3://${BUCKET}/mapt/windows/$(params.id) " + if [[ $(params.operation) == "create" ]]; then + cmd+="--conn-details-output /opt/host-info " + cmd+="--ami-name $(params.ami-name) " + cmd+="--ami-username $(params.ami-username) " + cmd+="--ami-owner $(params.ami-owner) " + cmd+="--ami-lang $(params.ami-lang) " + if [[ $(params.spot) == "true" ]]; then cmd+="--spot "; fi + if [[ $(params.airgap) == "true" ]]; then cmd+="--airgap "; fi + cmd+="--tags $(params.tags) " fi - fi - eval "${cmd}" - - create_exit_code=$? 
- - # set task results - cat "${workspace_path}/host" | tee $(results.host.path) - cat "${workspace_path}/username" | tee $(results.username.path) - echo -n "id_rsa" | tee $(results.key.path) - if [[ $(params.airgap) == "true" ]]; then - cat "${workspace_path}/bastion_host" | tee $(results.bastion-host.path) - cat "${workspace_path}/bastion_username" | tee $(results.bastion-username.path) - echo -n "bastion_id_rsa" | tee $(results.bastion-key.path) - fi - - # If debug print credentials - if [[ $(params.debug) == "true" ]]; then - echo "Credentials to access target machine \n" - cat "${workspace_path}/host" - cat "${workspace_path}/username" - cat "${workspace_path}/id_rsa" + eval "${cmd}" + resources: + requests: + memory: "200Mi" + cpu: "100m" + limits: + memory: "600Mi" + cpu: "300m" + - name: host-info-secret + image: registry.redhat.io/openshift4/ose-cli:4.13@sha256:e70eb2be867f1236b19f5cbfeb8e0625737ce0ec1369e32a4f9f146aaaf68d49 + env: + - name: NAMESPACE + value: $(context.taskRun.namespace) + - name: OWNER_KIND + value: $(params.ownerKind) + - name: OWNER_NAME + value: $(params.ownerName) + - name: OWNER_UID + value: $(params.ownerUid) + volumeMounts: + - name: host-info + mountPath: /opt/host-info + script: | + #!/bin/bash + set -eo pipefail + if [[ $(params.operation) == "create" ]]; then + cat < host-info.yaml + apiVersion: v1 + kind: Secret + metadata: + generateName: mapt-aws-windows- + namespace: $NAMESPACE + ownerReferences: + - apiVersion: tekton.dev/v1 + kind: $OWNER_KIND + name: $OWNER_NAME + uid: $OWNER_UID + type: Opaque + data: + host: $(cat /opt/host-info/host | base64 -w0) + username: $(cat /opt/host-info/username | base64 -w0) + id_rsa: $(cat /opt/host-info/id_rsa | base64 -w0) + EOF if [[ $(params.airgap) == "true" ]]; then - cat "${workspace_path}/bastion_host" - cat "${workspace_path}/bastion_username" - cat "${workspace_path}/bastion_id_rsa" + cat <> host-info.yaml + bastion-host: $(cat /opt/host-info/bastion_host | base64 -w0) + 
bastion-username: $(cat /opt/host-info/bastion_username | base64 -w0) + bastion-id_rsa: $(cat /opt/host-info/bastion_id_rsa | base64 -w0) + EOF fi - fi - - if [[ ${create_exit_code} -ne 0 ]]; then - exit 1 - fi - resources: - requests: - memory: "200Mi" - cpu: "100m" - limits: - memory: "600Mi" - cpu: "300m" + if [[ $(params.debug) == "true" ]]; then + cat /opt/host-info/* + fi + + NAME=$(oc create -f host-info.yaml -o=jsonpath='{.metadata.name}') + echo -n "${NAME}" | tee $(results.host-access-secret.path) + fi - \ No newline at end of file + \ No newline at end of file diff --git a/tkn/template/infra-azure-aks.yaml b/tkn/template/infra-azure-aks.yaml index a58c137a7..3bb56f6b6 100644 --- a/tkn/template/infra-azure-aks.yaml +++ b/tkn/template/infra-azure-aks.yaml 
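Review bot: The comment `# Set the backed url` above `cmd+="--backed-url s3://${BUCKET}/mapt/windows/$(params.id) "` describes the removed conditional; the url is now unconditional, so either drop the comment or make it describe the new behaviour, e.g. `# State always lives in the bucket from the credentials secret, keyed by id`. The provisioner script otherwise has the same shebang and eval concerns raised on the RHEL template, and the `host-info-secret` step the same unguarded heredoc substitutions.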
@@ -10,36 +10,64 @@ metadata: tekton.dev/categories: infrastructure tekton.dev/tags: infrastructure, azure tekton.dev/displayName: "azure manager" - tekton.dev/platforms: "linux/amd64" + tekton.dev/platforms: "linux/amd64, linux/arm64" spec: description: | This task will provision / decomission azure aks cluster The output will give required information to connect within the remote provisioned cluster - workspaces: + volumes: - name: az-credentials + secret: + secretName: $(params.secret-az-credentials) + - name: ckuster-info + emptyDir: {} + + params: + - name: secret-az-credentials description: | ocp secret holding the azure credentials. Secret should be accessible to this task. - To be a valid secret it should contains the following fields: - * tenant_id - * subscription_id - * client_id - * client_secret - * storage_account (optional if we use remote az storage) - * storage_key (optional if we use remote az storage) - mountPath: /opt/credentials - - params: - # mapt params - - name: project-name - description: identifier for project. - - name: backed-url - description: external az storage (i.e azblob://existing-storage). - - name: operation + --- + apiVersion: v1 + kind: Secret + metadata: + name: ${name} + type: Opaque + data: + tenant_id: ${tenant_id} + subscription_id: ${subscription_id} + client_id: ${client_id} + client_secret: ${client_secret} + storage_account: ${storage_account} + storage_key: ${storage_key} + blob: ${blob} + - name: id + description: identifier for the provisioned environment + - name: operation description: operation to execute within the infrastructure. Current values (create, destroy) - default: create + + # Secret result ownership + - name: ownerKind + type: string + default: PipelineRun + description: | + The type of resource that should own the generated SpaceRequest. + Deletion of this resource will trigger deletion of the SpaceRequest. + Supported values: `PipelineRun`, `TaskRun`. 
+ - name: ownerName + type: string + description: | + The name of the resource that should own the generated SpaceRequest. + This should either be passed the value of `$(context.pipelineRun.name)` + or `$(context.taskRun.name)` depending on the value of `ownerKind`. + - name: ownerUid + type: string + description: | + The uid of the resource that should own the generated SpaceRequest. + This should either be passed the value of `$(context.pipelineRun.uid)` + or `$(context.taskRun.uid)` depending on the value of `ownerKind`. # AKS params - name: k8s-version 
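Review bot: The emptyDir volume is declared as `ckuster-info`, but both steps mount `cluster-info` (`volumeMounts: - name: cluster-info`), so the TaskRun pod will be rejected for referencing an undefined volume; rename the declaration to `- name: cluster-info`. The `ownerKind`, `ownerName` and `ownerUid` descriptions here also refer to a "SpaceRequest" where the generated object is a Secret.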
@@ -60,83 +88,80 @@ spec: description: 'if spot is enable we can define the minimum tolerance level of eviction. Allowed value are: lowest, low, medium, high or highest' default: 'lowest' - # Metadata params - name: tags description: tags for the resources created on the providers default: "''" - + # Control params - - name: remove-lock - description: in case a previous run fails the stack can be locked. This value allows to control if remove lock - default: 'true' + - name: debug + description: | + Warning setting this param to true expose credentials + + The parameter is intended to add verbosity on the task execution and also print credentials on stdout + to easily access to remote machice + default: 'false' results: - - name: kubeconfig - description: kubeconfig file + - name: cluster-access-secret + description: | + ocp secret holding the information to connect to the cluster + + --- + apiVersion: v1 + kind: Secret + metadata: + name: ${name} + type: Opaque + data: + kubeconfig: ${kubeconfig} steps: - name: provisioner image: imagePullPolicy: Always + volumeMounts: + - name: az-credentials + mountPath: /opt/az-credentials + - name: cluster-info + mountPath: /opt/cluster-info script: | #!/bin/sh - # Added verbosity - set -xuo - - # Credentials - export ARM_TENANT_ID=$(cat /opt/credentials/tenant_id) - export ARM_SUBSCRIPTION_ID=$(cat /opt/credentials/subscription_id) - export ARM_CLIENT_ID=$(cat /opt/credentials/client_id) - export ARM_CLIENT_SECRET=$(cat /opt/credentials/client_secret) - if ! [ -f /opt/credentials/storage_account ]; then - export AZURE_STORAGE_ACCOUNT=$(cat /opt/credentials/storage_account) - fi - if ! 
[ -f /opt/credentials/storage_key ]; then - export AZURE_STORAGE_KEY=$(cat /opt/credentials/storage_key) - fi - - # Output folder - mkdir -p aks-kubeconfig - - # Remove lock - if [[ $(params.remove-lock) == "true" ]]; then - rm -rf ${workspace_path}/.pulumi/locks/* + # If debug add verbosity + if [[ $(params.debug) == "true" ]]; then + set -xuo fi - + + # Credentials + export ARM_TENANT_ID=$(cat /opt/az-credentials/tenant_id) + export ARM_SUBSCRIPTION_ID=$(cat /opt/az-credentials/subscription_id) + export ARM_CLIENT_ID=$(cat /opt/az-credentials/client_id) + export ARM_CLIENT_SECRET=$(cat /opt/az-credentials/client_secret) + export AZURE_STORAGE_ACCOUNT=$(cat /opt/az-credentials/storage_account) + export AZURE_STORAGE_KEY=$(cat /opt/az-credentials/storage_key) + BLOB=$(cat /opt/az-credentials/blob) + + # Run mapt cmd="mapt azure aks $(params.operation) " - cmd="$cmd --project-name $(params.project-name) " - cmd="$cmd --backed-url $(params.backed-url) " + cmd+="--project-name mapt-aks-$(params.id) " + cmd+="--backed-url azblob://${BLOB}/aks-$(params.id) " if [[ $(params.operation) == "create" ]]; then - cmd="$cmd --conn-details-output aks-kubeconfig " - cmd="$cmd --version $(params.k8s-version) " + cmd+="--conn-details-output /opt/cluster-info " + cmd+="--version $(params.k8s-version) " if [[ $(params.only-system-pool) == "true" ]]; then - cmd="$cmd --only-system-pool " + cmd+="--only-system-pool " fi if [[ $(params.enable-app-routing) == "true" ]]; then - cmd="$cmd --enable-app-routing " + cmd+="--enable-app-routing " fi if [[ $(params.spot) == "true" ]]; then - cmd="$cmd --spot " - cmd="$cmd --spot-eviction-tolerance $(params.spot-eviction-tolerance) " - fi - if [[ $(params.tags) != "" ]]; then - cmd="$cmd --tags $(params.tags) " + cmd+="--spot --spot-eviction-tolerance $(params.spot-eviction-tolerance) " fi + cmd+="--tags $(params.tags) " fi eval "${cmd}" - - create_exit_code=$? 
- - # set task results - cat "aks-kubeconfig/kubeconfig" | tee $(results.kubeconfig.path) - - if [[ ${create_exit_code} -ne 0 ]]; then - exit 1 - fi - resources: requests: memory: "200Mi" @@ -144,3 +169,44 @@ spec: limits: memory: "600Mi" cpu: "300m" + - name: host-info-secret + image: registry.redhat.io/openshift4/ose-cli:4.13@sha256:e70eb2be867f1236b19f5cbfeb8e0625737ce0ec1369e32a4f9f146aaaf68d49 + env: + - name: NAMESPACE + value: $(context.taskRun.namespace) + - name: OWNER_KIND + value: $(params.ownerKind) + - name: OWNER_NAME + value: $(params.ownerName) + - name: OWNER_UID + value: $(params.ownerUid) + volumeMounts: + - name: cluster-info + mountPath: /opt/cluster-info + script: | + #!/bin/bash + set -eo pipefail + if [[ $(params.operation) == "create" ]]; then + cat < cluster-info.yaml + apiVersion: v1 + kind: Secret + metadata: + generateName: mapt-azure-aks- + namespace: $NAMESPACE + ownerReferences: + - apiVersion: tekton.dev/v1 + kind: $OWNER_KIND + name: $OWNER_NAME + uid: $OWNER_UID + type: Opaque + data: + kubeconfig: $(cat /opt/cluster-info/kubeconfig | base64 -w0) + EOF + + if [[ $(params.debug) == "true" ]]; then + cat /opt/cluster-info/* + fi + + NAME=$(oc create -f cluster-info.yaml -o=jsonpath='{.metadata.name}') + echo -n "${NAME}" | tee $(results.cluster-access-secret.path) + fi diff --git a/tkn/template/infra-azure-fedora.yaml b/tkn/template/infra-azure-fedora.yaml index 54fe5a0b4..eead3d9ad 100644 --- a/tkn/template/infra-azure-fedora.yaml +++ b/tkn/template/infra-azure-fedora.yaml 
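Review bot: Unlike the AWS templates in this commit, the azure provisioner script has no `set -euo pipefail` after the shebang, so a credentials secret missing `blob` or `storage_key` leaves the variable empty and the run continues with `--backed-url azblob:///aks-<id>` and no storage key; add `set -euo pipefail` right after the shebang, which should become `#!/bin/bash` since `cmd+=` and `pipefail` are bash features. The debug branch's `set -xuo` passes `-o` with no option name, which in bash appears to print the option table rather than enable anything, and differs from the `set -xeuo pipefail` used in the AWS scripts; `set -x` is what is meant there. The azure fedora provisioner hunk has the same two issues.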
@@ -10,44 +10,64 @@ metadata: tekton.dev/categories: infrastructure tekton.dev/tags: infrastructure, azure tekton.dev/displayName: "azure manager" - tekton.dev/platforms: "linux/amd64" + tekton.dev/platforms: "linux/amd64, linux/arm64" spec: description: | This task will provision / decomission fedora on azure The output will give required information to connect within the remote provisioned host - workspaces: - - name: pipelines-data - description: workspace to store outputs to connect within the target machine + state file for the infrastructure + volumes: - name: az-credentials - description: | - ocp secret holding the azure credentials. Secret should be accessible to this task. - - To be a valid secret it should contains the following fields: - * tenant_id - * subscription_id - * client_id - * client_secret - * storage_account (optional if we use remote az storage) - * storage_key (optional if we use remote az storage) - mountPath: /opt/credentials + secret: + secretName: $(params.secret-az-credentials) + - name: host-info + emptyDir: {} params: - # mapt params - - name: project-name - description: identifier for project. - - name: backed-url + - name: secret-az-credentials description: | - If we want to backed resources externally we can use az storage setting this param(i.e azblob://existing-storage). + ocp secret holding the azure credentials. Secret should be accessible to this task. - If default will be store on storage workspace at path set by param ws-output-path. 
- default: "''" - - name: ws-output-path - description: path on workspace where to store ephemeral assets related with the provisioning - - name: operation + --- + apiVersion: v1 + kind: Secret + metadata: + name: ${name} + type: Opaque + data: + tenant_id: ${tenant_id} + subscription_id: ${subscription_id} + client_id: ${client_id} + client_secret: ${client_secret} + storage_account: ${storage_account} + storage_key: ${storage_key} + blob: ${blob} + - name: id + description: identifier for the provisioned environment + - name: operation description: operation to execute within the infrastructure. Current values (create, destroy) - default: create + + # Secret result ownership + - name: ownerKind + type: string + default: PipelineRun + description: | + The type of resource that should own the generated SpaceRequest. + Deletion of this resource will trigger deletion of the SpaceRequest. + Supported values: `PipelineRun`, `TaskRun`. + - name: ownerName + type: string + description: | + The name of the resource that should own the generated SpaceRequest. + This should either be passed the value of `$(context.pipelineRun.name)` + or `$(context.taskRun.name)` depending on the value of `ownerKind`. + - name: ownerUid + type: string + description: | + The uid of the resource that should own the generated SpaceRequest. + This should either be passed the value of `$(context.pipelineRun.uid)` + or `$(context.taskRun.uid)` depending on the value of `ownerKind`. # VM type params - name: arch 
@@ -83,90 +103,76 @@ spec: default: "''" # Control params - - name: remove-lock - description: in case a previous run fails the stack can be locked. This value allows to control if remove lock - default: 'true' + - name: debug + description: | + Warning setting this param to true expose credentials + + The parameter is intended to add verbosity on the task execution and also print credentials on stdout + to easily access to remote machice + default: 'false' results: - - name: host - description: ip to connect to the provisioned machine - - name: username - description: username to connect to the provisioned machine - - name: key - description: filename for the private key. The key is located at ws-output-path + - name: host-access-secret + description: | + ocp secret holding the information to connect with the target machine. + + --- + apiVersion: v1 + kind: Secret + metadata: + name: ${name} + type: Opaque + data: + host: ${host} + username: ${username} + id_rsa: ${id_rsa} steps: - name: provisioner image: imagePullPolicy: Always + volumeMounts: + - name: az-credentials + mountPath: /opt/az-credentials + - name: host-info + mountPath: /opt/host-info script: | #!/bin/sh - # Added verbosity - set -xuo - - # Credentials - export ARM_TENANT_ID=$(cat /opt/credentials/tenant_id) - export ARM_SUBSCRIPTION_ID=$(cat /opt/credentials/subscription_id) - export ARM_CLIENT_ID=$(cat /opt/credentials/client_id) - export ARM_CLIENT_SECRET=$(cat /opt/credentials/client_secret) - if ! [ -f /opt/credentials/storage_account ]; then - export AZURE_STORAGE_ACCOUNT=$(cat /opt/credentials/storage_account) - fi - if ! 
[ -f /opt/credentials/storage_key ]; then - export AZURE_STORAGE_KEY=$(cat /opt/credentials/storage_key) - fi - - # Output folder - workspace_path=$(workspaces.pipelines-data.path)/$(params.ws-output-path) - mkdir -p ${workspace_path} - - # Remove lock - if [[ $(params.remove-lock) == "true" ]]; then - rm -rf ${workspace_path}/.pulumi/locks/* + # If debug add verbosity + if [[ $(params.debug) == "true" ]]; then + set -xuo fi + + # Credentials + export ARM_TENANT_ID=$(cat /opt/az-credentials/tenant_id) + export ARM_SUBSCRIPTION_ID=$(cat /opt/az-credentials/subscription_id) + export ARM_CLIENT_ID=$(cat /opt/az-credentials/client_id) + export ARM_CLIENT_SECRET=$(cat /opt/az-credentials/client_secret) + export AZURE_STORAGE_ACCOUNT=$(cat /opt/az-credentials/storage_account) + export AZURE_STORAGE_KEY=$(cat /opt/az-credentials/storage_key) + BLOB=$(cat /opt/az-credentials/blob) # Run mapt cmd="mapt azure fedora $(params.operation) " - cmd="$cmd --project-name $(params.project-name) " - if [[ $(params.backed-url) != "" ]]; then - cmd="$cmd --backed-url $(params.backed-url) " - else - cmd="$cmd --backed-url file://${workspace_path} " - fi + cmd+="--project-name mapt-fedora-$(params.id) " + cmd+="--backed-url azblob://${BLOB}/fedora-$(params.id) " if [[ $(params.operation) == "create" ]]; then - cmd="$cmd --conn-details-output ${workspace_path} " - cmd="$cmd --arch $(params.arch) " - cmd="$cmd --cpus $(params.cpus) " - cmd="$cmd --memory $(params.memory) " + cmd+="--conn-details-output /opt/host-info " + cmd+="--arch $(params.arch) --cpus $(params.cpus) " + cmd+="--memory $(params.memory) --version $(params.version) " if [[ $(params.nested-virt) == "true" ]]; then - cmd="$cmd --nested-virt " + cmd+="--nested-virt " fi - cmd="$cmd --version $(params.version) " if [[ $(params.vmsize) != "" ]]; then - cmd="$cmd --vmsize $(params.vmsize) " - fi - if [[ $(params.spot) == "true" ]]; then - cmd="$cmd --spot " - cmd="$cmd --spot-eviction-tolerance $(params.spot-eviction-tolerance) 
" - fi - if [[ $(params.tags) != "" ]]; then - cmd="$cmd --tags $(params.tags) " + cmd+="--vmsize $(params.vmsize) " fi + if [[ $(params.spot) == "true" ]]; then cmd+="--spot "; fi + # Spot tolerance only be applied if spot is enabled + cmd+="--spot-eviction-tolerance $(params.spot-eviction-tolerance) " + cmd+="--tags $(params.tags) " fi eval "${cmd}" - - create_exit_code=$? - - # set task results - cat "${workspace_path}/host" | tee $(results.host.path) - cat "${workspace_path}/username" | tee $(results.username.path) - echo -n "id_rsa" | tee $(results.key.path) - - if [[ ${create_exit_code} -ne 0 ]]; then - exit 1 - fi - resources: requests: memory: "200Mi" @@ -174,3 +180,47 @@ spec: limits: memory: "600Mi" cpu: "300m" + - name: host-info-secret + image: registry.redhat.io/openshift4/ose-cli:4.13@sha256:e70eb2be867f1236b19f5cbfeb8e0625737ce0ec1369e32a4f9f146aaaf68d49 + env: + - name: NAMESPACE + value: $(context.taskRun.namespace) + - name: OWNER_KIND + value: $(params.ownerKind) + - name: OWNER_NAME + value: $(params.ownerName) + - name: OWNER_UID + value: $(params.ownerUid) + volumeMounts: + - name: host-info + mountPath: /opt/host-info + script: | + #!/bin/bash + set -eo pipefail + if [[ $(params.operation) == "create" ]]; then + cat < host-info.yaml + apiVersion: v1 + kind: Secret + metadata: + generateName: mapt-azure-fedora- + namespace: $NAMESPACE + ownerReferences: + - apiVersion: tekton.dev/v1 + kind: $OWNER_KIND + name: $OWNER_NAME + uid: $OWNER_UID + type: Opaque + data: + host: $(cat /opt/host-info/host | base64 -w0) + username: $(cat /opt/host-info/username | base64 -w0) + id_rsa: $(cat /opt/host-info/id_rsa | base64 -w0) + EOF + + if [[ $(params.debug) == "true" ]]; then + cat /opt/host-info/* + fi + + NAME=$(oc create -f host-info.yaml -o=jsonpath='{.metadata.name}') + echo -n "${NAME}" | tee $(results.host-access-secret.path) + fi + 
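Review bot: `cmd+="--spot-eviction-tolerance $(params.spot-eviction-tolerance) "` is now appended even when `spot` is false, where the removed code only passed it together with `--spot`; the comment above claims mapt ignores it without spot, which I cannot verify from here. If that holds, reword the comment to `# mapt only honours the eviction tolerance when --spot is set`; otherwise keep it inside the spot branch as the aks template does: `if [[ $(params.spot) == "true" ]]; then cmd+="--spot --spot-eviction-tolerance $(params.spot-eviction-tolerance) "; fi`.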
diff --git a/tkn/template/infra-azure-rhel.yaml b/tkn/template/infra-azure-rhel.yaml index f48e74b25..14111ee8d 100644 --- a/tkn/template/infra-azure-rhel.yaml +++ b/tkn/template/infra-azure-rhel.yaml 
@@ -10,60 +10,64 @@ metadata: tekton.dev/categories: infrastructure tekton.dev/tags: infrastructure, azure tekton.dev/displayName: "azure manager" - tekton.dev/platforms: "linux/amd64" + tekton.dev/platforms: "linux/amd64, linux/arm64" spec: description: | This task will provision / decomission rhel on azure The output will give required information to connect within the remote provisioned host - workspaces: - - name: pipelines-data - description: workspace to store outputs to connect within the target machine + state file for the infrastructure + volumes: - name: az-credentials - description: | - ocp secret holding the azure credentials. Secret should be accessible to this task. + secret: + secretName: $(params.secret-az-credentials) + - name: host-info + emptyDir: {} - To be a valid secret it should contains the following fields: - * tenant_id - * subscription_id - * client_id - * client_secret - * storage_account (optional if we use remote az storage) - * storage_key (optional if we use remote az storage) - mountPath: /opt/credentials - - name: rh-account-secret - optional: true + params: + - name: secret-az-credentials description: | - ocp secret holding the credentials for a valid rh user to subscribe VM. Secret should be accessible to this task. + ocp secret holding the azure credentials. Secret should be accessible to this task. - Sample format for valid Secret --- apiVersion: v1 kind: Secret metadata: - name: credentials-${configname} + name: ${name} type: Opaque data: - user: ${user} - password: ${password} - mountPath: /opt/rh-account-secret - - params: - # mapt params - - name: project-name - description: identifier for project. - - name: backed-url - description: | - If we want to backed resources externally we can use az storage setting this param(i.e azblob://existing-storage). - - If default will be store on storage workspace at path set by param ws-output-path. 
- default: "''" - - name: ws-output-path - description: path on workspace where to store ephemeral assets related with the provisioning + tenant_id: ${tenant_id} + subscription_id: ${subscription_id} + client_id: ${client_id} + client_secret: ${client_secret} + storage_account: ${storage_account} + storage_key: ${storage_key} + blob: ${blob} + - name: id + description: identifier for the provisioned environment - name: operation description: operation to execute within the infrastructure. Current values (create, destroy) - default: create + + # Secret result ownership + - name: ownerKind + type: string + default: PipelineRun + description: | + The type of resource that should own the generated SpaceRequest. + Deletion of this resource will trigger deletion of the SpaceRequest. + Supported values: `PipelineRun`, `TaskRun`. + - name: ownerName + type: string + description: | + The name of the resource that should own the generated SpaceRequest. + This should either be passed the value of `$(context.pipelineRun.name)` + or `$(context.taskRun.name)` depending on the value of `ownerKind`. + - name: ownerUid + type: string + description: | + The uid of the resource that should own the generated SpaceRequest. + This should either be passed the value of `$(context.pipelineRun.uid)` + or `$(context.taskRun.uid)` depending on the value of `ownerKind`. # VM type params - name: arch 
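Review bot: The descriptions of the new `ownerKind`, `ownerName` and `ownerUid` params talk about a "generated SpaceRequest", but what this task generates and hands ownership of is the host-access Secret created by the `host-info-secret` step; the text reads as copied from another task. Suggest `The type of resource that should own the generated host-access Secret. Deletion of this resource will trigger deletion of the Secret.` for `ownerKind`, with matching wording in `ownerName` and `ownerUid`. The same descriptions appear in tkn/template/infra-azure-windows-desktop.yaml. It would also help to state in `secret-az-credentials` that `storage_account`, `storage_key` and `blob` are now mandatory, since the provisioner reads them unconditionally and the old "optional" wording disappeared with the workspace.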
@@ -103,95 +107,76 @@ spec: default: "''" # Control params - - name: remove-lock - description: in case a previous run fails the stack can be locked. This value allows to control if remove lock - default: 'true' + - name: debug + description: | + Warning setting this param to true expose credentials + + The parameter is intended to add verbosity on the task execution and also print credentials on stdout + to easily access to remote machice + default: 'false' results: - - name: host - description: ip to connect to the provisioned machine - - name: username - description: username to connect to the provisioned machine - - name: key - description: filename for the private key. The key is located at ws-output-path + - name: host-access-secret + description: | + ocp secret holding the information to connect with the target machine. + + --- + apiVersion: v1 + kind: Secret + metadata: + name: ${name} + type: Opaque + data: + host: ${host} + username: ${username} + id_rsa: ${id_rsa} steps: - name: provisioner image: imagePullPolicy: Always + volumeMounts: + - name: az-credentials + mountPath: /opt/az-credentials + - name: host-info + mountPath: /opt/host-info script: | #!/bin/sh - # Added verbosity - set -xuo - - # Credentials - export ARM_TENANT_ID=$(cat /opt/credentials/tenant_id) - export ARM_SUBSCRIPTION_ID=$(cat /opt/credentials/subscription_id) - export ARM_CLIENT_ID=$(cat /opt/credentials/client_id) - export ARM_CLIENT_SECRET=$(cat /opt/credentials/client_secret) - if ! [ -f /opt/credentials/storage_account ]; then - export AZURE_STORAGE_ACCOUNT=$(cat /opt/credentials/storage_account) - fi - if ! 
[ -f /opt/credentials/storage_key ]; then - export AZURE_STORAGE_KEY=$(cat /opt/credentials/storage_key) + # If debug add verbosity + if [[ $(params.debug) == "true" ]]; then + set -xuo fi - # Output folder - workspace_path=$(workspaces.pipelines-data.path)/$(params.ws-output-path) - mkdir -p ${workspace_path} - - # Remove lock - if [[ $(params.remove-lock) == "true" ]]; then - rm -rf ${workspace_path}/.pulumi/locks/* - fi + # Credentials + export ARM_TENANT_ID=$(cat /opt/az-credentials/tenant_id) + export ARM_SUBSCRIPTION_ID=$(cat /opt/az-credentials/subscription_id) + export ARM_CLIENT_ID=$(cat /opt/az-credentials/client_id) + export ARM_CLIENT_SECRET=$(cat /opt/az-credentials/client_secret) + export AZURE_STORAGE_ACCOUNT=$(cat /opt/az-credentials/storage_account) + export AZURE_STORAGE_KEY=$(cat /opt/az-credentials/storage_key) + BLOB=$(cat /opt/az-credentials/blob) # Run mapt cmd="mapt azure rhel $(params.operation) " - cmd="$cmd --project-name $(params.project-name) " - if [[ $(params.backed-url) != "" ]]; then - cmd="$cmd --backed-url $(params.backed-url) " - else - cmd="$cmd --backed-url file://${workspace_path} " - fi + cmd+="--project-name mapt-rhel-$(params.id) " + cmd+="--backed-url azblob://${BLOB}/rhel-$(params.id) " if [[ $(params.operation) == "create" ]]; then - cmd="$cmd --conn-details-output ${workspace_path} " - cmd="$cmd --arch $(params.arch) " - cmd="$cmd --cpus $(params.cpus) " - cmd="$cmd --memory $(params.memory) " + cmd+="--conn-details-output /opt/host-info " + cmd+="--arch $(params.arch) --cpus $(params.cpus) " + cmd+="--memory $(params.memory) --version $(params.version) " if [[ $(params.nested-virt) == "true" ]]; then - cmd="$cmd --nested-virt " + cmd+="--nested-virt " fi if [[ $(params.vmsize) != "" ]]; then - cmd="$cmd --vmsize $(params.vmsize) " - fi - cmd="$cmd --version $(params.version) " - if [[ $(params.spot) == "true" ]]; then - cmd="$cmd --spot " - cmd="$cmd --spot-eviction-tolerance $(params.spot-eviction-tolerance) " - fi - 
cmd="$cmd --rh-subscription-username $(cat /opt/rh-account-secret/user) " - cmd="$cmd --rh-subscription-password $(cat /opt/rh-account-secret/password) " - if [[ $(params.profile-snc) == "true" ]]; then - cmd="$cmd --snc " - fi - if [[ $(params.tags) != "" ]]; then - cmd="$cmd --tags $(params.tags) " + cmd+="--vmsize $(params.vmsize) " fi + if [[ $(params.spot) == "true" ]]; then cmd+="--spot "; fi + # Spot tolerance only be applied if spot is enabled + cmd+="--spot-eviction-tolerance $(params.spot-eviction-tolerance) " + cmd+="--tags $(params.tags) " fi eval "${cmd}" - - create_exit_code=$? - - # set task results - cat "${workspace_path}/host" | tee $(results.host.path) - cat "${workspace_path}/username" | tee $(results.username.path) - echo -n "id_rsa" | tee $(results.key.path) - - if [[ ${create_exit_code} -ne 0 ]]; then - exit 1 - fi - resources: requests: memory: "200Mi" 
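Review bot: The provisioner script keeps `#!/bin/sh` while the rewritten command assembly relies on `cmd+=` (and `[[ ]]`), which are bash features; this only works where `/bin/sh` is bash inside the mapt image, and since the new `host-info-secret` step already uses `#!/bin/bash`, using `#!/bin/bash` here too removes that dependency. Error handling has also become debug-only: `set -xuo` runs only when `params.debug` is `true`, so in the normal path a missing `client_secret`, `storage_key` or `blob` file under `/opt/az-credentials` leaves the variable empty and `mapt` runs with empty credentials or `--backed-url azblob:///rhel-...`; suggest `set -euo pipefail` unconditionally and `set -x` only inside the debug branch. The comment `# Spot tolerance only be applied if spot is enabled` sits above an unconditional `cmd+="--spot-eviction-tolerance ..."`, so it describes what mapt presumably does rather than what this script does; `# passed unconditionally; mapt is expected to ignore it unless --spot is set` would be accurate. These points apply equally to the preceding fedora template and to tkn/template/infra-azure-windows-desktop.yaml, and the `debug` description has a typo, `machice` for `machine`.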
@@ -199,3 +184,46 @@ spec: limits: memory: "600Mi" cpu: "300m" + - name: host-info-secret + image: registry.redhat.io/openshift4/ose-cli:4.13@sha256:e70eb2be867f1236b19f5cbfeb8e0625737ce0ec1369e32a4f9f146aaaf68d49 + env: + - name: NAMESPACE + value: $(context.taskRun.namespace) + - name: OWNER_KIND + value: $(params.ownerKind) + - name: OWNER_NAME + value: $(params.ownerName) + - name: OWNER_UID + value: $(params.ownerUid) + volumeMounts: + - name: host-info + mountPath: /opt/host-info + script: | + #!/bin/bash + set -eo pipefail + if [[ $(params.operation) == "create" ]]; then + cat < host-info.yaml + apiVersion: v1 + kind: Secret + metadata: + generateName: mapt-azure-rhel- + namespace: $NAMESPACE + ownerReferences: + - apiVersion: tekton.dev/v1 + kind: $OWNER_KIND + name: $OWNER_NAME + uid: $OWNER_UID + type: Opaque + data: + host: $(cat /opt/host-info/host | base64 -w0) + username: $(cat /opt/host-info/username | base64 -w0) + id_rsa: $(cat /opt/host-info/id_rsa | base64 -w0) + EOF + + if [[ $(params.debug) == "true" ]]; then + cat /opt/host-info/* + fi + + NAME=$(oc create -f host-info.yaml -o=jsonpath='{.metadata.name}') + echo -n "${NAME}" | tee $(results.host-access-secret.path) + fi diff --git a/tkn/template/infra-azure-windows-desktop.yaml b/tkn/template/infra-azure-windows-desktop.yaml index e15e94b34..e74b1fe55 100644 --- a/tkn/template/infra-azure-windows-desktop.yaml +++ b/tkn/template/infra-azure-windows-desktop.yaml 
@@ -6,47 +6,68 @@ metadata: labels: app.kubernetes.io/version: "" annotations: - tekton.dev/pipelines.minVersion: "0.24.x" + tekton.dev/pipelines.minVersion: "0.44.x" tekton.dev/categories: infrastructure tekton.dev/tags: infrastructure, azure tekton.dev/displayName: "azure manager" - tekton.dev/platforms: "linux/amd64" + tekton.dev/platforms: "linux/amd64, linux/arm64" spec: description: | This task will provision / decomission windows desktop machines on azure The output will give required information to connect within the remote provisioned host - workspaces: - - name: pipelines-data - description: workspace to store outputs to connect within the target machine + state file for the infrastructure + volumes: - name: az-credentials - description: | - ocp secret holding the azure credentials. Secret should be accessible to this task. - - To be a valid secret it should contains the following fields: - * tenant_id - * subscription_id - * client_id - * client_secret - * storage_account (optional if we use remote az storage) - * storage_key (optional if we use remote az storage) - mountPath: /opt/credentials + secret: + secretName: $(params.secret-az-credentials) + - name: host-info + emptyDir: {} params: - - name: project-name - description: identifier for project. - - name: backed-url + - name: secret-az-credentials description: | - If we want to backed resources externally we can use az storage setting this param(i.e azblob://existing-storage). + ocp secret holding the azure credentials. Secret should be accessible to this task. - If default will be store on storage workspace at path set by param ws-output-path. 
- default: "''" - - name: ws-output-path - description: path on workspace where to store ephemeral assets related with the provisioning + --- + apiVersion: v1 + kind: Secret + metadata: + name: ${name} + type: Opaque + data: + tenant_id: ${tenant_id} + subscription_id: ${subscription_id} + client_id: ${client_id} + client_secret: ${client_secret} + storage_account: ${storage_account} + storage_key: ${storage_key} + blob: ${blob} + - name: id + description: identifier for the provisioned environment - name: operation description: operation to execute within the infrastructure. Current values (create, destroy) - default: create + + # Secret result ownership + - name: ownerKind + type: string + default: PipelineRun + description: | + The type of resource that should own the generated SpaceRequest. + Deletion of this resource will trigger deletion of the SpaceRequest. + Supported values: `PipelineRun`, `TaskRun`. + - name: ownerName + type: string + description: | + The name of the resource that should own the generated SpaceRequest. + This should either be passed the value of `$(context.pipelineRun.name)` + or `$(context.taskRun.name)` depending on the value of `ownerKind`. + - name: ownerUid + type: string + description: | + The uid of the resource that should own the generated SpaceRequest. + This should either be passed the value of `$(context.pipelineRun.uid)` + or `$(context.taskRun.uid)` depending on the value of `ownerKind`. # VM type params - name: cpus 
@@ -82,97 +103,127 @@ spec: default: "''" # Control params - - name: remove-lock - description: in case a previous run fails the stack can be locked. This value allows to control if remove lock - default: 'true' + - name: debug + description: | + Warning setting this param to true expose credentials + + The parameter is intended to add verbosity on the task execution and also print credentials on stdout + to easily access to remote machice + default: 'false' results: - - name: host - description: ip to connect to the provisioned machine - - name: username - description: username to connect to the provisioned machine - - name: userpassword - description: password for the user to connect to the provisioned machine - - name: key-filename - description: filename for the private key. The key is located at ws-output-path + - name: host-access-secret + description: | + ocp secret holding the information to connect with the target machine. + + --- + apiVersion: v1 + kind: Secret + metadata: + name: ${name} + type: Opaque + data: + host: ${host} + username: ${username} + id_rsa: ${id_rsa} + userpassword: ${userpassword} + adminusername: ${adminusername} + adminuserpassword: ${adminuserpassword} steps: - name: provisioner image: imagePullPolicy: Always + volumeMounts: + - name: az-credentials + mountPath: /opt/az-credentials + - name: host-info + mountPath: /opt/host-info script: | #!/bin/sh - # Added verbosity - set -xuo - - # Credentials - export ARM_TENANT_ID=$(cat /opt/credentials/tenant_id) - export ARM_SUBSCRIPTION_ID=$(cat /opt/credentials/subscription_id) - export ARM_CLIENT_ID=$(cat /opt/credentials/client_id) - export ARM_CLIENT_SECRET=$(cat /opt/credentials/client_secret) - if ! [ -f /opt/credentials/storage_account ]; then - export AZURE_STORAGE_ACCOUNT=$(cat /opt/credentials/storage_account) - fi - if ! 
[ -f /opt/credentials/storage_key ]; then - export AZURE_STORAGE_KEY=$(cat /opt/credentials/storage_key) + # If debug add verbosity + if [[ $(params.debug) == "true" ]]; then + set -xuo fi - # Output folder - workspace_path=$(workspaces.pipelines-data.path)/$(params.ws-output-path) - mkdir -p ${workspace_path} - - # Remove lock - if [[ $(params.remove-lock) == "true" ]]; then - rm -rf ${workspace_path}/.pulumi/locks/* - fi + # Credentials + export ARM_TENANT_ID=$(cat /opt/az-credentials/tenant_id) + export ARM_SUBSCRIPTION_ID=$(cat /opt/az-credentials/subscription_id) + export ARM_CLIENT_ID=$(cat /opt/az-credentials/client_id) + export ARM_CLIENT_SECRET=$(cat /opt/az-credentials/client_secret) + export AZURE_STORAGE_ACCOUNT=$(cat /opt/az-credentials/storage_account) + export AZURE_STORAGE_KEY=$(cat /opt/az-credentials/storage_key) + BLOB=$(cat /opt/az-credentials/blob) # Run mapt cmd="mapt azure windows $(params.operation) " - cmd="$cmd --project-name $(params.project-name) " - if [[ $(params.backed-url) != "" ]]; then - cmd="$cmd --backed-url $(params.backed-url) " - else - cmd="$cmd --backed-url file://${workspace_path} " - fi + cmd+="--project-name mapt-windows-$(params.id) " + cmd+="--backed-url azblob://${BLOB}/windows-$(params.id) " if [[ $(params.operation) == "create" ]]; then - cmd="$cmd --conn-details-output ${workspace_path} " - cmd="$cmd --windows-featurepack $(params.windows-featurepack) " - cmd="$cmd --windows-version $(params.windows-version) " - cmd="$cmd --cpus $(params.cpus) " - cmd="$cmd --memory $(params.memory) " - if [[ $(params.nested-virt) == "true" ]]; then - cmd="$cmd --nested-virt " - fi - if [[ $(params.vmsize) != "" ]]; then - cmd="$cmd --vmsize $(params.vmsize) " - fi - if [[ $(params.spot) == "true" ]]; then - cmd="$cmd --spot " - cmd="$cmd --spot-eviction-tolerance $(params.spot-eviction-tolerance) " - fi - if [[ $(params.tags) != "" ]]; then - cmd="$cmd --tags $(params.tags) " - fi - fi - eval "${cmd}" - - create_exit_code=$? 
- - # set task results - cat "${workspace_path}/host" | tee $(results.host.path) - cat "${workspace_path}/username" | tee $(results.username.path) - cat "${workspace_path}/userpassword" | tee $(results.userpassword.path) - echo -n "id_rsa" | tee $(results.key-filename.path) - - if [[ ${create_exit_code} -ne 0 ]]; then - exit 1 + cmd+="--conn-details-output /opt/host-info " + cmd+="--windows-featurepack $(params.windows-featurepack) " + cmd+="--windows-version $(params.windows-version) " + cmd+="--cpus $(params.cpus) " + cmd+="--memory $(params.memory) " + if [[ $(params.nested-virt) == "true" ]]; then cmd+="--nested-virt "; fi + if [[ -z $(params.vmsize) ]]; then cmd+="--vmsize $(params.vmsize) "; fi + if [[ $(params.spot) == "true" ]]; then cmd+="--spot "; fi + # Spot tolerance only be applied if spot is enabled + cmd+="--spot-eviction-tolerance $(params.spot-eviction-tolerance) " + cmd+="--tags $(params.tags) " fi - + eval "${cmd}" resources: requests: - memory: "200Mi" - cpu: "100m" + memory: "300Mi" + cpu: "150m" limits: - memory: "600Mi" - cpu: "300m" + memory: "900Mi" + cpu: "400m" + - name: host-info-secret + image: registry.redhat.io/openshift4/ose-cli:4.13@sha256:e70eb2be867f1236b19f5cbfeb8e0625737ce0ec1369e32a4f9f146aaaf68d49 + env: + - name: NAMESPACE + value: $(context.taskRun.namespace) + - name: OWNER_KIND + value: $(params.ownerKind) + - name: OWNER_NAME + value: $(params.ownerName) + - name: OWNER_UID + value: $(params.ownerUid) + volumeMounts: + - name: host-info + mountPath: /opt/host-info + script: | + #!/bin/bash + set -eo pipefail + if [[ $(params.operation) == "create" ]]; then + cat < host-info.yaml + apiVersion: v1 + kind: Secret + metadata: + generateName: mapt-azure-windows- + namespace: $NAMESPACE + ownerReferences: + - apiVersion: tekton.dev/v1 + kind: $OWNER_KIND + name: $OWNER_NAME + uid: $OWNER_UID + type: Opaque + data: + host: $(cat /opt/host-info/host | base64 -w0) + username: $(cat /opt/host-info/username | base64 -w0) + id_rsa: 
$(cat /opt/host-info/id_rsa | base64 -w0) + userpassword: $(cat /opt/host-info/userpassword | base64 -w0) + adminusername: $(cat /opt/host-info/adminusername | base64 -w0) + adminuserpassword: $(cat /opt/host-info/adminuserpassword | base64 -w0) + EOF + + if [[ $(params.debug) == "true" ]]; then + cat /opt/host-info/* + fi + + NAME=$(oc create -f host-info.yaml -o=jsonpath='{.metadata.name}') + echo -n "${NAME}" | tee $(results.host-access-secret.path) + fi
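Review bot: The vmsize guard is inverted: `if [[ -z $(params.vmsize) ]]; then cmd+="--vmsize $(params.vmsize) "; fi` appends `--vmsize` only when the param is empty (passing an empty value to mapt) and drops it whenever a size is actually given, whereas the rhel and fedora templates keep the `!= ""` form. It should read `if [[ -n $(params.vmsize) ]]; then cmd+="--vmsize $(params.vmsize) "; fi`. Note that the `host-info-secret` step now also stores `userpassword`, `adminusername` and `adminuserpassword`, so under `params.debug` the `cat /opt/host-info/*` line writes the admin password into the TaskRun log alongside the private key; that is consistent with the `debug` param's warning, but a comment on that line such as `# debug: dumps private key and passwords to the task log` would keep the consequence visible to maintainers.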