249 lines
11 KiB
YAML
249 lines
11 KiB
YAML
# Tekton Update GitOps Task for Bakery-IA CI/CD
|
|
# This task updates GitOps manifests with new image tags
|
|
|
|
apiVersion: tekton.dev/v1beta1
|
|
kind: Task
|
|
metadata:
|
|
name: update-gitops
|
|
namespace: {{ .Release.Namespace }}
|
|
labels:
|
|
app.kubernetes.io/name: {{ .Values.labels.app.name }}
|
|
app.kubernetes.io/component: gitops
|
|
spec:
|
|
workspaces:
|
|
- name: source
|
|
description: Workspace containing the source code
|
|
- name: git-credentials
|
|
description: Git credentials for pushing changes
|
|
params:
|
|
- name: services
|
|
type: string
|
|
description: Comma-separated list of services to update
|
|
- name: registry
|
|
type: string
|
|
description: Container registry URL
|
|
- name: git-revision
|
|
type: string
|
|
description: Git revision to tag images with
|
|
- name: git-branch
|
|
type: string
|
|
description: Git branch to push changes to
|
|
- name: dry-run
|
|
type: string
|
|
description: Dry run mode - don't push changes
|
|
default: "false"
|
|
steps:
|
|
- name: update-manifests
|
|
image: alpine/git:2.43.0
|
|
securityContext:
|
|
runAsNonRoot: true
|
|
runAsUser: 65532
|
|
allowPrivilegeEscalation: false
|
|
capabilities:
|
|
drop:
|
|
- ALL
|
|
seccompProfile:
|
|
type: RuntimeDefault
|
|
workingDir: $(workspaces.source.path)
|
|
env:
|
|
- name: HOME
|
|
value: /tekton/home
|
|
- name: GIT_USERNAME
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: gitea-git-credentials
|
|
key: username
|
|
- name: GIT_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: gitea-git-credentials
|
|
key: password
|
|
script: |
|
|
#!/bin/sh
|
|
set -e
|
|
|
|
echo "============================================"
|
|
echo "Updating GitOps Manifests"
|
|
echo "Services: $(params.services)"
|
|
echo "Registry: $(params.registry)"
|
|
echo "Revision: $(params.git-revision)"
|
|
echo "Branch: $(params.git-branch)"
|
|
echo "Dry run: $(params.dry-run)"
|
|
echo "============================================"
|
|
|
|
# Configure git
|
|
git config --global user.email "ci@bakery-ia.local"
|
|
git config --global user.name "bakery-ia-ci"
|
|
# Mark directories as safe to avoid ownership issues
|
|
git config --global --add safe.directory /tmp/gitops
|
|
git config --global --add safe.directory "$(workspaces.source.path)"
|
|
|
|
# Clone the main repository (not a separate gitops repo)
|
|
# Use external HTTPS URL via ingress for reliable TLS connectivity
|
|
REPO_URL="https://${GIT_USERNAME}:${GIT_PASSWORD}@gitea.bakewise.ai/bakery-admin/bakery-ia.git"
|
|
git clone "$REPO_URL" /tmp/gitops
|
|
|
|
cd /tmp/gitops
|
|
|
|
# Switch to target branch
|
|
# The git-branch param may come as "refs/heads/main" from webhook, extract just the branch name
|
|
BRANCH_NAME=$(echo "$(params.git-branch)" | sed 's|refs/heads/||')
|
|
echo "Target branch: $BRANCH_NAME"
|
|
git checkout "$BRANCH_NAME" || git checkout -b "$BRANCH_NAME"
|
|
|
|
# Compute short hash once for job name updates
|
|
SHORT_HASH=$(echo "$(params.git-revision)" | cut -c 1-8)
|
|
|
|
# Handle special cases for service discovery
|
|
# "all" = all services + gateway + frontend
|
|
# "services-and-gateway" = all services + gateway (no frontend) - used when shared/ changes
|
|
SERVICES_PARAM=$(echo "$(params.services)" | tr -d '\n' | tr -d ' ')
|
|
WORKSPACE="$(workspaces.source.path)"
|
|
|
|
if [ "$SERVICES_PARAM" = "all" ] || [ "$SERVICES_PARAM" = "services-and-gateway" ]; then
|
|
echo "Expanding '$SERVICES_PARAM' to actual service list..."
