Merge remote-tracking branch 'origin/main' into feature/tekton-apps-k…

…ustomize-helm-plugin

CHANGELOG.md

@@ -7,6 +7,21 @@
 - [associated PR](https://github.com/saritasa-nest/saritasa-devops-helm-charts/pull/139)
 - Add option to select `kustomize-build-with-helm` plugin in tekton-apps
 
+## 2024-10-11
+
+[prod]
+
+- [associated PR](https://github.com/saritasa-nest/saritasa-devops-helm-charts/pull/138)
+- Breaking change(!): move EventListener definition from "tekton-apps" to "tekton" helm chart.
+  You must update both these charts for correct work.
+- Define triggers as standalone entity, not part as EventListener definition.
+  EventListener finds matching triggers by label selector.
+
+[prod]
+
+- [associated PR](https://github.com/saritasa-nest/saritasa-devops-helm-charts/pull/137)
+- Tekton pipeline prepare template fix
+
 ## 2024-10-08
 
 [prod]

charts/tekton-apps/Chart.yaml

@@ -12,7 +12,7 @@ appVersion: "v0.29.0"
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.23-dev.1
+version: 1.1.1
 
 maintainers:
   - url: https://www.saritasa.com/
@@ -79,8 +79,10 @@ description: |
           defaultRegistry: xxx.dkr.ecr.us-west-2.amazonaws.com
           argocd:
             server: deploy.staging.site.com
-          eventlistener:
+          trigger:
             enableWebhookSecret: true
+            labels:
+              builder: tekton
           apps:
             - project: vp
               enabled: true
@@ -335,7 +337,7 @@ description: |
             defaultRegistry: xxx.dkr.ecr.us-west-2.amazonaws.com
             argocd:
               server: deploy.staging.site.com
-            eventlistener:
+            trigger:
               enableWebhookSecret: true
             apps:
               - project: xxx

charts/tekton-apps/README.md

@@ -31,7 +31,7 @@ saritasa-tekton-apps
 
 ## `chart.version`
 
-![Version: 0.2.23-dev.1](https://img.shields.io/badge/Version-0.2.23--dev.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.29.0](https://img.shields.io/badge/AppVersion-v0.29.0-informational?style=flat-square)
+![Version: 1.1.1](https://img.shields.io/badge/Version-1.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.29.0](https://img.shields.io/badge/AppVersion-v0.29.0-informational?style=flat-square)
 
 ## Maintainers
 
@@ -100,8 +100,10 @@ spec:
         defaultRegistry: xxx.dkr.ecr.us-west-2.amazonaws.com
         argocd:
           server: deploy.staging.site.com
-        eventlistener:
+        trigger:
           enableWebhookSecret: true
+          labels:
+            builder: tekton
         apps:
           - project: vp
             enabled: true
@@ -356,7 +358,7 @@ spec:
           defaultRegistry: xxx.dkr.ecr.us-west-2.amazonaws.com
           argocd:
             server: deploy.staging.site.com
-          eventlistener:
+          trigger:
             enableWebhookSecret: true
           apps:
             - project: xxx
@@ -1599,18 +1601,18 @@ whitelistIP: |
 | aws | object | `{}` | aws configuration |
 | defaultRegistry | string | `""` | default docker registry ex: XXX.dkr.ecr.us-west-2.amazonaws.com |
 | environment | string | `""` | environment these apps are handling possible values: dev, staging, prod |
-| eventlistener.enableWebhookSecret | bool | `true` | should we enable eventlistener for tekton triggers? |
-| eventlistener.extraOverlays | list | `[]` | should we add additional overlays for each app running under trigger? |
-| eventlistener.suffix | string | `""` | unique suffix (in case there are several eventlisteners in the cluster) |
 | gitBranchPrefixes[0] | string | `"develop"` |  |
-| nodeSelector | string | `""` | node selector for event listener pod |
+| nodeSelector | object | `{}` | node selector for event listener pod |
 | runPostInstallMountPvcJob | bool | `false` | run job that will mount created (but not bound) PVCs in order for argocd to mark the app as "healthy" |
-| serviceAccount.create | string | `"true"` |  |
 | serviceAccount.name | string | `"build-bot-sa"` |  |
+| serviceAccount.namespace | string | `""` |  |
 | slack.imagesLocation | string | `"https://saritasa-rocks-ci.s3.us-west-2.amazonaws.com"` | slack notification images (s3 bucket prefix) |
 | slack.prefix | string | `"client"` | channel prefix |
 | slack.suffix | string | `"ci"` | channel suffix |
-| storageClassName | string | `"gp2"` | storage class for PVCs associated with the apps |
+| storageClassName | string | `"gp3"` | storage class for PVCs associated with the apps |
+| trigger.enableWebhookSecret | bool | `true` | should tekton triggers check secret passed by GitHub webhook? |
+| trigger.extraOverlays | list | `[]` | should we add additional overlays for each app running under trigger? |
+| trigger.labels | object | `{"builder":"tekton"}` | labels to set on Triggers - for discovery by EventListener |
 | whitelistIP | string | `""` | Comma-separated list of IP masks to bypass access limitation (if applicable, ex. for legacy projects protected with basic authentication) |
 
