From 66bccc6441203647a90cf7f765357e28e00f3d6d Mon Sep 17 00:00:00 2001 From: Sayan Biswas Date: Fri, 28 Apr 2023 12:24:35 +0530 Subject: [PATCH] Fix tekton results storage configurations --- developer/openshift/dev_setup.sh | 19 ++-- .../gitops/argocd/pipeline-service-o11y.yaml | 8 +- .../argocd/pipeline-service-storage.yaml | 18 +++- .../kustomization.yaml | 7 -- .../minio/tenant/tenant.yaml | 57 ++++------- .../pipeline-service-storage/postgres.yaml | 73 -------------- .../postgres/values.yaml | 38 ++++++++ .../gitops/argocd/pipeline-service.yaml | 10 +- .../pipeline-service/kustomization.yaml | 5 +- .../tekton-results/kustomization.yaml | 1 - .../tekton-results/minio-create-bucket.yaml | 58 ----------- .../tekton-results/minio-tls.yaml | 2 +- .../openshift-gitops/custom-permissions.yaml | 30 ++++++ .../openshift-gitops/kustomization.yaml | 1 + .../openshift-gitops/openshift-gitops.yaml | 2 +- developer/openshift/reset.sh | 95 +++++++++++++------ operator/gitops/argocd/pipeline-service.yaml | 2 +- .../content/bin/setup_work_dir.sh | 58 +++++------ .../cluster-setup/content/bin/install.sh | 2 +- 19 files changed, 219 insertions(+), 267 deletions(-) delete mode 100644 developer/openshift/gitops/argocd/pipeline-service-storage/kustomization.yaml delete mode 100644 developer/openshift/gitops/argocd/pipeline-service-storage/postgres.yaml create mode 100644 developer/openshift/gitops/argocd/pipeline-service-storage/postgres/values.yaml delete mode 100644 developer/openshift/gitops/argocd/pipeline-service/tekton-results/minio-create-bucket.yaml create mode 100644 developer/openshift/operators/openshift-gitops/custom-permissions.yaml diff --git a/developer/openshift/dev_setup.sh b/developer/openshift/dev_setup.sh index 42ef66c9f..fe4ad8487 100755 --- a/developer/openshift/dev_setup.sh +++ b/developer/openshift/dev_setup.sh 
@@ -234,7 +234,7 @@ install_pipeline_service() { TEKTON_RESULTS_DATABASE_PASSWORD="$(yq '.tekton_results_db.password' "$CONFIG")" export TEKTON_RESULTS_DATABASE_USER export TEKTON_RESULTS_DATABASE_PASSWORD - TEKTON_RESULTS_S3_USER="$(yq '.tekton_results_s3.user // "minio"' "$CONFIG")" + TEKTON_RESULTS_S3_USER="$(yq '.tekton_results_s3.user // "tekton"' "$CONFIG")" TEKTON_RESULTS_S3_PASSWORD="$(yq ".tekton_results_s3.password // \"$(openssl rand -base64 20)\"" "$CONFIG")" export TEKTON_RESULTS_S3_USER export TEKTON_RESULTS_S3_PASSWORD @@ -251,17 +251,14 @@ install_pipeline_service() { for app in "pipeline-service" "pipeline-service-storage" "pipeline-service-o11y"; do cat << EOF >"$manifest_dir/patch-$app.yaml" --- -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: $app - namespace: openshift-gitops -spec: - source: - repoURL: $GIT_URL - targetRevision: $GIT_REF +- op: replace + path: "/spec/sources/0/repoURL" + value: $GIT_URL +- op: replace + path: "/spec/sources/0/targetRevision" + value: $GIT_REF EOF - yq -i ".patches += [{\"path\": \"patch-$app.yaml\"}]" "$manifest_dir/kustomization.yaml" + yq -i ".patches += [{\"path\": \"patch-$app.yaml\", \"target\": {\"kind\": \"Application\", \"namespace\": \"openshift-gitops\", \"name\": \"$app\" }}]" "$manifest_dir/kustomization.yaml" done ############################################################################# diff --git a/developer/openshift/gitops/argocd/pipeline-service-o11y.yaml b/developer/openshift/gitops/argocd/pipeline-service-o11y.yaml index 99a71f57b..e5cd8a84d 100644 --- a/developer/openshift/gitops/argocd/pipeline-service-o11y.yaml +++ b/developer/openshift/gitops/argocd/pipeline-service-o11y.yaml 
@@ -10,10 +10,10 @@ spec: destination: namespace: openshift-gitops server: https://kubernetes.default.svc - source: - path: developer/openshift/gitops/argocd/pipeline-service-o11y - repoURL: https://github.com/openshift-pipelines/pipeline-service.git - targetRevision: main + sources: + - path: developer/openshift/gitops/argocd/pipeline-service-o11y + repoURL: https://github.com/openshift-pipelines/pipeline-service.git + targetRevision: main project: default syncPolicy: # Comment this out if you want to manually trigger deployments (using the diff --git a/developer/openshift/gitops/argocd/pipeline-service-storage.yaml b/developer/openshift/gitops/argocd/pipeline-service-storage.yaml index ca01d2318..c0b77d04a 100644 --- a/developer/openshift/gitops/argocd/pipeline-service-storage.yaml +++ b/developer/openshift/gitops/argocd/pipeline-service-storage.yaml @@ -8,12 +8,20 @@ metadata: argocd.argoproj.io/sync-wave: "0" spec: destination: - namespace: openshift-gitops + namespace: tekton-results server: https://kubernetes.default.svc - source: - path: developer/openshift/gitops/argocd/pipeline-service-storage - repoURL: https://github.com/openshift-pipelines/pipeline-service.git - targetRevision: main + sources: + - repoURL: https://github.com/openshift-pipelines/pipeline-service.git + path: developer/openshift/gitops/argocd/pipeline-service-storage/minio + targetRevision: main + ref: values + - repoURL: https://charts.bitnami.com/bitnami + chart: postgresql + targetRevision: 12.2.7 + helm: + releaseName: postgres + valueFiles: + - $values/developer/openshift/gitops/argocd/pipeline-service-storage/postgres/values.yaml project: default syncPolicy: # Comment this out if you want to manually trigger deployments (using the diff --git a/developer/openshift/gitops/argocd/pipeline-service-storage/kustomization.yaml b/developer/openshift/gitops/argocd/pipeline-service-storage/kustomization.yaml deleted file mode 100644 index f7ab7959a..000000000 
--- a/developer/openshift/gitops/argocd/pipeline-service-storage/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -resources: - - postgres.yaml - - minio diff --git a/developer/openshift/gitops/argocd/pipeline-service-storage/minio/tenant/tenant.yaml b/developer/openshift/gitops/argocd/pipeline-service-storage/minio/tenant/tenant.yaml index 4a366cee5..1b2001b19 100644 --- a/developer/openshift/gitops/argocd/pipeline-service-storage/minio/tenant/tenant.yaml +++ b/developer/openshift/gitops/argocd/pipeline-service-storage/minio/tenant/tenant.yaml @@ -2,7 +2,7 @@ apiVersion: minio.min.io/v2 kind: Tenant metadata: - name: storage + name: minio namespace: tekton-results labels: app: minio 
@@ -13,60 +13,35 @@ metadata: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true argocd.argoproj.io/sync-wave: "0" spec: + image: quay.io/minio/minio:latest + requestAutoCert: false + podManagementPolicy: Parallel + configuration: + name: minio-configuration exposeServices: minio: true features: bucketDNS: false - domains: {} - # This desired part doesn't work. Issues: - # https://github.com/minio/operator/issues/1345 - # https://github.com/minio/operator/issues/1346 - # users: - # - name: storage-user - # buckets: - # - name: "tekton-results" - # region: "us-east-1" - # objectLock: true - certConfig: {} - podManagementPolicy: Parallel - configuration: - name: minio-storage-configuration - env: [] - serviceMetadata: - minioServiceLabels: {} - minioServiceAnnotations: {} - consoleServiceLabels: {} - consoleServiceAnnotations: {} - priorityClassName: "" - externalCaCertSecret: [] - externalCertSecret: [] - externalClientCertSecrets: [] - image: quay.io/minio/minio:RELEASE.2022-09-17T00-09-45Z - imagePullSecret: {} - mountPath: /export - subPath: "" + users: + - name: minio-user + buckets: + - name: tekton-results + region: not-applicable + objectLock: true pools: - servers: 1 name: pool-0 volumesPerServer: 2 - nodeSelector: {} - tolerations: [] - affinity: - nodeAffinity: {} - podAffinity: {} - podAntiAffinity: {} - resources: {} volumeClaimTemplate: apiVersion: v1 kind: persistentvolumeclaims - metadata: {} spec: accessModes: - ReadWriteOnce resources: requests: storage: 1Gi - status: {} - securityContext: {} - containerSecurityContext: {} - requestAutoCert: true + securityContext: + runAsNonRoot: true + containerSecurityContext: + runAsNonRoot: true diff --git a/developer/openshift/gitops/argocd/pipeline-service-storage/postgres.yaml b/developer/openshift/gitops/argocd/pipeline-service-storage/postgres.yaml deleted file mode 100644 index 4cfc09417..000000000 --- a/developer/openshift/gitops/argocd/pipeline-service-storage/postgres.yaml +++ /dev/null 
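Review bot: `image: quay.io/minio/minio:latest` replaces the previously pinned `RELEASE.2022-09-17T00-09-45Z`, so every tenant rollout pulls whatever MinIO published last and the deployment is no longer reproducible or reviewable from a supply-chain standpoint; pin a release tag (ideally with a digest) and bump it deliberately. `requestAutoCert: false` also switches off the operator-issued TLS, so the results API will talk to MinIO in the clear; if that is intentional for the dev setup, say so in a comment next to the field (`# TLS disabled for the dev tenant; the results API endpoint is http:// for the same reason`), otherwise keep autocert on. Adding `runAsNonRoot: true` to both security contexts is a good change.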
@@ -1,73 +0,0 @@ ---- -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: postgres - namespace: openshift-gitops - annotations: - argocd.argoproj.io/sync-wave: "0" -spec: - project: default - destination: - namespace: tekton-results - server: https://kubernetes.default.svc - source: - chart: postgresql - repoURL: https://charts.bitnami.com/bitnami - targetRevision: 12.2.7 - helm: - releaseName: postgres - parameters: - - name: image.tag - value: 13.10.0 - - name: tls.enabled - value: "true" - - name: tls.autoGenerated - value: "true" - - name: auth.database - value: "tekton_results" - - name: auth.username - value: "tekton" - - name: auth.existingSecret - value: "tekton-results-database" - - name: auth.secretKeys.userPasswordKey - value: "db.password" - - name: auth.secretKeys.adminPasswordKey - value: "db.password" - - name: primary.resources.requests - value: "null" - - name: primary.podSecurityContext.fsGroup - value: "null" - - name: primary.podSecurityContext.seccompProfile.type - value: RuntimeDefault - - name: primary.containerSecurityContext.runAsUser - value: "null" - - name: primary.containerSecurityContext.allowPrivilegeEscalation - value: "false" - - name: primary.containerSecurityContext.runAsNonRoot - value: "true" - - name: primary.containerSecurityContext.seccompProfile.type - value: RuntimeDefault - - name: primary.containerSecurityContext.capabilities.drop[0] - value: ALL - - name: volumePermissions.enabled - value: "false" - - name: shmVolume.enabled - value: "false" - syncPolicy: - # Comment this out if you want to manually trigger deployments (using the - # Argo CD Web UI or Argo CD CLI), rather than automatically deploying on - # every new Git commit to your directory. 
- automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true - # workaround to make working both minio: newer and old 4.5.4 - - Validate=false - retry: - limit: -1 # number of failed sync attempt retries; unlimited number of attempts if less than 0 - backoff: - duration: 10s # the amount to back off. Default unit is seconds, but could also be a duration (e.g. "2m", "1h") - factor: 2 # a factor to multiply the base duration after each failed retry - maxDuration: 3m # the maximum amount of time allowed for the backoff strategy diff --git a/developer/openshift/gitops/argocd/pipeline-service-storage/postgres/values.yaml b/developer/openshift/gitops/argocd/pipeline-service-storage/postgres/values.yaml new file mode 100644 index 000000000..833bfa196 --- /dev/null +++ b/developer/openshift/gitops/argocd/pipeline-service-storage/postgres/values.yaml @@ -0,0 +1,38 @@ +--- +image: + tag: 13.10.0 + +tls: + enabled: true + autoGenerated: true + +auth: + database: tekton_results + username: tekton + existingSecret: tekton-results-database + secretKeys: + userPasswordKey: db.password + adminPasswordKey: db.password + +primary: + resources: + requests: null + podSecurityContext: + fsGroup: null + seccompProfile: + type: RuntimeDefault + containerSecurityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: null + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + +volumePermissions: + enabled: false + +shmVolume: + enabled: false diff --git a/developer/openshift/gitops/argocd/pipeline-service.yaml b/developer/openshift/gitops/argocd/pipeline-service.yaml index cfebefd9e..a3035767f 100644 --- a/developer/openshift/gitops/argocd/pipeline-service.yaml +++ b/developer/openshift/gitops/argocd/pipeline-service.yaml 
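Review bot: `auth.secretKeys.userPasswordKey` and `auth.secretKeys.adminPasswordKey` both point at `db.password`, so the `tekton` application role and the `postgres` superuser share one password and anything holding the results API's database credential is effectively superuser on the database. Give the admin role its own key (e.g. `adminPasswordKey: db.admin-password`) and have the setup script populate it with a separately generated value; this is carried over from the deleted postgres.yaml rather than introduced here, but the new values file is the place to fix it. `tls.autoGenerated: true` presumably yields a self-signed server certificate, so a one-line comment stating whether the results API verifies that certificate or only gets encryption would help the next reviewer.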
@@ -8,12 +8,12 @@ metadata: argocd.argoproj.io/sync-wave: "0" spec: destination: - namespace: openshift-gitops + namespace: pipeline-service server: https://kubernetes.default.svc - source: - path: developer/openshift/gitops/argocd/pipeline-service - repoURL: https://github.com/openshift-pipelines/pipeline-service.git - targetRevision: main + sources: + - path: developer/openshift/gitops/argocd/pipeline-service + repoURL: https://github.com/openshift-pipelines/pipeline-service.git + targetRevision: main project: default syncPolicy: # Comment this out if you want to manually trigger deployments (using the diff --git a/developer/openshift/gitops/argocd/pipeline-service/kustomization.yaml b/developer/openshift/gitops/argocd/pipeline-service/kustomization.yaml index 6cc39d588..4c80b85da 100644 --- a/developer/openshift/gitops/argocd/pipeline-service/kustomization.yaml +++ b/developer/openshift/gitops/argocd/pipeline-service/kustomization.yaml @@ -5,9 +5,8 @@ kind: Kustomization resources: - ../../../../../operator/gitops/argocd/pipeline-service -patches: - - path: tekton-results/minio-create-bucket.yaml - - path: tekton-results/minio-tls.yaml + # patches: + # - path: tekton-results/minio-tls.yaml # Skip applying the Tekton operands while the Tekton operator is being installed. # See more information about this option, here: diff --git a/developer/openshift/gitops/argocd/pipeline-service/tekton-results/kustomization.yaml b/developer/openshift/gitops/argocd/pipeline-service/tekton-results/kustomization.yaml index 13b973dcb..b8cb96177 100644 --- a/developer/openshift/gitops/argocd/pipeline-service/tekton-results/kustomization.yaml +++ b/developer/openshift/gitops/argocd/pipeline-service/tekton-results/kustomization.yaml @@ -5,5 +5,4 @@ resources: - ../../../../../../operator/gitops/argocd/pipeline-service/tekton-results patches: - - path: minio-create-bucket.yaml - path: minio-tls.yaml 
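Review bot: The `# patches:` / `# - path: tekton-results/minio-tls.yaml` lines left in pipeline-service/kustomization.yaml are commented-out configuration that leaves a reader unsure whether the TLS patch is meant to apply; either delete them or replace them with a comment recording the decision (`# minio TLS patch intentionally not applied: the dev MinIO tenant runs with requestAutoCert: false`). Note that tekton-results/kustomization.yaml in the same commit still lists `minio-tls.yaml`, which mounts a `minio-tls` secret into the results API pod; with autocert disabled on the tenant that secret is presumably never created, so the pod may hang in ContainerCreating unless the volume is marked `optional: true` — worth confirming on a fresh cluster.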
diff --git a/developer/openshift/gitops/argocd/pipeline-service/tekton-results/minio-create-bucket.yaml b/developer/openshift/gitops/argocd/pipeline-service/tekton-results/minio-create-bucket.yaml deleted file mode 100644 index a72ab1c51..000000000 --- a/developer/openshift/gitops/argocd/pipeline-service/tekton-results/minio-create-bucket.yaml +++ /dev/null @@ -1,58 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: tekton-results-api - namespace: tekton-results - annotations: - argocd.argoproj.io/sync-wave: "0" -spec: - template: - spec: - containers: - - name: api - initContainers: - - name: mc - image: >- - quay.io/minio/mc:RELEASE.2023-01-28T20-29-38Z - command: - - /bin/bash - args: - - '-c' - - | - mc --config-dir /tmp config host add minio "$S3_ENDPOINT" "$S3_ACCESS_KEY_ID" "$S3_SECRET_ACCESS_KEY" && - if [ -z "$(mc --config-dir /tmp ls minio | grep "$S3_BUCKET_NAME")" ]; then - mc --config-dir /tmp mb --with-lock --region "$S3_REGION" minio/"$S3_BUCKET_NAME" && - echo "Minio bucket $S3_BUCKET_NAME successfully created." - fi - imagePullPolicy: Always - env: - - name: S3_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - key: aws_access_key_id - name: tekton-results-s3 - - name: S3_SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - key: aws_secret_access_key - name: tekton-results-s3 - - name: S3_REGION - valueFrom: - secretKeyRef: - key: aws_region - name: tekton-results-s3 - - name: S3_BUCKET_NAME - valueFrom: - secretKeyRef: - key: bucket - name: tekton-results-s3 - - name: S3_ENDPOINT - valueFrom: - secretKeyRef: - key: endpoint - name: tekton-results-s3 - volumeMounts: - - name: ca-s3 - mountPath: /etc/ssl/certs/s3-cert.crt - subPath: s3-cert.crt diff --git a/developer/openshift/gitops/argocd/pipeline-service/tekton-results/minio-tls.yaml b/developer/openshift/gitops/argocd/pipeline-service/tekton-results/minio-tls.yaml index e0c5d7c48..937258ed6 100644 --- a/developer/openshift/gitops/argocd/pipeline-service/tekton-results/minio-tls.yaml 
+++ b/developer/openshift/gitops/argocd/pipeline-service/tekton-results/minio-tls.yaml
@@ -12,7 +12,7 @@ spec:
 volumes:
 - name: ca-s3
 secret:
- secretName: storage-tls
+ secretName: minio-tls
 items:
 - key: public.crt
 path: s3-cert.crt
diff --git a/developer/openshift/operators/openshift-gitops/custom-permissions.yaml b/developer/openshift/operators/openshift-gitops/custom-permissions.yaml
new file mode 100644
index 000000000..bcb8159b6
--- /dev/null
+++ b/developer/openshift/operators/openshift-gitops/custom-permissions.yaml
@@ -0,0 +1,30 @@
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: openshift-gitops-custom
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ - serviceaccounts
+ verbs: ['*']
+ - apiGroups:
+ - "apps"
+ resources:
+ - deployments
+ verbs: ['*']
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: openshift-gitops-custom
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: openshift-gitops-custom
+subjects:
+ - kind: ServiceAccount
+ name: openshift-gitops-argocd-application-controller
+ namespace: openshift-gitops
diff --git a/developer/openshift/operators/openshift-gitops/kustomization.yaml b/developer/openshift/operators/openshift-gitops/kustomization.yaml
index e0c4c97f8..1bb211ed3 100644
--- a/developer/openshift/operators/openshift-gitops/kustomization.yaml
+++ b/developer/openshift/operators/openshift-gitops/kustomization.yaml
@@ -3,3 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - openshift-gitops.yaml
+ - custom-permissions.yaml
diff --git a/developer/openshift/operators/openshift-gitops/openshift-gitops.yaml b/developer/openshift/operators/openshift-gitops/openshift-gitops.yaml
index 97ea18925..a2128a759 100644
--- a/developer/openshift/operators/openshift-gitops/openshift-gitops.yaml
+++ b/developer/openshift/operators/openshift-gitops/openshift-gitops.yaml
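Review bot: `verbs: ['*']` on `serviceaccounts` in a ClusterRole bound cluster-wide includes the `impersonate` verb, which lets the Argo CD application controller act as any ServiceAccount in the cluster (including ones bound to cluster-admin) — far more than reconciling the storage and pipeline namespaces needs. Enumerate the verbs instead (`verbs: [get, list, watch, create, update, patch, delete]`) and, since the Applications' destinations are the `tekton-results` and `pipeline-service` namespaces, prefer RoleBindings in those namespaces over a ClusterRoleBinding. A short comment on the ClusterRole explaining which resources the default openshift-gitops permissions failed to manage would let the next reviewer judge whether this grant is still required.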
@@ -7,7 +7,7 @@ metadata: annotations: argocd.argoproj.io/sync-wave: "0" spec: - channel: stable + channel: gitops-1.9 installPlanApproval: Automatic name: openshift-gitops-operator source: redhat-operators diff --git a/developer/openshift/reset.sh b/developer/openshift/reset.sh index 5d525cb27..e69c96a3a 100755 --- a/developer/openshift/reset.sh +++ b/developer/openshift/reset.sh @@ -109,9 +109,9 @@ check_if_argocd_app_was_removed() { local appName=$1 local numOfAttempts=$2 local i=0 - printf " Removing ArgoCD application '%s': " "$appName" - while [[ $(argocd app get "${appName}" 2>&1) != *"not found"* ]]; do - printf '.'; sleep 5; + printf "Removing ArgoCD application '%s': " "$appName" + while argocd app get "${appName}" >/dev/null 2>&1; do + printf '.'; sleep 10; i=$((i+1)) if [[ $i -eq "${numOfAttempts}" ]]; then printf "\n[ERROR] ArgoCD app %s was no deleted by timeout \n" "$appName" >&2 
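Review bot: `while argocd app get "${appName}" >/dev/null 2>&1; do` treats any non-zero exit as "application gone", whereas the replaced condition only stopped on a `not found` message; an expired `argocd login`, a network error or an RBAC denial now ends the loop immediately and prints ` OK` while the application still exists. Keep distinguishing the two cases, e.g. `while out="$(argocd app get "${appName}" 2>&1)" || [[ "$out" != *"not found"* ]]; do`, so that unrelated failures keep polling until the attempt limit reports an error instead of a false success. The rest of `check_if_argocd_app_was_removed` lies outside this hunk.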
@@ -123,37 +123,37 @@ check_if_argocd_app_was_removed() { printf " OK\n" } -uninstall_minio() { - printf "\n Uninstalling Minio Service:\n" - if argocd app get minio >/dev/null 2>&1; then +uninstall_pipeline_service_storage() { + printf "\nUninstalling Pipeline Service Storage:\n" + if argocd app get pipeline-service-storage >/dev/null 2>&1; then # If something went wrong(e.g. bad development changes) the ArgoCD sync operation can be very long or could hang. # In this case any other ArgoCD operation will be queued. # Therefore the 'delete' operation will not be executed in a timely manner. # Cancelling the sync operation speeds up the process. - argocd app terminate-op minio >/dev/null 2>&1 + argocd app terminate-op pipeline-service-storage >/dev/null 2>&1 - argocd app delete minio --yes + argocd app delete pipeline-service-storage --yes if [ -n "${RESET_HARD}" ]; then # Remove any finalizers that might inhibit deletion - if argocd app get minio >/dev/null 2>&1; then - kubectl patch applications.argoproj.io -n openshift-gitops minio --type json --patch='[ { "op": "remove", "path": "/metadata/finalizers" } ]' >/dev/null 2>&1 + if argocd app get pipeline-service-storage >/dev/null 2>&1; then + kubectl patch applications.argoproj.io -n openshift-gitops pipeline-service-storage --type json --patch='[ { "op": "remove", "path": "/metadata/finalizers" } ]' >/dev/null 2>&1 fi # Check if the Argo CD application has been indeed removed - if argocd app get minio >/dev/null 2>&1; then - printf "\n[ERROR] Couldn't uninstall Minio Argo CD application." >&2 + if argocd app get pipeline-service-storage >/dev/null 2>&1; then + printf "\n[ERROR] Couldn't uninstall Pipeline Service Storage Argo CD application." 
>&2 exit 1 fi - printf "\n Uninstalling Minio Operator:\n" - kubectl delete -k "$DEV_DIR/gitops/argocd/minio" --ignore-not-found=true + printf "\nUninstalling Pipeline Service Storage:\n" + kubectl delete -k "$DEV_DIR/gitops/argocd/pipeline-service-storage" --ignore-not-found=true else - check_if_argocd_app_was_removed "minio" 25 + check_if_argocd_app_was_removed "pipeline-service-storage" 100 fi - printf "\n Uninstalling Minio Operator:\n" + printf "\nRemoving Minio Operator:\n" minio_gitops_csv=$(kubectl get csv -n openshift-operators | grep -ie "minio-operator" | cut -d " " -f 1) if [[ -n "$minio_gitops_csv" ]]; then kubectl delete csv -n openshift-operators "$minio_gitops_csv" 
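Review bot: In the `RESET_HARD` branch, `kubectl delete -k "$DEV_DIR/gitops/argocd/pipeline-service-storage"` points at a directory whose `kustomization.yaml` this same commit deletes (see the diffstat and the deleted file above), so `kubectl -k` will fail with a missing-kustomization error rather than remove anything, and `--ignore-not-found=true` does not cover that. Point it at the kustomization that remains under `.../pipeline-service-storage/minio` and clean up the Helm-managed postgres resources separately, since that chart is now applied by Argo CD rather than by a manifest in this tree. The message `printf "\nUninstalling Pipeline Service Storage:\n"` is also printed twice on this path; the second presumably means `Removing Pipeline Service Storage manifests:`.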
@@ -162,21 +162,57 @@ uninstall_minio() { mapfile -t minio_crds < <(kubectl get crd -n openshift-operators | grep -iE "tenant" | cut -d " " -f 1) if [[ "${#minio_crds[@]}" -gt 0 ]]; then for crd in "${minio_crds[@]}"; do - printf "\n Delete crd %s\n" "$crd" + printf "\nDelete crd %s\n" "$crd" kubectl delete crd "$crd" done fi minio_operator=$(kubectl get operator | grep -ie "minio" | cut -d " " -f 1) if [[ -n "$minio_operator" ]]; then - printf "\n Delete operator cr %s\n" "$minio_operator" + printf "\nDelete operator cr %s\n" "$minio_operator" kubectl delete operator "$minio_operator" fi fi + + printf "\n[INFO] Pipeline-Service-Storage Argo CD application has been successfully removed.\n" +} + +uninstall_pipeline_service_monitoring() { + printf "\nUninstalling Pipeline Service Monitoring:\n" + if argocd app get pipeline-service-o11y >/dev/null 2>&1; then + + # If something went wrong(e.g. bad development changes) the ArgoCD sync operation can be very long or could hang. + # In this case any other ArgoCD operation will be queued. + # Therefore the 'delete' operation will not be executed in a timely manner. + # Cancelling the sync operation speeds up the process. + argocd app terminate-op pipeline-service-o11y >/dev/null 2>&1 + + argocd app delete pipeline-service-o11y --yes + + if [ -n "${RESET_HARD}" ]; then + # Remove any finalizers that might inhibit deletion + if argocd app get pipeline-service-o11y >/dev/null 2>&1; then + kubectl patch applications.argoproj.io -n openshift-gitops pipeline-service-o11y --type json --patch='[ { "op": "remove", "path": "/metadata/finalizers" } ]' >/dev/null 2>&1 + fi + + # Check if the Argo CD application has been indeed removed + if argocd app get pipeline-service-o11y >/dev/null 2>&1; then + printf "\n[ERROR] Couldn't uninstall Pipeline Service O11y Argo CD application." 
>&2 + exit 1 + fi + + printf "\nUninstalling Pipeline Service Monitoring:\n" + kubectl delete -k "$DEV_DIR/gitops/argocd/pipeline-service-o11y" --ignore-not-found=true + else + check_if_argocd_app_was_removed "pipeline-service-o11y" 100 + fi + fi + + printf "\n[INFO] Pipeline-Service-Monitoring Argo CD application has been successfully removed.\n" } uninstall_pipeline_service() { - printf "\n Uninstalling Pipeline Service:\n" + printf "\nUninstalling Pipeline Service:\n" # Remove pipeline-service Argo CD application if [ -z "$RESET_HARD" ]; then if ! argocd app get pipeline-service >/dev/null 2>&1; then @@ -185,6 +221,10 @@ uninstall_pipeline_service() { fi fi + # Remove tektonconfig and finalizers + argocd app delete-resource pipeline-service --orphan --force --kind "TektonConfig" --resource-name "config" >/dev/null 2>&1 + kubectl patch tektonconfigs.operator.tekton.dev config --type json --patch='[ { "op": "remove", "path": "/metadata/finalizers" } ]' >/dev/null 2>&1 + # If something went wrong(e.g. bad development changes) the ArgoCD sync operation can be very long or could hang. # In this case any other ArgoCD operation will be queued. # Therefore the 'delete' operation will not be executed in a timely manner. @@ -192,7 +232,7 @@ uninstall_pipeline_service() { argocd app terminate-op pipeline-service >/dev/null 2>&1 argocd app delete pipeline-service --yes - + if [ -n "$RESET_HARD" ]; then # Remove any finalizers that might inhibit deletion if argocd app get pipeline-service >/dev/null 2>&1; then 
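Review bot: `uninstall_pipeline_service_monitoring` is a near-verbatim copy of `uninstall_pipeline_service_storage` with the application name and directory substituted, so the two will drift the next time one of them is fixed (the storage variant already carries MinIO operator cleanup the o11y one lacks). Factor the shared terminate-op / delete / strip-finalizers / verify sequence into a helper such as `uninstall_argocd_app <app-name> <manifest-dir>` and call it from both, keeping the MinIO-specific cleanup in the storage function. Both functions also silence the `kubectl patch` finalizer removal with `>/dev/null 2>&1`, so a failed patch is indistinguishable from success until the later `argocd app get` check; a comment stating that this is the intended fallback would make that clear.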
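Review bot: The new `argocd app delete-resource ... --kind "TektonConfig"` and `kubectl patch tektonconfigs.operator.tekton.dev config ... remove /metadata/finalizers` run unconditionally, before the `RESET_HARD` check, so even a normal reset strips the operator's finalizer and skips the graceful teardown that `uninstallOpenshiftPipelines` below relies on ("deleting tektonconfig so that the 'tekton.dev' CRs are removed gracefully"), which can leave orphaned tekton.dev resources behind. Gate both commands on `if [ -n "$RESET_HARD" ]; then ... fi`, or add a comment explaining why the finalizer must be removed on every reset. Both commands also discard stderr, so a failure here is silent; at minimum log it.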
@@ -205,17 +245,17 @@ uninstall_pipeline_service() { exit 1 fi else - check_if_argocd_app_was_removed "pipeline-service" 40 + check_if_argocd_app_was_removed "pipeline-service" 100 fi # Remove pipeline-service-manager resources kubectl delete -k "$COMPUTE_DIR" --ignore-not-found=true - printf "\nPipeline-Service Argo CD application has been successfully removed.\n" + printf "\n[INFO] Pipeline-Service Argo CD application has been successfully removed.\n" } uninstall_operators_and_controllers(){ - printf "\n Uninstalling Openshift-GitOps Operator:\n" + printf "\nUninstalling Openshift-GitOps Operator:\n" kubectl delete -k "$DEV_DIR/operators/openshift-gitops" --ignore-not-found=true openshift_gitops_csv=$(kubectl get csv -n openshift-operators | grep -ie "openshift-gitops-operator" | cut -d " " -f 1) if [[ -n "$openshift_gitops_csv" ]]; then @@ -258,7 +298,7 @@ uninstall_operators_and_controllers(){ exit 1 fi - printf "\nGitops operator and Tekton controllers are successfully uninstalled.\n" + printf "\n[INFO] Gitops operator and Tekton controllers are successfully uninstalled.\n" } # ArgoCD installs openshift pipelines operator with "pipeline-service" ArgoCD application @@ -269,7 +309,7 @@ uninstall_operators_and_controllers(){ # We need to clean up these resources to make the certified CatalogSource healthy. # A CatalogSource with unhealthy status prevents installation of more operators. uninstallOpenshiftPipelines() { - printf "\n Uninstalling Openshift-Pipelines Operator:\n" + printf "\nUninstalling Openshift-Pipelines Operator:\n" # We start with deleting tektonconfig so that the 'tekton.dev' CRs are removed gracefully by it. kubectl delete tektonconfig config --ignore-not-found=true if [ -n "$RESET_HARD" ]; then @@ -312,7 +352,8 @@ uninstallOpenshiftPipelines() { main(){ parse_args "$@" prechecks - uninstall_minio + uninstall_pipeline_service_storage + uninstall_pipeline_service_monitoring uninstall_pipeline_service if [ -n "${RESET_HARD}" ]; then 
@@ -324,5 +365,5 @@ main(){ if [ "${BASH_SOURCE[0]}" == "$0" ]; then main "$@" - printf "[INFO] Uninstallation pipeline-service was completed.\n" + printf "\n[INFO] Uninstallation pipeline-service was completed.\n" fi diff --git a/operator/gitops/argocd/pipeline-service.yaml b/operator/gitops/argocd/pipeline-service.yaml index 891c1298f..c8ede383a 100644 --- a/operator/gitops/argocd/pipeline-service.yaml +++ b/operator/gitops/argocd/pipeline-service.yaml @@ -8,7 +8,7 @@ metadata: argocd.argoproj.io/sync-wave: "0" spec: destination: - namespace: openshift-gitops + namespace: pipeline-service server: https://kubernetes.default.svc source: path: operator/gitops/argocd/pipeline-service diff --git a/operator/images/access-setup/content/bin/setup_work_dir.sh b/operator/images/access-setup/content/bin/setup_work_dir.sh index 24601e634..e8bb0b762 100755 --- a/operator/images/access-setup/content/bin/setup_work_dir.sh +++ b/operator/images/access-setup/content/bin/setup_work_dir.sh 
@@ -172,23 +172,11 @@ tekton_chains_manifest(){ } tekton_results_manifest(){ - miniosecret="$(kubectl get secrets minio-storage-configuration -o name -n tekton-results --ignore-not-found)" - if [ -z "$miniosecret" ]; then - printf "Need to create tekton results manifests for DB and S3 \n" - else - printf "Tekton results secrets already in place, returning from tekton_results_manifest \n" - # create minimal kustomization.yaml so calling function does not need to check for the secret as well - mkdir -p "$manifests_dir/compute/tekton-results" - kubectl create namespace tekton-results --dry-run=client -o yaml > "$manifests_dir/compute/tekton-results/namespace.yaml" - yq e -n '.resources += ["namespace.yaml"]' > "$manifests_dir/compute/tekton-results/kustomization.yaml" - printf "OK\n" - return - fi - results_kustomize="$manifests_dir/compute/tekton-results/kustomization.yaml" results_namespace="$manifests_dir/compute/tekton-results/namespace.yaml" results_db_secret="$manifests_dir/compute/tekton-results/tekton-results-db-secret.yaml" results_s3_secret="$manifests_dir/compute/tekton-results/tekton-results-s3-secret.yaml" + results_minio_user="$manifests_dir/compute/tekton-results/tekton-results-minio-user.yaml" results_minio_config="$manifests_dir/compute/tekton-results/tekton-results-minio-config.yaml" if [ ! -e "$results_kustomize" ]; then results_dir="$(dirname "$results_kustomize")" 
@@ -207,38 +195,52 @@ tekton_results_manifest(){ fi kubectl create namespace tekton-results --dry-run=client -o yaml > "$results_namespace" + yq -n '.resources += ["namespace.yaml"]' > "$results_kustomize" - kubectl create secret generic -n tekton-results tekton-results-database \ + db_secret="$(kubectl get secret tekton-results-database -n tekton-results -o name --ignore-not-found)" + if [ -z "$db_secret" ]; then + echo 'Tekton Results database secrets not found, new secrets will be created' + kubectl create secret generic -n tekton-results tekton-results-database \ --from-literal=db.user="$TEKTON_RESULTS_DATABASE_USER" \ --from-literal=db.password="$TEKTON_RESULTS_DATABASE_PASSWORD" \ --from-literal=db.host="postgres-postgresql.tekton-results.svc.cluster.local" \ --from-literal=db.name="tekton_results" \ --dry-run=client -o yaml > "$results_db_secret" + yq -i '.resources += ["tekton-results-db-secret.yaml"]' "$results_kustomize" + fi - kubectl create secret generic -n tekton-results tekton-results-s3 \ - --from-literal=aws_access_key_id="$TEKTON_RESULTS_S3_USER" \ - --from-literal=aws_secret_access_key="$TEKTON_RESULTS_S3_PASSWORD" \ - --from-literal=aws_region='not-applicable' \ - --from-literal=bucket=tekton-results \ - --from-literal=endpoint='https://minio.tekton-results.svc.cluster.local' \ - -n tekton-results --dry-run=client -o yaml > "$results_s3_secret" + s3_secret="$(kubectl get secret tekton-results-s3 -n tekton-results -o name --ignore-not-found)" + if [ -z "$s3_secret" ]; then + echo 'Tekton Results S3 secrets not found, new secrets will be created' + kubectl create secret generic -n tekton-results tekton-results-s3 \ + --from-literal=aws_access_key_id="$TEKTON_RESULTS_S3_USER" \ + --from-literal=aws_secret_access_key="$TEKTON_RESULTS_S3_PASSWORD" \ + --from-literal=aws_region='not-applicable' \ + --from-literal=bucket=tekton-results \ + --from-literal=endpoint='http://minio.tekton-results.svc.cluster.local' \ + -n tekton-results --dry-run=client -o 
yaml > "$results_s3_secret" - cat < "$results_minio_config" + kubectl create secret generic -n tekton-results minio-user \ + --from-literal=CONSOLE_ACCESS_KEY="$TEKTON_RESULTS_S3_USER" \ + --from-literal=CONSOLE_SECRET_KEY="$TEKTON_RESULTS_S3_PASSWORD" \ + -n tekton-results --dry-run=client -o yaml > "$results_minio_user" + + cat < "$results_minio_config" apiVersion: v1 kind: Secret metadata: - name: minio-storage-configuration + name: minio-configuration namespace: tekton-results type: Opaque stringData: config.env: |- - export MINIO_ROOT_USER="$TEKTON_RESULTS_S3_USER" - export MINIO_ROOT_PASSWORD="$TEKTON_RESULTS_S3_PASSWORD" - export MINIO_STORAGE_CLASS_STANDARD="EC:2" + export MINIO_ROOT_USER="minio" + export MINIO_ROOT_PASSWORD="$(openssl rand -base64 20)" + export MINIO_STORAGE_CLASS_STANDARD="EC:1" export MINIO_BROWSER="on" EOF - - yq e -n '.resources += ["namespace.yaml", "tekton-results-db-secret.yaml", "tekton-results-s3-secret.yaml", "tekton-results-minio-config.yaml"]' > "$results_kustomize" + yq -i '.resources += ["tekton-results-s3-secret.yaml", "tekton-results-minio-user.yaml", "tekton-results-minio-config.yaml"]' "$results_kustomize" + fi fi printf "OK\n" } diff --git a/operator/images/cluster-setup/content/bin/install.sh b/operator/images/cluster-setup/content/bin/install.sh index f84d1bf0a..64e69cabc 100755 --- a/operator/images/cluster-setup/content/bin/install.sh +++ b/operator/images/cluster-setup/content/bin/install.sh @@ -139,7 +139,7 @@ install_clusters() { check_deployments "openshift-pipelines" "${tektonDeployments[@]}" | indent 4 resultsDeployments=("tekton-results-api" "tekton-results-watcher") check_deployments "tekton-results" "${resultsDeployments[@]}" | indent 4 - resultsStatefulsets=("postgres-postgresql" "storage-pool-0") + resultsStatefulsets=("postgres-postgresql" "minio-pool-0") check_statefulsets "tekton-results" "${resultsStatefulsets[@]}" | indent 4 printf -- "- Checking pods status for controlplane namespaces\n"
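Review bot: The `minio-user` and `minio-configuration` secrets are generated only inside `if [ -z "$s3_secret" ]`, i.e. when `tekton-results-s3` does not exist yet; on a cluster provisioned before this commit that secret already exists while the tenant's newly named `minio-configuration` (renamed here from `minio-storage-configuration`) and `minio-user` do not, so the MinIO tenant will reference secrets that are never created. Check each secret independently, or treat the absence of any one of `tekton-results-s3`, `minio-user` and `minio-configuration` as the trigger to regenerate all three together, since they must agree on the `tekton` credentials. Separately, the endpoint changes from `https://` to `http://minio.tekton-results.svc.cluster.local`, so S3 credentials and result payloads now cross the cluster network in plaintext; if that is accepted for the dev setup, record it next to the literal (`# plaintext on purpose: the dev MinIO tenant runs with requestAutoCert: false`).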