Update helm charts #17
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Update helm charts | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| version: | |
| description: | | |
| version: | |
| Version of the release that triggered the workflow | |
| required: true | |
| type: string | |
| oldVersion: | |
| description: | | |
| oldVersion: | |
| Previous version of the release, already shipped in helm-charts | |
| required: true | |
| type: string | |
| repository: | |
| description: | | |
| repository: | |
| Repository of the release that triggered the workflow | |
| required: true | |
| type: string | |
| default: kubewarden/kubewarden-controller | |
| crds_asset_id: | |
| description: | | |
| crds_asset_id: | |
| When repository is `kubewarden/kubewarden-controller` or | |
| `kubewarden/audit-scanner`, asset_id of CRDs artifact in the GH | |
| release job. This can be found on the release job run, step "trigger | |
| chart update". Example: `144582472`. | |
| required: false | |
| type: string | |
| repository_dispatch: | |
| types: [update-chart] | |
| jobs: | |
| setvariables: | |
| name: Read variables from dispatch | |
| # read variables from either the repository_dispatch or the | |
| # workflow_dispatch, and create job outputs to reuse in other jobs. | |
| # It is not enough with env vars. We need job outputs, as they are shared | |
| # between jobs, since each job runs in a different VM instance. | |
| runs-on: ubuntu-latest | |
| outputs: | |
| version: ${{ github.event_name == 'repository_dispatch' && steps.from_repository_dispatch.outputs.version || steps.from_workflow_dispatch.outputs.version }} | |
| old_version: ${{ github.event_name == 'repository_dispatch' && steps.from_repository_dispatch.outputs.old_version || steps.from_workflow_dispatch.outputs.old_version }} | |
| repository: ${{ github.event_name == 'repository_dispatch' && steps.from_repository_dispatch.outputs.repository || steps.from_workflow_dispatch.outputs.repository }} | |
| crds_asset_id: ${{ github.event_name == 'repository_dispatch' && steps.from_repository_dispatch.outputs.crds_asset_id || steps.from_workflow_dispatch.outputs.crds_asset_id }} | |
| steps: | |
| - name: Validate payload | |
| uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
| if: github.event_name == 'repository_dispatch' | |
| with: | |
| script: | | |
| let repository = context.payload.client_payload.repository | |
| if (!repository.endsWith("kubewarden-controller") && !repository.endsWith("policy-server") && !repository.endsWith("kwctl") && !repository.endsWith("audit-scanner")) { | |
| core.setFailed("Invalid repository") | |
| } | |
| - name: Set job output vars from repository_dispatch payload | |
| id: from_repository_dispatch | |
| if: github.event_name == 'repository_dispatch' | |
| run: | | |
| echo "old_version=${{ github.event.client_payload.oldVersion }}" >> $GITHUB_OUTPUT | |
| echo "version=${{ github.event.client_payload.version }}" >> $GITHUB_OUTPUT | |
| echo "repository=${{ github.event.client_payload.repository }}" >> $GITHUB_OUTPUT | |
| echo "crds_asset_id=${{ github.event.client_payload.crds_asset_id }}" >> $GITHUB_OUTPUT | |
| - name: Set job output vars from workflow_dispatch input | |
| id: from_workflow_dispatch | |
| if: github.event_name == 'workflow_dispatch' | |
| run: | | |
| echo "old_version=${{ inputs.oldVersion }}" >> $GITHUB_OUTPUT | |
| echo "version=${{ inputs.version }}" >> $GITHUB_OUTPUT | |
| echo "repository=${{ inputs.repository }}" >> $GITHUB_OUTPUT | |
| echo "crds_asset_id=${{ inputs.crds_asset_id }}" >> $GITHUB_OUTPUT | |
| check-update-type: | |
| name: Detect update type | |
| runs-on: ubuntu-latest | |
| needs: setvariables | |
| outputs: | |
| update_type: ${{ steps.check_update_type.outputs.update_type }} | |
| repository: ${{ steps.check_update_type.outputs.repository }} | |
| prerelease: ${{ steps.check_update_type.outputs.prerelease }} | |
| steps: | |
| - name: Install semver comparison tool | |
| run: | | |
