ROX-17123, ROX-19217: Move GKEs to a RH project (#963)

stackrox · Sep 21, 2023 · 24d14df · 24d14df
1 parent e7ce554
commit 24d14df
Show file tree

Hide file tree

Showing 12 changed files with 58 additions and 84 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,8 +8,9 @@ Please avoid adding duplicate information across this changelog and JIRA/doc inp
 
 ## [NEXT RELEASE]
 
-## [0.7.12]
+## [0.8.0]
 
+- Switch GKE based flavors (gke-default, demo, qa-demo) to use a RH project (ROX-17123,ROX-19217)
 - CLI: Add client-side cluster name validation
 - Bump demo flavors to 4.2.0
 

diff --git a/chart/infra-server/static/flavors.yaml b/chart/infra-server/static/flavors.yaml
@@ -139,7 +139,7 @@
       value: ""
       kind: optional
       help: |
-        e.g. 1.19.12-gke.2100. Use 'gcloud container get-server-config --zone=us-central1 --project srox-temp-dev-test' to see all versions.
+        e.g. 1.19.12-gke.2100. Use 'gcloud container get-server-config --zone=us-central1 --project acs-team-temp-dev' to see all versions.
 
     - name: pod-security-policy
       description: Enable pod security policy

diff --git a/chart/infra-server/static/workflow-demo.yaml b/chart/infra-server/static/workflow-demo.yaml
@@ -78,10 +78,10 @@ spec:
             path: /certs/cert.pem
             gcs:
               bucket: sr-demo-files
-              key: certs/demo.stackrox.com/privkey-plus-fullchain.pem
+              key: certs/demos.rox.systems/privkey-plus-fullchain.pem
               serviceAccountKeySecret:
                 name: google-credentials-demo
-                key: google-credentials.json
+                key: read-certs-google-credentials.json
       outputs:
         artifacts:
           - name: kubeconfig
@@ -106,13 +106,19 @@ spec:
             archive:
               none: {}
 
+          - name: admin-password
+            path: /data/central/password
+            optional: true
+            archive:
+              none: {}
+
           - name: SSH_ACCESS
             path: /data/SSH_ACCESS.md
             archive:
               none: {}
 
       container:
-        image: quay.io/stackrox-io/ci:automation-flavors-demo-0.7.11
+        image: quay.io/stackrox-io/ci:automation-flavors-demo-0.8.0
         imagePullPolicy: Always
         command:
           - /usr/bin/entrypoint
@@ -121,8 +127,8 @@ spec:
           - "--name={{workflow.parameters.name}}"
           - "--main-image={{workflow.parameters.main-image}}"
           - "--central-db-image={{workflow.parameters.central-db-image}}"
-          - --gcp-project=srox-temp-sales-demos
-          - --dns-gcp-project=ultra-current-825
+          - --gcp-project=acs-team-temp-dev
+          - --dns-gcp-project=acs-team-temp-dev
           - --creation-source=infra
           - --k8s-version={{workflow.parameters.k8s-version}}
           - --enable-psps={{workflow.parameters.enable-psps}}
@@ -131,8 +137,8 @@ spec:
             mountPath: /tmp/google-credentials.json
             subPath: google-credentials.json
           - name: credentials
-            mountPath: /tmp/google-scanner-credentials.json
-            subPath: google-scanner-credentials.json
+            mountPath: /tmp/image-read-google-credentials.json
+            subPath: image-read-google-credentials.json
         env:
           - name: QUAY_RHACS_ENG_RO_USERNAME
             valueFrom:
@@ -154,25 +160,15 @@ spec:
               secretKeyRef:
                 name: demo-secrets
                 key: STACKROX_IO_PASSWORD
-          - name: AUTH_CLIENT_ID
-            valueFrom:
-              secretKeyRef:
-                name: demo-secrets
-                key: AUTH_CLIENT_ID
-          - name: AUTH_DOMAIN
-            valueFrom:
-              secretKeyRef:
-                name: demo-secrets
-                key: AUTH_DOMAIN
           - name: SLACK_WEBHOOK
             valueFrom:
               secretKeyRef:
                 name: demo-secrets
                 key: SLACK_WEBHOOK
           - name: GCP_CLOUD_DNS_ZONE_NAME
-            value: "demo-stackrox-com"
+            value: "demos-rox-systems"
           - name: DOMAIN_NAME
-            value: "demo.stackrox.com"
+            value: "demos.rox.systems"
 
