feat: system runtimes in git (#586)

Author: mikhail-klimko

charts/cf-runtime/.ci/values-system-runtime.yaml

@@ -0,0 +1,43 @@
+global:
+  runtimeName: system/test-ci-runtime
+
+runtime:
+  agent: false
+  inCluster: false
+  description: "Test runtime created by venona-helm-chart-ci pipeline"
+  kubeconfigFilePath: /opt/codefresh/kubeconfigs/prod-ue1-runtime-free-1/kubeconfig
+  kubeconfigName: prod-ue1-runtime-free-1
+  dind:
+    pvcs:
+      dind:
+        storageClassName: dind-ebs-csi-us-east-1a-workflows
+    nodeSelector:
+      node-type: dind
+      topology.kubernetes.io/zone: us-east-1a
+    tolerations:
+    - key: codefresh.io
+      operator: Equal
+      value: dinds
+      effect: NoSchedule
+    schedulerName: default-scheduler
+  engine:
+    nodeSelector:
+      node-type: engine
+      topology.kubernetes.io/zone: us-east-1a
+    tolerations:
+    - key: codefresh.io
+      operator: Equal
+      value: engines
+      effect: NoSchedule
+    schedulerName: default-scheduler
+  accounts:
+    - 5672d8deb6724b6e359adf62 # codefresh-inc
+
+volumeProvisioner:
+  enabled: false
+
+monitor:
+  enabled: false
+
+appProxy:
+  enabled: false

charts/cf-runtime/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 description: A Helm chart for Codefresh Runner
 name: cf-runtime
-version: 7.7.4
+version: 7.8.0
 keywords:
   - codefresh
   - runner
@@ -17,14 +17,16 @@ annotations:
   artifacthub.io/containsSecurityUpdates: "true"
   # Supported kinds: `added`, `changed`, `deprecated`, `removed`, `fixed`, `security`:
   artifacthub.io/changes: |
-    - kind: security
-      description: "updated pikolo with security fixes"
-    - kind: security
-      description: "updated compose with security fixes"
-    - kind: security
-      description: "updated cf-docker-pusher with security fixes"
-    - kind: security
-      description: "updated cf-cosign-image-signer with security fixes"
+    - kind: changed
+      description: "(on-premise) Fix kubeconfigFilePath for agentless runtime"
+    - kind: added
+      description: "(on-premise) Add option to create extra agentless runtimes"
+    - kind: added
+      description: "Add cronjob to continuously patch runtime spec"
+    - kind: fixed
+      description: "Fix missing codefresh-dind-config ConfigMap in runtime spec"
+    - kind: changed
+      description: "Misc templates renaming"
 dependencies:
   - name: cf-common
     repository: oci://quay.io/codefresh/charts

