Skip to content

Fix rosa deprovision #180

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
rhopp wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Fix rosa deprovision #180

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
2840189
fix: pass ocp-login-command via workspace to prevent finally task skip
rhopp Apr 30, 2026
097f581
TEMP: add sleep to force provision timeout for testing
rhopp Apr 30, 2026
399c620
fix: use YAML format for volumeClaimTemplate file (tkn requires .yaml)
rhopp Apr 30, 2026
7f7d5ee
revert: remove temp sleep from provision task
rhopp Apr 30, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
35 changes: 21 additions & 14 deletions integration-tests/pipelines/tsf-cli-e2e.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,9 @@ spec:
description: OCI image reference used by catalog tasks to store and report pipeline artifacts.
type: string
default: "quay.io/konflux-test-storage/rhads/tsf-cli:$(context.pipelineRun.name)"
workspaces:
- name: shared-data
description: Shared data between provision and deprovision tasks (passes ocp-login-command via file).
tasks:
- name: rosa-hcp-metadata
taskRef:
Expand All @@ -64,11 +67,14 @@ spec:
resolver: git
params:
- name: url
value: https://github.com/konflux-ci/tekton-integration-catalog.git
value: $(params.tsf-cli-repo-url)
- name: revision
value: main
value: $(params.tsf-cli-revision)
- name: pathInRepo
value: tasks/rosa/hosted-cp/rosa-hcp-provision/0.2/rosa-hcp-provision.yaml
value: integration-tests/tasks/rosa-hcp-provision.yaml
workspaces:
- name: shared-data
workspace: shared-data
params:
- name: cluster-name
value: "$(tasks.rosa-hcp-metadata.results.cluster-name)"
Expand Down Expand Up @@ -147,16 +153,17 @@ spec:
resolver: git
params:
- name: url
value: https://github.com/konflux-ci/tekton-integration-catalog.git
value: $(params.tsf-cli-repo-url)
- name: revision
value: main
value: $(params.tsf-cli-revision)
- name: pathInRepo
value: tasks/rosa/hosted-cp/rosa-hcp-deprovision/0.2/rosa-hcp-deprovision.yaml
value: integration-tests/tasks/rosa-hcp-deprovision.yaml
workspaces:
- name: shared-data
workspace: shared-data
params:
- name: test-name
value: $(context.pipelineRun.name)
- name: ocp-login-command
value: "$(tasks.provision-rosa.results.ocp-login-command)"
- name: oci-container
value: "$(params.oci-container)"
- name: cluster-name
Expand All @@ -177,14 +184,14 @@ spec:
resolver: git
params:
- name: url
value: https://github.com/konflux-ci/tekton-integration-catalog.git
value: $(params.tsf-cli-repo-url)
- name: revision
value: main
value: $(params.tsf-cli-revision)
- name: pathInRepo
value: tasks/sprayproxy/sprayproxy-deprovision/0.1/sprayproxy-deprovision.yaml
params:
- name: ocp-login-command
value: "$(tasks.provision-rosa.results.ocp-login-command)"
value: integration-tests/tasks/sprayproxy-deprovision.yaml
workspaces:
- name: shared-data
workspace: shared-data
- name: store-pipeline-status
taskRef:
resolver: git
Expand Down
215 changes: 215 additions & 0 deletions integration-tests/tasks/rosa-hcp-deprovision.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,215 @@
# Forked from: https://github.com/konflux-ci/tekton-integration-catalog
# Upstream path: tasks/rosa/hosted-cp/rosa-hcp-deprovision/0.2/rosa-hcp-deprovision.yaml
# Reason: Read ocp-login-command from a shared workspace instead of a param
# so this finally task is not skipped when provision times out.
---
apiVersion: tekton.dev/v1
kind: Task
metadata:
name: collect-artifacts-deprovision-rosa
labels:
app.kubernetes.io/version: "0.1"
upstream-usable: "false"
annotations:
tekton.dev/pipelines.minVersion: 0.12.1
tekton.dev/tags: konflux
spec:
description: |
This Tekton Task handles the collection of test artifacts and deprovisions the OpenShift cluster. The task performs the following steps:
1. **Collect Artifacts**: Gathers artifacts if the pipeline did not succeed.
2. **Inspect and Upload Artifacts**: Checks for sensitive information in the artifacts and uploads them to the OCI container registry.
3. **Deprovision ROSA Cluster**: Deletes the OpenShift cluster if specified.
4. **Remove Tags from Subnets**: Cleans up tags from AWS subnets associated with the cluster.
5. **Remove Load Balancers**: Deletes any associated AWS load balancers.
params:
- name: test-name
type: string
description: The name of the test being executed.
- name: ocp-login-command
type: string
description: Command to log in to the OpenShift cluster.
default: ""
- name: oci-container
type: string
description: The ORAS container registry URI where artifacts will be stored.
- name: cluster-name
type: string
description: The name of the OpenShift cluster that is to be deleted.
- name: konflux-test-infra-secret
type: string
description: The name of the secret containing credentials for testing infrastructure.
- name: cloud-credential-key
type: string
description: The key within the konflux-test-infra secret where AWS ROSA configuration details are stored.
- name: pipeline-aggregate-status
type: string
description: The status of the pipeline (e.g., Succeeded, Failed, Completed, None).
default: None
workspaces:
- name: shared-data
optional: true
description: Shared workspace for reading login command written by the provision task.
volumes:
- name: konflux-test-infra-volume
secret:
secretName: konflux-test-infra
steps:
- name: collect-artifacts
workingDir: /workspace/cluster-artifacts
onError: continue
image: quay.io/konflux-qe-incubator/konflux-qe-tools:latest
script: |
#!/bin/sh
LOGIN_CMD="$(params.ocp-login-command)"
if [ -z "${LOGIN_CMD}" ] && [ "$(workspaces.shared-data.bound)" = "true" ] && [ -f "$(workspaces.shared-data.path)/ocp-login-command" ]; then
LOGIN_CMD="$(cat "$(workspaces.shared-data.path)/ocp-login-command")"
fi
if [ -n "${LOGIN_CMD}" ]; then
eval "${LOGIN_CMD}"
else
echo "WARNING: No ocp-login-command available (provision may have timed out). Skipping artifact collection."
exit 1
fi