 ----------------------------------------------

charts/tekton-apps/templates/_helpers.tpl

@@ -49,14 +49,3 @@ Selector labels
 app.kubernetes.io/name: {{ include "tekton-apps.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "tekton-apps.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "tekton-apps.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}

charts/tekton-apps/templates/_snippets.tpl

@@ -64,78 +64,10 @@ body.ref.startsWith('refs/heads/{{- $prefix -}}'),
 {{- end -}}
 {{- end }}
 
-{{/*
-Create the name for eventlistener
-*/}}
-{{- define "tekton-apps.eventlistenerName" -}}
-{{ printf "build-pipeline-event-listener-%s" . | trimSuffix "-" }}
-{{ end -}}
-
 {{- define "tekton-apps.eventlistener.filter" -}}
 ({{ (join " || " (compact (splitList "," (include "tekton-apps.eventlistener._filter" $ )))) }})
 {{- end }}
 
-{{/*
-Create an element for eventlistener trigger array items
-*/}}
-{{- define "tekton-apps.eventlistener.trigger" -}}
-{{ $filter := ternary .component.eventlistener.filter (include "tekton-apps.eventlistener.filter" .gitBranchPrefixes)
-              (hasKey .component.eventlistener "filter") -}}
-{{- if and (.component).repository ((.component).eventlistener).template  }}
-- name: {{ include "tekton-apps.resourceName" (set $ "suffix" "listener") }}
-  serviceAccountName: {{ include "tekton-apps.resourceName" (set $ "suffix" "trigger-sa") }}
-  interceptors:
-  - ref:
-      kind: ClusterInterceptor
-      name: "cel"
-    params:
-      - name: "filter"
-        value: {{ $filter }} &&
-               body.head_commit.author.name != "tekton-kustomize" &&
-               body.repository.name == {{ .component.repository | quote }}
-      - name: "overlays"
-        value:
-        - key: truncated_sha
-          expression: "body.head_commit.id.truncate(7)"
-        - key: branch_name
-          expression: "body.ref.split('/')[2]"
-        {{- if .eventlistener.extraOverlays }}
-        {{- toYaml .eventlistener.extraOverlays | nindent 8 }}
-        {{ end }}
-        {{- if .component.eventlistener.extraOverlays }}
-        {{- toYaml .component.eventlistener.extraOverlays | nindent 8 }}
-        {{ end }}
-  - ref:
-      kind: ClusterInterceptor
-      name: "github"
-    params:
-      {{- if hasKey .component.eventlistener "enableWebhookSecret" | ternary .component.eventlistener.enableWebhookSecret .eventlistener.enableWebhookSecret }}
-      - name: "secretRef"
-        value:
-          secretName: {{ include "tekton-apps.resourceName" (set $ "suffix" "webhook-secret") }}
-          secretKey: secret-token
-      {{- end }}
-      - name: "eventTypes"
-        value:
-      {{- if .component.eventlistener.eventTypes }}
-        {{- toYaml .component.eventlistener.eventTypes | nindent 8 }}
-      {{- else }}
-        - "push"
-      {{- end }}
-  bindings:
-  - kind: TriggerBinding
-    name: sha
-    value: $(extensions.truncated_sha)
-  - kind: TriggerBinding
-    ref: {{ include "tekton-apps.resourceName" (set $ "suffix" "env") }}
-  - kind: TriggerBinding
-    ref: github-trigger-binding
-  template:
-    ref: {{ .component.eventlistener.template }}
-{{- end }}
-{{ end }}
-
-
 {{/*
 Create a name of the kubernetes secret containing project component's SSH deploy key
 */}}

charts/tekton-apps/templates/general/serviceaccounts.yaml

@@ -16,8 +16,6 @@
 {{ include "tekton-apps.service-account" (set (set $data "suffix" "build-pipeline-sa")           "secret" (include "tekton-apps.component-repo-deploy-key" $data)) }}
 # contains ssh key for kubernetes repo
 {{ include "tekton-apps.service-account" (set (set $data "suffix" "build-pipeline-kustomize-sa") "secret" (include "tekton-apps.kubernetes-repo-deploy-key" $data)) }}
-# contains webhook secret
-{{ include "tekton-apps.service-account" (set (set $data "suffix" "trigger-sa")                  "secret" (include "tekton-apps.component-repo-webhook-secret" $data)) }}
 
