-
Notifications
You must be signed in to change notification settings - Fork 20
/
Makefile
246 lines (211 loc) · 10.8 KB
/
Makefile
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
NAME ?= $(shell basename "`pwd`")
ifneq ($(origin TARGET_SITE), undefined)
TARGET_SITE_OPT=--set main.clusterGroupName=$(TARGET_SITE)
endif
# This variable can be set in order to pass additional helm arguments from the
# the command line. I.e. we can set things without having to tweak values files
EXTRA_HELM_OPTS ?=
# INDEX_IMAGES=registry-proxy.engineering.redhat.com/rh-osbs/iib:394248
# or
# INDEX_IMAGES=registry-proxy.engineering.redhat.com/rh-osbs/iib:394248,registry-proxy.engineering.redhat.com/rh-osbs/iib:394249
INDEX_IMAGES ?=
TARGET_ORIGIN ?= origin
# This is to ensure that whether we start with a git@ or https:// URL, we end up with an https:// URL
# This is because we expect to use tokens for repo authentication as opposed to SSH keys
TARGET_REPO=$(shell git ls-remote --get-url --symref $(TARGET_ORIGIN) | sed -e 's/.*URL:[[:space:]]*//' -e 's%^git@%%' -e 's%^https://%%' -e 's%:%/%' -e 's%^%https://%')
# git branch --show-current is also available as of git 2.22, but we will use this for compatibility
TARGET_BRANCH=$(shell git rev-parse --abbrev-ref HEAD)
UUID_FILE ?= ~/.config/validated-patterns/pattern-uuid
UUID_HELM_OPTS ?=
# --set values always take precedence over the contents of -f
ifneq ("$(wildcard $(UUID_FILE))","")
UUID := $(shell cat $(UUID_FILE))
UUID_HELM_OPTS := --set main.analyticsUUID=$(UUID)
endif
# Set the secret name *and* its namespace when deploying from private repositories
# The format of said secret is documented here: https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#repositories
TOKEN_SECRET ?=
TOKEN_NAMESPACE ?=
ifeq ($(TOKEN_SECRET),)
HELM_OPTS=-f values-global.yaml --set main.git.repoURL="$(TARGET_REPO)" --set main.git.revision=$(TARGET_BRANCH) $(TARGET_SITE_OPT) $(UUID_HELM_OPTS) $(EXTRA_HELM_OPTS)
else
# When we are working with a private repository we do not escape the git URL as it might be using an ssh secret which does not use https://
TARGET_CLEAN_REPO=$(shell git ls-remote --get-url --symref $(TARGET_ORIGIN))
HELM_OPTS=-f values-global.yaml --set main.tokenSecret=$(TOKEN_SECRET) --set main.tokenSecretNamespace=$(TOKEN_NAMESPACE) --set main.git.repoURL="$(TARGET_CLEAN_REPO)" --set main.git.revision=$(TARGET_BRANCH) $(TARGET_SITE_OPT) $(UUID_HELM_OPTS) $(EXTRA_HELM_OPTS)
endif
# Helm does the right thing and fetches all the tags and detects the newest one
PATTERN_INSTALL_CHART ?= oci://quay.io/hybridcloudpatterns/pattern-install
##@ Pattern Common Tasks
.PHONY: help
help: ## This help message
@echo "Pattern: $(NAME)"
@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m<target>\033[0m\n"} /^(\s|[a-zA-Z_0-9-])+:.*?##/ { printf " \033[36m%-35s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
# Makefiles in the individual patterns should call these targets explicitly
# e.g. from industrial-edge: make -f common/Makefile show
.PHONY: show
show: ## show the starting template without installing it
helm template $(PATTERN_INSTALL_CHART) --name-template $(NAME) $(HELM_OPTS)
preview-all: ## (EXPERIMENTAL) Previews all applications on hub and managed clusters
@echo "NOTE: This is just a tentative approximation of rendering all hub and managed clusters templates"
@common/scripts/preview-all.sh $(TARGET_REPO) $(TARGET_BRANCH)
preview-%:
$(eval CLUSTERGROUP ?= $(shell yq ".main.clusterGroupName" values-global.yaml))
@common/scripts/preview.sh $(CLUSTERGROUP) $* $(TARGET_REPO) $(TARGET_BRANCH)
.PHONY: operator-deploy
