diff --git a/integration-tests/pipelines/tsf-cli-e2e.yaml b/integration-tests/pipelines/tsf-cli-e2e.yaml index 7a56e76d2..5efaf96e2 100644 --- a/integration-tests/pipelines/tsf-cli-e2e.yaml +++ b/integration-tests/pipelines/tsf-cli-e2e.yaml @@ -45,6 +45,9 @@ spec: description: OCI image reference used by catalog tasks to store and report pipeline artifacts. type: string default: "quay.io/konflux-test-storage/rhads/tsf-cli:$(context.pipelineRun.name)" + workspaces: + - name: shared-data + description: Shared data between provision and deprovision tasks (passes ocp-login-command via file). tasks: - name: rosa-hcp-metadata taskRef: @@ -64,11 +67,14 @@ spec: resolver: git params: - name: url - value: https://github.com/konflux-ci/tekton-integration-catalog.git + value: $(params.tsf-cli-repo-url) - name: revision - value: main + value: $(params.tsf-cli-revision) - name: pathInRepo - value: tasks/rosa/hosted-cp/rosa-hcp-provision/0.2/rosa-hcp-provision.yaml + value: integration-tests/tasks/rosa-hcp-provision.yaml + workspaces: + - name: shared-data + workspace: shared-data params: - name: cluster-name value: "$(tasks.rosa-hcp-metadata.results.cluster-name)" @@ -147,16 +153,17 @@ spec: resolver: git params: - name: url - value: https://github.com/konflux-ci/tekton-integration-catalog.git + value: $(params.tsf-cli-repo-url) - name: revision - value: main + value: $(params.tsf-cli-revision) - name: pathInRepo - value: tasks/rosa/hosted-cp/rosa-hcp-deprovision/0.2/rosa-hcp-deprovision.yaml + value: integration-tests/tasks/rosa-hcp-deprovision.yaml + workspaces: + - name: shared-data + workspace: shared-data params: - name: test-name value: $(context.pipelineRun.name) - - name: ocp-login-command - value: "$(tasks.provision-rosa.results.ocp-login-command)" - name: oci-container value: "$(params.oci-container)" - name: cluster-name 
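Review bot: The taskRef in the `@@ -64,11 +67,14 @@` hunk now takes `url` and `revision` from `$(params.tsf-cli-repo-url)` and `$(params.tsf-cli-revision)`, so the Task that mounts the cloud-credential secret is whatever that repository and ref contain at run time; the deprovision taskRef in the next hunk and the sprayproxy taskRef in the hunk after it change the same way. Where these params are set is outside the hunks, so confirm they cannot carry a fork URL or branch from an unreviewed pull request, since the resolved script would then run with the AWS and ROSA tokens. If that cannot be ruled out, resolve the three credential-handling tasks from a trusted repository at a commit SHA, or gate the run on approval. A comment above each taskRef such as `# resolved from the PR revision; this task reads konflux-test-infra credentials` would make the trust decision visible.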
@@ -177,14 +184,14 @@ spec: resolver: git params: - name: url - value: https://github.com/konflux-ci/tekton-integration-catalog.git + value: $(params.tsf-cli-repo-url) - name: revision - value: main + value: $(params.tsf-cli-revision) - name: pathInRepo - value: tasks/sprayproxy/sprayproxy-deprovision/0.1/sprayproxy-deprovision.yaml - params: - - name: ocp-login-command - value: "$(tasks.provision-rosa.results.ocp-login-command)" + value: integration-tests/tasks/sprayproxy-deprovision.yaml + workspaces: + - name: shared-data + workspace: shared-data - name: store-pipeline-status taskRef: resolver: git diff --git a/integration-tests/tasks/rosa-hcp-deprovision.yaml b/integration-tests/tasks/rosa-hcp-deprovision.yaml new file mode 100644 index 000000000..eda0b7737 --- /dev/null +++ b/integration-tests/tasks/rosa-hcp-deprovision.yaml 
@@ -0,0 +1,215 @@
+# Forked from: https://github.com/konflux-ci/tekton-integration-catalog
+# Upstream path: tasks/rosa/hosted-cp/rosa-hcp-deprovision/0.2/rosa-hcp-deprovision.yaml
+# Reason: Read ocp-login-command from a shared workspace instead of a param
+# so this finally task is not skipped when provision times out.
+---
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+ name: collect-artifacts-deprovision-rosa
+ labels:
+ app.kubernetes.io/version: "0.1"
+ upstream-usable: "false"
+ annotations:
+ tekton.dev/pipelines.minVersion: 0.12.1
+ tekton.dev/tags: konflux
+spec:
+ description: |
+ This Tekton Task handles the collection of test artifacts and deprovisions the OpenShift cluster. The task performs the following steps:
+ 1. **Collect Artifacts**: Gathers artifacts if the pipeline did not succeed.
+ 2. **Inspect and Upload Artifacts**: Checks for sensitive information in the artifacts and uploads them to the OCI container registry.
+ 3. **Deprovision ROSA Cluster**: Deletes the OpenShift cluster if specified.
+ 4. **Remove Tags from Subnets**: Cleans up tags from AWS subnets associated with the cluster.
+ 5. **Remove Load Balancers**: Deletes any associated AWS load balancers.
+ params:
+ - name: test-name
+ type: string
+ description: The name of the test being executed.
+ - name: ocp-login-command
+ type: string
+ description: Command to log in to the OpenShift cluster.
+ default: ""
+ - name: oci-container
+ type: string
+ description: The ORAS container registry URI where artifacts will be stored.
+ - name: cluster-name
+ type: string
+ description: The name of the OpenShift cluster that is to be deleted.
+ - name: konflux-test-infra-secret
+ type: string
+ description: The name of the secret containing credentials for testing infrastructure.
+ - name: cloud-credential-key
+ type: string
+ description: The key within the konflux-test-infra secret where AWS ROSA configuration details are stored.
+ - name: pipeline-aggregate-status
+ type: string
+ description: The status of the pipeline (e.g., Succeeded, Failed, Completed, None).
+ default: None
+ workspaces:
+ - name: shared-data
+ optional: true
+ description: Shared workspace for reading login command written by the provision task.
+ volumes:
+ - name: konflux-test-infra-volume
+ secret:
+ secretName: konflux-test-infra
+ steps:
+ - name: collect-artifacts
+ workingDir: /workspace/cluster-artifacts
+ onError: continue
+ image: quay.io/konflux-qe-incubator/konflux-qe-tools:latest
+ script: |
+ #!/bin/sh
+ LOGIN_CMD="$(params.ocp-login-command)"
+ if [ -z "${LOGIN_CMD}" ] && [ "$(workspaces.shared-data.bound)" = "true" ] && [ -f "$(workspaces.shared-data.path)/ocp-login-command" ]; then
+ LOGIN_CMD="$(cat "$(workspaces.shared-data.path)/ocp-login-command")"
+ fi
+ if [ -n "${LOGIN_CMD}" ]; then
+ eval "${LOGIN_CMD}"
+ else
+ echo "WARNING: No ocp-login-command available (provision may have timed out). Skipping artifact collection."
+ exit 1
+ fi
+
+ curl -sSL https://raw.githubusercontent.com/konflux-ci/konflux-qe-definitions/main/scripts/gather-extra.sh | bash
+ when:
+ - input: $(params.pipeline-aggregate-status)
+ operator: notin
+ values: ["Succeeded"]
+ - name: secure-push-oci
+ ref:
+ resolver: git
+ params:
+ - name: url
+ value: https://github.com/konflux-ci/tekton-integration-catalog.git
+ - name: revision
+ value: main
+ - name: pathInRepo
+ value: stepactions/secure-push-oci/0.1/secure-push-oci.yaml
+ params:
+ - name: workdir-path
+ value: /workspace
+ - name: oci-ref
+ value: $(params.oci-container)
+ - name: credentials-volume-name
+ value: konflux-test-infra-volume
+ when:
+ - input: $(params.pipeline-aggregate-status)
+ operator: notin
+ values: ["Succeeded"]
+ - name: deprovision-rosa
+ image: quay.io/konflux-qe-incubator/konflux-qe-tools:latest
+ onError: continue
+ volumeMounts:
+ - name: konflux-test-infra-volume
+ mountPath: /usr/local/konflux-test-infra
+ script: |
+ set -euo pipefail
+
+ export CLUSTER_NAME REGION AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY ROSA_TOKEN
+
+ CLUSTER_NAME=$(params.cluster-name)
+ REGION=$(jq -r '.aws["region"]' /usr/local/konflux-test-infra/$(params.cloud-credential-key))
+ AWS_ACCESS_KEY_ID=$(jq -r '.aws["access-key-id"]' /usr/local/konflux-test-infra/$(params.cloud-credential-key))
+ AWS_SECRET_ACCESS_KEY=$(jq -r '.aws["access-key-secret"]' /usr/local/konflux-test-infra/$(params.cloud-credential-key))
+ ROSA_TOKEN=$(jq -r '.aws["rosa-hcp"]["rosa-token"]' /usr/local/konflux-test-infra/$(params.cloud-credential-key))
+
+ config_aws_creds() {
+ aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID
+ aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
+ aws configure set region "$REGION"
+ }
+
+ if [[ -n "$CLUSTER_NAME" ]]; then
+ echo "INFO: [$(date +"%Y/%m/%d %H:%M:%S")] Started to destroy cluster [$CLUSTER_NAME]..."
+
+ printf "INFO: Logging in to your Red Hat account...\n"
+ config_aws_creds
+ rosa login --token="$ROSA_TOKEN"
+
+ rosa delete cluster --region "$REGION" --cluster="$CLUSTER_NAME" -y
+
+ else
+ echo "INFO: No OCP cluster needs to be destroyed."
+ fi
+
+ echo "INFO: [$(date +"%Y/%m/%d %H:%M:%S")] Done"
+ - name: remove-tag-from-subnets
+ image: quay.io/konflux-qe-incubator/konflux-qe-tools:latest
+ onError: continue
+ volumeMounts:
+ - name: konflux-test-infra-volume
+ mountPath: /usr/local/konflux-test-infra
+ script: |
+ set -euo pipefail
+
+ CLUSTER_NAME=$(params.cluster-name)
+ REGION=$(jq -r '.aws["region"]' /usr/local/konflux-test-infra/$(params.cloud-credential-key))
+ AWS_ACCESS_KEY_ID=$(jq -r '.aws["access-key-id"]' /usr/local/konflux-test-infra/$(params.cloud-credential-key))
+ AWS_SECRET_ACCESS_KEY=$(jq -r '.aws["access-key-secret"]' /usr/local/konflux-test-infra/$(params.cloud-credential-key))
+ ROSA_TOKEN=$(jq -r '.aws["rosa-hcp"]["rosa-token"]' /usr/local/konflux-test-infra/$(params.cloud-credential-key))
+ SUBNET_IDS=$(jq -r '.aws["rosa-hcp"]["subnets-ids"]' /usr/local/konflux-test-infra/$(params.cloud-credential-key))
+
+ aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID
+ aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
+ aws configure set region "$REGION"
+
+ echo "INFO: [$(date +"%Y/%m/%d %H:%M:%S")] Started to remove tags of cluster [$CLUSTER_NAME]..."
+
+ printf "INFO: Logging in to your Red Hat account...\n"
+ rosa login --token="$ROSA_TOKEN"
+
+ if [[ -n "$CLUSTER_NAME" ]]; then
+ cluster_id=$(rosa --region "$REGION" describe cluster --cluster="$CLUSTER_NAME" -o json | jq -r .id)
+ echo "INFO: Cluster ID: $cluster_id"
+
+ echo "INFO: Removing tag from subnets [$SUBNET_IDS]..."
+ new_subnet_ids="${SUBNET_IDS//,/ }"
+ aws --region "$REGION" ec2 delete-tags --resources $new_subnet_ids --tags Key="kubernetes.io/cluster/${cluster_id}"
+
+ echo "INFO: [$(date +"%Y/%m/%d %H:%M:%S")] Done"
+ else
+ echo "INFO: No OCP cluster tag needs to be removed."
+ fi
+ - name: remove-load-balancers
+ image: quay.io/konflux-qe-incubator/konflux-qe-tools:latest
+ onError: continue
+ volumeMounts:
+ - name: konflux-test-infra-volume
+ mountPath: /usr/local/konflux-test-infra
+ script: |
+ set -euo pipefail
+
+ export CLUSTER_NAME REGION AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
+
+ CLUSTER_NAME=$(params.cluster-name)
+ REGION=$(jq -r '.aws["region"]' /usr/local/konflux-test-infra/$(params.cloud-credential-key))
+ AWS_ACCESS_KEY_ID=$(jq -r '.aws["access-key-id"]' /usr/local/konflux-test-infra/$(params.cloud-credential-key))
+ AWS_SECRET_ACCESS_KEY=$(jq -r '.aws["access-key-secret"]' /usr/local/konflux-test-infra/$(params.cloud-credential-key))
+
+ aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID
+ aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
+ aws configure set region "$REGION"
+
+ echo "INFO: [$(date +"%Y/%m/%d %H:%M:%S")] Started to remove load balancers of cluster [$CLUSTER_NAME]..."
+
+ ELB_TAG_KEY="api.openshift.com/name"
+ ELB_TAG_VALUE=$(params.cluster-name)
+
+ all_arns=$(aws elbv2 describe-load-balancers --query 'LoadBalancers[*].LoadBalancerArn' --output text)
+
+ batch_size=20
+ arns_to_delete=()
+
+ for arn in $all_arns; do
+ arns_to_delete+=($arn)
+
+ if [ ${#arns_to_delete[@]} -eq $batch_size ]; then
+ aws elbv2 describe-tags --resource-arns ${arns_to_delete[@]} \
+ --query "TagDescriptions[?Tags[?Key=='$ELB_TAG_KEY' && Value=='$ELB_TAG_VALUE']].ResourceArn" --output text | while read matched_arn; do
+ echo "Deleting load balancer with ARN: $matched_arn"
+ aws elbv2 delete-load-balancer --load-balancer-arn $matched_arn
+ done
+ arns_to_delete=()
+ fi
+ done
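Review bot: `collect-artifacts` passes the contents of `$(workspaces.shared-data.path)/ocp-login-command` to `eval`, so any writer of that file, or an unexpected character in the parsed admin password, becomes shell executed in this finally task; the `sprayproxy-deprovision.yaml` hunk does the same in a step that holds `SPRAYPROXY_SERVER_TOKEN`. Having the provision task store the API URL, username and password as separate files and calling `oc login "$api_url" --username "$admin_user" --password "$admin_pass"` here removes the `eval`. The `secure-push-oci` step uploads `workdir-path: /workspace`, and Tekton mounts workspaces under `/workspace/<name>` by default, so the login file is probably inside the pushed tree; deleting the file after login, or narrowing the path to the artifact directory if that is where the collected files land, would keep it out unless the step's scan is known to catch it. Last, the `remove-load-balancers` loop only runs `describe-tags` when a batch reaches 20 ARNs, so the final partial batch is never checked and needs a flush after `done`.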
diff --git a/integration-tests/tasks/rosa-hcp-provision.yaml b/integration-tests/tasks/rosa-hcp-provision.yaml
new file mode 100644
index 000000000..f3028011f
--- /dev/null
+++ b/integration-tests/tasks/rosa-hcp-provision.yaml
@@ -0,0 +1,235 @@
+# Forked from: https://github.com/konflux-ci/tekton-integration-catalog
+# Upstream path: tasks/rosa/hosted-cp/rosa-hcp-provision/0.2/rosa-hcp-provision.yaml
+# Reason: Write ocp-login-command to a shared workspace so that finally tasks
+# can read it even when this task times out (Tekton skips finally tasks
+# that reference unresolvable task-result variables).
+---
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+ name: rosa-hcp-provision
+ labels:
+ app.kubernetes.io/version: "0.1"
+ upstream-usable: "false"
+ annotations:
+ tekton.dev/pipelines.minVersion: 0.12.1
+ tekton.dev/tags: konflux
+spec:
+ description: |
+ The `rosa-hcp-provision` task automates the creation and provisioning of an ephemeral OpenShift cluster using Red Hat OpenShift on AWS (ROSA) with Hosted Control Planes (HCP).
+ The task takes several parameters, including the OpenShift version, AWS machine type, and cluster name, to configure and deploy the cluster on AWS.
+ It uses credentials stored in a Kubernetes secret for authentication and configuration of AWS and ROSA.
+ Once the cluster is provisioned, the task outputs a login command to access the newly created cluster, which can be used in subsequent pipeline steps.
+ The logs from cluster provisioning are than scanned for leaked credentials and pushed to specified OCI artifact
+ results:
+ - name: ocp-login-command
+ description: Command to log in to the newly ephemeral OpenShift cluster.
+ params:
+ - name: ocp-version
+ type: string
+ description: The version of the OpenShift Container Platform (OCP) to deploy. This will be used to fetch the corresponding HCP version for deployment.
+ - name: cluster-name
+ type: string
+ description: The unique name of the OpenShift cluster to be created.
+ - name: machine-type
+ type: string
+ description: The AWS EC2 instance type to be used for the worker nodes of the OpenShift cluster (e.g., m5.xlarge).
+ - name: replicas
+ type: string
+ description: The number of worker nodes to provision in the cluster. Defaults to 3 worker nodes.
+ default: '3'
+ - name: konflux-test-infra-secret
+ type: string
+ description: The name of the Kubernetes secret that contains AWS and ROSA configuration credentials needed for cluster provisioning.
+ - name: cloud-credential-key
+ type: string
+ description: The key within the secret where AWS ROSA configurations (e.g., credentials, roles) are stored.
+ - name: oci-container
+ type: string
+ description: The ORAS container registry URI where artifacts will be stored.
+ workspaces:
+ - name: shared-data
+ optional: true
+ description: Shared workspace for passing login command to finally tasks.
+ volumes:
+ - name: konflux-test-infra-volume
+ secret:
+ secretName: "$(params.konflux-test-infra-secret)"
+ steps:
+ - name: provision
+ image: quay.io/konflux-ci/tekton-integration-catalog/utils:latest
+ onError: continue
+ volumeMounts:
+ - name: konflux-test-infra-volume
+ mountPath: /usr/local/konflux-test-infra
+ workingDir: /workspace/cluster-provision
+ env:
+ - name: CLUSTER_NAME
+ value: "$(params.cluster-name)"
+ - name: OCP_VERSION
+ value: "$(params.ocp-version)"
+ - name: MACHINE_TYPE
+ value: "$(params.machine-type)"
+ script: |
+ set -euo pipefail
+
+ export ROSA_TOKEN AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY BILLING_ACCOUNT_ID AWS_OIDC_CONFIG_ID OPERATOR_ROLES_PREFIX \
+ SUBNET_IDS INSTALL_ROLE_ARN SUPPORT_ROLE_ARN WORKER_ROLE_ARN REGION
+
+ ROSA_TOKEN=$(jq -r '.aws["rosa-hcp"]["rosa-token"]' /usr/local/konflux-test-infra/$(params.cloud-credential-key))
+ AWS_ACCESS_KEY_ID=$(jq -r '.aws["access-key-id"]' /usr/local/konflux-test-infra/$(params.cloud-credential-key))
+ AWS_SECRET_ACCESS_KEY=$(jq -r '.aws["access-key-secret"]' /usr/local/konflux-test-infra/$(params.cloud-credential-key))
+ BILLING_ACCOUNT_ID=$(jq -r '.aws["aws-account-id"]' /usr/local/konflux-test-infra/$(params.cloud-credential-key))
+ AWS_OIDC_CONFIG_ID=$(jq -r '.aws["rosa-hcp"]["aws-oidc-config-id"]' /usr/local/konflux-test-infra/$(params.cloud-credential-key))
+ OPERATOR_ROLES_PREFIX=$(jq -r '.aws["rosa-hcp"]["operator-roles-prefix"]' /usr/local/konflux-test-infra/$(params.cloud-credential-key))
+ SUBNET_IDS=$(jq -r '.aws["rosa-hcp"]["subnets-ids"]' /usr/local/konflux-test-infra/$(params.cloud-credential-key))
+ INSTALL_ROLE_ARN=$(jq -r '.aws["rosa-hcp"]["install-role-arn"]' /usr/local/konflux-test-infra/$(params.cloud-credential-key))
+ SUPPORT_ROLE_ARN=$(jq -r '.aws["rosa-hcp"]["support-role-arn"]' /usr/local/konflux-test-infra/$(params.cloud-credential-key))
+ WORKER_ROLE_ARN=$(jq -r '.aws["rosa-hcp"]["worker-role-arn"]' /usr/local/konflux-test-infra/$(params.cloud-credential-key))
+ REGION=$(jq -r '.aws["region"]' /usr/local/konflux-test-infra/$(params.cloud-credential-key))
+
+ main() {
+ config_aws_creds() {
+ printf "INFO: Configure AWS Credentials...\n"
+ aws configure set aws_access_key_id "$AWS_ACCESS_KEY_ID"
+ aws configure set aws_secret_access_key "$AWS_SECRET_ACCESS_KEY"
+ aws configure set region "$REGION"
+ }
+
+ print_debug_info() {
+ printf "INFO: Print debug info......\n"
+ rosa --region "$REGION" describe cluster --cluster="$CLUSTER_NAME"
+ }
+
+ wait_for() {
+ local command="${1}"
+ local description="${2}"
+ local timeout="${3}"
+ local interval="${4}"
+
+ printf "Waiting for %s for %s...\n" "${description}" "${timeout}"
+ timeout --foreground "${timeout}" bash -c "
+ until ${command}
+ do
+ printf \"Waiting for %s... Trying again in ${interval}s\n\" \"${description}\"
+ sleep ${interval}
+ done
+ " || return 1
+ printf "%s finished!\n" "${description}"
+ }
+
+ check_clusteroperators() {
+ wait_for "kubectl get clusteroperators -A" "cluster operators to be accessible" "2m" "10"
+ echo "[INFO] Cluster operators are accessible."
+ }
+
+ get_hcp_full_version() {
+ rosa_output=$(rosa list version --channel-group stable --region "$REGION" --hosted-cp -o json)
+ raw_id=$(echo "$rosa_output" | jq -r "[.[].raw_id | select(startswith(\"$OCP_VERSION\"))] | max")
+ HCP_FULL_VERSION="$raw_id"
+ if [ -z "$HCP_FULL_VERSION" ]; then
+ echo "Failed to get the HCP full version of $OCP_VERSION" >&2
+ exit 1
+ fi
+ }
+
+ check_cluster_health_endpoint() {
+ cluster_id=$(ocm get clusters --parameter search="name like '$CLUSTER_NAME'" | jq -r '.items[].id')
+ wait_for "ocm get subs --parameter search=\"cluster_id = '$cluster_id'\" | jq -r '.items[0].metrics[0].health_state' | grep -E ^healthy || (kubectl get clusteroperators -A && false)" \
+ "cluster to be reported as healthy" "60m" "60"
+ }
+
+ deploy_cluster() {
+ printf "INFO: Log in to your Red Hat account...\n"
+ config_aws_creds
+ rosa login --token="$ROSA_TOKEN"
+
+ printf "INFO: Create ROSA with HCP cluster...\n"
+ get_hcp_full_version
+ rosa create cluster --cluster-name "$CLUSTER_NAME" \
+ --sts --mode=auto --oidc-config-id "$AWS_OIDC_CONFIG_ID" \
+ --operator-roles-prefix "$OPERATOR_ROLES_PREFIX" --region "$REGION" --version "$HCP_FULL_VERSION" \
+ --role-arn "$INSTALL_ROLE_ARN" \
+ --support-role-arn "$SUPPORT_ROLE_ARN" \
+ --worker-iam-role "$WORKER_ROLE_ARN" \
+ --compute-machine-type "$MACHINE_TYPE" \
+ --subnet-ids="$SUBNET_IDS" \
+ --billing-account "$BILLING_ACCOUNT_ID" \
+ --replicas $(params.replicas) \
+ --tags konflux-ci:true,creation-date:$(date -u +"%Y-%m-%d"),cluster-type:rosa-hcp \
+ --hosted-cp -y
+
+ printf "INFO: Track the progress of the cluster creation...\n"
+ rosa logs install --cluster="$CLUSTER_NAME" --region "$REGION" --watch
+
+ printf "INFO: ROSA with HCP cluster is ready, create a cluster admin account for accessing the cluster\n"
+ admin_output="$(rosa create admin --region "$REGION" --cluster="$CLUSTER_NAME")"
+
+ admin_user="$(echo "$admin_output" | grep -oP '(?<=--username ).*(?= --password)')"
+ admin_pass="$(echo "$admin_output" | grep -oP '(?<=--password ).*')"
+ api_url="$(echo "$admin_output" | grep -oP '(?<=oc login ).*(?= --username)')"
+
+ printf "INFO: Storing login command...\n"
+ echo "oc login $api_url --username $admin_user --password $admin_pass" > $(results.ocp-login-command.path)
+
+ # Also write to shared workspace so finally tasks can access it
+ # even if this task times out after producing the login command.
+ if [ "$(workspaces.shared-data.bound)" = "true" ]; then
+ cp "$(results.ocp-login-command.path)" "$(workspaces.shared-data.path)/ocp-login-command"
+ echo "INFO: Login command also written to shared workspace"
+ fi
+
+ printf "INFO: Check if it's able to login to OCP cluster...\n"
+ max_retries=10
+ retries=0
+
+ while ! oc login "$api_url" --username "$admin_user" --password "$admin_pass" >/dev/null 2>&1; do
+ if [ "$retries" -eq "$max_retries" ]; then
+ echo "ERROR: Failed to login the cluster." >&2
+ print_debug_info
+ exit 1
+ fi
+ sleep 60
+ retries=$((retries + 1))
+ echo "Retried $retries times..."
+ done
+
+ printf "INFO: Check if apiserver is ready...\n"
+ if ! timeout 300s bash -c "while ! kubectl get nodes >/dev/null 2>/dev/null; do printf '.'; sleep 10; done"; then
+ echo "ERROR: API server is not ready" >&2
+ exit 1
+ fi
+ check_clusteroperators
+ check_cluster_health_endpoint
+ }
+
+ deploy_cluster
+ }
+ main 2>&1 | tee cluster-provision.log
+ - name: secure-push-oci
+ ref:
+ resolver: git
+ params:
+ - name: url
+ value: https://github.com/konflux-ci/tekton-integration-catalog.git
+ - name: revision
+ value: main
+ - name: pathInRepo
+ value: stepactions/secure-push-oci/0.1/secure-push-oci.yaml
+ params:
+ - name: workdir-path
+ value: /workspace/cluster-provision
+ - name: oci-ref
+ value: $(params.oci-container)
+ - name: credentials-volume-name
+ value: konflux-test-infra-volume
+ - name: fail-if-any-step-failed
+ ref:
+ resolver: git
+ params:
+ - name: url
+ value: https://github.com/konflux-ci/tekton-integration-catalog.git
+ - name: revision
+ value: main
+ - name: pathInRepo
+ value: stepactions/fail-if-any-step-failed/0.1/fail-if-any-step-failed.yaml
diff --git a/integration-tests/tasks/sprayproxy-deprovision.yaml b/integration-tests/tasks/sprayproxy-deprovision.yaml
new file mode 100644
index 000000000..8d1956f32
--- /dev/null
+++ b/integration-tests/tasks/sprayproxy-deprovision.yaml
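Review bot: The `cp` into `$(workspaces.shared-data.path)/ocp-login-command` in rosa-hcp-provision.yaml leaves the cluster-admin password in clear text on the shared volume, with whatever mode the default umask gives, for as long as that volume exists. Set `umask 077` before the write (or `chmod 600` the copy) and have the last finally task remove the file once it has logged in. The stored line is built by interpolating `$admin_pass` unquoted into a command string that the deprovision tasks later `eval`, so a password containing shell metacharacters would break or alter that command; writing the URL, username and password as separate files avoids both the quoting problem and the `eval`. The comment above the `cp` should also say that the file contains credentials, for example `# contains the admin password: keep mode 0600, removed by the finally tasks`.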
@@ -0,0 +1,85 @@
+# Forked from: https://github.com/konflux-ci/tekton-integration-catalog
+# Upstream path: tasks/sprayproxy/sprayproxy-deprovision/0.1/sprayproxy-deprovision.yaml
+# Reason: Read ocp-login-command from a shared workspace instead of a param
+# so this finally task is not skipped when provision times out.
+---
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+ name: sprayproxy-unregister-server
+ labels:
+ app.kubernetes.io/version: "0.1"
+ upstream-usable: "false"
+ annotations:
+ tekton.dev/pipelines.minVersion: 0.12.1
+ tekton.dev/tags: konflux
+spec:
+ description: |
+ The `sprayproxy-unregister-server` Task is designed to unregister Pipelines as Code (PAC) servers from the SprayProxy server.
+ It retrieves the list of currently registered PAC servers, checks their availability, and removes any unreachable PAC servers
+ from the SprayProxy backend. The task ensures that the server is unregistered cleanly and retries the operation if necessary.
+ params:
+ - name: ocp-login-command
+ type: string
+ description: The OpenShift login command used to authenticate to the cluster.
+ default: ""
+ workspaces:
+ - name: shared-data
+ optional: true
+ description: Shared workspace for reading login command written by the provision task.
+ steps:
+ - name: provision
+ image: quay.io/konflux-qe-incubator/konflux-qe-tools:latest
+ env:
+ - name: SPRAYPROXY_SERVER_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: "sprayproxy-auth"
+ key: "server-token"
+ - name: SPRAYPROXY_SERVER_URL
+ valueFrom:
+ secretKeyRef:
+ name: "sprayproxy-auth"
+ key: "server-url"
+ script: |
+ #!/usr/bin/env bash
+ set -o errexit
+ set -o nounset
+ set -o pipefail
+
+ LOGIN_CMD="$(params.ocp-login-command)"
+ if [ -z "${LOGIN_CMD}" ] && [ "$(workspaces.shared-data.bound)" = "true" ] && [ -f "$(workspaces.shared-data.path)/ocp-login-command" ]; then
+ LOGIN_CMD="$(cat "$(workspaces.shared-data.path)/ocp-login-command")"
+ fi
+ if [ -z "${LOGIN_CMD}" ]; then
+ echo "ERROR: No ocp-login-command available, cannot unregister from sprayproxy"
+ exit 1
+ fi
+
+ echo -e "INFO: Login to ephemeral cluster..."
+ eval "${LOGIN_CMD}"
+
+ export WEBHOOK_URL=https://"$(oc get route pipelines-as-code-controller -n openshift-pipelines -o jsonpath='{.spec.host}')"
+
+ unregister_pac_server(){
+ echo "Unregistering PAC server [$WEBHOOK_URL] from SprayProxy server"
+ for _ in {1..5}; do
+ if curl -k -X DELETE -H "Authorization: Bearer ${SPRAYPROXY_SERVER_TOKEN}" "${SPRAYPROXY_SERVER_URL}"/backends --data '{"url": "'"$WEBHOOK_URL"'"}'; then
+ break
+ fi
+ sleep 5
+ done
+ }
+
+ list_pac_servers(){
+ echo "List PAC server from SprayProxy servers"
+ for _ in {1..5}; do
+ if curl -k -X GET -H "Authorization: Bearer ${SPRAYPROXY_SERVER_TOKEN}" "${SPRAYPROXY_SERVER_URL}"/backends; then
+ break
+ fi
+ sleep 5
+ done
+ }
+
+ unregister_pac_server
+ list_pac_servers
diff --git a/integration-tests/tasks/start-pipeline.yaml b/integration-tests/tasks/start-pipeline.yaml
index 93d8c7438..61c1f66ab 100644
--- a/integration-tests/tasks/start-pipeline.yaml
+++ b/integration-tests/tasks/start-pipeline.yaml
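Review bot: Both `curl` calls in sprayproxy-deprovision.yaml pass `-k`, which turns off certificate verification on the requests that carry `Authorization: Bearer ${SPRAYPROXY_SERVER_TOKEN}`, so the token goes to whatever endpoint answers for `SPRAYPROXY_SERVER_URL`. Drop `-k`, or if the server is signed by a private CA, supply it with `--cacert`. Neither retry loop fails the step when all five attempts fail, and `curl` without `--fail` returns 0 on HTTP error responses, so an unsuccessful unregister is reported as success; adding `--fail` and returning non-zero after the loop would surface it. The step is named `provision` although it unregisters a backend, and `unregister` would read better in the run logs.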
@@ -152,6 +152,17 @@ spec: pipeline_url="https://raw.githubusercontent.com/${URL_ORG}/${URL_REPOSITORY}/${GIT_REVISION}/integration-tests/pipelines/tsf-cli-e2e.yaml" echo "Starting tsf-cli-e2e pipeline from ${pipeline_url} for OCP version ${OCP_VERSION}" + # Create volumeClaimTemplate for the shared-data workspace used to pass + # ocp-login-command from provision to finally tasks. + cat > /tmp/vct-shared-data.yaml << 'VCTEOF' + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 10Mi + VCTEOF + # Required child params and static pipeline labels. tkn_params=( "--param" "ocp-version=${OCP_VERSION}" @@ -177,6 +188,7 @@ spec: "-o" "name" "--serviceaccount" "konflux-integration-runner" "--pipeline-timeout" "2h0m" + "--workspace" "name=shared-data,volumeClaimTemplateFile=/tmp/vct-shared-data.yaml" ) # Keep child pipeline default image unless job-spec provides one.