Bump stack from cflinuxfs3 to cflinuxfs4 [v7] (#3157)

Use CAPI release version var Remove min CAPI jobs Move ops-files from cli-ci to this repo
cloudfoundry · Aug 30, 2024 · 2b7d99c · 2b7d99c
1 parent e91fa56
commit 2b7d99c
Show file tree

Hide file tree

Showing 26 changed files with 242 additions and 232 deletions.
diff --git a/.github/ops-files/add-oidc-provider.yml b/.github/ops-files/add-oidc-provider.yml
@@ -0,0 +1,155 @@
+---
+- type: replace
+  path: /instance_groups/name=uaa/jobs/name=uaa/properties/login/oauth?/providers?
+  value:
+    cli-oidc-provider:
+      type: oidc1.0
+      discoveryUrl: https://uaa-oidc.service.cf.internal:8443/.well-known/openid-configuration
+      scopes:
+        - openid
+      linkText: My other uaa Oauth Provider
+      showLinkText: true
+      addShadowUserOnLogin: true
+      relyingPartyId: rp_oidc_admin
+      relyingPartySecret: adminsecret
+      skipSslValidation: true
+      storeCustomAttributes: true
+      passwordGrantEnabled: true
+      attributeMappings:
+        given_name: given_name
+        family_name: family_name
+        user_name: user_name
+
+- type: replace
+  path: /instance_groups/name=uaa:after
+  value:
+    name: uaa-oidc
+    instances: 1
+    azs: [z1, z2, z3]
+    vm_type: default
+    stemcell: default
+    persistent_disk: 500
+    networks:
+    - name: default
+    jobs:
+    - name: uaa
+      release: uaa
+      properties:
+        encryption:
+          active_key_label: 'key-1'
+          encryption_keys:
+            - label: 'key-1'
+              passphrase: 'MY-PASSPHRASE'
+        uaadb:
+          address: sql-db.service.cf.internal
+          databases:
+          - name: uaa_oidc
+            tag: uaa
+          db_scheme: mysql
+          port: 3306
+          roles:
+          - name: uaa-oidc
+            password: "((uaa_oidc_database_password))"
+            tag: admin
+        uaa:
+          url: https://uaa-oidc.service.cf.internal:8443
+          jwt:
+            policy:
+              active_key_id: key-1
+              keys:
+                key-1:
+                  signingKey: ((uaa-oidc-key1.private_key))
+          sslCertificate: ((uaa-oidc_tls.certificate))
+          sslPrivateKey: ((uaa-oidc_tls.private_key))
+          ca_certs:
+          - ((mysql_server_certificate.ca))
+          clients:
+            rp_oidc_admin:
+              authorized-grant-types: authorization_code,client_credentials,refresh_token,user_token,password,urn:ietf:params:oauth:grant-type:saml2-bearer,implicit
+              redirect-uri: https://uaa.service.cf.internal:8443/login/callback/cli-oidc-provider
+              scope: openid,uaa.admin,clients.read,clients.write,clients.secret,scim.read,scim.write,clients.admin,uaa.user,doppler.firehose
+              authorities: uaa.admin,clients.admin
+              secret: adminsecret
+          scim:
+            user:
+              override: true
+            users:
+              - name: admin-oidc
+                password: "((uaa_oidc_admin_password))"
+                groups:
+                  - uaa.admin
+        login:
+          protocol: https
+          saml:
+            activeKeyId: key1
+            keys:
+              key1:
+                key: ((saml_oidc-key1.private_key))
