Changes

jobs: drop butane

That repo doesn't use CoreOS CI at all, so just delete it.

README-upstream-ci.md: fix links to coreos-ci-lib

The `coreos-ci` branch is outdated (and will soon be deleted). Fix the
links to use `main`.

Reported-by: Luca BRUNO <luca.bruno@coreos.com>

README-upstream-ci: document contributor trust

We hit this recently. Let's write this stuff down so it's easier to know
in the future what needs to be done.

manifests/jenkins: enable OVERRIDE_PV_PLUGINS_WITH_IMAGE_PLUGINS

Jenkins stores configs and plugins in a single directory, which is on a
PVC mount. When updating the Jenkins image, by default new plugins in
the image are not copied over into the PVC. If we want to make the image
plugins authoritative (i.e. if we actually want plugin updates), we need
to opt into it via an env var.

manifests/jenkins: override default jenkins-agent image

This matches what we did in the FCOS pipeline:
https://github.com/coreos/fedora-coreos-pipeline/pull/671

The bits from that PR to actually set up the imagestream, we will
already inherit here.

Stop mounting GitHub OAuth secret into Jenkins

Just have it live directly in the configmap. This is not as elegant as
the kubernetes-credentials-provider but takes us a step closer to
dropping `jenkins.yaml`.

There isn't really a difference today in terms of RBAC in our namespace
between secrets and configmaps (e.g. all authenticated users with access
to the namespace can access both, and so can the `jenkins` SA).

Manage coreosbot GitHub token with k8s credentials provider

Another step closer to getting rid of `jenkins.yaml`.

Manage GitHub webhook secret with k8s credentials provider

Another step closer to getting rid of `jenkins.yaml`.

Use same `jenkins.yaml` as FCOS pipeline

Now that we don't have to mount any secrets into Jenkins, use the same
template we use in the FCOS pipeline to set it up. This allows us to
automatically gain improvements and rebases done in the pipeline here.

Adapt to latest pipeutils

In the pipeline repo, we've dropped `pipeutils.get_config()` now in
favour of `pipelines.load_jenkins_config()`. The configmap name is now
also `jenkins-config`. Adapt this codebase.

Use same `pipeline.yaml` as FCOS pipeline

Now that the FCOS pipeline has learned to have a `config.yaml`, the
`pipeline.yaml` manifest is purely about high-level pipeline
configuration. It defines the `jenkins-config` configmap and the cosa
imagestream. Rather than duplicating it here, let's just also use the
FCOS pipeline one.

Move from Quay.io to app.ci

The latter mirrors to the former, but it's a periodic that runs every
hour. So let's just use the images directly from app.ci for faster
iteration.

buildImage: add support for setting memory and cpu

In cosa CI, we're hitting:

> runtime: failed to create new OS thread

I think this is another instance of non-Kubernetes-aware multiprocessing
like in https://github.com/coreos/coreos-ci/issues/23.

Let's expose the `resources` knob for building images like we already do
for `pod`. This will allow us in cosa to request a specific amount, and
then asking golang to respect it.

buildImage: fix resource request

We need to initialize the maps before we can set keys inside.

Fixes decacbc ("buildImage: add support for setting memory and cpu").

Add withPodmanRemote

- Add wrapper to allow podman remote commands using the
environment variables CONTAINER_SSHKEY and CONTAINER_HOST
in Jenkins execution

Signed-off-by: Renata Ravanelli <rravanel@redhat.com>

pod: set both the resource CPU request and limit

Right now, we're not setting any CPU limit in the pods we schedule. This
means our workloads runs without constraints and can hog the hosts
they're running on if there are no namespace-wide default resource
limits.

Unlike with memory requests/limits, limits are enforced at the CPU
scheduling level, so IIUC it's not possible to be evicted due to
excessive CPU usage.

So let's start defaulting to a reasonable not too large value and ensure
we set both the CPU requests and limits. This also allows cgroups-aware
applications to derive the correct number of "equivalent CPUs" to use
for multi-threaded/multi-processing steps.

fcosKola: parallelize kola to the number of CPUs

As of 7b552e1134, we're enforcing CPU resource limits on our pods.  The
current defaults allocate 2 CPUs and then use them to run 8 parallel kola
tests and a kola upgrade test.  Reduce oversubscription by having kola
parallelize to the number of available CPUs by default.  There's still
some oversubscription because we're running the kola upgrade test in
parallel with that, but that currently only needs 1 CPU.

cosaPod: point back to Quay.io for cosa

The canonical location is Quay.io again so let's use that so we don't
have to wait for app.ci to mirror it.

job.yaml: switch to minimal image; use :latest tag

Since the role of the container here is super minimal let's just
use the minimal container and also follow the :latest tag so that
we don't ever have to worry about being on an EOL release.

