Bootstrap cluster #771
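---
# Nightly bootstrap of the HAC dev-sandbox preview cluster, with Slack reporting, plus an
# independent prune of stale user signups. Can also be started by hand (workflow_dispatch).
name: Bootstrap cluster

on:  # yamllint disable-line rule:truthy
  schedule:
    - cron: '14 4 * * *'
  workflow_dispatch:

# Least-privilege GITHUB_TOKEN: nothing in this workflow writes back to the repository
# (the git commit below stays local), so read access is all actions/checkout needs.
permissions:
  contents: read

env:
  OC_LOGIN_TOKEN: ${{ secrets.OC_LOGIN_TOKEN }}
  LOGIN_SERVER_URL: "https://api.hac-devsandbox.5unc.p1.openshiftapps.com:6443"

jobs:
  bootstrap:
    runs-on: ubuntu-latest
    steps:
      # TODO(review): pin to a full commit SHA instead of a moving tag, so a retargeted tag
      # cannot change the code that runs with access to the secrets below.
      - uses: actions/checkout@v4
      - name: Run bootstrap script
        shell: bash
        id: bootstrap
        timeout-minutes: 30
        env:
          # getting secrets from GH
          BROKER_PASSWORD: ${{ secrets.BROKER_PASSWORD }}
          MY_GITHUB_TOKEN: ${{ secrets.MY_GITHUB_TOKEN }}
          SHARED_SECRET: ${{ secrets.SHARED_SECRET }}
          SPI_GITHUB_CLIENT_ID: ${{ secrets.SPI_GITHUB_CLIENT_ID }}
          SPI_GITHUB_CLIENT_SECRET: ${{ secrets.SPI_GITHUB_CLIENT_SECRET }}
          IMAGE_CONTROLLER_QUAY_TOKEN: ${{ secrets.IMAGE_CONTROLLER_QUAY_TOKEN_KONFLUX_QE }}
          REDHAT_APPSTUDIO_USER_WORKLOAD: ${{ secrets.REDHAT_APPSTUDIO_USER_WORKLOAD }}
          PAC_GITHUB_APP_PRIVATE_KEY: ${{ secrets.PAC_GITHUB_APP_PRIVATE_KEY_BASE64 }}
          PAC_GITHUB_APP_ID: ${{ secrets.PAC_GITHUB_APP_ID }}
          PAC_GITHUB_APP_WEBHOOK_SECRET: ${{ secrets.PAC_GITHUB_APP_WEBHOOK_SECRET }}
          # setting variables
          BROKER_USERNAME: "pactUser"
          MY_GIT_FORK_REMOTE: "origin"
          MY_GITHUB_ORG: "redhat-hac-qe"
          IMAGE_CONTROLLER_QUAY_ORG: "redhat-appstudio-qe"
          SPI_TYPE: "Github"
          OC_DOWNLOAD_URL: "https://downloads-openshift-console.apps.hac-devsandbox.5unc.p1.openshiftapps.com/amd64/linux/oc.tar"
          # Plain values: set_preview_var in the script below writes them verbatim, so the
          # slashes no longer need to be pre-escaped for sed.
          SPI_API_SERVER: "https://api-toolchain-host-operator.apps.hac-devsandbox.5unc.p1.openshiftapps.com"
          HAS_DEFAULT_IMAGE_REPOSITORY: "quay.io/redhat-appstudio-qe/build_service"
          BROKER: "true"
        run: |
          # Setup GIT access (identity for the local workaround commit below)
          git config --global user.name 'Katka92'
          git config --global user.email 'kkanova@redhat.com'

          # Setup OC and login to cluster.
          # NOTE(review): --insecure-skip-tls-verify disables server certificate checks while a
          # bearer token is sent; prefer --certificate-authority with the cluster CA bundle once available.
          oc login --token="${OC_LOGIN_TOKEN}" --server="${LOGIN_SERVER_URL}" --insecure-skip-tls-verify

          # Fill hack/preview.env from its template.
          cp hack/preview-template.env hack/preview.env

          # set_preview_var KEY VALUE: replace everything after the first "KEY=" on a line of
          # hack/preview.env with VALUE (same effect as the former `sed "s/KEY=.*/KEY=VALUE/"`).
          # The value reaches awk through ENVIRON rather than through a sed or awk expression,
          # so '/', '&' and '\' (present in base64 keys and URLs) are written verbatim instead of
          # corrupting the expression. Values must be single-line.
          set_preview_var() {
            PV_KEY="$1" PV_VALUE="$2" awk '
              BEGIN { k = ENVIRON["PV_KEY"] "="; v = ENVIRON["PV_VALUE"] }
              { i = index($0, k); if (i) print substr($0, 1, i - 1) k v; else print }
            ' hack/preview.env > hack/preview.env.tmp
            mv hack/preview.env.tmp hack/preview.env
          }

          set_preview_var PAC_GITHUB_APP_PRIVATE_KEY "${PAC_GITHUB_APP_PRIVATE_KEY}"
          set_preview_var PAC_GITHUB_APP_ID "${PAC_GITHUB_APP_ID}"
          set_preview_var PAC_GITHUB_APP_WEBHOOK_SECRET "${PAC_GITHUB_APP_WEBHOOK_SECRET}"
          set_preview_var BROKER_PASSWORD "${BROKER_PASSWORD}"
          set_preview_var MY_GITHUB_TOKEN "${MY_GITHUB_TOKEN}"
          set_preview_var SHARED_SECRET "${SHARED_SECRET}"
          set_preview_var SPI_GITHUB_CLIENT_ID "${SPI_GITHUB_CLIENT_ID}"
          set_preview_var SPI_GITHUB_CLIENT_SECRET "${SPI_GITHUB_CLIENT_SECRET}"
          set_preview_var HAS_DEFAULT_IMAGE_REPOSITORY "${HAS_DEFAULT_IMAGE_REPOSITORY}"
          set_preview_var SPI_API_SERVER "${SPI_API_SERVER}"
          set_preview_var BROKER_USERNAME "${BROKER_USERNAME}"
          set_preview_var MY_GIT_FORK_REMOTE "${MY_GIT_FORK_REMOTE}"
          set_preview_var MY_GITHUB_ORG "${MY_GITHUB_ORG}"
          set_preview_var IMAGE_CONTROLLER_QUAY_ORG "${IMAGE_CONTROLLER_QUAY_ORG}"
          set_preview_var IMAGE_CONTROLLER_QUAY_TOKEN "${IMAGE_CONTROLLER_QUAY_TOKEN}"

          export PATH=${PATH}:/home/runner/go/bin

          # Workaround issue that we can't update OSD cluster to 4.15 but pipelines requires new version of kubernetes
          sed -i "s/quay.io\/openshift-pipeline\/openshift-pipelines-pipelines-operator-bundle-container-index@.*/quay.io\/openshift-pipeline\/openshift-pipelines-pipelines-operator-bundle-container-index@sha256:99d1e1ba1c24d950db7147e26041193304247ed92e88788023b58eb787282a9a/" components/pipeline-service/development/main-pipeline-service-configuration.yaml
          sed -i "s/artifacts.pipelinerun.enable-deep-inspection: \"true\"/artifacts.pipelinerun.enable-deep-inspection: true/" components/pipeline-service/development/main-pipeline-service-configuration.yaml
          git status
          # Local commit only; nothing is pushed.
          git commit -am "fix: install older pipelines"

          # Bootstrap the cluster
          hack/bootstrap-cluster.sh preview --toolchain --keycloak

          # Set the docker secret to push HAS images to quay if it doesn't exist yet.
          # (`grep -q` is avoided on purpose: with pipefail its early exit could make `oc get`
          # fail with SIGPIPE and re-create the secret.)
          if ! oc get secrets -n build-templates | grep redhat-appstudio-user-workload >/dev/null; then
            # printf avoids word splitting/globbing of the JSON; the file is removed afterwards
            # so the pull credential does not linger in the workspace.
            printf '%s\n' "${REDHAT_APPSTUDIO_USER_WORKLOAD}" > docker.config
            oc create secret docker-registry redhat-appstudio-user-workload -n build-templates --from-file=.dockerconfigjson=docker.config
            rm -f docker.config
          fi

          # Deploy proxy plugin to enable tekton-results
          if ! oc get proxyplugins -n toolchain-host-operator | grep tekton-results >/dev/null; then
            echo "Deploying proxy plugin for tekton-results"
            oc apply -f .github/proxyplugin.yml
          fi
      - name: Unseal vault if sealed
        if: failure()
        env:
          POD_NAME: "vault-0"
        run: |
          oc project spi-vault
          status=$(oc get pod "${POD_NAME}" -o=jsonpath='{.status.phase}')
          if [ "${status}" != "Running" ]; then
            echo "Status of a pod ${POD_NAME} is ${status}. Executing poststart.sh."
            oc exec "${POD_NAME}" -- sh /vault/userconfig/scripts/poststart.sh
          else
            echo "Status of a pod ${POD_NAME} is ${status}."
          fi
      - name: Check Application statuses
        id: statuscheck
        if: failure()
        run: |
          oc project openshift-gitops
          echo "Checking Apps statuses till they're Healthy and Synced."
          echo "10 attempts with 3 minute waits."
          healthyAndSynced=false
          for i in {1..10}; do
            echo "$i. try, checking app statuses."
            # Lines of Argo CD applications that are not Healthy / not Synced; `|| true` keeps
            # an empty grep result from aborting the step under `set -e`.
            unhealthy=$(oc get applications.argoproj.io --no-headers | { grep -v "Healthy" || true; } )
            unsynced=$(oc get applications.argoproj.io --no-headers | { grep -v "Synced" || true; } )
            if [[ -z "${unhealthy}" && -z "${unsynced}" ]]; then
              echo "All apps are healthy and synced."
              healthyAndSynced=true
              break
            else
              echo "Some apps are not ready:"
              oc get applications.argoproj.io
              echo "Sleeping for 3 minutes and retrying."
              sleep 180
            fi
          done
          echo "healthy_and_synced=${healthyAndSynced}" >> "${GITHUB_OUTPUT}"
      - name: Send a message to Slack
        shell: bash
        if: always()
        env:
          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
          BOOTSTRAP_JOB_STATUS: ${{ steps.bootstrap.outcome }}
          HEALTHY_AND_SYNCED: ${{ steps.statuscheck.outputs.healthy_and_synced }}
          CHANNEL_ID: "C04U7TA1BT8" # forum-rhtap-test-execution-alerts
          ACTION_URL: "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
        run: |
          # HEALTHY_AND_SYNCED is only set when the status check ran, i.e. after a failure;
          # an empty value therefore means the bootstrap step succeeded.
          if [[ "${HEALTHY_AND_SYNCED}" == "true" ]]; then
            statusMessage="Bootstrap script failed but application statuses seem ok. Cluster is probably not updated or Vault was not unsealed."
            icon=":failed:"
          elif [[ -z "${HEALTHY_AND_SYNCED}" ]]; then
            statusMessage="Bootstrap script succeeded, cluster is OK."
            icon=":done-circle-check:"
          else
            statusMessage="Bootstrap script failed and applications are not healthy. Cluster is probably broken."
            icon=":failed:"
          fi
          curl -X POST https://slack.com/api/chat.postMessage \
            -H "Authorization: Bearer ${SLACK_BOT_TOKEN}" \
            -d "channel=${CHANNEL_ID}" \
            -d "text=${icon} Job *bootstrap* ended. ${statusMessage} <${ACTION_URL}|View logs>"

  cleanup:
    # No `needs:` — this job runs in parallel with the bootstrap job.
    runs-on: ubuntu-latest
    steps:
      - name: Prune user signups
        shell: bash  # -e and pipefail: a failing `oc get` fails the step instead of silently pruning nothing
        run: |
          # NOTE(review): see the TLS caveat on the bootstrap job's login.
          oc login --token="${OC_LOGIN_TOKEN}" --server="${LOGIN_SERVER_URL}" --insecure-skip-tls-verify
          echo "Prune any user spaces older than 2 days"
          oc project toolchain-host-operator
          # 172800 s = 2 days. NOTE(review): "user1" is excluded from pruning — presumably a
          # permanent test account; confirm with the owners.
          oc get usersignup -o json \
            | jq -r --argjson timestamp 172800 '.items[] | select ((.metadata.creationTimestamp | fromdateiso8601 < now - $timestamp) and (.metadata.name != "user1")).metadata.name' \
            | xargs -r -L1 oc delete usersignup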