Merge pull request #10 from jpopelka/import-images

Helm Chart for import-images cron job

.github/workflows/deploy-import-images.yml

@@ -0,0 +1,38 @@
+name: Deploy import-images cron job
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+    paths:
+      - 'helm-charts/import-images/**/*.yaml'
+      - 'values/import-images/*.yaml'
+
+jobs:
+  deploy:
+    # To not run in forks
+    if: github.repository_owner == 'packit'
+    runs-on: ubuntu-latest
+    environment: prod
+    env:
+      OC_SERVER: https://api.auto-prod.gi0n.p1.openshiftapps.com:6443
+    strategy:
+      matrix:
+        project: [packit-prod, stream-prod, fedora-source-git-prod]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Deploy
+        run: |
+          if [ ${{ matrix.project }} == 'packit-prod' ]; then
+            TOKEN=${{ secrets.PACKIT_PROD_TOKEN }}
+          elif [ ${{ matrix.project }} == 'stream-prod' ]; then
+            TOKEN=${{ secrets.STREAM_PROD_TOKEN }}
+          elif [ ${{ matrix.project }} == 'fedora-source-git-prod' ]; then
+            TOKEN=${{ secrets.FEDORA_SOURCE_GIT_PROD_TOKEN }}
+          fi
+          oc login --token=$TOKEN --server=$OC_SERVER
+          make -C values/import-images/ install PROJECT=${{ matrix.project }}

.github/workflows/release.yml

@@ -7,10 +7,12 @@ on:
 
 jobs:
   release:
+    # To not run in forks
+    if: github.repository_owner == 'packit'
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
 
@@ -19,14 +21,9 @@ jobs:
           git config user.name "$GITHUB_ACTOR"
           git config user.email "[email protected]"
 
-      - name: Install Helm
-        uses: azure/setup-helm@v3
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-
       - name: Run chart-releaser
         uses: helm/chart-releaser-action@v1
         with:
-          charts_dir: ocp-helm-charts
+          charts_dir: helm-charts
         env:
           CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

.pre-commit-config.yaml

@@ -4,7 +4,7 @@
 
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.3.0
+    rev: v4.4.0
     hooks:
       - id: check-merge-conflict
       - id: check-symlinks
@@ -23,3 +23,7 @@ repos:
         args:
           - https://github.com/packit/udp.git
         stages: [manual, push]
+
+ci:
+  # requires helm binary
+  skip: [helmlint]

README.md

@@ -1,53 +1,19 @@
-# [Unified Openshift Deployment Process](https://docs.google.com/presentation/d/1MlLuuawzxJg6U15zbPby6JAtNNEWZAhfGEWNcpYSWeo)
+# Helm Charts
 
-for the [Packit Service Validation](https://github.com/packit/deployment/tree/main/cron-jobs/packit-service-validation).
+for
+* [Packit Service Validation cron job](https://github.com/packit/deployment/tree/main/cron-jobs/packit-service-validation)
+* [Import-images cron job](https://github.com/packit/deployment/tree/main/cron-jobs/import-images)
 
-To deploy the *Packit Service Validation* through *Helm* follow this steps:
+## Deployment
 
-### Setup deployment
+All charts are deployed automatically via GitHub/Gitlab CI/CI.
 
-Helm uses an **image** created through a GitHub action and pushed to Quay.io,
-the **tag** for this image is the first *7 digit for the commit SHA* of the packit/deployment repo.
+For instructions how to do it manually, see
+* [packit-service-validation/README.md](values/packit-service-validation/README.md)
+* [import-images/README.md](values/import-images/README.md)
 
-To use a new image update the referenced tag
-[here](https://github.com/packit/udp/blob/main/ocp-deployments/packit-service-validation-prod.yaml#L18).
+## Releases
 