pod: set memory limit also

When deploying the RHCOS pipeline we ran into a case where there was
a limitrange set with a default memory limit:

```
oc describe limitrange
Type        Resource  Min  Max  Default Request  Default Limit  Max Limit/Request Ratio
----        --------  ---  ---  ---------------  -------------  -----------------------
Container   cpu       -    -    300m             4              -
Container   memory    -    -    400Mi            6656Mi         -
```

In this case we also needed to bump the memory for the COSA pod to 8Gi.
Bumping it to 8Gi (via cosaPod()) set the request but not the limit.
The pod inherited the default limit of 6656 Mi and we got an error:

```
Invalid value: "8Gi": must be less than or equal to memory limit
```

Let's just set the limit to the same value as the request here. We'll
adapt later if we find we need more knobs.

Add `tryWithCredentials` custom step

This new step can be used just like `withCredentials`, except that if
the credentials don't exist, we'll gracefully return.

Upstreamed from the FCOS pipeline.

tree: drop FCOS name from custom steps

Signed-off-by: Renata Ravanelli <rravanel@redhat.com>

tree: drop FCOS wording from various places

Signed-off-by: Renata Ravanelli <rravanel@redhat.com>

tree: Add symbolic links for compatibility

Signed-off-by: Renata Ravanelli <rravanel@redhat.com>

kola: run provisioning tests separately

This effectively upstreams
https://github.com/coreos/fedora-coreos-pipeline/commit/c3af4ad57ab4.

The same reasons apply, but we're doing it now here too because it'll
help with not hitting against our memory limits.

utils: add substituteStr

This will be used by the pipeline to process some of the templated
fields in `config.yaml`. Putting it here allows us to work around the
fact that the `SimpleTemplateEngine` API would normally have to be
allowed by an administrator first.

vars/utils: add compat symlink from /srv/fcos to /srv/coreos

Commit 3719f69 ("tree: drop FCOS wording from various places") broke
multiple upstream CI jobs which still reference the old location. We
need to temporarily support both locations as we migrate them.

Add a compat symlink.

kolaTestIso: reduce conditional logic with scenariosArg var

Reducing the branches makes it a little easier to read and understand
what's going on.

kolaTestIso: port over some changes from kola.groovy

This mostly ports over 8804c62 and 042c0ba from kola.groovy
which makes it so multiple runs can happen at the same time and
also allows the caller to give a marker (some identifying info)
about this run that will be stored in it's output filename. This
makes it easier to find which archive to download in the Jenkins
web UI.

{kola,kolaTestIso}: reduce number of try/finally blocks

This makes the finally block (the log collection) more generic and
allows for it to run at the end so that we can reduce the number of
scopes in our code.

{kola,kolaTestIso}: initial stab at multi-arch support

The rule here is mostly to run things through either `cosa` commands
or run generic bash commands through `cosa shell --`. This also is
made easier if we're running the `cosa` command within `shwrap()`
from the cosa dir already, so let's use `dir(cosaDir)` to try to
enable that simplification.

kola: simplify tests on non-QEMU or if user passed extraArgs

We only need to worry about basic-qemu-scenarios and running reprovision
tests separately when the platform is QEMU (the default). Loosely detect
if the target platform is something other than QEMU by checking to see
if the user provided platformArgs and if we are running against non-QEMU
then just run all the tests up front and not in separate runs.

Similarly if the user passed in `extraArgs` let's assume they want greater
control and could be passing arguments that conflict with our `--tag`
specifications in the invocations below. Given this assumption it would
be better to just run the extraArgs in a single invocation up front.

kola: add allowUpgradeFail argument

This commit adds the ability to warn rather than error if upgrades fail.

{kola,kolaTestIso}: make the parallel run names more meaningful

In the bump-lockfile job in the pipeline we run all the architecture
tests together so it helps to have the architecture in the name too.

{kola,kolaTestIso}: remove the unnecessary stage declaration

When nesting `parallel` calls like we do in the `bump-lockfile` job
in our FCOS pipeline the extra stage declaration confuses the Blue
Ocean view. Let's just drop it.

{kola,kolaTestIso}: make the collection of logs non-fatal

In case a test blew up for another reason let's not make the collection
of the logs tank the entire run.

kolaTestIso: scope the testIsoRuns* vars

I'm seeing some concurrency issues when running the bump-lockfile job.
It turns out when running kolaTestIso concurrently these variables are
stepping on each other from the other runs. Let's scope them
appropriately.

kolaTestIso: collapse all runs into single map

In this commit we collapse all test iso run definition into a single
map (testIsoRuns) rather than two (testIsoRuns1, testIsoRuns2), while
still retaining the property of only running two parallel runs at any
given time.

The reason for doing this is I noticed in an s390x run it would first
run `s390x:kola:metal` and then run `s390x:kola:multipath`, serially. In
this case it would be more appropriate to run both of those together
in a single parallel run.

