From 55b6d0bbddafd940389858f1728512316254b6f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20=C5=BBy=C5=82owski?= Date: Tue, 3 Jan 2017 14:36:45 +0100 Subject: [PATCH 1/4] GITHUB: Added issue template file --- .github/ISSUE_TEMPLATE.md | 47 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 .github/ISSUE_TEMPLATE.md diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md new file mode 100644 index 000000000..b82daadde --- /dev/null +++ b/.github/ISSUE_TEMPLATE.md @@ -0,0 +1,47 @@ + + +**Is this a BUG REPORT or FEATURE REQUEST?** (choose one): + + + +**Environment**: +- **Cloud provider or hardware configuration:** + +- **OS (`printf "$(uname -srm)\n$(cat /etc/os-release)\n"`):** + +- **Version of Ansible** (`ansible --version`): + + +**Kargo version (commit) (`git rev-parse --short HEAD`):** + + +**Network plugin used**: + + +**Copy of your inventory file:** + + +**Command used to invoke ansible**: + + +**Output of ansible run**: + + +**Anything else do we need to know**: + From d8a2941e9edfc844441ea7f9961d6b1647824831 Mon Sep 17 00:00:00 2001 From: Bogdan Dobrelya Date: Fri, 30 Dec 2016 13:47:12 +0100 Subject: [PATCH 2/4] Fix cert paths for flannel/calico policy apps Signed-off-by: Bogdan Dobrelya --- .../kubernetes-apps/ansible/defaults/main.yml | 2 ++ .../tasks/calico-policy-controller.yml | 7 ++++++- .../templates/calico-policy-controller.yml.j2 | 10 +++++----- .../calico/templates/calicoctl-container.j2 | 8 ++++---- .../network_plugin/flannel/defaults/main.yml | 3 +++ roles/network_plugin/flannel/tasks/main.yml | 19 +++++++++++++++++++ .../flannel/templates/flannel-pod.yml | 6 +++--- 7 files changed, 42 insertions(+), 13 deletions(-) diff --git a/roles/kubernetes-apps/ansible/defaults/main.yml b/roles/kubernetes-apps/ansible/defaults/main.yml index 90a5702bb..0a4319baa 100644 --- a/roles/kubernetes-apps/ansible/defaults/main.yml +++ b/roles/kubernetes-apps/ansible/defaults/main.yml 
@@ -51,3 +51,5 @@ netchecker_kubectl_memory_requests: 64M # SSL etcd_cert_dir: "/etc/ssl/etcd/ssl" +calico_cert_dir: "/etc/calico/certs" +canal_cert_dir: "/etc/canal/certs" diff --git a/roles/kubernetes-apps/ansible/tasks/calico-policy-controller.yml b/roles/kubernetes-apps/ansible/tasks/calico-policy-controller.yml index a3915f9ba..447fb719f 100644 --- a/roles/kubernetes-apps/ansible/tasks/calico-policy-controller.yml +++ b/roles/kubernetes-apps/ansible/tasks/calico-policy-controller.yml @@ -1,8 +1,13 @@ +--- +- set_fact: + calico_cert_dir: "{{ canal_cert_dir }}" + when: kube_network_plugin == 'canal' + tags: facts + - name: Write calico-policy-controller yaml template: src=calico-policy-controller.yml.j2 dest={{kube_config_dir}}/calico-policy-controller.yml when: inventory_hostname == groups['kube-master'][0] - - name: Start of Calico policy controller kube: name: "calico-policy-controller" diff --git a/roles/kubernetes-apps/ansible/templates/calico-policy-controller.yml.j2 b/roles/kubernetes-apps/ansible/templates/calico-policy-controller.yml.j2 index c92328f15..06bb78b7c 100644 --- a/roles/kubernetes-apps/ansible/templates/calico-policy-controller.yml.j2 +++ b/roles/kubernetes-apps/ansible/templates/calico-policy-controller.yml.j2 @@ -36,11 +36,11 @@ spec: - name: ETCD_ENDPOINTS value: "{{ etcd_access_endpoint }}" - name: ETCD_CA_CERT_FILE - value: "{{ etcd_cert_dir }}/ca.pem" + value: "{{ calico_cert_dir }}/ca_cert.crt" - name: ETCD_CERT_FILE - value: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem" + value: "{{ calico_cert_dir }}/cert.crt" - name: ETCD_KEY_FILE - value: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem" + value: "{{ calico_cert_dir }}/key.pem" # Location of the Kubernetes API - this shouldn't need to be # changed so long as it is used in conjunction with # CONFIGURE_ETC_HOSTS="true". 
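Review bot: The canal branch of the new `set_fact` points the policy controller at `{{ canal_cert_dir }}/ca_cert.crt`, `cert.crt` and `key.pem`, but nothing in this series creates files under `/etc/canal/certs` — the only link task added (roles/network_plugin/flannel/tasks/main.yml) populates `flannel_cert_dir`, not `canal_cert_dir`. Unless the canal role already provisions those three files (not visible on this page), the controller pod will be unable to reach etcd on canal deployments, so this is worth confirming or covering with an equivalent link task. The task also has no `name:`, which hides it from play output; `- name: Calico policy | Use the canal cert dir` would make the override visible.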
@@ -53,10 +53,10 @@ spec: - name: CONFIGURE_ETC_HOSTS value: "true" volumeMounts: - - mountPath: {{ etcd_cert_dir }} + - mountPath: {{ calico_cert_dir }} name: etcd-certs readOnly: true volumes: - hostPath: - path: {{ etcd_cert_dir }} + path: {{ calico_cert_dir }} name: etcd-certs diff --git a/roles/network_plugin/calico/templates/calicoctl-container.j2 b/roles/network_plugin/calico/templates/calicoctl-container.j2 index 0ecfba0c1..ec8642c01 100644 --- a/roles/network_plugin/calico/templates/calicoctl-container.j2 +++ b/roles/network_plugin/calico/templates/calicoctl-container.j2 @@ -2,13 +2,13 @@ {{ docker_bin_dir }}/docker run -i --privileged --rm \ --net=host --pid=host \ -e ETCD_ENDPOINTS={{ etcd_access_endpoint }} \ --e ETCD_CA_CERT_FILE=/etc/calico/certs/ca_cert.crt \ --e ETCD_CERT_FILE=/etc/calico/certs/cert.crt \ --e ETCD_KEY_FILE=/etc/calico/certs/key.pem \ +-e ETCD_CA_CERT_FILE={{ calico_cert_dir }}/ca_cert.crt \ +-e ETCD_CERT_FILE={{ calico_cert_dir }}/cert.crt \ +-e ETCD_KEY_FILE={{ calico_cert_dir }}/key.pem \ -v {{ docker_bin_dir }}/docker:{{ docker_bin_dir }}/docker \ -v /var/run/docker.sock:/var/run/docker.sock \ -v /var/run/calico:/var/run/calico \ --v /etc/calico/certs:/etc/calico/certs:ro \ +-v {{ calico_cert_dir }}:{{ calico_cert_dir }}:ro \ --memory={{ calicoctl_memory_limit|regex_replace('Mi', 'M') }} --cpu-shares={{ calicoctl_cpu_limit|regex_replace('m', '') }} \ {{ calicoctl_image_repo }}:{{ calicoctl_image_tag}} \ $@ diff --git a/roles/network_plugin/flannel/defaults/main.yml b/roles/network_plugin/flannel/defaults/main.yml index b6768f1bd..f8be25969 100644 --- a/roles/network_plugin/flannel/defaults/main.yml +++ b/roles/network_plugin/flannel/defaults/main.yml @@ -16,3 +16,6 @@ flannel_memory_limit: 500M flannel_cpu_limit: 300m flannel_memory_requests: 256M flannel_cpu_requests: 150m + +flannel_cert_dir: /etc/flannel/certs +etcd_cert_dir: /etc/ssl/etcd/ssl 
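Review bot: `calicoctl-container.j2` now depends on `calico_cert_dir`, which this series declares only in roles/kubernetes-apps/ansible/defaults/main.yml; the network_plugin/calico role's own defaults are not touched. If that role does not already declare the variable (not visible here), rendering the wrapper fails with an undefined variable on hosts where the kubernetes-apps role's defaults are not loaded. Declaring `calico_cert_dir: /etc/calico/certs` in the calico role's defaults as well, or moving it to a shared group var, removes the cross-role dependency.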
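Review bot: `etcd_cert_dir: /etc/ssl/etcd/ssl` is now a second copy of the default already present in roles/kubernetes-apps/ansible/defaults/main.yml (`etcd_cert_dir: "/etc/ssl/etcd/ssl"`), one bare and one quoted. Two role-local copies of the same path drift silently, and the link task this series adds in flannel/tasks/main.yml would then link the wrong certificate files. Sourcing the value from one shared location rather than re-declaring it here, and quoting path values consistently (`flannel_cert_dir: "/etc/flannel/certs"`), avoids that.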
diff --git a/roles/network_plugin/flannel/tasks/main.yml b/roles/network_plugin/flannel/tasks/main.yml index 47aec49d9..4fb637975 100644 --- a/roles/network_plugin/flannel/tasks/main.yml +++ b/roles/network_plugin/flannel/tasks/main.yml @@ -7,6 +7,25 @@ delegate_to: "{{groups['etcd'][0]}}" run_once: true +- name: Flannel | Create flannel certs directory + file: + dest: "{{ flannel_cert_dir }}" + state: directory + mode: 0750 + owner: root + group: root + +- name: Flannel | Link etcd certificates for flanneld + file: + src: "{{ etcd_cert_dir }}/{{ item.s }}" + dest: "{{ flannel_cert_dir }}/{{ item.d }}" + state: hard + force: yes + with_items: + - {s: "ca.pem", d: "ca_cert.crt"} + - {s: "node-{{ inventory_hostname }}.pem", d: "cert.crt"} + - {s: "node-{{ inventory_hostname }}-key.pem", d: "key.pem"} + - name: Flannel | Create flannel pod manifest template: src: flannel-pod.yml diff --git a/roles/network_plugin/flannel/templates/flannel-pod.yml b/roles/network_plugin/flannel/templates/flannel-pod.yml index f9b76ce5f..92ecada69 100644 --- a/roles/network_plugin/flannel/templates/flannel-pod.yml +++ b/roles/network_plugin/flannel/templates/flannel-pod.yml @@ -14,7 +14,7 @@ path: "/run/flannel" - name: "etcd-certs" hostPath: - path: "{{ etcd_cert_dir }}" + path: "{{ flannel_cert_dir }}" containers: - name: "flannel-container" image: "{{ flannel_image_repo }}:{{ flannel_image_tag }}" 
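Review bot: The link task exposes the node's etcd client key under `flannel_cert_dir` as a hard link, so the key keeps the mode and ownership of its original inode — the `mode: 0750` on the new directory does not restrict access to the key itself — and `state: hard` fails outright if `etcd_cert_dir` and `flannel_cert_dir` live on different filesystems. If the same-filesystem assumption cannot be guaranteed, `copy` with `remote_src: yes` and an explicit `mode: "0600"` on the key is the safer equivalent. Minor: quote the octal (`mode: "0750"`) and write `force: true` rather than `yes`, in line with the `true`/`false` convention.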
@@ -29,7 +29,7 @@ command: - "/bin/sh" - "-c" - - "/opt/bin/flanneld -etcd-endpoints {{ etcd_access_endpoint }} -etcd-prefix /{{ cluster_name }}/network -etcd-cafile {{ etcd_cert_dir }}/ca.pem -etcd-certfile {{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem -etcd-keyfile {{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem {% if flannel_interface is defined %}-iface {{ flannel_interface }}{% endif %} {% if flannel_public_ip is defined %}-public-ip {{ flannel_public_ip }}{% endif %}" + - "/opt/bin/flanneld -etcd-endpoints {{ etcd_access_endpoint }} -etcd-prefix /{{ cluster_name }}/network -etcd-cafile {{ flannel_cert_dir }}/ca_cert.crt -etcd-certfile {{ flannel_cert_dir }}/cert.crt -etcd-keyfile {{ flannel_cert_dir }}/key.pem {% if flannel_interface is defined %}-iface {{ flannel_interface }}{% endif %} {% if flannel_public_ip is defined %}-public-ip {{ flannel_public_ip }}{% endif %}" ports: - hostPort: 10253 containerPort: 10253 @@ -37,7 +37,7 @@ - name: "subnetenv" mountPath: "/run/flannel" - name: "etcd-certs" - mountPath: "{{ etcd_cert_dir }}" + mountPath: "{{ flannel_cert_dir }}" readOnly: true securityContext: privileged: true From fcd9d97f1024672c34ed41c36be0a6029c073ce1 Mon Sep 17 00:00:00 2001 From: Bogdan Dobrelya Date: Wed, 4 Jan 2017 09:56:09 +0100 Subject: [PATCH 3/4] Do not auto-trigger gitlab CI pipeline on PRs For security and resources utilization reasons, do not auto-start CI for opened/updated PRs. A member of the kubernetes-incubator github org has first to approve that the PR is reasonable to test by putting the "ci check this" into the PR's comments. If approved that way, the CI pipeline starts as always. Only the 1st step of the pipeline is premoderated, the rest will follow each other on success. Signed-off-by: Bogdan Dobrelya --- .gitlab-ci.yml | 7 ++++++- scripts/premoderator.sh | 14 ++++++++++++++ 2 files changed, 20 insertions(+), 1 deletion(-) create mode 100644 scripts/premoderator.sh
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 72d83d584..63b8c0f94 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -49,6 +49,7 @@ before_script: ANSIBLE_KEEP_REMOTE_FILES: "1" BOOTSTRAP_OS: none LOG_LEVEL: "-vv" + MAGIC: "ci check this" .gce: &gce <<: *job @@ -202,7 +203,7 @@ before_script: CLUSTER_MODE: ha BOOTSTRAP_OS: coreos -# Builds for PRs only (auto) and triggers (auto) +# Builds for PRs only (premoderated by unit-tests step) and triggers (auto) coreos-calico-sep: stage: deploy-gce-part1 <<: *job @@ -405,11 +406,15 @@ coreos-alpha-weave-ha: except: ['triggers'] only: ['master', /^pr-.*$/] +# Premoderated with manual actions syntax-check: <<: *job stage: unit-tests + before_script: + - apt-get -y install jq script: - ansible-playbook -i inventory/local-tests.cfg -u root -e ansible_ssh_user=root -b --become-user=root cluster.yml -vvv --syntax-check + - /bin/sh scripts/premoderator.sh except: ['triggers'] tox-inventory-builder: diff --git a/scripts/premoderator.sh b/scripts/premoderator.sh new file mode 100644 index 000000000..f039205ae --- /dev/null +++ b/scripts/premoderator.sh 
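Review bot: `- /bin/sh scripts/premoderator.sh` starts the script under a fresh shell, so the options in its shebang (`#!/bin/sh -eux -o pipefail`) never take effect; a failed `curl` or `jq` inside the `$(...)` assignments then leaves an empty variable instead of aborting the job. Either invoke it as `- sh -eu scripts/premoderator.sh` or open the script body with `set -eu` (`-o pipefail` is not accepted by every /bin/sh). The job-level `before_script:` added here also replaces, rather than extends, any `before_script` inherited through `<<: *job`, since merge keys are shallow — worth checking that nothing from the anchor was relied upon.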
@@ -0,0 +1,14 @@
+#!/bin/sh -eux -o pipefail
+# A naive premoderation script to allow Gitlab CI pipeline on a specific PRs' comment
+# Exits with 0, if the pipeline is good to go
+
+CURL_ARGS="-fs --connect-timeout 5 --max-time 5 --retry-max-time 20 --retry 4 --retry-delay 5"
+MAGIC="${MAGIC:-ci check this}"
+
+# Get PR number from CI_BUILD_REF_NAME
+issue=$(echo ${CI_BUILD_REF_NAME} | perl -ne '/^pr-(\d+)-\S+$/ && print $1')
+# Get the user name from the PR comments with the wanted magic incantation casted
+user=$(curl ${CURL_ARGS} "https://api.github.com/repos/kubernetes-incubator/kargo/issues/${issue}/comments" \
+ | jq -M "map(select(.body | contains (\"$MAGIC\"))) | .[0] .user.login" | tr -d '"')
+# Check for the required user group membership to allow (exit 0) or decline (exit >0) the pipeline
+curl ${CURL_ARGS} "https://api.github.com/orgs/kubernetes-incubator/members/${user}"
From 447febcdd6239957dbd42d200793868b0d3c7531 Mon Sep 17 00:00:00 2001
From: Bogdan Dobrelya
Date: Wed, 4 Jan 2017 17:33:35 +0100
Subject: [PATCH 4/4] Fix pipeline premoderation/unit-tests

Do not run unit-tests for master merges. Fix the permissive "null" user.

Signed-off-by: Bogdan Dobrelya
---
.gitlab-ci.yml | 4 ++--
scripts/premoderator.sh | 1 +
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 63b8c0f94..0f8cbaad5 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -415,7 +415,7 @@ syntax-check: script: - ansible-playbook -i inventory/local-tests.cfg -u root -e ansible_ssh_user=root -b --become-user=root cluster.yml -vvv --syntax-check - /bin/sh scripts/premoderator.sh - except: ['triggers'] + except: ['triggers', 'master'] tox-inventory-builder: stage: unit-tests
@@ -424,4 +424,4 @@ tox-inventory-builder: - pip install tox - cd contrib/inventory_builder && tox when: manual - except: ['triggers'] + except: ['triggers', 'master']
diff --git a/scripts/premoderator.sh b/scripts/premoderator.sh
index f039205ae..2e730df7b 100644
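Review bot: The gate approves a pull request, not a revision: once an org member has posted the magic comment, every later push to the same PR re-runs the pipeline against new, unreviewed code under the same approval. Binding the approval to the commit under test — for instance accepting only a matching comment whose `created_at` is later than the commit being built, or requiring the comment to name the short SHA — closes that gap. Two smaller points: `contains` matches the phrase anywhere in a body, so a member merely quoting it approves the run, and the unauthenticated GitHub API calls fall under a low per-IP rate limit, after which `curl -f` fails and the pipeline is declined rather than retried; passing a token from a CI variable avoids that.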
--- a/scripts/premoderator.sh
+++ b/scripts/premoderator.sh
@@ -11,4 +11,5 @@ issue=$(echo ${CI_BUILD_REF_NAME} | perl -ne '/^pr-(\d+)-\S+$/ && print $1')
 user=$(curl ${CURL_ARGS} "https://api.github.com/repos/kubernetes-incubator/kargo/issues/${issue}/comments" \
 | jq -M "map(select(.body | contains (\"$MAGIC\"))) | .[0] .user.login" | tr -d '"')
 # Check for the required user group membership to allow (exit 0) or decline (exit >0) the pipeline
+[ "$user" != "null" ] || exit 1
 curl ${CURL_ARGS} "https://api.github.com/orgs/kubernetes-incubator/members/${user}"
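Review bot: `[ "$user" != "null" ] || exit 1` catches the no-matching-comment case but not an empty `$user`, which is what a failed comments request yields when the script runs without `set -e` (it is invoked as `/bin/sh scripts/premoderator.sh`, so the shebang flags are ignored); the membership URL then collapses to `.../orgs/kubernetes-incubator/members/`, which may be answered as a member listing rather than a 404 and so approve the run. Extending the guard to `[ -n "$user" ] && [ "$user" != "null" ] || exit 1` closes that path. The script's earlier lines lie above this hunk.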