     - name: wait
       suspend: {}
@@ -188,7 +184,7 @@ spec:
             path: /data/tfvars
             optional: true
       container:
-        image: quay.io/stackrox-io/ci:automation-flavors-demo-0.7.11
+        image: quay.io/stackrox-io/ci:automation-flavors-demo-0.8.0
         imagePullPolicy: Always
         command:
           - /usr/bin/entrypoint

diff --git a/chart/infra-server/static/workflow-gke-default.yaml b/chart/infra-server/static/workflow-gke-default.yaml
@@ -69,7 +69,7 @@ spec:
           - "--name={{workflow.parameters.name}}"
           - "--nodes={{workflow.parameters.nodes}}"
           - "--machine-type={{workflow.parameters.machine-type}}"
-          - --gcp-project=srox-temp-dev-test
+          - --gcp-project=acs-team-temp-dev
           - --creation-source=infra
           - --k8s-version={{workflow.parameters.k8s-version}}
           - --pod-security-policy={{workflow.parameters.pod-security-policy}}
@@ -92,7 +92,7 @@ spec:
         args:
           - destroy
           - "--name={{workflow.parameters.name}}"
-          - --gcp-project=srox-temp-dev-test
+          - --gcp-project=acs-team-temp-dev
           - --gcp-zone={{workflow.parameters.gcp-zone}}
         volumeMounts:
           - name: credentials

diff --git a/chart/infra-server/static/workflow-qa-demo.yaml b/chart/infra-server/static/workflow-qa-demo.yaml
@@ -29,7 +29,7 @@ spec:
   volumes:
     - name: credentials
       secret:
-        secretName: google-credentials-qa-demo
+        secretName: google-credentials-demo
 
   templates:
     - name: start
@@ -85,10 +85,10 @@ spec:
             path: /certs/cert.pem
             gcs:
               bucket: sr-demo-files
-              key: certs/demo.stackrox.com/privkey-plus-fullchain.pem
+              key: certs/demos.rox.systems/privkey-plus-fullchain.pem
               serviceAccountKeySecret:
                 name: google-credentials-demo
-                key: google-credentials.json
+                key: read-certs-google-credentials.json
 
       outputs:
         artifacts:
@@ -110,13 +110,19 @@ spec:
             path: /data/url
             optional: true
 
+          - name: admin-password
+            path: /data/central/password
+            optional: true
+            archive:
+              none: {}
+
           - name: SSH_ACCESS
             path: /data/SSH_ACCESS.md
             archive:
               none: {}
 
       container:
-        image: quay.io/stackrox-io/ci:automation-flavors-demo-0.7.11
+        image: quay.io/stackrox-io/ci:automation-flavors-demo-0.8.0
         imagePullPolicy: Always
         command:
           - /usr/bin/entrypoint
@@ -127,8 +133,8 @@ spec:
           - "--scanner-image={{workflow.parameters.scanner-image}}"
           - "--scanner-db-image={{workflow.parameters.scanner-db-image}}"
           - "--central-db-image={{workflow.parameters.central-db-image}}"
-          - --gcp-project=srox-temp-dev-test
-          - --dns-gcp-project=ultra-current-825
+          - --gcp-project=acs-team-temp-dev
+          - --dns-gcp-project=acs-team-temp-dev
           - --creation-source=infra
           - --k8s-version={{workflow.parameters.k8s-version}}
           - --enable-psps={{workflow.parameters.enable-psps}}
@@ -137,8 +143,8 @@ spec:
             mountPath: /tmp/google-credentials.json
             subPath: google-credentials.json
           - name: credentials
-            mountPath: /tmp/google-scanner-credentials.json
-            subPath: google-scanner-credentials.json
+            mountPath: /tmp/image-read-google-credentials.json
+            subPath: image-read-google-credentials.json
         env:
           - name: QUAY_RHACS_ENG_RO_USERNAME
             valueFrom:
@@ -160,25 +166,15 @@ spec:
               secretKeyRef:
                 name: demo-secrets
                 key: STACKROX_IO_PASSWORD
-          - name: AUTH_CLIENT_ID
-            valueFrom:
-              secretKeyRef:
-                name: demo-secrets
-                key: AUTH_CLIENT_ID
-          - name: AUTH_DOMAIN
-            valueFrom:
-              secretKeyRef:
-                name: demo-secrets
-                key: AUTH_DOMAIN
           - name: SLACK_WEBHOOK
             valueFrom:
               secretKeyRef:
                 name: demo-secrets
                 key: SLACK_WEBHOOK
           - name: GCP_CLOUD_DNS_ZONE_NAME
-            value: "demo-stackrox-com"
+            value: "demos-rox-systems"
           - name: DOMAIN_NAME
-            value: "demo.stackrox.com"
+            value: "demos.rox.systems"
 
