

6 Commits

17 changed files with 8 additions and 624 deletions


@ -1,18 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/instance: default
app.kubernetes.io/part-of: tekton-chains
name: chains-config
namespace: tekton-chains
data:
artifacts.taskrun.format: in-toto
artifacts.taskrun.storage: tekton
artifacts.taskrun.signer: x509
artifacts.pipelinerun.format: in-toto
artifacts.pipelinerun.storage: tekton
artifacts.pipelinerun.signer: x509
artifacts.oci.storage: tekton
artifacts.oci.signer: ""
builder.id: http://tekton.internal.jpace121.net


@ -1,8 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: feature-flags
namespace: tekton-pipelines
data:
enable-api-fields: "alpha"
enable-provenance-in-status: "true"


@ -418,7 +418,7 @@ On VM:
sudo hostnamectl set-hostname j7s-cluster sudo hostnamectl set-hostname j7s-cluster
sudo systemctl disable firewalld --now sudo systemctl disable firewalld --now
sudo su sudo su
export INSTALL_K3S_EXEC="server --disable traefik --flannel-backend=none --disable-network-policy --cluster-cidr 10.46.0.0/16 --service-cidr 10.47.0.0/16 --cluster-dns 10.47.0.10 --selinux" export INSTALL_K3S_EXEC="server --disable traefik --flannel-backend=none --disable-network-policy --cluster-cidr 10.46.0.0/16 --service-cidr 10.47.0.0/16 --cluster-dns 10.47.0.10 --selinux --resolv-conf /run/systemd/resolve/resolv.conf"
curl -sfL https://get.k3s.io | sh -s - curl -sfL https://get.k3s.io | sh -s -
exit exit
sudo cp /etc/rancher/k3s/k3s.yaml ~/j7s-cluster.yaml sudo cp /etc/rancher/k3s/k3s.yaml ~/j7s-cluster.yaml


@ -1,88 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: mosquitto-deployment
labels:
app: mosquitto
spec:
replicas: 1
selector:
matchLabels:
app: mosquitto
template:
metadata:
labels:
app: mosquitto
spec:
containers:
- name: mosquitto
image: 192.168.1.149:8443/mosquitto:0.0.7
args: ["-v", "-c", "/opt/mqtt/mosquitto.conf"]
volumeMounts:
- mountPath: /opt/mqtt
name: mosquitto-conf
ports:
- containerPort: 9000
name: websockets-port
- containerPort: 9001
name: mqtt-port
volumes:
- name: mosquitto-conf
configMap:
name: mosquitto-conf
---
apiVersion: v1
kind: Service
metadata:
name: mosquitto-service
spec:
selector:
app: mosquitto
type: LoadBalancer
ports:
- protocol: TCP
port: 9000
name: websockets-port
- protocol: TCP
port: 9001
name: mqtt-port
---
apiVersion: v1
kind: ConfigMap
metadata:
name: mosquitto-conf
data:
acl.yaml: |
default:
can_read: true
can_write: false
jimmy:
can_read: true
can_write: true
keys.yaml: |
default:
- /opt/mqtt/jpace121-key.pem
- /opt/mqtt/service-key.pem
mosquitto.conf: |
per_listener_settings false
allow_anonymous false
log_type all
auth_plugin /usr/lib/libj7s-plugin.so
auth_opt_key_file /opt/mqtt/keys.yaml
auth_opt_acl_file /opt/mqtt/acl.yaml
listener 9000
protocol websockets
listener 9001
protocol mqtt
service-key.pem: |
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9DBwMe+eHkYLfq076sFq75gepyaL4LQtX8qVlGjJCtLxV308L2d8XGC35VBxrIbx8Bs5sKT4e5s9suzO8FhGMQ==
-----END PUBLIC KEY-----
jpace121-key.pem: |
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEqdtuaoyDj8jCtgB9qfUMwDe//VLAF1HTXHTQ7OS8i/S3wjOC4YOHxRy9kYQ3LdE44r7kIX6DR8VLJ3srctQ0xw==
-----END PUBLIC KEY-----


@ -1,42 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: squid-deployment
labels:
app: squid
spec:
replicas: 1
selector:
matchLabels:
app: squid
template:
metadata:
labels:
app: squid
spec:
containers:
- name: squid
image: 192.168.1.149:8443/squid:0.3
volumeMounts:
- mountPath: /var/spool/squid
name: squid-volume
ports:
- containerPort: 3128
name: squid-port
volumes:
- name: squid-volume
emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
name: squid-service
spec:
selector:
app: squid
ports:
- protocol: TCP
targetPort: 3128
port: 3128
name: squid-port


@ -1,31 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: coredns
namespace: kube-system
data:
Corefile: |
.:53 {
errors
health
hosts {
192.168.1.128 tekton.internal.jpace121.net
192.168.1.128 k3s
192.168.1.128 harbor.internal.jpace121.net
192.168.1.135 k3s-node1
10.100.100.1 git.jpace121.net
fallthrough
}
ready
kubernetes cluster.local in-addr.arpa ip6.arpa {
pods insecure
fallthrough in-addr.arpa ip6.arpa
}
prometheus :9153
forward . /etc/resolv.conf
cache 30
reload
loadbalance
}
NodeHosts: |
#192.168.1.128 k3s

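--- /dev/null
+++ b/j7s-cluster/bootstrap.sh
@@ -0,0 +1,7 @@
+flux bootstrap git \
+--author-email=flux@internal.jpace121.net \
+--author-name=Flux \
+--context=j7s \
+--url=ssh://git@git.jpace121.net:2222/cd/flux-cluster.git \
+--branch=master \
+--path=clusters/j7s-cluster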
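Review bot: The new bootstrap.sh is marked executable but has no interpreter line and no error handling, so which shell runs it depends on the caller, and a failed `flux bootstrap` would not stop anything appended later; add `#!/usr/bin/env bash` and `set -euo pipefail` as the first two lines. Pinning `--context=j7s` is the right call, since it keeps a bootstrap that installs Flux and its git credentials into a cluster from landing on whatever kubeconfig context happens to be current. A short header comment stating what must exist before running it (the `cd/flux-cluster` repository reachable over SSH on port 2222, and presumably the write access Flux needs to commit its manifests and deploy key) would help whoever re-bootstraps the cluster. This is the whole file, so there is no enclosing function.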


@ -1,29 +0,0 @@
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: j7s-ansible-build
namespace: j7s-ci
spec:
workspaces:
- name: source
- name: ssh-directory
params:
- name: deploy
- name: ansible-file-path
steps:
- image: 192.168.1.149:8443/ansible-podman:latest
securityContext:
privileged: true
script: |
#!/usr/bin/env bash
set -ex
cp -r $(workspaces.ssh-directory.path) ~/.ssh
chmod 700 ~/.ssh
chmod -R 400 ~/.ssh/*
cd $(workspaces.source.path)
ansible-playbook -vvvv --skip-tags deploy -i $(params.ansible-file-path)/inventory.yaml $(params.ansible-file-path)/build.yaml
if [[ $(params.deploy) == "true" ]]; then
ansible-playbook -vvvv --tags deploy -i $(params.ansible-file-path)/inventory.yaml $(params.ansible-file-path)/build.yaml
fi


@ -1,84 +0,0 @@
---
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: j7s-buildah
namespace: j7s-ci
spec:
description: Build and push a container image.
params:
- name: registry
description: Registry to push to.
- name: name
description: Name of the image.
- name: version
description: Version for the image.
- name: containerfile
description: Path of the Containerfile relative to source.
workspaces:
- name: source
- name: cosign-credentials
steps:
- name: build
image: 192.168.1.149:8443/buildah:latest
workingDir: $(workspaces.source.path)
script: |
set -x
# Login
buildah login --tls-verify=false --username=$USERNAME --password=$PASSWORD $(params.registry)
mkdir ~/.sigstore
cp $(workspaces.cosign-credentials.path)/* ~/.sigstore
cat <<EOF > ~/.sigstore/param-file.yaml
privateKeyFile: "$HOME/.sigstore/cosign.key"
privateKeyPassphraseFile: "$HOME/.sigstore/cosign.password"
EOF
mkdir -p /etc/containers/registries.d/
cat <<EOF > /etc/containers/registries.d/james-registry.yaml
docker:
$(params.registry):
use-sigstore-attachments: true
EOF
# Build
buildah --storage-driver=overlay bud --tls-verify=false --no-cache \
-f $(params.containerfile) -t $(params.name):$(params.version) .
# Push
skopeo copy --dest-tls-verify=false --sign-by-sigstore=$HOME/.sigstore/param-file.yaml \
containers-storage:localhost/$(params.name):$(params.version) \
docker://$(params.registry)/$(params.name):$(params.version)
skopeo copy --dest-tls-verify=false --sign-by-sigstore=$HOME/.sigstore/param-file.yaml \
containers-storage:localhost/$(params.name):$(params.version) \
docker://$(params.registry)/$(params.name):latest
# Indicate results.
HASH=`skopeo inspect containers-storage:localhost/$(params.name):$(params.version) --format={{.Digest}}`
cat <<EOF > $(results.image-ARTIFACT_OUTPUTS.path)
{
"uri": "$(params.registry)/$(params.name):$(params.version)",
"digest": "$HASH"
}
env:
- name: USERNAME
valueFrom:
secretKeyRef:
name: registry-login-secret
key: username
- name: PASSWORD
valueFrom:
secretKeyRef:
name: registry-login-secret
key: password
volumeMounts:
- name: varlibcontainers
mountPath: /var/lib/containers
securityContext:
privileged: true
volumes:
- name: varlibcontainers
emptyDir: {}
results:
- name: image-ARTIFACT_OUTPUTS
type: object
properties:
uri:
type: string
digest:
type: string


@ -1,23 +0,0 @@
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: j7s-git-clone-hash
namespace: j7s-ci
spec:
workspaces:
- name: output
- name: ssh-directory
params:
- name: url
- name: hash
steps:
- image: 192.168.1.149:8443/gitssh:latest
script: |
set -x
cp -r $(workspaces.ssh-directory.path) ~/.ssh
chmod 700 ~/.ssh
chmod -R 400 ~/.ssh/*
git clone $(params.url) $(workspaces.output.path)
cd $(workspaces.output.path)
git checkout $(params.hash)


@ -1,21 +0,0 @@
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: j7s-git-clone
namespace: j7s-ci
spec:
workspaces:
- name: output
- name: ssh-directory
params:
- name: url
- name: branch
steps:
- image: 192.168.1.149:8443/gitssh:latest
script: |
set -x
cp -r $(workspaces.ssh-directory.path) ~/.ssh
chmod 700 ~/.ssh
chmod -R 400 ~/.ssh/*
git clone --single-branch --branch $(params.branch) $(params.url) $(workspaces.output.path)


@ -1,50 +0,0 @@
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: j7s-onedev-file-bug
namespace: j7s-ci
spec:
params:
- name: tekton-login-secret-name
- name: feedback-url
- name: project-id
- name: run-name
- name: status
steps:
- image: 192.168.1.149:8443/curl:latest
script: |
#!/usr/bin/env bash
set -e
function make_request {
cat <<EOF > request.json
{
"projectId": $(params.project-id),
"title": "Failed run: $(params.run-name).",
"description": "Build Failed!",
"confidential": false,
"milestoneIds": [],
"fields": {"Type": "Build Failure"}
}
EOF
}
case "$(params.status)" in
"Succeeded" | "Completed")
echo "Build was successful!"
;;
"Failed" | "None")
echo "Build failed. :("
make_request
curl -u tekton:$TEKTON_API_KEY \
-H "Content-Type: application/json" \
-d@request.json \
$(params.feedback-url)/~api/issues
;;
esac
env:
- name: TEKTON_API_KEY
valueFrom:
secretKeyRef:
name: $(params.tekton-login-secret-name)
key: accesstoken


@ -1,53 +0,0 @@
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: j7s-onedev-pr-review
namespace: j7s-ci
spec:
params:
- name: tekton-login-secret-name
- name: feedback-url
- name: pr-id
- name: run-name
- name: status
steps:
- image: 192.168.1.149:8443/curl:latest
script: |
#!/usr/bin/env bash
set -e
STATUS=""
case "$(params.status)" in
"Succeeded" | "Completed")
echo "Build was successful!"
STATUS="Sucess! :) "
;;
"Failed" | "None")
STATUS="Error! :( "
;;
esac
# Make a comment on the PR.
cat <<EOF > comment.json
{
"userId": $TEKTON_USER_ID,
"requestId": $(params.pr-id),
"date": "`date +"%Y-%m-%dT%H:%M:%S%:z"`",
"content": "$STATUS Tekton run: $(params.run-name)."
}
EOF
curl -u tekton:$TEKTON_API_KEY \
-H "Content-Type: application/json" \
-d@comment.json \
$(params.feedback-url)/~api/pull-request-comments
env:
- name: TEKTON_API_KEY
valueFrom:
secretKeyRef:
name: $(params.tekton-login-secret-name)
key: accesstoken
- name: TEKTON_USER_ID
valueFrom:
secretKeyRef:
name: $(params.tekton-login-secret-name)
key: userid


@ -1,53 +0,0 @@
---
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: j7s-os-buildah
namespace: j7s-ci
spec:
description: Build the deployment container image for j7s-os.
params:
- name: image
description: Reference of the image buildah will produce.
- name: commit
description: Repo directory to put inside the image.
- name: registry
description: Registry to push to.
- name: version
description: Version for the image.
workspaces:
- name: source
steps:
- name: build
image: quay.io/buildah/stable:v1.23.3
workingDir: $(workspaces.source.path)
script: |
set -x
# Login
buildah login --tls-verify=false --username=$USERNAME --password=$PASSWORD $(params.registry)
# Build
buildah --storage-driver=overlay bud --tls-verify=false --no-cache \
--build-arg commit=./$(params.commit) \
-f ./hosting/Dockerfile -t $(params.image):$(params.version) .
# Push
buildah --storage-driver=overlay push --tls-verify=false $(params.image) docker://$(params.registry)/$(params.image):$(params.version)
buildah --storage-driver=overlay push --tls-verify=false $(params.image) docker://$(params.registry)/$(params.image):latest
env:
- name: USERNAME
valueFrom:
secretKeyRef:
name: registry-login-secret
key: username
- name: PASSWORD
valueFrom:
secretKeyRef:
name: registry-login-secret
key: password
volumeMounts:
- name: varlibcontainers
mountPath: /var/lib/containers
securityContext:
privileged: true
volumes:
- name: varlibcontainers
emptyDir: {}


@ -1,22 +0,0 @@
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: j7s-os-image-build
namespace: j7s-ci
spec:
workspaces:
- name: source
params:
- name: image-name
results:
- name: version-string
steps:
- image: 192.168.1.149:8443/j7s-image-build:latest
securityContext:
privileged: true
script: |
set -x
sudo chown -R j7s:j7s $(workspaces.source.path)
cd $(workspaces.source.path)
make $(params.image-name)
echo -n `date +%Y%m%d%H%M`-`git describe --no-match --always --dirty` | tee $(results.version-string.path)


@ -1,45 +0,0 @@
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: j7s-os-k8s-deploy
namespace: j7s-ci
spec:
params:
- name: image
description: The image to deploy.
- name: version
description: The version of the image to deploy.
workspaces:
- name: ssh-directory
steps:
- name: update-with-flux
image: 192.168.1.149:8443/gitssh:latest
script: |
#!/usr/bin/env bash
set -x
cp -r $(workspaces.ssh-directory.path) ~/.ssh
chmod 700 ~/.ssh
chmod -R 400 ~/.ssh/*
git config --global user.name tekton
git config --global user.email tekton@internal.jpace121.net
git clone ssh://git.jpace121.net:2222/cd/flux-apps flux-apps
cd flux-apps
cat <<EOF > j7s-os-deploy/patch.yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: j7s-os-app-deployment
spec:
template:
spec:
containers:
- name: j7s-os-app
image: $(params.image):$(params.version)
EOF
git add ./j7s-os-deploy
git commit -m "Update j7s-os-deploy to version $(params.version)"
git push origin master


@ -1,56 +0,0 @@
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: j7s-ros-clone
namespace: j7s-ci
spec:
workspaces:
- name: output
- name: ssh-directory
params:
- name: url
- name: branch
- name: repos-file
results:
- name: workspace-git-commit-ARTIFACT_OUTPUTS
type: object
properties:
uri:
type: string
digest:
type: string
- name: vcs-exact-file-ARTIFACT_OUTPUTS
type: object
properties:
uri:
type: string
digest:
type: string
steps:
- image: 192.168.1.149:8443/vcs:latest
script: |
set -x
cp -r $(workspaces.ssh-directory.path) ~/.ssh
chmod 700 ~/.ssh
chmod -R 400 ~/.ssh/*
git clone --single-branch --branch $(params.branch) $(params.url) $(workspaces.output.path)
cd $(workspaces.output.path)
mkdir src
vcs import src < $(params.repos-file)
# Git hash is really sha1, rehashing to workaround Tekton bug.
GITHASH=`git rev-parse HEAD | sha256sum | cut -f 1 -d " "`
VCSEXACTHASH=`vcs export --exact ./src | sha256sum | cut -f 1 -d " "`
cat <<EOF > $(results.workspace-git-commit-ARTIFACT_OUTPUTS.path)
{
"uri": "$(params.url)",
"digest": "sha256:$GITHASH"
}
EOF
cat <<EOF > $(results.vcs-exact-file-ARTIFACT_OUTPUTS.path)
{
"uri": "vcs-exact-file",
"digest": "sha256:$VCSEXACTHASH"
}
EOF