+                passphrase: ''
+                certificate: ((saml_oidc-key1.certificate))
+
+- type: replace
+  path: /addons/name=bosh-dns-aliases/jobs/name=bosh-dns-aliases/properties/aliases/-
+  value:
+    domain: uaa-oidc.service.cf.internal
+    targets:
+    - query: '*'
+      instance_group: uaa-oidc
+      deployment: cf
+      network: default
+      domain: bosh
+
+- type: replace
+  path: /instance_groups/name=database/jobs/name=pxc-mysql/properties/seeded_databases?/-
+  value:
+    name: uaa_oidc
+    username: uaa-oidc
+    password: "((uaa_oidc_database_password))"
+
+- type: replace
+  path: /variables?/-
+  value:
+    name: uaa_oidc_admin_password
+    type: password
+
+- type: replace
+  path: /variables?/-
+  value:
+    name: uaa_oidc_database_password
+    type: password
+
+- type: replace
+  path: /variables?/-
+  value:
+    name: uaa-oidc-key1
+    type: rsa
+
+- type: replace
+  path: /variables?/-
+  value:
+    name: uaa-oidc_ca
+    type: certificate
+    options:
+      is_ca: true
+      common_name: uaa-oidc
+      alternative_names: ["*.uaa-oidc.service.cf.internal"]
+      extended_key_usage:
+      - server_auth
+
+- type: replace
+  path: /variables?/-
+  value:
+    name: saml_oidc-key1
+    type: certificate
+    options:
+      ca: uaa-oidc_ca
+      common_name: saml_oidc
+
+- type: replace
+  path: /variables?/-
+  value:
+    name: uaa-oidc_tls
+    type: certificate
+    options:
+      ca: uaa-oidc_ca
+      common_name: uaa-oidc.service.cf.internal
diff --git a/.github/ops-files/add-uaa-client-credentials.yml b/.github/ops-files/add-uaa-client-credentials.yml
@@ -0,0 +1,11 @@
+---
+- type: replace
+  path: /instance_groups/name=uaa/jobs/name=uaa/properties/uaa/clients/potato-face?
+  value:
+    access-token-validity: 600
+    authorized-grant-types: client_credentials
+    override: true
+    secret: ((client-secret))
+    scope: openid,routing.router_groups.write,scim.read,cloud_controller.admin,uaa.user,routing.router_groups.read,cloud_controller.read,password.write,cloud_controller.write,network.admin,doppler.firehose,scim.write,uaa.admin
+    authorities: openid,routing.router_groups.write,scim.read,cloud_controller.admin,uaa.user,routing.router_groups.read,cloud_controller.read,password.write,cloud_controller.write,network.admin,doppler.firehose,scim.write,uaa.admin
+
diff --git a/.github/ops-files/diego-cell-instances.yml b/.github/ops-files/diego-cell-instances.yml
@@ -0,0 +1,4 @@
+---
+- type: replace
+  path: /instance_groups/name=diego-cell/instances
+  value: 3
diff --git a/.github/ops-files/use-cflinuxfs3.yml b/.github/ops-files/use-cflinuxfs3.yml
diff --git a/.github/ops-files/use-latest-capi.yml b/.github/ops-files/use-latest-capi.yml
@@ -0,0 +1,10 @@
+---
+- type: replace
+  path: /releases/name=capi/version
+  value: latest
+
+- type: remove
+  path: /releases/name=capi/url?
+
+- type: remove
+  path: /releases/name=capi/sha1?
diff --git a/.github/workflows/tests-integration-reusable.yml b/.github/workflows/tests-integration-reusable.yml
@@ -10,9 +10,6 @@ name: "pvt: run integration tests"
 on:
   workflow_call:
     inputs:
-      capi-version:
-        required: true
-        type: string
       run-with-client-creds:
         required: true
         type: boolean
@@ -69,7 +66,6 @@ jobs:
 
