Merge "Add image CVE scan report link to Gerrit"

This commit is contained in:
Zuul 2021-03-05 16:29:58 +00:00 committed by Gerrit Code Review
commit 7381fdb2cc
6 changed files with 70 additions and 7 deletions


@ -16,15 +16,41 @@ spec:
- name: pipelineRunNamespace
steps:
- name: createfailure
image: {{ include "helpers.pod.container.image" ( dict "Global" $ "Application" "task_curl" ) }}
image: {{ include "helpers.pod.container.image" ( dict "Global" $ "Application" "task_results" ) }}
volumeMounts:
- name: gerrit-netrc
mountPath: /run/jarvis/gerrit-netrc
subPath: gerrit-netrc
script: |
#!/bin/sh
#!/bin/bash
set -eu -o pipefail -x
# Get project information from Harbor
PROJECT_INFO=$(curl -k -X GET "https://{{ .Values.params.harbor.dashboard.host }}/api/v2.0/search?q=$(params.project)-staging" -H "accept: application/json")
PROJECT_ID=$(echo $PROJECT_INFO | jq -r '.project'[0].'project_id')
# Get the taskRun uid from the microflow-setup-image pod
TASK_RUN_NAMESPACE="jarvis-$(params.changeNumber)-$(params.patchSetNumber)"
TASK_RUN_DEV_PIPELINE=$(kubectl get taskrun -n "${TASK_RUN_NAMESPACE}" | grep microflow-setup-image | awk '{print $1}') || true
if [[ -z "$TASK_RUN_DEV_PIPELINE" ]]; then
# Do not append the CVE report link, if there is no 'microflow-setup-image' pod to get the taskRun uid from
REPO_COUNT=0
else
TASK_RUN_UID=$(kubectl get taskrun -n "${TASK_RUN_NAMESPACE}" "${TASK_RUN_DEV_PIPELINE}" -o jsonpath='{.metadata.uid}')
# For first time run, there may be no repositories, so only check for artifacts if the project has repositories
REPO_COUNT=$(echo $PROJECT_INFO | jq -r '.project'[0].'repo_count')
fi
MESSAGE="Jarvis failed to process the run for change #$(params.changeNumber) ps #$(params.patchSetNumber) to the $(params.project)"
if [ $REPO_COUNT -gt 0 ]; then
REPOSITORY_NAME=$(echo $PROJECT_INFO | jq -r '.repository'[0].'repository_name' | awk -F"/" '{print $2}')
# Grabs the SHA256 of the corresponding artifact based off taskrun uid
SHA256=$(curl -k -X GET "https://{{ .Values.params.harbor.dashboard.host }}/api/v2.0/projects/$(params.project)-staging/repositories/${REPOSITORY_NAME}/artifacts/${TASK_RUN_UID}" -H "accept: application/json" | jq -r '.digest')
MESSAGE="${MESSAGE}\n\n----- Image Scan Report -----\nhttps://{{ .Values.params.harbor.dashboard.host }}/harbor/projects/${PROJECT_ID}/repositories/${REPOSITORY_NAME}/artifacts/${SHA256}"
fi
curl \
--netrc-file /run/jarvis/gerrit-netrc \
--fail \
@ -37,7 +63,7 @@ spec:
"checker_uuid": "$(params.checkerUUID)",
"state": "FAILED",
"url": "https://{{ .Values.params.grafana.dashboard.host }}/d/{{ .Values.params.grafana.dashboard.uid }}/{{ .Values.params.grafana.dashboard.title }}?orgId={{ .Values.params.grafana.dashboard.orgid }}&var-namespace=$(params.pipelineRunNamespace)&var-tekton_dev_pipeline=$(params.pipelineName)&var-tekton_dev_pipelineRun=$(params.pipelineRunName)&var-tekton_dev_taskRun=All",
"message": "Jarvis failed to process the run for change #$(params.changeNumber) ps #$(params.patchSetNumber) to the $(params.project) repo",
"message": "${MESSAGE}",
"finished": "$(date --utc '+%F %T.%N')"
}
EOF
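Review bot: Both new Harbor requests in this step, the `PROJECT_INFO` search and the artifact lookup that yields `SHA256`, run `curl -k`, which turns off TLS certificate verification for the very endpoint that supplies the project id, repository name and digest written into the Gerrit check message; the createsuccess task below carries the same two lines. With verification off, whatever answers for `{{ .Values.params.harbor.dashboard.host }}` on the network path is accepted as Harbor, so the report link cannot be relied on to point at the scanned artifact. Mount the CA that signs the Harbor certificate into the step and replace `-k` with `--cacert <PATH_TO_HARBOR_CA_BUNDLE>`, adding `--fail -sS` so a non-2xx body is not handed to jq as if it were the project record. The Gerrit call at the bottom of the hunk already uses `--fail` without `-k`; the same discipline should apply to the registry calls. The step's script continues into the second hunk, so the heredoc it feeds is only partly visible here.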


@ -16,15 +16,41 @@ spec:
- name: pipelineRunNamespace
steps:
- name: createsuccess
image: {{ include "helpers.pod.container.image" ( dict "Global" $ "Application" "task_curl" ) }}
image: {{ include "helpers.pod.container.image" ( dict "Global" $ "Application" "task_results" ) }}
volumeMounts:
- name: gerrit-netrc
mountPath: /run/jarvis/gerrit-netrc
subPath: gerrit-netrc
script: |
#!/bin/sh
#!/bin/bash
set -eu -o pipefail -x
# Get project information from Harbor
PROJECT_INFO=$(curl -k -X GET "https://{{ .Values.params.harbor.dashboard.host }}/api/v2.0/search?q=$(params.project)-staging" -H "accept: application/json")
PROJECT_ID=$(echo $PROJECT_INFO | jq -r '.project'[0].'project_id')
# Get the taskRun uid from the microflow-setup-image pod
TASK_RUN_NAMESPACE="jarvis-$(params.changeNumber)-$(params.patchSetNumber)"
TASK_RUN_DEV_PIPELINE=$(kubectl get taskrun -n "${TASK_RUN_NAMESPACE}" | grep microflow-setup-image | awk '{print $1}') || true
if [[ -z "$TASK_RUN_DEV_PIPELINE" ]]; then
# Do not append the CVE report link, if there is no 'microflow-setup-image' pod to get the taskRun uid from
REPO_COUNT=0
else
TASK_RUN_UID=$(kubectl get taskrun -n "${TASK_RUN_NAMESPACE}" "${TASK_RUN_DEV_PIPELINE}" -o jsonpath='{.metadata.uid}')
# For first time run, there may be no repositories, so only check for artifacts if the project has repositories
REPO_COUNT=$(echo $PROJECT_INFO | jq -r '.project'[0].'repo_count')
fi
MESSAGE="Jarvis has successfully processed the run for change #$(params.changeNumber) ps #$(params.patchSetNumber) to the $(params.project) repo"
if [ $REPO_COUNT -gt 0 ]; then
REPOSITORY_NAME=$(echo $PROJECT_INFO | jq -r '.repository'[0].'repository_name' | awk -F"/" '{print $2}')
# Grabs the SHA256 of the corresponding artifact based off taskrun uid
SHA256=$(curl -k -X GET "https://{{ .Values.params.harbor.dashboard.host }}/api/v2.0/projects/$(params.project)-staging/repositories/${REPOSITORY_NAME}/artifacts/${TASK_RUN_UID}" -H "accept: application/json" | jq -r '.digest')
MESSAGE="${MESSAGE}\n\n----- Image Scan Report -----\nhttps://{{ .Values.params.harbor.dashboard.host }}/harbor/projects/${PROJECT_ID}/repositories/${REPOSITORY_NAME}/artifacts/${SHA256}"
fi
curl \
--netrc-file /run/jarvis/gerrit-netrc \
--fail \
@ -37,7 +63,8 @@ spec:
"checker_uuid": "$(params.checkerUUID)",
"state": "SUCCESSFUL",
"url": "https://{{ .Values.params.grafana.dashboard.host }}/d/{{ .Values.params.grafana.dashboard.uid }}/{{ .Values.params.grafana.dashboard.title }}?orgId={{ .Values.params.grafana.dashboard.orgid }}&var-namespace=$(params.pipelineRunNamespace)&var-tekton_dev_pipeline=$(params.pipelineName)&var-tekton_dev_pipelineRun=$(params.pipelineRunName)&var-tekton_dev_taskRun=All",
"message": "Jarvis has successfully processed the run for change #$(params.changeNumber) ps #$(params.patchSetNumber) to the $(params.project) repo"
"message": "${MESSAGE}",
"finished": "$(date --utc '+%F %T.%N')"
}
EOF
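Review bot: The three jq filters in the new script are written as `'.project'[0].'project_id'`, which leaves `[0]` outside the quotes so the shell sees it as a glob pattern before jq does, and the JSON is fed through an unquoted `echo $PROJECT_INFO`, which word-splits and glob-expands the Harbor response; the createfailure task above has the same lines. Writing the filter as one quoted string and quoting the variable removes both hazards: `PROJECT_ID=$(printf '%s' "$PROJECT_INFO" | jq -r '.project[0].project_id')`. When the search returns no project, `.project[0].repo_count` yields `null` or nothing, so `[ $REPO_COUNT -gt 0 ]` errors and only happens to fall into the else branch; `jq -r '.project[0].repo_count // 0'` makes that fallback explicit rather than accidental. The values taken from Harbor (`REPOSITORY_NAME`, `SHA256`) are later placed inside the JSON heredoc unescaped, which the second hunk shows only in part.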


@ -20,6 +20,7 @@ spec:
metadata:
generateName: {{ template "helpers.labels.fullname" . }}-createfailure-
spec:
serviceAccountName: jarvis-system-el
pipelineRef:
name: {{ template "helpers.labels.fullname" . }}-createfailure
params:
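Review bot: The PipelineRun template now runs under `serviceAccountName: jarvis-system-el`, which from its name looks like the EventListener's service account, presumably so the `kubectl get taskrun` calls added to the createfailure script succeed; the createsuccess template in the next section gets the same line. Reusing the listener's identity gives a result-reporting task whatever RBAC that account holds, which is broader than the `get`/`list` on `taskruns` the script needs. A dedicated ServiceAccount bound to a Role limited to those verbs on `taskruns.tekton.dev` in the `jarvis-<change>-<patchset>` namespaces would keep the two permission sets separate; if jarvis-system-el already is that minimal, a comment above the line, e.g. `# read-only access to TaskRuns so the script can look up the microflow-setup-image uid`, would spare the next reader the check. The pipelineRun spec starts and ends outside the hunk.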


@ -20,6 +20,7 @@ spec:
metadata:
generateName: {{ template "helpers.labels.fullname" . }}-createsuccess-
spec:
serviceAccountName: jarvis-system-el
pipelineRef:
name: {{ template "helpers.labels.fullname" . }}-createsuccess
params:


@ -20,6 +20,10 @@ images:
tag: "1.0"
name: standard-container
repo: docker.io
task_results:
tag: "1.0"
name: standard-container
repo: docker.io
task_curl:
tag: "3.8"
name: evl.ms/curl
@ -54,4 +58,7 @@ params:
host: grafana.jarvis.local
title: loki-pipeline-logs-dashboard
uid: lokiPipelineDash
orgid: 1
orgid: 1
harbor:
dashboard:
host: harbor-core.jarvis.local
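Review bot: The new `task_results` image entry is a copy of `standard-container` `1.0` on `docker.io` with nothing recording why the result tasks no longer use `task_curl`; the scripts that consume it now start with `#!/bin/bash`, use `[[`, and call `curl`, `jq` and `kubectl`, so the image has to provide all of those. A comment above the key, e.g. `# image for the Gerrit result tasks: must ship bash, curl, jq and kubectl`, would stop a later image swap from silently breaking the scripts. Referencing the image by digest instead of the mutable `1.0` tag would additionally pin the tooling those tasks run with.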


@ -90,6 +90,7 @@ for jarvis_project in `find ./tools/gate/jarvis/5G-SA-core -maxdepth 1 -mindepth
while true; do
result="$(curl -L https://gerrit.jarvis.local/changes/${CHANGE_ID_COUNTER}/revisions/1/checks | tail -1 | jq -r .[].state)"
[ $result == "SUCCESSFUL" ] && break || true
[ $result == "FAILED" ] && exit 1 || true
sleep 25
now=$(date +%s)
if [ $now -gt $end ] ; then
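Review bot: The added `[ $result == "FAILED" ] && exit 1 || true` expands `$result` unquoted, so when the `curl`/`jq` pipeline above it produces no output (the request has no `--fail`, and `tail -1 | jq` may emit nothing or an error) the test becomes `[ == "FAILED" ]`, fails with a syntax error, and the `|| true` turns that into another 25 s sleep until the timeout; with more than one checker, `jq -r .[].state` yields several words and the test fails the same way. Quoting the expansion, `[ "$result" == "FAILED" ] && exit 1 || true`, makes an empty or multi-line result compare as a plain string instead of breaking the test, and the `SUCCESSFUL` line above deserves the same. The enclosing `while` and the `for` loop in the hunk header both start outside the hunk.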