-### Install Helm Chart
-
-Login to OpenShift cluster and switch to proper project. In case of packit-service validation
-it's `cyborg` project @ [PSI Cluster](https://ocp4.psi.redhat.com).
-
-    oc login --token=sha256~....  --server= ....
-    oc project cyborg
-
-Get secrets from Bitwarden.
-Sentry from `extra-vars.yml` in `secrets-packit-[prod|stg]` item and
-GitHub token from `Release/usercont bot` item.
-
-    export SENTRY=$( echo -n 'token from bitwarden' | base64 )
-    export GITHUB=$( echo -n 'token from bitwarden' | base64 )
-
-#### Install from this repo
-
-    make packit-service-validation-install DEPLOYMENT=[production|staging]
-
-#### Install from chart repository
-
-If you're going to use the chart from outside (without having this repo cloned),
-you can install the chart from our chart repository. You just need to have a file
-with keys overriding those defined in `values.yaml` with `~` value.
-
-    helm repo add packit https://helm.packit.dev
-    helm repo update
-    helm upgrade --install --cleanup-on-fail packit-service-validation packit/packit-service-validation --set secrets.sentry=${SENTRY} --set secrets.github=${GITHUB} --values your-values-file.yaml
-
-### Render templates
-
-If you just want to see how the rendered templates would look like:
-
-    make packit-service-validation-dryrun DEPLOYMENT=[production|staging]
-
-### Releases
 There's a [release workflow](https://github.com/packit/udp/blob/main/.github/workflows/release.yml)
 to automate releasing the Helm charts. It uses
 [Helm Chart Releaser Action](https://github.com/marketplace/actions/helm-chart-releaser)
@@ -57,3 +23,8 @@ and whenever there's a new chart version, creates a corresponding GitHub release
 named for the chart version, adds Helm chart artifacts to the release,
 and creates or updates an `index.yaml` file with metadata about those releases,
 which is then hosted on GitHub Pages at [helm.packit.dev](https://helm.packit.dev).
+
+## [Unified Openshift Deployment Process](https://docs.google.com/presentation/d/1MlLuuawzxJg6U15zbPby6JAtNNEWZAhfGEWNcpYSWeo)
+
+We use images created by a GitHub workflow and pushed to Quay.io,
+the **tag** for an image is the first *7 digit for the commit SHA*.

helm-charts/import-images/.helmignore

@@ -0,0 +1,17 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+# Common backup files
+*.swp
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

helm-charts/import-images/Chart.yaml

@@ -0,0 +1,8 @@
+apiVersion: v2
+name: import-images
+description: A Helm chart for import-images CronJob
+type: application
+
+# Increment each time you make changes
+# to the chart and its templates.
+version: 0.1.0

helm-charts/import-images/templates/job-import-images.yaml

@@ -0,0 +1,31 @@
+# https://docs.openshift.com/container-platform/latest/rest_api/workloads_apis/cronjob-batch-v1.html
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: {{ .Release.Name }}
+spec:
+  schedule: {{ .Values.cronjob.schedule | quote }}
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+            - name: import-images
+              image: "{{ .Values.image.repo }}:{{ .Values.image.tag }}"
+              env:
+                - name: KUBECONFIG
+                  value: /tmp/.kube/config
+                - name: HOST
+                  value: {{ .Values.host }}
+                - name: TOKEN
+                  valueFrom:
+                    secretKeyRef:
+                      name: {{ .Values.secret.name }}
+                      key: {{ .Values.secret.key }}
+                - name: SERVICE
+                  value: {{ .Values.service }}
+                - name: DEPLOYMENT
+                  value: {{ .Values.deployment }}
+              resources:
+                {{- toYaml .Values.resources | nindent 16 }}
+          restartPolicy: OnFailure

helm-charts/import-images/values.yaml

@@ -0,0 +1,34 @@
+# Cron job parameters
+cronjob:
+  # At 02:00 on Tuesday
+  schedule: "0 2 * * 2"
+
+# Container image
+image:
+  # Image repository without a tag
+  repo: quay.io/packit/import-images
+  # Image tag
+  tag: ~
+
+# Openshift cluster
+host: ~
+
+# name of the secret with token of a service account used to login to the cluster
+secret:
+  name: ~
+  key: token
+
+# packit / stream / fedora-source-git
+service: packit
+
+# prod / stg
+deployment: prod
+
+# Pod resources maximum
+resources:
+  limits:
+    cpu: "100m"
+    memory: "80Mi"
+  requests:
+    cpu: "100m"
+    memory: "80Mi"

ocp-helm-charts/packit-service-validation/templates/job-run-validation.yml → helm-charts/packit-service-validation/templates/job-run-validation.yml

