From 4759a9ac0b2fb1d4c97f591a5bdb440daeee23d4 Mon Sep 17 00:00:00 2001 From: abheda-crest <105624942+abheda-crest@users.noreply.github.com> Date: Tue, 11 Feb 2025 09:21:40 +0530 Subject: [PATCH] Added staging helm chart (#485) * added staging helm chart and added action to update them on release * reverted main chart and updated releasing.md * fixed revert version * updated the staging chart version --- .github/workflows/bump-chart-versions.yml | 173 ++++++++++++++++++ docs/releasing.md | 1 + .../Chart.yaml | 6 + .../templates/_helpers.tpl | 60 ++++++ .../templates/clusterrole.yaml | 19 ++ .../templates/clusterrolebinding.yaml | 14 ++ .../templates/daemonset.yaml | 87 +++++++++ .../templates/serviceaccount.yaml | 11 ++ .../values.yaml | 31 ++++ 9 files changed, 402 insertions(+) create mode 100644 .github/workflows/bump-chart-versions.yml create mode 100644 manifest_staging/charts/secrets-store-csi-driver-provider-gcp/Chart.yaml create mode 100644 manifest_staging/charts/secrets-store-csi-driver-provider-gcp/templates/_helpers.tpl create mode 100644 manifest_staging/charts/secrets-store-csi-driver-provider-gcp/templates/clusterrole.yaml create mode 100644 manifest_staging/charts/secrets-store-csi-driver-provider-gcp/templates/clusterrolebinding.yaml create mode 100644 manifest_staging/charts/secrets-store-csi-driver-provider-gcp/templates/daemonset.yaml create mode 100644 manifest_staging/charts/secrets-store-csi-driver-provider-gcp/templates/serviceaccount.yaml create mode 100644 manifest_staging/charts/secrets-store-csi-driver-provider-gcp/values.yaml diff --git a/.github/workflows/bump-chart-versions.yml b/.github/workflows/bump-chart-versions.yml new file mode 100644 index 00000000..7200487c --- /dev/null +++ b/.github/workflows/bump-chart-versions.yml @@ -0,0 +1,173 @@ +name: Bump Helm Charts Versions + +on: + pull_request: + types: + - closed # Trigger when the PR is closed (merged or declined) + branches: + - main # When merged branch is main + +jobs: + bump_charts_version: + runs-on: ubuntu-latest + + permissions: + contents: write + pull-requests: write + + # Skip the job if the PR source branch does not start with 'release-' + if: github.event.pull_request.merged == true && startsWith(github.event.pull_request.head.ref, 'release-') + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + - name: Extract latest version + run: | + # Extract the version from the branch name (e.g., release-1.2.3) + VERSION=$(echo "${{ github.event.pull_request.head.ref }}" | sed -E 's/^release-([0-9]+\.[0-9]+\.[0-9]+)$/\1/') + + # Check if the version matches the expected format + if [[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then + echo "The PR was merged from a release branch with version: $VERSION" + echo "VERSION=$VERSION" >> $GITHUB_ENV + else + echo "Invalid branch name format. The release branch must match 'release-X.X.X'." + exit 1 + fi + + - name: Validate version + run: | + if [[ -z "$VERSION" ]]; then + echo "Error: Version not found. Branch should follow 'release-' pattern." + exit 1 + fi + + - name: Fetch tags + run: git fetch --tags + + - name: Get second last release versions + id: second_last_release_version + run: | + # Extract Second last release TAG for update in Main Helm Chart + SECOND_LAST_RELEASE_TAG=$(git tag -l --sort=-creatordate | head -n 2 | tail -n 1) + SECOND_LAST_RELEASE_TAG=$(echo "$SECOND_LAST_RELEASE_TAG" | sed 's/^v//') + echo "Second last release version: $SECOND_LAST_RELEASE_TAG" + echo "SECOND_LAST_RELEASE_TAG=$SECOND_LAST_RELEASE_TAG" >> $GITHUB_ENV + + - name: Install yq + run: | + # Install yq to parse YAML files + wget https://github.com/mikefarah/yq/releases/download/v4.16.1/yq_linux_amd64 -O /usr/local/bin/yq + chmod +x /usr/local/bin/yq + + - name: Set up Git user identity + run: | + git config --global user.name "GitHub Actions" + git config --global user.email "github-actions[bot]@users.noreply.github.com" + + - name: Update main helm chart with