operator-deploy operator-upgrade: validate-prereq validate-origin validate-cluster ## runs helm install
@common/scripts/deploy-pattern.sh $(NAME) $(PATTERN_INSTALL_CHART) $(HELM_OPTS)
.PHONY: uninstall
uninstall: ## runs helm uninstall
$(eval CSV := $(shell oc get subscriptions -n openshift-operators openshift-gitops-operator -ojsonpath={.status.currentCSV}))
helm uninstall $(NAME)
@oc delete csv -n openshift-operators $(CSV)
.PHONY: load-secrets
load-secrets: ## loads the secrets into the backend determined by values-global setting
common/scripts/process-secrets.sh $(NAME)
.PHONY: legacy-load-secrets
legacy-load-secrets: ## loads the secrets into vault (only)
common/scripts/vault-utils.sh push_secrets $(NAME)
.PHONY: secrets-backend-vault
secrets-backend-vault: ## Edits values files to use default Vault+ESO secrets config
common/scripts/set-secret-backend.sh vault
common/scripts/manage-secret-app.sh vault present
common/scripts/manage-secret-app.sh golang-external-secrets present
common/scripts/manage-secret-namespace.sh validated-patterns-secrets absent
@git diff --exit-code || echo "Secrets backend set to vault, please review changes, commit, and push to activate in the pattern"
.PHONY: secrets-backend-kubernetes
secrets-backend-kubernetes: ## Edits values file to use Kubernetes+ESO secrets config
common/scripts/set-secret-backend.sh kubernetes
common/scripts/manage-secret-namespace.sh validated-patterns-secrets present
common/scripts/manage-secret-app.sh vault absent
common/scripts/manage-secret-app.sh golang-external-secrets present
@git diff --exit-code || echo "Secrets backend set to kubernetes, please review changes, commit, and push to activate in the pattern"
.PHONY: secrets-backend-none
secrets-backend-none: ## Edits values files to remove secrets manager + ESO
common/scripts/set-secret-backend.sh none
common/scripts/manage-secret-app.sh vault absent
common/scripts/manage-secret-app.sh golang-external-secrets absent
common/scripts/manage-secret-namespace.sh validated-patterns-secrets absent
@git diff --exit-code || echo "Secrets backend set to none, please review changes, commit, and push to activate in the pattern"
.PHONY: load-iib
load-iib: ## CI target to install Index Image Bundles
@set -e; if [ x$(INDEX_IMAGES) != x ]; then \
ansible-playbook rhvp.cluster_utils.iib_ci; \
else \
echo "No INDEX_IMAGES defined. Bailing out"; \
exit 1; \
fi
.PHONY: token-kubeconfig
token-kubeconfig: ## Create a local ~/.kube/config with password (not usually needed)
common/scripts/write-token-kubeconfig.sh
##@ Validation Tasks
# We only check the remote ssh git branch's existance if we're not running inside a container
# as getting ssh auth working inside a container seems a bit brittle
# If the main repoUpstreamURL field is set, then we need to check against
# that and not target_repo
.PHONY: validate-origin
validate-origin: ## verify the git origin is available
@echo "Checking repository:"
$(eval UPSTREAMURL := $(shell yq -r '.main.git.repoUpstreamURL // (.main.git.repoUpstreamURL = "")' values-global.yaml))
@if [ -z "$(UPSTREAMURL)" ]; then\
echo -n " $(TARGET_REPO) - branch '$(TARGET_BRANCH)': ";\
git ls-remote --exit-code --heads $(TARGET_REPO) $(TARGET_BRANCH) >/dev/null &&\
echo "OK" || (echo "NOT FOUND"; exit 1);\
else\
echo "Upstream URL set to: $(UPSTREAMURL)";\
echo -n " $(UPSTREAMURL) - branch '$(TARGET_BRANCH)': ";\
git ls-remote --exit-code --heads $(UPSTREAMURL) $(TARGET_BRANCH) >/dev/null &&\
echo "OK" || (echo "NOT FOUND"; exit 1);\
fi
.PHONY: validate-cluster
validate-cluster: ## Do some cluster validations before installing
@echo "Checking cluster:"
@echo -n " cluster-info: "
@oc cluster-info >/dev/null && echo "OK" || (echo "Error"; exit 1)
@echo -n " storageclass: "
@if [ `oc get storageclass -o go-template='{{printf "%d\n" (len .items)}}'` -eq 0 ]; then\
echo "WARNING: No storageclass found";\
else\
echo "OK";\
fi
.PHONY: validate-schema
validate-schema: ## validates values files against schema in common/clustergroup
$(eval VAL_PARAMS := $(shell for i in ./values-*.yaml; do echo -n "$${i} "; done))
@echo -n "Validating clustergroup schema of: "
@set -e; for i in $(VAL_PARAMS); do echo -n " $$i"; helm template common/clustergroup $(HELM_OPTS) -f "$${i}" >/dev/null; done
@echo
.PHONY: validate-prereq
validate-prereq: ## verify pre-requisites
@if [ ! -f /run/.containerenv ]; then\
echo "Checking prerequisites:";\
for t in $(EXECUTABLES); do if ! which $$t > /dev/null 2>&1; then echo "No $$t in PATH"; exit 1; fi; done;\
echo " Check for '$(EXECUTABLES)': OK";\
echo -n " Check for python-kubernetes: ";\
if ! ansible -m ansible.builtin.command -a "{{ ansible_python_interpreter }} -c 'import kubernetes'" localhost > /dev/null 2>&1; then echo "Not found"; exit 1; fi;\
echo "OK";\
echo -n " Check for kubernetes.core collection: ";\
if ! ansible-galaxy collection list | grep kubernetes.core > /dev/null 2>&1; then echo "Not found"; exit 1; fi;\
echo "OK";\
else\
if [ -f values-global.yaml ]; then\
OUT=`yq -r '.main.multiSourceConfig.enabled // (.main.multiSourceConfig.enabled = "false")' values-global.yaml`;\
if [ "$${OUT,,}" = "false" ]; then\
echo "You must set \".main.multiSourceConfig.enabled: true\" in your 'values-global.yaml' file";\
echo "because your common subfolder is the slimmed down version with no helm charts in it";\
exit 1;\
fi;\
fi;\
fi
.PHONY: argo-healthcheck
argo-healthcheck: ## Checks if all argo applications are synced
@echo "Checking argo applications"
$(eval APPS := $(shell oc get applications -A -o jsonpath='{range .items[*]}{@.metadata.namespace}{","}{@.metadata.name}{"\n"}{end}'))
@NOTOK=0; \
for i in $(APPS); do\
n=`echo "$${i}" | cut -f1 -d,`;\
a=`echo "$${i}" | cut -f2 -d,`;\
STATUS=`oc get -n "$${n}" application/"$${a}" -o jsonpath='{.status.sync.status}'`;\
if [[ $$STATUS != "Synced" ]]; then\
NOTOK=$$(( $${NOTOK} + 1));\
fi;\
HEALTH=`oc get -n "$${n}" application/"$${a}" -o jsonpath='{.status.health.status}'`;\
if [[ $$HEALTH != "Healthy" ]]; then\
NOTOK=$$(( $${NOTOK} + 1));\
fi;\
echo "$${n} $${a} -> Sync: $${STATUS} - Health: $${HEALTH}";\
done;\
if [ $${NOTOK} -gt 0 ]; then\
echo "Some applications are not synced or are unhealthy";\
exit 1;\
fi
##@ Test and Linters Tasks
.PHONY: qe-tests
qe-tests: ## Runs the tests that QE runs
@set -e; if [ -f ./tests/interop/run_tests.sh ]; then \
./tests/interop/run_tests.sh; \
else \
echo "No ./tests/interop/run_tests.sh found skipping"; \
fi
.PHONY: super-linter
super-linter: ## Runs super linter locally
rm -rf .mypy_cache
podman run -e RUN_LOCAL=true -e USE_FIND_ALGORITHM=true \
-e VALIDATE_ANSIBLE=false \
-e VALIDATE_BASH=false \
-e VALIDATE_CHECKOV=false \
-e VALIDATE_DOCKERFILE_HADOLINT=false \
-e VALIDATE_JSCPD=false \
-e VALIDATE_JSON_PRETTIER=false \
-e VALIDATE_MARKDOWN_PRETTIER=false \
-e VALIDATE_KUBERNETES_KUBECONFORM=false \
-e VALIDATE_PYTHON_PYLINT=false \
-e VALIDATE_SHELL_SHFMT=false \
-e VALIDATE_TEKTON=false \
-e VALIDATE_YAML=false \
-e VALIDATE_YAML_PRETTIER=false \
$(DISABLE_LINTERS) \
-v $(PWD):/tmp/lint:rw,z \
-w /tmp/lint \
ghcr.io/super-linter/super-linter:slim-v7
.PHONY: deploy upgrade legacy-deploy legacy-upgrade
deploy upgrade legacy-deploy legacy-upgrade:
@echo "UNSUPPORTED TARGET: please switch to 'operator-deploy'"; exit 1