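# Tekton Update GitOps Task for Bakery-IA CI/CD
#
# This task updates GitOps manifests with new image tags. It clones the
# bakery-ia repository, points the `image:` lines of the requested services'
# manifests (and their migration/cron Jobs, where present) at
# <registry>/<image>:<git-revision>, then commits and pushes the result to the
# target branch. With dry-run=true the diff is printed and nothing is pushed.
#
# Pipeline params are handed to the script as environment variables instead of
# being substituted into the script body, so a param value is never
# interpreted as shell syntax. Git credentials reach git through a credential
# helper rather than being embedded in the clone URL, so they are not written
# to /tmp/gitops/.git/config and do not show up in git's error output.
---
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: update-gitops
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app.kubernetes.io/name: {{ .Values.labels.app.name | quote }}
    app.kubernetes.io/component: gitops
spec:
  workspaces:
    - name: source
      description: Workspace containing the source code
    # NOTE(review): this workspace is declared but never read by the step
    # below, which takes its credentials from the gitea-git-credentials
    # Secret; kept so existing PipelineRuns that bind it keep working.
    - name: git-credentials
      description: Git credentials for pushing changes
  params:
    - name: services
      type: string
      description: Comma-separated list of services to update
    - name: registry
      type: string
      description: Container registry URL
    - name: git-revision
      type: string
      description: Git revision to tag images with
    - name: git-branch
      type: string
      description: Git branch to push changes to
    - name: dry-run
      type: string
      description: Dry run mode - don't push changes
      default: "false"
  steps:
    - name: update-manifests
      # Tag-pinned; pinning by digest (alpine/git@sha256:<digest>) would make
      # the step image immutable.
      image: alpine/git:2.43.0
      securityContext:
        runAsNonRoot: true
        runAsUser: 65532
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
        seccompProfile:
          type: RuntimeDefault
      workingDir: $(workspaces.source.path)
      env:
        - name: HOME
          value: /tekton/home
        # Params are exposed as env vars; the script reads $SERVICES etc. and
        # never has a param value spliced into its own text.
        - name: SERVICES
          value: $(params.services)
        - name: REGISTRY
          value: $(params.registry)
        - name: GIT_REVISION
          value: $(params.git-revision)
        - name: GIT_BRANCH
          value: $(params.git-branch)
        - name: DRY_RUN
          value: $(params.dry-run)
        - name: GIT_USERNAME
          valueFrom:
            secretKeyRef:
              name: gitea-git-credentials
              key: username
        - name: GIT_PASSWORD
          valueFrom:
            secretKeyRef:
              name: gitea-git-credentials
              key: password
      script: |
        #!/bin/sh
        # -u: every variable used below is either a step env var or assigned
        # before use, so an unset one is a bug worth failing on.
        set -eu

        # Registry the committed manifests currently point at.
        SOURCE_REGISTRY="registry.bakewise.ai/bakery-admin"
        GITOPS_DIR="/tmp/gitops"
        # First 7 characters of the revision, appended to Job names so each
        # revision yields a uniquely named Job (avoids immutable-field errors)
        # while staying under the 63-character limit. Computed once, up front,
        # so it is defined for every branch of the loop below.
        # Assumes git-revision is a commit SHA; see suffix_job_name.
        SHORT_HASH=$(printf '%s' "$GIT_REVISION" | cut -c 1-7)

        echo "============================================"
        echo "Updating GitOps Manifests"
        echo "Services: $SERVICES"
        echo "Registry: $REGISTRY"
        echo "Revision: $GIT_REVISION"
        echo "Branch: $GIT_BRANCH"
        echo "Dry run: $DRY_RUN"
        echo "============================================"

        # The sed expressions below use "|" as delimiter and splice these
        # values into pattern and replacement, so sed metacharacters in them
        # would corrupt the rewrite; refuse them early.
        case "${REGISTRY}${GIT_REVISION}${SERVICES}" in
          *'|'* | *'&'* | *'\'*)
            echo "Error: registry, git-revision and services must not contain '|', '&' or backslash" >&2
            exit 1
            ;;
        esac

        # update_image FILE SOURCE_IMAGE TARGET_IMAGE
        # Rewrite "image: SOURCE_IMAGE:<tag>" to "image: TARGET_IMAGE:$GIT_REVISION".
        # Any existing tag, including a sha256 digest reference, is matched.
        # "image: TARGET_IMAGE:<tag>" is rewritten as well so a manifest already
        # pointed at the target registry by an earlier run is still updated.
        update_image() {
          for src in "$2" "$3"; do
            sed -i "s|image: ${src}:.*|image: $3:${GIT_REVISION}|g" "$1"
          done
        }

        # suffix_job_name FILE BASE_NAME
        # Rename "name: BASE_NAME" to "name: BASE_NAME-$SHORT_HASH" and keep the
        # app.kubernetes.io/name label in step with it. A 7-hex-char suffix
        # left by a previous run is stripped first; otherwise the name would
        # grow by eight characters on every run of the pipeline.
        suffix_job_name() {
          sed -i "s|\(name: $2\)-[0-9a-f]\{7\}$|\1|" "$1"
          sed -i "s|name: $2|name: $2-${SHORT_HASH}|g" "$1"
          sed -i "s|app.kubernetes.io/name: $2-.*|app.kubernetes.io/name: $2-${SHORT_HASH}|g" "$1"
        }

        # update_migration_job SERVICE_DIR SERVICE IMAGE_NAME
        # Find the service's migration Job under its migrations/ directory,
        # trying the directory-based name first and the full service name
        # second, and update the first one found.
        update_migration_job() {
          for base in "$1-migration" "$2-migration"; do
            job="infrastructure/services/microservices/$1/migrations/${base}-job.yaml"
            if [ -f "$job" ]; then
              update_image "$job" "${SOURCE_REGISTRY}/$3" "${REGISTRY}/$3"
              suffix_job_name "$job" "$base"
              echo "Updated migration job: $job -> ${REGISTRY}/$3:${GIT_REVISION}"
              echo "Updated job name and labels to include short commit hash for immutability"
              return 0
            fi
          done
          echo "Info: No migration job found for $2"
        }

        # update_extra_job FILE SOURCE_IMAGE TARGET_IMAGE BASE_NAME DESCRIPTION
        # Same treatment for the one-off Jobs/CronJobs that do not follow the
        # migrations/ layout; a missing FILE is skipped without a message.
        update_extra_job() {
          if [ -f "$1" ]; then
            update_image "$1" "$2" "$3"
            suffix_job_name "$1" "$4"
            echo "Updated $5: $1"
          fi
        }

        # Configure git
        git config --global user.email "ci@bakery-ia.local"
        git config --global user.name "bakery-ia-ci"
        # Mark directories as safe to avoid ownership issues
        git config --global --add safe.directory "$GITOPS_DIR"
        git config --global --add safe.directory "$(workspaces.source.path)"
        # Hand the credentials to git through a helper so the clone URL stays
        # free of secrets: nothing sensitive is persisted in .git/config or
        # echoed back in git's error messages.
        git config --global credential.helper \
          '!f() { printf "username=%s\npassword=%s\n" "$GIT_USERNAME" "$GIT_PASSWORD"; }; f'

        # Clone the main repository (not a separate gitops repo)
        # Use external HTTPS URL via ingress for reliable TLS connectivity
        git clone "https://gitea.bakewise.ai/bakery-admin/bakery-ia.git" "$GITOPS_DIR"
        cd "$GITOPS_DIR"

        # Switch to target branch
        git checkout "$GIT_BRANCH" || git checkout -b "$GIT_BRANCH"

        # Update image tags in Kubernetes manifests. Word splitting on the
        # newline-separated list already trims surrounding whitespace.
        for service in $(printf '%s' "$SERVICES" | tr ',' '\n'); do
          if [ -z "$service" ] || [ "$service" = "none" ] || [ "$service" = "infrastructure" ] || [ "$service" = "shared" ]; then
            continue
          fi
          echo "Updating manifest for service: $service"

          # Per-service values are assigned in every branch so nothing leaks
          # from the previous iteration into this one.
          case "$service" in
            gateway)
              # gateway lives under platform/ and its image name is just "gateway"
              service_dir="$service"
              MANIFEST_PATH="infrastructure/platform/gateway/gateway-service.yaml"
              IMAGE_NAME="gateway"
              ;;
            frontend)
              # frontend service uses "dashboard" as image name
              service_dir="$service"
              MANIFEST_PATH="infrastructure/services/microservices/frontend/frontend-service.yaml"
              IMAGE_NAME="dashboard"
              ;;
            alert-processor)
              service_dir="$service"
              MANIFEST_PATH="infrastructure/services/microservices/alert-processor/alert-processor.yaml"
              IMAGE_NAME="alert-processor"
              ;;
            *)
              # Service names come in as "auth-service", "tenant-service", etc.
              # Directory names drop the -service suffix: "auth", "tenant",
              # "demo-session".
              service_dir="${service%-service}"
              svc_root="infrastructure/services/microservices/$service_dir"
              # Check the possible manifest file names; fall back to the
              # standard pattern so the warning below names what was expected.
              if [ -f "$svc_root/deployment.yaml" ]; then
                MANIFEST_PATH="$svc_root/deployment.yaml"
              elif [ -f "$svc_root/${service_dir}-service.yaml" ]; then
                MANIFEST_PATH="$svc_root/${service_dir}-service.yaml"
              elif [ -f "$svc_root/${service}.yaml" ]; then
                MANIFEST_PATH="$svc_root/${service}.yaml"
              else
                MANIFEST_PATH="$svc_root/${service_dir}-service.yaml"
              fi
              # Image name is the service name as-is (e.g., auth-service)
              IMAGE_NAME="$service"
              ;;
          esac

          # Update the image tag in the deployment YAML
          if [ -f "$MANIFEST_PATH" ]; then
            update_image "$MANIFEST_PATH" "${SOURCE_REGISTRY}/${IMAGE_NAME}" "${REGISTRY}/${IMAGE_NAME}"
            echo "Updated image in: $MANIFEST_PATH -> ${REGISTRY}/${IMAGE_NAME}:${GIT_REVISION}"
          else
            echo "Warning: Manifest file not found: $MANIFEST_PATH"
            echo " Service: $service, service_dir: $service_dir, IMAGE_NAME: $IMAGE_NAME"
          fi

          # Also update the migration job if it exists
          update_migration_job "$service_dir" "$service" "$IMAGE_NAME"

          # Special case: external-data-init job and external-data-rotation cronjob
          if [ "$service" = "external" ]; then
            update_extra_job "infrastructure/services/microservices/external/migrations/external-data-init-job.yaml" \
              "bakery/external-service" "${REGISTRY}/external" "external-data-init" "external-data-init job"
            update_extra_job "infrastructure/services/microservices/external/cronjobs/external-data-rotation-cronjob.yaml" \
              "bakery/external-service" "${REGISTRY}/external" "external-data-rotation" "external-data-rotation cronjob"
          fi

          # Special case: demo-cleanup-worker
          if [ "$service" = "demo-session" ]; then
            update_extra_job "infrastructure/services/microservices/demo-session/demo-cleanup-worker.yaml" \
              "bakery/demo-session-service" "${REGISTRY}/demo_session" "demo-cleanup-worker" "demo-cleanup-worker"
          fi
        done

        # Commit and push changes (unless dry-run)
        if [ "$DRY_RUN" != "true" ]; then
          git add .
          git status
          if git diff --cached --quiet; then
            echo "No changes to commit"
          else
            git commit -m "Update images for services: $SERVICES [skip ci]"
            git push origin "$GIT_BRANCH"
            echo "GitOps manifests updated successfully"
          fi
        else
          echo "Dry run mode - changes not pushed"
          git status
          git diff
        fi
      resources:
        limits:
          cpu: 500m
          memory: 512Mi
        requests:
          cpu: 100m
          memory: 128Mi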