feat(deploy): add helm chart (#138)

* chore: wip

* chore: wip

* chore: wip

* chore: wip

* chore: wip

* chore(manifests): update container entrypoints

* chore(deploy): split redis URL in host + port

* fix(cli): make Redis flags global

* fix(redis): rename port field

* fix(runner): try log layer

* fix: trigger ci

* fix(runner): fix get layer

* fix(runner): fix logs layer/repo

* chore(deploy): fix RBAC for burrito-runner + ssh known hosts

* chore(deploy): add TODO on CM reloading

* chore(deploy): helm: add checksums for configmap

* chore(deploy): helm: use appVersion for image tag

* ci(helm): add CI/CD for Helm chart

* ci(helm): test Helm rendering

* ci(helm): make Helm render mandatory

* fix(helm): appVersion references

* ci(helm): trigger on Helm chart files for PR

* docs(burrito): fix some typos and markdown lint

* chore(manifests): update references to burrito namespace

* fix(cmd): add --namespaces flag + update doc

* chore(manifests): use burrito NS for manifest install method

* docs(burrito): describe 2 installation methods

* docs(burrito): describe multi-tenant architecture

* fix(helm): update values-example

* fix(helm): remove burrito-runner default SA

* fix(helm): make tenants a empty array

* ci(helm): remove ghcr logout

* fix(helm): rename redis default hostname

---------

Co-authored-by: Alan <alanl@padok.fr>

.github/workflows/helm.yaml

@@ -0,0 +1,61 @@
+name: Helm CI/CD
+
+on:
+  push:
+    branches:
+    - main
+    tags:
+    - v*
+  pull_request:
+    branches:
+    - main
+    paths:
+    - 'deploy/charts/**'
+
+env:
+  CHART_NAME: burrito
+  CHART_PATH: ./deploy/charts/burrito
+  CHART_REPO: ghcr.io/${{ github.repository_owner }}/charts
+
+jobs:
+  helm-render:
+    name: Helm Render
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v3
+
+    - name: Helm Render
+      run: helm template ${{ env.CHART_PATH }}
+
+  helm-push:
+    name: Helm Push
+    runs-on: ubuntu-latest
+    needs: helm-render
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v3
+
+    - name: GHCR Login
+      run: echo ${{ secrets.GITHUB_TOKEN }} | helm registry login ghcr.io -u ${{ github.repository_owner }} --password-stdin
+
+    - name: Compute versions
+      shell: bash
+      run: |
+        CURRENT_VERSION=$(yq $CHART_PATH/Chart.yaml --expression .version)
+        if [[ ${{ github.event_name }} == 'pull_request' || ${{ github.event_name }} == 'push' && ${{ github.ref_type }} == 'branch' ]]; then
+          echo "VERSION=$(echo $CURRENT_VERSION-${{ github.sha }})" >> $GITHUB_ENV
+          echo "APP_VERSION=${{ github.sha }}" >> $GITHUB_ENV
+        elif [[ ${{ github.event_name }} == 'push' && ${{ github.ref_type }} == 'tag' ]]; then
+          echo "VERSION=$(echo ${{ github.ref_name }} | sed 's/v//')" >> $GITHUB_ENV
+          echo "APP_VERSION=${{ github.ref_name }}" >> $GITHUB_ENV
+        else
+          echo "Unsupported event type"
+          exit 1
+        fi
+
+    - name: Helm Package
+      run: helm package ${{ env.CHART_PATH }} -u --version ${{ env.VERSION }} --app-version ${{ env.APP_VERSION }}
+
+    - name: Helm Push
+      run: helm push ./${{ env.CHART_NAME }}-${{ env.VERSION }}.tgz oci://ghcr.io/${{ github.repository_owner }}/charts

.github/workflows/release.yaml

@@ -13,11 +13,11 @@ jobs:
     runs-on: ubuntu-latest
     environment: production
     steps:
-
     - name: Checkout
       uses: actions/checkout@v3
       with:
         fetch-depth: 0
+
     - name: Fetch all tags
       run: git fetch --force --tags
 
@@ -44,15 +44,26 @@ jobs:
   version:
     runs-on: ubuntu-latest
     environment: production
+    env:
+      CHART_PATH: ./deploy/charts/burrito
     steps:
     - name: Checkout
       uses: actions/checkout@v3
       with:
         fetch-depth: 0
         ref: main
-    - name: Bump version
+
+    - name: Bump VERSION file
       run: |
         echo ${{ github.ref_name }} > VERSION
+
+    - name: Bump Helm Chart versions
+      run: |
+        export CHART_VERSION=$(echo ${{ github.ref_name }} | sed 's/v//g')
+        export APP_VERSION=${{ github.ref_name }}
+        yq -i '.version = env(CHART_VERSION)' $CHART_PATH/Chart.yaml
+        yq -i '.appVersion = env(APP_VERSION)' $CHART_PATH/Chart.yaml
+
     - name: Commit version to repository
       uses: stefanzweifel/git-auto-commit-action@v4
       with:

README.md

@@ -13,21 +13,21 @@
 [`terraform`](https://www.terraform.io/) is a tremendous tool to manage your infrastructure in IaC.
 But, it does not come up with an out-of the box solution for managing [state drift](https://developer.hashicorp.com/terraform/tutorials/state/resource-drift).
 