|
|
SERVICES=""
|
|
# Find all services with Dockerfiles
|
|
if [ -d "$WORKSPACE/services" ]; then
|
|
for svc_name in $(ls "$WORKSPACE/services/"); do
|
|
if [ -f "$WORKSPACE/services/$svc_name/Dockerfile" ]; then
|
|
if [ -z "$SERVICES" ]; then
|
|
SERVICES="$svc_name"
|
|
else
|
|
SERVICES="$SERVICES,$svc_name"
|
|
fi
|
|
fi
|
|
done
|
|
fi
|
|
# Add gateway
|
|
if [ -d "$WORKSPACE/gateway" ]; then
|
|
if [ -z "$SERVICES" ]; then
|
|
SERVICES="gateway"
|
|
else
|
|
SERVICES="$SERVICES,gateway"
|
|
fi
|
|
fi
|
|
# Add frontend ONLY for "all" (not for "services-and-gateway")
|
|
if [ "$SERVICES_PARAM" = "all" ] && [ -d "$WORKSPACE/frontend" ]; then
|
|
if [ -z "$SERVICES" ]; then
|
|
SERVICES="frontend"
|
|
else
|
|
SERVICES="$SERVICES,frontend"
|
|
fi
|
|
fi
|
|
echo "Expanded services: $SERVICES"
|
|
else
|
|
SERVICES="$SERVICES_PARAM"
|
|
fi
|
|
|
|
# Update image tags in Kubernetes manifests
|
|
# Service names come from detect-changes task as folder names: auth, tenant, ai_insights, etc.
|
|
for service in $(echo "$SERVICES" | tr ',' '\n'); do
|
|
service=$(echo "$service" | xargs) # Trim whitespace
|
|
if [ -n "$service" ] && [ "$service" != "none" ] && [ "$service" != "infrastructure" ] && [ "$service" != "shared" ]; then
|
|
echo ""
|
|
echo "============================================"
|
|
echo "Updating manifest for service: $service"
|
|
echo "============================================"
|
|
|
|
# IMAGE_NAME is the same as the service folder name (matching Kaniko output)
|
|
# This ensures consistency: folder name = image name = manifest reference
|
|
IMAGE_NAME="$service"
|
|
|
|
# Determine manifest paths based on service
|
|
# Directory structure uses hyphens: ai-insights, alert-processor, demo-session
|
|
# But image names use underscores: ai_insights, alert_processor, demo_session
|
|
service_dir=$(echo "$service" | sed 's/_/-/g')
|
|
|
|
if [ "$service" = "gateway" ]; then
|
|
MANIFEST_PATH="infrastructure/platform/gateway/gateway-service.yaml"
|
|
elif [ "$service" = "frontend" ]; then
|
|
MANIFEST_PATH="infrastructure/services/microservices/frontend/frontend-service.yaml"
|
|
elif [ "$service" = "alert_processor" ]; then
|
|
MANIFEST_PATH="infrastructure/services/microservices/alert-processor/alert-processor.yaml"
|
|
elif [ "$service" = "demo_session" ]; then
|
|
# demo-session uses deployment.yaml instead of demo-session-service.yaml
|
|
MANIFEST_PATH="infrastructure/services/microservices/demo-session/deployment.yaml"
