feat: Updated kubevirtci s390x jobs to use GCS REST API

As gsutils or glcoud cli aren't supported on s390x arch, using REST APIs to do file operations from s390x. Signed-off-by: chandramerla <Chandra.Merla@ibm.com>
kubevirt · Sep 10, 2024 · 8ecec41 · 8ecec41
1 parent 5c0f5c3
commit 8ecec41
Show file tree

Hide file tree

Showing 4 changed files with 139 additions and 8 deletions.
diff --git a/github/ci/prow-deploy/files/jobs/kubevirt/kubevirtci/kubevirtci-periodics.yaml b/github/ci/prow-deploy/files/jobs/kubevirt/kubevirtci/kubevirtci-periodics.yaml
@@ -139,7 +139,6 @@ periodics:
         SHORT_SHA=$(git rev-parse --short HEAD) &&
         image_tag=$(cat cluster-provision/k8s/base-image | cut -d ':' -f 2) &&
         echo "$image_tag" > amd64-centos9-$SHORT_SHA &&
-        #TODO: replace with methods which work on s390x as gsutil not supported for s390x.
         gsutil cp ./amd64-centos9-$SHORT_SHA gs://kubevirt-prow/release/kubevirt/kubevirtci/amd64-centos9-$SHORT_SHA
       # docker-in-docker needs privileged mode
       env:
@@ -187,16 +186,17 @@ periodics:
         SHORT_SHA=$(git rev-parse --short HEAD) &&
         GCS_FILE_PATH=gs://kubevirt-prow/release/kubevirt/kubevirtci/amd64-centos9-$SHORT_SHA &&
         CHECK_INTERVAL=30 &&
+        source /usr/local/bin/gcs_restapi.sh &&
         while true; do
-            if gsutil -q stat "$GCS_FILE_PATH"; then
+            if stat_gcs_file kubevirt-prow "$GCS_FILE_PATH"; then
                 echo "File $GCS_FILE_PATH is now available."
                 break
             else
                 echo "File $GCS_FILE_PATH not found. Checking again in $CHECK_INTERVAL seconds."
                 sleep $CHECK_INTERVAL
             fi
         done &&
-        export KUBEVIRTCI_TAG=$(gsutil cat "$GCS_FILE_PATH") || echo "Failed to fetch KUBEVIRTCI_TAG" &&
+        export KUBEVIRTCI_TAG=$(cat_gcs_file kubevirt-prow "$GCS_FILE_PATH") || { echo "Failed to fetch KUBEVIRTCI_TAG"; exit 1; } &&
         echo "Fetched KUBEVIRTCI_TAG: $KUBEVIRTCI_TAG" &&
         cat $QUAY_PASSWORD | podman login --username $(<$QUAY_USER) --password-stdin quay.io &&
         ./hack/bump-centos-version.sh &&

diff --git a/github/ci/prow-deploy/files/jobs/kubevirt/kubevirtci/kubevirtci-postsubmits.yaml b/github/ci/prow-deploy/files/jobs/kubevirt/kubevirtci/kubevirtci-postsubmits.yaml
@@ -100,21 +100,23 @@ postsubmits:
             cat $QUAY_PASSWORD | podman login --username $(<$QUAY_USER) --password-stdin quay.io &&
             SHORT_SHA=$(git rev-parse --short HEAD) &&
             GCS_FILE_PATH=gs://kubevirt-prow/release/kubevirt/kubevirtci/amd64-$SHORT_SHA &&
+            source /usr/local/bin/gcs_restapi.sh
             CHECK_INTERVAL=30 &&
             while true; do
-                if gsutil -q stat "$GCS_FILE_PATH"; then
+                if stat_gcs_file kubevirt-prow "$GCS_FILE_PATH"; then
                     echo "File $GCS_FILE_PATH is now available."
                     break
                 else
                     echo "File $GCS_FILE_PATH not found. Checking again in $CHECK_INTERVAL seconds."
                     sleep $CHECK_INTERVAL
                 fi
             done &&
-            export KUBEVIRTCI_TAG=$(gsutil cat "$GCS_FILE_PATH") &&
+            export KUBEVIRTCI_TAG=$(cat_gcs_file kubevirt-prow "$GCS_FILE_PATH") || { echo "Failed to fetch KUBEVIRTCI_TAG"; exit 1; } &&
+            echo "Fetched KUBEVIRTCI_TAG: $KUBEVIRTCI_TAG" &&
             ./publish.sh &&
             echo "$(git tag --points-at HEAD | head -1)" > latest &&
-            gsutil cp ./latest gs://kubevirt-prow/release/kubevirt/kubevirtci/latest
-            gsutil rm "$GCS_FILE_PATH"
+            upload_to_gcs ./latest kubevirt-prow release/kubevirt/kubevirtci/latest
+            rm_gcs_file kubevirt-prow "$GCS_FILE_PATH"
           # docker-in-docker needs privileged mode
           env:
           - name: GIMME_GO_VERSION

diff --git a/images/bootstrap/Dockerfile b/images/bootstrap/Dockerfile
@@ -59,6 +59,7 @@ RUN dnf install -y \
     qemu-user-static \
     bind-utils \
     wget \
+    openssl \
     python3-jinja2 &&\
   dnf -y clean all
 