 {{- end }} # if not component.wordpress
 {{- end }} # range component

charts/tekton-apps/templates/roles.yaml

@@ -15,7 +15,7 @@ kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: {{ include "tekton-apps.resourceName" (set $data "suffix" "build-pipeline-role") }}
- namespace: {{ or ((.component).argocd).destinationNamespace $.Release.Namespace }}
+ namespace: {{ coalesce ((.component).argocd).destinationNamespace $.Release.Namespace }}
 rules:
   - apiGroups:  ["extensions", "apps", "batch", ""]
     resources:  ["services", "deployments", "pods", "jobs", "pods/log"]
@@ -27,34 +27,6 @@ rules:
     resources:  ["pipelineruns"]
     verbs:      ["get", "list", "create"]
 
----
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: {{ include "tekton-apps.resourceName" (set $data "suffix" "trigger-role") }}
- # We don't need to use the tekton-apps.set-namespace-from-component-or-project snippet here and below (like we do for wordpress) because these objects are not used in other namespaces
- namespace: {{ $.Release.Namespace }}
-rules:
-  - apiGroups:  ["triggers.tekton.dev"]
-    resources:  ["eventlisteners", "triggerbindings", "triggertemplates", "clusterinterceptors"]
-    verbs:      ["get", "list", "watch", "create", "update", "patch", "delete"]
-
-  - apiGroups:  ["triggers.tekton.dev"]
-    resources:  ["triggers", "clustertriggerbindings"]
-    verbs:      ["get", "list", "watch"]
-
-  - apiGroups:  ["tekton.dev"]
-    resources:  ["pipelineruns", "pipelineresources", "taskruns"]
-    verbs:      ["create"]
-
-  - apiGroups:  ["extensions"]
-    resources:  ["ingresses"]
-    verbs:      ["get", "list", "watch", "create", "update", "patch", "delete"]
-
-  - apiGroups:  [""]
-    resources:  ["configmaps", "secrets", "serviceaccounts"]
-    verbs:      ["get", "list", "watch", "impersonate"]
-
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -70,53 +42,8 @@ subjects:
   name: {{ include "tekton-apps.resourceName" (set $data "suffix" "build-pipeline-sa") }}
   namespace: {{ $.Release.Namespace }}
 - kind: ServiceAccount
-  name: build-bot-sa
-  namespace: {{ $.Release.Namespace }}
-
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: {{ include "tekton-apps.resourceName" (set $data "suffix" "trigger-role-binding") }}
-  namespace: {{ $.Release.Namespace }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ include "tekton-apps.resourceName" (set $data "suffix" "trigger-role") }}
-subjects:
-- kind: ServiceAccount
-  name: {{ include "tekton-apps.resourceName" (set $data "suffix" "trigger-sa") }}
-  namespace: {{ $.Release.Namespace }}
-- kind: ServiceAccount
-  name: build-bot-sa
-  namespace: {{ $.Release.Namespace }}
-
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: {{ include "tekton-apps.resourceName" (set $data "suffix" "triggger-cluster-role") }}
-rules:
-  - apiGroups: ["triggers.tekton.dev"]
-    resources: ["clustertriggerbindings", "clusterinterceptors"]
-    verbs: ["get", "list", "watch"]
-
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: {{ include "tekton-apps.resourceName" (set $data "suffix" "triggger-cluster-role-binding") }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: {{ include "tekton-apps.resourceName" (set $data "suffix" "triggger-cluster-role") }}
-subjects:
-- kind: ServiceAccount
-  name: {{ include "tekton-apps.resourceName" (set $data "suffix" "trigger-sa") }}
-  namespace: {{ $.Release.Namespace }}
-- kind: ServiceAccount
-  name: build-bot-sa
-  namespace: {{ $.Release.Namespace }}
+  name: {{ $.Values.serviceAccount.name }}
+  namespace: {{ $.Values.serviceAccount.namespace | default $.Release.Namespace }}
 
 ---