Switch to ABS, bump architect-orb and remove PSP support (#1310)

Author: uvegla

.abs/main.yaml

@@ -0,0 +1,8 @@
+replace-app-version-with-git: true
+replace-chart-version-with-git: true
+generate-metadata: true
+chart-dir: ./helm/app-operator
+destination: ./build
+
+# CI overwrites this, check .circleci/config.yaml
+catalog-base-url: https://giantswarm.github.io/control-plane-catalog/

.circleci/config.yml

@@ -1,6 +1,6 @@
 version: 2.1
 orbs:
-  architect: giantswarm/architect@5.9.0
+  architect: giantswarm/architect@5.11.1
 
 workflows:
   build:
@@ -28,6 +28,7 @@ workflows:
             - master
     - architect/push-to-app-catalog:
         context: architect
+        executor: app-build-suite
         name: push-app-operator-to-control-plane-app-catalog
         app_catalog: control-plane-catalog
         app_catalog_test: control-plane-test-catalog

CHANGELOG.md

@@ -7,6 +7,26 @@ and this project's packages adheres to [Semantic Versioning](http://semver.org/s
 
 ## [Unreleased]
 
+### Removed
+
+- Removed PSP support and thus support for pre v1.25 Kubernetes clusters.
+  - Removed `.global.podSecurityStandards.enforced` Helm value.
+- Removed `.project.branch` and `project.commit` Helm values.
+
+### Changed
+
+- Bump `architect-orb` to `v5.11.1`.
+- Updated build pipeline to use `app-build-suite`.
+  - Changed value for `application.giantswarm.io/branch` label to point to `.Chart.AppVersion` instead as ABS does not support mangling the templates anymore.
+  - Changed value for `application.giantswarm.io/commit` label to point to `.Chart.AppVersion` instead as ABS does not support mangling the templates anymore.
+- Defaulted `.image.tag` to be an empty string and default that to `.Chart.AppVersion` in the deployment.
+- Bumped `chart-operator` version to `v3.3.0` in integration tests.
+- Bumped `test-app` version to `v1.0.0` in integration tests.
+
+### Added
+
+- Added `ignore-check.kube-linter.io/no-read-only-root-fs` annotation to the deployment to inform `kubelinter` and describe why the write access to the root FS is needed.
+
 ## [6.11.2] - 2024-10-22
 
 ## [6.11.1] - 2024-10-08

helm/app-operator/Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v1
 description: A Helm chart for the app-operator
 home: https://github.com/giantswarm/app-operator
 name: app-operator
-appVersion: [[ .AppVersion ]]
-version: [[ .Version ]]
+appVersion: 6.11.3-dev
+version: 6.11.3-dev
 icon: https://s.giantswarm.io/app-icons/giantswarm/1/dark.svg
 annotations:
   application.giantswarm.io/team: "honeybadger"

helm/app-operator/templates/_helpers.tpl

@@ -19,8 +19,8 @@ Common labels
 {{- define "labels.common" -}}
 app: {{ include "name" . | quote }}
 {{ include "labels.selector" . }}
-application.giantswarm.io/branch: {{ .Values.project.branch | replace "#" "-" | replace "/" "-" | replace "." "-" | trunc 63 | trimSuffix "-" | quote }}
-application.giantswarm.io/commit: {{ .Values.project.commit | quote }}
+application.giantswarm.io/branch: {{ .Chart.AppVersion | replace "#" "-" | replace "/" "-" | replace "." "-" | trunc 63 | trimSuffix "-" | quote }}
+application.giantswarm.io/commit: {{ .Chart.AppVersion | quote }}
 app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
 app.kubernetes.io/version: {{ include "resource.app.version" . | quote }}
 application.giantswarm.io/team: {{ index .Chart.Annotations "application.giantswarm.io/team" | quote }}
@@ -34,3 +34,14 @@ Selector labels
 app.kubernetes.io/name: {{ include "name" . | quote }}
 app.kubernetes.io/instance: {{ .Release.Name | quote }}
 {{- end -}}
+
+{{/*
+Define image tag.
+*/}}
+{{- define "image.tag" -}}
+{{- if .Values.image.tag }}
+{{- .Values.image.tag }}
+{{- else }}
+{{- .Chart.AppVersion }}
+{{- end }}
+{{- end }}

helm/app-operator/templates/deployment.yaml

@@ -5,6 +5,8 @@ metadata:
   namespace: {{ include "resource.default.namespace" . }}
   labels:
     {{- include "labels.common" . | nindent 4 }}
+  annotations:
+    ignore-check.kube-linter.io/no-read-only-root-fs: "This deployment needs write access to root file system to download artifacts."
 spec:
   selector:
     matchLabels:
@@ -49,7 +51,7 @@ spec:
         {{- end }}
       containers:
       - name: {{ include "name" . }}
-        image: "{{ .Values.registry.domain }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+        image: "{{ .Values.registry.domain }}/{{ .Values.image.repository }}:{{ include "image.tag" . }}"
         volumeMounts:
         - name: {{ include "name" . }}-configmap
           mountPath: /var/run/{{ include "name" . }}/configmap/

