From f47decd12334425a01cbdd5081c270e9e5b836d0 Mon Sep 17 00:00:00 2001 From: Sushanta Das Date: Tue, 2 Jan 2024 12:59:23 +0530 Subject: [PATCH 1/3] image-contoller and build-service layout change --- .../build-service/base/kustomization.yaml | 8 -------- .../development/kustomization.yaml | 11 +++++++++++ .../staging/base/kustomization.yaml | 11 +++++++++++ .../image-controller/base/kustomization.yaml | 9 --------- .../development/kustomization.yaml | 9 +++++++++ .../manager_resources_patch.yaml | 0 .../production/kustomization.yaml | 10 ++++++++++ .../production/manager_resources_patch.yaml | 18 ++++++++++++++++++ .../staging/kustomization.yaml | 11 +++++++++++ .../staging/manager_resources_patch.yaml | 18 ++++++++++++++++++ 10 files changed, 88 insertions(+), 17 deletions(-) rename components/image-controller/{base => development}/manager_resources_patch.yaml (100%) create mode 100644 components/image-controller/production/manager_resources_patch.yaml create mode 100644 components/image-controller/staging/manager_resources_patch.yaml diff --git a/components/build-service/base/kustomization.yaml b/components/build-service/base/kustomization.yaml index 25ab2b3a64..fd2f5a3b3c 100644 --- a/components/build-service/base/kustomization.yaml +++ b/components/build-service/base/kustomization.yaml @@ -1,6 +1,5 @@ resources: - allow-argocd-to-manage.yaml -- https://github.com/redhat-appstudio/build-service/config/default?ref=45e8fe7c3b036d1df3eee11c1d83e0633e451c07 - build-pipeline-selectors/build-pipeline-selector.yaml - monitoring.yaml - rbac @@ -11,12 +10,5 @@ resources: commonAnnotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -namespace: build-service - -images: -- name: quay.io/redhat-appstudio/build-service - newName: quay.io/redhat-appstudio/build-service - newTag: 45e8fe7c3b036d1df3eee11c1d83e0633e451c07 - apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization diff --git a/components/build-service/development/kustomization.yaml b/components/build-service/development/kustomization.yaml index 33253d7f95..ad662a9c9f 100644 --- a/components/build-service/development/kustomization.yaml +++ b/components/build-service/development/kustomization.yaml @@ -2,6 +2,17 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ../base +- https://github.com/redhat-appstudio/build-service/config/default?ref=45e8fe7c3b036d1df3eee11c1d83e0633e451c07 + +namespace: build-service + +images: +- name: quay.io/redhat-appstudio/build-service + newName: quay.io/redhat-appstudio/build-service + newTag: 45e8fe7c3b036d1df3eee11c1d83e0633e451c07 + +commonAnnotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true patches: - target: diff --git a/components/build-service/staging/base/kustomization.yaml b/components/build-service/staging/base/kustomization.yaml index 895e459025..02af01c9aa 100644 --- a/components/build-service/staging/base/kustomization.yaml +++ b/components/build-service/staging/base/kustomization.yaml @@ -3,3 +3,14 @@ kind: Kustomization resources: - ../../base - ../../base/external-secrets +- https://github.com/redhat-appstudio/build-service/config/default?ref=45e8fe7c3b036d1df3eee11c1d83e0633e451c07 + +namespace: build-service + +images: +- name: quay.io/redhat-appstudio/build-service + newName: quay.io/redhat-appstudio/build-service + newTag: 45e8fe7c3b036d1df3eee11c1d83e0633e451c07 + +commonAnnotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true \ No newline at end of file diff --git a/components/image-controller/base/kustomization.yaml b/components/image-controller/base/kustomization.yaml index 34307a4061..303e846d4f 100644 --- a/components/image-controller/base/kustomization.yaml +++ b/components/image-controller/base/kustomization.yaml @@ -1,18 +1,9 @@ resources: - allow-argocd-to-manage.yaml -- https://github.com/redhat-appstudio/image-controller/config/default?ref=8208ff372b880773b911062dc828f050e45c5312 - rbac -images: -- name: quay.io/redhat-appstudio/image-controller - newName: quay.io/redhat-appstudio/image-controller - newTag: 8208ff372b880773b911062dc828f050e45c5312 - namespace: image-controller -patches: - - path: ./manager_resources_patch.yaml - apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization diff --git a/components/image-controller/development/kustomization.yaml b/components/image-controller/development/kustomization.yaml index a22b7f76bd..a4c51bccf1 100644 --- a/components/image-controller/development/kustomization.yaml +++ b/components/image-controller/development/kustomization.yaml @@ -2,8 +2,17 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ../base +- https://github.com/redhat-appstudio/image-controller/config/default?ref=8208ff372b880773b911062dc828f050e45c5312 + +images: +- name: quay.io/redhat-appstudio/image-controller + newName: quay.io/redhat-appstudio/image-controller + newTag: 8208ff372b880773b911062dc828f050e45c5312 + +namespace: image-controller patches: + - path: ./manager_resources_patch.yaml - target: group: apps version: v1 diff --git a/components/image-controller/base/manager_resources_patch.yaml b/components/image-controller/development/manager_resources_patch.yaml similarity index 100% rename from components/image-controller/base/manager_resources_patch.yaml rename to components/image-controller/development/manager_resources_patch.yaml diff --git a/components/image-controller/production/kustomization.yaml b/components/image-controller/production/kustomization.yaml index 81fb17a56d..30d19f151c 100644 --- a/components/image-controller/production/kustomization.yaml +++ b/components/image-controller/production/kustomization.yaml @@ -3,7 +3,17 @@ kind: Kustomization resources: - ../base - ../base/external-secrets +- https://github.com/redhat-appstudio/image-controller/config/default?ref=8208ff372b880773b911062dc828f050e45c5312 + +images: +- name: quay.io/redhat-appstudio/image-controller + newName: quay.io/redhat-appstudio/image-controller + newTag: 8208ff372b880773b911062dc828f050e45c5312 + +namespace: image-controller + patches: + - path: ./manager_resources_patch.yaml - path: quaytoken.yaml target: name: quaytoken diff --git a/components/image-controller/production/manager_resources_patch.yaml b/components/image-controller/production/manager_resources_patch.yaml new file mode 100644 index 0000000000..972112ef47 --- /dev/null +++ b/components/image-controller/production/manager_resources_patch.yaml @@ -0,0 +1,18 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + resources: + limits: + cpu: 500m + memory: 2Gi + requests: + cpu: 100m + memory: 20Mi + diff --git a/components/image-controller/staging/kustomization.yaml b/components/image-controller/staging/kustomization.yaml index 479bc60076..c747c0f76d 100644 --- a/components/image-controller/staging/kustomization.yaml +++ b/components/image-controller/staging/kustomization.yaml @@ -3,3 +3,14 @@ kind: Kustomization resources: - ../base - ../base/external-secrets +- https://github.com/redhat-appstudio/image-controller/config/default?ref=8208ff372b880773b911062dc828f050e45c5312 + +images: +- name: quay.io/redhat-appstudio/image-controller + newName: quay.io/redhat-appstudio/image-controller + newTag: 8208ff372b880773b911062dc828f050e45c5312 + +namespace: image-controller + +patches: + - path: ./manager_resources_patch.yaml \ No newline at end of file diff --git a/components/image-controller/staging/manager_resources_patch.yaml b/components/image-controller/staging/manager_resources_patch.yaml new file mode 100644 index 0000000000..972112ef47 --- /dev/null +++ b/components/image-controller/staging/manager_resources_patch.yaml @@ -0,0 +1,18 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + resources: + limits: + cpu: 500m + memory: 2Gi + requests: + cpu: 100m + memory: 20Mi + From 20338df484ab1ec5c0bda69ef4f1811871b53016 Mon Sep 17 00:00:00 2001 From: Sushanta Das Date: Fri, 5 Jan 2024 12:40:27 +0530 Subject: [PATCH 2/3] stage to prod promotion pipeline --- .../build-service-prod-overlay-update.yaml | 30 ++ .../image-controller-prod-overlay-update.yaml | 29 ++ .tekton/tasks/promote-component.yaml | 276 ++++++++++++++++++ 3 files changed, 335 insertions(+) create mode 100644 .tekton/build-service-prod-overlay-update.yaml create