39 changes: 30 additions & 9 deletions .github/workflows/ocm.yaml
@@ -1,13 +1,6 @@
name: OCM

on:
pull_request:
branches: [showroom]
paths:
- "showroom/ocm/**"
- ".github/workflows/ocm.yaml"
- "charts/**"
- "ocm/**"
workflow_dispatch:
inputs:
oci_registry:
Expand All @@ -28,10 +21,9 @@ concurrency:

jobs:
ocm:
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
runs-on: ubuntu-latest
permissions:
contents: read
contents: write
packages: write
env:
OCI_REGISTRY_INPUT: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.oci_registry || '' }}
Expand Down Expand Up @@ -142,3 +134,32 @@ jobs:
fi
echo "Pushing OCM transport archive to ${OCI_REGISTRY}"
env -u GITHUB_TOKEN ocm transfer ctf ./ocm/transport.ctf "OCIRegistry::${OCI_REGISTRY}"

- name: Sync tier manifests from OCM descriptors
id: sync_tier_images
if: github.event_name != 'pull_request'
shell: bash
run: |
set -euxo pipefail
SIGNING_IMAGE="$(yq -r '.components[0].resources[] | select(.name == "image") | .access.imageReference' showroom/ocm/collector-contrib-signing.yaml)"
VERIFY_IMAGE="$(yq -r '.components[0].resources[] | select(.name == "image") | .access.imageReference' showroom/ocm/collector-contrib-verify.yaml)"
test -n "${SIGNING_IMAGE}"
test -n "${VERIFY_IMAGE}"
yq -i '(. | select(.kind == "Deployment") | .spec.template.spec.containers[] | select(.name == "otel-collector") | .image) = strenv(SIGNING_IMAGE)' showroom/kubectl/tier-1.yaml
yq -i '(. | select(.kind == "DaemonSet") | .spec.template.spec.containers[] | select(.name == "otel-collector") | .image) = strenv(VERIFY_IMAGE)' showroom/kubectl/tier-2.yaml
if git diff --quiet -- showroom/kubectl/tier-1.yaml showroom/kubectl/tier-2.yaml; then
echo "changed=false" >> "${GITHUB_OUTPUT}"
exit 0
fi
echo "changed=true" >> "${GITHUB_OUTPUT}"

- name: Commit synced tier manifests
if: github.event_name != 'pull_request' && steps.sync_tier_images.outputs.changed == 'true'
shell: bash
run: |
set -euxo pipefail
git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
git add showroom/kubectl/tier-1.yaml showroom/kubectl/tier-2.yaml
git commit -m "chore(showroom): sync tier collector images from OCM descriptors"
git push
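Review bot: `test -n "${SIGNING_IMAGE}"` and `test -n "${VERIFY_IMAGE}"` in the sync step do not reject a descriptor whose `image` resource lacks `.access.imageReference`, because `yq -r` prints the literal string `null` for a missing key, and the step would then commit `image: null` into the tier manifests; tighten both to `test -n "${SIGNING_IMAGE}" && test "${SIGNING_IMAGE}" != null`. With Flux reconciling tier-1/tier-2 straight from the `showroom` branch (added elsewhere in this PR), these two lines are the only gate between an edit to `showroom/ocm/*.yaml` and what runs in the cluster, so if the descriptors are meant to carry digests it is worth also requiring `[[ "${SIGNING_IMAGE}" == *@sha256:* ]]` — I cannot see the descriptor files to confirm that. `contents: write` is job-wide, so the OCM transfer step that deliberately runs `env -u GITHUB_TOKEN` still executes under a write-capable token; moving the sync-and-commit steps into a separate job with the narrower grant would keep the push permission away from that step. The `github.event_name != 'pull_request'` guards on both new steps look redundant now that the `pull_request` trigger and the fork-repo `if:` appear to have been removed in the hunks above.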
what's the idea behind this? I'm a bit concerned about direct commits... I normally prefer peter-evans/create-pull-request instead

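--- a/showroom/flux/tier-1-tier-2/kustomization.yaml
+++ b/showroom/flux/tier-1-tier-2/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../kubectl/tier-1.yaml
+  - ../../kubectl/tier-2.yaml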
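--- a/showroom/kubectl/flux-tier-1-tier-2.yaml
+++ b/showroom/kubectl/flux-tier-1-tier-2.yaml
@@ -0,0 +1,25 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+  name: showroom-tier-sync
+  namespace: flux-system
+spec:
+  interval: 1m
+  url: https://github.com/apeirora/audit-log-poc-for-otel.git
+  ref:
+    branch: showroom
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: showroom-tier-1-tier-2
+  namespace: flux-system
+spec:
+  interval: 1m
+  prune: true
+  wait: true
+  timeout: 3m
+  sourceRef:
+    kind: GitRepository
+    name: showroom-tier-sync
+  path: ./showroom/flux/tier-1-tier-2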
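Review bot: The Kustomization `showroom-tier-1-tier-2` sets no `spec.serviceAccountName`, so everything under `./showroom/flux/tier-1-tier-2` is applied with the kustomize-controller's own identity (cluster-admin in a default Flux install), and with `prune: true` that same identity can delete whatever it once applied; a service account in `flux-system` whose RBAC is limited to the tier-1 and tier-2 namespaces, referenced via `serviceAccountName: showroom-tier-sync`, would keep a bad commit on the `showroom` branch from reaching the rest of the cluster. The GitRepository also carries no `spec.verify`, so anything that lands on `showroom` is deployed within the 1m interval; if commits are signed, `verify: {mode: HEAD, secretRef: {name: <keyring-secret>}}` closes that gap — note the workflow in this PR pushes unsigned bot commits, so it would need a key of its own. Both are Flux defaults, so this is a hardening caveat rather than a functional break.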
13 changes: 13 additions & 0 deletions showroom/taskfile.yaml
Expand Up @@ -34,6 +34,10 @@ includes:
desc: OCM tasks.
taskfile: ./tasks/ocm.yaml

flux:
desc: Flux GitOps tasks for tier-1 and tier-2.
taskfile: ./tasks/flux.yaml

dice:
desc: Install and manage the sample application (dice-java).
taskfile: ./tasks/tier-1.yaml
Expand Down Expand Up @@ -65,6 +69,15 @@ tasks:
- task: otelcol-agent:install
- task: dice:install

deploy-gitops:
desc: Install setup and let Flux reconcile tier-1 and tier-2 from git.
cmds:
- task: garden:set-kubeconfig
- task: cluster:install
- task: secrets:apply
- task: monitoring:install
- task: flux:install

clean:
desc: Uninstall the complete setup, client applications (tier-1), OTel Collector agent (tier-2) and monitoring stack (tier-3)
deps:
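Review bot: `deploy-gitops` runs `secrets:apply` as a mandatory step, and that task (in `tasks/secrets.yaml`) only applies a `kubectl/secrets.local.yaml` that a prior `secrets:export` must have pulled from a cluster which already holds those secrets; on a freshly created cluster there is nothing to export from, so the task stops at the precondition with no hint of where the secrets originate — I cannot see from this PR how the non-GitOps `deploy` path creates them. Worth stating in the description, e.g. `desc: Install setup and let Flux reconcile tier-1 and tier-2 from git (needs kubectl/secrets.local.yaml from a prior secrets:export run).`, or making the `secrets:apply` step conditional on that file being present.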
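--- a/showroom/tasks/flux.yaml
+++ b/showroom/tasks/flux.yaml
@@ -0,0 +1,58 @@
+version: "3"
+
+description: Taskfile for Flux reconciliation of tier-1 and tier-2.
+
+includes:
+  tools:
+    taskfile: ./tools.yaml
+    internal: true
+  cluster:
+    taskfile: ./cluster.yaml
+    internal: true
+
+tasks:
+  install:
+    desc: Install Flux GitRepository and Kustomization for tier-1 and tier-2.
+    deps:
+      - task: tools:install-kubectl
+      - task: cluster:install
+    requires:
+      vars: [KUBECTL_CMD]
+    preconditions:
+      - sh: "{{ .KUBECTL_CMD }} cluster-info >/dev/null 2>&1"
+        msg: "Please ensure that you have a k8s-cluster running. Try:\ttask garden:set-kubeconfig"
+      - sh: "{{ .KUBECTL_CMD }} get crd gitrepositories.source.toolkit.fluxcd.io >/dev/null 2>&1"
+        msg: "Flux CRDs are not installed. Install Flux first and retry."
+    cmds:
+      - "{{ .KUBECTL_CMD }} apply -f kubectl/flux-tier-1-tier-2.yaml"
+      - "{{ .KUBECTL_CMD }} -n flux-system wait --for=condition=Ready gitrepository/showroom-tier-sync --timeout=180s"
+      - "{{ .KUBECTL_CMD }} -n flux-system wait --for=condition=Ready kustomization/showroom-tier-1-tier-2 --timeout=180s"
+
+  reconcile:
+    desc: Trigger immediate Flux reconciliation for tier-1 and tier-2.
+    deps:
+      - task: tools:install-kubectl
+    requires:
+      vars: [KUBECTL_CMD]
+    cmds:
+      - "{{ .KUBECTL_CMD }} -n flux-system annotate --overwrite kustomization/showroom-tier-1-tier-2 reconcile.fluxcd.io/requestedAt=\"$(date -u +%Y-%m-%dT%H:%M:%SZ)\""
+      - "{{ .KUBECTL_CMD }} -n flux-system get kustomization showroom-tier-1-tier-2 -o wide"
+
+  status:
+    desc: Show Flux status for tier-1 and tier-2 sync.
+    deps:
+      - task: tools:install-kubectl
+    requires:
+      vars: [KUBECTL_CMD]
+    cmds:
+      - "{{ .KUBECTL_CMD }} -n flux-system get gitrepository showroom-tier-sync -o wide"
+      - "{{ .KUBECTL_CMD }} -n flux-system get kustomization showroom-tier-1-tier-2 -o wide"
+
+  uninstall:
+    desc: Remove Flux GitRepository and Kustomization for tier-1 and tier-2.
+    deps:
+      - task: tools:install-kubectl
+    requires:
+      vars: [KUBECTL_CMD]
+    cmds:
+      - "{{ .KUBECTL_CMD }} delete -f kubectl/flux-tier-1-tier-2.yaml --ignore-not-found"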
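Review bot: `reconcile` only annotates the Kustomization, so Flux re-applies the artifact it already fetched; a commit pushed seconds earlier is not seen until the GitRepository's own 1m interval fires. Annotate the source first, `{{ .KUBECTL_CMD }} -n flux-system annotate --overwrite gitrepository/showroom-tier-sync reconcile.fluxcd.io/requestedAt="$(date -u +%Y-%m-%dT%H:%M:%SZ)"`, then the Kustomization. `uninstall`'s description understates what it does: the Kustomization is created with `prune: true` in `kubectl/flux-tier-1-tier-2.yaml`, and Flux's finalizer then garbage-collects the tier-1/tier-2 workloads it applied when the object is deleted, so the `desc` should say `Remove the Flux objects AND the tier-1/tier-2 resources they manage (prune: true).`. The `install` precondition checks only the GitRepository CRD; `kustomizations.kustomize.toolkit.fluxcd.io` should be checked the same way, since the apply would otherwise fail half-way.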
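--- a/showroom/tasks/secrets.yaml
+++ b/showroom/tasks/secrets.yaml
@@ -0,0 +1,43 @@
+version: "3"
+
+description: Taskfile for listing, exporting, and applying workload secrets.
+
+includes:
+  tools:
+    taskfile: ./tools.yaml
+    internal: true
+
+tasks:
+  list:
+    desc: List all secrets in tier-1, tier-2, and tier-3.
+    deps:
+      - task: tools:install-kubectl
+    cmds:
+      - "kubectl get secrets -n tier-1 -o wide"
+      - "kubectl get secrets -n tier-2 -o wide"
+      - "kubectl get secrets -n tier-3 -o wide"
+
+  export:
+    desc: Export required tier-1 and tier-2 secrets to kubectl/secrets.local.yaml.
+    deps:
+      - task: tools:install-kubectl
+    cmds:
+      - "kubectl get secret dice-java-openbao-token -n tier-1 -o yaml --show-managed-fields=false > kubectl/secrets.local.yaml"
+      - "echo --- >> kubectl/secrets.local.yaml"
+      - "kubectl get secret otel-otlp-client-auth -n tier-1 -o yaml --show-managed-fields=false >> kubectl/secrets.local.yaml"
+      - "echo --- >> kubectl/secrets.local.yaml"
+      - "kubectl get secret otel-otlp-ingest-htpasswd -n tier-2 -o yaml --show-managed-fields=false >> kubectl/secrets.local.yaml"
+      - "echo --- >> kubectl/secrets.local.yaml"
+      - "kubectl get secret opensearch-credentials -n tier-2 -o yaml --show-managed-fields=false >> kubectl/secrets.local.yaml"
+      - "echo --- >> kubectl/secrets.local.yaml"
+      - "kubectl get secret opensearch-ca-cert -n tier-2 -o yaml --show-managed-fields=false >> kubectl/secrets.local.yaml"
+
+  apply:
+    desc: Apply secrets from local file kubectl/secrets.local.yaml.
+    deps:
+      - task: tools:install-kubectl
+    preconditions:
+      - sh: 'test -f "kubectl/secrets.local.yaml"'
+        msg: "Missing kubectl/secrets.local.yaml. Run task secrets:export first."
+    cmds:
+      - "kubectl apply -f kubectl/secrets.local.yaml"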
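Review bot: `export` writes live credentials (an OpenBao token, an htpasswd file, OpenSearch credentials) base64-encoded but otherwise in the clear to `kubectl/secrets.local.yaml` inside the repo checkout, created with whatever the caller's umask happens to be; prefix the first command with `umask 077 &&` (or `chmod 600` the file afterwards) and make sure that path is git-ignored — I cannot see `.gitignore` from this PR. The dump also keeps `metadata.uid`, `resourceVersion` and `creationTimestamp`, which can make `apply` fail with a conflict or immutable-field error when the target cluster already holds a different copy of the secret; strip them on export with `| yq 'del(.metadata.uid, .metadata.resourceVersion, .metadata.creationTimestamp)'` on each `kubectl get secret` line. `apply` assumes the tier-1 and tier-2 namespaces already exist. Unlike `tasks/flux.yaml`, this file calls bare `kubectl` instead of `{{ .KUBECTL_CMD }}` and declares no `requires: vars: [KUBECTL_CMD]`, so the binary installed by `tools:install-kubectl` is not necessarily the one used.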