{kola,kolaTestIso}: workaround issue with accessDenied from dir()

When using `dir()` in the kola and kolaTestIso jobs we are getting a
permission denied error if the directory is isn't under the env.WORKSPACE
directory.

Let's go back to using a `cd ${cosaDir}` for now to workaround this while
we find better solutions. This `cd ${cosaDir}` will have no effect on
multi-arch where we'll be operating in a remote session anyway.

Revert "vars/utils: add compat symlink from /srv/fcos to /srv/coreos"

This reverts commit 8dc6b0c06f1b7f450931b29e4152a52bdb892210.

All the repos have been updated now, so we can drop the compat symlinks.

Revert "tree: Add symbolic links for compatibility"

This reverts commit ef3d9eeb9bd0cca181b7d0aad4e29ce76fa2ab45.

All the repos have been updated now, so we can drop the compat symlinks.

kola: run with parallel even if single stage

I think with 380ffa5 it makes the optimization from 362e995 no longer
required. In it's current form the kola-azure and kola-openstack tests
in the pipeline don't have the kola tests broken out into a separate
stage (they skip the upgrade test) so it's hard to find a failure in
the blue ocean view when one happens.

utils: add credentialsExist() helper

utils: add syncCredentialsIfInRemoteSession() helper

This will help us copy over credentials to the remote node if we're
inside a remote session. Having the code in a single place means we're
less likely to copy/paste and make mistakes.

kola: make marker default to ""

I meant to do this in ce42c55 in the refactor there.

{kola,kolaTestIso}: remove Arch from stage run titles by default

Including the arch everywhere is a bit overboard. Where it's really
needed is in our pipeline bump-lockfile job where we run tests from
all architectures at once. Everywhere else it's not really welcome.

Let's change the model a bit to include the marker given by the client
in the stage titles. Otherwise we won't add anything to them.

utils: add runParallel() function

This function will behave the same as jenkins parallel but will
only run `max` number of runs in parallel at once.

kola/kolaTestIso: fix tar path

If we pass the full directory name to `tar -c`, it'll want to recreate
the whole structure on extracting. Instead, use `-C` so we only pass the
final directory to `tar`. That'll ensure we still create at least one
directory on extraction instead of filling up the working directory. We
used to do this, but I think it got lost in the recent enhancements on
these steps.

CODEOWNERS: drop saqibali-2k

Saqib is no longer an owner of this repo.

kola/kolaTestIso: support skipSecureBoot

This will be used by the pipeline when SecureBoot tests should be
skipped (e.g. when testing an unsigned kernel).

withPodmanRemote: add port 22 to CONTAINER_HOST env var

There is a regression in podman [1] that causes podman remote sessions
to not work unless the port is specified. Let's just add the port so we
can get unblocked.

[1] https://github.com/containers/podman/issues/16509

kola: denylist rhcos.upgrade.from-ocp-rhcos for now

This is a hack but we're in a time crunch and this is the fastest
way to effect a change.

We'll revert this in the near future.

Drop gangplank.groovy

AFAIK, we've never used these functions and we've moved away from
gangplank for now in favour of `podman remote`. Let's delete it. We can
always restore it in the future if needed.

Add warn helper

We started using this convention in a few places in the pipeline. Let's
add a helper for it. Make it top-level so it feels as ergonomic as an
`error` call.

Revert "kola: denylist rhcos.upgrade.from-ocp-rhcos for now"

This reverts commit 06425433fb9d87f1467681f428a26c51164e3c12.

This test should be fixed now by
https://github.com/coreos/coreos-assembler/pull/3266 and backports.

buildImage: use variable instead of duplicated string

buildImage: put tarball in directory itself

Currently, we're putting the tarball in `/tmp`, but if we're running on
the Jenkins controller, that's a semi-permanent shared location. Since
our generated tarball has a predictable name, we additionally run the
risk of racing with other `buildImage` calls on the controller and then
passing the wrong `dir.tar` to `oc start-build`.

Fix this by putting the tarball in the workspace itself. That way, it's
properly lifecycled to the job run, and there's no chance of racing with
other jobs.

buildImage: drop support for `workspace` parameter

The current trend is to avoid these kinds of parameters in favour of
requiring the caller to instead use `dir(...) { }` when calling us. But
anyway, the only caller I know of using this function (cosa) isn't
currently passing that parameter, so we can safely drop it.

kola: fix allowUpgradeFail by removing id from log check

If the kola upgrade test fails early enough that logs werene't even
created then we'll get a failure like:

```
10:50:22  + cosa shell -- test -d /home/jenkins/agent/workspace/build/tmp/kola-5JOIO/kola-upgrade
10:50:22  error: failed to execute cmd-shell: exit status 1
```

Let's try to remove the log from consideration if that's the case.