From b1dacef3f065d4976ce663d1699250c124114137 Mon Sep 17 00:00:00 2001
From: Jochen Ehret
Date: Mon, 13 Nov 2023 15:54:27 +0100
Subject: [PATCH 1/8] Validation pipeline for FIPS stemcell
* this initial commit still uses the default stemcell
---
ci/pipelines/fips-stemcell.yml | 250 +++++++++++++++++++++++++++++++++
1 file changed, 250 insertions(+)
create mode 100644 ci/pipelines/fips-stemcell.yml
diff --git a/ci/pipelines/fips-stemcell.yml b/ci/pipelines/fips-stemcell.yml
new file mode 100644
index 000000000..7622d7e92
--- /dev/null
+++ b/ci/pipelines/fips-stemcell.yml
@@ -0,0 +1,250 @@
+resources:
+ - name: fips-pool
+ type: pool
+ icon: pool
+ source:
+ uri: git@github.com:cloudfoundry/relint-ci-pools
+ branch: main
+ pool: cf-deployment/fips
+ private_key: ((ard_wg_gitbot_ssh_key.private_key))
+
+ - name: cf-deployment-concourse-tasks
+ type: git
+ icon: github
+ source:
+ uri: https://github.com/cloudfoundry/cf-deployment-concourse-tasks.git
+
+ - name: runtime-ci
+ type: git
+ icon: github
+ source:
+ branch: main
+ uri: https://github.com/cloudfoundry/runtime-ci.git
+
+ - name: relint-envs
+ type: git
+ icon: github
+ source:
+ branch: main
+ uri: git@github.com:cloudfoundry/relint-envs.git
+ private_key: ((ard_wg_gitbot_ssh_key.private_key))
+
+ - name: cf-smoke-tests
+ type: git
+ icon: github
+ source:
+ uri: https://github.com/cloudfoundry/cf-smoke-tests
+
+ - name: cf-deployment-main
+ type: git
+ icon: github
+ source:
+ branch: main
+ uri: git@github.com:cloudfoundry/cf-deployment.git
+ private_key: ((ard_wg_gitbot_ssh_key.private_key))
+ ignore_paths:
+ - .envrc
+ - .overcommit.yml
+ - ISSUE_TEMPLATE.md
+ - PULL_REQUEST_TEMPLATE.md
+ - ci/**
+ - texts/**
+
+ - name: cf-acceptance-tests-rc
+ type: git
+ icon: github
+ source:
+ branch: release-candidate
+ uri: https://github.com/cloudfoundry/cf-acceptance-tests.git
+
+jobs:
+ - name: fips-acquire-pool
+ serial: true
+ public: true
+ plan:
+ - in_parallel:
+ - get: cf-deployment-main
+ trigger: true
+ - put: fips-pool
+ params: { acquire: true }
+ timeout: 4h
+
+ - name: fips-release-pool-manual
+ public: true
+ plan:
+ - get: fips-pool
+ ensure:
+ try:
+ put: fips-pool
+ params: {release: fips-pool}
+
+ - name: fips-deploy
+ serial_groups: [ fips-cats, fips-smokes ]
+ public: true
+ plan:
+ - get: fips-pool
+ trigger: true
+ passed: [fips-acquire-pool]
+ - in_parallel:
+ - get: cf-deployment-main
+ passed: [fips-acquire-pool]
+ - get: cf-deployment-concourse-tasks
+ - get: runtime-ci
+ - get: relint-envs
+ - get: cf-smoke-tests
+ - task: guarantee-no-existing-cf-deployment
+ file: cf-deployment-concourse-tasks/bosh-delete-deployment/task.yml
+ input_mapping:
+ bbl-state: relint-envs
+ params:
+ BBL_STATE_DIR: environments/test/snape/bbl-state
+ IGNORE_ERRORS: true
+ - task: bosh-deploy-cf
+ file: cf-deployment-concourse-tasks/bosh-deploy/task.yml
+ input_mapping:
+ bbl-state: relint-envs
+ cf-deployment: cf-deployment-main
+ ops-files: cf-deployment-main
+ vars-files: relint-envs
+ params:
+ BBL_STATE_DIR: environments/test/snape/bbl-state
+ SYSTEM_DOMAIN: cf.snape.env.wg-ard.ci.cloudfoundry.org
+ OPS_FILES: |
+ operations/addons/enable-component-syslog.yml
+ operations/addons/add-system-metrics-agent.yml
+ operations/use-postgres.yml
+ operations/experimental/enable-tls-cloud-controller-postgres.yml
+ VARS_FILES: |
+ environments/test/snape/syslog-vars.yml
+ REGENERATE_CREDENTIALS: true
+ - task: update-integration-configs
+ file: cf-deployment-concourse-tasks/update-integration-configs/task.yml
+ params:
+ BBL_STATE_DIR: environments/test/snape/bbl-state
+ CATS_INTEGRATION_CONFIG_FILE: environments/test/snape/integration_config.json
+ input_mapping:
+ bbl-state: relint-envs
+ integration-configs: relint-envs
+ - in_parallel:
+ - task: ensure-api-healthy
+ file: runtime-ci/tasks/ensure-api-healthy/task.yml
+ input_mapping:
+ cats-integration-config: relint-envs
+ params:
+ CONFIG_FILE_PATH: environments/test/snape/integration_config.json
+ - in_parallel:
+ - task: open-asgs-for-credhub
+ file: cf-deployment-concourse-tasks/open-asgs-for-bosh-instance-group/task.yml
+ input_mapping:
+ bbl-state: relint-envs
+ params:
+ BBL_STATE_DIR: environments/test/snape/bbl-state
+ INSTANCE_GROUP_NAME: credhub
+ SYSTEM_DOMAIN: cf.snape.env.wg-ard.ci.cloudfoundry.org
+ SECURITY_GROUP_NAME: credhub
+ - task: open-asgs-for-uaa
+ file: cf-deployment-concourse-tasks/open-asgs-for-bosh-instance-group/task.yml
+ input_mapping:
+ bbl-state: relint-envs
+ params:
+ BBL_STATE_DIR: environments/test/snape/bbl-state
+ INSTANCE_GROUP_NAME: uaa
+ SYSTEM_DOMAIN: cf.snape.env.wg-ard.ci.cloudfoundry.org
+ SECURITY_GROUP_NAME: uaa
+ - task: enable-docker-and-tasks
+ attempts: 2
+ file: cf-deployment-concourse-tasks/set-feature-flags/task.yml
+ input_mapping:
+ bbl-state: relint-envs
+ params:
+ BBL_STATE_DIR: environments/test/snape/bbl-state
+ SYSTEM_DOMAIN: cf.snape.env.wg-ard.ci.cloudfoundry.org
+ ENABLED_FEATURE_FLAGS: |
+ diego_docker
+ task_creation
+
+ - name: fips-smoke-tests
+ public: true
+ serial_groups: [ fips-smokes ]
+ plan:
+ - do:
+ - get: fips-pool
+ passed: [ fips-deploy ]
+ trigger: true
+ - in_parallel:
+ - get: relint-envs
+ - get: cf-deployment-main
+ passed: [ fips-deploy ]
+ - get: cf-deployment-concourse-tasks
+ timeout: 1h
+ - task: bosh-run-errand-smoke-tests
+ file: cf-deployment-concourse-tasks/run-errand/task.yml
+ params:
+ BBL_STATE_DIR: environments/test/snape/bbl-state
+ ERRAND_NAME: smoke_tests
+ input_mapping:
+ bbl-state: relint-envs
+
+ - name: fips-cats
+ public: true
+ serial_groups: [ fips-cats ]
+ plan:
+ - timeout: 4h
+ do:
+ - get: fips-pool
+ trigger: true
+ passed: [ fips-deploy ]
+ - in_parallel:
+ - get: cf-deployment-concourse-tasks
+ - get: cf-acceptance-tests-rc
+ - get: relint-envs
+ - get: cf-deployment-main
+ passed: [ fips-deploy ]
+ - task: update-integration-configs
+ file: cf-deployment-concourse-tasks/update-integration-configs/task.yml
+ params:
+ BBL_STATE_DIR: environments/test/snape/bbl-state
+ CATS_INTEGRATION_CONFIG_FILE: environments/test/snape/integration_config.json
+ input_mapping:
+ bbl-state: relint-envs
+ integration-configs: relint-envs
+ - task: run-cats
+ file: cf-deployment-concourse-tasks/run-cats/task.yml
+ input_mapping:
+ integration-config: updated-integration-configs
+ cf-acceptance-tests: cf-acceptance-tests-rc
+ params:
+ CONFIG_FILE_PATH: environments/test/snape/integration_config.json
+ CAPTURE_LOGS: true
+ RELINT_VERBOSE_AUTH: "true"
+ NODES: 12
+
+ - name: fips-delete-deployment
+ serial: true
+ public: true
+ plan:
+ - timeout: 4h
+ do:
+ - get: fips-pool
+ trigger: true
+ passed:
+ - fips-cats
+ - fips-smoke-tests
+ - in_parallel:
+ - get: cf-deployment-concourse-tasks
+ - get: relint-envs
+ - task: delete-deployment-cf
+ file: cf-deployment-concourse-tasks/bosh-delete-deployment/task.yml
+ input_mapping:
+ bbl-state: relint-envs
+ params:
+ BBL_STATE_DIR: environments/test/snape/bbl-state
+ IGNORE_ERRORS: true
+ - task: run-bosh-cleanup
+ file: cf-deployment-concourse-tasks/bosh-cleanup/task.yml
+ input_mapping:
+ bbl-state: relint-envs
+ params:
+ BBL_STATE_DIR: environments/test/snape/bbl-state
+ - put: fips-pool
+ params: {release: fips-pool}
\ No newline at end of file
From 2554ec39f6aeeacccb1462d3cbc7f528f343ccf0 Mon Sep 17 00:00:00 2001
From: Jochen Ehret
Date: Tue, 14 Nov 2023 08:49:42 +0100
Subject: [PATCH 2/8] Enable service_instance_sharing flag for fips deployment
---
ci/pipelines/fips-stemcell.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/ci/pipelines/fips-stemcell.yml b/ci/pipelines/fips-stemcell.yml
index 7622d7e92..db5e807a0 100644
--- a/ci/pipelines/fips-stemcell.yml
+++ b/ci/pipelines/fips-stemcell.yml
@@ -162,6 +162,7 @@ jobs: ENABLED_FEATURE_FLAGS: | diego_docker task_creation + service_instance_sharing - name: fips-smoke-tests public: true
From 56e9161781da208f36360a018a1dfae6739714ef Mon Sep 17 00:00:00 2001
From: Jochen Ehret
Date: Fri, 17 Nov 2023 11:04:22 +0100
Subject: [PATCH 3/8] Add aws.yml ops file (required for wss connections to trafficcontroller)
---
ci/pipelines/fips-stemcell.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/ci/pipelines/fips-stemcell.yml b/ci/pipelines/fips-stemcell.yml
index db5e807a0..a0889cd80 100644
--- a/ci/pipelines/fips-stemcell.yml
+++ b/ci/pipelines/fips-stemcell.yml
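Review bot: All five jobs are declared `public: true`, including fips-deploy and fips-delete-deployment, which operate on the snape environment's bbl-state through the relint-envs resource and the `((ard_wg_gitbot_ssh_key.private_key))` credential; a public job exposes its complete build output to unauthenticated viewers, so anything a task prints beyond the director address becomes world-readable. Concourse's log redaction, where enabled, covers values fetched from the credential manager but not values read from files inside bbl-state. If this mirrors the other cf-deployment pipelines it may be intentional, but consider `public: false` on the deploy and delete jobs, or confirm that the invoked tasks never echo secrets. Separately, `RELINT_VERBOSE_AUTH: "true"` is quoted while `CAPTURE_LOGS: true`, `IGNORE_ERRORS: true` and `REGENERATE_CREDENTIALS: true` are bare YAML booleans; task params end up as environment variables, so one consistent string form such as `CAPTURE_LOGS: "true"` avoids depending on how the scheduler stringifies booleans.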
@@ -110,6 +110,7 @@ jobs: BBL_STATE_DIR: environments/test/snape/bbl-state SYSTEM_DOMAIN: cf.snape.env.wg-ard.ci.cloudfoundry.org OPS_FILES: | + operations/aws.yml operations/addons/enable-component-syslog.yml operations/addons/add-system-metrics-agent.yml operations/use-postgres.yml From 5570a1119550de54287b3706090044f518867c22 Mon Sep 17 00:00:00 2001 From: Jochen Ehret Date: Fri, 1 Dec 2023 10:51:34 +0100 Subject: [PATCH 4/8] Add bosh-io stemcell resource with authentication for FIPS stemcell --- ci/pipelines/fips-stemcell.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/ci/pipelines/fips-stemcell.yml b/ci/pipelines/fips-stemcell.yml index a0889cd80..f35853acf 100644 --- a/ci/pipelines/fips-stemcell.yml +++ b/ci/pipelines/fips-stemcell.yml @@ -8,6 +8,17 @@ resources: pool: cf-deployment/fips private_key: ((ard_wg_gitbot_ssh_key.private_key)) + - name: fips-stemcell + type: bosh-io-stemcell + icon: dna + source: + repository: foundationalinfrastructure/bosh-io-stemcell-resource + tag: latest + name: bosh-aws-xen-hvm-ubuntu-jammy-fips-go_agent + auth: + access_key: ((ci_dev_gcp_service_account_hmac_access_key)) + secret_key: ((ci_dev_gcp_service_account_hmac_secret)) + - name: cf-deployment-concourse-tasks type: git icon: github @@ -65,6 +76,8 @@ jobs: - in_parallel: - get: cf-deployment-main trigger: true + - get: fips-stemcell + trigger: true - put: fips-pool params: { acquire: true } timeout: 4h From 58d344e7067d091441dc76592b22e8ddfad79247 Mon Sep 17 00:00:00 2001 From: Jochen Ehret Date: Fri, 1 Dec 2023 14:52:27 +0100 Subject: [PATCH 5/8] Use dev bosh-io-stemcell resource * downloading the fips-stemcell with credentials now works * add upload-stemcell task * configure use-fips-stemcell ops file --- ci/pipelines/fips-stemcell.yml | 53 ++++++++++++++++++++++++++++++++-- 1 file changed, 51 insertions(+), 2 deletions(-) diff --git a/ci/pipelines/fips-stemcell.yml b/ci/pipelines/fips-stemcell.yml index f35853acf..e61a295d8 100644 
--- a/ci/pipelines/fips-stemcell.yml +++ b/ci/pipelines/fips-stemcell.yml @@ -1,3 +1,11 @@ +# TODO remove this resource type declaration when a final release of the resource is available +resource_types: + - name: bosh-io-stemcell + source: + repository: foundationalinfrastructure/bosh-io-stemcell-resource + tag: v1.2.1 + type: docker-image + resources: - name: fips-pool type: pool @@ -12,8 +20,6 @@ resources: type: bosh-io-stemcell icon: dna source: - repository: foundationalinfrastructure/bosh-io-stemcell-resource - tag: latest name: bosh-aws-xen-hvm-ubuntu-jammy-fips-go_agent auth: access_key: ((ci_dev_gcp_service_account_hmac_access_key)) @@ -101,6 +107,7 @@ jobs: - in_parallel: - get: cf-deployment-main passed: [fips-acquire-pool] + - get: fips-stemcell - get: cf-deployment-concourse-tasks - get: runtime-ci - get: relint-envs 
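Review bot: The new `bosh-io-stemcell` entry under `resource_types` uses `type: docker-image`, which Concourse has deprecated in favor of `registry-image`; the replacement takes the same `repository`/`tag` source, so `type: registry-image` is a drop-in change, and the same applies to the inline `image_resource` of the upload-fips-stemcell task in the next hunk. Pinning `tag: v1.2.1` here is the right move after the floating `tag: latest` of the previous commit. The TODO could say what "final release" unblocks so the next maintainer knows when it is safe, e.g. `# TODO: remove this resource_types entry once a final release of bosh-io-stemcell-resource is available and the built-in type can be used instead`.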
@@ -112,6 +119,47 @@ jobs: params: BBL_STATE_DIR: environments/test/snape/bbl-state IGNORE_ERRORS: true + - task: bosh-cleanup + file: cf-deployment-concourse-tasks/bosh-cleanup/task.yml + input_mapping: + bbl-state: relint-envs + params: + BBL_STATE_DIR: environments/test/snape/bbl-state + # existing upload-stemcell tasks don't work as they are trying to upload the stemcell from the given (protected) URL + # instead, we must upload the stemcell from the local file of the "fips-stemcell" resource + - task: upload-fips-stemcell + config: + platform: linux + image_resource: + type: docker-image + source: + repository: cloudfoundry/cf-deployment-concourse-tasks + inputs: + - name: cf-deployment-concourse-tasks + - name: fips-stemcell + - name: relint-envs + params: + BBL_STATE_DIR: environments/test/snape/bbl-state + run: + path: bash + dir: "" + args: + - -c + - | + #!/bin/bash + source cf-deployment-concourse-tasks/shared-functions + ln -s relint-envs bbl-state + setup_bosh_env_vars + bosh upload-stemcell ./fips-stemcell/stemcell.tgz + - task: collect-ops-files + file: cf-deployment-concourse-tasks/collect-ops-files/task.yml + input_mapping: + base-ops-files: cf-deployment-main + new-ops-files: relint-envs + params: + BASE_OPS_FILE_DIR: operations + NEW_OPS_FILES: | + environments/test/snape/use-fips-stemcell.yml - task: bosh-deploy-cf file: cf-deployment-concourse-tasks/bosh-deploy/task.yml input_mapping: @@ -123,6 +171,7 @@ jobs: BBL_STATE_DIR: environments/test/snape/bbl-state SYSTEM_DOMAIN: cf.snape.env.wg-ard.ci.cloudfoundry.org OPS_FILES: | + operations/use-fips-stemcell.yml operations/aws.yml operations/addons/enable-component-syslog.yml operations/addons/add-system-metrics-agent.yml From 816f0405a1bac42c5a7e50baf06dbf68268fe16d Mon Sep 17 00:00:00 2001 From: Jochen Ehret Date: Fri, 1 Dec 2023 15:33:41 +0100 Subject: [PATCH 6/8] fix collect-ops-files config --- ci/pipelines/fips-stemcell.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
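Review bot: The inline script of upload-fips-stemcell has no error handling: `bash -c` treats the `#!/bin/bash` line inside the string as a comment, and without `set -e` a failing `source cf-deployment-concourse-tasks/shared-functions` or `setup_bosh_env_vars` still lets `bosh upload-stemcell` run, with only that last command's status deciding the task outcome. Replace the shebang line with `set -euo pipefail`. `dir: ""` is the default and can be dropped. The `image_resource` names `cloudfoundry/cf-deployment-concourse-tasks` without a tag, so the task floats on whatever is currently tagged latest; pinning it to the tag the sibling task.yml files use (not visible from here) would keep the pipeline reproducible.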
diff --git a/ci/pipelines/fips-stemcell.yml b/ci/pipelines/fips-stemcell.yml index e61a295d8..ca66c39de 100644 --- a/ci/pipelines/fips-stemcell.yml +++ b/ci/pipelines/fips-stemcell.yml @@ -165,7 +165,7 @@ jobs: input_mapping: bbl-state: relint-envs cf-deployment: cf-deployment-main - ops-files: cf-deployment-main + ops-files: collected-ops-files vars-files: relint-envs params: BBL_STATE_DIR: environments/test/snape/bbl-state From ebed84d8846bd5546e91ca6949ed94a01a3d3213 Mon Sep 17 00:00:00 2001 From: Jochen Ehret Date: Mon, 4 Dec 2023 08:01:15 +0100 Subject: [PATCH 7/8] Remove "use-fips-stemcell" ops file from pipeline * FIPS stemcell will have the same os name as the regular stemcell, so we don't need an ops file --- ci/pipelines/fips-stemcell.yml | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/ci/pipelines/fips-stemcell.yml b/ci/pipelines/fips-stemcell.yml index ca66c39de..62845a60d 100644 --- a/ci/pipelines/fips-stemcell.yml +++ b/ci/pipelines/fips-stemcell.yml @@ -151,27 +151,17 @@ jobs: ln -s relint-envs bbl-state setup_bosh_env_vars bosh upload-stemcell ./fips-stemcell/stemcell.tgz - - task: collect-ops-files - file: cf-deployment-concourse-tasks/collect-ops-files/task.yml - input_mapping: - base-ops-files: cf-deployment-main - new-ops-files: relint-envs - params: - BASE_OPS_FILE_DIR: operations - NEW_OPS_FILES: | - environments/test/snape/use-fips-stemcell.yml - task: bosh-deploy-cf file: cf-deployment-concourse-tasks/bosh-deploy/task.yml input_mapping: bbl-state: relint-envs cf-deployment: cf-deployment-main - ops-files: collected-ops-files + ops-files: cf-deployment-main vars-files: relint-envs params: BBL_STATE_DIR: environments/test/snape/bbl-state SYSTEM_DOMAIN: cf.snape.env.wg-ard.ci.cloudfoundry.org OPS_FILES: | - operations/use-fips-stemcell.yml operations/aws.yml operations/addons/enable-component-syslog.yml operations/addons/add-system-metrics-agent.yml 
From 2d81076d75b7e8f666bc675131f73f8222bbec35 Mon Sep 17 00:00:00 2001 From: Jochen Ehret Date: Tue, 5 Dec 2023 13:33:41 +0100 Subject: [PATCH 8/8] Use "latest" stemcell and skip stemcell upload in bosh-deploy task * this ensures that we always use the latest version of the "fips-stemcell" input --- ci/pipelines/fips-stemcell.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ci/pipelines/fips-stemcell.yml b/ci/pipelines/fips-stemcell.yml index 62845a60d..05db86a51 100644 --- a/ci/pipelines/fips-stemcell.yml +++ b/ci/pipelines/fips-stemcell.yml @@ -167,9 +167,11 @@ jobs: operations/addons/add-system-metrics-agent.yml operations/use-postgres.yml operations/experimental/enable-tls-cloud-controller-postgres.yml + operations/use-latest-stemcell.yml VARS_FILES: | environments/test/snape/syslog-vars.yml REGENERATE_CREDENTIALS: true + SKIP_STEMCELL_UPLOAD: true - task: update-integration-configs file: cf-deployment-concourse-tasks/update-integration-configs/task.yml params:
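Review bot: Combining `operations/use-latest-stemcell.yml` with `SKIP_STEMCELL_UPLOAD: true` makes bosh-deploy-cf pick whichever stemcell the director reports as latest for the os name, which is the FIPS stemcell only if the one uploaded by upload-fips-stemcell is also the highest version present; commit 7 notes that the FIPS stemcell shares its os name with the regular stemcell, so a regular stemcell with a higher version on the same director would be selected silently and the validation would pass without exercising FIPS at all. If the snape director is dedicated to this pipeline and the bosh-cleanup task (in an earlier hunk, outside this one) always runs first, the risk is reduced but not documented. A guard would make the intent enforceable: after the deploy, compare the stemcell version the deployment uses against the resource's `version` file (if the fork of bosh-io-stemcell-resource provides it, as the upstream resource does) and fail on mismatch. At minimum, record the assumption next to the new ops-file line, e.g. `# relies on upload-fips-stemcell having put the newest stemcell of this os name on the director`.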