Added updatecli script for Cilium

Signed-off-by: Roberto Bonafiglia <[email protected]>
rancher · May 9, 2024 · a3197da · a3197da
1 parent 7f35fe2
commit a3197da
Show file tree

Hide file tree

Showing 3 changed files with 328 additions and 0 deletions.
diff --git a/updatecli/scripts/cilium-values.yaml.patch.template b/updatecli/scripts/cilium-values.yaml.patch.template
@@ -0,0 +1,206 @@
+--- charts-original/values.yaml
++++ charts/values.yaml
+@@ -145,12 +145,10 @@
+ # -- Agent container image.
+ image:
+   override: ~
+-  repository: "quay.io/cilium/cilium"
++  repository: "rancher/mirrored-cilium-cilium"
+   tag: "CILIUM_IMAGE_VERSION"
+   pullPolicy: "IfNotPresent"
+-  # cilium-digest
+-  digest: "CILIUM_IMAGE_DIGEST"
+-  useDigest: true
++  useDigest: false
+
+ # -- Affinity for cilium-agent.
+ affinity:
+@@ -559,8 +557,10 @@
+   #  - flannel
+   #  - generic-veth
+   #  - portmap
+-  chainingMode: ~
+
++  # Otherwise rke2 hostPort does not work! Used for nginx
++  chainingMode: portmap
++
+   # -- A CNI network name in to which the Cilium plugin should be added as a chained plugin.
+   # This will cause the agent to watch for a CNI network with this network name. When it is
+   # found, this will be used as the basis for Cilium's CNI configuration file. If this is
+@@ -974,10 +974,9 @@
+ certgen:
+   image:
+     override: ~
+-    repository: "quay.io/cilium/certgen"
++    repository: "rancher/mirrored-cilium-certgen"
+     tag: "CILIUM_CERTGEN_VERSION"
+-    digest: "CILIUM_CERTGEN_DIGEST"
+-    useDigest: true
++    useDigest: false
+     pullPolicy: "IfNotPresent"
+   # -- Seconds after which the completed job pod will be deleted
+   ttlSecondsAfterFinished: 1800
+@@ -1002,7 +1001,7 @@
+
+ hubble:
+   # -- Enable Hubble (true by default).
+-  enabled: true
++  enabled: false
+
+   # -- Annotations to be added to all top-level hubble objects (resources under templates/hubble)
+   annotations: {}
+@@ -1233,11 +1232,9 @@
+     # -- Hubble-relay container image.
+     image:
+       override: ~
+-      repository: "quay.io/cilium/hubble-relay"
++      repository: "rancher/mirrored-cilium-hubble-relay"
+       tag: "CILIUM_HUBBLE_RELAY_VERSION"
+-       # hubble-relay-digest
+-      digest: "CILIUM_HUBBLE_RELAY_DIGEST"
+-      useDigest: true
++      useDigest: false
+       pullPolicy: "IfNotPresent"
+
+     # -- Specifies the resources for the hubble-relay pods
+@@ -1470,10 +1467,9 @@
+       # -- Hubble-ui backend image.
+       image:
+         override: ~
+-        repository: "quay.io/cilium/hubble-ui-backend"
++        repository: "rancher/mirrored-cilium-hubble-ui-backend"
+         tag: "CILIUM_HUBBLE_UI_BACKEND_VERSION"
+-        digest: "CILIUM_HUBBLE_UI_BACKEND_DIGEST"
+-        useDigest: true
++        useDigest: false
+         pullPolicy: "IfNotPresent"
+
+       # -- Hubble-ui backend security context.
+@@ -1509,10 +1505,9 @@
+       # -- Hubble-ui frontend image.
+       image:
+         override: ~
+-        repository: "quay.io/cilium/hubble-ui"
++        repository: "rancher/mirrored-cilium-hubble-ui"
+         tag: "CILIUM_HUBBLE_UI_VERSION"
+-        digest: "CILIUM_HUBBLE_UI_DIGEST"
+-        useDigest: true
++        useDigest: false
+         pullPolicy: "IfNotPresent"
+
+       # -- Hubble-ui frontend security context.
