From 20b40cbd4dec691aa24e261a544da8b515ae849d Mon Sep 17 00:00:00 2001
From: Hart Simha
Date: Thu, 18 Jun 2020 08:51:46 -0700
Subject: [PATCH 1/3] Remove AWS/EKS credentials from scripts
---
 cap-ci/common/destroy_k8s.tmpl | 1 +
 cap-ci/common/eks_params.tmpl | 4 ++++
 cap-ci/jobs/cf-acceptance-tests-brain.tmpl | 1 +
 cap-ci/jobs/cf-acceptance-tests.tmpl | 1 +
 cap-ci/jobs/deploy-k8s.tmpl | 1 +
 cap-ci/jobs/deploy-kubecf.tmpl | 1 +
 cap-ci/jobs/deploy-stratos.tmpl | 1 +
 cap-ci/jobs/destroy-kubecf.tmpl | 1 +
 cap-ci/jobs/smoke-tests.tmpl | 1 +
 cap-ci/jobs/sync-integration-tests.tmpl | 1 +
 cap-ci/jobs/upgrade-kubecf.tmpl | 1 +
 cap-ci/scripts/deploy_k8s.tmpl | 2 --
 cap-ci/scripts/import_eks.tmpl | 3 ---
 13 files changed, 14 insertions(+), 5 deletions(-)
 create mode 100644 cap-ci/common/eks_params.tmpl
diff --git a/cap-ci/common/destroy_k8s.tmpl b/cap-ci/common/destroy_k8s.tmpl
index 7d44620..95d8eba 100644
--- a/cap-ci/common/destroy_k8s.tmpl
+++ b/cap-ci/common/destroy_k8s.tmpl
@@ -28,6 +28,7 @@ on_failure:
 QUIET_OUTPUT: true
 DOWNLOAD_CATAPULT_DEPS: false
 ENABLE_EIRINI: {{ eq .scheduler "eirini" }}
+ {{ tmpl.Exec "common_eks_params" | indent 10 | trimSpace }}
 run:
 path: "/bin/bash"
 args:
diff --git a/cap-ci/common/eks_params.tmpl b/cap-ci/common/eks_params.tmpl
new file mode 100644
index 0000000..84ddc33
--- /dev/null
+++ b/cap-ci/common/eks_params.tmpl
@@ -0,0 +1,4 @@
+{{ define "common_eks_params" }}
+AWS_ACCESS_KEY_ID: ((aws-ci-chuller-access-key-id))
+AWS_SECRET_ACCESS_KEY: ((aws-ci-chuller-secret-access-key))
+{{ end }}
diff --git a/cap-ci/jobs/cf-acceptance-tests-brain.tmpl b/cap-ci/jobs/cf-acceptance-tests-brain.tmpl
index 22c7b1d..e6b86e7 100644
--- a/cap-ci/jobs/cf-acceptance-tests-brain.tmpl
+++ b/cap-ci/jobs/cf-acceptance-tests-brain.tmpl
@@ -44,6 +44,7 @@
 {{- print .allbells }}
 {{- end }}
 KUBECF_TEST_SUITE: brain
+ {{ tmpl.Exec "common_eks_params" | indent 8 | trimSpace }}
 run:
 path: "/bin/bash"
 args:
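Review bot: The new `common_eks_params` template in cap-ci/common/eks_params.tmpl emits both AWS keys unconditionally, so every job that includes it receives them as task params even when `.backend` is not `eks` (the `gke` branch in scripts/deploy_k8s.tmpl shows that other backends exist). Task params become environment variables, so the keys are inherited by every child process of the task and are visible in a hijacked container, which is exactly what the comment deleted from scripts/import_eks.tmpl said the old placement was meant to avoid. Consider wrapping the two keys in `{{- if eq .backend "eks" }}` … `{{- end }}`, which needs the call sites to pass their context, e.g. `{{ tmpl.Exec "common_eks_params" . | indent 8 | trimSpace }}`. A template comment in eks_params.tmpl recording why the keys now live in params would replace the rationale that was removed.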
diff --git a/cap-ci/jobs/cf-acceptance-tests.tmpl b/cap-ci/jobs/cf-acceptance-tests.tmpl
index 89c5425..0554927 100644
--- a/cap-ci/jobs/cf-acceptance-tests.tmpl
+++ b/cap-ci/jobs/cf-acceptance-tests.tmpl
@@ -44,6 +44,7 @@
 {{- print .allbells }}
 {{- end }}
 KUBECF_TEST_SUITE: cats
+ {{ tmpl.Exec "common_eks_params" | indent 8 | trimSpace }}
 run:
 path: "/bin/bash"
 args:
diff --git a/cap-ci/jobs/deploy-k8s.tmpl b/cap-ci/jobs/deploy-k8s.tmpl
index 5b4394c..414aee4 100644
--- a/cap-ci/jobs/deploy-k8s.tmpl
+++ b/cap-ci/jobs/deploy-k8s.tmpl
@@ -33,6 +33,7 @@
 BACKEND: {{ .backend }}
 QUIET_OUTPUT: true
 DOWNLOAD_CATAPULT_DEPS: false
+ {{ tmpl.Exec "common_eks_params" | indent 8 | trimSpace }}
 run:
 path: "/bin/bash"
 args:
diff --git a/cap-ci/jobs/deploy-kubecf.tmpl b/cap-ci/jobs/deploy-kubecf.tmpl
index 74b8cdb..47cd04c 100644
--- a/cap-ci/jobs/deploy-kubecf.tmpl
+++ b/cap-ci/jobs/deploy-kubecf.tmpl
@@ -66,6 +66,7 @@
 {{- if eq .avail "all" }}
 {{- print .allbells }}
 {{- end }}
+ {{ tmpl.Exec "common_eks_params" | indent 8 | trimSpace }}
 run:
 path: "/bin/bash"
 args:
diff --git a/cap-ci/jobs/deploy-stratos.tmpl b/cap-ci/jobs/deploy-stratos.tmpl
index 4b16d1c..88b9238 100644
--- a/cap-ci/jobs/deploy-stratos.tmpl
+++ b/cap-ci/jobs/deploy-stratos.tmpl
@@ -49,6 +49,7 @@
 {{- print .allbells }}
 {{- end }}
 BACKEND: {{ .backend }}
+ {{ tmpl.Exec "common_eks_params" | indent 8 | trimSpace }}
 run:
 path: "/bin/bash"
 args:
diff --git a/cap-ci/jobs/destroy-kubecf.tmpl b/cap-ci/jobs/destroy-kubecf.tmpl
index f05eacc..9aca796 100644
--- a/cap-ci/jobs/destroy-kubecf.tmpl
+++ b/cap-ci/jobs/destroy-kubecf.tmpl
@@ -31,6 +31,7 @@
 params:
 QUIET_OUTPUT: true
 DOWNLOAD_CATAPULT_DEPS: false
+ {{ tmpl.Exec "common_eks_params" | indent 8 | trimSpace }}
 run:
 path: "/bin/bash"
 args:
diff --git a/cap-ci/jobs/smoke-tests.tmpl b/cap-ci/jobs/smoke-tests.tmpl
index 8f3185d..eaa1712 100644
--- a/cap-ci/jobs/smoke-tests.tmpl
+++ b/cap-ci/jobs/smoke-tests.tmpl
@@ -44,6 +44,7 @@
 {{- print .allbells }}
 {{- end }}
 KUBECF_TEST_SUITE: smokes
+ {{ tmpl.Exec "common_eks_params" | indent 8 | trimSpace }}
 run:
 path: "/bin/bash"
 args:
diff --git a/cap-ci/jobs/sync-integration-tests.tmpl b/cap-ci/jobs/sync-integration-tests.tmpl
index 7e57c8a..6e65190 100644
--- a/cap-ci/jobs/sync-integration-tests.tmpl
+++ b/cap-ci/jobs/sync-integration-tests.tmpl
@@ -45,6 +45,7 @@
 {{- print .allbells }}
 {{- end }}
 KUBECF_TEST_SUITE: sits
+ {{ tmpl.Exec "common_eks_params" | indent 8 | trimSpace }}
 run:
 path: "/bin/bash"
 args:
diff --git a/cap-ci/jobs/upgrade-kubecf.tmpl b/cap-ci/jobs/upgrade-kubecf.tmpl
index 0d7993a..0ddda0a 100644
--- a/cap-ci/jobs/upgrade-kubecf.tmpl
+++ b/cap-ci/jobs/upgrade-kubecf.tmpl
@@ -48,6 +48,7 @@
 {{- print .allbells }}
 {{- end }}
 BACKEND: {{ .backend }}
+ {{ tmpl.Exec "common_eks_params" | indent 8 | trimSpace }}
 run:
 path: "/bin/bash"
 args:
diff --git a/cap-ci/scripts/deploy_k8s.tmpl b/cap-ci/scripts/deploy_k8s.tmpl
index 0c7e1a3..29c6db2 100644
--- a/cap-ci/scripts/deploy_k8s.tmpl
+++ b/cap-ci/scripts/deploy_k8s.tmpl
@@ -1,8 +1,6 @@
 {{ define "scripts_deploy_k8s" }}
 {{- /* create k8s cluster */}}
 export random_variable=$(hexdump -n 8 -e '2/4 "%08x"' /dev/urandom)
-export AWS_ACCESS_KEY_ID='((aws-ci-chuller-access-key-id))'
-export AWS_SECRET_ACCESS_KEY='((aws-ci-chuller-secret-access-key))'
 if [[ ${BACKEND} == "gke" ]]; then
 printf "%s" '((gke-key-json))' > $PWD/gke-key.json
 export GKE_CRED_JSON=$PWD/gke-key.json
diff --git a/cap-ci/scripts/import_eks.tmpl b/cap-ci/scripts/import_eks.tmpl
index 2808362..bbe5ba2 100644
--- a/cap-ci/scripts/import_eks.tmpl
+++ b/cap-ci/scripts/import_eks.tmpl
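Review bot: The context line `printf "%s" '((gke-key-json))' > $PWD/gke-key.json` in scripts/deploy_k8s.tmpl still substitutes a credential into the script text, the pattern this commit removes for the AWS keys, so the two clouds are now handled differently. A single quote inside the substituted value would end the shell literal early, the key file is created with the default umask, and `$PWD` is unquoted. Whichever placement is chosen for secrets, the write itself can be tightened by taking the value from a variable and restricting the mode, e.g. `( umask 077; printf '%s' "$GKE_KEY_JSON" > "$PWD/gke-key.json" )`, where `GKE_KEY_JSON` is a placeholder name for a task param. The `if` block continues outside the hunk.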
@@ -1,9 +1,6 @@
 {{ define "scripts_import_eks" }}
 {{- /* create buildfolder prepared for eks */}}
 export BACKEND=eks
-{{- /* AWS vars exported here so hijacking doesn't contain them in env */}}
-export AWS_ACCESS_KEY_ID='((aws-ci-chuller-access-key-id))'
-export AWS_SECRET_ACCESS_KEY='((aws-ci-chuller-secret-access-key))'
 export KUBECFG=$PWD/kubeconfig_$CLUSTER_NAME
 make kubeconfig
 {{ end }}
From d6fe15d4387f1dcb4a1f4e32af76e629076d5750 Mon Sep 17 00:00:00 2001
From: Hart Simha
Date: Thu, 18 Jun 2020 09:21:36 -0700
Subject: [PATCH 2/3] Only use 'passed:' when position>0
---
 cap-ci/jobs/destroy-kubecf.tmpl | 2 ++
 cap-ci/pipeline.yaml.tmpl | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/cap-ci/jobs/destroy-kubecf.tmpl b/cap-ci/jobs/destroy-kubecf.tmpl
index 9aca796..98d9ba9 100644
--- a/cap-ci/jobs/destroy-kubecf.tmpl
+++ b/cap-ci/jobs/destroy-kubecf.tmpl
@@ -5,9 +5,11 @@
 plan:
 - get: catapult
 - get: {{ .backend }}-pool.kube-hosts
+ {{- if ne .position 0 }}
 passed:
 - {{ index .jobs_enabled (sub .position 1) }}-{{ .scheduler }}-{{ .backend }}-{{ .avail }}
 trigger: true
+ {{- end }}
 {{- if index .jobs "deploy-k8s" }}
 - get: tfstate-pool
 {{- if ne .position 0 }}
diff --git a/cap-ci/pipeline.yaml.tmpl b/cap-ci/pipeline.yaml.tmpl
index a211804..b2019d1 100644
--- a/cap-ci/pipeline.yaml.tmpl
+++ b/cap-ci/pipeline.yaml.tmpl
@@ -86,7 +86,7 @@ resources:
 url: http://opensource.suse.com/stratos-metrics/
 {{ end }}
-{{- if or (index $config.jobs "deploy-k8s") (index $config.jobs "destroy-k8s") }}
+{{- if index $config.jobs "deploy-k8s" }}
 - name: tfstate-pool
 type: pool
 source:
From e48d2272570fed7f40d34c942eed0c5cd0fc1681 Mon Sep 17 00:00:00 2001
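Review bot: In jobs/destroy-kubecf.tmpl the new `{{- if ne .position 0 }}` block encloses `trigger: true` as well as `passed:`, although the subject line only mentions `passed:`. When destroy-kubecf is the first enabled job, the `get` of the kube-hosts pool therefore no longer starts the job on its own. If that is intended, a template comment on the `if` should say so, for example `{{- /* first job: nothing upstream to gate on, run manually */}}`. If it is not, close the block one line earlier so that `{{- end }}` comes before `trigger: true`. The plan continues outside the hunk.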
From: Hart Simha
Date: Thu, 18 Jun 2020 09:37:52 -0700
Subject: [PATCH 3/3] Always destroy k8s if job != deploy-k8s
- Pass the job name to the job context
- If the last job is not deploy-k8s (meaning it's the only job) use ensure instead of on_failure, to always teardown after the last job
---
 cap-ci/common/destroy_k8s.tmpl | 2 +-
 cap-ci/pipeline.yaml.tmpl | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/cap-ci/common/destroy_k8s.tmpl b/cap-ci/common/destroy_k8s.tmpl
index 95d8eba..82d2c8e 100644
--- a/cap-ci/common/destroy_k8s.tmpl
+++ b/cap-ci/common/destroy_k8s.tmpl
@@ -1,6 +1,6 @@
 {{ define "common_destroy_k8s" }}
 {{- /* if this is the last enabled job, but not the *only* enabled job (deploy-k8s) */ -}}
-{{- if and (eq .position (sub (len .jobs_enabled) 1)) (ne .position 0) }}
+{{- if and (eq .position (sub (len .jobs_enabled) 1)) (ne .job "deploy-k8s" ) }}
 ensure:
 {{- else }}{{/* if deploy-k8s is the only job, or this job isn't the last job */}}
 on_failure:
diff --git a/cap-ci/pipeline.yaml.tmpl b/cap-ci/pipeline.yaml.tmpl
index b2019d1..e232f23 100644
--- a/cap-ci/pipeline.yaml.tmpl
+++ b/cap-ci/pipeline.yaml.tmpl
@@ -119,7 +119,7 @@ jobs:
 {{- range $backend, $enabled := $config.backends }}{{ if $enabled }}
 {{- range $avail, $enabled := $config.availabilities }}{{ if $enabled }}
 {{- range $scheduler, $enabled := $config.schedulers }}{{ if $enabled }}
-{{- $context := $context | merge (dict "position" $job_index "backend" $backend "avail" $avail "scheduler" $scheduler) -}}
+{{- $context := $context | merge (dict "position" $job_index "backend" $backend "avail" $avail "scheduler" $scheduler "job" $job) -}}
 {{ tmpl.Exec ( print "jobs_" $job ) $context }}
 {{- end }}{{ end }}
 {{- end }}{{ end }}
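Review bot: The two template comments around the changed condition in common/destroy_k8s.tmpl still describe the old `(ne .position 0)` test. With `(ne .job "deploy-k8s" )`, a pipeline whose only enabled job is something other than deploy-k8s now takes the `ensure:` branch, which the leading comment ("but not the *only* enabled job") says it does not. Reword them to match, e.g. `{{- /* last enabled job, and that job is not deploy-k8s: always tear down */ -}}` and `{{/* job is deploy-k8s, or it is not the last job: tear down only on failure */}}`. The condition also depends on `.job` being present in the context, and the merge in pipeline.yaml.tmpl is the only place shown setting it. The template body continues outside the hunk.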