From 44209d48d8e71cf432668ae88a37f4dc371623e5 Mon Sep 17 00:00:00 2001 
From: Bo Meng Date: Mon, 18 May 2026 10:22:52 +1000 Subject: [PATCH] ROSAENG-1067: add gcp marketplace testing to rosa-e2e --- ...shift-online-rosa-e2e-main__periodics.yaml | 17 ++++ ...nshift-online-rosa-e2e-main-periodics.yaml | 86 +++++++++++++++++++ .../osd-ccs-cluster-deprovision-commands.sh | 16 +++- .../osd-ccs-cluster-provision-gcp-commands.sh | 41 +++++++-- .../osd-ccs-cluster-provision-gcp-ref.yaml | 3 + .../osd-ccs/gcp/wif-config/OWNERS | 15 ++++ .../osd-ccs/gcp/wif-config/deprovision/OWNERS | 15 ++++ ...ccs-gcp-wif-config-deprovision-commands.sh | 42 +++++++++ ...p-wif-config-deprovision-ref.metadata.json | 21 +++++ ...sd-ccs-gcp-wif-config-deprovision-ref.yaml | 17 ++++ .../osd-ccs/gcp/wif-config/provision/OWNERS | 15 ++++ ...d-ccs-gcp-wif-config-provision-commands.sh | 58 +++++++++++++ ...gcp-wif-config-provision-ref.metadata.json | 21 +++++ .../osd-ccs-gcp-wif-config-provision-ref.yaml | 23 +++++ .../step-registry/rosa/e2e/osd-gcp/OWNERS | 10 +++ .../rosa-e2e-osd-gcp-workflow.metadata.json | 17 ++++ .../osd-gcp/rosa-e2e-osd-gcp-workflow.yaml | 28 ++++++ 17 files changed, 436 insertions(+), 9 deletions(-) create mode 100644 ci-operator/step-registry/osd-ccs/gcp/wif-config/OWNERS create mode 100644 ci-operator/step-registry/osd-ccs/gcp/wif-config/deprovision/OWNERS create mode 100755 ci-operator/step-registry/osd-ccs/gcp/wif-config/deprovision/osd-ccs-gcp-wif-config-deprovision-commands.sh create mode 100644 ci-operator/step-registry/osd-ccs/gcp/wif-config/deprovision/osd-ccs-gcp-wif-config-deprovision-ref.metadata.json create mode 100644 ci-operator/step-registry/osd-ccs/gcp/wif-config/deprovision/osd-ccs-gcp-wif-config-deprovision-ref.yaml create mode 100644 ci-operator/step-registry/osd-ccs/gcp/wif-config/provision/OWNERS create mode 100755 ci-operator/step-registry/osd-ccs/gcp/wif-config/provision/osd-ccs-gcp-wif-config-provision-commands.sh create mode 100644 
ci-operator/step-registry/osd-ccs/gcp/wif-config/provision/osd-ccs-gcp-wif-config-provision-ref.metadata.json create mode 100644 ci-operator/step-registry/osd-ccs/gcp/wif-config/provision/osd-ccs-gcp-wif-config-provision-ref.yaml create mode 100644 ci-operator/step-registry/rosa/e2e/osd-gcp/OWNERS create mode 100644 ci-operator/step-registry/rosa/e2e/osd-gcp/rosa-e2e-osd-gcp-workflow.metadata.json create mode 100644 ci-operator/step-registry/rosa/e2e/osd-gcp/rosa-e2e-osd-gcp-workflow.yaml diff --git a/ci-operator/config/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main__periodics.yaml b/ci-operator/config/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main__periodics.yaml index 71a6294a65fc6..fa2e957d926c6 100644 --- a/ci-operator/config/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main__periodics.yaml +++ b/ci-operator/config/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main__periodics.yaml @@ -3,6 +3,10 @@ base_images: name: nested-podman namespace: ci tag: latest + ocm-cli: + name: ocm-cli + namespace: ci + tag: latest rosa-aws-cli: name: rosa-aws-cli namespace: ci @@ -151,6 +155,19 @@ tests: REPLICAS: "2" STS: "true" workflow: rosa-e2e-classic +- as: osd-gcp-e2e-candidate-4-22 + cron: 30 7 * * * + steps: + cluster_profile: rosa-e2e-03 + env: + CHANNEL_GROUP: candidate + CLUSTER_TOPOLOGY: osd-gcp + LABEL_FILTER: Platform:OSD-GCP && !Access:MC + OCM_LOGIN_ENV: staging + OPENSHIFT_VERSION: "4.22" + REGION: us-east1 + SUBSCRIPTION_TYPE: marketplace-gcp + workflow: rosa-e2e-osd-gcp zz_generated_metadata: branch: main org: openshift-online diff --git a/ci-operator/jobs/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main-periodics.yaml b/ci-operator/jobs/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main-periodics.yaml index 7d4d5a06ee4f8..dcf35f07a8902 100644 --- a/ci-operator/jobs/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main-periodics.yaml 
+++ b/ci-operator/jobs/openshift-online/rosa-e2e/openshift-online-rosa-e2e-main-periodics.yaml 
@@ -1655,6 +1655,92 @@ periodics: - name: result-aggregator secret: secretName: result-aggregator +- agent: kubernetes + cluster: build09 + cron: 30 7 * * * + decorate: true + decoration_config: + sparse_checkout_files: + - Containerfile + extra_refs: + - base_ref: main + org: openshift-online + repo: rosa-e2e + sparse_checkout_files: + - Containerfile + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: rosa-e2e-03 + ci-operator.openshift.io/variant: periodics + ci.openshift.io/generator: prowgen + job-release: "4.22" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: periodic-ci-openshift-online-rosa-e2e-main-periodics-osd-gcp-e2e-candidate-4-22 + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=osd-gcp-e2e-candidate-4-22 + - --variant=periodics + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: 
boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator - agent: kubernetes cluster: build09 cron: 0 7 * * * diff --git a/ci-operator/step-registry/osd-ccs/cluster/deprovision/osd-ccs-cluster-deprovision-commands.sh b/ci-operator/step-registry/osd-ccs/cluster/deprovision/osd-ccs-cluster-deprovision-commands.sh index a5dd3953f6e5c..4d44c954ff07e 100755 --- a/ci-operator/step-registry/osd-ccs/cluster/deprovision/osd-ccs-cluster-deprovision-commands.sh +++ b/ci-operator/step-registry/osd-ccs/cluster/deprovision/osd-ccs-cluster-deprovision-commands.sh 
@@ -8,9 +8,19 @@ trap 'CHILDREN=$(jobs -p); if test -n "${CHILDREN}"; then kill ${CHILDREN} && wa # Log in OCM_VERSION=$(ocm version) -OCM_TOKEN=$(cat "${CLUSTER_PROFILE_DIR}/ocm-token") -echo "Logging into ${OCM_LOGIN_ENV} with offline token using ocm cli ${OCM_VERSION}" -ocm login --url "${OCM_LOGIN_ENV}" --token "${OCM_TOKEN}" +OCM_TOKEN=$(cat "${CLUSTER_PROFILE_DIR}/ocm-token" 2>/dev/null || true) +SSO_CLIENT_ID=$(cat "${CLUSTER_PROFILE_DIR}/sso-client-id" 2>/dev/null || true) +SSO_CLIENT_SECRET=$(cat "${CLUSTER_PROFILE_DIR}/sso-client-secret" 2>/dev/null || true) +if [[ -n "${OCM_TOKEN}" ]]; then + echo "Logging into ${OCM_LOGIN_ENV} with offline token using ocm cli ${OCM_VERSION}" + ocm login --url "${OCM_LOGIN_ENV}" --token "${OCM_TOKEN}" +elif [[ -n "${SSO_CLIENT_ID}" && -n "${SSO_CLIENT_SECRET}" ]]; then + echo "Logging into ${OCM_LOGIN_ENV} with SSO credentials using ocm cli ${OCM_VERSION}" + ocm login --url "${OCM_LOGIN_ENV}" --client-id "${SSO_CLIENT_ID}" --client-secret "${SSO_CLIENT_SECRET}" +else + echo "Cannot login! You need to securely supply an ocm-token or SSO credentials!" + exit 1 +fi # Deprovision cluster CLUSTER_ID=$(cat "${SHARED_DIR}/cluster-id") diff --git a/ci-operator/step-registry/osd-ccs/cluster/provision/gcp/osd-ccs-cluster-provision-gcp-commands.sh b/ci-operator/step-registry/osd-ccs/cluster/provision/gcp/osd-ccs-cluster-provision-gcp-commands.sh index df0c1f4fb799a..6433f92e1559a 100755 --- a/ci-operator/step-registry/osd-ccs/cluster/provision/gcp/osd-ccs-cluster-provision-gcp-commands.sh +++ b/ci-operator/step-registry/osd-ccs/cluster/provision/gcp/osd-ccs-cluster-provision-gcp-commands.sh 
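Review bot: The new SSO branch passes the secret as `--client-secret "${SSO_CLIENT_SECRET}"`, so it sits in the process argument list while `ocm login` runs and would be printed if xtrace were ever enabled in this step; the same block is repeated in the login hunks of osd-ccs-cluster-provision-gcp-commands.sh and both new wif-config scripts. I would add a comment above the login block, `# credentials are passed on argv here: never enable xtrace in this script`, and keep the four copies identical so a later hardening lands everywhere. Separately, `2>/dev/null || true` on each `cat` makes an unreadable credential file look the same as a missing one, and a profile with `sso-client-id` but no `sso-client-secret` ends in the generic "Cannot login!" message; naming the files that were looked for would make a misconfigured cluster profile quicker to diagnose. The script's option settings are outside this hunk, so whether xtrace is currently off here is not visible.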
@@ -129,6 +129,7 @@ CHANNEL_GROUP=${CHANNEL_GROUP:-"stable"} ETCD_ENCRYPTION=${ETCD_ENCRYPTION:-false} DISABLE_WORKLOAD_MONITORING=${DISABLE_WORKLOAD_MONITORING:-false} SUBSCRIPTION_TYPE=${SUBSCRIPTION_TYPE:-"standard"} +ENABLE_WIF=${ENABLE_WIF:-"no"} REGION=${REGION:-"${LEASED_RESOURCE}"} CLUSTER_TIMEOUT=${CLUSTER_TIMEOUT} BOOTSTRAP_TIMEOUT=${BOOTSTRAP_TIMEOUT} @@ -145,9 +146,19 @@ fi # Log in OCM_VERSION=$(ocm version) -OCM_TOKEN=$(cat "${CLUSTER_PROFILE_DIR}/ocm-token") -logger "INFO" "Logging into ${OCM_LOGIN_ENV} with offline token using ocm cli ${OCM_VERSION}" -ocm login --url "${OCM_LOGIN_ENV}" --token "${OCM_TOKEN}" +OCM_TOKEN=$(cat "${CLUSTER_PROFILE_DIR}/ocm-token" 2>/dev/null || true) +SSO_CLIENT_ID=$(cat "${CLUSTER_PROFILE_DIR}/sso-client-id" 2>/dev/null || true) +SSO_CLIENT_SECRET=$(cat "${CLUSTER_PROFILE_DIR}/sso-client-secret" 2>/dev/null || true) +if [[ -n "${OCM_TOKEN}" ]]; then + logger "INFO" "Logging into ${OCM_LOGIN_ENV} with offline token using ocm cli ${OCM_VERSION}" + ocm login --url "${OCM_LOGIN_ENV}" --token "${OCM_TOKEN}" +elif [[ -n "${SSO_CLIENT_ID}" && -n "${SSO_CLIENT_SECRET}" ]]; then + logger "INFO" "Logging into ${OCM_LOGIN_ENV} with SSO credentials using ocm cli ${OCM_VERSION}" + ocm login --url "${OCM_LOGIN_ENV}" --client-id "${SSO_CLIENT_ID}" --client-secret "${SSO_CLIENT_SECRET}" +else + logger "ERROR" "Cannot login! You need to securely supply an ocm-token or SSO credentials!" + exit 1 +fi # Check whether the cluster with the same cluster name existes. OLD_CLUSTER_ID=$(ocm list clusters --columns=id --parameter search="name is '${CLUSTER_NAME}'" | tail -n 1) 
@@ -157,8 +168,17 @@ if [[ "$OLD_CLUSTER_ID" != ID* ]]; then exit 1 fi -# Required +# GCP credentials / WIF config GCP_CREDENTIALS_FILE="${CLUSTER_PROFILE_DIR}/osd-ccs-gcp.json" +WIF_CONFIG_ID="" +if [[ "${ENABLE_WIF}" == "yes" ]]; then + WIF_CONFIG_ID=$(cat "${SHARED_DIR}/wif-config-id" 2>/dev/null || true) + if [[ -z "${WIF_CONFIG_ID}" ]]; then + logger "ERROR" "ENABLE_WIF is set but no WIF config ID found in SHARED_DIR/wif-config-id" + exit 1 + fi + logger "INFO" "Using WIF config: ${WIF_CONFIG_ID}" +fi versionList=$(ocm list versions --channel-group ${CHANNEL_GROUP}) logger "INFO" "Available cluster versions:" @@ -266,6 +286,10 @@ echo " Disable workload monitoring: ${DISABLE_WORKLOAD_MONITORING}" echo " Subscription type: ${SUBSCRIPTION_TYPE}" echo " Secure boot for shielded VMs: ${SECURE_BOOT_FOR_SHIELDED_VMS}" echo " Private: ${PRIVATE}" +echo " WIF: ${ENABLE_WIF}" +if [[ "${ENABLE_WIF}" == "yes" ]]; then + echo " WIF config ID: ${WIF_CONFIG_ID}" +fi if [ "${ENABLE_SHARED_VPC}" == "yes" ]; then echo " VPC project id: ${VPC_PROJECT_ID}" echo " VPC name: ${VPC_NAME}" @@ -273,11 +297,16 @@ if [ "${ENABLE_SHARED_VPC}" == "yes" ]; then echo " Compute subnet: ${COMPUTE_SUBNET}" fi +if [[ "${ENABLE_WIF}" == "yes" ]]; then + GCP_AUTH_SWITCH="--wif-config ${WIF_CONFIG_ID}" +else + GCP_AUTH_SWITCH="--ccs --service-account-file ${GCP_CREDENTIALS_FILE}" +fi + cmd="ocm create cluster ${CLUSTER_NAME} \ ---ccs \ +${GCP_AUTH_SWITCH} \ --provider=gcp \ --region ${REGION} \ ---service-account-file ${GCP_CREDENTIALS_FILE} \ --version ${OPENSHIFT_VERSION} \ --channel-group ${CHANNEL_GROUP} \ --compute-machine-type ${COMPUTE_MACHINE_TYPE} \ diff --git a/ci-operator/step-registry/osd-ccs/cluster/provision/gcp/osd-ccs-cluster-provision-gcp-ref.yaml b/ci-operator/step-registry/osd-ccs/cluster/provision/gcp/osd-ccs-cluster-provision-gcp-ref.yaml index 6adb8809a8054..05cc70141d40d 100644 
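Review bot: `WIF_CONFIG_ID` is only checked for being non-empty where it is read from `${SHARED_DIR}/wif-config-id`, and in the last hunk it is spliced unquoted into `GCP_AUTH_SWITCH="--wif-config ${WIF_CONFIG_ID}"` and from there into the `cmd` string. The file is written by another step from a `grep ID | awk` pipeline, so a multi-line or whitespace-containing value would become extra arguments to `ocm create cluster`. A shape check right after the read would stop that, for example `[[ "${WIF_CONFIG_ID}" =~ ^[A-Za-z0-9_-]+$ ]] || { logger "ERROR" "Unexpected WIF config ID format"; exit 1; }`, with the pattern adjusted to the ID format OCM actually returns. How `cmd` is executed lies outside these hunks, so the exact effect of a malformed value is inferred.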
--- a/ci-operator/step-registry/osd-ccs/cluster/provision/gcp/osd-ccs-cluster-provision-gcp-ref.yaml +++ b/ci-operator/step-registry/osd-ccs/cluster/provision/gcp/osd-ccs-cluster-provision-gcp-ref.yaml @@ -57,6 +57,9 @@ ref: - name: PRIVATE default: "no" documentation: Restrict master API endpoint and application routes to direct, private connectivity. The supported values are [no, yes]. + - name: ENABLE_WIF + default: "no" + documentation: Whether to create the cluster using GCP Workload Identity Federation. When set to "yes", the WIF config ID is read from SHARED_DIR/wif-config-id. The supported values are [no, yes]. documentation: |- Using ocm cli to create an osd ccs GCP cluster with the provided cluster profile. The cluster profile should include the offline token ocm-token to login. diff --git a/ci-operator/step-registry/osd-ccs/gcp/wif-config/OWNERS b/ci-operator/step-registry/osd-ccs/gcp/wif-config/OWNERS new file mode 100644 index 0000000000000..4fee3b41b2df6 --- /dev/null +++ b/ci-operator/step-registry/osd-ccs/gcp/wif-config/OWNERS @@ -0,0 +1,15 @@ +approvers: +- bmeng +- dustman9000 +- gdbranco +- jfrazierredhat +- ravitri +- tiwillia +options: {} +reviewers: +- bmeng +- dustman9000 +- gdbranco +- jfrazierredhat +- ravitri +- tiwillia diff --git a/ci-operator/step-registry/osd-ccs/gcp/wif-config/deprovision/OWNERS b/ci-operator/step-registry/osd-ccs/gcp/wif-config/deprovision/OWNERS new file mode 100644 index 0000000000000..4fee3b41b2df6 --- /dev/null +++ b/ci-operator/step-registry/osd-ccs/gcp/wif-config/deprovision/OWNERS @@ -0,0 +1,15 @@ +approvers: +- bmeng +- dustman9000 +- gdbranco +- jfrazierredhat +- ravitri +- tiwillia +options: {} +reviewers: +- bmeng +- dustman9000 +- gdbranco +- jfrazierredhat +- ravitri +- tiwillia 
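Review bot: The step documentation kept as context below the new `ENABLE_WIF` entry still says the cluster profile should include the offline token `ocm-token`, but the commands script changed in this patch now also accepts `sso-client-id` plus `sso-client-secret`. I would update that sentence to something like `The cluster profile should include either the offline token ocm-token or the sso-client-id and sso-client-secret pair to login.` The `ENABLE_WIF` documentation could also state that the osd-ccs-gcp-wif-config-provision step must run first, since the script exits with an error when `SHARED_DIR/wif-config-id` is missing. The rest of the ref's documentation block is outside the hunk.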
diff --git a/ci-operator/step-registry/osd-ccs/gcp/wif-config/deprovision/osd-ccs-gcp-wif-config-deprovision-commands.sh b/ci-operator/step-registry/osd-ccs/gcp/wif-config/deprovision/osd-ccs-gcp-wif-config-deprovision-commands.sh new file mode 100755 index 0000000000000..7b749585436b1 --- /dev/null +++ b/ci-operator/step-registry/osd-ccs/gcp/wif-config/deprovision/osd-ccs-gcp-wif-config-deprovision-commands.sh 
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+set -o nounset
+set -o errexit
+set -o pipefail
+
+function logger() {
+ local -r log_level=$1; shift
+ local -r log_msg=$1; shift
+ echo "$(date -u --rfc-3339=seconds) - ${log_level}: ${log_msg}"
+}
+
+trap 'CHILDREN=$(jobs -p); if test -n "${CHILDREN}"; then kill ${CHILDREN} && wait; fi' TERM
+
+GCP_CREDENTIALS_FILE="${CLUSTER_PROFILE_DIR}/osd-ccs-gcp.json"
+export GOOGLE_APPLICATION_CREDENTIALS="${GCP_CREDENTIALS_FILE}"
+
+# Log in
+OCM_VERSION=$(ocm version)
+OCM_TOKEN=$(cat "${CLUSTER_PROFILE_DIR}/ocm-token" 2>/dev/null || true)
+SSO_CLIENT_ID=$(cat "${CLUSTER_PROFILE_DIR}/sso-client-id" 2>/dev/null || true)
+SSO_CLIENT_SECRET=$(cat "${CLUSTER_PROFILE_DIR}/sso-client-secret" 2>/dev/null || true)
+if [[ -n "${OCM_TOKEN}" ]]; then
+ logger "INFO" "Logging into ${OCM_LOGIN_ENV} with offline token using ocm cli ${OCM_VERSION}"
+ ocm login --url "${OCM_LOGIN_ENV}" --token "${OCM_TOKEN}"
+elif [[ -n "${SSO_CLIENT_ID}" && -n "${SSO_CLIENT_SECRET}" ]]; then
+ logger "INFO" "Logging into ${OCM_LOGIN_ENV} with SSO credentials using ocm cli ${OCM_VERSION}"
+ ocm login --url "${OCM_LOGIN_ENV}" --client-id "${SSO_CLIENT_ID}" --client-secret "${SSO_CLIENT_SECRET}"
+else
+ logger "ERROR" "Cannot login! You need to securely supply an ocm-token or SSO credentials!"
+ exit 1
+fi
+
+WIF_CONFIG_ID=$(cat "${SHARED_DIR}/wif-config-id" 2>/dev/null || true)
+if [[ -z "${WIF_CONFIG_ID}" ]]; then
+ logger "INFO" "No WIF config ID found in SHARED_DIR, skipping deletion"
+ exit 0
+fi
+
+logger "INFO" "Deleting WIF config: ${WIF_CONFIG_ID}"
+ocm gcp delete wif-config "${WIF_CONFIG_ID}"
+logger "INFO" "WIF config ${WIF_CONFIG_ID} deleted successfully"
diff --git a/ci-operator/step-registry/osd-ccs/gcp/wif-config/deprovision/osd-ccs-gcp-wif-config-deprovision-ref.metadata.json b/ci-operator/step-registry/osd-ccs/gcp/wif-config/deprovision/osd-ccs-gcp-wif-config-deprovision-ref.metadata.json
new file mode 100644
index 0000000000000..a569897a9a378
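Review bot: When `${SHARED_DIR}/wif-config-id` is absent the script logs at INFO and exits 0, which also covers the case where the provision step created the WIF config but failed before writing the ID, so the config and any GCP identity resources behind it stay in the project while cleanup reports success. The provision script also writes `wif-config-name`, so a fallback such as `WIF_CONFIG_ID=$(cat "${SHARED_DIR}/wif-config-id" 2>/dev/null || cat "${SHARED_DIR}/wif-config-name" 2>/dev/null || true)` would let cleanup still find it. That only helps if the provision step writes the name before calling create and if `ocm gcp delete wif-config` accepts a name the way `describe` is used with one; both need confirming. Logging the skip at a warning level would also make an unexpected missing ID visible in the job output.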
--- /dev/null +++ b/ci-operator/step-registry/osd-ccs/gcp/wif-config/deprovision/osd-ccs-gcp-wif-config-deprovision-ref.metadata.json @@ -0,0 +1,21 @@ +{ + "path": "osd-ccs/gcp/wif-config/deprovision/osd-ccs-gcp-wif-config-deprovision-ref.yaml", + "owners": { + "approvers": [ + "bmeng", + "dustman9000", + "gdbranco", + "jfrazierredhat", + "ravitri", + "tiwillia" + ], + "reviewers": [ + "bmeng", + "dustman9000", + "gdbranco", + "jfrazierredhat", + "ravitri", + "tiwillia" + ] + } +} \ No newline at end of file diff --git a/ci-operator/step-registry/osd-ccs/gcp/wif-config/deprovision/osd-ccs-gcp-wif-config-deprovision-ref.yaml b/ci-operator/step-registry/osd-ccs/gcp/wif-config/deprovision/osd-ccs-gcp-wif-config-deprovision-ref.yaml new file mode 100644 index 0000000000000..d3d00ac5eed66 --- /dev/null +++ b/ci-operator/step-registry/osd-ccs/gcp/wif-config/deprovision/osd-ccs-gcp-wif-config-deprovision-ref.yaml @@ -0,0 +1,17 @@ +ref: + as: osd-ccs-gcp-wif-config-deprovision + from: ocm-cli + grace_period: 10m + commands: osd-ccs-gcp-wif-config-deprovision-commands.sh + resources: + requests: + cpu: 100m + memory: 300Mi + timeout: 30m + env: + - name: OCM_LOGIN_ENV + default: "staging" + documentation: The environment for ocm login. The supported values are [production, staging]. + documentation: |- + Deletes a GCP WIF (Workload Identity Federation) config using ocm cli. + Reads the WIF config ID from SHARED_DIR/wif-config-id. diff --git a/ci-operator/step-registry/osd-ccs/gcp/wif-config/provision/OWNERS b/ci-operator/step-registry/osd-ccs/gcp/wif-config/provision/OWNERS new file mode 100644 index 0000000000000..4fee3b41b2df6 --- /dev/null +++ b/ci-operator/step-registry/osd-ccs/gcp/wif-config/provision/OWNERS @@ -0,0 +1,15 @@ +approvers: +- bmeng +- dustman9000 +- gdbranco +- jfrazierredhat +- ravitri +- tiwillia +options: {} +reviewers: +- bmeng +- dustman9000 +- gdbranco +- jfrazierredhat +- ravitri +- tiwillia 
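Review bot: The `documentation` block of osd-ccs-gcp-wif-config-deprovision does not say which cluster-profile files the step depends on, although its script reads `osd-ccs-gcp.json` and either `ocm-token` or the `sso-client-id`/`sso-client-secret` pair. I would add a line such as `The cluster profile must provide osd-ccs-gcp.json and either ocm-token or sso-client-id and sso-client-secret.` and one noting that the step is a no-op when `SHARED_DIR/wif-config-id` does not exist. The same applies to the documentation of osd-ccs-gcp-wif-config-provision-ref.yaml later in the patch.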
diff --git a/ci-operator/step-registry/osd-ccs/gcp/wif-config/provision/osd-ccs-gcp-wif-config-provision-commands.sh b/ci-operator/step-registry/osd-ccs/gcp/wif-config/provision/osd-ccs-gcp-wif-config-provision-commands.sh new file mode 100755 index 0000000000000..5bc50a8a289a5 --- /dev/null +++ b/ci-operator/step-registry/osd-ccs/gcp/wif-config/provision/osd-ccs-gcp-wif-config-provision-commands.sh 
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+set -o nounset
+set -o errexit
+set -o pipefail
+
+function logger() {
+ local -r log_level=$1; shift
+ local -r log_msg=$1; shift
+ echo "$(date -u --rfc-3339=seconds) - ${log_level}: ${log_msg}"
+}
+
+trap 'CHILDREN=$(jobs -p); if test -n "${CHILDREN}"; then kill ${CHILDREN} && wait; fi' TERM
+
+GCP_CREDENTIALS_FILE="${CLUSTER_PROFILE_DIR}/osd-ccs-gcp.json"
+export GOOGLE_APPLICATION_CREDENTIALS="${GCP_CREDENTIALS_FILE}"
+
+# Log in
+OCM_VERSION=$(ocm version)
+OCM_TOKEN=$(cat "${CLUSTER_PROFILE_DIR}/ocm-token" 2>/dev/null || true)
+SSO_CLIENT_ID=$(cat "${CLUSTER_PROFILE_DIR}/sso-client-id" 2>/dev/null || true)
+SSO_CLIENT_SECRET=$(cat "${CLUSTER_PROFILE_DIR}/sso-client-secret" 2>/dev/null || true)
+if [[ -n "${OCM_TOKEN}" ]]; then
+ logger "INFO" "Logging into ${OCM_LOGIN_ENV} with offline token using ocm cli ${OCM_VERSION}"
+ ocm login --url "${OCM_LOGIN_ENV}" --token "${OCM_TOKEN}"
+elif [[ -n "${SSO_CLIENT_ID}" && -n "${SSO_CLIENT_SECRET}" ]]; then
+ logger "INFO" "Logging into ${OCM_LOGIN_ENV} with SSO credentials using ocm cli ${OCM_VERSION}"
+ ocm login --url "${OCM_LOGIN_ENV}" --client-id "${SSO_CLIENT_ID}" --client-secret "${SSO_CLIENT_SECRET}"
+else
+ logger "ERROR" "Cannot login! You need to securely supply an ocm-token or SSO credentials!"
+ exit 1
+fi
+
+# Determine GCP project ID
+if [[ -z "${GCP_PROJECT_ID}" ]]; then
+ GCP_PROJECT_ID=$(jq -r '.project_id' "${GCP_CREDENTIALS_FILE}")
+ logger "INFO" "Extracted GCP project ID from credentials: ${GCP_PROJECT_ID}"
+fi
+
+# Generate WIF config name if not provided
+suffix=$(head /dev/urandom | tr -dc a-z0-9 | head -c 4)
+WIF_CONFIG_NAME=${WIF_CONFIG_NAME:-"ci-wif-$suffix"}
+
+logger "INFO" "Creating WIF config:"
+echo " Name: ${WIF_CONFIG_NAME}"
+echo " GCP project ID: ${GCP_PROJECT_ID}"
+
+ocm gcp create wif-config --name "${WIF_CONFIG_NAME}" --project "${GCP_PROJECT_ID}" > "${ARTIFACT_DIR}/wif-config.txt"
+
+WIF_CONFIG_ID=$(ocm gcp describe wif-config "${WIF_CONFIG_NAME}" | grep ID | awk '{print $2}')
+if [[ -z "${WIF_CONFIG_ID}" ]]; then
+ logger "ERROR" "Failed to retrieve WIF config ID"
+ exit 1
+fi
+
+logger "INFO" "WIF config created: ${WIF_CONFIG_ID}"
+echo -n "${WIF_CONFIG_ID}" > "${SHARED_DIR}/wif-config-id"
+echo -n "${WIF_CONFIG_NAME}" > "${SHARED_DIR}/wif-config-name"
diff --git a/ci-operator/step-registry/osd-ccs/gcp/wif-config/provision/osd-ccs-gcp-wif-config-provision-ref.metadata.json b/ci-operator/step-registry/osd-ccs/gcp/wif-config/provision/osd-ccs-gcp-wif-config-provision-ref.metadata.json
new file mode 100644
index 0000000000000..4070edcb4d268
--- /dev/null
+++ b/ci-operator/step-registry/osd-ccs/gcp/wif-config/provision/osd-ccs-gcp-wif-config-provision-ref.metadata.json
@@ -0,0 +1,21 @@ +{ + "path": "osd-ccs/gcp/wif-config/provision/osd-ccs-gcp-wif-config-provision-ref.yaml", + "owners": { + "approvers": [ + "bmeng", + "dustman9000", + "gdbranco", + "jfrazierredhat", + "ravitri", + "tiwillia" + ], + "reviewers": [ + "bmeng", + "dustman9000", + "gdbranco", + "jfrazierredhat", + "ravitri", + "tiwillia" + ] + } +} \ No newline at end of file
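Review bot: `ocm gcp describe wif-config "${WIF_CONFIG_NAME}" | grep ID | awk '{print $2}'` matches every output line containing "ID", so `WIF_CONFIG_ID` can come back multi-line, and under `errexit` plus `pipefail` a non-matching `grep` aborts the script before the `-z` check is reached, after the config has been created and before anything is written to `SHARED_DIR`. I would write `${SHARED_DIR}/wif-config-name` before the `ocm gcp create wif-config` call and extract the ID with a single anchored match, e.g. `awk '$1 == "ID:" {print $2; exit}'`, assuming the describe output has a line of that form. `jq -r '.project_id'` prints the string `null` when the key is missing, so a check like `[[ -n "${GCP_PROJECT_ID}" && "${GCP_PROJECT_ID}" != "null" ]]` after the extraction is worth adding. The create output is also redirected to `${ARTIFACT_DIR}/wif-config.txt`; it is worth confirming that nothing in it is sensitive, since job artifacts are presumably retained with the results.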
diff --git a/ci-operator/step-registry/osd-ccs/gcp/wif-config/provision/osd-ccs-gcp-wif-config-provision-ref.yaml b/ci-operator/step-registry/osd-ccs/gcp/wif-config/provision/osd-ccs-gcp-wif-config-provision-ref.yaml new file mode 100644 index 0000000000000..808af3615579b --- /dev/null +++ b/ci-operator/step-registry/osd-ccs/gcp/wif-config/provision/osd-ccs-gcp-wif-config-provision-ref.yaml @@ -0,0 +1,23 @@ +ref: + as: osd-ccs-gcp-wif-config-provision + from: ocm-cli + grace_period: 10m + commands: osd-ccs-gcp-wif-config-provision-commands.sh + resources: + requests: + cpu: 100m + memory: 300Mi + timeout: 30m + env: + - name: OCM_LOGIN_ENV + default: "staging" + documentation: The environment for ocm login. The supported values are [production, staging]. + - name: WIF_CONFIG_NAME + default: "" + documentation: The name of the WIF config to create. If empty, a name will be auto-generated. + - name: GCP_PROJECT_ID + default: "" + documentation: The GCP project ID for the WIF config. If empty, it will be extracted from the osd-ccs-gcp.json credentials file. + documentation: |- + Creates a GCP WIF (Workload Identity Federation) config using ocm cli. + The WIF config ID is written to SHARED_DIR/wif-config-id for use by subsequent steps. diff --git a/ci-operator/step-registry/rosa/e2e/osd-gcp/OWNERS b/ci-operator/step-registry/rosa/e2e/osd-gcp/OWNERS new file mode 100644 index 0000000000000..fe6b5a447676f --- /dev/null +++ b/ci-operator/step-registry/rosa/e2e/osd-gcp/OWNERS @@ -0,0 +1,10 @@ +approvers: +- tiwillia +- dustman9000 +- bmeng +- ravitri +reviewers: +- tiwillia +- dustman9000 +- bmeng +- ravitri diff --git a/ci-operator/step-registry/rosa/e2e/osd-gcp/rosa-e2e-osd-gcp-workflow.metadata.json b/ci-operator/step-registry/rosa/e2e/osd-gcp/rosa-e2e-osd-gcp-workflow.metadata.json new file mode 100644 index 0000000000000..f087e084f61d1 --- /dev/null +++ b/ci-operator/step-registry/rosa/e2e/osd-gcp/rosa-e2e-osd-gcp-workflow.metadata.json 
@@ -0,0 +1,17 @@ +{ + "path": "rosa/e2e/osd-gcp/rosa-e2e-osd-gcp-workflow.yaml", + "owners": { + "approvers": [ + "tiwillia", + "dustman9000", + "bmeng", + "ravitri" + ], + "reviewers": [ + "tiwillia", + "dustman9000", + "bmeng", + "ravitri" + ] + } +} \ No newline at end of file diff --git a/ci-operator/step-registry/rosa/e2e/osd-gcp/rosa-e2e-osd-gcp-workflow.yaml b/ci-operator/step-registry/rosa/e2e/osd-gcp/rosa-e2e-osd-gcp-workflow.yaml new file mode 100644 index 0000000000000..72356949de8ee --- /dev/null +++ b/ci-operator/step-registry/rosa/e2e/osd-gcp/rosa-e2e-osd-gcp-workflow.yaml @@ -0,0 +1,28 @@ +workflow: + as: rosa-e2e-osd-gcp + steps: + env: + COMPUTE_MACHINE_TYPE: "custom-4-16384" + COMPUTE_NODES: "2" + CLUSTER_TOPOLOGY: osd-gcp + ENABLE_WIF: "yes" + HOSTED_CP: "false" + pre: + - ref: osd-ccs-gcp-wif-config-provision + - ref: osd-ccs-cluster-provision-gcp + - ref: osd-ccs-conf-idp-htpasswd + - ref: osd-ccs-conf-idp-htpasswd-multi-users + - ref: osd-ccs-cluster-operators-wait-ready + test: + - ref: rosa-e2e-test + post: + - chain: gather + best_effort: true + - ref: osd-ccs-cluster-deprovision + best_effort: true + - ref: osd-ccs-gcp-wif-config-deprovision + best_effort: true + documentation: |- + This workflow provisions a GCP WIF config, creates an OSD GCP WIF cluster, + runs the rosa-e2e managed service validation suite, then tears down the + cluster and deletes the WIF config.
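Review bot: `best_effort: true` on `osd-ccs-gcp-wif-config-deprovision` means a failed WIF config delete does not fail the job, so leftover configs would accumulate in the GCP project without any signal. This is most likely right after `osd-ccs-cluster-deprovision`, which is itself best-effort: if the cluster still exists when the WIF step runs, the delete may be refused (inferred; neither step's wait behaviour is visible here). I would drop `best_effort: true` from the WIF deprovision ref, or have that step wait until the cluster is gone before deleting.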