DPTP-4401: Add configs for build03 (openshift#64354)

Author: liangxia

ci-operator/jobs/openshift/release/openshift-release-master-periodics.yaml

@@ -181222,6 +181222,52 @@ periodics:
         - key: sa.config-updater.build02.config
           path: kubeconfig
         secretName: config-updater
+- agent: kubernetes
+  cluster: app.ci
+  decorate: true
+  extra_refs:
+  - base_ref: master
+    org: openshift
+    repo: release
+  interval: 12h
+  labels:
+    ci.openshift.io/build-farm: build03
+    ci.openshift.io/generator: cluster-init
+    ci.openshift.io/role: infra
+  name: periodic-openshift-release-master-build03-apply
+  spec:
+    containers:
+    - args:
+      - --config-dir=clusters/build-clusters/build03
+      - --as=
+      - --kubeconfig=/etc/build-farm-credentials/kubeconfig
+      - --confirm=true
+      command:
+      - applyconfig
+      env:
+      - name: build03_id
+        valueFrom:
+          secretKeyRef:
+            key: build03-id
+            name: build03-dex-oidc
+      image: applyconfig:latest
+      imagePullPolicy: Always
+      name: ""
+      resources:
+        requests:
+          cpu: 10m
+      volumeMounts:
+      - mountPath: /etc/build-farm-credentials
+        name: build-farm-credentials
+        readOnly: true
+    serviceAccountName: config-updater
+    volumes:
+    - name: build-farm-credentials
+      secret:
+        items:
+        - key: sa.config-updater.build03.config
+          path: kubeconfig
+        secretName: config-updater
 - agent: kubernetes
   cluster: app.ci
   decorate: true

ci-operator/jobs/openshift/release/openshift-release-master-postsubmits.yaml

@@ -133,6 +133,50 @@ postsubmits:
           - key: sa.config-updater.build02.config
             path: kubeconfig
           secretName: config-updater
+  - agent: kubernetes
+    branches:
+    - ^master$
+    cluster: app.ci
+    decorate: true
+    labels:
+      ci.openshift.io/build-farm: build03
+      ci.openshift.io/generator: cluster-init
+      ci.openshift.io/role: infra
+    max_concurrency: 1
+    name: branch-ci-openshift-release-master-build03-apply
+    spec:
+      containers:
+      - args:
+        - --config-dir=clusters/build-clusters/build03
+        - --as=
+        - --kubeconfig=/etc/build-farm-credentials/kubeconfig
+        - --confirm=true
+        command:
+        - applyconfig
+        env:
+        - name: build03_id
+          valueFrom:
+            secretKeyRef:
+              key: build03-id
+              name: build03-dex-oidc
+        image: registry.ci.openshift.org/ci/applyconfig:latest
+        imagePullPolicy: Always
+        name: ""
+        resources:
+          requests:
+            cpu: 10m
+        volumeMounts:
+        - mountPath: /etc/build-farm-credentials
+          name: build-farm-credentials
+          readOnly: true
+      serviceAccountName: config-updater
+      volumes:
+      - name: build-farm-credentials
+        secret:
+          items:
+          - key: sa.config-updater.build03.config
+            path: kubeconfig
+          secretName: config-updater
   - agent: kubernetes
     branches:
     - ^master$

