Merge pull request #297 from mbaldessari/quick-fixes

Pipeline fixes

Makefile

@@ -1,8 +1,4 @@
 NAME=$(shell basename `pwd`)
-ARGO_TARGET_NAMESPACE=manuela-ci
-PATTERN=industrial-edge
-COMPONENT=datacenter
-SECRET_NAME="argocd-env"
 TARGET_BRANCH=$(shell git rev-parse --abbrev-ref HEAD)
 HUBCLUSTER_APPS_DOMAIN=$(shell oc get ingresses.config/cluster -o jsonpath={.spec.domain})
 TARGET_ORIGIN ?= origin
@@ -28,7 +24,6 @@ install: operator-deploy post-install ## installs the pattern, inits the vault a
 
 post-install: ## Post-install tasks
 	make load-secrets
-	make argosecret
 	@echo "Done"
 
 sleep: ## waits for all seed resources to be presents
@@ -40,15 +35,6 @@ sleep-seed: sleep seed ## waits for seed resources and calls seed-run
 seed: sleep ## waits for all seed resources
 	oc create -f charts/datacenter/pipelines/extra/seed-run.yaml
 
-#  Makefiles that use this target must provide:
-#  	PATTERN: The name of the pattern that is using it.  This will be used programmatically for the source namespace
-#  	TARGET_NAMESPACE: target namespace to install the secret into
-#  	COMPONENT: The component of the target namespace.  In industrial edge, factory or datacenter - and for the secret
-#  		it needs to be datacenter because that's where the CI components run.
-#  	SECRET_NAME: The name of the secret to manage
-argosecret: ## creates the argo secret
-	PATTERN="$(PATTERN)" TARGET_NAMESPACE="$(ARGO_TARGET_NAMESPACE)" COMPONENT="$(COMPONENT)" SECRET_NAME="$(SECRET_NAME)" scripts/secret.sh
-
 build-and-test: ## run a build and test pipeline
 	oc create -f charts/datacenter/pipelines/extra/build-and-test-run.yaml
 

charts/datacenter/pipelines/extra/stage-production-run.yaml

@@ -23,7 +23,7 @@ spec:
         secretName: argocd-env
     - name: github-secret
       secret:
-        secretName: git-repo-credentials
+        secretName: gitea-admin-secret
     - name: build-artifacts
       persistentVolumeClaim:
         claimName: build-artifacts-rwo

charts/datacenter/pipelines/templates/argocd-env-secret.yaml

@@ -0,0 +1,49 @@
+{{ $ns := printf "%s-%s" $.Values.global.pattern  $.Values.clusterGroup.name }}
+---
+apiVersion: external-secrets.io/v1alpha1
+kind: PushSecret
+metadata:
+  name: push-secret-ie-namespaced-argocd
+  namespace: {{ $ns }}
+spec:
+  data:
+    - conversionStrategy: None
+      match:
+        remoteRef:
+          remoteKey: pushsecrets/namespaced-argo
+          property: password
+        secretKey: admin.password
+  deletionPolicy: Delete
+  refreshInterval: 10s
+  secretStoreRefs:
+    - kind: ClusterSecretStore
+      name: vault-backend
+  selector:
+    secret:
+      name: {{ $.Values.clusterGroup.name }}-gitops-cluster
+  updatePolicy: Replace
+---
+apiVersion: "external-secrets.io/v1beta1"
+kind: ExternalSecret
+metadata:
+  name: external-secret-ie-namespaced-argocd
+  namespace: manuela-ci
+spec:
+  refreshInterval: 15s
+  secretStoreRef:
+    name: {{ $.Values.secretStore.name }}
+    kind: {{ $.Values.secretStore.kind }}
+  target:
+    name: argocd-env
+    template:
+      type: Opaque
+      engineVersion: v2
+      metadata:
+      data:
+        ARGOCD_USERNAME: admin
+        ARGOCD_PASSWORD: "{{ `{{ .argo_admin_password }}` }}"
+  data:
+  - secretKey: argo_admin_password
+    remoteRef:
+      key: "pushsecrets/namespaced-argo"
+      property: "password"

charts/datacenter/pipelines/templates/configmaps/environment.yaml

@@ -1,3 +1,6 @@
+{{- $giturl := coalesce .Values.global.git.hostname (printf "gitea-route-vp-gitea.%s" .Values.global.localClusterDomain) }}
+{{- $full_giturl := printf "https://%s/%s/manuela-dev.git" $giturl .Values.global.git.account }}
+---
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -7,7 +10,7 @@ data:
   IMAGE_PROVIDER: {{ .Values.global.imageregistry.hostname }}
   IMAGE_ACCOUNT: {{ .Values.global.imageregistry.account }}
   GIT_EMAIL: {{ .Values.global.git.email }}
-  GIT_DEV_REPO_URL: https://{{ .Values.global.git.hostname }}/{{ .Values.global.git.account }}/manuela-dev.git
+  GIT_DEV_REPO_URL: {{ $full_giturl }}
   GIT_DEV_REPO_REVISION: {{ .Values.global.git.dev_revision }}
   GIT_OPS_REPO_TEST_URL: {{ .Values.global.repoURL }}
   GIT_OPS_REPO_TEST_REVISION: {{ .Values.global.targetRevision }}

charts/datacenter/pipelines/templates/gitea-admin-secret.yaml

@@ -1,6 +1,9 @@
 # The push secret fetches the randomly generated gitea-admin-secret username+password to vault
 # The External Secret will fetch those credentials from vault and place them in the gitea-admin-external-secret
 # in the manuela-ci namespace
+{{- $giturl := coalesce .Values.global.git.hostname (printf "gitea-route-vp-gitea.%s" .Values.global.localClusterDomain) }}
+{{- $full_giturl := printf "https://%s/%s/" $giturl .Values.global.git.account }}
+
 {{- if .Values.clusterGroup.isHubCluster }}
 {{- if .Values.global.originURL }}
 ---
@@ -47,12 +50,15 @@ spec:
   target:
     name: gitea-admin-secret
     template:
-      type: Opaque
+      metadata:
+        annotations:
+          # Tekton magic, see https://tekton.dev/vault/pipelines-v0.15.2/auth/
+          tekton.dev/git-0: {{ $full_giturl }}
+      type: kubernetes.io/basic-auth
       engineVersion: v2
       data:
         username: "{{ `{{ .gitea_admin_user }}` }}"
         password: "{{ `{{ .gitea_admin_password }}` }}"
-        branch: {{ $.Values.global.targetRevision }}
   data:
   - secretKey: gitea_admin_user
     remoteRef:
@@ -66,3 +72,6 @@ spec:
 {{- end }}{{/* range $i := list manuela-ci ml-development */}}
 {{- end }}
 {{- end }}
+
+# TODO: We used to have a branch field we need to circle back and expose that differently
+# branch: 

charts/datacenter/pipelines/templates/serviceaccount.yaml

@@ -8,7 +8,7 @@ metadata:
   name: pipeline
   namespace: manuela-ci
 secrets:
-- name: git-repo-credentials
+- name: gitea-admin-secret
 {{-   if eq .Values.global.imageregistry.type "quay" }}
 - name: image-registry-credentials
 {{-   end }}

charts/datacenter/pipelines/templates/tasks/bumpversion.yaml

@@ -24,7 +24,7 @@ spec:
     description: the new build version based on the last tags and VERSION file
   steps:
   - name: current-tag
-    image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3
+    image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.44.5
     script: |
       VERSION_GLOB="build-$(params.component_name)-$(cat $(params.version_file_path))-*"
 
@@ -70,7 +70,7 @@ spec:
       name: scratch
     workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory)
   - name: tag-repo
-    image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3
+    image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.44.5
     script: |
       VERSION=$(cat /scratch/VERSION)
       git tag $VERSION

charts/datacenter/pipelines/templates/tasks/cleanup.yaml

@@ -33,7 +33,7 @@ spec:
   #   type: string
   steps:
   - name: cleanup-git-tags
-    image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3
+    image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.44.5
     script: |
       #list build tags for component in repo
       BUILD_TAG_GLOB="build-$(params.COMPONENT_NAME)-*"

charts/datacenter/pipelines/templates/tasks/fail.yaml

@@ -5,6 +5,6 @@ metadata:
 spec:
   steps:
   - name: fail
-    image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3
+    image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.44.5
     script: |
       exit 1

charts/datacenter/pipelines/templates/tasks/git-checkout.yaml

@@ -19,7 +19,7 @@ spec:
     description: The precise commit SHA that is HEAD of the checked out branch
   steps:
   - name: checkout
-    image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3
+    image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.44.5
     script: |
       BRANCH=$(params.BRANCH)
       git checkout -q --track -b $BRANCH origin/$BRANCH 2>&1 || git checkout -q -b $BRANCH 2>&1

charts/datacenter/pipelines/templates/tasks/git-clone-with-tags.yaml

@@ -27,7 +27,7 @@ spec:
   - name: sslVerify
     description: defines if http.sslVerify should be set to true or false in the global git config
     type: string
-    default: "true"
+    default: "false"
   - name: subdirectory
     description: subdirectory inside the "gitrepos" workspace to clone the git repo into
     type: string
@@ -41,7 +41,7 @@ spec:
     description: The precise commit SHA that was fetched by this Task
   steps:
   - name: clone
-    image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3
+    image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.44.5
     script: |
       CHECKOUT_DIR="$(workspaces.gitrepos.path)/$(params.subdirectory)"
 

charts/datacenter/pipelines/templates/tasks/git-commit.yaml

@@ -21,7 +21,7 @@ spec:
     type: string
   steps:
   - name: commit
-    image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3
+    image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.44.5
     script: |
       git diff
       git config --global user.email "$(cat $(workspaces.config.path)/$(params.GIT_EMAIL_CONFIGMAPKEY))"

charts/datacenter/pipelines/templates/tasks/github-push.yaml

@@ -1,3 +1,6 @@
+{{- $giturl := coalesce .Values.global.git.hostname (printf "gitea-route-vp-gitea.%s" .Values.global.localClusterDomain) }}
+{{- $full_giturl := printf "https://%s/%s/manuela-dev.git" $giturl .Values.global.git.account }}
+---
 apiVersion: tekton.dev/v1beta1
 kind: Task
 metadata:
@@ -15,13 +18,16 @@ spec:
     description: additional flags for git push
     type: string
     default: ""
+  - name: sslVerify
+    default: "false"
   steps:
   - name: push
-    image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.24.3
+    image: gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.44.5
     script: |
       git remote -v
       git branch
-      git branch -r | grep -q origin/$(git rev-parse --abbrev-ref HEAD) && git pull --ff-only --no-edit
+      git branch -r | grep -q origin/$(git rev-parse --abbrev-ref HEAD) && git -c http.sslVerify=$(params.sslVerify) pull --ff-only --no-edit
       git log -n 2
-      git push -v $(params.PUSH_FLAGS)
+      git -c http.sslVerify=$(params.sslVerify) push -v $(params.PUSH_FLAGS)
+      echo "github push task completed"
     workingDir: $(workspaces.gitrepos.path)/$(params.subdirectory)

charts/datacenter/pipelines/templates/templates/stage-production-pipelinerun.yaml

@@ -26,7 +26,7 @@ objects:
         secretName: argocd-env
     - name: github-secret
       secret:
-        secretName: git-repo-credentials
+        secretName: gitea-admin-secret
     - name: gitrepos
       volumeClaimTemplate:
         spec:

charts/datacenter/pipelines/values.yaml

@@ -14,12 +14,12 @@ imageregistrysecret:
 global:
   pattern: industrial-edge
   repoURL: "https://github.com/pattern-clone/industrial-edge"
+  localClusterDomain: apps.localcluster.domain
   targetRevision: main
 
   git:
-    hostname: github.com
-    account: PLAINTEXT
-    username: PLAINTEXT
+    #hostname: ""
+    account: gitea_admin
     email: [email protected]
     dev_revision: main
 

scripts/sleep-seed.sh

@@ -4,7 +4,7 @@ while [ 1 ]; do
 	echo "Waiting for seed resources to be ready in manuela-ci"
 	oc get -n manuela-ci pipeline seed 1>/dev/null 2>/dev/null && \
 	oc get -n manuela-ci task tkn 1>/dev/null 2>/dev/null && \
-	oc get -n manuela-ci secret git-repo-credentials 1>/dev/null 2>/dev/null && \
+	oc get -n manuela-ci secret gitea-admin-secret 1>/dev/null 2>/dev/null && \
 	oc get -n manuela-ci secret image-registry-credentials 1>/dev/null 2>/dev/null && \
 	echo "Bootstrap seed now running" && break;
 	sleep 5;

values-global.yaml

@@ -15,13 +15,12 @@ global:
     installPlanApproval: Automatic
 
   imageregistry:
-    account: PLAINTEXT
+    account: rhn_support_mbaldess
     hostname: quay.io
     type: quay
 
   git:
-    hostname: github.com
-    account: PLAINTEXT
+    account: gitea_admin
     #username: PLAINTEXT
     email: [email protected]
     dev_revision: main