feat: downgrade knative-serving (#257)

* feat: automated schema fetching and packing, added k8s v1.19

* fix: validate-templates now correct exit code, bash tests robust

* fix: docker secret auth with username prefix

* fix: now alphasorting arrays before toJson to avoid diff [ci skip]

Co-authored-by: Maurice Faber <[email protected]>

Author: jeho

.demo/env/clusters.yaml

@@ -6,7 +6,7 @@ clouds:
                 enabled: false
                 apiName: eks_otomi-cloud_eu-central-1_otomi-eks-demo
                 apiServer: 1.1.1.1
-                k8sVersion: '1.16'
+                k8sVersion: '1.17'
                 otomiVersion: 'master'
                 region: eu-central-1
     google:
@@ -16,7 +16,7 @@ clouds:
                 enabled: true
                 apiName: gke_otomi-cloud_europe-west4_otomi-gke-demo
                 apiServer: 1.1.1.1
-                k8sVersion: '1.17'
+                k8sVersion: '1.18'
                 otomiVersion: 'master'
                 region: europe-west4
     azure:
@@ -26,7 +26,7 @@ clouds:
                 enabled: false
                 apiName: aks_otomi-cloud_westeurope_otomi-aks-demo
                 apiServer: 1.1.1.1
-                k8sVersion: '1.17'
+                k8sVersion: '1.18'
                 otomiVersion: 'master'
                 region: westeurope
     onprem:
@@ -37,7 +37,7 @@ clouds:
                 dnsProvider: google
                 apiName: onprem_otomi-cloud
                 apiServer: 1.1.1.1
-                k8sVersion: '1.18'
+                k8sVersion: '1.19'
                 otomiVersion: 'master'
                 region: local
                 entrypoint: 1.1.1.1

bin/gen-schemas.sh

@@ -0,0 +1,39 @@
+#!/bin/bash -xe
+
+# This script uses openapi2jsonschema to generate a set of JSON schemas for
+# the specified Kubernetes versions in different flavours:
+#
+#   X.Y.Z - URL referenced based on the specified GitHub repository
+#   X.Y.Z-standalone - de-referenced schemas, more useful as standalone documents
+#   X.Y.Z-standalone-strict - de-referenced schemas, more useful as standalone documents, additionalProperties disallowed
+#   X.Y.Z-local - relative references, useful to avoid the network dependency
+
+declare -a arr=(
+  # v1.19.6
+  # v1.18.14
+  v1.17.16
+)
+
+readonly tmp_path=$(mktemp -d)
+readonly schemas_path=$PWD/schemas
+
+cd $tmp_path
+for version in "${arr[@]}"; do
+  schema=https://raw.githubusercontent.com/kubernetes/kubernetes/${version}/api/openapi-spec/swagger.json
+  prefix=https://kubernetesjsonschema.dev/${version}/_definitions.JSON
+  out_version=${version%.*}
+
+  # openapi2jsonschema -o "${out_version}-standalone-strict" --expanded --kubernetes --stand-alone --strict "${schema}"
+  openapi2jsonschema -o "${out_version}-standalone" --expanded --kubernetes --stand-alone "${schema}"
+  # openapi2jsonschema -o "${out_version}-local" --expanded --kubernetes "${schema}"
+  # openapi2jsonschema -o "${out_version}" --expanded --kubernetes --prefix "${prefix}" "${schema}"
+  # openapi2jsonschema -o "${out_version}-standalone-strict" --kubernetes --stand-alone --strict "${schema}"
+  openapi2jsonschema -o "${out_version}-standalone" --kubernetes --stand-alone "${schema}"
+  # openapi2jsonschema -o "${out_version}-local" --kubernetes "${schema}"
+  # openapi2jsonschema -o "${out_version}" --kubernetes --prefix "${prefix}" "${schema}"
+
+  tar -zcvf ${out_version}-standalone.tar.gz ${out_version}-standalone
+  mv *.tar.gz $schemas_path/
+  rm -rf ${out_version}*
+done
+cd -

bin/hooks/pre-commit

@@ -1,4 +1,4 @@
 #!/bin/sh
 
 echo "Don't commit directly via git. Use 'otomi commit'."
-exit 1
+exit 1

bin/otomi

@@ -48,7 +48,7 @@ set +e
 customer=$(customer_name || $CUSTOMER || "unknown")
 set -e
 cmd_image=''
-docker_terminal_params='-ti'
+docker_terminal_params='-t'
 helm_config=''
 readme_url='https://github.com/redkubes/otomi-core'
 
