From 18d3df5c1dd2b75db216f30699a4fdf1427a5cf6 Mon Sep 17 00:00:00 2001 From: Robert Bohne Date: Fri, 3 Jan 2025 15:20:29 +0100 Subject: [PATCH 01/12] Added first git differ version --- .tekton/pr-differ.yaml | 168 ++++++++++++++++++ README.md | 20 +-- .../cluster-scope/Proxy/cluster.yaml | 9 - .../isar/cluster-scope/Proxy/cluster.yaml | 9 - .../cluster-scope/Proxy/cluster.yaml | 9 - .../cluster-scope/Proxy/kustomization.yaml | 4 - gitops-differ.Containerfile | 8 + helper/differ.sh | 69 +++++++ helper/install-kustomize.sh | 24 +++ 9 files changed, 277 insertions(+), 43 deletions(-) create mode 100644 .tekton/pr-differ.yaml delete mode 100644 configuration/overlays/coe-cluster/cluster-scope/Proxy/cluster.yaml delete mode 100644 configuration/overlays/isar/cluster-scope/Proxy/cluster.yaml delete mode 100644 configuration/overlays/stormshift-ocp5/cluster-scope/Proxy/cluster.yaml delete mode 100644 configuration/overlays/stormshift-ocp5/cluster-scope/Proxy/kustomization.yaml create mode 100644 gitops-differ.Containerfile create mode 100755 helper/differ.sh create mode 100755 helper/install-kustomize.sh diff --git a/.tekton/pr-differ.yaml b/.tekton/pr-differ.yaml new file mode 100644 index 0000000..3d5db47 --- /dev/null +++ b/.tekton/pr-differ.yaml 
@@ -0,0 +1,168 @@ +--- +apiVersion: tekton.dev/v1beta1 +kind: PipelineRun +metadata: + name: check-and-test-deployment + annotations: + # The event we are targeting as seen from the webhook payload + # this can be an array too, i.e: [pull_request, push] + pipelinesascode.tekton.dev/on-event: "[pull_request]" + + # The branch or tag we are targeting (ie: main, refs/tags/*) + pipelinesascode.tekton.dev/on-target-branch: "[main,devel]" + + # Fetch the git-clone task from hub, we are able to reference later on it + # with taskRef and it will automatically be embedded into our pipeline. + pipelinesascode.tekton.dev/task: "git-clone" + + # Use maven task from hub + # pipelinesascode.tekton.dev/task-1: "[pre-commit]" + + # You can add more tasks in here to reuse, browse the one you like from here + # https://hub.tekton.dev/ + # example: + # pipelinesascode.tekton.dev/task-2: "[github-add-labels]" + + # How many runs we want to keep attached to this event + pipelinesascode.tekton.dev/max-keep-runs: "2" +spec: + params: + # The variable with brackets are special to Pipelines as Code + # They will automatically be expanded with the events from Github. 
+ - name: repo_url + value: "{{ repo_url }}" + - name: revision + value: "{{ revision }}" + - name: pull_request_number + value: "{{ pull_request_number }}" + - name: git_auth_secret + value: "{{ git_auth_secret }}" + - name: source_branch + value: "{{source_branch}}" + - name: target_branch + value: "{{target_branch}}" + + podTemplate: + nodeSelector: + kubernetes.io/arch: amd64 + pipelineSpec: + params: + - name: repo_url + - name: revision + - name: pull_request_number + - name: git_auth_secret + workspaces: + - name: source + - name: basic-auth + tasks: + - name: fetch-repository-pr + taskRef: + resolver: cluster + params: + - name: kind + value: task + - name: name + value: git-clone + - name: namespace + value: openshift-pipelines + workspaces: + - name: output + workspace: source + - name: basic-auth + workspace: basic-auth + params: + - name: URL + value: $(params.repo_url) + - name: REVISION + value: $(params.revision) + - name: DEPTH + value: 0 + - name: SUBDIRECTORY + value: pr + + - name: fetch-repository-main + runAfter: + - fetch-repository-pr + taskRef: + resolver: cluster + params: + - name: kind + value: task + - name: name + value: git-clone + - name: namespace + value: openshift-pipelines + workspaces: + - name: output + workspace: source + - name: basic-auth + workspace: basic-auth + params: + - name: URL + value: $(params.repo_url) + - name: REVISION + value: 'main' + - name: DEPTH + value: 0 + - name: SUBDIRECTORY + value: main + + - name: differ + runAfter: + - fetch-repository-main + workspaces: + - name: source + workspace: source + taskSpec: + workspaces: + - name: source + steps: + - name: differ + image: quay.io/stormshift/gitops-differ:202501031515 + imagePullPolicy: Always + workingDir: $(workspaces.source.path) + securityContext: + runAsNonRoot: true + runAsUser: 65532 + env: + - name: WORKSPACE + value: $(workspaces.source.path) + script: | + set -euxo pipefail + + ./helper/differ.sh ${WORKSPACE}/pr ${WORKSPACE}/main + + + # finally: 
+ # - name: notify-linter-on-failure + # workspaces: + # - name: comment-file + # workspace: source + # when: + # - input: $(tasks.pre-commit.status) + # operator: in + # values: ["Failed"] + # params: + # - name: REQUEST_URL + # value: "$(params.repo_url)/pull/$(params.pull_request_number)" + # - name: PAC_GITHUB_SECRET + # value: "$(params.git_auth_secret)" + # - name: COMMENT_OR_FILE + # value: "notify-linter-on-failure.txt" + # taskRef: + # name: github-add-comment + + workspaces: + - name: source + volumeClaimTemplate: + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + # This workspace will inject secret to help the git-clone task to be able to + # checkout the private repositories + # - name: basic-auth + # secret: + # secretName: "{{ git_auth_secret }}" diff --git a/README.md b/README.md index e4ce191..359c3ab 100644 --- a/README.md +++ b/README.md @@ -27,19 +27,15 @@ Rollout via OpenShift GitOps / ArgoCD and Red Hat Advances Cluster Manager. -## Seal secrets +# Build differ image ```bash -kubeseal \ - --controller-name sealed-secret-controller-sealed-secrets \ - --controller-namespace sealed-secrets \ - --fetch-cert +export VERSION=$(date +%Y%m%d%H%M) +export IMAGE="quay.io/stormshift/gitops-differ:${VERSION}" +podman build --platform linux/amd64,linux/arm64 \ + -f gitops-differ.Containerfile \ + --manifest ${IMAGE} . +podman manifest push ${IMAGE} -kubeseal \ - --controller-name sealed-secret-controller-sealed-secrets \ - --controller-namespace sealed-secrets \ - --format yaml \ - < <(oc create secret generic test --from-literal=key1=supersecret --dry-run=client -o yaml) - -``` +``` \ No newline at end of file diff --git a/configuration/overlays/coe-cluster/cluster-scope/Proxy/cluster.yaml b/configuration/overlays/coe-cluster/cluster-scope/Proxy/cluster.yaml deleted file mode 100644 index 4c80196..0000000 --- a/configuration/overlays/coe-cluster/cluster-scope/Proxy/cluster.yaml +++ /dev/null 
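Review bot: The `differ` step pulls `quay.io/stormshift/gitops-differ:202501031515` with `imagePullPolicy: Always`, so whatever is later pushed under that tag is what runs against every pull request; pin the tool image by digest, `image: quay.io/stormshift/gitops-differ@sha256:<DIGEST-PLACEHOLDER>`, so the pipeline's toolchain cannot change underneath it. In both git-clone tasks `- name: DEPTH` / `value: 0` is an unquoted YAML integer while Tekton param values are strings, so it should read `value: "0"` like the other values in those lists. The `pipelinesascode.tekton.dev/task: "git-clone"` annotation appears unused, since both clone tasks resolve `git-clone` through the cluster resolver rather than the hub copy the annotation embeds.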
@@ -1,9 +0,0 @@ -apiVersion: config.openshift.io/v1 -kind: Proxy -metadata: - annotations: - argocd.argoproj.io/sync-options: "ServerSideApply=true,Validate=false" - name: cluster -spec: - trustedCA: - name: user-ca-bundle-v1 \ No newline at end of file diff --git a/configuration/overlays/isar/cluster-scope/Proxy/cluster.yaml b/configuration/overlays/isar/cluster-scope/Proxy/cluster.yaml deleted file mode 100644 index 3b15d35..0000000 --- a/configuration/overlays/isar/cluster-scope/Proxy/cluster.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: config.openshift.io/v1 -kind: Proxy -metadata: - annotations: - argocd.argoproj.io/sync-options: "ServerSideApply=true,Validate=false" - name: cluster -spec: - trustedCA: - name: redhat-current-it-root-cas diff --git a/configuration/overlays/stormshift-ocp5/cluster-scope/Proxy/cluster.yaml b/configuration/overlays/stormshift-ocp5/cluster-scope/Proxy/cluster.yaml deleted file mode 100644 index 3b15d35..0000000 --- a/configuration/overlays/stormshift-ocp5/cluster-scope/Proxy/cluster.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: config.openshift.io/v1 -kind: Proxy -metadata: - annotations: - argocd.argoproj.io/sync-options: "ServerSideApply=true,Validate=false" - name: cluster -spec: - trustedCA: - name: redhat-current-it-root-cas diff --git a/configuration/overlays/stormshift-ocp5/cluster-scope/Proxy/kustomization.yaml b/configuration/overlays/stormshift-ocp5/cluster-scope/Proxy/kustomization.yaml deleted file mode 100644 index a589202..0000000 --- a/configuration/overlays/stormshift-ocp5/cluster-scope/Proxy/kustomization.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: -- cluster.yaml diff --git a/gitops-differ.Containerfile b/gitops-differ.Containerfile new file mode 100644 index 0000000..9d371eb --- /dev/null +++ b/gitops-differ.Containerfile 
@@ -0,0 +1,8 @@ +FROM registry.redhat.io/ubi9/ubi-minimal:latest + +ADD helper/install-kustomize.sh /usr/local/bin/ + +RUN microdnf install -y diffutils tar gzip \ + && install-kustomize.sh + + diff --git a/helper/differ.sh b/helper/differ.sh new file mode 100755 index 0000000..5e87872 --- /dev/null +++ b/helper/differ.sh @@ -0,0 +1,69 @@ +#!/usr/bin/env bash + +# set -euo pipefail +# set -x +PR_FOLDER=$1 +MAIN_FOLDER=$2 + +kustomize_folders=( + "configuration/overlays/isar" + "configuration/overlays/coe-cluster" + "configuration/overlays/stormshift-ocp1" + "configuration/overlays/stormshift-ocp2" + "configuration/overlays/stormshift-ocp3" + "configuration/overlays/stormshift-ocp4" + "configuration/overlays/stormshift-ocp5" + "configuration/overlays/stormshift-ocp6" + "configuration/overlays/stormshift-ocp7" + "configuration/overlays/stormshift-ocp8" + "configuration/overlays/stormshift-rhacm" +) + +declare -a kustomize_folders_with_changes + +echo -e "# Diff overview \n\n" > /tmp/diff-overview.md + +echo -e "|Environment|Amount of diff lines|" >> /tmp/diff-overview.md +echo -e "|---|---|" >> /tmp/diff-overview.md + + +for folder in ${kustomize_folders[@]}; do + + env_name=$(basename $folder) + echo "Let's check $folder" + + kustomize build \ + ${PR_FOLDER}/$folder \ + > /tmp/${env_name}.pr.yaml + + kustomize build \ + ${MAIN_FOLDER}/$folder \ + > /tmp/${env_name}.main.yaml + + diff -Nuar \ + /tmp/${env_name}.main.yaml \ + /tmp/${env_name}.pr.yaml \ + > /tmp/${env_name}.diff + + echo "Created /tmp/${env_name}.diff" + amount_of_diff_lines=$(cat /tmp/${env_name}.diff | wc -l) + if [ "$amount_of_diff_lines" -gt "0" ]; then + kustomize_folders_with_changes+=($folder) + fi + echo -e "|\`$folder\`| $amount_of_diff_lines" >> /tmp/diff-overview.md +done; + + +for folder in ${kustomize_folders_with_changes[@]}; do + env_name=$(basename $folder) + echo "Dump diff $folder ($env_name)"; + echo -e "\n\n" >> /tmp/diff-overview.md + echo "
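Review bot: `FROM registry.redhat.io/ubi9/ubi-minimal:latest` is a floating tag, so two builds of this Containerfile can yield different tool images; pin the base by digest, `FROM registry.redhat.io/ubi9/ubi-minimal@sha256:<DIGEST-PLACEHOLDER>`, or at least a full version tag. `ADD helper/install-kustomize.sh /usr/local/bin/` should be `COPY` — `ADD` adds URL-fetch and archive-extraction semantics that a plain local file does not need. The installer script also stays in the image under `/usr/local/bin` after the `RUN` step; removing it at the end of the same `RUN` keeps it out of the final layer.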
" >> /tmp/diff-overview.md + echo -e "Diff $folder\n\n" >> /tmp/diff-overview.md + echo '```diff' >> /tmp/diff-overview.md + cat /tmp/${env_name}.diff >> /tmp/diff-overview.md + echo '```' >> /tmp/diff-overview.md + echo '
' >> /tmp/diff-overview.md + echo -e "\n\n" >> /tmp/diff-overview.md + +done; diff --git a/helper/install-kustomize.sh b/helper/install-kustomize.sh new file mode 100755 index 0000000..6e70651 --- /dev/null +++ b/helper/install-kustomize.sh @@ -0,0 +1,24 @@ +#!/usr/bin/env bash + +ARCH=$(uname -i) + + +case $ARCH in + + aarch64) + GO_ARCH=arm64 + ;; + + x86_64) + GO_ARCH=amd64 + ;; + *) + exit 99 + ;; +esac + +echo "Download kustomize_v5.5.0_linux_${GO_ARCH}.tar.gz" +curl -# -L -O https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv5.5.0/kustomize_v5.5.0_linux_${GO_ARCH}.tar.gz +tar xzf kustomize_v5.5.0_linux_${GO_ARCH}.tar.gz +mv -v kustomize /usr/local/bin/ +rm -v kustomize_v5.5.0_linux_${GO_ARCH}.tar.gz From 2c36aef55715a5a01e80663a0b6d595b2fc22c8f Mon Sep 17 00:00:00 2001 From: Robert Bohne Date: Fri, 3 Jan 2025 15:21:27 +0100 Subject: [PATCH 02/12] Fix name --- .tekton/pr-differ.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.tekton/pr-differ.yaml b/.tekton/pr-differ.yaml index 3d5db47..a163879 100644 --- a/.tekton/pr-differ.yaml +++ b/.tekton/pr-differ.yaml @@ -2,7 +2,7 @@ apiVersion: tekton.dev/v1beta1 kind: PipelineRun metadata: - name: check-and-test-deployment + name: pr-differ annotations: # The event we are targeting as seen from the webhook payload # this can be an array too, i.e: [pull_request, push] From 411de3b68359fb20f5cc7f27ee1f25bad25a6c5e Mon Sep 17 00:00:00 2001 From: Robert Bohne Date: Fri, 3 Jan 2025 15:22:31 +0100 Subject: [PATCH 03/12] Disable basic auth --- .tekton/pr-differ.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.tekton/pr-differ.yaml b/.tekton/pr-differ.yaml index a163879..1cbe5fb 100644 --- a/.tekton/pr-differ.yaml +++ b/.tekton/pr-differ.yaml @@ -53,7 +53,7 @@ spec: - name: git_auth_secret workspaces: - name: source - - name: basic-auth + # - name: basic-auth tasks: - name: fetch-repository-pr taskRef: 
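Review bot: `set -euo pipefail` is commented out at the top of `helper/differ.sh`, so a failing `kustomize build` (a broken overlay in the PR, for instance) leaves an empty `/tmp/${env_name}.pr.yaml` and the script carries on, reporting the whole rendered manifest as a diff instead of failing the run. Re-enable it, and since `diff` exits 1 whenever the files differ, guard that call so only real errors abort: `diff -Nuar /tmp/${env_name}.main.yaml /tmp/${env_name}.pr.yaml > /tmp/${env_name}.diff || [ $? -eq 1 ]`. The unquoted `${kustomize_folders[@]}` and `$folder` expansions should be `"${kustomize_folders[@]}"` and `"$folder"`, and `$(cat /tmp/${env_name}.diff | wc -l)` can be `$(wc -l < /tmp/${env_name}.diff)`. Note also that everything `kustomize build` renders from the PR tree ends up in `/tmp/diff-overview.md` and, via the later comment task, in the GitHub PR, so it is worth confirming the overlays only contain references (ExternalSecrets, sealed data) and never clear-text secret material.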
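Review bot: `helper/install-kustomize.sh` fetches the tarball with `curl -# -L -O` and unpacks it without any integrity check, and the script has no `set -e`, so a failed or redirected download (an HTML error page, say) still leaves the image build passing as long as the final `rm -v` succeeds. Verify the archive against the checksum file published with the kustomize release before extracting it (confirm the asset name on the release page), use `curl -fsSL` so HTTP errors fail the step, and enable `set -euo pipefail`. `uname -i` returns `unknown` on several distributions, which would land in the `exit 99` branch; `uname -m` is the portable way to get the machine architecture here.
```shell
set -euo pipefail

ARCH=$(uname -m)
# … unchanged: case $ARCH in … esac …

VERSION="v5.5.0"
TARBALL="kustomize_${VERSION}_linux_${GO_ARCH}.tar.gz"
BASE_URL="https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2F${VERSION}"
echo "Download ${TARBALL}"
curl -fsSL -o "${TARBALL}" "${BASE_URL}/${TARBALL}"
curl -fsSL -o checksums.txt "${BASE_URL}/checksums.txt"   # release checksum asset; confirm name
grep " ${TARBALL}\$" checksums.txt | sha256sum -c -
tar xzf "${TARBALL}"
mv -v kustomize /usr/local/bin/
rm -v "${TARBALL}" checksums.txt
```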
@@ -68,8 +68,8 @@ spec: workspaces: - name: output workspace: source - - name: basic-auth - workspace: basic-auth + # - name: basic-auth + # workspace: basic-auth params: - name: URL value: $(params.repo_url) @@ -95,8 +95,8 @@ spec: workspaces: - name: output workspace: source - - name: basic-auth - workspace: basic-auth + # - name: basic-auth + # workspace: basic-auth params: - name: URL value: $(params.repo_url) From 475184548dc7f9b6997976aeb992a55379176c37 Mon Sep 17 00:00:00 2001 From: Robert Bohne Date: Fri, 3 Jan 2025 15:25:28 +0100 Subject: [PATCH 04/12] Remove basic auth not needed --- .tekton/pr-differ.yaml | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/.tekton/pr-differ.yaml b/.tekton/pr-differ.yaml index 1cbe5fb..5782f7f 100644 --- a/.tekton/pr-differ.yaml +++ b/.tekton/pr-differ.yaml @@ -53,7 +53,6 @@ spec: - name: git_auth_secret workspaces: - name: source - # - name: basic-auth tasks: - name: fetch-repository-pr taskRef: @@ -68,8 +67,6 @@ spec: workspaces: - name: output workspace: source - # - name: basic-auth - # workspace: basic-auth params: - name: URL value: $(params.repo_url) @@ -95,8 +92,6 @@ spec: workspaces: - name: output workspace: source - # - name: basic-auth - # workspace: basic-auth params: - name: URL value: $(params.repo_url) @@ -163,6 +158,4 @@ spec: storage: 1Gi # This workspace will inject secret to help the git-clone task to be able to # checkout the private repositories - # - name: basic-auth - # secret: - # secretName: "{{ git_auth_secret }}" + From 2e1d5a9be01cb81b501ea2df95bbc1e1a5620af4 Mon Sep 17 00:00:00 2001 From: Robert Bohne Date: Fri, 3 Jan 2025 15:59:53 +0100 Subject: [PATCH 05/12] Update differ --- .tekton/pr-differ.yaml | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/.tekton/pr-differ.yaml b/.tekton/pr-differ.yaml index 5782f7f..9331eaa 100644 --- a/.tekton/pr-differ.yaml +++ b/.tekton/pr-differ.yaml 
@@ -125,9 +125,25 @@ spec: script: | set -euxo pipefail - ./helper/differ.sh ${WORKSPACE}/pr ${WORKSPACE}/main + ${WORKSPACE}/pr/helper/differ.sh ${WORKSPACE}/pr ${WORKSPACE}/main + cp -v /tmp/diff-overview.md ${WORKSPACE}/diff-overview.md + - name: notify-deployment + runAfter: + - differ + workspaces: + - name: comment-file + workspace: source + params: + - name: REQUEST_URL + value: "$(params.repo_url)/pull/$(params.pull_request_number)" + - name: PAC_GITHUB_SECRET + value: "$(params.git_auth_secret)" + - name: COMMENT_OR_FILE + value: "diff-overview.md" + taskRef: + name: github-add-comment # finally: # - name: notify-linter-on-failure # workspaces: From a8ceb95f6b633c7fae03e43acf18c7ae23851d84 Mon Sep 17 00:00:00 2001 From: Robert Bohne Date: Fri, 3 Jan 2025 16:01:38 +0100 Subject: [PATCH 06/12] Move trustbundle configuration to base instead for each cluster --- configuration/base/cluster-scope/Proxy/cluster.yaml | 9 +++++++++ .../base/cluster-scope/Proxy/kustomization.yaml | 4 ++++ configuration/base/cluster-scope/kustomization.yaml | 4 ++++ configuration/base/kustomization.yaml | 1 + configuration/overlays/coe-cluster/kustomization.yaml | 1 - .../overlays/isar/cluster-scope/kustomization.yaml | 1 - .../stormshift-ocp5/cluster-scope/kustomization.yaml | 1 - 7 files changed, 18 insertions(+), 3 deletions(-) create mode 100644 configuration/base/cluster-scope/Proxy/cluster.yaml create mode 100644 configuration/base/cluster-scope/Proxy/kustomization.yaml create mode 100644 configuration/base/cluster-scope/kustomization.yaml diff --git a/configuration/base/cluster-scope/Proxy/cluster.yaml b/configuration/base/cluster-scope/Proxy/cluster.yaml new file mode 100644 index 0000000..3b15d35 --- /dev/null +++ b/configuration/base/cluster-scope/Proxy/cluster.yaml 
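Review bot: `${WORKSPACE}/pr/helper/differ.sh` runs the script from the pull-request checkout, so on a `pull_request` event the code executing in this pod is whatever the PR branch contains, and the same PipelineRun then uses `git_auth_secret` in `notify-deployment` to post back to GitHub. Run the trusted copy against the PR tree instead, `${WORKSPACE}/main/helper/differ.sh ${WORKSPACE}/pr ${WORKSPACE}/main`, and treat `pr/` as data only. Pipelines-as-Code's ok-to-test gating for outside contributors, if enabled, limits who can trigger the run, but it does not review the script the approver is about to execute. The `differ` task's `taskSpec` starts before this hunk.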
@@ -0,0 +1,9 @@ +apiVersion: config.openshift.io/v1 +kind: Proxy +metadata: + annotations: + argocd.argoproj.io/sync-options: "ServerSideApply=true,Validate=false" + name: cluster +spec: + trustedCA: + name: redhat-current-it-root-cas diff --git a/configuration/base/cluster-scope/Proxy/kustomization.yaml b/configuration/base/cluster-scope/Proxy/kustomization.yaml new file mode 100644 index 0000000..a589202 --- /dev/null +++ b/configuration/base/cluster-scope/Proxy/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- cluster.yaml diff --git a/configuration/base/cluster-scope/kustomization.yaml b/configuration/base/cluster-scope/kustomization.yaml new file mode 100644 index 0000000..6f746f2 --- /dev/null +++ b/configuration/base/cluster-scope/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- Proxy/ diff --git a/configuration/base/kustomization.yaml b/configuration/base/kustomization.yaml index 3d2393a..fb8aeb8 100644 --- a/configuration/base/kustomization.yaml +++ b/configuration/base/kustomization.yaml @@ -4,3 +4,4 @@ kind: Kustomization resources: - namespace/openshift-config/ + - cluster-scope/ diff --git a/configuration/overlays/coe-cluster/kustomization.yaml b/configuration/overlays/coe-cluster/kustomization.yaml index 2767c38..fac6ee7 100644 --- a/configuration/overlays/coe-cluster/kustomization.yaml +++ b/configuration/overlays/coe-cluster/kustomization.yaml 
@@ -12,7 +12,6 @@ resources: # subject=C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.", OU = Red Hat IT, CN = Red Hat IT Root CA, emailAddress = infosec@redhat.com # issuer=C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.", OU = Red Hat IT, CN = Red Hat IT Root CA, emailAddress = infosec@redhat.com - namespace/openshift-config/ConfigMap/user-ca-bundle-v1.yaml - - cluster-scope/Proxy/cluster.yaml - namespace/openshift-config/ExternalSecret/ocp-coe-cert.yaml - cluster-scope/APIServer/cluster.yaml diff --git a/configuration/overlays/isar/cluster-scope/kustomization.yaml b/configuration/overlays/isar/cluster-scope/kustomization.yaml index ca9fffd..58898a7 100644 --- a/configuration/overlays/isar/cluster-scope/kustomization.yaml +++ b/configuration/overlays/isar/cluster-scope/kustomization.yaml @@ -2,7 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - Proxy/cluster.yaml - Console/cluster.yaml - ConsoleNotification/ - OAuth/cluster.yaml diff --git a/configuration/overlays/stormshift-ocp5/cluster-scope/kustomization.yaml b/configuration/overlays/stormshift-ocp5/cluster-scope/kustomization.yaml index 3a54f2b..1eeb2e0 100644 --- a/configuration/overlays/stormshift-ocp5/cluster-scope/kustomization.yaml +++ b/configuration/overlays/stormshift-ocp5/cluster-scope/kustomization.yaml @@ -2,4 +2,3 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - MachineConfig/ -- Proxy/ From 08d24e2caf76bbc31d78e6fba437f1fc01e50eb4 Mon Sep 17 00:00:00 2001 From: Robert Bohne Date: Fri, 3 Jan 2025 16:03:27 +0100 Subject: [PATCH 07/12] Add missing task --- .tekton/pr-differ.yaml | 1 + .tekton/task/github-add-comment.yaml | 200 +++++++++++++++++++++++++++ 2 files changed, 201 insertions(+) create mode 100644 .tekton/task/github-add-comment.yaml diff --git a/.tekton/pr-differ.yaml b/.tekton/pr-differ.yaml index 9331eaa..8aa8c68 100644 --- a/.tekton/pr-differ.yaml +++ b/.tekton/pr-differ.yaml 
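Review bot: Dropping `cluster-scope/Proxy/cluster.yaml` from the coe-cluster overlay changes which ConfigMap that cluster's Proxy trusts: the deleted overlay file set `trustedCA.name: user-ca-bundle-v1`, whereas the new `configuration/base/cluster-scope/Proxy/cluster.yaml` sets `redhat-current-it-root-cas` for every cluster that includes the base. This overlay still lists `namespace/openshift-config/ConfigMap/user-ca-bundle-v1.yaml`, so unless a `redhat-current-it-root-cas` ConfigMap also exists in `openshift-config` on coe-cluster, the Proxy will reference a missing bundle and the cluster-wide trust store will not be updated as intended. Worth confirming on that cluster before merge, or keeping a per-cluster patch for its `trustedCA` name. The `resources:` list continues outside the hunk.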
@@ -22,6 +22,7 @@ metadata: # https://hub.tekton.dev/ # example: # pipelinesascode.tekton.dev/task-2: "[github-add-labels]" + pipelinesascode.tekton.dev/task-1: "[.tekton/task/github-add-comment.yaml]" # How many runs we want to keep attached to this event pipelinesascode.tekton.dev/max-keep-runs: "2" diff --git a/.tekton/task/github-add-comment.yaml b/.tekton/task/github-add-comment.yaml new file mode 100644 index 0000000..8330f43 --- /dev/null +++ b/.tekton/task/github-add-comment.yaml 
@@ -0,0 +1,200 @@ +--- +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: github-add-comment + labels: + app.kubernetes.io/version: "0.7" + annotations: + tekton.dev/categories: Git + tekton.dev/pipelines.minVersion: "0.17.0" + tekton.dev/tags: github + tekton.dev/displayName: "add github comment" + tekton.dev/platforms: "linux/amd64,linux/s390x,linux/ppc64le" +spec: + description: >- + This Task will add a comment to a pull request or an issue. + + It can take either a filename or a comment as input and can + post the comment back to GitHub accordingly. + + workspaces: + - name: comment-file + optional: true + description: The optional workspace containing comment file to be posted. + + results: + - name: OLD_COMMENT + description: The old text of the comment, if any. + + - name: NEW_COMMENT + description: The new text of the comment, if any. + + params: + - name: GITHUB_HOST_URL + description: | + The GitHub host, adjust this if you run a GitHub enteprise. + default: "api.github.com" + type: string + + - name: API_PATH_PREFIX + description: | + The API path prefix, GitHub Enterprise has a prefix e.g. /api/v3 + default: "" + type: string + + - name: REQUEST_URL + description: | + The GitHub issue or pull request URL where we want to add a new + comment. + type: string + + - name: COMMENT_OR_FILE + description: | + The actual comment to add or the filename containing comment to post. + type: string + + - name: PAC_GITHUB_SECRET + description: | + The name of the Kubernetes Secret that contains the GitHub token. + type: string + + - name: PAC_GITHUB_SECRET_KEY + description: | + The key within the Kubernetes Secret that contains the GitHub token. + type: string + default: .git-credentials + + - name: AUTH_TYPE + description: | + The type of authentication to use. You could use the less secure "Basic" for example + type: string + default: Bearer + + - name: COMMENT_TAG + description: | + An invisible tag to be added into the comment. 
The tag is made + invisible by embedding in an an HTML comment. The tag allows for later + retrieval of the comment, and it allows replacing an existing comment. + type: string + default: "" + + - name: REPLACE + description: | + When a tag is specified, and `REPLACE` is `true`, look for a comment + with a matching tag and replace it with the new comment. + type: string + default: "false" # Alternative value: "true" + + steps: + - name: post-comment + workingDir: $(workspaces.comment-file.path) + env: + - name: GIT_CREDENTIALS + valueFrom: + secretKeyRef: + name: $(params.PAC_GITHUB_SECRET) + key: $(params.PAC_GITHUB_SECRET_KEY) + + image: registry.access.redhat.com/ubi8/ubi-minimal:8.2 + script: | + #!/usr/libexec/platform-python + import json + import os + import http.client + import sys + import urllib.parse + + bearer = urllib.parse.urlparse(os.environ["GIT_CREDENTIALS"]) + + authHeader = "$(params.AUTH_TYPE) " + bearer.password + + split_url = urllib.parse.urlparse( + "$(params.REQUEST_URL)").path.split("/") + + # This will convert https://github.com/foo/bar/pull/202 to + # api url path /repos/foo/issues/ + api_url = "{base}/repos/{package}/issues/{id}".format( + base="$(params.API_PATH_PREFIX)", package="/".join(split_url[1:3]), id=split_url[-1]) + + # Only support FILE on my case + commentParamValue = """$(params.COMMENT_OR_FILE)""" + + # check if workspace is bound and parameter passed is a filename or not + if "$(workspaces.comment-file.bound)" == "true" and os.path.exists(commentParamValue): + commentParamValue = open(commentParamValue, "r").read() + + else: + commentParamValue = """ 😱 An unexpected error has occurred, please check log files.""" + + # If a tag was specified, append it to the comment + if "$(params.COMMENT_TAG)": + commentParamValue += "".format(tag="$(params.COMMENT_TAG)") + + data = { + "body": commentParamValue, + } + + # This is for our fake github server + if "$(params.GITHUB_HOST_URL)".startswith("http://"): + conn = 
http.client.HTTPConnection("$(params.GITHUB_HOST_URL)".replace("http://", "")) + else: + conn = http.client.HTTPSConnection("$(params.GITHUB_HOST_URL)") + + # If REPLACE is true, we need to search for comments first + matching_comment = "" + if "$(params.REPLACE)" == "true": + if not "$(params.COMMENT_TAG)": + print("REPLACE requested but no COMMENT_TAG specified") + sys.exit(1) + r = conn.request( + "GET", + api_url + "/comments", + headers={ + "User-Agent": "TektonCD, the peaceful cat", + "Authorization": authHeader, + }) + + resp = conn.getresponse() + if not str(resp.status).startswith("2"): + print("Error: %d" % (resp.status)) + print(resp.read()) + sys.exit(1) + print(resp.status) + + comments = json.loads(resp.read()) + print(comments) + # If more than one comment is found take the last one + matching_comment = [x for x in comments if '$(params.COMMENT_TAG)' in x['body']][-1:] + if matching_comment: + with open("$(results.OLD_COMMENT.path)", "w") as result_old: + result_old.write(str(matching_comment[0])) + matching_comment = matching_comment[0]['url'] + + if matching_comment: + method = "PATCH" + target_url = urllib.parse.urlparse(matching_comment).path + else: + method = "POST" + target_url = api_url + "/comments" + + print("Sending this data to GitHub with {}: ".format(method)) + print(data) + r = conn.request( + method, + target_url, + body=json.dumps(data), + headers={ + "User-Agent": "TektonCD, the peaceful cat", + "Authorization": authHeader, + }) + resp = conn.getresponse() + if not str(resp.status).startswith("2"): + print("Error: %d" % (resp.status)) + print(resp.read()) + sys.exit(1) + else: + with open("$(results.NEW_COMMENT.path)", "wb") as result_new: + result_new.write(resp.read()) + print("a GitHub comment has been {} to $(params.REQUEST_URL)".format( + "updated" if matching_comment else "added")) From 863e43ac6d657a2a5e0aa4c636046cb12c54d68c Mon Sep 17 00:00:00 2001 
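Review bot: The script interpolates Tekton params straight into Python source — `"$(params.REQUEST_URL)"`, `"""$(params.COMMENT_OR_FILE)"""`, `'$(params.COMMENT_TAG)'` — so a param value containing a quote or newline changes the program rather than the data; the safer pattern, which the task already uses for `GIT_CREDENTIALS`, is to pass such values through `env:` and read them with `os.environ`. Here the values come from PAC event fields, so the immediate exposure is limited, but the pattern is fragile for a task that accepts a tag and a file path. `print(comments)` also writes every existing comment on the PR into the task log, and `open(commentParamValue, "r").read()` never closes the file; `with open(commentParamValue) as f: commentParamValue = f.read()` fixes the latter. `registry.access.redhat.com/ubi8/ubi-minimal:8.2` is a 2020-era tag; refreshing it to a current ubi8-minimal tag (after confirming `/usr/libexec/platform-python` is still present) would pick up several years of fixes.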
From: Robert Bohne Date: Fri, 3 Jan 2025 16:09:38 +0100 Subject: [PATCH 08/12] Remove clusters there are not gitops managed --- helper/differ.sh | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/helper/differ.sh b/helper/differ.sh index 5e87872..df905dd 100755 --- a/helper/differ.sh +++ b/helper/differ.sh @@ -7,16 +7,16 @@ MAIN_FOLDER=$2 kustomize_folders=( "configuration/overlays/isar" - "configuration/overlays/coe-cluster" +# "configuration/overlays/coe-cluster" "configuration/overlays/stormshift-ocp1" - "configuration/overlays/stormshift-ocp2" - "configuration/overlays/stormshift-ocp3" +# "configuration/overlays/stormshift-ocp2" +# "configuration/overlays/stormshift-ocp3" "configuration/overlays/stormshift-ocp4" "configuration/overlays/stormshift-ocp5" - "configuration/overlays/stormshift-ocp6" - "configuration/overlays/stormshift-ocp7" - "configuration/overlays/stormshift-ocp8" - "configuration/overlays/stormshift-rhacm" +# "configuration/overlays/stormshift-ocp6" +# "configuration/overlays/stormshift-ocp7" +# "configuration/overlays/stormshift-ocp8" +# "configuration/overlays/stormshift-rhacm" ) declare -a kustomize_folders_with_changes From a1a66f540a40ac2f6f5a910cf268863e1e0a30a3 Mon Sep 17 00:00:00 2001 From: Robert Bohne Date: Fri, 3 Jan 2025 16:09:52 +0100 Subject: [PATCH 09/12] Try to pull in parallel --- .tekton/pr-differ.yaml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.tekton/pr-differ.yaml b/.tekton/pr-differ.yaml index 8aa8c68..ccc9441 100644 --- a/.tekton/pr-differ.yaml +++ b/.tekton/pr-differ.yaml @@ -79,8 +79,6 @@ spec: value: pr - name: fetch-repository-main - runAfter: - - fetch-repository-pr taskRef: resolver: cluster params: @@ -106,6 +104,7 @@ spec: - name: differ runAfter: - fetch-repository-main + - fetch-repository-pr workspaces: - name: source workspace: source 
@@ -169,7 +168,7 @@ spec: volumeClaimTemplate: spec: accessModes: - - ReadWriteOnce + - ReadWriteMany resources: requests: storage: 1Gi From 49aff99c1889db12ecaffb85d1d5a640e6b6387f Mon Sep 17 00:00:00 2001 From: Robert Bohne Date: Fri, 3 Jan 2025 16:16:07 +0100 Subject: [PATCH 10/12] Do not print body anymore --- .tekton/task/github-add-comment.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.tekton/task/github-add-comment.yaml b/.tekton/task/github-add-comment.yaml index 8330f43..83e5f2b 100644 --- a/.tekton/task/github-add-comment.yaml +++ b/.tekton/task/github-add-comment.yaml @@ -178,8 +178,9 @@ spec: method = "POST" target_url = api_url + "/comments" - print("Sending this data to GitHub with {}: ".format(method)) - print(data) + print("Sending data to GitHub with {} ".format(method)) + # Don't print anymore... + # print(data) r = conn.request( method, target_url, From e43f4c96d36191d15a0c01fea08a4314ca03d5f1 Mon Sep 17 00:00:00 2001 From: Robert Bohne Date: Fri, 3 Jan 2025 16:19:12 +0100 Subject: [PATCH 11/12] Disable results --- .tekton/task/github-add-comment.yaml | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/.tekton/task/github-add-comment.yaml b/.tekton/task/github-add-comment.yaml index 83e5f2b..2e67183 100644 --- a/.tekton/task/github-add-comment.yaml +++ b/.tekton/task/github-add-comment.yaml @@ -23,13 +23,6 @@ spec: optional: true description: The optional workspace containing comment file to be posted. - results: - - name: OLD_COMMENT - description: The old text of the comment, if any. - - - name: NEW_COMMENT - description: The new text of the comment, if any. - params: - name: GITHUB_HOST_URL description: | 
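Review bot: Switching the workspace claim to `ReadWriteMany` so the two clones can run in parallel only works if the cluster's default StorageClass provisions RWX volumes; the `volumeClaimTemplate` names no `storageClassName`, so on an RWO-only default the claim stays Pending and the run never starts. Either set `storageClassName` to an RWX-capable class explicitly, or keep `ReadWriteOnce` — Tekton's affinity assistant is designed to co-schedule TaskRuns that share a PVC workspace onto one node precisely so they can run concurrently on RWO storage. The `workspaces:` stanza of the PipelineRun starts before this hunk.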
@@ -167,8 +160,6 @@ spec: # If more than one comment is found take the last one matching_comment = [x for x in comments if '$(params.COMMENT_TAG)' in x['body']][-1:] if matching_comment: - with open("$(results.OLD_COMMENT.path)", "w") as result_old: - result_old.write(str(matching_comment[0])) matching_comment = matching_comment[0]['url'] if matching_comment: @@ -195,7 +186,5 @@ spec: print(resp.read()) sys.exit(1) else: - with open("$(results.NEW_COMMENT.path)", "wb") as result_new: - result_new.write(resp.read()) print("a GitHub comment has been {} to $(params.REQUEST_URL)".format( "updated" if matching_comment else "added")) From fa8164701060ba5e534c8a2e127e8bf15f3fa995 Mon Sep 17 00:00:00 2001 From: Robert Bohne Date: Fri, 3 Jan 2025 16:27:54 +0100 Subject: [PATCH 12/12] Rollout cert Part of * https://github.com/stormshift/support/issues/227 --- .../stormshift-ocp4/kustomization.yaml | 1 + .../namespace/kustomization.yaml | 5 ++++ .../IngressController/default.yaml | 10 ++++++++ .../kustomization.yaml | 5 ++++ .../ExternalSecret/ocp-coe-cert.yaml | 24 +++++++++++++++++++ .../openshift-ingress/kustomization.yaml | 7 ++++++ 6 files changed, 52 insertions(+) create mode 100644 configuration/overlays/stormshift-ocp4/namespace/kustomization.yaml create mode 100644 configuration/overlays/stormshift-ocp4/namespace/openshift-ingress-operator/IngressController/default.yaml create mode 100644 configuration/overlays/stormshift-ocp4/namespace/openshift-ingress-operator/kustomization.yaml create mode 100644 configuration/overlays/stormshift-ocp4/namespace/openshift-ingress/ExternalSecret/ocp-coe-cert.yaml create mode 100644 configuration/overlays/stormshift-ocp4/namespace/openshift-ingress/kustomization.yaml diff --git a/configuration/overlays/stormshift-ocp4/kustomization.yaml b/configuration/overlays/stormshift-ocp4/kustomization.yaml index ae5a161..8a1a2ea 100644 --- a/configuration/overlays/stormshift-ocp4/kustomization.yaml 
+++ b/configuration/overlays/stormshift-ocp4/kustomization.yaml @@ -5,6 +5,7 @@ kind: Kustomization resources: - ../common/ - cluster-scope/ + - namespace/ - ../../../apps/astra-trident/overlays/stormshift-ocp4/ # Custom logo diff --git a/configuration/overlays/stormshift-ocp4/namespace/kustomization.yaml b/configuration/overlays/stormshift-ocp4/namespace/kustomization.yaml new file mode 100644 index 0000000..c16f0a3 --- /dev/null +++ b/configuration/overlays/stormshift-ocp4/namespace/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - openshift-ingress/ + - openshift-ingress-operator/ diff --git a/configuration/overlays/stormshift-ocp4/namespace/openshift-ingress-operator/IngressController/default.yaml b/configuration/overlays/stormshift-ocp4/namespace/openshift-ingress-operator/IngressController/default.yaml new file mode 100644 index 0000000..c21c732 --- /dev/null +++ b/configuration/overlays/stormshift-ocp4/namespace/openshift-ingress-operator/IngressController/default.yaml @@ -0,0 +1,10 @@ +apiVersion: operator.openshift.io/v1 +kind: IngressController +metadata: + name: default + namespace: openshift-ingress-operator + annotations: + argocd.argoproj.io/sync-options: "ServerSideApply=true,Validate=false" +spec: + defaultCertificate: + name: ocp-coe-cert diff --git a/configuration/overlays/stormshift-ocp4/namespace/openshift-ingress-operator/kustomization.yaml b/configuration/overlays/stormshift-ocp4/namespace/openshift-ingress-operator/kustomization.yaml new file mode 100644 index 0000000..335a0eb --- /dev/null +++ b/configuration/overlays/stormshift-ocp4/namespace/openshift-ingress-operator/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - IngressController/default.yaml 
diff --git a/configuration/overlays/stormshift-ocp4/namespace/openshift-ingress/ExternalSecret/ocp-coe-cert.yaml b/configuration/overlays/stormshift-ocp4/namespace/openshift-ingress/ExternalSecret/ocp-coe-cert.yaml new file mode 100644 index 0000000..10f7f23 --- /dev/null +++ b/configuration/overlays/stormshift-ocp4/namespace/openshift-ingress/ExternalSecret/ocp-coe-cert.yaml @@ -0,0 +1,24 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: ocp-coe-cert +spec: + data: + - remoteRef: + key: coe-lab/certificate/api.ocp4.stormshift.coe.muc.redhat.com + property: cert_and_intermediate_pem + secretKey: tls.crt + - remoteRef: + key: coe-lab/certificate/api.ocp4.stormshift.coe.muc.redhat.com + property: key + secretKey: tls.key + refreshInterval: 12h + secretStoreRef: + kind: ClusterSecretStore + name: redhat-vault + target: + creationPolicy: Owner + deletionPolicy: Retain + name: ocp-coe-cert + template: + type: kubernetes.io/tls diff --git a/configuration/overlays/stormshift-ocp4/namespace/openshift-ingress/kustomization.yaml b/configuration/overlays/stormshift-ocp4/namespace/openshift-ingress/kustomization.yaml new file mode 100644 index 0000000..dd7c805 --- /dev/null +++ b/configuration/overlays/stormshift-ocp4/namespace/openshift-ingress/kustomization.yaml @@ -0,0 +1,7 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +namespace: openshift-ingress + +resources: +- ExternalSecret/ocp-coe-cert.yaml
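Review bot: The `ExternalSecret` pulls `tls.crt` and `tls.key` from `coe-lab/certificate/api.ocp4.stormshift.coe.muc.redhat.com`, a certificate keyed by the API hostname, while `IngressController/default.yaml` in this commit makes it the router's default certificate, which is presented for routes under the apps wildcard domain. Unless that certificate's SANs also cover the apps wildcard, every route without its own certificate will serve a name-mismatched certificate after sync; worth confirming the SANs (or pointing at the wildcard entry in the vault) before merge. `creationPolicy: Owner` with `deletionPolicy: Retain` is a sensible pairing here, since the router keeps its current secret if the ExternalSecret is ever removed.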