Description

DOING

• [x] Don't create authentified user while its local consumer has not been verified through it email address. @richardlt
• [x] ui: edit "Patterns of configuration scripts" as admin. @richardlt
• [x] ui: edit Worker model as admin. @richardlt
• [ ] shared.infra should be removed from the worker consumer groups.
• [x] api: update consumer if Ring change. @richardlt
• [ ] doc: explain auth entities and scopes. @richardlt
• [x] cdsctl: signup and reset (send mail that gives cdsctl instructions). @fsamin
• [x] ui: component password strength, add it to reset page. @richardlt
• [x] ui: password limit size (256). @richardlt
• [x] cdsctl: merge refact context ctl #4576. @fsamin
• [x] to merge #4573. @fsamin
• [x] api: to encrypt data we should add some extra, use a value that allows to access the data (ex: key name). @fsamin
• [x] instrumentation: router metrics. @fsamin
• [x] ui: access /auth/signin should redirect if already signed in. @richardlt
• [x] database downgrade
• [x] user migration

TODO

• [x] Engine config file external key file management.
• [x] update RUST client.

TEST:

• [x] it: create a test to init CDS to replace exiting scripting.
• [x] it: test change group of a consumer should disabled or invalid part of it.
• [x] it: clictl_access_token.yml
• [x] it: clictl_action.yml
• [x] it: clictl_admin_broadcast.yml
• [x] it: clictl_admin_database.yml
• [x] it: clictl_admin_integration_model.yml
• [x] it: clictl_admin_metadata.yml
• [x] it: clictl_admin_plugin_and_integrations.yml
• [x] it: clictl_admin_services.yml
• [x] it: clictl_common_options.yml
• [x] it: clictl_group.yml
• [x] it: clictl_project.yml
• [x] it: clictl_template.yml
• [x] it: clictl_template_apply.yml
• [x] it: clictl_template_bulk.yml
• [x] it: clictl_token.yml
• [x] it: clictl_user.yml
• [x] it: clictl_version.yml
• [x] it: clictl_worker_model.yml
• [x] it: sc_workflow_check_secret.yml
• [x] it: sc_workflow_create_run_join.yml
• [x] it: sc_workflow_create_simple.yml
• [x] it: sc_workflow_edit_scheduler.yml
• [x] it: sc_workflow_git_clone_tag.yml
• [x] it: sc_workflow_integration_deploy_plugin_req.yml
• [x] it: sc_workflow_key_install.yml
• [x] it: sc_workflow_run_cache.yml
• [x] it: sc_workflow_run_check_payload.yml
• [x] it: sc_workflow_run_cmd_tmpl.yml
• [x] it: sc_workflow_run_node_perm.yml
• [x] it: sc_workflow_run_simple.yml
• [x] it: sc_workflow_simple_serve.yml
• [x] it: sc_workflow_stop_simple.yml
• [x] it: sc_workflow_storage_awss3_artifact.yml
• [x] it: sc_workflow_storage_awss3_worker_artifact.yml
• [x] it: sc_workflow_storage_awss3_worker_cache.yml
• [x] it: sc_workflow_storage_swift_artifact.yml
• [x] it: sc_workflow_storage_swift_staticfiles.yml
• [x] it: sc_workflow_storage_swift_worker_artifact.yml
• [x] it: sc_workflow_storage_swift_worker_cache.yml
• [x] it: sc_workflow_update_run.yml

TO PLAN

• [ ] cdsctl: signout (and clean context and secret)
• [ ] cdsctl getting started: on first cdsctl run (without any context), run a login to configure all the things
• [ ] api: update all requirements when renaming a group.
• [ ] ui,api: add XSRF for signin local and ldap.
• [ ] api: session lifetime should be based on last usage.
• [ ] api: consumer "data" map should be scoped to authentication package.
• [ ] Send mail on primary contact when a new consumer is added.
• [ ] Active sessions managements, show all consulmers an session in an admin page.
• [ ] instrumentation: Logger with session ID Field.
• [ ] instrumentation: Expose TLS.
• [ ] managed in memory cache of prepare statement in the gorpmapping layer
• [ ] managed in memory cache of entities in the gorpmapping layer - to be used with sticky session on LB
• [ ] remove deprecated tables