charts/cf-runtime/README.md

@@ -17,7 +17,7 @@ Helm chart for deploying [Codefresh Runner](https://codefresh.io/docs/docs/insta
   - [To 4.x](#to-4-x)
   - [To 5.x](#to-5-x)
   - [To 6.x](#to-6-x)
-  - [To 7.x](#to-7-x)  
+  - [To 7.x](#to-7-x)
 - [Architecture](#architecture)
 - [Configuration](#configuration)
   - [EBS backend volume configuration in AWS](#ebs-backend-volume-configuration)
@@ -272,7 +272,7 @@ runtime:
       digest: sha256:d547c2044c1488e911ff726462cc417adf2dda731cafd736493c4de4eb9e357b
 ```
 
-Which means any overrides for tags won't be used and underlying Kubernetes runtime will pull the image by the digest. 
+Which means any overrides for tags won't be used and underlying Kubernetes runtime will pull the image by the digest.
 
 See [Pull an image by digest (immutable identifier)](https://docs.docker.com/reference/cli/docker/image/pull/#pull-an-image-by-digest-immutable-identifier)
 
@@ -957,7 +957,7 @@ NAMESPACE=cf-runtime
 CLUSTER_NAME=prod-ue1-some-cluster-name
 CURRENT_CONTEXT=$(kubectl config current-context)
 
-USER_TOKEN_VALUE=$(kubectl -n cf-runtime get secret/codefresh-runtime-user-token -o=go-template='{{ `{{.data.token}}` }}' | base64 --decode)
+USER_TOKEN_VALUE=$(kubectl -n $NAMESPACE get secret/codefresh-runtime-user-token -o=go-template='{{ `{{.data.token}}` }}' | base64 --decode)
 CURRENT_CLUSTER=$(kubectl config view --raw -o=go-template='{{ `{{range .contexts}}{{if eq .name "'''${CURRENT_CONTEXT}'''"}}{{ index .context "cluster" }}{{end}}{{end}}` }}')
 CLUSTER_CA=$(kubectl config view --raw -o=go-template='{{ `{{range .clusters}}{{if eq .name "'''${CURRENT_CLUSTER}'''"}}"{{with index .cluster "certificate-authority-data" }}{{.}}{{end}}"{{ end }}{{ end }}` }}')
 CLUSTER_SERVER=$(kubectl config view --raw -o=go-template='{{ `{{range .clusters}}{{if eq .name "'''${CURRENT_CLUSTER}'''"}}{{ .cluster.server }}{{end}}{{ end }}` }}')
@@ -984,7 +984,7 @@ clusters:
     certificate-authority-data: ${CLUSTER_CA}
     server: ${CLUSTER_SERVER}
 users:
-- name: ${CLUSTER_NAME}
+- name: codefresh-runtime-user
   user:
     token: ${USER_TOKEN_VALUE}
 EOF

charts/cf-runtime/README.md.gotmpl

@@ -0,0 +1,43 @@
+#!/bin/bash
+
+set -x
+
+NAMESPACE=$1
+if [ -z "$NAMESPACE" ]; then
+  echo "Usage: $0 <namespace> <cluster-name>"
+  exit 1
+fi
+CLUSTER_NAME=$2
+if [ -z "$CLUSTER_NAME" ]; then
+  echo "Usage: $0 <namespace> <cluster-name>"
+  exit 1
+fi
+CURRENT_CONTEXT=$(kubectl config current-context)
+
+USER_TOKEN_VALUE=$(kubectl -n $NAMESPACE get secret/codefresh-runtime-user-token -o=go-template='{{.data.token}}' | base64 --decode)
+CURRENT_CLUSTER=$(kubectl config view --raw -o=go-template='{{range .contexts}}{{if eq .name "'''${CURRENT_CONTEXT}'''"}}{{ index .context "cluster" }}{{end}}{{end}}')
+CLUSTER_CA=$(kubectl config view --raw -o=go-template='{{range .clusters}}{{if eq .name "'''${CURRENT_CLUSTER}'''"}}"{{with index .cluster "certificate-authority-data" }}{{.}}{{end}}"{{ end }}{{ end }}')
+CLUSTER_SERVER=$(kubectl config view --raw -o=go-template='{{range .clusters}}{{if eq .name "'''${CURRENT_CLUSTER}'''"}}{{ .cluster.server }}{{end}}{{ end }}')
+
+export -p USER_TOKEN_VALUE CURRENT_CONTEXT CURRENT_CLUSTER CLUSTER_CA CLUSTER_SERVER CLUSTER_NAME
+
+cat << EOF > $CLUSTER_NAME-kubeconfig
+apiVersion: v1
+kind: Config
+current-context: ${CLUSTER_NAME}
+contexts:
+- name: ${CLUSTER_NAME}
+  context:
+    cluster: ${CLUSTER_NAME}
+    user: codefresh-runtime-user
+    namespace: ${NAMESPACE}
+clusters:
+- name: ${CLUSTER_NAME}
+  cluster:
+    certificate-authority-data: ${CLUSTER_CA}
+    server: ${CLUSTER_SERVER}
+users:
+- name: codefresh-runtime-user
+  user:
+    token: ${USER_TOKEN_VALUE}
+EOF