@@ -1,4 +1,4 @@
-# https://docs.openshift.com/container-platform/4.11/rest_api/workloads_apis/cronjob-batch-v1.html
+# https://docs.openshift.com/container-platform/latest/rest_api/workloads_apis/cronjob-batch-v1.html
 apiVersion: batch/v1
 kind: CronJob
 metadata:
@@ -13,7 +13,6 @@ spec:
           containers:
           - name: run-validation
             image: "{{ .Values.image.repo }}:{{ .Values.image.tag }}"
-            imagePullPolicy: IfNotPresent
             env:
             - name: GITHUB_TOKEN
               valueFrom:

values/import-images/Makefile

@@ -0,0 +1,8 @@
+PROJECT ?= packit-prod
+
+install:
+	oc project $(PROJECT)
+	helm upgrade $(EXTRA_OPTIONS) --install --cleanup-on-fail import-images ../../helm-charts/import-images/ --values $(PROJECT).yaml
+
+dryrun:
+	make install EXTRA_OPTIONS="--debug --dry-run"

values/import-images/README.md

@@ -0,0 +1,25 @@
+## Install
+
+Login to the Openshift cluster:
+
+    oc login --token=sha256~....  --server= ....
+
+### Install from this repo
+
+    make install PROJECT=packit-prod
+
+### Install from chart repository
+
+If you're going to use the chart from outside (without having this repo cloned),
+you can install the chart from our chart repository. You just need to have a file
+with keys overriding those defined in `values.yaml` with `~` value.
+
+    helm repo add packit https://helm.packit.dev
+    helm repo update
+    helm upgrade --install --cleanup-on-fail import-images packit/import-images --values your-values-file.yaml
+
+### Render templates
+
+If you just want to see how the rendered templates would look like:
+
+    make dryrun PROJECT=packit-prod

values/import-images/fedora-source-git-prod.yaml

@@ -0,0 +1,9 @@
+image:
+  tag: "4050635"
+
+host: https://api.auto-prod.gi0n.p1.openshiftapps.com:6443
+
+secret:
+  name: pipeline-token-m8z9n
+
+service: fedora-source-git

values/import-images/packit-prod.yaml

@@ -0,0 +1,9 @@
+image:
+  tag: "4050635"
+
+host: https://api.auto-prod.gi0n.p1.openshiftapps.com:6443
+
+secret:
+  name: pipeline-token-6mc7z
+
+service: packit

values/import-images/stream-prod.yaml

@@ -0,0 +1,9 @@
+image:
+  tag: "4050635"
+
+host: https://api.auto-prod.gi0n.p1.openshiftapps.com:6443
+
+secret:
+  name: pipeline-token-dw46p
+
+service: stream

values/packit-service-validation/Makefile

@@ -0,0 +1,7 @@
+DEPLOYMENT ?= production
+
+install:
+	helm upgrade $(EXTRA_OPTIONS) --install --cleanup-on-fail packit-$(DEPLOYMENT)-validation ../../helm-charts/packit-service-validation/ --set secrets.sentry=${SENTRY} --set secrets.github=${GITHUB} --values $(DEPLOYMENT).yaml
+
+dryrun:
+	make install EXTRA_OPTIONS="--debug --dry-run"

values/packit-service-validation/README.md

@@ -0,0 +1,33 @@
+## Install
+
+Login to [PSI](https://ocp4.psi.redhat.com) and switch to `cyborg` project.
+
+    oc login --token=sha256~....  --server= ....
+    oc project cyborg
+
+Get secrets from Bitwarden.
+Sentry from `extra-vars.yml` in `secrets-packit-[prod|stg]` item and
+GitHub token from `Release/usercont bot` item.
+
+    export SENTRY=$( echo -n 'token from bitwarden' | base64 )
+    export GITHUB=$( echo -n 'token from bitwarden' | base64 )
+
+### Install from this repo
+
+    make install DEPLOYMENT=[production|staging]
+
+### Install from chart repository
+
+If you're going to use the chart from outside (without having this repo cloned),
+you can install the chart from our chart repository. You just need to have a file
+with keys overriding those defined in `values.yaml` with `~` value.
+
+    helm repo add packit https://helm.packit.dev
+    helm repo update
+    helm upgrade --install --cleanup-on-fail packit-service-validation packit/packit-service-validation --set secrets.sentry=${SENTRY} --set secrets.github=${GITHUB} --values your-values-file.yaml
+
+### Render templates
+
+If you just want to see how the rendered templates would look like:
+
+    make dryrun DEPLOYMENT=[production|staging]