     - name: wait
       suspend: {}
@@ -194,7 +190,7 @@ spec:
             path: /data/tfvars
             optional: true
       container:
-        image: quay.io/stackrox-io/ci:automation-flavors-demo-0.7.11
+        image: quay.io/stackrox-io/ci:automation-flavors-demo-0.8.0
         imagePullPolicy: Always
         command:
           - /usr/bin/entrypoint

diff --git a/chart/infra-server/templates/demo/secrets.yaml b/chart/infra-server/templates/demo/secrets.yaml
@@ -11,11 +11,15 @@ metadata:
 data:
   # Service account used for provisioning demo infrastructure.
   google-credentials.json: |-
-    {{ required ".Values.demo__demo_provisioner_json is undefined" .Values.demo__demo_provisioner_json }}
+    {{ required ".Values.demo__gke_demo_provisioner_json is undefined" .Values.demo__gke_demo_provisioner_json }}
+
+  # Service account used for demo Artifact Registry access.
+  image-read-google-credentials.json: |-
+    {{ required ".Values.demo__gke_demo_scanner_json is undefined" .Values.demo__gke_demo_scanner_json }}
 
-  # Service account used for demo GCR integration.
-  google-scanner-credentials.json: |-
-    {{ required ".Values.demo__google_scanner_credentials_json is undefined" .Values.demo__google_scanner_credentials_json }}
+  # Service account used for providing certs from the certifier sr-demo-files bucket.
+  read-certs-google-credentials.json: |-
+    {{ required ".Values.demo__demo_provisioner_json is undefined" .Values.demo__demo_provisioner_json }}
 
 ---
 
@@ -43,11 +47,6 @@ data:
   STACKROX_IO_PASSWORD: |-
     {{ .Values.pullSecrets.stackrox.password | b64enc }}
 
-  AUTH_CLIENT_ID: |-
-    {{ .Values.auth0.clientID | b64enc }}
-  AUTH_DOMAIN: |-
-    {{ .Values.auth0.tenant | b64enc }}
-
   SLACK_WEBHOOK: |-
     {{ .Values.slackWebhook | b64enc }}
 

diff --git a/chart/infra-server/templates/gke/secrets.yaml b/chart/infra-server/templates/gke/secrets.yaml
@@ -10,6 +10,6 @@ metadata:
 
 data:
   google-credentials.json: |-
-    {{ required ".Values.gke__gke_credentials_json is undefined" .Values.gke__gke_credentials_json }}
+    {{ required ".Values.gke__gke_provisioner_json is undefined" .Values.gke__gke_provisioner_json }}
 
 ---
diff --git a/chart/infra-server/templates/qa-demo/secrets.yaml b/chart/infra-server/templates/qa-demo/secrets.yaml
diff --git a/flavor/testdata/missing-parameter-descriptions.yaml b/flavor/testdata/missing-parameter-descriptions.yaml
@@ -75,7 +75,7 @@ spec:
           - "--name={{workflow.parameters.name}}"
           - "--nodes={{workflow.parameters.nodes}}"
           - "--machine-type={{workflow.parameters.machine-type}}"
-          - --gcp-project=srox-temp-dev-test
+          - --gcp-project=acs-team-temp-dev
           - --creation-source=infra
           - --k8s-version={{workflow.parameters.k8s-version}}
           - --pod-security-policy={{workflow.parameters.pod-security-policy}}
@@ -98,7 +98,7 @@ spec:
         args:
           - destroy
           - "--name={{workflow.parameters.name}}"
-          - --gcp-project=srox-temp-dev-test
+          - --gcp-project=acs-team-temp-dev
           - --gcp-zone={{workflow.parameters.gcp-zone}}
         volumeMounts:
           - name: credentials

