Merge pull request #3 from Evaneos/feat/update-helm3-resource

update helm3 resource from upstream
Evaneos · Jul 12, 2024 · 01993d6 · 01993d6
2 parents 7c987f0 + 693a050
commit 01993d6
Show file tree

Hide file tree

Showing 8 changed files with 357 additions and 33 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -0,0 +1,28 @@
+name: Create and publish a Docker image
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Login to Docker registry
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER__USERNAME }}
+          password: ${{ secrets.DOCKER__TOKEN }}
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          tags: |
+            evaneos/concourse-helm3-resource:latest
diff --git a/Dockerfile b/Dockerfile
@@ -1,17 +1,22 @@
-FROM alpine/helm:3.8.0
-LABEL maintainer "Yann David (@Typositoire) <davidyann88@gmail>"
+FROM --platform=linux/amd64 alpine/helm:3.13.3
+# Helm supported version along with K8 version: https://helm.sh/docs/topics/version_skew/
 
-#Versions for gcloud,kubectl,doctl
-ARG KUBERNETES_VERSION=1.21.5
-ARG GCLOUD_VERSION=327.0.0
+LABEL maintainer="Yann David (@Typositoire) <davidyann88@gmail>"
+
+# Versions for gcloud, kubectl, doctl, awscli
+# K8 versions: https://kubernetes.io/releases/
+ARG KUBERNETES_VERSION=1.28.7
+ARG GCLOUD_VERSION=416.0.0
 ARG DOCTL_VERSION=1.57.0
+ARG AWSCLI_VERSION=2.15.14-r0
 ARG HELM_PLUGINS_TO_INSTALL="https://github.com/databus23/helm-diff"
 
+
 #gcloud path
 ENV PATH $PATH:/usr/local/gcloud/google-cloud-sdk/bin
 
 #install packages
-RUN apk add --update --upgrade --no-cache jq bash curl git gettext libintl py-pip
+RUN apk add --update --upgrade --no-cache jq bash curl git gettext libintl py-pip aws-cli=${AWSCLI_VERSION}
 
 #install kubectl
 RUN curl -sL -o /usr/local/bin/kubectl https://storage.googleapis.com/kubernetes-release/release/v${KUBERNETES_VERSION}/bin/linux/amd64/kubectl; \
@@ -21,9 +26,17 @@ RUN curl -sL -o /usr/local/bin/kubectl https://storage.googleapis.com/kubernetes
 RUN wget https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-${GCLOUD_VERSION}-linux-x86_64.tar.gz \
     -O /tmp/google-cloud-sdk.tar.gz | bash
 
+# For use with gke-gcloud-auth-plugin below
+# see https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke
+# for details
+ENV USE_GKE_GCLOUD_AUTH_PLUGIN=True
+
 RUN mkdir -p /usr/local/gcloud \
     && tar -C /usr/local/gcloud -xvzf /tmp/google-cloud-sdk.tar.gz \
-    && /usr/local/gcloud/google-cloud-sdk/install.sh -q
+    && /usr/local/gcloud/google-cloud-sdk/install.sh -q \
+    ## auth package is split out now, need explicit install
+    ## --quiet disables interactive prompts
+    && gcloud components install gke-gcloud-auth-plugin --quiet
 
 #copy scripts
 ADD assets /opt/resource

diff --git a/Makefile b/Makefile
@@ -1,13 +1,15 @@
 PROJECT = concourse-helm3
 ID = YOUR_DOCKER_HOST_HERE/${PROJECT}
+VERSION = $(shell cat VERSION)
+
 
 all: build push
 
 build:
-	docker build --tag ${ID}:release-candidate .
+	docker build --tag ${ID}:$(VERSION) .
 
 push:
-	docker push ${ID}
+	docker push ${ID}:$(VERSION)
 
 run:
 	docker run \

diff --git a/README.md b/README.md
@@ -4,12 +4,11 @@
 
 Deploy [Helm Charts](https://github.com/helm/helm) from [Concourse](https://concourse-ci.org/).
 
