
Reestablished gitlab cicd connection to 47 Lining provided account.

Szymon Kowalewski requested to merge 47-pipeline into main

Type of change

  • Bug Fix
  • Feature

Please provide a link to the GitLab issue or ADR (Architecture Decision Record) in the title (using the issue number)

Does this introduce a change in the cloud provider implementation, if so which cloud?

  • Core
  • AWS
  • Azure
  • GCP
  • IBM

Does this introduce a breaking change?

  • Breaking change

What is the current behavior?

Pipeline deploys only to the Open Forum AWS community environment

What is the new/expected behavior?

Pipeline will additionally deploy to the 47 Lining environment

Have you added/updated Unit Tests and Integration Tests and documentation?

  • Unit tests
  • Integration tests
  • Documentation

Any other useful information

In case of a new target account, there is some manual work to be done.

  1. Change the repository variables appropriately with new values.
  2. Create 2 OSDU users on the target account, preferably using the current OSDU version's init scripts:

      python3 init/scripts/init_cognito_users.py --osdu_instance_name $OSDU_INSTANCE_NAME --eks_cluster_name $EKS_CLUSTER_NAME --region $AWS_REGION --cognito_user $AWS_COGNITO_AUTH_PARAMS_USER --cognito_user_password $AWS_47_COGNITO_AUTH_PARAMS_PASSWORD

      python3 init/scripts/init_entitlements.py --osdu_instance_name $OSDU_INSTANCE_NAME --eks_cluster_name $EKS_CLUSTER_NAME --region $AWS_REGION --cognito_user $AWS_COGNITO_AUTH_PARAMS_USER

      python3 init/scripts/init_cognito_users.py --osdu_instance_name $OSDU_INSTANCE_NAME --eks_cluster_name $EKS_CLUSTER_NAME --region $AWS_REGION --cognito_user $AWS_COGNITO_AUTH_PARAMS_USER --cognito_user_password $AWS_47_COGNITO_AUTH_PARAMS_PASSWORD

  3. Configure an AWS IAM user on the target account and create an access key so that GitLab can access the account for deployment.

  4. Until this is done automatically from infrastructure, the AuthorizationPolicies os-search-allow-services, os-storage-allow-services, os-schema-allow-services and os-entitlements-allow-services need to be updated. One needs to add cluster.local/ns/<osdu-services-namespace>/sa/os-pws to the list of principals here:

    spec:
      action: ALLOW
      rules:
      - from:
        - source:
            principals:
            - cluster.local/ns/osdu-instance-r3m22-ingress/sa/istio-ingress-r3m22
            - cluster.local/ns/osdu-instance-r3m22-core/sa/os-crs-catalog
            - cluster.local/ns/osdu-instance-r3m22-core/sa/os-ingestion-workflow
            - cluster.local/ns/osdu-instance-r3m22-core/sa/os-indexer
            - cluster.local/ns/osdu-instance-r3m22-airflow/sa/airflow-dag-upload
            - cluster.local/ns/osdu-instance-r3m22-airflow/sa/airflow-worker
            - cluster.local/ns/osdu-instance-r3m22-seismic-ddms/sa/os-seismic-store
            - cluster.local/ns/osdu-instance-r3m22-well-delivery/sa/os-welldelivery
            - cluster.local/ns/osdu-instance-r3m22-wellbore-ddms/sa/os-wellbore-ddmsbore-ddms

kubectl commands:

    kubectl patch authorizationpolicy os-search-allow-services --type json --patch '[{"op":"add","path":"/spec/rules/0/from/0/source/principals/1","value":"cluster.local/ns/osdu-instance-r3m22-core/sa/os-pws"}]'
    kubectl patch authorizationpolicy os-storage-allow-services --type json --patch '[{"op":"add","path":"/spec/rules/0/from/0/source/principals/1","value":"cluster.local/ns/osdu-instance-r3m22-core/sa/os-pws"}]'
    kubectl patch authorizationpolicy os-schema-allow-services --type json --patch '[{"op":"add","path":"/spec/rules/0/from/0/source/principals/1","value":"cluster.local/ns/osdu-instance-r3m22-core/sa/os-pws"}]'
    kubectl patch authorizationpolicy os-entitlements-allow-services --type json --patch '[{"op":"add","path":"/spec/rules/0/from/0/source/principals/1","value":"cluster.local/ns/osdu-instance-r3m22-core/sa/os-pws"}]'

Closes #47 (closed)
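
The AuthorizationPolicy update described in the manual steps, as an added example that is not part of the merge request or the project's code: it builds the JSON Patch only when the `os-pws` principal is missing, so re-running it never adds a duplicate entry, and it rejects wildcard principals. The function names and the sample policy are constructed for illustration; the input is assumed to be the output of `kubectl get authorizationpolicy <name> -o json`.

```python
import json

# Policy names taken from the merge request description.
POLICIES = ["os-search-allow-services", "os-storage-allow-services",
            "os-schema-allow-services", "os-entitlements-allow-services"]


def principal_patch(policy, principal, rule=0, source=0):
    """Return JSON Patch ops adding `principal` to
    spec.rules[rule].from[source].source.principals, or [] if already listed."""
    if "*" in principal:
        raise ValueError("wildcard principals widen access; use the exact identity")
    spec = policy["spec"]
    if spec.get("action", "ALLOW") != "ALLOW":  # Istio treats a missing action as ALLOW
        raise ValueError("expected an ALLOW policy")
    principals = spec["rules"][rule]["from"][source]["source"]["principals"]
    if principal in principals:
        return []
    # "-" appends (RFC 6902), so no existing entry is shifted or overwritten.
    path = f"/spec/rules/{rule}/from/{source}/source/principals/-"
    return [{"op": "add", "path": path, "value": principal}]


def kubectl_command(name, ops):
    """Render the command for review; this function does not run kubectl."""
    return (f"kubectl patch authorizationpolicy {name} --type json "
            f"--patch '{json.dumps(ops)}'")


# Constructed sample shaped like the spec excerpt above (not exported from a cluster).
SAMPLE = {"spec": {"action": "ALLOW", "rules": [{"from": [{"source": {"principals": [
    "cluster.local/ns/osdu-instance-r3m22-ingress/sa/istio-ingress-r3m22",
    "cluster.local/ns/osdu-instance-r3m22-core/sa/os-indexer",
]}}]}]}}
PWS = "cluster.local/ns/osdu-instance-r3m22-core/sa/os-pws"

if __name__ == "__main__":
    for name in POLICIES:
        ops = principal_patch(SAMPLE, PWS)
        print(kubectl_command(name, ops) if ops else f"{name}: already present")
```

After patching, `kubectl get authorizationpolicy <name> -o yaml` shows whether the principal list matches what was intended.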