diff --git a/flavor/testdata/test-gke-lite.yaml b/flavor/testdata/test-gke-lite.yaml
@@ -78,7 +78,7 @@ spec:
           - "--name={{workflow.parameters.name}}"
           - "--nodes={{workflow.parameters.nodes}}"
           - "--machine-type={{workflow.parameters.machine-type}}"
-          - --gcp-project=srox-temp-dev-test
+          - --gcp-project=acs-team-temp-dev
           - --creation-source=infra
           - --k8s-version={{workflow.parameters.k8s-version}}
           - --pod-security-policy={{workflow.parameters.pod-security-policy}}
@@ -101,7 +101,7 @@ spec:
         args:
           - destroy
           - "--name={{workflow.parameters.name}}"
-          - --gcp-project=srox-temp-dev-test
+          - --gcp-project=acs-team-temp-dev
           - --gcp-zone={{workflow.parameters.gcp-zone}}
         volumeMounts:
           - name: credentials

diff --git a/scripts/add-PR-comment-for-deploy-to-dev.sh b/scripts/add-PR-comment-for-deploy-to-dev.sh
@@ -28,7 +28,7 @@ CI will attempt to deploy {{.Env.IMAGE_NAME}} to it.
 
 :electric_plug: You can **connect** to this cluster with:
 \`\`\`
-gcloud container clusters get-credentials {{.Env.DEV_CLUSTER_NAME}} --zone us-central1-a --project srox-temp-dev-test
+gcloud container clusters get-credentials {{.Env.DEV_CLUSTER_NAME}} --zone us-central1-a --project acs-team-temp-dev
 \`\`\`
 
 :hammer_and_wrench: And pull **infractl** from the deployed dev infra-server with:
@@ -56,10 +56,10 @@ make install-local
 
 ### Logs
 
-Logs for the development infra depending on your @stackrox.com authuser:
-- [authuser=0](https://console.cloud.google.com/logs/query;query=resource.labels.cluster_name%3D%22{{.Env.DEV_CLUSTER_NAME}}%22%0Aresource.labels.container_name%3D%22infra-server%22?project=srox-temp-dev-test&authuser=0)
-- [authuser=1](https://console.cloud.google.com/logs/query;query=resource.labels.cluster_name%3D%22{{.Env.DEV_CLUSTER_NAME}}%22%0Aresource.labels.container_name%3D%22infra-server%22?project=srox-temp-dev-test&authuser=1)
-- [authuser=2](https://console.cloud.google.com/logs/query;query=resource.labels.cluster_name%3D%22{{.Env.DEV_CLUSTER_NAME}}%22%0Aresource.labels.container_name%3D%22infra-server%22?project=srox-temp-dev-test&authuser=2)
+Logs for the development infra depending on your @redhat.com authuser:
+- [authuser=0](https://console.cloud.google.com/logs/query;query=resource.labels.cluster_name%3D%22{{.Env.DEV_CLUSTER_NAME}}%22%0Aresource.labels.container_name%3D%22infra-server%22?project=acs-team-temp-dev&authuser=0)
+- [authuser=1](https://console.cloud.google.com/logs/query;query=resource.labels.cluster_name%3D%22{{.Env.DEV_CLUSTER_NAME}}%22%0Aresource.labels.container_name%3D%22infra-server%22?project=acs-team-temp-dev&authuser=1)
+- [authuser=2](https://console.cloud.google.com/logs/query;query=resource.labels.cluster_name%3D%22{{.Env.DEV_CLUSTER_NAME}}%22%0Aresource.labels.container_name%3D%22infra-server%22?project=acs-team-temp-dev&authuser=2)
 
 Or: 
 \`\`\`

diff --git a/workflows/gke-lite.yaml b/workflows/gke-lite.yaml
@@ -86,7 +86,7 @@ spec:
           - "--name={{workflow.parameters.name}}"
           - "--nodes={{workflow.parameters.nodes}}"
           - "--machine-type={{workflow.parameters.machine-type}}"
-          - --gcp-project=srox-temp-dev-test
+          - --gcp-project=acs-team-temp-dev
           - --creation-source=infra
           - --k8s-version={{workflow.parameters.k8s-version}}
           - --pod-security-policy={{workflow.parameters.pod-security-policy}}
@@ -109,7 +109,7 @@ spec:
         args:
           - destroy
           - "--name={{workflow.parameters.name}}"
-          - --gcp-project=srox-temp-dev-test
+          - --gcp-project=acs-team-temp-dev
           - --gcp-zone={{workflow.parameters.gcp-zone}}
         volumeMounts:
           - name: credentials