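---
# Nightly (04:14 UTC) or manual bootstrap of the hac-devsandbox preview cluster.
#
# Job "bootstrap": logs in to the cluster, fills hack/preview.env from its
# template with the secrets/variables declared on the step, pins the pipelines
# operator bundle to a known digest, runs hack/bootstrap-cluster.sh and makes
# sure the quay push secret and the tekton-results proxy plugin exist. If that
# step fails, the job tries to unseal Vault and then polls the Argo CD
# applications; a Slack summary is always posted at the end.
#
# Job "cleanup": deletes UserSignups older than 2 days (except "user1").
name: Bootstrap cluster

on:  # yamllint disable-line rule:truthy
  schedule:
    - cron: '14 4 * * *'
  workflow_dispatch:

# Nothing in this workflow writes through the automatic GITHUB_TOKEN (the
# dedicated MY_GITHUB_TOKEN secret is used instead), so keep it read-only.
permissions:
  contents: read

env:
  # Not a secret. OC_LOGIN_TOKEN is intentionally NOT declared here: a
  # workflow-level secret is exposed to every step, including third-party
  # actions, so it is scoped to the two steps that actually run `oc login`.
  LOGIN_SERVER_URL: "https://api.hac-devsandbox.5unc.p1.openshiftapps.com:6443"

jobs:
  bootstrap:
    runs-on: ubuntu-latest
    steps:
      # Supply chain: a version tag is mutable. Prefer pinning to a full commit
      # SHA (actions/checkout@<full-commit-sha>  # v4) once the team adopts that.
      - uses: actions/checkout@v4

      - name: Run bootstrap script
        shell: bash
        id: bootstrap
        timeout-minutes: 30
        env:
          # Secrets from GitHub, scoped to this step only.
          OC_LOGIN_TOKEN: ${{ secrets.OC_LOGIN_TOKEN }}
          BROKER_PASSWORD: ${{ secrets.BROKER_PASSWORD }}
          MY_GITHUB_TOKEN: ${{ secrets.MY_GITHUB_TOKEN }}
          SHARED_SECRET: ${{ secrets.SHARED_SECRET }}
          SPI_GITHUB_CLIENT_ID: ${{ secrets.SPI_GITHUB_CLIENT_ID }}
          SPI_GITHUB_CLIENT_SECRET: ${{ secrets.SPI_GITHUB_CLIENT_SECRET }}
          IMAGE_CONTROLLER_QUAY_TOKEN: ${{ secrets.IMAGE_CONTROLLER_QUAY_TOKEN_KONFLUX_QE }}
          REDHAT_APPSTUDIO_USER_WORKLOAD: ${{ secrets.REDHAT_APPSTUDIO_USER_WORKLOAD }}
          PAC_GITHUB_APP_PRIVATE_KEY: ${{ secrets.PAC_GITHUB_APP_PRIVATE_KEY_BASE64 }}
          PAC_GITHUB_APP_ID: ${{ secrets.PAC_GITHUB_APP_ID }}
          PAC_GITHUB_APP_WEBHOOK_SECRET: ${{ secrets.PAC_GITHUB_APP_WEBHOOK_SECRET }}
          # Plain variables. Values are copied into hack/preview.env verbatim by
          # the set_env helper in `run`, so no sed escaping of slashes is needed.
          # NOTE(review): SPI_API_SERVER and HAS_DEFAULT_IMAGE_REPOSITORY used to
          # carry sed-escaped slashes; if hack/bootstrap-cluster.sh also feeds
          # these two env vars to sed, confirm it still works with the plain form.
          BROKER_USERNAME: "pactUser"
          MY_GIT_FORK_REMOTE: "origin"
          MY_GITHUB_ORG: "redhat-hac-qe"
          IMAGE_CONTROLLER_QUAY_ORG: "redhat-appstudio-qe"
          SPI_TYPE: "Github"
          OC_DOWNLOAD_URL: "https://downloads-openshift-console.apps.hac-devsandbox.5unc.p1.openshiftapps.com/amd64/linux/oc.tar"
          SPI_API_SERVER: "https://api-toolchain-host-operator.apps.hac-devsandbox.5unc.p1.openshiftapps.com"
          HAS_DEFAULT_IMAGE_REPOSITORY: "quay.io/redhat-appstudio-qe/build_service"
          # Env values are always strings; quoted so no YAML tool re-types it.
          BROKER: "true"
        run: |
          # Git identity for the local "fix: install older pipelines" commit below.
          git config --global user.name 'Katka92'
          git config --global user.email 'kkanova@redhat.com'

          # Log in to the cluster.
          # TODO(security): --insecure-skip-tls-verify disables server certificate
          # verification while a bearer token is sent, so an on-path attacker could
          # capture the token; replace it with --certificate-authority=<cluster-ca-bundle>.
          oc login --token="$OC_LOGIN_TOKEN" --server="$LOGIN_SERVER_URL" --insecure-skip-tls-verify

          # Populate hack/preview.env from the template.
          cp hack/preview-template.env hack/preview.env

          # set_env KEY: replace "KEY=..." in hack/preview.env with the literal value
          # of $KEY. The value is read through awk's ENVIRON instead of being spliced
          # into a sed expression, so '/', '&', '\' or a newline inside a secret (e.g.
          # the base64 private key) can neither break the substitution nor corrupt
          # the file. As with the former sed call, the first "KEY=" on a line is
          # matched wherever it occurs and the rest of the line is replaced.
          set_env() {
            local key="$1"
            awk -v key="$key" '
              BEGIN { val = ENVIRON[key]; hits = 0 }
              { p = index($0, key "=") }
              p > 0 { print substr($0, 1, p - 1) key "=" val; hits++; next }
              { print }
              END { if (hits == 0) print "set_env: no " key "= line found in hack/preview.env" > "/dev/stderr" }
            ' hack/preview.env > hack/preview.env.tmp
            mv hack/preview.env.tmp hack/preview.env
          }
          for key in PAC_GITHUB_APP_PRIVATE_KEY PAC_GITHUB_APP_ID PAC_GITHUB_APP_WEBHOOK_SECRET \
                     BROKER_PASSWORD MY_GITHUB_TOKEN SHARED_SECRET \
                     SPI_GITHUB_CLIENT_ID SPI_GITHUB_CLIENT_SECRET \
                     HAS_DEFAULT_IMAGE_REPOSITORY SPI_API_SERVER \
                     BROKER_USERNAME MY_GIT_FORK_REMOTE MY_GITHUB_ORG \
                     IMAGE_CONTROLLER_QUAY_ORG IMAGE_CONTROLLER_QUAY_TOKEN; do
            set_env "$key"
          done

          export PATH="${PATH}:/home/runner/go/bin"

          # Workaround: the OSD cluster cannot be updated to 4.15 yet, but newer
          # pipelines releases require a newer Kubernetes, so pin the operator
          # bundle index to a known-good digest.
          sed -i "s|quay.io/openshift-pipeline/openshift-pipelines-pipelines-operator-bundle-container-index@.*|quay.io/openshift-pipeline/openshift-pipelines-pipelines-operator-bundle-container-index@sha256:99d1e1ba1c24d950db7147e26041193304247ed92e88788023b58eb787282a9a|" components/pipeline-service/development/main-pipeline-service-configuration.yaml
          sed -i "s/artifacts.pipelinerun.enable-deep-inspection: \"true\"/artifacts.pipelinerun.enable-deep-inspection: true/" components/pipeline-service/development/main-pipeline-service-configuration.yaml
          git status
          git commit -am "fix: install older pipelines"

          # Bootstrap the cluster
          hack/bootstrap-cluster.sh preview --toolchain --keycloak

          # Create the docker secret used to push HAS images to quay if it does not
          # exist yet. grep writes to /dev/null rather than using -q so it reads all
          # of oc's output (no SIGPIPE surprise under pipefail).
          if ! oc get secrets -n build-templates | grep redhat-appstudio-user-workload >/dev/null; then
            # printf keeps the JSON byte-for-byte (no word splitting, no appending to
            # a stale file); the file is removed right after use so the secret does
            # not linger in the workspace.
            printf '%s' "$REDHAT_APPSTUDIO_USER_WORKLOAD" > docker.config
            oc create secret docker-registry redhat-appstudio-user-workload -n build-templates --from-file=.dockerconfigjson=docker.config
            rm -f docker.config
          fi

          # Deploy the proxy plugin that enables tekton-results.
          if ! oc get proxyplugins -n toolchain-host-operator | grep tekton-results >/dev/null; then
            echo "Deploying proxy plugin for tekton-results"
            oc apply -f .github/proxyplugin.yml
          fi

      - name: Unseal vault if sealed
        shell: bash
        if: failure()
        env:
          POD_NAME: "vault-0"
        run: |
          # Reuses the kubeconfig written by `oc login` in the bootstrap step.
          oc project spi-vault
          status=$(oc get pod "$POD_NAME" -o=jsonpath='{.status.phase}')
          if [ "$status" != "Running" ]; then
            echo "Status of a pod ${POD_NAME} is ${status}. Executing poststart.sh."
            oc exec "$POD_NAME" -- sh /vault/userconfig/scripts/poststart.sh
          else
            echo "Status of a pod ${POD_NAME} is ${status}."
          fi

      # Intentionally left on the default shell (no pipefail): a transient `oc get`
      # failure inside the polling loop must not abort the remaining attempts.
      - name: Check Application statuses
        id: statuscheck
        if: failure()
        run: |
          oc project openshift-gitops
          echo "Checking Apps statuses till they're Healthy and Synced."
          echo "10 attempts with 3 minute waits."
          healthyAndSynced=false
          for i in {1..10}; do
            echo "$i. try, checking app statuses."
            # `|| true` keeps grep's "no match" exit status (1) from failing the step.
            unhealthy=$(oc get applications.argoproj.io --no-headers | { grep -v "Healthy" || true; })
            unsynced=$(oc get applications.argoproj.io --no-headers | { grep -v "Synced" || true; })
            if [[ "$unhealthy" == "" && "$unsynced" == "" ]]; then
              echo "All apps are healthy and synced."
              healthyAndSynced=true
              break
            else
              echo "Some apps are not ready:"
              oc get applications.argoproj.io
              echo "Sleeping for 3 minutes and retrying."
              sleep 180
            fi
          done
          # Consumed by the Slack step; stays empty when this step did not run.
          echo "healthy_and_synced=${healthyAndSynced}" >> "$GITHUB_OUTPUT"

      - name: Send a message to Slack
        shell: bash
        if: always()
        env:
          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
          BOOTSTRAP_JOB_STATUS: ${{ steps.bootstrap.outcome }}
          HEALTHY_AND_SYNCED: ${{ steps.statuscheck.outputs.healthy_and_synced }}
          CHANNEL_ID: "C04U7TA1BT8"  # forum-rhtap-test-execution-alerts
          ACTION_URL: "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
        run: |
          # The bootstrap step's outcome is the authoritative signal. HEALTHY_AND_SYNCED
          # is only populated when the status-check step ran (i.e. after a failure),
          # so an empty value must not be read as "success" — a crashed or cancelled
          # run would otherwise be reported as OK.
          if [[ "$BOOTSTRAP_JOB_STATUS" == "success" ]]; then
            statusMessage="Bootstrap script succeeded, cluster is OK."
            icon=":done-circle-check:"
          elif [[ "$HEALTHY_AND_SYNCED" == "true" ]]; then
            statusMessage="Bootstrap script failed but application statuses seem ok. Cluster is probably not updated or Vault was not unsealed."
            icon=":failed:"
          else
            statusMessage="Bootstrap script failed and applications are not healthy. Cluster is probably broken."
            icon=":failed:"
          fi
          # -sS: quiet but still report transport errors; --fail: a non-2xx HTTP
          # status fails the step instead of silently dropping the notification.
          curl -sS --fail -X POST https://slack.com/api/chat.postMessage \
            -H "Authorization: Bearer ${SLACK_BOT_TOKEN}" \
            -d "channel=${CHANNEL_ID}" \
            -d "text=${icon} Job *bootstrap* ended. ${statusMessage} <${ACTION_URL}|View logs>"

  cleanup:
    runs-on: ubuntu-latest
    steps:
      - name: Prune user signups
        shell: bash
        env:
          # Step-scoped for the same reason as in the bootstrap job.
          OC_LOGIN_TOKEN: ${{ secrets.OC_LOGIN_TOKEN }}
        run: |
          # TODO(security): same --insecure-skip-tls-verify concern as in the bootstrap job.
          oc login --token="$OC_LOGIN_TOKEN" --server="$LOGIN_SERVER_URL" --insecure-skip-tls-verify
          echo "Prune any user spaces older than 2 days"
          oc project toolchain-host-operator
          # 172800 s = 2 days; "user1" is always kept. xargs -r skips the delete
          # entirely when nothing matches. With pipefail (shell: bash) a failing
          # `oc get` now fails the step instead of silently pruning nothing.
          oc get usersignup -o json \
            | jq -r --argjson timestamp 172800 '.items[] | select ((.metadata.creationTimestamp | fromdateiso8601 < now - $timestamp) and (.metadata.name != "user1")).metadata.name' \
            | xargs -r -L1 oc delete usersignup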