helm/app-operator/templates/psp.yaml

@@ -230,36 +230,3 @@ roleRef:
   kind: Role
   name: {{ include "resource.default.name" . }}-catalog
   apiGroup: rbac.authorization.k8s.io
----
-{{- if not (((.Values.global).podSecurityStandards).enforced) }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{ include "resource.psp.name" . }}
-  labels:
-    {{- include "labels.common" . | nindent 4 }}
-rules:
-  - apiGroups:
-      - policy
-    resources:
-      - podsecuritypolicies
-    verbs:
-      - use
-    resourceNames:
-      - {{ include  "resource.psp.name" . }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: {{ include "resource.psp.name" . }}
-  labels:
-    {{- include "labels.common" . | nindent 4 }}
-subjects:
-  - kind: ServiceAccount
-    name: {{ include "resource.default.name" . }}
-    namespace: {{ include "resource.default.namespace" . }}
-roleRef:
-  kind: ClusterRole
-  name: {{ include "resource.psp.name" . }}
-  apiGroup: rbac.authorization.k8s.io
-{{- end }}

helm/app-operator/templates/rbac.yaml

@@ -86,19 +86,6 @@
                 }
             }
         },
-        "global": {
-            "type": "object",
-            "properties": {
-                "podSecurityStandards": {
-                    "type": "object",
-                    "properties": {
-                        "enforced": {
-                            "type": "boolean"
-                        }
-                    }
-                }
-            }
-        },
         "groupID": {
             "type": "integer"
         },

helm/app-operator/values.schema.json

@@ -32,15 +32,11 @@ registry:
 
 image:
   repository: giantswarm/app-operator
-  tag: "[[ .Version ]]"
+  tag: ""
 
 operatorkit:
   resyncPeriod: "5m"
 
-project:
-  branch: "[[ .Branch ]]"
-  commit: "[[ .SHA ]]"
-
 deployment:
   management:
     requests:
@@ -97,9 +93,5 @@ serviceMonitor:
   # -- (duration) Prometheus scrape timeout.
   scrapeTimeout: "45s"
 
-global:
-  podSecurityStandards:
-    enforced: false
-
 kyvernoPolicyExceptions:
   enabled: true

helm/app-operator/values.yaml

@@ -44,7 +44,7 @@ func ChartOperatorUniqueName() string {
 }
 
 func ChartOperatorVersion() string {
-	return "2.24.0"
+	return "3.3.0"
 }
 
 func ControlPlaneCatalogName() string {
@@ -83,6 +83,14 @@ func TestAppName() string {
 	return "test-app"
 }
 
+func TestAppVersion() string {
+	return "1.0.0"
+}
+
+func TestAppTarballUrl() string {
+	return fmt.Sprintf("%s/%s-%s.tgz", DefaultCatalogStorageURL(), TestAppName(), TestAppVersion())
+}
+
 func UniqueAppVersion() string {
 	return "0.0.0"
 }

integration/key/key.go

@@ -13,4 +13,9 @@ helm:
     waitTimeout: "180s"
 
 registry:
-  domain: "quay.io"`
+  domain: "quay.io"
+
+global:
+  podSecurityStandards:
+    enforced: true
+`

integration/templates/chart_operator_values.go

@@ -101,7 +101,7 @@ func TestAppLifecycle(t *testing.T) {
 				CatalogName:   key.DefaultCatalogName(),
 				Name:          key.TestAppName(),
 				Namespace:     key.GiantSwarmNamespace(),
-				Version:       "0.1.0",
+				Version:       key.TestAppVersion(),
 				WaitForDeploy: true,
 			},
 		}
@@ -114,7 +114,7 @@ func TestAppLifecycle(t *testing.T) {
 	{
 		config.Logger.Debugf(ctx, "checking tarball URL in chart spec")
 
-		tarballURL := "https://giantswarm.github.io/default-catalog/test-app-0.1.0.tgz"
+		tarballURL := key.TestAppTarballUrl()
 		err = config.K8sClients.CtrlClient().Get(
 			ctx,
 			types.NamespacedName{Name: key.TestAppName(), Namespace: key.GiantSwarmNamespace()},
@@ -157,7 +157,7 @@ func TestAppLifecycle(t *testing.T) {
 	{
 		config.Logger.Debugf(ctx, "checking tarball URL in chart spec")
 
-		err = config.Release.WaitForReleaseVersion(ctx, key.GiantSwarmNamespace(), key.TestAppName(), "0.1.1")
+		err = config.Release.WaitForReleaseVersion(ctx, key.GiantSwarmNamespace(), key.TestAppName(), key.TestAppVersion())
 		if err != nil {
 			t.Fatalf("expected %#v got %#v", nil, err)
 		}
@@ -171,7 +171,7 @@ func TestAppLifecycle(t *testing.T) {
 			t.Fatalf("expected %#v got %#v", nil, err)
 		}
 
-		tarballURL := "https://giantswarm.github.io/default-catalog/test-app-0.1.1.tgz"
+		tarballURL := key.TestAppTarballUrl()
 		if chart.Spec.TarballURL != tarballURL {
 			t.Fatalf("expected tarballURL: %#v got %#v", tarballURL, chart.Spec.TarballURL)
 		}

integration/test/app/basic/basic_test.go

@@ -123,7 +123,7 @@ func TestWorkloadCluster(t *testing.T) {
 				KubeConfig:         kubeConfig,
 				Name:               key.TestAppName(),
 				Namespace:          metav1.NamespaceDefault,
-				Version:            "0.1.0",
+				Version:            key.TestAppVersion(),
 				WaitForDeploy:      true,
 			},
 		}

integration/test/app/workload/workload_cluster_test.go

@@ -146,7 +146,7 @@ func TestWatchingConfigMap(t *testing.T) {
 						Namespace: key.GiantSwarmNamespace(),
 					},
 				},
-				Version: "0.1.0",
+				Version: key.TestAppVersion(),
 			},
 		}