Merge pull request knative#9 from mgencur/enable_admission_webhook

Enable admission webhooks in CI
vdemeester · Nov 22, 2018 · 749d85d · 749d85d
2 parents 7909794 + 7fc4950
commit 749d85d
Show file tree

Hide file tree

Showing 2 changed files with 68 additions and 0 deletions.
diff --git a/openshift/admission-webhooks.yaml b/openshift/admission-webhooks.yaml
@@ -0,0 +1,38 @@
+---
+- hosts: all
+  become: yes
+  become_user: root
+  tasks:
+    - name: Backup master-config.yaml to master-config.yaml.prepatch
+      copy:
+        src: /etc/origin/master/master-config.yaml
+        dest: /etc/origin/master/master-config.yaml.prepatch
+        remote_src: yes
+        backup: yes
+    - name: Set master_patch variable
+      set_fact:
+        master_patch: |
+          admissionConfig:
+            pluginConfig:
+              MutatingAdmissionWebhook:
+                configuration:
+                  apiVersion: apiserver.config.k8s.io/v1alpha1
+                  kubeConfigFile: /dev/null
+                  kind: WebhookAdmission
+              ValidatingAdmissionWebhook:
+                configuration:
+                  apiVersion: apiserver.config.k8s.io/v1alpha1
+                  kubeConfigFile: /dev/null
+                  kind: WebhookAdmission
+    - name: Apply patch for admission webhooks
+      shell: oc ex config patch /etc/origin/master/master-config.yaml.prepatch -p "{{ master_patch }}" > /etc/origin/master/master-config.yaml
+    - name: Restart API server and constollers
+      shell: /usr/local/bin/master-restart api && /usr/local/bin/master-restart controllers
+    - name: Wait for API server to be available
+      command: oc login -u system:admin
+      register: login_res
+      until: login_res.rc == 0
+      ignore_errors: yes
+      retries: 30
+      delay: 1
+
diff --git a/openshift/e2e-tests-openshift.sh b/openshift/e2e-tests-openshift.sh
@@ -4,6 +4,7 @@ source $(dirname $0)/../vendor/github.com/knative/test-infra/scripts/e2e-tests.s
 
 set -x
 
+export API_SERVER=$(oc config view --minify | grep server | awk -F'//' '{print $2}' | awk -F':' '{print $1}')
 export USER=$KUBE_SSH_USER #satisfy e2e_flags.go#initializeFlags()
 export OPENSHIFT_REGISTRY=registry.svc.ci.openshift.org
 export TEST_NAMESPACE=build-tests
@@ -13,6 +14,33 @@ export IGNORES="git-volume"
 
 env
 
+function enable_admission_webhooks(){
+  header "Enabling admission webhooks"
+  add_current_user_to_etc_passwd
+  disable_strict_host_checking
+  echo "API_SERVER=$API_SERVER"
+  echo "KUBE_SSH_USER=$KUBE_SSH_USER"
+  chmod 600 ~/.ssh/google_compute_engine
+  echo "$API_SERVER ansible_ssh_private_key_file=~/.ssh/google_compute_engine" > inventory.ini
+  ansible-playbook ${REPO_ROOT_DIR}/openshift/admission-webhooks.yaml -i inventory.ini -u $KUBE_SSH_USER
+  rm inventory.ini
+}
+
+function add_current_user_to_etc_passwd(){
+  if ! whoami &>/dev/null; then
+    echo "${USER:-default}:x:$(id -u):$(id -g):Default User:$HOME:/sbin/nologin" >> /etc/passwd
+  fi
+  cat /etc/passwd
+}
+
+function disable_strict_host_checking(){
+  cat >> ~/.ssh/config <<EOF
+Host *
+   StrictHostKeyChecking no
+   UserKnownHostsFile=/dev/null
+EOF
+}
+
 function install_build(){
   header "Installing Knative Build"
   # Grant the necessary privileges to the service accounts Knative will use:
@@ -146,6 +174,8 @@ function teardown() {
   delete_build_openshift
 }
 
+enable_admission_webhooks
+
 teardown
 
 create_test_namespace