diff --git a/charts/gitops-runtime/templates/hooks/pre-install/helm-values-cm.yaml b/charts/gitops-runtime/templates/hooks/pre-install/helm-values-cm.yaml
new file mode 100644
index 00000000..08472a36
--- /dev/null
+++ b/charts/gitops-runtime/templates/hooks/pre-install/helm-values-cm.yaml
@@ -0,0 +1,13 @@
+{{- if not (and .Values.installer.skipValidation .Values.installer.skipUsageValidation) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: helm-values-config
+ annotations:
+ helm.sh/hook: pre-install,pre-upgrade
+ helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation,hook-failed
+ helm.sh/hook-weight: "-10"
+data:
+ values.yaml: |
+{{ .Values | toYaml | indent 4 }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/gitops-runtime/templates/hooks/pre-install/rbac.yaml b/charts/gitops-runtime/templates/hooks/pre-install/rbac.yaml
index 48f6eb77..60250770 100644
--- a/charts/gitops-runtime/templates/hooks/pre-install/rbac.yaml
+++ b/charts/gitops-runtime/templates/hooks/pre-install/rbac.yaml
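Review bot: In helm-values-cm.yaml the whole `.Values` tree is written into a ConfigMap by `{{ .Values | toYaml | indent 4 }}`, so any credential supplied through values becomes readable by every principal with ConfigMap read access in the release namespace. The removed `validate-values-config` did the same, but the new guard `not (and skipValidation skipUsageValidation)` renders it in more cases, including when `skipValidation` is true. Whether values can carry tokens or passwords is not visible in this diff; if they can, render the payload as `kind: Secret` with `stringData:` and mount it through a `secret:` volume in both Jobs, or pass only the keys the validators actually read.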
@@ -41,3 +41,48 @@ metadata:
 helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation,hook-failed
 helm.sh/hook-weight: "-10"
 {{- end }}
+
+{{- if not .Values.installer.skipUsageValidation }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: validate-usage-cr
+ annotations:
+ helm.sh/hook: pre-install
+ helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation,hook-failed
+ helm.sh/hook-weight: "5"
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: validate-usage-crb
+ annotations:
+ helm.sh/hook: pre-install
+ helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation,hook-failed
+ helm.sh/hook-weight: "5"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: validate-usage-cr
+subjects:
+ - kind: ServiceAccount
+ name: validate-usage-sa
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: validate-usage-sa
+ annotations:
+ helm.sh/hook: pre-install
+ helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation,hook-failed
+ helm.sh/hook-weight: "5"
+{{- end }}
diff --git a/charts/gitops-runtime/templates/hooks/pre-install/validate-usage.yaml b/charts/gitops-runtime/templates/hooks/pre-install/validate-usage.yaml
new file mode 100644
index 00000000..d6abecbe
--- /dev/null
+++ b/charts/gitops-runtime/templates/hooks/pre-install/validate-usage.yaml
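Review bot: The new `validate-usage-cr` in rbac.yaml grants `get` on `secrets` in every namespace, because it is a ClusterRole bound through a ClusterRoleBinding, while the Job it serves is invoked with `--namespace ${NAMESPACE}` and so appears to need the release namespace only. Prefer a namespaced pair, `kind: Role` and `kind: RoleBinding` with `roleRef.kind: Role`, and narrow further with `resourceNames:` if the secret name is fixed. The cluster-scoped names are also not release-qualified, so two releases in different namespaces would share them and `before-hook-creation` would delete the other release's objects while its hook is running. The top of rbac.yaml lies outside this hunk, so the existing hook RBAC may already follow a pattern worth matching.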
@@ -0,0 +1,46 @@
+{{- if not .Values.installer.skipUsageValidation }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: validate-usage
+ annotations:
+ helm.sh/hook: pre-install
+ helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation
+ helm.sh/hook-weight: "10"
+spec:
+ backoffLimit: 0
+ ttlSecondsAfterFinished: 300
+ template:
+ spec:
+ serviceAccountName: validate-usage-sa
+ restartPolicy: Never
+ containers:
+ - name: validate-usage
+ image: "{{ .Values.installer.image.repository }}:{{ .Values.installer.image.tag | default .Chart.Version }}"
+ imagePullPolicy: {{ .Values.installer.image.pullPolicy }}
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ command: ["sh", "-c"]
+ args:
+ - |
+ cf account validate-usage --fail-condition=reached --subject=clusters --values /job_tmp/values.yaml --namespace ${NAMESPACE} --hook --log-level debug
+ volumeMounts:
+ - name: validate-usage-volume
+ mountPath: "/job_tmp"
+ volumes:
+ - name: validate-usage-volume
+ configMap:
+ name: helm-values-config
+ {{- with .Values.installer.nodeSelector | default .Values.global.nodeSelector }}
+ nodeSelector: {{ toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.installer.tolerations | default .Values.global.tolerations}}
+ tolerations: {{ toYaml . | nindent 6 }}
+ {{- end }}
+ {{- with .Values.installer.affinity }}
+ affinity: {{ toYaml . | nindent 8 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/gitops-runtime/templates/hooks/pre-install/validate-values.yaml b/charts/gitops-runtime/templates/hooks/pre-install/validate-values.yaml
index 02be159f..2326c7b1 100644
--- a/charts/gitops-runtime/templates/hooks/pre-install/validate-values.yaml
+++ b/charts/gitops-runtime/templates/hooks/pre-install/validate-values.yaml
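Review bot: The validate-usage Job hard-codes `--log-level debug` in its `args` while the pod holds a secrets-reading service account and a mount of the full values file, and its `helm.sh/hook-delete-policy` omits `hook-failed`, so a failed run keeps its pod logs until the 300-second TTL expires. Whether the CLI prints secret material at debug level is not visible here; unless it is known not to, drop the flag or drive it from a chart value. The pod spec also sets no `securityContext`; `runAsNonRoot: true` at pod level and `allowPrivilegeEscalation: false` on the container would suit a short-lived validation hook, provided the installer image can run as a non-root user.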
@@ -1,17 +1,4 @@
 {{- if not .Values.installer.skipValidation }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: validate-values-config
- annotations:
- helm.sh/hook: pre-install,pre-upgrade
- helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation,hook-failed
- helm.sh/hook-weight: "-10"
-data:
- values.yaml: |
-{{ .Values | toYaml | indent 4 }}
-
----
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -174,7 +161,7 @@ spec:
 volumes:
 - name: customized-values
 configMap:
- name: validate-values-config
+ name: helm-values-config
 {{- with .Values.installer.nodeSelector | default .Values.global.nodeSelector }}
 nodeSelector: {{ toYaml . | nindent 8 }}
 {{- end }}
diff --git a/charts/gitops-runtime/tests/global_constraints_test.yaml b/charts/gitops-runtime/tests/global_constraints_test.yaml
index 4d64f765..dccede4a 100644
--- a/charts/gitops-runtime/tests/global_constraints_test.yaml
+++ b/charts/gitops-runtime/tests/global_constraints_test.yaml
@@ -436,6 +436,68 @@ tests: value: another-value effect: NoSchedule + - it: validate-usage job should have nodeSelector from .Values.global + values: + - ./values/global-constraints-values.yaml + template: hooks/pre-install/validate-usage.yaml + documentSelector: + path: kind + value: Job + asserts: + - equal: + path: spec.template.spec.nodeSelector + value: + some-key: some-value + extra-key: extra-value + + - it: validate-usage job should have nodeSelector from .Values.installer and NOT from .Values.global + values: + - ./values/global-constraints-values.yaml + - ./values/subcharts-constraints-values.yaml + template: hooks/pre-install/validate-usage.yaml + documentSelector: + path: kind + value: Job + asserts: + - equal: + path: spec.template.spec.nodeSelector + value: + some-key: another-value + foo: bar + + - it: validate-usage job should have tolerations from .Values.global + values: + - ./values/global-constraints-values.yaml + template: hooks/pre-install/validate-usage.yaml + documentSelector: + path: kind + value: Job + asserts: + - equal: + path: spec.template.spec.tolerations + value: + - key: some-key + operator: Equal + value: some-value + effect: NoSchedule + + - it: validate-usage job should have tolerations from .Values.installer and NOT from .Values.global + values: + - ./values/global-constraints-values.yaml + - ./values/subcharts-constraints-values.yaml + template: hooks/pre-install/validate-usage.yaml + documentSelector: + path: kind + value: Job + asserts: + - equal: + path: spec.template.spec.tolerations + value: + - key: another-key + operator: Equal + value: another-value + effect: NoSchedule + - it: cleanup-resources job should have nodeSelector from .Values.global values: diff --git a/charts/gitops-runtime/values.yaml b/charts/gitops-runtime/values.yaml index 0908f33c..9cb07ec2 100644 --- a/charts/gitops-runtime/values.yaml +++ b/charts/gitops-runtime/values.yaml 
@@ -186,6 +186,8 @@ global: installer: # -- if set to true, pre-install hook will *not* run skipValidation: false + # -- if set to true, pre-install hook will *not* run + skipUsageValidation: false image: repository: quay.io/codefresh/gitops-runtime-installer tag: "" diff --git a/installer-image/Dockerfile b/installer-image/Dockerfile index f164c094..b2401ee3 100644 --- a/installer-image/Dockerfile +++ b/installer-image/Dockerfile @@ -8,7 +8,7 @@ FROM debian:12.10-slim RUN echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections -ARG CF_CLI_VERSION=v0.2.6 +ARG CF_CLI_VERSION=v0.2.8 ARG TARGETARCH RUN apt-get update && apt-get install curl jq -y
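Review bot: In values.yaml the comment added above `skipUsageValidation` is a verbatim copy of the one on `skipValidation`, so a reader (and any docs generated from these `# --` comments) cannot tell the two flags apart. It also hides that leaving this flag `false` creates a ServiceAccount with cluster-wide `get` on secrets during pre-install, which an operator should know before accepting the default. Suggested wording: `# -- if set to true, the pre-install usage-validation hook (Job, ServiceAccount and ClusterRole/ClusterRoleBinding that reads secrets) will *not* be created`.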