Merge pull request #1073 from Azure/refactor-pko

janboll · web-flow · commit d2c4cc1da69b · 2025-01-20T10:54:41.000+01:00
Use helm for pko
diff --git a/.github/workflows/services-ci.yml b/.github/workflows/services-ci.yml
@@ -157,3 +157,30 @@
           run: |
             cd tooling/image-sync
             make push
+
+    build_push_package_operator:
+      permissions:
+        id-token: 'write'
+        contents: 'read'
+      runs-on: 'ubuntu-latest'
+      steps:
+        - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+          with:
+            fetch-depth: 1
+
+        - name: "install azure-cli"
+          if: inputs.push == true
+          uses: "Azure/ARO-HCP@main"
+
+        - name: 'Az CLI login'
+          if: inputs.push == true
+          uses: azure/login@v2
+          with:
+            client-id: ${{ secrets.AZURE_CLIENT_ID }}
+            tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+            subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+        - name: Build package operator container image from git@github.com:package-operator/package-operator.git
+          run: |
+            cd pko
+            make image
diff --git a/config/config.schema.json b/config/config.schema.json
@@ -126,6 +126,26 @@
           "regionalSubdomain"
         ]
       },
+      "pko": {
+        "type": "object",
+        "properties": {
+          "image": {
+            "type": "string"
+          },
+          "imageManager": {
+            "type": "string"
+          },
+          "imageTag": {
+            "type": "string"
+          }
+        },
+        "additionalProperties": false,
+        "required": [
+          "image",
+          "imageManager",
+          "imageTag"
+        ]
+      },
       "clusterService": {
         "type": "object",
         "properties": {
diff --git a/config/config.yaml b/config/config.yaml
@@ -86,6 +86,11 @@ defaults:
     consumerName: hcp-underlay-{{ .ctx.regionShort }}-mgmt-{{ .ctx.stamp }}
     imageBase: quay.io/redhat-user-workloads/maestro-rhtap-tenant/maestro/maestro
 
+  pko:
+    image: arohcpsvcdev.azurecr.io/package-operator/package-operator-package
+    imageManager: arohcpsvcdev.azurecr.io/package-operator/package-operator-manager
+    imageTag: v1.15.0
+
   # Cluster Service
   clusterService:
     acrRG: global
diff --git a/config/public-cloud-cs-pr.json b/config/public-cloud-cs-pr.json
@@ -187,6 +187,11 @@
   },
   "ocpAcrName": "arohcpocpdev",
   "oidcStorageAccountName": "arohcpoidccspr",
+  "pko": {
+    "image": "arohcpsvcdev.azurecr.io/package-operator/package-operator-package",
+    "imageManager": "arohcpsvcdev.azurecr.io/package-operator/package-operator-manager",
+    "imageTag": "v1.15.0"
+  },
   "region": "westus3",
   "regionRG": "hcp-underlay-cspr",
   "serviceKeyVault": {
diff --git a/config/public-cloud-dev.json b/config/public-cloud-dev.json
@@ -187,6 +187,11 @@
   },
   "ocpAcrName": "arohcpocpdev",
   "oidcStorageAccountName": "arohcpoidcdev",
+  "pko": {
+    "image": "arohcpsvcdev.azurecr.io/package-operator/package-operator-package",
+    "imageManager": "arohcpsvcdev.azurecr.io/package-operator/package-operator-manager",
+    "imageTag": "v1.15.0"
+  },
   "region": "westus3",
   "regionRG": "hcp-underlay-dev",
   "serviceKeyVault": {
diff --git a/config/public-cloud-personal-dev.json b/config/public-cloud-personal-dev.json
@@ -187,6 +187,11 @@
   },
   "ocpAcrName": "arohcpocpdev",
   "oidcStorageAccountName": "arohcpoidcusw3tst",
+  "pko": {
+    "image": "arohcpsvcdev.azurecr.io/package-operator/package-operator-package",
+    "imageManager": "arohcpsvcdev.azurecr.io/package-operator/package-operator-manager",
+    "imageTag": "v1.15.0"
+  },
   "region": "westus3",
   "regionRG": "hcp-underlay-usw3tst",
   "serviceKeyVault": {
diff --git a/pko/Makefile b/pko/Makefile
@@ -1,6 +1,37 @@
-SHELL = /bin/bash
+-include ../setup-env.mk
+-include ../helm-cmd.mk
+HELM_CMD ?= helm upgrade --install
+
+NAMESPACE ?= package-operator-system
+ARO_HCP_IMAGE_REGISTRY ?= ${ARO_HCP_IMAGE_ACR}.azurecr.io
+ARO_HCP_IMAGE_REPOSITORY ?= package-operator/package-operator-package
 