mode 100644 .tekton/image-controller-prod-overlay-update.yaml create mode 100644 .tekton/tasks/promote-component.yaml diff --git a/.tekton/build-service-prod-overlay-update.yaml b/.tekton/build-service-prod-overlay-update.yaml new file mode 100644 index 0000000000..67d71dfb48 --- /dev/null +++ b/.tekton/build-service-prod-overlay-update.yaml @@ -0,0 +1,30 @@ +apiVersion: tekton.dev/v1beta1 +kind: PipelineRun +metadata: + name: build-service-prod-overlay-update + namespace: rhtap-promotion-staging + annotations: + pipelinesascode.tekton.dev/on-cel-expression: | + event == "push" && target_branch == "main" && "components/build-service/staging/base/kustomization.yaml".pathChanged() + pipelinesascode.tekton.dev/max-keep-runs: "5" + pipelinesascode.tekton.dev/task: "[.tekton/tasks/promote-component.yaml]" +spec: + pipelineSpec: + tasks: + - name: promote-component-from-stage-to-prod + params: + - name: BRANCH_NAME + value: stage-to-prod-build + - name: COMPONENT_NAME + value: build-service + - name: SCRIPT + value: | + STAGE_SHA=$(grep -oE '[0-9a-f]{40}' components/build-service/staging/base/kustomization.yaml -m1) + OLD_PROD_SHA=$(grep -oE '[0-9a-f]{40}' components/build-service/production/kustomization.yaml -m1) + echo "Changing prod sha from ${OLD_PROD_SHA} to ${STAGE_SHA}" + sed -i "s/$OLD_PROD_SHA/$STAGE_SHA/g" components/build-service/production/kustomization.yaml + sed -i "s/$OLD_PROD_SHA/$STAGE_SHA/g" components/monitoring/grafana/base/dashboards/build-service/kustomization.yaml + taskRef: + name: promote-component + + diff --git a/.tekton/image-controller-prod-overlay-update.yaml b/.tekton/image-controller-prod-overlay-update.yaml new file mode 100644 index 0000000000..07eb7eb5e1 --- /dev/null +++ b/.tekton/image-controller-prod-overlay-update.yaml @@ -0,0 +1,29 @@ +apiVersion: tekton.dev/v1beta1 +kind: PipelineRun +metadata: + name: image-controller-prod-overlay-update + namespace: rhtap-promotion-staging + annotations: + pipelinesascode.tekton.dev/on-cel-expression: | + event == "push" && target_branch == "main" && "components/image-controller/staging/kustomization.yaml".pathChanged() + pipelinesascode.tekton.dev/max-keep-runs: "5" + pipelinesascode.tekton.dev/task: "[.tekton/tasks/promote-component.yaml]" +spec: + pipelineSpec: + tasks: + - name: promote-component-from-stage-to-prod + params: + - name: BRANCH_NAME + value: stage-to-prod-image-controller + - name: COMPONENT_NAME + value: image-controller + - name: SCRIPT + value: | + STAGE_SHA=$(grep -oE '[0-9a-f]{40}' components/image-controller/staging/kustomization.yaml -m1) + OLD_PROD_SHA=$(grep -oE '[0-9a-f]{40}' components/image-controller/production/kustomization.yaml -m1) + echo "Changing prod sha from ${OLD_PROD_SHA} to ${STAGE_SHA}" + sed -i "s/$OLD_PROD_SHA/$STAGE_SHA/g" components/image-controller/production/kustomization.yaml + taskRef: + name: promote-component + + diff --git a/.tekton/tasks/promote-component.yaml b/.tekton/tasks/promote-component.yaml new file mode 100644 index 0000000000..0d69d37dd3 --- /dev/null +++ b/.tekton/tasks/promote-component.yaml @@ -0,0 +1,276 @@ +apiVersion: tekton.dev/v1 +kind: Task +metadata: + labels: + app.kubernetes.io/version: "0.1" + annotations: + tekton.dev/pipelines.minVersion: "0.12.1" + tekton.dev/tags: "appstudio, hacbs" + name: promote-component +spec: + description: | + Clones redhat-appstudio/infra-deployments repository, runs script in 'SCRIPT' parameter, generates pull-request for redhat-appstudio/infra-deployments repository. + params: + - name: SCRIPT + description: Bash script for changing the infra-deployments + - name: BRANCH_NAME + description: Source branch in infra-deployment repo + - name: COMPONENT_NAME + description: Component to promote + - name: GH_REPO + description: GitHub repository of the infra-deployments code + default: redhat-appstudio/infra-deployments + - name: GIT_IMAGE + description: Image reference containing the git command + default: registry.redhat.io/openshift-pipelines/pipelines-git-init-rhel8:v1.8.2-8@sha256:a538c423e7a11aae6ae582a411fdb090936458075f99af4ce5add038bb6983e8 + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. + - name: SCRIPT_IMAGE + description: Image reference for SCRIPT execution + # this image is built using https://github.com/redhat-appstudio/build-tasks-dockerfiles/blob/main/update-infra-deployments-task-scripts-image/Dockerfile + default: quay.io/redhat-appstudio/update-infra-deployments-task-script-image@sha256:2748f1a4f1af4e35214745aed4e56a9d06f6bdbd30572e7ade13729e67f23cc9 + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. + - name: shared-secret + default: infra-deployments-pr-creator + description: secret in the namespace which contains private key for the GitHub App + - name: GITHUB_APP_ID + description: ID of Github app used for updating PR + default: "305606" + - name: GITHUB_APP_INSTALLATION_ID + description: Installation ID of Github app in the organization + default: "35269675" + volumes: + - name: infra-deployments-pr-creator + secret: + # 'private-key' - private key for Github app + secretName: $(params.shared-secret) + - name: shared-dir + emptyDir: {} + + steps: + - name: git-clone-infra-deployments + image: $(params.GIT_IMAGE) + volumeMounts: + - name: shared-dir + mountPath: /shared + workingDir: /shared + env: + - name: GH_REPO + value: "$(params.GH_REPO)" + # - name: ORIGIN_REPO + # value: $(params.ORIGIN_REPO) + script: | + # REPO_NAME=$(echo $ORIGIN_REPO | cut -f5 -d/) + + git clone "https://github.com/${GH_REPO}.git" cloned + - name: run-update-script + image: $(params.SCRIPT_IMAGE) + volumeMounts: + - name: shared-dir + mountPath: /shared + workingDir: /shared + env: + - name: SCRIPT + value: $(params.SCRIPT) + script: | + cd cloned + echo "$SCRIPT" | sh + - name: get-diff-files + image: $(params.GIT_IMAGE) + volumeMounts: + - name: shared-dir + mountPath: /shared + workingDir: /shared + script: | + cd cloned + git status -s --porcelain | cut -c4- > ../updated_files.txt + # Based on https://github.com/tektoncd/catalog/tree/main/task/github-app-token/0.2/ + - name: create-mr + image: quay.io/redhat-appstudio/github-app-token@sha256:b4f2af12e9beea68055995ccdbdb86cfe1be97688c618117e5da2243dc1da18e + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. + volumeMounts: + - name: infra-deployments-pr-creator + mountPath: /secrets/deploy-key + - name: shared-dir + mountPath: /shared + workingDir: /shared + env: + - name: GITHUBAPP_KEY_PATH + value: /secrets/deploy-key/private-key + - name: GITHUBAPP_APP_ID + value: "$(params.GITHUB_APP_ID)" + - name: GITHUBAPP_INSTALLATION_ID + value: "$(params.GITHUB_APP_INSTALLATION_ID)" + - name: GITHUB_API_URL + value: https://api.github.com + - name: BRANCH_NAME + value: $(params.BRANCH_NAME) + - name: GH_REPO + value: "$(params.GH_REPO)" + - name: COMPONENT_NAME + value: "$(params.COMPONENT_NAME)" + script: | + #!/usr/bin/env python3 + import json + import logging + import os + import time + import base64 + + import requests + from jwcrypto import jwk, jwt + + logging.basicConfig(level=logging.DEBUG, format="%(asctime)s:%(name)s:%(levelname)s:%(message)s") + logger = logging.getLogger("updater") + + EXPIRE_MINUTES_AS_SECONDS = int(os.environ.get('GITHUBAPP_TOKEN_EXPIRATION_MINUTES', 10)) * 60 + # TODO support github enteprise + GITHUB_API_URL = os.environ["GITHUB_API_URL"] + + BRANCH_NAME = os.environ["BRANCH_NAME"] + GH_REPO = os.environ["GH_REPO"] + COMPONENT_NAME = os.environ["COMPONENT_NAME"] + + + class GitHub(): + token = None + + def __init__(self, private_key, app_id=None, installation_id=None): + if not isinstance(private_key, bytes): + raise ValueError(f'"{private_key}" parameter must be byte-string') + self._private_key = private_key + self.app_id = app_id + self.token = self._get_token(installation_id) + + def _load_private_key(self, pem_key_bytes): + return jwk.JWK.from_pem(pem_key_bytes) + + def _app_token(self, expire_in=EXPIRE_MINUTES_AS_SECONDS): + key = self._load_private_key(self._private_key) + now = int(time.time()) + token = jwt.JWT( + header={"alg": "RS256"}, + claims={ + "iat": now, + "exp": now + expire_in, + "iss": self.app_id + }, + algs=["RS256"], + ) + token.make_signed_token(key) + return