The py39 job was mis-named and was using the wrong
file filter pattern to trigger it from running.
The test_helm base unit test class was removed from sysinv,
as part of remove-armada-helmv2 work in March
so adding stub unit tests so tox will not report an
empty test run.
pylint directives are now updated based on the debian
upper constraints, and the unit tests are now validated
by pylint.
tox.ini is cleaned up since python3 is now the only
supported version of python
These changes have no runtime impact. This only
affects tox and zuul.
Test Plan:
PASS: build-pkgs -c -p python3-k8sapp-portieris
PASS: tox
Closes-Bug: #2024005
Related-Bug: #1942909
Change-Id: Iece6e78a98b30111cadb62156e413dd19dd62a37
Signed-off-by: Al Bailey <al.bailey@windriver.com>
This commit enables auto_update for the Portieris application.
This will automatically update the application if a new tarball
is patched to an existing system
Test Cases:
PASS: Build load with this change. Make another change to boost
portieris application version. Apply portieris. Replace
portieris tarball with the boosted version. Ensure that
system application-show and system application-list shows
that the application has been updated to the new version
Story: 2010628
Task: 47926
Signed-off-by: Jerry Sun <jerry.sun@windriver.com>
Change-Id: Ic567b42b6864a2e9a009453788f9e963116ff910
Updating the rsa ssh host key based on:
https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/
Note: In the future, StarlingX should have a zuul job and
secret setup for all repos so we do not need to do this
for every repo.
Needed to rename the secret, because zuul fails if like-named
secrets have different values in different branches of the same
repo.
Partial-Bug: #2015246
Change-Id: I0f5167d84feb90ad6473f461ae9a824042779247
Signed-off-by: Davlet Panech <davlet.panech@windriver.com>
Add support to 'app.starlingx.io/component' to be overwritten
by user override, with possible values being 'platform' and
'application'. With 'platform' being the default value. This
change will also restart the pods if the label in namespace
changes.
Test Plan:
PASS: Install portieris and check with 'kubectl edit namespace
portieris' if the 'app.starlingx.io/component' with value
'platform'.
PASS: Add 'app.starlingx.io/component: application' to user override
and check if 'app.starlingx.component' changes to 'application'.
PASS: Use 'system application-apply portieris' when there is a change
to be applied to 'app.starlingx.component' and verify if the pod
is restarted.
PASS: Change the 'app.starlingx.io/component' to a not supported value
during user override apply and verify if 'app.starlingx.io/component'
still 'platform' or 'application'.
PASS: Run tox.ini tests to the current patch of this review.
Signed-off-by: Karla Felix <karla.karolinenogueirafelix@windriver.com>
Change-Id: If215ed95c3d0d57b3555019880b90baa7e2e22b8
The Debian packaging meta_data file has been changed to reflect all the
latest git commits under the directory, pointed as usable, and to
improve pkg-versioning addressing the first commit as start point to
build packages.
This ensures that any new code submissions under those
directories will increment the versions.
The commit SHA b2f895c371 was chosen to be the BASE_SRCREV of the
portieris-helm's metadata because it is the commit that points to the
start of "portieris-helm" directory. The PKG_GITREVCOUNT is set to
true to count git revisions relative to portieris-helm's folder.
(portieris-helm version updated from .stx.4 to .stx.13)
The previous commit SHA chosen to be the BASE_SRCREV of the
python3-k8sapp-portieris's metadata points to the first commit of the
repository. Instead of using this commit SHA, 0677d5def2 was chosen to
be the BASE_SRCREV because it is the commit that introduces the package
to the project.
(python3-k8sapp-portieris version was modified from .stx.51 to .stx.52)
The previous commit SHA chosen to be the BASE_SRCREV of the
stx-portieris-helm's metadata points to the first commit of the
repository. Instead of using this commit SHA, b2f895c371 was chosen to
be the BASE_SRCREV of the metadata because it is the commit that points
to the start of "stx-portieris-helm" directory. The commit SHA
d0c56528d2 was chosen to be the FILES_GITREVCOUNT of this package
because it is the commit that adds the "helm-charts" directory of the
repository referenced in the "src_files".
Both GITREVCOUNT and FILES_GITREVCOUNT are added to calculate the
relevant git commits of "src_path" and "src_files" to this package's
revision.
(stx-portieris-helm version was modified from .stx.51 to .stx.52)
stx_patch is added to revision section to maintain the upversioning of
python3-k8sapp-portieris and stx-portieris-helm packages.
