Merge pull request #777 from jenkins-infra/helpdesk-4774

feat(packaging) stop generating RPM repository on remote VM + introduces staging

(cherry picked from commit 5f20e41)

Author: dduportal

Jenkinsfile.d/core/package

@@ -70,7 +70,7 @@ pipeline {
   }
 
 //  ENV JENKINS_VERSION
-//    stable: It represents the latest stable version that satifies version pattern X.Y.Z
+//    stable: It represents the latest stable version that satisfies version pattern X.Y.Z
 //    weekly: It represents the latest weekly version that satisfies version pattern X.Y
 //    <version>: where version represent any valid existing version like 2.176.2
 
@@ -119,18 +119,17 @@ pipeline {
 
     }
     stage('Get GPG key') {
-
       steps {
         checkout scm
-        dir (WORKING_DIRECTORY){
+        dir (WORKING_DIRECTORY) {
           git branch: PACKAGING_GIT_BRANCH, credentialsId: 'release-key', url: PACKAGING_GIT_REPOSITORY
         }
 
         sh '''
           ./utils/release.bash --getGPGKeyFromAzure
         '''
 
-        dir (WORKING_DIRECTORY){
+        dir (WORKING_DIRECTORY) {
           stash includes: GPG_FILE , name: 'GPG'
         }
 
@@ -139,7 +138,6 @@ pipeline {
     }
 
     stage('Get Code Signing Certificate') {
-
       steps {
         sh '''
           utils/release.bash --downloadAzureKeyvaultSecret
@@ -150,52 +148,48 @@ pipeline {
       }
     }
 
-    stage('Download WAR archive to package'){
+    stage('Download WAR archive to package') {
       steps{
         sh '''
           ./utils/release.bash --downloadJenkins
         '''
-        dir (WORKING_DIRECTORY){
+        dir (WORKING_DIRECTORY) {
           stash includes: WAR_FILENAME, name: "WAR"
           archiveArtifacts artifacts: "*.war"
         }
       }
     }
-    stage('Package'){
+    stage('Package') {
       failFast false
       parallel {
         stage('WAR') {
           stages {
-            stage('Publish'){
+            stage('Publish') {
               steps {
-                sshagent(['pkgserver']) {
-                  sh '''
-                    ./utils/release.bash --packaging war.publish
-                  '''
-                }
+                sh '''
+                  ./utils/release.bash --packaging war.publish
+                '''
               }
             }
           }
         }
         stage('Debian') {
           stages {
-            stage('Build'){
+            stage('Build') {
               steps {
                 sh '''
                   ./utils/release.bash --packaging deb
                 '''
-                dir (WORKING_DIRECTORY){
+                dir (WORKING_DIRECTORY) {
                   archiveArtifacts artifacts: "target/debian/*.deb"
                 }
               }
             }
-            stage('Publish'){
+            stage('Publish') {
               steps {
-                sshagent(['pkgserver']) {
-                  sh '''
-                    ./utils/release.bash --packaging deb.publish
-                  '''
-                }
+                sh '''
+                  ./utils/release.bash --packaging deb.publish
+                '''
               }
             }
           }
@@ -214,11 +208,9 @@ pipeline {
             }
             stage('Publish'){
               steps {
-                sshagent(['pkgserver']) {
-                  sh '''
-                    ./utils/release.bash --packaging rpm.publish
-                  '''
-                }
+                sh '''
+                  ./utils/release.bash --packaging rpm.publish
+                '''
               }
             }
           }
@@ -262,7 +254,7 @@ pipeline {
               steps {
                 container('dotnet') {
                   checkout scm
-                  dir (WORKING_DIRECTORY){
+                  dir (WORKING_DIRECTORY) {
                     git branch: PACKAGING_GIT_BRANCH, credentialsId: 'release-key', url: PACKAGING_GIT_REPOSITORY
 
                     unstash 'GPG'
@@ -283,21 +275,19 @@ pipeline {
                 }
               }
             }
-            stage('Publish'){
+            stage('Publish') {
               steps {
                 unarchive mapping: ['*.msi*': WORKING_DIRECTORY]
-                sshagent(['pkgserver']) {
-                  sh '''
-                    ./utils/release.bash --packaging msi.publish
-                  '''
-                }
+                sh '''
+                  ./utils/release.bash --packaging msi.publish
+                '''
               }
             }
           }
         }
       }
     }
-    stage('Promote'){
+    stage('Promote') {
       failFast true
       parallel {
         stage('Maven Repository') {
@@ -306,38 +296,45 @@ pipeline {
           }
 
