From 24d14dff51e502e531e5a9007ed027a536598044 Mon Sep 17 00:00:00 2001 From: Gavin Jefferies Date: Thu, 21 Sep 2023 09:03:45 -0700 Subject: [PATCH] ROX-17123, ROX-19217: Move GKEs to a RH project (#963) --- CHANGELOG.md | 3 +- chart/infra-server/static/flavors.yaml | 2 +- chart/infra-server/static/workflow-demo.yaml | 36 ++++++++---------- .../static/workflow-gke-default.yaml | 4 +- .../infra-server/static/workflow-qa-demo.yaml | 38 +++++++++---------- .../infra-server/templates/demo/secrets.yaml | 17 ++++----- chart/infra-server/templates/gke/secrets.yaml | 2 +- .../templates/qa-demo/secrets.yaml | 18 --------- .../missing-parameter-descriptions.yaml | 4 +- flavor/testdata/test-gke-lite.yaml | 4 +- scripts/add-PR-comment-for-deploy-to-dev.sh | 10 ++--- workflows/gke-lite.yaml | 4 +- 12 files changed, 58 insertions(+), 84 deletions(-) delete mode 100644 chart/infra-server/templates/qa-demo/secrets.yaml diff --git a/CHANGELOG.md b/CHANGELOG.md index 18bc73691..b11a96ddd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,8 +8,9 @@ Please avoid adding duplicate information across this changelog and JIRA/doc inp ## [NEXT RELEASE] -## [0.7.12] +## [0.8.0] +- Switch GKE based flavors (gke-default, demo, qa-demo) to use a RH project (ROX-17123,ROX-19217) - CLI: Add client-side cluster name validation - Bump demo flavors to 4.2.0 diff --git a/chart/infra-server/static/flavors.yaml b/chart/infra-server/static/flavors.yaml index 48eb76155..d38fe4a55 100644 --- a/chart/infra-server/static/flavors.yaml +++ b/chart/infra-server/static/flavors.yaml @@ -139,7 +139,7 @@ value: "" kind: optional help: | - e.g. 1.19.12-gke.2100. Use 'gcloud container get-server-config --zone=us-central1 --project srox-temp-dev-test' to see all versions. + e.g. 1.19.12-gke.2100. Use 'gcloud container get-server-config --zone=us-central1 --project acs-team-temp-dev' to see all versions. - name: pod-security-policy description: Enable pod security policy 
diff --git a/chart/infra-server/static/workflow-demo.yaml b/chart/infra-server/static/workflow-demo.yaml index 476f81c65..d4af60acb 100644 --- a/chart/infra-server/static/workflow-demo.yaml +++ b/chart/infra-server/static/workflow-demo.yaml @@ -78,10 +78,10 @@ spec: path: /certs/cert.pem gcs: bucket: sr-demo-files - key: certs/demo.stackrox.com/privkey-plus-fullchain.pem + key: certs/demos.rox.systems/privkey-plus-fullchain.pem serviceAccountKeySecret: name: google-credentials-demo - key: google-credentials.json + key: read-certs-google-credentials.json outputs: artifacts: - name: kubeconfig @@ -106,13 +106,19 @@ spec: archive: none: {} + - name: admin-password + path: /data/central/password + optional: true + archive: + none: {} + - name: SSH_ACCESS path: /data/SSH_ACCESS.md archive: none: {} container: - image: quay.io/stackrox-io/ci:automation-flavors-demo-0.7.11 + image: quay.io/stackrox-io/ci:automation-flavors-demo-0.8.0 imagePullPolicy: Always command: - /usr/bin/entrypoint @@ -121,8 +127,8 @@ spec: - "--name={{workflow.parameters.name}}" - "--main-image={{workflow.parameters.main-image}}" - "--central-db-image={{workflow.parameters.central-db-image}}" - - --gcp-project=srox-temp-sales-demos - - --dns-gcp-project=ultra-current-825 + - --gcp-project=acs-team-temp-dev + - --dns-gcp-project=acs-team-temp-dev - --creation-source=infra - --k8s-version={{workflow.parameters.k8s-version}} - --enable-psps={{workflow.parameters.enable-psps}} @@ -131,8 +137,8 @@ spec: mountPath: /tmp/google-credentials.json subPath: google-credentials.json - name: credentials - mountPath: /tmp/google-scanner-credentials.json - subPath: google-scanner-credentials.json + mountPath: /tmp/image-read-google-credentials.json + subPath: image-read-google-credentials.json env: - name: QUAY_RHACS_ENG_RO_USERNAME valueFrom: 
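Review bot: The new `admin-password` output artifact (`path: /data/central/password`, `archive: none: {}`) in the `@@ -106,13 +106,19 @@` hunk publishes the Central admin password, unarchived, to whatever artifact repository this workflow writes to, and nothing in the hunk narrows who can fetch it beyond whoever can already read this workflow's outputs. That intent is worth recording next to the artifact so it is not later copied into a flavor with a wider audience, e.g. `# Central admin password; readable by anyone who can read this workflow's output artifacts`. The same artifact is added to workflow-qa-demo.yaml in its `@@ -110,13 +110,19 @@` hunk and should carry the same comment. The `@@ -78` hunk in this file now pulls key `read-certs-google-credentials.json` from the `google-credentials-demo` secret, which only exists once the templates/demo/secrets.yaml change in this patch is deployed, so the chart and the static workflow must roll out together. The container template continues outside the hunk.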
@@ -154,25 +160,15 @@ spec: secretKeyRef: name: demo-secrets key: STACKROX_IO_PASSWORD - - name: AUTH_CLIENT_ID - valueFrom: - secretKeyRef: - name: demo-secrets - key: AUTH_CLIENT_ID - - name: AUTH_DOMAIN - valueFrom: - secretKeyRef: - name: demo-secrets - key: AUTH_DOMAIN - name: SLACK_WEBHOOK valueFrom: secretKeyRef: name: demo-secrets key: SLACK_WEBHOOK - name: GCP_CLOUD_DNS_ZONE_NAME - value: "demo-stackrox-com" + value: "demos-rox-systems" - name: DOMAIN_NAME - value: "demo.stackrox.com" + value: "demos.rox.systems" - name: wait suspend: {} @@ -188,7 +184,7 @@ spec: path: /data/tfvars optional: true container: - image: quay.io/stackrox-io/ci:automation-flavors-demo-0.7.11 + image: quay.io/stackrox-io/ci:automation-flavors-demo-0.8.0 imagePullPolicy: Always command: - /usr/bin/entrypoint diff --git a/chart/infra-server/static/workflow-gke-default.yaml b/chart/infra-server/static/workflow-gke-default.yaml index e656408c2..367ec62a5 100644 --- a/chart/infra-server/static/workflow-gke-default.yaml +++ b/chart/infra-server/static/workflow-gke-default.yaml @@ -69,7 +69,7 @@ spec: - "--name={{workflow.parameters.name}}" - "--nodes={{workflow.parameters.nodes}}" - "--machine-type={{workflow.parameters.machine-type}}" - - --gcp-project=srox-temp-dev-test + - --gcp-project=acs-team-temp-dev - --creation-source=infra - --k8s-version={{workflow.parameters.k8s-version}} - --pod-security-policy={{workflow.parameters.pod-security-policy}} @@ -92,7 +92,7 @@ spec: args: - destroy - "--name={{workflow.parameters.name}}" - - --gcp-project=srox-temp-dev-test + - --gcp-project=acs-team-temp-dev - --gcp-zone={{workflow.parameters.gcp-zone}} volumeMounts: - name: credentials diff --git a/chart/infra-server/static/workflow-qa-demo.yaml b/chart/infra-server/static/workflow-qa-demo.yaml index d31b870db..a40f29771 100644 --- a/chart/infra-server/static/workflow-qa-demo.yaml +++ b/chart/infra-server/static/workflow-qa-demo.yaml 
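Review bot: The new zone and domain are hard-coded in three places that must agree — `GCP_CLOUD_DNS_ZONE_NAME: "demos-rox-systems"` and `DOMAIN_NAME: "demos.rox.systems"` here, plus the GCS cert key `certs/demos.rox.systems/privkey-plus-fullchain.pem` in this file's `@@ -78` hunk — and the same triple is repeated in workflow-qa-demo.yaml (`@@ -85` and `@@ -160` hunks). A comment above `GCP_CLOUD_DNS_ZONE_NAME`, e.g. `# Must match DOMAIN_NAME and the certs/<domain>/ key of the cert input artifact above`, would keep the next domain move from updating only two of the three. Dropping `AUTH_CLIENT_ID` and `AUTH_DOMAIN` from the env is presumably paired with the 0.8.0 automation image no longer reading them; if the entrypoint still consults them it now sees them unset, which this diff cannot show. The env list and the enclosing template continue outside the hunk.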
@@ -29,7 +29,7 @@ spec: volumes: - name: credentials secret: - secretName: google-credentials-qa-demo + secretName: google-credentials-demo templates: - name: start @@ -85,10 +85,10 @@ spec: path: /certs/cert.pem gcs: bucket: sr-demo-files - key: certs/demo.stackrox.com/privkey-plus-fullchain.pem + key: certs/demos.rox.systems/privkey-plus-fullchain.pem serviceAccountKeySecret: name: google-credentials-demo - key: google-credentials.json + key: read-certs-google-credentials.json outputs: artifacts: @@ -110,13 +110,19 @@ spec: path: /data/url optional: true + - name: admin-password + path: /data/central/password + optional: true + archive: + none: {} + - name: SSH_ACCESS path: /data/SSH_ACCESS.md archive: none: {} container: - image: quay.io/stackrox-io/ci:automation-flavors-demo-0.7.11 + image: quay.io/stackrox-io/ci:automation-flavors-demo-0.8.0 imagePullPolicy: Always command: - /usr/bin/entrypoint @@ -127,8 +133,8 @@ spec: - "--scanner-image={{workflow.parameters.scanner-image}}" - "--scanner-db-image={{workflow.parameters.scanner-db-image}}" - "--central-db-image={{workflow.parameters.central-db-image}}" - - --gcp-project=srox-temp-dev-test - - --dns-gcp-project=ultra-current-825 + - --gcp-project=acs-team-temp-dev + - --dns-gcp-project=acs-team-temp-dev - --creation-source=infra - --k8s-version={{workflow.parameters.k8s-version}} - --enable-psps={{workflow.parameters.enable-psps}} @@ -137,8 +143,8 @@ spec: mountPath: /tmp/google-credentials.json subPath: google-credentials.json - name: credentials - mountPath: /tmp/google-scanner-credentials.json - subPath: google-scanner-credentials.json + mountPath: /tmp/image-read-google-credentials.json + subPath: image-read-google-credentials.json env: - name: QUAY_RHACS_ENG_RO_USERNAME valueFrom: 
@@ -160,25 +166,15 @@ spec: secretKeyRef: name: demo-secrets key: STACKROX_IO_PASSWORD - - name: AUTH_CLIENT_ID - valueFrom: - secretKeyRef: - name: demo-secrets - key: AUTH_CLIENT_ID - - name: AUTH_DOMAIN - valueFrom: - secretKeyRef: - name: demo-secrets - key: AUTH_DOMAIN - name: SLACK_WEBHOOK valueFrom: secretKeyRef: name: demo-secrets key: SLACK_WEBHOOK - name: GCP_CLOUD_DNS_ZONE_NAME - value: "demo-stackrox-com" + value: "demos-rox-systems" - name: DOMAIN_NAME - value: "demo.stackrox.com" + value: "demos.rox.systems" - name: wait suspend: {} @@ -194,7 +190,7 @@ spec: path: /data/tfvars optional: true container: - image: quay.io/stackrox-io/ci:automation-flavors-demo-0.7.11 + image: quay.io/stackrox-io/ci:automation-flavors-demo-0.8.0 imagePullPolicy: Always command: - /usr/bin/entrypoint diff --git a/chart/infra-server/templates/demo/secrets.yaml b/chart/infra-server/templates/demo/secrets.yaml index 9c0e30042..db96794ec 100644 --- a/chart/infra-server/templates/demo/secrets.yaml +++ b/chart/infra-server/templates/demo/secrets.yaml 
@@ -11,11 +11,15 @@ metadata: data: # Service account used for provisioning demo infrastructure. google-credentials.json: |- - {{ required ".Values.demo__demo_provisioner_json is undefined" .Values.demo__demo_provisioner_json }} + {{ required ".Values.demo__gke_demo_provisioner_json is undefined" .Values.demo__gke_demo_provisioner_json }} + + # Service account used for demo Artifact Registry access. + image-read-google-credentials.json: |- + {{ required ".Values.demo__gke_demo_scanner_json is undefined" .Values.demo__gke_demo_scanner_json }} - # Service account used for demo GCR integration. - google-scanner-credentials.json: |- - {{ required ".Values.demo__google_scanner_credentials_json is undefined" .Values.demo__google_scanner_credentials_json }} + # Service account used for providing certs from the certifier sr-demo-files bucket. + read-certs-google-credentials.json: |- + {{ required ".Values.demo__demo_provisioner_json is undefined" .Values.demo__demo_provisioner_json }} --- @@ -43,11 +47,6 @@ data: STACKROX_IO_PASSWORD: |- {{ .Values.pullSecrets.stackrox.password | b64enc }} - AUTH_CLIENT_ID: |- - {{ .Values.auth0.clientID | b64enc }} - AUTH_DOMAIN: |- - {{ .Values.auth0.tenant | b64enc }} - SLACK_WEBHOOK: |- {{ .Values.slackWebhook | b64enc }} diff --git a/chart/infra-server/templates/gke/secrets.yaml b/chart/infra-server/templates/gke/secrets.yaml index 5b97699db..0cf1dda7b 100644 --- a/chart/infra-server/templates/gke/secrets.yaml +++ b/chart/infra-server/templates/gke/secrets.yaml @@ -10,6 +10,6 @@ metadata: data: google-credentials.json: |- - {{ required ".Values.gke__gke_credentials_json is undefined" .Values.gke__gke_credentials_json }} + {{ required ".Values.gke__gke_provisioner_json is undefined" .Values.gke__gke_provisioner_json }} --- diff --git a/chart/infra-server/templates/qa-demo/secrets.yaml b/chart/infra-server/templates/qa-demo/secrets.yaml deleted file mode 100644 index f70d5edef..000000000 
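Review bot: In the `@@ -11,11 +11,15 @@` hunk the new `read-certs-google-credentials.json` key is filled from `.Values.demo__demo_provisioner_json`, the value that previously backed the provisioning key `google-credentials.json`; by its name that is a provisioner identity rather than a bucket-read-only one, so the key name and the comment `# Service account used for providing certs from the certifier sr-demo-files bucket.` promise narrower access than the credential likely carries. workflow-demo.yaml (`@@ -78` hunk) and workflow-qa-demo.yaml (`@@ -85` hunk) hand exactly this key to the GCS input artifact, which only needs object read on sr-demo-files. If a read-only service account for that bucket exists, wire it through a dedicated value (placeholder name, e.g. `.Values.demo__read_certs_json`) rather than reusing the provisioner; otherwise amend the comment to say so, e.g. `# NOTE: currently the legacy demo provisioner SA; replace with a bucket-read-only SA.`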
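Review bot: Once `google-credentials.json` in templates/gke/secrets.yaml switches to `.Values.gke__gke_provisioner_json` (the `@@ -10,6 +10,6 @@` hunk), `gke__gke_credentials_json` is read nowhere in this patch, and the diffstat lists no values file, so the old value and the service-account key it holds stay wherever they are supplied unless removed separately. The same applies to `demo__google_scanner_credentials_json`, `auth0.clientID` and `auth0.tenant` dropped from templates/demo/secrets.yaml above, and to `qa_demo__qa_demo_provisioner_json` from the deleted templates/qa-demo/secrets.yaml. A credential the chart has stopped consuming should be deleted from the values source and revoked on the GCP side; left in place it is a live key that nothing legitimate uses. If those values live outside this repository, naming the retired values in the CHANGELOG entry would make that follow-up visible.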
--- a/chart/infra-server/templates/qa-demo/secrets.yaml +++ /dev/null @@ -1,18 +0,0 @@ ---- - -apiVersion: v1 -kind: Secret -type: Opaque - -metadata: - name: google-credentials-qa-demo - namespace: default - -data: - # Service account used for provisioning demo infrastructure. - google-credentials.json: |- - {{ required ".Values.qa_demo__qa_demo_provisioner_json is undefined" .Values.qa_demo__qa_demo_provisioner_json }} - - # Service account used for demo GCR integration. - google-scanner-credentials.json: |- - {{ required ".Values.demo__google_scanner_credentials_json is undefined" .Values.demo__google_scanner_credentials_json }} diff --git a/flavor/testdata/missing-parameter-descriptions.yaml b/flavor/testdata/missing-parameter-descriptions.yaml index d97d06a68..fb1fa3588 100644 --- a/flavor/testdata/missing-parameter-descriptions.yaml +++ b/flavor/testdata/missing-parameter-descriptions.yaml @@ -75,7 +75,7 @@ spec: - "--name={{workflow.parameters.name}}" - "--nodes={{workflow.parameters.nodes}}" - "--machine-type={{workflow.parameters.machine-type}}" - - --gcp-project=srox-temp-dev-test + - --gcp-project=acs-team-temp-dev - --creation-source=infra - --k8s-version={{workflow.parameters.k8s-version}} - --pod-security-policy={{workflow.parameters.pod-security-policy}} @@ -98,7 +98,7 @@ spec: args: - destroy - "--name={{workflow.parameters.name}}" - - --gcp-project=srox-temp-dev-test + - --gcp-project=acs-team-temp-dev - --gcp-zone={{workflow.parameters.gcp-zone}} volumeMounts: - name: credentials diff --git a/flavor/testdata/test-gke-lite.yaml b/flavor/testdata/test-gke-lite.yaml index 86beb20c2..593b64a43 100644 --- a/flavor/testdata/test-gke-lite.yaml +++ b/flavor/testdata/test-gke-lite.yaml 
@@ -78,7 +78,7 @@ spec: - "--name={{workflow.parameters.name}}" - "--nodes={{workflow.parameters.nodes}}" - "--machine-type={{workflow.parameters.machine-type}}" - - --gcp-project=srox-temp-dev-test + - --gcp-project=acs-team-temp-dev - --creation-source=infra - --k8s-version={{workflow.parameters.k8s-version}} - --pod-security-policy={{workflow.parameters.pod-security-policy}} @@ -101,7 +101,7 @@ spec: args: - destroy - "--name={{workflow.parameters.name}}" - - --gcp-project=srox-temp-dev-test + - --gcp-project=acs-team-temp-dev - --gcp-zone={{workflow.parameters.gcp-zone}} volumeMounts: - name: credentials diff --git a/scripts/add-PR-comment-for-deploy-to-dev.sh b/scripts/add-PR-comment-for-deploy-to-dev.sh index f72020b38..ffcfa23d2 100755 --- a/scripts/add-PR-comment-for-deploy-to-dev.sh +++ b/scripts/add-PR-comment-for-deploy-to-dev.sh @@ -28,7 +28,7 @@ CI will attempt to deploy {{.Env.IMAGE_NAME}} to it. :electric_plug: You can **connect** to this cluster with: \`\`\` -gcloud container clusters get-credentials {{.Env.DEV_CLUSTER_NAME}} --zone us-central1-a --project srox-temp-dev-test +gcloud container clusters get-credentials {{.Env.DEV_CLUSTER_NAME}} --zone us-central1-a --project acs-team-temp-dev \`\`\` :hammer_and_wrench: And pull **infractl** from the deployed dev infra-server with: 
@@ -56,10 +56,10 @@ make install-local ### Logs -Logs for the development infra depending on your @stackrox.com authuser: -- [authuser=0](https://console.cloud.google.com/logs/query;query=resource.labels.cluster_name%3D%22{{.Env.DEV_CLUSTER_NAME}}%22%0Aresource.labels.container_name%3D%22infra-server%22?project=srox-temp-dev-test&authuser=0) -- [authuser=1](https://console.cloud.google.com/logs/query;query=resource.labels.cluster_name%3D%22{{.Env.DEV_CLUSTER_NAME}}%22%0Aresource.labels.container_name%3D%22infra-server%22?project=srox-temp-dev-test&authuser=1) -- [authuser=2](https://console.cloud.google.com/logs/query;query=resource.labels.cluster_name%3D%22{{.Env.DEV_CLUSTER_NAME}}%22%0Aresource.labels.container_name%3D%22infra-server%22?project=srox-temp-dev-test&authuser=2) +Logs for the development infra depending on your @redhat.com authuser: +- [authuser=0](https://console.cloud.google.com/logs/query;query=resource.labels.cluster_name%3D%22{{.Env.DEV_CLUSTER_NAME}}%22%0Aresource.labels.container_name%3D%22infra-server%22?project=acs-team-temp-dev&authuser=0) +- [authuser=1](https://console.cloud.google.com/logs/query;query=resource.labels.cluster_name%3D%22{{.Env.DEV_CLUSTER_NAME}}%22%0Aresource.labels.container_name%3D%22infra-server%22?project=acs-team-temp-dev&authuser=1) +- [authuser=2](https://console.cloud.google.com/logs/query;query=resource.labels.cluster_name%3D%22{{.Env.DEV_CLUSTER_NAME}}%22%0Aresource.labels.container_name%3D%22infra-server%22?project=acs-team-temp-dev&authuser=2) Or: \`\`\` diff --git a/workflows/gke-lite.yaml b/workflows/gke-lite.yaml index b432368be..099878d59 100644 --- a/workflows/gke-lite.yaml +++ b/workflows/gke-lite.yaml 
@@ -86,7 +86,7 @@ spec: - "--name={{workflow.parameters.name}}" - "--nodes={{workflow.parameters.nodes}}" - "--machine-type={{workflow.parameters.machine-type}}" - - --gcp-project=srox-temp-dev-test + - --gcp-project=acs-team-temp-dev - --creation-source=infra - --k8s-version={{workflow.parameters.k8s-version}} - --pod-security-policy={{workflow.parameters.pod-security-policy}} @@ -109,7 +109,7 @@ spec: args: - destroy - "--name={{workflow.parameters.name}}" - - --gcp-project=srox-temp-dev-test + - --gcp-project=acs-team-temp-dev - --gcp-zone={{workflow.parameters.gcp-zone}} volumeMounts: - name: credentials