Test Plan:
PASS: Verify packages versions are updated as expected
PASS: build-pkgs -c -p portieris-helm
PASS: build-pkgs -c -p python3-k8sapp-portieris
PASS: build-pkgs -c -p stx-portieris-helm
Story: 2010550
Task: 47499
Signed-off-by: Manoel Benedito Neto <Manoel.BeneditoNeto@windriver.com>
Change-Id: I827955199b38674dae8ca8cb7c9dd7c8e8caa21d
Currently, the debian build system produces a debian package version
with the format: "1.0-1.stx.<revision>"
The rules file then parses this deb pkg version at build time
to produce the app tarball version, which always comes up to
be "1.0-1" at this time [1]. This commit changes the app tarball
version calculation so that the resulting tarball version will
be "1.0-<revision>" [2].
This correction is necessary because the application framework
cannot update an app between instances with the same version.
This commit is part of a set of commits updating the app tarball
version calculation to all apps based off of [3].
[1]: /usr/local/share/applications/helm/<APPNAME>-1.0-1.tgz
[2]: /usr/local/share/applications/helm/<APPNAME>-1.0-<N>.tgz
[3]: https://review.opendev.org/c/starlingx/cert-manager-armada-app/+/872628
Test Plan:
pass - build-pkg
pass - tarball version updated
Story: 2010542
Task: 47529
Signed-off-by: Leonardo Fagundes Luz Serrano <Leonardo.FagundesLuzSerrano@windriver.com>
Change-Id: Ie6b80807fd4d127e4c61a51e8b21b4b95f2b304f
Fixed versioning and adjusted some build files
to bring them as close to a standard as possible.
- Removed centos files
- Added version tracking via PKG_GITREVCOUNT
- Fixed mismatch in plugin name, set to python3-k8sapp-<app>
- Standardized plugin debian files (rules, *.install)
- Plugin wheels saved to /plugin instead of /plugin/<app>
Test Plan:
PASS - Build-pkgs -a
PASS - Build-image
PASS - Install, bootstrap, unlock
PASS - app tarball contains wheel file
PASS - wheel versioning updated properly
Story: 2010542
Task: 47190
Signed-off-by: Leonardo Fagundes Luz Serrano <Leonardo.FagundesLuzSerrano@windriver.com>
Change-Id: I1532a8281868b1d921f3f23658ccef294235e636
This commit upversions the portieris helm charts to 0.13.1,
which is the newest version at the time. This commit also aligns
our patches to the new helm charts.
- the issues addressed by patch 0001 have been merged upstream, so
the patch was removed
- tolerations and image pull secrets are handled by helm overrides
so the patches were removed
- some patches on code that have been removed upstream were removed
The behavior for portieris changed a bit since our old version.
In the old version, the default behavior is to allow all deployments.
Namespaces with an imagepolicy will follow that imagepolicy.
In the new version (0.13.1), the default behavior is to deny all
deployments. This commit adds a permissive cluster image policy
to allow all deployments, keeping it in line with the old behavior
and preventing any interference with things like kube-system and
our other applications.
Test Cases:
PASS: Build new ISO and ensure the new application tarball uses the
new v0.13.1 helm charts
PASS: Apply portieris and ensure it uses the new v0.13.1 image
PASS: Apply an imagepolicy. Ensure a signed image can be deployed
in a pod and an unsigned image cannot be deployed in a pod
PASS: remove and reapply application
Story: 2010394
Task: 47071
Signed-off-by: Jerry Sun <jerry.sun@windriver.com>
Change-Id: Ica6efa081a7b2c1e1358add609b274d6b121bb12
This change will allow this repo to pass zuul now
that this has merged:
https://review.opendev.org/c/zuul/zuul-jobs/+/866943
Tox 4 deprecated whitelist_externals.
Replace whitelist_externals with allowlist_externals
Partial-Bug: #2000399
Signed-off-by: Al Bailey <al.bailey@windriver.com>
Change-Id: Ib19e9522e005531fceb87a74d86222ac222377b1
Set reconciliation interval for all flux helm resources to 1m
to allow it to manage resources by itself in a reasonable time
interval.
