refactored
- job templates now include image streams, build configs, service accounts and rbac
  objects to make them usable standalone
- deployment jobs do not redeploy sdi-observer's objects anymore and
  vice-versa

Signed-off-by: Michal Minář <miminar@redhat.com>
Michal Minář committed Apr 28, 2020
1 parent 68f817d commit 94aa605
Showing 17 changed files with 971 additions and 504 deletions.
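--- a/letsencrypt/deploy-job-template.json
+++ b/letsencrypt/deploy-job-template.json
@@ -81,6 +81,126 @@
 }
 }
 }
+},
+{
+"apiVersion": "v1",
+"kind": "ServiceAccount",
+"metadata": {
+"labels": {
+"created-by": "letsencrypt-deploy",
+"deploymentconfig": "sdi-observer"
+},
+"name": "sdi-observer",
+"namespace": "${NAMESPACE}"
+}
+},
+{
+"apiVersion": "rbac.authorization.k8s.io/v1",
+"kind": "ClusterRoleBinding",
+"metadata": {
+"labels": {
+"deploymentconfig": "sdi-observer"
+},
+"name": "sdi-observer-admin"
+},
+"roleRef": {
+"apiGroup": "rbac.authorization.k8s.io",
+"kind": "ClusterRole",
+"name": "admin"
+},
+"subjects": [
+{
+"kind": "ServiceAccount",
+"name": "sdi-observer",
+"namespace": "${NAMESPACE}"
+}
+]
+},
+{
+"apiVersion": "build.openshift.io/v1",
+"kind": "BuildConfig",
+"metadata": {
+"labels": {
+"created-by": "letsencrypt-deploy",
+"deploymentconfig": "sdi-observer"
+},
+"name": "sdi-observer",
+"namespace": "${NAMESPACE}"
+},
+"spec": {
+"output": {
+"to": {
+"kind": "ImageStreamTag",
+"name": "sdi-observer:${OCP_MINOR_RELEASE}"
+}
+},
+"runPolicy": "Serial",
+"source": {
+"dockerfile": "FROM openshift/cli:latest\nRUN dnf update -y\n# TODO: jq is not yet available in EPEL-8\nRUN dnf install -y \\\n https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm && \\\n dnf install -y jq\nRUN dnf install -y \\\n https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && \\\n dnf install -y parallel procps-ng bc git httpd-tools && dnf clean all -y\n# TODO: determine OCP version from environment\nCOPY https://mirror.openshift.com/pub/openshift-v4/clients/ocp/latest-${OCP_MINOR_RELEASE}/openshift-client-linux.tar.gz /tmp/\nCOPY https://mirror.openshift.com/pub/openshift-v4/clients/ocp/latest-${OCP_MINOR_RELEASE}/sha256sum.txt /tmp/\n# verify the downloaded tar\nRUN /bin/bash -c 'f=/tmp/openshift-client-linux.tar.gz; \\\n got=\"$(awk '\"'\"'{print $1}'\"'\"' <(sha256sum \"$f\"))\"; \\\n exp=\"$(awk '\"'\"'/openshift-client-linux-/ {print $1}'\"'\"' /tmp/sha256sum.txt | head -n 1)\"; \\\n if [[ \"$got\" != \"$exp\" ]]; then printf \\\n '\"'\"'Unexpected hashsum of %s (expected \"%s\", got \"%s\")\\n!'\"'\"' \"$f\" \"$exp\" \"$got\" >&2; \\\n exit 1; \\\n fi'\nRUN /bin/bash -c 'tar -C /usr/local/bin/ -xzvf /tmp/openshift-client-linux.tar.gz -T <(printf oc)'\n# TODO: verify signatures as well\nRUN mkdir -p /usr/local/bin /usr/local/share/openshift-acme\nRUN git clone --depth 5 --single-branch \\\n --branch ${LETSENCRYPT_REVISION} \\\n ${LETSENCRYPT_REPOSITORY} /usr/local/share/openshift-acme\nRUN git clone --depth 5 --single-branch \\\n --branch ${SDI_OBSERVER_GIT_REVISION} \\\n ${SDI_OBSERVER_REPOSITORY} /usr/local/share/sap-data-intelligence\nRUN for bin in observer.sh deploy-registry.sh deploy-letsencrypt.sh; do \\\n cp -lv $(find /usr/local/share/sap-data-intelligence \\\n -type f -executable -name \"$bin\") \\\n /usr/local/bin/$bin; \\\n chmod a+rx /usr/local/bin/$bin; \\\n done\nRUN ln -s /usr/local/share/sap-data-intelligence /usr/local/share/sdi\nWORKDIR /usr/local/share/sdi\nCMD [\"/usr/local/bin/observer.sh\"]"
+},
+"strategy": {
+"dockerStrategy": {
+"from": {
+"kind": "ImageStreamTag",
+"name": "ubi8:latest"
+},
+"pullSecret": {
+"name": "${REDHAT_REGISTRY_SECRET_NAME}"
+}
+}
+},
+"triggers": [
+{
+"type": "ImageChange"
+},
+{
+"type": "ConfigChange"
+}
+]
+}
+},
+{
+"apiVersion": "v1",
+"kind": "ImageStream",
+"metadata": {
+"labels": {
+"created-by": "letsencrypt-deploy"
+},
+"name": "sdi-observer",
+"namespace": "${NAMESPACE}"
+},
+"spec": null,
+"status": {
+"dockerImageRepository": ""
+}
+},
+{
+"apiVersion": "v1",
+"kind": "ImageStream",
+"metadata": {
+"labels": {
+"created-by": "letsencrypt-deploy"
+},
+"name": "ubi8",
+"namespace": "${NAMESPACE}"
+},
+"spec": {
+"tags": [
+{
+"from": {
+"kind": "DockerImage",
+"name": "registry.redhat.io/ubi8/ubi:latest"
+},
+"name": "latest",
+"referencePolicy": {
+"type": "Source"
+}
+}
+]
+},
+"status": {
+"dockerImageRepository": ""
+}
 }
 ],
 "parameters": [
@@ -141,6 +261,23 @@
 "name": "SCRIPT_ARGUMENTS",
 "required": false,
 "value": "[\"--wait\"]"
+},
+{
+"description": "Name of the secret with credentials for registry.redhat.io registry. Please visit\nhttps://access.redhat.com/terms-based-registry/ to obtain the OpenShift secret. For\nmore details, please refer to https://access.redhat.com/RegistryAuthentication.'\n",
+"name": "REDHAT_REGISTRY_SECRET_NAME",
+"required": true
+},
+{
+"description": "URL of SDI Observer's git repository to clone into sdi-observer image.\n",
+"name": "SDI_OBSERVER_REPOSITORY",
+"required": true,
+"value": "https://github.com/redhat-sap/sap-data-intelligence"
+},
+{
+"description": "Revision (e.g. tag, commit or branch) of SDI Observer's git repository to check out.\n",
+"name": "SDI_OBSERVER_GIT_REVISION",
+"required": true,
+"value": "master"
 }
 ]
 }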
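Review bot: The added `ClusterRoleBinding` named `sdi-observer-admin` in the first hunk binds the `admin` ClusterRole to the `sdi-observer` service account cluster-wide, so a token from that pod can administer every namespace rather than only `${NAMESPACE}`. If the job only manages objects in its own project, a namespaced binding is enough: `"kind": "RoleBinding"` with `"namespace": "${NAMESPACE}"` under `metadata`, plus a separate RoleBinding in any other namespace it really has to touch. The binding's name is also fixed and cluster-scoped, so instantiating the template in a second namespace would contend for the same object, and unlike the other added objects it carries no `created-by` label. In the second hunk `SDI_OBSERVER_GIT_REVISION` defaults to `master`, so the scripts baked into the image are whatever that branch holds at build time; defaulting to a release tag would make the build reproducible and reviewable.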
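--- a/lib/common.sh
+++ b/lib/common.sh
@@ -279,6 +279,9 @@ function createOrReplace() {
 object="$(jq '.metadata.namespace |= "'"$namespace"'"' <<<"$object")"
 fi
 
+local creator=""
+creator="$(jq -r '.metadata.labels["created-by"]' <<<"$object")" ||:
+
 IFS=: read -r namespace kind name <<<"$(oc create --dry-run -f - -o \
 jsonpath=$'{.metadata.namespace}:{.kind}:{.metadata.name}\n' <<<"$object")"
 namespace="${namespace:-$NAMESPACE}"
@@ -299,6 +302,13 @@ function createOrReplace() {
 fi
 return 0
 fi
+originalCreator="$(oc labels --list "$kind" "$name" | sed -n 's/^created-by=\(.\+\)/\1/p')"
+
+if [[ -n "${originalCreator:-}" && "${originalCreator}" != "${creator:-}" ]]; then
+log 'Not replacing %s/%s created by "%s" with a new object created by "%s".' \
+"$kind" "$name" "$originalCreator" "$creator"
+return 0
+fi
 args=( -f - )
 if _forceReplace "$kind" "$force" "${err:-}"; then
 args+=( --force )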
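Review bot: In the first hunk `jq -r '.metadata.labels["created-by"]'` prints the literal word `null` when the object has no such label, so `creator` is `"null"` rather than empty and that word is what gets compared and logged; `jq -r '.metadata.labels["created-by"] // empty'` gives an empty string instead. In the second hunk `originalCreator` is assigned without `local`, so it leaks out of the function, and `oc labels --list "$kind" "$name"` does not pass the `namespace` resolved just above, so the ownership guard may read the label from the current project rather than from the object about to be replaced; adding `-n "$namespace"` would tie the check to the right object. createOrReplace starts and ends outside both hunks, so check how the surrounding `oc` calls select the namespace before changing this.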
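--- a/observer/observer.sh
+++ b/observer/observer.sh
@@ -204,6 +204,7 @@ function checkPermissions() {
 readarray -t registryKinds <<<"$(oc process \
 NAMESPACE="${NAMESPACE:-foo}" \
 REDHAT_REGISTRY_SECRET_NAME=foo \
+OCP_MINOR_RELEASE="${OCP_MINOR_RELEASE:-foo}" \
 -f "$(getRegistryTemplatePath)" -o jsonpath=$'{range .items[*]}{.kind}\n{end}')"
 for kind in "${registryKinds[@],,}"; do
 toCheck+=( "${nmprefix}create/${kind}" )
@@ -283,6 +284,7 @@ function deployComponent() {
 EXPOSE_WITH_LETSENCRYPT="${EXPOSE_WITH_LETSENCRYPT:-}"
 REDHAT_REGISTRY_SECRET_NAME="${REDHAT_REGISTRY_SECRET_NAME:-}"
 REPLACE_PERSISTENT_VOLUME_CLAIMS="${REPLACE_PERSISTENT_VOLUME_CLAIMS:-}"
+OCP_MINOR_RELEASE="${OCP_MINOR_RELEASE:-}"
 )
 ;;
 letsencrypt)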
