Deploy Helm charts.
This task will install / upgrade a Helm chart into your Kubernetes / OpenShift cluster using Helm.
Helm has the plugins `helm-diff` and `helm-secrets` installed. A diff is performed before an upgrade is attempted. `helm-secrets` can be used to encrypt sensitive values in the underlying Git repository using age. Secrets are decrypted on the fly if the secret identified by the `age-key-secret` parameter exists and contains an age secret key whose corresponding public key was used as one of the recipients to encrypt.
Based on the target environment, some values files are added automatically to the invocation of the `helm` command if they are present in the chart directory:
- `values.yaml`: the values file (automatically considered by Helm).
- `secrets.yaml`: a secrets file.
- `values.<NAMESPACE>.yaml`: a values file named after the target namespace.
- `secrets.<NAMESPACE>.yaml`: a secrets file named after the target namespace.
Further, the task automatically sets the `image.tag` value on the CLI which equals the Git commit SHA being built. This value can be used in your Helm templates to refer to images built via `ods-package-image`.
Before the Helm chart is applied, it is packaged, setting the `appVersion` to the checked out Git commit SHA.
If the pipeline runs for a repository defining subrepos in its `ods.y(a)ml` file, then any charts in those subrepos are packaged as well, and added as dependencies to the top-most chart under `charts/`. Note that values and secrets files are only collected from the repository for which the pipeline runs. Therefore, if you use an umbrella repository to promote an application consisting of multiple repositories, the umbrella repository needs to define the environment-specific values for the subcomponents instead of having those files in the subrepo.
In order to produce correct `image.tag` values for subcomponents, the task automatically sets `<subcomponent>.image.tag` equal to the Git commit SHA of the subcomponent. Further, if no release name is explicitly configured, the task also sets `<subcomponent>.fullnameOverride` equal to the respective subcomponent to avoid resources being prefixed with the umbrella repository component name (assuming your resources are named using the `chart.fullname` helper).
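
To preview which arguments the rules above produce for a given namespace (for example, to review which secrets files would be decrypted and applied), the following shell sketch reassembles them. It is an added example, not the task's own code: the function name `helm_args`, its argument order, the order in which files are emitted and the use of the helm-secrets `secrets://` prefix are assumptions, and the commit SHAs in the demo are constructed.

```shell
#!/bin/sh
# Added example (not the task's implementation): list the Helm arguments
# implied by the rules described above.
#
# Usage: helm_args CHART_DIR NAMESPACE GIT_SHA RELEASE_NAME [SUBCOMPONENT=SHA ...]
# RELEASE_NAME may be the empty string, meaning "not explicitly configured".
helm_args() (
  chart_dir=$1; namespace=$2; git_sha=$3; release_name=$4
  shift 4

  # values.yaml is loaded by Helm itself, so only the optional files are passed.
  # Later files override earlier ones; this order is an assumption.
  for f in "secrets.yaml" "values.${namespace}.yaml" "secrets.${namespace}.yaml"; do
    [ -f "${chart_dir}/${f}" ] || continue
    case $f in
      # Assumption: secrets files go through the helm-secrets protocol handler.
      secrets.*) echo "--values=secrets://${chart_dir}/${f}" ;;
      *)         echo "--values=${chart_dir}/${f}" ;;
    esac
  done

  # The image tag of the top-most chart is the commit SHA being built.
  echo "--set=image.tag=${git_sha}"

  # Each subcomponent gets its own commit SHA as image tag.
  for pair in "$@"; do
    sub=${pair%%=*}
    sha=${pair#*=}
    echo "--set=${sub}.image.tag=${sha}"
    # fullnameOverride is only set when no release name is configured.
    [ -n "$release_name" ] || echo "--set=${sub}.fullnameOverride=${sub}"
  done
)

# Constructed demo: a throwaway chart directory holding two of the optional files.
demo=$(mktemp -d)
touch "$demo/values.yaml" "$demo/secrets.yaml" "$demo/values.dev.yaml"
helm_args "$demo" dev 0000000 "" backend=1111111
rm -rf "$demo"
```

Files that exist for another namespace (for example `secrets.prod.yaml` when targeting `dev`) never appear in the output, which makes the listing a quick check that environment-specific secrets stay scoped to their namespace.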
If you do not have an existing Helm chart yet, you can use the provided sample chart as a starting point. It is set up in a way that works with this task out of the box.
The following artifacts are generated by the task and placed into `.ods/artifacts/`:
- `deployments/`
  - `diff-<namespace>.txt`
  - `release-<namespace>.txt`
Parameter | Default | Description |
---|---|---|
`chart-dir` | `./chart` | Helm chart directory that will be deployed |
`release-name` | | The Helm release name. If empty, the release name is simply the name of the chart. When this task is used in a repository which defines subcharts, and the parameter is not set, then the task sets |
`diff-flags` | `--three-way-merge` | Flags to pass to |
`upgrade-flags` | `--install --wait` | Flags to pass to |
`age-key-secret` | `helm-secrets-age-key` | Name of the secret containing the age key to use for helm-secrets. If the secret exists, it is expected to have a field named |
`api-server` | | API server of the target cluster, including scheme. Only required if the target namespace is outside the cluster in which the pipeline runs. |
`api-credentials-secret` | | Name of the Secret resource holding the token of a serviceaccount (in field |
`namespace` | | Target K8s namespace (or OpenShift project) to deploy into. If empty, the task will be a no-op. |
`registry-host` | | Hostname of the target registry to push images to. If not given, the registry host of the source image is used. |
`diff-only` | `false` | If set to true, the task will only perform a diff, and then stop. No images will be promoted or upgrades attempted. |
`gather-status` | `true` | If set to true, the task will query for the Helm release status and write the result to an artifact file. |