Merge pull request #1 from trevor-dolby-at-ibm-com/os-4.14
openshift 4.14
trevor-dolby-at-ibm-com authored Dec 4, 2023
2 parents 0cdf75b + e2f0747 commit b2e75bf
Showing 14 changed files with 128 additions and 35 deletions.
1 change: 0 additions & 1 deletion serverless/knative-service-account.yaml
Expand Up @@ -9,4 +9,3 @@ roleRef:
subjects:
- kind: ServiceAccount
name: ace-tekton-service-account
namespace: default
3 changes: 2 additions & 1 deletion serverless/tea-tekton-knative-service.yaml
Expand Up @@ -2,14 +2,15 @@ apiVersion: serving.knative.dev/v1
kind: Service
metadata:
name: tea-tekton-knative
namespace: default
spec:
template:
spec:
volumes:
- name: secret-volume-2
secret:
secretName: jdbc-secret
imagePullSecrets:
- name: regcred
containers:
- name: tea-tekton-knative
image: DOCKER_REGISTRY/tea-tekton:latest
10 changes: 9 additions & 1 deletion tekton/10-maven-ace-build-task.yaml
Expand Up @@ -3,6 +3,14 @@ kind: Task
metadata:
name: maven-ace-build
spec:
# The security and environment settings are needed for OpenShift in a non-default
# namespace such as cp4i. Kaniko is expecting to be root in the container.
stepTemplate:
securityContext:
runAsUser: 0
env:
- name: "HOME"
value: "/tekton/home"
params:
- name: dockerRegistry
type: string
Expand Down Expand Up @@ -74,7 +82,7 @@ spec:
- mountPath: /work
name: work
- name: docker-build-and-push
image: gcr.io/kaniko-project/executor:v0.16.0
image: gcr.io/kaniko-project/executor:latest
# specifying DOCKER_CONFIG is required to allow kaniko to detect docker credential
env:
- name: "DOCKER_CONFIG"
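Review bot: `stepTemplate.securityContext.runAsUser: 0` in the first hunk makes every step of the task run as root, while the comment above it only justifies root for the kaniko step; the maven and git steps (outside the hunk) presumably do not need it, so the `securityContext` belongs on the `docker-build-and-push` step alone and the rest of the task can stay at the SCC default. In the second hunk `image: gcr.io/kaniko-project/executor:latest` replaces a pinned tag with a mutable one, so each run may execute a different executor build and the pipeline is no longer reproducible; pin a release tag and ideally a digest, e.g. `image: gcr.io/kaniko-project/executor:<release-tag>@sha256:<digest>` (placeholders). The same `:latest` change appears in the two ace-minimal tasks below and in tekton/temp-db2/14-maven-ace-build-temp-db2-task.yaml, and the same task-wide `stepTemplate` block in the two ace-minimal tasks. Both hunks sit inside a `spec:` block that begins and ends outside the hunk.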
3 changes: 3 additions & 0 deletions tekton/Dockerfile
Expand Up @@ -33,6 +33,9 @@ RUN chown -R aceuser:mqbrkrs /tmp/* && \
# Kaniko seems to chmod this directory 755 by mistake sometimes, which causes trouble later
RUN chmod 1777 /tmp

# This seems to be needed for OpenShift support due to random userids at runtime
RUN chmod -R 777 /home/aceuser/ace-server /var/mqsi || /bin/true

USER aceuser

# We're in an internal pipeline
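Review bot: `RUN chmod -R 777 /home/aceuser/ace-server /var/mqsi || /bin/true` makes the server and MQSI directories world-writable for every UID, which is broader than the arbitrary-UID case needs: OpenShift places the random UID in GID 0, so group ownership is the usual fix, `RUN chgrp -R 0 /home/aceuser/ace-server /var/mqsi && chmod -R g+rwX /home/aceuser/ace-server /var/mqsi`. The `|| /bin/true` also hides a failing chmod, so the image still builds when the permissions were not applied; if one of the paths may legitimately be absent, guard that path explicitly instead of swallowing every error. The SCC added elsewhere in this commit sets `runAsUser: RunAsAny`, so it is worth confirming which SCC the runtime pods actually land on before relying on the random-UID assumption the comment states.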
Expand Up @@ -3,6 +3,14 @@ kind: Task
metadata:
name: ace-minimal-image-build-and-push
spec:
# The security and environment settings are needed for OpenShift in a non-default
# namespace such as cp4i. Kaniko is expecting to be root in the container.
stepTemplate:
securityContext:
runAsUser: 0
env:
- name: "HOME"
value: "/tekton/home"
params:
- name: dockerRegistry
type: string
Expand All @@ -23,12 +31,13 @@ spec:
#!/bin/sh
cd /work
git clone "https://github.com/trevor-dolby-at-ibm-com/ace-docker"
sed -i 's/alpine:3.18/quay.io\/trevor_dolby\/alpine:3.18/g' /work/ace-docker/experimental/ace-minimal/Dockerfile.alpine
ls -l /work/ace-docker/experimental/ace-minimal
volumeMounts:
- mountPath: /work
name: work
- name: ace-minimal-push
image: gcr.io/kaniko-project/executor:v0.16.0
image: gcr.io/kaniko-project/executor:latest
# specifying DOCKER_CONFIG is required to allow kaniko to detect docker credential
env:
- name: "DOCKER_CONFIG"
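Review bot: The `sed -i 's/alpine:3.18/quay.io\/trevor_dolby\/alpine:3.18/g'` line in the second hunk rewrites the cloned Dockerfile so that the base image comes from a personal quay.io namespace rather than the library image, which moves the trust root of every ace-minimal build onto that one account with nothing on the page explaining why. If a mirror is needed (rate limits, air-gapped cluster), an organisation-owned registry referenced by digest, e.g. `quay.io/<org>/alpine:3.18@sha256:<digest>` (placeholders), plus a comment stating the reason would make the substitution auditable. The preceding `git clone` also checks out whatever the default branch holds at run time, so the build input is not pinned either; a `--branch <tag>` or an explicit commit checkout would fix that. The step's `script:` block starts before the hunk.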
Expand Up @@ -3,6 +3,14 @@ kind: Task
metadata:
name: ace-minimal-build-image-build-and-push
spec:
# The security and environment settings are needed for OpenShift in a non-default
# namespace such as cp4i. Kaniko is expecting to be root in the container.
stepTemplate:
securityContext:
runAsUser: 0
env:
- name: "HOME"
value: "/tekton/home"
params:
- name: dockerRegistry
type: string
Expand All @@ -25,7 +33,7 @@ spec:
- mountPath: /work
name: work
- name: ace-minimal-build-push
image: gcr.io/kaniko-project/executor:v0.16.0
image: gcr.io/kaniko-project/executor:latest
# specifying DOCKER_CONFIG is required to allow kaniko to detect docker credential
env:
- name: "DOCKER_CONFIG"
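--- a/tekton/os/ace-scc.yaml
+++ b/tekton/os/ace-scc.yaml
@@ -0,0 +1,36 @@
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+annotations:
+kubernetes.io/description: ace-scc is a close replica of anyuid scc. pipelines-scc has fsGroup - RunAsAny.
+name: ace-scc
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: false
+allowedCapabilities: ["CHOWN", "DAC_OVERRIDE","FOWNER","SETFCAP","SETGID","SETUID"]
+defaultAddCapabilities: null
+fsGroup:
+type: RunAsAny
+groups:
+- system:cluster-admins
+priority: 10
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+- MKNOD
+runAsUser:
+type: RunAsAny
+seLinuxContext:
+type: MustRunAs
+supplementalGroups:
+type: RunAsAny
+volumes:
+- configMap
+- downwardAPI
+- emptyDir
+- persistentVolumeClaim
+- projected
+- secret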
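Review bot: `allowPrivilegeEscalation: true` combined with `SETUID`/`SETGID`/`DAC_OVERRIDE` in `allowedCapabilities` and `runAsUser: RunAsAny` lets any pod admitted under this SCC become root inside the container, the same exposure as `anyuid` that the description acknowledges. The build tasks in this commit already set `runAsUser: 0` explicitly, so they should not need escalation and `allowPrivilegeEscalation: false` ought to still let kaniko run; the capability list should likewise be trimmed to what the build steps actually exercise, with a comment per capability naming the step that needs it. `priority: 10` makes this SCC outrank `restricted` for every subject it is bound to, and the only binding here is the `system:cluster-admins` group, so it is not visible which SCC the pipeline service account itself lands on — binding `ace-tekton-service-account` directly and dropping the group entry would make the grant explicit. As a style point, the flow-style `allowedCapabilities` list has inconsistent spacing after commas; block style would match the other lists in the file.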
44 changes: 18 additions & 26 deletions tekton/os/cp4i/force-pull-cp4i.yaml
@@ -1,30 +1,22 @@
apiVersion: v1
kind: Pod
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: force-pull-cp4i
namespace: cp4i
spec:
containers:
- name: force-pull-cp4i-base
imagePullPolicy: Always
image: image-registry.openshift-image-registry.svc.cluster.local:5000/default/tea-tekton-cp4i:latest
command: ["sleep"]
args: ["1"]
- name: force-pull-cp4i-ct
imagePullPolicy: Always
image: image-registry.openshift-image-registry.svc.cluster.local:5000/default/tea-tekton-cp4i-ct:latest
command: ["sleep"]
args: ["1"]
- name: force-pull-minimal
imagePullPolicy: Always
image: image-registry.openshift-image-registry.svc.cluster.local:5000/default/ace-server-prod:12.0.10.0-r1
command: ["sleep"]
args: ["1"]
- name: force-pull-minimal-build
imagePullPolicy: Always
image: image-registry.openshift-image-registry.svc.cluster.local:5000/default/ace-minimal-build:12.0.10.0-alpine
command: ["sleep"]
args: ["1"]
restartPolicy: Never
imagePullSecrets:
- name: 'regcred'
selector:
matchLabels:
name: force-pull-cp4i
template:
metadata:
labels:
name: force-pull-cp4i
spec:
containers:
- name: force-pull-minimal-build
imagePullPolicy: Always
image: image-registry.openshift-image-registry.svc.cluster.local:5000/default/ace-minimal-build:12.0.10.0-alpine
command: ["sleep"]
args: ["1000000"]
imagePullSecrets:
- name: 'regcred'
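Review bot: The DaemonSet template runs an indefinitely sleeping container (`args: ["1000000"]`) on every node with no `resources` and no `securityContext`, so a pod whose only job is warming the image cache inherits whatever the namespace SCC allows and declares no scheduling footprint. A minimal `securityContext` (no privilege escalation, all capabilities dropped) and small `resources` requests/limits keep it harmless; the rewritten container entry is below. The `sleep` also exits after roughly 11.5 days and the container restarts, which re-pulls the image — if that periodic re-pull is intended, a comment saying so would help the next reader.
```yaml
containers:
- name: force-pull-minimal-build
  # … unchanged: imagePullPolicy, image, command, args …
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
  resources:  # constructed example values — size to the cluster
    requests:
      cpu: 10m
      memory: 16Mi
    limits:
      memory: 32Mi
```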
3 changes: 3 additions & 0 deletions tekton/os/cp4i/service-account-cp4i.yaml
Expand Up @@ -3,6 +3,9 @@ kind: ServiceAccount
metadata:
name: cp4i-tekton-service-account
namespace: cp4i
imagePullSecrets:
- name: regcred
- name: ibm-entitlement-key
secrets:
- name: regcred
- name: ibm-entitlement-key
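--- a/tekton/os/service-account.yaml
+++ b/tekton/os/service-account.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: ace-tekton-service-account
+imagePullSecrets:
+- name: regcred
+secrets:
+- name: regcred
+---
+
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+name: pipeline-role
+rules:
+- apiGroups: ["extensions", "apps", "appconnect.ibm.com", "", "v1"]
+resources: ["services", "deployments", "pods", "integrationservers", "pods/exec", "integrationruntimes"]
+verbs: ["get", "create", "update", "patch", "list", "delete", "exec", "watch"]
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+name: pipeline-role-binding
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: Role
+name: pipeline-role
+subjects:
+- kind: ServiceAccount
+name: ace-tekton-service-account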
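Review bot: In the `pipeline-role` rules, `"v1"` in `apiGroups` is an API version rather than a group (the core group is the empty string already listed) and `"exec"` is not a Kubernetes verb — `pods/exec` is reached through `create` on the subresource — so both entries are dead weight that makes the rule look different from what the API server enforces. The single rule also grants `delete` across `pods`, `deployments`, `integrationservers` and `integrationruntimes` at once; one rule per resource with only the verbs the pipeline tasks use, each with a comment naming the task that needs it, would keep the role least-privilege and reviewable. As a minimum, `- apiGroups: ["extensions", "apps", "appconnect.ibm.com", ""]` and `verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]` drop the two invalid entries without changing effective permissions.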
1 change: 0 additions & 1 deletion tekton/os/tea-tekton-route.yaml
Expand Up @@ -2,7 +2,6 @@ kind: Route
apiVersion: route.openshift.io/v1
metadata:
name: tea-route
namespace: default
spec:
host: tea-route-default.apps.openshift.mycompany.com
to:
4 changes: 2 additions & 2 deletions tekton/service-account.yaml
Expand Up @@ -2,6 +2,8 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: ace-tekton-service-account
imagePullSecrets:
- name: regcred
secrets:
- name: regcred

Expand All @@ -10,7 +12,6 @@ secrets:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: default
name: pipeline-role
rules:
- apiGroups: ["extensions", "apps", ""]
Expand All @@ -30,4 +31,3 @@ roleRef:
subjects:
- kind: ServiceAccount
name: ace-tekton-service-account
namespace: default
3 changes: 3 additions & 0 deletions tekton/tea-tekton-deployment.yaml
Expand Up @@ -20,11 +20,14 @@ spec:
- name: secret-volume-2
secret:
secretName: jdbc-secret
imagePullSecrets:
- name: regcred
containers:
- name: tea-tekton
image: DOCKER_REGISTRY/tea-tekton:latest
ports:
- containerPort: 7800
imagePullPolicy: Always
volumeMounts:
- name: secret-volume-2
mountPath: /var/run/secrets/jdbc
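Review bot: `imagePullPolicy: Always` on `image: DOCKER_REGISTRY/tea-tekton:latest` means every pod restart re-resolves the mutable tag, so two replicas or a rollback can silently run different builds; having the pipeline stamp an immutable identifier and referencing it here, e.g. `image: DOCKER_REGISTRY/tea-tekton@sha256:<digest>` (placeholder), gives the deployment a reproducible rollout. The container also carries no `securityContext`, and the SCC added in this commit allows privilege escalation and several capabilities, so `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` on the container would limit what this runtime workload can use. The `spec.template.spec` block starts before the hunk.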
2 changes: 1 addition & 1 deletion tekton/temp-db2/14-maven-ace-build-temp-db2-task.yaml
Expand Up @@ -136,7 +136,7 @@ spec:
- mountPath: /work
name: work
- name: docker-build-and-push
image: gcr.io/kaniko-project/executor:v0.16.0
image: gcr.io/kaniko-project/executor:latest
# specifying DOCKER_CONFIG is required to allow kaniko to detect docker credential
env:
- name: "DOCKER_CONFIG"
