From 1843bbad07873491da61adf40602682bd81f5707 Mon Sep 17 00:00:00 2001 From: Fabian Arrotin Date: Oct 21 2021 12:27:36 +0000 Subject: Adding some notes about cico-workspace build workflow Signed-off-by: Fabian Arrotin --- diff --git a/docs/operations/ci/upgrades/cico-workspace-container.md b/docs/operations/ci/upgrades/cico-workspace-container.md new file mode 100644 index 0000000..294290f --- /dev/null +++ b/docs/operations/ci/upgrades/cico-workspace-container.md 
@@ -0,0 +1,30 @@ +# cico-workspace container upgrade + +## Overview + +We provide a [template](https://github.com/centosci/images/blob/master/cico-workspace/openshift/templates/centosci-workspace.yml) that is used to pre-deploy dedicated jenkins pod in our openshift setup. +It's using jenkins container maintained by Red Hat (RH catalog) and also a specific jenkins-agent container (called cico-workspace) that is spun up for each job that should run in that jenkins environment (dedicated per project/tenant in CI ocp infra) + +All that is also discussed in the "Onboard Tenants" section. + +## Updating cico-workspace image + +The `cico-workspace` container image is available in dedicated [Quay.io](https://quay.io/repository/centosci/cico-workspace) repository. +That's the repositry/registry that ocp.ci cluster is using to spin up cico-workspace containers on demand, always verifying if there is a new one and then pulling : + +```xml + quay.io/centosci/cico-workspace:latest + false + true +``` + +The container (re)build process happens either through : + + * git commit/push in upstream [git repository](https://github.com/centosci/images) + * a manual build trigger in quay.io + +Some notes about what we provide in that cico-workspace image : + + * centos 7 updated container with jenkins agent (java) + * ansible (from our own configmanagement SIG) + * [python-cicoclient](https://github.com/CentOS/python-cicoclient/) rpm built through cbs.centos.org koji, and needed to interact easily with Duffy API when requesting a node to run tests on diff --git a/docs/security/tls.md b/docs/security/tls.md index 75f08a4..66b8ce4 100644 --- a/docs/security/tls.md +++ b/docs/security/tls.md 
@@ -248,11 +248,13 @@ You can still "force" the playbook execution if you want, from ansible bot host There is no dedicated ansible host/management station for ci infra (yet) so you have to run it yourself. Once you have pushed the renewed certs (through git-crypted pkistore git repo), you can just apply with : ``` -for role in haproxy ocp-admin-node ; do +for role in haproxy ocp-admin-nodei jenkins-server ; do ansible-playbook playbooks/role-${role}.yml --tags "tls,pki,certs" done ``` + + #### CentOS Stream infra Same as for other parts of infra, except that you *have* to encrypt with ansible-vault before git commit/git push operations (important). Once done : diff --git a/mkdocs.yml b/mkdocs.yml index ed6d420..b9345be 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -50,6 +50,7 @@ nav: - Upgrades: - operations/ci/upgrades/upgrade-notification-template.md - operations/ci/upgrades/upgrade-jenkins.md + - operations/ci/upgrades/cico-workspace-container.md - Spikes: - Configure default permissions for ACO users: operations/ci/configuring_default_aco_user_permissions.md
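Review bot: in docs/operations/ci/upgrades/cico-workspace-container.md, the "Updating cico-workspace image" section should say who is allowed to trigger a rebuild and how a bad image is rolled back. The text documents that agents run `quay.io/centosci/cico-workspace:latest` and that the cluster always checks for a newer image and pulls it, so any git push to the upstream repository or manual build trigger in quay.io reaches the next job of every tenant with no review step described. A sentence on push/trigger permissions, plus a note on how to fall back to a previous tag or digest, would close that gap. Two smaller points in the same section: the `xml` block as shown carries only bare values, so it is unclear which settings `false` and `true` belong to (keep the element names), and "repositry" should read "repository".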
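Review bot: in the docs/security/tls.md hunk, `ocp-admin-nodei` on the added `for role in ...` line looks like a typo for `ocp-admin-node`, the name on the removed line. As written, the loop would call playbooks/role-ocp-admin-nodei.yml, and because nothing in the loop stops on failure it would carry on to jenkins-server, so someone copy-pasting the snippet could miss that the renewed certs were never applied to the admin node. Suggested line: `for role in haproxy ocp-admin-node jenkins-server ; do`. The two blank lines added before "#### CentOS Stream infra" look unintentional, and the commit subject only mentions cico-workspace notes, so the jenkins-server addition deserves a line in the message or its own commit.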