CR-18322-validate-values (#51)

ATGardner · web-flow · commit 8e026559e6d4 · 2023-06-12T14:49:44.000+03:00
* cleanup dockerfile (no need for argocd, update cli-v2)
* added `installer.skipValidation`
* run pre-install only once, keep failed pod for 5m
* updated chart version to `0.2.10-alpha`
diff --git a/README.md b/README.md
@@ -7,3 +7,13 @@ See official documentation here: https://codefresh.io/docs/docs/installation/git
 
 1. Make sure kubectl is on the runtime cluster context
 2. Run scripts/adopt-crds.sh  [runtime Helm release name] [Runtime Namespace]
+
+## pre-install hook failure:
+
+run
+```shell
+kubectl logs jobs/validate-values -n ${NAMESPACE}
+```
+(use your selected namespace)  
+the output should help find the error in the values file.
+in order to install while skipping the values validation, install with `--set installer.skipValidation="true"` (or set it in values file)
diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: 0.1.30
 description: A Helm chart for Codefresh gitops runtime
 name: gitops-runtime
-version: 0.2.9-alpha
+version: 0.2.10-alpha
 home: https://github.com/codefresh-io/gitops-runtime-helm
 icon: https://avatars1.githubusercontent.com/u/11412079?v=3
 keywords:
@@ -15,10 +15,8 @@ annotations:
   artifacthub.io/alternativeName: "codefresh-gitops-runtime"
   artifacthub.io/prerelease: "true"
   artifacthub.io/changes: |
-    - kind: changed
-      description: Updated `app-proxy` to `1.2268.0`
-    - kind: changed
-      description: updated default value of workflow-reporter SA to "codefresh-sa"
+    - kind: added
+      description: pre-install hook to valide values - fails installation quickly in case anything is wrong or missing
 dependencies:
 - name: argo-cd
   repository: https://codefresh-io.github.io/argo-helm
diff --git a/charts/gitops-runtime/README.md b/charts/gitops-runtime/README.md
@@ -1,5 +1,5 @@
 ## Codefresh gitops runtime
-![Version: 0.2.9-alpha](https://img.shields.io/badge/Version-0.2.9--alpha-informational?style=flat-square) ![AppVersion: 0.1.30](https://img.shields.io/badge/AppVersion-0.1.30-informational?style=flat-square)
+![Version: 0.2.10-alpha](https://img.shields.io/badge/Version-0.2.10--alpha-informational?style=flat-square) ![AppVersion: 0.1.30](https://img.shields.io/badge/AppVersion-0.1.30-informational?style=flat-square)
 
