Always install/clean KUD on Bluval job 51/3551/7
authorIgor D.C <igordcard@gmail.com>
Sat, 6 Jun 2020 20:18:53 +0000 (20:18 +0000)
committerKuralamudhan Ramakrishnan <kuralamudhan.ramakrishnan@intel.com>
Wed, 25 Nov 2020 23:34:37 +0000 (23:34 +0000)
This commit makes the Bluval job (icn-bluval-daily-master) always
ensure KUD/kubespray is installed before running the validation steps.
Additionally, it fully uninstalls KUD and purges all Docker images
and Docker itself, so that the next run will be as clean as possible
and will also use the latest available KUD version and EMCO k8s code.

Since Jenkins is automatically installing k8s, this commit also
makes Jenkins automatically patch the security vulnerabilities
that would otherwise break conformance and kube-hunter.

Change-Id: Ie3e604315514b00b8a3933d8c69ca8fd3ff50458
Signed-off-by: Igor D.C <igordcard@gmail.com>
ci/jjb/akraino-icn-templates.yaml
ci/jjb/shell/bluval-postbuild.sh [new file with mode: 0644]
ci/jjb/shell/bluval.sh

index 7706fb4..730c2b4 100644 (file)
           unstable-on-warning: false
           fail-on-error: true
           show-graphs: true
+      - postbuildscript:
+          mark-unstable-if-failed: true
+          builders:
+              - build-on:
+                    - SUCCESS
+                    - UNSTABLE
+                    - FAILURE
+                build-steps:
+                    - shell: !include-raw-escape:
+                        shell/bluval-postbuild.sh
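Review bot: The `build-on` list omits `ABORTED`, so a run that is cancelled or hits a job timeout would skip the cleanup script and leave KUD and Docker installed on the node. If the workspace is kept between runs, the next run's `git clone` in bluval.sh would presumably then fail on the existing `k8s` directory. Consider adding `- ABORTED` to the list, plus a comment above `postbuildscript` such as `# tears down KUD and Docker so every run starts from a clean install`. The publisher list this entry is appended to starts outside the hunk.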
diff --git a/ci/jjb/shell/bluval-postbuild.sh b/ci/jjb/shell/bluval-postbuild.sh
new file mode 100644 (file)
index 0000000..622ad7a
--- /dev/null
@@ -0,0 +1,29 @@
+#!/bin/bash
+set -e
+set -o errexit
+set -o pipefail
+
+echo "[ICN] Uninstalling EMCO k8s"
+cd k8s/kud/hosting_providers/vagrant
+ansible-playbook -i inventory/hosts.ini /opt/kubespray-2.12.6/reset.yml --become --become-user=root -e reset_confirmation=yes
+
+echo "[ICN] Purging Docker fully"
+cat << EOF | tee purge-docker.yml
+---
+- hosts: all
+  gather_facts: True
+  tasks:
+    - name: reset | remove all docker images
+      shell: "/usr/bin/docker image ls -a -q | xargs -r /usr/bin/docker rmi -f"
+      retries: 2
+      delay: 5
+      tags:
+        - docker
+    - name: reset | remove docker itself
+      shell: "apt-get purge docker-* -y --allow-change-held-packages"
+      retries: 2
+      delay: 30
+      tags:
+        - docker
+EOF
+ansible-playbook -i inventory/hosts.ini purge-docker.yml --become --become-user=root
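Review bot: Because this script runs under `set -e` and is also invoked on `FAILURE`, any early error stops the teardown half-way: if the build failed before the clone, `cd k8s/kud/hosting_providers/vagrant` exits the script, and a failing `reset.yml` run means the Docker purge never executes. For a best-effort cleanup, guard the `cd` explicitly and append something like `|| echo "[ICN] kubespray reset failed, continuing with Docker purge"` to the reset command. In the purge task, `docker-*` is unquoted inside a `shell:` task, so the remote shell may expand it against files in its working directory before apt-get sees it; `shell: "apt-get purge 'docker-*' -y --allow-change-held-packages"` avoids that. `set -o errexit` repeats `set -e`, so one of the two can go.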
index a08c39a..87b3c57 100644 (file)
@@ -3,6 +3,46 @@ set -e
 set -o errexit
 set -o pipefail
 
+echo "[ICN] Downloading EMCO k8s"
+git clone "https://gerrit.onap.org/r/multicloud/k8s"
+cp ~/aio.sh k8s/kud/hosting_providers/baremetal/aio.sh
+cp ~/installer.sh k8s/kud/hosting_providers/vagrant/installer.sh
+
+echo "[ICN] Installing EMCO k8s"
+sudo chown root:root /var/lib/jenkins/.netrc
+sudo k8s/kud/hosting_providers/baremetal/aio.sh
+sudo chown jenkins:jenkins /var/lib/jenkins/.netrc
+sudo chown jenkins:jenkins -R /var/lib/jenkins/workspace/icn-bluval-daily-master/k8s/kud/hosting_providers/vagrant
+# the .netrc chown is a temporary workaround, needs to be fixed in multicloud-k8s
+sleep 5
+
+echo "[ICN] Patching EMCO k8s security vulnerabilities"
+kubectl replace -f - << EOF
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: pod-reader
+  annotations:
+    rbac.authorization.kubernetes.io/autoupdate: "false"
+  labels:
+    kubernetes.io/bootstrapping: rbac-defaults
+  name: system:public-info-viewer
+rules:
+- nonResourceURLs:
+  - /livez
+  - /readyz
+  - /healthz
+  verbs:
+  - get
+EOF
+kubectl replace -f - << EOF
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: default
+automountServiceAccountToken: false
+EOF
+
 echo "[ICN] Downloading run_bluval.sh from upstream ci-management"
 wget --read-timeout=10 --timeout=10 --waitretry=10 -t 10 https://raw.githubusercontent.com/akraino-edge-stack/ci-management/master/jjb/shell/run_bluval.sh
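Review bot: The ClusterRole manifest sets `name` twice under `metadata` (`pod-reader`, then `system:public-info-viewer`); duplicate mapping keys are invalid YAML and which one wins depends on the parser, so the `name: pod-reader` line should be dropped to make it explicit that `system:public-info-viewer` is the role being narrowed. The ServiceAccount manifest has no `namespace`, so `automountServiceAccountToken: false` reaches only the `default` account in kubectl's current namespace, and service accounts in other namespaces keep automounting tokens unless they are patched as well. `sleep 5` is not a readiness check, and under `set -e` a `kubectl replace` against an API server that is not answering yet fails the job; `kubectl wait --for=condition=Ready nodes --all --timeout=300s` before the patches would be more reliable. A short comment above each manifest naming the conformance or kube-hunter finding it addresses, and which non-resource URLs are deliberately left out of the role, would help the next maintainer judge whether the hardening is still complete.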