Merge pull request #205 from cloudbees/casc

[Blueprints, 02-at-scale]: Pre-validates Casc bundles pipelines

.docker/agent/agent.rootless.Dockerfile

@@ -11,6 +11,7 @@ ENV TF_VERSION=1.6.6 \
 RUN apk add --update --no-cache \
     bash \
     unzip \
+    zip \
     curl \
     git \
     make \

.gitignore

@@ -55,3 +55,6 @@ tfplan*.txt
 *.bkp
 *.dtmp
 *.save
+
+#tmp folder to validate casc bundles
+blueprints/02-at-scale/cbci/casc-pre-validate

Makefile

@@ -106,6 +106,12 @@ set-cbci-location: agentCheck guard-CBCI_REPO guard-CBCI_BRANCH
 	@$(call helpers,set-cbci-location $(CBCI_REPO) $(CBCI_BRANCH))
 	@$(call helpers,INFO "Setting new Casc location to $(CBCI_REPO) $(CBCI_BRANCH) finished succesfully.")
 
+.PHONY: zip-all-casc-bundles
+zip-all-casc-bundles: ## Creates a zip file containing all cbci casc bundles from 02 At scale. Example: make zip-all-casc-bundles
+zip-all-casc-bundles: agentCheck
+	@$(call helpers,zip-all-casc-bundles)
+	@$(call helpers,INFO "Zip casc bundles finished succesfully.")
+
 ##########################
 # Global
 ##########################

blueprints/02-at-scale/README.md

@@ -32,7 +32,7 @@ Once you have familiarized yourself with [CloudBees CI blueprint add-on: Get sta
 - Cloudbees CI uses [Configuration as Code (CasC)](https://docs.cloudbees.com/docs/cloudbees-ci/latest/casc-oc/casc-intro) (refer to the [casc](cbci/casc) folder) to enable [exciting new features for streamlined DevOps](https://www.cloudbees.com/blog/cloudbees-ci-exciting-new-features-for-streamlined-devops) and other enterprise features, such as [CloudBees CI hibernation](https://docs.cloudbees.com/docs/cloudbees-ci/latest/cloud-admin-guide/managing-controllers#hibernation-managed-controllers).
   - The CloudBees operations center is using the [CasC Bundle Retriever](https://docs.cloudbees.com/docs/cloudbees-ci/latest/casc-oc/bundle-retrieval-scm).
   - Managed controller configurations are managed from the operations center using [source control management (SCM)](https://docs.cloudbees.com/docs/cloudbees-ci/latest/casc-controller/add-bundle#_adding_casc_bundles_from_an_scm_tool).
-  - The managed controllers are using [CasC bundle inheritance](https://docs.cloudbees.com/docs/cloudbees-ci/latest/casc-controller/advanced#_configuring_bundle_inheritance_with_casc) (refer to the [parent](cbci/casc/mc/parent) folder). This "parent" bundle is inherited by two types of "child" controller bundles: `ha` and `none-ha`, to accommodate [considerations about HA controllers](https://docs.cloudbees.com/docs/cloudbees-ci/latest/ha/ha-considerations).
+  - The managed controllers are using [CasC bundle inheritance](https://docs.cloudbees.com/docs/cloudbees-ci/latest/casc-controller/advanced#_configuring_bundle_inheritance_with_casc) (refer to the [parent](cbci/casc/mc/mc-parent) folder). This "parent" bundle is inherited by two types of "child" controller bundles: `ha` and `none-ha`, to accommodate [considerations about HA controllers](https://docs.cloudbees.com/docs/cloudbees-ci/latest/ha/ha-considerations).
 
 > [!TIP]
 > A [resource group](https://docs.aws.amazon.com/ARG/latest/userguide/resource-groups.html) is also included, to get a full list of all resources created by this blueprint.
@@ -167,6 +167,8 @@ If the command is successful, no output is returned.
 
 ### CloudBees CI
 
+#### Authentication and authorization
+
 1. Complete the steps to [validate CloudBees CI](../01-getting-started/README.md#cloudbees-ci), if you have not done so already.
 1. Authentication in this blueprint is based on LDAP using the `cn` user (available in [k8s/openldap-stack-values.yml](./k8s/openldap-stack-values.yml)) and the global password. The authorization level defines a set of permissions configured using [RBAC](https://docs.cloudbees.com/docs/cloudbees-ci/latest/cloud-secure-guide/rbac). Additionally, the operations center and controller use [single sign-on (SS0)](https://docs.cloudbees.com/docs/cloudbees-ci/latest/cloud-secure-guide/using-sso), including a [fallback mechanism](https://docs.cloudbees.com/docs/cloudbees-ci-kb/latest/operations-center/how-ldap-plugin-works-on-cjoc-sso-context) that is enabled by default. Issue the following command to retrieve the global password (valid for all users):
 
@@ -176,6 +178,8 @@ If the command is successful, no output is returned.
 
