From f7a39745689a5643633edca9dd3476da330e3fa0 Mon Sep 17 00:00:00 2001 
From: Michael Sauter Date: Thu, 12 Jan 2023 17:36:30 +0100 Subject: [PATCH] Remove image wrappers Supply private certificate via secret volume to tasks. Closes #621. --- Makefile | 15 ----- build/package/Dockerfile.gradle-toolset | 4 +- build/package/scripts/build-gradle.sh | 3 +- build/package/scripts/build-npm.sh | 12 ++-- build/package/scripts/build-python.sh | 2 +- ...et-gradle-proxy.sh => configure-gradle.sh} | 30 ++++++++- deploy/README.md | 5 +- deploy/install.sh | 35 ++++++++++ deploy/ods-pipeline/Chart.yaml | 3 - deploy/ods-pipeline/charts/images/Chart.yaml | 23 ------- .../charts/images/docker/Dockerfile.finish | 10 --- .../images/docker/Dockerfile.go-toolset | 10 --- .../images/docker/Dockerfile.gradle-toolset | 10 --- .../charts/images/docker/Dockerfile.helm | 10 --- .../docker/Dockerfile.node16-npm-toolset | 10 --- .../images/docker/Dockerfile.package-image | 24 ------- .../images/docker/Dockerfile.pipeline-manager | 10 --- .../images/docker/Dockerfile.python-toolset | 10 --- .../charts/images/docker/Dockerfile.sonar | 10 --- .../charts/images/docker/Dockerfile.start | 10 --- .../charts/images/templates/_helpers.tpl | 62 ------------------ .../images/templates/bc-ods-finish.yaml | 28 -------- .../images/templates/bc-ods-go-toolset.yaml | 30 --------- .../templates/bc-ods-gradle-toolset.yaml | 30 --------- .../charts/images/templates/bc-ods-helm.yaml | 30 --------- .../templates/bc-ods-node16-npm-toolset.yaml | 30 --------- .../templates/bc-ods-package-image.yaml | 32 --------- .../templates/bc-ods-pipeline-manager.yaml | 28 -------- .../templates/bc-ods-python-toolset.yaml | 30 --------- .../charts/images/templates/bc-ods-sonar.yaml | 28 -------- .../charts/images/templates/bc-ods-start.yaml | 28 -------- .../images/templates/is-ods-finish.yaml | 8 --- .../images/templates/is-ods-go-toolset.yaml | 10 --- .../templates/is-ods-gradle-toolset.yaml | 10 --- .../charts/images/templates/is-ods-helm.yaml | 10 --- .../templates/is-ods-node16-npm-toolset.yaml | 
10 --- .../templates/is-ods-package-image.yaml | 10 --- .../templates/is-ods-pipeline-manager.yaml | 8 --- .../templates/is-ods-python-toolset.yaml | 10 --- .../charts/images/templates/is-ods-sonar.yaml | 8 --- .../charts/images/templates/is-ods-start.yaml | 8 --- .../images/templates/job-start-builds.yaml | 20 ------ deploy/ods-pipeline/charts/images/values.yaml | 2 - .../charts/setup/templates/deployment.yaml | 3 +- .../charts/tasks/templates/_sonar-step.tpl | 2 +- .../tasks/templates/task-ods-build-go.yaml | 12 +++- .../templates/task-ods-build-gradle.yaml | 12 +++- .../tasks/templates/task-ods-build-npm.yaml | 12 +++- .../templates/task-ods-build-python.yaml | 12 +++- .../tasks/templates/task-ods-deploy-helm.yaml | 12 +++- .../tasks/templates/task-ods-finish.yaml | 15 ++++- .../templates/task-ods-package-image.yaml | 12 +++- .../tasks/templates/task-ods-start.yaml | 10 ++- .../charts/tasks/values.docs.yaml | 4 -- deploy/ods-pipeline/charts/tasks/values.yaml | 3 + deploy/ods-pipeline/values.kind.yaml | 13 ++-- deploy/ods-pipeline/values.yaml | 46 ++----------- deploy/values.yaml.tmpl | 7 -- docs/creating-an-ods-task.adoc | 2 - docs/installation.adoc | 8 +-- docs/repository-layout.adoc | 2 +- pkg/tasktesting/helper.go | 15 ++++- scripts/install-inside-kind.sh | 25 ++++++- scripts/nexus/Dockerfile | 6 -- scripts/nexus/Dockerfile.amd64 | 17 +++++ scripts/nexus/Dockerfile.arm64 | 13 +++- scripts/run-nexus.sh | 23 +++---- test/tasks/common_test.go | 2 + test/tasks/ods-build-gradle_test.go | 4 +- test/testdata/private-cert/README.md | 8 +++ test/testdata/private-cert/openssl.conf | 22 +++++++ test/testdata/private-cert/tls.crt | 23 +++++++ test/testdata/private-cert/tls.key | 28 ++++++++ test/testdata/private-cert/tls.p12 | Bin 0 -> 2605 bytes test/testdata/private-cert/xtls.crt | 33 ++++++++++ test/testdata/private-cert/xtls.key | 52 +++++++++++++++ test/testdata/private-cert/xtls.p12 | Bin 0 -> 4213 bytes 77 files changed, 421 insertions(+), 753 deletions(-) rename 
build/package/scripts/{set-gradle-proxy.sh => configure-gradle.sh} (53%) delete mode 100644 deploy/ods-pipeline/charts/images/Chart.yaml delete mode 100644 deploy/ods-pipeline/charts/images/docker/Dockerfile.finish delete mode 100644 deploy/ods-pipeline/charts/images/docker/Dockerfile.go-toolset delete mode 100644 deploy/ods-pipeline/charts/images/docker/Dockerfile.gradle-toolset delete mode 100644 deploy/ods-pipeline/charts/images/docker/Dockerfile.helm delete mode 100644 deploy/ods-pipeline/charts/images/docker/Dockerfile.node16-npm-toolset delete mode 100644 deploy/ods-pipeline/charts/images/docker/Dockerfile.package-image delete mode 100644 deploy/ods-pipeline/charts/images/docker/Dockerfile.pipeline-manager delete mode 100644 deploy/ods-pipeline/charts/images/docker/Dockerfile.python-toolset delete mode 100644 deploy/ods-pipeline/charts/images/docker/Dockerfile.sonar delete mode 100644 deploy/ods-pipeline/charts/images/docker/Dockerfile.start delete mode 100644 deploy/ods-pipeline/charts/images/templates/_helpers.tpl delete mode 100644 deploy/ods-pipeline/charts/images/templates/bc-ods-finish.yaml delete mode 100644 deploy/ods-pipeline/charts/images/templates/bc-ods-go-toolset.yaml delete mode 100644 deploy/ods-pipeline/charts/images/templates/bc-ods-gradle-toolset.yaml delete mode 100644 deploy/ods-pipeline/charts/images/templates/bc-ods-helm.yaml delete mode 100644 deploy/ods-pipeline/charts/images/templates/bc-ods-node16-npm-toolset.yaml delete mode 100644 deploy/ods-pipeline/charts/images/templates/bc-ods-package-image.yaml delete mode 100644 deploy/ods-pipeline/charts/images/templates/bc-ods-pipeline-manager.yaml delete mode 100644 deploy/ods-pipeline/charts/images/templates/bc-ods-python-toolset.yaml delete mode 100644 deploy/ods-pipeline/charts/images/templates/bc-ods-sonar.yaml delete mode 100644 deploy/ods-pipeline/charts/images/templates/bc-ods-start.yaml delete mode 100644 deploy/ods-pipeline/charts/images/templates/is-ods-finish.yaml delete mode 
100644 deploy/ods-pipeline/charts/images/templates/is-ods-go-toolset.yaml delete mode 100644 deploy/ods-pipeline/charts/images/templates/is-ods-gradle-toolset.yaml delete mode 100644 deploy/ods-pipeline/charts/images/templates/is-ods-helm.yaml delete mode 100644 deploy/ods-pipeline/charts/images/templates/is-ods-node16-npm-toolset.yaml delete mode 100644 deploy/ods-pipeline/charts/images/templates/is-ods-package-image.yaml delete mode 100644 deploy/ods-pipeline/charts/images/templates/is-ods-pipeline-manager.yaml delete mode 100644 deploy/ods-pipeline/charts/images/templates/is-ods-python-toolset.yaml delete mode 100644 deploy/ods-pipeline/charts/images/templates/is-ods-sonar.yaml delete mode 100644 deploy/ods-pipeline/charts/images/templates/is-ods-start.yaml delete mode 100644 deploy/ods-pipeline/charts/images/templates/job-start-builds.yaml delete mode 100644 deploy/ods-pipeline/charts/images/values.yaml delete mode 100644 scripts/nexus/Dockerfile create mode 100644 scripts/nexus/Dockerfile.amd64 create mode 100644 test/testdata/private-cert/README.md create mode 100644 test/testdata/private-cert/openssl.conf create mode 100644 test/testdata/private-cert/tls.crt create mode 100644 test/testdata/private-cert/tls.key create mode 100644 test/testdata/private-cert/tls.p12 create mode 100644 test/testdata/private-cert/xtls.crt create mode 100644 test/testdata/private-cert/xtls.key create mode 100644 test/testdata/private-cert/xtls.p12 diff --git a/Makefile b/Makefile index 73804286..fd241fb0 100644 --- a/Makefile +++ b/Makefile 
@@ -144,18 +144,3 @@ ifeq ($(strip $(namespace)),) endif cd scripts && ./install-inside-kind.sh -n $(namespace) .PHONY: deploy - -##@ OpenShift - -start-ods-builds: ## Start builds for each ODS BuildConfig - oc start-build ods-package-image - oc start-build ods-finish - oc start-build ods-go-toolset - oc start-build ods-gradle-toolset - oc start-build ods-helm - oc start-build ods-node16-npm-toolset - oc start-build ods-pipeline-manager - oc start-build ods-python-toolset - oc start-build ods-sonar - oc start-build ods-start -.PHONY: start-ods-builds diff --git a/build/package/Dockerfile.gradle-toolset b/build/package/Dockerfile.gradle-toolset index 8a5fa4aa..dc594d22 100644 --- a/build/package/Dockerfile.gradle-toolset +++ b/build/package/Dockerfile.gradle-toolset @@ -37,13 +37,13 @@ COPY build/package/scripts/copy-build-if-cached.sh /usr/local/bin/copy-build-if- COPY build/package/scripts/copy-artifacts.sh /usr/local/bin/copy-artifacts COPY build/package/scripts/build-gradle.sh /usr/local/bin/build-gradle COPY build/package/scripts/supply-sonar-project-properties-default.sh /usr/local/bin/supply-sonar-project-properties-default -COPY build/package/scripts/set-gradle-proxy.sh /usr/local/bin/set-gradle-proxy +COPY build/package/scripts/configure-gradle.sh /usr/local/bin/configure-gradle RUN chmod +x /usr/local/bin/build-gradle && \ chmod +x /usr/local/bin/cache-build && \ chmod +x /usr/local/bin/copy-build-if-cached && \ chmod +x /usr/local/bin/copy-artifacts && \ chmod +x /usr/local/bin/supply-sonar-project-properties-default && \ - chmod +x /usr/local/bin/set-gradle-proxy + chmod +x /usr/local/bin/configure-gradle # Add sonar-project.properties COPY build/package/sonar-project.properties.d/gradle.properties /usr/local/default-sonar-project.properties diff --git a/build/package/scripts/build-gradle.sh b/build/package/scripts/build-gradle.sh index 6f372479..52e2e94b 100755 --- a/build/package/scripts/build-gradle.sh +++ b/build/package/scripts/build-gradle.sh 
@@ -43,8 +43,9 @@ echo "Using NEXUS_URL=$NEXUS_URL" echo "Using GRADLE_OPTS=$GRADLE_OPTS" echo "Using GRADLE_USER_HOME=$GRADLE_USER_HOME" echo "Using ARTIFACTS_DIR=$ARTIFACTS_DIR" +mkdir -p "${GRADLE_USER_HOME}" -set-gradle-proxy +configure-gradle echo cd "${WORKING_DIR}" diff --git a/build/package/scripts/build-npm.sh b/build/package/scripts/build-npm.sh index de17a932..ba3bbf3a 100755 --- a/build/package/scripts/build-npm.sh +++ b/build/package/scripts/build-npm.sh @@ -65,17 +65,17 @@ if [ "${WORKING_DIR}" != "." ]; then ARTIFACT_PREFIX="${WORKING_DIR/\//-}-" fi -echo "Configuring npm to use Nexus ..." -# Remove the protocol segment from NEXUS_URL -NEXUS_HOST=$(echo "${NEXUS_URL}" | sed -E 's/^\s*.*:\/\///g') -if [ -n "${NEXUS_HOST}" ] && [ -n "${NEXUS_USERNAME}" ] && [ -n "${NEXUS_PASSWORD}" ]; then +echo "Configuring npm to use Nexus (${NEXUS_URL}) ..." +if [ -n "${NEXUS_URL}" ] && [ -n "${NEXUS_USERNAME}" ] && [ -n "${NEXUS_PASSWORD}" ]; then NEXUS_AUTH="$(urlencode "${NEXUS_USERNAME}"):$(urlencode "${NEXUS_PASSWORD}")" npm config set registry="$NEXUS_URL"/repository/npmjs/ npm config set always-auth=true npm config set _auth="$(echo -n "$NEXUS_AUTH" | base64)" npm config set email=no-reply@opendevstack.org - npm config set ca=null - npm config set strict-ssl=false + if [ -f /etc/ssl/certs/private-cert.pem ]; then + echo "Configuring private cert ..." + npm config set cafile=/etc/ssl/certs/private-cert.pem + fi fi; echo "package-*.json checks ..." diff --git a/build/package/scripts/build-python.sh b/build/package/scripts/build-python.sh index 1efd8e0a..a06b0efb 100755 --- a/build/package/scripts/build-python.sh +++ b/build/package/scripts/build-python.sh 
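Review bot: In the build-npm.sh hunk, `npm config set cafile=/etc/ssl/certs/private-cert.pem` runs only inside the `if [ -n "${NEXUS_URL}" ] && …` branch, and npm treats `cafile` like `ca`: it is the set of signing authorities trusted for the registry, not an addition to the built-in roots. That is fine while every request goes to Nexus, but it deserves a comment such as `# cafile replaces npm's default CAs; the PEM must contain the CA that issued the Nexus certificate`. Separately, the new echo prints `${NEXUS_URL}` verbatim; if that value can ever carry userinfo (`https://user:pass@host`), it would end up in the task log, so consider logging the host part only. The script continues outside the hunk on both sides.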
@@ -55,7 +55,7 @@ if [ "${WORKING_DIR}" != "." ]; then ARTIFACT_PREFIX="${WORKING_DIR/\//-}-" fi -echo "Configuring pip to use Nexus ..." +echo "Configuring pip to use Nexus (${NEXUS_URL}) ..." # Remove the protocol segment from NEXUS_URL NEXUS_HOST=$(echo "${NEXUS_URL}" | sed -E 's/^\s*.*:\/\///g') if [ -n "${NEXUS_HOST}" ] && [ -n "${NEXUS_USERNAME}" ] && [ -n "${NEXUS_PASSWORD}" ]; then diff --git a/build/package/scripts/set-gradle-proxy.sh b/build/package/scripts/configure-gradle.sh similarity index 53% rename from build/package/scripts/set-gradle-proxy.sh rename to build/package/scripts/configure-gradle.sh index fddae0c8..dc646974 100755 --- a/build/package/scripts/set-gradle-proxy.sh +++ b/build/package/scripts/configure-gradle.sh 
@@ -3,8 +3,31 @@ # This script checks for env variable HTTP_PROXY and adds them to gradle.properties. CONTENT="" -if [[ $HTTP_PROXY != "" ]]; then +if [ -f /etc/ssl/certs/private-cert.pem ]; then + echo "Configuring Gradle to trust private cert ..." + # Copy global keystone to location where we can write to (hide output with warnings). + keytool -importkeystore \ + -srckeystore "${JAVA_HOME}/lib/security/cacerts" -destkeystore "${GRADLE_USER_HOME}/cacerts" \ + -deststorepass changeit -srcstorepass changeit &> keytool-output.txt + # shellcheck disable=SC2181 + if [ $? -ne 0 ]; then + cat keytool-output.txt; exit 1 + fi + # Trust private cert (hide output with warnings). + keytool -importcert -noprompt -trustcacerts \ + -alias private-cert -file /etc/ssl/certs/private-cert.pem \ + -keystore "${GRADLE_USER_HOME}/cacerts" -storepass changeit &> keytool-output.txt + # shellcheck disable=SC2181 + if [ $? -ne 0 ]; then + cat keytool-output.txt; exit 1 + fi + # Configure Gradle to use the modified trust store. + CONTENT+="systemProp.javax.net.ssl.trustStore=${GRADLE_USER_HOME}/cacerts\n" + CONTENT+="systemProp.javax.net.ssl.trustStorePassword=changeit\n" +fi +if [ "${HTTP_PROXY}" != "" ]; then + echo "Configuring Gradle to honor HTTP_PROXY ..." proxy=$(echo "$HTTP_PROXY" | sed -e "s|https://||g" | sed -e "s|http://||g") proxy_hostp=$(echo "$proxy" | cut -d "@" -f2) @@ -32,7 +55,8 @@ if [[ $HTTP_PROXY != "" ]]; then fi fi -if [[ $NO_PROXY != "" ]]; then +if [ "${NO_PROXY}" != "" ]; then + echo "Configuring Gradle to honor NO_PROXY ..." # shellcheck disable=SC2001 noproxy_host=$(echo "$NO_PROXY" | sed -e 's|\,\.|\,\*\.|g') # shellcheck disable=SC2001 @@ -41,6 +65,6 @@ if [[ $NO_PROXY != "" ]]; then CONTENT+="systemProp.https.nonProxyHosts=$noproxy_host\n" fi -if [[ $CONTENT != "" ]]; then +if [ "${CONTENT}" != "" ]; then echo -e "$CONTENT" > "${GRADLE_USER_HOME}/gradle.properties" fi diff --git a/deploy/README.md b/deploy/README.md index 30e9b66c..8b375419 100644 
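Review bot: The first hunk of configure-gradle.sh rebuilds `${GRADLE_USER_HOME}/cacerts` on every run without removing an earlier copy, so if GRADLE_USER_HOME survives between runs (not confirmed from this hunk), the second `keytool -importcert -alias private-cert` fails on the existing alias and the step exits 1. Adding `rm -f "${GRADLE_USER_HOME}/cacerts"` before the `-importkeystore` call makes it repeatable. `keytool -importcert` also reads only the first certificate in a PEM file, while install.sh in this patch fills the secret from `openssl s_client -showcerts`, which can emit a whole chain, so Gradle may end up trusting only the leaf rather than the issuing CA. `keytool-output.txt` is written to the current directory and never removed; a `mktemp` file would keep it out of the workspace. The comment should read "keystore", not "keystone".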
--- a/deploy/README.md +++ b/deploy/README.md @@ -6,18 +6,15 @@ Manifests in `ods-pipeline` are applied once per project by a project administra ## Subcharts -The `tasks`, `images` and `setup` subcharts are maintained in https://github.com/opendevstack/ods-pipeline, and may be used by project admins to control the deployment of ODS pipeline resources in the respective project namespace in OpenShift. +The `tasks` and `setup` subcharts are maintained in https://github.com/opendevstack/ods-pipeline, and may be used by project admins to control the deployment of ODS pipeline resources in the respective project namespace in OpenShift. ### Subcharts Contents The resources are defined using Helm: -* `BuildConfig` and `ImageStream` resources (in the `images` subchart) * `Task` resources (in `tasks` subchart) * `ConfigMap` and `Secret` resources used by ODS tasks (in `setup` subchart) * ODS pipeline manager (`Service`/`Deployment`) (in `setup` subchart) -The resources of the `images` subchart are only applicable for OpenShift clusters. The subcharts may individually be enabled or disabled via the umbrella chart's `values.yaml`. - ### Versioning In a KinD cluster there are no versions. Images use the implicit `latest` tag. That makes testing and local development easy. diff --git a/deploy/install.sh b/deploy/install.sh index 40d4ce2d..e6c94bfe 100755 --- a/deploy/install.sh +++ b/deploy/install.sh @@ -19,6 +19,7 @@ BITBUCKET_AUTH="" BITBUCKET_WEBHOOK_SECRET="" NEXUS_AUTH="" SONAR_AUTH="" +PRIVATE_CERT="" # Check prerequisites. KUBECTL_BIN="" @@ -103,6 +104,9 @@ while [[ "$#" -gt 0 ]]; do --sonar-auth) SONAR_AUTH="$2"; shift;; --sonar-auth=*) SONAR_AUTH="${1#*=}";; + --private-cert) PRIVATE_CERT="$2"; shift;; + --private-cert=*) PRIVATE_CERT="${1#*=}";; + *) echo "Unknown parameter passed: $1"; exit 1;; esac; shift; done 
@@ -173,6 +177,35 @@ installSecret () { fi } +installTLSSecret () { + local secretName="$1" + local privateCert="$2" + local certFile="" + if [ -z "${privateCert}" ]; then + echo "No private cert given, skipping ..." + else + if [ "${privateCert:0:1}" == '/' ] || [ "${privateCert:0:2}" == './' ]; then + if [ ! -f "${privateCert}" ]; then + echo "No cert file exists at ${privateCert}"; exit 1 + fi + certFile="${privateCert}" + else + certFile="private-cert.pem.tmp" + openssl s_client -showcerts -connect "${privateCert}" "${certFile}" + fi + if "${KUBECTL_BIN}" -n "${NAMESPACE}" get "secret/${secretName}" &> /dev/null; then + echo "Re-creating secret ${secretName} ..." + "${KUBECTL_BIN}" -n "${NAMESPACE}" delete secret "${secretName}" + else + echo "Creating secret ${secretName} ..." + fi + "${KUBECTL_BIN}" -n "${NAMESPACE}" create secret generic "${secretName}" \ + --from-file=tls.crt="${certFile}" + rm private-cert.pem.tmp &>/dev/null || true + fi +} + # Manage serviceaccount ... if "${KUBECTL_BIN}" -n "${NAMESPACE}" get serviceaccount/"${SERVICEACCOUNT}" &> /dev/null; then echo "Serviceaccount exists already ..." @@ -233,6 +266,8 @@ else "${SONAR_AUTH}" \ "" \ "Please enter an auth token of a SonarQube user with scan permissions (input will be hidden):" + + installTLSSecret "ods-private-cert" "${PRIVATE_CERT}" fi echo "Installing Helm release ${RELEASE_NAME} ..." diff --git a/deploy/ods-pipeline/Chart.yaml b/deploy/ods-pipeline/Chart.yaml index af375267..e95b68e7 100644 --- a/deploy/ods-pipeline/Chart.yaml +++ b/deploy/ods-pipeline/Chart.yaml @@ -24,9 +24,6 @@ version: 0.8.0 appVersion: "0.8.0" dependencies: - - name: images - version: 0.8.0 - condition: images.enabled - name: setup version: 0.8.0 condition: setup.enabled diff --git a/deploy/ods-pipeline/charts/images/Chart.yaml b/deploy/ods-pipeline/charts/images/Chart.yaml deleted file mode 100644 index 59aa7433..00000000 --- a/deploy/ods-pipeline/charts/images/Chart.yaml +++ /dev/null 
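Review bot: installTLSSecret deletes the existing secret before checking that `${certFile}` holds a usable certificate, so a failed or empty `openssl s_client` fetch leaves the namespace without `ods-private-cert` or with an empty `tls.crt`. Validate first and only then delete and create, e.g. `openssl x509 -in "${certFile}" -noout || { echo "No certificate obtained from ${privateCert}"; exit 1; }`. When a host:port is given, whatever certificate the endpoint presents at install time becomes trusted by every task, so print its fingerprint with `openssl x509 -in "${certFile}" -noout -fingerprint -sha256` so the admin can compare it out of band. A relative path that does not start with `./` (for example `certs/ca.pem`) is silently treated as host:port, which should be documented next to the `--private-cert` flag. The fixed name `private-cert.pem.tmp` in the current directory could also be replaced by a `mktemp` file.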
@@ -1,23 +0,0 @@ -apiVersion: v2 -name: images -description: A Helm chart to setup ODS pipeline images - -# A chart can be either an 'application' or a 'library' chart. -# -# Application charts are a collection of templates that can be packaged into versioned archives -# to be deployed. -# -# Library charts provide useful utilities or functions for the chart developer. They're included as -# a dependency of application charts to inject those utilities and functions into the rendering -# pipeline. Library charts do not define any templates and therefore cannot be deployed. -type: application - -# This is the chart version. This version number should be incremented each time you make changes -# to the chart and its templates, including the app version. -# Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.8.0 - -# This is the version number of the application being deployed. This version number should be -# incremented each time you make changes to the application. Versions are not expected to -# follow Semantic Versioning. They should reflect the version the application is using. -appVersion: "0.8.0" diff --git a/deploy/ods-pipeline/charts/images/docker/Dockerfile.finish b/deploy/ods-pipeline/charts/images/docker/Dockerfile.finish deleted file mode 100644 index 064b53e2..00000000 --- a/deploy/ods-pipeline/charts/images/docker/Dockerfile.finish +++ /dev/null @@ -1,10 +0,0 @@ -ARG imageTag="latest" - -FROM ghcr.io/opendevstack/ods-pipeline/ods-finish:$imageTag - -ARG privateCertServer -USER root -RUN if [ -n "${privateCertServer}" ]; then openssl s_client -showcerts -connect "${privateCertServer}" "/etc/pki/ca-trust/source/anchors/${privateCertServer%:*}.pem" && \ - update-ca-trust; fi -USER 1001 diff --git a/deploy/ods-pipeline/charts/images/docker/Dockerfile.go-toolset b/deploy/ods-pipeline/charts/images/docker/Dockerfile.go-toolset deleted file mode 100644 index edfa0ce2..00000000 
--- a/deploy/ods-pipeline/charts/images/docker/Dockerfile.go-toolset +++ /dev/null @@ -1,10 +0,0 @@ -ARG imageTag="latest" - -FROM ghcr.io/opendevstack/ods-pipeline/ods-go-toolset:$imageTag - -ARG privateCertServer -USER root -RUN if [ -n "${privateCertServer}" ]; then openssl s_client -showcerts -connect "${privateCertServer}" "/etc/pki/ca-trust/source/anchors/${privateCertServer%:*}.pem" && \ - update-ca-trust; fi -USER 1001 diff --git a/deploy/ods-pipeline/charts/images/docker/Dockerfile.gradle-toolset b/deploy/ods-pipeline/charts/images/docker/Dockerfile.gradle-toolset deleted file mode 100644 index 80d83308..00000000 --- a/deploy/ods-pipeline/charts/images/docker/Dockerfile.gradle-toolset +++ /dev/null @@ -1,10 +0,0 @@ -ARG imageTag="latest" - -FROM ghcr.io/opendevstack/ods-pipeline/ods-gradle-toolset:$imageTag - -ARG privateCertServer -USER root -RUN if [ -n "${privateCertServer}" ]; then openssl s_client -showcerts -connect "${privateCertServer}" "/etc/pki/ca-trust/source/anchors/${privateCertServer%:*}.pem" && \ - update-ca-trust; fi -USER 1001 diff --git a/deploy/ods-pipeline/charts/images/docker/Dockerfile.helm b/deploy/ods-pipeline/charts/images/docker/Dockerfile.helm deleted file mode 100644 index 7c9bbc56..00000000 --- a/deploy/ods-pipeline/charts/images/docker/Dockerfile.helm +++ /dev/null @@ -1,10 +0,0 @@ -ARG imageTag="latest" - -FROM ghcr.io/opendevstack/ods-pipeline/ods-helm:$imageTag - -ARG privateCertServer -USER root -RUN if [ -n "${privateCertServer}" ]; then openssl s_client -showcerts -connect "${privateCertServer}" "/etc/pki/ca-trust/source/anchors/${privateCertServer%:*}.pem" && \ - update-ca-trust; fi -USER 1001 diff --git a/deploy/ods-pipeline/charts/images/docker/Dockerfile.node16-npm-toolset b/deploy/ods-pipeline/charts/images/docker/Dockerfile.node16-npm-toolset deleted file mode 100644 index ca28169f..00000000 --- a/deploy/ods-pipeline/charts/images/docker/Dockerfile.node16-npm-toolset +++ /dev/null 
@@ -1,10 +0,0 @@ -ARG imageTag="latest" - -FROM ghcr.io/opendevstack/ods-pipeline/ods-node16-npm-toolset:$imageTag - -ARG privateCertServer -USER root -RUN if [ -n "${privateCertServer}" ]; then openssl s_client -showcerts -connect "${privateCertServer}" "/etc/pki/ca-trust/source/anchors/${privateCertServer%:*}.pem" && \ - update-ca-trust; fi -USER 1001 diff --git a/deploy/ods-pipeline/charts/images/docker/Dockerfile.package-image b/deploy/ods-pipeline/charts/images/docker/Dockerfile.package-image deleted file mode 100644 index f4e3dd8b..00000000 --- a/deploy/ods-pipeline/charts/images/docker/Dockerfile.package-image +++ /dev/null @@ -1,24 +0,0 @@ -ARG imageTag="latest" - -FROM ghcr.io/opendevstack/ods-pipeline/ods-package-image:$imageTag - -ARG aquasecScannerUrl -ARG privateCertServer - -USER root - -# Optionally install Aqua scanner. -RUN if [ -z $aquasecScannerUrl ] ; then echo 'Skipping Aqua scanner installation!' ; else echo 'Installing Aqua scanner... getting binary from' $aquasecScannerUrl \ - && curl -v -L $aquasecScannerUrl -o aquasec \ - && mv aquasec /usr/local/bin/ \ - && chmod +x /usr/local/bin/aquasec \ - && echo 'Aqua scanner version:' \ - && aquasec version \ - && echo 'Aqua scanner installation completed!'; \ - fi - -RUN if [ -n "${privateCertServer}" ]; then openssl s_client -showcerts -connect "${privateCertServer}" "/etc/pki/ca-trust/source/anchors/${privateCertServer%:*}.pem" && \ - update-ca-trust; fi - -USER 1001 diff --git a/deploy/ods-pipeline/charts/images/docker/Dockerfile.pipeline-manager b/deploy/ods-pipeline/charts/images/docker/Dockerfile.pipeline-manager deleted file mode 100644 index 2fbca7fd..00000000 --- a/deploy/ods-pipeline/charts/images/docker/Dockerfile.pipeline-manager +++ /dev/null 
@@ -1,10 +0,0 @@ -ARG imageTag="latest" - -FROM ghcr.io/opendevstack/ods-pipeline/ods-pipeline-manager:$imageTag - -ARG privateCertServer -USER root -RUN if [ -n "${privateCertServer}" ]; then openssl s_client -showcerts -connect "${privateCertServer}" "/etc/pki/ca-trust/source/anchors/${privateCertServer%:*}.pem" && \ - update-ca-trust; fi -USER 1001 diff --git a/deploy/ods-pipeline/charts/images/docker/Dockerfile.python-toolset b/deploy/ods-pipeline/charts/images/docker/Dockerfile.python-toolset deleted file mode 100644 index be3fc1c9..00000000 --- a/deploy/ods-pipeline/charts/images/docker/Dockerfile.python-toolset +++ /dev/null @@ -1,10 +0,0 @@ -ARG imageTag="latest" - -FROM ghcr.io/opendevstack/ods-pipeline/ods-python-toolset:$imageTag - -ARG privateCertServer -USER root -RUN if [ -n "${privateCertServer}" ]; then openssl s_client -showcerts -connect "${privateCertServer}" "/etc/pki/ca-trust/source/anchors/${privateCertServer%:*}.pem" && \ - update-ca-trust; fi -USER 1001 diff --git a/deploy/ods-pipeline/charts/images/docker/Dockerfile.sonar b/deploy/ods-pipeline/charts/images/docker/Dockerfile.sonar deleted file mode 100644 index 9f61a243..00000000 --- a/deploy/ods-pipeline/charts/images/docker/Dockerfile.sonar +++ /dev/null @@ -1,10 +0,0 @@ -ARG imageTag="latest" - -FROM ghcr.io/opendevstack/ods-pipeline/ods-sonar:$imageTag - -ARG privateCertServer -USER root -RUN if [ -n "${privateCertServer}" ]; then openssl s_client -showcerts -connect "${privateCertServer}" "/etc/pki/ca-trust/source/anchors/${privateCertServer%:*}.pem" && \ - update-ca-trust; fi -USER 1001 diff --git a/deploy/ods-pipeline/charts/images/docker/Dockerfile.start b/deploy/ods-pipeline/charts/images/docker/Dockerfile.start deleted file mode 100644 index 1d06d828..00000000 --- a/deploy/ods-pipeline/charts/images/docker/Dockerfile.start +++ /dev/null 
@@ -1,10 +0,0 @@ -ARG imageTag="latest" - -FROM ghcr.io/opendevstack/ods-pipeline/ods-start:$imageTag - -ARG privateCertServer -USER root -RUN if [ -n "${privateCertServer}" ]; then openssl s_client -showcerts -connect "${privateCertServer}" "/etc/pki/ca-trust/source/anchors/${privateCertServer%:*}.pem" && \ - update-ca-trust; fi -USER 1001 diff --git a/deploy/ods-pipeline/charts/images/templates/_helpers.tpl b/deploy/ods-pipeline/charts/images/templates/_helpers.tpl deleted file mode 100644 index 7ba5edc2..00000000 --- a/deploy/ods-pipeline/charts/images/templates/_helpers.tpl +++ /dev/null 
@@ -1,62 +0,0 @@ -{{/* -Expand the name of the chart. -*/}} -{{- define "chart.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "chart.fullname" -}} -{{- if .Values.fullnameOverride }} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- $name := default .Chart.Name .Values.nameOverride }} -{{- if contains $name .Release.Name }} -{{- .Release.Name | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end }} -{{- end }} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "chart.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Common labels -*/}} -{{- define "chart.labels" -}} -helm.sh/chart: {{ include "chart.chart" . }} -{{ include "chart.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} - -{{/* -Selector labels -*/}} -{{- define "chart.selectorLabels" -}} -app.kubernetes.io/name: {{ include "chart.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} - -{{/* -Create the name of the service account to use -*/}} -{{- define "chart.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- default (include "chart.fullname" .) .Values.serviceAccount.name }} -{{- else }} -{{- default "default" .Values.serviceAccount.name }} -{{- end }} -{{- end }} 
diff --git a/deploy/ods-pipeline/charts/images/templates/bc-ods-finish.yaml b/deploy/ods-pipeline/charts/images/templates/bc-ods-finish.yaml deleted file mode 100644 index 3b45b1fa..00000000 --- a/deploy/ods-pipeline/charts/images/templates/bc-ods-finish.yaml +++ /dev/null @@ -1,28 +0,0 @@ -kind: BuildConfig -apiVersion: build.openshift.io/v1 -metadata: - name: ods-finish - labels: - {{- include "chart.labels" . | nindent 4}} -spec: - nodeSelector: null - output: - to: - kind: ImageStreamTag - name: 'ods-finish:{{.Values.global.imageTag | default .Chart.AppVersion}}' - resources: {} - successfulBuildsHistoryLimit: 5 - failedBuildsHistoryLimit: 5 - postCommit: {} - strategy: - type: Docker - dockerStrategy: - buildArgs: - - name: imageTag - value: '{{.Values.global.imageTag | default .Chart.AppVersion}}' - - name: privateCertServer - value: '{{.Values.privateCertServer}}' - source: - dockerfile: |- - {{- .Files.Get "docker/Dockerfile.finish" | nindent 6}} - runPolicy: Serial diff --git a/deploy/ods-pipeline/charts/images/templates/bc-ods-go-toolset.yaml b/deploy/ods-pipeline/charts/images/templates/bc-ods-go-toolset.yaml deleted file mode 100644 index ab0207cb..00000000 --- a/deploy/ods-pipeline/charts/images/templates/bc-ods-go-toolset.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -{{if or .Values.global.enabledTasks.buildGo .Values.goToolset}} -kind: BuildConfig -apiVersion: build.openshift.io/v1 -metadata: - name: ods-go-toolset - labels: - {{- include "chart.labels" . | nindent 4}} -spec: - nodeSelector: null - output: - to: - kind: ImageStreamTag - name: 'ods-go-toolset:{{.Values.global.imageTag | default .Chart.AppVersion}}' - resources: {} - successfulBuildsHistoryLimit: 5 - failedBuildsHistoryLimit: 5 - postCommit: {} - strategy: - type: Docker - dockerStrategy: - buildArgs: - - name: imageTag - value: '{{.Values.global.imageTag | default .Chart.AppVersion}}' - - name: privateCertServer - value: '{{.Values.privateCertServer}}' - source: - dockerfile: |- - {{- .Files.Get "docker/Dockerfile.go-toolset" | nindent 6}} - runPolicy: Serial -{{end}} diff --git a/deploy/ods-pipeline/charts/images/templates/bc-ods-gradle-toolset.yaml b/deploy/ods-pipeline/charts/images/templates/bc-ods-gradle-toolset.yaml deleted file mode 100644 index 5df23721..00000000 --- a/deploy/ods-pipeline/charts/images/templates/bc-ods-gradle-toolset.yaml +++ /dev/null @@ -1,30 +0,0 @@ -{{if or .Values.global.enabledTasks.buildGradle .Values.gradleToolset}} -kind: BuildConfig -apiVersion: build.openshift.io/v1 -metadata: - name: ods-gradle-toolset - labels: - {{- include "chart.labels" . | nindent 4}} -spec: - nodeSelector: null - output: - to: - kind: ImageStreamTag - name: 'ods-gradle-toolset:{{.Values.global.imageTag | default .Chart.AppVersion}}' - resources: {} - successfulBuildsHistoryLimit: 5 - failedBuildsHistoryLimit: 5 - postCommit: {} - strategy: - type: Docker - dockerStrategy: - buildArgs: - - name: imageTag - value: '{{.Values.global.imageTag | default .Chart.AppVersion}}' - - name: privateCertServer - value: '{{.Values.privateCertServer}}' - source: - dockerfile: |- - {{- .Files.Get "docker/Dockerfile.gradle-toolset" | nindent 6}} - runPolicy: Serial -{{end}} 
diff --git a/deploy/ods-pipeline/charts/images/templates/bc-ods-helm.yaml b/deploy/ods-pipeline/charts/images/templates/bc-ods-helm.yaml deleted file mode 100644 index dbccf014..00000000 --- a/deploy/ods-pipeline/charts/images/templates/bc-ods-helm.yaml +++ /dev/null @@ -1,30 +0,0 @@ -{{if or .Values.global.enabledTasks.deployHelm .Values.helm}} -kind: BuildConfig -apiVersion: build.openshift.io/v1 -metadata: - name: ods-helm - labels: - {{- include "chart.labels" . | nindent 4}} -spec: - nodeSelector: null - output: - to: - kind: ImageStreamTag - name: 'ods-helm:{{.Values.global.imageTag | default .Chart.AppVersion}}' - resources: {} - successfulBuildsHistoryLimit: 5 - failedBuildsHistoryLimit: 5 - postCommit: {} - strategy: - type: Docker - dockerStrategy: - buildArgs: - - name: imageTag - value: '{{.Values.global.imageTag | default .Chart.AppVersion}}' - - name: privateCertServer - value: '{{.Values.privateCertServer}}' - source: - dockerfile: |- - {{- .Files.Get "docker/Dockerfile.helm" | nindent 6}} - runPolicy: Serial -{{end}} diff --git a/deploy/ods-pipeline/charts/images/templates/bc-ods-node16-npm-toolset.yaml b/deploy/ods-pipeline/charts/images/templates/bc-ods-node16-npm-toolset.yaml deleted file mode 100644 index 92b9162d..00000000 --- a/deploy/ods-pipeline/charts/images/templates/bc-ods-node16-npm-toolset.yaml +++ /dev/null 
@@ -1,30 +0,0 @@
-{{if or .Values.global.enabledTasks.buildNPM .Values.node16NPMToolset}}
-kind: BuildConfig
-apiVersion: build.openshift.io/v1
-metadata:
- name: ods-node16-npm-toolset
- labels:
- {{- include "chart.labels" . | nindent 4}}
-spec:
- nodeSelector: null
- output:
- to:
- kind: ImageStreamTag
- name: 'ods-node16-npm-toolset:{{.Values.global.imageTag | default .Chart.AppVersion}}'
- resources: {}
- successfulBuildsHistoryLimit: 5
- failedBuildsHistoryLimit: 5
- postCommit: {}
- strategy:
- type: Docker
- dockerStrategy:
- buildArgs:
- - name: imageTag
- value: '{{.Values.global.imageTag | default .Chart.AppVersion}}'
- - name: privateCertServer
- value: '{{.Values.privateCertServer}}'
- source:
- dockerfile: |-
- {{- .Files.Get "docker/Dockerfile.node16-npm-toolset" | nindent 6}}
- runPolicy: Serial
-{{end}}
diff --git a/deploy/ods-pipeline/charts/images/templates/bc-ods-package-image.yaml b/deploy/ods-pipeline/charts/images/templates/bc-ods-package-image.yaml
deleted file mode 100644
index 94716fc7..00000000
--- a/deploy/ods-pipeline/charts/images/templates/bc-ods-package-image.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-{{if or .Values.global.enabledTasks.packageImage .Values.packageImage}}
-kind: BuildConfig
-apiVersion: build.openshift.io/v1
-metadata:
- name: ods-package-image
- labels:
- {{- include "chart.labels" . | nindent 4}}
-spec:
- nodeSelector: null
- output:
- to:
- kind: ImageStreamTag
- name: 'ods-package-image:{{.Values.global.imageTag | default .Chart.AppVersion}}'
- resources: {}
- successfulBuildsHistoryLimit: 5
- failedBuildsHistoryLimit: 5
- postCommit: {}
- strategy:
- type: Docker
- dockerStrategy:
- buildArgs:
- - name: imageTag
- value: '{{.Values.global.imageTag | default .Chart.AppVersion}}'
- - name: privateCertServer
- value: '{{.Values.privateCertServer}}'
- - name: aquasecScannerUrl
- value: '{{.Values.aquasecScannerUrl}}'
- source:
- dockerfile: |-
- {{- .Files.Get "docker/Dockerfile.package-image" | nindent 6}}
- runPolicy: Serial
-{{end}}
diff --git a/deploy/ods-pipeline/charts/images/templates/bc-ods-pipeline-manager.yaml b/deploy/ods-pipeline/charts/images/templates/bc-ods-pipeline-manager.yaml
deleted file mode 100644
index 1736a639..00000000
--- a/deploy/ods-pipeline/charts/images/templates/bc-ods-pipeline-manager.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-kind: BuildConfig
-apiVersion: build.openshift.io/v1
-metadata:
- name: ods-pipeline-manager
- labels:
- {{- include "chart.labels" . | nindent 4}}
-spec:
- nodeSelector: null
- output:
- to:
- kind: ImageStreamTag
- name: 'ods-pipeline-manager:{{.Values.global.imageTag | default .Chart.AppVersion}}'
- resources: {}
- successfulBuildsHistoryLimit: 5
- failedBuildsHistoryLimit: 5
- postCommit: {}
- strategy:
- type: Docker
- dockerStrategy:
- buildArgs:
- - name: imageTag
- value: '{{.Values.global.imageTag | default .Chart.AppVersion}}'
- - name: privateCertServer
- value: '{{.Values.privateCertServer}}'
- source:
- dockerfile: |-
- {{- .Files.Get "docker/Dockerfile.pipeline-manager" | nindent 6}}
- runPolicy: Serial
diff --git a/deploy/ods-pipeline/charts/images/templates/bc-ods-python-toolset.yaml b/deploy/ods-pipeline/charts/images/templates/bc-ods-python-toolset.yaml
deleted file mode 100644
index a281cb04..00000000
--- a/deploy/ods-pipeline/charts/images/templates/bc-ods-python-toolset.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-{{if or .Values.global.enabledTasks.buildPython .Values.pythonToolset }}
-kind: BuildConfig
-apiVersion: build.openshift.io/v1
-metadata:
- name: ods-python-toolset
- labels:
- {{- include "chart.labels" . | nindent 4}}
-spec:
- nodeSelector: null
- output:
- to:
- kind: ImageStreamTag
- name: 'ods-python-toolset:{{.Values.global.imageTag | default .Chart.AppVersion}}'
- resources: {}
- successfulBuildsHistoryLimit: 5
- failedBuildsHistoryLimit: 5
- postCommit: {}
- strategy:
- type: Docker
- dockerStrategy:
- buildArgs:
- - name: imageTag
- value: '{{.Values.global.imageTag | default .Chart.AppVersion}}'
- - name: privateCertServer
- value: '{{.Values.privateCertServer}}'
- source:
- dockerfile: |-
- {{- .Files.Get "docker/Dockerfile.python-toolset" | nindent 6}}
- runPolicy: Serial
-{{end}}
diff --git a/deploy/ods-pipeline/charts/images/templates/bc-ods-sonar.yaml b/deploy/ods-pipeline/charts/images/templates/bc-ods-sonar.yaml
deleted file mode 100644
index c0e9ba65..00000000
--- a/deploy/ods-pipeline/charts/images/templates/bc-ods-sonar.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-kind: BuildConfig
-apiVersion: build.openshift.io/v1
-metadata:
- name: ods-sonar
- labels:
- {{- include "chart.labels" . | nindent 4}}
-spec:
- nodeSelector: null
- output:
- to:
- kind: ImageStreamTag
- name: 'ods-sonar:{{.Values.global.imageTag | default .Chart.AppVersion}}'
- resources: {}
- successfulBuildsHistoryLimit: 5
- failedBuildsHistoryLimit: 5
- postCommit: {}
- strategy:
- type: Docker
- dockerStrategy:
- buildArgs:
- - name: imageTag
- value: '{{.Values.global.imageTag | default .Chart.AppVersion}}'
- - name: privateCertServer
- value: '{{.Values.privateCertServer}}'
- source:
- dockerfile: |-
- {{- .Files.Get "docker/Dockerfile.sonar" | nindent 6}}
- runPolicy: Serial
diff --git a/deploy/ods-pipeline/charts/images/templates/bc-ods-start.yaml b/deploy/ods-pipeline/charts/images/templates/bc-ods-start.yaml
deleted file mode 100644
index 72668b51..00000000
--- a/deploy/ods-pipeline/charts/images/templates/bc-ods-start.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-kind: BuildConfig
-apiVersion: build.openshift.io/v1
-metadata:
- name: ods-start
- labels:
- {{- include "chart.labels" . | nindent 4}}
-spec:
- nodeSelector: null
- output:
- to:
- kind: ImageStreamTag
- name: 'ods-start:{{.Values.global.imageTag | default .Chart.AppVersion}}'
- resources: {}
- successfulBuildsHistoryLimit: 5
- failedBuildsHistoryLimit: 5
- postCommit: {}
- strategy:
- type: Docker
- dockerStrategy:
- buildArgs:
- - name: imageTag
- value: '{{.Values.global.imageTag | default .Chart.AppVersion}}'
- - name: privateCertServer
- value: '{{.Values.privateCertServer}}'
- source:
- dockerfile: |-
- {{- .Files.Get "docker/Dockerfile.start" | nindent 6}}
- runPolicy: Serial
diff --git a/deploy/ods-pipeline/charts/images/templates/is-ods-finish.yaml b/deploy/ods-pipeline/charts/images/templates/is-ods-finish.yaml
deleted file mode 100644
index c42ee665..00000000
--- a/deploy/ods-pipeline/charts/images/templates/is-ods-finish.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: image.openshift.io/v1
-kind: ImageStream
-metadata:
- name: ods-finish
- labels:
- {{- include "chart.labels" . | nindent 4}}
- annotations:
- "helm.sh/resource-policy": keep
diff --git a/deploy/ods-pipeline/charts/images/templates/is-ods-go-toolset.yaml b/deploy/ods-pipeline/charts/images/templates/is-ods-go-toolset.yaml
deleted file mode 100644
index e8a36b04..00000000
--- a/deploy/ods-pipeline/charts/images/templates/is-ods-go-toolset.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-{{if or .Values.global.enabledTasks.buildGo .Values.goToolset}}
-apiVersion: image.openshift.io/v1
-kind: ImageStream
-metadata:
- name: ods-go-toolset
- labels:
- {{- include "chart.labels" . | nindent 4}}
- annotations:
- "helm.sh/resource-policy": keep
-{{end}}
diff --git a/deploy/ods-pipeline/charts/images/templates/is-ods-gradle-toolset.yaml b/deploy/ods-pipeline/charts/images/templates/is-ods-gradle-toolset.yaml
deleted file mode 100644
index 6410ac7d..00000000
--- a/deploy/ods-pipeline/charts/images/templates/is-ods-gradle-toolset.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-{{if or .Values.global.enabledTasks.buildGradle .Values.gradleToolset}}
-apiVersion: image.openshift.io/v1
-kind: ImageStream
-metadata:
- name: ods-gradle-toolset
- labels:
- {{- include "chart.labels" . | nindent 4}}
- annotations:
- "helm.sh/resource-policy": keep
-{{end}}
diff --git a/deploy/ods-pipeline/charts/images/templates/is-ods-helm.yaml b/deploy/ods-pipeline/charts/images/templates/is-ods-helm.yaml
deleted file mode 100644
index 8360dd0e..00000000
--- a/deploy/ods-pipeline/charts/images/templates/is-ods-helm.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-{{if or .Values.global.enabledTasks.deployHelm .Values.helm}}
-apiVersion: image.openshift.io/v1
-kind: ImageStream
-metadata:
- name: ods-helm
- labels:
- {{- include "chart.labels" . | nindent 4}}
- annotations:
- "helm.sh/resource-policy": keep
-{{end}}
diff --git a/deploy/ods-pipeline/charts/images/templates/is-ods-node16-npm-toolset.yaml b/deploy/ods-pipeline/charts/images/templates/is-ods-node16-npm-toolset.yaml
deleted file mode 100644
index 5b0bbaeb..00000000
--- a/deploy/ods-pipeline/charts/images/templates/is-ods-node16-npm-toolset.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-{{if or .Values.global.enabledTasks.buildNPM .Values.node16NPMToolset}}
-apiVersion: image.openshift.io/v1
-kind: ImageStream
-metadata:
- name: ods-node16-npm-toolset
- labels:
- {{- include "chart.labels" . | nindent 4}}
- annotations:
- "helm.sh/resource-policy": keep
-{{end}}
diff --git a/deploy/ods-pipeline/charts/images/templates/is-ods-package-image.yaml b/deploy/ods-pipeline/charts/images/templates/is-ods-package-image.yaml
deleted file mode 100644
index a88e5d8b..00000000
--- a/deploy/ods-pipeline/charts/images/templates/is-ods-package-image.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-{{if or .Values.global.enabledTasks.packageImage .Values.packageImage}}
-apiVersion: image.openshift.io/v1
-kind: ImageStream
-metadata:
- name: ods-package-image
- labels:
- {{- include "chart.labels" . | nindent 4}}
- annotations:
- "helm.sh/resource-policy": keep
-{{end}}
diff --git a/deploy/ods-pipeline/charts/images/templates/is-ods-pipeline-manager.yaml b/deploy/ods-pipeline/charts/images/templates/is-ods-pipeline-manager.yaml
deleted file mode 100644
index e5552010..00000000
--- a/deploy/ods-pipeline/charts/images/templates/is-ods-pipeline-manager.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: image.openshift.io/v1
-kind: ImageStream
-metadata:
- name: ods-pipeline-manager
- labels:
- {{- include "chart.labels" . | nindent 4}}
- annotations:
- "helm.sh/resource-policy": keep
diff --git a/deploy/ods-pipeline/charts/images/templates/is-ods-python-toolset.yaml b/deploy/ods-pipeline/charts/images/templates/is-ods-python-toolset.yaml
deleted file mode 100644
index 3a42d50e..00000000
--- a/deploy/ods-pipeline/charts/images/templates/is-ods-python-toolset.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-{{if or .Values.global.enabledTasks.buildPython .Values.pythonToolset }}
-apiVersion: image.openshift.io/v1
-kind: ImageStream
-metadata:
- name: ods-python-toolset
- labels:
- {{- include "chart.labels" . | nindent 4}}
- annotations:
- "helm.sh/resource-policy": keep
-{{end}}
diff --git a/deploy/ods-pipeline/charts/images/templates/is-ods-sonar.yaml b/deploy/ods-pipeline/charts/images/templates/is-ods-sonar.yaml
deleted file mode 100644
index cff36d38..00000000
--- a/deploy/ods-pipeline/charts/images/templates/is-ods-sonar.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: image.openshift.io/v1
-kind: ImageStream
-metadata:
- name: ods-sonar
- labels:
- {{- include "chart.labels" . | nindent 4}}
- annotations:
- "helm.sh/resource-policy": keep
diff --git a/deploy/ods-pipeline/charts/images/templates/is-ods-start.yaml b/deploy/ods-pipeline/charts/images/templates/is-ods-start.yaml
deleted file mode 100644
index 9d9b0445..00000000
--- a/deploy/ods-pipeline/charts/images/templates/is-ods-start.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: image.openshift.io/v1
-kind: ImageStream
-metadata:
- name: ods-start
- labels:
- {{- include "chart.labels" . | nindent 4}}
- annotations:
- "helm.sh/resource-policy": keep
diff --git a/deploy/ods-pipeline/charts/images/templates/job-start-builds.yaml b/deploy/ods-pipeline/charts/images/templates/job-start-builds.yaml
deleted file mode 100644
index 6a286bdb..00000000
--- a/deploy/ods-pipeline/charts/images/templates/job-start-builds.yaml
+++ /dev/null
@@ -1,20 +0,0 @@ -{{if default true .Values.autoBuild}} -apiVersion: batch/v1 -kind: Job -metadata: - name: ods-start-builds - annotations: - "helm.sh/hook": post-install,post-upgrade - "helm.sh/hook-weight": "1" - "helm.sh/hook-delete-policy": hook-succeeded,hook-failed -spec: - template: - spec: - serviceAccountName: pipeline - restartPolicy: Never - containers: - - name: post-upgrade-job - image: '{{.Values.autoBuildImage | default "quay.io/openshift/origin-cli:4.10"}}' - command: ["/bin/sh","-c"] - args: ["set -e; oc get bc -l=app.kubernetes.io/name=ods-pipeline -o=name | xargs -I % sh -c 'oc start-build %'"] -{{end}} diff --git a/deploy/ods-pipeline/charts/images/values.yaml b/deploy/ods-pipeline/charts/images/values.yaml deleted file mode 100644 index e8d0e03d..00000000 --- a/deploy/ods-pipeline/charts/images/values.yaml +++ /dev/null @@ -1,2 +0,0 @@ -# override name to be consistent with previous, separate chart naming convention(s) -nameOverride: ods-pipeline diff --git a/deploy/ods-pipeline/charts/setup/templates/deployment.yaml b/deploy/ods-pipeline/charts/setup/templates/deployment.yaml index ec1c8747..2f9d4488 100644 --- a/deploy/ods-pipeline/charts/setup/templates/deployment.yaml +++ b/deploy/ods-pipeline/charts/setup/templates/deployment.yaml @@ -17,8 +17,7 @@ spec: containers: - name: pipeline-manager securityContext: {} - image: "{{.Values.pipelineManager.image.registry}}/{{.Values.pipelineManager.image.namespace | default .Release.Namespace}}/{{.Values.pipelineManager.image.repository | default .Chart.Name}}:{{.Values.pipelineManager.image.tag | default .Chart.AppVersion}}" - imagePullPolicy: {{.Values.pipelineManager.image.pullPolicy}} + image: "{{.Values.pipelineManager.imageRepository}}/ods-pipeline-manager:{{.Values.pipelineManager.image.tag | default .Chart.AppVersion}}" ports: - name: http containerPort: 8080 
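Review bot: The new `image:` line in deployment.yaml still reads `.Values.pipelineManager.image.tag`, while the `deploy/ods-pipeline/values.yaml` hunk of this commit deletes the whole `pipelineManager.image` block. Unless another values file still defines `image`, rendering would fail with a nil-pointer error on `.tag` instead of falling back to `.Chart.AppVersion`. A flat key next to `imageRepository` avoids the nested lookup: `image: "{{.Values.pipelineManager.imageRepository}}/ods-pipeline-manager:{{.Values.pipelineManager.imageTag | default .Chart.AppVersion}}"`; any values file that sets `image.tag` (values.kind.yaml appears to) would need the new key. The container spec continues outside this hunk.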
diff --git a/deploy/ods-pipeline/charts/tasks/templates/_sonar-step.tpl b/deploy/ods-pipeline/charts/tasks/templates/_sonar-step.tpl index 5f70d0d7..f36c47ef 100644 --- a/deploy/ods-pipeline/charts/tasks/templates/_sonar-step.tpl +++ b/deploy/ods-pipeline/charts/tasks/templates/_sonar-step.tpl @@ -1,7 +1,7 @@ {{- define "sonar-step"}} - name: scan-with-sonar # Image is built from build/package/Dockerfile.sonar. - image: '{{.Values.registry}}/{{default .Release.Namespace .Values.namespace}}/ods-sonar:{{.Values.global.imageTag | default .Chart.AppVersion}}' + image: '{{.Values.imageRepository}}/ods-sonar:{{.Values.global.imageTag | default .Chart.AppVersion}}' env: - name: HOME value: '/tekton/home' diff --git a/deploy/ods-pipeline/charts/tasks/templates/task-ods-build-go.yaml b/deploy/ods-pipeline/charts/tasks/templates/task-ods-build-go.yaml index 2e055bf7..a09302d5 100644 --- a/deploy/ods-pipeline/charts/tasks/templates/task-ods-build-go.yaml +++ b/deploy/ods-pipeline/charts/tasks/templates/task-ods-build-go.yaml @@ -117,7 +117,7 @@ spec: steps: - name: build-go-binary # Image is built from build/package/Dockerfile.go-toolset. - image: '{{.Values.registry}}/{{default .Release.Namespace .Values.namespace}}/ods-go-toolset:{{.Values.global.imageTag | default .Chart.AppVersion}}' + image: '{{.Values.imageRepository}}/ods-go-toolset:{{.Values.global.imageTag | default .Chart.AppVersion}}' env: - name: HOME value: '/tekton/home' @@ -167,8 +167,18 @@ spec: --output-dir=$(params.output-dir) \ --debug=${DEBUG} fi + volumeMounts: + - mountPath: /etc/ssl/certs/private-cert.pem + name: private-cert + readOnly: true + subPath: tls.crt workingDir: $(workspaces.source.path) {{- include "sonar-step" . | indent 4}} + volumes: + - name: private-cert + secret: + secretName: ods-private-cert + optional: true workspaces: - name: source {{end}} 
diff --git a/deploy/ods-pipeline/charts/tasks/templates/task-ods-build-gradle.yaml b/deploy/ods-pipeline/charts/tasks/templates/task-ods-build-gradle.yaml index 2ed8fe54..4443df1c 100644 --- a/deploy/ods-pipeline/charts/tasks/templates/task-ods-build-gradle.yaml +++ b/deploy/ods-pipeline/charts/tasks/templates/task-ods-build-gradle.yaml @@ -176,7 +176,7 @@ spec: steps: - name: build-gradle-binary # Image is built from build/package/Dockerfile.gradle-toolset. - image: '{{.Values.registry}}/{{default .Release.Namespace .Values.namespace}}/ods-gradle-toolset:{{.Values.global.imageTag | default .Chart.AppVersion}}' + image: '{{.Values.imageRepository}}/ods-gradle-toolset:{{.Values.global.imageTag | default .Chart.AppVersion}}' env: - name: DEBUG valueFrom: @@ -240,8 +240,18 @@ spec: --output-dir=$(params.output-dir) \ --debug=${DEBUG} fi + volumeMounts: + - mountPath: /etc/ssl/certs/private-cert.pem + name: private-cert + readOnly: true + subPath: tls.crt workingDir: $(workspaces.source.path) {{- include "sonar-step" . | indent 4}} + volumes: + - name: private-cert + secret: + secretName: ods-private-cert + optional: true workspaces: - name: source {{end}} diff --git a/deploy/ods-pipeline/charts/tasks/templates/task-ods-build-npm.yaml b/deploy/ods-pipeline/charts/tasks/templates/task-ods-build-npm.yaml index a04ba49f..3543020d 100644 --- a/deploy/ods-pipeline/charts/tasks/templates/task-ods-build-npm.yaml +++ b/deploy/ods-pipeline/charts/tasks/templates/task-ods-build-npm.yaml @@ -134,7 +134,7 @@ spec: steps: - name: build-npm # Image is built from build/package/Dockerfile.node-npm-toolset. - image: '{{.Values.registry}}/{{default .Release.Namespace .Values.namespace}}/ods-node$(params.node-version)-npm-toolset:{{.Values.global.imageTag | default .Chart.AppVersion}}' + image: '{{.Values.imageRepository}}/ods-node$(params.node-version)-npm-toolset:{{.Values.global.imageTag | default .Chart.AppVersion}}' env: - name: HOME value: '/tekton/home' 
@@ -197,8 +197,18 @@ spec: --output-dir=$(params.output-dir) \ --debug=${DEBUG} fi + volumeMounts: + - mountPath: /etc/ssl/certs/private-cert.pem + name: private-cert + readOnly: true + subPath: tls.crt workingDir: $(workspaces.source.path) {{- include "sonar-step" . | indent 4}} + volumes: + - name: private-cert + secret: + secretName: ods-private-cert + optional: true workspaces: - name: source {{end}} diff --git a/deploy/ods-pipeline/charts/tasks/templates/task-ods-build-python.yaml b/deploy/ods-pipeline/charts/tasks/templates/task-ods-build-python.yaml index 2fff994f..1f389c9c 100644 --- a/deploy/ods-pipeline/charts/tasks/templates/task-ods-build-python.yaml +++ b/deploy/ods-pipeline/charts/tasks/templates/task-ods-build-python.yaml @@ -96,7 +96,7 @@ spec: steps: - name: build-python # Image is built from build/package/Dockerfile.python-toolset. - image: '{{.Values.registry}}/{{default .Release.Namespace .Values.namespace}}/ods-python-toolset:{{.Values.global.imageTag | default .Chart.AppVersion}}' + image: '{{.Values.imageRepository}}/ods-python-toolset:{{.Values.global.imageTag | default .Chart.AppVersion}}' env: - name: HOME value: '/tekton/home' @@ -159,8 +159,18 @@ spec: --output-dir=$(params.output-dir) \ --debug=${DEBUG} fi + volumeMounts: + - mountPath: /etc/ssl/certs/private-cert.pem + name: private-cert + readOnly: true + subPath: tls.crt workingDir: $(workspaces.source.path) {{- include "sonar-step" . | indent 4}} + volumes: + - name: private-cert + secret: + secretName: ods-private-cert + optional: true workspaces: - name: source {{end}} diff --git a/deploy/ods-pipeline/charts/tasks/templates/task-ods-deploy-helm.yaml b/deploy/ods-pipeline/charts/tasks/templates/task-ods-deploy-helm.yaml index 42207d4a..36901184 100644 --- a/deploy/ods-pipeline/charts/tasks/templates/task-ods-deploy-helm.yaml +++ b/deploy/ods-pipeline/charts/tasks/templates/task-ods-deploy-helm.yaml 
@@ -101,7 +101,7 @@ spec: steps: - name: helm-upgrade-from-repo # Image is built from build/package/Dockerfile.helm. - image: '{{.Values.registry}}/{{default .Release.Namespace .Values.namespace}}/ods-helm:{{.Values.global.imageTag | default .Chart.AppVersion}}' + image: '{{.Values.imageRepository}}/ods-helm:{{.Values.global.imageTag | default .Chart.AppVersion}}' env: - name: DEBUG valueFrom: @@ -119,7 +119,17 @@ spec: -diff-flags="$(params.diff-flags)" \ -upgrade-flags="$(params.upgrade-flags)" \ -age-key-secret=$(params.age-key-secret) + volumeMounts: + - mountPath: /etc/ssl/certs/private-cert.pem + name: private-cert + readOnly: true + subPath: tls.crt workingDir: $(workspaces.source.path) + volumes: + - name: private-cert + secret: + secretName: ods-private-cert + optional: true workspaces: - name: source {{end}} diff --git a/deploy/ods-pipeline/charts/tasks/templates/task-ods-finish.yaml b/deploy/ods-pipeline/charts/tasks/templates/task-ods-finish.yaml index 7a93d691..af60ab55 100644 --- a/deploy/ods-pipeline/charts/tasks/templates/task-ods-finish.yaml +++ b/deploy/ods-pipeline/charts/tasks/templates/task-ods-finish.yaml @@ -34,7 +34,7 @@ spec: steps: - name: ods-finish # Image is built from build/package/Dockerfile.finish. - image: '{{.Values.registry}}/{{default .Release.Namespace .Values.namespace}}/ods-finish:{{.Values.global.imageTag | default .Chart.AppVersion}}' + image: '{{.Values.imageRepository}}/ods-finish:{{.Values.global.imageTag | default .Chart.AppVersion}}' env: - name: HOME value: '/tekton/home' 
@@ -84,14 +84,23 @@ spec: key: debug name: ods-pipeline resources: {} - workingDir: $(workspaces.source.path) script: | # ods-finish is built from cmd/finish/main.go. ods-finish \ -pipeline-run-name=$(params.pipeline-run-name) \ -aggregate-tasks-status=$(params.aggregate-tasks-status) - + volumeMounts: + - mountPath: /etc/ssl/certs/private-cert.pem + name: private-cert + readOnly: true + subPath: tls.crt + workingDir: $(workspaces.source.path) + volumes: + - name: private-cert + secret: + secretName: ods-private-cert + optional: true workspaces: - description: The git repo will be present onto the volume backing this workspace name: source diff --git a/deploy/ods-pipeline/charts/tasks/templates/task-ods-package-image.yaml b/deploy/ods-pipeline/charts/tasks/templates/task-ods-package-image.yaml index 02737b82..eeca6c92 100644 --- a/deploy/ods-pipeline/charts/tasks/templates/task-ods-package-image.yaml +++ b/deploy/ods-pipeline/charts/tasks/templates/task-ods-package-image.yaml @@ -48,7 +48,7 @@ spec: - name: registry description: Image registry to push image to. type: string - default: '{{default .Values.registry .Values.pushRegistry}}' + default: '{{default .Values.pushRegistry}}' - name: image-stream description: Reference of the image stream buildah will produce. If not set, the value of `.ods/component` is used. type: string @@ -91,7 +91,7 @@ spec: steps: - name: build-and-push-image # Image is built from build/package/Dockerfile.package-image. - image: '{{.Values.registry}}/{{default .Release.Namespace .Values.namespace}}/ods-package-image:{{.Values.global.imageTag | default .Chart.AppVersion}}' + image: '{{.Values.imageRepository}}/ods-package-image:{{.Values.global.imageTag | default .Chart.AppVersion}}' env: - name: HOME value: '/tekton/home' 
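Review bot: In the `registry` param of task-ods-package-image.yaml, `{{default .Values.pushRegistry}}` calls `default` with a single argument, so no fallback is left: it renders whatever `pushRegistry` holds, and an unset value presumably gives the param an empty default. Since the fallback to `.Values.registry` is removed on purpose, make the requirement explicit with `default: '{{required "pushRegistry must be set" .Values.pushRegistry}}'`, or write plain `'{{.Values.pushRegistry}}'` if an empty default is acceptable. A misrendered push target is worth failing on at install time rather than at the first image push.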
@@ -172,10 +172,18 @@ spec: volumeMounts: - mountPath: /var/lib/containers name: varlibcontainers + - mountPath: /etc/ssl/certs/private-cert.pem + name: private-cert + readOnly: true + subPath: tls.crt workingDir: $(workspaces.source.path) volumes: - emptyDir: {} name: varlibcontainers + - name: private-cert + secret: + secretName: ods-private-cert + optional: true workspaces: - name: source {{end}} diff --git a/deploy/ods-pipeline/charts/tasks/templates/task-ods-start.yaml b/deploy/ods-pipeline/charts/tasks/templates/task-ods-start.yaml index caed39de..d9818629 100644 --- a/deploy/ods-pipeline/charts/tasks/templates/task-ods-start.yaml +++ b/deploy/ods-pipeline/charts/tasks/templates/task-ods-start.yaml @@ -124,7 +124,7 @@ spec: steps: - name: ods-start # Image is built from build/package/Dockerfile.start. - image: '{{.Values.registry}}/{{default .Release.Namespace .Values.namespace}}/ods-start:{{.Values.global.imageTag | default .Chart.AppVersion}}' + image: '{{.Values.imageRepository}}/ods-start:{{.Values.global.imageTag | default .Chart.AppVersion}}' env: - name: HOME value: '/tekton/home' @@ -174,7 +174,6 @@ spec: key: debug name: ods-pipeline resources: {} - workingDir: $(workspaces.source.path) script: | # ods-start is built from cmd/start/main.go. @@ -198,7 +197,12 @@ spec: cp .ods/git-commit-sha $(results.commit.path) echo -n "$(params.url)" > $(results.url.path) - + workingDir: $(workspaces.source.path) + volumes: + - name: private-cert + secret: + secretName: ods-private-cert + optional: true workspaces: - description: The git repo will be cloned onto the volume backing this workspace name: source diff --git a/deploy/ods-pipeline/charts/tasks/values.docs.yaml b/deploy/ods-pipeline/charts/tasks/values.docs.yaml index 585202c0..1640798d 100644 --- a/deploy/ods-pipeline/charts/tasks/values.docs.yaml +++ b/deploy/ods-pipeline/charts/tasks/values.docs.yaml 
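Review bot: The `ods-start` step gets the `private-cert` volume in the last hunk of task-ods-start.yaml but no `volumeMounts` entry in any visible hunk, so the secret is declared and never reaches the container; every other task touched by this commit adds the mount right before `workingDir`. The workspace description says this task clones the git repo, so a Bitbucket served with the private CA would presumably not be trusted here. Add the same mount block as below. `_sonar-step.tpl` also changes only its image line, so it is worth confirming whether `scan-with-sonar` needs the mount too. Most of the step body lies outside the hunk.

```yaml
      # … unchanged: env, resources and script of the ods-start step …
      volumeMounts:
        - mountPath: /etc/ssl/certs/private-cert.pem
          name: private-cert
          readOnly: true
          subPath: tls.crt
      workingDir: $(workspaces.source.path)
```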
@@ -9,7 +9,3 @@ global: buildNPM: true packageImage: true deployHelm: true - -registry: image-registry.openshift-image-registry.svc:5000 -namespace: ods -pushRegistry: image-registry.openshift-image-registry.svc:5000 diff --git a/deploy/ods-pipeline/charts/tasks/values.yaml b/deploy/ods-pipeline/charts/tasks/values.yaml index e8d0e03d..47b0c55b 100644 --- a/deploy/ods-pipeline/charts/tasks/values.yaml +++ b/deploy/ods-pipeline/charts/tasks/values.yaml @@ -1,2 +1,5 @@ # override name to be consistent with previous, separate chart naming convention(s) nameOverride: ods-pipeline + +imageRepository: ghcr.io/opendevstack/ods-pipeline +pushRegistry: image-registry.openshift-image-registry.svc:5000 diff --git a/deploy/ods-pipeline/values.kind.yaml b/deploy/ods-pipeline/values.kind.yaml index 3338ab51..e214118c 100644 --- a/deploy/ods-pipeline/values.kind.yaml +++ b/deploy/ods-pipeline/values.kind.yaml @@ -16,12 +16,9 @@ setup: tag: "latest" tasks: - # To test with the latest public ods-pipeline images, set global.imageTag to 'latest' and use: - # registry: ghcr.io - # namespace: opendevstack/ods-pipeline - registry: localhost:5000 - namespace: ods - pushRegistry: kind-registry.kind:5000 + # Image repository to pull task images from. + # To test with the latest public ods-pipeline images, set + # global.imageTag to 'latest' and use: 'ghcr.io/opendevstack/ods-pipeline'. + imageRepository: localhost:5000/ods -images: - enabled: false + pushRegistry: kind-registry.kind:5000 diff --git a/deploy/ods-pipeline/values.yaml b/deploy/ods-pipeline/values.yaml index 71e443db..e77a476c 100644 --- a/deploy/ods-pipeline/values.yaml +++ b/deploy/ods-pipeline/values.yaml 
@@ -20,22 +20,6 @@ global: deployHelm: true -# ####################################### # -# IMAGES CHART CONFIG # -# ####################################### # -images: - # enable chart containing Openshift image streams and build configs - enabled: true - # When using a local/private CA, specify the server (incl. port!) to pull the root CA cert from. - # privateCertServer: 'example.com:443' - # if needed, enable images even though related tasks are disabled, e.g. - # pythonToolset: true - # autoBuild controls whether builds for all BuildConfig resources are started - # automatically after a successful Helm upgrade. autoBuild is enabled by default. - # autoBuild: true - # autoBuildImage allows to override the image used for starting builds. - # autoBuildImage: 'quay.io/openshift/origin-cli:4.9' - # ####################################### # # SETUP CHART CONFIG # @@ -164,21 +148,8 @@ setup: storageSize: '5Gi' # Number of replicas to run for the pipeline manager. replicaCount: 1 - image: - # Image registry from which to pull the pipeline manager container image. - registry: 'image-registry.openshift-image-registry.svc:5000' - # Namespace from which to pull the pipeline manager container image. - # If not given, the image is pulled from the release namespace. - # namespace: 'ods' - # Repository (ImageStream) from which to pull the pipeline manager - # container image. - # If not given, the image name equals the chart name. - repository: 'ods-pipeline-manager' - # Pull policy. - pullPolicy: 'Always' - # Image tag to pull. - # If not given, defaults to the chart appVersion. - # tag: 'latest' + # Repository from which to pull the pipeline manager container image. + imageRepository: ghcr.io/opendevstack/ods-pipeline # Deployment pod resources. Typically these settings should not need to change. resources: limits: 
@@ -197,21 +168,14 @@ tasks: # enable task definition chart enabled: true - # Registry to pull task images from. - registry: image-registry.openshift-image-registry.svc:5000 - - # ImageStream to pull task images from. - # If images are not located within OpenShift image streams, this maps to - # the organisation under which the images are hosted. - # If not set, defaults to the Helm release namespace. - # namespace: ods + # Image repository to pull task images from. + imageRepository: ghcr.io/opendevstack/ods-pipeline # Custom task prefix (defaults to "ods") # taskPrefix: "foo" # Registry to push images to from ods-package-image task. - # If not set, defaults to the value of "registry". - # pushRegistry: image-registry.openshift-image-registry.svc:5000 + pushRegistry: image-registry.openshift-image-registry.svc:5000 # To define build task specific sidecars and quotas, add resources/sidecar section(s) per task, # e.g. diff --git a/deploy/values.yaml.tmpl b/deploy/values.yaml.tmpl index 1340ec55..bbc1e4b6 100644 --- a/deploy/values.yaml.tmpl +++ b/deploy/values.yaml.tmpl @@ -51,10 +51,3 @@ setup: storageProvisioner: 'kubernetes.io/aws-ebs' # Storage class. On AWS backed clusters, use 'gp2'. storageClassName: 'gp2' - -images: - # URL from which to download aqua-scanner binary. The URL may need to contain basic authentication. - # Make sure that username/password are URL-encoded and that the version matches - # your Aqua server version. - # If you do not want to use Aqua, leave this empty. - aquasecScannerUrl: '' diff --git a/docs/creating-an-ods-task.adoc b/docs/creating-an-ods-task.adoc index e0e9a5e6..ab60b68f 100644 --- a/docs/creating-an-ods-task.adoc +++ b/docs/creating-an-ods-task.adoc 
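Review bot: The comment on the new `imageRepository: ghcr.io/opendevstack/ods-pipeline` default under `tasks:` does not say that task images now come from a public registry by tag (`global.imageTag`, else the chart appVersion, per the task templates) instead of from in-cluster image streams. Clusters that restrict image sources or mirror images need to know this is the value to override, and the same applies to `setup.pipelineManager.imageRepository`. I would extend the comment to something like `# Image repository to pull task images from. Images are referenced by tag; point this at an internal mirror to control which images run.`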
@@ -10,8 +10,6 @@ To create a technology-specific Task (e.g. python), the following files should b - [ ] build/package/Dockerfile.python-toolset - The Dockerfile with the dependencies and runtime. - [ ] build/package/scripts/build-python.sh - Bash script to carry out the build, linting, testing operations. -- [ ] deploy/ods-pipeline/charts/images/templates/bc-ods-build-python.yaml - BuildConfig to generate the ods-build-python image. -- [ ] deploy/ods-pipeline/charts/images/templates/is-ods-build-python.yaml - Create ImageStream resource in OpenShift. - [ ] deploy/ods-pipeline/charts/tasks/templates/task-ods-build-python.yaml - The Tekton Task. - [ ] docs/tasks/task-ods-build-python.adoc - To describe the task and its parameters. - [ ] test/tasks/ods-build-python_test.go - A test file to test the behavior of the Tekton Task. diff --git a/docs/installation.adoc b/docs/installation.adoc index 44e79ff1..7df3a8ce 100644 --- a/docs/installation.adoc +++ b/docs/installation.adoc @@ -5,7 +5,7 @@ This guide will show how to install ODS Pipeline in an existing ODS project. It An ODS Pipeline installation consists of the following resources: -* `BuildConfig`, `ImageStream` and `Task` resources +* `Task` resources * `ConfigMap` and `Secret` resources, e.g. holding credentials of centrally installed tools such as Nexus and SonarQube * A pipeline manager, which is creating pipeline runs in response to Bitbucket webhook requests 
@@ -78,9 +78,7 @@ After you ran the install script, continue with the < "${HELM_GENERATED_VALUES_FILE}" +fi +if [ -f "${ODS_KIND_CREDENTIALS_DIR}/bitbucket-${URL_SUFFIX}" ]; then + BITBUCKET_URL=$(cat "${ODS_KIND_CREDENTIALS_DIR}/bitbucket-${URL_SUFFIX}") + echo " bitbucketUrl: '${BITBUCKET_URL}'" >> "${HELM_GENERATED_VALUES_FILE}" +fi +if [ -f "${ODS_KIND_CREDENTIALS_DIR}/nexus-${URL_SUFFIX}" ]; then + NEXUS_URL=$(cat "${ODS_KIND_CREDENTIALS_DIR}/nexus-${URL_SUFFIX}") + echo " nexusUrl: '${NEXUS_URL}'" >> "${HELM_GENERATED_VALUES_FILE}" +fi +if [ -f "${ODS_KIND_CREDENTIALS_DIR}/sonar-${URL_SUFFIX}" ]; then + SONAR_URL=$(cat "${ODS_KIND_CREDENTIALS_DIR}/sonar-${URL_SUFFIX}") + echo " sonarUrl: '${SONAR_URL}'" >> "${HELM_GENERATED_VALUES_FILE}" +fi + "${ODS_PIPELINE_DIR}"/deploy/install.sh \ --aqua-auth "unavailable:unavailable" \ --aqua-scanner-url "none" \ --bitbucket-auth "${BITBUCKET_AUTH}" \ --nexus-auth "${NEXUS_AUTH}" \ --sonar-auth "${SONAR_AUTH}" \ - -f ./ods-pipeline/values.kind.yaml,./ods-pipeline/values.generated.yaml "$@" + -f "./ods-pipeline/values.kind.yaml,${HELM_GENERATED_VALUES_FILE}" "$@" diff --git a/scripts/nexus/Dockerfile b/scripts/nexus/Dockerfile deleted file mode 100644 index 6aa95940..00000000 --- a/scripts/nexus/Dockerfile +++ /dev/null @@ -1,6 +0,0 @@ -FROM sonatype/nexus3:3.30.1 - -USER root -RUN echo "storage.diskCache.diskFreeSpaceLimit=2048" >> /opt/sonatype/nexus/etc/karaf/system.properties && \ - echo "nexus.scripts.allowCreation=true" >> /opt/sonatype/nexus/etc/nexus-default.properties -USER nexus diff --git a/scripts/nexus/Dockerfile.amd64 b/scripts/nexus/Dockerfile.amd64 new file mode 100644 index 00000000..f0cd411b --- /dev/null +++ b/scripts/nexus/Dockerfile.amd64 
@@ -0,0 +1,17 @@
+FROM sonatype/nexus3:3.30.1
+
+USER root
+
+COPY cert.p12 cert.p12
+RUN mkdir -p nexus-ssl && keytool -importkeystore \
+ -srckeystore cert.p12 -srcstoretype pkcs12 -srcstorepass password \
+ -destkeystore /nexus-ssl/keystore.jks -deststoretype JKS -deststorepass password
+
+RUN echo "storage.diskCache.diskFreeSpaceLimit=2048" >> /opt/sonatype/nexus/etc/karaf/system.properties && \
+ echo "nexus.scripts.allowCreation=true" >> /opt/sonatype/nexus/etc/nexus-default.properties && \
+ echo "application-port-ssl=8443" >> /opt/sonatype/nexus/etc/nexus-default.properties && \
+ echo 'application-port-ssl=8443' >> /opt/sonatype/nexus/etc/nexus-default.properties && \
+ echo 'nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-http.xml,${jetty.etc}/jetty-https.xml,${jetty.etc}/jetty-requestlog.xml' >> /opt/sonatype/nexus/etc/nexus-default.properties && \
+ echo 'ssl.etc=/nexus-ssl' >> /opt/sonatype/nexus/etc/nexus-default.properties
+
+USER nexus
diff --git a/scripts/nexus/Dockerfile.arm64 b/scripts/nexus/Dockerfile.arm64
index 81d9d703..ecebf221 100644
--- a/scripts/nexus/Dockerfile.arm64
+++ b/scripts/nexus/Dockerfile.arm64
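Review bot: `COPY cert.p12 cert.p12` does not match the build context this commit uses: run-nexus.sh builds with `test/testdata/private-cert` as context, and the files added there are `tls.crt`, `tls.key` and `tls.p12` (Dockerfile.arm64 copies `tls.p12`), so unless a `cert.p12` exists outside this diff the amd64 build fails at the COPY. I would use `COPY tls.p12 tls.p12` and `-srckeystore tls.p12` here. Two smaller points also apply to the Dockerfile.arm64 hunk: `mkdir -p nexus-ssl` is relative while keytool writes to `/nexus-ssl/keystore.jks`, so `mkdir -p /nexus-ssl` is safer if the base image's working directory is not `/`, and the `application-port-ssl=8443` line is appended twice. The keystore password `password` is baked into the image, which is tolerable only because the key material is the committed test certificate; a comment such as `# test-only keystore: key and password are public in test/testdata/private-cert` would keep this pattern from being copied into a real deployment.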
@@ -1,6 +1,17 @@ FROM klo2k/nexus3:3.30.1-01 USER root + +COPY tls.p12 tls.p12 +RUN mkdir -p nexus-ssl && keytool -importkeystore \ + -srckeystore tls.p12 -srcstoretype pkcs12 -srcstorepass password \ + -destkeystore /nexus-ssl/keystore.jks -deststoretype JKS -deststorepass password + RUN echo "storage.diskCache.diskFreeSpaceLimit=2048" >> /opt/sonatype/nexus/etc/karaf/system.properties && \ - echo "nexus.scripts.allowCreation=true" >> /opt/sonatype/nexus/etc/nexus-default.properties + echo "nexus.scripts.allowCreation=true" >> /opt/sonatype/nexus/etc/nexus-default.properties && \ + echo "application-port-ssl=8443" >> /opt/sonatype/nexus/etc/nexus-default.properties && \ + echo 'application-port-ssl=8443' >> /opt/sonatype/nexus/etc/nexus-default.properties && \ + echo 'nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-http.xml,${jetty.etc}/jetty-https.xml,${jetty.etc}/jetty-requestlog.xml' >> /opt/sonatype/nexus/etc/nexus-default.properties && \ + echo 'ssl.etc=/nexus-ssl' >> /opt/sonatype/nexus/etc/nexus-default.properties + USER nexus diff --git a/scripts/run-nexus.sh b/scripts/run-nexus.sh index 4bba58e1..34cb821b 100755 --- a/scripts/run-nexus.sh +++ b/scripts/run-nexus.sh @@ -5,7 +5,8 @@ SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" ODS_PIPELINE_DIR=${SCRIPT_DIR%/*} INSECURE="" -HOST_PORT="8081" +HOST_HTTP_PORT="8081" +HOST_HTTPS_PORT="8443" ADMIN_USER="admin" ADMIN_PASSWORD="" DEVELOPER_USERNAME="developer" @@ -14,8 +15,8 @@ NEXUS_URL= IMAGE_NAME="ods-test-nexus" CONTAINER_NAME="ods-test-nexus" NEXUS_IMAGE_TAG="3.30.1" -HELM_VALUES_FILE="${ODS_PIPELINE_DIR}/deploy/ods-pipeline/values.generated.yaml" ODS_KIND_CREDENTIALS_DIR="${ODS_PIPELINE_DIR}/deploy/.kind-credentials" +DOCKER_CONTEXT_DIR="${ODS_PIPELINE_DIR}/test/testdata/private-cert" while [[ "$#" -gt 0 ]]; do case $1 in 
@@ -30,20 +31,16 @@ esac; shift; done echo "Run container using image tag ${NEXUS_IMAGE_TAG}" docker rm -f ${CONTAINER_NAME} || true cd "${SCRIPT_DIR}"/nexus -if [ "$(uname -m)" == "arm64" ]; then - docker build -t ${IMAGE_NAME} -f Dockerfile.arm64 . -else - docker build -t ${IMAGE_NAME} . -fi +docker build -t ${IMAGE_NAME} -f "Dockerfile.$(uname -m)" "${DOCKER_CONTEXT_DIR}" cd - &> /dev/null -docker run -d -p "${HOST_PORT}:8081" --net kind --name ${CONTAINER_NAME} ${IMAGE_NAME} +docker run -d -p "${HOST_HTTP_PORT}:8081" -p "${HOST_HTTPS_PORT}:8443" --net kind --name ${CONTAINER_NAME} ${IMAGE_NAME} if ! "${SCRIPT_DIR}/waitfor-nexus.sh" ; then docker logs ${CONTAINER_NAME} exit 1 -fi +fi -NEXUS_URL="http://localhost:${HOST_PORT}" +NEXUS_URL="http://localhost:${HOST_HTTP_PORT}" function runJsonScript { local jsonScriptName=$1 @@ -89,9 +86,7 @@ runJsonScript "createUser" "-d @${SCRIPT_DIR}/nexus/developer-user-with-password rm "${SCRIPT_DIR}"/nexus/developer-user-with-password.json # Write values / secrets so that it can be picked up by install.sh later. -if [ ! -e "${HELM_VALUES_FILE}" ]; then - echo "setup:" > "${HELM_VALUES_FILE}" -fi -echo " nexusUrl: 'http://${CONTAINER_NAME}.kind:8081'" >> "${HELM_VALUES_FILE}" mkdir -p "${ODS_KIND_CREDENTIALS_DIR}" +echo -n "https://${CONTAINER_NAME}.kind:${HOST_HTTPS_PORT}" > "${ODS_KIND_CREDENTIALS_DIR}/nexus-https" +echo -n "http://${CONTAINER_NAME}.kind:${HOST_HTTP_PORT}" > "${ODS_KIND_CREDENTIALS_DIR}/nexus-http" echo -n "${DEVELOPER_USERNAME}:${DEVELOPER_PASSWORD}" > "${ODS_KIND_CREDENTIALS_DIR}/nexus-auth" diff --git a/test/tasks/common_test.go b/test/tasks/common_test.go index 4897a78d..927866d4 100644 --- a/test/tasks/common_test.go +++ b/test/tasks/common_test.go 
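Review bot: `-f "Dockerfile.$(uname -m)"` only resolves to an existing file when `uname -m` prints exactly `amd64` or `arm64`; Linux x86-64 hosts normally print `x86_64` and Linux ARM hosts `aarch64`, so the build would look for `Dockerfile.x86_64` or `Dockerfile.aarch64` and fail. The removed code fell back to the default Dockerfile for everything that was not `arm64`, so this is a regression for the common CI case. I would map the machine name to the two Dockerfiles explicitly and keep amd64 as the fallback, as in the lines below.
```shell
case "$(uname -m)" in
  arm64|aarch64) NEXUS_DOCKERFILE="Dockerfile.arm64" ;;
  *) NEXUS_DOCKERFILE="Dockerfile.amd64" ;;
esac
docker build -t ${IMAGE_NAME} -f "${NEXUS_DOCKERFILE}" "${DOCKER_CONTEXT_DIR}"
# … unchanged: cd back, docker run, waitfor-nexus.sh …
```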
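Review bot: The URLs written to `nexus-https` and `nexus-http` address the container by its kind-network name (`${CONTAINER_NAME}.kind`) but use the host-side port variables, whereas inside that network the container listens on the fixed ports 8443 and 8081 from the `-p` mappings. With the defaults the values coincide, but if the host ports are ever overridden (the option parsing is outside this hunk) the tasks receive a URL that points at a port nothing listens on. I would write `echo -n "https://${CONTAINER_NAME}.kind:8443"` and `echo -n "http://${CONTAINER_NAME}.kind:8081"`, matching the previously hard-coded `:8081`.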
@@ -25,6 +25,7 @@ import ( var alwaysKeepTmpWorkspacesFlag = flag.Bool("always-keep-tmp-workspaces", false, "Whether to keep temporary workspaces from taskruns even when test is successful") var outsideKindFlag = flag.Bool("outside-kind", false, "Whether to continue if not in KinD cluster") var skipSonarQubeFlag = flag.Bool("skip-sonar", false, "Whether to skip SonarQube steps") +var privateCertFlag = flag.Bool("private-cert", false, "Whether to run tests using a private cert") const ( taskKindRef = "Task" @@ -162,6 +163,7 @@ func runTaskTestCases(t *testing.T, taskName string, requiredServices []tasktest SourceDir: tasktesting.StorageSourceDir, StorageCapacity: tasktesting.StorageCapacity, StorageClassName: tasktesting.StorageClassName, + PrivateCert: *privateCertFlag, }, ) diff --git a/test/tasks/ods-build-gradle_test.go b/test/tasks/ods-build-gradle_test.go index 19c7c649..1e668a06 100644 --- a/test/tasks/ods-build-gradle_test.go +++ b/test/tasks/ods-build-gradle_test.go @@ -48,7 +48,7 @@ func TestTaskODSBuildGradle(t *testing.T) { logContains(ctxt.CollectedLogs, t, "--gradle-options=--no-daemon --stacktrace", "No sonar-project.properties present, using default:", - "Using NEXUS_URL=http://ods-test-nexus.kind:8081", + "ods-test-nexus.kind", "Gradle 7.4.2", "Using GRADLE_OPTS=-Dorg.gradle.jvmargs=-Xmx512M", "Using GRADLE_USER_HOME=/workspace/source/.ods-cache/deps/gradle", @@ -89,7 +89,7 @@ func TestTaskODSBuildGradle(t *testing.T) { logContains(ctxt.CollectedLogs, t, "--gradle-options=--no-daemon --stacktrace", "No sonar-project.properties present, using default:", - "Using NEXUS_URL=http://ods-test-nexus.kind:8081", + "ods-test-nexus.kind", "Gradle 7.4.2", "Using GRADLE_OPTS=-Dorg.gradle.jvmargs=-Xmx512M", "Using GRADLE_USER_HOME=/workspace/source/.ods-cache/deps/gradle", diff --git a/test/testdata/private-cert/README.md b/test/testdata/private-cert/README.md new file mode 100644 index 00000000..eed3b181 --- /dev/null +++ b/test/testdata/private-cert/README.md 
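Review bot: Replacing `"Using NEXUS_URL=http://ods-test-nexus.kind:8081"` with the bare host name `"ods-test-nexus.kind"` in both ods-build-gradle_test.go hunks means the test no longer checks which scheme the task used, so a run with `-private-cert` passes even if the build still talks to Nexus over plain HTTP and the certificate path is never exercised. I would keep the full log line and choose the expectation from `*privateCertFlag`: the `https://` form on the TLS port when it is set, the original `http://…:8081` form otherwise. The exact log text for the HTTPS case is not visible in this diff, so confirm it against the build script. Both test cases continue outside the hunks.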
@@ -0,0 +1,8 @@
+This folder contains a self-signed certificate for `localhost` for testing purposes ONLY.
+
+The files were created like this:
+```
+openssl req -config openssl.conf -new -newkey rsa:2048 -days 3650 -nodes -x509 \
+ -keyout tls.key -out tls.crt -extensions req_ext
+openssl pkcs12 -export -out tls.p12 -in tls.crt -inkey tls.key -passout pass:password
+```
diff --git a/test/testdata/private-cert/openssl.conf b/test/testdata/private-cert/openssl.conf
new file mode 100644
index 00000000..3e772911
--- /dev/null
+++ b/test/testdata/private-cert/openssl.conf
@@ -0,0 +1,22 @@
+[ req ]
+default_bits = 2048
+prompt = no
+distinguished_name = dn
+req_extensions = req_ext
+default_md = sha256
+
+[ dn ]
+C = DE
+ST = RLP
+L = Ingelheim
+O = BI X Digital GmbH
+CN = localhost
+emailAddress = info@bix-digital.com
+
+[ req_ext ]
+subjectAltName = @alt_names
+
+[ alt_names ]
+DNS.1 = ods-test-nexus.kind
+DNS.2 = ods-test-sonarqube.kind
+DNS.3 = ods-test-bitbucket-server.kind
diff --git a/test/testdata/private-cert/tls.crt b/test/testdata/private-cert/tls.crt
new file mode 100644
index 00000000..a757e3a5
--- /dev/null
+++ b/test/testdata/private-cert/tls.crt
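Review bot: `[ alt_names ]` lists only the three `.kind` host names while `CN = localhost` and the README describe the certificate as being for `localhost`; clients that follow current hostname-verification rules ignore the CN once a subjectAltName is present, so `https://localhost:8443` would not validate against this certificate. If host-side HTTPS access is intended, add `DNS.4 = localhost`; otherwise the README sentence should name the `.kind` hosts instead. Because `tls.key` is committed next to it, a header comment such as `# Test fixture only: the private key is public, never add tls.crt to a trust store outside the KinD test cluster` would make the scope explicit in the config itself.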
@@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID6DCCAtCgAwIBAgIJALTk6ZnqJnrYMA0GCSqGSIb3DQEBCwUAMIGEMQswCQYD +VQQGEwJERTEMMAoGA1UECAwDUkxQMRIwEAYDVQQHDAlJbmdlbGhlaW0xGjAYBgNV +BAoMEUJJIFggRGlnaXRhbCBHbWJIMRIwEAYDVQQDDAlsb2NhbGhvc3QxIzAhBgkq +hkiG9w0BCQEWFGluZm9AYml4LWRpZ2l0YWwuY29tMB4XDTIzMDExMjE0NTY1MFoX +DTMzMDEwOTE0NTY1MFowgYQxCzAJBgNVBAYTAkRFMQwwCgYDVQQIDANSTFAxEjAQ +BgNVBAcMCUluZ2VsaGVpbTEaMBgGA1UECgwRQkkgWCBEaWdpdGFsIEdtYkgxEjAQ +BgNVBAMMCWxvY2FsaG9zdDEjMCEGCSqGSIb3DQEJARYUaW5mb0BiaXgtZGlnaXRh +bC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDW/Z85guVFrG24 +TJPld8tr7s4HBlokpVtrZdPrc8xNkQElwYFkrnPpiu/G1rrRnET1lNmXl99qBJJ7 +KmE4WcjspvSbBywU11uB/ujXu76sNPJYwJXhTOj637vnVsmVweqc4W5nTeSHBwYM +xlCmi0FOwuhM0iKGLTaENTJ3hnDmO9Y7aqu9E1J/IN3FkCiOLTrGRQEyhJeM5TzH +2r6+WojS1nWz5u320SALom7Nd3LJaRGv+kD6Lmtf5alXrLUeeTVxGL5qE7fFhp9n ++tZMrYAfzyw5GKiUdnp7po6BXt3zg/pMJOU3ccwDklirS37S/FbxqExA2ZRoF0W8 +1xwSqNsFAgMBAAGjWzBZMFcGA1UdEQRQME6CE29kcy10ZXN0LW5leHVzLmtpbmSC +F29kcy10ZXN0LXNvbmFycXViZS5raW5kgh5vZHMtdGVzdC1iaXRidWNrZXQtc2Vy +dmVyLmtpbmQwDQYJKoZIhvcNAQELBQADggEBAEVLaOH6KYTCGOCtyhV1mCTqA0wB +oURWoFV1Q4WLYjOji5XZh0GwGGy3tuuGv4R9HnilDEX8VTD/wHYlKvroh0CTlzaq +9OGhEQ/oZQBhrVSgNtAYibtwv6ZSWrZ6dzyXJ4iWbDvjBH4VeUE/g+Vd7ZBBE4HJ +s8cxvT87uP4/wmSNCeGBlGZByMFPQgWNb/HE0KHXYH+oePiS0NGM5F0gcJdksxKd +qIWQtVwiu2SzYxgFJ3M/wx37hVCg13/jiqY7q6UAhPW5vXm3093I8GYnrat92I62 +Hkbgh94oI/18AjSKWJMLKL+rvFKjHyBEDyiTSeHIeG7ngnhh+WAu0g4Mzkc= +-----END CERTIFICATE----- diff --git a/test/testdata/private-cert/tls.key b/test/testdata/private-cert/tls.key new file mode 100644 index 00000000..df248ca2 --- /dev/null +++ b/test/testdata/private-cert/tls.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDW/Z85guVFrG24 +TJPld8tr7s4HBlokpVtrZdPrc8xNkQElwYFkrnPpiu/G1rrRnET1lNmXl99qBJJ7 +KmE4WcjspvSbBywU11uB/ujXu76sNPJYwJXhTOj637vnVsmVweqc4W5nTeSHBwYM +xlCmi0FOwuhM0iKGLTaENTJ3hnDmO9Y7aqu9E1J/IN3FkCiOLTrGRQEyhJeM5TzH +2r6+WojS1nWz5u320SALom7Nd3LJaRGv+kD6Lmtf5alXrLUeeTVxGL5qE7fFhp9n ++tZMrYAfzyw5GKiUdnp7po6BXt3zg/pMJOU3ccwDklirS37S/FbxqExA2ZRoF0W8 +1xwSqNsFAgMBAAECggEAfEXw0zK5yxOH/N+vIhakLMjGqULfuo0nEiazYEf4keG+ +8w8u937sG9SnE54uMVoOdpLLUJiGmWb5MV7nAcbMoRdFD5QOxCFUkQlDmOi6qBqW +9/yi5rApgFLx8CC3t+x27KZWxjo9XlwOADZmik62uotp8nYJZNwfxj5l5Ld+7WYb +7Hx3wMBjPlJVGRrOV76CdPi3EJbxYxmR/92kEy90JFqS4QiACcA5k4bqLLT0QMfh +VD7bjrN34KybfaM2uRbCM6K7eBfPs+qHSn8+Y1V74FhAoicqbx8jJeiOXSc35i24 +FIQRp9IDlhRTDJP1H23sNnIK76pvcUl4bWWwk5QYRQKBgQDyQuIpjrveu2MxSp15 +b3K8u+rMN5bZmjWGVrNAziRs+JXYEQOgoS8z7ip1aNWaDyhVHoESXVWHUlq3nCGq +dRe1MQXmkNT6xCnAoen82QOeWwgZFiQbVqfHewQlZqt/8S7AR3/ulSrRMOs6zSat +HNL4F/MuA70m2wA/wTRc/EU/mwKBgQDjLtQLPPiRbsJ0kITgQggMa7xVo0nnJ+V5 +0PJE5DTJ8cOhqOSULFknXHCahmf0PxnAQBU+mrD9YS3LtKVEAUf2PHVuBmeQCPas +QpXcah2sPFi6sJArbeXSc8etWgy3bHNrBeS/aUBvhSLsNNnmL0PeopOtvwEJ2Aoj +cntQ0+4J3wKBgQDIbleJBGMgoq4tYMsqZe9qgJqAvNkcTT5NV7vUOPjgA0aNzX3P +zqsr7rbIDqTyYen/ik5FMF0LqTIOyKj9ywSDTvzPxjG/Cr50dkENhUo+IJhxkOTs +jWQgYQGMJAZtws/oGv+YF2emTS/ApWyDOt68jawO/N7on7X0CVfWOozcUwKBgC5e +IGkqyJDmSkoANR6QW5QtaQMRkMPdILj8LHZjHWMaNROJpR2Y75lZBKKFTDJNrrPO +YIemivksHGy3MgPvPwDC1jTemcSMD8yYyn1yKxw8NN/lqYczpvSNLPP0rSPCvsvZ +KBbpJH2ebsJHBzIz82Y9SGbt1QhtT6RseT7GAo+BAoGBAImkSqscaVcFPJJK/bmm +Lm52tcpbED3Jo0/fEZKhcub+WJJWTFxDRS9p0WC8uLpgajEOgl465eM2e1qkCfXF +uKqK9AY24q4H68zCHBbQxy3YgPTzgUEqtxFZp+ST5lOi1Cn/+Ft5653DJOOdoz+D ++jgVjmdeq5BlcDZ4j3FKFuWJ +-----END PRIVATE KEY----- 
diff --git a/test/testdata/private-cert/tls.p12 b/test/testdata/private-cert/tls.p12 new file mode 100644 index 0000000000000000000000000000000000000000..d8bb2a79eb90ea8f33812a9316fa3726195d41fd GIT binary patch literal 2605 zcmV+|3exp3f(j`D0Ru3C3GW68Duzgg_YDCD0ic2j-~@sR+%SR(*f4?wj|K@UhDe6@ z4FLxRpn?Q|FoFbp0s#Opf&_I22`Yw2hW8Bt2LUh~1_~;MNQUPl7jgzHaO#-DW~P}{#x(J&qd#qEy5;Ui2@e=~X4Ps9yYv)GL+ zGSyaWc=UKJ7~5k=m&mw%N+fUY6B|#I?}+hY`t|4PnW!7%jN*rk_jrOjcTA7EpPF-> z!65Ra>D{;9Uw!}$Oe!bw@9j{q%l)Np(*iN}Ooss=g{aR25ScG}m(xq_y{0Lk1qBoP z4V(CO++33eK{bpMwb2qDXU6)&rf-L`SM4za4a~A9?yyy^5-GCE_2qnl{5a;>ER*-n zz1Zi_aJMelG;1~jBO#t&Z4>5~Ch)pTj>ZXyxQO!4D29 zXka#}7-N7DTt)3XNA629O{H&Bxg@(kc)`#a9R!pn)Vzg|xK>TGyUah*kbyzoNVp=8IxZenpAL#$VXcE>-c{9QW40TTz78kxfpW>rjb>bY z8z2VT!OY^U1`Nc`m^gD{in|0zdr3oO~GUmV2(sSL0@GwA*0V&;msd!e$Lo}9Ri`+`x#6{%e{Rd#4#}|QMF^w z-hJ|xcF6!;kQ2$u+$*7LQL9=_0D1#XoDx^2y|6t&n=~RGZC}c?g#?zmwrnB;_C&R* zS0`4W=BC6V&nF*ivH^w@Z zhQC4`WA9mNkfBz3GY2FprBOW3L$)JeixifywFKg>GZJWd5Dm^wi@)MKr> zxz4J74J&(9vx}ZAjDuKC6*3M(2#J|Q4LCLNbH0J(ZPQI53nTzuufWdMp03y%q|5R|gC(%4pg1D`DZ@3G7X@RE)q4A{;?auhR` z#DzpNHJ&?KSDcI^qbNL>^{&LNQUKq2ml0v1jy}h z?UdDTD`(y6j(=}8`liSnLMB$|7Y8|HZ~}873(ehrIK$NgHDiIotsvs9O1w z9Py}w{W>>EDe+^$l-VC%PT%S3`~peNDd?CoHtBp7dvvUr*(h?5;S; zw&3%U2Z$DWd^Q@e4BeX}&~(oAU&|J*OGjVDPsH+a;lfExM2Ji1`5myF6(m8ls2Kyau$9uw z>)~ca(=^*IYefS{3MNAfB9|YBvqTM&9Y$miH#CYBOHQ)p>Dg>O<)5~nv2OAKN$f>? 
z-1tmRDf*!9fC)hLmE8>y>_Nb-P@M^xLta<37@gr{(`_Fu6Cz(HR+>cK{_++@A))my zm(#U);XYQS%`l}F+_zG8g#|3xtsuz%$C>`M)&+i9+k)&LZt|opl*X>rO9CbAR_o8L zmibz343(W6LFNp!tkq=|inFT$6dX@CJde973wM$B6KtrA>)(PbmDK+_3)JG2J&NViUA zN0Ee#%-Jp2m_O<<2J?4u_j_WCe9rVn${XQ3(I?o}xbp5E%$o>YN`aT5 zD!Bs59{qzs5R8dAg;3SAmvbNb{U(PwMicZtc6Xy@7_Lj5<&|{ujH_!B9%D?gZ z(AG;S{3$Y((2xdx3xo=&F9i7hKNd!PM-RT-CM=lNs}IrSO&+GXAZZ4-o(L_0y^7Z= z|Aag)76nkqi`$3`tr5i$@(tY!+e+xd{QMqX`%QKXpB{sn5@>9OqSKCBlFp&un5o<% z&13)ZjnX*UQH8CG(k&6No+3rz2T#Cy{L#45!LN@D7LkX`sb&=_5ZTSt+@c~sTMGkxDwD7xnvUybYyTKzLt2Mm0D>O-p?Cg&O5E>Wnvs4_lhSw zql7HJa%>Gd8(c>(L*v!P!T8_@>SNp6G(c`qOIaWZv&*`Y>iJk<5ip9>Vrt&mQfLy= z{lC)lxuL_C%@ZQVKnq|u9g69?lU;!zjE&pSh9zoaJH^L(s!{WvE{=i9h91~ijNt*y z=i>UW(*)HX!F-i3w5Hf#LwKboQv_#i+k;w}{f}mB5V1j$TVHK+N5<}Vp3A22vGW-G zWV&#i_XbJ;2nGg{PQT2gK3PNN5E7CSgrY!@ zj{ITj)6>mtUo4!JjidyEM&`C=EU!%bL|uP((VZ{c_%=}4n;E@C(%w!LZZn=q5<)TT zo4jy^BaryV0Q%Nqe_?QQ>z_w-9b*w45!a8~wmmqb!5r^o!+x>w;8JAqCbB3Vz*ml~ zvKNiS_JT$`tkP*-RZ;;Z(t(ob%a;s^0bMQv>+}M3n}tN*0I%rz#v>|^sTA9vY*xXw zllp36@$Z%bYe|)y*Y_Es@&PYx!pLFas=fATqB|m&Imx+DYXA97?b%+Z?Qcg!`90+= z+CM=(0!M9kC-e$>X}qg!mNNZ`3+HD~5&VD^C+(os=z>wpniNdC;h8*>UT_5c$4TPK zl}GsuSNNKGgW56BVodMqKJ z(C^(aCrik0m9};ebbJabr3KG;mcAC;zq{%>O^&K#R9rh7 z3}2pAXrb{{xc)R1t#I8+J&F{|zJZDr)BJ+QEIb7CH|eDQR+a(})z#`0p&zctZQ5fn z6qYvV&&=AKd0#2WOT)HDc%^sx>c~U11WJtccYXBf7F|0HTce)bY)V7>N%Rdnamf3F zhYPL6Wv5*~N;>p+s>m}o4DyTzpA2Q1O`%)X1*XJ&NCS5q=(1Zap9o*HBz1+mBBiP4 za?B4#q_s|wCyIpw-zYB!kG0G{V*R^0`VRkoXpJ)r3v}6pL! 
z%7JwhR9?t|v0uU|!!G#bsT~_z0aaI3C5mdr-1g-aV$@x{dy#1M^cB08&$c%0x{H#yJI zy^#H;%qWXP+U6ymG)#%xkVs7_8OK`k zb1R3IOTQu&zaG4a-aet4r!1}{8+Q+;#*UYm@r6C0x2qJXasIJI+z#Js>v%$WReonQ z=+}pZ;t+~BX|9S(7f>%PXvgGzMUfGn@i9|iid==bqZ6hfBV@_e8Pah;Ht~ooWXW|~ zEuQ>l^?LM7YEa3;ifsYX6dvR$QmLd2Oma8v`1+g{{rqzTA^gU?E967!yJ}UBf zV@9=TuAa4^3TXfR1zw=}yzY^;Z-y5?prJS_$ujAP+u(REjT_#}D`33iSU}o+2YgFO zalu;aJs+JWotaENE$c!1A%DP%!f3SfEjB?wtJ_FNXvo);+wJYOwW6(u1U-8#h{9U+ z4+P8~;)G|@Z=DIMkI0*zm?E6ciZ2N=3ShDPi28jwpRZwtcO+V?J;^|&q#7^So$GN7 z0nLHEjF4b@*4B`S6faRFT7cf*U{c9D)b0gCk#+qaf#jjc z>VYV->c6=BZ`-B{Vkd~J{RusZy-gi3pvxz)Q%FB3rp;UQ#J3 z94aHs=!vD?WqBsG;}}uC*uqOPkTpoDvB&W2=bIV*3{x5v`3FObuO>Tc-W)GP%@a~U zmKqQFp2U_@%d-bu-&EUXxZ?F@C>-bdm$Ba?2wd_LE0lUD-Iby zH9B=-91=yMyanYikC<&LErQuz@SxwxY!x7)!d%I~f0Ds6mAre!(rAkbv)!)yO8-ou z2YKxmzZ(r%y{*8kas}U;cy}T}eeO9%51ioZKJRam#F6hNGKt?v+K5V9A~_`=f2kz6 z3oWdYaAZ&kAHJU$GSvxn!ha^lH+#q`jyH^hm)43>OSF8mJQ5(F3?|6S{R=aaNz7Pk z-zC}xzSN?#oC>U5M?qEtdMOaHpEER_#P=KxLoLG$#xNko9#5p){YPK#TJTrUmX^h+ zE^_*kB^*MG;|Z8MYdf3B8QIrvfnt4&XSY${F3+kXg7zE7sjNbk;Uku%ocrub22cM8 z;rFFR)x7n3_Km$haR__@nE*=e3gWK)WQadFYx8qiKm7DacNp*KYJOyHKIWqi~3LlYj_cGELWNEa*s@J=`OX9gs%4*DHGLkP7MsOQlbqH?4;?|RA+{1W!;|Yz{i>;PUnYVusBj??_9BRweu?NzyS*J&~p3pTH)nh+Z5Fa|bOr-NYIy*_#A?r*# zX^eDpvqW=iAKHwb6nYMpc9pdUOYjPn_}P(-e#nS>aGK`BD9kTa$~GGQZh2ZdfP59i z=isWc!MLNcYS8)h3-J9+&|+==_G8e%SMa#3ZD6%#Ke6$&;}v?`WlfG<-2#49aVs`jfz zf_<9$0y0#U!O0!)(B7;Vw%>-8kkT4{pvKzwJXgKazuY?@k56VhPH}qwT!UImc=3JJ zfD3{;^_FlH(4MaubZE+&PDE7^186$%f5(CiTcAQX8aX*1&Br}H4Yj$m`@!TnKjQK} zgzGxSq>?0gk!^j@0Zvcb&cE@H0g)wF!nHFZ0`p5)@QZ8wx%y@~V>0#^@%gJx6|QAC zLpwq2a%p8xDDHY3pAAC!aPq|9^NkSAcC|d+704)|uWp~sG+&3ApZgW6D!bFCShd9T zwXS=^*55w08yGaFk~C*!fSS#ubLxn*Sq48_A+}AX;w7p zOvfsu7txaiJi~XQ+zmE@<)XBR2f71e-jB`pcmF1;e_+x*p@!Ar3pC}UtG~ywBRJPj z*SK?NDe%bVo@K1Eq9TI^h9BzB5{%D61$_H1fW-ym^WZOkAyvnixDv%^Qkf(W4cyVU zpAoFw=zS5kZFKBREb zD{zZPYn^};X9DS1`?8?5_}+bY^{sNV(Y0>W+49?qXsyBvaW-QK?BUMa1A1^Tq5~Pl zt&%(h+3pB-ix!IUEB~_F?ZEYZ+A3;fy23jNS-lnp+>+@9%R%jI%C5;Y1b($1Z0WCe 
zdWzxY@;aYrvE%jbaSeE0;gOSuwF5*R);qZw7KX}jBZJ#b(`=nXH#=!wpoQZPEK{~_ zlzGm$;nR~=Q6YNWr(Al=bUN;YzAws!GfiZF8idN^18-B;EUki7L=*HyU35VmSNdnV zs$OvhwTc9*>2y2I!4CmHB7dE5e?_yVDE|oHGJjaM&2@2bU$s~#q z(}k&$Pqbuh@pVjuux|6mxITgF=k7#f`+*0iDTgD-Kr?F4lCI4%tATqzs|U?A{0=wM z1_Ep;I+|8J)D*ZMwVlQ6PD@E0ZUNs#!68oHvwr6^ruQPF3XY@+g|(jhqlMVLS_LFk z`v%^8^+J}GJerhYCJ!<{@lQOz1gb%yFX)85@IgeDy!B1+?C?qe4a<|3G!VxE5TDgF zG$zEBdeQkrKmE=37jY=ex=V53M=gdSSLT=^ z8z|f;I9~6FokbZnN3YNmHT&bZcUj~ofRuJS<3R_O1c`fAXBpg>R8mt>eA~n z_A~Z&zS`i*7`N8uU72MmGtK?!i80uXQ>W1!1ZxUXY6gSGho%$cLW4A>F1G~Y?ShkX zWA&Ifv*o%=Nef?lOPD$oos!jrK4PsKDSEb9ldbfJPxj(>Trm|UVVOuK63$b)AH=R0 z63JR*c`i1@Ch@AJ5B6bf;ntESuQotX_T0NRm2qgdz75kQ>vi~#wUaLKZ_AIND-*8A zdjy2{mSw8^Y#Zp(B!8qOPjVw6z=pwQ{wOu^v53|)fDZ`lbsLC@uEC1uK)ec$e^MOK>Fjpk8Qin$!A|tEz8Ft z*wb5?eOH($i~~jnA{GJ@5i%1K0O@bbZHkRW#%jAN)MLu3=@uxnsqBHIS3!vq5uvB5 I|9)xz1w!@QfB*mh literal 0 HcmV?d00001