From 231805e22b1ac2e47c9485512d7f3b3fc97b0d32 Mon Sep 17 00:00:00 2001 From: Chris Alfano Date: Sat, 6 Jan 2024 11:05:18 -0500 Subject: [PATCH 1/7] fix(k8s): enable sentry to use sensitive values --- ci/channels/prod.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ci/channels/prod.yaml b/ci/channels/prod.yaml index faf422769f..06e4a05535 100644 --- a/ci/channels/prod.yaml +++ b/ci/channels/prod.yaml @@ -99,6 +99,8 @@ calitp: namespace: sentry helm_name: sentry helm_chart: kubernetes/apps/charts/sentry + secret_helm_values: + - sentry_sentry-sensitive-helm-values secrets: - sentry_sentry-secret - sentry_sentry-sentry-postgresql From 8741cccc989777aba2fc02de81dcf6297d9bc143 Mon Sep 17 00:00:00 2001 From: Chris Alfano Date: Sat, 6 Jan 2024 11:05:34 -0500 Subject: [PATCH 2/7] fix(k8s): use --reset-values when applying Helm charts --- ci/tasks.py | 1 + 1 file changed, 1 insertion(+) diff --git a/ci/tasks.py b/ci/tasks.py index 4a4badb343..9e351a03bb 100644 --- a/ci/tasks.py +++ b/ci/tasks.py @@ -220,6 +220,7 @@ def diff( values_str, "-C 5", # only include 5 lines of context "--no-hooks", # exclude hooks that get recreated every upgrade from diff + "--reset-values", # prevent use of stored value overrides from previous releases ] ), warn=True, From 542297faa04ca2a887240b7c649673a75a4f6b43 Mon Sep 17 00:00:00 2001 From: Chris Alfano Date: Sat, 6 Jan 2024 13:03:51 -0500 Subject: [PATCH 3/7] fix(ci): join basic and secret helm values together --- ci/tasks.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/tasks.py b/ci/tasks.py index 9e351a03bb..db0e7a5995 100644 --- a/ci/tasks.py +++ b/ci/tasks.py @@ -201,7 +201,7 @@ def diff( f"--values={c.calitp_config.git_root / Path(values_file)}" for values_file in release.helm_values ] - ).join( + + [ f"--values={secret_path}" for secret_path in secret_helm_value_paths From f94629a3474a44703809f117676265217f27996c Mon Sep 17 00:00:00 2001 
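Review bot: The new `"--reset-values"` line changes what the diff is computed against, and its inline comment understates the consequence: any override that was applied out-of-band with `helm upgrade --set` (a manual hotfix or a rotated credential, for example) will now appear as a removal in the diff and will be dropped by the next release. That is the right behaviour for a pipeline that treats the committed values files plus the secret values as the only source of truth, but it should be stated so nobody reads the removal as noise; I would extend the comment to `# prevent use of stored value overrides from previous releases; out-of-band --set overrides show up here as removals and are dropped on release`. Whether helm-diff already defaults to this is version-dependent, so pinning the flag explicitly here and in the release task is the safer choice. `diff()` starts before this hunk and only its argument list is visible.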
From: Chris Alfano Date: Sat, 6 Jan 2024 13:05:24 -0500 Subject: [PATCH 4/7] fix(ci): use upgrade --install and skip extra logic --- ci/tasks.py | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/ci/tasks.py b/ci/tasks.py index db0e7a5995..7d0e399b4d 100644 --- a/ci/tasks.py +++ b/ci/tasks.py @@ -275,26 +275,20 @@ def release( c.run(f"helm dependency update {chart_path}", warn=True) values_str = " ".join( [ - f"--values {c.calitp_config.git_root / Path(values_file)}" + f"--values={c.calitp_config.git_root / Path(values_file)}" for values_file in release.helm_values ] ) - result: Result = c.run(f"kubectl get ns {release.namespace}") - verb = "upgrade" - - if result.exited != 0: - # namespace does not exist yet - c.run(f"kubectl create ns {release.namespace}") - verb = "install" assert release.helm_name is not None c.run( " ".join( [ "helm", - verb, + "upgrade", release.helm_name, str(chart_path), + "--install", f"--namespace {release.namespace}", values_str, f"--timeout {release.timeout}" if release.timeout else "", From 9bfc509ecf212a2c37d52e3115e8cd158ed0a000 Mon Sep 17 00:00:00 2001 From: Chris Alfano Date: Sat, 6 Jan 2024 13:06:10 -0500 Subject: [PATCH 5/7] fix(ci): reset helm values during upgrade/install to mirror diff --- ci/tasks.py | 1 + 1 file changed, 1 insertion(+) diff --git a/ci/tasks.py b/ci/tasks.py index 7d0e399b4d..525b8e95f8 100644 --- a/ci/tasks.py +++ b/ci/tasks.py @@ -291,6 +291,7 @@ def release( "--install", f"--namespace {release.namespace}", values_str, + "--reset-values", # prevent use of stored value overrides from previous releases f"--timeout {release.timeout}" if release.timeout else "", ] ) From 5e62c629167bbd33d44b0fcfb193df4fc856e963 Mon Sep 17 00:00:00 2001 
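Review bot: Removing the `kubectl get ns` / `kubectl create ns {release.namespace}` branch without adding `--create-namespace` to the helm invocation means a first install into a namespace that does not exist yet will now fail, because `helm upgrade --install --namespace` does not create namespaces by itself. Either add `"--create-namespace",` next to `"--install"` to keep the old behaviour, or drop it deliberately and document that namespaces are provisioned elsewhere (nothing in the `ci/channels/prod.yaml` hunk shows that). The body of `release()` begins before this hunk and continues after it. Since `f"--namespace {release.namespace}"` is joined into one shell string for `c.run`, `release.namespace` should stay a validated identifier read from the committed channel file and never come from user input.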
From: Chris Alfano Date: Sat, 6 Jan 2024 13:06:45 -0500 Subject: [PATCH 6/7] fix(ci): include secret values when upgrading/installing Helm charts too --- ci/tasks.py | 63 ++++++++++++++++++++++++++++++++++++----------------- 1 file changed, 43 insertions(+), 20 deletions(-) diff --git a/ci/tasks.py b/ci/tasks.py index 525b8e95f8..0a590e4e51 100644 --- a/ci/tasks.py +++ b/ci/tasks.py @@ -264,6 +264,8 @@ def release( assert c.calitp_config.git_root is not None actual_driver = ReleaseDriver[driver] if driver else None + secrets_client = secretmanager.SecretManagerServiceClient() + for release in get_releases(c, driver=actual_driver, app=app): if release.driver == ReleaseDriver.kustomize: assert release.kustomize_dir is not None 
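Review bot: `secrets_client = secretmanager.SecretManagerServiceClient()` is now constructed unconditionally on every `release` invocation, before the loop, even when `--driver kustomize` is used or no release declares `secret_helm_values`; the client constructor presumably resolves Application Default Credentials, so runs that never touch Secret Manager would start requiring (and failing without) GCP credentials where they did not before. Consider initialising `secrets_client = None` here and building it lazily in the helm branch, e.g. `if release.secret_helm_values and secrets_client is None: secrets_client = secretmanager.SecretManagerServiceClient()`. The rest of `release()` lies outside this hunk.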
@@ -273,28 +275,49 @@ def release( assert release.helm_chart is not None chart_path = c.calitp_config.git_root / Path(release.helm_chart) c.run(f"helm dependency update {chart_path}", warn=True) - values_str = " ".join( - [ - f"--values={c.calitp_config.git_root / Path(values_file)}" - for values_file in release.helm_values - ] - ) - - assert release.helm_name is not None - c.run( - " ".join( + + with tempfile.TemporaryDirectory() as tmpdir: + secret_helm_value_paths = [] + for secret_helm_values in release.secret_helm_values: + secret_path = Path(tmpdir) / Path(f"{secret_helm_values}.yaml") + name = f"projects/1005246706141/secrets/{secret_helm_values}/versions/latest" + secret_contents = secrets_client.access_secret_version( + request={"name": name} + ).payload.data.decode("UTF-8") + + with open(secret_path, "w") as f: + f.write(secret_contents) + + secret_helm_value_paths.append(secret_path) + print(f"Downloaded secret helm values: {secret_path}", flush=True) + + values_str = " ".join( [ - "helm", - "upgrade", - release.helm_name, - str(chart_path), - "--install", - f"--namespace {release.namespace}", - values_str, - "--reset-values", # prevent use of stored value overrides from previous releases - f"--timeout {release.timeout}" if release.timeout else "", + f"--values={c.calitp_config.git_root / Path(values_file)}" + for values_file in release.helm_values + ] + + + [ + f"--values={secret_path}" + for secret_path in secret_helm_value_paths ] ) - ) + + assert release.helm_name is not None + c.run( + " ".join( + [ + "helm", + "upgrade", + release.helm_name, + str(chart_path), + "--install", + f"--namespace {release.namespace}", + values_str, + "--reset-values", # prevent use of stored value overrides from previous releases + f"--timeout {release.timeout}" if release.timeout else "", + ] + ) + ) else: _assert_never(release.driver) From 0c6618c0bc5574a124039e3eff25941be468b052 Mon Sep 17 00:00:00 2001 
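Review bot: The download loop (`for secret_helm_values in release.secret_helm_values:` through `secret_helm_value_paths.append(secret_path)`) hard-codes the GCP project number `1005246706141` in the resource name and appears to duplicate the logic the `diff` task already uses to build its own `secret_helm_value_paths` (only the tail of that code is visible in this patch series), so the two copies will drift; it belongs in one private helper shared by both tasks, with the project number hoisted into a named constant or a `calitp_config` field. While extracting it, create the plaintext values file with `os.open(..., os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)` instead of `open(secret_path, "w")` — the `TemporaryDirectory` is already 0700, so this is defence in depth rather than a hole — and write the payload bytes as-is so no decode/encode round trip can alter them (this needs `os` imported if `tasks.py` does not already do so). Two caveats deserve a comment next to the `helm upgrade` call: `versions/latest` is resolved at release time, so `helm rollback` or re-running an old commit will not restore the old secret values, and Helm stores the merged values in the release Secret in the `sentry` namespace for every revision it keeps, so the "sensitive" values are readable by anyone allowed to `get secrets` there. `release()` begins before this hunk.
```python
def _download_secret_helm_values(secrets_client, release, tmpdir: str) -> list[Path]:
    """Write each Secret Manager value named in release.secret_helm_values to tmpdir; return the file paths."""
    paths: list[Path] = []
    for secret_name in release.secret_helm_values:
        # TODO: hoist the project number into config; it is duplicated with the diff task
        name = f"projects/1005246706141/secrets/{secret_name}/versions/latest"
        data = secrets_client.access_secret_version(request={"name": name}).payload.data
        secret_path = Path(tmpdir) / f"{secret_name}.yaml"
        # 0600 + O_EXCL: plaintext values readable by this user only, never clobbering an existing file
        fd = os.open(secret_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        paths.append(secret_path)
        print(f"Downloaded secret helm values: {secret_path}", flush=True)
    return paths

# … in release(), replacing the inline loop:
with tempfile.TemporaryDirectory() as tmpdir:
    secret_helm_value_paths = _download_secret_helm_values(secrets_client, release, tmpdir)
    # … unchanged: values_str assembly and the helm upgrade --install call …
```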
From: Chris Alfano Date: Sat, 6 Jan 2024 14:23:03 -0500 Subject: [PATCH 7/7] style(ci): format array addition like linter wants --- ci/tasks.py | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/ci/tasks.py b/ci/tasks.py index 0a590e4e51..de223cc933 100644 --- a/ci/tasks.py +++ b/ci/tasks.py @@ -201,8 +201,7 @@ def diff( f"--values={c.calitp_config.git_root / Path(values_file)}" for values_file in release.helm_values ] - + - [ + + [ f"--values={secret_path}" for secret_path in secret_helm_value_paths ] @@ -296,8 +295,7 @@ def release( f"--values={c.calitp_config.git_root / Path(values_file)}" for values_file in release.helm_values ] - + - [ + + [ f"--values={secret_path}" for secret_path in secret_helm_value_paths ]