second last version + run: | + # Update the version in the /charts/secrets-store-csi-driver-provider-gcp/Chart.yaml file + VERSION_TO_UPDATE=$SECOND_LAST_RELEASE_TAG + if [[ -z "$SECOND_LAST_RELEASE_TAG" ]]; then + echo "No last release tag found. Skipping version update." + else + VERSION_TO_UPDATE=$SECOND_LAST_RELEASE_TAG + fi + + echo "Updating /charts/secrets-store-csi-driver-provider-gcp/Chart.yaml with version $VERSION_TO_UPDATE" + + yq e ".appVersion = \"$VERSION_TO_UPDATE\"" -i charts/secrets-store-csi-driver-provider-gcp/Chart.yaml + + git add charts/secrets-store-csi-driver-provider-gcp/Chart.yaml + git commit -m "Update Chart.yaml with version $VERSION_TO_UPDATE" + git push + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Update staging helm chart with latest version + run: | + # Update the version in the manifest_staging/charts/secrets-store-csi-driver-provider-gcp/Chart.yaml file + LAST_VERSION_TO_UPDATE=$VERSION + if [[ -z "$VERSION" ]]; then + echo "No last release tag found. Skipping version update." + else + LAST_VERSION_TO_UPDATE=$VERSION + fi + + echo "Updating manifest_staging/charts/secrets-store-csi-driver-provider-gcp/Chart.yaml with version $LAST_VERSION_TO_UPDATE" + + yq e ".appVersion = \"$LAST_VERSION_TO_UPDATE\"" -i manifest_staging/charts/secrets-store-csi-driver-provider-gcp/Chart.yaml + + git add manifest_staging/charts/secrets-store-csi-driver-provider-gcp/Chart.yaml + git commit -m "Update Staging Chart.yaml with version $LAST_VERSION_TO_UPDATE" + git push + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract latest release image digest + id: extract_latest_digest + run: | + # Extract the image digest from the `deploy/provider-gcp-plugin.yaml` file + IMAGE_PATH=$(yq e '.spec.template.spec.containers[].image' deploy/provider-gcp-plugin.yaml) + echo "Docker image with digest: $IMAGE_PATH" + + # Split the IMAGE_PATH to extract the digest part + # Example image format: 'gcr.io/my-project/my-image@sha256:' + DIGEST=$(echo $IMAGE_PATH | awk -F'@' '{print $2}') + echo "Extracted digest: $DIGEST" + + # Save the digest to an environment variable + echo "DIGEST=$DIGEST" >> $GITHUB_ENV + + - name: Extract second last release image digest + id: extract_second_last_digest + run: | + # Extracting last release image from staging chart as it should be pointing to last/latest release + file_path="manifest_staging/charts/secrets-store-csi-driver-provider-gcp/values.yaml" + + image_hash=$(yq e '.image.hash' "$file_path" | xargs) + + if [[ -z "$image_hash" ]]; then + echo "Invalid/Empty digest found: $image_hash" + exit 1 + fi + + echo "Extracted second last release digest: $image_hash" + # Export the digest as an environment variable + echo "SECOND_LAST_RELEASE_DIGEST=$image_hash" >> $GITHUB_ENV + + - name: Update Main Helm Chart with Last Image digest value + run: | + # Ensure the SECOND_LAST_RELEASE_DIGEST environment variable is set + if [ -z "$SECOND_LAST_RELEASE_DIGEST" ]; then + echo "SECOND_LAST_RELEASE_DIGEST environment variable is not set" + exit 1 + fi + + # Use yq to update the image.hash field in values.yaml with the DIGEST value + yq eval ".image.hash = \"$SECOND_LAST_RELEASE_DIGEST\"" -i charts/secrets-store-csi-driver-provider-gcp/values.yaml + + git add charts/secrets-store-csi-driver-provider-gcp/values.yaml + git commit -m "Update Chart.yaml with DIGEST $SECOND_LAST_RELEASE_DIGEST" + git push + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Update Staging Helm Chart with New Image digest value + run: | + # Ensure the DIGEST environment variable is set + if [ -z "$DIGEST" ]; then + echo "DIGEST environment variable is not set" + exit 1 + fi + + # Use yq to update the image.hash field in values.yaml with the DIGEST value + yq eval ".image.hash = \"$DIGEST\"" -i manifest_staging/charts/secrets-store-csi-driver-provider-gcp/values.yaml + + git add manifest_staging/charts/secrets-store-csi-driver-provider-gcp/values.yaml + git commit -m "Update manifest_staging value.yaml with DIGEST $DIGEST" + git push + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/docs/releasing.md b/docs/releasing.md index 0760d019..dbccb901 100644 --- a/docs/releasing.md +++ b/docs/releasing.md @@ -20,6 +20,7 @@ Notes on building a release. 