@@ -283,7 +283,7 @@ function execute() {
       check_sops_file
       check_kube_context=0
       evaluate_secrets
-      if [ "$@" != '' ]; then
+      if [[ "$@" != '' ]]; then
         for f in $@; do
           echo "Decrypting $f"
           drun helm secrets dec ./env/$f >/dev/null
@@ -306,7 +306,7 @@ function execute() {
       check_sops_file
       check_kube_context=0
       evaluate_secrets
-      if [ "$@" != '' ]; then
+      if [[ "$@" != '' ]]; then
         for f in $@; do
           echo "Encrypting $f"
           drun helm secrets enc ./env/$f >/dev/null
@@ -349,7 +349,7 @@ function execute() {
       drun bin/test.sh
       ;;
     validate-templates)
-      if [ "$@" != '' ]; then
+      if [[ "$@" != '' ]]; then
         validate_cluster_env
       fi
       check_kube_context=0

bin/validate-templates.sh

@@ -3,32 +3,32 @@
 [ "$CI" != "" ] && set -e
 set -uo pipefail
 
-schemaOutputPath="/tmp/otomi/kubernetes-json-schema/master"
+schemaOutputPath="/tmp/otomi/kubernetes-json-schema"
 outputPath="/tmp/otomi/generated-crd-schemas"
 schemasBundleFile="$outputPath/all.json"
 k8sResourcesPath="/tmp/otomi/kubeval-fixtures"
 extractCrdSchemaJQFile=$(mktemp -u)
-exitcode=1
+exitcode=0
 
 . bin/common.sh
 
+readonly k8s_version="v$(get_k8s_version)"
+
 cleanup() {
   [ $exitcode -eq 0 ] && echo "Validation Success" || echo "Validation Failed"
   rm -rf $extractCrdSchemaJQFile
-  rm -rf $k8sResourcesPath $outputPath $schemaOutputPath
+  rm -rf $k8sResourcesPath -rf $outputPath $schemaOutputPath
   exit $exitcode
 }
 trap cleanup EXIT ERR
 
 run_setup() {
-  exitcode=1
-  local version="v$(get_k8s_version).0"
   rm -rf $k8sResourcesPath $outputPath $schemaOutputPath
   mkdir -p $k8sResourcesPath $outputPath $schemaOutputPath
   echo "" >$schemasBundleFile
   # use standalone schemas
-  tar -xzf "schemas/${version}-standalone.tar.gz" -C $schemaOutputPath
-  tar -xzf "schemas/generated-crd-schemas.tar.gz" -C "$schemaOutputPath/$version-standalone"
+  tar -xzf "schemas/$k8s_version-standalone.tar.gz" -C "$schemaOutputPath/"
+  tar -xzf "schemas/generated-crd-schemas.tar.gz" -C "$schemaOutputPath/$k8s_version-standalone"
 
   # loop over .spec.versions[] and generate one file for each version
   cat <<'EOF' >$extractCrdSchemaJQFile
@@ -66,11 +66,10 @@ process_crd() {
 }
 
 validate_templates() {
-  local version="v$(get_k8s_version).0"
 
   run_setup
   # generate_manifests
-  echo "Generating Kubernetes ${version} Manifests for ${CLOUD}-${CLUSTER}."
+  echo "Generating Kubernetes $k8s_version Manifests for ${CLOUD}-${CLUSTER}."
 
   hf -f helmfile.tpl/helmfile-init.yaml template --skip-deps --output-dir="$k8sResourcesPath" >/dev/null
   hf template --skip-deps --output-dir="$k8sResourcesPath" >/dev/null
@@ -88,19 +87,22 @@ validate_templates() {
   done
   # create schema in canonical format for each extracted file
   for json in $(jq -s -r '.[] | .filename' $schemasBundleFile); do
-    jq "select(.filename==\"$json\")" $schemasBundleFile | jq '.schema' >"$schemaOutputPath/$version-standalone/$json"
+    jq "select(.filename==\"$json\")" $schemasBundleFile | jq '.schema' >"$schemaOutputPath/$k8s_version-standalone/$json"
   done
 