+@@ -1690,7 +1685,7 @@
+ ipam:
+   # -- Configure IP Address Management mode.
+   # ref: https://docs.cilium.io/en/stable/network/concepts/ipam/
+-  mode: "cluster-pool"
++  mode: "kubernetes"
+   # -- Maximum rate at which the CiliumNode custom resource is updated.
+   ciliumNodeUpdateRate: "15s"
+   operator:
+@@ -1984,7 +1979,7 @@
+
+ # -- Configure prometheus metrics on the configured port at /metrics
+ prometheus:
+-  enabled: false
++  enabled: true
+   port: 9962
+   serviceMonitor:
+     # -- Enable service monitors.
+@@ -2073,11 +2068,10 @@
+   # -- Envoy container image.
+   image:
+     override: ~
+-    repository: "quay.io/cilium/cilium-envoy"
++    repository: "rancher/mirrored-cilium-cilium-envoy"
+     tag: "CILIUM_ENVOY_VERSION"
+     pullPolicy: "IfNotPresent"
+-    digest: "CILIUM_ENVOY_DIGEST"
+-    useDigest: true
++    useDigest: false
+
+   # -- Additional containers added to the cilium Envoy DaemonSet.
+   extraContainers: []
+@@ -2386,10 +2380,9 @@
+   # -- cilium-etcd-operator image.
+   image:
+     override: ~
+-    repository: "quay.io/cilium/cilium-etcd-operator"
++    repository: "rancher/mirrored-cilium-cilium-etcd-operator"
+     tag: "CILIUM_ETCD_OPERATOR_VERSION"
+-    digest: "CILIUM_ETCD_OPERATOR_DIGEST"
+-    useDigest: true
++    useDigest: false
+     pullPolicy: "IfNotPresent"
+
+   # -- The priority class to use for cilium-etcd-operator
+@@ -2494,17 +2487,9 @@
+   # -- cilium-operator image.
+   image:
+     override: ~
+-    repository: "quay.io/cilium/operator"
++    repository: "rancher/mirrored-cilium-operator"
+     tag: "CILIUM_OPERATOR_VERSION"
+-    # operator-generic-digest
+-    genericDigest: "CILIUM_OPERATOR_DIGEST"
+-    # operator-azure-digest
+-    azureDigest: "CILIUM_AZURE_OPERATOR_DIGEST"
+-    # operator-aws-digest
+-    awsDigest: "CILIUM_AWS_OPERATOR_DIGEST"
+-    # operator-alibabacloud-digest
+-    alibabacloudDigest: "CILIUM_ALIBA_OPERATOR_DIGEST"
+-    useDigest: true
++    useDigest: false
+     pullPolicy: "IfNotPresent"
+     suffix: ""
+
+@@ -2676,8 +2661,7 @@
+
+   # -- Taint nodes where Cilium is scheduled but not running. This prevents pods
+   # from being scheduled to nodes where Cilium is not the default CNI provider.
+-  # @default -- same as removeNodeTaints
+-  setNodeTaints: ~
++  setNodeTaints: false
+
+   # -- Set Node condition NetworkUnavailable to 'false' with the reason
+   # 'CiliumIsUp' for nodes that have a healthy Cilium pod.
+@@ -2791,11 +2775,9 @@
+   # -- Cilium pre-flight image.
+   image:
+     override: ~
+-    repository: "quay.io/cilium/cilium"
++    repository: "rancher/mirrored-cilium-cilium"
+     tag: "CILIUM_IMAGE_VERSION"
+-    # cilium-digest
+-    digest: "CILIUM_IMAGE_DIGEST"
+-    useDigest: true
++    useDigest: false
+     pullPolicy: "IfNotPresent"
+
+   # -- The priority class to use for the preflight pod.