DONE

• [x] Test_checkWorkflowPermissionsByUser.
• [x] ui: detach, delete, signin
• [x] ui,api: regen consumers (should also invalidate old signin token).
• [x] ui: show password not enough strong.
• [x] api: username check syntax backend.
• [x] api: consumer lifecycle. When a user is removed from a group, when a group is deleted, check if some consumers need to be revoked or updated.
• [x] api: signin external should detect if there is a current consumer in session, then retrieve the user from it instead of username or email.
• [x] api: implement session clean goroutine on API side.
• [x] api: startup authentication drivers initialization.
• [x] api: implement permActionBuiltinName.
• [x] cdsctl: consumer & sessions management.
• [x] cdsctl: login with external driver.
• [x] cdsctl: if a signin token is given try to signin auto with builtin driver.
• [x] LDAP authentication drivers
• [x] api debug handlers getProfileIndexHandler
• [x] updateGroupHandlerchecks number of remaining admins
• [x] GetUserWorkflowEventssend email notifications- [x] postServiceRegisterHandler: for hatcheries, the user who created the used token must be admin of all groups in the token
• [x] serviceAPIHeartbeat: fake user ?
• [x] bookWorkerModelHandler: permModelID middleware
• [x] Implement a unit test for checkGroupPermissions
• [x] Implement a unit test for checkActionPermissions
• [x] Implement a unit tests for checkTemplateSlugPermissions
• [x] [ERROR] error executing query UPDATE services SET sig = $2 WHERE id = $1 with parameters services, id: pq: payload string too long
• [x] Worker is revoked while building a job.
• [x] admin: API symmecript rolling keys.
• [x] list all TODOs in the code.
• [x] ui,api: sse, send event based on permission need refacts. @fsamin
• [x] getActionsForGroupHandler, getWorkerModelsForGroupHandler: move this in a permGroupName middleware, check usage of the handlers and change it. @richardlt
• [x] Test_checkWorkerModelPermissionsByUser.
• [x] hook: get 403 when at startup, check scopes. @fsamin
• [x] Check the "triggered by" data when a workflow is run by a uService. @fsamin
• [x] Implement a unit test for checkWorkerModelPermissions.
• [x] secure the JWT cookie (http cookie attributes, path = "/"...). @richardlt
• [x] services should stay up when register failed then retry (useful for cds init and upgrade). @fsamin
• [x] test local hatchery
• [x] test swarm hatchery
• [x] test marathon hatchery
• [x] test k8s hatchery
• [x] test openstack hatchery
• [x] ui: missing shared infra in new consumer modal. @richardlt
• [x] api: handler /worker/model returns duplicate worker models
• [x] Asynchronous handlers not working anymore.
• [x] remove "communication with API" from worker model UI
• [x] starting multiple hatcheries on the same engine failed: jobs_sse_count: cannot register view "jobs_sse_count"; a different view with the same name is already registered

1. Description

• [ ] When a user is removed from a group, removed from admins, when a group is deleted, check if some consumers need to be revoked or updated.
• [ ] Use of a builtin signin token in CLI, should use the client that automatically signin. We can also signin manually.
• [ ] Consumer "data" map should be scoped to authentication package.

TODOs

• [ ] cdsclt consumer & sessions management
• [ ] getActionsForGroupHandler, getWorkerModelsForGroupHandler: move this in a permGroupID middleware
• [x] api startup authentication drivers initialization
• [x] LDAP authentication drivers
• [x] api debug handlers getProfileIndexHandler
• [x] updateGroupHandlerchecks number of remaining admins
• [ ] GetUserWorkflowEventssend email notifications
• [ ] Test_checkWorkerModelPermissionsByUser
• [x] Test_checkWorkflowPermissionsByUser
• [x] postServiceRegisterHandler: for hatcheries, the user who created the used token must be admin of all groups in the token
• [x] serviceAPIHeartbeat: fake user ?
• [x] bookWorkerModelHandler: permModelID middleware
• [x] Implement a unit test for checkGroupPermissions
• [ ] Implement a unit test for checkWorkerModelPermissions
• [ ] Implement a unit test for checkActionPermissions
• [ ] Implement permActionBuiltinName
• [x] Implement a unit tests for checkTemplateSlugPermissions
• [ ] Check the "triggered by" data when a workflow is run by a uService
• [x] [ERROR] error executing query UPDATE services SET sig = $2 WHERE id = $1 with parameters services, id: pq: payload string too long
• [x] Implement session clean goroutine on API side
• [ ] Add XSRF signin local and ldap
• [ ] username check syntax backend
• [ ] Update all requirements that was using the group name

