Add zuul-tenant-conf-check role/job

This performs static validation of Zuul tenant config files.

Change-Id: I5d439d6cfb963e55d07b2a0058de76f030fe47b3
This commit is contained in:
James E. Blair 2024-01-31 14:34:52 -08:00
parent 7761396303
commit 73bdf1f2df
11 changed files with 210 additions and 0 deletions

View File

@ -12,3 +12,4 @@ General Purpose Jobs
.. zuul:autojob:: shake-build .. zuul:autojob:: shake-build
.. zuul:autojob:: upload-git-mirror .. zuul:autojob:: upload-git-mirror
.. zuul:autojob:: validate-zone-db .. zuul:autojob:: validate-zone-db
.. zuul:autojob:: zuul-tenant-conf-check

View File

@ -59,3 +59,4 @@ General Purpose Roles
.. zuul:autorole:: validate-zone-db .. zuul:autorole:: validate-zone-db
.. zuul:autorole:: version-from-git .. zuul:autorole:: version-from-git
.. zuul:autorole:: write-inventory .. zuul:autorole:: write-inventory
.. zuul:autorole:: zuul-tenant-conf-check

View File

@ -0,0 +1,3 @@
- hosts: all
roles:
- ensure-docker

View File

@ -0,0 +1,3 @@
- hosts: all
roles:
- zuul-tenant-conf-check

View File

@ -0,0 +1,50 @@
Run the zuul-admin tenant-conf-check command.
This requires a partial zuul.conf (it only needs the connection
entries, and those without any credential information) and a tenant
config file. It will validate the syntax of the tenant config file
(but not the job configuration of any projects in the tenants).
**Role Variables**
.. zuul:rolevar:: zuul_tenant_conf_check_zuul_conf_path
The path to the partial zuul.conf to use. This must contain the
connection entries, but no credentials are required. Any other
sections are ignored.
.. zuul:rolevar:: zuul_tenant_conf_check_tenant_config_path
The path to the tenant config file to check.
.. zuul:rolevar:: zuul_tenant_conf_check_image
:default: quay.io/zuul-ci/zuul-scheduler:latest
The Zuul scheduler container image which contains the zuul-admin
command to run.
.. zuul:rolevar:: zuul_tenant_conf_check_registry_credentials
An optional value, expected in the form of a secret, that supplies
credential information if zuul_tenant_conf_check_image is in a
registry that requires authentication. The format is a dictionary
keyed by the registry name. Example:
.. code-block:: yaml
zuul_tenant_conf_check_registry_credentials:
docker.io:
username: 'username'
password: 'password'
.. zuul:rolevar:: [registry_name]
The dictionary key should be the name of the registry
.. zuul:rolevar:: username
The registry username.
.. zuul:rolevar:: password
The registry password.

View File

@ -0,0 +1 @@
zuul_tenant_conf_check_image: quay.io/zuul-ci/zuul-scheduler:latest

View File

@ -0,0 +1,53 @@
- name: Create temporary directory
tempfile:
state: directory
register: zj_zuul_tenant_conf_check_tempdir
- name: Copy zuul.conf to temporary directory
copy:
src: "{{ zuul_tenant_conf_check_zuul_conf_path }}"
dest: "{{ zj_zuul_tenant_conf_check_tempdir.path }}/zuul.conf"
- name: Copy tenant config to temporary directory
copy:
src: "{{ zuul_tenant_conf_check_tenant_config_path }}"
dest: "{{ zj_zuul_tenant_conf_check_tempdir.path }}/main.yaml"
- name: Update zuul.conf with tenant config path
ini_file:
path: "{{ zj_zuul_tenant_conf_check_tempdir.path }}/zuul.conf"
section: scheduler
option: tenant_config
value: "/work/main.yaml"
state: present
- name: Identify container registry for authentication
when: zuul_tenant_conf_check_registry_credentials is defined
set_fact:
_registry: "{{ (zuul_tenant_conf_check_image | split('/', 1)).0 }}"
_repopath: "{{ (zuul_tenant_conf_check_image | split('/', 1)).1 }}"
- name: Log into container registry
when: zuul_tenant_conf_check_registry_credentials is defined
command: >-
docker login
-u "{{ zuul_tenant_conf_check_registry_credentials[_registry].username }}"
-p "{{ zuul_tenant_conf_check_registry_credentials[_registry].password }}"
{{ _registry }}
- name: Run tenant-conf-check
block:
- name: Run tenant-conf-check
command: >-
docker run --rm -t
-v "{{ zj_zuul_tenant_conf_check_tempdir.path }}:/work"
{{ zuul_tenant_conf_check_image }}
zuul-admin -c /work/zuul.conf tenant-conf-check
always:
- name: Remove temporary directory
file:
path: "{{ zj_zuul_tenant_conf_check_tempdir.path }}"
state: absent
- name: Log out of container registry
when: zuul_tenant_conf_check_registry_credentials is defined
command: docker logout

