From f17ad4f77952ca51c78d1d7df5d3af0c68343cb2 Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Sun, 8 Sep 2024 19:54:58 -0500 Subject: [PATCH] updatebot: Updates for latest version The latest version of `updatebot` has two major changes: 1. Projects can encompass multiple images, eliminating the need for multiple configuration files and CronJobs. Projects are now defined in a YAML document, since the data structure is very nested and is cumbersome to express in TOML. 2. Pull requests can now include a diff of the resources that will change if the PR is merged. This requires the `kubectl` and `diff` programs (which are not currently included in the _updatebot_ container image, so we bind-mount them from the host) and permission to compare the local manifests using the Kubernetes API. Oddly, computing the diff requires permission to use the PATCH method, even though the client is not requesting any changes. This is apparently a long-standing bug ([issue #981][0]) that may or may not ever be fixed. [0]: https://github.com/kubernetes/kubectl/issues/981 --- updatebot/config.yml | 71 +++++++++++ updatebot/kustomization.yaml | 15 ++- updatebot/projects/firefly-iii.toml | 13 -- updatebot/projects/home-assistant.toml | 52 -------- updatebot/projects/paperless-ngx.toml | 32 ----- updatebot/rbac.yaml | 37 ++++++ updatebot/updatebot.yaml | 162 +++---------------------- 7 files changed, 134 insertions(+), 248 deletions(-) create mode 100644 updatebot/config.yml delete mode 100644 updatebot/projects/firefly-iii.toml delete mode 100644 updatebot/projects/home-assistant.toml delete mode 100644 updatebot/projects/paperless-ngx.toml create mode 100644 updatebot/rbac.yaml diff --git a/updatebot/config.yml b/updatebot/config.yml new file mode 100644 index 0000000..31b5ec9 --- /dev/null +++ b/updatebot/config.yml
@@ -0,0 +1,71 @@
+repo:
+ url: https://git.pyrocufflink.net/infra/kubernetes
+ token_file: /run/secrets/updatebot/gitea.token
+
+projects:
+- name: home-assistant
+ kind: kustomize
+ images:
+ - name: home-assistant
+ image: ghcr.io/home-assistant/home-assistant
+ source:
+ kind: github
+ organization: home-assistant
+ repo: core
+ - name: whisper
+ image: docker.io/rhasspy/wyoming-whisper
+ source:
+ kind: docker
+ namespace: rhasspy
+ repository: wyoming-whisper
+ - name: piper
+ image: docker.io/rhasspy/wyoming-piper
+ source:
+ kind: docker
+ namespace: rhasspy
+ repository: wyoming-piper
+ - name: zigbee2mqtt
+ image: docker.io/koenkk/zigbee2mqtt
+ source:
+ kind: github
+ organization: Koenkk
+ repo: zigbee2mqtt
+ - name: zwavejs2mqtt
+ image: docker.io/zwavejs/zwave-js-ui
+ source:
+ kind: github
+ organization: zwave-js
+ repo: zwave-js-ui
+
+- name: firefly-iii
+ kind: kustomize
+ images:
+ - name: firefly-iii
+ image: docker.io/fireflyiii/core
+ tag_format: version-{version}
+ source:
+ kind: github
+ organization: firefly-iii
+ repo: firefly-iii
+
+- name: paperless-ngx
+ kind: kustomize
+ images:
+ - name: paperless-ngx
+ image: ghcr.io/paperless-ngx/paperless-ngx
+ source:
+ kind: github
+ organization: paperless-ngx
+ repo: paperless-ngx
+ - name: gotenberg
+ image: docker.io/gotenberg/gotenberg
+ source:
+ kind: github
+ organization: gotenberg
+ repo: gotenberg
+ - name: tika
+ image: docker.io/apache/tika
+ source:
+ kind: docker
+ namespace: apache
+ repository: tika
diff --git a/updatebot/kustomization.yaml b/updatebot/kustomization.yaml
index 7391cf8..cdb8faa 100644
--- a/updatebot/kustomization.yaml
+++ b/updatebot/kustomization.yaml
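Review bot: The per-project `path` that the deleted TOML files set for secondary images (`path = "home-assistant"` for whisper, piper, zigbee2mqtt and zwavejs2mqtt in home-assistant.toml) has no counterpart in this file, so the kustomize directory is presumably derived from the project `name`; if that is the rule, a header comment such as `# kind: kustomize — the directory in the repo defaults to the project name` saves the next reader a trip to the updatebot source. The `images[].source.kind` values (`github`, `docker`) and the `tag_format` placeholder are likewise undocumented here; one short comment per key is enough. Nothing secret is inlined (`token_file` is a path), so shipping this file through a ConfigMap rather than a Secret is appropriate.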
@@ -8,28 +8,27 @@ labels: app.kubernetes.io/component: updatebot app.kubernetes.io/instance: updatebot app.kubernetes.io/part-of: updatebot + includeTemplates: true resources: - namespace.yaml +- rbac.yaml - updatebot.yaml - secrets.yaml configMapGenerator: - name: updatebot-projects files: - - home-assistant.toml=projects/home-assistant.toml - - firefly-iii.toml=projects/firefly-iii.toml - - paperless-ngx.toml=projects/paperless-ngx.toml + - config.yml options: disableNameSuffixHash: true + labels: + app.kubernetes.io/name: updatebot-projects - name: ssh-known-hosts files: - ssh_known_hosts options: disableNameSuffixHash: true - ---- -images: -- image: git.pyrocufflink.net/infra/updatebot - newTag: dev + labels: + app.kubernetes.io/name: ssh-known-hosts
diff --git a/updatebot/projects/firefly-iii.toml b/updatebot/projects/firefly-iii.toml
deleted file mode 100644
index be1ee0f..0000000
--- a/updatebot/projects/firefly-iii.toml
+++ /dev/null
@@ -1,13 +0,0 @@
-[repo]
-url = "https://git.pyrocufflink.net/infra/kubernetes"
-token_file = "/run/secrets/updatebot/gitea.token"
-
-[projects.firefly-iii]
-kind = "kustomize"
-image = "docker.io/fireflyiii/core"
-tag_format = "version-{version}"
-
-[projects.firefly-iii.source]
-kind = "github"
-organization = "firefly-iii"
-repo = "firefly-iii"
diff --git a/updatebot/projects/home-assistant.toml b/updatebot/projects/home-assistant.toml
deleted file mode 100644
index a01ae16..0000000
--- a/updatebot/projects/home-assistant.toml
+++ /dev/null
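Review bot: Removing the `images:` override (`newTag: dev`) leaves the CronJob's `image: git.pyrocufflink.net/infra/updatebot` with no tag, and the updatebot.yaml hunk at `@@ -18,9 +18,7 @@` adds `imagePullPolicy: Always`, so each weekly run pulls whatever `latest` resolves to at that moment; a job that holds a Gitea token and a cluster-wide role should run a pinned build. Re-add the transform at the top level of this kustomization in block form — `images:` / `- name: git.pyrocufflink.net/infra/updatebot` / `  newTag: "<pinned-tag>"` — or use `digest:` in place of `newTag:`. The removed entry sat after a `---`, i.e. in a second YAML document, and used `image:` where kustomize's images transformer expects `name:`, so it may never have been honoured and the job may already have been running `latest`; that is inferred, not visible here. The head of the kustomization (apiVersion, any `namespace:`) is outside this hunk.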
@@ -1,52 +0,0 @@
-[repo]
-url = "https://git.pyrocufflink.net/infra/kubernetes"
-token_file = "/run/secrets/updatebot/gitea.token"
-
-[projects.home-assistant]
-kind = "kustomize"
-image = "ghcr.io/home-assistant/home-assistant"
-
-[projects.home-assistant.source]
-kind = "github"
-organization = "home-assistant"
-repo = "core"
-
-[projects.whisper]
-kind = "kustomize"
-path = "home-assistant"
-image = "docker.io/rhasspy/wyoming-whisper"
-
-[projects.whisper.source]
-kind = "docker"
-namespace = "rhasspy"
-repository = "wyoming-whisper"
-
-[projects.piper]
-kind = "kustomize"
-path = "home-assistant"
-image = "docker.io/rhasspy/wyoming-piper"
-
-[projects.piper.source]
-kind = "docker"
-namespace = "rhasspy"
-repository = "wyoming-piper"
-
-[projects.zigbee2mqtt]
-kind = "kustomize"
-path = "home-assistant"
-image = "docker.io/koenkk/zigbee2mqtt"
-
-[projects.zigbee2mqtt.source]
-kind = "github"
-organization = "Koenkk"
-repo = "zigbee2mqtt"
-
-[projects.zwavejs2mqtt]
-kind = "kustomize"
-path = "home-assistant"
-image = "docker.io/zwavejs/zwave-js-ui"
-
-[projects.zwavejs2mqtt.source]
-kind = "github"
-organization = "zwave-js"
-repo = "zwave-js-ui"
diff --git a/updatebot/projects/paperless-ngx.toml b/updatebot/projects/paperless-ngx.toml
deleted file mode 100644
index aabee4a..0000000
--- a/updatebot/projects/paperless-ngx.toml
+++ /dev/null
@@ -1,32 +0,0 @@
-[repo]
-url = "https://git.pyrocufflink.net/infra/kubernetes"
-token_file = "/run/secrets/updatebot/gitea.token"
-
-[projects.paperless-ngx]
-kind = "kustomize"
-image = "ghcr.io/paperless-ngx/paperless-ngx"
-
-[projects.paperless-ngx.source]
-kind = "github"
-organization = "paperless-ngx"
-repo = "paperless-ngx"
-
-[projects.gotenberg]
-kind = "kustomize"
-path = "paperless-ngx"
-image = "docker.io/gotenberg/gotenberg"
-
-[projects.gotenberg.source]
-kind = "github"
-organization = "gotenberg"
-repo = "gotenberg"
-
-[projects.tika]
-kind = "kustomize"
-path = "paperless-ngx"
-image = "docker.io/apache/tika"
-
-[projects.tika.source]
-kind = "docker"
-namespace = "apache"
-repository = "tika"
diff --git a/updatebot/rbac.yaml b/updatebot/rbac.yaml
new file mode 100644
index 0000000..fdac5d5
--- /dev/null
+++ b/updatebot/rbac.yaml
@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: updatebot
+ labels:
+ app.kubernetes.io/name: updatebot
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: updatebot
+ labels:
+ app.kubernetes.io/name: updatebot
+rules:
+- apiGroups:
+ - '*'
+ resources:
+ - '*'
+ verbs:
+ - get
+ - patch
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: updatebot
+ labels:
+ app.kubernetes.io/name: updatebot
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: updatebot
+subjects:
+- kind: ServiceAccount
+ name: updatebot
diff --git a/updatebot/updatebot.yaml b/updatebot/updatebot.yaml
index 705f67e..c6bc555 100644
--- a/updatebot/updatebot.yaml
+++ b/updatebot/updatebot.yaml
@@ -1,9 +1,9 @@
 apiVersion: batch/v1
 kind: CronJob
 metadata:
- name: updatebot-home-assistant
+ name: updatebot
 labels: &labels
- app.kubernetes.io/name: updatebot-home-assistant
+ app.kubernetes.io/name: updatebot
 spec:
 schedule: 32 6 * * 1
 timeZone: America/Chicago
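Review bot: The ClusterRole in rbac.yaml grants `get` and `patch` on `'*'` resources in `'*'` apiGroups cluster-wide, which is far broader than a dry-run `kubectl diff` of a few kustomize trees needs: `get` on every resource includes reading Secrets in every namespace, and `patch` on every resource covers workloads and RBAC objects, so it widens what a compromised job (one that also holds a Gitea token and runs host binaries) could read or change. Restrict `resources:` (and `apiGroups:`) to the kinds that actually appear in the managed manifests, and if those projects live in a fixed set of namespaces bind with a RoleBinding per namespace instead of the ClusterRoleBinding, keeping a ClusterRole only for cluster-scoped kinds; the commit message's point that PATCH is required still holds, so the narrowing is on resources and namespaces, not verbs. The `subjects` entry has no `namespace:` — if the kustomization sets `namespace:`, kustomize fills it in for ServiceAccount subjects, otherwise the binding will not match this ServiceAccount, so confirm it in the rendered output. A one-line comment on the rule, e.g. `# patch is needed for server-side dry-run diff (kubectl issue #981), not for writes`, would stop a later reader from tightening the verbs and breaking the diff.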
@@ -18,9 +18,7 @@ spec: containers: - name: updatebot image: git.pyrocufflink.net/infra/updatebot - args: - - --branch-name - - updatebot/home-assistant + imagePullPolicy: Always securityContext: readOnlyRootFilesystem: true volumeMounts: 
@@ -28,146 +26,9 @@ spec: name: ssh-known-hosts readOnly: true subPath: ssh_known_hosts - - mountPath: /home/bot/.config/updatebot/config.toml + - mountPath: /home/bot/.config/updatebot name: updatebot-config readOnly: true - subPath: home-assistant.toml - - mountPath: /home/bot/.ssh - name: updatebot-ssh - readOnly: true - - mountPath: /run/secrets/updatebot - name: updatebot-secrets - readOnly: true - - mountPath: /tmp - name: tmp - subPath: tmp - nodeSelector: - kubernetes.io/arch: amd64 - securityContext: - runAsNonRoot: true - fsGroup: 25167 - volumes: - - name: ssh-known-hosts - configMap: - name: ssh-known-hosts - - name: tmp - emptyDir: - medium: Memory - - name: updatebot-config - configMap: - name: updatebot-projects - - name: updatebot-secrets - secret: - secretName: updatebot - defaultMode: 0640 - - name: updatebot-ssh - secret: - secretName: updatebot-ssh - defaultMode: 0640 - ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: updatebot-firefly-iii - labels: &labels - app.kubernetes.io/name: updatebot-firefly-iii -spec: - schedule: 33 6 * * 1 - timeZone: America/Chicago - concurrencyPolicy: Forbid - jobTemplate: - spec: - template: - metadata: - labels: *labels - spec: - restartPolicy: Never - containers: - - name: updatebot - image: git.pyrocufflink.net/infra/updatebot - args: - - --branch-name - - updatebot/firefly-iii - securityContext: - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /etc/ssh/ssh_known_hosts - name: ssh-known-hosts - readOnly: true - subPath: ssh_known_hosts - - mountPath: /home/bot/.config/updatebot/config.toml - name: updatebot-config - readOnly: true - subPath: firefly-iii.toml - - mountPath: /home/bot/.ssh - name: updatebot-ssh - readOnly: true - - mountPath: /run/secrets/updatebot - name: updatebot-secrets - readOnly: true - - mountPath: /tmp - name: tmp - subPath: tmp - nodeSelector: - kubernetes.io/arch: amd64 - securityContext: - runAsNonRoot: true - fsGroup: 25167 - volumes: - - name: ssh-known-hosts 
- configMap: - name: ssh-known-hosts - - name: tmp - emptyDir: - medium: Memory - - name: updatebot-config - configMap: - name: updatebot-projects - - name: updatebot-secrets - secret: - secretName: updatebot - defaultMode: 0640 - - name: updatebot-ssh - secret: - secretName: updatebot-ssh - defaultMode: 0640 - ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: updatebot-paperless-ngx - labels: &labels - app.kubernetes.io/name: updatebot-paperless-ngx -spec: - schedule: 34 6 * * 1 - timeZone: America/Chicago - concurrencyPolicy: Forbid - jobTemplate: - spec: - template: - metadata: - labels: *labels - spec: - restartPolicy: Never - containers: - - name: updatebot - image: git.pyrocufflink.net/infra/updatebot - args: - - --branch-name - - updatebot/paperless-ngx - securityContext: - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /etc/ssh/ssh_known_hosts - name: ssh-known-hosts - readOnly: true - subPath: ssh_known_hosts - - mountPath: /home/bot/.config/updatebot/config.toml - name: updatebot-config - readOnly: true - subPath: paperless-ngx.toml - mountPath: /home/bot/.ssh name: updatebot-ssh readOnly: true @@ -177,12 +38,27 @@ spec: - mountPath: /tmp name: tmp subPath: tmp + - mountPath: /usr/bin/diff + name: diff + readOnly: true + - mountPath: /usr/bin/kubectl + name: kubectl + readOnly: true nodeSelector: kubernetes.io/arch: amd64 securityContext: runAsNonRoot: true fsGroup: 25167 + serviceAccountName: updatebot volumes: + - name: diff + hostPath: + path: /usr/bin/diff + type: File + - name: kubectl + hostPath: + path: /usr/bin/kubectl + type: File - name: ssh-known-hosts configMap: name: ssh-known-hosts
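Review bot: The new `hostPath` volumes for `/usr/bin/diff` and `/usr/bin/kubectl` tie the job to node contents and to a policy exception: hostPath is disallowed by the Pod Security Standards baseline profile, so if the namespace enforces `baseline` or `restricted` these Job pods will be rejected, and on any amd64 node that lacks either file the `type: File` mount fails at container creation rather than at scheduling. `/usr/bin/diff` on most distributions is dynamically linked against the host's libc, so it only runs inside the container if the image's libraries happen to be compatible; kubectl is normally static and less affected, but its version is then whatever the node has. The durable fix is to add pinned `kubectl` and `diff` (diffutils) to the updatebot image and drop both `hostPath` volumes and mounts; until then keep `readOnly: true` as done here and state the node requirement next to the volumes, e.g. `# requires diffutils and kubectl at /usr/bin on every amd64 node (see nodeSelector)`. The `volumes:` list continues past the end of this hunk.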