feat: remove dependency for specific workspace feature offered by tekton
Previously mapt was using workspaces as input spaces for cloud credentials; this can be done by using more basic components from k8s volumes. Also, the resulting information to connect with the provisioned machine / service was returned as a combination of plain results and files stored on a location from workspaces. This commit changes the approach to create a specific secret holding the information, as another basic resource offered by k8s.

Signed-off-by: Adrian Riobo <[email protected]>
adrianriobo committed Dec 9, 2024
1 parent 36b3308 commit 2c2101f
Showing 19 changed files with 2,231 additions and 1,546 deletions.
1 change: 1 addition & 0 deletions Makefile
Expand Up @@ -25,6 +25,7 @@ define tkn_update
sed -e 's%<IMAGE>%$(1)%g' -e 's%<VERSION>%$(2)%g' tkn/template/infra-aws-mac.yaml > tkn/infra-aws-mac.yaml
sed -e 's%<IMAGE>%$(1)%g' -e 's%<VERSION>%$(2)%g' tkn/template/infra-aws-rhel.yaml > tkn/infra-aws-rhel.yaml
sed -e 's%<IMAGE>%$(1)%g' -e 's%<VERSION>%$(2)%g' tkn/template/infra-aws-windows-server.yaml > tkn/infra-aws-windows-server.yaml
sed -e 's%<IMAGE>%$(1)%g' -e 's%<VERSION>%$(2)%g' tkn/template/infra-azure-aks.yaml > tkn/infra-azure-aks.yaml
sed -e 's%<IMAGE>%$(1)%g' -e 's%<VERSION>%$(2)%g' tkn/template/infra-azure-rhel.yaml > tkn/infra-azure-rhel.yaml
sed -e 's%<IMAGE>%$(1)%g' -e 's%<VERSION>%$(2)%g' tkn/template/infra-azure-fedora.yaml > tkn/infra-azure-fedora.yaml
sed -e 's%<IMAGE>%$(1)%g' -e 's%<VERSION>%$(2)%g' tkn/template/infra-azure-windows-desktop.yaml > tkn/infra-azure-windows-desktop.yaml
Expand Down
Empty file modified hacks/azure/azure_setup.sh
100644 → 100755
Empty file.
2 changes: 2 additions & 0 deletions oci/Containerfile
Expand Up @@ -36,6 +36,8 @@ ENV AZ_CLI_VERSION 2.61.0
# Pulumi plugins
# renovate: datasource=github-releases depName=pulumi/pulumi-aws
ARG PULUMI_AWS_VERSION=v6.37.1
# Install this
# https://releases.hashicorp.com/terraform-provider-aws/5.75.1/terraform-provider-aws_5.75.1_linux_amd64.zip
# renovate: datasource=github-releases depName=pulumi/pulumi-aws
ARG PULUMI_AWSX_VERSION=v2.3.0
# renovate: datasource=github-releases depName=pulumi/pulumi-azure-native
Expand Down
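Review bot: The added `# Install this` comment above the terraform-provider-aws URL leaves an unexplained TODO in the Containerfile: nothing in this hunk installs that archive, and unlike the surrounding `ARG ..._VERSION` lines the URL carries no version variable and no checksum to verify against. If the provider is meant to be installed, pin it the same way as the other dependencies and verify the archive's checksum before unpacking it; otherwise drop the two lines or state why the URL is recorded, e.g. `# TODO: terraform-provider-aws 5.75.1 is needed for <reason>; install pinned and checksum-verified`.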
231 changes: 130 additions & 101 deletions tkn/infra-aws-fedora.yaml
Expand Up @@ -6,22 +6,25 @@ metadata:
labels:
app.kubernetes.io/version: "0.8.0-dev"
annotations:
tekton.dev/pipelines.minVersion: "0.24.x"
tekton.dev/pipelines.minVersion: "0.44.x"
tekton.dev/categories: infrastructure
tekton.dev/tags: infrastructure, aws, fedora
tekton.dev/displayName: "aws manager"
tekton.dev/platforms: "linux/amd64"
tekton.dev/platforms: "linux/amd64, linux/arm64"
spec:
description: |
Task provision a fedora dedicated on host on AWS
The machine will offer nested virtualizataion capabilities as so it should be spin on a dedicated (baremetal) machine
workspaces:
- name: storage
description: volume to store outputs to connect within the target machine + state file for the infrastructure
mountPath: /opt/storage
volumes:
- name: aws-credentials
secret:
secretName: $(params.secret-aws-credentials)
- name: host-info
emptyDir: {}

params:
# mapt params
- name: secret-aws-credentials
description: |
ocp secret holding the aws credentials. Secret should be accessible to this task.
Expand All @@ -38,22 +41,35 @@ spec:
access-key: ${access_key}
secret-key: ${secret_key}
region: ${region}
mountPath: /opt/aws-credentials

params:
# mapt params
- name: project-name
description: identifier for project.
- name: backed-url
description: |
If we want to backed resources externally we can use s3 setting this param(i.e s3://existing-bucket).
If default will be store on storage workspace at path set by param ws-output-path.
default: "''"
- name: ws-output-path
description: path on workspace where to store ephemeral assets related with the provisioning
bucket: ${bucket}
- name: id
description: identifier for the provisioned environment
- name: operation
description: operation to execute within the infrastructure. Current values (create, destroy)
- name: host-access-secret
description: name from the secret holding the host-info created during create operation. This is required only destroy operation
default: "''"

# Secret result ownership
- name: ownerKind
type: string
default: PipelineRun
description: |
The type of resource that should own the generated SpaceRequest.
Deletion of this resource will trigger deletion of the SpaceRequest.
Supported values: `PipelineRun`, `TaskRun`.
- name: ownerName
type: string
description: |
The name of the resource that should own the generated SpaceRequest.
This should either be passed the value of `$(context.pipelineRun.name)`
or `$(context.taskRun.name)` depending on the value of `ownerKind`.
- name: ownerUid
type: string
description: |
The uid of the resource that should own the generated SpaceRequest.
This should either be passed the value of `$(context.pipelineRun.uid)`
or `$(context.taskRun.uid)` depending on the value of `ownerKind`.
# VM type params
- name: arch
Expand All @@ -74,8 +90,8 @@ spec:

# Fedora params
- name: version
description: this task will spin a Fedora-Cloud image. This param will set the version for it. Default 40.
default: '40'
description: this task will spin a Fedora-Cloud image. This param will set the version for it. Default 41.
default: '41'

# Topology params
- name: airgap
Expand All @@ -94,9 +110,6 @@ spec:
default: "''"

# Control params
- name: remove-lock
description: in case a previous run fails the stack can be locked. This value allows to control if remove lock
default: 'true'
- name: debug
description: |
Warning setting this param to true expose credentials
Expand All @@ -106,109 +119,125 @@ spec:
default: 'false'

results:
- name: host
description: ip to connect to the provisioned machine
- name: username
description: username to connect to the provisioned machine
- name: key
description: filename for the private key. The key is located at workspace-resources-path
- name: bastion-host
description: if airgap is set we get the bastion host as result
- name: bastion-username
description: if airgap is set we get the bastion username to connect as result
- name: bastion-key
description: if airgap is set we get the bastion filename for the private key. The key is located at workspace-resources-path

- name: host-access-secret
description: |
ocp secret holding the information to connect with the target machine.
---
apiVersion: v1
kind: Secret
metadata:
name: ${name}
labels:
type: Opaque
data:
host: ${host}
username: ${username}
id_rsa: ${id_rsa}
# If airgap data for bastion host
bastion-host: ${bastion-host}
bastion-username: ${bastion-username}
bastion-id_rsa: ${bastion-id_rsa}
steps:
- name: provisioner
image: quay.io/redhat-developer/mapt:v0.8.0-dev
imagePullPolicy: Always
volumeMounts:
- name: aws-credentials
mountPath: /opt/aws-credentials
- name: host-info
mountPath: /opt/host-info
script: |
#!/bin/sh
set -euo pipefail
# If debug add verbosity
if [[ $(params.debug) == "true" ]]; then
set -xuo
set -xeuo pipefail
fi
# Credentials
export AWS_ACCESS_KEY_ID=$(cat /opt/aws-credentials/access-key)
export AWS_SECRET_ACCESS_KEY=$(cat /opt/aws-credentials/secret-key)
export AWS_DEFAULT_REGION=$(cat /opt/aws-credentials/region)
# Output folder
workspace_path=/opt/storage/$(params.ws-output-path)
mkdir -p ${workspace_path}
# Remove lock
if [[ $(params.remove-lock) == "true" ]]; then
rm -rf ${workspace_path}/.pulumi/locks/*
fi
BUCKET=$(cat /opt/aws-credentials/bucket)
# Run mapt
cmd="mapt aws fedora $(params.operation) "
cmd="$cmd --project-name $(params.project-name) "
# Set the backed url
if [[ $(params.backed-url) != "" ]]; then
cmd="$cmd --backed-url $(params.backed-url) "
else
cmd="$cmd --backed-url file://${workspace_path} "
fi
cmd+="--project-name mapt-fedora-$(params.id) "
cmd+="--backed-url s3://${BUCKET}/mapt/fedora/$(params.id) "
if [[ $(params.operation) == "create" ]]; then
cmd="$cmd --conn-details-output ${workspace_path} "
cmd="$cmd --arch $(params.arch) "
cmd="$cmd --cpus $(params.cpus) "
cmd="$cmd --memory $(params.memory) "
if [[ $(params.nested-virt) == "true" ]]; then
cmd="$cmd --nested-virt "
fi
cmd="$cmd --version $(params.version) "
cmd+="--conn-details-output /opt/host-info "
cmd+="--arch $(params.arch) "
cmd+="--cpus $(params.cpus) "
cmd+="--memory $(params.memory) "
cmd+="--version $(params.version) "
if $($(params.nested-virt)); then cmd+="--nested-virt "; fi
if [[ $(params.spot) == "true" ]]; then
cmd="$cmd --spot "
cmd+="--spot "
fi
if [[ $(params.airgap) == "true" ]]; then
cmd="$cmd --airgap "
fi
if [[ $(params.tags) != "" ]]; then
cmd="$cmd --tags $(params.tags) "
cmd+="--airgap "
fi
cmd+="--tags $(params.tags) "
fi
eval "${cmd}"
create_exit_code=$?
# set task results
cat "${workspace_path}/host" | tee $(results.host.path)
cat "${workspace_path}/username" | tee $(results.username.path)
echo -n "id_rsa" | tee $(results.key.path)
if [[ $(params.airgap) == "true" ]]; then
cat "${workspace_path}/bastion_host" | tee $(results.bastion-host.path)
cat "${workspace_path}/bastion_username" | tee $(results.bastion-username.path)
echo -n "bastion_id_rsa" | tee $(results.bastion-key.path)
fi
# If debug print credentials
if [[ $(params.debug) == "true" ]]; then
echo "Credentials to access target machine \n"
cat "${workspace_path}/host"
cat "${workspace_path}/username"
cat "${workspace_path}/id_rsa"
if [[ $(params.airgap) == "true" ]]; then
cat "${workspace_path}/bastion_host"
cat "${workspace_path}/bastion_username"
cat "${workspace_path}/bastion_id_rsa"
fi
fi
if [[ ${create_exit_code} -ne 0 ]]; then
exit 1
fi
resources:
requests:
memory: "200Mi"
cpu: "100m"
limits:
memory: "600Mi"
cpu: "300m"

- name: host-info-secret
image: registry.redhat.io/openshift4/ose-cli:4.13@sha256:e70eb2be867f1236b19f5cbfeb8e0625737ce0ec1369e32a4f9f146aaaf68d49
env:
- name: NAMESPACE
value: $(context.taskRun.namespace)
- name: OWNER_KIND
value: $(params.ownerKind)
- name: OWNER_NAME
value: $(params.ownerName)
- name: OWNER_UID
value: $(params.ownerUid)
volumeMounts:
- name: host-info
mountPath: /opt/host-info
script: |
#!/bin/bash
set -eo pipefail
if [[ $(params.operation) == "create" ]]; then
cat <<EOF > host-info.yaml
apiVersion: v1
kind: Secret
metadata:
generateName: mapt-aws-fedora-
namespace: $NAMESPACE
ownerReferences:
- apiVersion: tekton.dev/v1
kind: $OWNER_KIND
name: $OWNER_NAME
uid: $OWNER_UID
type: Opaque
data:
host: $(cat /opt/host-info/host | base64 -w0)
username: $(cat /opt/host-info/username | base64 -w0)
id_rsa: $(cat /opt/host-info/id_rsa | base64 -w0)
EOF
if [[ $(params.airgap) == "true" ]]; then
cat <<EOF >> host-info.yaml
bastion-host: $(cat /opt/host-info/bastion_host | base64 -w0)
bastion-username: $(cat /opt/host-info/bastion_username | base64 -w0)
bastion-id_rsa: $(cat /opt/host-info/bastion_id_rsa | base64 -w0)
EOF
fi
if [[ $(params.debug) == "true" ]]; then
cat /opt/host-info/*
fi
NAME=$(oc create -f host-info.yaml -o=jsonpath='{.metadata.name}')
echo -n "${NAME}" | tee $(results.host-access-secret.path)
fi
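Review bot: `if $($(params.nested-virt)); then cmd+="--nested-virt "; fi` in the provisioner step executes the substituted parameter value as a shell command rather than comparing it, so any value other than `true`/`false` is run as a command and that run's exit status drives the branch, while the neighbouring `spot` and `airgap` checks use a string comparison. Change it to `if [[ $(params.nested-virt) == "true" ]]; then cmd+="--nested-virt "; fi` to match them. Separately, the script runs under `set -euo pipefail`, so when `eval "${cmd}"` fails the script exits before `create_exit_code=$?` is reached and the later `if [[ ${create_exit_code} -ne 0 ]]` check appears unreachable (whether those lines are new or kept context is not recoverable from this page). The `#!/bin/sh` shebang combined with `[[ ... ]]` tests also assumes the image's `/bin/sh` is bash-compatible; declaring `#!/bin/bash` as the `host-info-secret` step does would make that explicit. In the first hunk, the `host-info` emptyDir that carries the generated `id_rsa` could be declared with `medium: Memory` so the private key is never written to node disk.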