5. Manually test release image 6. Tag the commit from step 4 as `vX.X.X` by creating a new release 7. Merge changes from `release-X.X` into `main` +8. After the changes are merged, ensure the latest tag is updated for the `manifest_staging` Helm chart, along with the main Helm chart being updated with the previous release tag, once the `Bump Helm Charts Versions` job is completed. ## Release template diff --git a/manifest_staging/charts/secrets-store-csi-driver-provider-gcp/Chart.yaml b/manifest_staging/charts/secrets-store-csi-driver-provider-gcp/Chart.yaml new file mode 100644 index 00000000..8c7c4443 --- /dev/null +++ b/manifest_staging/charts/secrets-store-csi-driver-provider-gcp/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v2 +name: secrets-store-csi-driver-provider-gcp +description: A Helm chart to install Google Secret Manager Provider for Secret Store CSI Driver inside a Kubernetes cluster. +type: application +version: 0.1.0 +appVersion: "1.7.0" diff --git a/manifest_staging/charts/secrets-store-csi-driver-provider-gcp/templates/_helpers.tpl b/manifest_staging/charts/secrets-store-csi-driver-provider-gcp/templates/_helpers.tpl new file mode 100644 index 00000000..e2bdba6c --- /dev/null +++ b/manifest_staging/charts/secrets-store-csi-driver-provider-gcp/templates/_helpers.tpl @@ -0,0 +1,60 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "secrets-store-csi-driver-provider-gcp.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "secrets-store-csi-driver-provider-gcp.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "secrets-store-csi-driver-provider-gcp.labels" -}} +helm.sh/chart: {{ include "secrets-store-csi-driver-provider-gcp.chart" . }} +{{ include "secrets-store-csi-driver-provider-gcp.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "secrets-store-csi-driver-provider-gcp.selectorLabels" -}} +app: {{ default "default" .Values.app }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "secrets-store-csi-driver-provider-gcp.serviceAccountName" -}} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} + +{{/* +Create the name of the daemon set to use +*/}} +{{- define "secrets-store-csi-driver-provider-gcp.daemonSetName" -}} +{{- default "default" .Values.app }} +{{- end }} + +{{/* +Create the name of the cluster role to use +*/}} +{{- define "secrets-store-csi-driver-provider-gcp.clusterRoleName" -}} +{{- .Chart.Name }}-role +{{- end }} + +{{/* +Create the name of the cluster role binding to use +*/}} +{{- define "secrets-store-csi-driver-provider-gcp.clusterRoleBindingName" -}} +{{- .Chart.Name }}-rolebinding +{{- end }} diff --git a/manifest_staging/charts/secrets-store-csi-driver-provider-gcp/templates/clusterrole.yaml b/manifest_staging/charts/secrets-store-csi-driver-provider-gcp/templates/clusterrole.yaml new file mode 100644 index 00000000..551ee08f --- /dev/null +++ b/manifest_staging/charts/secrets-store-csi-driver-provider-gcp/templates/clusterrole.yaml @@ -0,0 +1,19 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "secrets-store-csi-driver-provider-gcp.clusterRoleName" . }} + labels: + {{- include "secrets-store-csi-driver-provider-gcp.labels" . | nindent 4 }} +rules: + - apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create + - apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get diff --git a/manifest_staging/charts/secrets-store-csi-driver-provider-gcp/templates/clusterrolebinding.yaml b/manifest_staging/charts/secrets-store-csi-driver-provider-gcp/templates/clusterrolebinding.yaml new file mode 100644 index 00000000..d715a7f2 --- /dev/null +++ b/manifest_staging/charts/secrets-store-csi-driver-provider-gcp/templates/clusterrolebinding.yaml @@ -0,0 +1,14 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "secrets-store-csi-driver-provider-gcp.clusterRoleBindingName" . }} + labels: + {{- include "secrets-store-csi-driver-provider-gcp.