$ cdsctl admin database unlock api id-to-unlock $ cdsctl admin database unlock cdn id-to-unlock $ cdsctl admin database delete api id-migration-to-delete $ cdsctl admin database delete cdn id-migration-to-delete $ cdsctl admin database list api $ cdsctl admin database list cdn

Signed-off-by: Yvonnick Esnault [email protected]

• [x] Store logs from step
  • [x] Update Item when last logs
  • [x] Add api ref information in logs send by worker
• [x] Store Sevice Logs
  • [x] Use the same algo
  • [x] Update Book Handler to have all api_ref data in hatchery
  • [x] Add api ref information in logs send by hatchery
  • [x] Append Logs
  • [x] Send Status information ( send done message when deleting the containers )
    • [x] Swarm send status
    • [x] Kube send status

@ovh/cds

API:

• [x] model definition
• [x] CRUD Handlers
• [x] hooks execution
• [x] hooks triggers processing
• [x] as code
• [x] cds.status compute
• [x] handle stop

HOOKS:

• [x] outgoing webhook execution
• [x] outgoing workflow execution
• [x] errors on execution
• [x] interpolate variable on outgoing hook payload
• [x] hide secrets in outgoing hook payload logs
• [x] delete old executions

UI:

• [x] workflow edition (add and remove outgoing hooks)
• [x] hooks edition (update outgoing hooks)
• [x] run view
• [x] hook run details (logs)
• [x] hooks triggers
• [x] link from child pipeline run to parent pipeline run

1. Description

• [x] Remove one pipeline mode
• [x] Use a slice for notifications
• [x] Display warning when load v1.0 workflow

1. Related issues
2. About tests
3. Mentions

@ovh/cds

Hi All, I am trying to integrate kafka with CDS, I have currently set up kafka in my host machine with single node in port 9092 as mentioned in official CDS documentation and also with CLI i am able to send and receive message but when I am trying to give the same configuration in CDS UI it is failing . I have attached the CDS UI screenshot and logs as well. Kindly let me know if i have missed out anything.

HI Guys,

Thanks for the new features in version 0.40.0

Although, I can say that I'm having a very hard time to set CDS up no my k8s cluster. I'll describe my setup steps and point where thing gone wrong:

1. I have a k8s cluster on aws-eks

2. Helm, kubectl, tiller and aws cli installed and configured correctly on my Mac

3. cloned the git repo - https://github.com/ovh/cds.git to my home directory

4. inside ~/cds, git checkout 0.40.0. Now I'm in release 0.40. 0

5. in contrib/helm/cds, installed CDS with helm helm dependency update helm install --name cds-weka . Issue 1: in helm/cds directory, tag values in values.yaml for cds image are 0.39.2, therefore, the installation resulted with older version - 0.39.2. 'app version' in Charts.yaml is also 0.39.2

6. I deleted the helm installation- 'helm delete cds-weka --purge'

7. modified values.yaml and Charts.yaml to the correct version -0.40.0

8. helm dependency update helm install --name cds-weka . Now, version 0.40.0 is installed.

9. added the bitbucketcloud section to config.toml, cluentid and secret and delete api and vcs pods. exactly as written in this guide: https://ovh.github.io/cds/docs/integrations/bitbucketcloud/ issue 2: open the cds ui--> enter a project advanced tab--> see no 'bitbucketcloud' in the 'Link to a repository manager' drop-down-list. I think there's missing documentation for how to enable the service.

10. Go back to condig.toml- give a name to the 'name' field in 'CDS VCS Settings'- cds-weka-cds-vcs.

11. kill api and vcs pods

12. Finally, see bitbucketcloud in project's advanced tab.

13. Connect to bitbucket--> 'grant access' in the bitbucket redirected page.

14. Enter the code that is found url to 'validate' field in cds UI

15. see the message - linked successfully to repository.