    There are differences in CloudBees CI permissions and folder restrictions when signed in as a user of the Admin group versus the Development group. For example, only Admin users have access to the agent validation jobs.
 
+#### Configuration as Code (CasC)
+
 1. CasC is enabled for the [operations center](https://docs.cloudbees.com/docs/cloudbees-ci/latest/casc-oc/) (`cjoc`) and [controllers](https://docs.cloudbees.com/docs/cloudbees-ci/latest/casc-controller/) (`team-b` and `team-c-ha`). `team-a` is not using CasC, to illustrate the difference between the two approaches. Issue the following command to verify that all controllers are running:
 
    ```sh
@@ -190,6 +194,8 @@ If the command is successful, no output is returned.
    eval $(terraform output --raw cbci_controller_c_hpa)
    ```
 
+1. [Validating bundles prior to update](https://docs.cloudbees.com/docs/cloudbees-ci/latest/casc-oc/update-bundle#_validating_bundles_prior_to_update) is orchestrated via `validate-all-casc-bundles` jobs using as parameters API Token from admin user `admin_cbci_a` (see [builds](#builds) section) and the branch to validate.
+
 #### Secrets management
 
 ##### Kubernetes secret

blueprints/02-at-scale/cbci/casc/mc/ha/bundle.yaml → blueprints/02-at-scale/cbci/casc/mc/mc-ha/bundle.yaml

@@ -1,11 +1,11 @@
 apiVersion: "2"
-id: "ha"
+id: "mc-ha"
 description: "CasC bundle for HA controllers. It is tested for the CloudBees CI blueprint add-on: At scale."
 version: "1"
-parent: "parent"
+parent: "mc-parent"
 allowCapExceptions: true
 jcascMergeStrategy: "errorOnConflict"
 jcasc:
-  - jcasc
+  - jcasc.main.yaml
 variables:
-  - variables
+  - variables.yaml

blueprints/02-at-scale/cbci/casc/mc/ha/variables/variables.yaml → blueprints/02-at-scale/cbci/casc/mc/mc-ha/variables.yaml

@@ -1,4 +1,4 @@
 variables:
   - sharedLibRepo: "https://github.com/cloudbees/terraform-aws-cloudbees-ci-eks-addon.git"
-  - sharedLibBranch: develop
+  - sharedLibBranch: casc
   - sharedLibPath: "blueprints/02-at-scale/cbci/shared-lib"

blueprints/02-at-scale/cbci/casc/mc/none-ha/bundle.yaml → blueprints/02-at-scale/cbci/casc/mc/mc-none-ha/bundle.yaml

@@ -1,11 +1,11 @@
 apiVersion: "2"
-id: "none-ha"
+id: "mc-none-ha"
 description: "CasC bundle for non-HA controllers. It is tested for the CloudBees CI blueprint add-on: At scale."
 version: "1"
-parent: "parent"
+parent: "mc-parent"
 allowCapExceptions: true
 jcascMergeStrategy: "errorOnConflict"
 jcasc:
-  - jcasc
+  - jcasc.main.yaml
 variables:
-  - variables
+  - variables.yaml

blueprints/02-at-scale/cbci/casc/mc/none-ha/variables/variables.yaml → blueprints/02-at-scale/cbci/casc/mc/mc-none-ha/variables.yaml

@@ -1,4 +1,4 @@
 variables:
   - sharedLibRepo: "https://github.com/cloudbees/terraform-aws-cloudbees-ci-eks-addon.git"
-  - sharedLibBranch: develop
+  - sharedLibBranch: casc
   - sharedLibPath: "blueprints/02-at-scale/cbci/shared-lib"

blueprints/02-at-scale/cbci/casc/mc/mc-parent/bundle.yaml

@@ -0,0 +1,19 @@
+apiVersion: "2"
+id: "mc-parent"
+description: "Parent CasC bundle. It is tested for the CloudBees CI blueprint add-on: At scale."
+version: "1"
+jcasc:
+  - jcasc.main.yaml
+  - jcasc.support.yaml
+  - jcasc.k8s-agents.yaml
+  - jcasc.security.yaml
+items:
+  - items.admin-folder.yaml
+  - items.squad_x-folder.yaml
+  - items.squad_y-folder.yaml
+plugins:
+  - plugins.yaml
+rbac:
+  - rbac.yaml
+variables:
+  - variables.yaml