-Also, writing a CI/CD pipeline for terraform can be painful and depends on the tool you are using.
+Also, writing a CI/CD pipeline for Terraform can be painful and depends on the tool you are using.
 
-Finally, currently, there is no easy way to navigate your terraform state to truly understand the modifications it undergoes when running `terraform apply`.
+Finally, currently, there is no easy way to navigate your Terraform state to truly understand the modifications it undergoes when running `terraform apply`.
 
 `burrito` aims to tackle those issues by:
 
-- Planning continuously your terraform code and run applies if needed
-- Offering an out of the box PR/MR integration so you do not have to write CI/CD pipelines for terraform ever again (not implemented yet)
+- Planning continuously your Terraform code and run applies if needed
+- Offering an out of the box PR/MR integration so you do not have to write CI/CD pipelines for Terraform ever again
 - Showing your state's modifications in a simple Web UI (not implemented yet)
 
-## Demo 
+## Demo
 
 ![demo](./docs/assets/demo/demo.gif)
 
-## Documenation
+## Documentation
 
 To learn more about burrito [go to the complete documentation](https://padok-team.github.io/burrito/).
 

cmd/controllers/start.go

@@ -28,8 +28,8 @@ func buildControllersStartCmd(app *burrito.App) *cobra.Command {
 	defaultWaitActionTimer, _ := time.ParseDuration("1m")
 	defaultFailureGracePeriod, _ := time.ParseDuration("15s")
 
+	cmd.Flags().StringSliceVar(&app.Config.Controller.Namespaces, "namespaces", []string{"burrito-system"}, "list of namespaces to watch")
 	cmd.Flags().StringSliceVar(&app.Config.Controller.Types, "types", []string{"layer", "repository", "pullrequest"}, "list of controllers to start")
-
 	cmd.Flags().DurationVar(&app.Config.Controller.Timers.DriftDetection, "drift-detection-period", defaultDriftDetectionTimer, "period between two plans. Must end with s, m or h.")
 	cmd.Flags().DurationVar(&app.Config.Controller.Timers.OnError, "on-error-period", defaultOnErrorTimer, "period between two runners launch when an error occurred in the controllers. Must end with s, m or h.")
 	cmd.Flags().DurationVar(&app.Config.Controller.Timers.WaitAction, "wait-action-period", defaultWaitActionTimer, "period between two runners when a layer is locked. Must end with s, m or h.")

cmd/root.go

@@ -25,9 +25,10 @@ func buildBurritoCmd(app *burrito.App) *cobra.Command {
 		},
 	}
 
-	cmd.Flags().StringVar(&app.Config.Redis.URL, "redis-url", "burrito-redis:6379", "the redis URL to connect to")
-	cmd.Flags().StringVar(&app.Config.Redis.Password, "redis-password", "", "the redis password")
-	cmd.Flags().IntVar(&app.Config.Redis.Database, "redis-database", 0, "the redis database")
+	cmd.PersistentFlags().StringVar(&app.Config.Redis.Hostname, "redis-host", "burrito-redis.burrito-system", "the redis host to connect to")
+	cmd.PersistentFlags().IntVar(&app.Config.Redis.ServerPort, "redis-port", 6379, "the port of the redis to connect to")
+	cmd.PersistentFlags().StringVar(&app.Config.Redis.Password, "redis-password", "", "the redis password")
+	cmd.PersistentFlags().IntVar(&app.Config.Redis.Database, "redis-database", 0, "the redis database")
 
 	cmd.AddCommand(controllers.BuildControllersCmd(app))
 	cmd.AddCommand(runner.BuildRunnerCmd(app))

deploy/charts/burrito/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

deploy/charts/burrito/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: burrito
+description: A Helm chart for handling a complete burrito deployment
+type: application
+version: 0.1.0
+appVersion: "v0.1.0"

