diff --git a/.github/workflows/services-ci.yml b/.github/workflows/services-ci.yml
index 1029f627f..aebf90460 100644
--- a/.github/workflows/services-ci.yml
+++ b/.github/workflows/services-ci.yml
@@ -157,3 +157,30 @@
run: |
cd tooling/image-sync
make push
+
+ build_push_package_operator:
+ permissions:
+ id-token: 'write'
+ contents: 'read'
+ runs-on: 'ubuntu-latest'
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ fetch-depth: 1
+
+ - name: "install azure-cli"
+ if: inputs.push == true
+ uses: "Azure/ARO-HCP@main"
+
+ - name: 'Az CLI login'
+ if: inputs.push == true
+ uses: azure/login@v2
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ - name: Build package operator container image from git@github.com:package-operator/package-operator.git
+ run: |
+ cd pko
+ make image
diff --git a/config/config.schema.json b/config/config.schema.json
index 165c705cc..c208ac31f 100644
--- a/config/config.schema.json
+++ b/config/config.schema.json
@@ -126,6 +126,26 @@
"regionalSubdomain"
]
},
+ "pko": {
+ "type": "object",
+ "properties": {
+ "image": {
+ "type": "string"
+ },
+ "imageManager": {
+ "type": "string"
+ },
+ "imageTag": {
+ "type": "string"
+ }
+ },
+ "additionalProperties": false,
+ "required": [
+ "image",
+ "imageManager",
+ "imageTag"
+ ]
+ },
"clusterService": {
"type": "object",
"properties": {
diff --git a/config/config.yaml b/config/config.yaml
index aed8dea96..d22494c3f 100644
--- a/config/config.yaml
+++ b/config/config.yaml
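Review bot: The `Build package operator container image` step is not gated on `inputs.push`, while `make image` (pko/Makefile in this same change) begins with `az acr login`; on a run where `inputs.push` is false the `Az CLI login` step is skipped and the build step then fails at the login instead of producing a build-only result, so add `if: inputs.push == true` to that step or split the build from the release. From its name, `./do ci:release` invoked by `make image` appears to push to the registry as well, which is worth confirming against what the job name `build_push_package_operator` promises. Separately, `uses: "Azure/ARO-HCP@main"` and `uses: azure/login@v2` reference mutable refs while `actions/checkout` is pinned to a commit SHA; pinning all three the same way keeps the job's supply chain consistent.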
@@ -86,6 +86,11 @@ defaults:
consumerName: hcp-underlay-{{ .ctx.regionShort }}-mgmt-{{ .ctx.stamp }}
imageBase: quay.io/redhat-user-workloads/maestro-rhtap-tenant/maestro/maestro

+ pko:
+ image: arohcpsvcdev.azurecr.io/package-operator/package-operator-package
+ imageManager: arohcpsvcdev.azurecr.io/package-operator/package-operator-manager
+ imageTag: v1.15.0
+
# Cluster Service
clusterService:
acrRG: global
diff --git a/config/public-cloud-cs-pr.json b/config/public-cloud-cs-pr.json
index 81ae056dd..3055dab45 100644
--- a/config/public-cloud-cs-pr.json
+++ b/config/public-cloud-cs-pr.json
@@ -187,6 +187,11 @@
},
"ocpAcrName": "arohcpocpdev",
"oidcStorageAccountName": "arohcpoidccspr",
+ "pko": {
+ "image": "arohcpsvcdev.azurecr.io/package-operator/package-operator-package",
+ "imageManager": "arohcpsvcdev.azurecr.io/package-operator/package-operator-manager",
+ "imageTag": "v1.15.0"
+ },
"region": "westus3",
"regionRG": "hcp-underlay-cspr",
"serviceKeyVault": {
diff --git a/config/public-cloud-dev.json b/config/public-cloud-dev.json
index 292e9895a..d6727c5af 100644
--- a/config/public-cloud-dev.json
+++ b/config/public-cloud-dev.json
@@ -187,6 +187,11 @@
},
"ocpAcrName": "arohcpocpdev",
"oidcStorageAccountName": "arohcpoidcdev",
+ "pko": {
+ "image": "arohcpsvcdev.azurecr.io/package-operator/package-operator-package",
+ "imageManager": "arohcpsvcdev.azurecr.io/package-operator/package-operator-manager",
+ "imageTag": "v1.15.0"
+ },
"region": "westus3",
"regionRG": "hcp-underlay-dev",
"serviceKeyVault": {
diff --git a/config/public-cloud-personal-dev.json b/config/public-cloud-personal-dev.json
index 40d5cd986..592654d80 100644
--- a/config/public-cloud-personal-dev.json
+++ b/config/public-cloud-personal-dev.json
@@ -187,6 +187,11 @@
},
"ocpAcrName": "arohcpocpdev",
"oidcStorageAccountName": "arohcpoidcusw3tst",
+ "pko": {
+ "image": "arohcpsvcdev.azurecr.io/package-operator/package-operator-package",
+ "imageManager": "arohcpsvcdev.azurecr.io/package-operator/package-operator-manager",
+ "imageTag": "v1.15.0"
+ },
"region": "westus3",
"regionRG": "hcp-underlay-usw3tst",
"serviceKeyVault": {
diff --git a/pko/Makefile b/pko/Makefile
index 920b20add..939927fec 100644
--- a/pko/Makefile
+++ b/pko/Makefile
@@ -1,6 +1,37 @@
-SHELL = /bin/bash
+-include ../setup-env.mk
+-include ../helm-cmd.mk
+HELM_CMD ?= helm upgrade --install
+
+NAMESPACE ?= package-operator-system
+ARO_HCP_IMAGE_REGISTRY ?= ${ARO_HCP_IMAGE_ACR}.azurecr.io
+ARO_HCP_IMAGE_REPOSITORY ?= package-operator/package-operator-package

deploy:
- kubectl apply -f https://github.com/package-operator/package-operator/releases/download/v1.15.0/self-bootstrap-job.yaml
+ @kubectl create namespace ${NAMESPACE} --dry-run=client -o json | kubectl apply -f -
+ IMAGE_PULLER_MI_CLIENT_ID=$$(az identity show \
+ -g ${RESOURCEGROUP} \
+ -n image-puller \
+ --query clientId -o tsv) && \
+ IMAGE_PULLER_MI_TENANT_ID=$$(az identity show \
+ -g ${RESOURCEGROUP} \
+ -n image-puller \
+ --query tenantId -o tsv) && \
+ ${HELM_CMD} package-operator ./helm \
+ --namespace ${NAMESPACE} \
+ --set pkoImage=${PKO_IMAGE} \
+ --set pkoImageManager=${PKO_IMAGE_MANAGER} \
+ --set pkoImageTag=${PKO_IMAGE_TAG} \
+ --set pullBinding.workloadIdentityClientId="$${IMAGE_PULLER_MI_CLIENT_ID}" \
+ --set pullBinding.workloadIdentityTenantId="$${IMAGE_PULLER_MI_TENANT_ID}" \
+ --set pullBinding.registry=${ARO_HCP_IMAGE_REGISTRY} \
+ --set pullBinding.scope='repository:*:pull'
+
+image:
+ az acr login --name ${ARO_HCP_IMAGE_ACR} && \
+ cd $$(mktemp -d) && \
+ git clone https://github.com/package-operator/package-operator.git && \
+ cd package-operator && \
+ git checkout ${PKO_IMAGE_TAG} && \
+ IMAGE_REGISTRY=${ARO_HCP_IMAGE_REGISTRY}/package-operator ./do ci:release

.PHONY: deploy
diff --git a/pko/helm/Chart.yaml b/pko/helm/Chart.yaml
new file mode 100644
index 000000000..1c2dbeb91
--- /dev/null
+++ b/pko/helm/Chart.yaml
@@ -0,0 +1,7 @@
+apiVersion: v2
+name: package-operator
+description: A Helm chart for package-operator
+type: application
+
+version: 0.1.0
+appVersion: "1.0.0"
diff --git a/pko/helm/templates/acrpullbinding.yaml b/pko/helm/templates/acrpullbinding.yaml
new file mode 100644
index 000000000..2bbc27f6c
--- /dev/null
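Review bot: In the `image` target, `git checkout ${PKO_IMAGE_TAG}` builds and releases from an upstream git tag, which the upstream repository can move after this was reviewed; checking out a commit SHA (and keeping the tag only as the image tag) ties the published image to a specific revision. The `mktemp -d` directory is never removed, so every build leaves a full clone behind on the runner. In `deploy`, `--set pullBinding.scope='repository:*:pull'` grants pull on every repository in the registry although the chart only references the two package-operator repositories; if the scope syntax allows naming repositories, a narrower scope is closer to least privilege. `.PHONY: deploy` is also not extended to the new `image` target.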
+++ b/pko/helm/templates/acrpullbinding.yaml
@@ -0,0 +1,15 @@
+apiVersion: acrpull.microsoft.com/v1beta2
+kind: AcrPullBinding
+metadata:
+ name: pull-binding
+spec:
+ acr:
+ environment: PublicCloud
+ server: {{ .Values.pullBinding.registry }}
+ scope: {{ .Values.pullBinding.scope }}
+ auth:
+ workloadIdentity:
+ serviceAccountRef: package-operator
+ clientID: {{ .Values.pullBinding.workloadIdentityClientId }}
+ tenantID: {{ .Values.pullBinding.workloadIdentityTenantId }}
+ serviceAccountName: package-operator
diff --git a/pko/helm/templates/clusterrolebinding.yaml b/pko/helm/templates/clusterrolebinding.yaml
new file mode 100644
index 000000000..cb88410f5
--- /dev/null
+++ b/pko/helm/templates/clusterrolebinding.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: package-operator
+ labels:
+ package-operator.run/cache: "True"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- kind: ServiceAccount
+ name: package-operator
+ namespace: package-operator-system
diff --git a/pko/helm/templates/job.yaml b/pko/helm/templates/job.yaml
new file mode 100644
index 000000000..c1f21a6c4
--- /dev/null
+++ b/pko/helm/templates/job.yaml
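Review bot: `server`, `scope`, `clientID` and `tenantID` are rendered from unquoted template expressions, and values.yaml in this change defaults all four to `""`, so a forgotten `--set` renders e.g. `server:` as null and the binding is installed with empty fields instead of the release failing. Quoting and requiring them closes that, e.g. `server: {{ required "pullBinding.registry is required" .Values.pullBinding.registry | quote }}`, and the same form for the other three. `serviceAccountRef` and `serviceAccountName` repeat the literal `package-operator` that serviceaccount.yaml also hard-codes; that is fine as long as the two files are kept in step.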
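Review bot: `namespace: package-operator-system` is hard-coded in the subject, while pko/Makefile in this change lets `NAMESPACE` be overridden and passes it to `--namespace`; an override leaves this binding pointing at a ServiceAccount in a namespace that is never created. Using `{{ .Release.Namespace }}` here, and in `metadata.namespace` of job.yaml and serviceaccount.yaml, keeps every resource following the release namespace. Binding `cluster-admin` to the bootstrap service account is a broad grant; if package-operator's self-bootstrap needs it, a comment above `name: cluster-admin` saying so would document why no narrower ClusterRole was used.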
@@ -0,0 +1,37 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: package-operator-bootstrap
+ namespace: package-operator-system
+spec:
+ # delete right after completion
+ ttlSecondsAfterFinished: 0
+ # set deadline to 30min
+ activeDeadlineSeconds: 1800
+ template:
+ spec:
+ restartPolicy: OnFailure
+ serviceAccountName: package-operator
+ containers:
+ - name: package-operator
+ image: "{{ .Values.pkoImageManager }}:{{ .Values.pkoImageTag }}"
+ args: ["-self-bootstrap={{ .Values.pkoImage }}:{{ .Values.pkoImageTag }}"]
+ imagePullPolicy: Always
+ env:
+ - name: PKO_REGISTRY_HOST_OVERRIDES
+ value: ''
+ - name: PKO_CONFIG
+ value: ''
+ - name: PKO_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: PKO_SERVICE_ACCOUNT_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: PKO_SERVICE_ACCOUNT_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.serviceAccountName
+ backoffLimit: 3
diff --git a/pko/helm/templates/serviceaccount.yaml b/pko/helm/templates/serviceaccount.yaml
new file mode 100644
index 000000000..555b9c2a6
--- /dev/null
+++ b/pko/helm/templates/serviceaccount.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: package-operator
+ namespace: package-operator-system
+ labels:
+ package-operator.run/cache: "True"
diff --git a/pko/helm/values.yaml b/pko/helm/values.yaml
new file mode 100644
index 000000000..5f787db42
--- /dev/null
+++ b/pko/helm/values.yaml
@@ -0,0 +1,8 @@
+pkoImage: ""
+pkoImageManager: ""
+pkoImageTag: ""
+pullBinding:
+ registry: ""
+ scope: ""
+ workloadIdentityClientId: ""
+ workloadIdentityTenantId: ""
diff --git a/pko/pipeline.yaml b/pko/pipeline.yaml
new file mode 100644
index 000000000..69062c076
--- /dev/null
+++ b/pko/pipeline.yaml
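Review bot: `ttlSecondsAfterFinished: 0` deletes the Job the moment it finishes, including after the `backoffLimit: 3` retries are exhausted, so a failed bootstrap leaves no pod and no logs to investigate; a non-zero TTL (an hour or more) keeps failures inspectable while still cleaning up. The image is addressed as `{{ .Values.pkoImageManager }}:{{ .Values.pkoImageTag }}` with `imagePullPolicy: Always`, i.e. by mutable tag; if the release pipeline can supply the digest, a `@sha256:` reference makes the bootstrap reproducible. The Job carries no Helm hook annotation, so if a Job from a previous release still exists when `helm upgrade --install` runs with a new tag, patching the immutable pod template will presumably fail — worth checking or documenting in a comment above `kind: Job`.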
@@ -0,0 +1,26 @@
+$schema: "pipeline.schema.v1"
+serviceGroup: Microsoft.Azure.ARO.HCP.RP.PKO
+rolloutName: RP PKO Rollout
+resourceGroups:
+- name: {{ .mgmt.rg }}
+ subscription: {{ .svc.subscription }}
+ aksCluster: {{ .aksName }}
+ steps:
+ - name: deploy
+ action: Shell
+ command: make deploy
+ dryRun:
+ variables:
+ - name: DRY_RUN
+ value: "true"
+ variables:
+ - name: ARO_HCP_IMAGE_ACR
+ configRef: svcAcrName
+ - name: PKO_IMAGE
+ configRef: pko.image
+ - name: PKO_IMAGE_MANAGER
+ configRef: pko.imageManager
+ - name: PKO_IMAGE_TAG
+ configRef: pko.imageTag
+ - name: RESOURCEGROUP
+ configRef: mgmt.rg
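Review bot: The `dryRun` variant sets `DRY_RUN=true`, but the `deploy` target in pko/Makefile (this change) runs `kubectl create namespace ... | kubectl apply -f -` and the two `az identity show` calls unconditionally; only the helm invocation can honour the flag, presumably through `HELM_CMD` from `../helm-cmd.mk`, which is not in the diff. A dry run therefore still creates the namespace on the cluster. Guarding the namespace step on `DRY_RUN` in the Makefile, or a comment above `dryRun:` stating that side effect, would close the gap.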