ci-operator/jobs/openshift/release/openshift-release-master-presubmits.yaml

@@ -464,6 +464,60 @@ presubmits:
       - emptyDir: {}
         name: tmp
     trigger: (?m)^/test( | .* )build02-dry,?($|\s.*)
+  - agent: kubernetes
+    always_run: false
+    branches:
+    - ^master$
+    - ^master-
+    cluster: app.ci
+    context: ci/build-farm/build03-dry
+    decorate: true
+    labels:
+      ci.openshift.io/build-farm: build03
+      ci.openshift.io/generator: cluster-init
+      pj-rehearse.openshift.io/can-be-rehearsed: "true"
+    name: pull-ci-openshift-release-master-build03-dry
+    rerun_command: /test build03-dry
+    run_if_changed: ^clusters/.*
+    spec:
+      containers:
+      - args:
+        - --config-dir=clusters/build-clusters/build03
+        - --as=
+        - --kubeconfig=/etc/build-farm-credentials/kubeconfig
+        command:
+        - applyconfig
+        env:
+        - name: HOME
+          value: /tmp
+        - name: build03_id
+          valueFrom:
+            secretKeyRef:
+              key: build03-id
+              name: build03-dex-oidc
+        image: registry.ci.openshift.org/ci/applyconfig:latest
+        imagePullPolicy: Always
+        name: ""
+        resources:
+          requests:
+            cpu: 10m
+        volumeMounts:
+        - mountPath: /etc/build-farm-credentials
+          name: build-farm-credentials
+          readOnly: true
+        - mountPath: /tmp
+          name: tmp
+      serviceAccountName: config-updater
+      volumes:
+      - name: build-farm-credentials
+        secret:
+          items:
+          - key: sa.config-updater.build03.config
+            path: kubeconfig
+          secretName: config-updater
+      - emptyDir: {}
+        name: tmp
+    trigger: (?m)^/test( | .* )build03-dry,?($|\s.*)
   - agent: kubernetes
     always_run: false
     branches:

clusters/app.ci/dex/manifests.yaml

@@ -163,6 +163,11 @@ spec:
             redirectURIs:
             - https://oauth-openshift.apps.build10.ci.devcluster.openshift.com/oauth2callback/RedHat_Internal_SSO
             secretEnv: BUILD10-SECRET
+          - idEnv: BUILD03-ID
+            name: build03
+            redirectURIs:
+            - https://oauth-openshift.apps.build03.ci.devcluster.openshift.com/oauth2callback/RedHat_Internal_SSO
+            secretEnv: BUILD03-SECRET
           storage:
             config:
               inCluster: true
@@ -390,6 +395,16 @@ spec:
             secretKeyRef:
               key: build10-secret
               name: build10-secret
+        - name: BUILD03-ID
+          valueFrom:
+            secretKeyRef:
+              key: build03-id
+              name: build03-secret
+        - name: BUILD03-SECRET
+          valueFrom:
+            secretKeyRef:
+              key: build03-secret
+              name: build03-secret
         image: ghcr.io/dexidp/dex:v2.31.0
         name: dex
         ports:

clusters/build-clusters/_cluster-init.yaml

@@ -1,13 +1,14 @@
 managed:
 - build01
 - build02
+- build03
 - build04
 - build05
 - build06
 - build07
 - build09
-- build11
 - build10
+- build11
 osd:
 - build04
 - build05

clusters/build-clusters/build03/assets/admin_cluster_oauth_template.yaml

@@ -0,0 +1,40 @@
+# !!! WARNING - DO NOT MODIFY !!!
+# Generated by cluster-init: https://github.com/openshift/ci-tools/tree/master/cmd/cluster-init
+# Modifying this file manually might break some tests in both openshift/ci-tools and openshift/release repositories.
+# Please consider, instead, writing a yaml patch in one of the cluster-install.yaml into clusters/_cluster-install/
+# or, alternatively, modifying the cluster-init tool itself.
+
+apiVersion: template.openshift.io/v1
+kind: Template
+objects:
+- apiVersion: config.openshift.io/v1
+  kind: OAuth
+  metadata:
+    name: cluster
+  spec:
+    identityProviders:
+    - mappingMethod: claim
+      name: RedHat_Internal_SSO
+      openID:
+        claims:
+          email:
+          - email
+          name:
+          - name
+          preferredUsername:
+          - preferred_username
+          - email
+        clientID: ${build03_id}
+        clientSecret:
+          name: dex-rh-sso
+        extraScopes:
+        - email
+        - profile
+        issuer: https://idp.ci.openshift.org
+      type: OpenID
+    tokenConfig:
+      accessTokenMaxAgeSeconds: 2419200
+parameters:
+- description: build03_id
+  name: build03_id
+  required: true

