diff --git a/hack/clean_artifactory.sh b/hack/clean_artifactory.sh new file mode 100644 index 000000000..0624fb087 --- /dev/null +++ b/hack/clean_artifactory.sh @@ -0,0 +1,23 @@ +#!/bin/sh +# This script is expected to be executed with minimal POSIX shell e.g ash +set -eu + +RT_TOKEN_FILE="${RT_TOKEN_FILE:-/etc/artifactory/token}" +CACHE_URL="${CACHE_URL:-https://artifactory.nordix.org/artifactory/openstack-remote-cache/ironic-python-agent/dib/ipa-centos9-master.tar.gz}" + +if [ ! -r "${RT_TOKEN_FILE}" ]; then + echo "ERROR: Token file '${RT_TOKEN_FILE}' does not exist or is not readable" >&2 + exit 1 +fi + +IFS= read -r RT_TOKEN <"${RT_TOKEN_FILE}" +if [ -z "${RT_TOKEN}" ]; then + echo "ERROR: Artifactory token is empty" >&2 + exit 1 +fi + +HTTP_CODE=$(curl -s -H "Authorization: Bearer ${RT_TOKEN}" -XDELETE "${CACHE_URL}" -o /dev/null -w "%{http_code}") +if [ "${HTTP_CODE}" -ne 204 ] && [ "${HTTP_CODE}" -ne 200 ]; then + echo "ERROR: DELET failed with status ${HTTP_CODE}, URL:${CACHE_URL}" >&2 + exit 1 +fi diff --git a/prow/README.md b/prow/README.md index 6c09c628d..a129d8ad0 100644 --- a/prow/README.md +++ b/prow/README.md @@ -227,8 +227,9 @@ Files with credentials and other sensitive information are not stored in this repository. You will need to add them manually before you can apply any manifests and build the kustomizations. CAPO needs access to the OpenStack API and so does the external cloud-provider. Prow needs a GitHub token for accessing -GitHub, a HMAC token for validating webhook requests, and S3 credentials for -storing logs and similar. +GitHub, a HMAC token for validating webhook requests, S3 credentials for +storing logs and similar and Nordix Artifactory token for cleaning the proxy +cache and in general accessing Artifactory. If you are deploying from scratch or rotating credentials, please make sure to save them in a secure place after creating them. If there is an existing 
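Review bot: In `hack/clean_artifactory.sh` the bearer token is handed to curl as an argument (`-H "Authorization: Bearer ${RT_TOKEN}"`), so it sits in the process argument list and would be echoed into the job log if the script is ever traced with `set -x`. curl can take the header from stdin instead: `printf 'header = "Authorization: Bearer %s"\n' "${RT_TOKEN}" | curl -sS --proto '=https' --max-time 60 --config - -XDELETE "${CACHE_URL}" -o /dev/null -w "%{http_code}"`. Two of the added options cover further gaps in the same line. With `-s` alone and `set -e` active, a transport error ends the script at the `HTTP_CODE=$(...)` assignment without any message, which `-S` fixes. `CACHE_URL` is taken from the environment, so `--proto '=https'` keeps the token off plain HTTP if the URL is overridden. The error text also misspells DELETE as `DELET`.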
@@ -246,6 +247,7 @@ Then you will be able to just copy and paste the snippets below. - `GITHUB_TOKEN` - `CHERRYPICK_TOKEN` - `JENKINS_TOKEN` +- `ARTIFACTORY_TOKEN` Now you are ready to create the files. @@ -337,6 +339,12 @@ Now you are ready to create the files. echo "${JENKINS_TOKEN}" > manifests/overlays/metal3/jenkins-token ``` +1. Save the Artifactory token as `manifests/overlays/metal3/artifactory-token`. + + ```bash + echo "${ARTIFACTORY_TOKEN}" > manifests/overlays/metal3/artifactory-token + ``` + ## Access existing instance For accessing an existing instance, you can simply get the relevant credentials diff --git a/prow/config/jobs/periodics.yaml b/prow/config/jobs/periodics.yaml index 9539866d3..dc775bb4b 100644 --- a/prow/config/jobs/periodics.yaml +++ b/prow/config/jobs/periodics.yaml @@ -85,3 +85,26 @@ periodics: - name: github-token secret: secretName: github-token +- name: clean-artifactory-cache + # At 04:00 AM every day + cron: 0 4 * * * + decorate: true + extra_refs: + - org: metal3-io + repo: project-infra + base_ref: main + spec: + containers: + - image: docker.io/alpine/curl:8.14.1@sha256:d9d451635fea7317186adda62cebe3f7e46810a3de6ddfcae662339e456b6c55 + command: + - sh + args: + - ./hack/clean_artifactory_cache.sh + volumeMounts: + - name: artifactory-token + mountPath: /etc/artifactory + readOnly: true + volumes: + - name: artifactory-token + secret: + secretName: artifactory-token diff --git a/prow/manifests/overlays/metal3/kustomization.yaml b/prow/manifests/overlays/metal3/kustomization.yaml index e6ecd176b..d8b7246be 100644 --- a/prow/manifests/overlays/metal3/kustomization.yaml +++ b/prow/manifests/overlays/metal3/kustomization.yaml @@ -57,6 +57,11 @@ secretGenerator: name: jenkins-token namespace: prow type: Opaque +- files: + - token=artifactory-token + name: artifactory-token + namespace: prow + type: Opaque patches: - path: patches/crier.yaml
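Review bot: In `prow/config/jobs/periodics.yaml` the new job's `args` run `./hack/clean_artifactory_cache.sh`, but the script this commit adds is `hack/clean_artifactory.sh`. As written `sh` will not find the file and the periodic will fail on every run, so one of the two names has to change, e.g. `- ./hack/clean_artifactory.sh`. The secret wiring itself is consistent: the kustomization key `token` mounted at `/etc/artifactory` gives `/etc/artifactory/token`, which is the script's default `RT_TOKEN_FILE`. The relative path presumably relies on the decorated job starting in the `project-infra` checkout from `extra_refs`, and a short comment above `args` saying so would help the next reader.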