
updatebot: Updates for latest version

The latest version of `updatebot` has two major changes:

1. Projects can encompass multiple images, eliminating the need for
   multiple configuration files and CronJobs.  Projects are now defined
   in a YAML document, since the data structure is very nested and is
   cumbersome to express in TOML.
2. Pull requests can now include a diff of the resources that will
   change if the PR is merged.  This requires the `kubectl` and `diff`
   programs (which are not currently included in the _updatebot_
   container image, so we bind-mount them from the host) and permission
   to compare the local manifests using the Kubernetes API.  Oddly,
   computing the diff requires permission to use the PATCH method, even
   though the client is not requesting any changes.  This is apparently
   a long-standing bug ([issue #981][0]) that may or may not ever be
   fixed.

[0]: https://github.com/kubernetes/kubectl/issues/981
pull/22/head
Dustin 2024-09-08 19:54:58 -05:00
parent 431395f18f
commit f17ad4f779
7 changed files with 134 additions and 248 deletions

71
updatebot/config.yml Normal file

@ -0,0 +1,71 @@
repo:
url: https://git.pyrocufflink.net/infra/kubernetes
token_file: /run/secrets/updatebot/gitea.token
projects:
- name: home-assistant
kind: kustomize
images:
- name: home-assistant
image: ghcr.io/home-assistant/home-assistant
source:
kind: github
organization: home-assistant
repo: core
- name: whisper
image: docker.io/rhasspy/wyoming-whisper
source:
kind: docker
namespace: rhasspy
repository: wyoming-whisper
- name: piper
image: docker.io/rhasspy/wyoming-piper
source:
kind: docker
namespace: rhasspy
repository: wyoming-piper
- name: zigbee2mqtt
image: docker.io/koenkk/zigbee2mqtt
source:
kind: github
organization: Koenkk
repo: zigbee2mqtt
- name: zwavejs2mqtt
image: docker.io/zwavejs/zwave-js-ui
source:
kind: github
organization: zwave-js
repo: zwave-js-ui
- name: firefly-iii
kind: kustomize
images:
- name: firefly-iii
image: docker.io/fireflyiii/core
tag_format: version-{version}
source:
kind: github
organization: firefly-iii
repo: firefly-iii
- name: paperless-ngx
kind: kustomize
images:
- name: paperless-ngx
image: ghcr.io/paperless-ngx/paperless-ngx
source:
kind: github
organization: paperless-ngx
repo: paperless-ngx
- name: gotenberg
image: docker.io/gotenberg/gotenberg
source:
kind: github
organization: gotenberg
repo: gotenberg
- name: tika
image: docker.io/apache/tika
source:
kind: docker
namespace: apache
repository: tika
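Review bot: The per-project `path` keys from the deleted TOML files (for example `path = "home-assistant"` under whisper, piper, zigbee2mqtt and zwavejs2mqtt) have no counterpart in this file, so a reader cannot tell from the config how the kustomization directory for a project is located; presumably the project `name` now doubles as the path, and a one-line comment above `projects:` stating that would save the next maintainer a trip to the updatebot source. A short header comment describing the schema would also help, since this is the only place it is written down: `repo.url` and `repo.token_file`, then `projects[]` with `name`, `kind`, and `images[]`, where `source.kind` is either `github` (with `organization` and `repo`) or `docker` (with `namespace` and `repository`), plus the optional `tag_format`. Start the file with a `---` document marker so yamllint and editors treat it as a YAML document. The `token_file` path lines up with the `/run/secrets/updatebot` Secret mount in updatebot.yaml, so the token stays out of this ConfigMap, which is the right split.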


@ -8,28 +8,27 @@ labels:
app.kubernetes.io/component: updatebot app.kubernetes.io/component: updatebot
app.kubernetes.io/instance: updatebot app.kubernetes.io/instance: updatebot
app.kubernetes.io/part-of: updatebot app.kubernetes.io/part-of: updatebot
includeTemplates: true
resources: resources:
- namespace.yaml - namespace.yaml
- rbac.yaml
- updatebot.yaml - updatebot.yaml
- secrets.yaml - secrets.yaml
configMapGenerator: configMapGenerator:
- name: updatebot-projects - name: updatebot-projects
files: files:
- home-assistant.toml=projects/home-assistant.toml - config.yml
- firefly-iii.toml=projects/firefly-iii.toml
- paperless-ngx.toml=projects/paperless-ngx.toml
options: options:
disableNameSuffixHash: true disableNameSuffixHash: true
labels:
app.kubernetes.io/name: updatebot-projects
- name: ssh-known-hosts - name: ssh-known-hosts
files: files:
- ssh_known_hosts - ssh_known_hosts
options: options:
disableNameSuffixHash: true disableNameSuffixHash: true
labels:
--- app.kubernetes.io/name: ssh-known-hosts
images:
- image: git.pyrocufflink.net/infra/updatebot
newTag: dev
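Review bot: The `images:` override with `newTag: dev` (assuming it is on the new side of this hunk; the rendered view has lost the +/- markers) pins the CronJob to a mutable tag, and together with the `imagePullPolicy: Always` added in updatebot.yaml every scheduled run pulls whatever `dev` happens to be at that moment, so runs are not reproducible and anything pushed to `dev` flows straight into a job that holds a Gitea token, an SSH key and a cluster-wide ServiceAccount. Once the new updatebot is released, point this at an immutable version tag or replace `newTag` with `digest: sha256:<image digest>` so the deployed binary is fixed by the commit. The `- rbac.yaml` resource entry is certainly an addition (the file is new), and it is the reason the binding review on rbac.yaml matters for this kustomization as a whole.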


@ -1,13 +0,0 @@
[repo]
url = "https://git.pyrocufflink.net/infra/kubernetes"
token_file = "/run/secrets/updatebot/gitea.token"
[projects.firefly-iii]
kind = "kustomize"
image = "docker.io/fireflyiii/core"
tag_format = "version-{version}"
[projects.firefly-iii.source]
kind = "github"
organization = "firefly-iii"
repo = "firefly-iii"


@ -1,52 +0,0 @@
[repo]
url = "https://git.pyrocufflink.net/infra/kubernetes"
token_file = "/run/secrets/updatebot/gitea.token"
[projects.home-assistant]
kind = "kustomize"
image = "ghcr.io/home-assistant/home-assistant"
[projects.home-assistant.source]
kind = "github"
organization = "home-assistant"
repo = "core"
[projects.whisper]
kind = "kustomize"
path = "home-assistant"
image = "docker.io/rhasspy/wyoming-whisper"
[projects.whisper.source]
kind = "docker"
namespace = "rhasspy"
repository = "wyoming-whisper"
[projects.piper]
kind = "kustomize"
path = "home-assistant"
image = "docker.io/rhasspy/wyoming-piper"
[projects.piper.source]
kind = "docker"
namespace = "rhasspy"
repository = "wyoming-piper"
[projects.zigbee2mqtt]
kind = "kustomize"
path = "home-assistant"
image = "docker.io/koenkk/zigbee2mqtt"
[projects.zigbee2mqtt.source]
kind = "github"
organization = "Koenkk"
repo = "zigbee2mqtt"
[projects.zwavejs2mqtt]
kind = "kustomize"
path = "home-assistant"
image = "docker.io/zwavejs/zwave-js-ui"
[projects.zwavejs2mqtt.source]
kind = "github"
organization = "zwave-js"
repo = "zwave-js-ui"


@ -1,32 +0,0 @@
[repo]
url = "https://git.pyrocufflink.net/infra/kubernetes"
token_file = "/run/secrets/updatebot/gitea.token"
[projects.paperless-ngx]
kind = "kustomize"
image = "ghcr.io/paperless-ngx/paperless-ngx"
[projects.paperless-ngx.source]
kind = "github"
organization = "paperless-ngx"
repo = "paperless-ngx"
[projects.gotenberg]
kind = "kustomize"
path = "paperless-ngx"
image = "docker.io/gotenberg/gotenberg"
[projects.gotenberg.source]
kind = "github"
organization = "gotenberg"
repo = "gotenberg"
[projects.tika]
kind = "kustomize"
path = "paperless-ngx"
image = "docker.io/apache/tika"
[projects.tika.source]
kind = "docker"
namespace = "apache"
repository = "tika"

37
updatebot/rbac.yaml Normal file

@ -0,0 +1,37 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: updatebot
labels:
app.kubernetes.io/name: updatebot
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: updatebot
labels:
app.kubernetes.io/name: updatebot
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- get
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: updatebot
labels:
app.kubernetes.io/name: updatebot
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: updatebot
subjects:
- kind: ServiceAccount
name: updatebot
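Review bot: The ClusterRole grants `get` and `patch` on `'*'` resources in `'*'` API groups, and the ClusterRoleBinding applies it cluster-wide, so the CronJob's ServiceAccount can read every Secret in the cluster and modify any object in any namespace — far beyond the server-side dry-run diff the commit message describes, and a large blast radius for a pod that also carries a Gitea token and an SSH key. Narrow `rules` to the API groups and resource kinds that actually appear in the managed kustomizations, keep `secrets` out of the `get` list unless the diff genuinely has to cover them, and consider a RoleBinding in each target namespace rather than a ClusterRoleBinding so a project can only affect its own namespace. The ServiceAccount subject has no `namespace:`; unless the kustomization's namespace transformer fills it in, the binding will not match the account, so set `namespace: <updatebot namespace>` explicitly on the subject. A comment above `rules:` recording that `patch` exists only because `kubectl diff` needs it (kubectl issue #981, as the commit message says) would keep the next reviewer from tightening it to `get` and breaking the diff.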


@ -1,9 +1,9 @@
apiVersion: batch/v1 apiVersion: batch/v1
kind: CronJob kind: CronJob
metadata: metadata:
name: updatebot-home-assistant name: updatebot
labels: &labels labels: &labels
app.kubernetes.io/name: updatebot-home-assistant app.kubernetes.io/name: updatebot
spec: spec:
schedule: 32 6 * * 1 schedule: 32 6 * * 1
timeZone: America/Chicago timeZone: America/Chicago
@ -18,9 +18,7 @@ spec:
containers: containers:
- name: updatebot - name: updatebot
image: git.pyrocufflink.net/infra/updatebot image: git.pyrocufflink.net/infra/updatebot
args: imagePullPolicy: Always
- --branch-name
- updatebot/home-assistant
securityContext: securityContext:
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
volumeMounts: volumeMounts:
@ -28,146 +26,9 @@ spec:
name: ssh-known-hosts name: ssh-known-hosts
readOnly: true readOnly: true
subPath: ssh_known_hosts subPath: ssh_known_hosts
- mountPath: /home/bot/.config/updatebot/config.toml - mountPath: /home/bot/.config/updatebot
name: updatebot-config name: updatebot-config
readOnly: true readOnly: true
subPath: home-assistant.toml
- mountPath: /home/bot/.ssh
name: updatebot-ssh
readOnly: true
- mountPath: /run/secrets/updatebot
name: updatebot-secrets
readOnly: true
- mountPath: /tmp
name: tmp
subPath: tmp
nodeSelector:
kubernetes.io/arch: amd64
securityContext:
runAsNonRoot: true
fsGroup: 25167
volumes:
- name: ssh-known-hosts
configMap:
name: ssh-known-hosts
- name: tmp
emptyDir:
medium: Memory
- name: updatebot-config
configMap:
name: updatebot-projects
- name: updatebot-secrets
secret:
secretName: updatebot
defaultMode: 0640
- name: updatebot-ssh
secret:
secretName: updatebot-ssh
defaultMode: 0640
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: updatebot-firefly-iii
labels: &labels
app.kubernetes.io/name: updatebot-firefly-iii
spec:
schedule: 33 6 * * 1
timeZone: America/Chicago
concurrencyPolicy: Forbid
jobTemplate:
spec:
template:
metadata:
labels: *labels
spec:
restartPolicy: Never
containers:
- name: updatebot
image: git.pyrocufflink.net/infra/updatebot
args:
- --branch-name
- updatebot/firefly-iii
securityContext:
readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /etc/ssh/ssh_known_hosts
name: ssh-known-hosts
readOnly: true
subPath: ssh_known_hosts
- mountPath: /home/bot/.config/updatebot/config.toml
name: updatebot-config
readOnly: true
subPath: firefly-iii.toml
- mountPath: /home/bot/.ssh
name: updatebot-ssh
readOnly: true
- mountPath: /run/secrets/updatebot
name: updatebot-secrets
readOnly: true
- mountPath: /tmp
name: tmp
subPath: tmp
nodeSelector:
kubernetes.io/arch: amd64
securityContext:
runAsNonRoot: true
fsGroup: 25167
volumes:
- name: ssh-known-hosts
configMap:
name: ssh-known-hosts
- name: tmp
emptyDir:
medium: Memory
- name: updatebot-config
configMap:
name: updatebot-projects
- name: updatebot-secrets
secret:
secretName: updatebot
defaultMode: 0640
- name: updatebot-ssh
secret:
secretName: updatebot-ssh
defaultMode: 0640
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: updatebot-paperless-ngx
labels: &labels
app.kubernetes.io/name: updatebot-paperless-ngx
spec:
schedule: 34 6 * * 1
timeZone: America/Chicago
concurrencyPolicy: Forbid
jobTemplate:
spec:
template:
metadata:
labels: *labels
spec:
restartPolicy: Never
containers:
- name: updatebot
image: git.pyrocufflink.net/infra/updatebot
args:
- --branch-name
- updatebot/paperless-ngx
securityContext:
readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /etc/ssh/ssh_known_hosts
name: ssh-known-hosts
readOnly: true
subPath: ssh_known_hosts
- mountPath: /home/bot/.config/updatebot/config.toml
name: updatebot-config
readOnly: true
subPath: paperless-ngx.toml
- mountPath: /home/bot/.ssh - mountPath: /home/bot/.ssh
name: updatebot-ssh name: updatebot-ssh
readOnly: true readOnly: true
@ -177,12 +38,27 @@ spec:
- mountPath: /tmp - mountPath: /tmp
name: tmp name: tmp
subPath: tmp subPath: tmp
- mountPath: /usr/bin/diff
name: diff
readOnly: true
- mountPath: /usr/bin/kubectl
name: kubectl
readOnly: true
nodeSelector: nodeSelector:
kubernetes.io/arch: amd64 kubernetes.io/arch: amd64
securityContext: securityContext:
runAsNonRoot: true runAsNonRoot: true
fsGroup: 25167 fsGroup: 25167
serviceAccountName: updatebot
volumes: volumes:
- name: diff
hostPath:
path: /usr/bin/diff
type: File
- name: kubectl
hostPath:
path: /usr/bin/kubectl
type: File
- name: ssh-known-hosts - name: ssh-known-hosts
configMap: configMap:
name: ssh-known-hosts name: ssh-known-hosts
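Review bot: The two `hostPath` volumes for `/usr/bin/diff` and `/usr/bin/kubectl` make the job depend on whatever binaries are installed on the node it lands on (the `kubernetes.io/arch: amd64` selector narrows but does not fix the version), and `hostPath` volumes are rejected by the Pod Security `baseline` and `restricted` profiles and by most admission policies, so this is a stop-gap that will need a policy exception rather than a design. The commit message already notes the tools are missing from the image; building them into `git.pyrocufflink.net/infra/updatebot` removes both the host dependency and the exception, and a comment above the `diff` volume such as `# TODO: hostPath until diff/kubectl ship in the image` would make the intent clear. Until then `readOnly: true` and `type: File` are the right settings, and `serviceAccountName: updatebot` is where the cluster-wide get/patch role from rbac.yaml attaches, so the scope of that role is what bounds the damage if the node-provided binary or the job itself is compromised. The `imagePullPolicy: Always` added in the earlier hunk re-pulls the tag on every weekly run, so the tag selected in kustomization.yaml should be immutable or a digest for runs to be reproducible.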