clusters/build-clusters/build03/assets/quayio-pull-through-cache-icsp.yaml

@@ -0,0 +1,15 @@
+# !!! WARNING - DO NOT MODIFY !!!
+# Generated by cluster-init: https://github.com/openshift/ci-tools/tree/master/cmd/cluster-init
+# Modifying this file manually might break some tests in both openshift/ci-tools and openshift/release repositories.
+# Please consider, instead, writing a yaml patch in one of the cluster-install.yaml into clusters/_cluster-install/
+# or, alternatively, modifying the cluster-init tool itself.
+
+apiVersion: operator.openshift.io/v1alpha1
+kind: ImageContentSourcePolicy
+metadata:
+  name: quayio-pull-through-cache-icsp
+spec:
+  repositoryDigestMirrors:
+  - mirrors:
+    - quayio-pull-through-cache-us-east-1-ci.apps.ci.l2s4.p1.openshiftapps.com
+    source: quay.io

clusters/build-clusters/build03/cert-manager-operator/operator.yaml

@@ -0,0 +1,45 @@
+# !!! WARNING - DO NOT MODIFY !!!
+# Generated by cluster-init: https://github.com/openshift/ci-tools/tree/master/cmd/cluster-init
+# Modifying this file manually might break some tests in both openshift/ci-tools and openshift/release repositories.
+# Please consider, instead, writing a yaml patch in one of the cluster-install.yaml into clusters/_cluster-install/
+# or, alternatively, modifying the cluster-init tool itself.
+
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cert-manager-operator
+---
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+  name: cert-manager-operator
+  namespace: cert-manager-operator
+spec:
+  targetNamespaces:
+  - cert-manager-operator
+---
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  labels:
+    operators.coreos.com/openshift-cert-manager-operator.cert-manager-operator: ""
+  name: openshift-cert-manager-operator
+  namespace: cert-manager-operator
+spec:
+  channel: stable-v1
+  installPlanApproval: Automatic
+  name: openshift-cert-manager-operator
+  source: redhat-operators
+  sourceNamespace: openshift-marketplace
+  startingCSV: cert-manager-operator.v1.15.1
+---
+apiVersion: operator.openshift.io/v1alpha1
+kind: CertManager
+metadata:
+  name: cluster
+spec:
+  unsupportedConfigOverrides:
+    controller:
+      args:
+      - --dns01-recursive-nameservers=8.8.8.8:53
+      - --dns01-recursive-nameservers-only

clusters/build-clusters/build03/cert-manager/certificate.yaml

@@ -0,0 +1,50 @@
+# !!! WARNING - DO NOT MODIFY !!!
+# Generated by cluster-init: https://github.com/openshift/ci-tools/tree/master/cmd/cluster-init
+# Modifying this file manually might break some tests in both openshift/ci-tools and openshift/release repositories.
+# Please consider, instead, writing a yaml patch in one of the cluster-install.yaml into clusters/_cluster-install/
+# or, alternatively, modifying the cluster-init tool itself.
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  labels:
+    aws-project: openshift-ci-infra
+  name: apiserver-tls
+  namespace: openshift-config
+spec:
+  dnsNames:
+  - api.build03.ci.devcluster.openshift.com
+  issuerRef:
+    kind: ClusterIssuer
+    name: cert-issuer-aws
+  secretName: apiserver-tls
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  labels:
+    aws-project: openshift-ci-infra
+  name: apps-tls
+  namespace: openshift-ingress
+spec:
+  dnsNames:
+  - '*.apps.build03.ci.devcluster.openshift.com'
+  issuerRef:
+    kind: ClusterIssuer
+    name: cert-issuer-aws
+  secretName: apps-tls
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  labels:
+    gcp-project: openshift-ci-infra
+  name: registry-tls
+  namespace: openshift-image-registry
+spec:
+  dnsNames:
+  - registry.build03.ci.openshift.org
+  issuerRef:
+    kind: ClusterIssuer
+    name: cert-issuer
+  secretName: public-route-tls