-Heavily based on the work of [`linkyard/concourse-helm-resource`][linkyard].
-
-[linkyard]: https://github.com/linkyard/concourse-helm-resource
+Heavily based on the work of [`linkyard/concourse-helm-resource`](https://github.com/linkyard/concourse-helm-resource).
 
 ## IMPORTANT NOTES
 
+- Version 1.25.0 expects `cluster_ca` in base64 format in a new parameter called `cluster_ca_base64`. `cluster_ca` can still be used if a plain certificate is passed.
 - Version 1.21.0 to 1.24.2 seems to be broken for certain uses cases. See [Issue#83](https://github.com/Typositoire/concourse-helm3-resource/issues/83)
 - Version 1.21.0 to 1.24.2 seems to be missing helm diff plugin due to the use of HELM_PLUGINS environment variable
   - HELM_PLUGINS was used as a build arg to store plugins list, which made the plugins be installed in a weird
@@ -18,6 +17,7 @@ Heavily based on the work of [`linkyard/concourse-helm-resource`][linkyard].
 - Most of those have been fixed with v1.25.0 available in GHCR only
 
 ## Docker Image
+
 You can pull the resource image from [`typositoire/concourse-helm3-resource`][dockerhub]. !["Dockerhub Pull Badge"](https://img.shields.io/docker/pulls/typositoire/concourse-helm3-resource.svg "Dockerhub Pull Badge")
 
 [dockerhub]: https://hub.docker.com/repository/docker/typositoire/concourse-helm3-resource
@@ -26,7 +26,7 @@ You can pull the resource image from [`typositoire/concourse-helm3-resource`][do
 
 Starting with version 1.25.0, can you can no longer pull this resource from Docker Hub.
 
-Starting with version 1.19.1, you can pull the resource from Github [`ghcr.io/typositoire/concourse-helm3-resource`][github packages]. Docker hub will eventually stop receiving new images.
+Starting with version 1.19.1, you can pull the resource from GitHub [`ghcr.io/typositoire/concourse-helm3-resource`][github packages]. Docker hub will eventually stop receiving new images.
 
 [github packages]: https://github.com/Typositoire/concourse-helm3-resource/pkgs/container/concourse-helm3-resource
 
@@ -53,12 +53,13 @@ resource_types:
 -   `admin_cert`: _Optional._ Base64 encoded PEM. Required if `cluster_url` is https and no `token` or 'token_path' is provided.
 -   `release`: _Optional._ Name of the release (not a file, a string). (Default: autogenerated by helm)
 -   `namespace`: _Optional._ Kubernetes namespace the chart will be installed into. (Default: default)
--   `helm_history_max`: _Optional._ Limits the maximum number of revisions. (Default: 0 = no limit)
+-   `helm_history_max`: _Optional._ Limits the maximum number of revisions. Use 0 for no limit. (Default: 10)
 -   `repos`: _Optional._ Array of Helm repositories to initialize, each repository is defined as an object with properties `name`, `url` (required) username and password (optional).
 -   `plugins`: _Optional._ Array of Helm plugins to install, each defined as an object with properties `url` (required), `version` (optional).
--   `stable_repo`: _Optional_ A `false` value will disable using a default Helm stable repo. Any other value will be used to Override default Helm stable repo URL <https://charts.helm.sh/stable>. Useful if running helm deploys without internet access.
+-   `stable_repo`: _Optional_ A `"false"` (must be "string" not boolean) value will disable using a default Helm stable repo. Any other value will be used to Override default Helm stable repo URL <https://charts.helm.sh/stable>. Useful if running helm deploys without internet access.
 -   `tracing_enabled`: _Optional._ Enable extremely verbose tracing for this resource. Useful when developing the resource itself. May allow secrets to be displayed. (Default: false)
 -   `helm_setup_purge_all`: _Optional._ Uninstalls and purge every helm release. Use with extreme caution. (Default: false)
+  - `env_vars`: _Optional._ A key/value pair of environment variables that will be set before running the helm command. This is useful for using different Helm storage options.
 