deploy/charts/burrito/templates/config.yaml

@@ -0,0 +1,37 @@
+{{- if .Values.config.create }}
+
+{{- $config := .Values.config.burrito }}
+
+{{/*
+Tenant Namespaces
+*/}}
+{{- $tenantNamespaces := list }}
+{{- range $tenant := .Values.tenants }}
+{{- $tenantNamespaces = append $tenantNamespaces $tenant.namespace.name }}
+{{- end }}
+{{- $_ := set $config.controller "namespaces" (default $tenantNamespaces $config.controller.namespaces) }}
+
+{{/*
+Redis Hostname
+*/}}
+{{- if .Values.redis.enabled }}
+{{- $_ := set $config.redis "hostname" (printf "%s.%s" "burrito-redis" .Release.Namespace) }}
+{{- end }}
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: burrito-config
+  labels:
+    app.kubernetes.io/name: burrito-config
+    {{- toYaml .Values.global.metadata.labels | nindent 4 }}
+  {{- with (mergeOverwrite (deepCopy .Values.global.metadata.annotations) .Values.config.annotations) }}
+  annotations:
+    {{- range $key, $value := . }}
+    {{ $key }}: {{ $value | quote }}
+    {{- end }}
+  {{- end }}
+data:
+  config.yaml: |-
+    {{- toYaml $config | nindent 4 }}
+{{- end }}

deploy/charts/burrito/templates/controllers.yaml

@@ -0,0 +1,121 @@
+{{ $configChecksum := (include (print $.Template.BasePath "/config.yaml") . | sha256sum) }}
+{{ $sshKnownHostsChecksum := (include (print $.Template.BasePath "/ssh-known-hosts.yaml") . | sha256sum) }}
+
+{{- with mergeOverwrite (deepCopy .Values.global) .Values.controllers }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: burrito-controllers
+  annotations:
+    {{- toYaml .metadata.annotations | nindent 4 }}
+  labels:
+    {{- toYaml .metadata.labels | nindent 4 }}
+spec:
+  {{- if not .deployment.autoscaling.enabled }}
+  replicas: {{ .deployment.replicas }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- toYaml .metadata.labels | nindent 6 }}
+  template:
+    metadata:
+      annotations:
+        checksum/burrito-config: {{ $configChecksum }}
+        checksum/burrito-ssh-known-hosts: {{ $sshKnownHostsChecksum }}
+        {{- toYaml .deployment.podAnnotations | nindent 8 }}
+      labels:
+        {{- toYaml .metadata.labels | nindent 8 }}
+    spec:
+      {{- with .deployment.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: burrito-controllers
+      securityContext:
+        {{- toYaml .deployment.podSecurityContext | nindent 8 }}
+      containers:
+        - name: burrito
+          command:
+            {{- toYaml .deployment.command | nindent 12 }}
+          args:
+            {{- toYaml .deployment.args | nindent 12 }}
+          securityContext:
+            {{- toYaml .deployment.securityContext | nindent 12 }}
+          image: "{{ .deployment.image.repository }}:{{ .deployment.image.tag | default $.Chart.AppVersion }}"
+          imagePullPolicy: {{ .deployment.image.pullPolicy }}
+          ports:
+            {{- toYaml .deployment.ports | nindent 12 }}
+          livenessProbe:
+            {{- toYaml .deployment.livenessProbe | nindent 12 }}
+          readinessProbe:
+            {{- toYaml .deployment.readinessProbe | nindent 12 }}
+          resources:
+            {{- toYaml .deployment.resources | nindent 12 }}
+          env:
+            {{- toYaml .deployment.env | nindent 12 }}
+          envFrom:
+            {{- toYaml .deployment.envFrom | nindent 12 }}
+          volumeMounts:
+            - name: burrito-config
+              mountPath: /etc/burrito
+              readOnly: true
+      {{- with .deployment.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .deployment.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .deployment.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      volumes:
+        - name: burrito-config
+          configMap:
+            name: burrito-config
+{{- if .service.enabled }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: burrito-controllers
+  labels:
+    {{- toYaml .metadata.labels | nindent 4}}
+  annotations:
+    {{- toYaml .metadata.annotations | nindent 4}}
+spec:
+  type: {{ .type }}
+  ports:
+    {{- toYaml .service.ports | nindent 4 }}
+  selector:
+    {{- toYaml .metadata.labels | nindent 4 }}
+{{- end }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: burrito-controllers
+  labels:
+    {{- toYaml .metadata.labels | nindent 4 }}
+  annotations:
+    {{- toYaml .metadata.annotations | nindent 4 }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: burrito-controllers
+  labels:
+    {{- toYaml .metadata.labels | nindent 4 }}
+  annotations:
+    {{- toYaml .metadata.annotations | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: burrito-controllers
+subjects:
+  - kind: ServiceAccount
+    name: burrito-controllers
+    namespace: {{ $.Release.Namespace }}
+{{- end }}

deploy/charts/burrito/templates/crds/crd-terraformlayers.yaml

@@ -0,0 +1 @@
+../../../../../manifests/crds/config.terraform.padok.cloud_terraformlayers.yaml

deploy/charts/burrito/templates/crds/crd-terraformpullrequests.yaml

@@ -0,0 +1 @@
+../../../../../manifests/crds/config.terraform.padok.cloud_terraformpullrequests.yaml

deploy/charts/burrito/templates/crds/crd-terraformrepositories.yaml

@@ -0,0 +1 @@
+../../../../../manifests/crds/config.terraform.padok.cloud_terraformrepositories.yaml