|
|
else
|
|
# Standard services: auth, tenant, orders, inventory, etc.
|
|
# Also handles: ai_insights -> ai-insights, external -> external
|
|
MANIFEST_PATH="infrastructure/services/microservices/${service_dir}/${service_dir}-service.yaml"
|
|
fi
|
|
|
|
# Update the image tag in the deployment YAML
|
|
if [ -f "$MANIFEST_PATH" ]; then
|
|
# Update image reference - match the exact image name pattern used in manifests
|
|
sed -i "s|image: registry.bakewise.ai/bakery-admin/${IMAGE_NAME}:.*|image: $(params.registry)/${IMAGE_NAME}:$(params.git-revision)|g" "$MANIFEST_PATH"
|
|
echo "Updated: $MANIFEST_PATH -> $(params.registry)/${IMAGE_NAME}:$(params.git-revision)"
|
|
else
|
|
echo "Warning: Manifest not found: $MANIFEST_PATH"
|
|
fi
|
|
|
|
# Update migration job if it exists
|
|
# Migration jobs use the hyphenated directory name
|
|
MIGRATION_JOB_PATH="infrastructure/services/microservices/${service_dir}/migrations/${service_dir}-migration-job.yaml"
|
|
if [ -f "$MIGRATION_JOB_PATH" ]; then
|
|
# Update migration job image reference
|
|
sed -i "s|image: registry.bakewise.ai/bakery-admin/${IMAGE_NAME}:.*|image: $(params.registry)/${IMAGE_NAME}:$(params.git-revision)|g" "$MIGRATION_JOB_PATH"
|
|
# Update job name to include short commit hash (makes it unique for K8s)
|
|
sed -i "s|name: ${service_dir}-migration-[a-f0-9]*|name: ${service_dir}-migration-${SHORT_HASH}|g" "$MIGRATION_JOB_PATH"
|
|
# Also update labels to match
|
|
sed -i "s|app.kubernetes.io/name: ${service_dir}-migration-[a-f0-9]*|app.kubernetes.io/name: ${service_dir}-migration-${SHORT_HASH}|g" "$MIGRATION_JOB_PATH"
|
|
echo "Updated migration: $MIGRATION_JOB_PATH"
|
|
fi
|
|
|
|
# Special case: external service has additional jobs
|
|
if [ "$service" = "external" ]; then
|
|
# Update external-data-init job
|
|
EXTERNAL_DATA_INIT_JOB="infrastructure/services/microservices/external/migrations/external-data-init-job.yaml"
|
|
if [ -f "$EXTERNAL_DATA_INIT_JOB" ]; then
|
|
sed -i "s|image: registry.bakewise.ai/bakery-admin/external:.*|image: $(params.registry)/external:$(params.git-revision)|g" "$EXTERNAL_DATA_INIT_JOB"
|
|
sed -i "s|name: external-data-init-[a-f0-9]*|name: external-data-init-${SHORT_HASH}|g" "$EXTERNAL_DATA_INIT_JOB"
|
|
echo "Updated external-data-init job: $EXTERNAL_DATA_INIT_JOB"
|
|
fi
|
|
|
|
# Update external-data-rotation cronjob
|
|
EXTERNAL_DATA_ROTATION_JOB="infrastructure/services/microservices/external/cronjobs/external-data-rotation-cronjob.yaml"
|
|
if [ -f "$EXTERNAL_DATA_ROTATION_JOB" ]; then
|
|
sed -i "s|image: registry.bakewise.ai/bakery-admin/external:.*|image: $(params.registry)/external:$(params.git-revision)|g" "$EXTERNAL_DATA_ROTATION_JOB"
|
|
sed -i "s|name: external-data-rotation-[a-f0-9]*|name: external-data-rotation-${SHORT_HASH}|g" "$EXTERNAL_DATA_ROTATION_JOB"
|
|
echo "Updated external-data-rotation cronjob: $EXTERNAL_DATA_ROTATION_JOB"
|
|
fi
|
|
fi
|
|
|
|
# Special case: demo_session service has cleanup worker
|
|
if [ "$service" = "demo_session" ]; then
|
|
DEMO_CLEANUP_WORKER="infrastructure/services/microservices/demo-session/demo-cleanup-worker.yaml"
|
|
if [ -f "$DEMO_CLEANUP_WORKER" ]; then
|
|
sed -i "s|image: registry.bakewise.ai/bakery-admin/demo_session:.*|image: $(params.registry)/demo_session:$(params.git-revision)|g" "$DEMO_CLEANUP_WORKER"
|
|
sed -i "s|name: demo-cleanup-worker-[a-f0-9]*|name: demo-cleanup-worker-${SHORT_HASH}|g" "$DEMO_CLEANUP_WORKER"
|
|
echo "Updated demo-cleanup-worker: $DEMO_CLEANUP_WORKER"
|
|
fi
|
|
fi
|
|
fi
|
|
done
|
|
|
|
# Commit and push changes (unless dry-run)
|
|
if [ "$(params.dry-run)" != "true" ]; then
|
|
git add .
|
|
git status
|
|
if ! git diff --cached --quiet; then
|
|
git commit -m "Update images for services: $SERVICES [skip ci]"
|
|
echo "Pushing to branch: $BRANCH_NAME"
|
|
git push origin "HEAD:$BRANCH_NAME"
|
|
echo "GitOps manifests updated successfully"
|
|
else
|
|
echo "No changes to commit"
|
|
fi
|
|
else
|
|
echo "Dry run mode - changes not pushed"
|
|
git status
|
|
git diff
|
|
fi
|
|
resources:
|
|
limits:
|
|
cpu: 500m
|
|
memory: 512Mi
|
|
requests:
|
|
cpu: 100m
|
|
memory: 128Mi |