blueprints/02-at-scale/cbci/casc/oc/bundle.yaml

@@ -1,13 +1,17 @@
 apiVersion: "2"
-id: "modern.oc.simple"
+id: "oc"
 version: "1"
 jcasc:
-  - jcasc
+  - jcasc.main.yaml
+  - jcasc.security.yaml
+  - jcasc.k8s-agents.yaml
+  - jcasc.support.yaml
 items:
-  - items
+  - items.admin-folder.yaml
+  - items.root.yaml
 plugins:
-  - plugins
+  - plugins.yaml
 rbac:
-  - rbac
+  - rbac.yaml
 variables:
-  - variables
+  - variables.yaml

blueprints/02-at-scale/cbci/casc/oc/items/admin-folder.yaml → blueprints/02-at-scale/cbci/casc/oc/items.admin-folder.yaml

@@ -93,6 +93,7 @@ items:
                   }
       - kind: backupAndRestore
         name: backup-cjoc
+        label: busybox-L
         triggers:
           - cron:
               spec: '@daily'
@@ -119,3 +120,30 @@ items:
                 n: 5
             safeDelaySeconds: 0
         concurrentBuild: false
+      - kind: freeStyle
+        name: validate-all-casc-bundles
+        builders:
+        - shell:
+            command: |
+              casc_repo="https://github.com/cloudbees/terraform-aws-cloudbees-ci-eks-addon"
+              casc_zip_bundle_path="terraform-aws-cloudbees-ci-eks-addon/blueprints/02-at-scale/cbci/casc-zip/pre-validate-casc.zip"
+              username="admin_cbci_a"
+              target_branch="^${TARGET_BRANCH}"
+              api_token="^${API_TOKEN}"
+              git clone -b "$target_branch" "$casc_repo"
+              curl -s -H 'Accept: application/json' -H 'Content-Type: application/zip;charset=utf-8' --user "$username:$api_token" --data-binary @"$casc_zip_bundle_path" -XPOST "^${JENKINS_URL}casc-bundle/pre-validate-bundle"
+        concurrentBuild: false
+        disabled: false
+        label: busybox-L
+        parameters:
+        - string:
+            trim: true
+            name: API_TOKEN
+            description: API TOKEN for user admin_cbci_a
+        - string:
+            trim: true
+            name: TARGET_BRANCH
+            description: Branch to validate casc bundles before merging to production branch
+
+
+

blueprints/02-at-scale/cbci/casc/oc/items/root.yaml → blueprints/02-at-scale/cbci/casc/oc/items.root.yaml

@@ -53,7 +53,7 @@ items:
               "cloudbees.prometheus": "true"
     properties:
       - configurationAsCode:
-          bundle: "develop/none-ha"
+          bundle: "casc/mc-none-ha"
   # Casc, HA
   - kind: managedController
     name: team-c-ha
@@ -101,4 +101,4 @@ items:
               "cloudbees.prometheus": "true"
     properties:
       - configurationAsCode:
-          bundle: "develop/ha"
+          bundle: "casc/mc-ha"

blueprints/02-at-scale/cbci/casc/oc/jcasc.k8s-agents.yaml

@@ -0,0 +1,32 @@
+kube:
+  podTemplatesConfiguration:
+    templates:
+    - name: "busybox-L"
+      label: "busybox-L"
+      yaml: |-
+        apiVersion: "v1"
+        kind: "Pod"
+        spec:
+          containers:
+          - args:
+            - "99d"
+            command:
+            - "sleep"
+            image: "busybox:1.37.0-musl"
+            name: "busybox"
+            resources:
+              limits:
+                memory: "1Gi"
+              requests:
+                memory: "500Mi"
+                cpu: "250m"
+          nodeSelector:
+            kubernetes.io/os: linux
+            role: "build-linux-l"
+            size: "2x"
+          tolerations:
+          - effect: "NoSchedule"
+            key: "dedicated"
+            operator: "Equal"
+            value: "build-linux-l"
+      yamlMergeStrategy: "override"

blueprints/02-at-scale/cbci/casc/oc/jcasc/main.yaml → blueprints/02-at-scale/cbci/casc/oc/jcasc.main.yaml