+@@ -2953,11 +2935,9 @@
+     # -- Clustermesh API server image.
+     image:
+       override: ~
+-      repository: "quay.io/cilium/clustermesh-apiserver"
++      repository: "rancher/mirrored-cilium-clustermesh-apiserver"
+       tag: "CILIUM_CLUSTERMESH_VERSION"
+-      # clustermesh-apiserver-digest
+-      digest: "CILIUM_CLUSTERMESH_DIGEST"
+-      useDigest: true
++      useDigest: false
+       pullPolicy: "IfNotPresent"
+
+     etcd:
+@@ -3526,3 +3506,11 @@
+       agentSocketPath: /run/spire/sockets/agent/agent.sock
+       # -- SPIRE connection timeout
+       connectionTimeout: 30s
++
++portmapPlugin:
++  image:
++    repository: "rancher/hardened-cni-plugins"
++    tag: "v1.4.1-build20240325"
++
++global:
++  systemDefaultRegistry: ""
diff --git a/updatecli/scripts/update-cilium.sh b/updatecli/scripts/update-cilium.sh
@@ -0,0 +1,68 @@
+#!/bin/bash
+if [ -n "$CILIUM_VERSION" ]; then
+	current_cilium_version=$(sed -nr 's/^\ version: ('[0-9]+.[0-9]+.[0-9+]')/\1/p' packages/rke2-cilium/generated-changes/patch/Chart.yaml.patch)
+	if [ "$current_cilium_version" != "$CILIUM_VERSION" ]; then
+		echo "Updating Cilium chart to $CILIUM_VERSION"
+		cilium_major=$(echo "$CILIUM_VERSION" | grep -Eo '[0-9]+.[0-9]+')
+		mkdir workdir
+		sed -i "s/ appVersion: .*/ appVersion: $CILIUM_VERSION/g" packages/rke2-cilium/generated-changes/patch/Chart.yaml.patch
+		sed -i "s/-icon: .*/-icon: https:\/\/cdn.jsdelivr.net\/gh\/cilium\/cilium@v$cilium_major\/Documentation\/images\/logo-solo.svg/g" packages/rke2-cilium/generated-changes/patch/Chart.yaml.patch
+		sed -i "s/ version: .*/ version: $CILIUM_VERSION/g" packages/rke2-cilium/generated-changes/patch/Chart.yaml.patch
+		yq -i ".url = \"https://helm.cilium.io/cilium-$CILIUM_VERSION.tgz\" |
+			.packageVersion = 00" packages/rke2-cilium/package.yaml
+		mv packages/rke2-cilium/generated-changes/patch/values.yaml.patch workdir
+		GOCACHE='/home/runner/.cache/go-build' GOPATH='/home/runner/go' PACKAGE='rke2-cilium' make prepare
+		cp packages/rke2-cilium/charts/values.yaml workdir
+		cp updatecli/scripts/cilium-values.yaml.patch.template workdir
+		#Extract values used to patch the file
+		CILIUM_IMAGE_VERSION=$(yq ".image.tag" workdir/values.yaml)
+		CILIUM_IMAGE_DIGEST=$(yq ".image.digest" workdir/values.yaml)
+		CILIUM_CERTGEN_VERSION=$(yq ".certgen.image.tag" workdir/values.yaml)
+		CILIUM_CERTGEN_DIGEST=$(yq ".certgen.image.digest" workdir/values.yaml)
+		CILIUM_HUBBLE_RELAY_VERSION=$(yq ".hubble.relay.image.tag" workdir/values.yaml)
+		CILIUM_HUBBLE_RELAY_DIGEST=$(yq ".hubble.relay.image.digest" workdir/values.yaml)
+		CILIUM_HUBBLE_UI_BACKEND_VERSION=$(yq ".hubble.ui.backend.image.tag" workdir/values.yaml)
