Add a command to push to OCI registries (#362)
kubasobon authored Apr 21, 2022
1 parent e279cd2 commit bd819e6
Showing 6 changed files with 279 additions and 19 deletions.
6 changes: 5 additions & 1 deletion CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

## [Unreleased]

### Added

- Add support for pushing to OCI-based App catalogs.

## [4.16.0] - 2022-04-13

### Changed
@@ -54,7 +58,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

- Update `architect` version to [`v6.3.0`](https://github.com/giantswarm/architect/releases/tag/v6.3.0).
- Updates Go version to 1.17.8.
- Update Go version used in `machine install` command to 1.17.8.
- Update Go version used in `machine install` command to 1.17.8.

## [4.13.0] - 2022-02-18

@@ -28,14 +28,14 @@ steps:
condition: << parameters.on_tag >>
steps:
- run:
name: "architect/package-and-push: Determine target app catalog based on presence of tag"
name: "architect/package-and-push-git-with-abs: Determine target app catalog based on presence of tag"
command: |
[ -z ${CIRCLE_TAG} ] && echo -n '<< parameters.app_catalog_test >>' | tee .app_catalog_name || echo -n '<< parameters.app_catalog >>' | tee .app_catalog_name
- unless:
condition: << parameters.on_tag >>
steps:
- run:
name: "architect/package-and-push: Determine target app catalog based on branch name"
name: "architect/package-and-push-git-with-abs: Determine target app catalog based on branch name"
command: |
[[ ${CIRCLE_BRANCH} == master ]] && echo -n '<< parameters.app_catalog >>' | tee .app_catalog_name || echo -n '<< parameters.app_catalog_test >>' | tee .app_catalog_name
- run:
@@ -30,14 +30,14 @@ steps:
condition: << parameters.on_tag >>
steps:
- run:
name: "architect/package-and-push: Determine target app catalog based on presence of tag"
name: "architect/package-and-push-git: Determine target app catalog based on presence of tag"
command: |
[ -z ${CIRCLE_TAG} ] && echo -n '<< parameters.app_catalog_test >>' | tee .app_catalog_name || echo -n '<< parameters.app_catalog >>' | tee .app_catalog_name
- unless:
condition: << parameters.on_tag >>
steps:
- run:
name: "architect/package-and-push: Determine target app catalog based on branch name"
name: "architect/package-and-push-git: Determine target app catalog based on branch name"
command: |
[[ ${CIRCLE_BRANCH} == master ]] && echo -n '<< parameters.app_catalog >>' | tee .app_catalog_name || echo -n '<< parameters.app_catalog_test >>' | tee .app_catalog_name
- unless:
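--- a/src/commands/package-and-push-oci-with-abs.yaml
+++ b/src/commands/package-and-push-oci-with-abs.yaml
@@ -0,0 +1,101 @@
+parameters:
+app_catalog:
+type: "string"
+app_catalog_test:
+type: "string"
+chart:
+type: "string"
+on_tag:
+type: boolean
+default: true
+description: |
+When this is `false`, commits to `master` will be pushed to `app_catalog` instead of `app_catalog_test`.
+Set this to `false` for deployments that follow a a master branch for production releases rather than
+using tags (the default).
+skip_conftest_deprek8ion:
+type: boolean
+default: false
+description: |
+When this is `true`, checking for deprecated manifest versions will be skipped.
+persist_chart_archive:
+type: boolean
+default: false
+description: |
+When this is `true`, the packaged chart archive will be persisted to the workspace.
+Set this to `true`, if you're planning to execute tests using app-test-suite.
+password_envar:
+type: "string"
+default: AZURE_CLIENTSECRET
+username_envar:
+type: "string"
+default: AZURE_CLIENTID
+registry_url:
+type: "string"
+default: "giantswarmpublic.azurecr.io"
+steps:
+- when:
+condition: << parameters.on_tag >>
+steps:
+- run:
+name: "architect/package-and-push-oci-with-abs: Determine target app catalog based on presence of tag"
+command: |
+[ -z ${CIRCLE_TAG} ] && echo -n '<< parameters.app_catalog_test >>' | tee .app_catalog_name || echo -n '<< parameters.app_catalog >>' | tee .app_catalog_name
+echo -n ${CIRCLE_TAG} | tee .reference
+- unless:
+condition: << parameters.on_tag >>
+steps:
+- run:
+name: "architect/package-and-push-oci-with-abs: Determine target app catalog based on branch name"
+command: |
+[[ ${CIRCLE_BRANCH} == master ]] && echo -n '<< parameters.app_catalog >>' | tee .app_catalog_name || echo -n '<< parameters.app_catalog_test >>' | tee .app_catalog_name
+echo -n ${CIRCLE_SHA1} | tee .reference
+- run:
+name: Verify chart parameters
+command: |
+CHART_NAME="<< parameters.chart >>"
+[[ ${CHART_NAME%-app} == ${CIRCLE_PROJECT_REPONAME%-app} ]] && exit 0 || echo "chart parameter value should match ${CIRCLE_PROJECT_REPONAME%-app} or ${CIRCLE_PROJECT_REPONAME%-app}-app" ; exit 1
+- run:
+name: Execute App Build Suite
+command: |
+mkdir -p build && python -m app_build_suite --chart-dir ./helm/<< parameters.chart >> --destination build --generate-metadata --catalog-base-url "https://giantswarm.github.io/$(cat .app_catalog_name)/" --keep-chart-changes
+- when:
+condition: << parameters.persist_chart_archive >>
+steps:
+- persist_to_workspace:
+root: build
+paths:
+- "<< parameters.chart >>*.tgz"
+- unless:
+condition: << parameters.skip_conftest_deprek8ion >>
+steps:
+- helm-conftest:
+chart: "<< parameters.chart >>"
+- run:
+name: "architect/package-and-push-oci-with-abs: Authenticate to the OCI registry"
+command: |
+helm registry login << parameters.registry_url >> --username "${<< parameters.username_envar >>}" --password "${<< parameters.password_envar >>}"
+- run:
+name: Push chart archive to OCI registry app catalog
+command: |
+readonly app_catalog_name="oci://<< parameters.registry_url >>/$(cat .app_catalog_name)/"
+readonly reference="$(cat .reference)"
+ret=1
+tries=4
+for i in $(seq 1 $tries) ; do
+echo "====> Attempt $i: Running: helm push build/*.tgz $app_catalog_name"
+set +e
+helm push build/*.tgz $app_catalog_name
+ret=$?
+set -e
+[[ $ret -eq 0 ]] && exit $ret
+sleep 5
+done
+echo "Giving up after $tries failures." >&2
+echo "Error pushing changes. See known errors in:" >&2
+echo "https://github.com/giantswarm/architect-orb/blob/master/README.md#push-to-app-catalog" >&2
+exit $ret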
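Review bot: The "Authenticate to the OCI registry" step passes the registry secret as an argument, `--password "${<< parameters.password_envar >>}"`, so it sits in the process argument list while helm runs, and Helm itself prints a warning for this form. Feeding it on stdin avoids that: `printf '%s' "${<< parameters.password_envar >>}" | helm registry login << parameters.registry_url >> --username "${<< parameters.username_envar >>}" --password-stdin`. The same step appears in src/commands/package-and-push-oci.yaml and needs the same edit.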
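--- a/src/commands/package-and-push-oci.yaml
+++ b/src/commands/package-and-push-oci.yaml
@@ -0,0 +1,101 @@
+parameters:
+app_catalog:
+type: "string"
+app_catalog_test:
+type: "string"
+chart:
+type: "string"
+on_tag:
+type: boolean
+default: true
+description: |
+When this is `false`, commits to `master` will be pushed to `app_catalog` instead of `app_catalog_test`.
+Set this to `false` for deployments that follow a a master branch for production releases rather than
+using tags (the default).
+explicit_allow_chart_name_mismatch:
+type: boolean
+default: false
+description: |
+If 'explicit_allow_chart_name_mismatch' is set to true, the name of the chart can be anything.
+Otherwise the name set in the 'chart' parameter must start with the repository name and optionally continue with '-app'.
+Does not have any effect for 'executor: app-build-suite'.
+persist_chart_archive:
+type: boolean
+default: false
+description: |
+When this is `true`, the packaged chart archive will be persisted to the workspace.
+Set this to `true`, if you're planning to execute tests using app-test-suite.
+password_envar:
+type: "string"
+default: AZURE_CLIENTSECRET
+username_envar:
+type: "string"
+default: AZURE_CLIENTID
+registry_url:
+type: "string"
+default: "giantswarmpublic.azurecr.io"
+steps:
+- when:
+condition: << parameters.on_tag >>
+steps:
+- run:
+name: "architect/package-and-push-oci: Determine target app catalog based on presence of tag"
+command: |
+[ -z ${CIRCLE_TAG} ] && echo -n '<< parameters.app_catalog_test >>' | tee .app_catalog_name || echo -n '<< parameters.app_catalog >>' | tee .app_catalog_name
+echo -n ${CIRCLE_TAG} | tee .reference
+- unless:
+condition: << parameters.on_tag >>
+steps:
+- run:
+name: "architect/package-and-push-oci: Determine target app catalog based on branch name"
+command: |
+[[ ${CIRCLE_BRANCH} == master ]] && echo -n '<< parameters.app_catalog >>' | tee .app_catalog_name || echo -n '<< parameters.app_catalog_test >>' | tee .app_catalog_name
+echo -n ${CIRCLE_SHA1} | tee .reference
+- unless:
+condition: << parameters.explicit_allow_chart_name_mismatch >>
+steps:
+- run:
+name: Verify chart parameters
+command: |
+CHART_NAME="<< parameters.chart >>"
+[[ ${CHART_NAME%-app} == ${CIRCLE_PROJECT_REPONAME%-app} ]] && exit 0 || echo "chart parameter value should match ${CIRCLE_PROJECT_REPONAME%-app} or ${CIRCLE_PROJECT_REPONAME%-app}-app" ; exit 1
+- run:
+name: Package the chart archive
+command: |
+mkdir -p build && helm package ./helm/<< parameters.chart >> --destination ./build
+- when:
+condition: << parameters.persist_chart_archive >>
+steps:
+- persist_to_workspace:
+root: build
+paths:
+- "<< parameters.chart >>*.tgz"
+- run:
+name: "architect/package-and-push-oci: Authenticate to the OCI registry"
+command: |
+helm registry login << parameters.registry_url >> --username "${<< parameters.username_envar >>}" --password "${<< parameters.password_envar >>}"
+- run:
+name: Push chart archive to OCI registry app catalog
+command: |
+readonly app_catalog_name="oci://<< parameters.registry_url >>/$(cat .app_catalog_name)/"
+readonly reference="$(cat .reference)"
+ret=1
+tries=4
+for i in $(seq 1 $tries) ; do
+echo "====> Attempt $i: Running: helm push build/*.tgz $app_catalog_name"
+set +e
+helm push build/*.tgz $app_catalog_name
+ret=$?
+set -e
+[[ $ret -eq 0 ]] && exit $ret
+sleep 5
+done
+echo "Giving up after $tries failures." >&2
+echo "Error pushing changes. See known errors in:" >&2
+echo "https://github.com/giantswarm/architect-orb/blob/master/README.md#push-to-app-catalog" >&2
+exit $ret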
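Review bot: `password_envar` and `username_envar` are declared as `type: "string"`, yet their values are pasted into the login script as `${<< parameters.password_envar >>}`, so a value that is not a plain variable name becomes shell syntax in that step. CircleCI has a parameter type for this case, `type: env_var_name`, which rejects anything that is not a valid environment variable name when the config is processed and still accepts the existing defaults `AZURE_CLIENTSECRET` and `AZURE_CLIENTID`. The same two declarations are in src/commands/package-and-push-oci-with-abs.yaml and in the job parameters of src/jobs/push-to-app-catalog.yaml.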
82 changes: 68 additions & 14 deletions src/jobs/push-to-app-catalog.yaml
@@ -39,6 +39,16 @@ parameters:
and packaging through https://github.com/giantswarm/app-build-suite
The `app-build-suite` executor also enables metadata generation.
Default: `architect`
push_to_appcatalog:
default: true
description: |
Push the chart to App Catalog git repository if this is `true`.
type: boolean
push_to_oci_registry:
default: false
description: |
Push the chart to OCI registry if this is `true`.
type: boolean
resource_class:
default: "small"
description: |
@@ -58,6 +68,16 @@ parameters:
description: |
When this is `true`, the packaged chart archive will be persisted to the workspace.
Set this to `true`, if you're planning to execute tests using app-test-suite.
password_envar:
default: AZURE_CLIENTSECRET
description: |
Required if `push_to_oci_registry` is set to `true`.
type: "string"
username_envar:
default: AZURE_CLIENTID
description: |
Required if `push_to_oci_registry` is set to `true`.
type: "string"
executor: "<< parameters.executor >>"
resource_class: "<< parameters.resource_class >>"
steps:
@@ -85,13 +105,30 @@ steps:
steps:
- helm-conftest:
chart: "<< parameters.chart >>"
- package-and-push:
app_catalog: << parameters.app_catalog >>
app_catalog_test: << parameters.app_catalog_test >>
chart: << parameters.chart >>
on_tag: << parameters.on_tag >>
explicit_allow_chart_name_mismatch: << parameters.explicit_allow_chart_name_mismatch >>
persist_chart_archive: << parameters.persist_chart_archive >>
- when:
condition:
equal: [<< parameters.push_to_appcatalog >>, true]
steps:
- package-and-push-git:
app_catalog: << parameters.app_catalog >>
app_catalog_test: << parameters.app_catalog_test >>
chart: << parameters.chart >>
on_tag: << parameters.on_tag >>
explicit_allow_chart_name_mismatch: << parameters.explicit_allow_chart_name_mismatch >>
persist_chart_archive: << parameters.persist_chart_archive >>
- when:
condition:
equal: [<< parameters.push_to_oci_registry >>, true]
steps:
- package-and-push-oci:
app_catalog: << parameters.app_catalog >>
app_catalog_test: << parameters.app_catalog_test >>
chart: << parameters.chart >>
on_tag: << parameters.on_tag >>
explicit_allow_chart_name_mismatch: << parameters.explicit_allow_chart_name_mismatch >>
persist_chart_archive: << parameters.persist_chart_archive >>
password_envar: << parameters.password_envar >>
username_envar: << parameters.username_envar >>
- when:
condition:
equal: ["<< parameters.executor >>", "app-build-suite"]
@@ -101,10 +138,27 @@ steps:
show_go_version: false
show_abs_version: true
- prepare-catalogbot-git-ssh
- package-and-push-with-abs:
app_catalog: << parameters.app_catalog >>
app_catalog_test: << parameters.app_catalog_test >>
chart: << parameters.chart >>
on_tag: << parameters.on_tag >>
skip_conftest_deprek8ion: << parameters.skip_conftest_deprek8ion >>
persist_chart_archive: << parameters.persist_chart_archive >>
- when:
condition:
equal: [<< parameters.push_to_appcatalog >>, true]
steps:
- package-and-push-git-with-abs:
app_catalog: << parameters.app_catalog >>
app_catalog_test: << parameters.app_catalog_test >>
chart: << parameters.chart >>
on_tag: << parameters.on_tag >>
skip_conftest_deprek8ion: << parameters.skip_conftest_deprek8ion >>
persist_chart_archive: << parameters.persist_chart_archive >>
- when:
condition:
equal: [<< parameters.push_to_oci_registry >>, true]
steps:
- package-and-push-oci-with-abs:
app_catalog: << parameters.app_catalog >>
app_catalog_test: << parameters.app_catalog_test >>
chart: << parameters.chart >>
on_tag: << parameters.on_tag >>
skip_conftest_deprek8ion: << parameters.skip_conftest_deprek8ion >>
persist_chart_archive: << parameters.persist_chart_archive >>
password_envar: << parameters.password_envar >>
username_envar: << parameters.username_envar >>
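Review bot: In the `app-build-suite` branch, `prepare-catalogbot-git-ssh` still runs unconditionally ahead of the two new `when` blocks, so a job run with `push_to_appcatalog: false` and `push_to_oci_registry: true` presumably still sets up the catalog git SSH credential it never uses. Moving that step inside the `push_to_appcatalog` block keeps the git credential out of OCI-only runs. Separately, nothing rejects both flags being `false`; as far as the hunks show, the job then pushes nothing and still succeeds, which the parameter descriptions should state or an early failing step should catch. Only part of the `steps` list is visible here, so the `architect` branch may need the same check.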