@@ -121,7 +122,7 @@ RUN git config --global --add safe.directory '*'
 # env PODMAN_IN_CONTAINER_ENABLED is set and similarly responsible for generating
 
 # .bazelrc files if bazel remote caching is enabled
-COPY ["entrypoint.sh", "runner.sh", "create_bazel_cache_rcs.sh", \
+COPY ["entrypoint.sh", "gcs_restapi.sh", "runner.sh", "create_bazel_cache_rcs.sh", \
         "/usr/local/bin/"]
 
 ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
diff --git a/images/bootstrap/gcs_restapi.sh b/images/bootstrap/gcs_restapi.sh
@@ -0,0 +1,128 @@
+#!/usr/bin/env bash
+# Copyright 2018 The Kubernetes Authors.
+# Copyright 2021 The KubeVirt Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Function to get access token
+get_access_token() {
+    local sa_email=$(jq -r '.client_email' "$GOOGLE_APPLICATION_CREDENTIALS")
+    local sa_key=$(jq -r '.private_key' "$GOOGLE_APPLICATION_CREDENTIALS")
+    local jwt_header=$(echo -n '{"alg":"RS256","typ":"JWT"}' | base64 -w 0 | tr '+/' '-_' | tr -d '=')
+    local jwt_claim=$(echo -n '{"iss":"'$sa_email'","scope":"https://www.googleapis.com/auth/cloud-platform","aud":"https://oauth2.googleapis.com/token","exp":'$(($(date +%s) + 3600))',"iat":'$(date +%s)'}' | base64 -w 0 | tr '+/' '-_' | tr -d '=')
+    local jwt_signature=$(echo -n "$jwt_header.$jwt_claim" | openssl dgst -binary -sha256 -sign <(echo "$sa_key") | base64 -w 0 | tr '+/' '-_' | tr -d '=')
+    local jwt="$jwt_header.$jwt_claim.$jwt_signature"
+
+    local response=$(curl -s -X POST https://oauth2.googleapis.com/token \
+         -H "Content-Type: application/x-www-form-urlencoded" \
+         -d "grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=$jwt")
+
+    echo $(echo "$response" | jq -r '.access_token')
+}
+
+# Function to validate GOOGLE_APPLICATION_CREDENTIALS and obtain an access token
+get_access_token_or_exit() {
+    if [ -z "${GOOGLE_APPLICATION_CREDENTIALS}" ]; then
+        echo "GOOGLE_APPLICATION_CREDENTIALS is not set. Please set it to the path of your service account key file."
+        exit 1
+    fi
+
+    access_token=$(get_access_token)
+    if [ -z "$access_token" ]; then
+        echo "Failed to obtain access token. Check your service account key file."
+        exit 1
+    fi
+}
+
+# Function to upload a file to Google Cloud Storage
+upload_to_gcs() {
+    local source_file="$1"
+    local bucket_name="$2"
+    local destination_blob="$3"
+    local content_type="application/octet-stream"
+
+    get_access_token_or_exit
+
+    upload_response=$(curl -X POST \
+      --data-binary @"$source_file" \
+      -H "Authorization: Bearer $access_token" \
+      -H "Content-Type: $content_type" \
+      "https://storage.googleapis.com/upload/storage/v1/b/$bucket_name/o?uploadType=media&name=$destination_blob")
+
+    if echo "$upload_response" | jq -e '.name' > /dev/null; then
+       echo "File $source_file uploaded successfully as $destination_blob"
+       return 0
+    else
+       echo "Upload failed. Response:"
+       echo "$upload_response" | jq '.'
+       return 1
+    fi
+}
+
+# Function to check if a file exists in GCS
+stat_gcs_file() {
+    local bucket_name="$1"
+    local gcs_file_path="$2"
+
+    get_access_token_or_exit
+
+    stat_response=$(curl -s -X GET \
+      -H "Authorization: Bearer $access_token" \
+      "https://storage.googleapis.com/storage/v1/b/$bucket_name/o/$gcs_file_path")
+
+    if echo "$stat_response" | jq -e '.error' > /dev/null; then
+        return 1
+    else
+        return 0
+    fi
+}
+
+# Function to read the content of a file from GCS
+cat_gcs_file() {
+    local bucket_name="$1"
+    local gcs_file_path="$2"
+
+    get_access_token_or_exit
+
+    file_content=$(curl -s -X GET \
+      -H "Authorization: Bearer $access_token" \
+      "https://storage.googleapis.com/storage/v1/b/$bucket_name/o/$gcs_file_path?alt=media")
+
+    if echo "$file_content" | jq -e '.error' > /dev/null; then
+        return 1
+    else
+        echo "$file_content"
+        return 0
+    fi
+}
+
+# Function to delete a file from GCS
+rm_gcs_file() {
+    local bucket_name="$1"
+    local gcs_file_path="$2"
+
+    get_access_token_or_exit
+
+    delete_response=$(curl -s -X DELETE \
+      -H "Authorization: Bearer $access_token" \
+      "https://storage.googleapis.com/storage/v1/b/$bucket_name/o/$gcs_file_path")
+
+    if [ -z "$delete_response" ]; then
+        echo "File $gcs_file_path deleted successfully."
+        return 0
+    else
+        echo "Failed to delete file. Response:"
+        echo "$delete_response" | jq '.'
+        return 1
+    fi
+}