Test Plan (tested as part of [1]):
PASS: bootstrap
PASS: unlocked enabled available
PASS: apps applied
PASS: inspect flux pod logs for errors
PASS: re-test known trigger for 1996747 and 1995748
PASS: re-test known trigger 1997368
[1] https://review.opendev.org/c/starlingx/config/+/866862
Partial-Bug: 1999032
Signed-off-by: Leonardo Fagundes Luz Serrano <Leonardo.FagundesLuzSerrano@windriver.com>
Change-Id: I514c719106ca7cff29bbf75a09f45fb6e4fb6366
Move the packages of "portieris-armada-app" from stx-std.lst
to debian_iso_image.inc
A subsequent commit will be sent to clean up stx-std.lst.
Test Plan:
Pass: build-pkgs -c -a
Pass: build-image
Pass: boot
Story: 2008862
Task: 46924
Signed-off-by: Yue Tao <yue.tao@windriver.com>
Change-Id: I8c202a80e1ec6a2c05291007c94aa728fbb70568
Upstream has deprecated 'node-role.kubernetes.io/master'
to use 'node-role.kubernetes.io/control-plane' in k8s 1.24.
Platform and applications need to be updated to use 'control-plane'
with nodeSelector/Tolerations so we may move away from 'master'.
This updates pod Tolerations to support both:
- 'node-role.kubernetes.io/master'
- 'node-role.kubernetes.io/control-plane'
Created new patch file to add Tolerations for deployment and jobs
Note: Portieris is not supported in the current release so we just
need the code inspection for now.
Story: 2010301
Task: 46676
Signed-off-by: Boovan Rajendran <boovan.rajendran@windriver.com>
Change-Id: Ic41f7702c3b017ad2dc5c8666184970c94ccee41
The ubuntu-jammy nodeset gets selected by default
and is causing problems during setup.
Collecting cffi>=1.1
Failed to build cffi
ubuntu-bionic works if using stein upper-constraints.
ubuntu-focal works if using the debian upper-constraints.
Need to update a file that is monitored by zuul
in order to trigger the failing zuul jobs.
Partial-Bug: 1994843
Signed-off-by: Al Bailey <al.bailey@windriver.com>
Change-Id: Ib6180ec2143526d1f1819a47dc47adc5f27aeb57
As part of Armada deprecation we need to remove all Armada application
builds for all applications that have been migrated to FluxCD.
This patch removes the armada app build from centos and debian.
TEST PLAN:
PASS: Build centos
PASS: Build debian
PASS: deb package does not have armada tarball
PASS: rpm package does not have armada tarball
PASS: FluxCD tarball is unchanged
Story: 2009138
Task: 46095
Signed-off-by: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
Change-Id: If9b8f0394940fe3802b557626f3ed773e6f616f4
The pip team is planning to deprecate the
'--use-deprecated legacy-resolver' install option.
While a firm date has yet to be set, we need to be
ready for the change.
Test Plan*:
PASS: Verified that tox runs without issues
PASS: Generate portieris package.
PASS: Upload and apply portieris package and check if pod
is running.
Note(*): Tested on kubernetes 1.21.8
Closes-bug: 1966072
Signed-off-by: Karla Felix <karla.karolinenogueirafelix@windriver.com>
Change-Id: Ifc48062f95f3bc44de4a1e1703f9e04b8118d430
Test Cases:
PASS: Check deb install and application upload + apply on debian
PASS: Perform simple functional test on debian
PASS: Check application remove and delete on debian
Logs: https://paste.opendev.org/show/bUDc0XfuXHLAZByl6m2G/
Story: 2009138
Task: 44647
Signed-off-by: Rei Oliveira <Reinildes.JoseMateusOliveira@windriver.com>
Change-Id: I48b240399bdb26dd7e1456ddeb6c273035838b59
This commit switches portieris to use the fluxcd app by default and
also preserves the armada app on the build for future tests.
TEST PLAN
PASS Build iso and verify apps
PASS Upload
PASS Apply
PASS Verify resources
PASS Remove
PASS Delete
Logs: https://paste.opendev.org/show/bmdUjzPBcSE32jx1Tfjr/
Story: 2009138
Task: 45348
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: If26df1a928c1fb047cf04098e5ee8384a924eb84
Add new manifest files to the Portieris app to enable FluxCD support.