@@ -1,7 +1,14 @@
 jenkins:
   systemMessage: "${message}"
-  # Setting 1 executor for Backup OC
-  numExecutors: 1
+  numExecutors: 0
+  clouds:
+  - kubernetes:
+      name: "kubernetes-oc"
+      webSocket: true
+      # Note 1: Using cbci-agents namespace requires same permissions like jenkins SA
+      # namespace: "cbci-agents"
+      # Note 2: Similar to controller provisioning traffic can go internally. Then, websocket is not needed.
+      # jenkinsUrl: "http://cjoc.${namespace}.svc.cluster.local/"
 unclassified:
   cascItemsConfiguration:
       variableInterpolationEnabledForAdmin: true
@@ -32,6 +39,12 @@ unclassified:
           discarder:
             logRotator:
               numToKeepStr: "3"
+  bundleUpdateTiming:
+    automaticReload: true
+    automaticRestart: false
+    rejectWarnings: true
+    reloadAlwaysOnRestart: false
+    skipNewVersions: false
 cloudBeesCasCServer:
   defaultBundle: ${cascBranch}/none-ha
   visibility: true

blueprints/02-at-scale/cbci/casc/oc/variables/variables.yaml → blueprints/02-at-scale/cbci/casc/oc/variables.yaml

@@ -1,7 +1,7 @@
 variables:
   - message: "Welcome to the CloudBees CI blueprint add-on: At scale!"
   - cascRepo: "https://github.com/cloudbees/terraform-aws-cloudbees-ci-eks-addon.git"
-  - cascBranch: develop
+  - cascBranch: casc
   - cascPathController: "/blueprints/02-at-scale/cbci/casc/mc/"
   - ldapManagerDN: "cn=admin,dc=acme,dc=org"
   - ldapRootDN: "dc=acme,dc=org"

blueprints/02-at-scale/k8s/cbci-values.yml

@@ -16,7 +16,7 @@ OperationsCenter:
     Retriever:
       Enabled: true
       scmRepo: "https://github.com/cloudbees/terraform-aws-cloudbees-ci-eks-addon.git"
-      scmBranch: develop
+      scmBranch: casc
       scmBundlePath: blueprints/02-at-scale/cbci/casc/oc
       scmPollingInterval: PT20M
 Persistence:

blueprints/02-at-scale/k8s/kube-prom-stack-values.yml

@@ -197,8 +197,8 @@ grafana:
         token: ""
     grafana-dashboards-cloudbees:
       prometheus-plugin:
-        url: https://raw.githubusercontent.com/cloudbees/terraform-aws-cloudbees-ci-eks-addon/develop/blueprints/02-at-scale/k8s/prometheus-plugin-db.json
+        url: https://raw.githubusercontent.com/cloudbees/terraform-aws-cloudbees-ci-eks-addon/casc/blueprints/02-at-scale/k8s/prometheus-plugin-db.json
         token: ""
       otel-plugin:
-        url: https://raw.githubusercontent.com/cloudbees/terraform-aws-cloudbees-ci-eks-addon/develop/blueprints/02-at-scale/k8s/opentelemetry-plugin-db.json
+        url: https://raw.githubusercontent.com/cloudbees/terraform-aws-cloudbees-ci-eks-addon/casc/blueprints/02-at-scale/k8s/opentelemetry-plugin-db.json
         token: ""

