
Commit 3e8ff56

committed
poc(prow): [2/2 approach] use inline built-ins w/o using ephemeral namespace
Signed-off-by: Swarup Ghosh <swghosh@redhat.com>
1 parent e339af0 commit 3e8ff56

1 file changed

Lines changed: 53 additions & 165 deletions


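--- a/ci-operator/config/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main.yaml
+++ b/ci-operator/config/openshift-eng/oape-ai-e2e/openshift-eng-oape-ai-e2e-main.yaml
@@ -33,9 +33,7 @@ tests:
 as: run-workflow
 run_if_changed: ^prow-workflow/
 steps:
-env:
-BONFIRE_NAMESPACE_DURATION: 3h
-test:
+pre:
 - as: extract-params
 commands: |
 cp /params.env "${SHARED_DIR}/params.env"
@@ -45,183 +43,73 @@ tests:
 requests:
 cpu: 100m
 memory: 128Mi
-- as: deploy-and-run
+- as: mint-gh-token
 commands: |
 set -euo pipefail
+GH_APP_ID=$(cat /var/run/github-app/app-id)
+PEM_PATH="/var/run/github-app/private-key.pem"
 
-# --- Ephemeral namespace access ---
-export KUBECONFIG="${SHARED_DIR}/ephemeral-kubeconfig"
-NAMESPACE=$(cat "${SHARED_DIR}/ephemeral-namespace")
-oc project "${NAMESPACE}"
-
-# Load workflow params
-source "${SHARED_DIR}/params.env"
-
-# --- Create secrets from mounted CI credentials ---
-oc create secret generic gcloud-adc \
---from-file=application_default_credentials.json=/var/run/gcloud-adc/application_default_credentials.json
-oc create secret generic github-app \
---from-file=private-key.pem=/var/run/github-app/private-key.pem
-
-# --- Create worker ConfigMap (env vars) ---
-oc create configmap shift-worker-config \
---from-literal=CLAUDE_CODE_USE_VERTEX=1 \
---from-literal=CLOUD_ML_REGION=global \
---from-literal=ANTHROPIC_VERTEX_PROJECT_ID=itpc-gcp-hcm-pe-eng-claude \
---from-literal=ANTHROPIC_MODEL=claude-opus-4-6
-
-# --- Deploy gh-token-minter ---
-cat <<DEPLOYEOF | oc apply -f -
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-name: gh-token-minter
-spec:
-replicas: 1
-selector:
-matchLabels:
-app: gh-token-minter
-template:
-metadata:
-labels:
-app: gh-token-minter
-spec:
-containers:
-- name: minter
-image: ${GH_TOKEN_MINTER_IMAGE}
-ports:
-- containerPort: 8081
-env:
-- name: GH_APP_ID
-value: "3065249"
-- name: GH_APP_PEM_FILE_PATH
-value: /etc/github-app/private-key.pem
-- name: LISTEN_PORT
-value: "8081"
-volumeMounts:
-- name: gh-app-key
-mountPath: /etc/github-app
-readOnly: true
-volumes:
-- name: gh-app-key
-secret:
-secretName: github-app
----
-apiVersion: v1
-kind: Service
-metadata:
-name: gh-token-minter
-spec:
-selector:
-app: gh-token-minter
-ports:
-- port: 8081
-targetPort: 8081
-DEPLOYEOF
-
-oc wait --for=condition=Available deployment/gh-token-minter --timeout=120s
+HEADER=$(printf '{"alg":"RS256","typ":"JWT"}' | openssl base64 -e -A | tr '+/' '-_' | tr -d '=')
+NOW=$(date +%s)
+EXP=$((NOW + 300))
+PAYLOAD=$(printf '{"iat":%d,"exp":%d,"iss":"%s"}' "$NOW" "$EXP" "$GH_APP_ID" | openssl base64 -e -A | tr '+/' '-_' | tr -d '=')
+UNSIGNED="${HEADER}.${PAYLOAD}"
+SIGNATURE=$(printf '%s' "$UNSIGNED" | openssl dgst -sha256 -sign "$PEM_PATH" -binary | openssl base64 -e -A | tr '+/' '-_' | tr -d '=')
+JWT="${UNSIGNED}.${SIGNATURE}"
 
-# --- Mint GH token via port-forward ---
-oc port-forward svc/gh-token-minter 8081:8081 &
-PF_PID=$!
-sleep 3
+INST_ID=$(curl -sf \
+-H "Authorization: Bearer ${JWT}" \
+-H "Accept: application/vnd.github+json" \
+-H "X-GitHub-Api-Version: 2022-11-28" \
+https://api.github.com/app/installations \
+| python3 -c "import sys,json; print(json.load(sys.stdin)[0]['id'])")
 
-# Disable tracing due to token handling
 set +x
-TOKEN_RESP=$(curl -sf http://localhost:8081/token)
-kill $PF_PID || true
-GH_TOKEN=$(echo "$TOKEN_RESP" | jq -r '.token')
-
-oc create secret generic gh-token-secret \
---from-literal=GH_TOKEN="${GH_TOKEN}"
-
-# --- Create agent-worker Job ---
-JOB_ID="ci-$(date +%s)"
-cat <<JOBEOF | oc apply -f -
-apiVersion: batch/v1
-kind: Job
-metadata:
-name: shift-workflow-${JOB_ID}
-labels:
-app: shift-worker
-spec:
-backoffLimit: 0
-template:
-spec:
-restartPolicy: Never
-containers:
-- name: worker
-image: ${AGENT_WORKER_IMAGE}
-command: ["sh", "-c", "python3.11 /app/main.py"]
-env:
-- name: EP_URL
-value: "${EP_URL}"
-- name: REPO_URL
-value: "${REPO_URL}"
-- name: BASE_BRANCH
-value: "${BASE_BRANCH}"
-- name: PYTHONUNBUFFERED
-value: "1"
-- name: GOOGLE_APPLICATION_CREDENTIALS
-value: /secrets/gcloud/application_default_credentials.json
-envFrom:
-- configMapRef:
-name: shift-worker-config
-- secretRef:
-name: gh-token-secret
-resources:
-requests:
-cpu: 500m
-memory: 512Mi
-limits:
-cpu: "2"
-memory: 4Gi
-volumeMounts:
-- name: gcloud-adc
-mountPath: /secrets/gcloud
-readOnly: true
-volumes:
-- name: gcloud-adc
-secret:
-secretName: gcloud-adc
-JOBEOF
+TOKEN=$(curl -sf -X POST \
+-H "Authorization: Bearer ${JWT}" \
+-H "Accept: application/vnd.github+json" \
+-H "X-GitHub-Api-Version: 2022-11-28" \
+"https://api.github.com/app/installations/${INST_ID}/access_tokens" \
+| python3 -c "import sys,json; print(json.load(sys.stdin)['token'])")
+echo "${TOKEN}" > "${SHARED_DIR}/gh-token"
+credentials:
+- mount_path: /var/run/github-app
+name: openshift-app-platform-shift-github-bot
+namespace: test-credentials
+from: agent-worker
+resources:
+requests:
+cpu: 100m
+memory: 128Mi
+test:
+- as: agent-workflow
+commands: |
+set -euo pipefail
+source "${SHARED_DIR}/params.env"
+export EP_URL REPO_URL BASE_BRANCH
 
-echo "Agent-worker Job shift-workflow-${JOB_ID} created."
+set +x
+export GH_TOKEN
+GH_TOKEN=$(cat "${SHARED_DIR}/gh-token")
 
-# --- Wait for pod, stream logs, check result ---
-oc wait --for=condition=Ready pod -l job-name=shift-workflow-${JOB_ID} --timeout=300s || true
-POD=$(oc get pods -l job-name=shift-workflow-${JOB_ID} -o jsonpath='{.items[0].metadata.name}')
-oc logs -f "${POD}" || true
+export GOOGLE_APPLICATION_CREDENTIALS="/var/run/gcloud-adc/application_default_credentials.json"
+export CLAUDE_CODE_USE_VERTEX="1"
+export CLOUD_ML_REGION="global"
+export ANTHROPIC_VERTEX_PROJECT_ID="itpc-gcp-hcm-pe-eng-claude"
+export ANTHROPIC_MODEL="claude-opus-4-6"
+export PYTHONUNBUFFERED=1
 
-# Check final status
-if oc wait --for=condition=complete --timeout=30s job/shift-workflow-${JOB_ID} 2>/dev/null; then
-echo "Workflow completed successfully."
-else
-echo "Workflow failed."
-exit 1
-fi
+gh auth setup-git && python3.11 main.py
 credentials:
 - mount_path: /var/run/gcloud-adc
 name: oap-lts-claude-gcp-vertex-sa
 namespace: test-credentials
-- mount_path: /var/run/github-app
-name: openshift-app-platform-shift-github-bot
-namespace: test-credentials
-dependencies:
-- env: AGENT_WORKER_IMAGE
-name: agent-worker
-- env: GH_TOKEN_MINTER_IMAGE
-name: gh-token-minter
-from_image:
-name: cli-jq
-namespace: ocp
-tag: latest
+from: agent-worker
 resources:
 requests:
-cpu: 100m
-memory: 256Mi
-timeout: 2h0m0s
-workflow: ephemeral-namespace
+cpu: "1"
+memory: 500Mi
+timeout: 2h30m0s
 zz_generated_metadata:
 branch: main
 org: openshift-eng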
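Review bot: The installation token minted in `mint-gh-token` is unscoped and is bound to whichever installation `GET /app/installations` happens to list first (`json.load(sys.stdin)[0]['id']`), so if the app is installed in more than one org the workflow may receive a token for the wrong installation, and in every case the token carries all of the app's permissions over every repository that installation covers. Resolve the installation for the target repository instead, e.g. `GET /repos/{owner}/{repo}/installation` (REPO_URL from `params.env` could supply owner/repo, though `params.env` is not sourced in this step), and pass a body on the `access_tokens` POST such as `-d '{"repositories":["<repo>"],"permissions":{...}}'` limited to what `main.py` actually needs. GitHub installation tokens also expire after one hour, while `agent-workflow` runs under `timeout: 2h30m0s`, so a long run would lose GitHub access part-way through, and the token written to `${SHARED_DIR}/gh-token` is never revoked (`DELETE /installation/token`) when the job ends; a small `post:` step that revokes it would be cheap hygiene. The two `commands:` blocks start and end inside the hunk, but the enclosing `tests:` entry continues outside it.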
