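{{- define "Job-project" -}}
{{- /*
Post-install / post-upgrade hook Job that provisions the release's project:
  * creates (or re-parents) the Gerrit repository and registers the jarvis-connector checks,
  * creates the project and its "-staging" project in Harbor and grants each LDAP group access.
All credentials (Gerrit SSH key and auth file, Harbor netrc, CA cert) are mounted from the
release's secrets; nothing is passed on the command line.
*/ -}}
{{- /* Gerrit parent project: the verified-label parent only when CI verification is on. */ -}}
{{- $parent := ternary "Verified-Label-Projects" "Non-Verified-Label-Projects" (eq $.Values.config.ci.verify true) -}}
---
apiVersion: batch/v1
kind: Job
metadata:
  name: {{ template "helpers.labels.fullname" . }}
  labels: {{- include "helpers.labels.labels" . | nindent 4 }}
  annotations:
    "helm.sh/hook": post-install,post-upgrade
    # Delete the previous run's Job before creating the new one, so re-runs are never blocked
    # by a completed/failed Job of the same name.
    "helm.sh/hook-delete-policy": before-hook-creation
spec:
  template:
    metadata:
      labels: {{- include "helpers.labels.labels" . | nindent 8 }}
    spec:
      restartPolicy: OnFailure
      nodeSelector:
        {{- include "helpers.pod.node_selector" ( dict "Global" $ "Application" "project" ) | nindent 8 }}
      containers:
        - name: project
          image: {{ include "helpers.pod.container.image" ( dict "Global" $ "Application" "project" ) }}
          imagePullPolicy: {{ .Values.images.pull.policy | quote }}
          env:
            # Trust the mounted CA for every TLS client in the image (curl, ssh-less HTTPS tools).
            - name: SSL_CERT_FILE
              value: /usr/local/share/ca-certificates/ca.crt
            # Quoted: an env value must be a string, and a release name or host that looks
            # like a number/boolean would otherwise be retyped by the YAML parser.
            - name: JARVIS_PROJECT_NAME
              value: {{ .Release.Name | quote }}
            - name: GERRIT_USERNAME
              valueFrom:
                secretKeyRef:
                  name: {{ template "helpers.labels.fullname" . }}
                  key: gerrit-username
            - name: GERRIT_HOST
              value: {{ .Values.params.gerrit.host | quote }}
            - name: GERRIT_LDAP_CN
              valueFrom:
                secretKeyRef:
                  name: {{ template "helpers.labels.fullname" . }}
                  key: gerrit-ldap-group-cn
            - name: GERRIT_URL
              value: {{ printf "https://%s" $.Values.params.gerrit.host | quote }}
            - name: HARBOR_URL
              value: {{ printf "https://%s" $.Values.params.harbor.host | quote }}
            - name: PROJECT_LDAP_DN
              valueFrom:
                secretKeyRef:
                  name: {{ template "helpers.labels.fullname" . }}
                  key: harbor-project-ldap-dn
            - name: STAGING_LDAP_DN
              valueFrom:
                secretKeyRef:
                  name: {{ template "helpers.labels.fullname" . }}
                  key: harbor-staging-ldap-dn
          # -e: stop on the first failing command; -x: trace every expanded command into the
          # pod log. NOTE(review): the trace therefore prints GERRIT_USERNAME and both LDAP DNs,
          # which come from the release secret; drop -x if the job log is not treated as sensitive.
          command:
            - sh
            - -cex
            - |
              # SSH to Gerrit as the connector user. NOTE(review): known_hosts is /dev/null,
              # so accept-new re-accepts whatever key the endpoint presents on every run and
              # gives no protection against a MITM on the Gerrit SSH port; prefer mounting a
              # pinned known_hosts from the chart and dropping accept-new.
              gerrit_ssh() {
                ssh -oStrictHostKeyChecking=accept-new -oUserKnownHostsFile=/dev/null -p 29418 \
                  -i /run/jarvis/secret/gerrit-ssh-key "${GERRIT_USERNAME}@${GERRIT_HOST}" "$@"
              }

              # Create the gerrit repo; if it already exists, re-parent it instead.
              # NOTE(review): set-project-parent is given no positional project name, so
              # --children-of re-parents every child of Non-Verified-Label-Projects rather than
              # only ${JARVIS_PROJECT_NAME} (and is a no-op when the parent is the same).
              # If only this project should move, pass "${JARVIS_PROJECT_NAME}" instead.
              ( \
                gerrit_ssh gerrit ls-projects -r "^${JARVIS_PROJECT_NAME}\$" | grep -q "^${JARVIS_PROJECT_NAME}\$" \
                &&
                gerrit_ssh gerrit set-project-parent \
                  --parent {{ $parent }} \
                  --children-of Non-Verified-Label-Projects \
              ) \
              || \
              gerrit_ssh gerrit create-project "${JARVIS_PROJECT_NAME}" \
                --owner Administrators --owner "ldap/${GERRIT_LDAP_CN}" \
                --parent {{ $parent }} \
                --submit-type MERGE_IF_NECESSARY \
                --empty-commit

              # Set up checks on the repo: update an existing registration, else register anew.
              jarvis-connector --auth_file /run/jarvis/gerrit-authfile --gerrit "${GERRIT_URL}" --update --repo "${JARVIS_PROJECT_NAME}" --prefix jarvispipeline || \
              jarvis-connector --auth_file /run/jarvis/gerrit-authfile --gerrit "${GERRIT_URL}" --register --repo "${JARVIS_PROJECT_NAME}" --prefix jarvispipeline

              HARBOR_NETRC=/run/jarvis/harbor-netrc/harbor-netrc

              # Create each named project in harbor unless it already exists.
              # Any check response other than 200 (exists) / 404 (absent) aborts the job.
              project_in_harbor() {
                for PROJECT_NAME; do
                  PROJECT_CHECK_RESP=$(curl -s -o /dev/null -I -w "%{http_code}" \
                    "${HARBOR_URL}/api/v2.0/projects?project_name=${PROJECT_NAME}" \
                    --netrc-file "${HARBOR_NETRC}" \
                    -H 'accept: application/json')

                  case "${PROJECT_CHECK_RESP}" in
                    "200") echo "${PROJECT_NAME} project already in harbor" ;;
                    "404")
                      # Private project with automatic vulnerability scanning enabled.
                      # -f makes a non-2xx reply fail curl (and, via set -e, the job) instead
                      # of being ignored; the response body is never executed.
                      curl -sSf -X POST "${HARBOR_URL}/api/v2.0/projects" \
                        --netrc-file "${HARBOR_NETRC}" \
                        -H "accept: application/json" \
                        -H "Content-Type: application/json" \
                        -d "{ \"project_name\": \"${PROJECT_NAME}\", \"public\": false, \"metadata\": { \"auto_scan\": \"true\" }}" ;;
                    *) echo "Unable to retrieve projects in harbor: ${PROJECT_CHECK_RESP} response code."; exit 1 ;;
                  esac
                done
              }

              # Grant an LDAP group access to a harbor project: $1 = project name, $2 = group DN.
              # NOTE(review): role_id 2 / group_type 1 appear to be harbor's Developer role and
              # LDAP group type — confirm against the harbor version in use.
              # NOTE(review): ?name= is a substring filter on the harbor project list, so
              # `head -1` may pick "<name>-staging" when looking up "<name>"; resolving the
              # project via GET /api/v2.0/projects/<name> would be exact.
              add_ldap_member_to_project() {
                project_name=$1
                ldap_dn=$2
                project_json=$(curl -sSL --netrc-file "${HARBOR_NETRC}" -X GET \
                  -H "Accept: application/json" \
                  "${HARBOR_URL}/api/v2.0/projects?name=${project_name}")
                project_id=$(echo "${project_json}" | grep -o '"project_id":[[:digit:]]*' | head -1 | awk -F':' '{print $2}')

                # The DN and name are quoted so a DN containing spaces stays one JSON value.
                # -D - echoes the response headers into the job log; a conflict reply here on
                # post-upgrade (group already a member) is not treated as an error.
                curl -sSL -D - --netrc-file "${HARBOR_NETRC}" -X POST \
                  -H "Content-Type: application/json" \
                  --data-raw '{
                    "role_id": 2,
                    "member_group": {
                      "group_name": "'"${project_name}"'-users-group",
                      "ldap_group_dn": "'"${ldap_dn}"'",
                      "group_type": 1
                    }
                  }' "${HARBOR_URL}/api/v2.0/projects/${project_id}/members"
              }

              # Add project and staging project in harbor
              project_in_harbor "${JARVIS_PROJECT_NAME}" "${JARVIS_PROJECT_NAME}-staging"
              add_ldap_member_to_project "${JARVIS_PROJECT_NAME}" "${PROJECT_LDAP_DN}"
              add_ldap_member_to_project "${JARVIS_PROJECT_NAME}-staging" "${STAGING_LDAP_DN}"
          volumeMounts:
            - name: gerrit-creds
              mountPath: /run/jarvis/gerrit-authfile
              subPath: gerrit-authfile
            - name: gerrit-creds
              mountPath: /run/jarvis/secret/gerrit-ssh-key
              subPath: gerrit-ssh-key
            - name: jarvis-ca-crt
              mountPath: /usr/local/share/ca-certificates/ca.crt
              subPath: ca.crt
            - name: netrc
              mountPath: /run/jarvis/harbor-netrc
      volumes:
        - name: gerrit-creds
          secret:
            secretName: {{ template "helpers.labels.fullname" . }}
            # Owner-read-only: ssh refuses a private key that is readable by others.
            defaultMode: 0400
            items:
              - key: gerrit-ssh-key
                path: gerrit-ssh-key
              - key: gerrit-authfile
                path: gerrit-authfile
        # NOTE: We are making the assumption that the ca for gerrit is the same as that for the tekton eventlistener
        - name: jarvis-ca-crt
          secret:
            secretName: {{ template "helpers.labels.fullname" . }}-project-tls
            items:
              - key: ca.crt
                path: ca.crt
        - name: netrc
          secret:
            secretName: {{ template "helpers.labels.fullname" . }}-netrc
...
{{- end -}}

{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "Job-project" ) }}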