From 2991291309dd56f01d678ee8afe070ccc6d60d7b Mon Sep 17 00:00:00 2001 From: Michael Sauter Date: Fri, 29 Sep 2023 08:34:49 +0200 Subject: [PATCH 01/10] Use lowercase variable names in bash script --- deploy/install.sh | 178 +++++++++++++++++++++++----------------------- 1 file changed, 89 insertions(+), 89 deletions(-) diff --git a/deploy/install.sh b/deploy/install.sh index 7137c993..157bf359 100755 --- a/deploy/install.sh +++ b/deploy/install.sh @@ -1,35 +1,35 @@ #!/usr/bin/env bash set -ue -SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" - -VERBOSE="false" -DRY_RUN="false" -DIFF="true" -NAMESPACE="" -RELEASE_NAME="ods-pipeline" -SERVICEACCOUNT="pipeline" -VALUES_FILE="values.yaml" -CHART_DIR="./chart" +script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" + +verbose="false" +dry_run="false" +diff="true" +namespace="" +release_name="ods-pipeline" +serviceaccount="pipeline" +values_file="values.yaml" +chart_dir="./chart" # Secrets -AUTH_SEPARATOR=":" -BITBUCKET_AUTH="" -BITBUCKET_WEBHOOK_SECRET="" -NEXUS_AUTH="" -PRIVATE_CERT="" +auth_separator=":" +bitbucket_auth="" +bitbucket_webhook_secret="" +nexus_auth="" +private_cert="" # Check prerequisites. -KUBECTL_BIN="" +kubectl_bin="" if command -v oc &> /dev/null; then - KUBECTL_BIN="oc" + kubectl_bin="oc" elif command -v kubectl &> /dev/null; then - KUBECTL_BIN="kubectl" + kubectl_bin="kubectl" else echo "ERROR: Neither oc nor kubectl in \$PATH"; exit 1 fi -HELM_BIN="" +helm_bin="" if command -v helm &> /dev/null; then - HELM_BIN="helm" + helm_bin="helm" else echo "ERROR: helm is not in \$PATH"; exit 1 fi 
@@ -39,14 +39,14 @@ function usage { printf "\t-h|--help\t\t\tPrints this usage information.\n" printf "\t-v|--verbose\t\t\tTurn on verbose output.\n" printf "\t-n|--namespace\t\t\tK8s namespace to target.\n" - printf "\t-f|--values\t\t\tValues file to supply to Helm (defaults to '%s'). Multiple files can be specified comma-separated.\n" "$VALUES_FILE" - printf "\t-s|--serviceaccount\t\tServiceaccount to use (defaults to '%s').\n" "$SERVICEACCOUNT" + printf "\t-f|--values\t\t\tValues file to supply to Helm (defaults to '%s'). Multiple files can be specified comma-separated.\n" "$values_file" + printf "\t-s|--serviceaccount\t\tServiceaccount to use (defaults to '%s').\n" "$serviceaccount" printf "\t--no-diff\t\t\tDo not run Helm diff before running Helm upgrade.\n" printf "\t--dry-run\t\t\tDo not apply any changes, instead just print what the script would do.\n" - printf "\t--auth-separator\t\tCharacter to use as a separator for basic auth flags (defaults to '%s')\n" "$AUTH_SEPARATOR" + printf "\t--auth-separator\t\tCharacter to use as a separator for basic auth flags (defaults to '%s')\n" "$auth_separator" printf "\t--bitbucket-auth\t\tAccess token of a Bitbucket user (if not given, script will prompt for this).\n" printf "\t--bitbucket-webhook-secret\tSecret to protect webhook endpoint with (if not given, script will generate this).\n" - printf "\t--nexus-auth\t\t\tUsername and password (separated by '%s') of a Nexus user (if not given, script will prompt for this).\n" "$AUTH_SEPARATOR" + printf "\t--nexus-auth\t\t\tUsername and password (separated by '%s') of a Nexus user (if not given, script will prompt for this).\n" "$auth_separator" printf "\t--private-cert\t\t\tHost from which to download private certificate (if not given, script will skip this).\n" printf "\nExample:\n\n" printf "\t%s \ \ 
@@ -61,52 +61,52 @@ while [ "$#" -gt 0 ]; do -h|--help) shift; usage; exit 0;; - -v|--verbose) VERBOSE="true";; + -v|--verbose) verbose="true";; - -n|--namespace) NAMESPACE="$2"; shift;; - -n=*|--namespace=*) NAMESPACE="${1#*=}";; + -n|--namespace) namespace="$2"; shift;; + -n=*|--namespace=*) namespace="${1#*=}";; - -f|--values) VALUES_FILE="$2"; shift;; - -f=*|--values=*) VALUES_FILE="${1#*=}";; + -f|--values) values_file="$2"; shift;; + -f=*|--values=*) values_file="${1#*=}";; - -s|--serviceaccount) SERVICEACCOUNT="$2"; shift;; - -s=*|--serviceaccount=*) SERVICEACCOUNT="${1#*=}";; + -s|--serviceaccount) serviceaccount="$2"; shift;; + -s=*|--serviceaccount=*) serviceaccount="${1#*=}";; - --no-diff) DIFF="false";; + --no-diff) diff="false";; - --dry-run) DRY_RUN="true";; + --dry-run) dry_run="true";; - --auth-separator) AUTH_SEPARATOR="$2"; shift;; - --auth-separator=*) AUTH_SEPARATOR="${1#*=}";; + --auth-separator) auth_separator="$2"; shift;; + --auth-separator=*) auth_separator="${1#*=}";; - --bitbucket-auth) BITBUCKET_AUTH="$2"; shift;; - --bitbucket-auth=*) BITBUCKET_AUTH="${1#*=}";; + --bitbucket-auth) bitbucket_auth="$2"; shift;; + --bitbucket-auth=*) bitbucket_auth="${1#*=}";; - --bitbucket-webhook-secret) BITBUCKET_WEBHOOK_SECRET="$2"; shift;; - --bitbucket-webhook-secret=*) BITBUCKET_WEBHOOK_SECRET="${1#*=}";; + --bitbucket-webhook-secret) bitbucket_webhook_secret="$2"; shift;; + --bitbucket-webhook-secret=*) bitbucket_webhook_secret="${1#*=}";; - --nexus-auth) NEXUS_AUTH="$2"; shift;; - --nexus-auth=*) NEXUS_AUTH="${1#*=}";; + --nexus-auth) nexus_auth="$2"; shift;; + --nexus-auth=*) nexus_auth="${1#*=}";; - --private-cert) PRIVATE_CERT="$2"; shift;; - --private-cert=*) PRIVATE_CERT="${1#*=}";; + --private-cert) private_cert="$2"; shift;; + --private-cert=*) private_cert="${1#*=}";; *) echo "Unknown parameter passed: $1"; exit 1;; esac; shift; done -cd "${SCRIPT_DIR}" +cd "${script_dir}" -VALUES_FILES=$(echo "$VALUES_FILE" | tr "," "\n") -VALUES_ARGS=() 
-for valueFile in ${VALUES_FILES}; do - VALUES_ARGS+=(--values="${valueFile}") +values_fileS=$(echo "$values_file" | tr "," "\n") +values_args=() +for valueFile in ${values_fileS}; do + values_args+=(--values="${valueFile}") done -if [ "${VERBOSE}" == "true" ]; then +if [ "${verbose}" == "true" ]; then set -x fi -if [ -z "${NAMESPACE}" ]; then +if [ -z "${namespace}" ]; then echo "--namespace is required" exit 1 fi @@ -120,7 +120,7 @@ kubectlApplySecret () { # To avoid forward slashes messing up sed, escape forward slashes first. # See https://tldp.org/LDP/abs/html/string-manipulation.html. # shellcheck disable=SC2002 - cat "${secretTemplate}" | sed "s/{{name}}/${secretName}/" | sed "s/{{username}}/${username//\//\\/}/" | sed "s/{{password}}/${password//\//\\/}/" | "${KUBECTL_BIN}" -n "${NAMESPACE}" apply -f - + cat "${secretTemplate}" | sed "s/{{name}}/${secretName}/" | sed "s/{{username}}/${username//\//\\/}/" | sed "s/{{password}}/${password//\//\\/}/" | "${kubectl_bin}" -n "${namespace}" apply -f - } installSecret () { 
@@ -131,14 +131,14 @@ installSecret () { local passwordPrompt="$5" # Split flag value on first occurence of auth separator. - local authUser="${flagValue%%"${AUTH_SEPARATOR}"*}" - local authPassword="${flagValue#*"${AUTH_SEPARATOR}"}" + local authUser="${flagValue%%"${auth_separator}"*}" + local authPassword="${flagValue#*"${auth_separator}"}" # If the secret exists and the flag is present, update the secret. - if "${KUBECTL_BIN}" -n "${NAMESPACE}" get "secret/${secretName}" &> /dev/null; then + if "${kubectl_bin}" -n "${namespace}" get "secret/${secretName}" &> /dev/null; then # In case the secret was previously managed by Helm, we want to instruct Helm # to keep the resource during helm upgrade. - "${KUBECTL_BIN}" -n "${NAMESPACE}" annotate --overwrite secret "${secretName}" "helm.sh/resource-policy=keep" + "${kubectl_bin}" -n "${namespace}" annotate --overwrite secret "${secretName}" "helm.sh/resource-policy=keep" if [ -n "${flagValue}" ]; then echo "Updating secret ${secretName} ..." kubectlApplySecret "${secretName}" "${secretTemplate}" "${authUser}" "${authPassword}" 
@@ -181,43 +181,43 @@ installTLSSecret () { openssl s_client -showcerts -connect "${privateCert}" "${certFile}" fi - if "${KUBECTL_BIN}" -n "${NAMESPACE}" get "secret/${secretName}" &> /dev/null; then + if "${kubectl_bin}" -n "${namespace}" get "secret/${secretName}" &> /dev/null; then echo "Re-creating secret ${secretName} ..." - "${KUBECTL_BIN}" -n "${NAMESPACE}" delete secret "${secretName}" + "${kubectl_bin}" -n "${namespace}" delete secret "${secretName}" else echo "Creating secret ${secretName} ..." fi - "${KUBECTL_BIN}" -n "${NAMESPACE}" create secret generic "${secretName}" \ + "${kubectl_bin}" -n "${namespace}" create secret generic "${secretName}" \ --from-file=tls.crt="${certFile}" rm private-cert.pem.tmp &>/dev/null || true fi } # Manage serviceaccount ... -if "${KUBECTL_BIN}" -n "${NAMESPACE}" get serviceaccount/"${SERVICEACCOUNT}" &> /dev/null; then +if "${kubectl_bin}" -n "${namespace}" get serviceaccount/"${serviceaccount}" &> /dev/null; then echo "Serviceaccount exists already ..." else echo "Creating serviceaccount ..." - if [ "${DRY_RUN}" == "true" ]; then + if [ "${dry_run}" == "true" ]; then echo "(skipping in dry-run)" else - "${KUBECTL_BIN}" -n "${NAMESPACE}" create serviceaccount "${SERVICEACCOUNT}" + "${kubectl_bin}" -n "${namespace}" create serviceaccount "${serviceaccount}" - "${KUBECTL_BIN}" -n "${NAMESPACE}" \ - create rolebinding "${SERVICEACCOUNT}-edit" \ + "${kubectl_bin}" -n "${namespace}" \ + create rolebinding "${serviceaccount}-edit" \ --clusterrole edit \ - --serviceaccount "${NAMESPACE}:${SERVICEACCOUNT}" + --serviceaccount "${namespace}:${serviceaccount}" fi fi echo "Installing secrets ..." -if [ "${DRY_RUN}" == "true" ]; then +if [ "${dry_run}" == "true" ]; then echo "(skipping in dry-run)" else # Bitbucket username is not required as PAT alone is enough. 
installSecret "ods-bitbucket-auth" \ "basic-auth-secret.yaml.tmpl" \ - "${BITBUCKET_AUTH}" \ + "${bitbucket_auth}" \ "Please enter the username of Bitbucket user with write permission." \ "Please enter a personal access token of this Bitbucket user (input will be hidden):" 
@@ -225,60 +225,60 @@ else # No prompts -> password will be auto-generated if not given. installSecret "ods-bitbucket-webhook" \ "opaque-secret.yaml.tmpl" \ - "${BITBUCKET_WEBHOOK_SECRET}" \ + "${bitbucket_webhook_secret}" \ "" "" installSecret "ods-nexus-auth" \ "basic-auth-secret.yaml.tmpl" \ - "${NEXUS_AUTH}" \ + "${nexus_auth}" \ "Please enter the username of a Nexus user with write permission:" \ "Please enter the password of this Nexus user (input will be hidden):" - installTLSSecret "ods-private-cert" "${PRIVATE_CERT}" + installTLSSecret "ods-private-cert" "${private_cert}" fi -echo "Installing Helm release ${RELEASE_NAME} ..." -if [ "${DIFF}" == "true" ]; then - if "${HELM_BIN}" -n "${NAMESPACE}" \ +echo "Installing Helm release ${release_name} ..." +if [ "${diff}" == "true" ]; then + if "${helm_bin}" -n "${namespace}" \ diff upgrade --install --detailed-exitcode --three-way-merge --normalize-manifests \ - "${VALUES_ARGS[@]}" \ - ${RELEASE_NAME} ${CHART_DIR}; then + "${values_args[@]}" \ + ${release_name} ${chart_dir}; then echo "Helm release already up-to-date." else - if [ "${DRY_RUN}" == "true" ]; then + if [ "${dry_run}" == "true" ]; then echo "(skipping in dry-run)" else - "${HELM_BIN}" -n "${NAMESPACE}" \ + "${helm_bin}" -n "${namespace}" \ upgrade --install \ - "${VALUES_ARGS[@]}" \ - ${RELEASE_NAME} ${CHART_DIR} + "${values_args[@]}" \ + ${release_name} ${chart_dir} fi fi else - if [ "${DRY_RUN}" == "true" ]; then + if [ "${dry_run}" == "true" ]; then echo "(skipping in dry-run)" else - "${HELM_BIN}" -n "${NAMESPACE}" \ + "${helm_bin}" -n "${namespace}" \ upgrade --install \ - "${VALUES_ARGS[@]}" \ - ${RELEASE_NAME} ${CHART_DIR} + "${values_args[@]}" \ + ${release_name} ${chart_dir} fi fi echo "Adding Tekton annotation to ods-bitbucket-auth secret ..." 
-if [ "${DRY_RUN}" == "true" ]; then +if [ "${dry_run}" == "true" ]; then echo "(skipping in dry-run)" else - bitbucketUrl=$("${KUBECTL_BIN}" -n "${NAMESPACE}" get cm/ods-bitbucket -ojsonpath='{.data.url}') - "${KUBECTL_BIN}" -n "${NAMESPACE}" annotate --overwrite secret ods-bitbucket-auth "tekton.dev/git-0=${bitbucketUrl}" + bitbucketUrl=$("${kubectl_bin}" -n "${namespace}" get cm/ods-bitbucket -ojsonpath='{.data.url}') + "${kubectl_bin}" -n "${namespace}" annotate --overwrite secret ods-bitbucket-auth "tekton.dev/git-0=${bitbucketUrl}" fi -echo "Adding ods-bitbucket-auth secret to ${SERVICEACCOUNT} serviceaccount ..." -if [ "${DRY_RUN}" == "true" ]; then +echo "Adding ods-bitbucket-auth secret to ${serviceaccount} serviceaccount ..." +if [ "${dry_run}" == "true" ]; then echo "(skipping in dry-run)" else - "${KUBECTL_BIN}" -n "${NAMESPACE}" \ - patch sa "${SERVICEACCOUNT}" \ + "${kubectl_bin}" -n "${namespace}" \ + patch sa "${serviceaccount}" \ --type json \ -p '[{"op": "add", "path": "/secrets", "value":[{"name": "ods-bitbucket-auth"}]}]' fi From eb0f775de2e1eca8ee81eb3758d85f42efc81223 Mon Sep 17 00:00:00 2001 From: Michael Sauter Date: Fri, 29 Sep 2023 08:38:57 +0200 Subject: [PATCH 02/10] Move secret templates into script --- deploy/basic-auth-secret.yaml.tmpl | 10 ---------- deploy/install.sh | 28 ++++++++++++++++++++++++---- deploy/opaque-secret.yaml.tmpl | 9 --------- 3 files changed, 24 insertions(+), 23 deletions(-) delete mode 100644 deploy/basic-auth-secret.yaml.tmpl delete mode 100644 deploy/opaque-secret.yaml.tmpl diff --git a/deploy/basic-auth-secret.yaml.tmpl b/deploy/basic-auth-secret.yaml.tmpl deleted file mode 100644 index 9f2b9240..00000000 --- a/deploy/basic-auth-secret.yaml.tmpl +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: '{{name}}' - labels: - app.kubernetes.io/name: ods-pipeline -stringData: - password: '{{password}}' - username: '{{username}}' -type: kubernetes.io/basic-auth 
diff --git a/deploy/install.sh b/deploy/install.sh index 157bf359..e09551bf 100755 --- a/deploy/install.sh +++ b/deploy/install.sh @@ -17,6 +17,26 @@ bitbucket_auth="" bitbucket_webhook_secret="" nexus_auth="" private_cert="" +# Templates +basicAuthSecretTemplate="apiVersion: v1 +kind: Secret +metadata: + name: '{{name}}' + labels: + app.kubernetes.io/name: ods-pipeline +stringData: + password: '{{password}}' + username: '{{username}}' +type: kubernetes.io/basic-auth" +opaqueSecretTemplate="apiVersion: v1 +kind: Secret +metadata: + name: '{{name}}' + labels: + app.kubernetes.io/name: ods-pipeline +stringData: + secret: '{{password}}' +type: Opaque" # Check prerequisites. kubectl_bin="" @@ -120,7 +140,7 @@ kubectlApplySecret () { # To avoid forward slashes messing up sed, escape forward slashes first. # See https://tldp.org/LDP/abs/html/string-manipulation.html. # shellcheck disable=SC2002 - cat "${secretTemplate}" | sed "s/{{name}}/${secretName}/" | sed "s/{{username}}/${username//\//\\/}/" | sed "s/{{password}}/${password//\//\\/}/" | "${kubectl_bin}" -n "${namespace}" apply -f - + echo "${secretTemplate}" | sed "s/{{name}}/${secretName}/" | sed "s/{{username}}/${username//\//\\/}/" | sed "s/{{password}}/${password//\//\\/}/" | "${kubectl_bin}" -n "${namespace}" apply -f - } installSecret () { @@ -216,7 +236,7 @@ if [ "${dry_run}" == "true" ]; then else # Bitbucket username is not required as PAT alone is enough. installSecret "ods-bitbucket-auth" \ - "basic-auth-secret.yaml.tmpl" \ + "${basicAuthSecretTemplate}" \ "${bitbucket_auth}" \ "Please enter the username of Bitbucket user with write permission." \ "Please enter a personal access token of this Bitbucket user (input will be hidden):" 
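Review bot: The new file-scope variables `basicAuthSecretTemplate` and `opaqueSecretTemplate` reintroduce camelCase one commit after the globals were moved to lower snake_case. `basic_auth_secret_template` and `opaque_secret_template` would match `bitbucket_auth`, `values_file` and the rest, with the three `installSecret` call sites updated to follow. Both values are constants, so declaring them `readonly` would make clear that nothing rewrites them. A comment above them such as `# {{name}}, {{username}} and {{password}} are substituted by kubectlApplySecret` would tell the reader where the placeholders get filled in.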
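Review bot: In the kubectlApplySecret hunk, the credential is still spliced into a sed replacement with only `/` escaped, so a password or token containing `&` or `\` is stored altered, and one containing `'` breaks the single-quoted YAML scalars of the now inline templates. The value should be escaped for both layers before substitution (backslash-escape `\`, `&` and `/` for sed, double any `'` for YAML), or the manifest built without sed. Passing the secret as a sed argument also exposes it in the process list and in the `set -x` trace that `--verbose` enables, which deserves a comment at least. With `cat` gone the `# shellcheck disable=SC2002` directive is stale and can be dropped, and `printf '%s\n' "${secretTemplate}"` is safer than `echo` for arbitrary content. The function body starts above the hunk, so its parameter handling is not visible here.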
@@ -224,12 +244,12 @@ else # Webhook secret is a special case, as we do not want the user to set it. # No prompts -> password will be auto-generated if not given. installSecret "ods-bitbucket-webhook" \ - "opaque-secret.yaml.tmpl" \ + "${opaqueSecretTemplate}" \ "${bitbucket_webhook_secret}" \ "" "" installSecret "ods-nexus-auth" \ - "basic-auth-secret.yaml.tmpl" \ + "${basicAuthSecretTemplate}" \ "${nexus_auth}" \ "Please enter the username of a Nexus user with write permission:" \ "Please enter the password of this Nexus user (input will be hidden):" diff --git a/deploy/opaque-secret.yaml.tmpl b/deploy/opaque-secret.yaml.tmpl deleted file mode 100644 index 554b26fd..00000000 --- a/deploy/opaque-secret.yaml.tmpl +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: '{{name}}' - labels: - app.kubernetes.io/name: ods-pipeline -stringData: - secret: '{{password}}' -type: Opaque From d1333c6a7c0c4e88a8776f3ad3a5ca943766a2fa Mon Sep 17 00:00:00 2001 From: Michael Sauter Date: Fri, 29 Sep 2023 08:51:55 +0200 Subject: [PATCH 03/10] Add chart release action --- .github/workflows/chart.yaml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 .github/workflows/chart.yaml diff --git a/.github/workflows/chart.yaml b/.github/workflows/chart.yaml new file mode 100644 index 00000000..43adec8c --- /dev/null +++ b/.github/workflows/chart.yaml @@ -0,0 +1,25 @@ +name: Release Charts + +on: + push: + branches: + - featre/easy-install + +jobs: + release: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Configure Git + run: | + git config user.name "$GITHUB_ACTOR" + git config user.email "$GITHUB_ACTOR@users.noreply.github.com" + + - name: Run chart-releaser + uses: helm/chart-releaser-action@v1.5.0 + env: + CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" From 481040ce3290934dc842681852b875ab2bdd8e0e Mon Sep 17 00:00:00 2001 
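Review bot: The new `.github/workflows/chart.yaml` declares no `permissions:` block, so the `release` job gets whatever default scope the repository grants `GITHUB_TOKEN`, although it is handed to a third-party action as `CR_TOKEN`. Adding `permissions:` with `contents: write` under the `release` job limits the token to what publishing a release and pushing the chart index needs. Both `actions/checkout@v4` and `helm/chart-releaser-action@v1.5.0` are referenced by mutable tags. Pinning each to a full commit SHA, for example `uses: helm/chart-releaser-action@<full-commit-sha> # v1.5.0`, keeps a retagged upstream release from running in a job that holds a write token.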
From: Michael Sauter Date: Fri, 29 Sep 2023 09:01:37 +0200 Subject: [PATCH 04/10] Publish Helm chart to GitHub Pages Closes #728. --- .github/workflows/chart.yaml | 4 +- deploy/install.sh | 10 ++++- docs/installation.adoc | 79 +++++++++++------------------------- 3 files changed, 35 insertions(+), 58 deletions(-) diff --git a/.github/workflows/chart.yaml b/.github/workflows/chart.yaml index 43adec8c..0be0a3bc 100644 --- a/.github/workflows/chart.yaml +++ b/.github/workflows/chart.yaml @@ -3,7 +3,7 @@ name: Release Charts on: push: branches: - - featre/easy-install + - feature/easy-install jobs: release: @@ -21,5 +21,7 @@ jobs: - name: Run chart-releaser uses: helm/chart-releaser-action@v1.5.0 + with: + charts_dir: deploy env: CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" diff --git a/deploy/install.sh b/deploy/install.sh index e09551bf..0a9744b9 100755 --- a/deploy/install.sh +++ b/deploy/install.sh @@ -257,12 +257,18 @@ else installTLSSecret "ods-private-cert" "${private_cert}" fi +echo "Discovering Helm repository ..." +helm_repo_alias="ods-pipeline" +chart_name="ods-pipeline" +"${helm_bin}" repo add "${helm_repo_alias}" https://opendevstack.github.io/ods-pipeline +"${helm_bin}" repo update "${helm_repo_alias}" + echo "Installing Helm release ${release_name} ..." if [ "${diff}" == "true" ]; then if "${helm_bin}" -n "${namespace}" \ diff upgrade --install --detailed-exitcode --three-way-merge --normalize-manifests \ "${values_args[@]}" \ - ${release_name} ${chart_dir}; then + "${release_name}" "${helm_repo_alias}/${chart_name}"; then echo "Helm release already up-to-date." else if [ "${dry_run}" == "true" ]; then @@ -281,7 +287,7 @@ else "${helm_bin}" -n "${namespace}" \ upgrade --install \ "${values_args[@]}" \ - ${release_name} ${chart_dir} + "${release_name}" "${helm_repo_alias}/${chart_name}" fi fi diff --git a/docs/installation.adoc b/docs/installation.adoc index 4d9ab43a..26d48c95 100644 --- a/docs/installation.adoc +++ b/docs/installation.adoc 
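Review bot: In the diff-enabled branch, `helm diff upgrade` now targets `"${helm_repo_alias}/${chart_name}"`, but the `upgrade --install` that follows it appears to lie between the two install.sh hunks and so still ends in `${release_name} ${chart_dir}`. The diff is therefore computed against the published chart while the local chart directory is what gets installed. That line should read `"${release_name}" "${helm_repo_alias}/${chart_name}"` like the no-diff branch. The new `repo add` and `repo update` calls also sit outside every `dry_run` check, so `--dry-run` now changes the local Helm repository configuration. No `--version` is passed either, so the installed chart version is whatever the repository index resolves to at run time, where `--version "<chart-version>"` on both helm calls would make the run reproducible.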
@@ -5,50 +5,42 @@ This guide will show how to install ODS Pipeline in an existing ODS project. It An ODS Pipeline installation consists of the following resources: -* `Task` resources -* `ConfigMap` and `Secret` resources, e.g. holding credentials of centrally installed tools such as Nexus and SonarQube * A pipeline manager, which is creating pipeline runs in response to Bitbucket webhook requests +* A start and finish task which will get injected into every pipeline run +* `ConfigMap` and `Secret` resources, e.g. holding credentials of centrally installed tools such as Nexus and Bitbucket + == Prerequisites You'll need: -* A namespace in an OpenShift cluster (such as `foo-cd` from an existing ODS project) and a project in Bitbucket (such as `FOO`). +* A namespace in an OpenShift/Kubernetes cluster (such as `foo-cd` from an existing ODS project) and a project in Bitbucket (such as `FOO`). * `git`, link:https://docs.openshift.com/container-platform/latest/cli_reference/openshift_cli/getting-started-cli.html[`oc`] (or link:https://kubernetes.io/docs/reference/kubectl/[`kubectl`]) and link:https://helm.sh[`helm`] installed locally. The plugin link:https://github.com/databus23/helm-diff[`helm-diff`] is optional but recommended. == Installation Instructions -The installation procedure consists of two steps: - -1. Creating a Git repository defining the configuration of the ODS Pipeline installation -2. Using Helm to install from this Git repository +ODS Pipeline is packaged as a Helm chart. The installation procedure consists of three quick steps: -=== Creating a Git repository +1. Configuring the chart values +2. Running the install script (which will deploy the Helm chart) +3. Exposing a route to the pipeline manager -Create a new repository in Bitbucket, e.g. `foo-cd`. The name can be anything, but since the repository will define the K8s resources of namespace `foo-cd` in code, it makes sense to mirror the namespace name. 
Clone the repository locally and make an initial commit, e.g. by adding a readme file. +=== Step 1: Configuring the chart values -IMPORTANT: The following commands will fail in an empty Git repository, so make sure you have made at least one commit in this repository. - -Now use `git subtree` to get the required source files. The following commands may look a bit complicated, but in a nutshell, they are simply adding one folder (`deploy/`) from the `opendevstack/ods-pipeline` repository at the given revision (e.g. `master`) into your new local repository at the path `deploy`. The benefit of this approach is that it'll make updating ODS Pipeline simple. +Download the template and fill in the values according to the comments in that file. [source] ---- -pipelineGitRef=v0.13.2 # Pick the version you want to install - -git fetch --depth=1 https://github.com/opendevstack/ods-pipeline.git $pipelineGitRef:ods-pipeline-$pipelineGitRef && \ -git checkout ods-pipeline-$pipelineGitRef && \ -git subtree split --prefix=deploy -b subtree-split-branch-$pipelineGitRef && \ -git checkout - && \ -git subtree add --squash --prefix=deploy subtree-split-branch-$pipelineGitRef +curl -L https://raw.githubusercontent.com/opendevstack/ods-pipeline/master/deploy/values.yaml.tmpl -o values.yaml ---- -Once this is done, change to the new folder `deploy` to configure the values of the Helm Chart. Run `cp values.yaml.tmpl values.yaml`, then edit `values.yaml` as described in the comments in that file. Commit and push before proceeding to the next step. +TIP: It is recommended to keep this file around after the installation so that it can be reused when updating ODS Pipeline to future versions. 
-=== Using Helm to install from the Git repository +=== Step 2: Running the install script ==== Option 1: With external API access -If you have access to the OpenShift API from your local machine, you can simply login to the OpenShift cluster, then install ODS Pipeline by running: +If you have access to the OpenShift API from your local machine, simply login to the OpenShift cluster and install ODS Pipeline by running: [source] ---- @@ -61,8 +53,6 @@ IMPORTANT: If tasks need to trust a private certificate, pass `--private-cert > section. - ==== Option 2: Without external API access If you do not have access to the OpenShift API from your local machine, you can use the https://docs.openshift.com/container-platform/latest/web_console/odc-about-web-terminal.html[OpenShift Web Terminal] to install ODS Pipeline. Open a web terminal in your `*-cd` namespace, then run: 
@@ -72,48 +62,33 @@ If you do not have access to the OpenShift API from your local machine, you can curl -L https://raw.githubusercontent.com/opendevstack/ods-pipeline/master/scripts/web-terminal-install.sh | bash ---- -This will install all prerequisites automatically. Then you can clone the repository and run `./install.sh -n ` in the terminal. +This will install all prerequisites automatically. Then you can clone the repository and run `./install.sh -n `. `./install.sh` will interactively ask for credentials (such as Bitbucket access token) and will create corresponding K8s secrets. If you prefer to pass these secrets via flags, see `./install.sh --help` for all options. -After you ran the install script, continue with the <> section. - -==== Finishing the installation +=== Step 3: Exposing a route to the pipeline manager Create an HTTPS route to expose the `ods-pipeline` service. You'll need the exposed URL (together with the webhook secret that is stored in the `ods-bitbucket-webhook` K8s secret) when you create webhooks in Bitbucket repositories later. +Done, now you are ready to link:add-to-repository.adoc[enable your repositories to use ODS pipeline]! + IMPORTANT: The `pipeline` serviceaccount needs `admin` permissions in the Kubernetes namespaces it deploys to (e.g. `foo-dev` and `foo-test`). You must create rolebindings for this manually. CAUTION: An important feature of ODS Pipeline is to retain pipeline run artifacts in Nexus and re-use them future pipeline runs (e.g. to promote built container images to another environment). For this purpose, you should create a few `raw` repositories in Nexus. These repositories should not allow re-deployment of artifacts. For example, you might want to have `ods-pipeline-dev`, `ods-pipeline-qa` and `ods-pipeline-prod` repositories, each with a different cleanup policy as fitting your needs. 
You can then use these repositories from your pipeline to store artifacts and enforce a progression of artifacts from DEV > QA > PROD. -Now you are ready to link:add-to-repository.adoc[enable your repositories to use ODS pipeline]! == Update Instructions -The update procedure consists of two steps: +The update procedure consists of two quick steps: -1. Updating the Git repository defining the configuration of the ODS Pipeline installation -2. Using Helm to install from the Git repository +1. Updating the chart values if required +2. Running the install script (which will deploy the Helm chart) -=== Updating the Git repository +=== Step 1: Updating the chart values -You may fetch updates (e.g. new versions) of `ods-pipeline` like this: +Check if any new values have been introduced in `values.yaml.tmpl` and update your `values.yaml` (which you hopefully retained from the installation) accordingly. -[source] ----- -pipelineGitRef=v0.13.2 # Pick the version you want to update to - -git branch -D ods-pipeline-$pipelineGitRef subtree-split-branch-$pipelineGitRef || true && \ -git fetch --depth=1 https://github.com/opendevstack/ods-pipeline.git $pipelineGitRef:ods-pipeline-$pipelineGitRef && \ -git checkout ods-pipeline-$pipelineGitRef && \ -git subtree split --prefix=deploy -b subtree-split-branch-$pipelineGitRef && \ -git checkout - && \ -git subtree merge --prefix=deploy subtree-split-branch-$pipelineGitRef --squash ----- - -Afterwards, check if any new values have been introduced in `values.yaml.tmpl` and update `values.yaml` accordingly. Commit and push the result. - -=== Using Helm to install from the Git repository +=== Step 2: Running the install script ==== Option 1: With external API access 
@@ -126,8 +101,6 @@ If you have access to the OpenShift API from your local machine, you can simply TIP: You may also use `--dry-run` to see the changes first. -After you ran the script, continue with the <> section. - TIP: By default, the credentials stored in the K8s secrets will not be updated. If you want to make a change, pass any new values as flags to `install.sh` (see `./install.sh --help` for all options) or update the secrets manually. ==== Option 2: Without external API access @@ -142,7 +115,3 @@ curl -L https://raw.githubusercontent.com/opendevstack/ods-pipeline/master/scrip This will install all prerequisites automatically and update your ODS Pipeline installation to the latest state of your Git repository. TIP: The credentials stored in the K8s secrets will not be updated. If you need to change those, update them manually. - -==== Finishing the update - -Once the resources in your namespace are updated, you likely have to update the `ods.yaml` files in your repository to point to the new tasks, e.g. changing `ods-build-go-v0-12-0` to `ods-build-go-v0-13-2`. From 2648fe5eca43d595969d83bfd98a9a18ffa218c9 Mon Sep 17 00:00:00 2001 From: Michael Sauter Date: Fri, 29 Sep 2023 16:51:28 +0200 Subject: [PATCH 05/10] Fix chart version / appVersion --- deploy/chart/Chart.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deploy/chart/Chart.yaml b/deploy/chart/Chart.yaml index e8197bba..b8bb298d 100644 --- a/deploy/chart/Chart.yaml +++ b/deploy/chart/Chart.yaml 
@@ -15,10 +15,10 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.13.2 +version: 0.14.0-preview.1 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "0.13.2" +appVersion: "0.14.0-preview.1" From 5df9faf8561ec6e7f4c7915ec487aa5a71a508cb Mon Sep 17 00:00:00 2001 From: Michael Sauter Date: Mon, 2 Oct 2023 08:31:14 +0200 Subject: [PATCH 06/10] Adjust install script to use remote chart by default --- deploy/install.sh | 59 ++++++++++++++++++++-------------- scripts/install-inside-kind.sh | 1 + 2 files changed, 36 insertions(+), 24 deletions(-) diff --git a/deploy/install.sh b/deploy/install.sh index 0a9744b9..36f602c1 100755 --- a/deploy/install.sh +++ b/deploy/install.sh @@ -3,14 +3,16 @@ set -ue script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" -verbose="false" -dry_run="false" +verbose=false +dry_run=false +use_local_chart=false diff="true" namespace="" release_name="ods-pipeline" serviceaccount="pipeline" values_file="values.yaml" chart_dir="./chart" +chart_version="0.14.0-preview.1" # Secrets auth_separator=":" bitbucket_auth="" 
@@ -59,6 +61,7 @@ function usage { printf "\t-h|--help\t\t\tPrints this usage information.\n" printf "\t-v|--verbose\t\t\tTurn on verbose output.\n" printf "\t-n|--namespace\t\t\tK8s namespace to target.\n" + printf "\t--local-chart\t\t\tUse local chart instead of remote, versioned chart.\n" printf "\t-f|--values\t\t\tValues file to supply to Helm (defaults to '%s'). Multiple files can be specified comma-separated.\n" "$values_file" printf "\t-s|--serviceaccount\t\tServiceaccount to use (defaults to '%s').\n" "$serviceaccount" printf "\t--no-diff\t\t\tDo not run Helm diff before running Helm upgrade.\n" @@ -68,6 +71,7 @@ function usage { printf "\t--bitbucket-webhook-secret\tSecret to protect webhook endpoint with (if not given, script will generate this).\n" printf "\t--nexus-auth\t\t\tUsername and password (separated by '%s') of a Nexus user (if not given, script will prompt for this).\n" "$auth_separator" printf "\t--private-cert\t\t\tHost from which to download private certificate (if not given, script will skip this).\n" + printf "\t--chart-version\t\t\tOverwrite chart version (defaults to '%s').\n" "$chart_version" printf "\nExample:\n\n" printf "\t%s \ \ \n\t\t--namespace foo \ \ @@ -81,7 +85,13 @@ while [ "$#" -gt 0 ]; do -h|--help) shift; usage; exit 0;; - -v|--verbose) verbose="true";; + -v|--verbose) verbose=true;; + + --no-diff) diff=false;; + + --dry-run) dry_run=true;; + + --local-chart) use_local_chart=true;; -n|--namespace) namespace="$2"; shift;; -n=*|--namespace=*) namespace="${1#*=}";; @@ -92,10 +102,6 @@ while [ "$#" -gt 0 ]; do -s|--serviceaccount) serviceaccount="$2"; shift;; -s=*|--serviceaccount=*) serviceaccount="${1#*=}";; - --no-diff) diff="false";; - - --dry-run) dry_run="true";; - --auth-separator) auth_separator="$2"; shift;; --auth-separator=*) auth_separator="${1#*=}";; 
@@ -111,6 +117,9 @@ while [ "$#" -gt 0 ]; do --private-cert) private_cert="$2"; shift;; --private-cert=*) private_cert="${1#*=}";; + --chart-version) chart_version="$2"; shift;; + --chart-version=*) chart_version="${1#*=}";; + *) echo "Unknown parameter passed: $1"; exit 1;; esac; shift; done @@ -122,7 +131,7 @@ for valueFile in ${values_fileS}; do values_args+=(--values="${valueFile}") done -if [ "${verbose}" == "true" ]; then +if [ "${verbose}" = true ]; then set -x fi @@ -218,7 +227,7 @@ if "${kubectl_bin}" -n "${namespace}" get serviceaccount/"${serviceaccount}" &> echo "Serviceaccount exists already ..." else echo "Creating serviceaccount ..." - if [ "${dry_run}" == "true" ]; then + if [ "${dry_run}" = true ]; then echo "(skipping in dry-run)" else "${kubectl_bin}" -n "${namespace}" create serviceaccount "${serviceaccount}" @@ -231,7 +240,7 @@ else fi echo "Installing secrets ..." -if [ "${dry_run}" == "true" ]; then +if [ "${dry_run}" = true ]; then echo "(skipping in dry-run)" else # Bitbucket username is not required as PAT alone is enough. 
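Review bot: The value accepted by `--chart-version` / `--chart-version=*` is later interpolated twice into the release download URL, and nothing between parsing and use restricts its characters, so a value containing `/`, `?` or `#` changes which artifact Helm is asked to fetch. After the option loop, a guard such as `case "${chart_version}" in ""|*[!0-9A-Za-z.+-]*) echo "Invalid --chart-version: ${chart_version}"; exit 1;; esac` limits it to version-shaped input and also rejects an empty `--chart-version=`. This matters most when the script is driven from CI with a parameter supplied by someone other than the operator. The enclosing `while`/`case` starts outside the hunk.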
@@ -257,42 +266,44 @@ else installTLSSecret "ods-private-cert" "${private_cert}" fi -echo "Discovering Helm repository ..." -helm_repo_alias="ods-pipeline" -chart_name="ods-pipeline" -"${helm_bin}" repo add "${helm_repo_alias}" https://opendevstack.github.io/ods-pipeline -"${helm_bin}" repo update "${helm_repo_alias}" +chart_location="" +if [ "${use_local_chart}" = true ]; then + chart_name="ods-pipeline" + chart_location="https://github.com/opendevstack/ods-pipeline/releases/download/${chart_name}-${chart_version}/${chart_name}-${chart_version}.tgz" +else + chart_location="${chart_dir}" +fi -echo "Installing Helm release ${release_name} ..." -if [ "${diff}" == "true" ]; then +echo "Installing Helm release ${release_name} from ${chart_location} ..." +if [ "${diff}" = true ]; then if "${helm_bin}" -n "${namespace}" \ diff upgrade --install --detailed-exitcode --three-way-merge --normalize-manifests \ "${values_args[@]}" \ - "${release_name}" "${helm_repo_alias}/${chart_name}"; then + "${release_name}" "${chart_location}"; then echo "Helm release already up-to-date." else - if [ "${dry_run}" == "true" ]; then + if [ "${dry_run}" = true ]; then echo "(skipping in dry-run)" else "${helm_bin}" -n "${namespace}" \ upgrade --install \ "${values_args[@]}" \ - ${release_name} ${chart_dir} + ${release_name} ${chart_location} fi fi else - if [ "${dry_run}" == "true" ]; then + if [ "${dry_run}" = true ]; then echo "(skipping in dry-run)" else "${helm_bin}" -n "${namespace}" \ upgrade --install \ "${values_args[@]}" \ - "${release_name}" "${helm_repo_alias}/${chart_name}" + "${release_name}" "${chart_url}" fi fi echo "Adding Tekton annotation to ods-bitbucket-auth secret ..." -if [ "${dry_run}" == "true" ]; then +if [ "${dry_run}" = true ]; then echo "(skipping in dry-run)" else bitbucketUrl=$("${kubectl_bin}" -n "${namespace}" get cm/ods-bitbucket -ojsonpath='{.data.url}') 
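Review bot: The `if [ "${use_local_chart}" = true ]` arm assigns the GitHub release URL to `chart_location` and the `else` arm assigns `${chart_dir}`, which is the reverse of what the `--local-chart` help text and the commit subject describe. As written, the default run installs from `${chart_dir}`, and `--local-chart` (which scripts/install-inside-kind.sh starts passing in this same patch) pulls the published tarball instead of the working tree. Swap the arm bodies so the `then` arm is `chart_location="${chart_dir}"` and the `else` arm sets `chart_name` and builds the URL. The `--no-diff` arm also passes `"${chart_url}"`, which is never assigned and aborts under `set -ue`; patch 07/10 replaces it with `${chart_location}`. Separately, the tarball is consumed straight from a URL with no integrity check, so if the release process can publish provenance files, `helm upgrade --verify` would be worth considering.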
@@ -300,7 +311,7 @@ else fi echo "Adding ods-bitbucket-auth secret to ${serviceaccount} serviceaccount ..." -if [ "${dry_run}" == "true" ]; then +if [ "${dry_run}" = true ]; then echo "(skipping in dry-run)" else "${kubectl_bin}" -n "${namespace}" \ diff --git a/scripts/install-inside-kind.sh b/scripts/install-inside-kind.sh index 308b46ea..1e206140 100755 --- a/scripts/install-inside-kind.sh +++ b/scripts/install-inside-kind.sh @@ -46,6 +46,7 @@ fi cd "${kind_deploy_path}" bash ./install.sh \ + --local-chart \ --bitbucket-auth "${bitbucket_auth}" \ --nexus-auth "${nexus_auth}" \ -f "${values_arg}" "$@" From 103b0f053908861aa60f2e89b8afa691d9f7d8c9 Mon Sep 17 00:00:00 2001 From: Michael Sauter Date: Mon, 2 Oct 2023 08:53:27 +0200 Subject: [PATCH 07/10] Fix shellcheck issues --- Makefile | 2 +- deploy/install.sh | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index 22b2af66..271cb729 100644 --- a/Makefile +++ b/Makefile @@ -33,7 +33,7 @@ lint-go: ## Run golangci-lint. .PHONY: lint-go lint-shell: ## Run shellcheck. - shellcheck scripts/*.sh build/package/scripts/* deploy/*.sh + shellcheck scripts/*.sh build/images/scripts/* deploy/*.sh .PHONY: lint-shell docs: ## Render documentation for tasks. diff --git a/deploy/install.sh b/deploy/install.sh index 36f602c1..bcce221b 100755 --- a/deploy/install.sh +++ b/deploy/install.sh @@ -288,7 +288,7 @@ if [ "${diff}" = true ]; then "${helm_bin}" -n "${namespace}" \ upgrade --install \ "${values_args[@]}" \ - ${release_name} ${chart_location} + "${release_name}" "${chart_location}" fi fi else @@ -298,7 +298,7 @@ else "${helm_bin}" -n "${namespace}" \ upgrade --install \ "${values_args[@]}" \ - "${release_name}" "${chart_url}" + "${release_name}" "${chart_location}" fi fi From dc103631b8b083a9ddd6a5eb45b162005883a75a Mon Sep 17 00:00:00 2001 
From: Michael Sauter Date: Mon, 2 Oct 2023 09:37:52 +0200 Subject: [PATCH 08/10] Adjust GitHub workflows --- .github/workflows/chart.yaml | 27 --------------------- .github/workflows/main.yaml | 43 +++++++++++++++++----------------- .github/workflows/release.yaml | 30 +++++++++++++++++++----- 3 files changed, 46 insertions(+), 54 deletions(-) delete mode 100644 .github/workflows/chart.yaml diff --git a/.github/workflows/chart.yaml b/.github/workflows/chart.yaml deleted file mode 100644 index 0be0a3bc..00000000 --- a/.github/workflows/chart.yaml +++ /dev/null @@ -1,27 +0,0 @@ -name: Release Charts - -on: - push: - branches: - - feature/easy-install - -jobs: - release: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Configure Git - run: | - git config user.name "$GITHUB_ACTOR" - git config user.email "$GITHUB_ACTOR@users.noreply.github.com" - - - name: Run chart-releaser - uses: helm/chart-releaser-action@v1.5.0 - with: - charts_dir: deploy - env: - CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index 7100f699..f673d7bb 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml @@ -7,7 +7,6 @@ on: pull_request: env: - # github.repository as / IMAGE_BASE: ${{ github.repository }} jobs: 
@@ -32,23 +31,25 @@ jobs: name: Run tests run: | make test - # - - # name: Log into ghcr.io - # if: ${{ github.event_name != 'pull_request' }} - # uses: docker/login-action@v1 - # with: - # registry: ghcr.io - # username: ${{ github.actor }} - # password: ${{ secrets.GITHUB_TOKEN }} - # - - # name: Push images to ghcr.io - # if: ${{ github.event_name != 'pull_request' }} - # run: | - # images=(${{ env.IMAGES }}) - # for image in ${images[*]} - # do - # echo "::group::Push ods-$image to ghcr.io" - # docker tag localhost:5000/ods/ods-$image:latest ghcr.io/${{ env.IMAGE_BASE }}/ods-$image:latest - # docker push ghcr.io/${{ env.IMAGE_BASE }}/ods-$image:latest - # echo "::endgroup::" - # done + - + name: Log into ghcr.io + if: ${{ github.event_name != 'pull_request' }} + uses: docker/login-action@v1 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - + name: Push images to ghcr.io + if: ${{ github.event_name != 'pull_request' }} + env: + IMAGES: finish pipeline-manager start + run: | + images=(${{ env.IMAGES }}) + for image in ${images[*]} + do + echo "::group::Push $image to ghcr.io" + docker tag localhost:5000/ods-pipeline/$image:latest ghcr.io/${{ env.IMAGE_BASE }}/$image:latest + docker push ghcr.io/${{ env.IMAGE_BASE }}/$image:latest + echo "::endgroup::" + done diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 0da1ffa2..1a137ef6 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -1,13 +1,11 @@ -name: Release images +name: Release images and chart on: release: types: - released env: - # Use docker.io for Docker Hub if empty REGISTRY: ghcr.io - # github.repository as / IMAGE_BASE: ${{ github.repository }} jobs: @@ -23,7 +21,7 @@ jobs: outputs: imageTag: ${{ steps.createImageTag.outputs.imageTag }} - build: + release-images: name: Build and release images needs: setup runs-on: ubuntu-latest 
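Review bot: The re-enabled `Log into ghcr.io` step references `docker/login-action@v1` by a movable major tag, and it is the step that receives `secrets.GITHUB_TOKEN`. Pinning it to a full commit SHA (`uses: docker/login-action@<full-commit-sha>`, placeholder) keeps a retagged release from running with that credential. The hunk shows no `permissions:` block for this job, so if none is set elsewhere the push relies on the repository's default token scope; declaring `packages: write` and `contents: read` explicitly makes that dependency visible and bounded. In the push loop, `${images[*]}` and `$image` are unquoted; `for image in "${images[@]}"` with quoted `docker tag` / `docker push` arguments would match the quoting that the shellcheck fixes in this series apply to install.sh. The job definition starts outside the hunk.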
@@ -37,8 +35,8 @@ jobs: id-token: write steps: - - name: Checkout repository - uses: actions/checkout@v3 + - name: Checkout + uses: actions/checkout@v4 # Workaround: https://github.com/docker/build-push-action/issues/461 - name: Setup Docker buildx @@ -63,3 +61,23 @@ jobs: file: build/package/Dockerfile.${{ matrix.image }} push: true tags: ${{ env.REGISTRY }}/${{ env.IMAGE_BASE }}/ods-${{ matrix.image }}:${{ needs.setup.outputs.imageTag }} + + release-chart: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Configure Git + run: | + git config user.name "$GITHUB_ACTOR" + git config user.email "$GITHUB_ACTOR@users.noreply.github.com" + + - name: Run chart-releaser + uses: helm/chart-releaser-action@v1.5.0 + with: + charts_dir: deploy + env: + CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" From fe73cf4aa1ef5095d07ee9c2c265d2ca8f825d75 Mon Sep 17 00:00:00 2001 From: Michael Sauter Date: Mon, 2 Oct 2023 09:41:50 +0200 Subject: [PATCH 09/10] Add change to changelog --- CHANGELOG.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 117c049a..1fee0d23 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
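Review bot: The new `release-chart` job declares no `permissions:`, whereas the context lines of `release-images` above it appear to belong to an explicit block (`id-token: write`), so this job runs with whatever default scope the repository grants `GITHUB_TOKEN`. chart-releaser has to create a release and push the chart index, so an explicit `permissions:` with `contents: write` and nothing else is the least-privilege form. `helm/chart-releaser-action@v1.5.0` is a tag reference; pinning it to a full commit SHA protects the step that is handed `CR_TOKEN`. The job also has no `needs:`, so the chart is published even when the image build in the same workflow fails, presumably leaving a chart that points at image tags which do not exist; confirm whether `needs: release-images` is intended.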
@@ -20,7 +20,9 @@ listed in the changelog. - Move pipeline tasks to separate repositories. This is a huge change with many implications. Instead of providing build, package and deploy taks as part of the `ods-pipeline` repository, the tasks are no provided by separate repositories, such as `ods-pipeline-go`, `ods-pipeline-sonar`, `ods-pipeline-image`, `ods-pipeline-helm` and so on. The only tasks that are provided by `ods-pipeline` are the start and finish tasks automatically injected into each pipeline. This change allows to have a different lifecycle for each task (or set of tasks). It also benefits maintenance greatly: running the tests for this repository is much faster now (around 10 minutes compared to 35+ minutes earlier). This repository facilitates task creation, maintenance and testing by providing a few Go packages that can be used by task repositories such as `ods-pipeline-helm`. For more information, see [#722](https://github.com/opendevstack/ods-pipeline/pull/722). -- Build tasks streamlining and avoidance of file copies (#678 fixed by [#710](https://github.com/opendevstack/ods-pipeline/pull/710)). This is an incompatible change. Build tasks were adjusted to (mostly) no longer copy build files in a dedicated location. Instead one should adjust the Dockerfile (or other downstream tasks) to directly consume the build outputs from their natural locations. In addition build task skipping now supports parameter `build-extra-inputs`. The package-image task `dockerfile` and `docker-dir` parameters have been changed to assume that the docker context and file are at the repository root. See the PR for further information and the issue for more context. +- Publish Helm chart and adjust install script to install from there. Instead of requiring users to create a local repository, using `git subtree`` to include the `deploy`` folder, and installing from the local chart, the install script now uses the published chart. 
This greatly simplifies the installation and upgrade procedure. See [#730](https://github.com/opendevstack/ods-pipeline/pull/730). + +- Build tasks streamlining and avoidance of file copies (#678 fixed by [#710](https://github.com/opendevstack/ods-pipeline/pull/710)). This is an incompatible change. Build tasks were adjusted to (mostly) no longer copy build files in a dedicated location. Instead one should adjust the Dockerfile (or other downstream tasks) to directly consume the build outputs from their natural locations. In addition build task skipping now supports parameter `build-extra-inputs`. The package-image task `dockerfile` and `docker-dir` parameters have been changed to assume that the docker context and file are at the repository root. See the PR for further information and the issue for more context. Note that these changes affect the extracted tasks, as described above. ## [0.13.2] - 2023-07-18 From 8ff845eec1e36a1588d7e7fe821c64a1fe93218e Mon Sep 17 00:00:00 2001 From: Michael Sauter Date: Mon, 2 Oct 2023 10:18:20 +0200 Subject: [PATCH 10/10] Remove separate web-terminal-install script --- deploy/install.sh | 4 --- docs/installation.adoc | 54 +++++++++---------------------- scripts/web-terminal-install.sh | 56 --------------------------------- 3 files changed, 15 insertions(+), 99 deletions(-) delete mode 100755 scripts/web-terminal-install.sh diff --git a/deploy/install.sh b/deploy/install.sh index bcce221b..dc70121d 100755 --- a/deploy/install.sh +++ b/deploy/install.sh @@ -1,8 +1,6 @@ #!/usr/bin/env bash set -ue -script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" - verbose=false dry_run=false use_local_chart=false @@ -123,8 +121,6 @@ while [ "$#" -gt 0 ]; do *) echo "Unknown parameter passed: $1"; exit 1;; esac; shift; done -cd "${script_dir}" - values_fileS=$(echo "$values_file" | tr "," "\n") values_args=() for valueFile in ${values_fileS}; do diff --git a/docs/installation.adoc b/docs/installation.adoc index 26d48c95..959f1b1e 100644 
--- a/docs/installation.adoc +++ b/docs/installation.adoc 
@@ -31,40 +31,27 @@ Download the template and fill in the values according to the comments in that f [source] ---- -curl -L https://raw.githubusercontent.com/opendevstack/ods-pipeline/master/deploy/values.yaml.tmpl -o values.yaml +curl -fsSL https://raw.githubusercontent.com/opendevstack/ods-pipeline/v0.14.0-preview.1/deploy/values.yaml.tmpl -o values.yaml ---- TIP: It is recommended to keep this file around after the installation so that it can be reused when updating ODS Pipeline to future versions. === Step 2: Running the install script -==== Option 1: With external API access - -If you have access to the OpenShift API from your local machine, simply login to the OpenShift cluster and install ODS Pipeline by running: +Login to the OpenShift cluster in your terminal, then run: [source] ---- -./install.sh -n +curl -fsSL https://raw.githubusercontent.com/opendevstack/ods-pipeline/v0.14.0-preview.1/deploy/install.sh | bash -s -- -n= ---- -The script will interactively ask for credentials (such as Bitbucket access token) and will create corresponding K8s secrets. If you prefer to pass these secrets via flags, see `./install.sh --help` for all options. - -IMPORTANT: If tasks need to trust a private certificate, pass `--private-cert `. This will create a K8s secret containing the certificate from the specified host, which will then be mounted in pods during task runs. +The script will interactively ask for credentials (such as Bitbucket access token) and will create corresponding K8s secrets. If you prefer to pass these secrets via flags, use `--help` to see all options. -TIP: You may pass `--dry-run` to review what `install.sh` will do before actually running the script. +IMPORTANT: If tasks need to trust a private certificate, pass `--private-cert=`. This will create a K8s secret containing the certificate from the specified host, which will then be mounted in pods during task runs. 
-==== Option 2: Without external API access +TIP: If you want to review the changes first before applying them, supply `--dry-run`. -If you do not have access to the OpenShift API from your local machine, you can use the https://docs.openshift.com/container-platform/latest/web_console/odc-about-web-terminal.html[OpenShift Web Terminal] to install ODS Pipeline. Open a web terminal in your `*-cd` namespace, then run: - -[source] ----- -curl -L https://raw.githubusercontent.com/opendevstack/ods-pipeline/master/scripts/web-terminal-install.sh | bash ----- - -This will install all prerequisites automatically. Then you can clone the repository and run `./install.sh -n `. - -`./install.sh` will interactively ask for credentials (such as Bitbucket access token) and will create corresponding K8s secrets. If you prefer to pass these secrets via flags, see `./install.sh --help` for all options. +TIP: If you do not have access to the OpenShift API from your local machine, you can use the https://docs.openshift.com/container-platform/latest/web_console/odc-about-web-terminal.html[OpenShift Web Terminal]. Open a web terminal in the target namespace and make sure the `values.yaml` file is present in the working directory there. Then run the installation script as described above. Note that you must either install the `helm-diff` plugin using `helm plugin install https://github.com/databus23/helm-diff --version "v3.3.2"` beforehand or supply `--no-diff` when running the install script. === Step 3: Exposing a route to the pipeline manager 
@@ -86,32 +73,21 @@ The update procedure consists of two quick steps: === Step 1: Updating the chart values -Check if any new values have been introduced in `values.yaml.tmpl` and update your `values.yaml` (which you hopefully retained from the installation) accordingly. +Ensure that the `values.yaml` file you used during installation is located in the working directory. Then check if any new values have been introduced in link:https://raw.githubusercontent.com/opendevstack/ods-pipeline/v0.14.0-preview.1/deploy/values.yaml.tmpl[`values.yaml.tmpl`] and update `values.yaml` accordingly. -=== Step 2: Running the install script +TIP: If you cannot find the `values.yaml` file from the installation, create it again using the values found in the current Helm installation. -==== Option 1: With external API access +=== Step 2: Running the install script -If you have access to the OpenShift API from your local machine, you can simply login to the OpenShift cluster in your terminal, then update the ODS Pipeline installation by running: +Login to the OpenShift cluster in your terminal, then run: [source] ---- -./install.sh -n +curl -fsSL https://raw.githubusercontent.com/opendevstack/ods-pipeline/v0.14.0-preview.1/deploy/install.sh | bash -s -- -n= ---- -TIP: You may also use `--dry-run` to see the changes first. - -TIP: By default, the credentials stored in the K8s secrets will not be updated. If you want to make a change, pass any new values as flags to `install.sh` (see `./install.sh --help` for all options) or update the secrets manually. - -==== Option 2: Without external API access - -If you do not have access to the OpenShift API from your local machine, you can use the https://docs.openshift.com/container-platform/latest/web_console/odc-about-web-terminal.html[OpenShift Web Terminal] to install ODS Pipeline. 
Open a web terminal in your `*-cd` namespace, then run: - -[source] ----- -curl -L https://raw.githubusercontent.com/opendevstack/ods-pipeline/master/scripts/web-terminal-install.sh | bash ----- +TIP: If you want to review the changes first before applying them, supply `--dry-run`. -This will install all prerequisites automatically and update your ODS Pipeline installation to the latest state of your Git repository. +TIP: By default, the credentials stored in the K8s secrets will not be updated. If you want to make a change, pass any new values as flags to the install script (supply `--help` to see all options) or update the secrets manually. -TIP: The credentials stored in the K8s secrets will not be updated. If you need to change those, update them manually. +TIP: If you do not have access to the OpenShift API from your local machine, you can use the https://docs.openshift.com/container-platform/latest/web_console/odc-about-web-terminal.html[OpenShift Web Terminal]. Open a web terminal in the target namespace and make sure the `values.yaml` file is present in the working directory there. Then run the installation script as described above. Note that you must either install the `helm-diff` plugin using `helm plugin install https://github.com/databus23/helm-diff --version "v3.3.2"` beforehand or supply `--no-diff` when running the install script. diff --git a/scripts/web-terminal-install.sh b/scripts/web-terminal-install.sh deleted file mode 100755 index dbd0bac5..00000000 --- a/scripts/web-terminal-install.sh +++ /dev/null 
@@ -1,56 +0,0 @@ -#!/bin/bash -set -eu - -HELM_PLUGIN_DIFF_VERSION=3.3.2 -REPOSITORY="" -NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace) - -while [ "$#" -gt 0 ]; do - # shellcheck disable=SC2034 - case $1 in - - -v|--verbose) VERBOSE="true";; - - -r|--repository) REPOSITORY="$2"; shift;; - -r=*|--repository=*) REPOSITORY="${1#*=}";; - - *) echo "Unknown parameter passed: $1"; exit 1;; -esac; shift; done - -echo "Extending PATH to user-writable location ..." -mkdir -p bin -export PATH=/home/user/bin:$PATH - -echo "Installing Helm plugins ..." -NO_DIFF_FLAG="" -if [ "$(helm plugin list | grep ^diff)" != "" ]; then - echo "Plugin helm-diff is already installed." -else - if command -v tar; then - helm plugin install https://github.com/databus23/helm-diff --version "v${HELM_PLUGIN_DIFF_VERSION}" - else - NO_DIFF_FLAG="--no-diff" - fi -fi - -echo "Cloning Git repository ..." -if oc -n "${NAMESPACE}" get secrets/ods-bitbucket-auth &> /dev/null; then - repoBase=$(oc -n "${NAMESPACE}" get configmaps/ods-bitbucket -o jsonpath='{.data.repoBase}') - authToken=$(oc -n "${NAMESPACE}" get secrets/ods-bitbucket-auth -o jsonpath='{.data.password}' | base64 --decode) - if [ -z "${REPOSITORY}" ]; then - REPOSITORY="${repoBase}/${NAMESPACE%-cd}/${NAMESPACE}.git" - fi - repoName="${REPOSITORY##*/}" - rm -rf "${repoName%.git}" || true - git clone -c http.extraHeader="Authorization: Bearer ${authToken}" "${REPOSITORY}" -else - echo 'No secret ods-bitbucket-auth found.' - echo 'Most likely, there is no ODS Pipeline installation yet.' - echo 'Clone the Git repository and run install.sh manually.' - exit 1 -fi - -echo "Installing ..." -repoName="${REPOSITORY##*/}" -cd "${repoName%.git}/deploy" -./install.sh -n "${NAMESPACE}" ${NO_DIFF_FLAG}