| INSTALL_DIR=$HOME/.semver | |
| mkdir -p $INSTALL_DIR | |
| wget -O $INSTALL_DIR/semver https://github.com/fsaintjacques/semver-tool/raw/3.4.0/src/semver | |
| chmod +x $INSTALL_DIR/semver | |
| echo $INSTALL_DIR >> $GITHUB_PATH | |
| - name: Check if it is a patch update | |
| id: check_update_type | |
| run: | | |
| OLDVERSION=${{ needs.setvariables.outputs.old_version }} | |
| NEWVERSION=${{ needs.setvariables.outputs.version }} | |
| REPOSITORY=${{ needs.setvariables.outputs.repository }} | |
| VALID=$(semver validate $OLDVERSION) | |
| if [[ $VALID == "invalid" ]]; then | |
| exit 1 | |
| fi | |
| VALID=$(semver validate $NEWVERSION) | |
| if [[ $VALID == "invalid" ]]; then | |
| exit 1 | |
| fi | |
| UPDATE_TYPE=$(semver diff $OLDVERSION $NEWVERSION) | |
| PRERELEASE_SUFFIX="-$(semver get prerelease $NEWVERSION)" | |
| if [[ $PRERELEASE_SUFFIX == "-" ]];then | |
| PRERELEASE_SUFFIX=" " | |
| fi | |
| echo "update_type=$UPDATE_TYPE" >> $GITHUB_OUTPUT | |
| echo "repository=$REPOSITORY" >> $GITHUB_OUTPUT | |
| echo "prerelease=$PRERELEASE_SUFFIX" >> $GITHUB_OUTPUT | |
| patch-update: | |
| name: Patch release updates | |
| runs-on: ubuntu-latest | |
| needs: | |
| - check-update-type | |
| - setvariables | |
| if: needs.check-update-type.outputs.update_type == 'patch' && !endsWith(needs.check-update-type.outputs.repository, 'kwctl') | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| steps: | |
| - name: Set environment variables | |
| uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
| with: | |
| script: | | |
| core.exportVariable("UPDATECLI_GITHUB_OWNER", context.repo["owner"]) | |
| core.exportVariable("UPDATECLI_CHART_VERSION", needs.setvariables.outputs.version ) | |
| - name: Checkout | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: Download CRDS controller | |
| if: endsWith(needs.setvariables.outputs.repository, 'kubewarden-controller') | |
| uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
| with: | |
| script: | | |
| let repository = needs.setvariables.outputs.repository | |
| if (repository.endsWith("kubewarden-controller")) { | |
| let crds_asset_id = needs.setvariables.outputs.crds_asset_id | |
| console.log(`Fetching asset ID: ${crds_asset_id}`) | |
| let repository_split = repository.split("/") | |
| let owner = repository_split[0] | |
| let repository = repository_split[1] | |
| let asset = await github.rest.repos.getReleaseAsset({ | |
| owner: owner, repo: repository, asset_id: crds_asset_id, headers:{ | |
| accept: "application/octet-stream"}, | |
| }) | |
| let fs = require('fs'); | |
| fs.writeFileSync("/tmp/crds-controller.tar.gz", Buffer.from(asset.data)) | |
| } | |
| - name: Download CRDS audit-scanner | |
| if: endsWith(needs.setvariables.outputs.repository, 'audit-scanner') | |
| uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
| with: | |
| script: | | |
| let repository = needs.setvariables.outputs.repository | |
| if (repository.endsWith("audit-scanner")) { | |
| let crds_asset_id = needs.setvariables.outputs.crds_asset_id | |
| console.log(`Fetching asset ID: ${crds_asset_id}`) | |
| let repository_split = repository.split("/") | |
| let owner = repository_split[0] | |
| let repository = repository_split[1] | |
| let asset = await github.rest.repos.getReleaseAsset({ | |
| owner: owner, repo: repository, asset_id: crds_asset_id, headers:{ | |
| accept: "application/octet-stream"}, | |
| }) | |
| let fs = require('fs'); | |
| fs.writeFileSync("/tmp/crds-audit-scanner.tar.gz", Buffer.from(asset.data)) | |
| } | |
| - name: Update CRDs | |
| if: endsWith(needs.setvariables.outputs.repository, 'kubewarden-controller') || endsWith(needs.setvariables.outputs.repository, 'audit-scanner') | |
| id: update_crds | |
| run: | | |
| # The next commands are use in the updatecli/scripts/install_crds.sh as well. | |
| # Here the commands are used to detect CRDs changes. In the script they are used | |
| # to install the CRDs | |
| if [ -f "/tmp/crds-controller.tar.gz" ]; then | |