     - name: Checkout cf-deployment
       uses: actions/checkout@v4
-      if: ${{ inputs.capi-version == 'edge' }}
       with:
         repository: cloudfoundry/cf-deployment
         path: cf-deployment
@@ -89,7 +85,7 @@ jobs:
       run: |
         shepherd login service-account ${account_token}
 
-        echo "shepherd create lease --duration 8h --pool ${pool_name} --pool-namespace ${pool_namespace} --namespace tas-devex"
+        echo "shepherd create lease --duration 8h --pool ${pool_name} --pool-namespace ${pool_namespace} --namespace tas-devex --description 'CLI GHA'"
         lease_id=$(shepherd create lease --duration 8h --pool ${pool_name} --pool-namespace ${pool_namespace} --namespace tas-devex --json | jq -r .id)
         # Give sometime for the lease to complete. Shepherd may take upto an 3 hours to create an env
         # if the pool is empty.
@@ -145,9 +141,14 @@ jobs:
         apt-get install -y build-essential
 
     - name: Upload latest CAPI release
-      if: ${{ inputs.capi-version == 'edge' }}
+      env:
+        capi_release_version: ${{ vars.CAPI_RELEASE_VERSION }}
       run: |
-        capi_release_version=$(curl -s https://api.github.com/repos/cloudfoundry/capi-release/releases/latest | jq -r .tag_name)
+        if [ -z "$capi_release_version" ]
+        then
+          capi_release_version=$(curl -s https://api.github.com/repos/cloudfoundry/capi-release/releases/latest | jq -r .tag_name)
+        fi
+        
         echo "Latest CAPI release is $capi_release_version"
         
         eval "$(bbl print-env --metadata-file metadata.json)"
@@ -156,7 +157,6 @@ jobs:
         bosh upload-release "https://bosh.io/d/github.com/cloudfoundry/capi-release?v=$capi_release_version"
 
     - name: Deploy Isolation Segment and OIDC Provider
-      if: ${{ inputs.capi-version == 'edge' }}
       run: |
         env_name=$(jq -r .name metadata.json)
         jq -r .bosh.jumpbox_private_key metadata.json > /tmp/${env_name}.priv
@@ -165,35 +165,13 @@ jobs:
         # deploy
         bosh -d cf manifest > /tmp/manifest.yml
         bosh interpolate /tmp/manifest.yml \
-          -o .github/ops-files/use-cflinuxfs3.yml \
-          -o .github/ops-files/replace-redis.yml \
+          -o cf-deployment/operations/use-internal-lookup-for-route-services.yml \
           -o cf-deployment/operations/add-persistent-isolation-segment-diego-cell.yml \
-          -o cli-ci/ci/infrastructure/operations/use-latest-capi.yml \
-          -o cli-ci/ci/infrastructure/operations/add-oidc-provider.yml \
-          -o cli-ci/ci/infrastructure/operations/add-uaa-client-credentials.yml \
-          -o cli-ci/ci/infrastructure/operations/diego-cell-instances.yml \
-          -v client-secret="${{ secrets.CLIENT_SECRET }}" \
-          > ./director.yml
-
-        bosh -d cf deploy director.yml -n
-        echo "Deployed CAPI version:"
-        bosh -d cf releases | grep capi
-
-    - name: Deploy MIN CAPI with Isolation Segment and OIDC Provider
-      if: ${{ inputs.capi-version != 'edge' }}
-      run: |
-        env_name=$(jq -r .name metadata.json)
-        jq -r .bosh.jumpbox_private_key metadata.json > /tmp/${env_name}.priv
-        eval "$(bbl print-env --metadata-file metadata.json)"
-
-        # deploy
-        bosh -d cf manifest > /tmp/manifest.yml
-        bosh interpolate /tmp/manifest.yml \
-          -o cf-deployment/operations/test/add-persistent-isolation-segment-diego-cell.yml \
-          -o cli-ci/ci/infrastructure/operations/add-oidc-provider.yml \
-          -o cli-ci/ci/infrastructure/operations/add-uaa-client-credentials.yml \
-          -o cli-ci/ci/infrastructure/operations/diego-cell-instances.yml \
-          -o cli-ci/ci/infrastructure/operations/use-latest-ruby-buildpack.yml \
+          -o .github/ops-files/replace-redis.yml \
+          -o .github/ops-files/use-latest-capi.yml \
+          -o .github/ops-files/add-oidc-provider.yml \
+          -o .github/ops-files/add-uaa-client-credentials.yml \
+          -o .github/ops-files/diego-cell-instances.yml \
           -v client-secret="${{ secrets.CLIENT_SECRET }}" \
           > ./director.yml