- Write a "story". Here's a help article on writing a story.
- You'll need to be a contributing 'writer' for the 'cri-o' publication. If you're not already a contributor ping someone in IRC #cri-o on Freenode to be added.
- Submit for review.
- When developing an APB with an existing template, keep parameters the same as the template.
- All end-user parameter defaults should be defined in apb.yml.
- All parameter defaults defined in nested directories (e.g. roles/provision/defaults/main.yml) should be considered application constants that the end-user is not expected to alter. These are values that are used throughout the playbook but are not exposed to the end-user.
- Keep it simple
- Do not use jinja2-style template files unless absolutely necessary
- Use a common set of kubernetes/openshift resources where the state is parameterized based on provision or deprovision playbook.
---
async: optional
bindable: false
description: "Jenkins service with optional persistent storage and S2I build"
image: ansibleplaybookbundle/jenkins-apb
metadata:
  console.openshift.io/iconClass: icon-jenkins
  dependencies:
    - "jenkins:latest"
  displayName: "Jenkins (APB)"
The apb tooling adds very little value outside of apb prepare, which simply base64-encodes apb.yml (specifically: base64 --wrap=0 apb.yml) and stores the result as an image label, a.k.a. a "Dockerfile label". This value may be passed into an OpenShift BuildConfig object.
apiVersion: v1
kind: BuildConfig
metadata:
  annotations:
    openshift.io/generated-by: OpenShiftNewBuild
$ sudo skopeo --tls-verify=false --username unused --password TOKEN copy docker://docker.io/aweiteka/busybox:latest docker://docker.io/aweitekatest/busybox:foo
# docker run --net=host -it --rm --name nginx -p 80:80 -v `pwd`/nginx.conf:/etc/nginx/nginx.conf:ro nginx
# registry endpoint auth not passing through
# use includes
# make rules more dry
# test scale (100s of image layers?)
# pass through cdn CA and cert/key
events {
    worker_connections 1024;
[local-test]
localhost
$ atomic trust show
REPO ACTION SIGSTORE
---- ------ --------
docker.io accept
docker.io/centos require signature https://s3.amazonaws.com/centos-sigstore/
registry.access.redhat.com require signature https://cdn.redhat.com/containers/sigstore
* reject
$ atomic trust show --raw
#!/bin/bash
# per https://access.redhat.com/documentation/en/openshift-enterprise/3.2/paged/installation-and-configuration/chapter-2-installing#securing-the-registry
# Get route hostname, create self-signed certs, create cert secret, add to deployment, update env vars and patch the probes
# The namespace flag belongs inside the command substitution; the registry route lives in the "default" project.
ROUTE=$(oc get route docker-registry -n default --template='{{.spec.host}}')
SERVICEIP=$(oc get service docker-registry -n default --template='{{.spec.clusterIP}}')
oadm ca create-server-cert \
  --signer-cert=/etc/origin/master/ca.crt \
{
  "critical": {
    "identity": {
      "docker-reference": "busybox"
    },
    "image": {
      "docker-manifest-digest": "sha256:a59906e33509d14c036c8678d687bd4eec81ed7c4b8ce907b888c607f6a1e0e6"
    },
    "type": "atomic container signature"
  },