| tar -xvf /tmp/crds-controller.tar.gz | |
| find . -maxdepth 1 -name "*_policyserver*" -exec mv \{\} charts/kubewarden-crds/templates/policyservers.yaml \; | |
| find . -maxdepth 1 -name "*_admissionpolicies*" -exec mv \{\} charts/kubewarden-crds/templates/admissionpolicies.yaml \; | |
| find . -maxdepth 1 -name "*_clusteradmissionpolicies*" -exec mv \{\} charts/kubewarden-crds/templates/clusteradmissionpolicies.yaml \; | |
| fi | |
| if [ -f "/tmp/crds-audit-scanner.tar.gz" ]; then | |
| tar -xvf /tmp/crds-audit-scanner.tar.gz | |
| find . -maxdepth 1 -name "*_clusterpolicyreports*" -exec mv \{\} charts/kubewarden-crds/templates/clusterpolicyreports.yaml \; | |
| find . -maxdepth 1 -name "*_policyreports*" -exec mv \{\} charts/kubewarden-crds/templates/policyreports.yaml \; | |
| fi | |
| set +e | |
| git diff --exit-code --no-patch charts/kubewarden-crds | |
| echo "must_update_crds_chart=$?" >> $GITHUB_OUTPUT | |
| - name: Install Updatecli in the runner | |
| uses: updatecli/updatecli-action@ecfc21fd2d9e91be2af8b706ea10aea5154f6d5d # v2.54.0 | |
| - name: Update kubewarden-defaults Helm chart | |
| if: endsWith(needs.setvariables.outputs.repository, 'policy-server') | |
| env: | |
| UPDATECLI_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: "updatecli apply --config ./updatecli/updatecli.d/patch-kubewarden-defaults.yaml --values updatecli/values.yaml" | |
| - name: Update kubewarden-controller Helm chart with no CRDs update | |
| if: (endsWith(needs.setvariables.outputs.repository, 'kubewarden-controller') || endsWith(needs.setvariables.outputs.repository, 'audit-scanner')) && steps.update_crds.outputs.must_update_crds_chart==0 | |
| env: | |
| UPDATECLI_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: "updatecli apply --config ./updatecli/updatecli.d/patch-kubewarden-controller.yaml --values updatecli/values.yaml" | |
| - name: Update kubewarden-controller Helm chart with CRDs update | |
| if: (endsWith(needs.setvariables.outputs.repository, 'kubewarden-controller') || endsWith(needs.setvariables.outputs.repository, 'audit-scanner')) && steps.update_crds.outputs.must_update_crds_chart!=0 | |
| env: | |
| UPDATECLI_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: "updatecli apply --config ./updatecli/updatecli.d/patch-kubewarden-controller-with-crds-update.yaml --values updatecli/values.yaml" | |
| major-minor-prerelease-update: | |
| name: Major or minor release updates | |
| runs-on: ubuntu-latest | |
| needs: | |
| - check-update-type | |
| - setvariables | |
| if: needs.check-update-type.outputs.update_type == 'major' || needs.check-update-type.outputs.update_type == 'minor' || needs.check-update-type.outputs.update_type == 'prerelease' | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: Check if all components has a release with the same tag | |
| uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
| with: | |
| script: | | |
| let needs = ${{ toJSON(needs) }} | |
| console.log('NEEDS: ', needs); | |
| let repository = context.needs.setvariables.outputs.repository | |
| let repository_split = repository.split("/") | |
| let owner = repository_split[0] | |
| const version = needs.setvariables.outputs.version | |
| let repos = ['kubewarden-controller', 'policy-server', 'kwctl', 'audit-scanner'] | |
| for (const repo of repos) { | |
| try { | |
| await github.rest.repos.getReleaseByTag({owner: owner, repo: repo, tag: version,}) | |
| } catch (e) { | |
| core.setFailed(`${repo} is missing a release for the tag ${version}`) | |
| } | |
| } | |
| - name: Check if CRD are available in the Kubewarden controller | |
| id: download_crds_controller | |
| uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
| with: | |
| script: | | |
| let repository_split = needs.setvariables.outputs.repository.split("/") | |
| let owner = repository_split[0] | |
| let repository = repository_split[1] | |
| let crds_asset_id = null | |
| const controller_repo = "kubewarden-controller" | |
| const version = needs.setvariables.outputs.version | |