 deploy:
-	kubectl apply -f https://github.com/package-operator/package-operator/releases/download/v1.15.0/self-bootstrap-job.yaml
+	@kubectl create namespace ${NAMESPACE} --dry-run=client -o json | kubectl apply -f -
+	IMAGE_PULLER_MI_CLIENT_ID=$$(az identity show \
+			-g ${RESOURCEGROUP} \
+			-n image-puller \
+			--query clientId -o tsv) && \
+	IMAGE_PULLER_MI_TENANT_ID=$$(az identity show \
+			-g ${RESOURCEGROUP} \
+			-n image-puller \
+			--query tenantId -o tsv) && \
+	${HELM_CMD} package-operator ./helm \
+	--namespace ${NAMESPACE} \
+	--set pkoImage=${PKO_IMAGE} \
+	--set pkoImageManager=${PKO_IMAGE_MANAGER} \
+	--set pkoImageTag=${PKO_IMAGE_TAG} \
+	--set pullBinding.workloadIdentityClientId="$${IMAGE_PULLER_MI_CLIENT_ID}" \
+	--set pullBinding.workloadIdentityTenantId="$${IMAGE_PULLER_MI_TENANT_ID}" \
+	--set pullBinding.registry=${ARO_HCP_IMAGE_REGISTRY} \
+	--set pullBinding.scope='repository:*:pull' 
+
+image:
+	az acr login --name ${ARO_HCP_IMAGE_ACR} && \
+	cd $$(mktemp -d) && \
+	git clone https://github.com/package-operator/package-operator.git && \
+	cd package-operator && \
+	git checkout ${PKO_IMAGE_TAG} && \
+	IMAGE_REGISTRY=${ARO_HCP_IMAGE_REGISTRY}/package-operator ./do ci:release
 
 .PHONY: deploy
diff --git a/pko/helm/Chart.yaml b/pko/helm/Chart.yaml
@@ -0,0 +1,7 @@
+apiVersion: v2
+name: package-operator
+description: A Helm chart for package-operator
+type: application
+
+version: 0.1.0
+appVersion: "1.0.0"
diff --git a/pko/helm/templates/acrpullbinding.yaml b/pko/helm/templates/acrpullbinding.yaml
@@ -0,0 +1,15 @@
+apiVersion: acrpull.microsoft.com/v1beta2
+kind: AcrPullBinding
+metadata:
+  name: pull-binding
+spec:
+  acr:
+    environment: PublicCloud
+    server: {{ .Values.pullBinding.registry }}
+    scope: {{ .Values.pullBinding.scope }}
+  auth:
+    workloadIdentity:
+      serviceAccountRef: package-operator
+      clientID: {{ .Values.pullBinding.workloadIdentityClientId }}
+      tenantID: {{ .Values.pullBinding.workloadIdentityTenantId }}
+  serviceAccountName: package-operator
diff --git a/pko/helm/templates/clusterrolebinding.yaml b/pko/helm/templates/clusterrolebinding.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: package-operator
+  labels:
+    package-operator.run/cache: "True"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: package-operator
+  namespace: package-operator-system
diff --git a/pko/helm/templates/job.yaml b/pko/helm/templates/job.yaml
@@ -0,0 +1,37 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: package-operator-bootstrap
+  namespace: package-operator-system
+spec:
+  # delete right after completion
+  ttlSecondsAfterFinished: 0
+  # set deadline to 30min
+  activeDeadlineSeconds: 1800
+  template:
+    spec:
+      restartPolicy: OnFailure
+      serviceAccountName: package-operator
+      containers:
+      - name: package-operator
+        image: "{{ .Values.pkoImageManager }}:{{ .Values.pkoImageTag }}"
+        args: ["-self-bootstrap={{ .Values.pkoImage }}:{{ .Values.pkoImageTag }}"]
+        imagePullPolicy: Always
+        env:
+        - name: PKO_REGISTRY_HOST_OVERRIDES
+          value: ''
+        - name: PKO_CONFIG
+          value: ''
+        - name: PKO_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: PKO_SERVICE_ACCOUNT_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: PKO_SERVICE_ACCOUNT_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+  backoffLimit: 3
diff --git a/pko/helm/templates/serviceaccount.yaml b/pko/helm/templates/serviceaccount.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: package-operator
+  namespace: package-operator-system
+  labels:
+    package-operator.run/cache: "True"
diff --git a/pko/helm/values.yaml b/pko/helm/values.yaml
@@ -0,0 +1,8 @@
+pkoImage: ""
+pkoImageManager: ""
+pkoImageTag: ""
+pullBinding:
+  registry: ""
+  scope: ""
+  workloadIdentityClientId: ""
+  workloadIdentityTenantId: ""
diff --git a/pko/pipeline.yaml b/pko/pipeline.yaml
@@ -0,0 +1,26 @@
+$schema: "pipeline.schema.v1"
+serviceGroup: Microsoft.Azure.ARO.HCP.RP.PKO
+rolloutName: RP PKO Rollout
+resourceGroups:
+- name: {{ .mgmt.rg }}
+  subscription: {{ .svc.subscription }}
+  aksCluster: {{ .aksName }}
+  steps:
+  - name: deploy
+    action: Shell
+    command: make deploy
+    dryRun:
+      variables:
+        - name: DRY_RUN
+          value: "true"
+    variables:
+    - name: ARO_HCP_IMAGE_ACR
+      configRef: svcAcrName
+    - name: PKO_IMAGE
+      configRef: pko.image
+    - name: PKO_IMAGE_MANAGER
+      configRef: pko.imageManager
+    - name: PKO_IMAGE_TAG
+      configRef: pko.imageTag
+    - name: RESOURCEGROUP
+      configRef: mgmt.rg
