fix: remove hard coding of chart repository in replication
Repository is now pulled from the yaml file that defines the charts for replication.
As there is no CI, I have added the generated templates below so it can be confirmed that the appropriate paths are being pulled through.
$ helm template kops-workflows . -f values-k8s.yaml
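# Source: kops-replication/templates/workflows-artifact-replication.yaml
# Rendered Argo Workflow: replicates the charts listed in the mounted ConfigMap
# into registry.cern.ch/kubernetes/charts, signs each one with cosign and
# verifies the signature. This is `helm template` output; the script changes
# below belong in the template named on the line above.
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  name: chart-replication-registry-cern-ch-kubernetes-charts-1855343165
spec:
  entrypoint: apply
  volumes:
    # Replication list, one "<source repo> <chart> <version>" entry per line.
    - name: replication-registry-cern-ch-kubernetes-charts
      configMap:
        name: replication-registry-cern-ch-kubernetes-charts
    # cosign key pair (.sign.key / .sign.pub) used by the script.
    - name: registry-cern-ch-kubernetes-charts-sign
      secret:
        secretName: registry-cern-ch-kubernetes-charts-sign
  templates:
    - name: apply
      activeDeadlineSeconds: 3600
      retryStrategy:
        limit: "0"
      script:
        # NOTE(review): the tag is mutable and imagePullPolicy is Always, so
        # each run executes whatever 0.5.0 currently points to with the signing
        # key mounted. Pin by digest (image@sha256:<digest>) unless the
        # registry enforces tag immutability.
        image: registry.cern.ch/kubernetes/ops:0.5.0
        imagePullPolicy: Always
        command: [/bin/bash]
        volumeMounts:
          - name: replication-registry-cern-ch-kubernetes-charts
            mountPath: /data
          - name: registry-cern-ch-kubernetes-charts-sign
            mountPath: /etc/sign
        env:
          # NOTE(review): empty passphrase, so the private key in the -sign
          # Secret is presumably stored unencrypted; access control on that
          # Secret is then the only protection for the signing key.
          - name: COSIGN_PASSWORD
            value: ""
        envFrom:
          # Expected to provide REGISTRY_USERNAME and REGISTRY_PASSWORD.
          - secretRef:
              name: "registry-cern-ch-kubernetes-charts-creds"
        source: |
          # -u makes an unset variable a hard error instead of an empty string.
          set -euo pipefail

          # Destination registry path, as rendered from the values file.
          registry="registry.cern.ch/kubernetes/charts"
          # Host part only (everything before the first "/").
          registry_host="${registry%%/*}"

          # Pass the password on stdin so it never appears in a process
          # argument list.
          printf '%s' "$REGISTRY_PASSWORD" | skopeo login --password-stdin -u "$REGISTRY_USERNAME" "$registry"
          printf '%s' "$REGISTRY_PASSWORD" | cosign login --password-stdin -u "$REGISTRY_USERNAME" "$registry_host"
          printf '%s' "$REGISTRY_PASSWORD" | helm registry login --password-stdin -u "$REGISTRY_USERNAME" "$registry_host"

          # Read the list on fd 3 so commands inside the loop cannot consume
          # entries from stdin.
          while read -r sourcerepo chart version _extra <&3
          do
            # Reject incomplete entries before they reach helm or cosign.
            if [ -z "$sourcerepo" ] || [ -z "$chart" ] || [ -z "$version" ]; then
              echo "malformed replication entry: '${sourcerepo} ${chart} ${version}'" >&2
              exit 1
            fi
            source="${sourcerepo}/${chart}:${version}"
            # The original built dest from ${repo}, which the script never
            # assigns; use the same reference that is inspected and verified so
            # the signature lands on the artifact that is checked.
            dest="${registry}/${chart}:${version}"
            if ! skopeo inspect --raw "docker://${dest}" > /dev/null; then
              echo "replicating chart ${source} into ${dest}"
              # NOTE(review): no provenance check is visible on the pull, so
              # whatever the source repo serves is what gets signed below.
              # Confirm upstream integrity is checked elsewhere.
              helm pull --repo "$sourcerepo" "${chart}" --version "${version}"
              helm push "${chart}"-*"${version}".tgz "oci://${registry}"
              # NOTE(review): this signs a tag reference; signing the pushed
              # digest would tie the signature to exactly what was pushed.
              cosign sign -r --key /etc/sign/.sign.key -y "$dest"
            else
              echo "chart ${source} exists at ${dest} ... skipping replication."
            fi
            echo "verifying artifact signature: ${dest}"
            cosign verify --key /etc/sign/.sign.pub "${dest}"
          done 3< /data/replication-registry-cern-ch-kubernetes-charts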
$ helm template kops-workflows . -f values-acc.yaml
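# Source: kops-replication/templates/workflows-artifact-replication.yaml
# Rendered Argo Workflow: replicates the charts listed in the mounted ConfigMap
# into registry.cern.ch/acc/ksc/charts, signs each one with cosign and verifies
# the signature. This is `helm template` output; the script changes below
# belong in the template named on the line above.
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  name: chart-replication-registry-cern-ch-acc-ksc-charts-131194430
spec:
  entrypoint: apply
  volumes:
    # Replication list, one "<source repo> <chart> <version>" entry per line.
    - name: replication-registry-cern-ch-acc-ksc-charts
      configMap:
        name: replication-registry-cern-ch-acc-ksc-charts
    # cosign key pair (.sign.key / .sign.pub) used by the script.
    - name: registry-cern-ch-acc-ksc-charts-sign
      secret:
        secretName: registry-cern-ch-acc-ksc-charts-sign
  templates:
    - name: apply
      activeDeadlineSeconds: 3600
      retryStrategy:
        limit: "0"
      script:
        # NOTE(review): the tag is mutable and imagePullPolicy is Always, so
        # each run executes whatever 0.5.0 currently points to with the signing
        # key mounted. Pin by digest (image@sha256:<digest>) unless the
        # registry enforces tag immutability.
        image: registry.cern.ch/kubernetes/ops:0.5.0
        imagePullPolicy: Always
        command: [/bin/bash]
        volumeMounts:
          - name: replication-registry-cern-ch-acc-ksc-charts
            mountPath: /data
          - name: registry-cern-ch-acc-ksc-charts-sign
            mountPath: /etc/sign
        env:
          # NOTE(review): empty passphrase, so the private key in the -sign
          # Secret is presumably stored unencrypted; access control on that
          # Secret is then the only protection for the signing key.
          - name: COSIGN_PASSWORD
            value: ""
        envFrom:
          # Expected to provide REGISTRY_USERNAME and REGISTRY_PASSWORD.
          - secretRef:
              name: "registry-cern-ch-acc-ksc-charts-creds"
        source: |
          # -u makes an unset variable a hard error instead of an empty string.
          set -euo pipefail

          # Destination registry path, as rendered from the values file.
          registry="registry.cern.ch/acc/ksc/charts"
          # Host part only (everything before the first "/").
          registry_host="${registry%%/*}"

          # Pass the password on stdin so it never appears in a process
          # argument list.
          printf '%s' "$REGISTRY_PASSWORD" | skopeo login --password-stdin -u "$REGISTRY_USERNAME" "$registry"
          printf '%s' "$REGISTRY_PASSWORD" | cosign login --password-stdin -u "$REGISTRY_USERNAME" "$registry_host"
          printf '%s' "$REGISTRY_PASSWORD" | helm registry login --password-stdin -u "$REGISTRY_USERNAME" "$registry_host"

          # Read the list on fd 3 so commands inside the loop cannot consume
          # entries from stdin.
          while read -r sourcerepo chart version _extra <&3
          do
            # Reject incomplete entries before they reach helm or cosign.
            if [ -z "$sourcerepo" ] || [ -z "$chart" ] || [ -z "$version" ]; then
              echo "malformed replication entry: '${sourcerepo} ${chart} ${version}'" >&2
              exit 1
            fi
            source="${sourcerepo}/${chart}:${version}"
            # The original built dest from ${repo}, which the script never
            # assigns; use the same reference that is inspected and verified so
            # the signature lands on the artifact that is checked.
            dest="${registry}/${chart}:${version}"
            if ! skopeo inspect --raw "docker://${dest}" > /dev/null; then
              echo "replicating chart ${source} into ${dest}"
              # NOTE(review): no provenance check is visible on the pull, so
              # whatever the source repo serves is what gets signed below.
              # Confirm upstream integrity is checked elsewhere.
              helm pull --repo "$sourcerepo" "${chart}" --version "${version}"
              helm push "${chart}"-*"${version}".tgz "oci://${registry}"
              # NOTE(review): this signs a tag reference; signing the pushed
              # digest would tie the signature to exactly what was pushed.
              cosign sign -r --key /etc/sign/.sign.key -y "$dest"
            else
              echo "chart ${source} exists at ${dest} ... skipping replication."
            fi
            echo "verifying artifact signature: ${dest}"
            cosign verify --key /etc/sign/.sign.pub "${dest}"
          done 3< /data/replication-registry-cern-ch-acc-ksc-charts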