From: Igor D.C Date: Sat, 6 Jun 2020 20:18:53 +0000 (+0000) Subject: Always install/clean KUD on Bluval job X-Git-Tag: v0.4.0~4 X-Git-Url: https://gerrit.akraino.org/r/gitweb?a=commitdiff_plain;h=976343cea0c565ffc6271603ad365b0c04d83785;p=icn.git Always install/clean KUD on Bluval job This commit makes the Bluval job (icn-bluval-daily-master) always ensure KUD/kubespray is installed before running the validation steps. Additionally, it fully uninstalls KUD and purges all Docker images and Docker itself, so that the next run will be as clean as possible and also using the latest available KUD version and EMCO k8s code. Since Jenkins is automatically installing k8s, this commit also makes Jenkins automatically patch the security vulnerabilities that would otherwise break conformance and kube-hunter. Change-Id: Ie3e604315514b00b8a3933d8c69ca8fd3ff50458 Signed-off-by: Igor D.C
---
diff --git a/ci/jjb/akraino-icn-templates.yaml b/ci/jjb/akraino-icn-templates.yaml
index 7706fb4..730c2b4 100644
--- a/ci/jjb/akraino-icn-templates.yaml
+++ b/ci/jjb/akraino-icn-templates.yaml
@@ -190,3 +190,13 @@
 unstable-on-warning: false
 fail-on-error: true
 show-graphs: true
+ - postbuildscript:
+ mark-unstable-if-failed: true
+ builders:
+ - build-on:
+ - SUCCESS
+ - UNSTABLE
+ - FAILURE
+ build-steps:
+ - shell: !include-raw-escape:
+ shell/bluval-postbuild.sh
diff --git a/ci/jjb/shell/bluval-postbuild.sh b/ci/jjb/shell/bluval-postbuild.sh
new file mode 100644
index 0000000..622ad7a
--- /dev/null
+++ b/ci/jjb/shell/bluval-postbuild.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+set -e
+set -o errexit
+set -o pipefail
+
+echo "[ICN] Uninstalling EMCO k8s"
+cd k8s/kud/hosting_providers/vagrant
+ansible-playbook -i inventory/hosts.ini /opt/kubespray-2.12.6/reset.yml --become --become-user=root -e reset_confirmation=yes
+
+echo "[ICN] Purging Docker fully"
+cat << EOF | tee purge-docker.yml
+---
+- hosts: all
+ gather_facts: True
+ tasks:
+ - name: reset | remove all docker images
+ shell: "/usr/bin/docker image ls -a -q | xargs -r /usr/bin/docker rmi -f"
+ retries: 2
+ delay: 5
+ tags:
+ - docker
+ - name: reset | remove docker itself
+ shell: "apt-get purge docker-* -y --allow-change-held-packages"
+ retries: 2
+ delay: 30
+ tags:
+ - docker
+EOF
+ansible-playbook -i inventory/hosts.ini purge-docker.yml --become --become-user=root
diff --git a/ci/jjb/shell/bluval.sh b/ci/jjb/shell/bluval.sh
index a08c39a..87b3c57 100644
--- a/ci/jjb/shell/bluval.sh
+++ b/ci/jjb/shell/bluval.sh
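Review bot: `cd k8s/kud/hosting_providers/vagrant` on line 7 runs under `set -e` with no guard, and the template registers this step to run on FAILURE as well as SUCCESS, so a build that died before the clone in bluval.sh completed aborts the cleanup here and the Docker purge below never executes; `cd k8s/kud/hosting_providers/vagrant || { echo "[ICN] No KUD checkout found, skipping k8s reset"; exit 0; }` keeps the post-build from failing on a node that has nothing to reset. For the same reason the purge playbook should probably not be conditional on `reset.yml` succeeding if the stated goal is that every run leaves the node clean. The hard-coded `/opt/kubespray-2.12.6/reset.yml` pins a kubespray version while the commit's aim is to always pick up the latest KUD, so a KUD bump of its kubespray version would make this path silently stale (inferred; the installer is not part of this diff). `set -e` and `set -o errexit` on lines 2-3 are the same option, one can go. `cat << EOF | tee purge-docker.yml` also copies the whole playbook into the build log; `cat > purge-docker.yml << 'EOF'` is quieter and marks the heredoc as literal, which it is.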
@@ -3,6 +3,46 @@
 set -e
 set -o errexit
 set -o pipefail
 
+echo "[ICN] Downloading EMCO k8s"
+git clone "https://gerrit.onap.org/r/multicloud/k8s"
+cp ~/aio.sh k8s/kud/hosting_providers/baremetal/aio.sh
+cp ~/installer.sh k8s/kud/hosting_providers/vagrant/installer.sh
+
+echo "[ICN] Installing EMCO k8s"
+sudo chown root:root /var/lib/jenkins/.netrc
+sudo k8s/kud/hosting_providers/baremetal/aio.sh
+sudo chown jenkins:jenkins /var/lib/jenkins/.netrc
+sudo chown jenkins:jenkins -R /var/lib/jenkins/workspace/icn-bluval-daily-master/k8s/kud/hosting_providers/vagrant
+# the .netrc chown is a temporary workaround, needs to be fixed in multicloud-k8s
+sleep 5
+
+echo "[ICN] Patching EMCO k8s security vulnerabilities"
+kubectl replace -f - << EOF
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: pod-reader
+ annotations:
+ rbac.authorization.kubernetes.io/autoupdate: "false"
+ labels:
+ kubernetes.io/bootstrapping: rbac-defaults
+ name: system:public-info-viewer
+rules:
+- nonResourceURLs:
+ - /livez
+ - /readyz
+ - /healthz
+ verbs:
+ - get
+EOF
+kubectl replace -f - << EOF
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: default
+automountServiceAccountToken: false
+EOF
+
 echo "[ICN] Downloading run_bluval.sh from upstream ci-management"
 wget --read-timeout=10 --timeout=10 --waitretry=10 -t 10 https://raw.githubusercontent.com/akraino-edge-stack/ci-management/master/jjb/shell/run_bluval.sh
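Review bot: The first `kubectl replace` heredoc carries two `name:` keys under `metadata` (`pod-reader` and `system:public-info-viewer`); depending on the kubectl version the parser either silently keeps the last one or rejects the document as a duplicate key, so the leftover `name: pod-reader` line should be deleted and only `system:public-info-viewer`, the role the `autoupdate: "false"` annotation is meant to pin, should remain. The `.netrc` ownership round-trip is not undone if `aio.sh` fails under `set -e`, which leaves the file root-owned for every later job on the agent; a `trap 'sudo chown jenkins:jenkins /var/lib/jenkins/.netrc' EXIT` placed right after the `chown root:root` covers the failure path as well. The recursive chown hard-codes `/var/lib/jenkins/workspace/icn-bluval-daily-master`, tying a shared template to one job name, where `"$WORKSPACE/k8s/kud/hosting_providers/vagrant"` expresses the same path for any job. `sleep 5` has no comment saying what it waits for, and the second heredoc only touches the `default` ServiceAccount of the `default` namespace, which a one-line comment should state if that scope is intentional.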