blueprints/helpers.sh

@@ -219,16 +219,30 @@ set-cbci-location () {
   local branch="$2"
   #Repo
   sed -i "s|scmRepo: .*|scmRepo: \"$repo\"|g" "$SCRIPTDIR/02-at-scale/k8s/cbci-values.yml"
-  sed -i "s|scmCascMmStore: .*|scmCascMmStore: \"$repo\"|g" "$SCRIPTDIR/02-at-scale/cbci/casc/oc/variables/variables.yaml"
-  sed -i "s|sharedLibRepo: .*|sharedLibRepo: \"$repo\"|g" "$SCRIPTDIR/02-at-scale/cbci/casc/mc/ha/variables/variables.yaml"
-  sed -i "s|sharedLibRepo: .*|sharedLibRepo: \"$repo\"|g" "$SCRIPTDIR/02-at-scale/cbci/casc/mc/none-ha/variables/variables.yaml"
+  sed -i "s|scmCascMmStore: .*|scmCascMmStore: \"$repo\"|g" "$SCRIPTDIR/02-at-scale/cbci/casc/oc/variables.yaml"
+  sed -i "s|sharedLibRepo: .*|sharedLibRepo: \"$repo\"|g" "$SCRIPTDIR/02-at-scale/cbci/casc/mc/mc-ha/variables.yaml"
+  sed -i "s|sharedLibRepo: .*|sharedLibRepo: \"$repo\"|g" "$SCRIPTDIR/02-at-scale/cbci/casc/mc/mc-none-ha/variables.yaml"
   #Branch
   sed -i "s|scmBranch: .*|scmBranch: $branch|g" "$SCRIPTDIR/02-at-scale/k8s/cbci-values.yml"
-  sed -i "s|cascBranch: .*|cascBranch: $branch|g" "$SCRIPTDIR/02-at-scale/cbci/casc/oc/variables/variables.yaml"
-  sed -i "s|sharedLibBranch: .*|sharedLibBranch: $branch|g" "$SCRIPTDIR/02-at-scale/cbci/casc/mc/ha/variables/variables.yaml"
-  sed -i "s|sharedLibBranch: .*|sharedLibBranch: $branch|g" "$SCRIPTDIR/02-at-scale/cbci/casc/mc/none-ha/variables/variables.yaml"
-  sed -i "s|bundle: \".*/none-ha\"|bundle: \"$branch/none-ha\"|g" "$SCRIPTDIR/02-at-scale/cbci/casc/oc/items/root.yaml"
-  sed -i "s|bundle: \".*/ha\"|bundle: \"$branch/ha\"|g" "$SCRIPTDIR/02-at-scale/cbci/casc/oc/items/root.yaml"
+  sed -i "s|cascBranch: .*|cascBranch: $branch|g" "$SCRIPTDIR/02-at-scale/cbci/casc/oc/variables.yaml"
+  sed -i "s|sharedLibBranch: .*|sharedLibBranch: $branch|g" "$SCRIPTDIR/02-at-scale/cbci/casc/mc/mc-ha/variables.yaml"
+  sed -i "s|sharedLibBranch: .*|sharedLibBranch: $branch|g" "$SCRIPTDIR/02-at-scale/cbci/casc/mc/mc-none-ha/variables.yaml"
+  sed -i "s|bundle: \".*/none-ha\"|bundle: \"$branch/none-ha\"|g" "$SCRIPTDIR/02-at-scale/cbci/casc/oc/items.root.yaml"
+  sed -i "s|bundle: \".*/ha\"|bundle: \"$branch/ha\"|g" "$SCRIPTDIR/02-at-scale/cbci/casc/oc/items.root.yaml"
   sed -i "s|https://raw.githubusercontent.com/cloudbees/terraform-aws-cloudbees-ci-eks-addon/.*/blueprints/02-at-scale/k8s/prometheus-plugin-db.json|https://raw.githubusercontent.com/cloudbees/terraform-aws-cloudbees-ci-eks-addon/$branch/blueprints/02-at-scale/k8s/prometheus-plugin-db.json|g" "$SCRIPTDIR/02-at-scale/k8s/kube-prom-stack-values.yml"
   sed -i "s|https://raw.githubusercontent.com/cloudbees/terraform-aws-cloudbees-ci-eks-addon/.*/blueprints/02-at-scale/k8s/opentelemetry-plugin-db.json|https://raw.githubusercontent.com/cloudbees/terraform-aws-cloudbees-ci-eks-addon/$branch/blueprints/02-at-scale/k8s/opentelemetry-plugin-db.json|g" "$SCRIPTDIR/02-at-scale/k8s/kube-prom-stack-values.yml"
 }
+
+zip-all-casc-bundles () {
+  branch=$(git rev-parse --abbrev-ref HEAD)
+  cbciDirInput="$SCRIPTDIR/02-at-scale/cbci"
+  cascDirOutput="$cbciDirInput/casc-zip"
+  cascPreValidatePath="casc-pre-validate/$branch"
+  cascDirTempValidate="$cbciDirInput/$cascPreValidatePath"
+  mkdir -p "$cascDirTempValidate"
+  cp -R "${cbciDirInput}/casc/oc" "$cascDirTempValidate"
+  cp -R "${cbciDirInput}/casc/mc/"* "$cascDirTempValidate"
+  rm "$cascDirOutput/pre-validate-casc.zip" || INFO "No previous zip found."
+  cd "$cbciDirInput/casc-pre-validate" && zip "$cascDirOutput/pre-validate-casc.zip" "$branch" -r
+  rm -rf "$cascDirTempValidate"
+}