From 915fb3aadc47f448ae994067c73ea47a4c592867 Mon Sep 17 00:00:00 2001 From: Yann David Date: Tue, 2 Aug 2022 14:29:01 -0400 Subject: [PATCH 01/34] Notes about v1.25.0 and base64 cert. --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index d886bda..826dbd5 100644 --- a/README.md +++ b/README.md @@ -10,6 +10,7 @@ Heavily based on the work of [`linkyard/concourse-helm-resource`][linkyard]. ## IMPORTANT NOTES +- Version 1.25.0 expects `cluster_ca` in base64 format in a new parameter called `cluster_ca_base64`. `cluster_ca` can still be used if a plain certificate is passed. - Version 1.21.0 to 1.24.2 seems to be broken for certain uses cases. See [Issue#83](https://github.com/Typositoire/concourse-helm3-resource/issues/83) - Version 1.21.0 to 1.24.2 seems to be missing helm diff plugin due to the use of HELM_PLUGINS environment variable - HELM_PLUGINS was used as a build arg to store plugins list, which made the plugins be installed in a weird From 97caf4a201134caf080655430b52f2e30df98de5 Mon Sep 17 00:00:00 2001 From: Matthew Curtice Date: Wed, 3 Aug 2022 09:41:22 -0400 Subject: [PATCH 02/34] Wait for Jobs (#85) * Wait for Jobs New parameter to set the --wait-for-jobs flag: ` --wait-for-jobs if set and --wait enabled, will wait until all Jobs have been completed before marking the release as successful. It will wait for as long as --timeout` * added parameter for `wait-for-jobs` * removed duplicate code * use elif * Bump minor version * Update VERSION --- README.md | 1 + VERSION | 2 +- assets/out | 6 +++++- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 826dbd5..6bdefa5 100644 --- a/README.md +++ b/README.md 
@@ -115,6 +115,7 @@ Deploy an helm chart charts (i.e. 1.0.2-rc1) without having to specify a version. (Default: false) - `debug`: _Optional._ Dry run the helm install with the debug flag which logs interpolated chart templates. (Default: false) - `check_is_ready`: _Optional._ Requires that `wait` is set to Default. Applies --wait without timeout. (Default: false) +- `wait_for_jobs`: _Optional._ Requires that `wait` is set to Default. Applies --wait and --wait-for-jobs without timeout. (Default: false) - `atomic`: _Optional._ This flag will cause failed installs to purge the release, and failed upgrades to rollback to the previous release. (Default: false) - `reuse_values`: _Optional._ When upgrading, reuse the last release's values. (Default: false) - `reset_values`: _Optional._ When upgrading, reset the values to the ones built into the chart. (Default: false) diff --git a/VERSION b/VERSION index f2538f8..5ff8c4f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.25.0 \ No newline at end of file +1.26.0 diff --git a/assets/out b/assets/out index 8e21b19..cf8327e 100755 --- a/assets/out +++ b/assets/out @@ -41,6 +41,7 @@ reuse_values=$(jq -r '.params.reuse_values // "false"' < $payload) reset_values=$(jq -r '.params.reset_values // "false"' < $payload) wait=$(jq -r '.params.wait // 0' < $payload) check_is_ready=$(jq -r '.params.check_is_ready // "false"' < $payload) +wait_for_jobs=$(jq -r '.params.wait_for_jobs // "false"' < $payload) timeout=$(jq -r '.params.timeout // "5m0s"' < $payload) skip_missing_values=$(jq -r '.params.skip_missing_values // "false"' < $payload) @@ -148,8 +149,11 @@ helm_upgrade() { upgrade_args+=("--create-namespace") fi - if [ "$check_is_ready" == "true" ]; then + if [ "$wait_for_jobs" == "true" ]; then upgrade_args+=("--wait") + upgrade_args+=("--wait-for-jobs") + elif [ "$check_is_ready" == "true" ]; then + upgrade_args+=("--wait") fi if [ "$atomic" == "true" ]; then From 19b424ebe6bf1580294d8d4974586519d9019a28 Mon Sep 17 00:00:00 2001 
From: "David \"BA\" Kohl" Date: Fri, 14 Oct 2022 11:44:24 -0400 Subject: [PATCH 03/34] QOL patches: helm diff color & README update for stable_repo: "false' (#87) * concourse can handle color - ref: https://github.com/databus23/helm-diff/issues/281 * improve README for stable_repo: "false" usage * bump version Co-authored-by: David Kohl --- README.md | 2 +- VERSION | 2 +- assets/out | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 6bdefa5..8db61ef 100644 --- a/README.md +++ b/README.md @@ -56,7 +56,7 @@ resource_types: - `helm_history_max`: _Optional._ Limits the maximum number of revisions. (Default: 0 = no limit) - `repos`: _Optional._ Array of Helm repositories to initialize, each repository is defined as an object with properties `name`, `url` (required) username and password (optional). - `plugins`: _Optional._ Array of Helm plugins to install, each defined as an object with properties `url` (required), `version` (optional). -- `stable_repo`: _Optional_ A `false` value will disable using a default Helm stable repo. Any other value will be used to Override default Helm stable repo URL . Useful if running helm deploys without internet access. +- `stable_repo`: _Optional_ A `"false"` (must be "string" not boolean) value will disable using a default Helm stable repo. Any other value will be used to Override default Helm stable repo URL . Useful if running helm deploys without internet access. - `tracing_enabled`: _Optional._ Enable extremely verbose tracing for this resource. Useful when developing the resource itself. May allow secrets to be displayed. (Default: false) - `helm_setup_purge_all`: _Optional._ Uninstalls and purge every helm release. Use with extreme caution. (Default: false) diff --git a/VERSION b/VERSION index 5ff8c4f..dd43a14 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.26.0 +1.26.1 diff --git a/assets/out b/assets/out index cf8327e..51984b2 100755 --- a/assets/out +++ b/assets/out 
@@ -225,7 +225,7 @@ helm_upgrade() { if [ "$show_diff" = true ] ; then echo "Release diff:" - $helm_bin diff "${helm_diff_args[@]}" | tee "$logfile" + $helm_bin diff --no-color=false "${helm_diff_args[@]}" | tee "$logfile" fi echo "Running command helm ${helm_echo_args[@]} | tee $logfile" From 8965643537c128923974f7a436f0f0008c18307c Mon Sep 17 00:00:00 2001 From: Joshua Vandenhoek <86263105+jvandenhoek@users.noreply.github.com> Date: Tue, 7 Feb 2023 14:39:36 -0700 Subject: [PATCH 04/34] upgrade helm docker image to 3.10.2, version bump (#89) --- Dockerfile | 2 +- VERSION | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 3eaff54..dbd7e55 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine/helm:3.8.0 +FROM alpine/helm:3.10.2 LABEL maintainer "Yann David (@Typositoire) " #Versions for gcloud,kubectl,doctl diff --git a/VERSION b/VERSION index dd43a14..5db08bf 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.26.1 +1.27.0 From 57dcf54d80409915d9e3a11d8bcf0e23ecf58263 Mon Sep 17 00:00:00 2001 From: Joshua Vandenhoek <86263105+jvandenhoek@users.noreply.github.com> Date: Tue, 7 Feb 2023 15:37:48 -0700 Subject: [PATCH 05/34] Gcloud upgrade 416 (#90) * upgrade helm docker image to 3.10.2, version bump * gcloud too old to be used with alpine/helm:3.10.2, upgrading to 416 * version bump --- Dockerfile | 2 +- VERSION | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index dbd7e55..27223e1 100644 --- a/Dockerfile +++ b/Dockerfile @@ -3,7 +3,7 @@ LABEL maintainer "Yann David (@Typositoire) " #Versions for gcloud,kubectl,doctl ARG KUBERNETES_VERSION=1.21.5 -ARG GCLOUD_VERSION=327.0.0 +ARG GCLOUD_VERSION=416.0.0 ARG DOCTL_VERSION=1.57.0 ARG HELM_PLUGINS_TO_INSTALL="https://github.com/databus23/helm-diff" diff --git a/VERSION b/VERSION index 5db08bf..08002f8 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.27.0 +1.27.1 
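Review bot: `--no-color=false` colourises the one stream that `tee "$logfile"` also persists, so `$logfile` now contains ANSI escape sequences, and anything that later reads or greps that file (not visible in this hunk) will see them. If the file copy should stay plain, strip the escapes on the file side only, e.g. `$helm_bin diff --no-color=false "${helm_diff_args[@]}" | tee >(sed $'s/\e\\[[0-9;]*m//g' > "$logfile")`, so the console keeps the colour the linked helm-diff issue asks for. `$helm_bin` stays unquoted as in the surrounding code, and the `helm_upgrade` body continues outside the hunk.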
From e103afec1cafebc27821f947c8fefc92306e6ef7 Mon Sep 17 00:00:00 2001 From: Joshua Vandenhoek <86263105+jvandenhoek@users.noreply.github.com> Date: Thu, 9 Feb 2023 13:11:45 -0700 Subject: [PATCH 06/34] Need to install gke-gcloud-auth-plugin with new versions of gcloud (#91) --- Dockerfile | 10 +++++++++- VERSION | 2 +- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 27223e1..c8a08d8 100644 --- a/Dockerfile +++ b/Dockerfile @@ -21,9 +21,17 @@ RUN curl -sL -o /usr/local/bin/kubectl https://storage.googleapis.com/kubernetes RUN wget https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-${GCLOUD_VERSION}-linux-x86_64.tar.gz \ -O /tmp/google-cloud-sdk.tar.gz | bash +# For use with gke-gcloud-auth-plugin below +# see https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke +# for details +ENV USE_GKE_GCLOUD_AUTH_PLUGIN=True + RUN mkdir -p /usr/local/gcloud \ && tar -C /usr/local/gcloud -xvzf /tmp/google-cloud-sdk.tar.gz \ - && /usr/local/gcloud/google-cloud-sdk/install.sh -q + && /usr/local/gcloud/google-cloud-sdk/install.sh -q \ + ## auth package is split out now, need explicit install + ## --quiet disables interactive prompts + && gcloud components install gke-gcloud-auth-plugin --quiet #copy scripts ADD assets /opt/resource diff --git a/VERSION b/VERSION index 08002f8..cfc7307 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.27.1 +1.28.0 From e05e66ebec7a667896a056238627ff42fc8a92d3 Mon Sep 17 00:00:00 2001 From: Fabien Huitelec Date: Wed, 22 Feb 2023 13:53:28 +0100 Subject: [PATCH 07/34] Add cluster tls-server-name source parameter (#92) * Add cluster tls-server-name source parameter * fix: bump minor version --- README.md | 1 + VERSION | 2 +- assets/common.sh | 9 +++++++-- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 8db61ef..87df5eb 100644 --- a/README.md +++ b/README.md 
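Review bot: The new `gcloud components install gke-gcloud-auth-plugin --quiet` extends an install chain that verifies nothing: the SDK tarball fetched by the preceding `wget` is unpacked and installed by `install.sh` with no checksum, and the archive is left in `/tmp` inside the image layer. Add an integrity check before `install.sh`, e.g. `echo "<EXPECTED_SHA256>  /tmp/google-cloud-sdk.tar.gz" | sha256sum -c -` with the digest recorded next to `GCLOUD_VERSION`, and end the `RUN` with `&& rm /tmp/google-cloud-sdk.tar.gz`. The plugin itself appears to be versioned with the installed SDK, so it is pinned only transitively through `GCLOUD_VERSION`; a comment saying so next to the install line would save the next maintainer from looking for a separate pin.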
@@ -49,6 +49,7 @@ resource_types: - `insecure_cluster`: _Optional._ Skip TLS verification for cluster API. (Required if `cluster_ca` is nil) - `token`: _Optional._ Bearer token for Kubernetes. This, `token_path` or `admin_key`/`admin_cert` are required if `cluster_url` is https. - `token_path`: _Optional._ Path to file containing the bearer token for Kubernetes. This, 'token' or `admin_key`/`admin_cert` are required if `cluster_url` is https. +- `tls_server_name`: _Optional._ Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used. - `admin_key`: _Optional._ Base64 encoded PEM. Required if `cluster_url` is https and no `token` or 'token_path' is provided. - `admin_cert`: _Optional._ Base64 encoded PEM. Required if `cluster_url` is https and no `token` or 'token_path' is provided. - `release`: _Optional._ Name of the release (not a file, a string). (Default: autogenerated by helm) diff --git a/VERSION b/VERSION index cfc7307..5e57fb8 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.28.0 +1.29.0 diff --git a/assets/common.sh b/assets/common.sh index 7a308ad..b0b59cb 100755 --- a/assets/common.sh +++ b/assets/common.sh @@ -35,9 +35,14 @@ setup_kubernetes() { admin_cert=$(jq -r '.source.admin_cert // ""' < $payload) token=$(jq -r '.source.token // ""' < $payload) token_path=$(jq -r '.params.token_path // ""' < $payload) + tls_server_name=$(jq -r '.source.tls_server_name // ""' < $payload) + + if [[ ! -z "$tls_server_name" ]]; then + tls_server_name="--tls-server-name=$tls_server_name" + fi if [ "$insecure_cluster" == "true" ]; then - kubectl config set-cluster default --server=$cluster_url --insecure-skip-tls-verify=true + kubectl config set-cluster default --server=$cluster_url --insecure-skip-tls-verify=true $tls_server_name else ca_path="/root/.kube/ca.pem" if [[ ! -z "$cluster_ca_base64" ]]; then 
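Review bot: `$tls_server_name` is expanded unquoted in the new `kubectl config set-cluster` call so that an empty value disappears, but a value containing whitespace or glob characters is word-split into extra arguments; the second `set-cluster` call in the next hunk has the same pattern. Carrying the optional flag in an array keeps the empty case and quotes the value: `cluster_args=()`, `[[ -n "$tls_server_name" ]] && cluster_args+=("--tls-server-name=$tls_server_name")`, then `kubectl config set-cluster default --server="$cluster_url" --insecure-skip-tls-verify=true "${cluster_args[@]}"`. In the insecure branch the flag is effectively a no-op, since certificate verification is skipped there, so applying it only in the CA branch would also make the intent clearer. `setup_kubernetes` continues outside the hunk.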
@@ -49,7 +54,7 @@ setup_kubernetes() { exit 1 fi - kubectl config set-cluster default --server=$cluster_url --certificate-authority=$ca_path + kubectl config set-cluster default --server=$cluster_url --certificate-authority=$ca_path $tls_server_name fi if [ -f "$source/$token_path" ]; then From 844295a93c38fec462d3ea00dc1de14ff5786b2a Mon Sep 17 00:00:00 2001 From: declement <104446084+declement@users.noreply.github.com> Date: Fri, 24 Feb 2023 13:10:10 +0100 Subject: [PATCH 08/34] Remove dry-run flag from helm diff when debug is on (#93) * fix: fix helm diff when debug is on * fix: bump minor version --- VERSION | 2 +- assets/out | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/VERSION b/VERSION index 5e57fb8..83cf0d9 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.29.0 +1.29.1 diff --git a/assets/out b/assets/out index 51984b2..53761cf 100755 --- a/assets/out +++ b/assets/out @@ -163,7 +163,6 @@ helm_upgrade() { if [ "$debug" == "true" ]; then upgrade_args+=("--debug") upgrade_args+=("--dry-run") - upgrade_diff_args+=("--dry-run") fi if [ -n "$version" ]; then From c26aa001f51499d974aec6d5973ad85519418ca7 Mon Sep 17 00:00:00 2001 From: Thibault Delaune Date: Thu, 19 Oct 2023 18:15:32 +0200 Subject: [PATCH 09/34] Set helm upgrade history-max to 10 releases ... like the default Helm value --- README.md | 2 +- VERSION | 2 +- assets/common.sh | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 87df5eb..c33f787 100644 --- a/README.md +++ b/README.md 
@@ -54,7 +54,7 @@ resource_types: - `admin_cert`: _Optional._ Base64 encoded PEM. Required if `cluster_url` is https and no `token` or 'token_path' is provided. - `release`: _Optional._ Name of the release (not a file, a string). (Default: autogenerated by helm) - `namespace`: _Optional._ Kubernetes namespace the chart will be installed into. (Default: default) -- `helm_history_max`: _Optional._ Limits the maximum number of revisions. (Default: 0 = no limit) +- `helm_history_max`: _Optional._ Limits the maximum number of revisions. Use 0 for no limit. (Default: 10) - `repos`: _Optional._ Array of Helm repositories to initialize, each repository is defined as an object with properties `name`, `url` (required) username and password (optional). - `plugins`: _Optional._ Array of Helm plugins to install, each defined as an object with properties `url` (required), `version` (optional). - `stable_repo`: _Optional_ A `"false"` (must be "string" not boolean) value will disable using a default Helm stable repo. Any other value will be used to Override default Helm stable repo URL . Useful if running helm deploys without internet access. diff --git a/VERSION b/VERSION index 83cf0d9..034552a 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.29.1 +1.30.0 diff --git a/assets/common.sh b/assets/common.sh index b0b59cb..2ca9da4 100755 --- a/assets/common.sh +++ b/assets/common.sh @@ -128,7 +128,7 @@ setup_helm() { # $2 is the name of the source directory - history_max=$(jq -r '.source.helm_history_max // "0"' < $1) + history_max=$(jq -r '.source.helm_history_max // "10"' < $1) helm_bin="helm" From aabd96285d58e1b93bc8d2a93a658870185115de Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Roux=20J=C3=A9r=C3=B4me?= Date: Fri, 17 Nov 2023 15:04:16 +0100 Subject: [PATCH 10/34] add type file to override_values (#101) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * add type file to override_values * change version for concourse * manage scrubbed overridden value * major version for new feature * add example in README.md --------- Co-authored-by: Jérôme Roux --- README.md | 4 ++++ VERSION | 2 +- assets/out | 25 ++++++++++++++----------- 3 files changed, 19 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index 87df5eb..789133b 100644 --- a/README.md +++ b/README.md @@ -102,6 +102,7 @@ Deploy an helm chart the file in that path. A `hide: true` parameter ensures that the value is not logged and instead replaced with `***HIDDEN***`. A `type: string` parameter makes sure Helm always treats the value as a string (uses the `--set-string` option to Helm; useful if the value varies and may look like a number, eg. if it's a Git commit hash). + A `type: file` parameter makes Helm treats the `path` as file (uses the `--set-file` option to Helm). A `verbatim: true` parameter escapes backslashes so the value is passed as-is to the Helm chart (useful for `((credentials))`). The default behaviour of backslashes in `--set` is to quote the next character so `val\ue` is treated as `value` by Helm. - `token_path`: _Optional._ Path to file containing the bearer token for Kubernetes. This, 'token' or `admin_key`/`admin_cert` are required if `cluster_url` is https. @@ -202,4 +203,7 @@ jobs: - key: image.tag path: version/image_tag # Read value from version/number type: string # Make sure it's interpreted as a string by Helm (not a number) + - key: configuration + path: configuration/production.yaml # add path to --set-file helm option + type: file # use --set-file helm option ( --set-file configuration=configuration/production.yaml ) ``` diff --git a/VERSION b/VERSION index 83cf0d9..034552a 100644 
--- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.29.1 +1.30.0 diff --git a/assets/out b/assets/out index 53761cf..6bca58f 100755 --- a/assets/out +++ b/assets/out @@ -88,24 +88,27 @@ fi set_overridden_values() { while read -r -d '' key && read -r -d '' value && read -r -d '' path && read -r -d '' hidden && read -r -d '' type && read -r -d '' verbatim; do - if [ -n "$path" ]; then - value="$(< "$source/$path")" - fi + if [ "$type" == 'file' ]; then + helm_set_opt='--set-file' + value="$source/$path" + else + if [ -n "$path" ]; then + value="$(< "$source/$path")" + fi - if [ "$verbatim" != 'false' ]; then - value="${value/\\/\\\\}" + if [ "$verbatim" != 'false' ]; then + value="${value/\\/\\\\}" + fi + helm_set_opt='--set' + if [ "$type" == 'string' ]; then + helm_set_opt='--set-string' + fi fi - scrubbed_value="$value" if [ "$hidden" != 'false' ]; then scrubbed_value='***HIDDEN***' fi - helm_set_opt='--set' - if [ "$type" == 'string' ]; then - helm_set_opt='--set-string' - fi - overridden_args+=("$helm_set_opt" "$key=$value") scrubbed_overridden_args+=("$helm_set_opt" "$key=$scrubbed_value") done < <(jq -j '.params.override_values[]? | if has("key") and (has("value") or has("path")) then (.key, .value // "", .path // "", .hide // false, .type, .verbatim // false) else empty end | tostring + "\u0000"' < $payload) From 62cd24934d9c8965e7258fe3f3e12d985bdc3144 Mon Sep 17 00:00:00 2001 From: Yann David Date: Fri, 17 Nov 2023 09:06:21 -0500 Subject: [PATCH 11/34] Update README.md --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 789133b..5a51fa1 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,7 @@ +# IMPORTANT + +https://github.com/Typositoire/concourse-helm3-resource/issues/102 + # Helm Resource for Concourse ![CI Build](https://concourse.pubb-it.com/api/v1/teams/main/pipelines/concourse-helm3-resource/jobs/build-image-tag/badge) From 170fae6764b4a610e0e8b941ef28e6df9b7eb2f8 Mon Sep 17 00:00:00 2001 
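Review bot: The new `type == 'file'` branch hands `"$source/$path"` to `--set-file` without checking that `path` was given or that the file exists, so an entry with `type: file` and a missing or wrong `path` (which yields just `$source/`) only fails later inside helm with a less specific error. Guard it in the branch before assigning `value`: `if [ ! -f "$source/$path" ]; then echo "override_values: no file at '$path' for key '$key'" >&2; exit 1; fi`. The path is joined to `$source` verbatim, exactly as the existing `$(< "$source/$path")` branch does, so it is resolved relative to the build's working directory. The function's closing brace lies outside the hunk.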
From: Robin Tang Date: Thu, 21 Dec 2023 14:58:16 -0800 Subject: [PATCH 12/34] Support AWS EKS (#97) * Support EKS. * Tweak * Reset Make and update VERSION. * Update README * Update common.sh * Fix * Bump version * Update VERSION --- Dockerfile | 11 ++++++++--- Makefile | 6 ++++-- README.md | 12 ++++++++++++ VERSION | 2 +- assets/check | 2 +- assets/common.sh | 33 +++++++++++++++++++++++++++++++++ 6 files changed, 59 insertions(+), 7 deletions(-) diff --git a/Dockerfile b/Dockerfile index c8a08d8..8ea50a9 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,10 +1,12 @@ -FROM alpine/helm:3.10.2 -LABEL maintainer "Yann David (@Typositoire) " +FROM --platform=linux/amd64 alpine/helm:3.10.2 +LABEL maintainer="Yann David (@Typositoire) " -#Versions for gcloud,kubectl,doctl +# Versions for gcloud, kubectl, doctl, awscli ARG KUBERNETES_VERSION=1.21.5 ARG GCLOUD_VERSION=416.0.0 ARG DOCTL_VERSION=1.57.0 +# https://pypi.org/project/awscli/ +ARG AWSCLI_VERSION=1.31.10 ARG HELM_PLUGINS_TO_INSTALL="https://github.com/databus23/helm-diff" #gcloud path @@ -21,6 +23,9 @@ RUN curl -sL -o /usr/local/bin/kubectl https://storage.googleapis.com/kubernetes RUN wget https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-${GCLOUD_VERSION}-linux-x86_64.tar.gz \ -O /tmp/google-cloud-sdk.tar.gz | bash +#install awscli +RUN pip install awscli==${AWSCLI_VERSION} + # For use with gke-gcloud-auth-plugin below # see https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke # for details diff --git a/Makefile b/Makefile index 646b30b..f8f0592 100644 --- a/Makefile +++ b/Makefile @@ -1,13 +1,15 @@ PROJECT = concourse-helm3 ID = YOUR_DOCKER_HOST_HERE/${PROJECT} +VERSION = $(shell cat VERSION) + all: build push build: - docker build --tag ${ID}:release-candidate . + docker build --tag ${ID}:$(VERSION) . push: - docker push ${ID} + docker push ${ID}:$(VERSION) run: docker run \ diff --git a/README.md b/README.md index 5a51fa1..e37dfe9 100644 --- a/README.md 
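Review bot: `RUN pip install awscli==${AWSCLI_VERSION}` pins the version but not the artifact and leaves pip's download cache in the layer; `pip install --no-cache-dir awscli==${AWSCLI_VERSION}` trims the image, and a `--require-hashes` requirements file would make the install verify what it downloads. `FROM --platform=linux/amd64` hard-codes the target platform into the Dockerfile, which forces emulation for anyone building on arm64 and is usually left to `docker build --platform`. The Makefile change tags and pushes by `VERSION`, so the `release-candidate` tag the old rule produced is no longer published; if anything consumed it, that deserves a line in the README.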
+++ b/README.md @@ -185,6 +185,18 @@ resources: url: https://somerepo.github.io/charts ``` +Amazon EKS +```yaml +resources: +- name: myapp-helm + type: helm + source: + aws_cluster_auth: true + aws_access_key_id: key + aws_secret_access_key: value + aws_region: aws-region + aws_cluster_name: eks-cluster-name +``` Add to job: diff --git a/VERSION b/VERSION index 034552a..34aae15 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.30.0 +1.31.0 diff --git a/assets/check b/assets/check index a84b2e4..206f17e 100755 --- a/assets/check +++ b/assets/check @@ -54,5 +54,5 @@ fi # if we get here we couldnt find a revision to return so we bail - this is a good thing # since check should fail if its configuration cant point to a verifiable state. -echo "Unable to confirm any revision for namspace: $namespace & release: $release" +echo "Unable to confirm any revision for namespace: $namespace & release: $release" exit 1 diff --git a/assets/common.sh b/assets/common.sh index b0b59cb..c90d6a7 100755 --- a/assets/common.sh +++ b/assets/common.sh 
@@ -82,6 +82,35 @@ setup_kubernetes() {
 kubectl version
 }
 
+setup_aws_kubernetes() {
+# Need to pass in:
+# source.aws_cluster_auth (bool)
+# source.aws_access_key_id
+# source.aws_secret_access_key
+# source.aws_region
+# source.aws_cluster_name
+ payload=$1
+ source=$2
+
+ aws_access_key_id=$(jq -r '.source.aws_access_key_id // ""' < $payload)
+ aws_secret_access_key=$(jq -r '.source.aws_secret_access_key // ""' < $payload)
+ aws_region=$(jq -r '.source.aws_region // ""' < $payload)
+ aws_cluster_name=$(jq -r '.source.aws_cluster_name // ""' < $payload)
+
+ if [ -z "$aws_access_key_id" ] || [ -z "$aws_secret_access_key" ] || [ -z "$aws_region" ] || [ -z "$aws_cluster_name" ]; then
+ echo "invalid payload for AWS EKS auth, please pass all required params"
+ exit 1
+ fi
+ # -p so that it doesn't fail if folder already exists.
+ mkdir -p ~/.aws
+ echo "[default]
+ aws_access_key_id=$aws_access_key_id
+ aws_secret_access_key=$aws_secret_access_key
+ region=$aws_region" > ~/.aws/credentials
+
+ aws eks update-kubeconfig --region $aws_region --name $aws_cluster_name
+}
+
 setup_gcp_kubernetes() {
 payload=$1
 source=$2
@@ -217,6 +246,7 @@ setup_resource() {
 do_cluster_id=$(jq -r '.source.digitalocean.cluster_id // "false"' < $1)
 do_access_token=$(jq -r '.source.digitalocean.access_token // "false"' < $1)
 gcloud_cluster_auth=$(jq -r '.source.gcloud_cluster_auth // "false"' < $1)
+ aws_cluster_auth=$(jq -r '.source.aws_cluster_auth // "false"' < $1)
 
 if [ "$do_cluster_id" != "false" ] && [ "$do_access_token" != "false" ]; then
 echo "Initializing digitalocean..."
@@ -224,6 +254,9 @@ setup_resource() {
 elif [ "$gcloud_cluster_auth" = "true" ]; then
 echo "Initializing kubectl access using gcloud service account file"
 setup_gcp_kubernetes $1 $2
+ elif [ "$aws_cluster_auth" = "true" ]; then
+ echo "Initializing kubectl access using AWS credentials"
+ setup_aws_kubernetes $1 $2
 else
 echo "Initializing kubectl using certificates"
 setup_kubernetes $1 $2
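Review bot: `setup_aws_kubernetes` writes the access key and secret into `~/.aws/credentials` with `echo ... >` under the default umask, so the file (and `~/.aws`) is created with the container's default, typically world-readable, mode, and the quoted string also carries the script's indentation into every ini line. Create both under `umask 077` inside a subshell and emit the lines with `printf`, so the mode change does not leak into the rest of the script; the rewritten tail of the function is below. If every later kubectl/helm call runs in this same shell process, which the hunk does not show, exporting `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_DEFAULT_REGION` instead would avoid persisting the secret at all. `aws eks update-kubeconfig --region $aws_region --name $aws_cluster_name` should quote both values, and the dispatch hunk further down passes `$1 $2` unquoted like the existing gcloud branch.
```shell
    # … unchanged: payload/source assignment, jq reads, required-params check …
    # umask is scoped to the subshell: ~/.aws ends up 0700 and the credentials
    # file 0600, without changing file modes for the rest of the script.
    (
        umask 077
        mkdir -p ~/.aws
        printf '[default]\naws_access_key_id=%s\naws_secret_access_key=%s\nregion=%s\n' \
            "$aws_access_key_id" "$aws_secret_access_key" "$aws_region" > ~/.aws/credentials
    )

    aws eks update-kubeconfig --region "$aws_region" --name "$aws_cluster_name"
```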
From 5f433eea56192ebd325030c1e206935298ed17f3 Mon Sep 17 00:00:00 2001 From: Robin Tang Date: Sun, 18 Feb 2024 18:44:26 -0800 Subject: [PATCH 13/34] Update K8s to 1.26.0. --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 8ea50a9..0de600c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,7 +2,7 @@ FROM --platform=linux/amd64 alpine/helm:3.10.2 LABEL maintainer="Yann David (@Typositoire) " # Versions for gcloud, kubectl, doctl, awscli -ARG KUBERNETES_VERSION=1.21.5 +ARG KUBERNETES_VERSION=1.26.0 ARG GCLOUD_VERSION=416.0.0 ARG DOCTL_VERSION=1.57.0 # https://pypi.org/project/awscli/ From 76860c774faaa2dbd0f42c59100aad0a4f0418bd Mon Sep 17 00:00:00 2001 From: Robin Tang Date: Sun, 18 Feb 2024 18:45:38 -0800 Subject: [PATCH 14/34] Add a comment for K8s vers. --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index 0de600c..ed3979a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,6 +2,7 @@ FROM --platform=linux/amd64 alpine/helm:3.10.2 LABEL maintainer="Yann David (@Typositoire) " # Versions for gcloud, kubectl, doctl, awscli +# K8 versions: https://kubernetes.io/releases/ ARG KUBERNETES_VERSION=1.26.0 ARG GCLOUD_VERSION=416.0.0 ARG DOCTL_VERSION=1.57.0 From 1e97b123775ea36cc5b0c7371169a4531f3f4078 Mon Sep 17 00:00:00 2001 From: Robin Tang Date: Tue, 20 Feb 2024 10:15:01 -0800 Subject: [PATCH 15/34] Upgrade to K8s 1.26.0. (#1) * Upgrade to 1.26.0. * Update Version. --- Dockerfile | 3 ++- VERSION | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 8ea50a9..ed3979a 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -2,7 +2,8 @@ FROM --platform=linux/amd64 alpine/helm:3.10.2 LABEL maintainer="Yann David (@Typositoire) " # Versions for gcloud, kubectl, doctl, awscli -ARG KUBERNETES_VERSION=1.21.5 +# K8 versions: https://kubernetes.io/releases/ +ARG KUBERNETES_VERSION=1.26.0 ARG GCLOUD_VERSION=416.0.0 ARG DOCTL_VERSION=1.57.0 # https://pypi.org/project/awscli/ diff --git a/VERSION b/VERSION index 34aae15..359c410 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.31.0 +1.32.0 From a6be5ea20496c2dfee5e2f1e2f18c7d172679dda Mon Sep 17 00:00:00 2001 From: Robin Tang Date: Tue, 20 Feb 2024 16:54:19 -0800 Subject: [PATCH 16/34] Upgrading Helm and Kubernetes. (#2) * Upgrading Helm and Kubernetes. * Update. * Remove redundant comment. --- Dockerfile | 14 ++++++-------- Makefile | 2 +- VERSION | 2 +- 3 files changed, 8 insertions(+), 10 deletions(-) diff --git a/Dockerfile b/Dockerfile index ed3979a..00951bb 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,20 +1,21 @@ -FROM --platform=linux/amd64 alpine/helm:3.10.2 +FROM --platform=linux/amd64 alpine/helm:3.13.3 +# Helm supported version along with K8 version: https://helm.sh/docs/topics/version_skew/ + LABEL maintainer="Yann David (@Typositoire) " # Versions for gcloud, kubectl, doctl, awscli # K8 versions: https://kubernetes.io/releases/ -ARG KUBERNETES_VERSION=1.26.0 +ARG KUBERNETES_VERSION=1.27.11 ARG GCLOUD_VERSION=416.0.0 ARG DOCTL_VERSION=1.57.0 -# https://pypi.org/project/awscli/ -ARG AWSCLI_VERSION=1.31.10 +ARG AWSCLI_VERSION=2.13.25-r0 ARG HELM_PLUGINS_TO_INSTALL="https://github.com/databus23/helm-diff" #gcloud path ENV PATH $PATH:/usr/local/gcloud/google-cloud-sdk/bin #install packages -RUN apk add --update --upgrade --no-cache jq bash curl git gettext libintl py-pip +RUN apk add --update --upgrade --no-cache jq bash curl git gettext libintl py-pip aws-cli=${AWSCLI_VERSION} #install kubectl RUN curl -sL -o /usr/local/bin/kubectl https://storage.googleapis.com/kubernetes-release/release/v${KUBERNETES_VERSION}/bin/linux/amd64/kubectl; \ @@ -24,9 +25,6 @@ RUN curl -sL -o /usr/local/bin/kubectl https://storage.googleapis.com/kubernetes RUN wget https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-${GCLOUD_VERSION}-linux-x86_64.tar.gz \ -O /tmp/google-cloud-sdk.tar.gz | bash -#install awscli -RUN pip install awscli==${AWSCLI_VERSION} - # For use with gke-gcloud-auth-plugin below # see https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke # for details diff --git a/Makefile b/Makefile index f8f0592..66f136e 100644 --- a/Makefile +++ b/Makefile @@ -1,5 +1,5 @@ PROJECT = concourse-helm3 -ID = YOUR_DOCKER_HOST_HERE/${PROJECT} +ID = artielabs/${PROJECT} VERSION = $(shell cat VERSION) diff --git a/VERSION b/VERSION index 359c410..7aa332e 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.32.0 +1.33.0 From af8b0f9f82b11a6e9f24b14742189e8bd9f87f2c Mon Sep 17 00:00:00 2001 
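Review bot: `apk add --update --upgrade ... aws-cli=${AWSCLI_VERSION}` pins an exact package revision (`2.13.25-r0`) while `--update --upgrade` fetches the live repository index; Alpine's repositories carry only the current build of each package, so this `RUN` will fail as soon as `aws-cli` is rebuilt or bumped upstream. A fuzzy pin such as `aws-cli~=2.13` keeps the constraint without the brittleness, or pin the whole base image by digest (`alpine/helm:3.13.3@sha256:<BASE_DIGEST>`) so the package set is frozen with it; the tag-only `FROM` is otherwise the one unpinned input left in this file. The Makefile hunk swaps the `YOUR_DOCKER_HOST_HERE` placeholder for a specific namespace, which looks like a local setting that should not land in the shared file.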
From: Robin Tang Date: Tue, 20 Feb 2024 17:08:30 -0800 Subject: [PATCH 17/34] Update VERSION --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 8602511..7aa332e 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.32.0 \ No newline at end of file +1.33.0 From 28d53bbd8a94b185d127f2247ea61124f707ba52 Mon Sep 17 00:00:00 2001 From: Robin Tang Date: Tue, 20 Feb 2024 17:36:25 -0800 Subject: [PATCH 18/34] Update Make. --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 66f136e..f8f0592 100644 --- a/Makefile +++ b/Makefile @@ -1,5 +1,5 @@ PROJECT = concourse-helm3 -ID = artielabs/${PROJECT} +ID = YOUR_DOCKER_HOST_HERE/${PROJECT} VERSION = $(shell cat VERSION) From a58f05493dd073f41fe2afc8fc6118e2dc755dac Mon Sep 17 00:00:00 2001 From: Robin Tang Date: Tue, 20 Feb 2024 17:36:47 -0800 Subject: [PATCH 19/34] Bump version. --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 7aa332e..2b17ffd 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.33.0 +1.34.0 From 5d11b8d306775970729654738eb51d12f7b06638 Mon Sep 17 00:00:00 2001 From: Xing Du <95306979+xdu-opendoor@users.noreply.github.com> Date: Thu, 29 Feb 2024 15:21:33 -0800 Subject: [PATCH 20/34] Support role-based authentication for authenticating with EKS and supporting ECR as OCI helm registry (#107) * use role arn for aws eks auth * use role based auth for AWS EKS * supporting using ECR for helm registry login * updating README * version bump to 1.35.0 * addressing minor feedback first * supporting user auth for both EKS and ECR * adding examples to readme * adding log and remove empty lines --- README.md | 96 +++++++++++++++++++++++++++++++++++++++++++++--- VERSION | 2 +- assets/common.sh | 90 +++++++++++++++++++++++++++++++++++---------- assets/out | 79 +++++++++++++++++++++++++++++++++++++++ 4 files changed, 240 insertions(+), 27 deletions(-) 
diff --git a/README.md b/README.md index 66fc2b1..0c60bd6 100644 --- a/README.md +++ b/README.md @@ -84,6 +84,16 @@ resource_types: - `digitalocean.cluster_id` _Optional._ ClusterID on digitalocean to fetch kubeconfig. - `digitalocean.access_token` _Optionl._ Read Access Token to fetch kubeconfig. +## Source options for AWS EKS + +- `aws.region` _Optional._ Region of the EKS cluster +- `aws.cluster_name` _Optionl._ Name of the EKS cluster +- `aws.profile` _Optional._ Name of the AWS profile to store/use credentials, defaults to `default`. Only used for non-role based authentication +- `aws.role.arn` _Optional._ ARN of the role to be used for EKS authentication +- `aws.role.session_name` _Optional._ Session name of the assume-role session +- `aws.user.access_key_id` _Optional._ Access key id of the user credential used for EKS authentication +- `aws.user.secret_access_key` _Optional._ Secret access key of the user credential used for EKS authentication + ## Behavior ### `check`: Check the release, not happy with dynamic releases. 
@@ -96,6 +106,13 @@ Deploy an helm chart #### Parameters +- `private_registry.ecr.region`: _Optional._ Region of ECR `helm` registry. +- `private_registry.ecr.account_id`: _Optional._ AWS account id of ECR `helm` registry. +- `private_registry.ecr.profile` _Optional._ Name of the AWS profile to store/use credentials, defaults to `default`. Only used for non-role based authentication. +- `private_registry.ecr.role.arn`: _Optional._ AWS IAM role ARN to be used to authenticate with ECR `helm` registry. +- `private_registry.ecr.role.session_name`: _Optional._ AWS assume role session name for authenticating with ECR `helm` registry. +- `private_registry.ecr.user.access_key_id` _Optional._ Access key id of the user credential used for ECR `helm` registry authentication +- `private_registry.ecr.user.secret_access_key` _Optional._ Secret access key of the user credential used for ECR `helm` registry authentication - `chart`: _Required._ Either the file containing the helm chart to deploy (ends with .tgz), the path to a local directory containing the chart or the name of the chart from a repo (e.g. `stable/mysql`). - `namespace`: _Optional._ Either a file containing the name of the namespace or the name of the namespace. (Default: taken from source configuration). - `create_namespace`: _Optional._ Create the namespace if it doesn't exist (Default: false). 
@@ -185,17 +202,33 @@ resources: url: https://somerepo.github.io/charts ``` -Amazon EKS +Amazon EKS using IAM role +```yaml +resources: +- name: myapp-helm + type: helm + source: + aws: + region: aws-region + cluster_name: eks-cluster-name + role: + arn: arn:aws:iam:::role/ + session_name: EKSAssumeRoleSession +``` + +Amazon EKS using user ```yaml resources: - name: myapp-helm type: helm source: - aws_cluster_auth: true - aws_access_key_id: key - aws_secret_access_key: value - aws_region: aws-region - aws_cluster_name: eks-cluster-name + aws: + region: aws-region + cluster_name: eks-cluster-name + profile: eks_user + user: + access_key_id: + secret_access_key: ``` Add to job: 
@@ -222,4 +255,55 @@ jobs: - key: configuration path: configuration/production.yaml # add path to --set-file helm option type: file # use --set-file helm option ( --set-file configuration=configuration/production.yaml ) + # ... +``` + +Deploying charts from ECR private `helm` registry using IAM role auth + +```yaml +jobs: + # ... + plan: + - put: myapp-helm + params: + private_registry: + ecr: + region: us-west-2 + account_id: "01234567890" + role: + arn: "arn:aws:iam::09876543210:role/ecr_read_only" + # region and account_id of the OCI url need to match the configuration in private_registry.ecr + chart: oci://01234567890.dkr.ecr.us-west-2.amazonaws.com/myapp-helm-repo + version: 1.2.3-myapp-helm-version + namespace: myapp + # limitation: concourse uses EKS deploy role, which does not have permission to create namespace on EKS. + # for services, namespaces need to be created by service-lifecycle + # for addons, namespeces are created by terraform from infra repo + create_namespace: false + release: myapp + values: source-repo/values.yaml + override_values: + - key: image.tag + value: oldest + # ... +``` + +Deploying charts from ECR private `helm` registry using user auth +```yaml +jobs: + # ... + plan: + - put: myapp-helm + params: + private_registry: + ecr: + region: us-west-2 + account_id: "01234567890" + profile: ecr_user + user: + access_key_id: + secret_access_key: + # region and account_id of the OCI url need to match the configuration in private_registry.ecr + chart: oci://01234567890.dkr.ecr.us-west-2.amazonaws.com/myapp-helm-repo + # ... ``` diff --git a/VERSION b/VERSION index 2b17ffd..2aeaa11 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.34.0 +1.35.0 diff --git a/assets/common.sh b/assets/common.sh index 7e36d98..046ce61 100755 --- a/assets/common.sh +++ b/assets/common.sh 
@@ -84,31 +84,81 @@ setup_kubernetes() { setup_aws_kubernetes() { # Need to pass in: -# source.aws_cluster_auth (bool) -# source.aws_access_key_id -# source.aws_secret_access_key -# source.aws_region -# source.aws_cluster_name +# source.aws.region +# source.aws.cluster_name +# source.role **or** source.user payload=$1 source=$2 - aws_access_key_id=$(jq -r '.source.aws_access_key_id // ""' < $payload) - aws_secret_access_key=$(jq -r '.source.aws_secret_access_key // ""' < $payload) - aws_region=$(jq -r '.source.aws_region // ""' < $payload) - aws_cluster_name=$(jq -r '.source.aws_cluster_name // ""' < $payload) + region=$(jq -r '.source.aws.region // ""' < $payload) + cluster_name=$(jq -r '.source.aws.cluster_name // ""' < $payload) + + # only relevant to non-role based auth + # no default value in order to support instance profile + profile=$(jq -r '.source.aws.profile // ""' < $payload) + profile_opt="" + if [ -n "$profile" ]; then + profile_opt="--profile ${profile}" + fi - if [ -z "$aws_access_key_id" ] || [ -z "$aws_secret_access_key" ] || [ -z "$aws_region" ] || [ -z "$aws_cluster_name" ]; then - echo "invalid payload for AWS EKS auth, please pass all required params" + if [ -z "$region" ] || [ -z "$cluster_name" ]; then + echo "invalid payload for AWS EKS, please pass all required params" exit 1 fi - # -p so that it doesn't fail if folder already exists. - mkdir -p ~/.aws - echo "[default] - aws_access_key_id=$aws_access_key_id - aws_secret_access_key=$aws_secret_access_key - region=$aws_region" > ~/.aws/credentials - - aws eks update-kubeconfig --region $aws_region --name $aws_cluster_name + + use_role_base_auth=$(jq -r '.source.aws|has("role")' < $payload) + use_user_base_auth=$(jq -r '.source.aws|has("user")' < $payload) + + if [ "${use_role_base_auth}" = true ]; then + # prioritize role based auth if both are specified. + echo "proceed with assume-role to set up kubeconfig." 
+ role_arn=$(jq -r '.source.aws.role.arn // ""' < $payload) + role_session_name=$(jq -r '.source.aws.role.session_name // ""' < $payload) + + echo "role_arn=${role_arn} role_session_name=${role_session_name}" + if [ -z "${role_arn}" ]; then + echo "invalid role arn for AWS EKS" + exit 1 + fi + # `aws eks update-kubeconfig --role-arn` only populates the `role-arn` to be used + # for `get-token`, and the role specified is not used for the initial describe cluster action + # name-based discovery is limited to same account as whatever profile is being used. + # additional functionality added to assume the same specified role in order to discover the cluster + $(printf "env AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s" \ + $(aws sts assume-role \ + --role-arn ${role_arn} \ + --role-session-name ${role_session_name:-EKSAssumeRoleSession} \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text)) aws eks update-kubeconfig --region ${region} --name ${cluster_name} --role-arn ${role_arn} + + # assumed role credentail will **NOT** be persisted on the disk + elif [ "${use_user_base_auth}" = true ]; then + echo "proceed with user credentials to set up kubeconfig." + + access_key_id=$(jq -r '.source.aws.user.access_key_id // ""' < $payload) + secret_access_key=$(jq -r '.source.aws.user.secret_access_key // ""' < $payload) + + if [ -z "$access_key_id" ] || [ -z "$secret_access_key" ]; then + echo "invalid user auth payload for AWS EKS, please pass all required params" + exit 1 + fi + + # user credentail will be persisted on the disk under a specific profile + # in order to call `aws eks get-token` + mkdir -p ~/.aws + echo "[${profile:-default}] + aws_access_key_id=${access_key_id} + aws_secret_access_key=${secret_access_key} + region=${region}" > ~/.aws/credentials + + aws eks update-kubeconfig --region ${region} --name ${cluster_name} ${profile_opt} + else + # defaults to use instance identity. 
+ echo "no role or user specified. Fallback to use identity of the instance e.g. instance profile) to set up kubeconfig" + + aws eks update-kubeconfig --region ${region} --name ${cluster_name} ${profile_opt} + fi + echo "done setting up kubeconfig for EKS" } setup_gcp_kubernetes() { @@ -246,7 +296,7 @@ setup_resource() { do_cluster_id=$(jq -r '.source.digitalocean.cluster_id // "false"' < $1) do_access_token=$(jq -r '.source.digitalocean.access_token // "false"' < $1) gcloud_cluster_auth=$(jq -r '.source.gcloud_cluster_auth // "false"' < $1) - aws_cluster_auth=$(jq -r '.source.aws_cluster_auth // "false"' < $1) + aws_cluster_auth=$(jq -r '.source|has("aws")' < $1) if [ "$do_cluster_id" != "false" ] && [ "$do_access_token" != "false" ]; then echo "Initializing digitalocean..." diff --git a/assets/out b/assets/out index 6bca58f..8a5fd22 100755 --- a/assets/out +++ b/assets/out @@ -18,6 +18,7 @@ setup_resource $payload $source setup_repos $payload $source echo "Resource setup successful." +private_registry=$(jq -r '.params|has("private_registry")' < $payload) namespace=$(jq -r '.source.namespace // "default"' < $payload) release=$(jq -r '.source.release // ""' < $payload) chart=$(jq -r '.params.chart // ""' < $payload) 
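Review bot: The assumed-role credentials are spliced into the command line of `env` — `$(printf "env AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s" $(aws sts assume-role ...)) aws eks update-kubeconfig ...` — so the access key, secret and session token are visible in the process argv (`ps`) and in the `set -x` trace that the resource's `tracing_enabled` option turns on. Because the `aws sts assume-role` call runs inside a command substitution, its failure is not surfaced even if the script runs under `set -e`: printf then emits `env AWS_ACCESS_KEY_ID= AWS_SECRET_ACCESS_KEY= AWS_SESSION_TOKEN=` and update-kubeconfig proceeds with empty credentials, producing a confusing error much later. Reading the three fields into variables, checking the exit status, and scoping the exports to the one command keeps the secrets out of argv and makes the failure explicit; the same pattern appears in the role branch of `helm_registry_login` in the assets/out hunk and should be changed the same way. The start of `setup_aws_kubernetes` is in this hunk but the surrounding file (including any `set -e`) is not.
```shell
    # assume the role once and check the result instead of splicing it into argv
    if ! assumed=$(aws sts assume-role \
          --role-arn "${role_arn}" \
          --role-session-name "${role_session_name:-EKSAssumeRoleSession}" \
          --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
          --output text); then
      echo "assume-role failed for ${role_arn}" >&2
      exit 1
    fi
    read -r assumed_key assumed_secret assumed_token <<<"${assumed}"
    AWS_ACCESS_KEY_ID="${assumed_key}" \
    AWS_SECRET_ACCESS_KEY="${assumed_secret}" \
    AWS_SESSION_TOKEN="${assumed_token}" \
      aws eks update-kubeconfig --region "${region}" --name "${cluster_name}" --role-arn "${role_arn}"
    # … unchanged: user-credential and instance-identity branches …
```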
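Review bot: Sources that still use the legacy `aws_cluster_auth: true` key (with `aws_access_key_id`, `aws_region`, ...) now silently skip EKS setup, because `aws_cluster_auth=$(jq -r '.source|has("aws")' < $1)` only recognises the new `source.aws` object; such a pipeline will fail later with an unrelated kubeconfig/helm error rather than a clear message. A one-line guard next to the new line makes the breaking change explicit: `if [ "$(jq -r '.source.aws_cluster_auth // "false"' < $1)" = "true" ]; then echo "source.aws_cluster_auth is no longer supported; use source.aws" >&2; exit 1; fi`. The rest of `setup_resource` is outside the hunk.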
@@ -86,6 +87,78 @@ else chart_full="$chart" fi +helm_registry_login() { + ecr=$(jq -r '.params.private_registry|has("ecr")' < $payload) + if [ "${ecr}" = true ]; then + region=$(jq -r '.params.private_registry.ecr.region // ""' < $payload) + account_id=$(jq -r '.params.private_registry.ecr.account_id // ""' < $payload) + # only relevant to non-role based auth + # no default value in order to support instance profile + profile=$(jq -r '.params.private_registry.ecr.profile // ""' < $payload) + profile_opt="" + if [ -n "$profile" ]; then + profile_opt="--profile ${profile}" + fi + + echo "authenticating with ECR. region=${region} account_id=${account_id}" + if [ -z "$region" ] || [ -z "$account_id" ]; then + echo "invalid payload for AWS ECR, please pass all required params" + exit 1 + fi + + use_role_base_auth=$(jq -r '.params.private_registry.ecr|has("role")' < $payload) + use_user_base_auth=$(jq -r '.params.private_registry.ecr|has("user")' < $payload) + + if [ "${use_role_base_auth}" = true ]; then + echo "use role to authenticate with ECR." + role_arn=$(jq -r '.params.private_registry.ecr.role.arn // ""' < $payload) + role_session_name=$(jq -r '.params.private_registry.ecr.role.session_name // ""' < $payload) + echo "role_arn=${role_arn} role_session_name=${role_session_name}" + + if [ -z "${role_arn}" ]; then + echo "invalid role arn for AWS EKS" + exit 1 + fi + + $(printf "env AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s" \ + $(aws sts assume-role \ + --role-arn ${role_arn} \ + --role-session-name ${role_session_name:-ECRAssumeRoleSession} \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text)) aws ecr get-login-password --region ${region} | helm registry login --username AWS --password-stdin ${account_id}.dkr.ecr.${region}.amazonaws.com + # assumed role credentail will **NOT** be persisted on the disk + elif [ "${use_user_base_auth}" = true ]; then + echo "use user credentials to authenticate with ECR." 
+ + access_key_id=$(jq -r '.params.private_registry.ecr.user.access_key_id // ""' < $payload) + secret_access_key=$(jq -r '.params.private_registry.ecr.user.secret_access_key // ""' < $payload) + + if [ -z "$access_key_id" ] || [ -z "$secret_access_key" ]; then + echo "invalid user auth payload for AWS EKS, please pass all required params" + exit 1 + fi + + # user credentail will be persisted on the disk under a specific profile + mkdir -p ~/.aws + echo "[${profile:-default}] + aws_access_key_id=${access_key_id} + aws_secret_access_key=${secret_access_key} + region=${region}" > ~/.aws/credentials + + aws ecr get-login-password --region ${region} ${profile_opt} | helm registry login --username AWS --password-stdin ${account_id}.dkr.ecr.${region}.amazonaws.com + else + # defaults to use instance identity. + echo "no role or user specified. Fallback to use identity of the instance e.g. instance profile) to authenticate with ECR" + aws ecr get-login-password --region ${region} ${profile_opt} | helm registry login --username AWS --password-stdin ${account_id}.dkr.ecr.${region}.amazonaws.com + fi + echo "done logging in to ECR" + else + # implement support for other helm registry following a similar pattern + echo "unsupported private reigistry configuration" + exit 1 + fi +} + set_overridden_values() { while read -r -d '' key && read -r -d '' value && read -r -d '' path && read -r -d '' hidden && read -r -d '' type && read -r -d '' verbatim; do if [ "$type" == 'file' ]; then @@ -285,6 +358,12 @@ helm_test() { $helm_bin ${test_args[@]} | tee $logfile } +# support private registry +if [ "${private_registry}" = true ]; then + echo "private registry configured. proceeding with helm registry login" + helm_registry_login +fi + if [ "$uninstall" = true ]; then helm_uninstall From 9eec9b7201b230a5455da32dcfee686570194548 Mon Sep 17 00:00:00 2001 
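Review bot: The user-credential branch of `helm_registry_login` replaces `~/.aws/credentials` wholesale (`echo "[${profile:-default}] ..." > ~/.aws/credentials`), so if the EKS source in the same pipeline also used user credentials, the profile that `setup_aws_kubernetes` wrote earlier is gone by the time the kubeconfig's `aws eks get-token` exec runs (the generated kubeconfig appears to carry the profile name, so this would surface as an authentication failure during the helm call rather than here). Writing the keys with `aws configure set --profile "${profile:-default}" aws_access_key_id "${access_key_id}"`, `aws configure set --profile "${profile:-default}" aws_secret_access_key "${secret_access_key}"` and `aws configure set --profile "${profile:-default}" region "${region}"` merges into the existing files instead of clobbering them; whichever form is kept, the file is created with the process umask, so a `chmod 600 ~/.aws/credentials` (or `umask 077` before the write) is warranted for a file holding a long-lived secret. The error strings in this function still say `invalid role arn for AWS EKS` and `invalid user auth payload for AWS EKS`; they should read `AWS ECR` so a failed registry login is not mistaken for a cluster-auth problem.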
From: Yann David Date: Thu, 28 Mar 2024 10:11:36 -0400 Subject: [PATCH 21/34] Migration from Concourse to Github Actions (#109) * First try at building from GHA instead of concourse * Testing from PR before merging * Wrong path * Testing from PR before merging * Fixing triggers after tests * Testing tag workflow * Fixing triggers after tests * Add PR vbump check --- .github/workflows/build.yml | 40 ++++++++++++++++++++ .github/workflows/pr.yml | 74 +++++++++++++++++++++++++++++++++++++ .github/workflows/tag.yml | 25 +++++++++++++ 3 files changed, 139 insertions(+) create mode 100644 .github/workflows/build.yml create mode 100644 .github/workflows/pr.yml create mode 100644 .github/workflows/tag.yml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 0000000..04816fc --- /dev/null +++ b/.github/workflows/build.yml @@ -0,0 +1,40 @@ +name: Create and publish a Docker image + +on: + push: + tags: + - 'v[0-9]+.[0-9]+.[0-9]+' + workflow_dispatch: # Enable manual triggering + inputs: + tag: + description: 'Docker image tag' + required: false + +jobs: + build-and-push-image: + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + steps: + - name: Checkout repository + uses: actions/checkout@v4 + - name: Log in to the Container registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Set Docker image tag + id: set_docker_tag + run: echo "tag=${{ github.event.inputs.tag || github.ref_name }}" >> $GITHUB_OUTPUT + continue-on-error: true + shell: bash + - name: Build and push Docker image + uses: docker/build-push-action@v5 + with: + context: . + push: true + tags: | + ghcr.io/typositoire/concourse-helm3-resource:${{ steps.set_docker_tag.outputs.tag }} + ghcr.io/typositoire/concourse-helm3-resource:latest \ No newline at end of file 
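Review bot: In build.yml the `run: echo "tag=${{ github.event.inputs.tag || github.ref_name }}" >> $GITHUB_OUTPUT` step interpolates the manual `tag` input straight into the shell script before it runs, which is the script-injection pattern GitHub's own hardening guidance warns about; the exposure here is limited to users who can dispatch the workflow, but the fix costs nothing. Pass the value through the environment instead: `env:` / `  TAG: ${{ github.event.inputs.tag || github.ref_name }}` / `run: echo "tag=${TAG}" >> "$GITHUB_OUTPUT"`. The same expression-in-`run` pattern is in the pr.yml hunk (`LAST_TAG="${{ steps.previoustag.outputs.tag }}"`, `NEW_TAG="v${{ steps.get_version.outputs.version }}"`) and in the tag.yml hunk (`git tag -a v${{ github.event.inputs.tag || ... }}`), and should be changed the same way. `continue-on-error: true` on the tag step also means a failure there yields an empty tag and a push of `ghcr.io/typositoire/concourse-helm3-resource:`, so the step is better allowed to fail the job.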
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
new file mode 100644
index 0000000..0dbbe63
--- /dev/null
+++ b/.github/workflows/pr.yml
@@ -0,0 +1,74 @@ +name: Check PR + +on: + pull_request: + branches: + - main + +jobs: + check: + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Get changed files + id: changed-files + uses: tj-actions/changed-files@v44 + with: + files_ignore: | + README.md + ci/** + .github/** + - name: List all changed files + id: list_changed_files + env: + ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }} + ALL_MODIFIED_FILES_COUNT: ${{ steps.changed-files.outputs.all_modified_files_count }} + run: | + echo "${ALL_MODIFIED_FILES_COUNT} files" + for file in ${ALL_CHANGED_FILES}; do + echo "$file was changed" + done + + echo "msg=Version bump not required." >> $GITHUB_OUTPUT + - name: auto_pass + if: steps.changed-files.outputs.all_modified_files_count == '0' + id: check_if_only_ignored + run: | + exit 0 + + - name: Get version from file + if: steps.changed-files.outputs.all_modified_files_count != '0' + id: get_version + run: echo "version=$(cat VERSION)" >> $GITHUB_OUTPUT + + - name: 'Get Previous tag' + if: steps.changed-files.outputs.all_modified_files_count != '0' + id: previoustag + uses: "WyriHaximus/github-action-get-previous-tag@v1.4.0" + + - name: Checking for version bump + if: steps.changed-files.outputs.all_modified_files_count != '0' + id: check_vbump + run: | + LAST_TAG="${{ steps.previoustag.outputs.tag }}" + NEW_TAG="v${{ steps.get_version.outputs.version }}" + RESULT=$(ci/assets/checksemver.sh ${NEW_TAG} ${LAST_TAG}) + if [ "${RESULT}" == "1" ]; then + echo "msg=Version bump found." >> $GITHUB_OUTPUT + exit 0 + elif [ "${RESULT}" == "0" ]; then + echo "msg=Version bump did not happen. ${LAST_TAG} is the same as ${NEW_TAG}" >> $GITHUB_OUTPUT + exit 1 + else + echo "msg=Version bump did not happen. 
${LAST_TAG} is higher than ${NEW_TAG}" >> $GITHUB_OUTPUT + exit 1 + fi + - uses: mshick/add-pr-comment@v2.8.2 + if: always() + with: + message: | + ${{ steps.list_changed_files.outputs.msg || steps.check_vbump.outputs.msg }} \ No newline at end of file diff --git a/.github/workflows/tag.yml b/.github/workflows/tag.yml new file mode 100644 index 0000000..1ceca32 --- /dev/null +++ b/.github/workflows/tag.yml @@ -0,0 +1,25 @@ +name: Tag Main + +on: + push: + branches: + - main + workflow_dispatch: # Enable manual triggering + inputs: + tag: + description: 'Version to tag (without the prefix v)' + required: false +jobs: + tag: + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4 + - name: Get version from file + id: get_version + run: echo "version=$(cat VERSION)" >> $GITHUB_OUTPUT + - name: Create tag + id: create_tag + run: | + git tag -a v${{ github.event.inputs.tag || steps.get_version.outputs.version }} -m "Tagging version v${{ github.event.inputs.tag || steps.get_version.outputs.version }}" + git push origin v${{ github.event.inputs.tag || steps.get_version.outputs.version }} \ No newline at end of file From be3efb7af412eb73f7cc7a12d4a0c7e86c37aefd Mon Sep 17 00:00:00 2001 From: Yann David Date: Thu, 28 Mar 2024 11:08:29 -0400 Subject: [PATCH 22/34] Only pushes to VERSION (#110) --- .github/workflows/tag.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/tag.yml b/.github/workflows/tag.yml index 1ceca32..03ded0d 100644 --- a/.github/workflows/tag.yml +++ b/.github/workflows/tag.yml @@ -4,6 +4,8 @@ on: push: branches: - main + paths: + - VERSION workflow_dispatch: # Enable manual triggering inputs: tag: From 0c4337fdc5b6cf806058b2cc50e138c87fdd6e18 Mon Sep 17 00:00:00 2001 From: Yann David Date: Thu, 28 Mar 2024 13:01:05 -0400 Subject: [PATCH 23/34] Prevent forks PR from failing due to messages not working (#112) --- .github/workflows/pr.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
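Review bot: `steps.get_version.outputs.version` is produced by `echo "version=$(cat VERSION)" >> $GITHUB_OUTPUT` on a `pull_request` event, so its content comes from the PR itself; a VERSION file with several lines writes additional `key=value` pairs into `$GITHUB_OUTPUT`, and the value is then expanded into the `check_vbump` shell script via `${{ }}` and passed unquoted to `ci/assets/checksemver.sh ${NEW_TAG} ${LAST_TAG}`. Reading only the first line and quoting the arguments limits this: `run: echo "version=$(head -n1 VERSION | tr -d '[:space:]')" >> "$GITHUB_OUTPUT"` and `RESULT=$(ci/assets/checksemver.sh "${NEW_TAG}" "${LAST_TAG}")`. As a point of style, the third-party actions are referenced by mutable tags (`tj-actions/changed-files@v44`, `WyriHaximus/github-action-get-previous-tag@v1.4.0`, `mshick/add-pr-comment@v2.8.2`); pinning them to a full commit SHA with the tag in a trailing comment protects the workflow from a retagged or compromised upstream release.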
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 0dbbe63..b20868c 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -32,12 +32,11 @@ jobs: for file in ${ALL_CHANGED_FILES}; do echo "$file was changed" done - - echo "msg=Version bump not required." >> $GITHUB_OUTPUT - name: auto_pass if: steps.changed-files.outputs.all_modified_files_count == '0' id: check_if_only_ignored run: | + echo "msg=Version bump not required." >> $GITHUB_OUTPUT exit 0 - name: Get version from file @@ -69,6 +68,7 @@ jobs: fi - uses: mshick/add-pr-comment@v2.8.2 if: always() + continue-on-error: true # Currently this resource doesn't work as is with forks with: message: | - ${{ steps.list_changed_files.outputs.msg || steps.check_vbump.outputs.msg }} \ No newline at end of file + ${{ steps.check_if_only_ignored.outputs.msg || steps.check_vbump.outputs.msg }} \ No newline at end of file From 8fb9d007ab8d5d9030d486dc6dac83300100d8f6 Mon Sep 17 00:00:00 2001 From: Yann David Date: Thu, 28 Mar 2024 14:43:17 -0400 Subject: [PATCH 24/34] Using secret with only issues write (#114) --- .github/workflows/pr.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index b20868c..55bdab5 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -70,5 +70,6 @@ jobs: if: always() continue-on-error: true # Currently this resource doesn't work as is with forks with: + GITHUB_TOKEN: ${{ secrets.TOKENFORCOMMENT }} message: | ${{ steps.check_if_only_ignored.outputs.msg || steps.check_vbump.outputs.msg }} \ No newline at end of file From bd377e78b7d3e5608a9f36f186ad4428363874db Mon Sep 17 00:00:00 2001 From: Yann David Date: Thu, 28 Mar 2024 18:06:29 -0400 Subject: [PATCH 25/34] Wrong place for token (#115) --- .github/workflows/pr.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 55bdab5..d32c23e 100644 
--- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -69,7 +69,8 @@ jobs: - uses: mshick/add-pr-comment@v2.8.2 if: always() continue-on-error: true # Currently this resource doesn't work as is with forks - with: + env: GITHUB_TOKEN: ${{ secrets.TOKENFORCOMMENT }} + with: message: | ${{ steps.check_if_only_ignored.outputs.msg || steps.check_vbump.outputs.msg }} \ No newline at end of file From 56a4b2e160ba1eaef3bafca0f55308ede32b9c4a Mon Sep 17 00:00:00 2001 From: Yann David Date: Thu, 28 Mar 2024 18:25:21 -0400 Subject: [PATCH 26/34] Trying another way to get Comment for PR from forks... (#116) * More trying... * Trying pull_request_target instead --- .github/workflows/pr.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index d32c23e..d630365 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -1,13 +1,15 @@ name: Check PR on: - pull_request: + pull_request_target: branches: - main jobs: check: runs-on: ubuntu-latest + permissions: + pull-requests: write steps: - name: Checkout repository uses: actions/checkout@v4 @@ -69,8 +71,6 @@ jobs: - uses: mshick/add-pr-comment@v2.8.2 if: always() continue-on-error: true # Currently this resource doesn't work as is with forks - env: - GITHUB_TOKEN: ${{ secrets.TOKENFORCOMMENT }} with: message: | ${{ steps.check_if_only_ignored.outputs.msg || steps.check_vbump.outputs.msg }} \ No newline at end of file From 9f31a577467a1e464dea4a2be07b6392faef3d73 Mon Sep 17 00:00:00 2001 From: Yann David Date: Thu, 28 Mar 2024 18:47:57 -0400 Subject: [PATCH 27/34] Trying something off stackoverflow (#118) * Trying something off stackoverflow * Missing permissions --- .github/workflows/comment.yml | 21 +++++++++++++++++++++ .github/workflows/pr.yml | 29 ++++++++++++++++++----------- 2 files changed, 39 insertions(+), 11 deletions(-) create mode 100644 .github/workflows/comment.yml 
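Review bot: Switching the trigger from `pull_request` to `pull_request_target` runs this workflow in the base repository's context with a write-capable token (here explicitly `pull-requests: write`) for pull requests opened from forks. That is safe only as long as no step executes PR-controlled content: the `actions/checkout@v4` step without a `ref:` checks out the base branch, so `ci/assets/checksemver.sh` and `VERSION` are the base's copies, but any later addition of `ref: ${{ github.event.pull_request.head.sha }}` (a common change when a check "doesn't see the PR's files") would turn this into the well-known pwn-request pattern. A comment above `on:` recording this constraint, e.g. `# pull_request_target runs with a write token; never check out the PR head ref in this workflow`, is worth adding if the trigger is kept.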
diff --git a/.github/workflows/comment.yml b/.github/workflows/comment.yml new file mode 100644 index 0000000..c7d737a --- /dev/null +++ b/.github/workflows/comment.yml @@ -0,0 +1,21 @@ +name: Comment on pull request + +on: + repository_dispatch: + types: [pr-comment] + +jobs: + comment: + runs-on: ubuntu-latest + steps: + - uses: actions/download-artifact@v4 + with: + name: CommentMsg + path: tmp/ + - name: Display structure of downloaded files + run: ls -R tmp/ + - name: PR comment with html diff 💬 + uses: thollander/actions-comment-pull-request@v2.5.0 + with: + pr_number: ${{ github.event.client_payload.pr_number }} + filePath: tmp/comment.txt \ No newline at end of file diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index d630365..24b31d0 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -1,7 +1,7 @@ name: Check PR on: - pull_request_target: + pull_request: branches: - main @@ -9,7 +9,7 @@ jobs: check: runs-on: ubuntu-latest permissions: - pull-requests: write + contents: write steps: - name: Checkout repository uses: actions/checkout@v4 @@ -38,7 +38,7 @@ jobs: if: steps.changed-files.outputs.all_modified_files_count == '0' id: check_if_only_ignored run: | - echo "msg=Version bump not required." >> $GITHUB_OUTPUT + echo "Version bump not required." > comment.txt exit 0 - name: Get version from file 
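Review bot: The `actions/download-artifact@v4` step in comment.yml names the artifact `CommentMsg` but gives no `run-id` or `github-token`, and as far as I know v4 of that action only looks in the current workflow run by default; the artifact was uploaded by the pr.yml run that sent the `repository_dispatch`, so the download would fail before the comment is posted. The dispatch payload already carries `run_id`, so the step can use it: `run-id: ${{ github.event.client_payload.run_id }}` together with `github-token: ${{ secrets.GITHUB_TOKEN }}`. The `ls -R tmp/` step is useful while debugging but prints the full comment body into the log; it can go once the flow works.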
@@ -59,18 +59,25 @@ jobs: NEW_TAG="v${{ steps.get_version.outputs.version }}" RESULT=$(ci/assets/checksemver.sh ${NEW_TAG} ${LAST_TAG}) if [ "${RESULT}" == "1" ]; then - echo "msg=Version bump found." >> $GITHUB_OUTPUT + echo "Version bump found." > comment.txt exit 0 elif [ "${RESULT}" == "0" ]; then - echo "msg=Version bump did not happen. ${LAST_TAG} is the same as ${NEW_TAG}" >> $GITHUB_OUTPUT + echo "Version bump did not happen. ${LAST_TAG} is the same as ${NEW_TAG}" > comment.txt exit 1 else - echo "msg=Version bump did not happen. ${LAST_TAG} is higher than ${NEW_TAG}" >> $GITHUB_OUTPUT + echo "Version bump did not happen. ${LAST_TAG} is higher than ${NEW_TAG}" > comment.txt exit 1 fi - - uses: mshick/add-pr-comment@v2.8.2 - if: always() - continue-on-error: true # Currently this resource doesn't work as is with forks + - name: Upload html diff ⬆️ + id: artifact-upload + uses: actions/upload-artifact@v4 with: - message: | - ${{ steps.check_if_only_ignored.outputs.msg || steps.check_vbump.outputs.msg }} \ No newline at end of file + name: CommentMsg + path: comment.txt + retention-days: 7 + - name: Dispatch information to repository 🗣️ + uses: peter-evans/repository-dispatch@v2 + with: + event-type: pr-comment + client-payload: '{"pr_number": "${{ github.event.number }}", "artifact_url": "${{ steps.artifact-upload.outputs.artifact-url }}", "run_id": "${{ github.run_id }}"}' + \ No newline at end of file From 5d9c7dd3bbe053693404af45c9d1397fa3fbb8f8 Mon Sep 17 00:00:00 2001 From: Yann David Date: Thu, 28 Mar 2024 18:55:57 -0400 Subject: [PATCH 28/34] Using PAT with limited scope (#119) * Using PAT with limited scope * Missing repo name --- .github/workflows/pr.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 24b31d0..df07193 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml 
@@ -78,6 +78,8 @@ jobs: - name: Dispatch information to repository 🗣️ uses: peter-evans/repository-dispatch@v2 with: + token: ${{ secrets.TOKENFORCOMMENT }} + repository: typositoire/concourse-helm3-resource event-type: pr-comment client-payload: '{"pr_number": "${{ github.event.number }}", "artifact_url": "${{ steps.artifact-upload.outputs.artifact-url }}", "run_id": "${{ github.run_id }}"}' \ No newline at end of file From ae184565f10c8176a2d06d75cfb74ab18edad2ad Mon Sep 17 00:00:00 2001 From: Yann David Date: Thu, 28 Mar 2024 19:09:04 -0400 Subject: [PATCH 29/34] GHA, won. I can't comment from forks... (#120) * GHA, won. I can't comment from forks... * Rename action --- .../{pr.yml => check-version-bump.yml} | 29 +++++-------------- .github/workflows/comment.yml | 21 -------------- 2 files changed, 7 insertions(+), 43 deletions(-) rename .github/workflows/{pr.yml => check-version-bump.yml} (71%) delete mode 100644 .github/workflows/comment.yml diff --git a/.github/workflows/pr.yml b/.github/workflows/check-version-bump.yml similarity index 71% rename from .github/workflows/pr.yml rename to .github/workflows/check-version-bump.yml index df07193..fdf3990 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/check-version-bump.yml @@ -1,4 +1,4 @@ -name: Check PR +name: Check for version Bump on: pull_request: @@ -6,10 +6,8 @@ on: - main jobs: - check: + verify-version-bump: runs-on: ubuntu-latest - permissions: - contents: write steps: - name: Checkout repository uses: actions/checkout@v4 
@@ -58,28 +56,15 @@ jobs: LAST_TAG="${{ steps.previoustag.outputs.tag }}" NEW_TAG="v${{ steps.get_version.outputs.version }}" RESULT=$(ci/assets/checksemver.sh ${NEW_TAG} ${LAST_TAG}) + echo "============================================" if [ "${RESULT}" == "1" ]; then - echo "Version bump found." > comment.txt + echo "Version bump found." exit 0 elif [ "${RESULT}" == "0" ]; then - echo "Version bump did not happen. ${LAST_TAG} is the same as ${NEW_TAG}" > comment.txt + echo "Version bump did not happen. ${LAST_TAG} is the same as ${NEW_TAG}" exit 1 else - echo "Version bump did not happen. ${LAST_TAG} is higher than ${NEW_TAG}" > comment.txt + echo "Version bump did not happen. ${LAST_TAG} is higher than ${NEW_TAG}" exit 1 fi - - name: Upload html diff ⬆️ - id: artifact-upload - uses: actions/upload-artifact@v4 - with: - name: CommentMsg - path: comment.txt - retention-days: 7 - - name: Dispatch information to repository 🗣️ - uses: peter-evans/repository-dispatch@v2 - with: - token: ${{ secrets.TOKENFORCOMMENT }} - repository: typositoire/concourse-helm3-resource - event-type: pr-comment - client-payload: '{"pr_number": "${{ github.event.number }}", "artifact_url": "${{ steps.artifact-upload.outputs.artifact-url }}", "run_id": "${{ github.run_id }}"}' - \ No newline at end of file + echo "============================================" \ No newline at end of file diff --git a/.github/workflows/comment.yml b/.github/workflows/comment.yml deleted file mode 100644 index c7d737a..0000000 --- a/.github/workflows/comment.yml +++ /dev/null 
@@ -1,21 +0,0 @@ -name: Comment on pull request - -on: - repository_dispatch: - types: [pr-comment] - -jobs: - comment: - runs-on: ubuntu-latest - steps: - - uses: actions/download-artifact@v4 - with: - name: CommentMsg - path: tmp/ - - name: Display structure of downloaded files - run: ls -R tmp/ - - name: PR comment with html diff 💬 - uses: thollander/actions-comment-pull-request@v2.5.0 - with: - pr_number: ${{ github.event.client_payload.pr_number }} - filePath: tmp/comment.txt \ No newline at end of file From cdb7f1112d00d74418e435ddea3cdefe807bc0d2 Mon Sep 17 00:00:00 2001 From: Robin Tang Date: Thu, 28 Mar 2024 18:19:57 -0500 Subject: [PATCH 30/34] Upgrading K8s (#111) * Upgrade to 1.28. * Bump Version. --- Dockerfile | 2 +- VERSION | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 00951bb..b88aff9 100644 --- a/Dockerfile +++ b/Dockerfile @@ -5,7 +5,7 @@ LABEL maintainer="Yann David (@Typositoire) " # Versions for gcloud, kubectl, doctl, awscli # K8 versions: https://kubernetes.io/releases/ -ARG KUBERNETES_VERSION=1.27.11 +ARG KUBERNETES_VERSION=1.28.7 ARG GCLOUD_VERSION=416.0.0 ARG DOCTL_VERSION=1.57.0 ARG AWSCLI_VERSION=2.13.25-r0 diff --git a/VERSION b/VERSION index 2aeaa11..39fc130 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.35.0 +1.36.0 From 8fb453f5b411fdb21e3e5bdb08ff50d7c73f3b6e Mon Sep 17 00:00:00 2001 From: Yann David Date: Tue, 2 Apr 2024 18:22:16 -0400 Subject: [PATCH 31/34] Fixing git user for GHA (#121) --- .github/workflows/tag.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/tag.yml b/.github/workflows/tag.yml index 03ded0d..c7f5b67 100644 --- a/.github/workflows/tag.yml +++ b/.github/workflows/tag.yml 
@@ -23,5 +23,7 @@ jobs: - name: Create tag id: create_tag run: | + git config user.name "GitHub Actions" + git config user.email "41898282+github-actions[bot]@users.noreply.github.com" git tag -a v${{ github.event.inputs.tag || steps.get_version.outputs.version }} -m "Tagging version v${{ github.event.inputs.tag || steps.get_version.outputs.version }}" git push origin v${{ github.event.inputs.tag || steps.get_version.outputs.version }} \ No newline at end of file From 807806e982381531ef41f483860ceb3dbe75acec Mon Sep 17 00:00:00 2001 From: Yann David Date: Tue, 2 Apr 2024 18:42:01 -0400 Subject: [PATCH 32/34] Glob not regex (#122) --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 04816fc..1b3e4af 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -3,7 +3,7 @@ name: Create and publish a Docker image on: push: tags: - - 'v[0-9]+.[0-9]+.[0-9]+' + - 'v*.*.*' workflow_dispatch: # Enable manual triggering inputs: tag: From e113625938c0cf4c1dd56b28fc9038e503d69bea Mon Sep 17 00:00:00 2001 From: Robin Tang Date: Wed, 3 Jul 2024 08:24:49 -1000 Subject: [PATCH 33/34] Supporting environment variables (#124) * Supporting environment variables (#3) * Update Makefile * Update README. --- Dockerfile | 3 ++- README.md | 15 +++++++-------- VERSION | 2 +- assets/common.sh | 11 +++++++++-- 4 files changed, 19 insertions(+), 12 deletions(-) diff --git a/Dockerfile b/Dockerfile index b88aff9..c965aaa 100644 --- a/Dockerfile +++ b/Dockerfile @@ -8,9 +8,10 @@ LABEL maintainer="Yann David (@Typositoire) " ARG KUBERNETES_VERSION=1.28.7 ARG GCLOUD_VERSION=416.0.0 ARG DOCTL_VERSION=1.57.0 -ARG AWSCLI_VERSION=2.13.25-r0 +ARG AWSCLI_VERSION=2.15.14-r0 ARG HELM_PLUGINS_TO_INSTALL="https://github.com/databus23/helm-diff" + #gcloud path ENV PATH $PATH:/usr/local/gcloud/google-cloud-sdk/bin diff --git a/README.md b/README.md index 0c60bd6..7cd3670 100644 
--- a/README.md +++ b/README.md @@ -1,16 +1,10 @@ -# IMPORTANT - -https://github.com/Typositoire/concourse-helm3-resource/issues/102 - # Helm Resource for Concourse ![CI Build](https://concourse.pubb-it.com/api/v1/teams/main/pipelines/concourse-helm3-resource/jobs/build-image-tag/badge) Deploy [Helm Charts](https://github.com/helm/helm) from [Concourse](https://concourse-ci.org/). -Heavily based on the work of [`linkyard/concourse-helm-resource`][linkyard]. - -[linkyard]: https://github.com/linkyard/concourse-helm-resource +Heavily based on the work of [`linkyard/concourse-helm-resource`](https://github.com/linkyard/concourse-helm-resource). ## IMPORTANT NOTES @@ -23,6 +17,7 @@ Heavily based on the work of [`linkyard/concourse-helm-resource`][linkyard]. - Most of those have been fixed with v1.25.0 available in GHCR only ## Docker Image + You can pull the resource image from [`typositoire/concourse-helm3-resource`][dockerhub]. !["Dockerhub Pull Badge"](https://img.shields.io/docker/pulls/typositoire/concourse-helm3-resource.svg "Dockerhub Pull Badge") [dockerhub]: https://hub.docker.com/repository/docker/typositoire/concourse-helm3-resource @@ -31,7 +26,7 @@ You can pull the resource image from [`typositoire/concourse-helm3-resource`][do Starting with version 1.25.0, can you can no longer pull this resource from Docker Hub. -Starting with version 1.19.1, you can pull the resource from Github [`ghcr.io/typositoire/concourse-helm3-resource`][github packages]. Docker hub will eventually stop receiving new images. +Starting with version 1.19.1, you can pull the resource from GitHub [`ghcr.io/typositoire/concourse-helm3-resource`][github packages]. Docker hub will eventually stop receiving new images. [github packages]: https://github.com/Typositoire/concourse-helm3-resource/pkgs/container/concourse-helm3-resource 
@@ -64,6 +59,7 @@ resource_types: - `stable_repo`: _Optional_ A `"false"` (must be "string" not boolean) value will disable using a default Helm stable repo. Any other value will be used to Override default Helm stable repo URL . Useful if running helm deploys without internet access. - `tracing_enabled`: _Optional._ Enable extremely verbose tracing for this resource. Useful when developing the resource itself. May allow secrets to be displayed. (Default: false) - `helm_setup_purge_all`: _Optional._ Uninstalls and purge every helm release. Use with extreme caution. (Default: false) + - `env_vars`: _Optional._ A key/value pair of environment variables that will be set before running the helm command. This is useful for using different Helm storage options. ## Source options for Google Cloud @@ -169,6 +165,9 @@ resources: repos: - name: some_repo url: https://somerepo.github.io/charts + env_vars: + HELM_DRIVER: sql + HELM_DRIVER_SQL_CONNECTION_STRING: postgresql://helm-postgres:5432/helm?user=helm&password=changeme ``` DigitalOcean diff --git a/VERSION b/VERSION index 39fc130..bf50e91 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.36.0 +1.37.0 diff --git a/assets/common.sh b/assets/common.sh index 046ce61..40beb1c 100755 --- a/assets/common.sh +++ b/assets/common.sh @@ -205,14 +205,21 @@ setup_gcp_kubernetes() { setup_helm() { # $1 is the name of the payload file # $2 is the name of the source directory - - history_max=$(jq -r '.source.helm_history_max // "10"' < $1) helm_bin="helm" $helm_bin version + # Are there any environment variables? If so, let's iterate over and them set it. + env_vars=$(jq -c '.source.env_vars // {}' < "$1") + if [ "$env_vars" != "{}" ]; then + for key in $(echo "$env_vars" | jq -r 'keys[]'); do + value=$(echo "$env_vars" | jq -r --arg key "$key" '.[$key]') + export "$key"="$value" + done + fi + helm_setup_purge_all=$(jq -r '.source.helm_setup_purge_all // "false"' <$1) if [ "$helm_setup_purge_all" = "true" ]; then local release 
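Review bot: The added loop exports each `env_vars` key as a shell variable name with no validation, so a key such as `PATH` or `HELM_PLUGINS` silently overrides the image's settings and a key that is not an identifier makes `export` fail, which would abort `setup_helm` if the script runs under `set -e`. The hunk also removes `history_max=$(jq -r '.source.helm_history_max // "10"' < $1)` without the commit message mentioning it; if `assets/out` still uses `$history_max` after sourcing this file, `--history-max` would now receive an empty value, so please confirm (I cannot see `out` here). These values reach every child process and `tracing_enabled` is documented to print commands, while the README example in this patch embeds a literal password in `HELM_DRIVER_SQL_CONNECTION_STRING`, so such values belong in Concourse credential interpolation rather than plaintext pipeline config. I would restrict keys to identifiers and read them line by line rather than word-splitting `$(...)`, as below (assuming common.sh runs under bash, as the arrays in `assets/out` suggest). `setup_helm` continues past the end of the hunk.
```shell
  # … unchanged: helm_bin="helm"; $helm_bin version …
  # Export source.env_vars, accepting only valid identifier names so a typo or
  # a stray key cannot clobber PATH-like state or fail under set -e.
  env_vars=$(jq -c '.source.env_vars // {}' < "$1")
  while IFS= read -r key; do
    if ! [[ "$key" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]]; then
      echo "env_vars: '$key' is not a valid environment variable name" >&2
      exit 1
    fi
    value=$(jq -r --arg key "$key" '.[$key]' <<<"$env_vars")
    export "$key=$value"
  done < <(jq -r 'keys[]' <<<"$env_vars")
  # … unchanged: helm_setup_purge_all handling …
```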
From 693a050eadb3ccfeb3eee4aaefbe54157fd18d19 Mon Sep 17 00:00:00 2001 From: Ulrich GIRAUD Date: Fri, 12 Jul 2024 10:19:28 +0200 Subject: [PATCH 34/34] build(docker): build and push image on merge --- .github/workflows/build.yml | 24 ++------ .github/workflows/check-version-bump.yml | 70 ------------------------ .github/workflows/tag.yml | 29 ---------- 3 files changed, 6 insertions(+), 117 deletions(-) delete mode 100644 .github/workflows/check-version-bump.yml delete mode 100644 .github/workflows/tag.yml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 1b3e4af..c264d36 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -2,13 +2,8 @@ name: Create and publish a Docker image on: push: - tags: - - 'v*.*.*' - workflow_dispatch: # Enable manual triggering - inputs: - tag: - description: 'Docker image tag' - required: false + branches: + - main jobs: build-and-push-image: @@ -19,22 +14,15 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 - - name: Log in to the Container registry + - name: Login to Docker registry uses: docker/login-action@v3 with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Set Docker image tag - id: set_docker_tag - run: echo "tag=${{ github.event.inputs.tag || github.ref_name }}" >> $GITHUB_OUTPUT - continue-on-error: true - shell: bash + username: ${{ secrets.DOCKER__USERNAME }} + password: ${{ secrets.DOCKER__TOKEN }} - name: Build and push Docker image uses: docker/build-push-action@v5 with: context: . push: true tags: | - ghcr.io/typositoire/concourse-helm3-resource:${{ steps.set_docker_tag.outputs.tag }} - ghcr.io/typositoire/concourse-helm3-resource:latest \ No newline at end of file + evaneos/concourse-helm3-resource:latest \ No newline at end of file diff --git a/.github/workflows/check-version-bump.yml b/.github/workflows/check-version-bump.yml deleted file mode 100644 index fdf3990..0000000 
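Review bot: The rewritten push step tags the image only as `evaneos/concourse-helm3-resource:latest`, so every merge to `main` overwrites the one tag consumers can reference and nothing pinnable or traceable to the `VERSION` file is published any more (the previous `${{ github.ref_name }}` tag is dropped together with the tag trigger). With `check-version-bump.yml` deleted in the same patch nothing enforces a bump either, so even a version tag could be overwritten, but publishing one derived from `VERSION` at least lets pipelines pin a release. Unrelated to this change but worth doing while here: the actions are referenced by floating tags (`@v4`, `@v3`, `@v5`) and the job holds a Docker Hub publishing token, so pinning them to commit SHAs narrows the supply-chain exposure of that credential. A minimal version of the tagging change follows.
```yaml
      - name: Read version from VERSION file
        id: get_version
        run: echo "version=$(tr -d '[:space:]' < VERSION)" >> "$GITHUB_OUTPUT"
      # … unchanged: Build and push Docker image step header, context, push …
          tags: |
            evaneos/concourse-helm3-resource:${{ steps.get_version.outputs.version }}
            evaneos/concourse-helm3-resource:latest
```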
--- a/.github/workflows/check-version-bump.yml +++ /dev/null 
@@ -1,70 +0,0 @@ -name: Check for version Bump - -on: - pull_request: - branches: - - main - -jobs: - verify-version-bump: - runs-on: ubuntu-latest - steps: - - name: Checkout repository - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Get changed files - id: changed-files - uses: tj-actions/changed-files@v44 - with: - files_ignore: | - README.md - ci/** - .github/** - - name: List all changed files - id: list_changed_files - env: - ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }} - ALL_MODIFIED_FILES_COUNT: ${{ steps.changed-files.outputs.all_modified_files_count }} - run: | - echo "${ALL_MODIFIED_FILES_COUNT} files" - for file in ${ALL_CHANGED_FILES}; do - echo "$file was changed" - done - - name: auto_pass - if: steps.changed-files.outputs.all_modified_files_count == '0' - id: check_if_only_ignored - run: | - echo "Version bump not required." > comment.txt - exit 0 - - - name: Get version from file - if: steps.changed-files.outputs.all_modified_files_count != '0' - id: get_version - run: echo "version=$(cat VERSION)" >> $GITHUB_OUTPUT - - - name: 'Get Previous tag' - if: steps.changed-files.outputs.all_modified_files_count != '0' - id: previoustag - uses: "WyriHaximus/github-action-get-previous-tag@v1.4.0" - - - name: Checking for version bump - if: steps.changed-files.outputs.all_modified_files_count != '0' - id: check_vbump - run: | - LAST_TAG="${{ steps.previoustag.outputs.tag }}" - NEW_TAG="v${{ steps.get_version.outputs.version }}" - RESULT=$(ci/assets/checksemver.sh ${NEW_TAG} ${LAST_TAG}) - echo "============================================" - if [ "${RESULT}" == "1" ]; then - echo "Version bump found." - exit 0 - elif [ "${RESULT}" == "0" ]; then - echo "Version bump did not happen. ${LAST_TAG} is the same as ${NEW_TAG}" - exit 1 - else - echo "Version bump did not happen. ${LAST_TAG} is higher than ${NEW_TAG}" - exit 1 - fi - echo "============================================" \ No newline at end of file 
diff --git a/.github/workflows/tag.yml b/.github/workflows/tag.yml deleted file mode 100644 index c7f5b67..0000000 --- a/.github/workflows/tag.yml +++ /dev/null @@ -1,29 +0,0 @@ -name: Tag Main - -on: - push: - branches: - - main - paths: - - VERSION - workflow_dispatch: # Enable manual triggering - inputs: - tag: - description: 'Version to tag (without the prefix v)' - required: false -jobs: - tag: - runs-on: ubuntu-latest - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - name: Get version from file - id: get_version - run: echo "version=$(cat VERSION)" >> $GITHUB_OUTPUT - - name: Create tag - id: create_tag - run: | - git config user.name "GitHub Actions" - git config user.email "41898282+github-actions[bot]@users.noreply.github.com" - git tag -a v${{ github.event.inputs.tag || steps.get_version.outputs.version }} -m "Tagging version v${{ github.event.inputs.tag || steps.get_version.outputs.version }}" - git push origin v${{ github.event.inputs.tag || steps.get_version.outputs.version }} \ No newline at end of file