   # validate_resources
-  echo "Validating resources against Kubernetes version: $version"
+  echo "Validating resources against Kubernetes version: $k8s_version"
   local kubevalSchemaLocation="file://${schemaOutputPath}"
   local skipKinds="CustomResourceDefinition"
   local skipFilenames="crd,knative-services"
-  {
-    set +o pipefail
-    kubeval --quiet --skip-kinds $skipKinds --ignored-filename-patterns $skipFilenames --force-color -d $k8sResourcesPath --schema-location $kubevalSchemaLocation --kubernetes-version $(echo $version | sed 's/v//') | grep -Ev 'PASS\b'
-    set -o pipefail
-  } && exitcode=0
+  local tmp_out=$(mktemp -u)
+  set +o pipefail
+  kubeval --quiet --skip-kinds $skipKinds --ignored-filename-patterns $skipFilenames \
+    --force-color -d $k8sResourcesPath --schema-location $kubevalSchemaLocation \
+    --kubernetes-version $(echo $k8s_version | sed 's/v//') | tee $tmp_out | grep -Ev 'PASS\b'
+  set -o pipefail
+  grep -q "ERROR" $tmp_out && exitcode=1
+  rm $tmp_out
 }
 
 if [ "${1-}" != "" ]; then

charts/keycloak/templates/statefulset.yaml

@@ -67,7 +67,7 @@ spec:
             - sh
             - -c
             - |
-              until printf "." && nc -z -w 2 {{ include "keycloak.postgresql.fullname" . }} {{ .Values.postgresql.service.port }}; do
+              until printf "." && nc -z -w 2 {{ include "keycloak.postgresql.fullname" . }}.{{ .Release.Namespace }} {{ .Values.postgresql.service.port }}; do
                   sleep 2;
               done;
 

charts/raw/ci/resources-values.yaml

@@ -1,5 +1,5 @@
 resources:
-- apiVersion: scheduling.k8s.io/v1beta1
+- apiVersion: scheduling.k8s.io/v1
   kind: PriorityClass
   metadata:
     name: common-critical

charts/team-ns/templates/_helpers.tpl

@@ -24,7 +24,7 @@ helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
 {{- end -}}
 
 {{- define "dockercfg" -}}
-{"auths":{"{{ .server }}":{"username":"{{ .username }}","password":"{{ .password | replace "\"" "\\\"" }}","email":"[email protected]","auth":"{{ .password | b64enc}}"}}}
+{"auths":{"{{ .server }}":{"username":"{{ .username }}","password":"{{ .password | replace "\"" "\\\"" }}","email":"[email protected]","auth":"{{ print .username ":" .password | b64enc}}"}}}
 {{- end -}}
 
 {{- define "itemsByName" -}}

helmfile.d/helmfile-20.ingress.yaml

@@ -32,6 +32,7 @@ releases:
     namespace: ingress
     labels:
       tag: ingress
+      pkg: ingress-azure
     <<: *default
   - name: ingress-merge
     installed: {{ and (eq $v.cluster.provider "aws") $v.otomi.hasCloudLB }}

helmfile.d/helmfile-99.post.yaml

@@ -7,8 +7,10 @@ bases:
 
 releases:
   - name: jobs-ingress-azure
-    installed: {{ eq $v.cluster.provider "azure" }}
+    installed: {{ and (eq $v.cluster.provider "azure") $v.otomi.hasCloudLB }}
     <<: *jobs
+    labels:
+      pkg: ingress-azure
   - name: jobs-harbor
     installed: {{ $c | get "harbor.enabled" false }}
     labels:

