SONAR-24154 NO-JIRA WIP trigger sonarqube CI #620

Closed
wants to merge 8 commits into from
Closed
5 changes: 4 additions & 1 deletion .cirrus.star
@@ -1,5 +1,8 @@
load("github.com/SonarSource/cirrus-modules@v3", "load_features")
load("cirrus", "env", "fs", "yaml")
load(".cirrus/tasks.star", "build_tasks")


def main(ctx):
return yaml.dumps(load_features(ctx)) + fs.read(".cirrus/tasks.yml")
tasks = build_tasks(ctx)
return yaml.dumps(load_features(ctx)) + tasks
20 changes: 18 additions & 2 deletions .cirrus/package.sh
Expand Up @@ -6,17 +6,33 @@ set -xeuo pipefail
: "${BUILD_NUMBER:?}"
: "${CIRRUS_BASE_BRANCH:=}"

[[ -n "${CIRRUS_BASE_BRANCH}" ]] && TARGET_BRANCH="${CIRRUS_BASE_BRANCH}" || TARGET_BRANCH="${CIRRUS_BRANCH}"
if [[ -n "${CIRRUS_BASE_BRANCH}" ]]; then
TARGET_BRANCH="${CIRRUS_BASE_BRANCH}"
else
TARGET_BRANCH="${CIRRUS_BRANCH}"
fi

PREVIOUS_RELEASE=$(gh api "/repos/{owner}/{repo}/releases" --jq "[.[] | select(.target_commitish==\"${TARGET_BRANCH}\")][1].tag_name")

[[ -z "${PREVIOUS_RELEASE}" ]] && CHARTS=("charts/sonarqube-dce" "charts/sonarqube") || CHARTS=$(ct list-changed --since "${PREVIOUS_RELEASE}" --target-branch "${TARGET_BRANCH}")
if [[ -z "${PREVIOUS_RELEASE}" ]]; then
CHARTS=("charts/sonarqube-dce" "charts/sonarqube")
else
# shellcheck disable=SC2178 # This will output a string, we will use it only in the for-loop, which will split it
CHARTS=$(ct list-changed --since "${PREVIOUS_RELEASE}" --target-branch "${TARGET_BRANCH}")
fi

# If there is a $1 argument, and it is contained in the CHARTS array, then we will only package that chart
ARG_CHART_NAME=${1:+charts/$1}
if [[ -n "${ARG_CHART_NAME}" ]] && [[ "${CHARTS[*]}" =~ ${ARG_CHART_NAME} ]]; then
CHARTS=("${ARG_CHART_NAME}")
fi

BUILD_METADATA="-${BUILD_NUMBER}"
[[ ${CIRRUS_RELEASE:-} != "" ]] && BUILD_METADATA=""

echo "${CHARTS[@]}"

# shellcheck disable=SC2068 # Because ct list-changed will return a string, we want the potential split here
for chart in ${CHARTS[@]}; do
_original_version=$(yq '.version' "${chart}"/Chart.yaml)
_new_version="${_original_version}${BUILD_METADATA}"
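Review bot: The chart-selection test on the `if [[ -n "${ARG_CHART_NAME}" ]] && [[ "${CHARTS[*]}" =~ ${ARG_CHART_NAME} ]]` line is a substring regex match, not a membership test, so `charts/sonarqube` matches the text `charts/sonarqube-dce` and `package.sh sonarqube` narrows CHARTS to a chart that `ct list-changed` did not report as changed. Since the script already relies on word-splitting CHARTS in the packaging loop (the shellcheck-disabled `for chart in ${CHARTS[@]}`), the same split gives an exact comparison: `for chart in ${CHARTS[@]}; do` / `    if [[ "${chart}" == "${ARG_CHART_NAME}" ]]; then CHARTS=("${ARG_CHART_NAME}"); break; fi` / `done`, keeping the existing SC2068 disable comment above it. The unquoted right-hand side also means any regex metacharacters in `$1` are interpreted, which the exact comparison avoids. The script continues past the end of this hunk.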
39 changes: 31 additions & 8 deletions .cirrus/sign_chart.sh
@@ -1,13 +1,36 @@
#!/bin/sh
#!/bin/bash

set -euo pipefail

echo $SONARSOURCE_SIGN_KEY_PASSPHRASE | gpg --batch --yes --passphrase-fd 0 --import /tmp/key
: "${SONARSOURCE_SIGN_KEY_PASSPHRASE:?}"
: "${CIRRUS_WORKING_DIR:?}"

CURRENT_DIR=$(pwd)
# If there is a $1 argument, treat it as the chart to sign by looking for $1*.tgz* files
# Otherwise, look for all *.tgz* files in the working directory
CHART_TO_SIGN=${1:-}
NAME_GLOB="*.tgz*"
if [[ -n "${CHART_TO_SIGN}" ]]; then
NAME_GLOB="${CHART_TO_SIGN}-[0-9]*.tgz*"
fi

for chart in $(find $CIRRUS_WORKING_DIR -maxdepth 1 -name "*.tgz*" -type f -exec basename "{}" ";"); do
cd $CIRRUS_WORKING_DIR
echo $SONARSOURCE_SIGN_KEY_PASSPHRASE | gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 --output $chart.asc --detach-sig $chart
cd $CURRENT_DIR
done
find_charts=$(find "${CIRRUS_WORKING_DIR}" -maxdepth 1 -name "${NAME_GLOB}" -type f -exec basename "{}" ";" || exit 1)

CHART_TO_SIGN=()
while IFS= read -r chart; do
CHART_TO_SIGN+=("${chart}")
done <<< "${find_charts}"

if [[ ${#CHART_TO_SIGN[@]} -eq 0 ]]; then
echo "No charts found to sign."
exit 1
fi

# Debugging: Print the charts to be signed
echo "Charts to sign: ${CHART_TO_SIGN[*]}"

echo "${SONARSOURCE_SIGN_KEY_PASSPHRASE}" | gpg --batch --yes --passphrase-fd 0 --import /tmp/key

for chart in "${CHART_TO_SIGN[@]}"; do
echo "Signing ${chart}"
echo "${SONARSOURCE_SIGN_KEY_PASSPHRASE}" | gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 --output "${chart}.asc" --detach-sig "${chart}"
done
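Review bot: The "No charts found to sign." guard never fires, because when `find` matches nothing the `while IFS= read -r chart ... done <<< "${find_charts}"` loop still reads one empty line from the here-string and leaves CHART_TO_SIGN with a single empty element, so the script proceeds to call gpg with an empty path. The `|| exit 1` inside the command substitution also only exits that subshell; under `set -e` a failing `find` in an assignment already aborts the script, so it adds nothing. Replacing the `find_charts` assignment and the read loop with `mapfile -t CHART_TO_SIGN < <(find "${CIRRUS_WORKING_DIR}" -maxdepth 1 -name "${NAME_GLOB}" -type f -exec basename "{}" ";")` yields an empty array on no match and makes the `${#CHART_TO_SIGN[@]} -eq 0` check meaningful. Note that both globs (`*.tgz*` and `${CHART_TO_SIGN}-[0-9]*.tgz*`) also match already-produced `.tgz.asc` files, so a re-run in a directory that still holds signatures would sign the signatures; anchoring the glob on `.tgz` (without the trailing `*`) would avoid that if the cache can contain them.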
16 changes: 16 additions & 0 deletions .cirrus/tasks.star
@@ -0,0 +1,16 @@
load("cirrus", "fs")


def build_tasks(ctx):
tasks_env = fs.read(".cirrus/tasks_env.yml")
tasks_templates = fs.read(".cirrus/tasks_templates.yml")
tasks = fs.read(".cirrus/tasks.yml")
tasks += fs.read(".cirrus/tasks_sonarqube.yml")
tasks += fs.read(".cirrus/tasks_sonarqube_dce.yml")
tasks += fs.read(".cirrus/tasks_gcp_marketplace.yml")

# The release task depends on some sonarqube and sonarqube_dce tasks,
# therefore it MUST be loaded AFTER tasks_sonarqube.yml and tasks_sonarqube_dce.yml
tasks += fs.read(".cirrus/tasks_release.yml")

return tasks_env + tasks_templates + tasks
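Review bot: `build_tasks` has no docstring and the only ordering constraint it documents is the release-task one, while the whole function depends on a stronger invariant: the fragments are concatenated as raw text into a single YAML document, so every fragment must be a top-level mapping without `---` markers, and the anchors that the old tasks.yml defined (for example `&CONTAINER_TEMPLATE`, `&VM_TEMPLATE`, `&CLONE_SCRIPT_TEMPLATE`), which presumably now live in tasks_templates.yml, must precede every fragment that aliases them. A docstring stating that the return value is the concatenation of `.cirrus/tasks_env.yml`, `.cirrus/tasks_templates.yml` and the task fragments in that order, that each file must be an anchor-before-alias YAML fragment, and that tasks_release.yml must come after the sonarqube fragments it `depends_on`, would make the contract explicit for anyone adding a fragment. Moving the existing two-line comment into that docstring keeps the ordering rules in one place.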
267 changes: 5 additions & 262 deletions .cirrus/tasks.yml
@@ -1,144 +1,6 @@
env:
### Shared variables
NIGHTLY_CRON: 'nightly-cron'
DOCKER_USERNAME: VAULT[development/kv/data/docker/sonardockerrw data.username]
DOCKER_PASSWORD: VAULT[development/kv/data/docker/sonardockerrw data.access_token_rwd]
KUBE_VERSION: 1.32.0
DOCKER_GCLOUD_SA_KEY: VAULT[development/team/sonarqube/kv/data/gcp-marketplace-registry-staging data.key]
GCLOUD_REGISTRY: gcr.io/sonarqube-marketplace-provider # This is the staging registry
GCLOUD_PRODUCT_NAME: sonarqube-dce-staging # This is the staging product name
GCLOUD_TAG: 10.8.1
ROSA_OPENSHIFT_URL: VAULT[development/team/sonarqube/kv/data/rosa-openshift data.url]
ROSA_OPENSHIFT_USER: VAULT[development/team/sonarqube/kv/data/rosa-dev data.username]
ROSA_OPENSHIFT_PASSWORD: VAULT[development/team/sonarqube/kv/data/rosa-dev data.password]



except_nightly_cron: &EXCEPT_ON_NIGHTLY_CRON
only_if: $CIRRUS_CRON != $NIGHTLY_CRON

except_external_pr_or_cron: &EXCEPT_ON_PR_OR_CRON
only_if: $CIRRUS_PRERELEASE != "true" && $CIRRUS_PR == "" && $CIRRUS_CRON != $NIGHTLY_CRON

only_on_non_release_draft_template: &ONLY_ON_NON_RELEASE_DRAFT_TEMPLATE
only_if: $CIRRUS_PRERELEASE != "true"

docker_build_container_template: &CONTAINER_TEMPLATE
dockerfile: .cirrus/Dockerfile
docker_arguments:
CIRRUS_AWS_ACCOUNT: ${CIRRUS_AWS_ACCOUNT}
cluster_name: ${CIRRUS_CLUSTER_NAME}
builder_role: cirrus-builder
builder_image: docker-builder-v*
builder_instance_type: t2.small
region: eu-central-1
namespace: default
cpu: 1
memory: 1Gb

container_template: &STD_CONTAINER_TEMPLATE
image: ${CIRRUS_AWS_ACCOUNT}.dkr.ecr.eu-central-1.amazonaws.com/base:j11-latest
cluster_name: ${CIRRUS_CLUSTER_NAME}
region: eu-central-1
namespace: default
cpu: 1
memory: 1Gb

vm_instance_template: &VM_TEMPLATE
image: docker-builder-v*
type: t2.xlarge
region: eu-central-1
cpu: 4
memory: 16Gb

clone_script_template: &CLONE_SCRIPT_TEMPLATE
clone_script: |
if [ -z "$CIRRUS_PR" ]; then
git clone --recursive --branch=$CIRRUS_BRANCH https://github.com/${CIRRUS_REPO_FULL_NAME}.git $CIRRUS_WORKING_DIR
git reset --hard $CIRRUS_CHANGE_IN_REPO
else
git clone --recursive https://github.com/${CIRRUS_REPO_FULL_NAME}.git $CIRRUS_WORKING_DIR
git fetch origin pull/$CIRRUS_PR/head:pull/$CIRRUS_PR
git reset --hard $CIRRUS_CHANGE_IN_REPO
fi

build_gcp_app_template: &BUILD_GCP_APP_TEMPLATE
ec2_instance:
<<: *VM_TEMPLATE
login_to_gcr_script:
- export DOCKER_GCLOUD_PASSWORD=$(echo ${DOCKER_GCLOUD_SA_KEY} | base64 -d)
- docker login -u _json_key -p "$DOCKER_GCLOUD_PASSWORD" https://${GCLOUD_REGISTRY}
install_helm_script:
- curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3
- chmod 700 get_helm.sh
- ./get_helm.sh
helm_dependency_build_script:
- ./.cirrus/build_chart_dependencies.sh charts/sonarqube-dce
tag_and_promote_script:
- export CURRENT_MINOR_VERSION=$(echo ${GCLOUD_TAG} | cut -d '.' -f 1,2)
- docker build -f google-cloud-marketplace-k8s-app/Dockerfile --build-arg REGISTRY=${GCLOUD_REGISTRY} --build-arg TAG=${GCLOUD_TAG} --tag ${GCLOUD_REGISTRY}/${GCLOUD_PRODUCT_NAME}/deployer:${CURRENT_MINOR_VERSION} .
- docker tag ${GCLOUD_REGISTRY}/${GCLOUD_PRODUCT_NAME}/deployer:${CURRENT_MINOR_VERSION} ${GCLOUD_REGISTRY}/${GCLOUD_PRODUCT_NAME}/deployer:${GCLOUD_TAG}
- docker push ${GCLOUD_REGISTRY}/${GCLOUD_PRODUCT_NAME}/deployer:${GCLOUD_TAG}
- docker push ${GCLOUD_REGISTRY}/${GCLOUD_PRODUCT_NAME}/deployer:${CURRENT_MINOR_VERSION}

build_gcp_staging_app_task:
<<: *BUILD_GCP_APP_TEMPLATE
only_if: $TRIGGER == "PUSH_STAGING_DEPLOYER" || $TRIGGER == "PUSH_PROD_DEPLOYER" || $BRANCH == "master"
env:
GCLOUD_PRODUCT_NAME: sonarqube-dce-staging

verify_gcp_app_template: &VERIFY_GCP_APP_TEMPLATE
only_if: $TRIGGER == "PUSH_STAGING_DEPLOYER" || $BRANCH == "master"
env:
BASE_FOLDER: "/root/.gcp/cache"
PATH: "${BASE_FOLDER}:${BASE_FOLDER}/google-cloud-sdk/bin:${PATH}"
KUBE_CONFIG: "/tmp/kubeconfig"
KUBECONFIG: "${KUBE_CONFIG}"
HOME: "/tmp"
GCLOUD_CLI_VERSION: 495.0.0
MPDEV_VERSION: 0.12.4
gcp_cache:
folder: ${BASE_FOLDER}
fingerprint_script: echo "${GCLOUD_CLI_VERSION}+${MPDEV_VERSION}"
populate_script:
- ./.cirrus/setup.sh
ec2_instance:
<<: *VM_TEMPLATE
login_script:
- echo ${DOCKER_GCLOUD_SA_KEY} | base64 -d > /tmp/key.json
- gcloud auth activate-service-account cirrusciservice@sonarqube-marketplace-provider.iam.gserviceaccount.com --key-file /tmp/key.json --project=sonarqube-marketplace-provider
- gcloud auth configure-docker gcr.io --quiet
- gcloud container clusters get-credentials sonarqube-marketplace-staging-standard --zone=europe-west1-b --project=sonarqube-marketplace-provider
verify_script:
- kubectl get pods
- mpdev verify --deployer=$GCLOUD_REGISTRY/$GCLOUD_PRODUCT_NAME/deployer:$GCLOUD_TAG --wait_timeout=1200 --parameters='{"name":"${GCLOUD_PRODUCT_NAME}-cirrus-test", "namespace":"test-cirrus","ApplicationNodes.jwtSecret":"dZ0EB0KxnF++nr5+4vfTCaun/eWbv6gOoXodiAMqcFo=", "postgresql.enabled":true, "jdbcOverwrite.enabled":false }'
depends_on:
- build_gcp_staging_app

verify_gcp_staging_app_task:
<<: *VERIFY_GCP_APP_TEMPLATE
only_if: $TRIGGER == "PUSH_STAGING_DEPLOYER" || $TRIGGER == "PUSH_PROD_DEPLOYER" || $BRANCH == "master"
env:
GCLOUD_PRODUCT_NAME: sonarqube-dce-staging
depends_on:
- build_gcp_staging_app

chart_static_compatibility_test_task:
<<: *ONLY_ON_NON_RELEASE_DRAFT_TEMPLATE
timeout_in: 30m
eks_container:
<<: *CONTAINER_TEMPLATE
cpu: 1
memory: 1Gb
<<: *CLONE_SCRIPT_TEMPLATE
script:
- ./.cirrus/build_chart_dependencies.sh charts/sonarqube
- ./.cirrus/unit_helm_compatibility_test.sh sonarqube
- ./.cirrus/build_chart_dependencies.sh charts/sonarqube-dce
- ./.cirrus/unit_helm_compatibility_test.sh sonarqube-dce

chart_fixture_test_task:
<<: *ONLY_ON_NON_RELEASE_DRAFT_TEMPLATE
skip: "!changesInclude('charts/**/*', '.cirrus/*')"
timeout_in: 30m
eks_container:
<<: *CONTAINER_TEMPLATE
Expand All @@ -153,6 +15,7 @@ chart_fixture_test_task:

chart_testing_on_kind_task:
<<: *ONLY_ON_NON_RELEASE_DRAFT_TEMPLATE
skip: "!changesInclude('charts/**/*', '.cirrus/*')"
timeout_in: 1h
ec2_instance:
<<: *VM_TEMPLATE
Expand All @@ -162,7 +25,7 @@ chart_testing_on_kind_task:
- kind create cluster
- kubectl cluster-info --context kind-kind
- kubectl get nodes
- kubectl create namespace test --dry-run=client -o yaml | kubectl apply -f -
- kubectl create namespace test --dry-run=client -o yaml | kubectl apply -f -
- kubectl create secret docker-registry pullsecret --namespace test --docker-username=${DOCKER_USERNAME} --docker-password=${DOCKER_PASSWORD} --dry-run=client -o yaml | kubectl apply -f -
script:
- ct lint --config test.yaml --all
Expand All @@ -172,125 +35,5 @@ chart_testing_on_kind_task:
artifacthub_lint_script:
- ah lint
depends_on:
- chart_static_compatibility_test

chart_testing_on_openshift_task:
<<: *ONLY_ON_NON_RELEASE_DRAFT_TEMPLATE
timeout_in: 1h
eks_container:
<<: *CONTAINER_TEMPLATE
cpu: 2
memory: 4Gb
authenticate_to_openshift_script:
- ./.cirrus/openshift_auth.sh
matrix:
- name: chart_testing_on_openshift_sonarqube
env:
- VERIFYING_CHART: sonarqube
- name: chart_testing_on_openshift_sonarqube_dce
env:
- VERIFYING_CHART: sonarqube-dce
setup_script:
- oc new-project "${VERIFYING_CHART}" --display-name="Test Project" --description="This is a test project for testing ${VERIFYING_CHART} from Cirrus" || oc project "${VERIFYING_CHART}"
- kubectl create secret docker-registry pullsecret --namespace "${VERIFYING_CHART}" --docker-username=${DOCKER_USERNAME} --docker-password=${DOCKER_PASSWORD} --dry-run=client -o yaml | kubectl apply -f -
- ./.cirrus/build_chart_dependencies.sh charts/"${VERIFYING_CHART}"
- chart-verifier version
script:
- mkdir -p "$(pwd)/report-${VERIFYING_CHART}"
- chart-verifier verify charts/"${VERIFYING_CHART}" --helm-install-timeout 20m -F charts/"${VERIFYING_CHART}"/openshift-verifier/values.yaml -n "${VERIFYING_CHART}" --openshift-version 4.16 > "$(pwd)/report-${VERIFYING_CHART}/report.yaml"
verifier_report_artifacts:
path: "report-*/*.yaml"
check_violations_script:
- cat "report-${VERIFYING_CHART}/report.yaml" | ./.cirrus/verify_openshift.sh
always:
cleanup_script:
- oc delete project "${VERIFYING_CHART}"
depends_on:
- chart_static_compatibility_test

chart_packaging_task:
<<: *ONLY_ON_NON_RELEASE_DRAFT_TEMPLATE
timeout_in: 15m
eks_container:
<<: *CONTAINER_TEMPLATE
cpu: 2
memory: 1Gb
<<: *CLONE_SCRIPT_TEMPLATE
environment_cache:
folder: ${CIRRUS_WORKING_DIR}/*.tgz*
fingerprint_script: echo $CIRRUS_BUILD_ID
env:
GITHUB_TOKEN: VAULT[development/github/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-releases token]
SONARSOURCE_SIGN_KEY: VAULT[development/kv/data/sign data.key]
SONARSOURCE_SIGN_KEY_ID: VAULT[development/kv/data/sign data.key_id]
SONARSOURCE_SIGN_KEY_PASSPHRASE: VAULT[development/kv/data/sign data.passphrase]
key_file:
path: /tmp/key
variable_name: SONARSOURCE_SIGN_KEY
script:
- source cirrus-env BUILD
- helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
- helm repo add bitnami-pre2022 https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami
- helm repo update
- ./.cirrus/package.sh
- ./.cirrus/sign_chart.sh
depends_on:
- chart_testing_on_kind
- chart_testing_on_openshift_sonarqube
- chart_testing_on_openshift_sonarqube_dce

push_to_repox_task:
<<: *EXCEPT_ON_PR_OR_CRON
timeout_in: 15m
eks_container:
<<: *STD_CONTAINER_TEMPLATE
cpu: 1
memory: 1Gb
<<: *CLONE_SCRIPT_TEMPLATE
environment_cache:
folder: ${CIRRUS_WORKING_DIR}/*.tgz*
fingerprint_script: echo $CIRRUS_BUILD_ID
env:
ARTIFACTORY_URL: VAULT[development/kv/data/repox data.url]
ARTIFACTORY_ACCESS_TOKEN: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-qa-deployer access_token]
script:
- source cirrus-env ""
- ./.cirrus/upload_chart.sh
depends_on:
- chart_packaging

trigger_release_task:
timeout_in: 15m
eks_container:
<<: *STD_CONTAINER_TEMPLATE
cpu: 1
memory: 1Gb
only_if: $CIRRUS_PRERELEASE != "true" && $CIRRUS_RELEASE != ""
<<: *CLONE_SCRIPT_TEMPLATE
stateful: 'true'
environment_cache:
folder: ${CIRRUS_WORKING_DIR}/*.tgz*
fingerprint_script: echo $CIRRUS_BUILD_ID
env:
GITHUB_TOKEN: VAULT[development/github/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-releases token]
SLACK_TOKEN: VAULT[development/kv/data/slack data.token]
gh_action_script: |
source cirrus-env RELEASE
CHARTS=$(find $CIRRUS_WORKING_DIR -maxdepth 1 -name "*.tgz*" -type f -exec basename "{}" ";")
[[ "x$CHARTS" == "x" ]] && exit 0
gh workflow run release.yml -f version=$CIRRUS_TAG -f buildNumber=$BUILD_NUMBER
depends_on:
- chart_packaging
- push_to_repox
on_failure:
slack_notification_script:
- ./.cirrus/slack-notification.sh

release_gcp_prod_app_task:
<<: *BUILD_GCP_APP_TEMPLATE
only_if: $TRIGGER == "PUSH_PROD_DEPLOYER"
env:
GCLOUD_REGISTRY: gcr.io/sonarsource-public
GCLOUD_PRODUCT_NAME: official-sonarqube-data-center-edition
depends_on:
- verify_gcp_staging_app
- sonarqube_chart_static_compatibility_test
- sonarqube_dce_chart_static_compatibility_test
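Review bot: The new `skip: "!changesInclude('charts/**/*', '.cirrus/*')"` on chart_fixture_test_task and chart_testing_on_kind_task does not cover `.cirrus.star` at the repository root, which this very PR modifies and which now assembles the task YAML via `.cirrus/tasks.star`; a change that only touches `.cirrus.star` would skip the chart tests even though it can alter every task definition. Adding the root file, `skip: "!changesInclude('charts/**/*', '.cirrus/*', '.cirrus.star')"`, closes that gap; the same applies at both occurrences. Separately, the renamed `depends_on` entries `sonarqube_chart_static_compatibility_test` and `sonarqube_dce_chart_static_compatibility_test` reference tasks not defined in this file, so they presumably come from the tasks_sonarqube.yml and tasks_sonarqube_dce.yml fragments read by `build_tasks`; a one-line comment above the `depends_on` naming where those tasks live would help readers of this now-partial file.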