Changes

HACKING.md: minor tweaks

We no longer have a cosa imagestream, and the Jenkins BuildConfig is now
called `jenkins-s2i`.

Noticed these while updating CoreOS CI today.

jobs: add `test-override` job

This job is similar in structure to `bump-lockfile` (i.e. it runs tests
on multiple arches in parallel), but is geared towards testing Bodhi
and/or Koji overrides. The `OVERRIDES` parameter supports a list of URLs
from those services that the job will automatically download into the
`overrides/rpm` directory when doing the build.

For now, like bump-lockfile, this only does local testing, i.e. QEMU and
testiso scenarios. We could extend this in the future to do some cloud
testing too.

This is prep for having another job that triggers this one based on
Bodhi Fedora messages, but it's structured to be useful on its own too
for ad-hoc testing.

jobs: add `bodhi-trigger` job

This job is a step towards better integrating our CI into the rest of
Fedora QA.

The job triggers on Fedora messages from Bodhi whenever an update is
created or edited. It then resolves the Bodhi update to a relevant FCOS
stream, and trigger the `test-override` job with the right parameters.

The implementation details here are a bit messy. Triggering on "a new
Bodhi update" isn't as simple as I would've liked and mapping back to
streams is a bit hairy, but it works!

There's of course a lot of cleanups we could do here (many are marked
in the code), though I'm hoping we can get this in to gain some early
experience and work on cleanups in parallel with the larger task of
adding reporting and socializing it.

See also: https://github.com/coreos/fedora-coreos-tracker/issues/17

jobs/test-override: update build description at the end

It's funny to still have it say 'Running' even when it's done.

jobs/bodhi-trigger: wrap testing in cosa pod

Prep for reporting, which will use code from cosa.

jobs/bodhi-trigger: add reporting to ResultsDB

Call out to the new `resultsdb-report` script in cosa to report test
results back to ResultsDB. Report when first running and then again with
final test results.

Just this alone seems sufficient for the results to show up in Bodhi's
"Automated Tests" tab.

With this, we'll then be able to work on adding policies in Greenwave.

jenkins/config: add JCASC dropin for jms-messaging-plugin

This configures the JMS messaging plugin to connect to the public
endpoint of the Fedora messaging bus.

The tricky thing is passing in the keystores. The plugin does
not support using Jenkins credentials[[1]] so we can't leverage
kubernetes-credentials-provider.

We could do it the old way, which is to mount the secret into the
Jenkins pod, but since d6d1f61, CoreOS CI now uses the exact same
`jenkins.yaml` manifest as the production pipeline and we don't want to
bind mount it there.

Instead, we hack around this by just baking the keystores in the Jenkins
image at `$JENKINS_HOME/jms-messaging-stores`.

[1]: https://github.com/jenkinsci/jms-messaging-plugin/issues/263

jobs/bodhi-trigger: fix result propagation

When propagating the result of test-override back to bodhi-trigger, we
were trying to read from the `test` variable where it was out of scope.

Move it within its scope.

ci: add sanity-check for Groovy files

So at least we got something.

This is copied from fedora-coreos-pipeline. We should probably put that
in coreos-ci-lib.

jobs/test-override: on mechanical streams, build on top of known good version

When testing a rawhide update, we should be testing on top of a rawhide
build that we know has worked. Otherwise, the test may fail for any
arbitrary reason. Since rawhide is not locked, we do this by autolocking
on top of the most recent build that contains all the relevant arches.

See also: https://github.com/coreos/fedora-coreos-releng-automation/issues/181

jobs/bodhi-trigger: simplify triggering

Now that Bodhi will always send the same message in all situations, we
should be able to simplify this by a lot.

Closes: #53

jobs/bodhi-trigger: fix CI retrigger message handling

Missed removing this bit from 4509014 ("jobs/bodhi-trigger: simplify
triggering").

jobs/bodhi-trigger: read SRPM list from `bodhi-testing.yaml`

Add a new `bodhi-testing.yaml` file containing the list of SRPMs to
test. We'll augment the schema of this file later on to allow e.g.
running only a subset of tests.