curl -sSL https://raw.githubusercontent.com/konflux-ci/konflux-qe-definitions/main/scripts/gather-extra.sh | bash
when:
- input: $(params.pipeline-aggregate-status)
operator: notin
values: ["Succeeded"]
- name: secure-push-oci
ref:
resolver: git
params:
- name: url
value: https://github.com/konflux-ci/tekton-integration-catalog.git
- name: revision
value: main
- name: pathInRepo
value: stepactions/secure-push-oci/0.1/secure-push-oci.yaml
params:
- name: workdir-path
value: /workspace
- name: oci-ref
value: $(params.oci-container)
- name: credentials-volume-name
value: konflux-test-infra-volume
when:
- input: $(params.pipeline-aggregate-status)
operator: notin
values: ["Succeeded"]
- name: deprovision-rosa
image: quay.io/konflux-qe-incubator/konflux-qe-tools:latest
onError: continue
volumeMounts:
- name: konflux-test-infra-volume
mountPath: /usr/local/konflux-test-infra
script: |
set -euo pipefail

export CLUSTER_NAME REGION AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY ROSA_TOKEN

CLUSTER_NAME=$(params.cluster-name)
REGION=$(jq -r '.aws["region"]' /usr/local/konflux-test-infra/$(params.cloud-credential-key))
AWS_ACCESS_KEY_ID=$(jq -r '.aws["access-key-id"]' /usr/local/konflux-test-infra/$(params.cloud-credential-key))
AWS_SECRET_ACCESS_KEY=$(jq -r '.aws["access-key-secret"]' /usr/local/konflux-test-infra/$(params.cloud-credential-key))
ROSA_TOKEN=$(jq -r '.aws["rosa-hcp"]["rosa-token"]' /usr/local/konflux-test-infra/$(params.cloud-credential-key))

config_aws_creds() {
aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID
aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
aws configure set region "$REGION"
}

if [[ -n "$CLUSTER_NAME" ]]; then
echo "INFO: [$(date +"%Y/%m/%d %H:%M:%S")] Started to destroy cluster [$CLUSTER_NAME]..."

printf "INFO: Logging in to your Red Hat account...\n"
config_aws_creds
rosa login --token="$ROSA_TOKEN"

rosa delete cluster --region "$REGION" --cluster="$CLUSTER_NAME" -y

else
echo "INFO: No OCP cluster needs to be destroyed."
fi

echo "INFO: [$(date +"%Y/%m/%d %H:%M:%S")] Done"
- name: remove-tag-from-subnets
image: quay.io/konflux-qe-incubator/konflux-qe-tools:latest
onError: continue
volumeMounts:
- name: konflux-test-infra-volume
mountPath: /usr/local/konflux-test-infra
script: |
set -euo pipefail

