From fc9354766731499fefbe5faa8e466b5c8f4eed70 Mon Sep 17 00:00:00 2001 From: Kjeld Schouten-Lebbing Date: Sat, 5 Nov 2022 18:44:29 +0100 Subject: [PATCH] feat(common): add manifest updater and versioning logic (#277) * feat(common): add manifest updater and versioning logic * fix typo * typo2 * force int * install metallb * alles to disable manifest loading * skip manifest loading for unittests * move metallb version to values.yaml * give it all-access * more verbosity * no message * hmmm * remerge some stuff * caps --- charts/common/Chart.yaml | 3 +- .../templates/lib/util/_manifest-updater.tpl | 115 ++++++++++++++++++ charts/common/templates/loader/_apply.tpl | 2 + charts/common/templates/loader/_lists.tpl | 3 - charts/common/values.yaml | 6 + .../common-test/ci/manifest-values.yaml | 84 +++++++++++++ helper-charts/common-test/values.yaml | 3 + 7 files changed, 212 insertions(+), 4 deletions(-) create mode 100644 charts/common/templates/lib/util/_manifest-updater.tpl create mode 100644 helper-charts/common-test/ci/manifest-values.yaml diff --git a/charts/common/Chart.yaml b/charts/common/Chart.yaml index 1d47e7d5..e6ee750a 100644 --- a/charts/common/Chart.yaml +++ b/charts/common/Chart.yaml @@ -15,4 +15,5 @@ maintainers: name: common sources: null type: library -version: 10.7.20 +version: 10.8.0 + diff --git a/charts/common/templates/lib/util/_manifest-updater.tpl b/charts/common/templates/lib/util/_manifest-updater.tpl new file mode 100644 index 00000000..56f7e396 --- /dev/null +++ b/charts/common/templates/lib/util/_manifest-updater.tpl 
@@ -0,0 +1,115 @@ +{{- define "tc.common.lib.util.manifest.update" -}} +{{- if .Values.manifests.enabled }} +{{- $fullName := include "tc.common.names.fullname" . -}} + +{{- $manifestprevious := lookup "v1" "ConfigMap" "tc-system" "manifestversion" }} +{{- $manifestVersionOld := 0 }} +{{- $manifestversion := .Values.manifests.version }} +{{- if $manifestprevious }} + {{- $manifestVersionOld = ( index $manifestprevious.data "manifestversion" )}} +{{- end }} +{{- if gt ( int $manifestversion ) ( int $manifestVersionOld ) }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: {{ .Release.Namespace }} + name: {{ $fullName }}-manifests + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-7" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +data: + tcman.yaml: |- + apiVersion: v1 + kind: Namespace + metadata: + name: tc-system + --- + apiVersion: v1 + kind: ConfigMap + metadata: + namespace: tc-system + name: manifestversion + data: + manifestversion: "{{ .Values.manifests.version }}" + metalLBVersion: "{{ .Values.manifests.metalLBVersion }}" +--- +apiVersion: batch/v1 +kind: Job +metadata: + namespace: {{ .Release.Namespace }} + name: {{ $fullName }}-manifests + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-6" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + spec: + serviceAccountName: {{ $fullName }}-manifests + containers: + - name: {{ $fullName }}-manifests + image: {{ .Values.ubuntuImage.repository }}:{{ .Values.ubuntuImage.tag }} + volumeMounts: + - name: {{ $fullName }}-manifests + mountPath: /etc/manifests + readOnly: true + command: + - "/bin/sh" + - "-c" + - | + /bin/bash <<'EOF' + echo "installing metallb backend..." + kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v{{ .Values.manifests.metalLBVersion}}/config/manifests/metallb-native.yaml + echo "installing other manifests..." 
+ kubectl apply -f /etc/manifests + EOF + volumes: + - name: {{ $fullName }}-manifests + configMap: + name: {{ $fullName }}-manifests + restartPolicy: Never +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ $fullName }}-manifests + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-7" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +rules: + - apiGroups: ["*"] + resources: ["*"] + verbs: ["*"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ $fullName }}-manifests + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-7" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ $fullName }}-manifests +subjects: + - kind: ServiceAccount + name: {{ $fullName }}-manifests + namespace: {{ .Release.Namespace }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ $fullName }}-manifests + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-7" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +{{- end }} +{{- end }} +{{- end -}} diff --git a/charts/common/templates/loader/_apply.tpl b/charts/common/templates/loader/_apply.tpl index e0f7b8c4..519f9a82 100644 --- a/charts/common/templates/loader/_apply.tpl +++ b/charts/common/templates/loader/_apply.tpl @@ -61,4 +61,6 @@ Secondary entrypoint and primary loader for the common chart {{ include "tc.common.spawner.networkpolicy" . | nindent 0 }} {{ include "tc.common.lib.util.crd.update" . | nindent 0 }} + + {{ include "tc.common.lib.util.manifest.update" . | nindent 0 }} {{- end -}} diff --git a/charts/common/templates/loader/_lists.tpl b/charts/common/templates/loader/_lists.tpl index 810e88ef..2cd8d794 100644 --- a/charts/common/templates/loader/_lists.tpl 
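Review bot: The `ClusterRole` in `_manifest-updater.tpl` grants `apiGroups: ["*"]`, `resources: ["*"]`, `verbs: ["*"]` and is bound to a ServiceAccount in the release namespace, so each release that renders this template creates a cluster-admin-equivalent identity for the hook. The Job then uses it to `kubectl apply` a manifest downloaded from raw.githubusercontent.com at install time with no checksum check, so whatever that URL serves is applied with those rights; shipping the MetalLB manifest inside the ConfigMap, or verifying a pinned hash before applying, would remove that dependency. The script also has no error handling: if the MetalLB apply fails, the heredoc still applies `/etc/manifests`, which writes the new `manifestversion`, and the `gt` check would then skip the install on later upgrades. Adding `set -euo pipefail` as the first line inside the heredoc makes the Job fail instead, and a comment above `rules:` such as `# wildcard access: the Job applies upstream MetalLB manifests; removed by hook-delete-policy on success` would record why the access is this broad.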
+++ b/charts/common/templates/loader/_lists.tpl @@ -1,7 +1,6 @@ {{/* load all list to dict injectors */}} {{- define "tc.common.loader.lists" -}} - {{ include "tc.common.lib.values.controller.label.list" . }} {{ include "tc.common.lib.values.controller.annotations.list" . }} @@ -19,6 +18,4 @@ {{ include "tc.common.lib.values.ingress.label.list" . }} {{ include "tc.common.lib.values.ingress.annotations.list" . }} - - {{- end -}} diff --git a/charts/common/values.yaml b/charts/common/values.yaml index ac22385e..10313e34 100644 --- a/charts/common/values.yaml +++ b/charts/common/values.yaml @@ -66,6 +66,12 @@ ubuntuImage: # -- Specify the redis image pull policy pullPolicy: IfNotPresent +# -- Used to inject our own operator manifests into SCALE +manifests: + enabled: true + version: 1 + metalLBVersion: "0.13.7" + global: # -- Set an override for the prefix of the fullname nameOverride: diff --git a/helper-charts/common-test/ci/manifest-values.yaml b/helper-charts/common-test/ci/manifest-values.yaml new file mode 100644 index 00000000..263bd5f4 --- /dev/null +++ b/helper-charts/common-test/ci/manifest-values.yaml 
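Review bot: `manifests.enabled` defaults to `true` in charts/common/values.yaml, so every chart built on this library runs the manifest Job unless it opts out, as helper-charts/common-test/values.yaml does in this commit. Given what the Job is allowed to do, consider `enabled: false` here and turning it on only in the charts meant to install the operators. The new keys also lack the `# --` doc comments the rest of the file uses, for example `# -- Manifest revision; the Job runs only when this is greater than the value stored in tc-system/manifestversion` above `version: 1`.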
@@ -0,0 +1,84 @@ +image: + repository: ghcr.io/truecharts/whoami + pullPolicy: IfNotPresent + tag: 1.8.7@sha256:8c61f0ca92fd806fcb4ed1465cb793c05443f37951554b105b0f2dc686a95772 + +service: + main: + ports: + main: + port: 8080 + +args: + - --port + - '8080' + +manifests: + enabled: true + +ingress: + main: + enabled: true + +probes: + liveness: + enabled: true + readiness: + enabled: true + startup: + enabled: true + + +"ixCertificateAuthorities": {} +"ixCertificates": + "1": + "CA_type_existing": false + "CA_type_intermediate": false + "CA_type_internal": false + "CSR": "" + "DN": "/C=US/O=iXsystems/CN=localhost/emailAddress=info@ixsystems.com/ST=Tennessee/L=Maryville/subjectAltName=DNS:localhost" + "cert_type": "CERTIFICATE" + "cert_type_CSR": false + "cert_type_existing": true + "cert_type_internal": false + "certificate": "-----BEGIN CERTIFICATE-----\nMIIDqjCCApKgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgDELMAkGA1UEBhMCVVMx\nEjAQBgNVBAoMCWlYc3lzdGVtczESMBAGA1UEAwwJbG9jYWxob3N0MSEwHwYJKoZI\nhvcNAQkBFhJpbmZvQGl4c3lzdGVtcy5jb20xEjAQBgNVBAgMCVRlbm5lc3NlZTES\nMBAGA1UEBwwJTWFyeXZpbGxlMB4XDTIwMDkyNTE0MDUzOFoXDTIyMTIyOTE0MDUz\nOFowgYAxCzAJBgNVBAYTAlVTMRIwEAYDVQQKDAlpWHN5c3RlbXMxEjAQBgNVBAMM\nCWxvY2FsaG9zdDEhMB8GCSqGSIb3DQEJARYSaW5mb0BpeHN5c3RlbXMuY29tMRIw\nEAYDVQQIDAlUZW5uZXNzZWUxEjAQBgNVBAcMCU1hcnl2aWxsZTCCASIwDQYJKoZI\nhvcNAQEBBQADggEPADCCAQoCggEBALpoGliii6X8DeoFdLcR7jjsfJIn3nC8f1pT\nLQ3RURHUOEyhPT3Z6TkhaHeHoj8D6kiXROhyJJq3kw5OeqGZisfpGQhkxjpxkfh9\nfAhlvhuLwCWHaMvSh1TaT+h9+eHfcx3un5CIaH8b1KYRBMH+jmKFpr7jkPNkBXLS\nMA7jKIIa8pD9R6lF4gAsbqJafCbT3R7bqkd9xp3n3j2YhqQzETU2lmu4fra3BPio\nofK47kSkguUC6mtk6VrDf2+QtCKlY0dtbF3e2ZBNWo1aj86sjCtoEmqOCMsPRLc/\nXwQcfEqHY4XfafXwqk0G0UxV2ce18xKoR/pN3MpLBZ65NzPnpn0CAwEAAaMtMCsw\nFAYDVR0RBA0wC4IJbG9jYWxob3N0MBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqG\nSIb3DQEBCwUAA4IBAQBFW1R037y7wllg/gRk9p2T1stiG8iIXosblmL4Ak1YToTQ\n/0to5GY2ZYW29+rbA4SDTS5eeu2YqZ0A/fF3wey7ggzMS7KyNBOvx5QBJRw3PJGn\n+THfhXvdfkOyeUC6KWRGLgl+/zBFvgh6vFDq3jmv0NI4ehVBTBMCJn7r6577S16T\nwtgKMCooiz
II0Odu5HIF10gTieFIH3PQYm9JBji9iyemb9Ht3wn7fXQptfGadz/l\nWz/Dv9+a6IOr7JVJMHnqAIvPzpkav4efuVPOX1zbhjg4K5g+nRYfjr5F5upOd0Y3\nznWTUBUyI7CXRkpHtSDXfEqKgnk/8uv7GWw+hyKr\n-----END CERTIFICATE-----\n" + "certificate_path": "/etc/certificates/freenas_default.crt" + "chain": false + "chain_list": [ + "-----BEGIN CERTIFICATE-----\nMIIDqjCCApKgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgDELMAkGA1UEBhMCVVMx\nEjAQBgNVBAoMCWlYc3lzdGVtczESMBAGA1UEAwwJbG9jYWxob3N0MSEwHwYJKoZI\nhvcNAQkBFhJpbmZvQGl4c3lzdGVtcy5jb20xEjAQBgNVBAgMCVRlbm5lc3NlZTES\nMBAGA1UEBwwJTWFyeXZpbGxlMB4XDTIwMDkyNTE0MDUzOFoXDTIyMTIyOTE0MDUz\nOFowgYAxCzAJBgNVBAYTAlVTMRIwEAYDVQQKDAlpWHN5c3RlbXMxEjAQBgNVBAMM\nCWxvY2FsaG9zdDEhMB8GCSqGSIb3DQEJARYSaW5mb0BpeHN5c3RlbXMuY29tMRIw\nEAYDVQQIDAlUZW5uZXNzZWUxEjAQBgNVBAcMCU1hcnl2aWxsZTCCASIwDQYJKoZI\nhvcNAQEBBQADggEPADCCAQoCggEBALpoGliii6X8DeoFdLcR7jjsfJIn3nC8f1pT\nLQ3RURHUOEyhPT3Z6TkhaHeHoj8D6kiXROhyJJq3kw5OeqGZisfpGQhkxjpxkfh9\nfAhlvhuLwCWHaMvSh1TaT+h9+eHfcx3un5CIaH8b1KYRBMH+jmKFpr7jkPNkBXLS\nMA7jKIIa8pD9R6lF4gAsbqJafCbT3R7bqkd9xp3n3j2YhqQzETU2lmu4fra3BPio\nofK47kSkguUC6mtk6VrDf2+QtCKlY0dtbF3e2ZBNWo1aj86sjCtoEmqOCMsPRLc/\nXwQcfEqHY4XfafXwqk0G0UxV2ce18xKoR/pN3MpLBZ65NzPnpn0CAwEAAaMtMCsw\nFAYDVR0RBA0wC4IJbG9jYWxob3N0MBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqG\nSIb3DQEBCwUAA4IBAQBFW1R037y7wllg/gRk9p2T1stiG8iIXosblmL4Ak1YToTQ\n/0to5GY2ZYW29+rbA4SDTS5eeu2YqZ0A/fF3wey7ggzMS7KyNBOvx5QBJRw3PJGn\n+THfhXvdfkOyeUC6KWRGLgl+/zBFvgh6vFDq3jmv0NI4ehVBTBMCJn7r6577S16T\nwtgKMCooizII0Odu5HIF10gTieFIH3PQYm9JBji9iyemb9Ht3wn7fXQptfGadz/l\nWz/Dv9+a6IOr7JVJMHnqAIvPzpkav4efuVPOX1zbhjg4K5g+nRYfjr5F5upOd0Y3\nznWTUBUyI7CXRkpHtSDXfEqKgnk/8uv7GWw+hyKr\n-----END CERTIFICATE-----\n" + ] + "city": "Maryville" + "common": "localhost" + "country": "US" + "csr_path": "/etc/certificates/freenas_default.csr" + "digest_algorithm": "SHA256" + "email": "info@ixsystems.com" + "extensions": + "ExtendedKeyUsage": "TLS Web Server Authentication" + "SubjectAltName": "DNS:localhost" + "fingerprint": 
"9C:5A:1D:1B:E7:9E:0B:89:2B:37:F4:19:83:ED:3C:6B:D8:14:0D:9B" + "from": "Fri Sep 25 16:05:38 2020" + "id": 1 + "internal": "NO" + "issuer": "external" + "key_length": 2048 + "key_type": "RSA" + "lifetime": 825 + "name": "freenas_default" + "organization": "iXsystems" + "organizational_unit": "" + "parsed": true + "privatekey": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC6aBpYooul/A3q\nBXS3Ee447HySJ95wvH9aUy0N0VER1DhMoT092ek5IWh3h6I/A+pIl0TociSat5MO\nTnqhmYrH6RkIZMY6cZH4fXwIZb4bi8Alh2jL0odU2k/offnh33Md7p+QiGh/G9Sm\nEQTB/o5ihaa+45DzZAVy0jAO4yiCGvKQ/UepReIALG6iWnwm090e26pHfcad5949\nmIakMxE1NpZruH62twT4qKHyuO5EpILlAuprZOlaw39vkLQipWNHbWxd3tmQTVqN\nWo/OrIwraBJqjgjLD0S3P18EHHxKh2OF32n18KpNBtFMVdnHtfMSqEf6TdzKSwWe\nuTcz56Z9AgMBAAECggEARwcb4uIs7BZbBu0FSCyg5TfXT6m5bKOmszg2VqmHho+i\n1DAsMcEyyP4d3E3mWLSZNQfOzfOQVxPUCQOGXsUuyHXdgAFGN0bHJDRMara59a0O\njj5GhEO4JXD6OdCmwpZuOt2OF3iiuKxWHuElOvZQMuJSYzI7LULTgKjufv23lbsf\nxMO/v9yi57c5EGgnQ8siLKOy/FQZapn4Z9qKn+lVyk5gfaKP0pDsvV4d7nGYMDD2\nYijfkSyNecApFdtWiLE5zLUlvF6oNj8o66z3YrVNKrCPzhA/5Rkkwwk32SNxvKU3\nVZFSNPeOZ60BicxYcWO+b2aAa0WF+uazJAZ4q52gUQKBgQDu88R+0wm76secYkzE\nQglteLNZKFcvth0kI5xH42Hmk9IXkGimFoDJCIrLAuopyGnfNmqmh2is3QUMUPdR\n/wDLnKc4MCezEidNoD2RBC+bzM1hB9oye/b5sOZUDFXSa0k4XSLu1UEuy1yWhkuS\n6JjY1KQfc4FN0K0Fjqqo7UCTCwKBgQDHtKQh/NvMJ2ok4YW+/QAsus4mEK9eCyUy\nOuyDszQYrGvjkS7STKJVNxGLhWb0XKSIAxMZ66b1MwOt+71h7xNn6pcancfVdK7F\n1Xl5J+76SwbXSgQwTZuoMDxPIvZn7v/2ep5Ni/BcOhMcPIcobWb/OmXrFN1brBvo\nlFNQyWWhlwKBgFDAyPMjVvLO0U6kWdUpjA4W8GV9IJnbLdX8wt/4lClcY2/bOcKH\ncFaAMIeTIJemR0FMHpbQxCtHNmGHK03mo9orwsdWXtRBmk69jJDpnT1F5VKZWMAe\n7MRNaEmXMZm+8CvALgIQx8qMp2mnUPsA6Ea+9gg6/MPTdeWe5UXZiC0pAoGAGtSt\nPJfBXBNrklruYjORo3DRo5GYThVHQRFjl2orNKltsVxfIwgCw1ortEgPBgOwY0mu\ndkwP2V+qPeTVk+PQAqUk+gF6yLXtiUzeDiYMWHpeB+y81VSH9jfM0oELA/m7T/03\naYnEmE+BI8kKC6dvMBlDeisKdneQJFZRP0hfrC8CgYEAgYIyCGwcydKpe2Nkj0Fz\nKTtCMC/k4DvJfd5Kb9AbmrPUfKgA9Xj4GT6yPG6uBMi8r5etvLCKJ2x2NtN024a8\nQJLATYPrSsaZkE+9zM0j5nYAgbKpxBhlDzDAzn//3ByVzfgJ25S80XhTI
2lfbLH/\nU07ssxdZaQCo+WuD82OvNcg=\n-----END PRIVATE KEY-----\n" + "privatekey_path": "/etc/certificates/freenas_default.key" + "revoked": false + "revoked_date": "" + "root_path": "/etc/certificates" + "san": [ + "DNS:localhost" + ] + "serial": 1 + "signedby": "" + "state": "Tennessee" + "subject_name_hash": 3193428416 + "type": 8 + "until": "Thu Dec 29 15:05:38 2022" diff --git a/helper-charts/common-test/values.yaml b/helper-charts/common-test/values.yaml index c429d33d..29f25149 100644 --- a/helper-charts/common-test/values.yaml +++ b/helper-charts/common-test/values.yaml @@ -8,3 +8,6 @@ service: ports: main: port: 8080 + +manifests: + enabled: false
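Review bot: The new helper-charts/common-test/ci/manifest-values.yaml commits a PEM private key under `ixCertificates."1".privatekey`, next to a certificate whose DN names `CN=localhost`. If this is a throwaway test fixture, say so at the top of the block, e.g. `# Test fixture only: localhost certificate and key, not used outside CI`, so secret scanners and later readers can tell it apart from a leaked credential. Nothing visible in this file's manifest settings refers to the certificate data, so dropping the `ixCertificates` block from this scenario may be possible; that depends on templates outside the diff. The file also sets `manifests.enabled: true`, which means the CI run executes the manifest Job against the test cluster, and a one-line comment stating that this is intended would help.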