From f877ab09509dcc0461c4ecba7fd9d0ce57ac7c1e Mon Sep 17 00:00:00 2001 
From: Aaron Siddhartha Mondal
Date: Sat, 2 Nov 2024 02:35:47 +0100
Subject: [PATCH] Move custom tekton resources to flux (#1446)
---
.github/workflows/lre.yaml | 7 ++
.../components/operator/flux-config.yaml | 19 +++
.../tekton-resources}/cosign-verify.yaml | 0
.../tekton-resources}/kustomization.yaml | 12 +-
.../nix2container-copyto.yaml | 0
.../nix2container-image-info.yaml | 0
.../tekton-resources}/rebuild-nativelink.yaml | 0
.../skopeo-check-hashlocked-url.yaml | 0
.../tekton-resources}/skopeo-copy.yaml | 0
.../components/tekton-resources}/trigger.yaml | 0
.../tekton-resources}/update-image-tags.yaml | 0
native-cli/components/capacitor.go | 40 +++++++
native-cli/components/rebuild-nativelink.go | 109 ------------------
native-cli/default.nix | 4 +-
native-cli/programs/local.go | 41 +++----
15 files changed, 88 insertions(+), 144 deletions(-)
rename {native-cli/components/embedded => kubernetes/components/tekton-resources}/cosign-verify.yaml (100%)
rename {native-cli/components/embedded => kubernetes/components/tekton-resources}/kustomization.yaml (59%)
rename {native-cli/components/embedded => kubernetes/components/tekton-resources}/nix2container-copyto.yaml (100%)
rename {native-cli/components/embedded => kubernetes/components/tekton-resources}/nix2container-image-info.yaml (100%)
rename {native-cli/components/embedded => kubernetes/components/tekton-resources}/rebuild-nativelink.yaml (100%)
rename {native-cli/components/embedded => kubernetes/components/tekton-resources}/skopeo-check-hashlocked-url.yaml (100%)
rename {native-cli/components/embedded => kubernetes/components/tekton-resources}/skopeo-copy.yaml (100%)
rename {native-cli/components/embedded => kubernetes/components/tekton-resources}/trigger.yaml (100%)
rename {native-cli/components/embedded => kubernetes/components/tekton-resources}/update-image-tags.yaml (100%)
create mode 100644 native-cli/components/capacitor.go
delete mode 100644 native-cli/components/rebuild-nativelink.go
diff --git a/.github/workflows/lre.yaml b/.github/workflows/lre.yaml index 4be52f1b3..36c40a406 100644 --- a/.github/workflows/lre.yaml +++ b/.github/workflows/lre.yaml @@ -144,6 +144,13 @@ jobs: kubectl apply -k . && rm kustomization.yaml' + - name: Wait for Tekton resources + run: > + nix develop --impure --command + bash -c "flux reconcile kustomization -n default \ + --timeout=15m \ + nativelink-tekton-resources" + - name: Wait for Tekton pipelines run: > nix develop --impure --command diff --git a/kubernetes/components/operator/flux-config.yaml b/kubernetes/components/operator/flux-config.yaml index c016867f5..cd6305a9a 100644 --- a/kubernetes/components/operator/flux-config.yaml +++ b/kubernetes/components/operator/flux-config.yaml @@ -108,3 +108,22 @@ spec: name: nativelink-image-tags dependsOn: - name: nativelink-configmaps + - name: nativelink-tekton-resources +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: nativelink-tekton-resources + namespace: default +spec: + interval: 2m + path: "./kubernetes/components/tekton-resources" + prune: true + force: true + retryInterval: 20s + targetNamespace: default + wait: true + sourceRef: + kind: GitRepository + name: nativelink + namespace: default diff --git a/native-cli/components/embedded/cosign-verify.yaml b/kubernetes/components/tekton-resources/cosign-verify.yaml similarity index 100% rename from native-cli/components/embedded/cosign-verify.yaml rename to kubernetes/components/tekton-resources/cosign-verify.yaml diff --git a/native-cli/components/embedded/kustomization.yaml b/kubernetes/components/tekton-resources/kustomization.yaml similarity index 59% rename from native-cli/components/embedded/kustomization.yaml rename to kubernetes/components/tekton-resources/kustomization.yaml index ee9687080..01ed69030 100644 --- a/native-cli/components/embedded/kustomization.yaml +++ b/kubernetes/components/tekton-resources/kustomization.yaml 
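Review bot: The new `nativelink-tekton-resources` Kustomization sets no `serviceAccountName`, so kustomize-controller applies these manifests under its own identity (typically cluster-admin in a default Flux install), and with `prune: true` and `force: true` it may delete and recreate anything under that path; the path includes `rebuild-nativelink.yaml`, whose Go doc comment deleted elsewhere in this commit says the Task escalates to `SYS_ADMIN`, so a push to the `nativelink` GitRepository ref now lands a privileged Task in the cluster with no Pulumi step in between. Consider an impersonation account scoped to what these Tasks need, e.g. `serviceAccountName: nativelink-tekton-resources`, and at minimum a comment on this object stating that its source ref is a privileged input. The object also has no `dependsOn`, so unlike the removed Pulumi component (which listed `tektonPipelines` and `tektonTriggers` as dependencies) it relies on `retryInterval: 20s` to ride out the Tekton CRDs not existing yet; if that is intended, a one-line comment saying so would spare the next reader a trip to the controller logs.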
@@ -1,13 +1,13 @@ --- +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + resources: + - cosign-verify.yaml - nix2container-copyto.yaml + - nix2container-image-info.yaml - rebuild-nativelink.yaml - - skopeo-copy.yaml - - cosign-verify.yaml - skopeo-check-hashlocked-url.yaml - - nix2container-image-info.yaml + - skopeo-copy.yaml - trigger.yaml - update-image-tags.yaml - - capacitor.yaml - # - nativelink-gateways.yaml # Gateways are handled in Pulumi via the - # NativeLinkGateways resource. diff --git a/native-cli/components/embedded/nix2container-copyto.yaml b/kubernetes/components/tekton-resources/nix2container-copyto.yaml similarity index 100% rename from native-cli/components/embedded/nix2container-copyto.yaml rename to kubernetes/components/tekton-resources/nix2container-copyto.yaml diff --git a/native-cli/components/embedded/nix2container-image-info.yaml b/kubernetes/components/tekton-resources/nix2container-image-info.yaml similarity index 100% rename from native-cli/components/embedded/nix2container-image-info.yaml rename to kubernetes/components/tekton-resources/nix2container-image-info.yaml diff --git a/native-cli/components/embedded/rebuild-nativelink.yaml b/kubernetes/components/tekton-resources/rebuild-nativelink.yaml similarity index 100% rename from native-cli/components/embedded/rebuild-nativelink.yaml rename to kubernetes/components/tekton-resources/rebuild-nativelink.yaml diff --git a/native-cli/components/embedded/skopeo-check-hashlocked-url.yaml b/kubernetes/components/tekton-resources/skopeo-check-hashlocked-url.yaml similarity index 100% rename from native-cli/components/embedded/skopeo-check-hashlocked-url.yaml rename to kubernetes/components/tekton-resources/skopeo-check-hashlocked-url.yaml 
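Review bot: With this resource list now consumed by Flux instead of the Pulumi component, the only text in the repository warning that `rebuild-nativelink.yaml` escalates to `SYS_ADMIN` to reach the host nix socket and kind's container daemon (the Go doc comment deleted in this same commit) disappears. Carry it over as a comment above that entry, e.g. `# rebuild-nativelink.yaml: local-dev only; the Task runs with SYS_ADMIN against the host nix store — do not reconcile this Component outside the kind cluster.` The file is also changed to `kind: Component` while the Flux Kustomization points straight at this directory rather than at an overlay listing it under `components:`; if building a Component directory directly is the intended usage, a short comment here would explain the unusual shape.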
diff --git a/native-cli/components/embedded/skopeo-copy.yaml b/kubernetes/components/tekton-resources/skopeo-copy.yaml
similarity index 100%
rename from native-cli/components/embedded/skopeo-copy.yaml
rename to kubernetes/components/tekton-resources/skopeo-copy.yaml
diff --git a/native-cli/components/embedded/trigger.yaml b/kubernetes/components/tekton-resources/trigger.yaml
similarity index 100%
rename from native-cli/components/embedded/trigger.yaml
rename to kubernetes/components/tekton-resources/trigger.yaml
diff --git a/native-cli/components/embedded/update-image-tags.yaml b/kubernetes/components/tekton-resources/update-image-tags.yaml
similarity index 100%
rename from native-cli/components/embedded/update-image-tags.yaml
rename to kubernetes/components/tekton-resources/update-image-tags.yaml
diff --git a/native-cli/components/capacitor.go b/native-cli/components/capacitor.go
new file mode 100644
index 000000000..26c5c977e
--- /dev/null
+++ b/native-cli/components/capacitor.go
@@ -0,0 +1,40 @@
+package components
+
+import (
+ _ "embed"
+ "fmt"
+
+ "github.com/pulumi/pulumi-kubernetes/sdk/v4/go/kubernetes/yaml"
+ "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
+)
+
+type Capacitor struct {
+ Dependencies []pulumi.Resource
+}
+
+// These are vendored yaml files which we don't port to Pulumi so that we can
+// potentially adjust/reuse them in more generic contexts. We embed them in the
+// executable to keep the cli portable.
+//
+//go:embed embedded/capacitor.yaml
+var capacitorYaml string
+
+// Install sets up the Capacitor dashboard.
+func (component *Capacitor) Install(
+ ctx *pulumi.Context,
+ name string,
+) ([]pulumi.Resource, error) {
+ capacitor, err := yaml.NewConfigGroup(
+ ctx,
+ name,
+ &yaml.ConfigGroupArgs{
+ YAML: []string{capacitorYaml},
+ },
+ pulumi.DependsOn(component.Dependencies),
+ )
+ if err != nil {
+ return nil, fmt.Errorf("%w: %w", errPulumi, err)
+ }
+
+ return []pulumi.Resource{capacitor}, nil
+}
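Review bot: The doc comment on `Install` says only that it sets up the Capacitor dashboard; it should state the precondition the call site in `local.go` encodes, namely that the Flux component is passed through `Dependencies` so the manifest is applied after Flux exists. Suggest `// Install applies the embedded Capacitor manifest. local.go orders it after the Flux component via Dependencies; keep that ordering, since Capacitor is a dashboard for Flux.` The comment above the embed directive still speaks of "vendored yaml files" in the plural although only `embedded/capacitor.yaml` is embedded now; `// This is a vendored yaml file which we don't port to Pulumi ...` keeps it accurate, and it is worth noting there that the manifest is applied verbatim, so changes to that file are changes to what runs in the cluster.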
diff --git a/native-cli/components/rebuild-nativelink.go b/native-cli/components/rebuild-nativelink.go deleted file mode 100644 index b89659f3a..000000000 --- a/native-cli/components/rebuild-nativelink.go +++ /dev/null 
@@ -1,109 +0,0 @@ -package components - -import ( - "embed" - "fmt" - "io/fs" - "os" - "path/filepath" - - "github.com/pulumi/pulumi-kubernetes/sdk/v4/go/kubernetes/kustomize" - "github.com/pulumi/pulumi/sdk/v3/go/pulumi" -) - -type RebuildNativeLink struct { - Dependencies []pulumi.Resource -} - -// These are vendored yaml files which we don't port to Pulumi so that we can -// potentially adjust/reuse them in more generic contexts. We embed them in the -// executable to keep the cli portable. -// -//go:embed embedded/* -var kustomization embed.FS - -// Install installs a Tekton Task, Pipeline and EventListener and some -// supporting resources which ultimately allow querying the cluster at a Gateway -// named `eventlistener` with requests like so: -// -// ``` -// EVENTLISTENER=$(kubectl get gtw eventlistener -o=jsonpath='{.status.addresses[0].value}') -// -// # If imageNameOverride and imageTagOverride are unset, they default to: -// # $(nix eval .imageName --raw) -// # $(nix eval .imageTag --raw) -// -// curl -v \ -// -H 'content-Type: application/json' \ -// -d '{ -// "flakeOutput": "./src_root#image", -// "imageNameOverride": "nativelink", -// "imageTagOverride": "local" -// }' \ -// http://${EVENTLISTENER}:8080 -// -// ``` -// -// This pipeline only works with the specific local setup for the NativeLink -// development cluster. The Task makes use of the double-pipe through volumes -// `host -> kind -> K8s` to reuse the host's nix store and local nativelink git -// repository. It then pushes the container image to the container registry -// which previous infrastructure setups configured to pass through from host to -// the cluster. The result is that these Pipelines can complete in <15sec as -// opposed to ~10min without these optimizations. -// -// WARNING: At the moment the Task makes use of `SYS_ADMIN` privilege escalation -// to interact with the host's nix socket and the kind node's container daemon. 
-func (component *RebuildNativeLink) Install( - ctx *pulumi.Context, - name string, -) ([]pulumi.Resource, error) { - tmpDir, err := os.MkdirTemp("", "kustomization") - if err != nil { - return nil, fmt.Errorf("%w: %w", errPulumi, err) - } - - err = fs.WalkDir( - kustomization, - "embedded", - func(path string, d fs.DirEntry, err error) error { - if err != nil { - return fmt.Errorf("failed to walk: %w", err) - } - - if d.IsDir() { - return nil - } - - outPath := filepath.Join(tmpDir, filepath.Base(path)) - - data, err := kustomization.ReadFile(path) - if err != nil { - return fmt.Errorf("failed to read file: %w", err) - } - - // Write file with owner-read-only permissions. - //nolint:mnd - if err := os.WriteFile(outPath, data, os.FileMode(0o600)); err != nil { - return fmt.Errorf("failed to write file: %w", err) - } - - return nil - }, - ) - if err != nil { - return nil, fmt.Errorf("%w: %w", errPulumi, err) - } - - rebuildNativeLink, err := kustomize.NewDirectory(ctx, name, - kustomize.DirectoryArgs{ - Directory: pulumi.String(tmpDir), - }, - pulumi.DependsOn(component.Dependencies), - ) - if err != nil { - return nil, fmt.Errorf("%w: %w", errPulumi, err) - } - - return []pulumi.Resource{rebuildNativeLink}, nil -} diff --git a/native-cli/default.nix b/native-cli/default.nix index b2d499956..e6d22236f 100644 --- a/native-cli/default.nix +++ b/native-cli/default.nix @@ -7,9 +7,9 @@ }: buildGoModule { pname = "native-cli"; - version = "0.4.0"; + version = "0.5.3"; src = ./.; - vendorHash = "sha256-ASmQhGHplG4ayeezhhM4R01pZLBLjYcqEuKVVxNADX0="; + vendorHash = "sha256-F6nEK/KylCcNvBscXnNYDSwOHiKLpSlCWv19GistNpI="; buildInputs = [makeWrapper]; ldflags = ["-s -w"]; installPhase = '' diff --git a/native-cli/programs/local.go b/native-cli/programs/local.go index 32fff7673..d196fb28b 100644 --- a/native-cli/programs/local.go +++ b/native-cli/programs/local.go 
@@ -32,31 +32,23 @@ func ProgramForLocalCluster(ctx *pulumi.Context) error { os.Exit(1) } - localSources, err := components.AddComponent( + components.Check(components.AddComponent( ctx, "local-sources", &components.LocalPVAndPVC{ Size: "50Mi", HostPath: "/mnt", }, - ) - if err != nil { - log.Println(err) - os.Exit(1) - } + )) - nixStore, err := components.AddComponent( + components.Check(components.AddComponent( ctx, "nix-store", &components.LocalPVAndPVC{ Size: "10Gi", HostPath: "/nix", }, - ) - if err != nil { - log.Println(err) - os.Exit(1) - } + )) flux, err := components.AddComponent( ctx, @@ -68,6 +60,16 @@ func ProgramForLocalCluster(ctx *pulumi.Context) error { os.Exit(1) } + components.Check(components.AddComponent( + ctx, + "capacitor", + &components.Capacitor{ + Dependencies: slices.Concat( + flux, + ), + }, + )) + tektonPipelines, err := components.AddComponent( ctx, "tekton-pipelines", @@ -106,21 +108,6 @@ func ProgramForLocalCluster(ctx *pulumi.Context) error { }, )) - components.Check(components.AddComponent( - ctx, - "rebuild-nativelink", - &components.RebuildNativeLink{ - Dependencies: slices.Concat( - cilium, - tektonPipelines, - tektonTriggers, - localSources, - nixStore, - flux, - ), - }, - )) - nativeLinkGateways, err := components.AddComponent( ctx, "nativelink-gatways",
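Review bot: The first hunk discards the `localSources` and `nixStore` handles because their only consumer, the `rebuild-nativelink` component removed in the third hunk, is gone; but the hostPath volumes on `/mnt` and `/nix` are still created, and the Tekton Task that the deleted Go doc describes as mounting them is now applied by Flux, so neither Pulumi nor the Flux Kustomization sequences that Task after these PVs any more. If that ordering is relied upon only through Flux retries, say so where the volumes are created, e.g. `// Still required: the Tekton rebuild Task (now reconciled by Flux from kubernetes/components/tekton-resources) mounts these; Pulumi no longer orders it after them.` `ProgramForLocalCluster` begins before this hunk and continues past the last one.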