add periodic artifactory cache cleanup

This commit:

- Introduces a new periodic prow job to clean up the IPA proxy cache
  in nordix artifactory
  - introduces new script to do the cleanup
  - introduces new artifactory token secret
  - introduces new generic artifactory deletion script that utilizes
    only token authentication

Signed-off-by: Adam Rozman <[email protected]>

Author: Rozzii

hack/clean_artifactory.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+# This script is expected to be executed with minimal POSIX shell e.g ash
+set -eu
+
+RT_TOKEN_FILE="${RT_TOKEN_FILE:-/etc/artifactory}"
+IFS= read -r RT_TOKEN <"${RT_TOKEN_FILE}"
+CACHE_URL="${CACHE_URL:-https://artifactory.nordix.org/artifactory/openstack-remote-cache/ironic-python-agent/dib/ipa-centos9-master.tar.gz}"
+
+curl -s -H "Authorization: Bearer ${RT_TOKEN}" -XDELETE "${CACHE_URL}"

prow/README.md

@@ -227,8 +227,9 @@ Files with credentials and other sensitive information are not stored in this
 repository. You will need to add them manually before you can apply any
 manifests and build the kustomizations. CAPO needs access to the OpenStack API
 and so does the external cloud-provider. Prow needs a GitHub token for accessing
-GitHub, a HMAC token for validating webhook requests, and S3 credentials for
-storing logs and similar.
+GitHub, a HMAC token for validating webhook requests, S3 credentials for
+storing logs and similar and Nordix Artifactory token for cleaning the proxy
+cache and in general accessing Artfactory.
 
 If you are deploying from scratch or rotating credentials, please make sure to
 save them in a secure place after creating them. If there is an existing
@@ -246,6 +247,7 @@ Then you will be able to just copy and paste the snippets below.
 - `GITHUB_TOKEN`
 - `CHERRYPICK_TOKEN`
 - `JENKINS_TOKEN`
+- `ARTIFACTORY_TOKEN`
 
 Now you are ready to create the files.
 
@@ -337,6 +339,12 @@ Now you are ready to create the files.
    echo "${JENKINS_TOKEN}" > manifests/overlays/metal3/jenkins-token
    ```
 
+1. Save the Artifactory token as `manifests/overlays/metal3/artifactory-token`.
+
+   ```bash
+   echo "${ARTIFACTORY_TOKEN}" > manifests/overlays/metal3/artifactory-token
+   ```
+
 ## Access existing instance
 
 For accessing an existing instance, you can simply get the relevant credentials

prow/config/jobs/periodics.yaml

@@ -85,3 +85,26 @@ periodics:
     - name: github-token
       secret:
         secretName: github-token
+- name: clean-artifactory-cache
+  # At 04:00 AM every day
+  cron: 0 4 * * *
+  decorate: true
+  extra_refs:
+  - org: metal3-io
+    repo: project-infra
+    base_ref: main
+  spec:
+    containers:
+    - image: docker.io/alpine/curl:8.14.1@sha256:d9d451635fea7317186adda62cebe3f7e46810a3de6ddfcae662339e456b6c55
+      command:
+      - sh
+      args:
+      - ./hack/clean_artifactory_cache.sh
+      volumeMounts:
+      - name: artifactory-token
+        mountPath: /etc/artifactory
+        readOnly: true
+    volumes:
+    - name: artifactory-token
+      secret:
+        secretName: artifactory-token

prow/manifests/overlays/metal3/kustomization.yaml

@@ -57,6 +57,11 @@ secretGenerator:
   name: jenkins-token
   namespace: prow
   type: Opaque
+- files:
+  - token=artifactory-token
+  name: artifactory-token
+  namespace: prow
+  type: Opaque
 
 patches:
 - path: patches/crier.yaml