diff --git a/CHANGELOG.md b/CHANGELOG.md index 0c3a06f5..6ba2180d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +### Added + +- Add support for pushing to OCI-based App catalogs. + ## [4.16.0] - 2022-04-13 ### Changed @@ -54,7 +58,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Update `architect` version to [`v6.3.0`](https://github.com/giantswarm/architect/releases/tag/v6.3.0). - Updates Go version to 1.17.8. -- Update Go version used in `machine install` command to 1.17.8. +- Update Go version used in `machine install` command to 1.17.8. ## [4.13.0] - 2022-02-18 diff --git a/src/commands/package-and-push-with-abs.yaml b/src/commands/package-and-push-git-with-abs.yaml similarity index 94% rename from src/commands/package-and-push-with-abs.yaml rename to src/commands/package-and-push-git-with-abs.yaml index f3b42d5e..07afa0b0 100644 --- a/src/commands/package-and-push-with-abs.yaml +++ b/src/commands/package-and-push-git-with-abs.yaml @@ -28,14 +28,14 @@ steps: condition: << parameters.on_tag >> steps: - run: - name: "architect/package-and-push: Determine target app catalog based on presence of tag" + name: "architect/package-and-push-git-with-abs: Determine target app catalog based on presence of tag" command: | [ -z ${CIRCLE_TAG} ] && echo -n '<< parameters.app_catalog_test >>' | tee .app_catalog_name || echo -n '<< parameters.app_catalog >>' | tee .app_catalog_name - unless: condition: << parameters.on_tag >> steps: - run: - name: "architect/package-and-push: Determine target app catalog based on branch name" + name: "architect/package-and-push-git-with-abs: Determine target app catalog based on branch name" command: | [[ ${CIRCLE_BRANCH} == master ]] && echo -n '<< parameters.app_catalog >>' | tee .app_catalog_name || echo -n '<< parameters.app_catalog_test >>' | tee .app_catalog_name - run: 
diff --git a/src/commands/package-and-push.yaml b/src/commands/package-and-push-git.yaml similarity index 95% rename from src/commands/package-and-push.yaml rename to src/commands/package-and-push-git.yaml index 4ece57cd..d0c5f4b3 100644 --- a/src/commands/package-and-push.yaml +++ b/src/commands/package-and-push-git.yaml @@ -30,14 +30,14 @@ steps: condition: << parameters.on_tag >> steps: - run: - name: "architect/package-and-push: Determine target app catalog based on presence of tag" + name: "architect/package-and-push-git: Determine target app catalog based on presence of tag" command: | [ -z ${CIRCLE_TAG} ] && echo -n '<< parameters.app_catalog_test >>' | tee .app_catalog_name || echo -n '<< parameters.app_catalog >>' | tee .app_catalog_name - unless: condition: << parameters.on_tag >> steps: - run: - name: "architect/package-and-push: Determine target app catalog based on branch name" + name: "architect/package-and-push-git: Determine target app catalog based on branch name" command: | [[ ${CIRCLE_BRANCH} == master ]] && echo -n '<< parameters.app_catalog >>' | tee .app_catalog_name || echo -n '<< parameters.app_catalog_test >>' | tee .app_catalog_name - unless: diff --git a/src/commands/package-and-push-oci-with-abs.yaml b/src/commands/package-and-push-oci-with-abs.yaml new file mode 100644 index 00000000..9c898f59 --- /dev/null +++ b/src/commands/package-and-push-oci-with-abs.yaml 
@@ -0,0 +1,101 @@
+parameters:
+ app_catalog:
+ type: "string"
+ app_catalog_test:
+ type: "string"
+ chart:
+ type: "string"
+ on_tag:
+ type: boolean
+ default: true
+ description: |
+ When this is `false`, commits to `master` will be pushed to `app_catalog` instead of `app_catalog_test`.
+ Set this to `false` for deployments that follow a a master branch for production releases rather than
+ using tags (the default).
+ skip_conftest_deprek8ion:
+ type: boolean
+ default: false
+ description: |
+ When this is `true`, checking for deprecated manifest versions will be skipped.
+ persist_chart_archive:
+ type: boolean
+ default: false
+ description: |
+ When this is `true`, the packaged chart archive will be persisted to the workspace.
+ Set this to `true`, if you're planning to execute tests using app-test-suite.
+ password_envar:
+ type: "string"
+ default: AZURE_CLIENTSECRET
+ username_envar:
+ type: "string"
+ default: AZURE_CLIENTID
+ registry_url:
+ type: "string"
+ default: "giantswarmpublic.azurecr.io"
+steps:
+ - when:
+ condition: << parameters.on_tag >>
+ steps:
+ - run:
+ name: "architect/package-and-push-oci-with-abs: Determine target app catalog based on presence of tag"
+ command: |
+ [ -z ${CIRCLE_TAG} ] && echo -n '<< parameters.app_catalog_test >>' | tee .app_catalog_name || echo -n '<< parameters.app_catalog >>' | tee .app_catalog_name
+ echo -n ${CIRCLE_TAG} | tee .reference
+ - unless:
+ condition: << parameters.on_tag >>
+ steps:
+ - run:
+ name: "architect/package-and-push-oci-with-abs: Determine target app catalog based on branch name"
+ command: |
+ [[ ${CIRCLE_BRANCH} == master ]] && echo -n '<< parameters.app_catalog >>' | tee .app_catalog_name || echo -n '<< parameters.app_catalog_test >>' | tee .app_catalog_name
+ echo -n ${CIRCLE_SHA1} | tee .reference
+ - run:
+ name: Verify chart parameters
+ command: |
+ CHART_NAME="<< parameters.chart >>"
+ [[ ${CHART_NAME%-app} == ${CIRCLE_PROJECT_REPONAME%-app} ]] && exit 0 || echo "chart parameter value should match ${CIRCLE_PROJECT_REPONAME%-app} or ${CIRCLE_PROJECT_REPONAME%-app}-app" ; exit 1
+ - run:
+ name: Execute App Build Suite
+ command: |
+ mkdir -p build && python -m app_build_suite --chart-dir ./helm/<< parameters.chart >> --destination build --generate-metadata --catalog-base-url "https://giantswarm.github.io/$(cat .app_catalog_name)/" --keep-chart-changes
+ - when:
+ condition: << parameters.persist_chart_archive >>
+ steps:
+ - persist_to_workspace:
+ root: build
+ paths:
+ - "<< parameters.chart >>*.tgz"
+ - unless:
+ condition: << parameters.skip_conftest_deprek8ion >>
+ steps:
+ - helm-conftest:
+ chart: "<< parameters.chart >>"
+ - run:
+ name: "architect/package-and-push-oci-with-abs: Authenticate to the OCI registry"
+ command: |
+ helm registry login << parameters.registry_url >> --username "${<< parameters.username_envar >>}" --password "${<< parameters.password_envar >>}"
+ - run:
+ name: Push chart archive to OCI registry app catalog
+ command: |
+ readonly app_catalog_name="oci://<< parameters.registry_url >>/$(cat .app_catalog_name)/"
+ readonly reference="$(cat .reference)"
+
+ ret=1
+ tries=4
+ for i in $(seq 1 $tries) ; do
+ echo "====> Attempt $i: Running: helm push build/*.tgz $app_catalog_name"
+ set +e
+ helm push build/*.tgz $app_catalog_name
+ ret=$?
+ set -e
+
+ [[ $ret -eq 0 ]] && exit $ret
+
+ sleep 5
+ done
+
+ echo "Giving up after $tries failures." >&2
+ echo "Error pushing changes. See known errors in:" >&2
+ echo "https://github.com/giantswarm/architect-orb/blob/master/README.md#push-to-app-catalog" >&2
+
+ exit $ret
diff --git a/src/commands/package-and-push-oci.yaml b/src/commands/package-and-push-oci.yaml
new file mode 100644
index 00000000..873bfb69
--- /dev/null
+++ b/src/commands/package-and-push-oci.yaml
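Review bot: The registry password is passed as a command-line argument in the "Authenticate to the OCI registry" step of `package-and-push-oci-with-abs.yaml`, so the expanded secret is visible in the process list of the build container and to anything that records command lines. Helm can read the password from standard input instead, so the line could become `printf '%s' "${<< parameters.password_envar >>}" | helm registry login << parameters.registry_url >> --username "${<< parameters.username_envar >>}" --password-stdin`. The identical login line in `src/commands/package-and-push-oci.yaml` needs the same change.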
@@ -0,0 +1,101 @@
+parameters:
+ app_catalog:
+ type: "string"
+ app_catalog_test:
+ type: "string"
+ chart:
+ type: "string"
+ on_tag:
+ type: boolean
+ default: true
+ description: |
+ When this is `false`, commits to `master` will be pushed to `app_catalog` instead of `app_catalog_test`.
+ Set this to `false` for deployments that follow a a master branch for production releases rather than
+ using tags (the default).
+ explicit_allow_chart_name_mismatch:
+ type: boolean
+ default: false
+ description: |
+ If 'explicit_allow_chart_name_mismatch' is set to true, the name of the chart can be anything.
+ Otherwise the name set in the 'chart' parameter must start with the repository name and optionally continue with '-app'.
+ Does not have any effect for 'executor: app-build-suite'.
+ persist_chart_archive:
+ type: boolean
+ default: false
+ description: |
+ When this is `true`, the packaged chart archive will be persisted to the workspace.
+ Set this to `true`, if you're planning to execute tests using app-test-suite.
+ password_envar:
+ type: "string"
+ default: AZURE_CLIENTSECRET
+ username_envar:
+ type: "string"
+ default: AZURE_CLIENTID
+ registry_url:
+ type: "string"
+ default: "giantswarmpublic.azurecr.io"
+steps:
+ - when:
+ condition: << parameters.on_tag >>
+ steps:
+ - run:
+ name: "architect/package-and-push-oci: Determine target app catalog based on presence of tag"
+ command: |
+ [ -z ${CIRCLE_TAG} ] && echo -n '<< parameters.app_catalog_test >>' | tee .app_catalog_name || echo -n '<< parameters.app_catalog >>' | tee .app_catalog_name
+ echo -n ${CIRCLE_TAG} | tee .reference
+ - unless:
+ condition: << parameters.on_tag >>
+ steps:
+ - run:
+ name: "architect/package-and-push-oci: Determine target app catalog based on branch name"
+ command: |
+ [[ ${CIRCLE_BRANCH} == master ]] && echo -n '<< parameters.app_catalog >>' | tee .app_catalog_name || echo -n '<< parameters.app_catalog_test >>' | tee .app_catalog_name
+ echo -n ${CIRCLE_SHA1} | tee .reference
+ - unless:
+ condition: << parameters.explicit_allow_chart_name_mismatch >>
+ steps:
+ - run:
+ name: Verify chart parameters
+ command: |
+ CHART_NAME="<< parameters.chart >>"
+ [[ ${CHART_NAME%-app} == ${CIRCLE_PROJECT_REPONAME%-app} ]] && exit 0 || echo "chart parameter value should match ${CIRCLE_PROJECT_REPONAME%-app} or ${CIRCLE_PROJECT_REPONAME%-app}-app" ; exit 1
+ - run:
+ name: Package the chart archive
+ command: |
+ mkdir -p build && helm package ./helm/<< parameters.chart >> --destination ./build
+ - when:
+ condition: << parameters.persist_chart_archive >>
+ steps:
+ - persist_to_workspace:
+ root: build
+ paths:
+ - "<< parameters.chart >>*.tgz"
+ - run:
+ name: "architect/package-and-push-oci: Authenticate to the OCI registry"
+ command: |
+ helm registry login << parameters.registry_url >> --username "${<< parameters.username_envar >>}" --password "${<< parameters.password_envar >>}"
+ - run:
+ name: Push chart archive to OCI registry app catalog
+ command: |
+ readonly app_catalog_name="oci://<< parameters.registry_url >>/$(cat .app_catalog_name)/"
+ readonly reference="$(cat .reference)"
+
+ ret=1
+ tries=4
+ for i in $(seq 1 $tries) ; do
+ echo "====> Attempt $i: Running: helm push build/*.tgz $app_catalog_name"
+ set +e
+ helm push build/*.tgz $app_catalog_name
+ ret=$?
+ set -e
+
+ [[ $ret -eq 0 ]] && exit $ret
+
+ sleep 5
+ done
+
+ echo "Giving up after $tries failures." >&2
+ echo "Error pushing changes. See known errors in:" >&2
+ echo "https://github.com/giantswarm/architect-orb/blob/master/README.md#push-to-app-catalog" >&2
+
+ exit $ret
diff --git a/src/jobs/push-to-app-catalog.yaml b/src/jobs/push-to-app-catalog.yaml
index b6c637c8..b96d8ec4 100644
--- a/src/jobs/push-to-app-catalog.yaml
+++ b/src/jobs/push-to-app-catalog.yaml
@@ -39,6 +49,16 @@ parameters: and packaging through https://github.com/giantswarm/app-build-suite The `app-build-suite` executor also enables metadata generation. Default: `architect` + push_to_appcatalog: + default: true + description: | + Push the chart to App Catalog git repository if this is `true`. + type: boolean + push_to_oci_registry: + default: false + description: | + Push the chart to OCI registry if this is `true`. + type: boolean resource_class: default: "small" description: |
@@ -58,6 +68,16 @@ parameters: description: | When this is `true`, the packaged chart archive will be persisted to the workspace. Set this to `true`, if you're planning to execute tests using app-test-suite. + password_envar: + default: AZURE_CLIENTSECRET + description: | + Required if `push_to_oci_registry` is set to `true`. + type: "string" + username_envar: + default: AZURE_CLIENTID + description: | + Required if `push_to_oci_registry` is set to `true`. + type: "string" executor: "<< parameters.executor >>" resource_class: "<< parameters.resource_class >>" steps:
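Review bot: The push step of `package-and-push-oci.yaml` reads `.reference` into `reference` but never uses it, and `helm push build/*.tgz $app_catalog_name` publishes whatever single archive the glob happens to match, not necessarily the one packaged a few steps earlier. If `build/` already holds an archive from another step, the push either fails on the extra argument or uploads a file this command did not build. Narrowing the glob to the pattern already used for `persist_to_workspace` and quoting the target would tie the push to this chart: `helm push build/<< parameters.chart >>*.tgz "$app_catalog_name"`. Either drop `readonly reference="$(cat .reference)"` or add a comment saying what it is reserved for. The same push block appears in `package-and-push-oci-with-abs.yaml`.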
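Review bot: `password_envar` and `username_envar` are declared as `type: "string"` in the second `push-to-app-catalog.yaml` hunk (-58,6), yet the OCI commands splice them into shell as `"${<< parameters.password_envar >>}"`, so any text a caller supplies becomes part of the script. CircleCI's `env_var_name` parameter type rejects values that are not valid variable names; using `type: env_var_name` for both parameters here and in the two `package-and-push-oci*` commands would enforce that at config-processing time. The descriptions say "Required if ..." although both parameters have defaults; wording such as `Name of the environment variable holding the registry password; used when push_to_oci_registry is true.` would describe them more accurately. The parameter block continues outside this hunk.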
@@ -85,13 +105,30 @@ steps: steps: - helm-conftest: chart: "<< parameters.chart >>" - - package-and-push: - app_catalog: << parameters.app_catalog >> - app_catalog_test: << parameters.app_catalog_test >> - chart: << parameters.chart >> - on_tag: << parameters.on_tag >> - explicit_allow_chart_name_mismatch: << parameters.explicit_allow_chart_name_mismatch >> - persist_chart_archive: << parameters.persist_chart_archive >> + - when: + condition: + equal: [<< parameters.push_to_appcatalog >>, true] + steps: + - package-and-push-git: + app_catalog: << parameters.app_catalog >> + app_catalog_test: << parameters.app_catalog_test >> + chart: << parameters.chart >> + on_tag: << parameters.on_tag >> + explicit_allow_chart_name_mismatch: << parameters.explicit_allow_chart_name_mismatch >> + persist_chart_archive: << parameters.persist_chart_archive >> + - when: + condition: + equal: [<< parameters.push_to_oci_registry >>, true] + steps: + - package-and-push-oci: + app_catalog: << parameters.app_catalog >> + app_catalog_test: << parameters.app_catalog_test >> + chart: << parameters.chart >> + on_tag: << parameters.on_tag >> + explicit_allow_chart_name_mismatch: << parameters.explicit_allow_chart_name_mismatch >> + persist_chart_archive: << parameters.persist_chart_archive >> + password_envar: << parameters.password_envar >> + username_envar: << parameters.username_envar >> - when: condition: equal: ["<< parameters.executor >>", "app-build-suite"] 
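Review bot: When both `push_to_appcatalog` and `push_to_oci_registry` are `true`, `package-and-push-git` and `package-and-push-oci` run back to back in the same job, and the OCI command packages the chart again into `build/` before pushing `build/*.tgz`. `package-and-push-git` is not visible in this diff, but if it also leaves an archive in `build/`, the two catalogs can end up with archives produced by different steps, and `persist_to_workspace` runs twice for the same path. With both flags `false` the job finishes green without publishing anything, which deserves a sentence in the parameter descriptions, for example `At least one of push_to_appcatalog and push_to_oci_registry must be true.`. The same pair of `when` blocks is added to the app-build-suite branch in the following hunk (-101,10).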
@@ -101,10 +138,27 @@ steps: show_go_version: false show_abs_version: true - prepare-catalogbot-git-ssh - - package-and-push-with-abs: - app_catalog: << parameters.app_catalog >> - app_catalog_test: << parameters.app_catalog_test >> - chart: << parameters.chart >> - on_tag: << parameters.on_tag >> - skip_conftest_deprek8ion: << parameters.skip_conftest_deprek8ion >> - persist_chart_archive: << parameters.persist_chart_archive >> + - when: + condition: + equal: [<< parameters.push_to_appcatalog >>, true] + steps: + - package-and-push-git-with-abs: + app_catalog: << parameters.app_catalog >> + app_catalog_test: << parameters.app_catalog_test >> + chart: << parameters.chart >> + on_tag: << parameters.on_tag >> + skip_conftest_deprek8ion: << parameters.skip_conftest_deprek8ion >> + persist_chart_archive: << parameters.persist_chart_archive >> + - when: + condition: + equal: [<< parameters.push_to_oci_registry >>, true] + steps: + - package-and-push-oci-with-abs: + app_catalog: << parameters.app_catalog >> + app_catalog_test: << parameters.app_catalog_test >> + chart: << parameters.chart >> + on_tag: << parameters.on_tag >> + skip_conftest_deprek8ion: << parameters.skip_conftest_deprek8ion >> + persist_chart_archive: << parameters.persist_chart_archive >> + password_envar: << parameters.password_envar >> + username_envar: << parameters.username_envar >>
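Review bot: `prepare-catalogbot-git-ssh` still runs unconditionally ahead of the new `when` blocks, so a job with `push_to_appcatalog: false` and `push_to_oci_registry: true` presumably still loads the catalog bot's git SSH credentials without ever using them. Moving that step inside the `push_to_appcatalog` condition, directly before `package-and-push-git-with-abs`, keeps the git credential out of OCI-only runs. The command is defined outside this diff, so confirm it serves no other purpose in this branch before moving it. The enclosing `when` block for the `app-build-suite` executor starts before this hunk.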