diff --git a/developer/openshift/dev_setup.sh b/developer/openshift/dev_setup.sh index 49f52a3b3..f1903fa14 100755 --- a/developer/openshift/dev_setup.sh +++ b/developer/openshift/dev_setup.sh @@ -227,7 +227,7 @@ install_pipeline_service() { TEKTON_RESULTS_DATABASE_PASSWORD="$(yq '.tekton_results_db.password' "$CONFIG")" export TEKTON_RESULTS_DATABASE_USER export TEKTON_RESULTS_DATABASE_PASSWORD - TEKTON_RESULTS_S3_USER="$(yq '.tekton_results_s3.user // "minio"' "$CONFIG")" + TEKTON_RESULTS_S3_USER="$(yq '.tekton_results_s3.user // "tekton"' "$CONFIG")" TEKTON_RESULTS_S3_PASSWORD="$(yq ".tekton_results_s3.password // \"$(openssl rand -base64 20)\"" "$CONFIG")" export TEKTON_RESULTS_S3_USER export TEKTON_RESULTS_S3_PASSWORD @@ -244,17 +244,14 @@ install_pipeline_service() { for app in "pipeline-service" "pipeline-service-storage" "pipeline-service-o11y"; do cat << EOF >"$manifest_dir/patch-$app.yaml" --- -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: $app - namespace: openshift-gitops -spec: - source: - repoURL: $GIT_URL - targetRevision: $GIT_REF +- op: replace + path: "/spec/sources/0/repoURL" + value: $GIT_URL +- op: replace + path: "/spec/sources/0/targetRevision" + value: $GIT_REF EOF - yq -i ".patches += [{\"path\": \"patch-$app.yaml\"}]" "$manifest_dir/kustomization.yaml" + yq -i ".patches += [{\"path\": \"patch-$app.yaml\", \"target\": {\"kind\": \"Application\", \"namespace\": \"openshift-gitops\", \"name\": \"$app\" }}]" "$manifest_dir/kustomization.yaml" done ############################################################################# diff --git a/developer/openshift/gitops/argocd/pipeline-service-storage.yaml b/developer/openshift/gitops/argocd/pipeline-service-storage.yaml index ca01d2318..c0b77d04a 100644 --- a/developer/openshift/gitops/argocd/pipeline-service-storage.yaml +++ b/developer/openshift/gitops/argocd/pipeline-service-storage.yaml 
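Review bot: The JSON 6902 patch written in the `for app in ...` loop replaces `/spec/sources/0/repoURL` and `/spec/sources/0/targetRevision` for all three applications, but this diff only converts `pipeline-service.yaml` and `pipeline-service-storage.yaml` from `source:` to `sources:`. If `pipeline-service-o11y` still uses a single `source:` (its manifest is not visible here), the `replace` ops have no path to act on and the kustomize build would presumably fail, so confirm it was converted too. The patch also depends on the Git repository staying first in `sources`; a comment above the heredoc such as `# index 0 must remain the pipeline-service Git source` would record that. `$GIT_URL` and `$GIT_REF` are written unquoted into the YAML, and `value: "$GIT_URL"` would keep a value containing `#` or `: ` from being misparsed. install_pipeline_service starts and ends outside the hunk.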
@@ -8,12 +8,20 @@ metadata: argocd.argoproj.io/sync-wave: "0" spec: destination: - namespace: openshift-gitops + namespace: tekton-results server: https://kubernetes.default.svc - source: - path: developer/openshift/gitops/argocd/pipeline-service-storage - repoURL: https://github.com/openshift-pipelines/pipeline-service.git - targetRevision: main + sources: + - repoURL: https://github.com/openshift-pipelines/pipeline-service.git + path: developer/openshift/gitops/argocd/pipeline-service-storage/minio + targetRevision: main + ref: values + - repoURL: https://charts.bitnami.com/bitnami + chart: postgresql + targetRevision: 12.2.7 + helm: + releaseName: postgres + valueFiles: + - $values/developer/openshift/gitops/argocd/pipeline-service-storage/postgres/values.yaml project: default syncPolicy: # Comment this out if you want to manually trigger deployments (using the diff --git a/developer/openshift/gitops/argocd/pipeline-service-storage/kustomization.yaml b/developer/openshift/gitops/argocd/pipeline-service-storage/kustomization.yaml deleted file mode 100644 index f7ab7959a..000000000 --- a/developer/openshift/gitops/argocd/pipeline-service-storage/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -resources: - - postgres.yaml - - minio diff --git a/developer/openshift/gitops/argocd/pipeline-service-storage/minio/kustomization.yaml b/developer/openshift/gitops/argocd/pipeline-service-storage/minio/kustomization.yaml index ee5398c4f..01458091d 100644 --- a/developer/openshift/gitops/argocd/pipeline-service-storage/minio/kustomization.yaml +++ b/developer/openshift/gitops/argocd/pipeline-service-storage/minio/kustomization.yaml @@ -1,6 +1,6 @@ --- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component resources: - operator 
diff --git a/developer/openshift/gitops/argocd/pipeline-service-storage/minio/tenant/tenant.yaml b/developer/openshift/gitops/argocd/pipeline-service-storage/minio/tenant/tenant.yaml index 4a366cee5..94b1f01fc 100644 --- a/developer/openshift/gitops/argocd/pipeline-service-storage/minio/tenant/tenant.yaml +++ b/developer/openshift/gitops/argocd/pipeline-service-storage/minio/tenant/tenant.yaml @@ -2,7 +2,7 @@ apiVersion: minio.min.io/v2 kind: Tenant metadata: - name: storage + name: minio namespace: tekton-results labels: app: minio 
@@ -13,60 +13,35 @@ metadata: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true argocd.argoproj.io/sync-wave: "0" spec: + image: quay.io/minio/minio:latest + requestAutoCert: false + podManagementPolicy: Parallel + configuration: + name: minio-configuration exposeServices: minio: true features: bucketDNS: false - domains: {} - # This desired part doesn't work. Issues: - # https://github.com/minio/operator/issues/1345 - # https://github.com/minio/operator/issues/1346 - # users: - # - name: storage-user - # buckets: - # - name: "tekton-results" - # region: "us-east-1" - # objectLock: true - certConfig: {} - podManagementPolicy: Parallel - configuration: - name: minio-storage-configuration - env: [] - serviceMetadata: - minioServiceLabels: {} - minioServiceAnnotations: {} - consoleServiceLabels: {} - consoleServiceAnnotations: {} - priorityClassName: "" - externalCaCertSecret: [] - externalCertSecret: [] - externalClientCertSecrets: [] - image: quay.io/minio/minio:RELEASE.2022-09-17T00-09-45Z - imagePullSecret: {} - mountPath: /export - subPath: "" + users: + - name: minio-user + buckets: + - name: tekton-results + region: not-applicable + objectLock: true pools: - servers: 1 name: pool-0 volumesPerServer: 2 - nodeSelector: {} - tolerations: [] - affinity: - nodeAffinity: {} - podAffinity: {} - podAntiAffinity: {} - resources: {} volumeClaimTemplate: apiVersion: v1 kind: persistentvolumeclaims - metadata: {} spec: accessModes: - ReadWriteOnce resources: requests: storage: 1Gi - status: {} - securityContext: {} - containerSecurityContext: {} - requestAutoCert: true + securityContext: + runAsNonRoot: true + containerSecurityContext: + runAsNonRoot: true \ No newline at end of file diff --git a/developer/openshift/gitops/argocd/pipeline-service-storage/postgres.yaml b/developer/openshift/gitops/argocd/pipeline-service-storage/postgres.yaml deleted file mode 100644 index 4cfc09417..000000000 
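Review bot: `requestAutoCert: false` turns off the operator-issued certificate for the tenant, and the same downgrade appears in `setup_work_dir.sh` (the S3 `endpoint` goes from `https://` to `http://minio.tekton-results.svc.cluster.local`) and in `pipeline-service/kustomization.yaml` (the `minio-tls.yaml` patch is commented out), so the S3 access key, secret and stored results would presumably cross the cluster network unencrypted. If TLS was dropped only to get the `users`/`buckets` provisioning working, say so in a comment next to the field and track re-enabling it; otherwise keep `requestAutoCert: true` and the `https` endpoint. Separately, `image: quay.io/minio/minio:latest` replaces the pinned `RELEASE.2022-09-17T00-09-45Z` tag with a mutable one, so an upstream push changes what runs; pin a release tag or a digest (`quay.io/minio/minio@sha256:<digest>`). The new `securityContext` and `containerSecurityContext` set only `runAsNonRoot: true`; adding `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]` to the container context would match the Postgres values file in this same change.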
--- a/developer/openshift/gitops/argocd/pipeline-service-storage/postgres.yaml
+++ /dev/null
@@ -1,73 +0,0 @@ ---- -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: postgres - namespace: openshift-gitops - annotations: - argocd.argoproj.io/sync-wave: "0" -spec: - project: default - destination: - namespace: tekton-results - server: https://kubernetes.default.svc - source: - chart: postgresql - repoURL: https://charts.bitnami.com/bitnami - targetRevision: 12.2.7 - helm: - releaseName: postgres - parameters: - - name: image.tag - value: 13.10.0 - - name: tls.enabled - value: "true" - - name: tls.autoGenerated - value: "true" - - name: auth.database - value: "tekton_results" - - name: auth.username - value: "tekton" - - name: auth.existingSecret - value: "tekton-results-database" - - name: auth.secretKeys.userPasswordKey - value: "db.password" - - name: auth.secretKeys.adminPasswordKey - value: "db.password" - - name: primary.resources.requests - value: "null" - - name: primary.podSecurityContext.fsGroup - value: "null" - - name: primary.podSecurityContext.seccompProfile.type - value: RuntimeDefault - - name: primary.containerSecurityContext.runAsUser - value: "null" - - name: primary.containerSecurityContext.allowPrivilegeEscalation - value: "false" - - name: primary.containerSecurityContext.runAsNonRoot - value: "true" - - name: primary.containerSecurityContext.seccompProfile.type - value: RuntimeDefault - - name: primary.containerSecurityContext.capabilities.drop[0] - value: ALL - - name: volumePermissions.enabled - value: "false" - - name: shmVolume.enabled - value: "false" - syncPolicy: - # Comment this out if you want to manually trigger deployments (using the - # Argo CD Web UI or Argo CD CLI), rather than automatically deploying on - # every new Git commit to your directory. 
- automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true - # workaround to make working both minio: newer and old 4.5.4 - - Validate=false - retry: - limit: -1 # number of failed sync attempt retries; unlimited number of attempts if less than 0 - backoff: - duration: 10s # the amount to back off. Default unit is seconds, but could also be a duration (e.g. "2m", "1h") - factor: 2 # a factor to multiply the base duration after each failed retry - maxDuration: 3m # the maximum amount of time allowed for the backoff strategy diff --git a/developer/openshift/gitops/argocd/pipeline-service-storage/postgres/values.yaml b/developer/openshift/gitops/argocd/pipeline-service-storage/postgres/values.yaml new file mode 100644 index 000000000..59e739823 --- /dev/null +++ b/developer/openshift/gitops/argocd/pipeline-service-storage/postgres/values.yaml @@ -0,0 +1,37 @@ +image: + tag: 13.10.0 + +tls: + enabled: true + autoGenerated: true + +auth: + database: tekton_results + username: tekton + existingSecret: tekton-results-database + secretKeys: + userPasswordKey: db.password + adminPasswordKey: db.password + +primary: + resources: + requests: null + podSecurityContext: + fsGroup: null + seccompProfile: + type: RuntimeDefault + containerSecurityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: null + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + +volumePermissions: + enabled: false + +shmVolume: + enabled: false diff --git a/developer/openshift/gitops/argocd/pipeline-service.yaml b/developer/openshift/gitops/argocd/pipeline-service.yaml index cfebefd9e..a3035767f 100644 --- a/developer/openshift/gitops/argocd/pipeline-service.yaml +++ b/developer/openshift/gitops/argocd/pipeline-service.yaml 
@@ -8,12 +8,12 @@ metadata: argocd.argoproj.io/sync-wave: "0" spec: destination: - namespace: openshift-gitops + namespace: pipeline-service server: https://kubernetes.default.svc - source: - path: developer/openshift/gitops/argocd/pipeline-service - repoURL: https://github.com/openshift-pipelines/pipeline-service.git - targetRevision: main + sources: + - path: developer/openshift/gitops/argocd/pipeline-service + repoURL: https://github.com/openshift-pipelines/pipeline-service.git + targetRevision: main project: default syncPolicy: # Comment this out if you want to manually trigger deployments (using the diff --git a/developer/openshift/gitops/argocd/pipeline-service/kustomization.yaml b/developer/openshift/gitops/argocd/pipeline-service/kustomization.yaml index 6cc39d588..7e041e598 100644 --- a/developer/openshift/gitops/argocd/pipeline-service/kustomization.yaml +++ b/developer/openshift/gitops/argocd/pipeline-service/kustomization.yaml @@ -5,9 +5,8 @@ kind: Kustomization resources: - ../../../../../operator/gitops/argocd/pipeline-service -patches: - - path: tekton-results/minio-create-bucket.yaml - - path: tekton-results/minio-tls.yaml +#patches: +# - path: tekton-results/minio-tls.yaml # Skip applying the Tekton operands while the Tekton operator is being installed. # See more information about this option, here: diff --git a/developer/openshift/gitops/argocd/pipeline-service/tekton-results/kustomization.yaml b/developer/openshift/gitops/argocd/pipeline-service/tekton-results/kustomization.yaml index 13b973dcb..b8cb96177 100644 --- a/developer/openshift/gitops/argocd/pipeline-service/tekton-results/kustomization.yaml +++ b/developer/openshift/gitops/argocd/pipeline-service/tekton-results/kustomization.yaml @@ -5,5 +5,4 @@ resources: - ../../../../../../operator/gitops/argocd/pipeline-service/tekton-results patches: - - path: minio-create-bucket.yaml - path: minio-tls.yaml 
diff --git a/developer/openshift/gitops/argocd/pipeline-service/tekton-results/minio-create-bucket.yaml b/developer/openshift/gitops/argocd/pipeline-service/tekton-results/minio-create-bucket.yaml deleted file mode 100644 index a72ab1c51..000000000 --- a/developer/openshift/gitops/argocd/pipeline-service/tekton-results/minio-create-bucket.yaml +++ /dev/null @@ -1,58 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: tekton-results-api - namespace: tekton-results - annotations: - argocd.argoproj.io/sync-wave: "0" -spec: - template: - spec: - containers: - - name: api - initContainers: - - name: mc - image: >- - quay.io/minio/mc:RELEASE.2023-01-28T20-29-38Z - command: - - /bin/bash - args: - - '-c' - - | - mc --config-dir /tmp config host add minio "$S3_ENDPOINT" "$S3_ACCESS_KEY_ID" "$S3_SECRET_ACCESS_KEY" && - if [ -z "$(mc --config-dir /tmp ls minio | grep "$S3_BUCKET_NAME")" ]; then - mc --config-dir /tmp mb --with-lock --region "$S3_REGION" minio/"$S3_BUCKET_NAME" && - echo "Minio bucket $S3_BUCKET_NAME successfully created." - fi - imagePullPolicy: Always - env: - - name: S3_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - key: aws_access_key_id - name: tekton-results-s3 - - name: S3_SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - key: aws_secret_access_key - name: tekton-results-s3 - - name: S3_REGION - valueFrom: - secretKeyRef: - key: aws_region - name: tekton-results-s3 - - name: S3_BUCKET_NAME - valueFrom: - secretKeyRef: - key: bucket - name: tekton-results-s3 - - name: S3_ENDPOINT - valueFrom: - secretKeyRef: - key: endpoint - name: tekton-results-s3 - volumeMounts: - - name: ca-s3 - mountPath: /etc/ssl/certs/s3-cert.crt - subPath: s3-cert.crt diff --git a/developer/openshift/gitops/argocd/pipeline-service/tekton-results/minio-tls.yaml b/developer/openshift/gitops/argocd/pipeline-service/tekton-results/minio-tls.yaml index e0c5d7c48..937258ed6 100644 --- a/developer/openshift/gitops/argocd/pipeline-service/tekton-results/minio-tls.yaml 
+++ b/developer/openshift/gitops/argocd/pipeline-service/tekton-results/minio-tls.yaml @@ -12,7 +12,7 @@ spec: volumes: - name: ca-s3 secret: - secretName: storage-tls + secretName: minio-tls items: - key: public.crt path: s3-cert.crt diff --git a/developer/openshift/operators/openshift-gitops/custom-permissions.yaml b/developer/openshift/operators/openshift-gitops/custom-permissions.yaml new file mode 100644 index 000000000..81d15d33d --- /dev/null +++ b/developer/openshift/operators/openshift-gitops/custom-permissions.yaml @@ -0,0 +1,29 @@ +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: openshift-gitops-custom +rules: + - apiGroups: + - "" + resources: + - services + verbs: + - patch + - get + - list + - create + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: openshift-gitops-custom +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: openshift-gitops-custom +subjects: + - kind: ServiceAccount + name: openshift-gitops-argocd-application-controller + namespace: openshift-gitops diff --git a/developer/openshift/operators/openshift-gitops/kustomization.yaml b/developer/openshift/operators/openshift-gitops/kustomization.yaml index e0c4c97f8..1bb211ed3 100644 --- a/developer/openshift/operators/openshift-gitops/kustomization.yaml +++ b/developer/openshift/operators/openshift-gitops/kustomization.yaml @@ -3,3 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - openshift-gitops.yaml + - custom-permissions.yaml diff --git a/developer/openshift/operators/openshift-gitops/openshift-gitops.yaml b/developer/openshift/operators/openshift-gitops/openshift-gitops.yaml index 97ea18925..d7857d619 100644 --- a/developer/openshift/operators/openshift-gitops/openshift-gitops.yaml +++ b/developer/openshift/operators/openshift-gitops/openshift-gitops.yaml 
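Review bot: The new `openshift-gitops-custom` ClusterRole and ClusterRoleBinding in `custom-permissions.yaml` let the Argo CD application controller `create`, `patch` and `delete` Services in every namespace, not just the ones this change deploys into. Nothing in the file says why the grant is needed. If it exists only for the Services created in `tekton-results` (an assumption from the rest of the diff), a namespaced `Role` and `RoleBinding` in that namespace would cover it with far less reach. At minimum add a comment above `rules:` naming what required it, e.g. `# Needed so Argo CD can manage the <resource> Services in tekton-results`.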
@@ -7,7 +7,7 @@ metadata: annotations: argocd.argoproj.io/sync-wave: "0" spec: - channel: stable + channel: gitops-1.8 installPlanApproval: Automatic name: openshift-gitops-operator source: redhat-operators diff --git a/developer/openshift/reset.sh b/developer/openshift/reset.sh index fd891b1ef..aec7488ba 100755 --- a/developer/openshift/reset.sh +++ b/developer/openshift/reset.sh 
@@ -123,34 +123,34 @@ check_if_argocd_app_was_removed() { printf " OK\n" } -uninstall_minio() { - printf "\n Uninstalling Minio Service:\n" - if argocd app get minio >/dev/null 2>&1; then +uninstall_pipeline_service_storage() { + printf "\n Uninstalling Pipeline Service Storage:\n" + if argocd app get pipeline-service-storage >/dev/null 2>&1; then # If something went wrong(e.g. bad development changes) the ArgoCD sync operation can be very long or could hang. # In this case any other ArgoCD operation will be queued. # Therefore the 'delete' operation will not be executed in a timely manner. # Cancelling the sync operation speeds up the process. - argocd app terminate-op minio >/dev/null 2>&1 + argocd app terminate-op pipeline-service-storage >/dev/null 2>&1 - argocd app delete minio --yes + argocd app delete pipeline-service-storage --yes if [ -n "${RESET_HARD}" ]; then # Remove any finalizers that might inhibit deletion - if argocd app get minio >/dev/null 2>&1; then - kubectl patch applications.argoproj.io -n openshift-gitops minio --type json --patch='[ { "op": "remove", "path": "/metadata/finalizers" } ]' >/dev/null 2>&1 + if argocd app get pipeline-service-storage >/dev/null 2>&1; then + kubectl patch applications.argoproj.io -n openshift-gitops pipeline-service-storage --type json --patch='[ { "op": "remove", "path": "/metadata/finalizers" } ]' >/dev/null 2>&1 fi # Check if the Argo CD application has been indeed removed - if argocd app get minio >/dev/null 2>&1; then - printf "\n[ERROR] Couldn't uninstall Minio Argo CD application." >&2 + if argocd app get pipeline-service-storage >/dev/null 2>&1; then + printf "\n[ERROR] Couldn't uninstall Pipeline Service Storage Argo CD application." 
>&2 exit 1 fi printf "\n Uninstalling Minio Operator:\n" kubectl delete -k "$DEV_DIR/gitops/argocd/minio" --ignore-not-found=true else - check_if_argocd_app_was_removed "minio" 25 + check_if_argocd_app_was_removed "pipeline-service-storage" 100 fi printf "\n Uninstalling Minio Operator:\n" @@ -205,7 +205,7 @@ uninstall_pipeline_service() { exit 1 fi else - check_if_argocd_app_was_removed "pipeline-service" 40 + check_if_argocd_app_was_removed "pipeline-service" 100 fi # Remove pipeline-service-manager resources @@ -319,8 +319,8 @@ uninstallOpenshiftPipelines() { main(){ parse_args "$@" prechecks - uninstall_minio uninstall_pipeline_service + uninstall_pipeline_service_storage if [ -n "${RESET_HARD}" ]; then uninstall_operators_and_controllers diff --git a/operator/gitops/argocd/pipeline-service.yaml b/operator/gitops/argocd/pipeline-service.yaml index 891c1298f..c8ede383a 100644 --- a/operator/gitops/argocd/pipeline-service.yaml +++ b/operator/gitops/argocd/pipeline-service.yaml @@ -8,7 +8,7 @@ metadata: argocd.argoproj.io/sync-wave: "0" spec: destination: - namespace: openshift-gitops + namespace: pipeline-service server: https://kubernetes.default.svc source: path: operator/gitops/argocd/pipeline-service diff --git a/operator/images/access-setup/content/bin/setup_work_dir.sh b/operator/images/access-setup/content/bin/setup_work_dir.sh index 24601e634..e8bb0b762 100755 --- a/operator/images/access-setup/content/bin/setup_work_dir.sh +++ b/operator/images/access-setup/content/bin/setup_work_dir.sh 
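Review bot: uninstall_pipeline_service_storage still runs `kubectl delete -k "$DEV_DIR/gitops/argocd/minio"` in the RESET_HARD branch, while the MinIO manifests touched by this diff live under `gitops/argocd/pipeline-service-storage/minio` and that directory's kustomization becomes `kind: Component`. If `$DEV_DIR/gitops/argocd/minio` no longer exists or no longer builds on its own (not visible here), `--ignore-not-found=true` does not help and a hard reset would leave the operator installed; point the command at a path that still builds. The finalizer `kubectl patch` sends all output to `/dev/null`, so a permission failure there only surfaces as the generic "Couldn't uninstall" error; letting stderr through would make that diagnosable. The function body continues past the end of the hunk.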
@@ -172,23 +172,11 @@ tekton_chains_manifest(){ } tekton_results_manifest(){ - miniosecret="$(kubectl get secrets minio-storage-configuration -o name -n tekton-results --ignore-not-found)" - if [ -z "$miniosecret" ]; then - printf "Need to create tekton results manifests for DB and S3 \n" - else - printf "Tekton results secrets already in place, returning from tekton_results_manifest \n" - # create minimal kustomization.yaml so calling function does not need to check for the secret as well - mkdir -p "$manifests_dir/compute/tekton-results" - kubectl create namespace tekton-results --dry-run=client -o yaml > "$manifests_dir/compute/tekton-results/namespace.yaml" - yq e -n '.resources += ["namespace.yaml"]' > "$manifests_dir/compute/tekton-results/kustomization.yaml" - printf "OK\n" - return - fi - results_kustomize="$manifests_dir/compute/tekton-results/kustomization.yaml" results_namespace="$manifests_dir/compute/tekton-results/namespace.yaml" results_db_secret="$manifests_dir/compute/tekton-results/tekton-results-db-secret.yaml" results_s3_secret="$manifests_dir/compute/tekton-results/tekton-results-s3-secret.yaml" + results_minio_user="$manifests_dir/compute/tekton-results/tekton-results-minio-user.yaml" results_minio_config="$manifests_dir/compute/tekton-results/tekton-results-minio-config.yaml" if [ ! -e "$results_kustomize" ]; then results_dir="$(dirname "$results_kustomize")" 
@@ -207,38 +195,52 @@ tekton_results_manifest(){ fi kubectl create namespace tekton-results --dry-run=client -o yaml > "$results_namespace" + yq -n '.resources += ["namespace.yaml"]' > "$results_kustomize" - kubectl create secret generic -n tekton-results tekton-results-database \ + db_secret="$(kubectl get secret tekton-results-database -n tekton-results -o name --ignore-not-found)" + if [ -z "$db_secret" ]; then + echo 'Tekton Results database secrets not found, new secrets will be created' + kubectl create secret generic -n tekton-results tekton-results-database \ --from-literal=db.user="$TEKTON_RESULTS_DATABASE_USER" \ --from-literal=db.password="$TEKTON_RESULTS_DATABASE_PASSWORD" \ --from-literal=db.host="postgres-postgresql.tekton-results.svc.cluster.local" \ --from-literal=db.name="tekton_results" \ --dry-run=client -o yaml > "$results_db_secret" + yq -i '.resources += ["tekton-results-db-secret.yaml"]' "$results_kustomize" + fi - kubectl create secret generic -n tekton-results tekton-results-s3 \ - --from-literal=aws_access_key_id="$TEKTON_RESULTS_S3_USER" \ - --from-literal=aws_secret_access_key="$TEKTON_RESULTS_S3_PASSWORD" \ - --from-literal=aws_region='not-applicable' \ - --from-literal=bucket=tekton-results \ - --from-literal=endpoint='https://minio.tekton-results.svc.cluster.local' \ - -n tekton-results --dry-run=client -o yaml > "$results_s3_secret" + s3_secret="$(kubectl get secret tekton-results-s3 -n tekton-results -o name --ignore-not-found)" + if [ -z "$s3_secret" ]; then + echo 'Tekton Results S3 secrets not found, new secrets will be created' + kubectl create secret generic -n tekton-results tekton-results-s3 \ + --from-literal=aws_access_key_id="$TEKTON_RESULTS_S3_USER" \ + --from-literal=aws_secret_access_key="$TEKTON_RESULTS_S3_PASSWORD" \ + --from-literal=aws_region='not-applicable' \ + --from-literal=bucket=tekton-results \ + --from-literal=endpoint='http://minio.tekton-results.svc.cluster.local' \ + -n tekton-results --dry-run=client -o 
yaml > "$results_s3_secret" - cat < "$results_minio_config" + kubectl create secret generic -n tekton-results minio-user \ + --from-literal=CONSOLE_ACCESS_KEY="$TEKTON_RESULTS_S3_USER" \ + --from-literal=CONSOLE_SECRET_KEY="$TEKTON_RESULTS_S3_PASSWORD" \ + -n tekton-results --dry-run=client -o yaml > "$results_minio_user" + + cat < "$results_minio_config" apiVersion: v1 kind: Secret metadata: - name: minio-storage-configuration + name: minio-configuration namespace: tekton-results type: Opaque stringData: config.env: |- - export MINIO_ROOT_USER="$TEKTON_RESULTS_S3_USER" - export MINIO_ROOT_PASSWORD="$TEKTON_RESULTS_S3_PASSWORD" - export MINIO_STORAGE_CLASS_STANDARD="EC:2" + export MINIO_ROOT_USER="minio" + export MINIO_ROOT_PASSWORD="$(openssl rand -base64 20)" + export MINIO_STORAGE_CLASS_STANDARD="EC:1" export MINIO_BROWSER="on" EOF - - yq e -n '.resources += ["namespace.yaml", "tekton-results-db-secret.yaml", "tekton-results-s3-secret.yaml", "tekton-results-minio-config.yaml"]' > "$results_kustomize" + yq -i '.resources += ["tekton-results-s3-secret.yaml", "tekton-results-minio-user.yaml", "tekton-results-minio-config.yaml"]' "$results_kustomize" + fi fi printf "OK\n" } diff --git a/operator/images/cluster-setup/content/bin/install.sh b/operator/images/cluster-setup/content/bin/install.sh index f84d1bf0a..64e69cabc 100755 --- a/operator/images/cluster-setup/content/bin/install.sh +++ b/operator/images/cluster-setup/content/bin/install.sh @@ -139,7 +139,7 @@ install_clusters() { check_deployments "openshift-pipelines" "${tektonDeployments[@]}" | indent 4 resultsDeployments=("tekton-results-api" "tekton-results-watcher") check_deployments "tekton-results" "${resultsDeployments[@]}" | indent 4 - resultsStatefulsets=("postgres-postgresql" "storage-pool-0") + resultsStatefulsets=("postgres-postgresql" "minio-pool-0") check_statefulsets "tekton-results" "${resultsStatefulsets[@]}" | indent 4 printf -- "- Checking pods status for controlplane namespaces\n"
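Review bot: The two `kubectl get secret ... --ignore-not-found` probes treat any empty output as "secret absent", so a failed lookup (expired token, API unreachable, missing RBAC) falls into the branch that writes new credential manifests. Unless the script runs under `set -e` (not visible in this hunk), applying those manifests may replace `db.password` and `aws_secret_access_key` with values the already-running Postgres and MinIO were not initialised with. Check the exit status explicitly, e.g. `db_secret="$(kubectl get secret tekton-results-database -n tekton-results -o name --ignore-not-found)" || exit 1`, and the same for `s3_secret`. Note also that `minio-configuration` and `minio-user` are only generated inside the `tekton-results-s3` check, so a cluster that already has the S3 secret but still has the old `minio-storage-configuration` gets no new `config.env`. tekton_results_manifest starts outside the hunk.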