This will also in the short-term serve as the source of truth for which
packages are gated on these tests or not. Long-term, we may use this
file slightly differently, though likely the tests to run per component
will still live there (including the default tests to run on any
unlisted component).

While we're here, add a few more core packages to the list.

jobs/test-override: resolve Bodhi IDs to Koji IDs early on

It's silly to do this resolution on each builder separately. Let's just
do it once. That also simplifies the downloading loop.

bodhi-testing.yaml: support specifying tests to run

For some packages, it's silly to run the full testsuite when they're not
involved or tested at all in e.g. the testiso scenarios.

Let's allow configuring the list of tests to run per SRPM.

This is also prep for being able to run e.g. just `basic` for a much
wider set of packages.

README.md: update Jenkins URL

We forgot to update this when we migrated from CentOS infra to Fedora.

bodhi-testing.yaml: make test patterns more globby

The test pattern for `toolbox` was incorrect and so didn't match
anything.

For that component and some others, instead of specifying a full test
path, make the patterns more globby. That makes them more obviously
right, and resistant to the tests moving.

Fixes 6c1f869 ("bodhi-testing.yaml: support specifying tests to run").

jobs/seed-github-ci: add openshift/os

The Prow CI we have in those repos are extremely slow and annoying to
maintain. We're still going to need it for now to at least build RHCOS
with actual RHEL RPMs, but at least for CentOS Stream we should be able
to build that fine in CoreOS CI. (We don't have access to the OCP RPMs,
but with https://github.com/openshift/os/issues/799, we'll move those
out of the base compose anyway.)

Add `HOME` workaround to other shwrap helpers

We had it in `shwrap`, but not `shwrapCapture` and `shwrapRc`. We're
hitting an issue right now where `podman` wants to create `$HOME/.ssh`
when using the remote stuff but because we're running unprivileged,
we get

```
Error: failed to connect: ssh: handshake failed: mkdir /.ssh: permission denied
```

We're still trying to determine why this is new, but let's fix the
inconsistency for now.

kolaTestIso: Update to reflect new kola testiso in coreos-assembler

 - Clean up code to reflect changes done in kola testiso in coreos-assembler

Signed-off-by: Renata Ravanelli <rravanel@redhat.com>

Set `HOME` at the pod level instead of in shwrap helpers

That way we're sure it's always set.

Add `umask` workaround to other shwrap helpers

Didn't hit anything caused by this, but we should be consistent across
all the `shwrap` helpers on principle.

Revert "Set `HOME` at the pod level instead of in shwrap helpers"

This reverts commit 3577892a9cac46964a5f44be8881a9ef7741df8c.

Setting the `HOME` var to the workspace from the pod definition doesn't
work because it introduces a chicken-and-egg problem: the workspace
isn't yet allocated since the pod isn't running yet.

This isn't a pure revert since I wanted to keep 33d4910 ("Add `umask`
workaround to other shwrap helpers"), which came after.

pod: Enable secret subpath option

 - Add option for mounting secrets using subpath

Signed-off-by: Renata Ravanelli <rravanel@redhat.com>

kola: add support for allowRerunSuccess

We'll start now to default to passing in --allow-rerun-success tags=needs-internet
so that we can get notified less about intermittent network flakes.

If someone wants to disable this they can pass in allowRerunSuccess=false.

If someone wants to override the tags to use for rerun-success they can
use allowRerunSuccessArgs. For example, allowRerunSuccessArgs="tags=all".