charts/cf-runtime/files/configure-dind-certs.sh

@@ -0,0 +1,49 @@
+#!/bin/bash
+
+set -x
+
+AGENT=${AGENT:-true}
+API_HOST=${API_HOST:-""}
+API_KEY=${API_KEY:-""}
+
+(set +x; codefresh auth create-context --api-key $API_KEY --url $API_HOST)
+
+if [[ "$AGENT" == "true" ]]; then
+    patch_type="re"
+else
+    patch_type="sys-re"
+fi
+
+modify_accounts() {
+    local runtime_name_encoded
+    runtime_name_encoded=$(yq '.metadata.name' "$1" | jq -r @uri)
+    local accounts
+    accounts=$(yq '.accounts' "$1")
+
+    if [[ -n $accounts ]]; then
+        local payload
+        payload=$(echo "$accounts" | jq '{accounts: .}')
+        set +x
+        curl -X PUT \
+            -H "Content-Type: application/json" \
+            -H "Authorization: $API_KEY" \
+            -d "$payload" \
+            "$API_HOST/api/admin/runtime-environments/account/modify/$runtime_name_encoded"
+    else
+        echo "No accounts to add for $1"
+    fi
+}
+
+for runtime in /opt/codefresh/*.yaml; do
+    if [[ -f $runtime ]]; then
+        codefresh patch $patch_type -f $runtime
+        modify_accounts "$runtime"
+    fi
+done
+
+for runtime in /opt/codefresh/runtime.d/system/*.yaml; do
+    if [[ -f $runtime ]]; then
+        codefresh patch sys-re -f $runtime
+        modify_accounts "$runtime"
+    fi
+done

charts/cf-runtime/files/create-kubeconfig.sh

@@ -11,7 +11,7 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 If release name contains chart name it will be used as a full name.
 */}}
 {{- define "event-exporter.fullname" -}}
-    {{- printf "%s-%s" (include "cf-runtime.fullname" .) "event-exporter" | trunc 63 | trimSuffix "-" }}
+    {{- coalesce .Values.name (printf "%s-%s" (include "cf-runtime.fullname" .) "event-exporter" | trunc 63 | trimSuffix "-") }}
 {{- end }}
 
 {{/*

charts/cf-runtime/files/patch-runtime.sh

@@ -11,7 +11,7 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 If release name contains chart name it will be used as a full name.
 */}}
 {{- define "runner.fullname" -}}
-  {{- printf "%s-%s" (include "cf-runtime.fullname" .) "runner" | trunc 63 | trimSuffix "-" }}
+  {{- coalesce .Values.name (printf "%s-%s" (include "cf-runtime.fullname" .) "runner" | trunc 63 | trimSuffix "-") }}
 {{- end }}
 
 {{/*

charts/cf-runtime/templates/_components/event-exporter/_helpers.tpl

@@ -11,15 +11,15 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 If release name contains chart name it will be used as a full name.
 */}}
 {{- define "dind-volume-provisioner.fullname" -}}
-    {{- printf "%s-%s" (include "cf-runtime.fullname" .) "volume-provisioner" | trunc 63 | trimSuffix "-" }}
+    {{- coalesce .Values.name (printf "%s-%s" (include "cf-runtime.fullname" .) "volume-provisioner" | trunc 63 | trimSuffix "-") }}
 {{- end }}
 
 {{- define "dind-volume-cleanup.fullname" -}}
-    {{- printf "%s-%s" (include "cf-runtime.fullname" .) "volume-cleanup" | trunc 52 | trimSuffix "-" }}
+    {{- coalesce .Values.name (printf "%s-%s" (include "cf-runtime.fullname" .) "volume-cleanup" | trunc 52 | trimSuffix "-") }}
 {{- end }}
 
 {{- define "dind-lv-monitor.fullname" -}}
-    {{- printf "%s-%s" (include "cf-runtime.fullname" .) "lv-monitor" | trunc 63 | trimSuffix "-" }}
+    {{- coalesce .Values.name (printf "%s-%s" (include "cf-runtime.fullname" .) "lv-monitor" | trunc 63 | trimSuffix "-") }}
 {{- end }}
 
 {{/*
@@ -89,5 +89,5 @@ Create the name of the service account to use
 {{- end }}
 
 {{- define "dind-volume-provisioner.storageClassName" }}
-{{- printf "dind-local-volumes-runner-%s" .Release.Namespace }}
-{{- end }}
+{{- coalesce .Values.storage.fullnameOverride (printf "dind-local-volumes-runner-%s" .Release.Namespace) }}
+{{- end }}