{{- define "Job-project" -}} --- apiVersion: batch/v1 kind: Job metadata: name: {{ template "helpers.labels.fullname" . }} labels: {{- include "helpers.labels.labels" . | nindent 4 }} annotations: "helm.sh/hook": post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation spec: template: metadata: labels: {{- include "helpers.labels.labels" . | nindent 8 }} spec: restartPolicy: OnFailure nodeSelector: {{ include "helpers.pod.node_selector" ( dict "Global" $ "Application" "project" ) | nindent 8 }} containers: - name: project image: {{ include "helpers.pod.container.image" ( dict "Global" $ "Application" "project" ) }} imagePullPolicy: {{ .Values.images.pull.policy | quote }} env: - name: SSL_CERT_FILE value: /usr/local/share/ca-certificates/ca.crt - name: JARVIS_PROJECT_NAME value: {{ .Release.Name }} - name: GERRIT_USERNAME valueFrom: secretKeyRef: name: {{ template "helpers.labels.fullname" . }} key: gerrit-username - name: GERRIT_HOST value: {{ .Values.params.gerrit.host }} - name: GERRIT_LDAP_CN valueFrom: secretKeyRef: name: {{ template "helpers.labels.fullname" . }} key: gerrit-ldap-group-cn - name: GERRIT_URL value: {{ printf "https://%s" $.Values.params.gerrit.host | quote }} - name: HARBOR_URL value: {{ printf "https://%s" $.Values.params.harbor.host | quote }} - name: PROJECT_LDAP_DN valueFrom: secretKeyRef: name: {{ template "helpers.labels.fullname" . }} key: harbor-project-ldap-dn - name: STAGING_LDAP_DN valueFrom: secretKeyRef: name: {{ template "helpers.labels.fullname" . }} key: harbor-staging-ldap-dn command: - sh - -cex - | alias gerrit_ssh="ssh -oStrictHostKeyChecking=accept-new -oUserKnownHostsFile=/dev/null -p 29418 \ -i /run/jarvis/secret/gerrit-ssh-key ${GERRIT_USERNAME}@${GERRIT_HOST} " # Create gerrit repo ( \ gerrit_ssh \ gerrit ls-projects -r "^$JARVIS_PROJECT_NAME\$" | grep -q "^${JARVIS_PROJECT_NAME}\$" \ && gerrit_ssh \ gerrit set-project-parent \ {{ if eq $.Values.config.ci.verify true }} --parent Verified-Label-Projects {{ else }} --parent Non-Verified-Label-Projects {{ end }} \ --children-of Non-Verified-Label-Projects \ ) \ || \ gerrit_ssh gerrit create-project "${JARVIS_PROJECT_NAME}" \ --owner Administrators --owner ldap/${GERRIT_LDAP_CN} \ {{ if eq $.Values.config.ci.verify true }} --parent Verified-Label-Projects {{ else }} --parent Non-Verified-Label-Projects {{ end }} \ --submit-type MERGE_IF_NECESSARY \ --empty-commit # Set up checks on the repo jarvis-connector --auth_file /run/jarvis/gerrit-authfile --gerrit $GERRIT_URL --update --repo "${JARVIS_PROJECT_NAME}" --prefix jarvispipeline || \ jarvis-connector --auth_file /run/jarvis/gerrit-authfile --gerrit $GERRIT_URL --register --repo "${JARVIS_PROJECT_NAME}" --prefix jarvispipeline # Create project in harbor if it doesn't already exists project_in_harbor(){ for PROJECT_NAME; do PROJECT_CHECK_RESP=`curl -s -o /dev/null -I -w "%{http_code}" \ "${HARBOR_URL}/api/v2.0/projects?project_name=${PROJECT_NAME}" \ --netrc-file /run/jarvis/harbor-netrc/harbor-netrc \ -H 'accept: application/json'` case "${PROJECT_CHECK_RESP}" in "200") echo "${PROJECT_NAME} project already in harbor" ;; "404") `curl -X POST "${HARBOR_URL}/api/v2.0/projects" \ --netrc-file /run/jarvis/harbor-netrc/harbor-netrc \ -H "accept: application/json" \ -H "Content-Type: application/json" \ -d "{ \"project_name\": \"${PROJECT_NAME}\", \"public\": false, \"metadata\": { \"auto_scan\": \"true\" }}"` ;; *) echo "Unable to retrieve projects in harbor: ${PROJECT_CHECK_RESP} response code."; exit 1 esac done } add_ldap_member_to_project(){ project_name=$1 ldap_dn=$2 project_json=$(curl -sSL --netrc-file /run/jarvis/harbor-netrc/harbor-netrc -X GET \ -H "Accept: application/json" \ ${HARBOR_URL}/api/v2.0/projects?name=${project_name}) project_id=$(echo $project_json | grep -o '"project_id":[[:digit:]]*' | head -1 | awk -F':' '{print $2}') curl -sSL -D - --netrc-file /run/jarvis/harbor-netrc/harbor-netrc -X POST \ -H "Content-Type: application/json" \ --data-raw '{ "role_id": 2, "member_group": { "group_name": "'${project_name}'-users-group", "ldap_group_dn": "'${ldap_dn}'", "group_type": 1 } }' ${HARBOR_URL}/api/v2.0/projects/${project_id}/members } # Add project and staging project in harbor project_in_harbor "${JARVIS_PROJECT_NAME}" "${JARVIS_PROJECT_NAME}-staging" add_ldap_member_to_project "${JARVIS_PROJECT_NAME}" "${PROJECT_LDAP_DN}" add_ldap_member_to_project "${JARVIS_PROJECT_NAME}-staging" "${STAGING_LDAP_DN}" volumeMounts: - name: gerrit-creds mountPath: /run/jarvis/gerrit-authfile subPath: gerrit-authfile - name: gerrit-creds mountPath: /run/jarvis/secret/gerrit-ssh-key subPath: gerrit-ssh-key - name: jarvis-ca-crt mountPath: /usr/local/share/ca-certificates/ca.crt subPath: ca.crt - name: netrc mountPath: /run/jarvis/harbor-netrc volumes: - name: gerrit-creds secret: secretName: {{ template "helpers.labels.fullname" . }} defaultMode: 0400 items: - key: gerrit-ssh-key path: gerrit-ssh-key - key: gerrit-authfile path: gerrit-authfile # NOTE: We are making the assumption that the ca for gerrit is the same as that for the tekton eventlistener - name: jarvis-ca-crt secret: secretName: {{ template "helpers.labels.fullname" . }}-project-tls items: - key: ca.crt path: ca.crt - name: netrc secret: secretName: {{ template "helpers.labels.fullname" . }}-netrc ... {{- end -}} {{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "Job-project" ) }}