 ## Source options for Google Cloud
 
@@ -79,6 +80,16 @@ resource_types:
 -   `digitalocean.cluster_id` _Optional._ ClusterID on digitalocean to fetch kubeconfig.
 -   `digitalocean.access_token` _Optionl._ Read Access Token to fetch kubeconfig.
 
+## Source options for AWS EKS
+
+-   `aws.region` _Optional._ Region of the EKS cluster
+-   `aws.cluster_name` _Optionl._ Name of the EKS cluster
+-   `aws.profile` _Optional._ Name of the AWS profile to store/use credentials, defaults to `default`. Only used for non-role based authentication
+-   `aws.role.arn` _Optional._ ARN of the role to be used for EKS authentication
+-   `aws.role.session_name` _Optional._ Session name of the assume-role session
+-   `aws.user.access_key_id` _Optional._ Access key id of the user credential used for EKS authentication
+-   `aws.user.secret_access_key` _Optional._ Secret access key of the user credential used for EKS authentication
+
 ## Behavior
 
 ### `check`: Check the release, not happy with dynamic releases.
@@ -91,6 +102,13 @@ Deploy an helm chart
 
 #### Parameters
 
+-   `private_registry.ecr.region`: _Optional._ Region of ECR `helm` registry.
+-   `private_registry.ecr.account_id`: _Optional._ AWS account id of ECR `helm` registry.
+-   `private_registry.ecr.profile` _Optional._ Name of the AWS profile to store/use credentials, defaults to `default`. Only used for non-role based authentication.
+-   `private_registry.ecr.role.arn`: _Optional._ AWS IAM role ARN to be used to authenticate with ECR `helm` registry.
+-   `private_registry.ecr.role.session_name`: _Optional._ AWS assume role session name for authenticating with ECR `helm` registry.
+-   `private_registry.ecr.user.access_key_id` _Optional._ Access key id of the user credential used for ECR `helm` registry authentication
+-   `private_registry.ecr.user.secret_access_key` _Optional._ Secret access key of the user credential used for ECR `helm` registry authentication
 -   `chart`: _Required._ Either the file containing the helm chart to deploy (ends with .tgz), the path to a local directory containing the chart or the name of the chart from a repo (e.g. `stable/mysql`).
 -   `namespace`: _Optional._ Either a file containing the name of the namespace or the name of the namespace. (Default: taken from source configuration).
 -   `create_namespace`: _Optional._ Create the namespace if it doesn't exist (Default: false).
@@ -101,6 +119,7 @@ Deploy an helm chart
     the file in that path. A `hide: true` parameter ensures that the value is not logged and instead replaced with `***HIDDEN***`.
     A `type: string` parameter makes sure Helm always treats the value as a string (uses the `--set-string` option to Helm; useful if the value varies
     and may look like a number, eg. if it's a Git commit hash).
+    A `type: file` parameter makes Helm treats the `path` as file (uses the `--set-file` option to Helm). 
     A `verbatim: true` parameter escapes backslashes so the value is passed as-is to the Helm chart (useful for `((credentials))`).
     The default behaviour of backslashes in `--set` is to quote the next character so `val\ue` is treated as `value` by Helm.
 -   `token_path`: _Optional._ Path to file containing the bearer token for Kubernetes.  This, 'token' or `admin_key`/`admin_cert` are required if `cluster_url` is https.
@@ -115,6 +134,7 @@ Deploy an helm chart
     charts (i.e. 1.0.2-rc1) without having to specify a version. (Default: false)
 -   `debug`: _Optional._ Dry run the helm install with the debug flag which logs interpolated chart templates. (Default: false)
 -   `check_is_ready`: _Optional._ Requires that `wait` is set to Default. Applies --wait without timeout. (Default: false)
+-   `wait_for_jobs`: _Optional._ Requires that `wait` is set to Default. Applies --wait and --wait-for-jobs without timeout. (Default: false)
 -   `atomic`: _Optional._ This flag will cause failed installs to purge the release, and failed upgrades to rollback to the previous release. (Default: false)
 -   `reuse_values`: _Optional._ When upgrading, reuse the last release's values. (Default: false)
 -   `reset_values`: _Optional._ When upgrading, reset the values to the ones built into the chart. (Default: false)
@@ -145,6 +165,9 @@ resources:
     repos:
       - name: some_repo
         url: https://somerepo.github.io/charts
+    env_vars:
+      HELM_DRIVER: sql
+      HELM_DRIVER_SQL_CONNECTION_STRING: postgresql://helm-postgres:5432/helm?user=helm&password=changeme
 ```
 
 DigitalOcean
@@ -178,6 +201,34 @@ resources:
         url: https://somerepo.github.io/charts
 ```
 