16. now, trying to synchronise my repo list (drop down list) leads to: issue 3: the repositories drop down list is empty! authentication to my bitbucket cloud account probably not authorized...
    looking at the api pod logs, I see this: Reading configuration file config.toml 2019-07-02 07:32:36 [INFO] Directory /app/keys has been created 2019-07-02 07:32:36 [INFO] api> Service registered 2019-07-02 07:32:36 [INFO] Starting CDS API Server 0.40.0+cds.9951 2019-07-02 07:32:36 [INFO] Initializing mail driver... 2019-07-02 07:32:36 [INFO] Initializing feature flipping with izanami 2019-07-02 07:32:36 [INFO] Initializing local objectstore... 2019-07-02 07:32:36 [INFO] ObjectStore> Initialize Filesystem driver on directory: /app/artifacts 2019-07-02 07:32:36 [INFO] Initializing database connection... Starting service api 2019-07-02 07:32:36 [INFO] Bootstrapping database... 2019-07-02 07:32:36 [INFO] Initializing redis cache on weka-cds-devops-redis-master:6379... 2019-07-02 07:32:36 [INFO] Initializing HTTP router 2019-07-02 07:32:36 [INFO] Initializing Events broker 2019-07-02 07:32:36 [INFO] api> Stats initialized 2019-07-02 07:32:36 [INFO] Initializing Metrics 2019-07-02 07:32:36 [INFO] api> Metrics initialized 2019-07-02 07:32:36 [INFO] Initializing Authentication driver... 2019-07-02 07:32:36 [INFO] Auth> Initializing driver (local) 2019-07-02 07:32:36 [INFO] Auth> Connecting to session store 2019-07-02 07:32:36 [INFO] Initializing event broker... 2019-07-02 07:32:36 [INFO] Initializing internal routines... 2019-07-02 07:32:36 [INFO] Migration> CleanArtifactBuiltinActions> Already done (status: DONE) 2019-07-02 07:32:36 [INFO] Migration> WorkflowOldStruct> Already done (status: DONE) 2019-07-02 07:32:36 [INFO] Starting GRPC services on :8082 2019-07-02 07:32:36 [INFO] Migration> StageConditions> Already done (status: DONE) 2019-07-02 07:32:36 [INFO] Migration> WorkflowNotification> Already done (status: DONE) 2019-07-02 07:32:36 [INFO] Migration> ActionModelRequirements> Already done (status: DONE) 2019-07-02 07:32:36 [INFO] Starting CDS API HTTP Server on :8081 2019-07-02 07:35:06 [WARN] pprofLabel>recoverWrap>Handle>attachRepositoriesManagerHandler: repository not found (caused by: attachRepositoriesManager> Cannot get repo undefined: pprofLabel>recoverWrap>Handle>attachRepositoriesManagerHandler>RepoByFullname>doJSONRequest: resource not found (caused by: unable to get repo undefined from bitbucketcloud: pprofLabel>recoverWrap>Handle>attachRepositoriesManagerHandler>RepoByFullname>doJSONRequest>DoJSONRequest>doJSONRequest>ErrorWithFallback>NewErrorWithStack: wrong request (from: Unable to perform request on service weka-cds-devops-cds-vcs (vcs)) (caused by: Request Failed))) error_uuid=e9769dc1-9c9b-11e9-bd2e-76f3b50cd5a9 method=POST request_uri=/project/DEVOPTE/repositories_manager/bitbucketcloud/application/devops-test-app/attach?fullname=undefined stack_trace=attachRepositoriesManager> Cannot get repo undefined: pprofLabel>recoverWrap>Handle>attachRepositoriesManagerHandler>RepoByFullname>doJSONRequest: resource not found (caused by: unable to get repo undefined from bitbucketcloud: pprofLabel>recoverWrap>Handle>attachRepositoriesManagerHandler>RepoByFullname>doJSONRequest>DoJSONRequest>doJSONRequest>ErrorWithFallback>NewErrorWithStack: wrong request (from: Unable to perform request on service weka-cds-devops-cds-vcs (vcs)) (caused by: Request Failed)) github.com/ovh/cds/sdk.WrapError /go/src/github.com/ovh/cds/sdk/error.go:732 github.com/ovh/cds/engine/api.(*API).attachRepositoriesManagerHandler.func1 /go/src/github.com/ovh/cds/engine/api/repositories_manager.go:476 github.com/ovh/cds/engine/api.(*Router).Handle.func1 /go/src/github.com/ovh/cds/engine/api/router.go:245 net/http.HandlerFunc.ServeHTTP /usr/local/go/src/net/http/server.go:1995 github.com/ovh/cds/engine/api.(*Router).recoverWrap.func1 /go/src/github.com/ovh/cds/engine/api/router.go:152 net/http.HandlerFunc.ServeHTTP /usr/local/go/src/net/http/server.go:1995 github.com/ovh/cds/vendor/github.com/gorilla/handlers.CompressHandlerLevel.func1 /go/src/github.com/ovh/cds/vendor/github.com/gorilla/handlers/compress.go:143 net/http.HandlerFunc.ServeHTTP /usr/local/go/src/net/http/server.go:1995 github.com/ovh/cds/engine/api.(*Router).pprofLabel.func1 /go/src/github.com/ovh/cds/engine/api/router.go:89 net/http.HandlerFunc.ServeHTTP /usr/local/go/src/net/http/server.go:1995 github.com/ovh/cds/vendor/github.com/gorilla/mux.(*Router).ServeHTTP /go/src/github.com/ovh/cds/vendor/github.com/gorilla/mux/mux.go:114 net/http.serverHandler.ServeHTTP