           steps {
-            sshagent(['pkgserver']) {
-              sh '''
-                ./utils/release.bash --promoteStagingMavenArtifacts
-              '''
-            }
+            sh '''
+              ./utils/release.bash --promoteStagingMavenArtifacts
+            '''
           }
         }
         stage('Git Repository') {
           when {
             environment name: 'GIT_STAGING_REPOSITORY_PROMOTION_ENABLED', value: 'true'
           }
           steps {
-            sshagent(['pkgserver']) {
-              sh '''
-                ./utils/release.bash --promoteStagingGitRepository
-              '''
-            }
+            sh '''
+              ./utils/release.bash --promoteStagingGitRepository
+            '''
           }
         }
       }
     }
     // Force mirror synchronization
-    stage('Synchronize mirror'){
+    stage('Promote Packages and sync mirrors') {
+      environment {
+        SSH_HOSTKEY_ARCHIVES_JENKINS_IO   = credentials('ssh-hostkey-archives.jenkins.io')
+        SSH_HOSTKEY_PKG_ORIGIN_JENKINS_IO = credentials('ssh-hostkey-pkg.origin.jenkins.io')
+      }
       steps{
-        sshagent(['pkgserver']) {
+        sshagent(credentials: [
+          'pkgserver',
+          'archives.jenkins.io',
+        ]) {
+          sh '''
+              mkdir -m 700 -p "${HOME}/.ssh"
+          cat "${SSH_HOSTKEY_ARCHIVES_JENKINS_IO}" "${SSH_HOSTKEY_PKG_ORIGIN_JENKINS_IO}" >> "${HOME}/.ssh/known_hosts"
+          '''
           sh '''
-            ./utils/release.bash --syncMirror
+            ./utils/release.bash --promotePackages
           '''
         }
       }
     }
-    stage('Invalidate Fastly Cache'){
+    stage('Invalidate Fastly Cache') {
       environment {
         FASTLY_API_TOKEN = credentials('fastly-api-token')
         FASTLY_SERVICE_ID = credentials('fastly_pkgserver_service_id')
@@ -349,9 +346,9 @@ pipeline {
       }
     }
   }
-    post {
-      failure {
-        input '''Can I delete the pod? '''
-      }
+  post {
+    failure {
+      input '''Can I delete the pod? '''
     }
+  }
 }

Jenkinsfile.d/infra-agents-health

@@ -26,6 +26,10 @@ pipeline {
               yamlFile 'PodTemplates.d/package-linux.yaml'
             }
           }
+          environment {
+            SSH_HOSTKEY_ARCHIVES_JENKINS_IO = credentials('ssh-hostkey-archives.jenkins.io')
+            SSH_HOSTKEY_PKG_ORIGIN_JENKINS_IO = credentials('ssh-hostkey-pkg.origin.jenkins.io')
+          }
           steps {
             // Ensure we can get the secondary git repository used for packaging
             dir ('./release'){
@@ -40,8 +44,23 @@ pipeline {
             // Ensure we get the correct Java and Maven versions
             sh 'mvn -v'
             // Ensure the correct storage is mounted in expected paths
-            sh 'ls -la /srv/releases/jenkins'
             sh 'ls -la /var/www/pkg.jenkins.io.staging/'
+            sh 'ls -la /var/www/pkg.jenkins.io.production/'
+            sh 'ls -la /var/www/get.jenkins.io.staging/'
+            sh 'ls -la /var/www/get.jenkins.io.production/'
+
+            // Ensure we can SSH-connect to required remote servers
+            sshagent(credentials: [
+              'pkgserver',
+              'archives.jenkins.io'
+            ]) {
+              sh '''
+              mkdir -m 700 -p "${HOME}/.ssh"
+              cat "${SSH_HOSTKEY_ARCHIVES_JENKINS_IO}" "${SSH_HOSTKEY_PKG_ORIGIN_JENKINS_IO}" >> "${HOME}/.ssh/known_hosts"
+              ssh -v [email protected] whoami
+              ssh -v [email protected] whoami
+              '''
+            }
           }
         }
         stage('Test Linux Agent `release-linux`') {

