├── CLAUDE.md ├── jenkins ├── image_building │ ├── dib_elements │ │ ├── centos-ci │ │ │ ├── element-deps │ │ │ ├── README.md │ │ │ ├── install.d │ │ │ │ └── 55-install │ │ │ └── post-install.d │ │ │ │ └── 55-configure │ │ ├── leap-ci │ │ │ ├── element-deps │ │ │ ├── install.d │ │ │ │ └── 55-install │ │ │ ├── README.md │ │ │ ├── finalise.d │ │ │ │ └── 51-edit-grub-config │ │ │ └── post-install.d │ │ │ │ └── 55-configure │ │ ├── ubuntu-ci │ │ │ ├── element-deps │ │ │ ├── README.md │ │ │ └── install.d │ │ │ │ └── 55-install │ │ ├── centos-node │ │ │ ├── element-deps │ │ │ ├── post-install.d │ │ │ │ └── 90-pre-pull-images │ │ │ ├── package-installs.yaml │ │ │ ├── pre-install.d │ │ │ │ └── 55-setup-repos │ │ │ ├── README.md │ │ │ └── install.d │ │ │ │ └── 55-install │ │ ├── ubuntu-node │ │ │ ├── element-deps │ │ │ ├── package-installs.yaml │ │ │ ├── post-install.d │ │ │ │ └── 90-pre-pull-images │ │ │ ├── pre-install.d │ │ │ │ └── 55-setup-repos │ │ │ ├── README.md │ │ │ └── install.d │ │ │ │ └── 55-install │ │ ├── ci-base │ │ │ ├── element-deps │ │ │ ├── package-installs.yaml │ │ │ ├── README.md │ │ │ └── pkg-map │ │ └── leap-node │ │ │ ├── element-deps │ │ │ ├── post-install.d │ │ │ └── 90-pre-pull-images │ │ │ ├── package-installs.yaml │ │ │ ├── finalise.d │ │ │ └── 51-edit-grub-config │ │ │ ├── install.d │ │ │ └── 55-install │ │ │ ├── pre-install.d │ │ │ └── 55-setup-repos │ │ │ └── README.md │ ├── authorized_keys │ ├── initrd_sdk │ │ ├── unseal-and-open-luks.service │ │ ├── tpm2-unseal-key.sh │ │ ├── test_unlock_config │ │ ├── verify-realroot.sh │ │ └── README.md │ ├── verify-ci-image.sh │ ├── verify-node-image.sh │ └── upload-node-image.sh ├── scripts │ ├── bare_metal_lab │ │ ├── tasks │ │ │ └── pod_scaling │ │ │ │ ├── ansible.cfg │ │ │ │ └── inventory.ini │ │ ├── cleanup-lab.yaml │ │ ├── deploy-lab.yaml │ │ ├── files │ │ │ └── reset_network.sh │ │ ├── templates │ │ │ └── bmhosts_crs.yaml.j2 │ │ ├── bml_cleanup.sh │ │ ├── README.md │ │ └── default_vars │ │ │ └── 
vars.yaml │ ├── dynamic_worker_workflow │ │ ├── bmh-patch-short-serial.yaml │ │ ├── ipa_builder_elements │ │ │ ├── ipa-file-injector │ │ │ │ ├── environment.d │ │ │ │ │ └── 99-install-file-injector │ │ │ │ ├── install.d │ │ │ │ │ └── 99-enable-ipa-file-injector │ │ │ │ └── root.d │ │ │ │ │ ├── ipa-file-injector.service.template │ │ │ │ │ └── 99-install-file-injector │ │ │ ├── override-simple-init │ │ │ │ ├── environment.d │ │ │ │ │ └── 99-override-simple-init │ │ │ │ └── post-install.d │ │ │ │ │ ├── 99-override-simple-init │ │ │ │ │ └── glean-early-override-template.service │ │ │ ├── ipa-cleanup-dracut │ │ │ │ ├── finalise.d │ │ │ │ │ └── 99-delete-dracut │ │ │ │ └── cleanup.d │ │ │ │ │ └── 99-ipa-cleanup-dracut │ │ │ ├── cleanup-package │ │ │ │ ├── post-install.d │ │ │ │ │ └── 99-cleanup-package │ │ │ │ └── environment.d │ │ │ │ │ └── 99-cleanup-package │ │ │ ├── ipa-add-buildinfo │ │ │ │ └── install.d │ │ │ │ │ └── 80-ipa-add-buildinfo │ │ │ ├── ipa-lvm-support │ │ │ │ └── install.d │ │ │ │ │ └── 99-install-lvm2 │ │ │ ├── ipa-luks-tpm-support │ │ │ │ └── install.d │ │ │ │ │ └── 99-install-luks-tpm │ │ │ └── ipa-module-autoload │ │ │ │ └── install.d │ │ │ │ └── 80-ipa-module-autoload │ │ ├── run_clean.sh │ │ └── fullstack.sh │ ├── get_last_n_release_branches.sh │ └── get_latest_tag.sh ├── images │ └── jenkins_metal3_view.png └── jobs │ └── clean_resources.groovy ├── prow ├── images │ ├── webhook.png │ ├── green_webhook.png │ ├── metal3-io-bot.png │ └── token-scopes.png ├── manifests │ ├── base │ │ ├── namespace.yaml │ │ ├── test-pods.yaml │ │ ├── kustomization.yaml │ │ ├── ghproxy.yaml │ │ └── horologium.yaml │ └── overlays │ │ └── metal3 │ │ ├── limitrange.yaml │ │ ├── patches │ │ ├── deck.yaml │ │ ├── hook.yaml │ │ ├── crier.yaml │ │ ├── tide.yaml │ │ ├── sinker.yaml │ │ ├── ghproxy.yaml │ │ ├── horologium.yaml │ │ ├── cherrypicker.yaml │ │ ├── needs-rebase.yaml │ │ ├── jenkins-operator.yaml │ │ ├── statusreconciler.yaml │ │ └── prow-controller-manager.yaml │ │ 
├── pdb.yaml │ │ ├── toleration-node-selector-patch.yaml │ │ ├── ingress.yaml │ │ ├── test-pods-externalsecrets.yaml │ │ ├── external-plugins │ │ ├── cherrypicker_service.yaml │ │ ├── needs-rebase_service.yaml │ │ ├── labels_cronjob.yaml │ │ ├── needs-rebase_deployment.yaml │ │ └── cherrypicker_deployment.yaml │ │ ├── prow-externalsecrets.yaml │ │ └── kustomization.yaml ├── bootstrap │ ├── external-secrets-operator │ │ ├── .gitignore │ │ ├── namespace.yaml │ │ └── kustomization.yaml │ ├── kustomization.yaml │ ├── calico │ │ ├── kustomization.yaml │ │ └── toleration-node-selector-patch.yaml │ └── clustersecretstore.yaml ├── infra │ ├── ingress-controller-deployment-patch.yaml │ ├── kube-prometheus │ │ ├── manifests │ │ │ ├── setup │ │ │ │ ├── 0namespace-namespace.yaml │ │ │ │ ├── prometheus-operator-serviceAccount.yaml │ │ │ │ ├── prometheus-operator-clusterRoleBinding.yaml │ │ │ │ ├── prometheus-operator-service.yaml │ │ │ │ ├── prometheus-operator-networkPolicy.yaml │ │ │ │ └── prometheus-operator-clusterRole.yaml │ │ │ ├── grafana-serviceAccount.yaml │ │ │ ├── node-exporter-serviceAccount.yaml │ │ │ ├── kube-state-metrics-serviceAccount.yaml │ │ │ ├── prometheus-adapter-serviceAccount.yaml │ │ │ ├── prometheus-serviceAccount.yaml │ │ │ ├── alertmanager-serviceAccount.yaml │ │ │ ├── prometheus-adapter-clusterRoleServerResources.yaml │ │ │ ├── grafana-serviceMonitor.yaml │ │ │ ├── prometheus-roleConfig.yaml │ │ │ ├── prometheus-adapter-clusterRole.yaml │ │ │ ├── grafana-service.yaml │ │ │ ├── node-exporter-clusterRoleBinding.yaml │ │ │ ├── prometheus-clusterRole.yaml │ │ │ ├── kube-state-metrics-clusterRoleBinding.yaml │ │ │ ├── prometheus-adapter-clusterRoleBinding.yaml │ │ │ ├── node-exporter-clusterRole.yaml │ │ │ ├── prometheus-adapter-apiService.yaml │ │ │ ├── prometheus-clusterRoleBinding.yaml │ │ │ ├── grafana-config.yaml │ │ │ ├── node-exporter-service.yaml │ │ │ ├── prometheus-adapter-podDisruptionBudget.yaml │ │ │ ├── prometheus-adapter-service.yaml │ │ │ 
├── prometheus-adapter-clusterRoleBindingDelegator.yaml │ │ │ ├── prometheus-roleBindingConfig.yaml │ │ │ ├── prometheus-adapter-roleBindingAuthReader.yaml │ │ │ ├── prometheus-podDisruptionBudget.yaml │ │ │ ├── alertmanager-podDisruptionBudget.yaml │ │ │ ├── prometheus-adapter-networkPolicy.yaml │ │ │ ├── kube-state-metrics-service.yaml │ │ │ ├── prometheus-adapter-clusterRoleAggregatedMetricsReader.yaml │ │ │ ├── kubernetes-serviceMonitorCoreDNS.yaml │ │ │ ├── prometheus-serviceMonitor.yaml │ │ │ ├── alertmanager-serviceMonitor.yaml │ │ │ ├── prometheus-service.yaml │ │ │ ├── alertmanager-service.yaml │ │ │ ├── grafana-dashboardSources.yaml │ │ │ ├── grafana-networkPolicy.yaml │ │ │ ├── grafana-dashboardDatasources.yaml │ │ │ ├── node-exporter-networkPolicy.yaml │ │ │ ├── prometheus-operator-serviceMonitor.yaml │ │ │ ├── kube-state-metrics-networkPolicy.yaml │ │ │ ├── node-exporter-serviceMonitor.yaml │ │ │ ├── prometheus-adapter-serviceMonitor.yaml │ │ │ ├── kubernetes-serviceMonitorKubeScheduler.yaml │ │ │ ├── alertmanager-networkPolicy.yaml │ │ │ ├── alertmanager-alertmanager.yaml │ │ │ ├── prometheus-networkPolicy.yaml │ │ │ ├── kube-state-metrics-serviceMonitor.yaml │ │ │ ├── grafana-prometheusRule.yaml │ │ │ ├── alertmanager-secret.yaml │ │ │ ├── prometheus-roleBindingSpecificNamespaces.yaml │ │ │ └── prometheus-prometheus.yaml │ │ ├── Makefile │ │ ├── jsonnetfile.json │ │ ├── README.md │ │ └── build.sh │ ├── ingress-controller-job-patch.yaml │ ├── service.yaml │ ├── storageclass.yaml │ ├── ingress-controller-pdb.yaml │ ├── toleration-node-selector-patch.yaml │ ├── cluster-issuer-http.yaml │ └── kustomization.yaml ├── .gitignore ├── container-images │ └── basic-checks │ │ ├── Dockerfile │ │ └── README.md ├── cluster-resources │ ├── coredns-pdb.yaml │ ├── externalsecret.yaml │ └── toleration-node-selector-patch.yaml ├── Makefile ├── capi │ ├── core.yaml │ ├── infrastructure.yaml │ ├── bootstrap.yaml │ ├── control-plane.yaml │ └── 
toleration-node-selector-patch.yaml ├── capo-cluster │ ├── cluster.yaml │ ├── kubeadmconfigtemplate.yaml │ ├── externalsecret.yaml │ ├── infra-kct.yaml │ ├── infra-md.yaml │ ├── machinedeployment.yaml │ ├── kustomization.yaml │ ├── kubeadmcontrolplane.yaml │ ├── openstackcluster.yaml │ └── openstackmachinetemplates.yaml └── config │ ├── generic-autobumper-config.yaml │ └── jobs │ ├── metal3-io │ ├── community.yaml │ ├── utility-images.yaml │ ├── ironic-hardware-inventory-recorder-image.yaml │ ├── metal3-docs.yaml │ ├── metal3-io.github.io.yaml │ ├── ironic-image.yaml │ ├── ironic-image-release-27.0.yaml │ ├── ironic-image-release-29.0.yaml │ ├── ironic-image-release-31.0.yaml │ ├── ironic-image-release-32.0.yaml │ ├── ironic-image-release-33.0.yaml │ ├── ironic-standalone-operator-release-0.6.yaml │ ├── mariadb-image.yaml │ └── ironic-ipa-downloader.yaml │ └── Nordix │ ├── metal3-clusterapi-docs.yaml │ ├── sles-ironic-python-agent-builder.yaml │ └── metal3-dev-tools.yaml ├── .lycheeignore ├── README.md ├── .gitignore ├── OWNERS_ALIASES ├── .yamllint.yaml ├── OWNERS ├── .markdownlint-cli2.yaml ├── SECURITY_CONTACTS ├── .groovylintrc.json ├── .github ├── workflows │ ├── pr-groovy-lint.yml │ ├── build-images-action.yml │ ├── pr-gh-workflow-approve.yaml │ ├── scheduled-link-check.yml │ └── pr-verifier.yaml └── dependabot.yml ├── hack ├── shellcheck.sh ├── markdownlint.sh └── spellcheck.sh ├── .cspell-config.json └── DCO /CLAUDE.md: -------------------------------------------------------------------------------- 1 | AGENTS.md -------------------------------------------------------------------------------- /jenkins/image_building/dib_elements/centos-ci/element-deps: -------------------------------------------------------------------------------- 1 | centos 2 | ci-base 3 | -------------------------------------------------------------------------------- /jenkins/image_building/dib_elements/leap-ci/element-deps: 
-------------------------------------------------------------------------------- 1 | opensuse 2 | ci-base 3 | -------------------------------------------------------------------------------- /jenkins/image_building/dib_elements/ubuntu-ci/element-deps: -------------------------------------------------------------------------------- 1 | ubuntu 2 | ci-base 3 | -------------------------------------------------------------------------------- /prow/images/webhook.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/metal3-io/project-infra/HEAD/prow/images/webhook.png -------------------------------------------------------------------------------- /prow/manifests/base/namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: prow 5 | -------------------------------------------------------------------------------- /prow/manifests/base/test-pods.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: test-pods 5 | -------------------------------------------------------------------------------- /prow/bootstrap/external-secrets-operator/.gitignore: -------------------------------------------------------------------------------- 1 | # Ignore helm charts folder created by kustomize 2 | charts 3 | -------------------------------------------------------------------------------- /prow/images/green_webhook.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/metal3-io/project-infra/HEAD/prow/images/green_webhook.png -------------------------------------------------------------------------------- /prow/images/metal3-io-bot.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/metal3-io/project-infra/HEAD/prow/images/metal3-io-bot.png -------------------------------------------------------------------------------- /prow/images/token-scopes.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/metal3-io/project-infra/HEAD/prow/images/token-scopes.png -------------------------------------------------------------------------------- /jenkins/image_building/dib_elements/centos-node/element-deps: -------------------------------------------------------------------------------- 1 | centos 2 | base 3 | vm 4 | openssh-server 5 | package-installs 6 | -------------------------------------------------------------------------------- /jenkins/image_building/dib_elements/ubuntu-node/element-deps: -------------------------------------------------------------------------------- 1 | ubuntu 2 | base 3 | vm 4 | openssh-server 5 | package-installs 6 | -------------------------------------------------------------------------------- /jenkins/scripts/bare_metal_lab/tasks/pod_scaling/ansible.cfg: -------------------------------------------------------------------------------- 1 | [defaults] 2 | host_key_checking = False 3 | connection = ssh 4 | -------------------------------------------------------------------------------- /jenkins/image_building/dib_elements/ci-base/element-deps: -------------------------------------------------------------------------------- 1 | base 2 | vm 3 | devuser 4 | openssh-server 5 | pkg-map 6 | package-installs 7 | -------------------------------------------------------------------------------- /jenkins/images/jenkins_metal3_view.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/metal3-io/project-infra/HEAD/jenkins/images/jenkins_metal3_view.png -------------------------------------------------------------------------------- 
/prow/bootstrap/external-secrets-operator/namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: external-secrets 5 | -------------------------------------------------------------------------------- /.lycheeignore: -------------------------------------------------------------------------------- 1 | https://jenkins.nordix.org/log/GHPRB/ 2 | https://jenkins.nordix.org/ghprbhook/ 3 | https://prow.apps.test.metal3.io/hook 4 | -------------------------------------------------------------------------------- /jenkins/image_building/authorized_keys: -------------------------------------------------------------------------------- 1 | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAHIcNWjiBf0FaEMl6668hurboOMIKpt2C8MUGWS74lD estjorvas@est.tech 2 | -------------------------------------------------------------------------------- /jenkins/scripts/dynamic_worker_workflow/bmh-patch-short-serial.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | spec: 3 | rootDeviceHints: 4 | serialNumber: drive-scsi0-0-0-0 5 | -------------------------------------------------------------------------------- /jenkins/image_building/dib_elements/leap-node/element-deps: -------------------------------------------------------------------------------- 1 | opensuse 2 | base 3 | vm 4 | openssh-server 5 | package-installs 6 | cloud-init-datasources 7 | -------------------------------------------------------------------------------- /prow/bootstrap/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - calico 5 | - external-secrets-operator 6 | - clustersecretstore.yaml 7 | -------------------------------------------------------------------------------- /prow/infra/ingress-controller-deployment-patch.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: ingress-nginx-controller 5 | namespace: ingress-nginx 6 | spec: 7 | replicas: 2 8 | -------------------------------------------------------------------------------- /prow/.gitignore: -------------------------------------------------------------------------------- 1 | clouds.yaml 2 | cloud.conf 3 | kubeconfig.yaml 4 | .s3cfg 5 | s3-credentials.json 6 | service-account.json 7 | github-token 8 | cherrypick-bot-github-token 9 | hmac-token 10 | jenkins-token 11 | -------------------------------------------------------------------------------- /jenkins/image_building/dib_elements/centos-node/post-install.d/90-pre-pull-images: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -eux 4 | 5 | for container in $(env | grep "CALICO_*" | cut -f2 -d'='); do 6 | sudo crictl pull "${container}" 7 | done 8 | -------------------------------------------------------------------------------- /jenkins/image_building/dib_elements/leap-node/post-install.d/90-pre-pull-images: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -eux 4 | 5 | for container in $(env | grep "CALICO_*" | cut -f2 -d'='); do 6 | sudo crictl pull "${container}" 7 | done 8 | -------------------------------------------------------------------------------- /jenkins/scripts/bare_metal_lab/tasks/pod_scaling/inventory.ini: -------------------------------------------------------------------------------- 1 | [kube_control_plane] 2 | control-plane ansible_host=192.168.111.249 ansible_user=metal3 3 | 4 | [kube_worker_node] 5 | worker ansible_host=172.22.0.101 ansible_user=metal3 6 | -------------------------------------------------------------------------------- 
/jenkins/scripts/dynamic_worker_workflow/ipa_builder_elements/ipa-file-injector/environment.d/99-install-file-injector: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | export DIB_FILE_INJECTOR_CONFIG_DRIVE_LABEL="${DIB_FILE_INJECTOR_CONFIG_DRIVE_LABEL:-ir-vfd-dev}" 4 | -------------------------------------------------------------------------------- /jenkins/scripts/dynamic_worker_workflow/ipa_builder_elements/override-simple-init/environment.d/99-override-simple-init: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | export DIB_SIMPLE_INIT_CONFIG_DRIVE_LABEL="${DIB_SIMPLE_INIT_CONFIG_DRIVE_LABEL:-ir-vfd-dev}" 4 | 5 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # metal3.io Project Infrastructure 2 | 3 | We operate a CI Cluster which runs [Prow](prow/README.md) to provide CI and 4 | some GitHub automation. 5 | 6 | We also run a [Jenkins](jenkins/README.md) server for some additional CI jobs. 
7 | -------------------------------------------------------------------------------- /jenkins/scripts/bare_metal_lab/cleanup-lab.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | - hosts: localhost 3 | connection: local 4 | vars_files: 5 | - default_vars/vars.yaml 6 | tasks: 7 | - name: Cleanup Bare Metal Lab 8 | include_tasks: tasks/cleanup-tasks.yaml 9 | -------------------------------------------------------------------------------- /jenkins/scripts/dynamic_worker_workflow/ipa_builder_elements/ipa-cleanup-dracut/finalise.d/99-delete-dracut: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | if [[ "${DIB_DEBUG_TRACE:-1}" -gt 0 ]]; then 4 | set -x 5 | fi 6 | set -eu 7 | 8 | sudo dnf remove -y dracut 9 | -------------------------------------------------------------------------------- /jenkins/image_building/dib_elements/leap-node/package-installs.yaml: -------------------------------------------------------------------------------- 1 | conntrack-tools: 2 | ca-certificates: 3 | coreutils: 4 | gcc: 5 | git: 6 | gpg2: 7 | net-tools: 8 | openssl: 9 | socat: 10 | ethtool: 11 | iptables: 12 | keepalived: 13 | NetworkManager: 14 | -------------------------------------------------------------------------------- /prow/infra/kube-prometheus/manifests/setup/0namespace-namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | labels: 5 | pod-security.kubernetes.io/warn: privileged 6 | pod-security.kubernetes.io/warn-version: latest 7 | name: monitoring 8 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Common editor / temporary files 2 | *~ 3 | *.tmp 4 | .DS_Store 5 | *.swp 6 | 7 | # Development containers 8 | .devcontainer 9 | 10 | # Zed 11 
| .zed 12 | .zed_server 13 | 14 | # ai stuff 15 | .claude 16 | 17 | # python stuff 18 | hack/__pycache__ 19 | -------------------------------------------------------------------------------- /jenkins/scripts/dynamic_worker_workflow/ipa_builder_elements/ipa-cleanup-dracut/cleanup.d/99-ipa-cleanup-dracut: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | if [[ "${DIB_DEBUG_TRACE:-1}" -gt 0 ]]; then 4 | set -x 5 | fi 6 | set -eu 7 | 8 | sudo rm -rf "$TARGET_ROOT/var/tmp/dracut"* 9 | -------------------------------------------------------------------------------- /jenkins/scripts/dynamic_worker_workflow/ipa_builder_elements/ipa-file-injector/install.d/99-enable-ipa-file-injector: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -eu 4 | if [ "${DIB_DEBUG_TRACE:-1}" -gt 0 ]; then 5 | set -x 6 | fi 7 | 8 | sudo systemctl enable "ipa-file-injector.service" 9 | -------------------------------------------------------------------------------- /jenkins/scripts/dynamic_worker_workflow/ipa_builder_elements/cleanup-package/post-install.d/99-cleanup-package: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | if [ "${DIB_DEBUG_TRACE:-1}" -gt 0 ]; then 4 | set -x 5 | fi 6 | set -eu 7 | set -o pipefail 8 | 9 | sudo dnf remove "cockpit*" -y 10 | -------------------------------------------------------------------------------- /prow/manifests/overlays/metal3/limitrange.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: LimitRange 3 | metadata: 4 | name: default-requests 5 | namespace: test-pods 6 | spec: 7 | limits: 8 | - defaultRequest: 9 | cpu: 1000m 10 | memory: 1Gi 11 | type: Container 12 | -------------------------------------------------------------------------------- /jenkins/image_building/dib_elements/leap-ci/install.d/55-install: 
-------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -eux 4 | 5 | ## Install atop and sysstat 6 | sudo zypper refresh 7 | sudo zypper -n in atop sysstat 8 | 9 | # Add metal3ci user to libvirt group 10 | sudo usermod -aG libvirt metal3ci 11 | -------------------------------------------------------------------------------- /prow/infra/ingress-controller-job-patch.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: batch/v1 2 | kind: Job 3 | metadata: 4 | name: not-important 5 | namespace: ingress-nginx 6 | spec: 7 | # Make sure that the job is deleted after it finishes so we don't get issues next time we apply. 8 | ttlSecondsAfterFinished: 600 9 | -------------------------------------------------------------------------------- /jenkins/scripts/dynamic_worker_workflow/ipa_builder_elements/ipa-add-buildinfo/install.d/80-ipa-add-buildinfo: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | if [ "${DIB_DEBUG_TRACE:-1}" -gt 0 ]; then 4 | set -x 5 | fi 6 | set -eu 7 | set -o pipefail 8 | 9 | echo "This IPA was built by ESJ on $(date)." 
> /buildinfo.txt 10 | -------------------------------------------------------------------------------- /jenkins/scripts/dynamic_worker_workflow/ipa_builder_elements/cleanup-package/environment.d/99-cleanup-package: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | export DIB_CLEANUP_NVIDIA_GPUS="${DIB_CLEANUP_NVIDIA_GPUS:-false}" 4 | 5 | if [[ "${DIB_CLEANUP_NVIDIA_GPUS}" == "true" ]]; then 6 | sudo rm -rf /usr/lib/firmware/nvidia 7 | fi 8 | -------------------------------------------------------------------------------- /prow/bootstrap/calico/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - https://raw.githubusercontent.com/projectcalico/calico/v3.30.1/manifests/calico.yaml 5 | patches: 6 | - path: toleration-node-selector-patch.yaml 7 | target: 8 | kind: Deployment 9 | -------------------------------------------------------------------------------- /prow/infra/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: ingress-nginx-controller 5 | namespace: ingress-nginx 6 | annotations: 7 | loadbalancer.openstack.org/keep-floatingip: "true" 8 | spec: 9 | loadBalancerIP: 129.192.83.117 10 | externalTrafficPolicy: Cluster 11 | -------------------------------------------------------------------------------- /prow/infra/storageclass.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: storage.k8s.io/v1 2 | kind: StorageClass 3 | metadata: 4 | name: csi-cinderplugin 5 | annotations: 6 | storageclass.kubernetes.io/is-default-class: "true" 7 | provisioner: cinder.csi.openstack.org 8 | reclaimPolicy: Delete 9 | volumeBindingMode: Immediate 10 | -------------------------------------------------------------------------------- 
/jenkins/scripts/dynamic_worker_workflow/ipa_builder_elements/ipa-lvm-support/install.d/99-install-lvm2: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -eu 4 | 5 | if [[ "${DIB_DEBUG_TRACE:-1}" -gt 0 ]]; then 6 | set -x 7 | fi 8 | 9 | # Works on CentOS 9 Stream; not tested on other distros 10 | sudo dnf install -y lvm2 11 | -------------------------------------------------------------------------------- /prow/infra/kube-prometheus/Makefile: -------------------------------------------------------------------------------- 1 | export CONTAINER_RUNTIME ?= docker 2 | 3 | .phony: build 4 | 5 | build: 6 | $(CONTAINER_RUNTIME) run --rm \ 7 | --volume "${PWD}:/workdir:rw,z" \ 8 | --workdir /workdir \ 9 | --entrypoint /workdir/build.sh \ 10 | docker.io/golang:1.23 \ 11 | metal3-kube-prometheus.jsonnet 12 | -------------------------------------------------------------------------------- /jenkins/image_building/dib_elements/ci-base/package-installs.yaml: -------------------------------------------------------------------------------- 1 | bash-completion: 2 | build-essential: 3 | curl: 4 | dnsmasq: 5 | git: 6 | jq: 7 | libguestfs-tools: 8 | libvirt-daemon-system: 9 | make: 10 | openjdk-21-jre: 11 | ovmf: 12 | python3: 13 | python3-pip: 14 | qemu-kvm: 15 | tree: 16 | vim: 17 | virt-manager: 18 | wget: 19 | -------------------------------------------------------------------------------- /prow/manifests/overlays/metal3/patches/deck.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | namespace: prow 5 | name: deck 6 | spec: 7 | template: 8 | spec: 9 | containers: 10 | - name: deck 11 | resources: 12 | requests: 13 | cpu: 130m 14 | memory: 80Mi 15 | -------------------------------------------------------------------------------- /prow/manifests/overlays/metal3/patches/hook.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | namespace: prow 5 | name: hook 6 | spec: 7 | template: 8 | spec: 9 | containers: 10 | - name: hook 11 | resources: 12 | requests: 13 | cpu: 120m 14 | memory: 40Mi 15 | -------------------------------------------------------------------------------- /prow/manifests/overlays/metal3/patches/crier.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | namespace: prow 5 | name: crier 6 | spec: 7 | template: 8 | spec: 9 | containers: 10 | - name: crier 11 | resources: 12 | requests: 13 | cpu: 100m 14 | memory: 60Mi 15 | -------------------------------------------------------------------------------- /prow/manifests/overlays/metal3/patches/tide.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | namespace: prow 5 | name: tide 6 | spec: 7 | template: 8 | spec: 9 | containers: 10 | - name: tide 11 | resources: 12 | requests: 13 | cpu: 100m 14 | memory: 120Mi 15 | -------------------------------------------------------------------------------- /prow/manifests/overlays/metal3/patches/sinker.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | namespace: prow 5 | name: sinker 6 | spec: 7 | template: 8 | spec: 9 | containers: 10 | - name: sinker 11 | resources: 12 | requests: 13 | cpu: 100m 14 | memory: 50Mi 15 | -------------------------------------------------------------------------------- /prow/manifests/overlays/metal3/patches/ghproxy.yaml: -------------------------------------------------------------------------------- 1 | 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | namespace: prow 6 | name: ghproxy 7 | spec: 8 | template: 9 | 
spec: 10 | containers: 11 | - name: ghproxy 12 | resources: 13 | requests: 14 | cpu: 120m 15 | memory: 20Mi 16 | -------------------------------------------------------------------------------- /OWNERS_ALIASES: -------------------------------------------------------------------------------- 1 | # See the OWNERS docs: https://git.k8s.io/community/contributors/guide/owners.md 2 | 3 | aliases: 4 | project-infra-maintainers: 5 | - kashifest 6 | - lentzi90 7 | - Sunnatillo 8 | - tuminoid 9 | 10 | project-infra-reviewers: 11 | - adilGhaffarDev 12 | - dtantsur 13 | - elfosardo 14 | - Rozzii 15 | - smoshiur1237 16 | -------------------------------------------------------------------------------- /prow/manifests/overlays/metal3/patches/horologium.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | namespace: prow 5 | name: horologium 6 | spec: 7 | template: 8 | spec: 9 | containers: 10 | - name: horologium 11 | resources: 12 | requests: 13 | cpu: 50m 14 | memory: 25Mi 15 | -------------------------------------------------------------------------------- /prow/manifests/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - crier.yaml 5 | - deck.yaml 6 | - ghproxy.yaml 7 | - hook.yaml 8 | - horologium.yaml 9 | - namespace.yaml 10 | - prow-controller-manager.yaml 11 | - sinker.yaml 12 | - statusreconciler.yaml 13 | - test-pods.yaml 14 | - tide.yaml 15 | -------------------------------------------------------------------------------- /prow/manifests/overlays/metal3/patches/cherrypicker.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | namespace: prow 5 | name: cherrypicker 6 | spec: 7 | template: 8 | spec: 9 | containers: 10 | - name: 
cherrypicker 11 | resources: 12 | requests: 13 | cpu: 50m 14 | memory: 20Mi 15 | -------------------------------------------------------------------------------- /prow/manifests/overlays/metal3/patches/needs-rebase.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | namespace: prow 5 | name: needs-rebase 6 | spec: 7 | template: 8 | spec: 9 | containers: 10 | - name: needs-rebase 11 | resources: 12 | requests: 13 | cpu: 50m 14 | memory: 20Mi 15 | -------------------------------------------------------------------------------- /jenkins/scripts/dynamic_worker_workflow/ipa_builder_elements/ipa-luks-tpm-support/install.d/99-install-luks-tpm: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -eu 4 | 5 | if [[ "${DIB_DEBUG_TRACE:-1}" -gt 0 ]]; then 6 | set -x 7 | fi 8 | 9 | # Works on Cnetos 9 stream, wasn't tested on other distros 10 | sudo dnf install -y tpm2-tools tpm2-tss tpm2-abrmd tpm2-abrmd cryptsetup 11 | -------------------------------------------------------------------------------- /.yamllint.yaml: -------------------------------------------------------------------------------- 1 | yaml-files: 2 | - '*.yaml' 3 | - '*.yml' 4 | - '.yamllint' 5 | 6 | rules: 7 | trailing-spaces: enable 8 | key-duplicates: enable 9 | indentation: 10 | spaces: 2 11 | indent-sequences: false # Enforce k8s-style indentation 12 | check-multi-line-strings: false 13 | truthy: 14 | allowed-values: ['true', 'false', 'yes', 'no', 'on'] 15 | -------------------------------------------------------------------------------- /prow/manifests/overlays/metal3/patches/jenkins-operator.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | namespace: prow 5 | name: jenkins-operator 6 | spec: 7 | template: 8 | spec: 9 | containers: 10 | - name: 
jenkins-operator 11 | resources: 12 | requests: 13 | cpu: 50m 14 | memory: 50Mi 15 | -------------------------------------------------------------------------------- /prow/manifests/overlays/metal3/patches/statusreconciler.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: statusreconciler 5 | namespace: prow 6 | spec: 7 | template: 8 | spec: 9 | containers: 10 | - name: statusreconciler 11 | resources: 12 | requests: 13 | cpu: 50m 14 | memory: 20Mi 15 | -------------------------------------------------------------------------------- /OWNERS: -------------------------------------------------------------------------------- 1 | # See the OWNERS docs at https://go.k8s.io/owners 2 | 3 | approvers: 4 | - project-infra-maintainers 5 | 6 | reviewers: 7 | - project-infra-maintainers 8 | - project-infra-reviewers 9 | 10 | emeritus_approvers: 11 | - fmuyassarov 12 | - furkatgofurov7 13 | - maelk 14 | - mboukhalfa 15 | - russellb 16 | 17 | emeritus_reviewers: 18 | - macaptain 19 | - mquhuy 20 | -------------------------------------------------------------------------------- /.markdownlint-cli2.yaml: -------------------------------------------------------------------------------- 1 | # Reference: https://github.com/DavidAnson/markdownlint-cli2#markdownlint-cli2yaml 2 | 3 | config: 4 | ul-indent: 5 | # Kramdown wanted us to have 3 earlier, tho this CLI recommends 2 or 4 6 | indent: 3 7 | line-length: 8 | tables: false 9 | code_blocks: false 10 | 11 | # Don't autofix anything, we're linting here 12 | fix: false 13 | -------------------------------------------------------------------------------- /prow/container-images/basic-checks/Dockerfile: -------------------------------------------------------------------------------- 1 | ARG GO_VERSION=1.24.10@sha256:7b13449f08287fdb53114d65bdf20eb3965e4e54997903b5cb9477df0ea37c12 2 | FROM docker.io/golang:${GO_VERSION} 3 | 4 | # Install 
additional packages not present in regular golang image 5 | RUN apt-get update \ 6 | && apt-get -y upgrade \ 7 | && apt-get install -y libvirt-dev podman \ 8 | && apt-get clean 9 | -------------------------------------------------------------------------------- /prow/infra/ingress-controller-pdb.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: policy/v1 2 | kind: PodDisruptionBudget 3 | metadata: 4 | name: ingress-nginx 5 | namespace: ingress-nginx 6 | spec: 7 | minAvailable: 1 8 | selector: 9 | matchLabels: 10 | app.kubernetes.io/component: controller 11 | app.kubernetes.io/instance: ingress-nginx 12 | app.kubernetes.io/name: ingress-nginx 13 | -------------------------------------------------------------------------------- /prow/manifests/overlays/metal3/patches/prow-controller-manager.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | namespace: prow 5 | name: prow-controller-manager 6 | spec: 7 | template: 8 | spec: 9 | containers: 10 | - name: prow-controller-manager 11 | resources: 12 | requests: 13 | cpu: 130m 14 | memory: 50Mi 15 | -------------------------------------------------------------------------------- /prow/cluster-resources/coredns-pdb.yaml: -------------------------------------------------------------------------------- 1 | # The cluster autoscaler will not remove nodes with pods 2 | # in the kube-system namespace, unless they have a PDB that 3 | # allows it. 
4 | apiVersion: policy/v1 5 | kind: PodDisruptionBudget 6 | metadata: 7 | name: coredns 8 | namespace: kube-system 9 | spec: 10 | minAvailable: 1 11 | selector: 12 | matchLabels: 13 | k8s-app: kube-dns 14 | -------------------------------------------------------------------------------- /prow/infra/kube-prometheus/jsonnetfile.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": 1, 3 | "dependencies": [ 4 | { 5 | "source": { 6 | "git": { 7 | "remote": "https://github.com/prometheus-operator/kube-prometheus.git", 8 | "subdir": "jsonnet/kube-prometheus" 9 | } 10 | }, 11 | "version": "v0.14.0" 12 | } 13 | ], 14 | "legacyImports": true 15 | } 16 | -------------------------------------------------------------------------------- /jenkins/scripts/dynamic_worker_workflow/ipa_builder_elements/ipa-module-autoload/install.d/80-ipa-module-autoload: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | if [ "${DIB_DEBUG_TRACE:-1}" -gt 0 ]; then 4 | set -x 5 | fi 6 | set -eu 7 | set -o pipefail 8 | 9 | MODULES=${ADDITIONAL_IPA_KERNEL_MODULES:-""} 10 | 11 | for mod_name in $MODULES; do 12 | echo "$mod_name" >> /etc/modules-load.d/load.conf 13 | done 14 | 15 | -------------------------------------------------------------------------------- /prow/infra/kube-prometheus/manifests/grafana-serviceAccount.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | automountServiceAccountToken: false 3 | kind: ServiceAccount 4 | metadata: 5 | labels: 6 | app.kubernetes.io/component: grafana 7 | app.kubernetes.io/name: grafana 8 | app.kubernetes.io/part-of: kube-prometheus 9 | app.kubernetes.io/version: 11.2.0 10 | name: grafana 11 | namespace: monitoring 12 | -------------------------------------------------------------------------------- /jenkins/image_building/dib_elements/ubuntu-node/package-installs.yaml: 
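--------------------------------------------------------------------------------
apt-transport-https:
bridge-utils:
ca-certificates:
conntrack:
coreutils:
curl:
gcc:
git:
gnupg-agent:
jq:
keepalived:
make:
net-tools:
openssl:
socat:
software-properties-common:
tree:
vim:
wget:
python3:
python3-pip:
python3-kubernetes:
--------------------------------------------------------------------------------
/jenkins/scripts/bare_metal_lab/deploy-lab.yaml:
--------------------------------------------------------------------------------
---
- hosts: localhost
  connection: local
  environment:
    DHCP_HOSTS: "{{ DHCP_HOSTS }}"
    DHCP_IGNORE: "{{ DHCP_IGNORE }}"
  vars_files:
  - default_vars/vars.yaml
  tasks:
  - name: Deploy Bare Metal Lab
    block:
    - include_tasks: tasks/cleanup-tasks.yaml
    - include_tasks: tasks/deploy-tasks.yaml
--------------------------------------------------------------------------------
/prow/infra/kube-prometheus/manifests/node-exporter-serviceAccount.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
automountServiceAccountToken: false
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: exporter
    app.kubernetes.io/name: node-exporter
    app.kubernetes.io/part-of: kube-prometheus
    app.kubernetes.io/version: 1.8.2
  name: node-exporter
  namespace: monitoring
--------------------------------------------------------------------------------
/jenkins/image_building/initrd_sdk/unseal-and-open-luks.service:
--------------------------------------------------------------------------------
# Runs inside the initrd, before the switch to the real root: unseal the LUKS
# key from the TPM and open the volume via /etc/unlock-mount-luks.sh.
[Unit]
Description=Unseal TPM key and open LUKS volume
DefaultDependencies=no
Before=initrd-switch-root.target
After=initrd-udevadm-cleanup-db.service

[Service]
Type=oneshot
# The fallback on failure is the dracut emergency shell, i.e. an
# unauthenticated root shell on the console of the initrd. For a lab image
# that is a handy debugging aid, but note what it means for the threat model:
# the case in which the unseal fails (PCR state differs from what the key was
# sealed against, which is what a tampered boot chain looks like) is exactly
# the case in which whoever is at the console is handed a shell. For images
# that leave the lab, prefer halting or powering off on failure
# (dracut-emergency honours rd.shell=0 / rd.emergency=poweroff on the kernel
# command line) and keep the interactive fallback behind an explicit debug
# switch.
ExecStart=/bin/sh -c '/etc/unlock-mount-luks.sh || /bin/dracut-emergency'
RemainAfterExit=yes

[Install]
WantedBy=initrd-switch-root.target
--------------------------------------------------------------------------------
/jenkins/scripts/dynamic_worker_workflow/ipa_builder_elements/ipa-file-injector/root.d/ipa-file-injector.service.template:
--------------------------------------------------------------------------------
[Unit]
Description=IPA file injection process
After=network-pre.target

[Service]
Type=oneshot
User=root
ExecStart=/usr/bin/ipa-file-injector.sh
RemainAfterExit=true
# Output is mirrored to the console (and so to any serial-console capture).
# The injector should log names and destinations of injected files, never
# their contents -- verify that in ipa-file-injector.sh.
StandardOutput=journal+console
# Template placeholder; presumably filled in by the element's install script,
# the same way override-simple-init patches its glean unit with sed.
Environment=

[Install]
WantedBy=basic.target

--------------------------------------------------------------------------------
/prow/infra/kube-prometheus/manifests/kube-state-metrics-serviceAccount.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
automountServiceAccountToken: false
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: exporter
    app.kubernetes.io/name: kube-state-metrics
    app.kubernetes.io/part-of: kube-prometheus
    app.kubernetes.io/version: 2.13.0
  name: kube-state-metrics
  namespace: monitoring
--------------------------------------------------------------------------------
/prow/infra/kube-prometheus/manifests/prometheus-adapter-serviceAccount.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
automountServiceAccountToken: false
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: metrics-adapter
    app.kubernetes.io/name: prometheus-adapter
    app.kubernetes.io/part-of: kube-prometheus
    app.kubernetes.io/version: 0.12.0
  name: prometheus-adapter
  namespace: monitoring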
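--------------------------------------------------------------------------------
/jenkins/image_building/initrd_sdk/tpm2-unseal-key.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Unseal a key object stored in a TPM 2.0 and print the plaintext on stdout.
#
# Positional arguments (all optional):
#   $1  object handle or context passed to `tpm2_unseal -c`
#       (default 0x81010002, a persistent handle)
#   $2  authorization value passed to `tpm2_unseal -p`
#       (default "secret"; with IPA-sealed keys "pcr:sha256:0" is the other
#       usual value)
#   $3  dry-run switch: any value other than "false" skips the TPM and prints
#       a fixed fake secret so the consumers of this script can be exercised
#       without hardware
#
# Security notes for whoever wires this into a real image:
#   - The built-in default auth "secret" is a lab convenience, not a
#     credential. A warning goes to stderr whenever it is used; always pass an
#     explicit auth value or a PCR policy outside the lab.
#   - A literal password in $2 ends up in the tpm2_unseal argv and is readable
#     from /proc/<pid>/cmdline while the command runs. tpm2-tools also accepts
#     the "file:<path>" auth form, which keeps it off the command line.
#   - The unsealed key is written to stdout only; never tee it into logs.

set -euo pipefail

address="${1:-0x81010002}"
auth="${2:-secret}"
dry_run="${3:-false}"

if [[ "${dry_run}" == "false" ]]; then
    if [[ -z "${2:-}" ]]; then
        printf 'tpm2-unseal-key: using built-in default auth value\n' >&2
    fi
    tpm2_unseal -c "${address}" -p "${auth}"
else
    printf "Fake secret, you're welcome!\n"
fi

--------------------------------------------------------------------------------
/prow/infra/kube-prometheus/manifests/setup/prometheus-operator-serviceAccount.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
automountServiceAccountToken: false
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/name: prometheus-operator
    app.kubernetes.io/part-of: kube-prometheus
    app.kubernetes.io/version: 0.76.2
  name: prometheus-operator
  namespace: monitoring
--------------------------------------------------------------------------------
/prow/manifests/overlays/metal3/pdb.yaml:
--------------------------------------------------------------------------------
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: hook
  namespace: prow
spec:
  minAvailable: 1
  selector:
    matchLabels:
      app: hook
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: deck
  namespace: prow
spec:
  minAvailable: 1
  selector:
    matchLabels:
      app: deck
--------------------------------------------------------------------------------
/prow/infra/kube-prometheus/manifests/prometheus-serviceAccount.yaml: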
-------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | automountServiceAccountToken: true 3 | kind: ServiceAccount 4 | metadata: 5 | labels: 6 | app.kubernetes.io/component: prometheus 7 | app.kubernetes.io/instance: k8s 8 | app.kubernetes.io/name: prometheus 9 | app.kubernetes.io/part-of: kube-prometheus 10 | app.kubernetes.io/version: 2.54.1 11 | name: prometheus-k8s 12 | namespace: monitoring 13 | -------------------------------------------------------------------------------- /prow/Makefile: -------------------------------------------------------------------------------- 1 | export CONTAINER_RUNTIME ?= docker 2 | 3 | .phony: validate 4 | 5 | validate: 6 | $(CONTAINER_RUNTIME) run --rm \ 7 | --volume "${PWD}:/workdir:ro,z" \ 8 | --entrypoint /ko-app/checkconfig \ 9 | us-docker.pkg.dev/k8s-infra-prow/images/checkconfig:v20251125-e3ae8cf22 \ 10 | --config-path /workdir/config/config.yaml \ 11 | --job-config-path /workdir/config/jobs \ 12 | --plugin-config /workdir/config/plugins.yaml \ 13 | --strict 14 | -------------------------------------------------------------------------------- /prow/infra/kube-prometheus/manifests/alertmanager-serviceAccount.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | automountServiceAccountToken: false 3 | kind: ServiceAccount 4 | metadata: 5 | labels: 6 | app.kubernetes.io/component: alert-router 7 | app.kubernetes.io/instance: main 8 | app.kubernetes.io/name: alertmanager 9 | app.kubernetes.io/part-of: kube-prometheus 10 | app.kubernetes.io/version: 0.27.0 11 | name: alertmanager-main 12 | namespace: monitoring 13 | -------------------------------------------------------------------------------- /prow/cluster-resources/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: external-secrets.io/v1 2 | kind: ExternalSecret 3 | metadata: 4 | name: cloud-config 5 | 
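namespace: kube-system
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword
  target:
    creationPolicy: Owner
  data:
  - secretKey: cloud.conf
    remoteRef:
      # /[section-name/]
      key: "xerces-credentials/cloud.conf"
--------------------------------------------------------------------------------
/jenkins/image_building/dib_elements/centos-node/package-installs.yaml:
--------------------------------------------------------------------------------
conntrack-tools:
containers-common:
device-mapper-persistent-data:
ebtables:
gcc:
git:
glib2-devel:
glibc-devel:
go:
jq:
keepalived:
kernel-devel:
kernel-headers:
libgpg-error-devel:
libseccomp-devel:
libselinux-devel:
linux-firmware:
lvm2:
make:
pkgconf-pkg-config:
pkgconfig:
python3:
python3-pip:
socat:
--------------------------------------------------------------------------------
/jenkins/image_building/dib_elements/ubuntu-node/post-install.d/90-pre-pull-images:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# ubuntu-node post-install step: pin the build hostname into /etc/hosts, stop
# systemd-networkd from persisting the build VM's MAC addresses, and pre-pull
# the Calico images named by CALICO_* variables so a node's first boot does
# not depend on registry availability.

set -eux
export USERDATA_HOSTNAME=${HOSTNAME:-"metal3node-test"}

# The hostname is spliced into a sed replacement below; anything outside the
# hostname character set (in particular "/", "&" and "\") would corrupt
# /etc/hosts, so refuse it instead.
if [[ ! "${USERDATA_HOSTNAME}" =~ ^[A-Za-z0-9.-]+$ ]]; then
    printf 'invalid hostname %q\n' "${USERDATA_HOSTNAME}" >&2
    exit 1
fi

sudo sed -i "/^127.0.0.1/ s/$/ ${USERDATA_HOSTNAME}/" /etc/hosts
sudo sed -i "s/MACAddressPolicy=persistent/MACAddressPolicy=none/g" /usr/lib/systemd/network/99-default.link

# Only CALICO_* variables carry image references. The old pattern "CALICO_*"
# was a regex for "CALIC" followed by any number of underscores, matched
# anywhere in the env line (values included), so unrelated variables could be
# handed to crictl. Anchor on the variable name and split on the first "="
# only, so an image reference that itself contains "=" stays intact.
while IFS= read -r container; do
    [[ -n "${container}" ]] || continue
    sudo crictl pull "${container}"
done < <(env | grep -E '^CALICO_[A-Za-z0-9_]*=' | cut -d'=' -f2-)
--------------------------------------------------------------------------------
/prow/capi/core.yaml:
--------------------------------------------------------------------------------
apiVersion: operator.cluster.x-k8s.io/v1alpha2
kind: CoreProvider
metadata:
  name: cluster-api
  namespace: capi-system
spec:
  version: v1.10.4
  deployment:
    nodeSelector: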
node-role.kubernetes.io/infra: "" 11 | tolerations: 12 | - key: node-role.kubernetes.io/infra 13 | operator: Exists 14 | effect: NoSchedule 15 | --- 16 | apiVersion: v1 17 | kind: Namespace 18 | metadata: 19 | name: capi-system 20 | -------------------------------------------------------------------------------- /jenkins/scripts/dynamic_worker_workflow/ipa_builder_elements/override-simple-init/post-install.d/99-override-simple-init: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -eu 4 | if [ "${DIB_DEBUG_TRACE:-1}" -gt 0 ]; then 5 | set -x 6 | fi 7 | 8 | SCRIPTDIR=$(dirname "$0") 9 | 10 | SEDSTRING="s/Environment=/Environment=\"GLEAN_CONFIG_DRIVE_LABEL=${DIB_SIMPLE_INIT_CONFIG_DRIVE_LABEL}\"/" 11 | 12 | sed -e "${SEDSTRING}" "${SCRIPTDIR}/glean-early-override-template.service" > "/etc/systemd/system/glean-early.service" 13 | 14 | -------------------------------------------------------------------------------- /prow/capi/infrastructure.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: operator.cluster.x-k8s.io/v1alpha2 2 | kind: InfrastructureProvider 3 | metadata: 4 | name: openstack 5 | namespace: capo-system 6 | spec: 7 | version: v0.12.4 8 | deployment: 9 | nodeSelector: 10 | node-role.kubernetes.io/infra: "" 11 | tolerations: 12 | - key: node-role.kubernetes.io/infra 13 | operator: Exists 14 | effect: NoSchedule 15 | --- 16 | apiVersion: v1 17 | kind: Namespace 18 | metadata: 19 | name: capo-system 20 | -------------------------------------------------------------------------------- /SECURITY_CONTACTS: -------------------------------------------------------------------------------- 1 | # Reporting a security vulnerability 2 | 3 | Please do: 4 | - not disclose any security issue publicly e.g. Pull Requests, Comments. 5 | - not disclose any security issue directly to any owner of the repository or 6 | to any other contributor. 
7 | 8 | In this repository security reports are handled according to the 9 | Metal3-io project's security policy. For more information about the security 10 | policy consult the User-Guide [here](https://book.metal3.io/security_policy.html). 11 | 12 | -------------------------------------------------------------------------------- /prow/container-images/basic-checks/README.md: -------------------------------------------------------------------------------- 1 | # Basic-checks image 2 | 3 | This Dockerfile is used to create the `quay.io/metal3-io/basic-checks` image, 4 | which is used to run the basic tests in prow. 5 | 6 | ## Updating image 7 | 8 | Make a PR and upon merging, a workflow will build and push the image to Quay to 9 | be used in future test runs. If you switch Golang minor version, update the 10 | workflow file in `.github/workflows/build-images-action.yml` and then update 11 | Prow `config.yaml` accordingly. 12 | -------------------------------------------------------------------------------- /jenkins/image_building/dib_elements/leap-ci/README.md: -------------------------------------------------------------------------------- 1 | # leap-ci element 2 | 3 | ## Overview 4 | 5 | **leap-ci** element installs packages and makes configuration changes 6 | specifically for leap-ci images. This element consists of two 7 | shell scripts: ***install*** which runs during the install.d phase, and 8 | ***configure*** which runs during the post-install.d phase. 
9 | 10 | ## Depends 11 | 12 | * [opensuse](https://docs.openstack.org/diskimage-builder/latest/elements/opensuse/README.html) 13 | * ci-base 14 | -------------------------------------------------------------------------------- /jenkins/image_building/dib_elements/centos-ci/README.md: -------------------------------------------------------------------------------- 1 | # centos-ci element 2 | 3 | ## Overview 4 | 5 | **centos-ci** element installs packages and makes configuration changes 6 | specifically for centos-ci images. This element consists of two 7 | shell scripts: ***install*** which runs during the install.d phase, and 8 | ***configure*** which runs during the post-install.d phase. 9 | 10 | ## Depends 11 | 12 | * [centos](https://docs.openstack.org/diskimage-builder/latest/elements/centos/README.html) 13 | * ci-base 14 | -------------------------------------------------------------------------------- /jenkins/scripts/dynamic_worker_workflow/run_clean.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -eux 4 | 5 | if [[ "${IMAGE_OS}" == "ubuntu" ]]; then 6 | export CONTAINER_RUNTIME="docker" 7 | export BOOTSTRAP_CLUSTER="kind" 8 | else 9 | export BOOTSTRAP_CLUSTER="minikube" 10 | fi 11 | 12 | if [[ "${REPO_NAME}" == "metal3-dev-env" ]] || 13 | [[ "${REPO_NAME}" == "cluster-api-provider-metal3" ]] \ 14 | ; then 15 | pushd "${HOME}/tested_repo" 16 | else 17 | pushd "${HOME}/metal3" 18 | fi 19 | 20 | make clean 21 | -------------------------------------------------------------------------------- /prow/capi/bootstrap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: operator.cluster.x-k8s.io/v1alpha2 2 | kind: BootstrapProvider 3 | metadata: 4 | name: kubeadm 5 | namespace: capi-kubeadm-bootstrap-system 6 | spec: 7 | version: v1.10.4 8 | deployment: 9 | nodeSelector: 10 | node-role.kubernetes.io/infra: "" 11 | tolerations: 12 | - key: 
node-role.kubernetes.io/infra 13 | operator: Exists 14 | effect: NoSchedule 15 | --- 16 | apiVersion: v1 17 | kind: Namespace 18 | metadata: 19 | name: capi-kubeadm-bootstrap-system 20 | -------------------------------------------------------------------------------- /prow/infra/kube-prometheus/manifests/prometheus-adapter-clusterRoleServerResources.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | labels: 5 | app.kubernetes.io/component: metrics-adapter 6 | app.kubernetes.io/name: prometheus-adapter 7 | app.kubernetes.io/part-of: kube-prometheus 8 | app.kubernetes.io/version: 0.12.0 9 | name: resource-metrics-server-resources 10 | rules: 11 | - apiGroups: 12 | - metrics.k8s.io 13 | resources: 14 | - '*' 15 | verbs: 16 | - '*' 17 | -------------------------------------------------------------------------------- /prow/infra/kube-prometheus/manifests/grafana-serviceMonitor.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: monitoring.coreos.com/v1 2 | kind: ServiceMonitor 3 | metadata: 4 | labels: 5 | app.kubernetes.io/component: grafana 6 | app.kubernetes.io/name: grafana 7 | app.kubernetes.io/part-of: kube-prometheus 8 | app.kubernetes.io/version: 11.2.0 9 | name: grafana 10 | namespace: monitoring 11 | spec: 12 | endpoints: 13 | - interval: 15s 14 | port: http 15 | selector: 16 | matchLabels: 17 | app.kubernetes.io/name: grafana 18 | -------------------------------------------------------------------------------- /prow/capo-cluster/cluster.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: cluster.x-k8s.io/v1beta1 2 | kind: Cluster 3 | metadata: 4 | name: prow 5 | spec: 6 | clusterNetwork: 7 | pods: 8 | cidrBlocks: 9 | - 192.168.0.0/16 10 | serviceDomain: cluster.local 11 | controlPlaneRef: 12 | apiVersion: 
controlplane.cluster.x-k8s.io/v1beta1 13 | kind: KubeadmControlPlane 14 | name: prow-control-plane 15 | infrastructureRef: 16 | apiVersion: infrastructure.cluster.x-k8s.io/v1beta1 17 | kind: OpenStackCluster 18 | name: prow 19 | -------------------------------------------------------------------------------- /prow/infra/kube-prometheus/manifests/prometheus-roleConfig.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: Role 3 | metadata: 4 | labels: 5 | app.kubernetes.io/component: prometheus 6 | app.kubernetes.io/instance: k8s 7 | app.kubernetes.io/name: prometheus 8 | app.kubernetes.io/part-of: kube-prometheus 9 | app.kubernetes.io/version: 2.54.1 10 | name: prometheus-k8s-config 11 | namespace: monitoring 12 | rules: 13 | - apiGroups: 14 | - "" 15 | resources: 16 | - configmaps 17 | verbs: 18 | - get 19 | -------------------------------------------------------------------------------- /jenkins/scripts/dynamic_worker_workflow/ipa_builder_elements/override-simple-init/post-install.d/glean-early-override-template.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=Early glean execution 3 | Before=network-pre.target 4 | Wants=network-pre.target 5 | After=local-fs.target 6 | 7 | [Service] 8 | Type=oneshot 9 | User=root 10 | ExecStart=/usr/glean/lib64/python3.9/site-packages/glean/init/glean-early.sh --debug 11 | RemainAfterExit=true 12 | 13 | StandardOutput=journal+console 14 | Environment= 15 | 16 | [Install] 17 | WantedBy=multi-user.target 18 | 19 | -------------------------------------------------------------------------------- /prow/capi/control-plane.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: operator.cluster.x-k8s.io/v1alpha2 2 | kind: ControlPlaneProvider 3 | metadata: 4 | name: kubeadm 5 | namespace: capi-kubeadm-control-plane-system 6 | spec: 7 | 
version: v1.10.4 8 | deployment: 9 | nodeSelector: 10 | node-role.kubernetes.io/infra: "" 11 | tolerations: 12 | - key: node-role.kubernetes.io/infra 13 | operator: Exists 14 | effect: NoSchedule 15 | --- 16 | apiVersion: v1 17 | kind: Namespace 18 | metadata: 19 | name: capi-kubeadm-control-plane-system 20 | -------------------------------------------------------------------------------- /prow/capo-cluster/kubeadmconfigtemplate.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: bootstrap.cluster.x-k8s.io/v1beta1 2 | kind: KubeadmConfigTemplate 3 | metadata: 4 | name: prow-md-0 5 | spec: 6 | template: 7 | spec: 8 | joinConfiguration: 9 | nodeRegistration: 10 | kubeletExtraArgs: 11 | cloud-provider: external 12 | provider-id: "openstack:///'{{ v1.instance_id }}'" 13 | kube-reserved: cpu=200m,memory=100Mi 14 | system-reserved: cpu=100m,memory=100Mi 15 | name: '{{ v1.local_hostname }}' 16 | -------------------------------------------------------------------------------- /prow/infra/kube-prometheus/manifests/prometheus-adapter-clusterRole.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | labels: 5 | app.kubernetes.io/component: metrics-adapter 6 | app.kubernetes.io/name: prometheus-adapter 7 | app.kubernetes.io/part-of: kube-prometheus 8 | app.kubernetes.io/version: 0.12.0 9 | name: prometheus-adapter 10 | rules: 11 | - apiGroups: 12 | - "" 13 | resources: 14 | - nodes 15 | - namespaces 16 | - pods 17 | - services 18 | verbs: 19 | - get 20 | - list 21 | - watch 22 | -------------------------------------------------------------------------------- /.groovylintrc.json: -------------------------------------------------------------------------------- 1 | { 2 | "extends": "recommended", 3 | "rules": { 4 | "CompileStatic": { "enabled": false }, 5 | "LineLength": { "enabled": false }, 6 | 
"NestedBlockDepth": { "enabled": false }, 7 | "VariableName": { "enabled": false }, 8 | "DuplicateMapLiteral": { "enabled": false }, 9 | "DuplicateStringLiteral": { "enabled": false }, 10 | "DuplicateNumberLiteral": { "enabled": false }, 11 | "UnusedVariable": { "enabled": false }, 12 | "VariableTypeRequired": { "enabled": false }, 13 | "NoDef": { "enabled": false } 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /prow/infra/kube-prometheus/manifests/grafana-service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | labels: 5 | app.kubernetes.io/component: grafana 6 | app.kubernetes.io/name: grafana 7 | app.kubernetes.io/part-of: kube-prometheus 8 | app.kubernetes.io/version: 11.2.0 9 | name: grafana 10 | namespace: monitoring 11 | spec: 12 | ports: 13 | - name: http 14 | port: 3000 15 | targetPort: http 16 | selector: 17 | app.kubernetes.io/component: grafana 18 | app.kubernetes.io/name: grafana 19 | app.kubernetes.io/part-of: kube-prometheus 20 | -------------------------------------------------------------------------------- /prow/infra/kube-prometheus/manifests/node-exporter-clusterRoleBinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | labels: 5 | app.kubernetes.io/component: exporter 6 | app.kubernetes.io/name: node-exporter 7 | app.kubernetes.io/part-of: kube-prometheus 8 | app.kubernetes.io/version: 1.8.2 9 | name: node-exporter 10 | roleRef: 11 | apiGroup: rbac.authorization.k8s.io 12 | kind: ClusterRole 13 | name: node-exporter 14 | subjects: 15 | - kind: ServiceAccount 16 | name: node-exporter 17 | namespace: monitoring 18 | -------------------------------------------------------------------------------- /prow/infra/kube-prometheus/manifests/prometheus-clusterRole.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | labels: 5 | app.kubernetes.io/component: prometheus 6 | app.kubernetes.io/instance: k8s 7 | app.kubernetes.io/name: prometheus 8 | app.kubernetes.io/part-of: kube-prometheus 9 | app.kubernetes.io/version: 2.54.1 10 | name: prometheus-k8s 11 | rules: 12 | - apiGroups: 13 | - "" 14 | resources: 15 | - nodes/metrics 16 | verbs: 17 | - get 18 | - nonResourceURLs: 19 | - /metrics 20 | - /metrics/slis 21 | verbs: 22 | - get 23 | -------------------------------------------------------------------------------- /jenkins/image_building/dib_elements/leap-ci/finalise.d/51-edit-grub-config: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # Replaces rootfs label in the kernel command line. 4 | # 5 | # The problem stems from the fact that DIB assigns label cloudimg-rootfs to the 6 | # root filesystem and this cannot be modified. If we don't change the kernel 7 | # command line parameters, the image will try to look for nonexistent label 8 | # ROOT during boot and the boot will fail. 9 | 10 | sed -i 's/GRUB_CMDLINE_LINUX.*/GRUB_CMDLINE_LINUX="root=LABEL=cloudimg-rootfs"/' /etc/default/grub 11 | grub2-mkconfig --output=/boot/grub2/grub.cfg 12 | -------------------------------------------------------------------------------- /jenkins/image_building/dib_elements/leap-node/finalise.d/51-edit-grub-config: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # Replaces rootfs label in the kernel command line. 4 | # 5 | # The problem stems from the fact that DIB assigns label cloudimg-rootfs to the 6 | # root filesystem and this cannot be modified. If we don't change the kernel 7 | # command line parameters, the image will try to look for nonexistent label 8 | # ROOT during boot and the boot will fail. 
9 | 10 | sed -i 's/GRUB_CMDLINE_LINUX.*/GRUB_CMDLINE_LINUX="root=LABEL=cloudimg-rootfs"/' /etc/default/grub 11 | grub2-mkconfig --output=/boot/grub2/grub.cfg 12 | -------------------------------------------------------------------------------- /jenkins/scripts/bare_metal_lab/files/reset_network.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Ensure that the network in the BML has a clean base to work from. 3 | 4 | # By default, BIND is installed in the lab, but we use systemd-resolved instead. 5 | sudo killall named 6 | 7 | # Sometimes minikube doesn't record which DHCP addresses it has allocated. 8 | # A restart seems to work around this occasional issue. 9 | sudo systemctl restart dnsmasq 10 | 11 | # Ensure that DNS resolution is up. 12 | sudo systemctl restart systemd-resolved 13 | 14 | # Ensure that network is up. 15 | sudo systemctl restart systemd-networkd 16 | sleep 5 17 | -------------------------------------------------------------------------------- /prow/infra/kube-prometheus/manifests/kube-state-metrics-clusterRoleBinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | labels: 5 | app.kubernetes.io/component: exporter 6 | app.kubernetes.io/name: kube-state-metrics 7 | app.kubernetes.io/part-of: kube-prometheus 8 | app.kubernetes.io/version: 2.13.0 9 | name: kube-state-metrics 10 | roleRef: 11 | apiGroup: rbac.authorization.k8s.io 12 | kind: ClusterRole 13 | name: kube-state-metrics 14 | subjects: 15 | - kind: ServiceAccount 16 | name: kube-state-metrics 17 | namespace: monitoring 18 | -------------------------------------------------------------------------------- /prow/capo-cluster/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: external-secrets.io/v1 2 | kind: ExternalSecret 3 | metadata: 4 | 
  name: prow-cloud-config
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword
  target:
    creationPolicy: Owner
    template:
      metadata:
        labels:
          # Label the generated Secret so that `clusterctl move` carries it to
          # the target cluster. It holds the cloud credentials (clouds.yaml),
          # so the target cluster inherits cloud access together with it.
          clusterctl.cluster.x-k8s.io/move: "true"
  data:
    - secretKey: clouds.yaml
      remoteRef:
        # remoteRef.key for the 1Password provider is of the form
        # item-name/[section-name/]field-name; the angle-bracketed placeholders
        # of the original comment appear to have been lost in extraction.
        key: "xerces-credentials/clouds.yaml"
--------------------------------------------------------------------------------
/prow/infra/kube-prometheus/manifests/prometheus-adapter-clusterRoleBinding.yaml:
--------------------------------------------------------------------------------
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/component: metrics-adapter
    app.kubernetes.io/name: prometheus-adapter
    app.kubernetes.io/part-of: kube-prometheus
    app.kubernetes.io/version: 0.12.0
  name: prometheus-adapter
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: prometheus-adapter
subjects:
- kind: ServiceAccount
  name: prometheus-adapter
  namespace: monitoring
--------------------------------------------------------------------------------
/prow/infra/kube-prometheus/manifests/node-exporter-clusterRole.yaml:
--------------------------------------------------------------------------------
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/component: exporter
    app.kubernetes.io/name: node-exporter
    app.kubernetes.io/part-of: kube-prometheus
    app.kubernetes.io/version: 1.8.2
  name: node-exporter
rules:
- apiGroups:
  - authentication.k8s.io
  resources:
  - tokenreviews
  verbs:
  - create
- apiGroups:
  - authorization.k8s.io
  resources:
  - subjectaccessreviews
  verbs:
  - create
-------------------------------------------------------------------------------- /prow/infra/kube-prometheus/manifests/setup/prometheus-operator-clusterRoleBinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | labels: 5 | app.kubernetes.io/component: controller 6 | app.kubernetes.io/name: prometheus-operator 7 | app.kubernetes.io/part-of: kube-prometheus 8 | app.kubernetes.io/version: 0.76.2 9 | name: prometheus-operator 10 | roleRef: 11 | apiGroup: rbac.authorization.k8s.io 12 | kind: ClusterRole 13 | name: prometheus-operator 14 | subjects: 15 | - kind: ServiceAccount 16 | name: prometheus-operator 17 | namespace: monitoring 18 | -------------------------------------------------------------------------------- /prow/capi/toleration-node-selector-patch.yaml: -------------------------------------------------------------------------------- 1 | - op: add 2 | path: /spec/template/spec/tolerations/- 3 | value: 4 | key: node-role.kubernetes.io/infra 5 | operator: Exists 6 | effect: NoSchedule 7 | # We add the node selector for node-role.kubernetes.io/infra="" 8 | # The key has to be included in the path or it would overwrite any existing nodeSelectors. 9 | # We have to write the "/" as "~1" since it is the separator in the path field. 
# See https://datatracker.ietf.org/doc/html/rfc6901#section-3
- op: add
  path: /spec/template/spec/nodeSelector/node-role.kubernetes.io~1infra
  value: ""
--------------------------------------------------------------------------------
/prow/infra/kube-prometheus/manifests/prometheus-adapter-apiService.yaml:
--------------------------------------------------------------------------------
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  labels:
    app.kubernetes.io/component: metrics-adapter
    app.kubernetes.io/name: prometheus-adapter
    app.kubernetes.io/part-of: kube-prometheus
    app.kubernetes.io/version: 0.12.0
  name: v1beta1.metrics.k8s.io
spec:
  group: metrics.k8s.io
  groupPriorityMinimum: 100
  # NOTE(review): with this flag the kube-apiserver does not verify the
  # adapter's serving certificate when it proxies metrics.k8s.io requests to the
  # Service below. Anything able to answer for the prometheus-adapter Service
  # address can then feed forged resource metrics to every consumer of
  # metrics.k8s.io (e.g. the HPA). Prefer shipping the serving CA in `caBundle`
  # and removing this flag; it is the upstream kube-prometheus default, not a
  # requirement.
  insecureSkipTLSVerify: true
  service:
    name: prometheus-adapter
    namespace: monitoring
  version: v1beta1
  versionPriority: 100
--------------------------------------------------------------------------------
/prow/infra/kube-prometheus/manifests/prometheus-clusterRoleBinding.yaml:
--------------------------------------------------------------------------------
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/component: prometheus
    app.kubernetes.io/instance: k8s
    app.kubernetes.io/name: prometheus
    app.kubernetes.io/part-of: kube-prometheus
    app.kubernetes.io/version: 2.54.1
  name: prometheus-k8s
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: prometheus-k8s
subjects:
- kind: ServiceAccount
  name: prometheus-k8s
  namespace: monitoring
--------------------------------------------------------------------------------
/prow/infra/kube-prometheus/manifests/grafana-config.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Secret
metadata:
  labels:
    app.kubernetes.io/component: grafana
    app.kubernetes.io/name: grafana
    app.kubernetes.io/part-of: kube-prometheus
    app.kubernetes.io/version: 11.2.0
  name: grafana-config
  namespace: monitoring
stringData:
  # NOTE(review): the login form and basic auth are both disabled and anonymous
  # access is enabled, so every unauthenticated visitor gets the Viewer role on
  # the default org - read access to all dashboards and, through them, to the
  # datasource query results they render. This config leaves no interactive
  # admin login, so keep the Grafana endpoint reachable only by the intended
  # audience and re-check this before exposing it through an Ingress.
  grafana.ini: |
    [auth]
    disable_login_form = true
    [auth.anonymous]
    enabled = true
    org_role = Viewer
    [auth.basic]
    enabled = false
    [security]
    disable_gravatar = true
type: Opaque
--------------------------------------------------------------------------------
/prow/bootstrap/calico/toleration-node-selector-patch.yaml:
--------------------------------------------------------------------------------
- op: add
  path: /spec/template/spec/tolerations/-
  value:
    key: node-role.kubernetes.io/infra
    operator: Exists
    effect: NoSchedule
# We add the node selector for node-role.kubernetes.io/infra=""
# The key has to be included in the path or it would overwrite any existing nodeSelectors.
# We have to write the "/" as "~1" since it is the separator in the path field.
10 | # See https://datatracker.ietf.org/doc/html/rfc6901#section-3 11 | - op: add 12 | path: /spec/template/spec/nodeSelector/node-role.kubernetes.io~1infra 13 | value: "" 14 | -------------------------------------------------------------------------------- /prow/infra/kube-prometheus/manifests/node-exporter-service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | labels: 5 | app.kubernetes.io/component: exporter 6 | app.kubernetes.io/name: node-exporter 7 | app.kubernetes.io/part-of: kube-prometheus 8 | app.kubernetes.io/version: 1.8.2 9 | name: node-exporter 10 | namespace: monitoring 11 | spec: 12 | clusterIP: None 13 | ports: 14 | - name: https 15 | port: 9100 16 | targetPort: https 17 | selector: 18 | app.kubernetes.io/component: exporter 19 | app.kubernetes.io/name: node-exporter 20 | app.kubernetes.io/part-of: kube-prometheus 21 | -------------------------------------------------------------------------------- /prow/cluster-resources/toleration-node-selector-patch.yaml: -------------------------------------------------------------------------------- 1 | - op: add 2 | path: /spec/template/spec/tolerations/- 3 | value: 4 | key: node-role.kubernetes.io/infra 5 | operator: Exists 6 | effect: NoSchedule 7 | # We add the node selector for node-role.kubernetes.io/infra="" 8 | # The key has to be included in the path or it would overwrite any existing nodeSelectors. 9 | # We have to write the "/" as "~1" since it is the separator in the path field. 
10 | # See https://datatracker.ietf.org/doc/html/rfc6901#section-3 11 | - op: add 12 | path: /spec/template/spec/nodeSelector/node-role.kubernetes.io~1infra 13 | value: "" 14 | -------------------------------------------------------------------------------- /prow/config/generic-autobumper-config.yaml: -------------------------------------------------------------------------------- 1 | gitHubToken: "/etc/github/token" 2 | skipPullRequest: false 3 | gitHubOrg: "metal3-io" 4 | gitHubRepo: "project-infra" 5 | remoteName: "project-infra" 6 | includedConfigPaths: 7 | - "prow" 8 | targetVersion: "latest" 9 | extraFiles: 10 | - "prow/Makefile" 11 | prefixes: 12 | - name: "k8s-prow images" 13 | prefix: "us-docker.pkg.dev/k8s-infra-prow/images/" 14 | repo: "https://github.com/metal3-io/project-infra" 15 | summarise: false 16 | - name: "test-infra images" 17 | prefix: "gcr.io/k8s-staging-test-infra/" 18 | repo: "https://github.com/metal3-io/project-infra" 19 | summarise: false 20 | -------------------------------------------------------------------------------- /prow/infra/kube-prometheus/manifests/prometheus-adapter-podDisruptionBudget.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: policy/v1 2 | kind: PodDisruptionBudget 3 | metadata: 4 | labels: 5 | app.kubernetes.io/component: metrics-adapter 6 | app.kubernetes.io/name: prometheus-adapter 7 | app.kubernetes.io/part-of: kube-prometheus 8 | app.kubernetes.io/version: 0.12.0 9 | name: prometheus-adapter 10 | namespace: monitoring 11 | spec: 12 | minAvailable: 1 13 | selector: 14 | matchLabels: 15 | app.kubernetes.io/component: metrics-adapter 16 | app.kubernetes.io/name: prometheus-adapter 17 | app.kubernetes.io/part-of: kube-prometheus 18 | -------------------------------------------------------------------------------- /prow/infra/kube-prometheus/manifests/prometheus-adapter-service.yaml: -------------------------------------------------------------------------------- 
1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | labels: 5 | app.kubernetes.io/component: metrics-adapter 6 | app.kubernetes.io/name: prometheus-adapter 7 | app.kubernetes.io/part-of: kube-prometheus 8 | app.kubernetes.io/version: 0.12.0 9 | name: prometheus-adapter 10 | namespace: monitoring 11 | spec: 12 | ports: 13 | - name: https 14 | port: 443 15 | targetPort: 6443 16 | selector: 17 | app.kubernetes.io/component: metrics-adapter 18 | app.kubernetes.io/name: prometheus-adapter 19 | app.kubernetes.io/part-of: kube-prometheus 20 | -------------------------------------------------------------------------------- /prow/bootstrap/external-secrets-operator/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: external-secrets 4 | resources: 5 | - namespace.yaml 6 | helmCharts: 7 | - name: external-secrets 8 | includeCRDs: true 9 | repo: https://charts.external-secrets.io 10 | releaseName: external-secrets 11 | namespace: external-secrets 12 | version: 1.1.0 13 | valuesInline: 14 | global: 15 | nodeSelector: 16 | node-role.kubernetes.io/infra: "" 17 | tolerations: 18 | - key: "node-role.kubernetes.io/infra" 19 | operator: "Exists" 20 | effect: "NoSchedule" 21 | -------------------------------------------------------------------------------- /prow/capo-cluster/infra-kct.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: bootstrap.cluster.x-k8s.io/v1beta1 2 | kind: KubeadmConfigTemplate 3 | metadata: 4 | name: infra-0 5 | spec: 6 | template: 7 | spec: 8 | joinConfiguration: 9 | nodeRegistration: 10 | kubeletExtraArgs: 11 | cloud-provider: external 12 | provider-id: "openstack:///'{{ v1.instance_id }}'" 13 | kube-reserved: cpu=200m,memory=100Mi 14 | system-reserved: cpu=100m,memory=100Mi 15 | name: '{{ v1.local_hostname }}' 16 | taints: 17 | - key: node-role.kubernetes.io/infra 18 | 
effect: NoSchedule 19 | -------------------------------------------------------------------------------- /prow/infra/kube-prometheus/manifests/prometheus-adapter-clusterRoleBindingDelegator.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | labels: 5 | app.kubernetes.io/component: metrics-adapter 6 | app.kubernetes.io/name: prometheus-adapter 7 | app.kubernetes.io/part-of: kube-prometheus 8 | app.kubernetes.io/version: 0.12.0 9 | name: resource-metrics:system:auth-delegator 10 | roleRef: 11 | apiGroup: rbac.authorization.k8s.io 12 | kind: ClusterRole 13 | name: system:auth-delegator 14 | subjects: 15 | - kind: ServiceAccount 16 | name: prometheus-adapter 17 | namespace: monitoring 18 | -------------------------------------------------------------------------------- /prow/infra/kube-prometheus/manifests/prometheus-roleBindingConfig.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: RoleBinding 3 | metadata: 4 | labels: 5 | app.kubernetes.io/component: prometheus 6 | app.kubernetes.io/instance: k8s 7 | app.kubernetes.io/name: prometheus 8 | app.kubernetes.io/part-of: kube-prometheus 9 | app.kubernetes.io/version: 2.54.1 10 | name: prometheus-k8s-config 11 | namespace: monitoring 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: Role 15 | name: prometheus-k8s-config 16 | subjects: 17 | - kind: ServiceAccount 18 | name: prometheus-k8s 19 | namespace: monitoring 20 | -------------------------------------------------------------------------------- /.github/workflows/pr-groovy-lint.yml: -------------------------------------------------------------------------------- 1 | name: Groovy Lint Check 2 | 3 | on: 4 | pull_request: 5 | types: [opened, edited, reopened, synchronize, ready_for_review] 6 | paths: 7 | - 'jenkins/jobs/**/*.groovy' 8 | 9 | 
permissions: {}

jobs:
  groovy-lint-check:
    runs-on: ubuntu-latest
    container:
      image: nvuillam/npm-groovy-lint@sha256:60cf2ae84bfb5b112bc74352dba26f78e91790d30b2addb35fc4eab76bf93bd1 # v15.2.2
    steps:
      - name: Check out repository
        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0

      - name: Run groovy linter
        run: npm-groovy-lint
--------------------------------------------------------------------------------
/prow/bootstrap/clustersecretstore.yaml:
--------------------------------------------------------------------------------
apiVersion: external-secrets.io/v1
kind: ClusterSecretStore
metadata:
  name: onepassword
spec:
  provider:
    onepasswordSDK:
      vault: Prow_GitOps
      auth:
        serviceAccountSecretRef:
          namespace: external-secrets
          name: onepassword-prow-service-account
          key: token
  # Restrict which namespaces may reference this store. Any ExternalSecret
  # created in a listed namespace can pull any item from the Prow_GitOps vault
  # using the service-account token above, so this list should stay limited to
  # namespaces that genuinely need those secrets.
  conditions:
    - namespaces:
        - default # CAPO cluster resources
        - kube-system # CPO runs here
        - prow # Prow components run here
        - test-pods # Pods for ProwJobs run here
--------------------------------------------------------------------------------
/jenkins/image_building/dib_elements/ubuntu-node/pre-install.d/55-setup-repos:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

set -eux
# NOTE(review): there is no `set -o pipefail`, so when the curl below fails
# (-f makes it exit non-zero) the pipeline's status is gpg's: an empty keyring
# is written and the failure only surfaces, at best, in apt-get update.
# `set -euxo pipefail` would stop the build at the fetch itself.

export KUBERNETES_MINOR_VERSION=${KUBERNETES_VERSION%.*}
export CRIO_MINOR_VERSION=${CRIO_VERSION%.*}

curl -fsSL "https://download.opensuse.org/repositories/isv:/cri-o:/stable:/${CRIO_MINOR_VERSION}/deb/Release.key" | gpg --dearmor -o /etc/apt/keyrings/cri-o-apt-keyring.gpg
echo "deb [signed-by=/etc/apt/keyrings/cri-o-apt-keyring.gpg] https://download.opensuse.org/repositories/isv:/cri-o:/stable:/${CRIO_MINOR_VERSION}/deb/ /" | tee /etc/apt/sources.list.d/cri-o.list

sudo apt-get update
sudo apt-get dist-upgrade -f -y
--------------------------------------------------------------------------------
/prow/infra/kube-prometheus/manifests/prometheus-adapter-roleBindingAuthReader.yaml:
--------------------------------------------------------------------------------
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: metrics-adapter
    app.kubernetes.io/name: prometheus-adapter
    app.kubernetes.io/part-of: kube-prometheus
    app.kubernetes.io/version: 0.12.0
  name: resource-metrics-auth-reader
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
  name: prometheus-adapter
  namespace: monitoring
--------------------------------------------------------------------------------
/prow/infra/kube-prometheus/manifests/setup/prometheus-operator-service.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/name: prometheus-operator
    app.kubernetes.io/part-of: kube-prometheus
    app.kubernetes.io/version: 0.76.2
  name: prometheus-operator
  namespace: monitoring
spec:
  clusterIP: None
  ports:
  - name: https
    port: 8443
    targetPort: https
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/name: prometheus-operator
    app.kubernetes.io/part-of: kube-prometheus
--------------------------------------------------------------------------------
/jenkins/image_building/dib_elements/centos-node/pre-install.d/55-setup-repos:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

set -eux

export KUBERNETES_MINOR_VERSION=${KUBERNETES_VERSION%.*}
export CRIO_MINOR_VERSION=${CRIO_VERSION%.*}

# NOTE(review): this switches SELinux to "disabled" (not merely permissive) for
# every node built from this image, and the config path is passed twice. If the
# goal is only to unblock CRI-O/kubelet, `permissive` keeps denials logged for
# later policy work; keeping enforcing and shipping the required policy would be
# better still.
sudo sed -i 's/enforcing/disabled/g' /etc/selinux/config /etc/selinux/config

# NOTE(review): the text between `cat <` and `[count]` on the next line was lost
# in extraction. It presumably covered the rest of this script (the
# here-document that writes the repository definitions) and the header of
# jenkins/scripts/get_last_n_release_branches.sh, whose Usage comment ends with
# `[count]`; the `${1:?Usage: ...}` message in that script lost the same
# placeholder. Consult the repository for the full text of both files.
cat < [count]
# Example: get_last_n_release_branches.sh https://github.com/metal3-io/cluster-api-provider-metal3.git 3

REPO_URL="${1:?Usage: $0 [count]}"
COUNT="${2:-2}"

# Validate COUNT is a positive integer
if ! [[ "${COUNT}" =~ ^[0-9]+$ ]] || [ "${COUNT}" -lt 1 ]; then
  echo "Count must be a positive integer (given: ${COUNT})" >&2
  exit 1
fi

# NOTE(review): REPO_URL is caller-supplied and is passed without a preceding
# `--`, so a value starting with `-` can be parsed as a git option; use
# `git ls-remote --heads -- "${REPO_URL}"`.
git ls-remote --heads "${REPO_URL}" \
  | awk -F'/' '/refs\/heads\/release-/ {print $NF}' \
  | sort -V \
  | tail -n "${COUNT}"
--------------------------------------------------------------------------------
/prow/infra/kube-prometheus/manifests/prometheus-podDisruptionBudget.yaml:
--------------------------------------------------------------------------------
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  labels:
    app.kubernetes.io/component: prometheus
    app.kubernetes.io/instance: k8s
    app.kubernetes.io/name: prometheus
    app.kubernetes.io/part-of: kube-prometheus
    app.kubernetes.io/version: 2.54.1
  name: prometheus-k8s
  namespace: monitoring
spec:
  minAvailable: 1
  selector:
    matchLabels:
      app.kubernetes.io/component: prometheus
      app.kubernetes.io/instance: k8s
      app.kubernetes.io/name: prometheus
      app.kubernetes.io/part-of: kube-prometheus
--------------------------------------------------------------------------------
/prow/infra/toleration-node-selector-patch.yaml:
--------------------------------------------------------------------------------
- op: add
  path: /spec/template/spec/tolerations
  value: []
- op: add
  path: /spec/template/spec/tolerations/-
  value:
    key: node-role.kubernetes.io/infra
    operator: Exists
    effect: NoSchedule
# We add the node selector for node-role.kubernetes.io/infra=""
# The key has to be included in the path or it would overwrite any existing nodeSelectors.
# We have to write the "/" as "~1" since it is the separator in the path field.
# See https://datatracker.ietf.org/doc/html/rfc6901#section-3
- op: add
  path: /spec/template/spec/nodeSelector/node-role.kubernetes.io~1infra
  value: ""
--------------------------------------------------------------------------------
/hack/shellcheck.sh:
--------------------------------------------------------------------------------
#!/bin/sh

set -eux

IS_CONTAINER="${IS_CONTAINER:-false}"
CONTAINER_RUNTIME="${CONTAINER_RUNTIME:-podman}"

if [ "${IS_CONTAINER}" != "false" ]; then
  TOP_DIR="${1:-.}"
  find "${TOP_DIR}" -path ./vendor -prune -o -name '*.sh' -type f -exec shellcheck -s bash {} \+
else
  "${CONTAINER_RUNTIME}" run --rm \
    --env IS_CONTAINER=TRUE \
    --volume "${PWD}:/workdir:ro,z" \
    --entrypoint sh \
    --workdir /workdir \
    docker.io/koalaman/shellcheck-alpine:v0.9.0@sha256:e19ed93c22423970d56568e171b4512c9244fc75dd9114045016b4a0073ac4b7 \
    /workdir/hack/shellcheck.sh "$@"
fi
--------------------------------------------------------------------------------
/prow/infra/kube-prometheus/manifests/alertmanager-podDisruptionBudget.yaml:
--------------------------------------------------------------------------------
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  labels:
    app.kubernetes.io/component: alert-router
    app.kubernetes.io/instance: main
    app.kubernetes.io/name: alertmanager
    app.kubernetes.io/part-of: kube-prometheus
    app.kubernetes.io/version: 0.27.0
  name: alertmanager-main
  namespace: monitoring
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      app.kubernetes.io/component: alert-router
      app.kubernetes.io/instance: main
      app.kubernetes.io/name: alertmanager
19 | app.kubernetes.io/part-of: kube-prometheus 20 | -------------------------------------------------------------------------------- /prow/infra/kube-prometheus/manifests/prometheus-adapter-networkPolicy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | labels: 5 | app.kubernetes.io/component: metrics-adapter 6 | app.kubernetes.io/name: prometheus-adapter 7 | app.kubernetes.io/part-of: kube-prometheus 8 | app.kubernetes.io/version: 0.12.0 9 | name: prometheus-adapter 10 | namespace: monitoring 11 | spec: 12 | egress: 13 | - {} 14 | ingress: 15 | - {} 16 | podSelector: 17 | matchLabels: 18 | app.kubernetes.io/component: metrics-adapter 19 | app.kubernetes.io/name: prometheus-adapter 20 | app.kubernetes.io/part-of: kube-prometheus 21 | policyTypes: 22 | - Egress 23 | - Ingress 24 | -------------------------------------------------------------------------------- /prow/infra/cluster-issuer-http.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: cert-manager.io/v1 2 | kind: ClusterIssuer 3 | metadata: 4 | name: letsencrypt-http-prod 5 | # ClusterIssuers are non-namespaced resources 6 | spec: 7 | acme: 8 | # You must replace this email address with your own. 9 | # Let's Encrypt will use this to contact you about expiring 10 | # certificates, and issues related to your account. 
11 | email: estjorvas@est.tech 12 | server: https://acme-v02.api.letsencrypt.org/directory 13 | privateKeySecretRef: 14 | # Name of a secret used to store the ACME account private key 15 | name: letsencrypt-http-prod 16 | solvers: 17 | - http01: 18 | ingress: 19 | class: nginx 20 | selector: {} 21 | -------------------------------------------------------------------------------- /prow/infra/kube-prometheus/manifests/kube-state-metrics-service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | labels: 5 | app.kubernetes.io/component: exporter 6 | app.kubernetes.io/name: kube-state-metrics 7 | app.kubernetes.io/part-of: kube-prometheus 8 | app.kubernetes.io/version: 2.13.0 9 | name: kube-state-metrics 10 | namespace: monitoring 11 | spec: 12 | clusterIP: None 13 | ports: 14 | - name: https-main 15 | port: 8443 16 | targetPort: https-main 17 | - name: https-self 18 | port: 9443 19 | targetPort: https-self 20 | selector: 21 | app.kubernetes.io/component: exporter 22 | app.kubernetes.io/name: kube-state-metrics 23 | app.kubernetes.io/part-of: kube-prometheus 24 | -------------------------------------------------------------------------------- /prow/infra/kube-prometheus/manifests/prometheus-adapter-clusterRoleAggregatedMetricsReader.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | labels: 5 | app.kubernetes.io/component: metrics-adapter 6 | app.kubernetes.io/name: prometheus-adapter 7 | app.kubernetes.io/part-of: kube-prometheus 8 | app.kubernetes.io/version: 0.12.0 9 | rbac.authorization.k8s.io/aggregate-to-admin: "true" 10 | rbac.authorization.k8s.io/aggregate-to-edit: "true" 11 | rbac.authorization.k8s.io/aggregate-to-view: "true" 12 | name: system:aggregated-metrics-reader 13 | rules: 14 | - apiGroups: 15 | - metrics.k8s.io 16 | resources: 17 | - pods 18 | 
- nodes 19 | verbs: 20 | - get 21 | - list 22 | - watch 23 | -------------------------------------------------------------------------------- /hack/markdownlint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # markdownlint-cli2 has config file(s) named .markdownlint-cli2.yaml in the repo 3 | 4 | set -eux 5 | 6 | IS_CONTAINER="${IS_CONTAINER:-false}" 7 | CONTAINER_RUNTIME="${CONTAINER_RUNTIME:-podman}" 8 | 9 | # all md files, but ignore .github 10 | if [ "${IS_CONTAINER}" != "false" ]; then 11 | markdownlint-cli2 "**/*.md" "#.github" 12 | else 13 | "${CONTAINER_RUNTIME}" run --rm \ 14 | --env IS_CONTAINER=TRUE \ 15 | --volume "${PWD}:/workdir:ro,z" \ 16 | --entrypoint sh \ 17 | --workdir /workdir \ 18 | docker.io/pipelinecomponents/markdownlint-cli2:0.12.0@sha256:a3977fba9814f10d33a1d69ae607dc808e7a6470b2ba03e84c17193c0791aac0 \ 19 | /workdir/hack/markdownlint.sh "$@" 20 | fi 21 | -------------------------------------------------------------------------------- /prow/infra/kube-prometheus/manifests/kubernetes-serviceMonitorCoreDNS.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: monitoring.coreos.com/v1 2 | kind: ServiceMonitor 3 | metadata: 4 | labels: 5 | app.kubernetes.io/name: coredns 6 | app.kubernetes.io/part-of: kube-prometheus 7 | name: coredns 8 | namespace: monitoring 9 | spec: 10 | endpoints: 11 | - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token 12 | interval: 15s 13 | metricRelabelings: 14 | - action: drop 15 | regex: coredns_cache_misses_total 16 | sourceLabels: 17 | - __name__ 18 | port: metrics 19 | jobLabel: app.kubernetes.io/name 20 | namespaceSelector: 21 | matchNames: 22 | - kube-system 23 | selector: 24 | matchLabels: 25 | k8s-app: kube-dns 26 | -------------------------------------------------------------------------------- /jenkins/image_building/initrd_sdk/test_unlock_config: 
--------------------------------------------------------------------------------
#!/bin/bash
# This file provides a test configuration for unlock-mount-luks.sh.
# (No file of that name is in the initrd_sdk tree of this repository;
# tpm2-unseal-key.sh may be the current consumer - verify.)
# This script acts as an example config file, so to avoid needless shellcheck
# runs the '.sh' extension has been removed intentionally.

# key handling
key_script="${KEY_SCRIPT:-}"
# NOTE(review): the default policy binds the unseal to a single PCR (PCR 0 of
# the sha256 bank). That is fine as test input for a dry run (dry_run defaults
# to true below), but a production policy should cover the PCRs that measure
# the boot chain actually in use, not one PCR alone - confirm against the
# policy used by tpm2-unseal-key.sh.
auth="${CRYPT_AUTH:-pcr:sha256:0}"
secret_address="${SECRET_ADDRESS:-}"
# root partition
root_dev_part_path="${CRYPT_ROOT_DEV:-}"
# config drive
config_drive_dev_path="${CONFIG_DEV_PATH:-}"
config_drive_part_num="${CONFIG_PART_NUM:-}"
# dependency checks
preparation_timeout="${PREP_TIMEOUT:-2}"
# test config
dry_run="${DRY_RUN:-true}"
no_preparation="${NO_PREP:-true}"
--------------------------------------------------------------------------------
/jenkins/scripts/bare_metal_lab/templates/bmhosts_crs.yaml.j2:
--------------------------------------------------------------------------------
{% for bmh in bare_metal_hosts %}
---
apiVersion: v1
kind: Secret
metadata:
  name: bml-ilo-login-secret-{{ bmh.id }}
type: Opaque
data:
  username: "{{ bml_ilo_username | b64encode }}"
  password: "{{ bml_ilo_password | b64encode }}"
---
apiVersion: metal3.io/v1alpha1
kind: BareMetalHost
metadata:
  name: eselda13u31s{{ bmh.id }}
spec:
  online: true
  bootMACAddress: {{ bmh.mac }}
  bootMode: legacy
  bmc:
    address: ilo4://{{ bmh.ip }}
    credentialsName: bml-ilo-login-secret-{{ bmh.id }}
    # NOTE(review): certificate verification towards the iLO is turned off, so
    # the BMC credentials from the per-host login secret above can be presented
    # to whatever answers at the host's bmc address. Acceptable only while the
    # BMC network is isolated; otherwise trust the iLO certificate and drop
    # this setting.
    disableCertificateVerification: true
  rootDeviceHints:
    deviceName: {{ bmh.rootDeviceHint }}
{% endfor %}
--------------------------------------------------------------------------------
/prow/infra/kube-prometheus/manifests/prometheus-serviceMonitor.yaml:
--------------------------------------------------------------------------------
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  labels:
    app.kubernetes.io/component: prometheus
    app.kubernetes.io/instance: k8s
    app.kubernetes.io/name: prometheus
    app.kubernetes.io/part-of: kube-prometheus
    app.kubernetes.io/version: 2.54.1
  name: prometheus-k8s
  namespace: monitoring
spec:
  endpoints:
  - interval: 30s
    port: web
  - interval: 30s
    port: reloader-web
  selector:
    matchLabels:
      app.kubernetes.io/component: prometheus
      app.kubernetes.io/instance: k8s
      app.kubernetes.io/name: prometheus
      app.kubernetes.io/part-of: kube-prometheus
--------------------------------------------------------------------------------
/jenkins/image_building/dib_elements/ubuntu-ci/README.md:
--------------------------------------------------------------------------------
# ubuntu-ci element

## Overview

The **ubuntu-ci** element installs packages and makes configuration changes
specifically for ubuntu-ci images. This element consists of two
shell scripts: ***install***, which runs during the install.d phase, and
***configure***, which runs during the post-install.d phase.
(Note: the element tree in this repository currently shows only
`install.d/55-install` under `ubuntu-ci`; verify whether a `configure`
script still exists before relying on this description.)

## Depends

* [ubuntu](https://docs.openstack.org/diskimage-builder/latest/elements/ubuntu/README.html)
* ci-base

The ubuntu-ci element installs packages and makes configuration changes
specifically for Ubuntu-ci images. This element consists of two shell scripts:
install, which runs during the install.d phase, and configure, which runs
during the post-install.d phase.
19 | -------------------------------------------------------------------------------- /prow/infra/kube-prometheus/manifests/alertmanager-serviceMonitor.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: monitoring.coreos.com/v1 2 | kind: ServiceMonitor 3 | metadata: 4 | labels: 5 | app.kubernetes.io/component: alert-router 6 | app.kubernetes.io/instance: main 7 | app.kubernetes.io/name: alertmanager 8 | app.kubernetes.io/part-of: kube-prometheus 9 | app.kubernetes.io/version: 0.27.0 10 | name: alertmanager-main 11 | namespace: monitoring 12 | spec: 13 | endpoints: 14 | - interval: 30s 15 | port: web 16 | - interval: 30s 17 | port: reloader-web 18 | selector: 19 | matchLabels: 20 | app.kubernetes.io/component: alert-router 21 | app.kubernetes.io/instance: main 22 | app.kubernetes.io/name: alertmanager 23 | app.kubernetes.io/part-of: kube-prometheus 24 | -------------------------------------------------------------------------------- /prow/infra/kube-prometheus/manifests/prometheus-service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | labels: 5 | app.kubernetes.io/component: prometheus 6 | app.kubernetes.io/instance: k8s 7 | app.kubernetes.io/name: prometheus 8 | app.kubernetes.io/part-of: kube-prometheus 9 | app.kubernetes.io/version: 2.54.1 10 | name: prometheus-k8s 11 | namespace: monitoring 12 | spec: 13 | ports: 14 | - name: web 15 | port: 9090 16 | targetPort: web 17 | - name: reloader-web 18 | port: 8080 19 | targetPort: reloader-web 20 | selector: 21 | app.kubernetes.io/component: prometheus 22 | app.kubernetes.io/instance: k8s 23 | app.kubernetes.io/name: prometheus 24 | app.kubernetes.io/part-of: kube-prometheus 25 | sessionAffinity: ClientIP 26 | -------------------------------------------------------------------------------- /prow/infra/kustomization.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - https://github.com/kubernetes/ingress-nginx/deploy/static/provider/cloud?ref=controller-v1.12.3 5 | - cluster-issuer-http.yaml 6 | - storageclass.yaml 7 | - ingress-controller-pdb.yaml 8 | 9 | patches: 10 | - path: service.yaml 11 | # Patch the ingress controller jobs with TTL to avoid issues when upgrading. 12 | - path: ingress-controller-job-patch.yaml 13 | target: 14 | # Target all jobs in the namespace (overrides name/namespace in the patch file) 15 | kind: Job 16 | namespace: ingress-nginx 17 | - path: ingress-controller-deployment-patch.yaml 18 | # Run on infra nodes 19 | - path: toleration-node-selector-patch.yaml 20 | target: 21 | kind: Deployment|Job 22 | -------------------------------------------------------------------------------- /prow/manifests/overlays/metal3/toleration-node-selector-patch.yaml: -------------------------------------------------------------------------------- 1 | - op: add 2 | path: /spec/template/spec/tolerations 3 | value: [] 4 | - op: add 5 | path: /spec/template/spec/tolerations/- 6 | value: 7 | key: node-role.kubernetes.io/infra 8 | operator: Exists 9 | effect: NoSchedule 10 | - op: add 11 | path: /spec/template/spec/nodeSelector 12 | value: {} 13 | # We add the node selector for node-role.kubernetes.io/infra="" 14 | # The key has to be included in the path or it would overwrite any existing nodeSelectors. 15 | # We have to write the "/" as "~1" since it is the separator in the path field. 
16 | # See https://datatracker.ietf.org/doc/html/rfc6901#section-3 17 | - op: add 18 | path: /spec/template/spec/nodeSelector/node-role.kubernetes.io~1infra 19 | value: "" 20 | -------------------------------------------------------------------------------- /prow/manifests/overlays/metal3/ingress.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: Ingress 3 | metadata: 4 | namespace: prow 5 | name: prow 6 | annotations: 7 | cert-manager.io/cluster-issuer: letsencrypt-http-prod 8 | spec: 9 | ingressClassName: nginx 10 | rules: 11 | - host: prow.apps.test.metal3.io 12 | http: 13 | paths: 14 | - path: / 15 | pathType: Prefix 16 | backend: 17 | service: 18 | name: deck 19 | port: 20 | number: 80 21 | - path: /hook 22 | pathType: Prefix 23 | backend: 24 | service: 25 | name: hook 26 | port: 27 | number: 8888 28 | tls: 29 | - hosts: 30 | - prow.apps.test.metal3.io 31 | secretName: metal3-io-tls 32 | -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | # Please see the documentation for all configuration options: 2 | # https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates 3 | 4 | version: 2 5 | updates: 6 | ## main branch config starts here 7 | - package-ecosystem: "github-actions" 8 | directory: "/" # Location of package manifests 9 | schedule: 10 | interval: "monthly" 11 | day: "thursday" 12 | target-branch: main 13 | ## group all action bumps into single PR 14 | groups: 15 | github-actions: 16 | patterns: ["*"] 17 | ignore: 18 | # Ignore major bumps in main, as it breaks the group bump process 19 | - dependency-name: "*" 20 | update-types: ["version-update:semver-major"] 21 | labels: 22 | - "ok-to-test" 23 | 24 | ## main branch config ends here 25 | 
-------------------------------------------------------------------------------- /prow/infra/kube-prometheus/manifests/alertmanager-service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | labels: 5 | app.kubernetes.io/component: alert-router 6 | app.kubernetes.io/instance: main 7 | app.kubernetes.io/name: alertmanager 8 | app.kubernetes.io/part-of: kube-prometheus 9 | app.kubernetes.io/version: 0.27.0 10 | name: alertmanager-main 11 | namespace: monitoring 12 | spec: 13 | ports: 14 | - name: web 15 | port: 9093 16 | targetPort: web 17 | - name: reloader-web 18 | port: 8080 19 | targetPort: reloader-web 20 | selector: 21 | app.kubernetes.io/component: alert-router 22 | app.kubernetes.io/instance: main 23 | app.kubernetes.io/name: alertmanager 24 | app.kubernetes.io/part-of: kube-prometheus 25 | sessionAffinity: ClientIP 26 | -------------------------------------------------------------------------------- /prow/infra/kube-prometheus/manifests/grafana-dashboardSources.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | data: 3 | dashboards.yaml: |- 4 | { 5 | "apiVersion": 1, 6 | "providers": [ 7 | { 8 | "folder": "Default", 9 | "folderUid": "", 10 | "name": "0", 11 | "options": { 12 | "path": "/grafana-dashboard-definitions/0" 13 | }, 14 | "orgId": 1, 15 | "type": "file" 16 | } 17 | ] 18 | } 19 | kind: ConfigMap 20 | metadata: 21 | labels: 22 | app.kubernetes.io/component: grafana 23 | app.kubernetes.io/name: grafana 24 | app.kubernetes.io/part-of: kube-prometheus 25 | app.kubernetes.io/version: 11.2.0 26 | name: grafana-dashboards 27 | namespace: monitoring 28 | -------------------------------------------------------------------------------- /prow/infra/kube-prometheus/manifests/grafana-networkPolicy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: 
networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | labels: 5 | app.kubernetes.io/component: grafana 6 | app.kubernetes.io/name: grafana 7 | app.kubernetes.io/part-of: kube-prometheus 8 | app.kubernetes.io/version: 11.2.0 9 | name: grafana 10 | namespace: monitoring 11 | spec: 12 | egress: 13 | - {} 14 | ingress: 15 | - from: 16 | - podSelector: 17 | matchLabels: 18 | app.kubernetes.io/name: prometheus 19 | ports: 20 | - port: 3000 21 | protocol: TCP 22 | podSelector: 23 | matchLabels: 24 | app.kubernetes.io/component: grafana 25 | app.kubernetes.io/name: grafana 26 | app.kubernetes.io/part-of: kube-prometheus 27 | policyTypes: 28 | - Egress 29 | - Ingress 30 | -------------------------------------------------------------------------------- /prow/infra/kube-prometheus/manifests/grafana-dashboardDatasources.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | labels: 5 | app.kubernetes.io/component: grafana 6 | app.kubernetes.io/name: grafana 7 | app.kubernetes.io/part-of: kube-prometheus 8 | app.kubernetes.io/version: 11.2.0 9 | name: grafana-datasources 10 | namespace: monitoring 11 | stringData: 12 | datasources.yaml: |- 13 | { 14 | "apiVersion": 1, 15 | "datasources": [ 16 | { 17 | "access": "proxy", 18 | "editable": false, 19 | "name": "prometheus", 20 | "orgId": 1, 21 | "type": "prometheus", 22 | "url": "http://prometheus-k8s.monitoring.svc:9090", 23 | "version": 1 24 | } 25 | ] 26 | } 27 | type: Opaque 28 | -------------------------------------------------------------------------------- /prow/infra/kube-prometheus/manifests/node-exporter-networkPolicy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | labels: 5 | app.kubernetes.io/component: exporter 6 | app.kubernetes.io/name: node-exporter 7 | app.kubernetes.io/part-of: kube-prometheus 8 | 
app.kubernetes.io/version: 1.8.2 9 | name: node-exporter 10 | namespace: monitoring 11 | spec: 12 | egress: 13 | - {} 14 | ingress: 15 | - from: 16 | - podSelector: 17 | matchLabels: 18 | app.kubernetes.io/name: prometheus 19 | ports: 20 | - port: 9100 21 | protocol: TCP 22 | podSelector: 23 | matchLabels: 24 | app.kubernetes.io/component: exporter 25 | app.kubernetes.io/name: node-exporter 26 | app.kubernetes.io/part-of: kube-prometheus 27 | policyTypes: 28 | - Egress 29 | - Ingress 30 | -------------------------------------------------------------------------------- /prow/infra/kube-prometheus/manifests/prometheus-operator-serviceMonitor.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: monitoring.coreos.com/v1 2 | kind: ServiceMonitor 3 | metadata: 4 | labels: 5 | app.kubernetes.io/component: controller 6 | app.kubernetes.io/name: prometheus-operator 7 | app.kubernetes.io/part-of: kube-prometheus 8 | app.kubernetes.io/version: 0.76.2 9 | name: prometheus-operator 10 | namespace: monitoring 11 | spec: 12 | endpoints: 13 | - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token 14 | honorLabels: true 15 | port: https 16 | scheme: https 17 | tlsConfig: 18 | insecureSkipVerify: true 19 | selector: 20 | matchLabels: 21 | app.kubernetes.io/component: controller 22 | app.kubernetes.io/name: prometheus-operator 23 | app.kubernetes.io/part-of: kube-prometheus 24 | app.kubernetes.io/version: 0.76.2 25 | -------------------------------------------------------------------------------- /prow/infra/kube-prometheus/manifests/setup/prometheus-operator-networkPolicy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | labels: 5 | app.kubernetes.io/component: controller 6 | app.kubernetes.io/name: prometheus-operator 7 | app.kubernetes.io/part-of: kube-prometheus 8 | app.kubernetes.io/version: 0.76.2 9 
| name: prometheus-operator 10 | namespace: monitoring 11 | spec: 12 | egress: 13 | - {} 14 | ingress: 15 | - from: 16 | - podSelector: 17 | matchLabels: 18 | app.kubernetes.io/name: prometheus 19 | ports: 20 | - port: 8443 21 | protocol: TCP 22 | podSelector: 23 | matchLabels: 24 | app.kubernetes.io/component: controller 25 | app.kubernetes.io/name: prometheus-operator 26 | app.kubernetes.io/part-of: kube-prometheus 27 | policyTypes: 28 | - Egress 29 | - Ingress 30 | -------------------------------------------------------------------------------- /prow/capo-cluster/infra-md.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: cluster.x-k8s.io/v1beta1 2 | kind: MachineDeployment 3 | metadata: 4 | name: infra-0 5 | spec: 6 | clusterName: prow 7 | replicas: 1 8 | strategy: 9 | type: RollingUpdate 10 | rollingUpdate: 11 | maxUnavailable: 0 12 | selector: 13 | matchLabels: null 14 | template: 15 | metadata: 16 | labels: 17 | # This is propagated to the Machine and Node 18 | node-role.kubernetes.io/infra: "" 19 | spec: 20 | bootstrap: 21 | configRef: 22 | apiVersion: bootstrap.cluster.x-k8s.io/v1beta1 23 | kind: KubeadmConfigTemplate 24 | name: infra-0 25 | clusterName: prow 26 | failureDomain: nova 27 | infrastructureRef: 28 | apiVersion: infrastructure.cluster.x-k8s.io/v1beta1 29 | kind: OpenStackMachineTemplate 30 | name: prow-worker-v1-33-5 31 | version: v1.33.5 32 | -------------------------------------------------------------------------------- /prow/infra/kube-prometheus/manifests/kube-state-metrics-networkPolicy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | labels: 5 | app.kubernetes.io/component: exporter 6 | app.kubernetes.io/name: kube-state-metrics 7 | app.kubernetes.io/part-of: kube-prometheus 8 | app.kubernetes.io/version: 2.13.0 9 | name: kube-state-metrics 10 | namespace: monitoring 11 | 
spec: 12 | egress: 13 | - {} 14 | ingress: 15 | - from: 16 | - podSelector: 17 | matchLabels: 18 | app.kubernetes.io/name: prometheus 19 | ports: 20 | - port: 8443 21 | protocol: TCP 22 | - port: 9443 23 | protocol: TCP 24 | podSelector: 25 | matchLabels: 26 | app.kubernetes.io/component: exporter 27 | app.kubernetes.io/name: kube-state-metrics 28 | app.kubernetes.io/part-of: kube-prometheus 29 | policyTypes: 30 | - Egress 31 | - Ingress 32 | -------------------------------------------------------------------------------- /prow/manifests/overlays/metal3/test-pods-externalsecrets.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: external-secrets.io/v1 2 | kind: ExternalSecret 3 | metadata: 4 | name: github-token 5 | namespace: test-pods 6 | spec: 7 | secretStoreRef: 8 | kind: ClusterSecretStore 9 | name: onepassword 10 | target: 11 | creationPolicy: Owner 12 | data: 13 | - secretKey: token 14 | remoteRef: 15 | # /[section-name/] 16 | key: "prow-github-token/password" 17 | --- 18 | apiVersion: external-secrets.io/v1 19 | kind: ExternalSecret 20 | metadata: 21 | name: s3-credentials 22 | namespace: test-pods 23 | spec: 24 | secretStoreRef: 25 | kind: ClusterSecretStore 26 | name: onepassword 27 | target: 28 | creationPolicy: Owner 29 | data: 30 | - secretKey: service-account.json 31 | remoteRef: 32 | # /[section-name/] 33 | key: "s3-credentials/service-account.json" 34 | -------------------------------------------------------------------------------- /prow/capo-cluster/machinedeployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: cluster.x-k8s.io/v1beta1 2 | kind: MachineDeployment 3 | metadata: 4 | name: prow-md-0 5 | annotations: 6 | cluster.x-k8s.io/cluster-api-autoscaler-node-group-min-size: "2" 7 | cluster.x-k8s.io/cluster-api-autoscaler-node-group-max-size: "5" 8 | spec: 9 | clusterName: prow 10 | # Replicas are handled by the autoscaler, don't touch 
this! 11 | # replicas: 3 12 | selector: 13 | matchLabels: null 14 | template: 15 | spec: 16 | bootstrap: 17 | configRef: 18 | apiVersion: bootstrap.cluster.x-k8s.io/v1beta1 19 | kind: KubeadmConfigTemplate 20 | name: prow-md-0 21 | clusterName: prow 22 | failureDomain: nova 23 | infrastructureRef: 24 | apiVersion: infrastructure.cluster.x-k8s.io/v1beta1 25 | kind: OpenStackMachineTemplate 26 | name: prow-worker-v1-33-5 27 | version: v1.33.5 28 | -------------------------------------------------------------------------------- /prow/capo-cluster/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - cluster.yaml 5 | - kubeadmconfigtemplate.yaml 6 | - kubeadmcontrolplane.yaml 7 | - machinedeployment.yaml 8 | - openstackcluster.yaml 9 | - openstackmachinetemplates.yaml 10 | - infra-kct.yaml 11 | - infra-md.yaml 12 | - externalsecret.yaml 13 | 14 | ## If there is ever a need to deploy without ESO, the following can be used to create the secret directly. 15 | # generatorOptions: 16 | # disableNameSuffixHash: true 17 | # secretGenerator: 18 | # - files: 19 | # - clouds.yaml 20 | # name: prow-cloud-config 21 | # type: Opaque 22 | # # Add label for moving the prow-cloud-config secret with clusterctl move. 23 | # patches: 24 | # - patch: |- 25 | # apiVersion: v1 26 | # kind: Secret 27 | # metadata: 28 | # name: prow-cloud-config 29 | # labels: 30 | # clusterctl.cluster.x-k8s.io/move: "true" 31 | -------------------------------------------------------------------------------- /prow/manifests/overlays/metal3/external-plugins/cherrypicker_service.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 The Kubernetes Authors All rights reserved. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | apiVersion: v1 16 | kind: Service 17 | metadata: 18 | name: cherrypicker 19 | namespace: prow 20 | spec: 21 | selector: 22 | app: cherrypicker 23 | ports: 24 | - port: 80 25 | targetPort: 8888 26 | type: ClusterIP 27 | -------------------------------------------------------------------------------- /prow/manifests/overlays/metal3/external-plugins/needs-rebase_service.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2018 The Kubernetes Authors All rights reserved. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | apiVersion: v1 16 | kind: Service 17 | metadata: 18 | namespace: prow 19 | name: needs-rebase 20 | spec: 21 | selector: 22 | app: needs-rebase 23 | ports: 24 | - port: 80 25 | targetPort: 8888 26 | type: ClusterIP 27 | -------------------------------------------------------------------------------- /jenkins/scripts/bare_metal_lab/bml_cleanup.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -eu 4 | 5 | # Description: 6 | # Cleans the baremetal lab after successful integration tests 7 | # 8 | # Usage: 9 | # cleanup_bml.sh 10 | # 11 | export EXTERNAL_VLAN_ID="${EXTERNAL_VLAN_ID:-3}" 12 | export BOOTSTRAP_CLUSTER="${BOOTSTRAP_CLUSTER:-"minikube"}" 13 | export CAPI_VERSION="${CAPI_VERSION:-v1beta2}" 14 | export CAPM3_VERSION="${CAPM3_VERSION:-v1beta1}" 15 | export CAPM3RELEASEBRANCH="${CAPM3RELEASEBRANCH:-main}" 16 | export BMORELEASEBRANCH="${BMORELEASEBRANCH:-main}" 17 | export IMAGE_OS="${IMAGE_OS:-centos}" 18 | export NUM_NODES="${NUM_NODES:-2}" 19 | export CONTROL_PLANE_MACHINE_COUNT="${CONTROL_PLANE_MACHINE_COUNT:-1}" 20 | export WORKER_MACHINE_COUNT="${WORKER_MACHINE_COUNT:-1}" 21 | 22 | CI_DIR="$(dirname "$(readlink -f "${0}")")" 23 | 24 | echo "Cleaning up the lab" 25 | 26 | ANSIBLE_FORCE_COLOR=true ansible-playbook -v "${CI_DIR}"/cleanup-lab.yaml --skip-tags "clone" 27 | -------------------------------------------------------------------------------- /jenkins/image_building/dib_elements/centos-ci/install.d/55-install: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -eux 4 | 5 | sudo dnf distro-sync -y 6 | 7 | # Install EPEL repo (later required by atop, python3-bcrypt and python3-passlib) 8 | sudo dnf install epel-release -y 9 | 10 | # Install podman 11 | sudo dnf install podman -y 12 | 13 | # Without this minikube cannot start properly kvm and fails. 
14 | # As a simple workaround, this will create an empty file which can 15 | # disable the new firmware, more details here [1], look for firmware description. 16 | # [1] 17 | # upstream commit fixing the behavior to not print error messages for unknown features 18 | # will be included in RHEL-AV-8.5.0 by next rebase to libvirt 7.4.0. 19 | sudo mkdir -p /etc/qemu/firmware 20 | sudo touch /etc/qemu/firmware/50-edk2-ovmf-cc.json 21 | 22 | # Add metal3ci user to libvirt group 23 | sudo usermod -aG libvirt metal3ci || true 24 | -------------------------------------------------------------------------------- /jenkins/image_building/dib_elements/ci-base/README.md: -------------------------------------------------------------------------------- 1 | # ci-base element 2 | 3 | ## Overview 4 | 5 | This element takes care of installing common packages both for ubuntu and 6 | centos ci images. **ci-base** element utilizes package-installs to declarative 7 | method of installing packages for image build. 8 | 9 | ## Depends 10 | 11 | ci-base element depends following elements. 
12 | 13 | * [base](https://docs.openstack.org/diskimage-builder/latest/elements/base/README.html) 14 | * [vm](https://docs.openstack.org/diskimage-builder/latest/elements/vm/README.html) 15 | * [devuser](https://docs.openstack.org/diskimage-builder/latest/elements/devuser/README.html) 16 | * [openssh-server](https://docs.openstack.org/diskimage-builder/latest/elements/openssh-server/README.html) 17 | * [pkg-map](https://docs.openstack.org/diskimage-builder/latest/elements/pkg-map/README.html) 18 | * [package-installs](https://docs.openstack.org/diskimage-builder/latest/elements/package-installs/README.html) 19 | -------------------------------------------------------------------------------- /.github/workflows/build-images-action.yml: -------------------------------------------------------------------------------- 1 | name: build-images-action 2 | 3 | on: 4 | repository_dispatch: 5 | push: 6 | branches: 7 | - 'main' 8 | paths: 9 | - 'prow/container-images/**/Dockerfile' 10 | - '.github/workflows/build-images-action.yml' 11 | - '.github/workflows/container-image-build.yml' 12 | 13 | jobs: 14 | build_basic_checks: 15 | name: Build basic-checks image 16 | if: github.repository == 'metal3-io/project-infra' 17 | permissions: 18 | contents: read 19 | id-token: write 20 | uses: ./.github/workflows/container-image-build.yml 21 | with: 22 | image-name: 'basic-checks' 23 | image-tag: 'golang-1.24' 24 | dockerfile-directory: 'prow/container-images/basic-checks' 25 | pushImage: true 26 | generate-sbom: true 27 | sign-image: true 28 | secrets: 29 | QUAY_USERNAME: ${{ secrets.QUAY_USERNAME }} 30 | QUAY_PASSWORD: ${{ secrets.QUAY_PASSWORD }} 31 | SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} 32 | -------------------------------------------------------------------------------- /prow/infra/kube-prometheus/README.md: -------------------------------------------------------------------------------- 1 | # Kube-prometheus for Metal3 Prow 2 | 3 | This monitoring stack is based on 4 | 
[kube-prometheus](https://github.com/prometheus-operator/kube-prometheus/tree/main). 5 | We also took inspiration from how [k8s.io is monitoring 6 | ProwJobs](https://github.com/kubernetes/k8s.io/pull/5355). 7 | 8 | This is how you apply it in the cluster: 9 | 10 | ```bash 11 | kubectl apply -f manifests/setup 12 | kubectl apply -f manifests 13 | kubectl apply -f prow-rules.yaml 14 | ``` 15 | 16 | The `manifests` are rendered using jsonnet based on 17 | `metal3-kube-prometheus.jsonnet`. Use the build script to render them after 18 | making changes: 19 | 20 | ```bash 21 | make build 22 | ``` 23 | 24 | ## How to access? 25 | 26 | For now, we have not exposed grafana or any other component. You can access them 27 | by using port-forward like this (after setting up access to the cluster itself): 28 | 29 | ```bash 30 | kubectl -n monitoring port-forward svc/grafana 3000 31 | ``` 32 | 33 | Then go to . 34 | -------------------------------------------------------------------------------- /prow/config/jobs/metal3-io/community.yaml: -------------------------------------------------------------------------------- 1 | presubmits: 2 | metal3-io/community: 3 | - name: markdownlint 4 | run_if_changed: '(\.md|markdownlint\.sh)$' 5 | decorate: true 6 | spec: 7 | containers: 8 | - args: 9 | - ./hack/markdownlint.sh 10 | command: 11 | - sh 12 | env: 13 | - name: IS_CONTAINER 14 | value: "TRUE" 15 | image: docker.io/pipelinecomponents/markdownlint-cli2:0.12.0@sha256:a3977fba9814f10d33a1d69ae607dc808e7a6470b2ba03e84c17193c0791aac0 16 | imagePullPolicy: Always 17 | - name: shellcheck 18 | run_if_changed: '((\.sh)|^Makefile)$' 19 | decorate: true 20 | spec: 21 | containers: 22 | - args: 23 | - ./hack/shellcheck.sh 24 | command: 25 | - sh 26 | env: 27 | - name: IS_CONTAINER 28 | value: "TRUE" 29 | image: docker.io/koalaman/shellcheck-alpine:v0.10.0@sha256:5921d946dac740cbeec2fb1c898747b6105e585130cc7f0602eec9a10f7ddb63 30 | imagePullPolicy: Always 31 | 
-------------------------------------------------------------------------------- /prow/infra/kube-prometheus/manifests/node-exporter-serviceMonitor.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: monitoring.coreos.com/v1 2 | kind: ServiceMonitor 3 | metadata: 4 | labels: 5 | app.kubernetes.io/component: exporter 6 | app.kubernetes.io/name: node-exporter 7 | app.kubernetes.io/part-of: kube-prometheus 8 | app.kubernetes.io/version: 1.8.2 9 | name: node-exporter 10 | namespace: monitoring 11 | spec: 12 | endpoints: 13 | - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token 14 | interval: 15s 15 | port: https 16 | relabelings: 17 | - action: replace 18 | regex: (.*) 19 | replacement: $1 20 | sourceLabels: 21 | - __meta_kubernetes_pod_node_name 22 | targetLabel: instance 23 | scheme: https 24 | tlsConfig: 25 | insecureSkipVerify: true 26 | jobLabel: app.kubernetes.io/name 27 | selector: 28 | matchLabels: 29 | app.kubernetes.io/component: exporter 30 | app.kubernetes.io/name: node-exporter 31 | app.kubernetes.io/part-of: kube-prometheus 32 | -------------------------------------------------------------------------------- /prow/config/jobs/metal3-io/utility-images.yaml: -------------------------------------------------------------------------------- 1 | presubmits: 2 | metal3-io/utility-images: 3 | - name: shellcheck 4 | run_if_changed: '((\.sh)|^Makefile)$' 5 | decorate: true 6 | spec: 7 | containers: 8 | - args: 9 | - ./hack/shellcheck.sh 10 | command: 11 | - sh 12 | env: 13 | - name: IS_CONTAINER 14 | value: "TRUE" 15 | image: docker.io/koalaman/shellcheck-alpine:v0.10.0@sha256:5921d946dac740cbeec2fb1c898747b6105e585130cc7f0602eec9a10f7ddb63 16 | imagePullPolicy: Always 17 | - name: markdownlint 18 | run_if_changed: '(\.md|markdownlint\.sh)$' 19 | decorate: true 20 | spec: 21 | containers: 22 | - args: 23 | - ./hack/markdownlint.sh 24 | command: 25 | - sh 26 | env: 27 | - name: IS_CONTAINER 28 | 
value: "TRUE" 29 | image: docker.io/pipelinecomponents/markdownlint-cli2:0.12.0@sha256:a3977fba9814f10d33a1d69ae607dc808e7a6470b2ba03e84c17193c0791aac0 30 | imagePullPolicy: Always 31 | -------------------------------------------------------------------------------- /jenkins/image_building/dib_elements/leap-node/install.d/55-install: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -eux 4 | 5 | KUBERNETES_SLES_VERSION="${KUBERNETES_VERSION//v}" 6 | CRIO_SLES_VERSION="${CRIO_VERSION//v}" 7 | CRICTL_SLES_VERSION="${CRICTL_VERSION//v}" 8 | 9 | sudo cat < {}.yaml' -- {} 26 | 27 | # Make sure to remove json files 28 | find manifests -type f ! -name '*.yaml' -delete 29 | rm -f kustomization 30 | -------------------------------------------------------------------------------- /.cspell-config.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "0.2", 3 | "language": "en", 4 | "ignorePaths": ["**/.github/workflows/**"], 5 | "patterns": [ 6 | { 7 | "name": "multiline-code-block", 8 | "pattern": "/^(>)?\\s*```(?:.|\\s)+?^(>)?\\s*```/mig" 9 | }, 10 | { 11 | "name": "inline-code", 12 | "pattern": "/`[^`].*`[^`]/g" 13 | } 14 | ], 15 | "ignoreRegExpList": ["multiline-code-block", "inline-code"], 16 | "words": [ 17 | "autoscaler", 18 | "baremetal", 19 | "capi", 20 | "capm", 21 | "checkconfig", 22 | "cherrypick", 23 | "cherrypicking", 24 | "cicd", 25 | "clusterapi", 26 | "clusterctl", 27 | "devuser", 28 | "diskimage", 29 | "estjorvas", 30 | "gerrit", 31 | "ghprb", 32 | "HMAC", 33 | "ipam", 34 | "jsonnet", 35 | "keypair", 36 | "kubeadm", 37 | "kubeadmcontrolplane", 38 | "kubeconfig", 39 | "kubelet", 40 | "kustomization", 41 | "kustomizations", 42 | "loadbalancer", 43 | "machinedeployment", 44 | "nordix", 45 | "openstackmachinetemplate", 46 | "presubmits", 47 | "tmpfs", 48 | "xerces" 49 | ] 50 | } 51 | 
-------------------------------------------------------------------------------- /prow/infra/kube-prometheus/manifests/alertmanager-networkPolicy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | labels: 5 | app.kubernetes.io/component: alert-router 6 | app.kubernetes.io/instance: main 7 | app.kubernetes.io/name: alertmanager 8 | app.kubernetes.io/part-of: kube-prometheus 9 | app.kubernetes.io/version: 0.27.0 10 | name: alertmanager-main 11 | namespace: monitoring 12 | spec: 13 | egress: 14 | - {} 15 | ingress: 16 | - from: 17 | - podSelector: 18 | matchLabels: 19 | app.kubernetes.io/name: prometheus 20 | ports: 21 | - port: 9093 22 | protocol: TCP 23 | - port: 8080 24 | protocol: TCP 25 | - from: 26 | - podSelector: 27 | matchLabels: 28 | app.kubernetes.io/name: alertmanager 29 | ports: 30 | - port: 9094 31 | protocol: TCP 32 | - port: 9094 33 | protocol: UDP 34 | podSelector: 35 | matchLabels: 36 | app.kubernetes.io/component: alert-router 37 | app.kubernetes.io/instance: main 38 | app.kubernetes.io/name: alertmanager 39 | app.kubernetes.io/part-of: kube-prometheus 40 | policyTypes: 41 | - Egress 42 | - Ingress 43 | -------------------------------------------------------------------------------- /jenkins/image_building/dib_elements/leap-ci/post-install.d/55-configure: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -eux 4 | 5 | sudo sed -i "0,/.*PermitRootLogin.*/s//PermitRootLogin yes/" /etc/ssh/sshd_config 6 | 7 | # SETUP MONITORING 8 | sudo zypper in -y sysstat atop atop-daemon cronie 9 | ## Collect all metrics every minute 10 | sudo tee -a /etc/sysconfig/atop < 8 | # 9 | # Of course, you should only include non-dictionary words that are correctly spelled! 
10 | # If the error happens because of a common technical term or proper name that is likely 11 | # to appear many times, then please edit "../.cspell-config.json" and add it to the 12 | # "words" list. 13 | # shellcheck disable=SC2292 14 | 15 | set -eux 16 | 17 | IS_CONTAINER="${IS_CONTAINER:-false}" 18 | CONTAINER_RUNTIME="${CONTAINER_RUNTIME:-podman}" 19 | WORKDIR="${WORKDIR:-/workdir}" 20 | 21 | # all md files, but ignore .github and node_modules 22 | if [ "${IS_CONTAINER}" != "false" ]; then 23 | cspell-cli --show-suggestions -c .cspell-config.json -- "./**/*.md" 24 | else 25 | "${CONTAINER_RUNTIME}" run --rm \ 26 | --env IS_CONTAINER=TRUE \ 27 | --volume "${PWD}:${WORKDIR}:ro,z" \ 28 | --entrypoint sh \ 29 | --workdir "${WORKDIR}" \ 30 | ghcr.io/streetsidesoftware/cspell:8.13.3@sha256:03df0e485775a43531c9c0e829227f39b3380796e92faab4166137dc5712d40a \ 31 | "${WORKDIR}"/hack/spellcheck.sh "$@" 32 | fi 33 | -------------------------------------------------------------------------------- /prow/infra/kube-prometheus/manifests/prometheus-networkPolicy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | labels: 5 | app.kubernetes.io/component: prometheus 6 | app.kubernetes.io/instance: k8s 7 | app.kubernetes.io/name: prometheus 8 | app.kubernetes.io/part-of: kube-prometheus 9 | app.kubernetes.io/version: 2.54.1 10 | name: prometheus-k8s 11 | namespace: monitoring 12 | spec: 13 | egress: 14 | - {} 15 | ingress: 16 | - from: 17 | - podSelector: 18 | matchLabels: 19 | app.kubernetes.io/name: prometheus 20 | ports: 21 | - port: 9090 22 | protocol: TCP 23 | - port: 8080 24 | protocol: TCP 25 | - from: 26 | - podSelector: 27 | matchLabels: 28 | app.kubernetes.io/name: prometheus-adapter 29 | ports: 30 | - port: 9090 31 | protocol: TCP 32 | - from: 33 | - podSelector: 34 | matchLabels: 35 | app.kubernetes.io/name: grafana 36 | ports: 37 | - port: 9090 38 | 
protocol: TCP 39 | podSelector: 40 | matchLabels: 41 | app.kubernetes.io/component: prometheus 42 | app.kubernetes.io/instance: k8s 43 | app.kubernetes.io/name: prometheus 44 | app.kubernetes.io/part-of: kube-prometheus 45 | policyTypes: 46 | - Egress 47 | - Ingress 48 | -------------------------------------------------------------------------------- /prow/capo-cluster/openstackcluster.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: infrastructure.cluster.x-k8s.io/v1beta1 2 | kind: OpenStackCluster 3 | metadata: 4 | name: prow 5 | spec: 6 | apiServerLoadBalancer: 7 | enabled: true 8 | allowedCIDRs: 9 | - 10.6.0.0/24 10 | # Jumphost 11 | - 129.192.83.86/32 12 | externalNetwork: 13 | id: df26cc5b-b122-4506-b948-a213d2b0a7d8 14 | identityRef: 15 | cloudName: prow 16 | name: prow-cloud-config 17 | managedSecurityGroups: 18 | allNodesSecurityGroupRules: 19 | - description: Calico - BGP 20 | direction: ingress 21 | etherType: IPv4 22 | name: BGP (calico) 23 | portRangeMax: 179 24 | portRangeMin: 179 25 | protocol: tcp 26 | remoteManagedGroups: 27 | - controlplane 28 | - worker 29 | - description: Calico IP-in-IP 30 | direction: ingress 31 | etherType: IPv4 32 | name: IP-in-IP (calico) 33 | protocol: "4" 34 | remoteManagedGroups: 35 | - controlplane 36 | - worker 37 | allowAllInClusterTraffic: true 38 | managedSubnets: 39 | - cidr: 10.6.0.0/24 40 | dnsNameservers: 41 | - 8.8.8.8 42 | bastion: 43 | enabled: true 44 | spec: 45 | flavor: c1m2-est 46 | image: 47 | # Ubuntu-24.04 48 | id: 19e017ae-2759-479c-90ac-a400a3f64678 49 | sshKeyName: prow 50 | -------------------------------------------------------------------------------- /jenkins/image_building/dib_elements/centos-ci/post-install.d/55-configure: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # Configure network (set nameservers and disable peer DNS). 
4 | set -eux 5 | 6 | sudo sed -i "0,/.*PermitRootLogin.*/s//PermitRootLogin yes/" /etc/ssh/sshd_config 7 | 8 | # SETUP MONITORING 9 | ## Install atop and sysstat 10 | sudo dnf install sysstat atop --enablerepo=epel -y 11 | 12 | ## Collect all metrics every minute 13 | sudo sed -i 's/^LOGINTERVAL=600.*/LOGINTERVAL=60/' /etc/sysconfig/atop 14 | sudo mkdir -v /etc/systemd/system/sysstat-collect.timer.d/ 15 | sudo bash -c "sed -e 's|every 10 minutes|every 1 minute|g' -e '/^OnCalendar=/ s|/10$|/1|' /usr/lib/systemd/system/sysstat-collect.timer > /etc/systemd/system/sysstat-collect.timer.d/override.conf" 16 | sudo sed -i 's|^SADC_OPTIONS=.*|SADC_OPTIONS=" -S XALL"|' /etc/sysconfig/sysstat 17 | 18 | ## Reduce metrics retention to 3 days 19 | sudo sed -i 's/^LOGGENERATIONS=.*/LOGGENERATIONS=3/' /etc/sysconfig/atop 20 | sudo sed -i 's|^HISTORY=.*|HISTORY=3|' /etc/sysconfig/sysstat 21 | 22 | ## Standardize sysstat log directory 23 | sudo mkdir -p /var/log/sysstat 24 | sudo sed -i 's|^SA_DIR=.*|SA_DIR="/var/log/sysstat"|' /etc/sysconfig/sysstat 25 | 26 | ## Enable services 27 | sudo systemctl enable atop.service crond.service sysstat.service 28 | 29 | # Change default to shell to bash 30 | sudo usermod --shell /bin/bash metal3ci -------------------------------------------------------------------------------- /jenkins/scripts/get_latest_tag.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | set -euo pipefail 3 | 4 | # Usage: get_latest_tag.sh [excludePattern] 5 | # Example: get_latest_tag.sh https://proxy.golang.org/github.com/metal3-io/cluster-api-provider-metal3/@v/list release-1.10 'beta|rc|alpha|pre' 6 | 7 | get_latest_release_from_goproxy() { 8 | local listUrl="${1:?no list url given}" # full @v/list URL 9 | local release="${2:?no release given}" # e.g. release-1.10 10 | local exclude="${3:-}" # optional exclude regex 11 | 12 | release="${release/release-/v}." 
13 | local release_tag 14 | if [[ -z "${exclude}" ]]; then 15 | release_tag=$(curl -s "${listUrl}" \ 16 | | sed '/-/!{s/$/_/}' \ 17 | | sort -rV \ 18 | | sed 's/_$//' \ 19 | | grep -m1 "^${release}") 20 | else 21 | release_tag=$(curl -s "${listUrl}" \ 22 | | sort -rV \ 23 | | grep -vE "${exclude}" \ 24 | | grep -m1 "^${release}") 25 | fi 26 | 27 | if [[ -z "${release_tag}" ]]; then 28 | echo "Error: release not found for prefix ${release} in ${listUrl}" >&2 29 | exit 1 30 | fi 31 | echo "${release_tag}" 32 | } 33 | 34 | if [[ $# -lt 2 ]]; then 35 | echo "Usage: $0 [excludePattern]" >&2 36 | exit 2 37 | fi 38 | 39 | get_latest_release_from_goproxy "$1" "$2" "${3:-}" 40 | -------------------------------------------------------------------------------- /jenkins/scripts/dynamic_worker_workflow/ipa_builder_elements/ipa-file-injector/root.d/99-install-file-injector: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -eu 4 | if [ "${DIB_DEBUG_TRACE:-1}" -gt 0 ]; then 5 | set -x 6 | fi 7 | 8 | # The TARGET_ROOT env var is expected to be provided by the base os element e.g. 'centos'. 9 | # The value of TARGET_ROOT is automatically generated so there is no default value available 10 | # for this environment variable. 11 | # The script is expected to fail if the TARGET_ROOT is unbound or if it is an empty string. 12 | if [ -z "${TARGET_ROOT}" ]; then 13 | echo "TARGET_ROOT is unbound durin ipa-file-injecto installation, the build process will exit!" 14 | exit 1 15 | fi 16 | 17 | SCRIPTDIR=$(dirname "$0") 18 | 19 | SEDSTRING="s/Environment=/Environment=\"FILE_INJECTOR_CONFIG_DRIVE_LABEL=${DIB_FILE_INJECTOR_CONFIG_DRIVE_LABEL}\"/" 20 | 21 | 22 | # Output redirection was causing permission errors in DIB when done between host and mounted init 23 | # filesystem, that is why the the template is rendered first to /tmp then copied to the mounted disk. 
24 | sed -e "${SEDSTRING}" "${SCRIPTDIR}/ipa-file-injector.service.template" > "/tmp/ipa-file-injector.service" 25 | 26 | sudo cp "/tmp/ipa-file-injector.service" "${TARGET_ROOT}/lib/systemd/system/ipa-file-injector.service" 27 | 28 | sudo cp "${SCRIPTDIR}/ipa-file-injector.sh" "${TARGET_ROOT}/usr/bin/ipa-file-injector.sh" 29 | 30 | -------------------------------------------------------------------------------- /jenkins/image_building/verify-node-image.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -eux 4 | 5 | verify_node_image() { 6 | current_dir="$(dirname "$(readlink -f "${0}")")" 7 | REPO_ROOT="$(realpath "${current_dir}/../..")" 8 | 9 | img_name="$1" 10 | IMAGE_DIR="${2:-"${REPO_ROOT}"}" 11 | 12 | # So that no extra components are built later 13 | export IMAGE_TESTING="true" 14 | 15 | # Run "make clean" after test, so that next job can start from clean state 16 | export CLEANUP_AFTERWARDS="${CLEANUP_AFTERWARDS:-false}" 17 | 18 | # Tests expect the image name to have the file type extension 19 | export IMAGE_NAME="${img_name}.qcow2" 20 | export IMAGE_OS="${IMAGE_OS}" 21 | export IMAGE_TYPE="${IMAGE_TYPE}" 22 | export IMAGE_LOCATION="${IMAGE_DIR}" 23 | 24 | # Similar config to periodic integration tests 25 | export REPO_BRANCH="main" 26 | export REPO_ORG="metal3-io" 27 | export REPO_NAME="metal3-dev-env" 28 | export UPDATED_REPO="metal3-io/metal3-dev-env" 29 | export UPDATED_BRANCH="main" 30 | export NUM_NODES=2 31 | 32 | export IRONIC_INSTALL_TYPE="rpm" 33 | 34 | "${current_dir}/../scripts/dynamic_worker_workflow/dev_env_integration_tests.sh" 35 | } 36 | 37 | # If the script was run directly (i.e. 
not sourced), run the verify_node_image func 38 | if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then 39 | verify_node_image "$@" 40 | fi 41 | -------------------------------------------------------------------------------- /prow/infra/kube-prometheus/manifests/kube-state-metrics-serviceMonitor.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: monitoring.coreos.com/v1 2 | kind: ServiceMonitor 3 | metadata: 4 | labels: 5 | app.kubernetes.io/component: exporter 6 | app.kubernetes.io/name: kube-state-metrics 7 | app.kubernetes.io/part-of: kube-prometheus 8 | app.kubernetes.io/version: 2.13.0 9 | name: kube-state-metrics 10 | namespace: monitoring 11 | spec: 12 | endpoints: 13 | - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token 14 | honorLabels: true 15 | interval: 30s 16 | metricRelabelings: 17 | - action: drop 18 | regex: kube_endpoint_address_not_ready|kube_endpoint_address_available 19 | sourceLabels: 20 | - __name__ 21 | port: https-main 22 | relabelings: 23 | - action: labeldrop 24 | regex: (pod|service|endpoint|namespace) 25 | scheme: https 26 | scrapeTimeout: 30s 27 | tlsConfig: 28 | insecureSkipVerify: true 29 | - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token 30 | interval: 30s 31 | port: https-self 32 | scheme: https 33 | tlsConfig: 34 | insecureSkipVerify: true 35 | jobLabel: app.kubernetes.io/name 36 | selector: 37 | matchLabels: 38 | app.kubernetes.io/component: exporter 39 | app.kubernetes.io/name: kube-state-metrics 40 | app.kubernetes.io/part-of: kube-prometheus 41 | -------------------------------------------------------------------------------- /jenkins/scripts/bare_metal_lab/README.md: -------------------------------------------------------------------------------- 1 | # Baremetal Lab Setup 2 | 3 | The Bare Metal Lab needs some special treatment compared to other pipelines 4 | since it does not use VMs for the target cluster. 
This is taken care of in the 5 | `deploy-lab.yaml` playbook. 6 | 7 | ## Ansible installation 8 | 9 | `sudo pip3 install ansible` 10 | 11 | ## Running the playbook 12 | 13 | * Comment/uncomment the hosts you want to use in the `vars` section of 14 | `deploy-lab.yaml` 15 | * Set environment variables `BML_ILO_USERNAME` and `BML_ILO_PASSWORD` for the 16 | login to the bare metal hosts 17 | 18 | Then: 19 | 20 | `ansible-playbook ./deploy-lab.yaml -u --ask-become-pass` 21 | 22 | ## Running tests for pull requests on Github 23 | 24 | You can trigger builds to run in the bare metal lab by adding the following 25 | line as a comment on the PR: 26 | 27 | ```text 28 | /test-integration-bml-centos 29 | ``` 30 | 31 | **Note:** Concurrent builds are disabled for the BML, since they would run on 32 | the same host and interfere with each other. This means that if there is already 33 | one build job running in the BML, a new one will not start before the first has 34 | finished. Github won't show the usual *Details* link for this specific run but 35 | build status can be checked from the 36 | [Jenkins dashboard](https://jenkins.nordix.org/job/metal3-bml-integration-test-centos/) 37 | where the build will be scheduled and stay in pending at this time. 38 | Once the build starts, the status will be updated with a link. 
39 | -------------------------------------------------------------------------------- /prow/config/jobs/metal3-io/metal3-docs.yaml: -------------------------------------------------------------------------------- 1 | presubmits: 2 | metal3-io/metal3-docs: 3 | - name: markdownlint 4 | run_if_changed: '(\.md|markdownlint\.sh)$' 5 | decorate: true 6 | spec: 7 | containers: 8 | - args: 9 | - ./hack/markdownlint.sh 10 | command: 11 | - sh 12 | env: 13 | - name: IS_CONTAINER 14 | value: "TRUE" 15 | image: docker.io/pipelinecomponents/markdownlint-cli2:0.12.0@sha256:a3977fba9814f10d33a1d69ae607dc808e7a6470b2ba03e84c17193c0791aac0 16 | imagePullPolicy: Always 17 | - name: shellcheck 18 | run_if_changed: '((\.sh)|^Makefile)$' 19 | decorate: true 20 | spec: 21 | containers: 22 | - args: 23 | - ./hack/shellcheck.sh 24 | command: 25 | - sh 26 | env: 27 | - name: IS_CONTAINER 28 | value: "TRUE" 29 | image: docker.io/koalaman/shellcheck-alpine:v0.10.0@sha256:5921d946dac740cbeec2fb1c898747b6105e585130cc7f0602eec9a10f7ddb63 30 | imagePullPolicy: Always 31 | - name: spellcheck 32 | run_if_changed: '(\.md|spellcheck\.sh|.cspell-config.json)$' 33 | decorate: true 34 | spec: 35 | containers: 36 | - args: 37 | - ./hack/spellcheck.sh 38 | command: 39 | - sh 40 | env: 41 | - name: IS_CONTAINER 42 | value: "TRUE" 43 | image: ghcr.io/streetsidesoftware/cspell:8.13.3@sha256:03df0e485775a43531c9c0e829227f39b3380796e92faab4166137dc5712d40a 44 | imagePullPolicy: Always 45 | -------------------------------------------------------------------------------- /jenkins/image_building/dib_elements/ubuntu-node/README.md: -------------------------------------------------------------------------------- 1 | # ubuntu-node element 2 | 3 | 4 | 5 | ## Overview 6 | 7 | **ubuntu-node** element installs packages and makes configuration changes 8 | specifically for ubuntu-node images. 
This element consists of three 9 | shell scripts: ***setup-repos*** which runs during the pre-install.d phase, 10 | and ***install*** which runs during the install.d phase. Finally 11 | ***pre-pull-images*** which runs during the post-install step. 12 | 13 | Note that cloud-init datasource defaults to EC2 exclusively. 14 | Which is different from a fresh Ubuntu installation that usually has all 15 | different options. This can be set with env variable `DIB_CLOUD_INIT_DATASOURCES`. 16 | See cloud-init element documentation for more information 17 | [cloud-init documentation](https://docs.openstack.org/diskimage-builder/latest/elements/cloud-init/README.html) 18 | 19 | ## Depends 20 | 21 | * [ubuntu](https://docs.openstack.org/diskimage-builder/latest/elements/ubuntu/README.html) 22 | * [base](https://docs.openstack.org/diskimage-builder/latest/elements/base/README.html) 23 | * [vm](https://docs.openstack.org/diskimage-builder/latest/elements/vm/README.html) 24 | * [openssh-server](https://docs.openstack.org/diskimage-builder/latest/elements/openssh-server/README.html) 25 | * [modprobe](https://docs.openstack.org/diskimage-builder/latest/elements/modprobe/README.html) 26 | * [package-installs](https://docs.openstack.org/diskimage-builder/latest/elements/package-installs/README.html) 27 | -------------------------------------------------------------------------------- /prow/config/jobs/metal3-io/metal3-io.github.io.yaml: -------------------------------------------------------------------------------- 1 | presubmits: 2 | metal3-io/metal3-io.github.io: 3 | - name: shellcheck 4 | run_if_changed: '((\.sh)|^Makefile)$' 5 | decorate: true 6 | spec: 7 | containers: 8 | - args: 9 | - ./hack/shellcheck.sh 10 | command: 11 | - sh 12 | env: 13 | - name: IS_CONTAINER 14 | value: "TRUE" 15 | image: docker.io/koalaman/shellcheck-alpine:v0.10.0@sha256:5921d946dac740cbeec2fb1c898747b6105e585130cc7f0602eec9a10f7ddb63 16 | imagePullPolicy: Always 17 | - name: markdownlint 18 | 
run_if_changed: '(\.md|markdownlint\.sh)$' 19 | decorate: true 20 | spec: 21 | containers: 22 | - args: 23 | - ./hack/markdownlint.sh 24 | command: 25 | - sh 26 | env: 27 | - name: IS_CONTAINER 28 | value: "TRUE" 29 | image: docker.io/pipelinecomponents/markdownlint-cli2:0.12.0@sha256:a3977fba9814f10d33a1d69ae607dc808e7a6470b2ba03e84c17193c0791aac0 30 | imagePullPolicy: Always 31 | - name: spellcheck 32 | run_if_changed: '(\.md|spellcheck\.sh|.cspell-config.json)$' 33 | decorate: true 34 | spec: 35 | containers: 36 | - args: 37 | - ./hack/spellcheck.sh 38 | command: 39 | - sh 40 | env: 41 | - name: IS_CONTAINER 42 | value: "TRUE" 43 | image: ghcr.io/streetsidesoftware/cspell:8.13.3@sha256:03df0e485775a43531c9c0e829227f39b3380796e92faab4166137dc5712d40a 44 | imagePullPolicy: Always 45 | -------------------------------------------------------------------------------- /DCO: -------------------------------------------------------------------------------- 1 | Developer Certificate of Origin 2 | Version 1.1 3 | 4 | Copyright (C) 2004, 2006 The Linux Foundation and its contributors. 5 | 1 Letterman Drive 6 | Suite D4700 7 | San Francisco, CA, 94129 8 | 9 | Everyone is permitted to copy and distribute verbatim copies of this 10 | license document, but changing it is not allowed. 
11 | 12 | 13 | Developer's Certificate of Origin 1.1 14 | 15 | By making a contribution to this project, I certify that: 16 | 17 | (a) The contribution was created in whole or in part by me and I 18 | have the right to submit it under the open source license 19 | indicated in the file; or 20 | 21 | (b) The contribution is based upon previous work that, to the best 22 | of my knowledge, is covered under an appropriate open source 23 | license and I have the right under that license to submit that 24 | work with modifications, whether created in whole or in part 25 | by me, under the same open source license (unless I am 26 | permitted to submit under a different license), as indicated 27 | in the file; or 28 | 29 | (c) The contribution was provided directly to me by some other 30 | person who certified (a), (b) or (c) and I have not modified 31 | it. 32 | 33 | (d) I understand and agree that this project and the contribution 34 | are public and that a record of the contribution (including all 35 | personal information I submit with it, including my sign-off) is 36 | maintained indefinitely and may be redistributed consistent with 37 | this project or the open source license(s) involved. 
38 | -------------------------------------------------------------------------------- /.github/workflows/pr-gh-workflow-approve.yaml: -------------------------------------------------------------------------------- 1 | # adapted from github.com/kubernetes-sigs/cluster-api/.github/workflows/pr-gh-workflow-approve.yaml 2 | # this workflow approves workflows if the PR has /ok-to-test 3 | # related Prow feature request https://github.com/kubernetes/test-infra/issues/25210 4 | 5 | name: Approve GH Workflows 6 | 7 | on: 8 | pull_request_target: 9 | types: [opened, edited, reopened, synchronize, ready_for_review] 10 | 11 | permissions: {} 12 | 13 | jobs: 14 | approve: 15 | name: Approve on ok-to-test 16 | runs-on: ubuntu-latest 17 | 18 | permissions: 19 | actions: write 20 | 21 | if: contains(github.event.pull_request.labels.*.name, 'ok-to-test') 22 | steps: 23 | - name: Update PR 24 | uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0 25 | continue-on-error: true 26 | with: 27 | github-token: ${{ secrets.GITHUB_TOKEN }} 28 | script: | 29 | const result = await github.rest.actions.listWorkflowRunsForRepo({ 30 | owner: context.repo.owner, 31 | repo: context.repo.repo, 32 | event: "pull_request", 33 | status: "action_required", 34 | head_sha: context.payload.pull_request.head.sha, 35 | per_page: 100 36 | }); 37 | 38 | for (var run of result.data.workflow_runs) { 39 | await github.rest.actions.approveWorkflowRun({ 40 | owner: context.repo.owner, 41 | repo: context.repo.repo, 42 | run_id: run.id 43 | }); 44 | } 45 | -------------------------------------------------------------------------------- /prow/infra/kube-prometheus/manifests/grafana-prometheusRule.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: monitoring.coreos.com/v1 2 | kind: PrometheusRule 3 | metadata: 4 | labels: 5 | app.kubernetes.io/component: grafana 6 | app.kubernetes.io/name: grafana 7 | app.kubernetes.io/part-of: 
kube-prometheus 8 | app.kubernetes.io/version: 11.2.0 9 | prometheus: k8s 10 | role: alert-rules 11 | name: grafana-rules 12 | namespace: monitoring 13 | spec: 14 | groups: 15 | - name: GrafanaAlerts 16 | rules: 17 | - alert: GrafanaRequestsFailing 18 | annotations: 19 | message: '{{ $labels.namespace }}/{{ $labels.job }}/{{ $labels.handler }} is experiencing {{ $value | humanize }}% errors' 20 | runbook_url: https://runbooks.prometheus-operator.dev/runbooks/grafana/grafanarequestsfailing 21 | expr: | 22 | 100 * sum without (status_code) (namespace_job_handler_statuscode:grafana_http_request_duration_seconds_count:rate5m{handler!~"/api/datasources/proxy/:id.*|/api/ds/query|/api/tsdb/query", status_code=~"5.."}) 23 | / 24 | sum without (status_code) (namespace_job_handler_statuscode:grafana_http_request_duration_seconds_count:rate5m{handler!~"/api/datasources/proxy/:id.*|/api/ds/query|/api/tsdb/query"}) 25 | > 50 26 | for: 5m 27 | labels: 28 | severity: warning 29 | - name: grafana_rules 30 | rules: 31 | - expr: | 32 | sum by (namespace, job, handler, status_code) (rate(grafana_http_request_duration_seconds_count[5m])) 33 | record: namespace_job_handler_statuscode:grafana_http_request_duration_seconds_count:rate5m 34 | -------------------------------------------------------------------------------- /prow/manifests/base/ghproxy.yaml: -------------------------------------------------------------------------------- 1 | kind: PersistentVolumeClaim 2 | apiVersion: v1 3 | metadata: 4 | namespace: prow 5 | labels: 6 | app: ghproxy 7 | name: ghproxy 8 | spec: 9 | accessModes: 10 | - ReadWriteOnce 11 | resources: 12 | requests: 13 | storage: 100Gi 14 | --- 15 | apiVersion: apps/v1 16 | kind: Deployment 17 | metadata: 18 | namespace: prow 19 | name: ghproxy 20 | labels: 21 | app: ghproxy 22 | spec: 23 | selector: 24 | matchLabels: 25 | app: ghproxy 26 | strategy: 27 | type: Recreate 28 | # GHProxy does not support HA 29 | replicas: 1 30 | template: 31 | metadata: 32 | labels: 
33 | app: ghproxy 34 | spec: 35 | containers: 36 | - name: ghproxy 37 | image: us-docker.pkg.dev/k8s-infra-prow/images/ghproxy:v20251125-e3ae8cf22 38 | args: 39 | - --cache-dir=/cache 40 | - --cache-sizeGB=99 41 | - --serve-metrics=true 42 | - --legacy-disable-disk-cache-partitions-by-auth-header=false 43 | ports: 44 | - containerPort: 8888 45 | volumeMounts: 46 | - name: cache 47 | mountPath: /cache 48 | volumes: 49 | - name: cache 50 | persistentVolumeClaim: 51 | claimName: ghproxy 52 | --- 53 | apiVersion: v1 54 | kind: Service 55 | metadata: 56 | labels: 57 | app: ghproxy 58 | namespace: prow 59 | name: ghproxy 60 | spec: 61 | ports: 62 | - name: main 63 | port: 80 64 | protocol: TCP 65 | targetPort: 8888 66 | - name: metrics 67 | port: 9090 68 | selector: 69 | app: ghproxy 70 | type: ClusterIP 71 | -------------------------------------------------------------------------------- /jenkins/image_building/initrd_sdk/verify-realroot.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -eu 4 | 5 | # This script is used to provide a controlled wait loop in order to give time 6 | # to other services to prepare the root file system. 7 | # Arguments: 8 | # - timeout: number of verification retries with 1 sec waits each 9 | timeout="${1:-60}" 10 | declare -i counter 11 | counter=0 12 | while true; do 13 | if [[ "${counter}" -ge "${timeout}" ]]; then 14 | printf "Root stiching verification timeout %ds has been reached" \ 15 | "${counter}" 16 | exit 1 17 | fi 18 | if [[ -r "/realroot/bin" ]]; then 19 | printf "INFO: Realroot mount point is present.\n" 20 | # /tmp/crypt_config is created by the unlock script that supposed to 21 | # run in an earlier stage 22 | if [[ ! 
-r "/tmp/crypt_config" ]]; then 23 | printf "INFO: Config drive is not encrypted.\n" 24 | break 25 | elif [[ -r "/dev/mapper/config-2" ]]; then 26 | printf "INFO: Config drive has been unlocked.\n" 27 | break 28 | fi 29 | else 30 | printf "INFO: Waiting for realroot and/or config drive!\n" 31 | # Introduce a 1-second delay using the read command 32 | # sleep might not be available but this way we stress 33 | # the CPU less 34 | counter=$((++counter)) 35 | read -r -t 1 < /dev/zero || true 36 | fi 37 | done 38 | 39 | # Prepare for switching 40 | # Execute operations that help the root switching go more smoothly 41 | 42 | mount --bind /dev /realroot/dev 43 | mount --bind /proc /realroot/proc 44 | mount --bind /sys /realroot/sys 45 | mount --bind /run /realroot/run 46 | -------------------------------------------------------------------------------- /.github/workflows/scheduled-link-check.yml: -------------------------------------------------------------------------------- 1 | name: Scheduled Check Links 2 | 3 | on: 4 | workflow_dispatch: 5 | schedule: 6 | - cron: "0 0 1 * *" 7 | repository_dispatch: 8 | # run manually 9 | types: [check-links] 10 | workflow_call: 11 | 12 | permissions: {} 13 | 14 | jobs: 15 | check-links: 16 | runs-on: ubuntu-latest 17 | 18 | permissions: 19 | contents: read 20 | issues: write 21 | 22 | steps: 23 | - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 24 | 25 | - name: Link Checker 26 | id: linkcheck 27 | uses: lycheeverse/lychee-action@a8c4c7cb88f0c7386610c35eb25108e448569cb0 # v2.7.0 28 | env: 29 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 30 | with: 31 | args: | 32 | --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Brave/131" 33 | --root-dir "$(pwd)/" 34 | --fallback-extensions "md" 35 | --github-token "${{ secrets.GITHUB_TOKEN }}" 36 | --max-concurrency 8 37 | --max-retries 5 38 | --retry-wait-time 10 39 | --insecure 40 | 
--exclude-all-private 41 | --no-progress 42 | "./**/*.md" 43 | output: /tmp/lychee_output.md 44 | fail: false 45 | 46 | - name: Create Issue From File 47 | if: steps.linkcheck.outputs.exit_code != 0 48 | uses: peter-evans/create-issue-from-file@e8ef132d6df98ed982188e460ebb3b5d4ef3a9cd # v5.0.1 49 | with: 50 | title: Link Checker Report 51 | content-filepath: /tmp/lychee_output.md 52 | labels: | 53 | kind/bug 54 | -------------------------------------------------------------------------------- /prow/capo-cluster/openstackmachinetemplates.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: infrastructure.cluster.x-k8s.io/v1beta1 2 | kind: OpenStackMachineTemplate 3 | metadata: 4 | name: prow-control-plane-v1-32-5 5 | spec: 6 | template: 7 | spec: 8 | flavor: c4m12-est 9 | identityRef: 10 | cloudName: prow 11 | name: prow-cloud-config 12 | image: 13 | filter: 14 | name: ubuntu-2404-kube-v1.32.5 15 | sshKeyName: prow 16 | --- 17 | apiVersion: infrastructure.cluster.x-k8s.io/v1beta1 18 | kind: OpenStackMachineTemplate 19 | metadata: 20 | name: prow-worker-v1-32-5 21 | spec: 22 | template: 23 | spec: 24 | flavor: c8m24-est 25 | identityRef: 26 | cloudName: prow 27 | name: prow-cloud-config 28 | image: 29 | filter: 30 | name: ubuntu-2404-kube-v1.32.5 31 | sshKeyName: prow 32 | --- 33 | apiVersion: infrastructure.cluster.x-k8s.io/v1beta1 34 | kind: OpenStackMachineTemplate 35 | metadata: 36 | name: prow-control-plane-v1-33-5 37 | spec: 38 | template: 39 | spec: 40 | flavor: c4m12-est 41 | identityRef: 42 | cloudName: prow 43 | name: prow-cloud-config 44 | image: 45 | filter: 46 | name: ubuntu-2404-kube-v1.33.5 47 | sshKeyName: prow 48 | --- 49 | apiVersion: infrastructure.cluster.x-k8s.io/v1beta1 50 | kind: OpenStackMachineTemplate 51 | metadata: 52 | name: prow-worker-v1-33-5 53 | spec: 54 | template: 55 | spec: 56 | flavor: c8m24-est 57 | identityRef: 58 | cloudName: prow 59 | name: prow-cloud-config 60 | image: 61 | 
filter: 62 | name: ubuntu-2404-kube-v1.33.5 63 | sshKeyName: prow 64 | -------------------------------------------------------------------------------- /prow/infra/kube-prometheus/manifests/alertmanager-secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | labels: 5 | app.kubernetes.io/component: alert-router 6 | app.kubernetes.io/instance: main 7 | app.kubernetes.io/name: alertmanager 8 | app.kubernetes.io/part-of: kube-prometheus 9 | app.kubernetes.io/version: 0.27.0 10 | name: alertmanager-main 11 | namespace: monitoring 12 | stringData: 13 | alertmanager.yaml: |- 14 | "global": 15 | "resolve_timeout": "5m" 16 | "inhibit_rules": 17 | - "equal": 18 | - "namespace" 19 | - "alertname" 20 | "source_matchers": 21 | - "severity = critical" 22 | "target_matchers": 23 | - "severity =~ warning|info" 24 | - "equal": 25 | - "namespace" 26 | - "alertname" 27 | "source_matchers": 28 | - "severity = warning" 29 | "target_matchers": 30 | - "severity = info" 31 | - "equal": 32 | - "namespace" 33 | "source_matchers": 34 | - "alertname = InfoInhibitor" 35 | "target_matchers": 36 | - "severity = info" 37 | "receivers": 38 | - "name": "Default" 39 | - "name": "Watchdog" 40 | - "name": "Critical" 41 | - "name": "null" 42 | "route": 43 | "group_by": 44 | - "namespace" 45 | "group_interval": "5m" 46 | "group_wait": "30s" 47 | "receiver": "Default" 48 | "repeat_interval": "12h" 49 | "routes": 50 | - "matchers": 51 | - "alertname = Watchdog" 52 | "receiver": "Watchdog" 53 | - "matchers": 54 | - "alertname = InfoInhibitor" 55 | "receiver": "null" 56 | - "matchers": 57 | - "severity = critical" 58 | "receiver": "Critical" 59 | type: Opaque 60 | -------------------------------------------------------------------------------- /jenkins/image_building/dib_elements/ubuntu-ci/install.d/55-install: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 
| 3 | set -euxo pipefail 4 | 5 | sudo apt-get update 6 | sudo apt-get install -y \ 7 | coreutils \ 8 | apt-transport-https \ 9 | ca-certificates \ 10 | gnupg-agent \ 11 | software-properties-common \ 12 | openssl \ 13 | python-is-python3 \ 14 | chrony \ 15 | qemu-system \ 16 | qemu-utils 17 | 18 | # Configure 19 | sudo chronyc -a 'burst 4/4' && sudo chronyc -a makestep 20 | sudo systemctl enable chrony 21 | sudo systemctl start chrony 22 | 23 | # Enable nested virtualization 24 | sudo bash -c 'cat << EOF > /etc/modprobe.d/qemu-system-x86.conf 25 | options kvm-intel nested=y enable_apicv=n 26 | EOF' 27 | echo "Reboot required" 28 | 29 | # Install Docker 30 | sudo mkdir -m 0755 -p /etc/apt/keyrings 31 | curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg 32 | sudo echo \ 33 | "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \ 34 | $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list 35 | 36 | sudo apt-get update 37 | sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin jq -y 38 | sudo groupadd docker || true 39 | sudo usermod -aG docker metal3ci || true 40 | sudo systemctl enable docker 41 | 42 | # Configure Docker daemon with BuildKit support 43 | sudo mkdir -p /etc/docker 44 | sudo tee /etc/docker/daemon.json <> /home/metal3ci/.bashrc' 56 | 57 | # Add metal3ci user to libvirt group 58 | sudo adduser metal3ci libvirt 59 | -------------------------------------------------------------------------------- /prow/config/jobs/metal3-io/ironic-image.yaml: -------------------------------------------------------------------------------- 1 | presubmits: 2 | metal3-io/ironic-image: 3 | - name: shellcheck 4 | branches: 5 | - main 6 | run_if_changed: '((\.sh)|^Makefile)$' 7 | decorate: true 8 | spec: 9 | containers: 10 | - args: 11 | - ./hack/shellcheck.sh 12 | command: 13 | - sh 14 | env: 15 | - name: 
IS_CONTAINER 16 | value: "TRUE" 17 | image: docker.io/koalaman/shellcheck-alpine:v0.10.0@sha256:5921d946dac740cbeec2fb1c898747b6105e585130cc7f0602eec9a10f7ddb63 18 | imagePullPolicy: Always 19 | - name: markdownlint 20 | branches: 21 | - main 22 | run_if_changed: '(\.md|markdownlint\.sh)$' 23 | decorate: true 24 | spec: 25 | containers: 26 | - args: 27 | - ./hack/markdownlint.sh 28 | command: 29 | - sh 30 | env: 31 | - name: IS_CONTAINER 32 | value: "TRUE" 33 | image: docker.io/pipelinecomponents/markdownlint-cli2:0.12.0@sha256:a3977fba9814f10d33a1d69ae607dc808e7a6470b2ba03e84c17193c0791aac0 34 | imagePullPolicy: Always 35 | # name: {job_prefix}-{image_os}-e2e-integration-test-{capm3_target_branch} 36 | - name: metal3-centos-e2e-integration-test-main 37 | branches: 38 | - main 39 | agent: jenkins 40 | always_run: false 41 | optional: false 42 | - name: metal3-ubuntu-e2e-integration-test-main 43 | branches: 44 | - main 45 | agent: jenkins 46 | always_run: false 47 | optional: false 48 | - name: metal3-dev-env-integration-test-centos-main 49 | branches: 50 | - main 51 | agent: jenkins 52 | always_run: false 53 | optional: true 54 | - name: metal3-dev-env-integration-test-ubuntu-main 55 | branches: 56 | - main 57 | agent: jenkins 58 | always_run: false 59 | optional: true 60 | -------------------------------------------------------------------------------- /prow/config/jobs/metal3-io/ironic-image-release-27.0.yaml: -------------------------------------------------------------------------------- 1 | presubmits: 2 | metal3-io/ironic-image: 3 | - name: shellcheck 4 | branches: 5 | - release-27.0 6 | run_if_changed: '((\.sh)|^Makefile)$' 7 | decorate: true 8 | spec: 9 | containers: 10 | - args: 11 | - ./hack/shellcheck.sh 12 | command: 13 | - sh 14 | env: 15 | - name: IS_CONTAINER 16 | value: "TRUE" 17 | image: docker.io/koalaman/shellcheck-alpine:v0.10.0@sha256:5921d946dac740cbeec2fb1c898747b6105e585130cc7f0602eec9a10f7ddb63 18 | imagePullPolicy: Always 19 | - name: 
markdownlint 20 | branches: 21 | - release-27.0 22 | run_if_changed: '(\.md|markdownlint\.sh)$' 23 | decorate: true 24 | spec: 25 | containers: 26 | - args: 27 | - ./hack/markdownlint.sh 28 | command: 29 | - sh 30 | env: 31 | - name: IS_CONTAINER 32 | value: "TRUE" 33 | image: docker.io/pipelinecomponents/markdownlint-cli2:0.12.0@sha256:a3977fba9814f10d33a1d69ae607dc808e7a6470b2ba03e84c17193c0791aac0 34 | imagePullPolicy: Always 35 | - name: metal3-centos-e2e-integration-test-release-1-9 36 | branches: 37 | - release-27.0 38 | agent: jenkins 39 | always_run: false 40 | optional: false 41 | - name: metal3-ubuntu-e2e-integration-test-release-1-9 42 | branches: 43 | - release-27.0 44 | agent: jenkins 45 | always_run: false 46 | optional: false 47 | - name: metal3-dev-env-integration-test-centos-release-1-9 48 | branches: 49 | - release-27.0 50 | agent: jenkins 51 | always_run: false 52 | optional: true 53 | - name: metal3-dev-env-integration-test-ubuntu-release-1-9 54 | branches: 55 | - release-27.0 56 | agent: jenkins 57 | always_run: false 58 | optional: true 59 | -------------------------------------------------------------------------------- /prow/manifests/overlays/metal3/external-plugins/labels_cronjob.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2017 The Kubernetes Authors All rights reserved. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
apiVersion: batch/v1
kind: CronJob
metadata:
  name: label-sync
  namespace: prow
spec:
  schedule: "0 0 * * *" # Run once a day
  concurrencyPolicy: Forbid
  jobTemplate:
    metadata:
      labels:
        app: label-sync
    spec:
      template:
        spec:
          containers:
          - name: label-sync
            # NOTE(review): tag-only image reference; the presubmit job images
            # elsewhere in this repo are pinned with an @sha256 digest, consider
            # doing the same here so a re-pushed tag cannot change what runs.
            image: gcr.io/k8s-staging-test-infra/label_sync:v20251031-d6af3d3e19
            args:
            - --config=/etc/config/labels.yaml
            - --confirm=true
            - --orgs=metal3-io
            - --token=/etc/github/token
            volumeMounts:
            - name: github-token
              mountPath: /etc/github
              readOnly: true
            - name: config
              mountPath: /etc/config
              readOnly: true
          restartPolicy: Never
          volumes:
          - name: github-token
            secret:
              secretName: github-token
          - name: config
            configMap:
              name: label-config
--------------------------------------------------------------------------------
/jenkins/scripts/dynamic_worker_workflow/fullstack.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# fullstack.sh - top-level driver for the dynamic-worker "full stack" CI run.
#
# It first runs the Ironic image build (fullstack_build_ironic.sh, located next
# to this file) and then hands over to the IPA/CAPI/CAPM3/IPAM/BMO/dev-env
# build-deploy-test script, whose file name comes from IPA_BUILDER_SCRIPT_NAME
# (default: build_ipa.sh). Every *_REPO / *_BRANCH / *_COMMIT / BUILD_*_LOCALLY
# variable below is an environment override with a built-in default.
#
# Fail the script if any command fails
set -eu

# Directory containing this script (symlinks resolved); both child scripts are
# looked up relative to it.
CI_DIR="$(dirname "$(readlink -f "${0}")")"
# NOTE(review): taken verbatim from the environment and executed below as
# "${CI_DIR}/${IPA_BUILDER_SCRIPT_NAME}"; nothing restricts it to a plain file
# name inside CI_DIR, so the job environment is fully trusted here.
IPA_BUILDER_SCRIPT_NAME="${IPA_BUILDER_SCRIPT_NAME:-build_ipa.sh}"

echo "Running Ironic image building script"
"${CI_DIR}/fullstack_build_ironic.sh"

# Source repositories, branches and commits of the components under test.
# NOTE(review): none of these assignments is exported and the build script is
# run as a child process, so a default assigned here only reaches it when the
# variable was already present in the environment (in which case it stays
# exported with that value). Confirm the child script carries the same
# defaults before relying on the values below.
# NOTE(review): branches default to main/master and every *_COMMIT defaults to
# HEAD, i.e. the run is not pinned to a specific revision of any component;
# pin these for any job whose result is meant to be reproducible.
IPA_REPO="${IPA_REPO:-https://opendev.org/openstack/ironic-python-agent.git}"
IPA_BRANCH="${IPA_BRANCH:-master}"
IPA_BUILDER_REPO="${IPA_BUILDER_REPO:-https://opendev.org/openstack/ironic-python-agent-builder.git}"
IPA_BUILDER_BRANCH="${IPA_BUILDER_BRANCH:-master}"
IPA_BUILDER_COMMIT="${IPA_BUILDER_COMMIT:-HEAD}"
METAL3_DEV_ENV_REPO="${METAL3_DEV_ENV_REPO:-https://github.com/metal3-io/metal3-dev-env.git}"
METAL3_DEV_ENV_BRANCH="${METAL3_DEV_ENV_BRANCH:-main}"
METAL3_DEV_ENV_COMMIT="${METAL3_DEV_ENV_COMMIT:-HEAD}"
# NOTE(review): BMOREPO (no underscore) breaks the *_REPO naming pattern used by
# every other variable here; check the consumer's spelling before renaming it.
BMOREPO="${BMOREPO:-https://github.com/metal3-io/baremetal-operator.git}"
BMO_BRANCH="${BMO_BRANCH:-main}"
BMO_COMMIT="${BMO_COMMIT:-HEAD}"
CAPM3_REPO="${CAPM3_REPO:-https://github.com/metal3-io/cluster-api-provider-metal3.git}"
CAPM3_BRANCH="${CAPM3_BRANCH:-main}"
CAPM3_COMMIT="${CAPM3_COMMIT:-HEAD}"
IPAM_REPO="${IPAM_REPO:-https://github.com/metal3-io/ip-address-manager.git}"
IPAM_BRANCH="${IPAM_BRANCH:-main}"
IPAM_COMMIT="${IPAM_COMMIT:-HEAD}"
CAPI_REPO="${CAPI_REPO:-https://github.com/kubernetes-sigs/cluster-api.git}"
CAPI_BRANCH="${CAPI_BRANCH:-main}"
CAPI_COMMIT="${CAPI_COMMIT:-HEAD}"
# Whether each component is built locally; CAPI defaults to false, the rest to
# true. The same export caveat as above applies.
BUILD_CAPM3_LOCALLY="${BUILD_CAPM3_LOCALLY:-true}"
BUILD_BMO_LOCALLY="${BUILD_BMO_LOCALLY:-true}"
BUILD_IPAM_LOCALLY="${BUILD_IPAM_LOCALLY:-true}"
BUILD_CAPI_LOCALLY="${BUILD_CAPI_LOCALLY:-false}"

echo "Running IPA, CAPI, CAPM3, IPAM, BMO, DEV-ENV building, deploying, testing scripts"
"${CI_DIR}/${IPA_BUILDER_SCRIPT_NAME}"
--------------------------------------------------------------------------------
/prow/manifests/base/horologium.yaml:
--------------------------------------------------------------------------------
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: prow
  name: horologium
  labels:
    app: horologium
spec:
  replicas: 1 # Do not scale up.
10 | strategy: 11 | type: Recreate 12 | selector: 13 | matchLabels: 14 | app: horologium 15 | template: 16 | metadata: 17 | labels: 18 | app: horologium 19 | spec: 20 | serviceAccountName: "horologium" 21 | terminationGracePeriodSeconds: 30 22 | containers: 23 | - name: horologium 24 | image: us-docker.pkg.dev/k8s-infra-prow/images/horologium:v20251125-e3ae8cf22 25 | args: 26 | - --dry-run=false 27 | - --config-path=/etc/config/config.yaml 28 | - --job-config-path=/etc/job-config 29 | volumeMounts: 30 | - name: config 31 | mountPath: /etc/config 32 | readOnly: true 33 | - name: job-config 34 | mountPath: /etc/job-config 35 | readOnly: true 36 | volumes: 37 | - name: config 38 | configMap: 39 | name: config 40 | - name: job-config 41 | configMap: 42 | name: job-config 43 | --- 44 | kind: ServiceAccount 45 | apiVersion: v1 46 | metadata: 47 | namespace: prow 48 | name: "horologium" 49 | --- 50 | kind: Role 51 | apiVersion: rbac.authorization.k8s.io/v1 52 | metadata: 53 | namespace: prow 54 | name: "horologium" 55 | rules: 56 | - apiGroups: 57 | - "prow.k8s.io" 58 | resources: 59 | - prowjobs 60 | verbs: 61 | - create 62 | - list 63 | - watch 64 | --- 65 | kind: RoleBinding 66 | apiVersion: rbac.authorization.k8s.io/v1 67 | metadata: 68 | namespace: prow 69 | name: "horologium" 70 | roleRef: 71 | apiGroup: rbac.authorization.k8s.io 72 | kind: Role 73 | name: "horologium" 74 | subjects: 75 | - kind: ServiceAccount 76 | name: "horologium" 77 | -------------------------------------------------------------------------------- /jenkins/image_building/initrd_sdk/README.md: -------------------------------------------------------------------------------- 1 | # Initrd SDK 2 | 3 | 4 | 5 | The Initrd SDK folder contains scripts and documentation to help integrate 6 | features e.g. LUKS and TPM support into the linux "initrd/initramfs" of disk 7 | images built as part of the Metal3 project. 

This directory is a loose collection of scripts and notes that can be injected
at different stages of the image build and are eventually executed during the
boot process of a machine.

## Initrd environment

Initrd/initramfs images are usually built with a tool such as `dracut`. An
initrd is required to be as small as possible, so it usually lacks any kind of
user-space tooling.

## unlock-mount-luks.sh

This script can be injected into initramfs images that were built with
`dracut`; it relies on only two external tools, `blkid` and
`systemd-cryptsetup`. If an image was built with `dracut` and the `dracut`
`crypt` module is enabled, both `blkid` and `systemd-cryptsetup` should be
present in the initrd environment.

## unseal-and-open-luks.service

This is the systemd service unit that automatically starts
`unlock-mount-luks.sh`. The service has to be enabled with `systemctl enable`
during or after the initrd build process.

## verify-realroot.sh

This script provides a controlled wait loop that gives other systemd services
time to prepare the root file system. The intention is to have a deterministic
check/wait loop before the initrd root switch is initiated, in order to avoid
potential race conditions.
39 | 40 | This script has to be executed by the `initrd-switch-root.service` as a 41 | `ExecStartPre` option such as: 42 | `ExecStartPre=/bin/sh -c '/etc/verify-realroot.sh'` 43 | -------------------------------------------------------------------------------- /prow/config/jobs/metal3-io/ironic-image-release-29.0.yaml: -------------------------------------------------------------------------------- 1 | presubmits: 2 | metal3-io/ironic-image: 3 | - name: shellcheck 4 | branches: 5 | - release-29.0 6 | run_if_changed: '((\.sh)|^Makefile)$' 7 | decorate: true 8 | spec: 9 | containers: 10 | - args: 11 | - ./hack/shellcheck.sh 12 | command: 13 | - sh 14 | env: 15 | - name: IS_CONTAINER 16 | value: "TRUE" 17 | image: docker.io/koalaman/shellcheck-alpine:v0.10.0@sha256:5921d946dac740cbeec2fb1c898747b6105e585130cc7f0602eec9a10f7ddb63 18 | imagePullPolicy: Always 19 | - name: markdownlint 20 | branches: 21 | - release-29.0 22 | run_if_changed: '(\.md|markdownlint\.sh)$' 23 | decorate: true 24 | spec: 25 | containers: 26 | - args: 27 | - ./hack/markdownlint.sh 28 | command: 29 | - sh 30 | env: 31 | - name: IS_CONTAINER 32 | value: "TRUE" 33 | image: docker.io/pipelinecomponents/markdownlint-cli2:0.12.0@sha256:a3977fba9814f10d33a1d69ae607dc808e7a6470b2ba03e84c17193c0791aac0 34 | imagePullPolicy: Always 35 | # name: {job_prefix}-{image_os}-e2e-integration-test-{capm3_target_branch} 36 | - name: metal3-centos-e2e-integration-test-release-1-10 37 | branches: 38 | - release-29.0 39 | agent: jenkins 40 | always_run: false 41 | optional: false 42 | - name: metal3-ubuntu-e2e-integration-test-release-1-10 43 | branches: 44 | - release-29.0 45 | agent: jenkins 46 | always_run: false 47 | optional: false 48 | - name: metal3-dev-env-integration-test-centos-release-1-10 49 | branches: 50 | - release-29.0 51 | agent: jenkins 52 | always_run: false 53 | optional: true 54 | - name: metal3-dev-env-integration-test-ubuntu-release-1-10 55 | branches: 56 | - release-29.0 57 | agent: jenkins 58 
| always_run: false 59 | optional: true 60 | -------------------------------------------------------------------------------- /prow/config/jobs/metal3-io/ironic-image-release-31.0.yaml: -------------------------------------------------------------------------------- 1 | presubmits: 2 | metal3-io/ironic-image: 3 | - name: shellcheck 4 | branches: 5 | - release-31.0 6 | run_if_changed: '((\.sh)|^Makefile)$' 7 | decorate: true 8 | spec: 9 | containers: 10 | - args: 11 | - ./hack/shellcheck.sh 12 | command: 13 | - sh 14 | env: 15 | - name: IS_CONTAINER 16 | value: "TRUE" 17 | image: docker.io/koalaman/shellcheck-alpine:v0.10.0@sha256:5921d946dac740cbeec2fb1c898747b6105e585130cc7f0602eec9a10f7ddb63 18 | imagePullPolicy: Always 19 | - name: markdownlint 20 | branches: 21 | - release-31.0 22 | run_if_changed: '(\.md|markdownlint\.sh)$' 23 | decorate: true 24 | spec: 25 | containers: 26 | - args: 27 | - ./hack/markdownlint.sh 28 | command: 29 | - sh 30 | env: 31 | - name: IS_CONTAINER 32 | value: "TRUE" 33 | image: docker.io/pipelinecomponents/markdownlint-cli2:0.12.0@sha256:a3977fba9814f10d33a1d69ae607dc808e7a6470b2ba03e84c17193c0791aac0 34 | imagePullPolicy: Always 35 | # name: {job_prefix}-{image_os}-e2e-integration-test-{capm3_target_branch} 36 | - name: metal3-centos-e2e-integration-test-release-1-11 37 | branches: 38 | - release-31.0 39 | agent: jenkins 40 | always_run: false 41 | optional: false 42 | - name: metal3-ubuntu-e2e-integration-test-release-1-11 43 | branches: 44 | - release-31.0 45 | agent: jenkins 46 | always_run: false 47 | optional: false 48 | - name: metal3-dev-env-integration-test-centos-release-1-11 49 | branches: 50 | - release-31.0 51 | agent: jenkins 52 | always_run: false 53 | optional: true 54 | - name: metal3-dev-env-integration-test-ubuntu-release-1-11 55 | branches: 56 | - release-31.0 57 | agent: jenkins 58 | always_run: false 59 | optional: true 60 | -------------------------------------------------------------------------------- 
/prow/config/jobs/metal3-io/ironic-image-release-32.0.yaml: -------------------------------------------------------------------------------- 1 | presubmits: 2 | metal3-io/ironic-image: 3 | - name: shellcheck 4 | branches: 5 | - release-32.0 6 | run_if_changed: '((\.sh)|^Makefile)$' 7 | decorate: true 8 | spec: 9 | containers: 10 | - args: 11 | - ./hack/shellcheck.sh 12 | command: 13 | - sh 14 | env: 15 | - name: IS_CONTAINER 16 | value: "TRUE" 17 | image: docker.io/koalaman/shellcheck-alpine:v0.10.0@sha256:5921d946dac740cbeec2fb1c898747b6105e585130cc7f0602eec9a10f7ddb63 18 | imagePullPolicy: Always 19 | - name: markdownlint 20 | branches: 21 | - release-32.0 22 | run_if_changed: '(\.md|markdownlint\.sh)$' 23 | decorate: true 24 | spec: 25 | containers: 26 | - args: 27 | - ./hack/markdownlint.sh 28 | command: 29 | - sh 30 | env: 31 | - name: IS_CONTAINER 32 | value: "TRUE" 33 | image: docker.io/pipelinecomponents/markdownlint-cli2:0.12.0@sha256:a3977fba9814f10d33a1d69ae607dc808e7a6470b2ba03e84c17193c0791aac0 34 | imagePullPolicy: Always 35 | # name: {job_prefix}-{image_os}-e2e-integration-test-{capm3_target_branch} 36 | - name: metal3-centos-e2e-integration-test-release-1-11 37 | branches: 38 | - release-32.0 39 | agent: jenkins 40 | always_run: false 41 | optional: false 42 | - name: metal3-ubuntu-e2e-integration-test-release-1-11 43 | branches: 44 | - release-32.0 45 | agent: jenkins 46 | always_run: false 47 | optional: false 48 | - name: metal3-dev-env-integration-test-centos-release-1-11 49 | branches: 50 | - release-32.0 51 | agent: jenkins 52 | always_run: false 53 | optional: true 54 | - name: metal3-dev-env-integration-test-ubuntu-release-1-11 55 | branches: 56 | - release-32.0 57 | agent: jenkins 58 | always_run: false 59 | optional: true 60 | -------------------------------------------------------------------------------- /prow/config/jobs/metal3-io/ironic-image-release-33.0.yaml: 
-------------------------------------------------------------------------------- 1 | presubmits: 2 | metal3-io/ironic-image: 3 | - name: shellcheck 4 | branches: 5 | - release-33.0 6 | run_if_changed: '((\.sh)|^Makefile)$' 7 | decorate: true 8 | spec: 9 | containers: 10 | - args: 11 | - ./hack/shellcheck.sh 12 | command: 13 | - sh 14 | env: 15 | - name: IS_CONTAINER 16 | value: "TRUE" 17 | image: docker.io/koalaman/shellcheck-alpine:v0.10.0@sha256:5921d946dac740cbeec2fb1c898747b6105e585130cc7f0602eec9a10f7ddb63 18 | imagePullPolicy: Always 19 | - name: markdownlint 20 | branches: 21 | - release-33.0 22 | run_if_changed: '(\.md|markdownlint\.sh)$' 23 | decorate: true 24 | spec: 25 | containers: 26 | - args: 27 | - ./hack/markdownlint.sh 28 | command: 29 | - sh 30 | env: 31 | - name: IS_CONTAINER 32 | value: "TRUE" 33 | image: docker.io/pipelinecomponents/markdownlint-cli2:0.12.0@sha256:a3977fba9814f10d33a1d69ae607dc808e7a6470b2ba03e84c17193c0791aac0 34 | imagePullPolicy: Always 35 | # name: {job_prefix}-{image_os}-e2e-integration-test-{capm3_target_branch} 36 | - name: metal3-centos-e2e-integration-test-release-1-12 37 | branches: 38 | - release-33.0 39 | agent: jenkins 40 | always_run: false 41 | optional: false 42 | - name: metal3-ubuntu-e2e-integration-test-release-1-12 43 | branches: 44 | - release-33.0 45 | agent: jenkins 46 | always_run: false 47 | optional: false 48 | - name: metal3-dev-env-integration-test-centos-release-1-12 49 | branches: 50 | - release-33.0 51 | agent: jenkins 52 | always_run: false 53 | optional: true 54 | - name: metal3-dev-env-integration-test-ubuntu-release-1-12 55 | branches: 56 | - release-33.0 57 | agent: jenkins 58 | always_run: false 59 | optional: true 60 | -------------------------------------------------------------------------------- /prow/infra/kube-prometheus/manifests/prometheus-roleBindingSpecificNamespaces.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: 
rbac.authorization.k8s.io/v1 2 | items: 3 | - apiVersion: rbac.authorization.k8s.io/v1 4 | kind: RoleBinding 5 | metadata: 6 | labels: 7 | app.kubernetes.io/component: prometheus 8 | app.kubernetes.io/instance: k8s 9 | app.kubernetes.io/name: prometheus 10 | app.kubernetes.io/part-of: kube-prometheus 11 | app.kubernetes.io/version: 2.54.1 12 | name: prometheus-k8s 13 | namespace: default 14 | roleRef: 15 | apiGroup: rbac.authorization.k8s.io 16 | kind: Role 17 | name: prometheus-k8s 18 | subjects: 19 | - kind: ServiceAccount 20 | name: prometheus-k8s 21 | namespace: monitoring 22 | - apiVersion: rbac.authorization.k8s.io/v1 23 | kind: RoleBinding 24 | metadata: 25 | labels: 26 | app.kubernetes.io/component: prometheus 27 | app.kubernetes.io/instance: k8s 28 | app.kubernetes.io/name: prometheus 29 | app.kubernetes.io/part-of: kube-prometheus 30 | app.kubernetes.io/version: 2.54.1 31 | name: prometheus-k8s 32 | namespace: kube-system 33 | roleRef: 34 | apiGroup: rbac.authorization.k8s.io 35 | kind: Role 36 | name: prometheus-k8s 37 | subjects: 38 | - kind: ServiceAccount 39 | name: prometheus-k8s 40 | namespace: monitoring 41 | - apiVersion: rbac.authorization.k8s.io/v1 42 | kind: RoleBinding 43 | metadata: 44 | labels: 45 | app.kubernetes.io/component: prometheus 46 | app.kubernetes.io/instance: k8s 47 | app.kubernetes.io/name: prometheus 48 | app.kubernetes.io/part-of: kube-prometheus 49 | app.kubernetes.io/version: 2.54.1 50 | name: prometheus-k8s 51 | namespace: monitoring 52 | roleRef: 53 | apiGroup: rbac.authorization.k8s.io 54 | kind: Role 55 | name: prometheus-k8s 56 | subjects: 57 | - kind: ServiceAccount 58 | name: prometheus-k8s 59 | namespace: monitoring 60 | kind: RoleBindingList 61 | -------------------------------------------------------------------------------- /prow/infra/kube-prometheus/manifests/prometheus-prometheus.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: monitoring.coreos.com/v1 2 | 
kind: Prometheus 3 | metadata: 4 | labels: 5 | app.kubernetes.io/component: prometheus 6 | app.kubernetes.io/instance: k8s 7 | app.kubernetes.io/name: prometheus 8 | app.kubernetes.io/part-of: kube-prometheus 9 | app.kubernetes.io/version: 2.54.1 10 | name: k8s 11 | namespace: monitoring 12 | spec: 13 | alerting: 14 | alertmanagers: 15 | - apiVersion: v2 16 | name: alertmanager-main 17 | namespace: monitoring 18 | port: web 19 | enableFeatures: [] 20 | externalLabels: {} 21 | image: quay.io/prometheus/prometheus:v2.54.1 22 | nodeSelector: 23 | kubernetes.io/os: linux 24 | node-role.kubernetes.io/infra: "" 25 | podMetadata: 26 | labels: 27 | app.kubernetes.io/component: prometheus 28 | app.kubernetes.io/instance: k8s 29 | app.kubernetes.io/name: prometheus 30 | app.kubernetes.io/part-of: kube-prometheus 31 | app.kubernetes.io/version: 2.54.1 32 | podMonitorNamespaceSelector: {} 33 | podMonitorSelector: {} 34 | probeNamespaceSelector: {} 35 | probeSelector: {} 36 | replicas: 2 37 | resources: 38 | requests: 39 | memory: 400Mi 40 | retention: 30d 41 | ruleNamespaceSelector: {} 42 | ruleSelector: {} 43 | scrapeConfigNamespaceSelector: {} 44 | scrapeConfigSelector: {} 45 | securityContext: 46 | fsGroup: 2000 47 | runAsNonRoot: true 48 | runAsUser: 1000 49 | serviceAccountName: prometheus-k8s 50 | serviceMonitorNamespaceSelector: {} 51 | serviceMonitorSelector: {} 52 | storage: 53 | volumeClaimTemplate: 54 | apiVersion: v1 55 | kind: PersistentVolumeClaim 56 | spec: 57 | accessModes: 58 | - ReadWriteOnce 59 | resources: 60 | requests: 61 | storage: 100Gi 62 | storageClassName: csi-cinderplugin 63 | tolerations: 64 | - effect: NoSchedule 65 | key: node-role.kubernetes.io/infra 66 | operator: Exists 67 | version: 2.54.1 68 | -------------------------------------------------------------------------------- /jenkins/scripts/bare_metal_lab/default_vars/vars.yaml: -------------------------------------------------------------------------------- 1 | # Ensure provisioning host 
accepts all variables passed through ssh.
# Check that /etc/ssh/sshd_config on the provisioning host has the following line:
# AcceptEnv LANG LC_* BML_* GITHUB_TOKEN REPO_NAME PR_*
# Note: BML_ILO_PASSWORD and GITHUB_TOKEN are secrets forwarded this way. Keep the
# AcceptEnv list this narrow (never a blanket `AcceptEnv *`) and avoid dumping the
# remote environment into job logs: the values are readable by any process running
# as the same user on the provisioning host (e.g. via /proc/<pid>/environ).
bml_ilo_username: "{{ lookup('env', 'BML_ILO_USERNAME') }}"
bml_ilo_password: "{{ lookup('env', 'BML_ILO_PASSWORD') }}"
github_token: "{{ lookup('env', 'GITHUB_TOKEN') }}"
# If REPO_NAME == metal3-dev-env, clone into tested_repo; otherwise clone into metal3
metal3_dir: "{{ (lookup('env', 'REPO_NAME') == 'metal3-dev-env') | ternary('tested_repo', 'metal3') }}"
metal3_dev_env_repo: "{{ lookup('env', 'BML_METAL3_DEV_ENV_REPO') }}"
metal3_dev_env_branch: "{{ lookup('env', 'BML_METAL3_DEV_ENV_BRANCH') }}"
pr_id: "{{ lookup('env', 'PR_ID') }}"
# Fixed path under the shared /tmp; acceptable on a single-tenant lab host, but a
# per-run directory (e.g. from `mktemp -d`) avoids clashes between overlapping runs.
serial_log_location: "/tmp/BMLlog"
bare_metal_hosts:
  - id: "03"
    mac: b4:b5:2f:6d:89:d8
    ip: "192.168.1.24"
    rootDeviceHint: "/dev/disk/by-path/pci-0000:03:00.0-scsi-0:1:0:1"
  # - id: "04"
  #   mac: 80:c1:6e:7a:e8:10
  #   ip: "192.168.1.13"
  #   rootDeviceHint: "/dev/disk/by-path/pci-0000:03:00.0-scsi-0:1:0:0"
  - id: "05"
    mac: 80:c1:6e:7a:5a:a8
    ip: "192.168.1.14"
    rootDeviceHint: "/dev/disk/by-path/pci-0000:03:00.0-scsi-0:1:0:0"
  # - id: "06"
  #   mac: b4:b5:2f:6d:68:10
  #   ip: "192.168.1.15"
  #   rootDeviceHint: "/dev/disk/by-path/pci-0000:03:00.0-scsi-0:1:0:0"
  # - id: "07"
  #   mac: b4:b5:2f:6d:a9:d8
  #   ip: "192.168.1.16"
  #   rootDeviceHint: "/dev/disk/by-path/pci-0000:03:00.0-scsi-0:1:0:0"
  # - id: "14"
  #   mac: 6c:3b:e5:b5:03:c8
  #   ip: "192.168.1.32"
  #   rootDeviceHint: "/dev/disk/by-path/pci-0000:03:00.0-scsi-0:1:0:0"
  # - id: "15"
  #   mac: 10:60:4b:b4:be:00
  #   ip: "192.168.1.37"
  #   rootDeviceHint: "/dev/disk/by-path/pci-0000:03:00.0-scsi-0:1:0:0"
  # - id: "16"
  #   mac: b4:b5:2f:6f:01:40
  #   ip: "192.168.1.33"
  #   rootDeviceHint: "/dev/disk/by-path/pci-0000:03:00.0-scsi-0:1:0:0"
DHCP_HOSTS: "{{ bare_metal_hosts |
map(attribute='mac') | join(';') }}" 47 | DHCP_IGNORE: "tag:!known" 48 | -------------------------------------------------------------------------------- /jenkins/image_building/dib_elements/ubuntu-node/install.d/55-install: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -eux 4 | 5 | sudo cat </[section-name/] 16 | key: "prow-github-token/password" 17 | --- 18 | apiVersion: external-secrets.io/v1 19 | kind: ExternalSecret 20 | metadata: 21 | name: hmac-token 22 | namespace: prow 23 | spec: 24 | secretStoreRef: 25 | kind: ClusterSecretStore 26 | name: onepassword 27 | target: 28 | creationPolicy: Owner 29 | data: 30 | - secretKey: hmac 31 | remoteRef: 32 | # /[section-name/] 33 | key: "hmac-token/password" 34 | --- 35 | apiVersion: external-secrets.io/v1 36 | kind: ExternalSecret 37 | metadata: 38 | name: s3-credentials 39 | namespace: prow 40 | spec: 41 | secretStoreRef: 42 | kind: ClusterSecretStore 43 | name: onepassword 44 | target: 45 | creationPolicy: Owner 46 | data: 47 | - secretKey: service-account.json 48 | remoteRef: 49 | # /[section-name/] 50 | key: "s3-credentials/service-account.json" 51 | --- 52 | apiVersion: external-secrets.io/v1 53 | kind: ExternalSecret 54 | metadata: 55 | name: cherrypick-bot-github-token 56 | namespace: prow 57 | spec: 58 | secretStoreRef: 59 | kind: ClusterSecretStore 60 | name: onepassword 61 | target: 62 | creationPolicy: Owner 63 | data: 64 | - secretKey: token 65 | remoteRef: 66 | # /[section-name/] 67 | key: "prow-cherrypick-github-token/password" 68 | --- 69 | apiVersion: external-secrets.io/v1 70 | kind: ExternalSecret 71 | metadata: 72 | name: jenkins-token 73 | namespace: prow 74 | spec: 75 | secretStoreRef: 76 | kind: ClusterSecretStore 77 | name: onepassword 78 | target: 79 | creationPolicy: Owner 80 | data: 81 | - secretKey: token 82 | remoteRef: 83 | # /[section-name/] 84 | key: "prow-jenkins-token/password" 85 | 
-------------------------------------------------------------------------------- /prow/config/jobs/metal3-io/ironic-standalone-operator-release-0.6.yaml: -------------------------------------------------------------------------------- 1 | presubmits: 2 | metal3-io/ironic-standalone-operator: 3 | - name: gomod 4 | branches: 5 | - release-0.6 6 | skip_if_only_changed: '(((^|/)OWNERS)|((^|/)OWNERS_ALIASES)|(\.md))$' 7 | decorate: true 8 | spec: 9 | containers: 10 | - args: 11 | - ./hack/gomod.sh 12 | command: 13 | - sh 14 | env: 15 | - name: IS_CONTAINER 16 | value: "TRUE" 17 | image: docker.io/golang:1.24 18 | imagePullPolicy: Always 19 | - name: markdownlint 20 | branches: 21 | - release-0.6 22 | run_if_changed: '(\.md|markdownlint\.sh)$' 23 | decorate: true 24 | spec: 25 | containers: 26 | - args: 27 | - ./hack/markdownlint.sh 28 | command: 29 | - sh 30 | env: 31 | - name: IS_CONTAINER 32 | value: "TRUE" 33 | image: docker.io/pipelinecomponents/markdownlint-cli2:0.12.0@sha256:a3977fba9814f10d33a1d69ae607dc808e7a6470b2ba03e84c17193c0791aac0 34 | imagePullPolicy: Always 35 | - name: manifestlint 36 | branches: 37 | - release-0.6 38 | skip_if_only_changed: '(((^|/)OWNERS)|((^|/)OWNERS_ALIASES)|(\.md))$' 39 | decorate: true 40 | spec: 41 | containers: 42 | - args: 43 | - ./hack/manifestlint.sh 44 | command: 45 | - sh 46 | env: 47 | - name: IS_CONTAINER 48 | value: "TRUE" 49 | - name: KUBECONFORM_PATH 50 | value: "/" 51 | image: ghcr.io/yannh/kubeconform:v0.6.7-alpine@sha256:824e0c248809e4b2da2a768b16b107cf17ada88a89ec6aa6050e566ba93ebbc6 52 | imagePullPolicy: Always 53 | #NOTE(elfosardo): commented out until metal3-dev-env starts using IrSO 54 | # name: metal3-dev-env-integration-test-{image_os}-release-1-11 55 | # - name: metal3-dev-env-integration-test-ubuntu-release-1-11 56 | # branches: 57 | # - release-0.6 58 | # agent: jenkins 59 | # always_run: false 60 | # optional: true 61 | # - name: metal3-dev-env-integration-test-centos-release-1-11 62 | # branches: 63 | # 
- release-0.6 64 | # agent: jenkins 65 | # always_run: false 66 | # optional: true 67 | -------------------------------------------------------------------------------- /prow/manifests/overlays/metal3/external-plugins/cherrypicker_deployment.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 The Kubernetes Authors All rights reserved. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | apiVersion: apps/v1 16 | kind: Deployment 17 | metadata: 18 | namespace: prow 19 | name: cherrypicker 20 | labels: 21 | app: cherrypicker 22 | spec: 23 | replicas: 1 24 | strategy: 25 | type: RollingUpdate 26 | rollingUpdate: 27 | maxSurge: 1 28 | maxUnavailable: 1 29 | selector: 30 | matchLabels: 31 | app: cherrypicker 32 | template: 33 | metadata: 34 | labels: 35 | app: cherrypicker 36 | spec: 37 | serviceAccountName: "" 38 | serviceAccount: "" 39 | terminationGracePeriodSeconds: 180 40 | containers: 41 | - name: cherrypicker 42 | image: us-docker.pkg.dev/k8s-infra-prow/images/cherrypicker:v20251125-e3ae8cf22 43 | imagePullPolicy: Always 44 | args: 45 | - --github-token-path=/etc/github/token 46 | - --github-endpoint=http://ghproxy 47 | - --github-endpoint=https://api.github.com 48 | - --dry-run=false 49 | ports: 50 | - name: http 51 | containerPort: 8888 52 | volumeMounts: 53 | - name: hmac 54 | mountPath: /etc/webhook 55 | readOnly: true 56 | - name: github-token 57 | mountPath: 
/etc/github 58 | readOnly: true 59 | - name: tmp 60 | mountPath: /tmp 61 | volumes: 62 | - name: tmp 63 | emptyDir: {} 64 | - name: hmac 65 | secret: 66 | secretName: hmac-token 67 | - name: github-token 68 | secret: 69 | secretName: cherrypick-bot-github-token 70 | -------------------------------------------------------------------------------- /jenkins/image_building/dib_elements/ci-base/pkg-map: -------------------------------------------------------------------------------- 1 | { 2 | "release": { 3 | "ubuntu": { 4 | "24.04": { 5 | "ntp": "chrony" 6 | } 7 | } 8 | }, 9 | "family": { 10 | "redhat": { 11 | "bash-completion":"bash-completion", 12 | "build-essential":"", 13 | "curl": "curl", 14 | "dnsmasq":"dnsmasq", 15 | "git": "git", 16 | "libguestfs-tools":"libguestfs-tools", 17 | "libvirt-daemon-system":"", 18 | "make": "make", 19 | "openjdk-21-jre": "java-21-openjdk", 20 | "ovmf":"edk2-ovmf", 21 | "python3": "python3", 22 | "python3-pip":"python3-pip", 23 | "qemu-kvm":"qemu-kvm", 24 | "tree": "tree", 25 | "vim": "vim-enhanced", 26 | "virt-manager": "virt-install", 27 | "wget": "wget" 28 | }, 29 | "debian":{ 30 | "bash-completion":"bash-completion", 31 | "build-essential":"build-essential", 32 | "curl": "curl", 33 | "dnsmasq":"dnsmasq", 34 | "git": "git", 35 | "libguestfs-tools":"libguestfs-tools", 36 | "libvirt-daemon-system":"libvirt-daemon-system", 37 | "make": "make", 38 | "openjdk-21-jre": "openjdk-21-jre", 39 | "ovmf":"ovmf", 40 | "python3": "python3", 41 | "python3-pip":"python3-pip", 42 | "qemu-kvm":"qemu-kvm", 43 | "tree": "tree", 44 | "vim": "vim", 45 | "virt-manager": "virt-manager", 46 | "wget": "wget" 47 | }, 48 | "suse":{ 49 | "bash-completion":"bash-completion", 50 | "build-essential":"", 51 | "curl": "curl", 52 | "dnsmasq":"dnsmasq", 53 | "git": "git", 54 | "libguestfs-tools":"libguestfs", 55 | "libvirt-daemon-system":"libvirt-daemon", 56 | "make": "make", 57 | "openjdk-21-jre": "java-21-openjdk", 58 | "ovmf":"ovmf", 59 | "python3": "python3", 60 
      "python3-pip":"python3-pip",
      "qemu-kvm":"qemu",
      "tree": "tree",
      "vim": "vim",
      "virt-manager": "virt-manager",
      "wget": "wget"
    }
  }
}
--------------------------------------------------------------------------------
/.github/workflows/pr-verifier.yaml:
--------------------------------------------------------------------------------
name: Check PR Title
# No GITHUB_TOKEN scopes at all: the job only reads the event payload and needs
# no API access.
permissions: {}

on:
  # Reusable workflow, meant to be invoked from other workflows via `uses:`.
  workflow_call:

jobs:
  check-title:
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository
        # Pinned to a full commit SHA rather than a mutable tag, so a re-tagged
        # action release cannot change what runs here.
        # NOTE(review): the validation step below only reads PR_TITLE, so this
        # checkout looks unnecessary; confirm nothing else needs the tree and
        # drop it.
        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0

      - name: Validate PR Title
        # The untrusted title is handed to the script through an environment
        # variable instead of being expanded with ${{ }} inside `run:`, so a
        # crafted title cannot inject shell into this step.
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          # An optional leading "WIP" marker and an optional leading "[tag]" are
          # stripped before the type-prefix check.
          WIP_REGEX='^\W?WIP\W'
          TAG_REGEX='^\[[[:alnum:]\._-]*\]'

          # Trim WIP and tags from title
          # NOTE(review): bare `xargs` (used here to trim whitespace) parses
          # quotes and backslashes in its input, so a title with an unmatched
          # ' or " makes xargs exit non-zero and fails the check; trimming with
          # sed or parameter expansion would be more robust.
          trimmed_title=$(echo "${PR_TITLE}" | sed -E "s/${WIP_REGEX}//" | sed -E "s/${TAG_REGEX}//" | xargs)

          # Normalize common emojis in text form to actual emojis
          trimmed_title=$(echo "$trimmed_title" | sed -E "s/:warning:/⚠/g")
          trimmed_title=$(echo "$trimmed_title" | sed -E "s/:sparkles:/✨/g")
          trimmed_title=$(echo "$trimmed_title" | sed -E "s/:bug:/🐛/g")
          trimmed_title=$(echo "$trimmed_title" | sed -E "s/:book:/📖/g")
          trimmed_title=$(echo "$trimmed_title" | sed -E "s/:rocket:/🚀/g")
          trimmed_title=$(echo "$trimmed_title" | sed -E "s/:seedling:/🌱/g")

          # Check PR type prefix
          if [[ "${trimmed_title}" =~ ^(⚠|✨|🐛|📖|🚀|🌱) ]]; then
            echo "PR title is valid: $trimmed_title"
          else
            echo "Error: No matching PR type indicator found in title."
            echo "You need to have one of these as the prefix of your PR title:"
            echo "- Breaking change: ⚠ (:warning:)"
            echo "- Non-breaking feature: ✨ (:sparkles:)"
            echo "- Patch fix: 🐛 (:bug:)"
            echo "- Docs: 📖 (:book:)"
            echo "- Release: 🚀 (:rocket:)"
            echo "- Infra/Tests/Other: 🌱 (:seedling:)"
            exit 1
          fi

          # Check that PR title does not contain Issue or PR number
          if [[ "${trimmed_title}" =~ \#[0-9]+ ]]; then
            echo "Error: PR title should not contain issue or PR number."
            echo "Issue numbers belong in the PR body as either \"Fixes #XYZ\" (if it closes the issue or PR), or something like \"Related to #XYZ\" (if it's just related)."
            exit 1
          fi
--------------------------------------------------------------------------------
/jenkins/image_building/dib_elements/centos-node/install.d/55-install:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

set -eux

export CRIO_BINARIES_VERSION="${CRIO_BINARIES_VERSION:-${CRIO_VERSION}}"

sudo cat <