 ## Codefresh official documentation:
 Prior to running the installation please see the official documentation at: https://codefresh.io/docs/docs/installation/gitops/hybrid-gitops-helm-installation/
@@ -15,7 +15,7 @@ We have created a helper utility to resolve this issue:
 The utility is packaged in a container image. Below are instructions on executing the utility using Docker:
 
 ```
-docker run -v <output_dir>:/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.2.9-alpha <local_registry>
+docker run -v <output_dir>:/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.2.10-alpha <local_registry>
 ```
 `output_dir` - is a local directory where the utility will output files. <br>
 `local_registry` - is your local registry where you want to mirror the images to
@@ -157,7 +157,8 @@ The utility will output 4 files into the folder:
 | global.runtime.ingress.protocol | string | `"https"` | The protocol that Codefresh platform will use to access the runtime ingress. Can be http or https. |
 | global.runtime.ingressUrl | string | `""` | Explicit url for runtime ingress. Provide this value only if you don't want the chart to create and ingress (global.runtime.ingress.enabled=false) and tunnel-client is not used (tunnel-client.enabled=false) |
 | global.runtime.name | string | `nil` | Runtime name. Must be unique per platform account. |
-| installer | object | `{"image":{"pullPolicy":"IfNotPresent","repository":"quay.io/codefresh/gitops-runtime-installer","tag":""}}` | Runtime installer used for running hooks and checks on the release |
+| installer | object | `{"image":{"pullPolicy":"IfNotPresent","repository":"quay.io/codefresh/gitops-runtime-installer","tag":""},"skipValidation":false}` | Runtime installer used for running hooks and checks on the release |
+| installer.skipValidation | bool | `false` | if set to true, pre-install hook will *not* run |
 | internal-router.affinity | object | `{}` |  |
 | internal-router.env | object | `{}` | Environment variables - see values.yaml inside the chart for usage |
 | internal-router.fullnameOverride | string | `"internal-router"` |  |
diff --git a/charts/gitops-runtime/templates/hooks/pre-install/rbac.yaml b/charts/gitops-runtime/templates/hooks/pre-install/rbac.yaml
@@ -0,0 +1,43 @@
+{{- if  not .Values.installer.skipValidation }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: validate-values-cr
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation,hook-failed
+    helm.sh/hook-weight: "-10"
+rules:
+- apiGroups:
+  - "*"
+  resources:
+  - "*"
+  verbs:
+  - "*"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: validate-values-crb
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation,hook-failed
+    helm.sh/hook-weight: "-10"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: validate-values-cr
+subjects:
+- kind: ServiceAccount
+  name: validate-values-sa
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: validate-values-sa
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation,hook-failed
+    helm.sh/hook-weight: "-10"
+{{- end }}
diff --git a/charts/gitops-runtime/templates/hooks/pre-install/validate-values.yaml b/charts/gitops-runtime/templates/hooks/pre-install/validate-values.yaml
@@ -0,0 +1,32 @@
+{{- if  not .Values.installer.skipValidation }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: validate-values
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation
+spec:
+  backoffLimit: 0
+  ttlSecondsAfterFinished: 300
+  template:
+    spec:
+      serviceAccount: validate-values-sa
+      restartPolicy: Never
+      containers:
+      - name: validate-values
+        image: "{{ .Values.installer.image.repository }}:{{ .Values.installer.image.tag | default .Chart.Version }}"
+        imagePullPolicy: {{ .Values.installer.image.pullPolicy }}
+        env:
+        - name: NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: VERSION
+          value: {{ .Chart.Version }}
+        command: ["sh", "-c"]
+        args: 
+        - |
+          echo {{ .Values | toYaml | quote }} > values.yaml
+          cf helm validate --values values.yaml --namespace ${NAMESPACE} --version ${VERSION} --hook --log-level debug
+{{- end }}
diff --git a/charts/gitops-runtime/templates/hooks/pre-uninstall/cleanup-resources.yaml b/charts/gitops-runtime/templates/hooks/pre-uninstall/cleanup-resources.yaml
@@ -21,4 +21,4 @@ spec:
           kubectl patch EventBus $(kubectl get eventbus -l codefresh.io/internal=true | awk 'NR>1{print $1}' | xargs) -p '{"metadata":{"finalizers":null}}' --type=merge && \
           kubectl patch Eventsource $(kubectl get EventSource -l codefresh.io/internal=true | awk 'NR>1{print $1}' | xargs) -p '{"metadata":{"finalizers":null}}' --type=merge && \
           kubectl patch Sensor $(kubectl get Sensor -l codefresh.io/internal=true | awk 'NR>1{print $1}' | xargs) -p '{"metadata":{"finalizers":null}}' --type=merge ;
-          return 0
+          return 0
diff --git a/charts/gitops-runtime/templates/hooks/pre-uninstall/rbac.yaml b/charts/gitops-runtime/templates/hooks/pre-uninstall/rbac.yaml
@@ -34,4 +34,4 @@ metadata:
   name: runtime-cleanup
   annotations:
     "helm.sh/hook": pre-delete
-    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
diff --git a/charts/gitops-runtime/values.yaml b/charts/gitops-runtime/values.yaml
@@ -99,6 +99,8 @@ global:
 # -------------------------------------------------------------------------------------------------------------------------
 # -- Runtime installer used for running hooks and checks on the release
 installer:
+  # -- if set to true, pre-install hook will *not* run
+  skipValidation: false
   image:
     repository: quay.io/codefresh/gitops-runtime-installer
     tag: ""
diff --git a/installer-image/Dockerfile b/installer-image/Dockerfile
@@ -1,8 +1,13 @@
 FROM --platform=$BUILDPLATFORM debian:bullseye-slim
-RUN apt-get update -y && apt-get install curl -y
-ARG CF_CLI_VERSION=v0.1.25
-ARG KUBECTL_VERSION=v1.26.0
+
+ARG CF_CLI_VERSION=v0.1.48
+ARG KUBECTL_VERSION=v1.27.2
 ARG TARGETARCH
+
+RUN apt-get update && apt-get install curl -y
 RUN curl -L --output - https://github.com/codefresh-io/cli-v2/releases/download/${CF_CLI_VERSION}/cf-linux-${TARGETARCH}.tar.gz | tar zx && mv ./cf-linux-${TARGETARCH} /usr/local/bin/cf
 RUN curl -LO https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl && chmod +x kubectl && mv ./kubectl /usr/local/bin/kubectl
-USER 1000
+
+RUN adduser --shell /bin/bash codefresh
+USER codefresh
+WORKDIR /home/codefresh
