Add helm chart #273
base: add-helm-chart
Add helm chart #273
Changes from 21 commits
3799449
f8deca8
c4933dc
43ccd5a
fda1008
f3595d3
1827c55
29f62d1
885426c
e12e42b
01c7cd9
076279c
fd86509
88396a6
7b4245a
aaadfcb
4023393
334468b
ab22de2
18fe1ef
5a2b060
87c45d1
f3c021f
71f8e8f
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
FROM gcr.io/cloud-builders/gcloud | ||
|
||
ARG HELM_VERSION=v3.12.0 | ||
ENV HELM_VERSION=$HELM_VERSION | ||
ENV USE_GKE_GCLOUD_AUTH_PLUGIN=True | ||
|
||
COPY helm.bash /builder/helm.bash | ||
|
||
RUN chmod +x /builder/helm.bash && \ | ||
mkdir -p /builder/helm && \ | ||
apt-get update && \ | ||
apt-get install -y --no-install-recommends curl && \ | ||
curl -SL https://get.helm.sh/helm-${HELM_VERSION}-linux-amd64.tar.gz -o helm.tar.gz && \ | ||
tar zxvf helm.tar.gz --strip-components=1 -C /builder/helm linux-amd64 && \ | ||
rm helm.tar.gz && \ | ||
apt-get --purge -y autoremove && \ | ||
apt-get clean && \ | ||
rm -rf /var/lib/apt/lists/* | ||
|
||
RUN gcloud -q components install gke-gcloud-auth-plugin | ||
|
||
ENV PATH=/builder/helm/:$PATH | ||
|
||
ENTRYPOINT ["/builder/helm.bash"] |
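Review bot: The Helm tarball fetched by the `curl -SL https://get.helm.sh/helm-${HELM_VERSION}-linux-amd64.tar.gz -o helm.tar.gz` line in the first RUN step is unpacked without any integrity check, and that binary is later run with cluster credentials by the entrypoint. Add `-f` so an HTTP error fails the build, and verify the archive against a pinned digest before `tar`, for example `echo "${HELM_SHA256}  helm.tar.gz" | sha256sum -c -` with `HELM_SHA256` declared as a build `ARG` next to `HELM_VERSION` (the name is a suggestion, it is not in the file). The base image `gcr.io/cloud-builders/gcloud` carries no tag or digest either, so the toolchain can change between builds; pinning it would make the image reproducible.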
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,64 @@ | ||
#!/bin/bash -e | ||
|
||
# If there is no current context, get one. | ||
if [[ $(kubectl config current-context 2> /dev/null) == "" && "$SKIP_CLUSTER_CONFIG" != true ]]; then | ||
# This tries to read environment variables. If not set, it grabs from gcloud | ||
cluster=${CLOUDSDK_CONTAINER_CLUSTER:-$(gcloud config get-value container/cluster 2> /dev/null)} | ||
region=${CLOUDSDK_COMPUTE_REGION:-$(gcloud config get-value compute/region 2> /dev/null)} | ||
zone=${CLOUDSDK_COMPUTE_ZONE:-$(gcloud config get-value compute/zone 2> /dev/null)} | ||
project=${GCLOUD_PROJECT:-$(gcloud config get-value core/project 2> /dev/null)} | ||
|
||
function var_usage() { | ||
cat <<EOF | ||
No cluster is set. To set the cluster (and the region/zone where it is found), set the environment variables | ||
CLOUDSDK_COMPUTE_REGION=<cluster region> (regional clusters) | ||
CLOUDSDK_COMPUTE_ZONE=<cluster zone> (zonal clusters) | ||
CLOUDSDK_CONTAINER_CLUSTER=<cluster name> | ||
EOF | ||
exit 1 | ||
} | ||
|
||
[[ -z "$cluster" ]] && var_usage | ||
[ ! "$zone" -o "$region" ] && var_usage | ||
|
||
if [ -n "$region" ]; then | ||
echo "Running: gcloud container clusters get-credentials --project=\"$project\" --region=\"$region\" \"$cluster\"" | ||
gcloud container clusters get-credentials --project="$project" --region="$region" "$cluster" | ||
else | ||
echo "Running: gcloud container clusters get-credentials --project=\"$project\" --zone=\"$zone\" \"$cluster\"" | ||
gcloud container clusters get-credentials --project="$project" --zone="$zone" "$cluster" | ||
fi | ||
fi | ||
|
||
# if GCS_PLUGIN_VERSION is set, install the plugin | ||
if [[ -n $GCS_PLUGIN_VERSION ]]; then | ||
echo "Installing helm GCS plugin version $GCS_PLUGIN_VERSION " | ||
helm plugin install https://github.com/nouney/helm-gcs --version $GCS_PLUGIN_VERSION | ||
fi | ||
|
||
# if DIFF_PLUGIN_VERSION is set, install the plugin | ||
if [[ -n $DIFF_PLUGIN_VERSION ]]; then | ||
echo "Installing helm DIFF plugin version $DIFF_PLUGIN_VERSION " | ||
helm plugin install https://github.com/databus23/helm-diff --version $DIFF_PLUGIN_VERSION | ||
fi | ||
|
||
# if HELMFILE_VERSION is set, install Helmfile | ||
if [[ -n $HELMFILE_VERSION ]]; then | ||
echo "Installing Helmfile version $HELMFILE_VERSION " | ||
curl -SsL https://github.com/helmfile/helmfile/releases/download/$HELMFILE_VERSION/helmfile_linux_amd64 > helmfile | ||
chmod 700 helmfile | ||
fi | ||
|
||
# check if repo values provided then add that repo | ||
if [[ -n $HELM_REPO_NAME && -n $HELM_REPO_URL ]]; then | ||
echo "Adding chart helm repo $HELM_REPO_URL" | ||
helm repo add $HELM_REPO_NAME $HELM_REPO_URL | ||
fi | ||
|
||
echo "Running: helm repo update" | ||
helm repo list && helm repo update || true | ||
|
||
if [ "$DEBUG" = true ]; then | ||
echo "Running: helm $@" | ||
fi | ||
helm "$@" |
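Review bot: The Helmfile block saves an executable with `curl -SsL ... > helmfile` and no `-f`, so an HTTP error page is written to `helmfile` and marked executable, and nothing checks that the file is the release that was requested. Use `curl -fsSL -o helmfile "https://github.com/helmfile/helmfile/releases/download/${HELMFILE_VERSION}/helmfile_linux_amd64"` and compare the result with a checksum supplied alongside the version before the `chmod`. The `$GCS_PLUGIN_VERSION`, `$DIFF_PLUGIN_VERSION`, `$HELM_REPO_NAME` and `$HELM_REPO_URL` expansions are unquoted, so a value containing whitespace is split into extra `helm` arguments; quote them, e.g. `helm repo add "$HELM_REPO_NAME" "$HELM_REPO_URL"`. `helm repo list && helm repo update || true` also hides a failed repo update, which deserves a comment if that is intended.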
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -15,10 +15,37 @@ | |
# Usage: from the root directory run: | ||
# | ||
# $ gcloud builds submit --config scripts/cloudbuild-dev.yaml | ||
timeout: 1200s | ||
timeout: 3600s | ||
options: | ||
machineType: N1_HIGHCPU_8 | ||
steps: | ||
- name: 'gcr.io/cloud-builders/docker' | ||
args: ['buildx', 'build', | ||
'--build-arg', | ||
'VERSION=$TAG_NAME', | ||
'-t', | ||
'asia-east1-docker.pkg.dev/$PROJECT_ID/secrets-store-csi-driver-provider-gcp/helm-image:$TAG_NAME', | ||
Why is this change required?
To create helm docker image, As there are no publicaly available helm image. Used Artifact Registry for Repo. |
||
'--push', | ||
'./helm'] | ||
- name: 'asia-east1-docker.pkg.dev/$PROJECT_ID/secrets-store-csi-driver-provider-gcp/helm-image:$TAG_NAME' | ||
args: ['dependency', | ||
'update', | ||
'./charts/secrets-store-csi-driver-provider-gcp'] | ||
env: | ||
- SKIP_CLUSTER_CONFIG=true | ||
- name: 'asia-east1-docker.pkg.dev/$PROJECT_ID/secrets-store-csi-driver-provider-gcp/helm-image:$TAG_NAME' | ||
args: ['package', | ||
'./charts/secrets-store-csi-driver-provider-gcp', | ||
'--version', | ||
'1.2.0-$TAG_NAME'] | ||
env: | ||
- SKIP_CLUSTER_CONFIG=true | ||
- name: 'asia-east1-docker.pkg.dev/$PROJECT_ID/secrets-store-csi-driver-provider-gcp/helm-image:$TAG_NAME' | ||
args: ['push', | ||
'secrets-store-csi-driver-provider-gcp-1.2.0-$TAG_NAME.tgz', | ||
'oci://asia-east1-docker.pkg.dev/$PROJECT_ID/secrets-store-csi-driver-provider-gcp' ] | ||
env: | ||
- SKIP_CLUSTER_CONFIG=true | ||
- name: 'gcr.io/cloud-builders/docker' | ||
args: ['buildx', 'create', '--use'] | ||
- name: 'gcr.io/cloud-builders/docker' | ||
|
@@ -27,6 +54,7 @@ steps: | |
'--build-arg', | ||
'VERSION=$TAG_NAME', | ||
'-t', | ||
'gcr.io/$PROJECT_ID/secrets-store-csi-driver-provider-gcp:$TAG_NAME', | ||
'asia-east1-docker.pkg.dev/$PROJECT_ID/secrets-store-csi-driver-provider-gcp/provider-image:$TAG_NAME', | ||
Why is this change required?
As Container Registry is Depreciating, Made helm image repo, helm chart repo and provider image in the Artifact registry |
||
'--push', | ||
'.'] | ||
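Review bot: The chart version `1.2.0` is hard-coded in the `package` step (`'1.2.0-$TAG_NAME'`) and again in the archive name of the `push` step, and the e2e test in this pull request builds the same string for `helm install --version`, so a version bump has to be made in three places and a missed one pushes or installs the wrong artifact. A user-defined substitution such as `_CHART_VERSION`, declared once under `substitutions:`, would keep the two build steps in step. A comment above the first step saying that the `helm-image` built there is the builder image the next three steps run would also help, since that dependency on step order is not obvious from the YAML.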
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -25,6 +25,7 @@ import ( | |
"strings" | ||
"testing" | ||
"time" | ||
"regexp" | ||
) | ||
|
||
// zone to set up test cluster in | ||
|
@@ -136,19 +137,38 @@ func setupTestSuite() { | |
gcloudCmd.Env = append(os.Environ(), "KUBECONFIG="+f.kubeconfigFile) | ||
check(execCmd(gcloudCmd)) | ||
|
||
// Install Secret Store | ||
check(execCmd(exec.Command("kubectl", "apply", "--kubeconfig", f.kubeconfigFile, | ||
"-f", fmt.Sprintf("https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/%s/deploy/rbac-secretproviderclass.yaml", f.secretStoreVersion), | ||
"-f", fmt.Sprintf("https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/%s/deploy/rbac-secretprovidersyncing.yaml", f.secretStoreVersion), | ||
"-f", fmt.Sprintf("https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/%s/deploy/csidriver.yaml", f.secretStoreVersion), | ||
"-f", fmt.Sprintf("https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/%s/deploy/secrets-store.csi.x-k8s.io_secretproviderclasses.yaml", f.secretStoreVersion), | ||
"-f", fmt.Sprintf("https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/%s/deploy/secrets-store.csi.x-k8s.io_secretproviderclasspodstatuses.yaml", f.secretStoreVersion), | ||
"-f", fmt.Sprintf("https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/%s/deploy/secrets-store-csi-driver.yaml", f.secretStoreVersion), | ||
))) | ||
// Helm authentication | ||
gcloudCmd := exec.Command("gcloud", "auth", "application-default", "print-access-token") | ||
|
||
// Capture the output of the gcloud command | ||
gcloudOutput, err := gcloudCmd.Output() | ||
|
||
if err != nil { | ||
fmt.Printf("Error running gcloud command: %s\n", err.Error()) | ||
os.Exit(1) | ||
} | ||
// Create the helm registry login command | ||
helmCmd := exec.Command("helm", "registry", "login", "-u", "oauth2accesstoken", "--password-stdin", "https://asia-east1-docker.pkg.dev") | ||
Can you confirm if the usage of asia-east1 across this commit is just a choice of region & it can be substituted with a different supported region if required?
+1, we should use gcr.io instead of regional endpoints wherever possible. |
||
|
||
// Set the access token as the input for the helm command | ||
helmCmd.Stdin = strings.NewReader(string(gcloudOutput)) | ||
|
||
// Run the helm command | ||
check(execCmd(helmCmd)) | ||
//get the hash value of the repository | ||
describe_command := exec.Command("gcloud", "artifacts", "docker", "images", "describe", fmt.Sprintf("asia-east1-docker.pkg.dev/%s/secrets-store-csi-driver-provider-gcp/provider-image:%s", f.testProjectID, f.gcpProviderBranch)) | ||
full_describe, err := describe_command.CombinedOutput() | ||
fmt.Println(string(full_describe)) | ||
regex := regexp.MustCompile(`sha256:[a-fA-F0-9]+`) | ||
digest := regex.FindStringSubmatch(string(full_describe))[0] | ||
fmt.Println(digest) | ||
|
||
// Install GCP Plugin and Workload Identity bindings | ||
check(execCmd(exec.Command("kubectl", "apply", "--kubeconfig", f.kubeconfigFile, | ||
"-f", pluginFile))) | ||
// set: drive image to oci://asia-east1-docker.pkg.dev/$PROJECT_ID/secrets-store-csi-driver-provider-gcp/provider-image with tag GCP_PROVIDER_SHA | ||
// set: audience token to PROJECT_ID.svc.id.goog | ||
check(execCmd(exec.Command("helm", "install", "provider-chart", fmt.Sprintf("oci://asia-east1-docker.pkg.dev/%s/secrets-store-csi-driver-provider-gcp/secrets-store-csi-driver-provider-gcp", f.testProjectID), | ||
"--version", fmt.Sprintf("1.2.0-%s", f.gcpProviderBranch), "--set", fmt.Sprintf("image.repository=asia-east1-docker.pkg.dev/%s/secrets-store-csi-driver-provider-gcp/provider-image", f.testProjectID), | ||
"--set", fmt.Sprintf("image.hash=%s", digest), "--set", fmt.Sprintf("secrets-store-csi-driver.tokenRequests[0].audience=%s.svc.id.goog", f.testProjectID), "--namespace", "kube-system"))) | ||
|
||
// Create test secret | ||
secretFile := filepath.Join(f.tempDir, "secretValue") | ||
|
@@ -494,3 +514,4 @@ func TestMountRotateSecret(t *testing.T) { | |
t.Fatalf("Secret value is %v, want: %v", got, secretB) | ||
} | ||
} | ||
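Review bot: In the digest lookup inside setupTestSuite, the error returned by `describe_command.CombinedOutput()` is never checked and `regex.FindStringSubmatch(...)[0]` indexes a nil slice when nothing matches, so a failed `gcloud artifacts docker images describe` ends in an index-out-of-range panic rather than a readable failure. `CombinedOutput()` also feeds stderr into the text that is searched, so the first `sha256:` string found is not guaranteed to be the image digest that `image.hash` is then pinned to. I would read stdout only, fail on error, and require a full 64-hex digest, as sketched below. Separately, `gcloudCmd := exec.Command(...)` under "Helm authentication" may redeclare the `gcloudCmd` used in the context lines above it if both are in the same scope; the start of the function is outside the hunk, so please confirm it compiles.

```go
// … unchanged: helm registry login …
describeCmd := exec.Command("gcloud", "artifacts", "docker", "images", "describe",
	fmt.Sprintf("asia-east1-docker.pkg.dev/%s/secrets-store-csi-driver-provider-gcp/provider-image:%s", f.testProjectID, f.gcpProviderBranch))
// Output() keeps stderr out of the text that is searched for the digest.
describeOut, err := describeCmd.Output()
if err != nil {
	fmt.Printf("Error describing provider image: %s\n", err.Error())
	os.Exit(1)
}
digest := regexp.MustCompile(`sha256:[a-fA-F0-9]{64}`).FindString(string(describeOut))
if digest == "" {
	fmt.Println("No sha256 digest found in gcloud describe output")
	os.Exit(1)
}
// … unchanged: helm install …
```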
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -86,7 +86,7 @@ spec: | |
serviceAccountName: secrets-store-csi-driver-provider-gcp | ||
containers: | ||
- name: provider | ||
image: gcr.io/$PROJECT_ID/secrets-store-csi-driver-provider-gcp:$GCP_PROVIDER_SHA | ||
image: asia-east1-dev.pkg/$PROJECT_ID/secrets-store-csi-driver-provider-gcp/provider-image:$GCP_PROVIDER_SHA | ||
Why has the name of the image changed? |
||
args: | ||
- "-v=5" | ||
imagePullPolicy: Always | ||
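Review bot: The registry host in the replacement `image:` line reads `asia-east1-dev.pkg`, while every other reference in this pull request uses `asia-east1-docker.pkg.dev`, so as written the pod would be pointed at a host that is not the Artifact Registry endpoint the image is pushed to. If the intent matches the other files, the line should be `image: asia-east1-docker.pkg.dev/$PROJECT_ID/secrets-store-csi-driver-provider-gcp/provider-image:$GCP_PROVIDER_SHA`. The rest of the container spec lies outside the hunk.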
|
nit: inconsistent spacing between keywords, is that intended (2 files)?
Made the space consistent between the keywords in both the files