start update pipelines for internal Concourse

Ryan Richard
2025-06-23 12:49:16 -07:00
parent 399b1d86b2
commit 86577ac403
16 changed files with 54 additions and 56 deletions


@@ -18,8 +18,8 @@ gcloud auth login
# Set some variables.
project="REDACTED" # Change this to be the actual project name before running these commands.
region="us-central1"
zone="us-central1-b"
region="us-west1"
zone="us-west1-c"
vpc_name="ad"
# Create VPC.


@@ -125,12 +125,12 @@ See [infra/README.md](./infra/README.md) for details about how Concourse was ins
In addition to the many ephemeral Kubernetes clusters we use for testing, we also deploy a long-running acceptance environment.
Google Kubernetes Engine (GKE) in the `gke-acceptance-cluster` cluster in our GCP project in the `us-central1-c` availability zone.
Google Kubernetes Engine (GKE) in the `gke-acceptance-cluster` cluster in our GCP project in the `us-west1-c` availability zone.
To access this cluster, download the kubeconfig to `gke-acceptance.yaml` by running:
```cmd
KUBECONFIG=gke-acceptance.yaml gcloud container clusters get-credentials gke-acceptance-cluster --project "$PINNIPED_GCP_PROJECT" --zone us-central1-c
KUBECONFIG=gke-acceptance.yaml gcloud container clusters get-credentials gke-acceptance-cluster --project "$PINNIPED_GCP_PROJECT" --zone us-west1-c
```
The above command assumes that you have already set `PINNIPED_GCP_PROJECT` to be the name of the GCP project.


@@ -1,6 +1,6 @@
#!/usr/bin/env bash
# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
# Assuming that you have somehow got your hands on a remote GKE or kind cluster,
@@ -240,7 +240,7 @@ gke | aks | eks)
log_note "KUBECONFIG='$KUBECONFIG' TEST_ENV_PATH='/tmp/integration-test-env' SOURCE_PATH='$pinniped_repo' $ROOT/pipelines/shared-tasks/run-integration-tests/task.sh"
;;
kind)
log_note "KUBECONFIG='$KUBECONFIG' TEST_ENV_PATH='/tmp/integration-test-env' SOURCE_PATH='$pinniped_repo' START_GCLOUD_PROXY=yes GCP_PROJECT=$PINNIPED_GCP_PROJECT GCP_ZONE=us-central1-b $ROOT/pipelines/shared-tasks/run-integration-tests/task.sh"
log_note "KUBECONFIG='$KUBECONFIG' TEST_ENV_PATH='/tmp/integration-test-env' SOURCE_PATH='$pinniped_repo' START_GCLOUD_PROXY=yes GCP_PROJECT=$PINNIPED_GCP_PROJECT GCP_ZONE=us-west1-b $ROOT/pipelines/shared-tasks/run-integration-tests/task.sh"
;;
*)
log_error "Huh? Should never get here."


@@ -1,6 +1,6 @@
#!/usr/bin/env bash
# Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
# Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
set -euo pipefail
@@ -13,7 +13,7 @@ fi
instance_name="${REMOTE_INSTANCE_NAME:-${USER}}"
instance_user="${REMOTE_INSTANCE_USERNAME:-${USER}}"
project="$PINNIPED_GCP_PROJECT"
zone="us-central1-b"
zone="us-west1-b"
here="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# Create a VM called $instance_name with some reasonable compute power and disk.


@@ -1,6 +1,6 @@
#!/usr/bin/env bash
# Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
# Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
set -euo pipefail
@@ -12,7 +12,7 @@ fi
instance_name="${REMOTE_INSTANCE_NAME:-${USER}}"
project="$PINNIPED_GCP_PROJECT"
zone="us-central1-b"
zone="us-west1-b"
# Delete the instance forever. Will prompt for confirmation.
echo "Destroying VM $instance_name..."


@@ -1,6 +1,6 @@
#!/usr/bin/env bash
# Copyright 2022-2024 the Pinniped contributors. All Rights Reserved.
# Copyright 2022-2025 the Pinniped contributors. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
# This is similar to rsync.sh, but with the src and dest flipped at the end.
@@ -19,7 +19,7 @@ dest_dir="./workspace/pinniped"
instance_name="${REMOTE_INSTANCE_NAME:-${USER}}"
instance_user="${REMOTE_INSTANCE_USERNAME:-${USER}}"
project="$PINNIPED_GCP_PROJECT"
zone="us-central1-b"
zone="us-west1-b"
config_file="/tmp/gcp-ssh-config"
here="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"


@@ -1,9 +1,9 @@
#!/usr/bin/env bash
# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
# Copyright 2021 the Pinniped contributors. All Rights Reserved.
# Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
set -euo pipefail
@@ -18,7 +18,7 @@ dest_dir="./workspace"
instance_name="${REMOTE_INSTANCE_NAME:-${USER}}"
instance_user="${REMOTE_INSTANCE_USERNAME:-${USER}}"
project="$PINNIPED_GCP_PROJECT"
zone="us-central1-b"
zone="us-west1-b"
config_file="/tmp/gcp-ssh-config"
here="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"


@@ -1,6 +1,6 @@
#!/usr/bin/env bash
# Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
# Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
set -euo pipefail
@@ -13,7 +13,7 @@ fi
instance_name="${REMOTE_INSTANCE_NAME:-${USER}}"
instance_user="${REMOTE_INSTANCE_USERNAME:-${USER}}"
project="$PINNIPED_GCP_PROJECT"
zone="us-central1-b"
zone="us-west1-b"
# Run ssh with identities forwarded so you can use them with git on the remote host.
# Optionally run an arbitrary command on the remote host.


@@ -1,6 +1,6 @@
#!/usr/bin/env bash
# Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
# Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
set -euo pipefail
@@ -12,7 +12,7 @@ fi
instance_name="${REMOTE_INSTANCE_NAME:-${USER}}"
project="$PINNIPED_GCP_PROJECT"
zone="us-central1-b"
zone="us-west1-b"
# Start an instance which was previously stopped to save money.
echo "Starting VM $instance_name..."


@@ -1,6 +1,6 @@
#!/usr/bin/env bash
# Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
# Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
set -euo pipefail
@@ -12,7 +12,7 @@ fi
instance_name="${REMOTE_INSTANCE_NAME:-${USER}}"
project="$PINNIPED_GCP_PROJECT"
zone="us-central1-b"
zone="us-west1-b"
# Stop the instance, to save money, in a way that it can be restarted.
echo "Stopping VM $instance_name..."


@@ -9,21 +9,21 @@ meta:
# GCP account info and which zone the workers should be created in and deleted from.
gke_admin_params: &gke_admin_params
INSTANCE_ZONE: us-west1-b
INSTANCE_ZONE: us-west1-c
PINNIPED_GCP_PROJECT: ((gcp-project-name))
GCP_USERNAME: ((gke-cluster-developer-username))
GCP_JSON_KEY: ((gke-cluster-developer-json-key))
# GCP account info and which zone the workers should be created in and deleted from.
gcp_account_params: &gcp_account_params
INSTANCE_ZONE: us-central1-b
INSTANCE_ZONE: us-west1-b
GCP_PROJECT: ((gcp-project-name))
GCP_USERNAME: ((gcp-instance-admin-username))
GCP_JSON_KEY: ((gcp-instance-admin-json-key))
# GKE account info and which zone the clusters should be created in and deleted from.
gke_account_params: &gke_account_params
CLUSTER_ZONE: us-central1-c
CLUSTER_ZONE: us-west1-c
GCP_PROJECT: ((gcp-project-name))
GCP_SERVICE_ACCOUNT: ((gke-test-pool-manager-username))
GCP_JSON_KEY: ((gke-test-pool-manager-json-key))
@@ -42,9 +42,9 @@ resources:
type: git
icon: github
source:
uri: git@github.com:vmware-tanzu/pinniped.git
uri: https://github.com/vmware/pinniped.git
branch: ci
private_key: ((source-repo-deploy-key))
username: ((ci-bot-access-token-with-read-only-public-repos))
- name: k8s-app-deployer-image
type: registry-image
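Review bot: The access token `((ci-bot-access-token-with-read-only-public-repos))` is now passed in the `username` field of the git resource with no `password`, and a username is more likely than a password to be treated as non-secret by tooling (remote URLs, credential prompts, logs). If the resource accepts it, I would put the token in the secret slot instead, e.g. `username: <bot-account-name>` and `password: ((ci-bot-access-token-with-read-only-public-repos))`. Since the repository is fetched over public HTTPS, a short comment such as `# token is only used to avoid anonymous rate limits` (if that is the reason) would tell the next reader why a credential is attached at all. The same pair of lines appears in the `ci`-branch resource of a later pipeline file in this commit. The `source` block's enclosing resource starts outside the hunk.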


@@ -1,4 +1,4 @@
# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
display:
@@ -18,7 +18,7 @@ meta:
# GCP account info and which zone the workers should be created in and deleted from.
gcp_account_params: &gcp_account_params
INSTANCE_ZONE: us-central1-b
INSTANCE_ZONE: us-west1-b
GCP_PROJECT: ((gcp-project-name))
GCP_USERNAME: ((gcp-instance-admin-username))
GCP_JSON_KEY: ((gcp-instance-admin-json-key))


@@ -85,15 +85,15 @@ meta:
# GKE account info and which zone the clusters should be created in and deleted from.
gke_account_params: &gke_account_params
CLUSTER_ZONE: us-central1-c
CLUSTER_ZONE: us-west1-c
GCP_PROJECT: ((gcp-project-name))
GCP_SERVICE_ACCOUNT: ((gke-test-pool-manager-username))
GCP_JSON_KEY: ((gke-test-pool-manager-json-key))
# GCP account info and which zone the kind workers should be created in and deleted from.
gcp_account_params: &gcp_account_params
INSTANCE_ZONE: us-central1-b # which zone the kind worker VMs should be created in and deleted from
GCP_ZONE: us-central1-b
INSTANCE_ZONE: us-west1-b # which zone the kind worker VMs should be created in and deleted from
GCP_ZONE: us-west1-b
GCP_PROJECT: ((gcp-project-name))
GCP_USERNAME: ((gcp-instance-admin-username))
GCP_JSON_KEY: ((gcp-instance-admin-json-key))
@@ -297,8 +297,7 @@ resources:
- name: pinniped
type: git
icon: github
check_every: 10m
webhook_token: ((github-webhook-token))
check_every: 1m
source:
uri: git@github.com:vmware-tanzu/pinniped.git
branch: main
@@ -2493,13 +2492,13 @@ jobs:
<<: *jumpcloud_integration_env_vars
<<: *active_directory_integration_env_vars
<<: *github_integration_env_vars
- task: install-and-configure-cert-manager
file: pinniped-ci/pipelines/shared-tasks/install-and-configure-cert-manager/task.yml
image: k8s-app-deployer-image
timeout: 15m
params:
PINNIPED_GCP_PROJECT: ((gcp-project-name))
CERT_MANAGER_DNS_ADMIN_JSON_KEY: ((cert-manager-dns-admin-json-key))
# - task: install-and-configure-cert-manager
# file: pinniped-ci/pipelines/shared-tasks/install-and-configure-cert-manager/task.yml
# image: k8s-app-deployer-image
# timeout: 15m
# params:
# PINNIPED_GCP_PROJECT: ((gcp-project-name))
# CERT_MANAGER_DNS_ADMIN_JSON_KEY: ((cert-manager-dns-admin-json-key))
- task: run-integration-tests
timeout: 75m
file: pinniped-ci/pipelines/shared-tasks/run-integration-tests/task.yml
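Review bot: The `install-and-configure-cert-manager` task is commented out with no explanation, so a reader cannot tell whether the `run-integration-tests` step that follows still expects cert-manager on the cluster or whether the step is being retired. Add a why-comment above the block, for example `# TODO: temporarily disabled during the move to the internal Concourse; re-enable once <condition>`, or delete the block if it is not coming back. Separately, the `pinniped` resource earlier in this section still uses `git@github.com:vmware-tanzu/pinniped.git` while other resources in this commit moved to `https://github.com/vmware/pinniped.git`; its `source` block continues outside the hunk, so this may be deliberate. The job's step list starts and ends outside the hunk.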


@@ -73,15 +73,15 @@ meta:
# GKE account info and which zone the clusters should be created in and deleted from.
gke_account_params: &gke_account_params
CLUSTER_ZONE: us-central1-c
CLUSTER_ZONE: us-west1-c
GCP_PROJECT: ((gcp-project-name))
GCP_SERVICE_ACCOUNT: ((gke-test-pool-manager-username))
GCP_JSON_KEY: ((gke-test-pool-manager-json-key))
# GCP account info and which zone the workers should be created in and deleted from.
gcp_account_params: &gcp_account_params
INSTANCE_ZONE: us-central1-b # which zone the kind worker VMs should be created in and deleted from
GCP_ZONE: us-central1-b
INSTANCE_ZONE: us-west1-b # which zone the kind worker VMs should be created in and deleted from
GCP_ZONE: us-west1-b
GCP_PROJECT: ((gcp-project-name))
GCP_USERNAME: ((gcp-instance-admin-username))
GCP_JSON_KEY: ((gcp-instance-admin-json-key))
@@ -199,10 +199,9 @@ resources:
- name: pinniped-pr
type: pull-request
icon: source-pull
check_every: 10m
webhook_token: ((github-webhook-token))
check_every: 1m
source:
repository: vmware-tanzu/pinniped
repository: vmware/pinniped
access_token: ((ci-bot-access-token-with-repo-status-permission))
disable_forks: false
base_branch: main
@@ -218,9 +217,9 @@ resources:
type: git
icon: github
source:
uri: git@github.com:vmware-tanzu/pinniped.git
uri: https://github.com/vmware/pinniped.git
branch: ci
private_key: ((source-repo-deploy-key))
username: ((ci-bot-access-token-with-read-only-public-repos))
- name: ci-build-image
type: registry-image
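Review bot: `disable_forks: false` stays in place on `pinniped-pr` while the resource is repointed to `vmware/pinniped` on what the commit title calls an internal Concourse, so pull requests from forks will still be discovered there. If the jobs consuming this resource build PR code without a manual gate (not visible in this hunk), contributor-supplied code would run on internal workers with whatever network reach and pipeline credentials those tasks receive. I would confirm how fork PRs are gated and record it next to the setting, e.g. `# disable_forks is false on purpose: <how fork PRs are gated before running>`. Dropping `webhook_token` in favour of `check_every: 1m` also means every check spends API quota of `((ci-bot-access-token-with-repo-status-permission))`; a one-line comment on why polling replaced the webhook would help.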


@@ -1,6 +1,6 @@
#!/bin/bash
# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
# This is the script that runs at startup to launch Kind on GCE.
@@ -16,7 +16,7 @@ function cleanup() {
}
trap "cleanup" EXIT SIGINT
PUBLIC_IP="$(curl --retry-all-errors --retry 5 http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/access-configs/0/external-ip -H "Metadata-Flavor: Google")"
INTERNAL_IP="$(curl --retry-all-errors --retry 5 http://metadata/computeMetadata/v1/instance/network-interfaces/0/ip -H "Metadata-Flavor: Google")"
KIND_VERSION="$(curl --retry-all-errors --retry 5 http://metadata.google.internal/computeMetadata/v1/instance/attributes/kind_version -H "Metadata-Flavor: Google")"
K8S_VERSION="$(curl --retry-all-errors --retry 5 http://metadata.google.internal/computeMetadata/v1/instance/attributes/k8s_version -H "Metadata-Flavor: Google")"
KIND_NODE_IMAGE="$(curl --retry-all-errors --retry 5 http://metadata.google.internal/computeMetadata/v1/instance/attributes/kind_node_image -H "Metadata-Flavor: Google")"
@@ -92,7 +92,7 @@ kubeadmConfigPatches:
apiVersion: ${KUBE_ADM_VERSION}
kind: ClusterConfiguration
# ControlPlaneEndpoint sets a stable IP address or DNS name for the control plane.
controlPlaneEndpoint: "${PUBLIC_IP}:6443"
controlPlaneEndpoint: "${INTERNAL_IP}:6443"
# mount the kind extraMounts into the API server static pod so we can use the audit config
apiServer:
extraVolumes:
@@ -177,8 +177,8 @@ fi
/var/lib/google/kind create cluster --wait 5m --kubeconfig /tmp/kubeconfig.yaml --image "$image" --config /tmp/kind.yaml |& tee /tmp/kind-cluster-create.log
# Change the kubeconfig to make the server address match the public IP configured as controlPlaneEndpoint above.
sed -i "s/0\\.0\\.0\\.0/${PUBLIC_IP}/" /tmp/kubeconfig.yaml
# Change the kubeconfig to make the server address match the IP configured as controlPlaneEndpoint above.
sed -i "s/0\\.0\\.0\\.0/${INTERNAL_IP}/" /tmp/kubeconfig.yaml
# The above YAML config file specifies one node, and Kind should never put the "control-plane"
# taint on the node for single-node clusters. Due to the issue described in
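Review bot: The new `INTERNAL_IP` lookup queries the short host name `http://metadata/...` while every neighbouring lookup uses `http://metadata.google.internal/...`, so it depends on the resolver's search path rather than the fully qualified name. It also runs curl without `--fail`; as far as I know, `--retry-all-errors` alone does not make an HTTP error status a failure, so an error body could be captured into the variable and then substituted into `controlPlaneEndpoint` and the `sed` expression. I would write it as `INTERNAL_IP="$(curl --fail --retry-all-errors --retry 5 http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/ip -H "Metadata-Flavor: Google")"`. The other metadata lookups share the missing `--fail`. Whether `PUBLIC_IP` is still used elsewhere in the script is not visible from these hunks; if it is not, the lookup can be removed.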


@@ -1,6 +1,6 @@
#!/usr/bin/env bash
# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
set -euo pipefail
@@ -20,7 +20,7 @@ gcloud auth activate-service-account "$GKE_USERNAME" --key-file <(echo "$GKE_JSO
# https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke
export USE_GKE_GCLOUD_AUTH_PLUGIN=True
gcloud container clusters get-credentials "$GKE_CLUSTER_NAME" --zone us-central1-c --project "$PINNIPED_GCP_PROJECT"
gcloud container clusters get-credentials "$GKE_CLUSTER_NAME" --zone us-west1-c --project "$PINNIPED_GCP_PROJECT"
pushd pinniped >/dev/null
@@ -81,7 +81,7 @@ cp /tmp/integration-test-env integration-test-env-vars/
# So that the tests can avoid using the GKE auth plugin, create an admin kubeconfig which uses certs (without the plugin).
# Get the cluster details back, including the admin certificate:
gcloud container clusters describe "$GKE_CLUSTER_NAME" --zone us-central1-c --format json >/tmp/cluster.json
gcloud container clusters describe "$GKE_CLUSTER_NAME" --zone us-west1-c --format json >/tmp/cluster.json
# Make a new kubeconfig user "cluster-admin" using the admin cert.
jq -r .masterAuth.clientCertificate /tmp/cluster.json | base64 -d >/tmp/client.crt
jq -r .masterAuth.clientKey /tmp/cluster.json | base64 -d >/tmp/client.key
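Review bot: The `gcloud container clusters describe` call omits `--project`, unlike the `get-credentials` call earlier in the file, so it relies on gcloud's ambient default project unless that is set in lines outside these hunks. The zone literal is also repeated in both commands, which is how the two could drift on the next move; a single `zone="us-west1-c"` variable would avoid that, giving `gcloud container clusters describe "$GKE_CLUSTER_NAME" --zone "$zone" --project "$PINNIPED_GCP_PROJECT" --format json >/tmp/cluster.json`. Note also that `/tmp/cluster.json` and `/tmp/client.key` hold the cluster-admin client key at fixed paths; a `umask 077` before writing them, or a `mktemp -d` directory, would keep them private to the task user.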