Closes https://github.com/coreos/fedora-coreos-pipeline/issues/842

kola: don't use whitespace in --allow-rerun-success option

If we have a whitespace the parsing needle that we have to thread
thread through cmd-kola into `kola run-upgrade` doesn't work right.
We end up with:

```
[dustymabe@media fcos]$ cosa kola --rerun --allow-rerun-success tags=all --upgrades
kola -p qemu-unpriv tags=all --rerun --allow-rerun-success --output-dir tmp/kola-upgrade --qemu-image-dir tmp/kola-qemu-cache -v --find-parent-image
Error: unknown command "tags=all" for "kola"
Run 'kola --help' for usage.
2023-05-05 21:03:38.033149 C | cli: unknown command "tags=all" for "kola"
error: failed to execute cmd-kola: exit status 1
```

pod: Allow caller to specify name of pod

Allowing the caller to specify the pod name would make it easier to
identify what pods were created for what purpose.

We are planning to use this in the debug pod pipeline job to allow
users to identify which debug pods they own.

Ref: https://github.com/coreos/fedora-coreos-pipeline/issues/803

kola: refactor and add support for warn: true tests

This commit refactors the arguments and error handling for `kola`
into a runKola closure to make it easier to manage. Most calls in
this file use mostly the same arguments, so this is a nice cleanup.

This commit also adds the `--on-warn-failure-exit-77` option [1]
and adds handling to mark a test as `warn()` if that happens versus
the typical `error()`.

[1] https://github.com/coreos/coreos-assembler/pull/3551

kola: specify action to runKola helper

Right now in the upgrade case we end up with `cosa kola run --upgrades`
and that doesn't quite pass through everything right:

```
+ cosa kola run --rerun --allow-rerun-success=tags=needs-internet --build=39.20230823.92.0 --output-dir=/home/jenkins/agent/workspace/kola-gcp/tmp/kola-UJ7JH/kola-upgrade --on-warn-failure-exit-77 --arch=x86_64 -p=gcp --gcp-json-key=**** --gcp-project=fedora-coreos-testing --upgrades

kola --build 39.20230823.92.0 run --rerun --allow-rerun-success=tags=needs-internet --on-warn-failure-exit-77 --arch=x86_64 -p=gcp --gcp-json-key=**** --gcp-project=fedora-coreos-testing --output-dir /home/jenkins/agent/workspace/kola-gcp/tmp/kola-UJ7JH/kola-upgrade --qemu-image-dir tmp/kola-qemu-cache -v --find-parent-image

Error: unknown flag: --qemu-image-dir
```

We need the ultimate command to be `kola run-upgrade`. Let's add the
action we want as an argument to the runKola helper.

kola: use `=` for options with values

The way cosa kola parses things and then passes it on to kola is
a mess. Let's remove the spaces so we can make sure the value doesn't
get separated from the option when it's processed.

checkoutToDir: Recurse submodules

Prep for adding a git submodule to fedora-coreos-config.

job.yaml: fix apiVersion and other tweaks

The API version for templates is now `template.openshift.io/v1`.
Possibly `v1` was accepted before but not anymore? Fix it.

While we're here, tweak the template name to make it clearer that the
template itself is never created as an object.

Also remove the parameter default value to hard require clients to
always specify it.

buildconfig.json: fix apiVersion

The API version for templates is now `template.openshift.io/v1`.
Possibly `v1` was accepted before but not anymore? Fix it.

Missed doing this as part of badbfa0 ("job.yaml: fix apiVersion and
other tweaks").

kola/kolaTestIso: use `kola-junit` to publish JUnit test results

This will allow us to much more easily inspect failing kola tests.
Goes together with https://github.com/coreos/coreos-assembler/pull/3667,
which has more details.

While we're here, use `kola-testiso` as marker since it looks clearer
and for consistency with `kola-upgrade`.

pod: support setting env vars in the pod

We'll set NAME=VALUE for each requested environment variable.

Part of https://github.com/coreos/fedora-coreos-pipeline/issues/939

cosaBuild: add `srcConfig` and `variant` parameters

I want to start building CentOS Stream CoreOS in CoreOS CI for at least
openshift/os and coreos/coreos-assembler.

Let's make it easier to point to a different source config than the
default FCOS.