CLUSTER_NAME=$(params.cluster-name)
REGION=$(jq -r '.aws["region"]' /usr/local/konflux-test-infra/$(params.cloud-credential-key))
AWS_ACCESS_KEY_ID=$(jq -r '.aws["access-key-id"]' /usr/local/konflux-test-infra/$(params.cloud-credential-key))
AWS_SECRET_ACCESS_KEY=$(jq -r '.aws["access-key-secret"]' /usr/local/konflux-test-infra/$(params.cloud-credential-key))
ROSA_TOKEN=$(jq -r '.aws["rosa-hcp"]["rosa-token"]' /usr/local/konflux-test-infra/$(params.cloud-credential-key))
SUBNET_IDS=$(jq -r '.aws["rosa-hcp"]["subnets-ids"]' /usr/local/konflux-test-infra/$(params.cloud-credential-key))

aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID
aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
aws configure set region "$REGION"

echo "INFO: [$(date +"%Y/%m/%d %H:%M:%S")] Started to remove tags of cluster [$CLUSTER_NAME]..."

printf "INFO: Logging in to your Red Hat account...\n"
rosa login --token="$ROSA_TOKEN"

if [[ -n "$CLUSTER_NAME" ]]; then
cluster_id=$(rosa --region "$REGION" describe cluster --cluster="$CLUSTER_NAME" -o json | jq -r .id)
echo "INFO: Cluster ID: $cluster_id"

echo "INFO: Removing tag from subnets [$SUBNET_IDS]..."
new_subnet_ids="${SUBNET_IDS//,/ }"
aws --region "$REGION" ec2 delete-tags --resources $new_subnet_ids --tags Key="kubernetes.io/cluster/${cluster_id}"

echo "INFO: [$(date +"%Y/%m/%d %H:%M:%S")] Done"
else
echo "INFO: No OCP cluster tag needs to be removed."
fi
- name: remove-load-balancers
image: quay.io/konflux-qe-incubator/konflux-qe-tools:latest
onError: continue
volumeMounts:
- name: konflux-test-infra-volume
mountPath: /usr/local/konflux-test-infra
script: |
set -euo pipefail

export CLUSTER_NAME REGION AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY

CLUSTER_NAME=$(params.cluster-name)
REGION=$(jq -r '.aws["region"]' /usr/local/konflux-test-infra/$(params.cloud-credential-key))
AWS_ACCESS_KEY_ID=$(jq -r '.aws["access-key-id"]' /usr/local/konflux-test-infra/$(params.cloud-credential-key))
AWS_SECRET_ACCESS_KEY=$(jq -r '.aws["access-key-secret"]' /usr/local/konflux-test-infra/$(params.cloud-credential-key))

aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID
aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
aws configure set region "$REGION"
Copy link
Copy Markdown
Member

@dperaza4dustbit dperaza4dustbit Apr 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would avoid aws configure, this writes to file system. I think using env vars in memory should be enough: https://docs.aws.amazon.com/cli/v1/userguide/cli-configure-envvars.html


echo "INFO: [$(date +"%Y/%m/%d %H:%M:%S")] Started to remove load balancers of cluster [$CLUSTER_NAME]..."

ELB_TAG_KEY="api.openshift.com/name"
ELB_TAG_VALUE=$(params.cluster-name)

all_arns=$(aws elbv2 describe-load-balancers --query 'LoadBalancers[*].LoadBalancerArn' --output text)

batch_size=20
arns_to_delete=()

for arn in $all_arns; do
arns_to_delete+=($arn)

if [ ${#arns_to_delete[@]} -eq $batch_size ]; then
aws elbv2 describe-tags --resource-arns ${arns_to_delete[@]} \
--query "TagDescriptions[?Tags[?Key=='$ELB_TAG_KEY' && Value=='$ELB_TAG_VALUE']].ResourceArn" --output text | while read matched_arn; do
echo "Deleting load balancer with ARN: $matched_arn"
aws elbv2 delete-load-balancer --load-balancer-arn $matched_arn
done
arns_to_delete=()
fi
done
Loading