From 80e140562c63b09e7fc99dbe37b2478e41b1a530 Mon Sep 17 00:00:00 2001 From: Emil Natan Date: Wed, 25 Sep 2024 17:17:42 +0300 Subject: [PATCH 01/15] Install Tekton Results through operator This only changes development overlay as a start. --- ...ipeline-service-storage-configuration.yaml | 4 +- .../main-pipeline-service-configuration.yaml | 1305 +++++------------ hack/secret-creator/create-plnsvc-secrets.sh | 20 +- 3 files changed, 361 insertions(+), 968 deletions(-) diff --git a/components/pipeline-service/development/dev-only-pipeline-service-storage-configuration.yaml b/components/pipeline-service/development/dev-only-pipeline-service-storage-configuration.yaml index 7d8cb948a1f..543fda3c054 100644 --- a/components/pipeline-service/development/dev-only-pipeline-service-storage-configuration.yaml +++ b/components/pipeline-service/development/dev-only-pipeline-service-storage-configuration.yaml @@ -53,7 +53,7 @@ metadata: namespace: openshift-gitops spec: destination: - namespace: tekton-results + namespace: openshift-pipelines server: https://kubernetes.default.svc project: default source: @@ -129,7 +129,7 @@ metadata: labels: app: minio name: storage - namespace: tekton-results + namespace: openshift-pipelines spec: certConfig: {} configuration: diff --git a/components/pipeline-service/development/main-pipeline-service-configuration.yaml b/components/pipeline-service/development/main-pipeline-service-configuration.yaml index c07e5160544..26b28534a95 100644 --- a/components/pipeline-service/development/main-pipeline-service-configuration.yaml +++ b/components/pipeline-service/development/main-pipeline-service-configuration.yaml 
@@ -9,16 +9,6 @@ metadata: name: openshift-pipelines --- apiVersion: v1 -kind: Namespace -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "-1" - labels: - argocd.argoproj.io/managed-by: openshift-gitops - name: tekton-results ---- -apiVersion: v1 kind: ServiceAccount metadata: annotations: @@ -51,29 +41,7 @@ metadata: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true argocd.argoproj.io/sync-wave: "0" name: metrics-reader - namespace: tekton-results ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-api - namespace: tekton-results ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-watcher - namespace: tekton-results + namespace: openshift-pipelines --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -97,28 +65,6 @@ rules: - delete --- apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - app.kubernetes.io/name: tekton-results-info - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-info - namespace: tekton-results -rules: -- apiGroups: - - "" - resourceNames: - - tekton-results-info - resources: - - configmaps - verbs: - - get - - describe ---- -apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: 
@@ -289,98 +235,6 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - rbac.authorization.k8s.io/aggregate-to-admin: "true" - name: tekton-results-admin -rules: -- apiGroups: - - results.tekton.dev - resources: - - results - - records - - logs - verbs: - - create - - update - - get - - list - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-api -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-view: "true" - name: tekton-results-readonly -rules: -- apiGroups: - - results.tekton.dev - resources: - - results - - records - - logs - - summary - verbs: - - get - - list ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-readwrite -rules: -- apiGroups: - - results.tekton.dev - resources: - - results - - records - - logs - verbs: - - create - - update - - get - - list ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole metadata: 
annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true @@ -393,93 +247,6 @@ rules: - get --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-watcher -rules: -- apiGroups: - - results.tekton.dev - resources: - - logs - - results - - records - verbs: - - create - - get - - update -- apiGroups: - - tekton.dev - resources: - - pipelineruns - - taskruns - verbs: - - get - - list - - patch - - update - - watch - - delete -- apiGroups: - - "" - resources: - - configmaps - - pods - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - pods/log - verbs: - - get -- apiGroups: - - tekton.dev - resources: - - pipelines - verbs: - - get -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - create - - update - - delete - - patch - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "0" - name: tekton-results-watcher-rbac -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: annotations: 
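Review bot: The deleted ClusterRoles `tekton-results-admin`, `tekton-results-readonly` and `tekton-results-readwrite` carried the `rbac.authorization.k8s.io/aggregate-to-admin`/`-edit`/`-view` labels that let namespace admins, editors and viewers reach `results.tekton.dev` resources through the built-in roles, and nothing on the new side of this patch replaces them (the same applies to the `tekton-results-info` Role and RoleBinding for `system:authenticated` removed in the `@@ -97` and `@@ -514` hunks). Presumably the operator installs equivalent aggregated roles; that is worth confirming against the installed operator version, because once API authentication is re-enabled users would otherwise lose access silently. If the operator's roles differ from these (for instance a different verb set behind `aggregate-to-admin`), keep a minimal local ClusterRole in this overlay rather than relying on the operator defaults.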
@@ -514,26 +281,6 @@ subjects: name: system:authenticated --- apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - app.kubernetes.io/name: tekton-results-info - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-info - namespace: tekton-results -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: tekton-results-info -subjects: -- apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:authenticated ---- -apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: annotations: 
@@ -626,264 +373,7 @@ roleRef: subjects: - kind: ServiceAccount name: metrics-reader - namespace: tekton-results ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-api -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: tekton-results-api -subjects: -- kind: ServiceAccount - name: tekton-results-api - namespace: tekton-results ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-watcher -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: tekton-results-watcher -subjects: -- kind: ServiceAccount - name: tekton-results-watcher - namespace: tekton-results ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "0" - name: tekton-results-watcher-logs -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: tekton-results-admin -subjects: -- kind: ServiceAccount - name: tekton-results-watcher - namespace: tekton-results ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "0" - name: tekton-results-watcher-rbac -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: tekton-results-watcher-rbac -subjects: -- kind: ServiceAccount - name: tekton-results-watcher - namespace: tekton-results ---- -apiVersion: v1 -data: - config.env: | - DB_USER= - DB_PASSWORD= - 
DB_HOST= - DB_PORT=5432 - DB_NAME= - DB_SSLMODE=verify-full - DB_SSLROOTCERT=/etc/tls/db/tekton-results-db-ca.pem - DB_ENABLE_AUTO_MIGRATION=true - SERVER_PORT=8080 - PROMETHEUS_PORT=9090 - PROMETHEUS_HISTOGRAM=true - TLS_PATH=/etc/tls - AUTH_DISABLE=false - AUTH_IMPERSONATE=true - LOG_LEVEL=info - LOGS_API=false - LOGS_TYPE=File - LOGS_BUFFER_SIZE=5242880 - LOGS_PATH=/logs - S3_BUCKET_NAME= - S3_ENDPOINT= - S3_HOSTNAME_IMMUTABLE=false - S3_REGION= - S3_ACCESS_KEY_ID= - S3_SECRET_ACCESS_KEY= - S3_MULTI_PART_SIZE=5242880 - GCS_BUCKET_NAME= - STORAGE_EMULATOR_HOST= - K8S_QPS=50 - K8S_BURST=100 - PROFILING=true - PROFILING_PORT=6060 -kind: ConfigMap -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-api-config - namespace: tekton-results ---- -apiVersion: v1 -data: - _example: | - ################################ - # # - # EXAMPLE CONFIGURATION # - # # - ################################ - # This block is not actually functional configuration, - # but serves to illustrate the available configuration - # options and document them in a way that is accessible - # to users that `kubectl edit` this config map. - # - # These sample configuration options may be copied out of - # this example block and unindented to be in the data block - # to actually change the configuration. - # lease-duration is how long non-leaders will wait to try to acquire the - # lock; 15 seconds is the value used by core kubernetes controllers. - lease-duration: "60s" - # renew-deadline is how long a leader will try to renew the lease before - # giving up; 10 seconds is the value used by core kubernetes controllers. - renew-deadline: "40s" - # retry-period is how long the leader election client waits between tries of - # actions; 2 seconds is the value used by core kubernetes controllers. 
- retry-period: "10s" - # buckets is the number of buckets used to partition key space of each - # Reconciler. If this number is M and the replica number of the controller - # is N, the N replicas will compete for the M buckets. The owner of a - # bucket will take care of the reconciling for the keys partitioned into - # that bucket. - buckets: "1" -kind: ConfigMap -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - app.kubernetes.io/name: tekton-results-leader-election - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-config-leader-election - namespace: tekton-results ---- -apiVersion: v1 -data: - loglevel.controller: info - loglevel.watcher: info - zap-logger-config: | - { - "level": "info", - "development": false, - "outputPaths": ["stdout"], - "errorOutputPaths": ["stderr"], - "encoding": "json", - "encoderConfig": { - "timeKey": "ts", - "levelKey": "level", - "nameKey": "logger", - "callerKey": "caller", - "messageKey": "msg", - "stacktraceKey": "stacktrace", - "lineEnding": "", - "levelEncoder": "", - "timeEncoder": "iso8601", - "durationEncoder": "string", - "callerEncoder": "" - } - } -kind: ConfigMap -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "0" - labels: - app.kubernetes.io/name: tekton-results-logging - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-config-logging - namespace: tekton-results ---- -apiVersion: v1 -data: - profiling.enable: "true" - _example: | - ################################ - # # - # EXAMPLE CONFIGURATION # - # # - ################################ - - # This block is not actually functional configuration, - # but serves to illustrate the available configuration - # options and document them in a way that is accessible - # to users that `kubectl edit` this config map. 
- # - # These sample configuration options may be copied out of - # this example block and unindented to be in the data block - # to actually change the configuration. - - # metrics.backend-destination field specifies the system metrics destination. - # It supports either prometheus (the default) or stackdriver. - # Note: Using Stackdriver will incur additional charges. - metrics.backend-destination: prometheus - - # metrics.stackdriver-project-id field specifies the Stackdriver project ID. This - # field is optional. When running on GCE, application default credentials will be - # used and metrics will be sent to the cluster's project if this field is - # not provided. - metrics.stackdriver-project-id: "" - - # metrics.allow-stackdriver-custom-metrics indicates whether it is allowed - # to send metrics to Stackdriver using "global" resource type and custom - # metric type. Setting this flag to "true" could cause extra Stackdriver - # charge. If metrics.backend-destination is not Stackdriver, this is - # ignored. - metrics.allow-stackdriver-custom-metrics: "false" - metrics.taskrun.level: "task" - metrics.taskrun.duration-type: "histogram" - metrics.pipelinerun.level: "pipeline" - metrics.pipelinerun.duration-type: "histogram" -kind: ConfigMap -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - app.kubernetes.io/name: tekton-results-observability - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-config-observability - namespace: tekton-results ---- -apiVersion: v1 -data: - version: devel -kind: ConfigMap -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - app.kubernetes.io/name: tekton-results-info - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-info - namespace: tekton-results + namespace: openshift-pipelines --- apiVersion: v1 kind: Secret 
@@ -893,7 +383,7 @@ metadata: argocd.argoproj.io/sync-wave: "0" kubernetes.io/service-account.name: metrics-reader name: metrics-reader - namespace: tekton-results + namespace: openshift-pipelines type: kubernetes.io/service-account-token --- apiVersion: v1 @@ -940,58 +430,6 @@ spec: app.kubernetes.io/instance: default app.kubernetes.io/part-of: tekton-chains --- -apiVersion: v1 -kind: Service -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "0" - service.beta.openshift.io/serving-cert-secret-name: tekton-results-tls - labels: - app.kubernetes.io/name: tekton-results-api - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-api-service - namespace: tekton-results -spec: - ports: - - name: server - port: 8080 - protocol: TCP - targetPort: 8080 - - name: metrics - port: 9443 - protocol: TCP - targetPort: metrics - - name: profiling - port: 6060 - protocol: TCP - targetPort: 6060 - selector: - app.kubernetes.io/name: tekton-results-api ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "2" - labels: - app.kubernetes.io/name: tekton-results-watcher - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-watcher - namespace: tekton-results -spec: - ports: - - name: watchermetrics - port: 8443 - targetPort: watchermetrics - - name: profiling - port: 8008 - selector: - app.kubernetes.io/name: tekton-results-watcher ---- apiVersion: apps/v1 kind: Deployment metadata: 
@@ -1035,369 +473,6 @@ spec: restartPolicy: Always serviceAccountName: pipeline-service-exporter --- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "0" - labels: - app.kubernetes.io/name: tekton-results-api - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-api - namespace: tekton-results -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: tekton-results-api - template: - metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - cluster-autoscaler.kubernetes.io/safe-to-evict: "false" - labels: - app.kubernetes.io/name: tekton-results-api - app.kubernetes.io/version: devel - spec: - containers: - - env: - - name: LOGS_API - value: "true" - - name: LOGS_TYPE - value: S3 - - name: S3_HOSTNAME_IMMUTABLE - value: "true" - - name: S3_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - key: aws_access_key_id - name: tekton-results-s3 - - name: S3_SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - key: aws_secret_access_key - name: tekton-results-s3 - - name: S3_REGION - valueFrom: - secretKeyRef: - key: aws_region - name: tekton-results-s3 - - name: S3_BUCKET_NAME - valueFrom: - secretKeyRef: - key: bucket - name: tekton-results-s3 - - name: S3_ENDPOINT - valueFrom: - secretKeyRef: - key: endpoint - name: tekton-results-s3 - - name: DB_USER - valueFrom: - secretKeyRef: - key: db.user - name: tekton-results-database - - name: DB_PASSWORD - valueFrom: - secretKeyRef: - key: db.password - name: tekton-results-database - - name: DB_HOST - valueFrom: - secretKeyRef: - key: db.host - name: tekton-results-database - - name: DB_NAME - valueFrom: - secretKeyRef: - key: db.name - name: tekton-results-database - image: quay.io/konflux-ci/tekton-results-api:e35af9274c0df84386b73aae8df0ad496ad175df - livenessProbe: - httpGet: - path: /healthz - port: 8080 - scheme: 
HTTPS - initialDelaySeconds: 5 - periodSeconds: 10 - name: api - readinessProbe: - httpGet: - path: /healthz - port: 8080 - scheme: HTTPS - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 100m - memory: 512Mi - requests: - cpu: 100m - memory: 512Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - startupProbe: - failureThreshold: 10 - httpGet: - path: /healthz - port: 8080 - scheme: HTTPS - initialDelaySeconds: 5 - periodSeconds: 10 - volumeMounts: - - mountPath: /etc/ssl/certs/s3-cert.crt - name: ca-s3 - subPath: s3-cert.crt - - mountPath: /etc/tls/db - name: db-tls-ca - readOnly: true - - mountPath: /etc/tekton/results - name: config - readOnly: true - - mountPath: /etc/tls - name: tls - readOnly: true - - args: - - --secure-listen-address=0.0.0.0:9443 - - --upstream=http://127.0.0.1:9090/ - - --logtostderr=true - - --v=6 - image: registry.redhat.io/openshift4/ose-kube-rbac-proxy:v4.12 - name: kube-rbac-proxy - ports: - - containerPort: 9443 - name: metrics - protocol: TCP - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - initContainers: - - args: - - -c - - | - mc --config-dir /tmp config host add minio "$S3_ENDPOINT" "$S3_ACCESS_KEY_ID" "$S3_SECRET_ACCESS_KEY" && - if [ -z "$(mc --config-dir /tmp ls minio | grep "$S3_BUCKET_NAME")" ]; then - mc --config-dir /tmp mb --with-lock --region "$S3_REGION" minio/"$S3_BUCKET_NAME" && - echo "Minio bucket $S3_BUCKET_NAME successfully created." 
- fi - command: - - /bin/bash - env: - - name: S3_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - key: aws_access_key_id - name: tekton-results-s3 - - name: S3_SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - key: aws_secret_access_key - name: tekton-results-s3 - - name: S3_REGION - valueFrom: - secretKeyRef: - key: aws_region - name: tekton-results-s3 - - name: S3_BUCKET_NAME - valueFrom: - secretKeyRef: - key: bucket - name: tekton-results-s3 - - name: S3_ENDPOINT - valueFrom: - secretKeyRef: - key: endpoint - name: tekton-results-s3 - image: quay.io/minio/mc:RELEASE.2023-01-28T20-29-38Z - imagePullPolicy: Always - name: mc - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 5m - memory: 32Mi - securityContext: - readOnlyRootFilesystem: true - runAsNonRoot: true - volumeMounts: - - mountPath: /etc/ssl/certs/s3-cert.crt - name: ca-s3 - subPath: s3-cert.crt - - mountPath: /tmp - name: tmp-mc-volume - serviceAccountName: tekton-results-api - volumes: - - name: ca-s3 - secret: - items: - - key: public.crt - path: s3-cert.crt - secretName: storage-tls - - emptyDir: {} - name: tmp-mc-volume - - configMap: - name: rds-root-crt - name: db-tls-ca - - configMap: - name: tekton-results-api-config - name: config - - name: tls - secret: - secretName: tekton-results-tls ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "2" - labels: - app.kubernetes.io/name: tekton-results-watcher - app.kubernetes.io/part-of: tekton-results - app.kubernetes.io/version: devel - name: tekton-results-watcher - namespace: tekton-results -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: tekton-results-watcher - template: - metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - cluster-autoscaler.kubernetes.io/safe-to-evict: "false" - labels: - app.kubernetes.io/name: tekton-results-watcher - 
app.kubernetes.io/version: devel - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/os - operator: NotIn - values: - - windows - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchLabels: - app.kubernetes.io/name: tekton-results-watcher - topologyKey: kubernetes.io/hostname - weight: 100 - containers: - - args: - - -api_addr - - tekton-results-api-service.tekton-results.svc.cluster.local:8080 - - -auth_mode - - token - - -check_owner=false - - -completed_run_grace_period=2h - env: - - name: SYSTEM_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: CONFIG_LOGGING_NAME - value: tekton-results-config-logging - - name: CONFIG_LEADERELECTION_NAME - value: tekton-results-config-leader-election - - name: CONFIG_OBSERVABILITY_NAME - value: tekton-results-config-observability - - name: METRICS_DOMAIN - value: tekton.dev/results - - name: TEKTON_RESULTS_API_SERVICE - value: tekton-results-api-service.tekton-pipelines.svc.cluster.local:8080 - - name: AUTH_MODE - value: token - image: quay.io/redhat-appstudio/tekton-results-watcher:bae7851ff584423503af324200f52cd28ca99116 - name: watcher - ports: - - containerPort: 9090 - name: metrics - - containerPort: 8008 - name: profiling - resources: - limits: - cpu: 250m - memory: 2Gi - requests: - cpu: 100m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - volumeMounts: - - mountPath: /etc/tls - name: tls - readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:9090/ - - --logtostderr=true - - --v=6 - image: registry.redhat.io/openshift4/ose-kube-rbac-proxy:v4.12 - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: watchermetrics - protocol: TCP - 
resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - serviceAccountName: tekton-results-watcher - volumes: - - name: tls - secret: - secretName: tekton-results-tls ---- apiVersion: batch/v1 kind: CronJob metadata: @@ -1591,7 +666,7 @@ metadata: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true argocd.argoproj.io/sync-wave: "0" name: tekton-results-api - namespace: tekton-results + namespace: openshift-pipelines spec: endpoints: - bearerTokenSecret: @@ -1614,7 +689,7 @@ metadata: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true argocd.argoproj.io/sync-wave: "0" name: tekton-results-watcher - namespace: tekton-results + namespace: openshift-pipelines spec: endpoints: - bearerTokenSecret: @@ -1873,32 +948,6 @@ spec: - name: AUTOINSTALL_COMPONENTS value: "false" --- -apiVersion: route.openshift.io/v1 -kind: Route -metadata: - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "0" - haproxy.router.openshift.io/hsts_header: max-age=63072000 - haproxy.router.openshift.io/timeout: 86410s - openshift.io/host.generated: "true" - router.openshift.io/haproxy.health.check.interval: 86400s - labels: - app.kubernetes.io/part-of: tekton-results - name: tekton-results - namespace: tekton-results -spec: - port: - targetPort: server - tls: - insecureEdgeTerminationPolicy: Redirect - termination: reencrypt - to: - kind: Service - name: tekton-results-api-service - weight: 100 - wildcardPolicy: None ---- allowHostDirVolumePlugin: false allowHostIPC: false allowHostNetwork: false 
@@ -1938,3 +987,347 @@ volumes: - persistentVolumeClaim - projected - secret +--- +apiVersion: operator.tekton.dev/v1alpha1 +kind: TektonResult +metadata: + name: result +spec: + targetNamespace: openshift-pipelines + logs_api: true + log_level: debug + db_port: 5432 + db_host: tekton-results-postgres-service.openshift-pipelines.svc.cluster.local + db_sslmode: verify-full + db_sslrootcert: /etc/tls/db/tekton-results-db-ca.pem + logs_path: /logs + logs_type: File + logs_buffer_size: 5242880 + auth_disable: true + tls_hostname_override: tekton-results-api-service.openshift-pipelines.svc.cluster.local + db_enable_auto_migration: true + server_port: 8080 + prometheus_port: 9090 + prometheus_histogram: true + s3_hostname_immutable: false + k8s_qps: 50 + k8s_burst: 100 + profiling: true + profiling_port: 6060 + options: + deployments: + tekton-results-watcher: + spec: + template: + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/os + operator: NotIn + values: + - windows + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + app.kubernetes.io/name: tekton-results-watcher + topologyKey: kubernetes.io/hostname + weight: 100 + containers: + - name: watcher + args: + - -api_addr + - tekton-results-api-service.openshift-pipelines.svc.cluster.local:8080 + - -auth_mode + - token + - -check_owner=false + - -completed_run_grace_period=2h + env: + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONFIG_LOGGING_NAME + value: tekton-results-config-logging + - name: CONFIG_LEADERELECTION_NAME + value: tekton-results-config-leader-election + - name: CONFIG_OBSERVABILITY_NAME + value: tekton-results-config-observability + - name: METRICS_DOMAIN + value: tekton.dev/results + - name: TEKTON_RESULTS_API_SERVICE + value: 
tekton-results-api-service.tekton-pipelines.svc.cluster.local:8080 + - name: AUTH_MODE + value: token + ports: + - containerPort: 9090 + name: metrics + - containerPort: 8008 + name: profiling + resources: + limits: + cpu: 250m + memory: 2Gi + requests: + cpu: 100m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /etc/tls + name: tls + readOnly: true + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:9090/ + - --logtostderr=true + - --v=6 + image: registry.redhat.io/openshift4/ose-kube-rbac-proxy:v4.12 + name: kube-rbac-proxy + ports: + - containerPort: 8443 + name: watchermetrics + protocol: TCP + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 5m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + serviceAccountName: tekton-results-watcher + volumes: + - name: tls + secret: + secretName: tekton-results-tls + tekton-results-api: + spec: + template: + spec: + containers: + - name: api + env: + - name: LOGS_API + value: "true" + - name: LOGS_TYPE + value: S3 + - name: S3_HOSTNAME_IMMUTABLE + value: "true" + - name: S3_ACCESS_KEY_ID + valueFrom: + secretKeyRef: + key: aws_access_key_id + name: tekton-results-s3 + - name: S3_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + key: aws_secret_access_key + name: tekton-results-s3 + - name: S3_REGION + valueFrom: + secretKeyRef: + key: aws_region + name: tekton-results-s3 + - name: S3_BUCKET_NAME + valueFrom: + secretKeyRef: + key: bucket + name: tekton-results-s3 + - name: S3_ENDPOINT + valueFrom: + secretKeyRef: + key: endpoint + name: tekton-results-s3 + - name: DB_USER + valueFrom: + secretKeyRef: + key: db.user + name: tekton-results-database + - name: 
DB_PASSWORD + valueFrom: + secretKeyRef: + key: db.password + name: tekton-results-database + - name: DB_HOST + valueFrom: + secretKeyRef: + key: db.host + name: tekton-results-database + - name: DB_NAME + valueFrom: + secretKeyRef: + key: db.name + name: tekton-results-database + livenessProbe: + httpGet: + path: /healthz + port: 8080 + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /healthz + port: 8080 + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 100m + memory: 512Mi + requests: + cpu: 100m + memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + startupProbe: + failureThreshold: 10 + httpGet: + path: /healthz + port: 8080 + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + volumeMounts: + - mountPath: /etc/ssl/certs/s3-cert.crt + name: ca-s3 + subPath: s3-cert.crt + - mountPath: /etc/tls/db + name: db-tls-ca + readOnly: true + - mountPath: /etc/tekton/results + name: config + readOnly: true + - mountPath: /etc/tls + name: tls + readOnly: true + - args: + - --secure-listen-address=0.0.0.0:9443 + - --upstream=http://127.0.0.1:9090/ + - --logtostderr=true + - --v=6 + image: registry.redhat.io/openshift4/ose-kube-rbac-proxy:v4.12 + name: kube-rbac-proxy + ports: + - containerPort: 9443 + name: metrics + protocol: TCP + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 5m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + initContainers: + - args: + - -c + - | + mc --config-dir /tmp config host add minio "$S3_ENDPOINT" "$S3_ACCESS_KEY_ID" "$S3_SECRET_ACCESS_KEY" && + if [ -z "$(mc --config-dir /tmp ls minio | grep "$S3_BUCKET_NAME")" ]; then + mc --config-dir /tmp mb 
--with-lock --region "$S3_REGION" minio/"$S3_BUCKET_NAME" && + echo "Minio bucket $S3_BUCKET_NAME successfully created." + fi + command: + - /bin/bash + env: + - name: S3_ACCESS_KEY_ID + valueFrom: + secretKeyRef: + key: aws_access_key_id + name: tekton-results-s3 + - name: S3_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + key: aws_secret_access_key + name: tekton-results-s3 + - name: S3_REGION + valueFrom: + secretKeyRef: + key: aws_region + name: tekton-results-s3 + - name: S3_BUCKET_NAME + valueFrom: + secretKeyRef: + key: bucket + name: tekton-results-s3 + - name: S3_ENDPOINT + valueFrom: + secretKeyRef: + key: endpoint + name: tekton-results-s3 + image: quay.io/minio/mc:RELEASE.2023-01-28T20-29-38Z + imagePullPolicy: Always + name: mc + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 5m + memory: 32Mi + securityContext: + readOnlyRootFilesystem: true + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/ssl/certs/s3-cert.crt + name: ca-s3 + subPath: s3-cert.crt + - mountPath: /tmp + name: tmp-mc-volume + serviceAccountName: tekton-results-api + volumes: + - name: ca-s3 + secret: + items: + - key: public.crt + path: s3-cert.crt + secretName: storage-tls + - emptyDir: {} + name: tmp-mc-volume + - configMap: + name: rds-root-crt + name: db-tls-ca + - configMap: + name: tekton-results-api-config + name: config + - name: tls + secret: + secretName: tekton-results-tls diff --git a/hack/secret-creator/create-plnsvc-secrets.sh b/hack/secret-creator/create-plnsvc-secrets.sh index 558a9354d53..0d4862602b7 100755 --- a/hack/secret-creator/create-plnsvc-secrets.sh +++ b/hack/secret-creator/create-plnsvc-secrets.sh 
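Review bot: `auth_disable: true` in the new TektonResult spec switches authentication off on the Results API, whereas the api-config ConfigMap this replaces ran with `AUTH_DISABLE=false` and `AUTH_IMPERSONATE=true`; with the Route removed the API is only reachable in-cluster, but any workload that can reach the Service can then read and write every namespace's results and logs, and the watcher's `-auth_mode token` arguments no longer mean anything. Unless the operator cannot yet express impersonation, keep parity with `auth_disable: false`; if it has to stay on for development, put a comment beside the field saying why and what re-enables it. The watcher override still sets `TEKTON_RESULTS_API_SERVICE` to `tekton-results-api-service.tekton-pipelines.svc.cluster.local:8080` while `-api_addr` and `tls_hostname_override` use `openshift-pipelines`, so one of the two namespaces is wrong (the deleted Deployment had the same inconsistency). Several spec fields are also contradicted by the api container's env overrides (`logs_type: File` vs `LOGS_TYPE: S3`, `s3_hostname_immutable: false` vs `S3_HOSTNAME_IMMUTABLE: "true"`); which value the operator applies last is not visible here, so set each one once.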
@@ -9,20 +9,20 @@ main() { } create_namespace() { - if kubectl get namespace tekton-results &>/dev/null; then + if kubectl get namespace openshift-pipelines &>/dev/null; then echo "tekton-results namespace already exists, skipping creation" return fi - kubectl create namespace tekton-results -o yaml --dry-run=client | kubectl apply -f- + kubectl create namespace openshift-pipelines -o yaml --dry-run=client | kubectl apply -f- } create_db_secret() { echo "Creating DB secret" >&2 - if kubectl get secret -n tekton-results tekton-results-database &>/dev/null; then + if kubectl get secret -n openshift-pipelines tekton-results-database &>/dev/null; then echo "DB secret already exists, skipping creation" return fi - kubectl create secret generic -n tekton-results tekton-results-database \ + kubectl create secret generic -n openshift-pipelines tekton-results-database \ --from-literal=db.user=tekton \ --from-literal=db.password="$(openssl rand -base64 20)" \ --from-literal=db.host="postgres-postgresql.tekton-results.svc.cluster.local" \ @@ -31,13 +31,13 @@ create_db_secret() { create_s3_secret() { echo "Creating S3 secret" >&2 - if kubectl get secret -n tekton-results tekton-results-s3 &>/dev/null; then + if kubectl get secret -n openshift-pipelines tekton-results-s3 &>/dev/null; then echo "S3 secret already exists, skipping creation" return fi USER=minio PASS="$(openssl rand -base64 20)" - kubectl create secret generic -n tekton-results tekton-results-s3 \ + kubectl create secret generic -n openshift-pipelines tekton-results-s3 \ --from-literal=aws_access_key_id="$USER" \ --from-literal=aws_secret_access_key="$PASS" \ --from-literal=aws_region='not-applicable' \ 
@@ -45,7 +45,7 @@ create_s3_secret() { --from-literal=endpoint='https://minio.tekton-results.svc.cluster.local' echo "Creating MinIO config" >&2 - if kubectl get secret -n tekton-results minio-storage-configuration &>/dev/null; then + if kubectl get secret -n openshift-pipelines minio-storage-configuration &>/dev/null; then echo "MinIO config already exists, skipping creation" return fi @@ -67,7 +67,7 @@ EOF create_db_cert_secret_and_configmap() { echo "Creating Postgres TLS certs" >&2 - if kubectl get secret -n tekton-results postgresql-tls &>/dev/null; then + if kubectl get secret -n openshift-pipelines postgresql-tls &>/dev/null; then echo "Postgres DB cert secret already exists, skipping creation" return fi @@ -99,11 +99,11 @@ create_db_cert_secret_and_configmap() { -out ".tmp/tekton-results/tls.crt" \ > /dev/null cat ".tmp/tekton-results/ca.crt" > ".tmp/tekton-results/tekton-results-db-ca.pem" - kubectl create secret generic -n tekton-results postgresql-tls \ + kubectl create secret generic -n openshift-pipelines postgresql-tls \ --from-file=.tmp/tekton-results/ca.crt \ --from-file=.tmp/tekton-results/tls.crt \ --from-file=.tmp/tekton-results/tls.key - kubectl create configmap -n tekton-results rds-root-crt \ + kubectl create configmap -n openshift-pipelines rds-root-crt \ --from-file=.tmp/tekton-results/tekton-results-db-ca.pem } From 70b037346531d05ae7e686ab19208865bbf70936 Mon Sep 17 00:00:00 2001 From: Emil Natan Date: Mon, 28 Oct 2024 15:15:51 +0200 Subject: [PATCH 02/15] test no DB SSL verification The option to provide path to cert is not available in the OSP oprrator. Until it is added, test with no verification. --- .../development/main-pipeline-service-configuration.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/components/pipeline-service/development/main-pipeline-service-configuration.yaml b/components/pipeline-service/development/main-pipeline-service-configuration.yaml index 26b28534a95..03c908048a9 100644 
--- a/components/pipeline-service/development/main-pipeline-service-configuration.yaml +++ b/components/pipeline-service/development/main-pipeline-service-configuration.yaml @@ -998,8 +998,7 @@ spec: log_level: debug db_port: 5432 db_host: tekton-results-postgres-service.openshift-pipelines.svc.cluster.local - db_sslmode: verify-full - db_sslrootcert: /etc/tls/db/tekton-results-db-ca.pem + db_sslmode: disable logs_path: /logs logs_type: File logs_buffer_size: 5242880 From 2e1b0bb3a488a2b5d852d09e4b24216910c9f219 Mon Sep 17 00:00:00 2001 From: Emil Natan Date: Mon, 28 Oct 2024 16:14:33 +0200 Subject: [PATCH 03/15] Removing Results profiling configuration --- .../development/main-pipeline-service-configuration.yaml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/components/pipeline-service/development/main-pipeline-service-configuration.yaml b/components/pipeline-service/development/main-pipeline-service-configuration.yaml index 03c908048a9..83c52212feb 100644 --- a/components/pipeline-service/development/main-pipeline-service-configuration.yaml +++ b/components/pipeline-service/development/main-pipeline-service-configuration.yaml @@ -1009,10 +1009,6 @@ spec: prometheus_port: 9090 prometheus_histogram: true s3_hostname_immutable: false - k8s_qps: 50 - k8s_burst: 100 - profiling: true - profiling_port: 6060 options: deployments: tekton-results-watcher: From 230f1785990bd00bd43e5396b8dbf062281035f2 Mon Sep 17 00:00:00 2001 From: Emil Natan Date: Mon, 28 Oct 2024 18:01:56 +0200 Subject: [PATCH 04/15] More changes --- .../main-pipeline-service-configuration.yaml | 12 ++++++------ hack/secret-creator/create-plnsvc-secrets.sh | 19 +++++++++++++------ 2 files changed, 19 insertions(+), 12 deletions(-) diff --git a/components/pipeline-service/development/main-pipeline-service-configuration.yaml b/components/pipeline-service/development/main-pipeline-service-configuration.yaml index 83c52212feb..6456b1592c5 100644 
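Review bot: `db_sslmode: disable` in the @@ -998 hunk switches the Results API's Postgres connection to plaintext, which is a larger downgrade than the "no verification" the description asks for. libpq's `require` mode keeps the session encrypted while skipping certificate checks, so `db_sslmode: require` is the smaller interim step while the operator lacks an option for the root-cert path; with `disable`, query traffic between the API and the database crosses the cluster network unencrypted. PATCH 11 restores `verify-full`, so this only affects the intermediate commits, but an interim setting that keeps encryption costs nothing here.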
--- a/components/pipeline-service/development/main-pipeline-service-configuration.yaml +++ b/components/pipeline-service/development/main-pipeline-service-configuration.yaml @@ -1055,7 +1055,7 @@ spec: - name: METRICS_DOMAIN value: tekton.dev/results - name: TEKTON_RESULTS_API_SERVICE - value: tekton-results-api-service.tekton-pipelines.svc.cluster.local:8080 + value: tekton-results-api-service.openshift-pipelines.svc.cluster.local:8080 - name: AUTH_MODE value: token ports: @@ -1110,11 +1110,11 @@ spec: runAsNonRoot: true seccompProfile: type: RuntimeDefault - serviceAccountName: tekton-results-watcher - volumes: - - name: tls - secret: - secretName: tekton-results-tls + serviceAccountName: tekton-results-watcher + volumes: + - name: tls + secret: + secretName: tekton-results-tls tekton-results-api: spec: template: diff --git a/hack/secret-creator/create-plnsvc-secrets.sh b/hack/secret-creator/create-plnsvc-secrets.sh index 0d4862602b7..3adb366c363 100755 --- a/hack/secret-creator/create-plnsvc-secrets.sh +++ b/hack/secret-creator/create-plnsvc-secrets.sh @@ -10,10 +10,17 @@ main() { create_namespace() { if kubectl get namespace openshift-pipelines &>/dev/null; then - echo "tekton-results namespace already exists, skipping creation" + echo "openshift-pipelines namespace already exists, skipping creation" return fi kubectl create namespace openshift-pipelines -o yaml --dry-run=client | kubectl apply -f- + + # temporary needed until we complete the switch to installing Results through the OSP operator + if kubectl get namespace tekton-results &>/dev/null; then + echo "tekton-results namespace already exists, skipping creation" + return + fi + kubectl create namespace tekton-results -o yaml --dry-run=client | kubectl apply -f- } create_db_secret() { 
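Review bot: The new `tekton-results` block in create_namespace() is unreachable whenever `openshift-pipelines` already exists, because the first branch still ends in `return`; on a cluster where the operator has already created its namespace (the usual case) the comment's "temporary needed" namespace is never created. Restructuring both checks as `if … else … fi` keeps the skip messages and lets the function fall through to the second namespace. The `if kubectl get namespace tekton-results` guard is otherwise fine and the comment could read `# temporarily needed until …`.
```shell
create_namespace() {
  if kubectl get namespace openshift-pipelines &>/dev/null; then
    echo "openshift-pipelines namespace already exists, skipping creation"
  else
    kubectl create namespace openshift-pipelines -o yaml --dry-run=client | kubectl apply -f-
  fi

  # temporarily needed until we complete the switch to installing Results through the OSP operator
  if kubectl get namespace tekton-results &>/dev/null; then
    echo "tekton-results namespace already exists, skipping creation"
  else
    kubectl create namespace tekton-results -o yaml --dry-run=client | kubectl apply -f-
  fi
}
```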
@@ -25,7 +32,7 @@ create_db_secret() { kubectl create secret generic -n openshift-pipelines tekton-results-database \ --from-literal=db.user=tekton \ --from-literal=db.password="$(openssl rand -base64 20)" \ - --from-literal=db.host="postgres-postgresql.tekton-results.svc.cluster.local" \ + --from-literal=db.host="postgres-postgresql.openshift-pipelines.svc.cluster.local" \ --from-literal=db.name="tekton_results" } @@ -42,7 +49,7 @@ create_s3_secret() { --from-literal=aws_secret_access_key="$PASS" \ --from-literal=aws_region='not-applicable' \ --from-literal=bucket=tekton-results \ - --from-literal=endpoint='https://minio.tekton-results.svc.cluster.local' + --from-literal=endpoint='https://minio.openshift-pipelines.svc.cluster.local' echo "Creating MinIO config" >&2 if kubectl get secret -n openshift-pipelines minio-storage-configuration &>/dev/null; then @@ -54,7 +61,7 @@ apiVersion: v1 kind: Secret metadata: name: minio-storage-configuration - namespace: tekton-results + namespace: openshift-pipelines type: Opaque stringData: config.env: |- @@ -86,13 +93,13 @@ create_db_cert_secret_and_configmap() { > /dev/null openssl req -new -nodes -text \ -subj "/CN=postgres-postgresql.tekton-results.svc.cluster.local" \ - -addext "subjectAltName=DNS:postgres-postgresql.tekton-results.svc.cluster.local" \ + -addext "subjectAltName=DNS:postgres-postgresql.openshift-pipelines.svc.cluster.local" \ -out ".tmp/tekton-results/tls.csr" \ -keyout ".tmp/tekton-results/tls.key" \ > /dev/null chmod og-rwx ".tmp/tekton-results/tls.key" openssl x509 -req -text -days 9999 -CAcreateserial \ - -extfile <(printf "subjectAltName=DNS:postgres-postgresql.tekton-results.svc.cluster.local") \ + -extfile <(printf "subjectAltName=DNS:postgres-postgresql.openshift-pipelines.svc.cluster.local") \ -in ".tmp/tekton-results/tls.csr" \ -CA ".tmp/tekton-results/ca.crt" \ -CAkey ".tmp/tekton-results/ca.key" \ From 07f8103be4476e0c19b47f78d9467e1748a2e127 Mon Sep 17 00:00:00 2001 
From: Emil Natan Date: Tue, 29 Oct 2024 13:49:01 +0200 Subject: [PATCH 05/15] Remove Results prometheus config Still not supported by the OSP operator. Removing temporary to allow testing. Also remove S3_HOSTNAME_IMMUTABLE, set to default value (false) anyway. --- .../development/main-pipeline-service-configuration.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/components/pipeline-service/development/main-pipeline-service-configuration.yaml b/components/pipeline-service/development/main-pipeline-service-configuration.yaml index 6456b1592c5..db810bca1f4 100644 --- a/components/pipeline-service/development/main-pipeline-service-configuration.yaml +++ b/components/pipeline-service/development/main-pipeline-service-configuration.yaml @@ -1006,9 +1006,6 @@ spec: tls_hostname_override: tekton-results-api-service.openshift-pipelines.svc.cluster.local db_enable_auto_migration: true server_port: 8080 - prometheus_port: 9090 - prometheus_histogram: true - s3_hostname_immutable: false options: deployments: tekton-results-watcher: From 2a33ede2520e82930f9c2c81b38304dd6ffe61e3 Mon Sep 17 00:00:00 2001 From: Emil Natan Date: Tue, 29 Oct 2024 14:52:14 +0200 Subject: [PATCH 06/15] Disable tls_hostname_override, overriden by the operator The option has been depricated and should be completely removed. The operator overrides this value, so it and argocd fight over it blocking the deployment. --- .../development/main-pipeline-service-configuration.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/components/pipeline-service/development/main-pipeline-service-configuration.yaml b/components/pipeline-service/development/main-pipeline-service-configuration.yaml index db810bca1f4..e4ed3eb9950 100644 --- a/components/pipeline-service/development/main-pipeline-service-configuration.yaml +++ b/components/pipeline-service/development/main-pipeline-service-configuration.yaml 
@@ -1003,7 +1003,6 @@ spec: logs_type: File logs_buffer_size: 5242880 auth_disable: true - tls_hostname_override: tekton-results-api-service.openshift-pipelines.svc.cluster.local db_enable_auto_migration: true server_port: 8080 options: From 2908ea5d823cc5250a11f42dbaab4ba290872b99 Mon Sep 17 00:00:00 2001 From: Emil Natan Date: Wed, 30 Oct 2024 18:22:34 +0200 Subject: [PATCH 07/15] Rename db_* postgres_* variables --- .../main-pipeline-service-configuration.yaml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/components/pipeline-service/development/main-pipeline-service-configuration.yaml b/components/pipeline-service/development/main-pipeline-service-configuration.yaml index e4ed3eb9950..185aff4b783 100644 --- a/components/pipeline-service/development/main-pipeline-service-configuration.yaml +++ b/components/pipeline-service/development/main-pipeline-service-configuration.yaml @@ -1159,6 +1159,16 @@ spec: secretKeyRef: key: db.password name: tekton-results-database + - name: POSTGRES_USER + valueFrom: + secretKeyRef: + key: db.user + name: tekton-results-database + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + key: db.password + name: tekton-results-database - name: DB_HOST valueFrom: secretKeyRef: From 1bccc748c6d4d015ac4d0b42383e9bd70f930d0f Mon Sep 17 00:00:00 2001 From: Emil Natan Date: Mon, 4 Nov 2024 15:09:53 +0200 Subject: [PATCH 08/15] Remove Postgres Application It is now deployed by the OSP operator as part of the Tekton Results deployment. --- ...ipeline-service-storage-configuration.yaml | 73 ------------------- 1 file changed, 73 deletions(-) diff --git a/components/pipeline-service/development/dev-only-pipeline-service-storage-configuration.yaml b/components/pipeline-service/development/dev-only-pipeline-service-storage-configuration.yaml index 543fda3c054..d3d8d1ddd70 100644 --- a/components/pipeline-service/development/dev-only-pipeline-service-storage-configuration.yaml 
+++ b/components/pipeline-service/development/dev-only-pipeline-service-storage-configuration.yaml 
@@ -44,79 +44,6 @@ subjects: name: openshift-gitops-argocd-application-controller namespace: openshift-gitops --- -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - annotations: - argocd.argoproj.io/sync-wave: "0" - name: postgres - namespace: openshift-gitops -spec: - destination: - namespace: openshift-pipelines - server: https://kubernetes.default.svc - project: default - source: - chart: postgresql - helm: - parameters: - - name: image.tag - value: 13.14.0 - - name: tls.enabled - value: "true" - - name: tls.certificatesSecret - value: postgresql-tls - - name: tls.certFilename - value: tls.crt - - name: tls.certKeyFilename - value: tls.key - - name: auth.database - value: tekton_results - - name: auth.username - value: tekton - - name: auth.existingSecret - value: tekton-results-database - - name: auth.secretKeys.userPasswordKey - value: db.password - - name: auth.secretKeys.adminPasswordKey - value: db.password - - name: primary.resources.requests - value: "null" - - name: primary.podSecurityContext.fsGroup - value: "null" - - name: primary.podSecurityContext.seccompProfile.type - value: RuntimeDefault - - name: primary.containerSecurityContext.runAsUser - value: "null" - - name: primary.containerSecurityContext.allowPrivilegeEscalation - value: "false" - - name: primary.containerSecurityContext.runAsNonRoot - value: "true" - - name: primary.containerSecurityContext.seccompProfile.type - value: RuntimeDefault - - name: primary.containerSecurityContext.capabilities.drop[0] - value: ALL - - name: volumePermissions.enabled - value: "false" - - name: shmVolume.enabled - value: "false" - releaseName: postgres - repoURL: https://charts.bitnami.com/bitnami - targetRevision: 14.0.5 - syncPolicy: - automated: - prune: true - selfHeal: true - retry: - backoff: - duration: 10s - factor: 2 - maxDuration: 3m - limit: -1 - syncOptions: - - CreateNamespace=false - - Validate=false ---- apiVersion: minio.min.io/v2 kind: Tenant metadata: 
From 855b87fe2a9f5ee3e150a2743fe80d91b377ba5e Mon Sep 17 00:00:00 2001 From: Emil Natan Date: Thu, 31 Oct 2024 11:38:45 +0200 Subject: [PATCH 09/15] Rename postgres secret name The operator expects secret named `tekton-results-postgres` while orinal secret name is `tekton-results-database`. The name of the fields in the secret also changed. --- .../main-pipeline-service-configuration.yaml | 26 ++++++------------- hack/secret-creator/create-plnsvc-secrets.sh | 12 ++++----- 2 files changed, 14 insertions(+), 24 deletions(-) diff --git a/components/pipeline-service/development/main-pipeline-service-configuration.yaml b/components/pipeline-service/development/main-pipeline-service-configuration.yaml index 185aff4b783..11ec33d2272 100644 --- a/components/pipeline-service/development/main-pipeline-service-configuration.yaml +++ b/components/pipeline-service/development/main-pipeline-service-configuration.yaml @@ -1152,33 +1152,23 @@ spec: - name: DB_USER valueFrom: secretKeyRef: - key: db.user - name: tekton-results-database + key: POSTGRES_USER + name: tekton-results-postgres - name: DB_PASSWORD valueFrom: secretKeyRef: - key: db.password - name: tekton-results-database - - name: POSTGRES_USER - valueFrom: - secretKeyRef: - key: db.user - name: tekton-results-database - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - key: db.password - name: tekton-results-database + key: POSTGRES_PASSWORD + name: tekton-results-postgres - name: DB_HOST valueFrom: secretKeyRef: - key: db.host - name: tekton-results-database + key: POSTGRES_HOST + name: tekton-results-postgres - name: DB_NAME valueFrom: secretKeyRef: - key: db.name - name: tekton-results-database + key: POSTGRES_DB + name: tekton-results-postgres livenessProbe: httpGet: path: /healthz diff --git a/hack/secret-creator/create-plnsvc-secrets.sh b/hack/secret-creator/create-plnsvc-secrets.sh index 3adb366c363..2e2e6d8febd 100755 --- a/hack/secret-creator/create-plnsvc-secrets.sh 
+++ b/hack/secret-creator/create-plnsvc-secrets.sh @@ -25,15 +25,15 @@ create_namespace() { create_db_secret() { echo "Creating DB secret" >&2 - if kubectl get secret -n openshift-pipelines tekton-results-database &>/dev/null; then + if kubectl get secret -n openshift-pipelines tekton-results-postgres &>/dev/null; then echo "DB secret already exists, skipping creation" return fi - kubectl create secret generic -n openshift-pipelines tekton-results-database \ - --from-literal=db.user=tekton \ - --from-literal=db.password="$(openssl rand -base64 20)" \ - --from-literal=db.host="postgres-postgresql.openshift-pipelines.svc.cluster.local" \ - --from-literal=db.name="tekton_results" + kubectl create secret generic -n openshift-pipelines tekton-results-postgres \ + --from-literal=POSTGRES_USER=tekton \ + --from-literal=POSTGRES_PASSWORD="$(openssl rand -base64 20)" \ + --from-literal=POSTGRES_HOST="tekton-results-postgres-service.openshift-pipelines.svc.cluster.local" \ + --from-literal=POSTGRES_DB="tekton_results" } create_s3_secret() { From 3bbcbe5c7a94e2eed61ba8aadff88f8aef5b7bd8 Mon Sep 17 00:00:00 2001 From: Emil Natan Date: Tue, 5 Nov 2024 14:18:30 +0200 Subject: [PATCH 10/15] Bump OSP to newest version --- hack/secret-creator/create-plnsvc-secrets.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hack/secret-creator/create-plnsvc-secrets.sh b/hack/secret-creator/create-plnsvc-secrets.sh index 2e2e6d8febd..c50f3205b19 100755 --- a/hack/secret-creator/create-plnsvc-secrets.sh +++ b/hack/secret-creator/create-plnsvc-secrets.sh @@ -33,7 +33,7 @@ create_db_secret() { --from-literal=POSTGRES_USER=tekton \ --from-literal=POSTGRES_PASSWORD="$(openssl rand -base64 20)" \ --from-literal=POSTGRES_HOST="tekton-results-postgres-service.openshift-pipelines.svc.cluster.local" \ - --from-literal=POSTGRES_DB="tekton_results" + --from-literal=POSTGRES_DB="tekton-results" } create_s3_secret() { From 40524eb70c147bfa4056dfa156f31f594c873bc3 Mon Sep 17 00:00:00 2001 
From: Emil Natan Date: Sun, 10 Nov 2024 16:59:47 +0200 Subject: [PATCH 11/15] Enable DB TLS verify-full and prometheus_histogram With operator now supporting those configuration options, we add them back to configuration. --- .../development/main-pipeline-service-configuration.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/components/pipeline-service/development/main-pipeline-service-configuration.yaml b/components/pipeline-service/development/main-pipeline-service-configuration.yaml index 11ec33d2272..9e2e313d6c8 100644 --- a/components/pipeline-service/development/main-pipeline-service-configuration.yaml +++ b/components/pipeline-service/development/main-pipeline-service-configuration.yaml @@ -998,13 +998,16 @@ spec: log_level: debug db_port: 5432 db_host: tekton-results-postgres-service.openshift-pipelines.svc.cluster.local - db_sslmode: disable + db_sslmode: verify-full + db_sslrootcert: /etc/tls/db/tekton-results-db-ca.pem logs_path: /logs logs_type: File logs_buffer_size: 5242880 auth_disable: true db_enable_auto_migration: true server_port: 8080 + prometheus_port: 9090 + prometheus_histogram: true options: deployments: tekton-results-watcher: From 2eaebd231a9284510d4abfa9cfee1bf130644e0d Mon Sep 17 00:00:00 2001 From: Emil Natan Date: Mon, 11 Nov 2024 16:12:36 +0200 Subject: [PATCH 12/15] Expose TLS key and cert to Postgres --- .../main-pipeline-service-configuration.yaml | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/components/pipeline-service/development/main-pipeline-service-configuration.yaml b/components/pipeline-service/development/main-pipeline-service-configuration.yaml index 9e2e313d6c8..5f0070849df 100644 --- a/components/pipeline-service/development/main-pipeline-service-configuration.yaml +++ b/components/pipeline-service/development/main-pipeline-service-configuration.yaml 
@@ -1009,6 +1009,26 @@ spec: prometheus_port: 9090 prometheus_histogram: true options: + statefulSets: + tekton-results-postgres: + spec: + template: + spec: + containers: + - name: postgres + volumeMounts: + - mountPath: /opt/app-root/src/certs/ + name: db-tls-ca + readOnly: true + volumes: + - name: db-tls-ca + secret: + items: + - key: tls.crt + path: tls.crt + - key: tls.key + path: tls.key + secretName: rds-root-crt deployments: tekton-results-watcher: spec: From c4e9601a30ba89c173adb448431255b976071627 Mon Sep 17 00:00:00 2001 From: Emil Natan Date: Tue, 12 Nov 2024 14:20:38 +0200 Subject: [PATCH 13/15] Revert "Remove Postgres Application" This reverts commit 47a55cf58ee05b10e9810dce58cdb3cfc0a65cd7. --- ...ipeline-service-storage-configuration.yaml | 73 +++++++++++++++++++ 1 file changed, 73 insertions(+) diff --git a/components/pipeline-service/development/dev-only-pipeline-service-storage-configuration.yaml b/components/pipeline-service/development/dev-only-pipeline-service-storage-configuration.yaml index d3d8d1ddd70..543fda3c054 100644 --- a/components/pipeline-service/development/dev-only-pipeline-service-storage-configuration.yaml +++ b/components/pipeline-service/development/dev-only-pipeline-service-storage-configuration.yaml 
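Review bot: The `db-tls-ca` volume added under `statefulSets.tekton-results-postgres` uses `secretName: rds-root-crt` with keys `tls.crt` and `tls.key`, but create-plnsvc-secrets.sh creates `rds-root-crt` as a ConfigMap holding only `tekton-results-db-ca.pem` (create_db_cert_secret_and_configmap in PATCH 01); the server certificate and key go into the `postgresql-tls` Secret instead. As written the pod would wait on a Secret that does not exist, and even a Secret of that name would lack those keys. If the mount is kept, `secretName: postgresql-tls` is the source that actually carries `tls.crt`/`tls.key`; PATCH 14 removes this block again in favour of the external database, so this mainly matters when the series is bisected.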
@@ -44,6 +44,79 @@ subjects: name: openshift-gitops-argocd-application-controller namespace: openshift-gitops --- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + annotations: + argocd.argoproj.io/sync-wave: "0" + name: postgres + namespace: openshift-gitops +spec: + destination: + namespace: openshift-pipelines + server: https://kubernetes.default.svc + project: default + source: + chart: postgresql + helm: + parameters: + - name: image.tag + value: 13.14.0 + - name: tls.enabled + value: "true" + - name: tls.certificatesSecret + value: postgresql-tls + - name: tls.certFilename + value: tls.crt + - name: tls.certKeyFilename + value: tls.key + - name: auth.database + value: tekton_results + - name: auth.username + value: tekton + - name: auth.existingSecret + value: tekton-results-database + - name: auth.secretKeys.userPasswordKey + value: db.password + - name: auth.secretKeys.adminPasswordKey + value: db.password + - name: primary.resources.requests + value: "null" + - name: primary.podSecurityContext.fsGroup + value: "null" + - name: primary.podSecurityContext.seccompProfile.type + value: RuntimeDefault + - name: primary.containerSecurityContext.runAsUser + value: "null" + - name: primary.containerSecurityContext.allowPrivilegeEscalation + value: "false" + - name: primary.containerSecurityContext.runAsNonRoot + value: "true" + - name: primary.containerSecurityContext.seccompProfile.type + value: RuntimeDefault + - name: primary.containerSecurityContext.capabilities.drop[0] + value: ALL + - name: volumePermissions.enabled + value: "false" + - name: shmVolume.enabled + value: "false" + releaseName: postgres + repoURL: https://charts.bitnami.com/bitnami + targetRevision: 14.0.5 + syncPolicy: + automated: + prune: true + selfHeal: true + retry: + backoff: + duration: 10s + factor: 2 + maxDuration: 3m + limit: -1 + syncOptions: + - CreateNamespace=false + - Validate=false +--- apiVersion: minio.min.io/v2 kind: Tenant metadata: 
From 07a4ea32344615a84e81d92fe1d37a4069f118fa Mon Sep 17 00:00:00 2001 From: Emil Natan Date: Tue, 12 Nov 2024 14:25:17 +0200 Subject: [PATCH 14/15] Reintroduce external DB With the DB installed through the operator, we can't provide TLS certificate and key, thus we can't enabled TLS verification in the API. --- ...ipeline-service-storage-configuration.yaml | 6 ++--- .../main-pipeline-service-configuration.yaml | 23 ++----------------- hack/secret-creator/create-plnsvc-secrets.sh | 6 ++--- 3 files changed, 8 insertions(+), 27 deletions(-) diff --git a/components/pipeline-service/development/dev-only-pipeline-service-storage-configuration.yaml b/components/pipeline-service/development/dev-only-pipeline-service-storage-configuration.yaml index 543fda3c054..a26786a5d28 100644 --- a/components/pipeline-service/development/dev-only-pipeline-service-storage-configuration.yaml +++ b/components/pipeline-service/development/dev-only-pipeline-service-storage-configuration.yaml @@ -75,11 +75,11 @@ spec: - name: auth.username value: tekton - name: auth.existingSecret - value: tekton-results-database + value: tekton-results-postgres - name: auth.secretKeys.userPasswordKey - value: db.password + value: POSTGRES_PASSWORD - name: auth.secretKeys.adminPasswordKey - value: db.password + value: POSTGRES_PASSWORD - name: primary.resources.requests value: "null" - name: primary.podSecurityContext.fsGroup diff --git a/components/pipeline-service/development/main-pipeline-service-configuration.yaml b/components/pipeline-service/development/main-pipeline-service-configuration.yaml index 5f0070849df..1cb45c7a5dd 100644 --- a/components/pipeline-service/development/main-pipeline-service-configuration.yaml +++ b/components/pipeline-service/development/main-pipeline-service-configuration.yaml 
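Review bot: In the @@ -75 hunk `auth.secretKeys.userPasswordKey` and `auth.secretKeys.adminPasswordKey` both resolve to `POSTGRES_PASSWORD`, so the chart's `postgres` superuser and the `tekton` application user share one password, and the credential the Results API reads from `tekton-results-postgres` is effectively a superuser credential. This commit only renames the keys, but since create_db_secret() generates the secret, adding a second literal such as `--from-literal=POSTGRES_ADMIN_PASSWORD="$(openssl rand -base64 20)"` (example key name) and pointing `adminPasswordKey` at it with `value: POSTGRES_ADMIN_PASSWORD` would separate the two roles. This is the dev-only storage overlay, but the shared-password pattern is easy to carry over when the other overlays are converted.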
@@ -997,9 +997,10 @@ spec: logs_api: true log_level: debug db_port: 5432 - db_host: tekton-results-postgres-service.openshift-pipelines.svc.cluster.local + db_host: postgres-postgresql.openshift-pipelines.svc.cluster.local db_sslmode: verify-full db_sslrootcert: /etc/tls/db/tekton-results-db-ca.pem + is_external_db: true logs_path: /logs logs_type: File logs_buffer_size: 5242880 @@ -1009,26 +1010,6 @@ spec: prometheus_port: 9090 prometheus_histogram: true options: - statefulSets: - tekton-results-postgres: - spec: - template: - spec: - containers: - - name: postgres - volumeMounts: - - mountPath: /opt/app-root/src/certs/ - name: db-tls-ca - readOnly: true - volumes: - - name: db-tls-ca - secret: - items: - - key: tls.crt - path: tls.crt - - key: tls.key - path: tls.key - secretName: rds-root-crt deployments: tekton-results-watcher: spec: diff --git a/hack/secret-creator/create-plnsvc-secrets.sh b/hack/secret-creator/create-plnsvc-secrets.sh index c50f3205b19..5f97860090c 100755 --- a/hack/secret-creator/create-plnsvc-secrets.sh +++ b/hack/secret-creator/create-plnsvc-secrets.sh @@ -32,8 +32,8 @@ create_db_secret() { kubectl create secret generic -n openshift-pipelines tekton-results-postgres \ --from-literal=POSTGRES_USER=tekton \ --from-literal=POSTGRES_PASSWORD="$(openssl rand -base64 20)" \ - --from-literal=POSTGRES_HOST="tekton-results-postgres-service.openshift-pipelines.svc.cluster.local" \ - --from-literal=POSTGRES_DB="tekton-results" + --from-literal=POSTGRES_HOST="postgres-postgresql.openshift-pipelines.svc.cluster.local" \ + --from-literal=POSTGRES_DB="tekton_results" } create_s3_secret() { 
@@ -92,7 +92,7 @@ create_db_cert_secret_and_configmap() { -out ".tmp/tekton-results/ca.crt" \ > /dev/null openssl req -new -nodes -text \ - -subj "/CN=postgres-postgresql.tekton-results.svc.cluster.local" \ + -subj "/CN=postgres-postgresql.openshift-pipelines.svc.cluster.local" \ -addext "subjectAltName=DNS:postgres-postgresql.openshift-pipelines.svc.cluster.local" \ -out ".tmp/tekton-results/tls.csr" \ -keyout ".tmp/tekton-results/tls.key" \ From 281e4df02badd41f578cc5c586c8517b0c2543f7 Mon Sep 17 00:00:00 2001 From: Emil Natan Date: Wed, 13 Nov 2024 17:35:43 +0200 Subject: [PATCH 15/15] Fix Results deployments patching --- .../development/main-pipeline-service-configuration.yaml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/components/pipeline-service/development/main-pipeline-service-configuration.yaml b/components/pipeline-service/development/main-pipeline-service-configuration.yaml index 1cb45c7a5dd..287b522df59 100644 --- a/components/pipeline-service/development/main-pipeline-service-configuration.yaml +++ b/components/pipeline-service/development/main-pipeline-service-configuration.yaml @@ -1035,10 +1035,6 @@ spec: containers: - name: watcher args: - - -api_addr - - tekton-results-api-service.openshift-pipelines.svc.cluster.local:8080 - - -auth_mode - - token - -check_owner=false - -completed_run_grace_period=2h env: @@ -1083,13 +1079,13 @@ spec: - mountPath: /etc/tls name: tls readOnly: true - - args: + - name: kube-rbac-proxy + args: - --secure-listen-address=0.0.0.0:8443 - --upstream=http://127.0.0.1:9090/ - --logtostderr=true - --v=6 image: registry.redhat.io/openshift4/ose-kube-rbac-proxy:v4.12 - name: kube-rbac-proxy ports: - containerPort: 8443 name: watchermetrics