helmfile.d/snippets/domains.gotmpl

@@ -5,7 +5,6 @@
 {{- $domains := list }}
 {{- $domainNames := list }}
 {{- $teams := set $tc.teams "admin" dict }}
-# {{ $tc.teams | toJson }}
 {{- range $teamId, $team := $tc.teams }}
   {{- $baseDomain := printf "%s%s" (eq $teamId "admin" | ternary "" (printf "team-%s." $teamId)) $v.cluster.domain }}
   {{- $services := (eq $teamId "admin" | ternary $coreAdminServices (concat $coreTeamServices ($team | get "services" list))) }}

schemas/v1.16.0-standalone.tar.gz

@@ -211,9 +211,9 @@ definitions:
     default: '1.18'
     description: The cluster k8s version. Otomi supports 2 minor versions backwards compatibility from the suggested default.
     enum:
-      - '1.16'
       - '1.17'
       - '1.18'
+      - '1.19'
     type: string
   labels:
     $ref: '#/definitions/labelsAnnotations'

schemas/v1.17-standalone.tar.gz

@@ -38,7 +38,7 @@ tasks:
       OIDC_CLIENT_SECRET: {{ $hasKeycloak | ternary $k.idp.clientSecret $o.clientSecret }}
     env:
       HARBOR_BASE_URL: "http://harbor-harbor-core.harbor/api/v2.0"
-      TEAM_NAMES: '{{ $teamNames | toJson }}'
+      TEAM_NAMES: '{{ $teamNames | sortAlpha | toJson }}'
       OIDC_ENDPOINT: '{{ $hasKeycloak | ternary $keycloakIssuer $o.issuer }}'
       OIDC_GROUPS_CLAIM: 'groups'
       OIDC_NAME: 'keycloak'

schemas/v1.17.0-standalone.tar.gz

@@ -49,7 +49,7 @@ tasks:
       IDP_ALIAS: {{ $k.idp.alias }}
       IDP_GROUP_OTOMI_ADMIN: {{ $v.oidc.adminGroupID }}
       IDP_GROUP_TEAM_ADMIN: {{ $v.oidc.teamAdminGroupID }}
-      IDP_GROUP_MAPPINGS_TEAMS: '{{ $teamsMapping | toJson }}'
+      IDP_GROUP_MAPPINGS_TEAMS: '{{ $teamsMapping | sortAlpha | toJson }}'
       IDP_OIDC_URL: {{ $v.oidc.issuer }}
       REDIRECT_URIS: '[
           "https://otomi.{{ $v.cluster.domain }}",

schemas/v1.18-standalone.tar.gz

@@ -95,7 +95,7 @@ resources:
     - name: gcr-json-key
   {{- end }}
   {{- end }}
-  - apiVersion: scheduling.k8s.io/v1beta1
+  - apiVersion: scheduling.k8s.io/v1
     kind: PriorityClass
     metadata:
       name: otomi-critical

schemas/v1.18.0-standalone.tar.gz

@@ -6,7 +6,7 @@ resources:
       name: knative-serving
       namespace: knative-serving
     spec:
-      version: 0.19.0
+      version: 0.18.0
       config:
         defaults:
           revision-timeout-seconds: "300"  # 5 minutes

schemas/v1.19-standalone.tar.gz

@@ -40,7 +40,7 @@ env:
   CONTEXT_PATH: ''
   CONSOLE_MODE: {{ and (ne ($v.otomi | get "pullSecret" "") "") (ne ($v.otomi | get "mode" "ee") "ce") | ternary "ee" "ce" }}
   CLUSTER_ID: '{{ printf "%s/%s" $c.provider $c.name }}'
-  CLUSTERS: '{{ $clusters | toJson }}'
-  CORE: '{"services":{{ $v.services | toJson }},"teamConfig":{"services":{{ $v.teamConfig.services | toJson }}}}'
+  CLUSTERS: '{{ $clusters | sortAlpha | toJson }}'
+  CORE: '{"services":{{ $v.services | sortAlpha | toJson }},"teamConfig":{"services":{{ $v.teamConfig.services | sortAlpha | toJson }}}}'
   CORE_VERSION: '{{ $version }}'
-  TEAMS: '{{ keys $v.teamConfig.teams | toJson }}'
+  TEAMS: '{{ keys $v.teamConfig.teams | sortAlpha | toJson }}'