1.2 Fixes #38
@@ -10,8 +10,12 @@ _Note this action is written to specifically work with Helm repos in Artifactory | |
|
||
`action` - `[package, test, publish]` | ||
|
||
- `lint` - Runs helm linter along with dependency build. | ||
- `diff` - Runs helm diff using templates along with dependency build. | ||
- `audit` - Runs audit on helm files | ||
- `package` - Involves helm client only and does dependency build, lint and package chart | ||
- `publish` - Uses helm artifactory plugin to uploads the chart | ||
- `publish-artifactory` - Uses helm artifactory plugin to uploads the chart | ||
- `publish-chartmuseum` - Uses helm cm plugin to uploads the chart | ||
- `publish-gar` - Uses helm (helm 3.8 or greater), to push on Google Artifactory Registry using OCI | ||
|
||
## Required Environment variables | ||
|
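Review bot: the `action` line still enumerates `[package, test, publish]` while the bullets below it now add `lint`, `diff`, `audit`, `publish-artifactory`, `publish-chartmuseum` and `publish-gar`; update the enumeration to match. In the same hunk `publish` and `publish-artifactory` carry the identical description, so state whether `publish` stays as a deprecated alias or drop it; fix "to uploads the chart" to "to upload the chart" in the three publish bullets; and "Google Artifactory Registry" should read "Google Artifact Registry".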
@@ -60,6 +64,8 @@ GAR_JSON_KEY: "${{ secrets.GAR_DEV_RW_JSON_KEY }}" | |
# The chart prefix is used to distinguish from app container | ||
# images with the same name pushed on GAR. | ||
CHART_PREFIX: "YOURPREFIX" | ||
UPSTREAM_BRANCH: "main" | ||
CURRENT_BRANCH: "Add your current branch" | ||
``` | ||
|
||
## Optional Environment variables | ||
|
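Review bot: `UPSTREAM_BRANCH` and `CURRENT_BRANCH` are added to the Required block with placeholder values, but nothing in the hunk says which action reads them; the `diff` example later in this README derives the base branch from `steps.branch-name.outputs.base_ref_branch` and never sets these two. Document which actions require them and what happens when they are unset, or move them to Optional environment variables.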
@@ -68,6 +74,7 @@ CHART_PREFIX: "YOURPREFIX" | |
HELM_VERSION: # Override helm version. Default "3.5.1" | ||
KUBECTL_VERSION: # Override kubectl version. Default "1.21.0" | ||
HELM_ARTIFACTORY_PLUGIN_VERSION: # Override helm artifactory plugin version. Default "v1.0.2" | ||
HELM_CHARTMUSEUM_PLUGIN_VERSION: # Override helm chartmuseum plugin version. Default "0.10.3" | ||
CHART_VERSION: # If defined, override version in Chart.yaml file. Default is unset | ||
DEBUG: # If defined will set debug in shell script. | ||
``` | ||
|
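Review bot: the documented defaults are now wrong within the same PR: `HELM_VERSION` still says Default "3.5.1" and `KUBECTL_VERSION` says "1.21.0", while the entrypoint now defaults to `v3.13.3` and `v1.28.0` (with a leading `v`, which also changes the accepted format). The new `DYFF_VERSION`, `YQ_VERSION`, `POLARIS_VERSION` and `KUBE_SCORE_VERSION` overrides are not listed here at all; add them with their defaults.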
@@ -78,7 +85,7 @@ DEBUG: # If defined will set debug in shell script. | |
Never use `main` branch in your github workflows! | ||
|
||
```yaml | ||
name: Helm lint, test, package and publish | ||
name: Helm lint, test, package, publish, audit, diff | ||
|
||
on: pull_request | ||
|
||
|
@@ -91,8 +98,9 @@ jobs: | |
# - name: myOtherJob1 | ||
# run: | ||
|
||
|
||
- name: "Helm publish" | ||
uses: draios/[email protected] | ||
uses: rarchk/[email protected] | ||
Reviewer comment on lines -95 to +103: please revert to the original repo
||
with: | ||
action: "package" | ||
env: | ||
|
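Review bot: `uses: rarchk/[email protected]` points the README at a fork rather than the repository the README belongs to, as the reviewer already noted, and `@v1.2` is a mutable tag. Reference the upstream repository in the example, and for supply-chain hygiene show the action pinned to a full commit SHA with the tag in a trailing comment, so a moved tag cannot swap in different code on consumers' runners.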
@@ -101,10 +109,10 @@ jobs: | |
ARTIFACTORY_USERNAME: ${{ secrets.ARTIFACTORY_HELM_USERNAME }} | ||
ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_HELM_PASSWORD }} | ||
|
||
- name: "Helm publish" | ||
uses: draios/[email protected] | ||
- name: "Helm publish artifactory" | ||
uses: rarchk/[email protected] | ||
Reviewer comment on lines +112 to +113: please revert to the original repo
||
with: | ||
action: "publish" | ||
action: "publish-artifactory" | ||
Reviewer comment on lines -107 to +115: as before
||
env: | ||
CHART_DIR: resources/helm/sdcadminoper | ||
ARTIFACTORY_URL: https://artifactory.internal.sysdig.com:443/artifactory/helm-local/ | ||
|
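Review bot: the example switches `action: "publish"` to `"publish-artifactory"`, but the action list above keeps both entries with the same description; if `publish` still works as an alias, say so next to this example, otherwise this is a breaking rename for existing workflows and belongs in a major release rather than a 1.2 fix. The `uses:` line on +113 has the same fork and mutable-tag issue as the previous hunk.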
@@ -125,7 +133,7 @@ jobs: | |
steps: | ||
- uses: actions/checkout@v2 | ||
- name: "Helm Publish on GAR" | ||
uses: draios/[email protected] | ||
uses: rarchk/[email protected] | ||
Reviewer comment on lines -128 to +136: ditto
||
with: | ||
action: "publish-gar" | ||
env: | ||
|
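Review bot: same point as the two hunks above for line +136: the `uses:` reference should be the upstream repository and pinned by commit SHA rather than a floating `v1.2` tag.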
@@ -140,3 +148,112 @@ jobs: | |
GAR_JSON_KEY: "${{ secrets.GAR_DEV_RW_JSON_KEY }}" | ||
CHART_PREFIX: "YOUR_PREFIX" | ||
``` | ||
## Addon for chart-museum | ||
```yaml | ||
name: Helm lint, test, package and publish | ||
on: pull_request | ||
|
||
jobs: | ||
helm-suite: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@v3 | ||
- name: "Helm publish artifactory" | ||
uses: rarchk/[email protected] | ||
with: | ||
action: "publish-chartmuseum" | ||
env: | ||
CHART_DIR: resources/helm/sdcadminoper | ||
ARTIFACTORY_URL: https://artifactory.internal.sysdig.com:443/artifactory/helm-local/ | ||
ARTIFACTORY_USERNAME: ${{ secrets.ARTIFACTORY_HELM_USERNAME }} | ||
ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_HELM_PASSWORD }} | ||
``` | ||
|
||
## Diff as a template | ||
Diff can be used to compute differences between complex helm distributions | ||
|
||
```mermaid | ||
graph TD | ||
subgraph ComplexHelmDistributions | ||
HelmFile --> ListOfHelmCharts | ||
CustomRelease --> ListOfHelmCharts | ||
end | ||
|
||
subgraph CD_Workflows | ||
ArgoCDApplication --> HelmChart | ||
end | ||
subgraph HELM_Repos | ||
B[HelmChart] | ||
end | ||
|
||
CD_Workflows --> D | ||
ComplexHelmDistributions -.-> D | ||
ComplexHelmDistributions -.-> D | ||
ComplexHelmDistributions -.-> D | ||
HELM_Repos --> D | ||
D[[Diff Action Template]] | ||
D --> C(fa:fa-genderless) | ||
``` | ||
### Algorithm | ||
1. We would need previous and next version | ||
2. We would need access to remote chart repository | ||
3. We can use this command to generate templates locally and remotely | ||
4. We take following inputs | ||
1. previous version | ||
2. current version[optional] or can be generated locally | ||
|
||
```bash | ||
# local templating | ||
helm template <chart_name>.tgz -f values.yaml | ||
|
||
# remote templating | ||
helm template <remote_repo>/chart_name --version 1.17.1 -f values.yaml | ||
|
||
# search for all versions | ||
helm search repo <remote_repo>/chart_name --versions | ||
``` | ||
4. Diff it | ||
|
||
|
||
### Workflow Example | ||
```yaml | ||
- run: sh -c "sudo wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq && sudo chmod +x /usr/bin/yq" | ||
name: setup yq | ||
|
||
- name: Get upstream chart version | ||
id: lookupChartVersion | ||
run: | | ||
sh -c "echo result=$(git fetch -a; git show origin/${{ steps.branch-name.outputs.base_ref_branch }}:${{ matrix.dir }}/Chart.yaml | yq .version) >> $GITHUB_OUTPUT" | ||
|
||
- name: Get upstream chart name | ||
id: lookupChartName | ||
run: | | ||
sh -c "echo result=$(yq .name < ${{ matrix.dir }}/Chart.yaml) >> $GITHUB_OUTPUT" | ||
|
||
|
||
- name: "Helm diff" | ||
id: diff | ||
uses: rarchk/[email protected] | ||
env: | ||
ACTION: "diff" | ||
FROM_CHART: "${{ steps.lookupChartVersion.outputs.result }}" | ||
TO_CHART: "" | ||
CHART_DIR: "${{ matrix.dir }}" #In case TO_CHART is not available | ||
CHART_NAME: "${{ steps.lookupChartName.outputs.result }}" | ||
OPTIONAL_VALUES: "app.ingress.enabled=false" | ||
ARTIFACTORY_URL: "" | ||
ARTIFACTORY_USERNAME: "" | ||
ARTIFACTORY_PASSWORD: "" | ||
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | ||
``` | ||
|
||
## Audit example | ||
It statically audits k8s resources | ||
```yaml | ||
- name: "Helm audit" | ||
uses: rarchk/[email protected] | ||
env: | ||
Reviewer comment on lines +251 to +255: The example should reflect the name of the repo
||
ACTION: "audit" | ||
CHART_DIR: "${{ matrix.dir }}" | ||
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | ||
``` |
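Review bot: the `setup yq` step in the diff example fetches `yq_linux_amd64` from the `releases/latest` URL with `sudo wget ... -O /usr/bin/yq`, no version pin and no checksum, and installs it as root on the runner; it is also redundant, because the entrypoint in this same PR gains `install_yq` pinned to `YQ_VERSION`. Drop the step, or at least pin the release and verify its checksum. Further points in this hunk: the chart-museum example is titled "Helm publish artifactory" and feeds `ARTIFACTORY_*` variables to `publish-chartmuseum`, so state which variables the `cm-push` path actually consumes; the diff step references `steps.branch-name.outputs.base_ref_branch` from a step that does not appear in the example; `ACTION:` is passed via `env:` here while every earlier example uses `with: action:`, so document which one is read when both are set; and both the diff and audit examples post PR comments with `GITHUB_TOKEN`, which needs `pull-requests: write` and is read-only on `pull_request` runs from forks, so the POST in `send_github_comments` (`curl --silent` with no `--fail`) will fail without any visible error.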
@@ -1,11 +1,16 @@ | ||
#!/bin/bash -l | ||
set -eo pipefail | ||
|
||
export HELM_VERSION=${HELM_VERSION:="3.5.1"} | ||
export KUBECTL_VERSION=${KUBECTL_VERSION:="1.21.0"} | ||
export HELM_VERSION=${HELM_VERSION:="v3.13.3"} | ||
export KUBECTL_VERSION=${KUBECTL_VERSION:="v1.28.0"} | ||
export HELM_ARTIFACTORY_PLUGIN_VERSION=${HELM_ARTIFACTORY_PLUGIN_VERSION:="v1.0.2"} | ||
export HELM_CHARTMUSEUM_PLUGIN_VERSION=${HELM_CHARTMUSEUM_PLUGIN_VERSION:="0.10.3"} | ||
export CHART_VERSION=${CHART_VERSION:=""} | ||
export CHART_APP_VERSION=${CHART_APP_VERSION:=""} | ||
export DYFF_VERSION=${DYFF_VERSION:="1.6.0"} | ||
export YQ_VERSION=${YQ_VERSION:="v4.40.5"} | ||
export POLARIS_VERSION=${POLARIS_VERSION:="8.5.3"} | ||
export KUBE_SCORE_VERSION=${KUBE_SCORE_VERSION:="1.17.0"} | ||
Reviewer comment on lines -4 to +13: Changing these versions requires a full non-regression test run, it cannot be applied as 1.2 fixes, they need a new major version (especially true for kubectl and helm versions)
||
|
||
export GCLOUD_PROJECT_CHECK=${GCLOUD_PROJECT_CHECK:="true"} | ||
|
||
|
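Review bot: beyond the version bump the reviewer flagged, the value format changes: `HELM_VERSION` goes from `3.5.1` to `v3.13.3`, and `get_helm` previously built the download URL as `helm-v${HELM_VERSION}-linux-amd64.tar.gz`, so a workflow that sets `HELM_VERSION: "3.5.1"` as the README documents now hands a bare number to `ark get helm --version`; `KUBECTL_VERSION` gets the same treatment. Normalise the leading `v` inside the script so both forms work, and pick one convention for the new variables (`YQ_VERSION` carries a `v`; `DYFF_VERSION`, `POLARIS_VERSION` and `KUBE_SCORE_VERSION` do not, and `get_dyff` and the kube-score download add the `v` in the URL themselves).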
@@ -47,10 +52,9 @@ get_chart_version(){ | |
} | ||
|
||
get_helm() { | ||
print_title "Get helm:${HELM_VERSION}" | ||
curl -L "https://get.helm.sh/helm-v${HELM_VERSION}-linux-amd64.tar.gz" | tar xvz | ||
chmod +x linux-amd64/helm | ||
sudo mv linux-amd64/helm /usr/local/bin/helm | ||
print_title "Installing helm:${HELM_VERSION}" | ||
ark get helm --version "${HELM_VERSION}" --quiet | ||
helm version --short -c | ||
Reviewer comment on lines +55 to +57: It's nice to use arkade to install tooling but again this cannot be considered a minor fix
||
} | ||
|
||
install_helm() { | ||
|
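Review bot: `get_helm` now depends on `ark` being on PATH, which only `install_ark` provides via `export PATH=$PATH:$HOME/.arkade/bin/`; make sure `install_ark` runs before `get_helm` on every code path, since under `set -e` a missing `ark` aborts the action. Neither the old `curl | tar` install nor the new `ark get helm` verifies the helm release checksum; if arkade is kept, keep the `helm version --short -c` line so the installed version is in the log, and consider verifying the checksum of the fetched binary.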
@@ -70,9 +74,17 @@ install_artifactory_plugin(){ | |
fi | ||
} | ||
|
||
install_cmpush_plugin(){ | ||
print_title "Install helm cm-push plugin" | ||
if ! (helm plugin list | grep -q cm-push); then | ||
helm plugin install https://github.com/chartmuseum/helm-push --version ${HELM_CHARTMUSEUM_PLUGIN_VERSION} | ||
fi | ||
} | ||
|
||
remove_helm(){ | ||
helm plugin uninstall push-artifactory | ||
sudo rm -rf /usr/local/bin/helm | ||
helm plugin uninstall cm-push | ||
# sudo rm -rf /usr/local/bin/helm | ||
} | ||
|
||
function version { | ||
|
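Review bot: `remove_helm` now runs `helm plugin uninstall push-artifactory` and then `helm plugin uninstall cm-push` under `set -eo pipefail`; whichever plugin was not installed for the selected action makes its uninstall fail and the function abort, so guard each call with a `helm plugin list | grep -q ...` check as `install_cmpush_plugin` already does. Also quote `"${HELM_CHARTMUSEUM_PLUGIN_VERSION}"` in `install_cmpush_plugin`, and delete the commented-out `# sudo rm -rf /usr/local/bin/helm` rather than leaving dead code; the README should note that the helm binary is now left on the runner after the action finishes.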
@@ -86,3 +98,84 @@ check_helm_version_gte_3_8(){ | |
exit 1 | ||
fi | ||
} | ||
|
||
install_dyff() { | ||
if ! command -v dyff; then | ||
echo "dyff is missing" | ||
get_dyff | ||
elif ! [[ $(dyff version) == *${DYFF_VERSION}* ]]; then | ||
echo "dyfff $(dyff version) is not desired version" | ||
get_dyff | ||
fi | ||
} | ||
|
||
get_dyff() { | ||
print_title "Installing dyff:${DYFF_VERSION}" | ||
curl -L "https://github.com/homeport/dyff/releases/download/v${DYFF_VERSION}/dyff_${DYFF_VERSION}_linux_amd64.tar.gz" | tar xvz | ||
chmod +x dyff | ||
sudo mv dyff /usr/local/bin/dyff | ||
} | ||
|
||
install_polaris() { | ||
if ! command -v polaris; then | ||
print_title "Installing polaris:${POLARIS_VERSION}" | ||
ark get polaris --version "${POLARIS_VERSION}" --quiet | ||
fi | ||
polaris version | ||
if ! command -v kube-score; then | ||
print_title "Installing kube-score:${POLARIS_VERSION}" | ||
curl -L "https://github.com/zegl/kube-score/releases/download/v${KUBE_SCORE_VERSION}/kube-score_${KUBE_SCORE_VERSION}_linux_amd64.tar.gz" | tar xvz | ||
chmod +x kube-score | ||
sudo mv kube-score /usr/local/bin/kube-score | ||
fi | ||
kube-score version | ||
} | ||
Reviewer comment on lines +102 to +132: This could be considered a change per se, adding new features
||
|
||
install_yq() { | ||
if ! command -v yq; then | ||
print_title "Installing yq:${YQ_VERSION}" | ||
ark get yq --version "${YQ_VERSION}" --quiet | ||
fi | ||
yq --version | ||
} | ||
|
||
install_ark() { | ||
if ! command -v ark; then | ||
echo "ark is missing" | ||
curl -sLS https://get.arkade.dev | sudo sh | ||
fi | ||
export PATH=$PATH:$HOME/.arkade/bin/ | ||
} | ||
|
||
remove_ark() { | ||
rm -f $HOME/.arkade/bin/* | ||
} | ||
|
||
safe_exec(){ | ||
start=$(date +%s) | ||
$@ | ||
end=$(date +%s) | ||
echo "Elapsed time for executing $@: $(($end-$start)) seconds" | ||
} | ||
|
||
send_github_comments() { | ||
if [[ -z "${2}" ]]; then | ||
printf "No data passed. Skipping posting comments" | ||
exit 0 | ||
fi | ||
COMMENT="#### $1 Output | ||
<details> | ||
<summary>Details</summary> | ||
|
||
$2 | ||
</details>" | ||
|
||
PAYLOAD=$(echo '{}' | jq --arg body "$COMMENT" '.body = $body') | ||
COMMENTS_URL=$(cat "$GITHUB_EVENT_PATH" | jq -r .pull_request.comments_url) | ||
echo "Commenting on PR $COMMENTS_URL" | ||
curl --silent -X POST \ | ||
--header 'content-type: application/json' \ | ||
--header "Authorization: token $GITHUB_TOKEN" \ | ||
--data "$PAYLOAD" "$COMMENTS_URL" > /dev/null | ||
exit 0 | ||
} |
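Review bot: `install_ark` runs `curl -sLS https://get.arkade.dev | sudo sh`, executing an unpinned remote script as root on every run with no version pin or checksum, while everything else in this PR is version-pinned; pin an arkade release and verify its checksum, or vendor the installer. `get_dyff` and the kube-score download in `install_polaris` have the same gap (`curl -L ... | tar xvz` with no checksum check). Further: `install_polaris` prints `Installing kube-score:${POLARIS_VERSION}` where `KUBE_SCORE_VERSION` is meant; `safe_exec` uses unquoted `$@` (should be `"$@"`) and under `set -e` a failing command exits before the elapsed-time line is printed; `send_github_comments` calls `exit 0` in both branches, which terminates the whole script from inside a function (use `return`) and forces a zero exit status whatever the caller intended; `.pull_request.comments_url` is `null` on non-PR events; `curl --silent` without `--fail` hides a 403 when `GITHUB_TOKEN` lacks `pull-requests: write`; and `remove_ark` should quote `"$HOME"/.arkade/bin/*`.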
Reviewer comment: This is a breaking change, it cannot be marked as 1.2 fixes