diff --git a/ci/input/inputs.yml b/ci/input/inputs.yml
index 300d5675c..e8bf642df 100644
--- a/ci/input/inputs.yml
+++ b/ci/input/inputs.yml
@@ -131,6 +131,7 @@ untestedOpsReleases:
 windowsStemcells:
 - name: windows2019
+ stack: windows2019
 opsFile: windows2019-cell.yml
 opsFileDir: operations
diff --git a/ci/pipelines/update-releases.yml b/ci/pipelines/update-releases.yml
index c539f00b9..fae358a75 100644
--- a/ci/pipelines/update-releases.yml
+++ b/ci/pipelines/update-releases.yml
@@ -119,6 +119,9 @@ groups:
 jobs:
 - update-windows2019-stemcell
 - update-windows2019fs-offline-release
+- name: update-fips-stemcell
+ jobs:
+ - update-fips-stemcell
 - name: debug
 jobs: []
 - name: cleanup
@@ -143,6 +146,11 @@ resource_types:
 source:
 repository: cfcommunity/slack-notification-resource
 tag: latest
+- name: bosh-io-stemcell
+ source:
+ repository: foundationalinfrastructure/bosh-io-stemcell-resource
+ tag: v1.2.1
+ type: docker-image
 resources:
 - name: cf-deployment-all-branches
 type: git
@@ -213,6 +221,14 @@ resources:
 icon: dna
 source:
 name: bosh-google-kvm-ubuntu-jammy-go_agent
+- name: fips-stemcell
+ type: bosh-io-stemcell
+ icon: dna
+ source:
+ name: bosh-aws-xen-hvm-ubuntu-jammy-fips-go_agent
+ auth:
+ access_key: ((ci_dev_gcp_service_account_hmac_access_key))
+ secret_key: ((ci_dev_gcp_service_account_hmac_secret))
 - name: stemcell-version-bump-detect
 type: stemcell-version-bump
 icon: dna
@@ -14067,13 +14083,38 @@ jobs:
 params:
 tarball: false
 - task: update-windows-stemcell-ops
- file: runtime-ci/tasks/update-windows-stemcell-ops/task.yml
+ file: runtime-ci/tasks/update-stemcell-ops/task.yml
+ input_mapping:
+ ops-files: cf-deployment-develop
+ stemcell: windows2019-stemcell
+ params:
+ STEMCELL_STACK: windows2019
+ ORIGINAL_OPS_FILE_PATH: operations/windows2019-cell.yml
+ UPDATED_OPS_FILE_PATH: operations/windows2019-cell.yml
+ - put: cf-deployment-develop
+ params:
+ rebase: true
+ repository: updated-stemcell-ops-file
+- name: update-fips-stemcell
+ public: true
+ serial: true
+ plan:
+ - in_parallel:
+ - get: runtime-ci
+ - get: cf-deployment-develop
+ - get: fips-stemcell
+ trigger: true
+ params:
+ tarball: false
+ - task: update-stemcell-ops
+ file: runtime-ci/tasks/update-stemcell-ops/task.yml
 input_mapping:
 ops-files: cf-deployment-develop
- windows-stemcell: windows2019-stemcell
+ stemcell: fips-stemcell
 params:
- ORIGINAL_WINDOWS_OPS_FILE_PATH: operations/windows2019-cell.yml
- UPDATED_WINDOWS_OPS_FILE_PATH: operations/windows2019-cell.yml
+ STEMCELL_STACK: ubuntu-jammy
+ ORIGINAL_OPS_FILE_PATH: operations/test/fips-stemcell.yml
+ UPDATED_OPS_FILE_PATH: operations/test/fips-stemcell.yml
 - put: cf-deployment-develop
 params:
 rebase: true
diff --git a/ci/template/update-releases.yml b/ci/template/update-releases.yml
index 6640bb5b0..56d43c9ae 100644
--- a/ci/template/update-releases.yml
+++ b/ci/template/update-releases.yml
@@ -53,6 +53,9 @@ groups:
 #@ for r in data.values.windowsOfflineReleases:
 - #@ "update-" + r.name + "-offline-release"
 #@ end
+- name: update-fips-stemcell
+ jobs:
+ - update-fips-stemcell
 - name: debug
 jobs:
 #@ for r in data.values.baseReleases:
@@ -103,6 +106,13 @@ resource_types:
 repository: cfcommunity/slack-notification-resource
 tag: latest
+#! TODO remove this resource type declaration when a final release of the resource is available
+- name: bosh-io-stemcell
+ source:
+ repository: foundationalinfrastructure/bosh-io-stemcell-resource
+ tag: v1.2.1
+ type: docker-image
+
 resources:
 - name: cf-deployment-all-branches
 type: git
@@ -184,6 +194,15 @@ resources:
 source:
 name: bosh-google-kvm-ubuntu-jammy-go_agent
+- name: fips-stemcell
+ type: bosh-io-stemcell
+ icon: dna
+ source:
+ name: bosh-aws-xen-hvm-ubuntu-jammy-fips-go_agent
+ auth:
+ access_key: ((ci_dev_gcp_service_account_hmac_access_key))
+ secret_key: ((ci_dev_gcp_service_account_hmac_secret))
+
 - name: stemcell-version-bump-detect
 type: stemcell-version-bump
 icon: dna
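Review bot: The `bosh-io-stemcell` resource type is pulled from a third-party image by mutable tag (`repository: foundationalinfrastructure/bosh-io-stemcell-resource`, `tag: v1.2.1`) and the `fips-stemcell` resource then hands that image `access_key`/`secret_key`; the `#! TODO` says this is a stop-gap until a final release exists, so a retagged pre-release image would run with those keys without anyone noticing. Pinning by image digest where the resource type supports it, or mirroring the image into a registry the team controls, keeps that dependency under your control until the TODO is resolved. The resource fetches an AWS stemcell (`bosh-aws-xen-hvm-…`) while the keys are named `ci_dev_gcp_…_hmac_…`; if that pairing is deliberate (an S3-compatible endpoint, presumably), a one-line `#!` comment above `auth:` saying what the keys reach would spare the next reader the same question.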
@@ -716,19 +735,45 @@ jobs:
 params:
 tarball: false
 - task: update-windows-stemcell-ops
- file: runtime-ci/tasks/update-windows-stemcell-ops/task.yml
+ file: runtime-ci/tasks/update-stemcell-ops/task.yml
 input_mapping:
 ops-files: cf-deployment-develop
- windows-stemcell: #@ s.name + "-stemcell"
+ stemcell: #@ s.name + "-stemcell"
 params:
- ORIGINAL_WINDOWS_OPS_FILE_PATH: #@ "{}/{}".format(s.opsFileDir, s.opsFile)
- UPDATED_WINDOWS_OPS_FILE_PATH: #@ "{}/{}".format(s.opsFileDir, s.opsFile)
+ STEMCELL_STACK: #@ s.stack
+ ORIGINAL_OPS_FILE_PATH: #@ "{}/{}".format(s.opsFileDir, s.opsFile)
+ UPDATED_OPS_FILE_PATH: #@ "{}/{}".format(s.opsFileDir, s.opsFile)
 - put: cf-deployment-develop
 params:
 rebase: true
 repository: updated-stemcell-ops-file
 #@ end
+- name: update-fips-stemcell
+ public: true
+ serial: true
+ plan:
+ - in_parallel:
+ - get: runtime-ci
+ - get: cf-deployment-develop
+ - get: fips-stemcell
+ trigger: true
+ params:
+ tarball: false
+ - task: update-stemcell-ops
+ file: runtime-ci/tasks/update-stemcell-ops/task.yml
+ input_mapping:
+ ops-files: cf-deployment-develop
+ stemcell: fips-stemcell
+ params:
+ STEMCELL_STACK: ubuntu-jammy
+ ORIGINAL_OPS_FILE_PATH: operations/test/fips-stemcell.yml
+ UPDATED_OPS_FILE_PATH: operations/test/fips-stemcell.yml
+ - put: cf-deployment-develop
+ params:
+ rebase: true
+ repository: updated-stemcell-ops-file
+
 - name: detect-stemcell-bump
 plan:
 - in_parallel:
diff --git a/operations/test/README.md b/operations/test/README.md
index 0e3d1942a..58c79621c 100644
--- a/operations/test/README.md
+++ b/operations/test/README.md
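Review bot: The new `update-fips-stemcell` job is `public: true`, so its build output is readable without authentication, and its `get: fips-stemcell` step runs a resource configured with `access_key`/`secret_key`; before keeping that flag, confirm the windows stemcell jobs generated by the loop above are public as well (their job header starts before this hunk) and that secret redaction is enabled on the target Concourse, since anything the resource prints around a failed login lands in a public log. Both the renamed loop task and the new job now point `file:` at `runtime-ci/tasks/update-stemcell-ops/task.yml`, so every stemcell job breaks until that task exists under the new name in runtime-ci; that cross-repo ordering belongs in the commit message. Stylistically the hand-written job repeats the loop body almost line for line; now that `stack` lives in data.values, a second stemcell list could drive it from the same loop, provided its resource is generated the same way.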
@@ -18,5 +18,6 @@ They may change without notice.
 | [`enable-nfs-test-server.yml`](enable-nfs-test-server.yml) | adds an NFS server to the deployment | nfstestserver can be reached at nfstestserver.service.cf.internal for acceptance testing purposes |
 | [`enable-nfs-test-ldapserver.yml`](enable-nfs-test-ldapserver.yml) | Adds an LDAP server to the deployment to allow testing of NFS volume services configured with LDAP authentication | Requires enable-nfs-volume-service.yml and enable-nfs-test-server.yml. nfstestldapserver can be reached at nfstestldapserver.service.cf.internal |
 | [`enable-smb-test-server.yml`](enable-smb-test-server.yml) | adds an SMB server to the deployment | smbtestserver can be reached at smbtestserver.service.cf.internal for acceptance testing purposes |
+| [`fips-stemcell.yml`](fips-stemcell.yml) | Contains the validated version of the FIPS-compliant stemcell |
 | [`speed-up-dynamic-asgs.yml`](speed-up-dynamic-asgs.yml) | decreases the polling time for policy-server-asg-syncer and vxlan-policy-agent to speed up cf-acceptance-tests | Not suitable for production envs |
 | [`set-smoke-test-timeout-scale.yml`](set-smoke-test-timeout-scale.yml) | set the timeout scale to 5 | used when retrieving logs in the smoke tests timeout. usualy happens with gcp enviorments that do not have a ephemeral ips |
\ No newline at end of file
diff --git a/operations/test/fips-stemcell.yml b/operations/test/fips-stemcell.yml
new file mode 100644
index 000000000..9c65ba3f7
--- /dev/null
+++ b/operations/test/fips-stemcell.yml
@@ -0,0 +1,6 @@
+- type: replace
+ path: /stemcells/-
+ value:
+ alias: default
+ os: ubuntu-jammy
+ version: "1.406"
diff --git a/units/tests/test_test/operations.yml b/units/tests/test_test/operations.yml
index b4e71d8d4..12d8c16d8 100644
--- a/units/tests/test_test/operations.yml
+++ b/units/tests/test_test/operations.yml
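Review bot: The new ops file appends a second stemcell entry with `alias: default` via `path: /stemcells/-`, and as far as I can tell cf-deployment.yml's `stemcells:` block already carries a `default` alias, so applying this file on top yields two stemcells sharing one alias — something the director rejects as a duplicate alias at deploy time, while `bosh interpolate` (which the `fips-stemcell.yml: {}` unit-test entry below presumably drives) will not catch it. If the intent is to swap the base stemcell for the FIPS build, `path: /stemcells/alias=default` with the same `value` replaces the entry instead of appending one. `os: ubuntu-jammy` also needs checking against the OS string the uploaded FIPS stemcell reports, since the resource it comes from is named `bosh-aws-xen-hvm-ubuntu-jammy-fips-go_agent`; quoting `version: "1.406"` is right and should stay that way.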
@@ -19,6 +19,7 @@ enable-smb-test-server.yml:
 vars:
 - smb-password=FOO.PASS
 - smb-username=BAR.USER
+fips-stemcell.yml: {}
 scale-to-one-az-addon-parallel-cats.yml:
 ops:
 - ../scale-to-one-az.yml