| const crds_tarball = "CRDS.tar.gz" | |
| if (repository === controller_repo) { | |
| crds_asset_id = needs.setvariables.outputs.crds_asset_id | |
| } else { | |
| crds_asset_id = await github.rest.repos.getReleaseByTag({owner: owner, repo: controller_repo, tag: version,}).then((response) => { | |
| for (const file of response.data.assets) { | |
| if (file.name == crds_tarball) { | |
| return file.id; | |
| } | |
| } | |
| return null; | |
| }, (failedResponse) => { | |
| consolog.log("FAILED") | |
| return null; | |
| }); | |
| } | |
| console.log(`Fetching asset ID: ${crds_asset_id}`) | |
| if (typeof(crds_asset_id) === "number") { | |
| let asset = await github.rest.repos.getReleaseAsset({ | |
| owner: owner, repo: controller_repo, asset_id: crds_asset_id, headers:{ | |
| accept: "application/octet-stream"}, | |
| }) | |
| let fs = require('fs'); | |
| fs.writeFileSync("/tmp/crds-controller.tar.gz", Buffer.from(asset.data)) | |
| console.log(`${crds_tarball} downloaded successfully`) | |
| } else { | |
| core.warning(`Aborting chart update: no ${crds_tarball} found. This is expected if the release process in the controller repository is still running. Otherwise, check why the release in the controller does not contains the CRDs tarball`) | |
| core.setFailed("No CRDs tarball found") | |
| } | |
| - name: Check if CRD are available in the audit scanner | |
| id: download_crds_audit_scanner | |
| uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
| with: | |
| script: | | |
| let repository_split = needs.setvariables.outputs.repository.split("/") | |
| let owner = repository_split[0] | |
| let repository = repository_split[1] | |
| let crds_asset_id = null | |
| const audit_scanner_repo = "audit-scanner" | |
| const version = needs.setvariables.outputs.version | |
| const crds_tarball = "CRDS.tar.gz" | |
| if (repository === audit_scanner_repo) { | |
| crds_asset_id = needs.setvariables.outputs.crds_asset_id | |
| } else { | |
| crds_asset_id = await github.rest.repos.getReleaseByTag({owner: owner, repo: audit_scanner_repo, tag: version,}).then((response) => { | |
| for (const file of response.data.assets) { | |
| if (file.name == crds_tarball) { | |
| return file.id; | |
| } | |
| } | |
| return null; | |
| }, (failedResponse) => { | |
| consolog.log("FAILED") | |
| return null; | |
| }); | |
| } | |
| console.log(`Fetching asset ID: ${crds_asset_id}`) | |
| if (typeof(crds_asset_id) === "number") { | |
| let asset = await github.rest.repos.getReleaseAsset({ | |
| owner: owner, repo: audit_scanner_repo, asset_id: crds_asset_id, headers:{ | |
| accept: "application/octet-stream"}, | |
| }) | |
| let fs = require('fs'); | |
| fs.writeFileSync("/tmp/crds-audit-scanner.tar.gz", Buffer.from(asset.data)) | |
| console.log(`${crds_tarball} downloaded successfully`) | |
| } else { | |
| core.warning(`Aborting chart update: no ${crds_tarball} found. This is expected if the release process in the audit-scanner repository is still running. Otherwise, check why the release does not contains the CRDs tarball`) | |
| core.setFailed("No CRDs tarball found") | |
| } | |
| - name: Update CRDS | |
| id: update_crds | |
| run: | | |
| # The next commands are used in the updatecli/scripts/install_crds.sh as well. | |
| # Here the commands are used to detect CRDs changes. In the script they are used | |
| # to install the CRDs | |
| if [ -f "/tmp/crds-controller.tar.gz" ]; then | |
| tar -xvf /tmp/crds-controller.tar.gz | |
| find . -maxdepth 1 -name "*_policyserver*" -exec mv \{\} charts/kubewarden-crds/templates/policyservers.yaml \; | |
| find . -maxdepth 1 -name "*_admissionpolicies*" -exec mv \{\} charts/kubewarden-crds/templates/admissionpolicies.yaml \; | |
| find . -maxdepth 1 -name "*_clusteradmissionpolicies*" -exec mv \{\} charts/kubewarden-crds/templates/clusteradmissionpolicies.yaml \; | |
| fi | |
| if [ -f "/tmp/crds-audit-scanner.tar.gz" ]; then | |
| tar -xvf /tmp/crds-audit-scanner.tar.gz | |