token.serialize() + + def _get_token(self, installation_id=None): + app_token = self._app_token() + if not installation_id: + return app_token + + req = self._request( + "POST", + f"/app/installations/{installation_id}/access_tokens", + headers={ + "Authorization": f"Bearer {app_token}", + "Accept": "application/vnd.github.machine-man-preview+json" + }) + + ret = req.json() + if 'token' not in ret: + raise Exception(f"Authentication errors: {ret}") + + return ret['token'] + + def _request(self, method, url, headers={}, data={}): + if self.token and 'Authorization' not in headers: + headers.update({"Authorization": "Bearer " + self.token}) + if not url.startswith("http"): + url = f"{GITHUB_API_URL}{url}" + return requests.request(method, + url, + headers=headers, + data=json.dumps(data)) + + def create_mr(self, title, description): + logger.info("Create/update pull request, head: %s, base: main", BRANCH_NAME) + req = self._request( + "POST", + f"/repos/{GH_REPO}/pulls", + headers={ + "Authorization": f"Bearer {self.token}", + "Accept": "application/vnd.github.v3+json" + }, + data={ + "head": BRANCH_NAME, + "base": "main", + "title": title, + "body": description, + "maintainer_can_modify": False + }) + json_output = req.json() + print(json_output) + return json_output + + def create_reset_branch(self): + target_branch = self._request("GET", f"/repos/{GH_REPO}/git/refs/heads/{BRANCH_NAME}").json() + main_branch_sha = self._request("GET", f"/repos/{GH_REPO}/git/refs/heads/main").json()['object']['sha'] + if "ref" in target_branch: + logger.info("Update branch %s", BRANCH_NAME) + self._request( + "PATCH", + f"/repos/{GH_REPO}/git/refs/heads/{BRANCH_NAME}", + data={"sha": main_branch_sha, "force": True} + ) + else: + logger.info("Create branch %s", BRANCH_NAME) + self._request( + "POST", + f"/repos/{GH_REPO}/git/refs", + data={"sha": main_branch_sha, "ref": f"refs/heads/{BRANCH_NAME}"} + ) + + def upload_content(self): + for file in open('updated_files.txt').readlines(): + file = file.strip() + with open(f"cloned/{file}", "rb") as fd: + encoded_string = base64.b64encode(fd.read()).decode("utf-8") + old_sha = self._request("GET", f'/repos/{GH_REPO}/contents/{file}').json().get("sha") + if old_sha is None: + logger.info("Upload a new file %s", file) + self._request("PUT", f'/repos/{GH_REPO}/contents/{file}', data={"message": f"update {file}", "branch": BRANCH_NAME, "content": encoded_string}) + else: + logger.info("Update file %s", file) + self._request("PUT", f'/repos/{GH_REPO}/contents/{file}', data={"message": f"update {file}", "branch": BRANCH_NAME, "content": encoded_string, "sha": old_sha}) + + + def main(): + with open(os.environ['GITHUBAPP_KEY_PATH'], 'rb') as key_file: + key = key_file.read() + + if os.environ.get('GITHUBAPP_APP_ID'): + app_id = os.environ['GITHUBAPP_APP_ID'] + else: + raise Exception("application id is not set") + + print(f"Getting user token for application_id: {app_id}") + github_app = GitHub( + key, + app_id=app_id, + installation_id=os.environ.get('GITHUBAPP_INSTALLATION_ID')) + + github_app.create_reset_branch() + github_app.upload_content() + title = f"Promoting component {COMPONENT_NAME} from stage to prod" + description = f"Promote from stage to production" + github_app.create_mr(title, description) + + if __name__ == '__main__': + main() + + workspaces: + - name: artifacts + description: Workspace containing arbitrary artifacts used during the task run. + optional: true From 6704c4d205634feefb3b76ce9f8f3a93f0badb18 Mon Sep 17 00:00:00 2001 From: Sushanta Das Date: Mon, 8 Jan 2024 15:42:30 +0530 Subject: [PATCH 3/3] Addressed review comments and rebased on main --- .../build-service-prod-overlay-update.yaml | 4 +-- .tekton/tasks/promote-component.yaml | 25 +++++-------------- .../production/base/kustomization.yaml | 12 +++++++++ 3 files changed, 20 insertions(+), 21 deletions(-) diff --git a/.tekton/build-service-prod-overlay-update.yaml b/.tekton/build-service-prod-overlay-update.yaml index 67d71dfb48..14d8b7da75 100644 --- a/.tekton/build-service-prod-overlay-update.yaml +++ b/.tekton/build-service-prod-overlay-update.yaml @@ -20,9 +20,9 @@ spec: - name: SCRIPT value: | STAGE_SHA=$(grep -oE '[0-9a-f]{40}' components/build-service/staging/base/kustomization.yaml -m1) - OLD_PROD_SHA=$(grep -oE '[0-9a-f]{40}' components/build-service/production/kustomization.yaml -m1) + OLD_PROD_SHA=$(grep -oE '[0-9a-f]{40}' components/build-service/production/base/kustomization.yaml -m1) echo "Changing prod sha from ${OLD_PROD_SHA} to ${STAGE_SHA}" - sed -i "s/$OLD_PROD_SHA/$STAGE_SHA/g" components/build-service/production/kustomization.yaml + sed -i "s/$OLD_PROD_SHA/$STAGE_SHA/g" components/build-service/production/base/kustomization.yaml sed -i "s/$OLD_PROD_SHA/$STAGE_SHA/g" components/monitoring/grafana/base/dashboards/build-service/kustomization.yaml taskRef: name: promote-component diff --git a/.tekton/tasks/promote-component.yaml b/.tekton/tasks/promote-component.yaml index 0d69d37dd3..37fec1e6fc 100644 --- a/.tekton/tasks/promote-component.yaml +++ b/.tekton/tasks/promote-component.yaml @@ -20,19 +20,10 @@ spec: - name: GH_REPO description: GitHub repository of the infra-deployments code default: redhat-appstudio/infra-deployments - - name: GIT_IMAGE - description: Image reference containing the git command - default: registry.redhat.io/openshift-pipelines/pipelines-git-init-rhel8:v1.8.2-8@sha256:a538c423e7a11aae6ae582a411fdb090936458075f99af4ce5add038bb6983e8 - # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting - # the cluster will set imagePullPolicy to IfNotPresent - # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. - - name: SCRIPT_IMAGE - description: Image reference for SCRIPT execution - # this image is built using https://github.com/redhat-appstudio/build-tasks-dockerfiles/blob/main/update-infra-deployments-task-scripts-image/Dockerfile + - name: IMAGE + description: Image reference containing git and other utility required for executing the SCRIPT + # this image is built using https://github.com/redhat-appstudio/build-tasks-dockerfiles/blob/main/update-infra-deployments-task-scripts-image/Dockerfile default: quay.io/redhat-appstudio/update-infra-deployments-task-script-image@sha256:2748f1a4f1af4e35214745aed4e56a9d06f6bdbd30572e7ade13729e67f23cc9 - # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting - # the cluster will set imagePullPolicy to IfNotPresent - # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. - name: shared-secret default: infra-deployments-pr-creator description: secret in the namespace which contains private key for the GitHub App @@ -52,7 +43,7 @@ spec: steps: - name: git-clone-infra-deployments - image: $(params.GIT_IMAGE) + image: $(params.IMAGE) volumeMounts: - name: shared-dir mountPath: /shared @@ -60,14 +51,10 @@ spec: env: - name: GH_REPO value: "$(params.GH_REPO)" - # - name: ORIGIN_REPO - # value: $(params.ORIGIN_REPO) script: | - # REPO_NAME=$(echo $ORIGIN_REPO | cut -f5 -d/) - git clone "https://github.com/${GH_REPO}.git" cloned - name: run-update-script - image: $(params.SCRIPT_IMAGE) + image: $(params.IMAGE) volumeMounts: - name: shared-dir mountPath: /shared @@ -79,7 +66,7 @@ spec: cd cloned echo "$SCRIPT" | sh - name: get-diff-files - image: $(params.GIT_IMAGE) + image: $(params.IMAGE) volumeMounts: - name: shared-dir mountPath: /shared diff --git a/components/build-service/production/base/kustomization.yaml b/components/build-service/production/base/kustomization.yaml index b044ae2398..f2412af541 100644 --- a/components/build-service/production/base/kustomization.yaml +++ b/components/build-service/production/base/kustomization.yaml @@ -3,6 +3,18 @@ kind: Kustomization resources: - ../../base - ../../base/external-secrets +- https://github.com/redhat-appstudio/build-service/config/default?ref=45e8fe7c3b036d1df3eee11c1d83e0633e451c07 + +namespace: build-service + +images: +- name: quay.io/redhat-appstudio/build-service + newName: quay.io/redhat-appstudio/build-service + newTag: 45e8fe7c3b036d1df3eee11c1d83e0633e451c07 + +commonAnnotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + patches: - path: pipelines-as-code-secret-patch.yaml target: