Release 0.1.37 (#292)

* CR-20911-app-proxy (#284)

* bump app-proxy with security fixes

* update app-proxy with security fix in autopilot

* CR-20910 -- Fix gitops vulns (#285)

Fix gitops vulns

* feat: csdp-add-cluster chart templates update (#286)

* appVersions (#288)

* bump app-proxy (#289)

Update kustomization.yaml

* fix: argocd-manager sa token for openshift (#290)

* Bump app-proxy (#291)

Update kustomization.yaml

* release 0.1.37

---------

Co-authored-by: Oleksandr Saulyak <oleksandr.saulyak@codefresh.io>
Co-authored-by: Yaroslav Drachenko <yaroslav@codefresh.io>
Co-authored-by: mikhail-klimko <mikhail.klimko@codefresh.io>
Co-authored-by: Andrii Shaforostov <andrii@codefresh.io>
Co-authored-by: Daniel Maizel <daniel.maizel@codefresh.io>

Author: 6 people

Makefile

@@ -1,11 +1,12 @@
 VERSION=$(shell cat VERSION)
 KUST_VERSION_FILE="./csdp/base_components/bootstrap/kustomization.yaml"
 RUNTIME_YAML_FILE="./csdp/hybrid/basic/runtime.yaml"
+YQ_BINARY := /usr/local/bin/yq
 
 BUMP_CHECK_MSG="Error: git working tree is not clean, make sure that you ran 'make bump' locally and commit the changes!"
 
 .PHONY: bump
-bump: /usr/local/bin/yq
+bump: $(YQ_BINARY)
 	@echo "bumping version ${VERSION}"
 
 	@echo "--> updating file: ${KUST_VERSION_FILE}"
@@ -22,8 +23,13 @@ check-bump: bump
 	@git status --short && git diff --quiet || (echo "\n${BUMP_CHECK_MSG}" && exit 1)
 
 
-/usr/local/bin/yq:
-	@echo "Downloading yq..."
-	@curl -L https://github.com/mikefarah/yq/releases/latest/download/yq_$(shell go env GOOS)_$(shell go env GOARCH) -o /usr/local/bin/yq &&\
-		chmod +x /usr/local/bin/yq
-	@yq --version
+$(YQ_BINARY):
+	@echo "Checking if yq is installed..."
+	@if command -v yq > /dev/null ; then \
+		echo "yq is already installed"; \
+	else \
+		@echo "Downloading yq..." \
+		@curl -L https://github.com/mikefarah/yq/releases/latest/download/yq_$(shell go env GOOS)_$(shell go env GOARCH) -o $(YQ_BINARY) &&\
+		chmod +x $(YQ_BINARY); \
+		@yq --version; \
+	fi

VERSION

@@ -1 +1 @@
-0.1.36
+0.1.37

add-cluster/add-cluster.sh

@@ -9,6 +9,10 @@
 # CSDP_TOKEN_SECRET
 # SKIP_TLS_VALIDATION (cm - optional)
 
+if $DEBUG; then
+  set -eou xtrace
+fi
+
 SECRET_NAME=""
 
 function get_service_account_secret_name() {

add-cluster/helm/Chart.yaml

@@ -1,9 +1,17 @@
 apiVersion: v2
 name: csdp-add-cluster
 description: This helm chart adds a remote cluster to an existing Codefresh runtime
-
 type: application
-
-version: 0.2.0
-
-appVersion: 0.7.0
+version: 0.4.0
+appVersion: 0.8.0
+home: https://codefresh.io/
+icon: https://avatars1.githubusercontent.com/u/11412079?v=3
+sources:
+  - https://github.com/codefresh-io/csdp-official/tree/main/add-cluster/helm
+maintainers:
+  - name: codefresh
+    url: https://codefresh-io.github.io/
+dependencies:
+  - name: cf-common
+    repository: oci://quay.io/codefresh/charts
+    version: 0.16.0

add-cluster/helm/templates/_helpers.tpl

@@ -45,14 +45,28 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 Creates the ServiceAccount name (used for the *Role and *RoleBinding as well)
 Based on the "argocd-manager" unless explicitly set
 */}}
-{{- define "csdp-add-cluster.serviceAccount" -}}
-{{- if .Values.serviceAccount }}
-{{- .Values.serviceAccount | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- if contains "argocd-manager" .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name "argocd-manager" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
+{{- define "csdp-add-cluster.serviceAccountName" -}}
+  {{- if .Values.serviceAccount.create }}
+    {{- default (include "csdp-add-cluster.fullname" .) .Values.serviceAccount.name }}
+  {{- else }}
+    {{- default "default" .Values.serviceAccount.name }}
+  {{- end }}
 {{- end }}
+
+{{/*
+Environment variable value of Codefresh installation token
+*/}}
+{{- define "csdp-add-cluster.token-env-var-value" -}}
+  {{- if .Values.codefresh.userToken.token }}
+valueFrom:
+  secretKeyRef:
+    name: {{ include "csdp-add-cluster.fullname" . }}-secret
+    key: codefresh-api-token
+  {{- else if .Values.codefresh.userToken.secretKeyRef  }}
+valueFrom:
+  secretKeyRef:
+  {{- .Values.codefresh.userToken.secretKeyRef | toYaml | nindent 4 }}
+  {{- else }}
+{{ fail ".Values.codefresh.userToken OR .Values.codefresh.userToken.secretKeyRef is required!" }}
+  {{- end }}
+{{- end }}

add-cluster/helm/templates/clusterrole.yaml

@@ -1,7 +1,8 @@
+{{- if .Values.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: {{ include "csdp-add-cluster.serviceAccount" . }}-role
+  name: {{ include "csdp-add-cluster.serviceAccountName" . }}-role
   labels:
     {{- include "csdp-add-cluster.labels" . | nindent 4 }}
 rules:
@@ -15,3 +16,4 @@ rules:
       - '*'
     verbs:
       - '*'
+{{- end }}

add-cluster/helm/templates/clusterrolebinding.yaml

@@ -1,14 +1,16 @@
+{{- if .Values.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ include "csdp-add-cluster.serviceAccount" . }}-role-binding
+  name: {{ include "csdp-add-cluster.serviceAccountName" . }}-role-binding
   labels:
     {{- include "csdp-add-cluster.labels" . | nindent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: {{ include "csdp-add-cluster.serviceAccount" . }}-role
+  name: {{ include "csdp-add-cluster.serviceAccountName" . }}-role
 subjects:
   - kind: ServiceAccount
-    name: {{ include "csdp-add-cluster.serviceAccount" . }}
+    name: {{ include "csdp-add-cluster.serviceAccountName" . }}
     namespace: {{ .Values.systemNamespace | default "kube-system" }}
+{{- end }}

add-cluster/helm/templates/configmap.yaml

@@ -2,12 +2,12 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: {{ include "csdp-add-cluster.fullname" . }}-cm
-  namespace: kube-system
+  namespace: {{ .Values.systemNamespace | default "kube-system" }}
   labels:
     {{- include "csdp-add-cluster.labels" . | nindent 4 }}
 data:
-  ingressUrl: {{ .Values.ingressUrl | quote }}
-  contextName: {{ .Values.contextName | quote }}
-  server: {{ .Values.server | quote }}
+  ingressUrl: {{ required ".Values.ingressUrl is required!" .Values.ingressUrl | quote }}
+  contextName: {{ required ".Values.contextName is required!" .Values.contextName | quote }}
+  server: {{ required ".Values.server is required!" .Values.server | quote }}
   labels: {{ .Values.labels | quote }}
   annotations: {{ .Values.annotations | quote }}

add-cluster/helm/templates/job.yaml

@@ -1,3 +1,4 @@
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -6,64 +7,87 @@ metadata:
   labels:
     {{- include "csdp-add-cluster.labels" . | nindent 4 }}
 spec:
-  ttlSecondsAfterFinished: 600 # stick around for 10m
+  {{- with .Values.ttlSecondsAfterFinished }}
+  ttlSecondsAfterFinished: {{ . }}
+  {{- end }}
+  {{- with .Values.backoffLimit }}
+  backoffLimit: {{ .}}
+  {{- end }}
   template:
     metadata:
       name: {{ include "csdp-add-cluster.fullname" . }}-pod
+      labels:
+        {{- include "csdp-add-cluster.labels" . | nindent 8 }}
     spec:
-      serviceAccount: {{ include "csdp-add-cluster.serviceAccount" . }}
-      restartPolicy: Never
+      {{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }}
+      serviceAccount: {{ include "csdp-add-cluster.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:
         - name: main
-          image: "quay.io/codefresh/csdp-add-cluster:{{ .Chart.AppVersion }}"
-          imagePullPolicy: Always
+          image: {{ include (printf "%v.tplrender" $cfCommonTplSemver) (dict "Values" (include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .)) "context" .) }}
+          imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }}
           command:
             - bash
           args:
             - ./add-cluster.sh
           env:
-            - name: SERVICE_ACCOUNT_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: spec.serviceAccountName
-            - name: INGRESS_URL
-              valueFrom:
-                configMapKeyRef:
-                  name: {{ include "csdp-add-cluster.fullname" . }}-cm
-                  key: ingressUrl
-            - name: CSDP_TOKEN
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "csdp-add-cluster.fullname" . }}-secret
-                  key: csdpToken
-            - name: CONTEXT_NAME
-              valueFrom:
-                configMapKeyRef:
-                  name: {{ include "csdp-add-cluster.fullname" . }}-cm
-                  key: contextName
-            - name: SERVER
-              valueFrom:
-                configMapKeyRef:
-                  name: {{ include "csdp-add-cluster.fullname" . }}-cm
-                  key: server
-            - name: CSDP_TOKEN_SECRET
-              value: {{ include "csdp-add-cluster.fullname" . }}-secret
+          - name: SERVICE_ACCOUNT_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: spec.serviceAccountName
+          - name: INGRESS_URL
+            valueFrom:
+              configMapKeyRef:
+                name: {{ include "csdp-add-cluster.fullname" . }}-cm
+                key: ingressUrl
+          - name: CSDP_TOKEN
+            {{- include "csdp-add-cluster.token-env-var-value" . | indent 12 }}
+          - name: CONTEXT_NAME
+            valueFrom:
+              configMapKeyRef:
+                name: {{ include "csdp-add-cluster.fullname" . }}-cm
+                key: contextName
+          - name: SERVER
+            valueFrom:
+              configMapKeyRef:
+                name: {{ include "csdp-add-cluster.fullname" . }}-cm
+                key: server
+          - name: CSDP_TOKEN_SECRET
+            value: {{ include "csdp-add-cluster.fullname" . }}-secret
+          {{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" .Values.env "context" .) | nindent 10 }}
           volumeMounts:
-            - name: config-volume
-              mountPath: /etc/config
+          - name: config-volume
+            mountPath: /etc/config
+          {{- with .Values.extraVolumeMounts }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
+          {{- with .Values.resources }}
           resources:
-            limits:
-              memory: 512Mi
-              cpu: '1'
-            requests:
-              memory: 256Mi
-              cpu: '0.2'
+            {{- toYaml . | nindent 12  }}
+          {{- end }}
       volumes:
-        - name: config-volume
-          configMap:
-            name: {{ include "csdp-add-cluster.fullname" . }}-cm
-            items:
-              - key: annotations
-                path: annotations.yaml
-              - key: labels
-                path: labels.yaml
+      - name: config-volume
+        configMap:
+          name: {{ include "csdp-add-cluster.fullname" . }}-cm
+          items:
+            - key: annotations
+              path: annotations.yaml
+            - key: labels
+              path: labels.yaml
+      {{- with .Values.extraVolumes }}
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+      restartPolicy: OnFailure

add-cluster/helm/templates/secret.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.codefresh.userToken.token }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -7,4 +8,5 @@ metadata:
     {{- include "csdp-add-cluster.labels" . | nindent 4 }}
 type: Opaque
 data:
-  csdpToken: {{ .Values.csdpToken | b64enc | quote }}
+  codefresh-api-token: {{ .Values.codefresh.userToken.token | b64enc | quote }}
+{{- end }}