| find . -maxdepth 1 -name "*_clusterpolicyreports*" -exec mv \{\} charts/kubewarden-crds/templates/clusterpolicyreports.yaml \; | |
| find . -maxdepth 1 -name "*_policyreports*" -exec mv \{\} charts/kubewarden-crds/templates/policyreports.yaml \; | |
| # add the if statement to allow users to skip the reports CRDs installation | |
| sed -i '1 i {{- if or .Values.installPolicyReportCRDs (not (hasKey .Values "installPolicyReportCRDs")) }}' charts/kubewarden-crds/templates/clusterpolicyreports.yaml | |
| sed -i '$ a {{ end }}' charts/kubewarden-crds/templates/clusterpolicyreports.yaml | |
| sed -i '1 i {{- if or .Values.installPolicyReportCRDs (not (hasKey .Values "installPolicyReportCRDs")) }}' charts/kubewarden-crds/templates/policyreports.yaml | |
| sed -i '$ a {{ end }}' charts/kubewarden-crds/templates/policyreports.yaml | |
| fi | |
| set +e | |
| git diff --exit-code --no-patch charts/kubewarden-crds | |
| echo "must_update_crds_chart=$?" >> $GITHUB_OUTPUT | |
| - name: Install Updatecli in the runner | |
| uses: updatecli/updatecli-action@ecfc21fd2d9e91be2af8b706ea10aea5154f6d5d # v2.54.0 | |
| - name: Major or minor update Kubewarden charts with NO CRDs update | |
| if: steps.update_crds.outputs.must_update_crds_chart==0 && (needs.check-update-type.outputs.update_type == 'major' || needs.check-update-type.outputs.update_type == 'minor') | |
| env: | |
| UPDATECLI_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| UPDATECLI_SEMVERINC_UPDATE: ${{ needs.check-update-type.outputs.update_type }} | |
| UPDATECLI_PRERELEASE_SUFFIX: ${{ needs.check-update-type.outputs.prerelease }} | |
| UPDATECLI_GITHUB_OWNER: ${{ github.repository_owner }} | |
| UPDATECLI_CHART_VERSION: ${{ needs.setvariables.outputs.version }} | |
| run: "updatecli apply --config ./updatecli/updatecli.d/major-kubewarden-update.yaml --values updatecli/values.yaml" | |
| - name: Major or minor update Kubewarden charts WITH CRDs update | |
| if: steps.update_crds.outputs.must_update_crds_chart==1 && (needs.check-update-type.outputs.update_type == 'major' || needs.check-update-type.outputs.update_type == 'minor') | |
| env: | |
| UPDATECLI_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| UPDATECLI_SEMVERINC_UPDATE: ${{ needs.check-update-type.outputs.update_type }} | |
| UPDATECLI_PRERELEASE_SUFFIX: ${{ needs.check-update-type.outputs.prerelease }} | |
| UPDATECLI_GITHUB_OWNER: ${{ github.repository_owner }} | |
| UPDATECLI_CHART_VERSION: ${{ needs.setvariables.outputs.version }} | |
| run: "updatecli apply --config ./updatecli/updatecli.d/major-kubewarden-update-with-crd-update.yaml --values updatecli/values.yaml" | |
| - name: Prerelease update Kubewarden charts with NO CRDs update | |
| if: steps.update_crds.outputs.must_update_crds_chart==0 && needs.check-update-type.outputs.update_type == 'prerelease' | |
| env: | |
| UPDATECLI_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| UPDATECLI_SEMVERINC_UPDATE: ${{ needs.check-update-type.outputs.update_type }} | |
| UPDATECLI_PRERELEASE_SUFFIX: ${{ needs.check-update-type.outputs.prerelease }} | |
| UPDATECLI_GITHUB_OWNER: ${{ github.repository_owner }} | |
| UPDATECLI_CHART_VERSION: ${{ needs.setvariables.outputs.version }} | |
| run: "updatecli apply --config ./updatecli/updatecli.d/prerelease-kubewarden-update.yaml --values updatecli/values.yaml" | |
| - name: Prerelease update Kubewarden charts WITH CRDs update | |
| if: steps.update_crds.outputs.must_update_crds_chart==1 && needs.check-update-type.outputs.update_type == 'prerelease' | |
| env: | |
| UPDATECLI_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| UPDATECLI_SEMVERINC_UPDATE: ${{ needs.check-update-type.outputs.update_type }} | |
| UPDATECLI_PRERELEASE_SUFFIX: ${{ needs.check-update-type.outputs.prerelease }} | |
| UPDATECLI_GITHUB_OWNER: ${{ github.repository_owner }} | |
| UPDATECLI_CHART_VERSION: ${{ needs.setvariables.outputs.version }} | |
| run: "updatecli apply --config ./updatecli/updatecli.d/prerelease-kubewarden-update-with-crd-update.yaml --values updatecli/values.yaml" |