+		CILIUM_HUBBLE_UI_BACKEND_DIGEST=$(yq ".hubble.ui.backend.image.digest" workdir/values.yaml)
+		CILIUM_HUBBLE_UI_VERSION=$(yq ".hubble.ui.frontend.image.tag" workdir/values.yaml)
+		CILIUM_HUBBLE_UI_DIGEST=$(yq ".hubble.ui.frontend.image.digest" workdir/values.yaml)
+		CILIUM_ENVOY_VERSION=$(yq ".envoy.image.tag" workdir/values.yaml)
+		CILIUM_ENVOY_DIGEST=$(yq ".envoy.image.digest" workdir/values.yaml)
+		CILIUM_ETCD_OPERATOR_VERSION=$(yq ".etcd.image.tag" workdir/values.yaml)
+		CILIUM_ETCD_OPERATOR_DIGEST=$(yq ".etcd.image.digest" workdir/values.yaml)
+		CILIUM_OPERATOR_VERSION=$(yq ".operator.image.tag" workdir/values.yaml)
+		CILIUM_OPERATOR_DIGEST=$(yq ".operator.image.genericDigest" workdir/values.yaml)
+		CILIUM_AZURE_OPERATOR_DIGEST=$(yq ".operator.image.azureDigest" workdir/values.yaml)
+		CILIUM_AWS_OPERATOR_DIGEST=$(yq ".operator.image.awsDigest" workdir/values.yaml)
+		CILIUM_ALIBA_OPERATOR_DIGEST=$(yq ".operator.image.alibabacloudDigest" workdir/values.yaml)
+		CILIUM_CLUSTERMESH_VERSION=$(yq ".clustermesh.apiserver.image.tag" workdir/values.yaml)
+		CILIUM_CLUSTERMESH_DIGEST=$(yq ".clustermesh.apiserver.image.digest" workdir/values.yaml)
+		sed -ie "s/CILIUM_IMAGE_VERSION/$CILIUM_IMAGE_VERSION/g" workdir/cilium-values.yaml.patch.template
+		sed -ie "s/CILIUM_IMAGE_DIGEST/$CILIUM_IMAGE_DIGEST/g" workdir/cilium-values.yaml.patch.template
+		sed -ie "s/CILIUM_CERTGEN_VERSION/$CILIUM_CERTGEN_VERSION/g" workdir/cilium-values.yaml.patch.template
+		sed -ie "s/CILIUM_CERTGEN_DIGEST/$CILIUM_CERTGEN_DIGEST/g" workdir/cilium-values.yaml.patch.template
+		sed -ie "s/CILIUM_HUBBLE_RELAY_VERSION/$CILIUM_HUBBLE_RELAY_VERSION/g" workdir/cilium-values.yaml.patch.template
+		sed -ie "s/CILIUM_HUBBLE_RELAY_DIGEST/$CILIUM_HUBBLE_RELAY_DIGEST/g" workdir/cilium-values.yaml.patch.template
+		sed -ie "s/CILIUM_HUBBLE_UI_BACKEND_VERSION/$CILIUM_HUBBLE_UI_BACKEND_VERSION/g" workdir/cilium-values.yaml.patch.template
+		sed -ie "s/CILIUM_HUBBLE_UI_BACKEND_DIGEST/$CILIUM_HUBBLE_UI_BACKEND_DIGEST/g" workdir/cilium-values.yaml.patch.template
+		sed -ie "s/CILIUM_HUBBLE_UI_VERSION/$CILIUM_HUBBLE_UI_VERSION/g" workdir/cilium-values.yaml.patch.template
+		sed -ie "s/CILIUM_HUBBLE_UI_DIGEST/$CILIUM_HUBBLE_UI_DIGEST/g" workdir/cilium-values.yaml.patch.template
+		sed -ie "s/CILIUM_ENVOY_VERSION/$CILIUM_ENVOY_VERSION/g" workdir/cilium-values.yaml.patch.template
+		sed -ie "s/CILIUM_ENVOY_DIGEST/$CILIUM_ENVOY_DIGEST/g" workdir/cilium-values.yaml.patch.template
+		sed -ie "s/CILIUM_ETCD_OPERATOR_VERSION/$CILIUM_ETCD_OPERATOR_VERSION/g" workdir/cilium-values.yaml.patch.template