View File

@ -0,0 +1,8 @@
- tenant:
name: opendev
max-nodes-per-job: 10
source:
gerrit:
config-projects:
- opendev/project-config
- opendev/base-jobs

View File

@ -0,0 +1,22 @@
[connection "smtp"]
driver=smtp
server=localhost
port=25
[connection "gerrit"]
driver=gerrit
server=review.opendev.org
user=openstack-zuul
[connection "opendaylight"]
driver=gerrit
server=git.opendaylight.org
user=openstack-zuul
[connection "github"]
driver=github
[connection "googlesource"]
driver=gerrit
server=gerrit-review.googlesource.com
user=git-infra-root.openstack.org

View File

@ -925,6 +925,18 @@
vars: vars:
zuul_use_fetch_output: false zuul_use_fetch_output: false
- job:
name: zuul-jobs-test-zuul-tenant-conf-check
description: Test the zuul-tenant-conf-check role
parent: zuul-tenant-conf-check
files:
- roles/zuul-tenant-conf-check/.*
vars:
zuul_tenant_conf_check_zuul_conf_path: '{{ zuul.executor.work_root }}/{{ zuul.project.src_dir
}}/test-playbooks/zuul-tenant-conf-check/zuul.conf'
zuul_tenant_conf_check_tenant_config_path: '{{ zuul.executor.work_root }}/{{
zuul.project.src_dir }}/test-playbooks/zuul-tenant-conf-check/main.yaml'
# -* AUTOGENERATED *- # -* AUTOGENERATED *-
# The following project section is autogenerated by # The following project section is autogenerated by
# tox -e update-test-platforms # tox -e update-test-platforms
@ -1001,6 +1013,7 @@
- zuul-jobs-test-stage-output - zuul-jobs-test-stage-output
- zuul-jobs-test-fetch-translation-output - zuul-jobs-test-fetch-translation-output
- zuul-jobs-test-fetch-translation-output-synchronize - zuul-jobs-test-fetch-translation-output-synchronize
- zuul-jobs-test-zuul-tenant-conf-check
gate: gate:
jobs: *id001 jobs: *id001
periodic-weekly: periodic-weekly:

View File

@ -152,3 +152,58 @@
pre-run: playbooks/shake/pre.yaml pre-run: playbooks/shake/pre.yaml
run: playbooks/shake/run.yaml run: playbooks/shake/run.yaml
- job:
name: zuul-tenant-conf-check
description: |
Run the zuul-admin tenant-conf-check command.
This requires a partial zuul.conf (it only needs the connection
entries, and those without any credential information) and a
tenant config file. It will validate the syntax of the tenant
config file (but not the job configuration of any projects in
the tenants).
.. zuul:jobvar:: zuul_tenant_conf_check_zuul_conf_path
The path to the partial zuul.conf to use. This must contain the
connection entries, but no credentials are required. Any other
sections are ignored.
.. zuul:jobvar:: zuul_tenant_conf_check_tenant_config_path
The path to the tenant config file to check.
.. zuul:jobvar:: zuul_tenant_conf_check_image
:default: quay.io/zuul-ci/zuul-scheduler:latest
The Zuul scheduler container image which contains the zuul-admin
command to run.
.. zuul:jobvar:: zuul_tenant_conf_check_registry_credentials
An optional value, expected in the form of a secret, that supplies
credential information if zuul_tenant_conf_check_image is in a
registry that requires authentication. The format is a dictionary
keyed by the registry name. Example:
.. code-block:: yaml
zuul_tenant_conf_check_registry_credentials:
docker.io:
username: 'username'
password: 'password'
.. zuul:jobvar:: [registry_name]
The dictionary key should be the name of the registry
.. zuul:jobvar:: username
The registry username.
.. zuul:jobvar:: password
The registry password.
pre-run: playbooks/zuul-tenant-conf-check/pre.yaml
run: playbooks/zuul-tenant-conf-check/run.yaml