The new spec will now generate 2 rpms:
- the original one that contains the armada manifest yaml
- a new one that contains the new FluxCD yaml
TEST PLAN:
- build, ISO image includes in progress fluxcd commits
- verify the armada app version of Portieris
- verify the fluxcd app version of Portieris
- test case for both includes asserting that Portieris is effective at
enforcing an example policy
The following are soft dependencies (dependencies for fluxcd), the
commit has no depends unless fluxcd is enabled:
- application framework for fluxcd
- https://review.opendev.org/c/starlingx/ansible-playbooks/+/828592
Story: 2009138
Task: 44619
Change-Id: Ie88de7506d411b63349012b4c2e1b48be9dfc2a9
Signed-off-by: Michel Thebeau <Michel.Thebeau@windriver.com>
Replace dl_hook with "src_path" and "src_files"
Test Plan:
Pass: successfully build stx-portieris-helm
Pass: No difference comparing with the result of dl_hook
Story: 2009101
Task: 43845
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Change-Id: I498c7b00e46b1687c080cf53db8e42c0faeefa92
Add "dl_path" to download the source tarball.
Add "src_files" to copy local files to build directory.
Copy patches to deb_folder/patches, and remove the patching commands
from rules.
Remove dl_hook.
Test Plan:
Pass: successfully build portieris-helm
Pass: No difference comparing with the result of dl_hook
Story: 2009101
Task: 43845
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Change-Id: I128bac3c74e791458d4fcac6d437653abc322206
A toleration needs to be added to all resources that create pods since
the node-role.kubernetes.io/master taint will be restored to all master
nodes. This will ensure that the pods will run on the master node.
Tested in an AIO-SX by enabling the taint and:
- Deleting pods
- Performing an application update
- Removing and reinstalling the application
- Deleting the MutatingWebhookConfiguration and reapplying the app
In every case mentioned the resources would come up again.
Story: 2009232
Task: 43347
Change-Id: Ida1a152d86fe0bed34a7877644fdc350b3c3698f
Signed-off-by: Rafael Camargos <RafaelLucas.Camargos@windriver.com>
Due to a recent change in fm-api's directory structure, unit tests would
fail since the virtualenv would not be able to find fm-api/setup.py.
Adjust the tox.ini to point to the correct directory. Tested locally
by running tox.ini.
Depends-On: https://review.opendev.org/c/starlingx/fault/+/806046
Story: 2009101
Task: 43091
Signed-off-by: Charles Short <charles.short@windriver.com>
Change-Id: I19a40c00cb024681fc40a0b59096af4ea790522e
The webhooks will not run as root with pod security policies enabled.
The error reported is "container has runAsNonRoot and image will run as
root".
Use the same securityContext as Portieris chart; run as 'portieris'
service account (Values.securityContext.runAsUser)
Fix subsequent jobs that fail with the absent securityContext,
permissions necessary to run those jobs. Add the 'patch' verb to
customresourcedefinitions for portieris service account.
Depends-On: I4682765efddc217e792b37c659ae5833379bf054
Closes-Bug: 1895722
Change-Id: I8b5206cb6fadd029e6597e3da2b85857133ea95e
Signed-off-by: Michel Thebeau <Michel.Thebeau@windriver.com>
Backup & Restore with portieris app fail at controller restore because
its helm chart creates a mutating webhook configuration that blocks pods
creation if the portieris pod isn't running.
The proposed solution is to use the lifecycle operator to delete the
mutating webhook before the backup. With this, the backup of the etcd
database will not contain the webhook and the restore will succeed.
Note that this checks if the mutating webhook is currently present on
the system and after backup and after restore, if necessary, the
portieris app is reapplied in order to recreate the mutating webhook
configuration.
Tested on an AIO-SX by applying portieris and backing up and restoring
the system (with and without the mutating webhook).
Partial-Bug: 1890630
Change-Id: I828deeddccae52b702f11c751775d47170c9ff1e
Depends-on: I4682765efddc217e792b37c659ae5833379bf054
Depends-on: I84cd8afc09c504f7278e57ccce1c089415627620
Signed-off-by: Rafael Camargos <RafaelLucas.Camargos@windriver.com>
A lot of work has gone into making sure that StarlingX is python3
compatible. To ensure future compatibility, enable the python3
portability checks. Disable the checks that are raising errors.
Another set of commits will address the offending code.
Story: 2006796
Task: 43207
Signed-off-by: Bernardo Decco <bernardo.deccodesiqueira@windriver.com>
Change-Id: I24509f6f392b070c307c3b05ab2cc802714503c8
Add support for tox testing under Debian Bullseye by
enabling a python3.9 gate and tox target for exercising
unit tests.