+		sed -ie "s/CILIUM_ETCD_OPERATOR_DIGEST/$CILIUM_ETCD_OPERATOR_DIGEST/g" workdir/cilium-values.yaml.patch.template
+		sed -ie "s/CILIUM_OPERATOR_VERSION/$CILIUM_OPERATOR_VERSION/g" workdir/cilium-values.yaml.patch.template
+		sed -ie "s/CILIUM_OPERATOR_DIGEST/$CILIUM_OPERATOR_DIGEST/g" workdir/cilium-values.yaml.patch.template
+		sed -ie "s/CILIUM_AZURE_OPERATOR_DIGEST/$CILIUM_AZURE_OPERATOR_DIGEST/g" workdir/cilium-values.yaml.patch.template
+		sed -ie "s/CILIUM_AWS_OPERATOR_DIGEST/$CILIUM_AWS_OPERATOR_DIGEST/g" workdir/cilium-values.yaml.patch.template
+		sed -ie "s/CILIUM_ALIBA_OPERATOR_DIGEST/$CILIUM_ALIBA_OPERATOR_DIGEST/g" workdir/cilium-values.yaml.patch.template
+		sed -ie "s/CILIUM_CLUSTERMESH_VERSION/$CILIUM_CLUSTERMESH_VERSION/g" workdir/cilium-values.yaml.patch.template
+		sed -ie "s/CILIUM_CLUSTERMESH_DIGEST/$CILIUM_CLUSTERMESH_DIGEST/g" workdir/cilium-values.yaml.patch.template
+		make clean
+		cp workdir/cilium-values.yaml.patch.template packages/rke2-cilium/generated-changes/patch/values.yaml.patch
+		rm -fr workdir
+		GOCACHE='/home/runner/.cache/go-build' GOPATH='/home/runner/go' PACKAGE='rke2-cilium' make prepare
+		find packages/rke2-cilium/charts -name '*.orig' -delete 
+		GOCACHE='/home/runner/.cache/go-0build' GOPATH='/home/runner/go' PACKAGE='rke2-cilium' make patch
+		make clean
+	fi
+fi
diff --git a/updatecli/updatecli.d/updatecilium.yaml b/updatecli/updatecli.d/updatecilium.yaml
@@ -0,0 +1,54 @@
+---
+name: "Update Cilium version" 
+
+sources:
+  cilium:
+    name: Get cilium version
+    kind: githubrelease
+    spec:
+      owner: cilium
+      repository: cilium
+      token: '{{ requiredEnv .github.token }}'
+      typefilter:
+        release: true
+        draft: false
+        prerelease: false
+      versionfilter:
+        kind: latest
+
+targets:
+  ciliumImage:
+    name: "Bump to latest cilium version on the chart"
+    kind: shell
+    scmid: default
+    sourceid: cilium
+    spec:
+      command: 'updatecli/scripts/update-cilium.sh'
+      environments:
+        - name: CILIUM_VERSION
+          value: '{{ source "cilium" }}'
+
+
+scms:
+  default:
+    kind: github
+    spec:
+      token: '{{ requiredEnv .github.token }}'
+      username: '{{ requiredEnv .github.username }}'
+      user: '{{ .github.username }}'
+      email: '{{ .github.email }}'
+      owner: '{{ .github.owner }}'
+      repository: '{{ .github.repository }}'
+      branch: '{{ .github.branch }}'
+
+actions:
+  default:
+    title: 'Update Cilium version to {{ source "cilium" }}'
+    kind: github/pullrequest
+    spec:
+      automerge: false
+      labels:
+        - chore
+        - skip-changelog
+        - status/auto-created 
+    scmid: default