PodTemplates.d/package-linux.yaml

@@ -13,8 +13,6 @@ spec:
       image: jenkinsciinfra/packaging:8.1.21
       imagePullPolicy: "IfNotPresent"
       env:
-        - name: "HOME"
-          value: "/home/jenkins/agent/workspace"
         - name: "JENKINS_JAVA_BIN"
           value: "/opt/jdk-21/bin/java"
         - name: "JENKINS_JAVA_OPTS"
@@ -32,11 +30,17 @@ spec:
         runAsGroup: 1000
       volumeMounts:
         - name: data-storage-jenkins-io
-          mountPath: /srv/releases/jenkins
+          mountPath: /var/www/get.jenkins.io.staging
+          subPath: ./get.jenkins.io/mirrorbits-staging/
+        - name: data-storage-jenkins-io
+          mountPath: /var/www/get.jenkins.io.production
           subPath: ./get.jenkins.io/mirrorbits/
         - name: data-storage-jenkins-io
           mountPath: /var/www/pkg.jenkins.io.staging
           subPath: ./pkg.jenkins.io/staging/
+        - name: data-storage-jenkins-io
+          mountPath: /var/www/pkg.jenkins.io.production
+          subPath: ./pkg.jenkins.io/production/
   volumes:
     - name: data-storage-jenkins-io
       persistentVolumeClaim:

README.adoc

@@ -152,18 +152,8 @@ More information in https://github.com/jenkins-infra/release/blob/master/utils/g
 |
 | x
 
-| `PKGSERVER`
-| Defines where the different packages will be published.
-|
-| x
-
-| `PKGSERVER_SSH_OPTS`
-| Defines custom ssh options used to connect to `PKGSERVER`.
-|
-| x
-
 | `PROMOTE_STAGING_MAVEN_ARTIFACTS_ARGS`
-| Defines parameters used by `promoteMavenArtifacts.py`.   
+| Defines parameters used by `promoteMavenArtifacts.py`.
 
 Default value is set to `item --mode copy --source $MAVEN_REPOSITORY_NAME --destination $MAVEN_REPOSITORY_PRODUCTION_NAME --url $MAVEN_REPOSITORY_URL --username $MAVEN_REPOSITORY_USERNAME --password $MAVEN_REPOSITORY_PASSWORD --search '/org/jenkins-ci/main' $(./utils/getJenkinsVersion.py --version)}"`
 
@@ -435,16 +425,16 @@ Show certificate information
   openssl x509 -in jenkins-release.crt -text -noout
 
 Convert p7b to pkcs12
-  
+
   # Based from https://knowledge.digicert.com/solution/SO26449.html and https://github.com/jenkins-infra/release/blob/7a03f98eff839d4fed75ea96cf7bebbc963e3a91/README.adoc#certificate
   # P7B to PFX: 1/2
   openssl pkcs7 -print_certs -in digicert.p7b -out jenkins-release.crt
     ## Asks for the Export password, transmitted by Digicert from another channel
     ## Asks for the `jenkins-release.key` private key passphrase
-  
+
   # Check for the intermediate certificate attributes
   openssl x509 -in jenkins-release.crt -text -noout
-  
+
   # P7B to PFX: 2/2
   openssl pkcs12 -export -in jenkins-release.crt -inkey jenkins-release.key -out jenkins-release.pfx
     ## Asks for an Export password: do not set any (type enter only)

env/package.mk

@@ -0,0 +1,21 @@
+#
+# Environment definition for the packaging process
+#
+
+# where to put binary files
+export BASE_BIN_DIR=/var/www/get.jenkins.io.staging
+export WARDIR=${BASE_BIN_DIR}/war${RELEASELINE}
+export MSIDIR=${BASE_BIN_DIR}/windows${RELEASELINE}
+export DEBDIR=${BASE_BIN_DIR}/debian${RELEASELINE}
+export RPMDIR=${BASE_BIN_DIR}/rpm${RELEASELINE}
+
+# where to put repository index and other web contents
+export BASE_PKG_DIR=/var/www/pkg.jenkins.io.staging
+export RPM_WEBDIR=${BASE_PKG_DIR}/rpm${RELEASELINE}
+export MSI_WEBDIR=${BASE_PKG_DIR}/windows${RELEASELINE}
+export DEB_WEBDIR=${BASE_PKG_DIR}/debian${RELEASELINE}
+
+# URL to the aforementioned webdir.
+WEBSERVER=https://pkg.jenkins.io
+export RPM_URL=${WEBSERVER}/rpm${RELEASELINE}
+export DEB_URL=${WEBSERVER}/debian${RELEASELINE}

profile.d/experimental

@@ -12,9 +12,3 @@ SIGN_ALIAS=jenkins
 
 # PACKAGING ENV used from jenkinsci/packaging
 RELEASELINE="-experimental"
-
-BUILDENV=env/azure.mk
-
-# Define endpoint used to force mirror synchronization
-[email protected]
-PKGSERVER_SSH_OPTS="-p 22 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"