Custom scripts and config for deployment

.gitignore

@@ -9,4 +9,7 @@ id_rsa.pub
 *.patch
 *.egg-info/
 .nox
-.tox
+.tox
+/stackhpc/github-secrets/*
+/stackhpc/keys/*
+force-teardown.sh

stackhpc/README.md

@@ -0,0 +1,7 @@
+# Installation
+1. Configure the files under deploy-zuul
+2. Create github-secrets/webhook_token containg Github app webhook token
+3. Create keys/github-key.pem containg Github app private key
+4. Run install.sh
+5. Once the zuul-web deployment has been created, run patch.sh
+6. You may need to restart the nodepool-launcher-kubernetes deployment after the patches are complete

stackhpc/database/mariadb-secret.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mariadb-secret
+stringData:
+  dburi: mariadb+pymysql://zuul:password@mysql:3306/zuul_db

stackhpc/database/mysql.yaml

@@ -0,0 +1,83 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  creationTimestamp: null
+  labels:
+    app.kubernetes.io/name: zuul
+    app.kubernetes.io/component: mysql
+  name: mysql
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: zuul
+      app.kubernetes.io/component: mysql
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        app.kubernetes.io/name: zuul
+        app.kubernetes.io/component: mysql
+    spec:
+      containers:
+        - env:
+            - name: MYSQL_DATABASE
+              value: zuul_db
+            - name: MYSQL_PASSWORD
+              value: password
+            - name: MYSQL_RANDOM_ROOT_PASSWORD
+              value: "yes"
+            - name: MYSQL_USER
+              value: "zuul"
+          image: mariadb:10.10
+          name: mysql
+          ports:
+            - containerPort: 3306
+          resources: {}
+          volumeMounts:
+            - mountPath: /var/lib/mysql
+              name: var-lib-mysql
+      hostname: mysql
+      restartPolicy: Always
+      volumes:
+        - name: var-lib-mysql
+          persistentVolumeClaim:
+            claimName: var-lib-mysql
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  creationTimestamp: null
+  labels:
+    app.kubernetes.io/name: zuul
+    app.kubernetes.io/component: mysql
+  name: mysql
+spec:
+  ports:
+    - name: mysql
+      port: 3306
+      targetPort: 3306
+  selector:
+    app.kubernetes.io/name: zuul
+    app.kubernetes.io/component: mysql
+
+---
+
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  creationTimestamp: null
+  labels:
+    app.kubernetes.io/name: zuul
+    app.kubernetes.io/component: mysql
+  name: var-lib-mysql
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi

stackhpc/deploy-zuul/main.yaml

@@ -0,0 +1,14 @@
+- tenant:
+    name: my-tenant
+    exclude-unprotected-branches: false
+    source:
+      github:
+        config-projects:
+         - wtripp180901/zuul-config-test
+        untrusted-projects:
+          - wtripp180901/zuul-test-repo-a
+          - wtripp180901/zuul-test-repo-b
+          - wtripp180901/zuul-test-repo-c
+      opendev:
+        untrusted-projects:
+          - zuul/zuul-jobs

stackhpc/deploy-zuul/nodepool.yaml

@@ -0,0 +1,24 @@
+zookeeper-servers:
+  - host: zookeeper
+    port: 2281
+
+zookeeper-tls:
+  cert: /var/certs/certs/client.pem
+  key: /var/certs/keys/clientkey.pem
+  ca: /var/certs/certs/cacert.pem
+
+labels:
+  - name: zuul-jobs-ns
+  - name: zuul-job-pod
+
+providers:
+  - name: kubernetes
+    driver: kubernetes
+    pools:
+      - name: main
+        labels:
+          - name: zuul-jobs-ns
+            type: namespace
+          - name: zuul-job-pod
+            type: pod
+            image: docker.io/rockylinux:8

