-
Notifications
You must be signed in to change notification settings - Fork 4
/
orchestration.xml
302 lines (257 loc) · 12.6 KB
/
orchestration.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
<?xml version="1.0" encoding="UTF-8"?>
<project default="echoproperties">
<!--
*******************************************
*** ***
*** P R O P E R T Y S O U R C E S ***
*** ***
*******************************************
-->
<!--
os.family
Distinguish between the general kind of operating systems
we could be executing on.
Values: windows, macosx, linux, other.
-->
<condition property="os.family" value="windows">
<os family="windows"/>
</condition>
<condition property="os.family" value="macosx">
<os family="mac"/>
</condition>
<condition property="os.family" value="linux">
<os family="unix" name="Linux"/>
</condition>
<property name="os.family" value="other"/>
<!--
env
Distinguish between different classes of deployment,
e.g., development vs. production.
Values: dev, preprod, prod, prod-old
Defaults to "dev" here, but that can be overridden from the command
line, a Jenkins job, or in build.properties.
-->
<property name="env" value="dev"/>
<!--
External property files.
Pull in properties from external files. Because Ant properties are
immutable, amy properties declared in this file should be regarded as
defaults, and will be overridden by any definitions in the following
locations:
* on the command line
* in a Jenkins job definition
* in any of the external files listed below
The first location specifying a particular property sets the final value.
The build.properties file is not source controlled, and should be used
to override properties for a particular deployment, or to include
credentials.
-->
<property file="build.properties"/>
<property file="${os.family}.properties"/>
<property file="${env}.properties"/>
<property file="default.properties"/>
<!--
*******************************
*** ***
*** P R O P E R T I E S ***
*** ***
*******************************
-->
<!--
When invoking the targets related to orchestration, a production deployment
MUST define the following properties:
* shared.ws.dir - the full path the to the shared workspace on the orchestration machine
* node.fqdn - the fully-qualified domain name of the remote (signing) node
* compare.ws.dir - workspace where the compare jobs get their input
* node.to.publish - node from which we take signed products to publish
The following properties MUST be provided as arguments when invoking the targets that make use of them:
* jenkins.url.to.trigger.signing - full URL to trigger the Jenkins task responsible for signing
* jenkins.url.to.trigger.publication - full URL to trigger the Jenkins task responsible for publication
-->
<!-- git config -->
<property name="git.repo.project.products" value="ukf-products"/>
<!-- directories on the orchestration machine -->
<property name="build.dir" value="${shared.ws.dir}/build"/>
<property name="tooling.dir" value="${shared.ws.dir}/ukf-meta"/>
<property name="aggregates.dir" value="${shared.ws.dir}/${git.repo.project.products}/aggregates"/>
<property name="select.dir" value="${compare.ws.dir}/${node.to.publish}"/>
<!-- remote working directory may not be the same as the orchestrator (they are the same in production) -->
<property name="remote.ws.dir" value="${shared.ws.dir}"/>
<property name="remote.build.dir" value="${remote.ws.dir}/build"/>
<property name="remote.tooling.dir" value="${remote.ws.dir}/ukf-meta"/>
<!-- properties relating to the remote node -->
<property name="node.user" value="ukf-signing"/>
<property name="node.build.dir.url" value="${node.user}@${node.fqdn}:${remote.build.dir}"/>
<property name="node.tooling.dir.url" value="${node.user}@${node.fqdn}:${remote.tooling.dir}"/>
<!-- filenames of the unsigned aggregates -->
<property name="md.prod.unsigned" value="ukfederation-metadata-unsigned.xml"/>
<property name="md.test.unsigned" value="ukfederation-test-unsigned.xml"/>
<property name="md.export.unsigned" value="ukfederation-export-unsigned.xml"/>
<property name="md.export.preview.unsigned"
value="ukfederation-export-preview-unsigned.xml"/>
<property name="md.back.unsigned" value="ukfederation-back-unsigned.xml"/>
<property name="md.wayf.unsigned" value="ukfederation-wayf-unsigned.xml"/>
<property name="md.cdsall.unsigned" value="ukfederation-cdsall-unsigned.xml"/>
<property name="md.wugen.unsigned" value="ukfederation-wugen-unsigned.xml"/>
<!-- filenames of the signed aggregates -->
<property name="md.prod.signed" value="ukfederation-metadata.xml"/>
<property name="md.test.signed" value="ukfederation-test.xml"/>
<property name="md.export.signed" value="ukfederation-export.xml"/>
<property name="md.export.preview.signed"
value="ukfederation-export-preview.xml"/>
<property name="md.back.signed" value="ukfederation-back.xml"/>
<property name="md.wayf.signed" value="ukfederation-wayf.xml"/>
<property name="md.cdsall.signed" value="ukfederation-cdsall.xml"/>
<property name="md.wugen.signed" value="ukfederation-wugen.xml"/>
<!-- other files -->
<property name="mdq.cache" value="mdqcache.tar.gz"/>
<!--
*************************************
*** ***
*** O R C H E S T R A T I O N ***
*** ***
*************************************
-->
<!--
Some conventions:
* targets whose names start "process." are expected to be run by Jenkins
* run git.pull.all in a separate "invoke ant" step before each of Jenkins targets are run