Story: 2009101
Task: 43187
Signed-off-by: Charles Short <charles.short@windriver.com>
Change-Id: Id00936d92962e50221ebfe714307e96ecbc4e043
The backup and restore procedure will set ReapplyAdmissionWebhook to
true to force an "upgrade" of an already installed Portieris
application. The webhooks job is run on the helm chart's post-upgrade
hook. The chart value ReapplyAdmissionWebhook is reserved to simplify
its handling by backup and restore.
This resolves the issue of forcing the webhook to reapply after it has
been manually removed before a backup operation. The 'post-install'
helm.sh/hook for example is only run after the chart is installed. We
need to trigger the webhook creation after backup and restore
operations. Setting an application override as follows will trigger an
upgrade of the helm chart when the application is reapplied:
    system helm-override-update \
        --reuse-values \
        portieris portieris portieris \
        --set ReapplyAdmissionWebhook=true
Partial-Bug: 1890630
Change-Id: I4682765efddc217e792b37c659ae5833379bf054
Signed-off-by: Michel Thebeau <Michel.Thebeau@windriver.com>
The restrictions caused pip to fail to find available packages. Delete
requirements until tox starts working.
Partial-Bug: 1890630
Change-Id: I73858baf272bea2184c838b04df0460e9f7643c4
Signed-off-by: Michel Thebeau <Michel.Thebeau@windriver.com>
stx-portieris-helm contains both portieris-helm and
python-k8sapp-portieris. Declare the relationship so that the
build-avoidance will pick the right package versions when any of these
is updated.
Partial-Bug: 1940309
Change-Id: I07b10b4eb67bf043ece8acaf16afee2243407508
Signed-off-by: Michel Thebeau <Michel.Thebeau@windriver.com>
Pulling portieris from registry.local will fail without
imagePullSecrets set. containerd.log shows "failed to resolve
reference" for the image:tag.
Partial-Bug: 1912696
Change-Id: I5dbfaaa80873135d03b7a40304a925817d0380ae
Signed-off-by: Michel Thebeau <Michel.Thebeau@windriver.com>
Packages defined in a spec with no files do not result in an RPM
produced by the build. On a rebuild, the build tools scan the spec and
see the package defined but do not find a corresponding RPM, and so
flags the package for a rebuild as a result.
This commit removes the empty package definition from the spec.
Partial-Bug: 1910439
Signed-off-by: Don Penney <don.penney@windriver.com>
Change-Id: I04c6c687b41d8ced41410ccfb432249a0e9cea22
Update remaining StarlingX packages with hardcoded TIS_PATCH_VER to
use PKG_GITREVCOUNT where possible, with offsets as needed to ensure
the version is incremented above the hardcoded version.
Story: 2008455
Task: 41464
Signed-off-by: Don Penney <don.penney@windriver.com>
Change-Id: I96794127a2849612f11cdaadaa53bfb2bfe3e93b
Set default replicaCount to 3, as is the default in upstream portieris.
This should increase resilience if one pod goes down, and improve concurrency.
The replica count can also be overridden with the following command:
    system helm-override-update portieris portieris portieris --set replicaCount=1
Story: 2007348
Task: 39597
Change-Id: I0dec645cf1896e2bfa4f9a5c6dfd8417487712af
Signed-off-by: Joseph Richard <joseph.richard@windriver.com>
Applying platform-integ-apps was causing portieris to be removed,
because its prefix was stx. Change prefix to portieris to prevent
this.
Also move portieris helm charts to stx-platform repo, for consistency
with other charts.
Closes-bug: 1889935
Change-Id: I72c517c2e9ca8561f0e7e120aefed2936282bd82
Signed-off-by: Joseph Richard <joseph.richard@windriver.com>
In order to allow uniqueness across helm applications, rename the
psp-rolebinding helm chart to portieris-psp-rolebinding
Also fix up issue with loading psp-rolebinding helm plugin.
Related-bug: 1889019
Story: 2007348
Task: 40430
Change-Id: Ic113732d93d93c6cd154ddc4660ba15f5424c737
Signed-off-by: Joseph Richard <joseph.richard@windriver.com>
Including portieris-helm as requirement for stx-portieris-helm causes
it to be installed on system. portieris-helm is included in armada
application, and is not required outside of it, so the package should
not have this dependency.
Story: 2007348
Task: 40414
Change-Id: Ic58883406c38b6237b076b50a587ceea513cafd5
Signed-off-by: Joseph Richard <joseph.richard@windriver.com>