stackhpc/deploy-zuul/zuul-permissions-role.yaml

@@ -0,0 +1,30 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: zuul-permissions
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - apply
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: zuul-perms-rb
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: zuul-permissions
+subjects:
+  - kind: ServiceAccount
+    name: default
+    namespace: default

stackhpc/deploy-zuul/zuul.yaml

@@ -0,0 +1,29 @@
+apiVersion: operator.zuul-ci.org/v1alpha2
+kind: Zuul
+metadata:
+  name: zuul
+spec:
+  executor:
+    count: 1
+    # sshkey:
+    #   secretName: executor-secret
+  scheduler:
+    config:
+      secretName: zuul-tenant-config
+  launcher:
+    config:
+      secretName: zuul-nodepool-config
+  web:
+    count: 1
+  connections:
+    github:
+      driver: github
+      app_id: 382716
+      app_key: /gh-keys/gh-key.pem
+      secretName: github-secrets
+    opendev:
+      driver: git
+      baseurl: https://opendev.org/
+  database:
+    allowUnsafeConfig: True
+    secretName: mariadb-secret

stackhpc/install.sh

@@ -0,0 +1,9 @@
+kubectl apply -f "database/*.yaml"
+kubectl apply -f ../deploy/crds/zuul-ci_v1alpha2_zuul_crd.yaml
+kubectl apply -f ../deploy/rbac-admin.yaml
+kubectl apply -f ../deploy/operator.yaml
+kubectl create secret generic zuul-nodepool-config --from-file=deploy-zuul/nodepool.yaml
+kubectl create secret generic zuul-tenant-config --from-file=deploy-zuul/main.yaml
+kubectl create secret generic github-secrets --from-file=github-secrets
+kubectl create secret generic gh-key --from-file=keys
+kubectl apply -f deploy-zuul/zuul.yaml

stackhpc/patch-files/executor-key-patchfile.yaml

@@ -0,0 +1,12 @@
+spec:
+  template:
+    spec:
+      containers:
+        - name: executor
+          volumeMounts:
+            - name: gh-keys
+              mountPath: /gh-keys
+      volumes:
+        - name: gh-keys
+          secret:
+            secretName: gh-key

stackhpc/patch-files/scheduler-key-patchfile.yaml

@@ -0,0 +1,12 @@
+spec:
+  template:
+    spec:
+      containers:
+        - name: scheduler 
+          volumeMounts:
+            - name: gh-keys
+              mountPath: /gh-keys
+      volumes:
+        - name: gh-keys
+          secret:
+            secretName: gh-key

stackhpc/patch-files/web-key-patchfile.yaml

@@ -0,0 +1,12 @@
+spec:
+  template:
+    spec:
+      containers:
+        - name: web 
+          volumeMounts:
+            - name: gh-keys
+              mountPath: /gh-keys
+      volumes:
+        - name: gh-keys
+          secret:
+            secretName: gh-key

stackhpc/patch-files/web-service-patchfile.yaml

@@ -0,0 +1,3 @@
+spec:
+  type: LoadBalancer
+  loadBalancerIP: 192.171.169.119

stackhpc/patch-files/zookeeper-image-patchfile.yaml

@@ -0,0 +1,6 @@
+spec:
+  template:
+    spec:
+      containers:
+        - name: zookeeper
+          image: "zookeeper:3.8.2"

stackhpc/patch.sh

@@ -0,0 +1,5 @@
+kubectl patch deployment zuul-web --patch-file=patch-files/web-key-patchfile.yaml
+kubectl patch statefulset zuul-scheduler  --patch-file=patch-files/scheduler-key-patchfile.yaml
+kubectl patch service zuul-web  --patch-file=patch-files/web-service-patchfile.yaml
+kubectl patch statefulset zuul-executor  --patch-file=patch-files/executor-key-patchfile.yaml
+kubectl patch statefulset zookeeper --patch-file=patch-files/zookeeper-image-patchfile.yaml