I tried many times since then, couldn't fix it. Please assist guys, thank you for your effort.

if there is no binary in docker image, there will be auto downloaded from github or artifactory if configured.

Signed-off-by: Yvonnick Esnault [email protected]

1. Description
2. Related issues
3. About tests
4. Mentions

@ovh/cds

I create a workflow with a bad dependencies cycle and the only error I get was: [2022-12-08T16:50:52] ⚠ An error has occurred: wrong request

Having either:

• More precise error message
• Possible error cause

Would help debugging

It was hard to find how to add a pipeline parameters and modify it inside a workflow and to use a cds vars as a value inside the workflow. I added element to explain how to do it.

@ovh/cds

When I launch:

cdsctl workflow run-delete -n PROJECT my-workflow-name 315
# or 
cdsctl workflow run-delete --no-interactive PROJECT my-workflow-name 315

it asks for confirmation

? Are you sure to delete? (Y/n)

Version:

❯ cdsctl version
cdsctl:
  version: 0.52.0
  architecture: arm64
  os: darwin
  git_hash: 1da97b5e45e1630f2da5b07c3e1789dd6d939e8d
  build_time: 09/26/22-14:58:49
  keychain: false
api:
  version: 0.52.0-42-g20c5156.18205
  architecture: amd64
  os: linux
  git_hash: 20c51569bd1ffeae6f672a8941874cf4ee3a2e0c
  build_time: 11/08/22-10:10:46
  db_migrate: "0"

Hi. I have some pipelines with script action, and there are some bash strings with date format, git log format etc.

For example: TZ=UTC-3 date +"%F %T" or git tag -l --format='%(refname:short) %(creatordate:short)'

And when I'm doing ./cdsctl pipeline export $PROJECT $PIPELINE_NAME > file.yaml

i get these strings in file like TZ=UTC-3 date +"%!F(MISSING) %!T(MISSING)"

Is it a bug? Or how to deal with that?

Max DB connections is set to 20. After some running period I see DB connections is growing to more than 100. I'm using Postgres as DB.

DB currently have a limit of 100, so after this max is reached CDS is hanging. The setup I'm using currently is:

cds-engine start api ui cdn hooks vcs repositories hatchery:local so 1 process for all services. Local hatchery. max workers is set to 4.

I do have a couple of workflows building my apps.

attached a part of the logfile after a clean start.

cds-engine.log

In the following conditional, the Boolean expressions at both sides of the && operator are identical

https://github.com/ovh/cds/blob/77a1606908ee7113a5d23a1f1c0e89211904f6a9/engine/api/workflow/dao.go#L1088-L1090

It seems to be a typo in the slice index: one should be i and the other should be j:

!sdk.IsInInt64Array(int64(i), duplicateHookIdx) && !sdk.IsInInt64Array(int64(j), duplicateHookIdx)

Found with revive