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "secrets-store-csi-driver-provider-gcp.clusterRoleName" . }} +subjects: + - kind: ServiceAccount + name: {{ include "secrets-store-csi-driver-provider-gcp.serviceAccountName" . }} + namespace: kube-system diff --git a/manifest_staging/charts/secrets-store-csi-driver-provider-gcp/templates/daemonset.yaml b/manifest_staging/charts/secrets-store-csi-driver-provider-gcp/templates/daemonset.yaml new file mode 100644 index 00000000..bb48c980 --- /dev/null +++ b/manifest_staging/charts/secrets-store-csi-driver-provider-gcp/templates/daemonset.yaml @@ -0,0 +1,87 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "secrets-store-csi-driver-provider-gcp.daemonSetName" . }} + namespace: kube-system + labels: + {{- include "secrets-store-csi-driver-provider-gcp.labels" . | nindent 4 }} +spec: + updateStrategy: + type: RollingUpdate + selector: + matchLabels: + {{- include "secrets-store-csi-driver-provider-gcp.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "secrets-store-csi-driver-provider-gcp.selectorLabels" . | nindent 8 }} + spec: + serviceAccountName: {{ include "secrets-store-csi-driver-provider-gcp.serviceAccountName" . }} + initContainers: + - name: chown-provider-mount + image: busybox + command: + - chown + - "1000:1000" + - /etc/kubernetes/secrets-store-csi-providers + volumeMounts: + - mountPath: "/etc/kubernetes/secrets-store-csi-providers" + name: providervol + hostNetwork: false + hostPID: false + hostIPC: false + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} + {{- end }} + containers: + - name: provider + image: "{{ .Values.image.repository }}@{{ .Values.image.hash }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + resources: + {{- toYaml .Values.resources | nindent 12 }} + env: + - name: TARGET_DIR + value: "/etc/kubernetes/secrets-store-csi-providers" + volumeMounts: + - mountPath: "/etc/kubernetes/secrets-store-csi-providers" + name: providervol + mountPropagation: None + readOnly: false + livenessProbe: + failureThreshold: 3 + httpGet: + path: /live + port: 8095 + initialDelaySeconds: 5 + timeoutSeconds: 10 + periodSeconds: 30 + volumes: + - name: providervol + hostPath: + path: /etc/kubernetes/secrets-store-csi-providers + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/manifest_staging/charts/secrets-store-csi-driver-provider-gcp/templates/serviceaccount.yaml b/manifest_staging/charts/secrets-store-csi-driver-provider-gcp/templates/serviceaccount.yaml new file mode 100644 index 00000000..b1c8be2c --- /dev/null +++ b/manifest_staging/charts/secrets-store-csi-driver-provider-gcp/templates/serviceaccount.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "secrets-store-csi-driver-provider-gcp.serviceAccountName" . }} + namespace: kube-system + labels: + {{- include "secrets-store-csi-driver-provider-gcp.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} diff --git a/manifest_staging/charts/secrets-store-csi-driver-provider-gcp/values.yaml b/manifest_staging/charts/secrets-store-csi-driver-provider-gcp/values.yaml new file mode 100644 index 00000000..9a926340 --- /dev/null +++ b/manifest_staging/charts/secrets-store-csi-driver-provider-gcp/values.yaml @@ -0,0 +1,31 @@ +nameOverride: "" + +serviceAccount: + annotations: {} + name: secrets-store-csi-driver-provider-gcp + +image: + repository: us-docker.pkg.dev/secretmanager-csi/secrets-store-csi-driver-provider-gcp/plugin + pullPolicy: IfNotPresent + hash: sha256:16206089381c7f9b70442b4ed97e65bc34daec1ee26a5c5de7453a24f0f1de13 + +app: csi-secrets-store-provider-gcp + +podAnnotations: {} + +resources: + requests: + cpu: 50m + memory: 100Mi + limits: + cpu: 50m + memory: 100Mi + +priorityClassName: "" + +nodeSelector: + kubernetes.io/os: linux + +tolerations: [] + +affinity: {}