+Amazon EKS using IAM role
+```yaml
+resources:
+- name: myapp-helm
+  type: helm
+  source:
+    aws:
+      region: aws-region
+      cluster_name: eks-cluster-name
+      role:
+        arn: arn:aws:iam::<aws_account_id>:role/<my_eks_role>
+        session_name: EKSAssumeRoleSession
+```
+
+Amazon EKS using user
+```yaml
+resources:
+- name: myapp-helm
+  type: helm
+  source:
+    aws:
+      region: aws-region
+      cluster_name: eks-cluster-name
+      profile: eks_user
+      user:
+        access_key_id: <access_key_id>
+        secret_access_key: <secret_access_key>
+```
 
 Add to job:
 
@@ -200,4 +251,58 @@ jobs:
       - key: image.tag
         path: version/image_tag # Read value from version/number
         type: string            # Make sure it's interpreted as a string by Helm (not a number)
+      - key: configuration
+        path: configuration/production.yaml # add path to --set-file helm option 
+        type: file            # use --set-file helm option ( --set-file configuration=configuration/production.yaml )
+  # ...
+```
+
+Deploying charts from ECR private `helm` registry using IAM role auth
+
+```yaml
+jobs:
+  # ...
+  plan:
+  - put: myapp-helm
+    params:
+      private_registry:
+        ecr:
+          region: us-west-2
+          account_id: "01234567890"
+          role:
+            arn: "arn:aws:iam::09876543210:role/ecr_read_only"
+      # region and account_id of the OCI url need to match the configuration in private_registry.ecr
+      chart: oci://01234567890.dkr.ecr.us-west-2.amazonaws.com/myapp-helm-repo
+      version: 1.2.3-myapp-helm-version
+      namespace: myapp
+      # limitation: concourse uses EKS deploy role, which does not have permission to create namespace on EKS.
+      # for services, namespaces need to be created by service-lifecycle
+      # for addons, namespeces are created by terraform from infra repo
+      create_namespace: false
+      release: myapp
+      values: source-repo/values.yaml
+      override_values:
+      - key: image.tag
+        value: oldest
+  # ...
+```
+
+Deploying charts from ECR private `helm` registry using user auth
+```yaml
+jobs:
+  # ...
+  plan:
+  - put: myapp-helm
+    params:
+      private_registry:
+        ecr:
+          region: us-west-2
+          account_id: "01234567890"
+          profile: ecr_user
+          user:
+            access_key_id: <access_key_id>
+            secret_access_key: <secret_access_key>
+      # region and account_id of the OCI url need to match the configuration in private_registry.ecr
+      chart: oci://01234567890.dkr.ecr.us-west-2.amazonaws.com/myapp-helm-repo
+  # ...
 ```
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-1.25.0
+1.37.0
diff --git a/assets/check b/assets/check
@@ -54,5 +54,5 @@ fi
 
 # if we get here we couldnt find a revision to return so we bail - this is a good thing
 # since check should fail if its configuration cant point to a verifiable state.
-echo "Unable to confirm any revision for namspace: $namespace & release: $release" 
+echo "Unable to confirm any revision for namespace: $namespace & release: $release"
 exit 1