* inline targets as much as possible
-->
<!-- Step 3.0 runs on node -->
<target name="process.clear.build.dir">
<echo>Clearing build directory on node.</echo>
<delete includeemptydirs="true">
<fileset dir="${remote.build.dir}" includes="**/*"/>
</delete>
<echo>Output directory on node cleared.</echo>
</target>
<!-- Step 3.1 runs on orchestrator -->
<target name="process.transfer.files.to.node" depends="
fs.copy.tooling.to.node,
fs.copy.unsigned.aggregates.to.node">
<echo>Files transferred to node.</echo>
</target>
<target name="fs.copy.tooling.to.node">
<echo>Copying tooling from orchestrator ${tooling.dir} to ${node.tooling.dir.url}</echo>
<exec executable="rsync" dir="${tooling.dir}" failonerror="true">
<arg value="-a"/>
<arg value="--delete"/>
<arg value="--delete-excluded"/>
<!-- use ssh with default identity and known_hosts -->
<arg value="-e"/>
<arg value="ssh"/>
<!-- exclude .files and .direectories -->
<arg value="--exclude"/>
<arg value=".git"/>
<arg value="--exclude"/>
<arg value="charting"/>
<!-- the input files -->
<arg value="${tooling.dir}/"/>
<!-- remote directory must be last argument -->
<arg value="${node.tooling.dir.url}"/>
</exec>
</target>
<target name="fs.copy.unsigned.aggregates.to.node">
<echo>Copying unsigned aggregates from orchestrator ${build.dir} to ${node.build.dir.url}</echo>
<exec executable="rsync" dir="${build.dir}" failonerror="true">
<arg value="-av"/>
<arg value="--delete"/>
<arg value="--delete-excluded"/>
<!-- use ssh with default identity and known_hosts -->
<arg value="-e"/>
<arg value="ssh"/>
<!-- the input files -->
<arg value="--include"/>
<arg value="${md.prod.unsigned}"/>
<arg value="--include"/>
<arg value="${md.test.unsigned}"/>
<arg value="--include"/>
<arg value="${md.export.unsigned}"/>
<arg value="--include"/>
<arg value="${md.export.preview.unsigned}"/>
<arg value="--include"/>
<arg value="${md.back.unsigned}"/>
<arg value="--include"/>
<arg value="${md.wayf.unsigned}"/>
<arg value="--include"/>
<arg value="${md.cdsall.unsigned}"/>
<arg value="--include"/>
<arg value="${md.wugen.unsigned}"/>
<arg value="--exclude"/>
<arg value="*"/>
<arg value="${build.dir}/"/>
<!-- remote directory must be last argument -->
<arg value="${node.build.dir.url}"/>
</exec>
</target>
<!-- Step 3.2 sign and verify is not orchestration -->
<!-- Step 4.1.1 create MDQ cache is not orchestration -->
<!-- Step 4.1.2 sign MDQ all entities is not orchestration -->
<!-- Step 4.1.3 create tarfile of signed MDQ products is no orchestration -->
<!-- Step 4.2 collates products (signed and otherwise) on orchestrator -->
<target name="process.collate.products.on.orchestrator" depends="
fs.rsync.products.from.node,
fs.rsync.mdqcache.from.node">
<echo>Collated products on orchestrator</echo>
</target>
<target name="fs.rsync.products.from.node">
<echo>Copying signed products from node</echo>
<exec executable="rsync" dir="${aggregates.dir}" failonerror="true">
<arg value="-a"/>
<!-- use ssh with default identity and known_hosts -->
<arg value="-e"/>
<arg value="ssh"/>
<!-- source files on remote node -->
<arg value="${node.build.dir.url}/${md.prod.signed}"/>
<arg value="${node.build.dir.url}/${md.test.signed}"/>
<arg value="${node.build.dir.url}/${md.export.signed}"/>
<arg value="${node.build.dir.url}/${md.export.preview.signed}"/>
<arg value="${node.build.dir.url}/${md.back.signed}"/>
<arg value="${node.build.dir.url}/${md.wayf.signed}"/>
<arg value="${node.build.dir.url}/${md.cdsall.signed}"/>
<arg value="${node.build.dir.url}/${md.wugen.signed}"/>
<!-- bring them back to orchestrator working directory -->
<arg value="${aggregates.dir}"/>
</exec>
</target>
<target name="fs.rsync.mdqcache.from.node">
<echo>Copying mdqcache from node</echo>
<exec executable="rsync" dir="${build.dir}" failonerror="true">
<arg value="-a"/>
<!-- use ssh with default identity and known_hosts -->
<arg value="-e"/>
<arg value="ssh"/>
<!-- source files on remote node -->
<arg value="${node.build.dir.url}/${mdq.cache}"/>
<!-- bring them back to orchestrator working directory -->
<arg value="${build.dir}"/>
</exec>
</target>
<!-- Step SELECT copies the signed products to the appropriate directories -->
<target name="fs.select.signed.products">
<echo>Copying mdqcache to output directory in orchestrator's workspace</echo>
<copy todir="${build.dir}" file="${select.dir}/${mdq.cache}"/>
<echo>Copying signed aggregates to orchestrator's ukf-products repository</echo>
<copy todir="${aggregates.dir}" file="${select.dir}/${md.prod.signed}"/>
<copy todir="${aggregates.dir}" file="${select.dir}/${md.test.signed}"/>
<copy todir="${aggregates.dir}" file="${select.dir}/${md.export.signed}"/>
<copy todir="${aggregates.dir}" file="${select.dir}/${md.export.preview.signed}"/>
<copy todir="${aggregates.dir}" file="${select.dir}/${md.back.signed}"/>
<copy todir="${aggregates.dir}" file="${select.dir}/${md.wayf.signed}"/>
<copy todir="${aggregates.dir}" file="${select.dir}/${md.cdsall.signed}"/>
<copy todir="${aggregates.dir}" file="${select.dir}/${md.wugen.signed}"/>
</target>
<!-- Step 5 transfer files back to repo uses the original build.xml -->
<!--
*******************************
*** ***
*** M I S C E L L A N Y ***
*** ***
*******************************
-->
<target name="echoproperties">
<echo>All properties:</echo>
<echoproperties/>
</target>
</project>