| garciadeblas | 8d8cd99 | 2024-05-21 16:04:14 +0200 | [diff] [blame] | 1 | ####################################################################################### |
| 2 | # Copyright ETSI Contributors and Others. |
| 3 | # |
| 4 | # Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | # you may not use this file except in compliance with the License. |
| 6 | # You may obtain a copy of the License at |
| 7 | # |
| 8 | # http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | # |
| 10 | # Unless required by applicable law or agreed to in writing, software |
| 11 | # distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or |
| 13 | # implied. |
| 14 | # See the License for the specific language governing permissions and |
| 15 | # limitations under the License. |
| 16 | ####################################################################################### |
| 17 | |
| 18 | set -e -o pipefail |
| 19 | |
| 20 | export HERE=$(dirname "$(readlink --canonicalize "$BASH_SOURCE")") |
| 21 | source "${HERE}/library/functions.sh" |
| 22 | source "${HERE}/library/trap.sh" |
| 23 | |
| 24 | |
| 25 | |
| 26 | # Input values |
| 27 | export CLUSTER_DIR="$1" |
| 28 | export PROJECT_DIR="$2" |
| 29 | export PROFILE_NAME="$3" |
| 30 | export TEMPLATES_DIR="$4" |
| 31 | export PUBLIC_KEY="$5" |
| 32 | |
| 33 | |
| 34 | # Helper functions to create the profile ConfigMaps |
| 35 | function safe_name() { |
| 36 | echo "$1" | \ |
| 37 | sed '/\.\// s|./||' | \ |
| 38 | sed 's|\.|-|g' | \ |
| 39 | sed 's|/|-|g' | \ |
| 40 | sed 's|_|-|g' | \ |
| 41 | sed 's| |-|g' |
| 42 | } |
| 43 | |
| 44 | function create_profile_configmap() { |
| 45 | local CONFIGMAP_NAME=$(safe_name "$1") |
| 46 | local PROFILE_REPO_URL="$2" |
| 47 | local PROFILE_PATH="$3" |
| 48 | kubectl create configmap ${CONFIGMAP_NAME} \ |
| 49 | --namespace flux-system \ |
| 50 | --from-literal=repo="${PROFILE_REPO_URL}" \ |
| 51 | --from-literal=path="${PROFILE_PATH}" \ |
| 52 | -o yaml \ |
| 53 | --dry-run=client |
| 54 | } |
| 55 | |
| 56 | # Helper functions to clone secret from one namespace to other |
| 57 | function clone_secret_to_new_ns_stdout() { |
| 58 | local SECRET_NAME="$1" |
| 59 | local SOURCE_NS="$2" |
| 60 | local DESTINATION_NS="$3" |
| 61 | |
| 62 | kubectl get secret "${SECRET_NAME}" -n "${SOURCE_NS}" -o yaml | \ |
| 63 | yq 'del(.metadata.uid) | del(.metadata.resourceVersion) | del(.metadata.creationTimestamp)' | \ |
| 64 | yq ".metadata.namespace = \"${DESTINATION_NS}\"" |
| 65 | } |
| 66 | |
| 67 | # Helper function to encrypt secrets from stdin |
| 68 | function encrypt_secret_from_stdin() { |
| 69 | local PUBLIC_KEY="$1" |
| 70 | |
| 71 | # Save secret manifest to temporary file |
| 72 | local TMPFILE=$(mktemp /tmp/secret.XXXXXXXXXX.yaml) || exit 1 |
| 73 | cat > "${TMPFILE}" |
| 74 | |
| 75 | # Encrypt |
| 76 | sops \ |
| 77 | --age=${PUBLIC_KEY} \ |
| 78 | --encrypt \ |
| 79 | --encrypted-regex '^(data|stringData)$' \ |
| 80 | --in-place "${TMPFILE}" |
| 81 | |
| 82 | # Outputs the result and removes the temporary file |
| 83 | cat "${TMPFILE}" && rm -f "${TMPFILE}" |
| 84 | } |
| 85 | |
| 86 | # Creates all folders in the profile (as well as env var aliases) |
| 87 | export ADDON_CTRL_DIR="${PROJECT_DIR}/infra-controller-profiles/${PROFILE_NAME}" |
| 88 | export ADDON_CONFIG_DIR="${PROJECT_DIR}/infra-config-profiles/${PROFILE_NAME}" |
| 89 | export RESOURCES_DIR="${PROJECT_DIR}/managed-resources/${PROFILE_NAME}" |
| 90 | export APPS_DIR="${PROJECT_DIR}/app-profiles/${PROFILE_NAME}" |
| 91 | mkdir -p "${ADDON_CTRL_DIR}" |
| 92 | mkdir -p "${ADDON_CONFIG_DIR}" |
| 93 | mkdir -p "${RESOURCES_DIR}" |
| 94 | mkdir -p "${APPS_DIR}" |
| 95 | |
| 96 | # Copies the templates for cluster setup |
| 97 | cp "${TEMPLATES_DIR}"/* "${CLUSTER_DIR}/" |
| 98 | |
| 99 | # Repo URLs |
| garciadeblas | cf603f5 | 2025-06-04 11:57:28 +0200 | [diff] [blame] | 100 | export FLEET_REPO_URL="${FLEET_REPO_HTTP_URL}" |
| 101 | export SW_CATALOGS_REPO_URL="${SW_CATALOGS_REPO_HTTP_URL}" |
| garciadeblas | 8d8cd99 | 2024-05-21 16:04:14 +0200 | [diff] [blame] | 102 | export INFRA_CONTROLLERS_PATH="./${MGMT_PROJECT_NAME}/infra-controller-profiles/_management" |
| 103 | export INFRA_CONFIGS_PATH="./${MGMT_PROJECT_NAME}/infra-config-profiles/_management" |
| 104 | export MANAGED_RESOURCES_PATH="./${MGMT_PROJECT_NAME}/managed-resources/_management" |
| 105 | export APPS_PATH="./${MGMT_PROJECT_NAME}/app-profiles/_management" |
| 106 | |
| 107 | # Render Flux `GitRepository` objects with proper Git URL and relative repo paths |
| 108 | envsubst < "${TEMPLATES_DIR}/fleet-repo.yaml" > "${CLUSTER_DIR}/fleet-repo.yaml" |
| 109 | envsubst < "${TEMPLATES_DIR}/sw-catalogs-repo.yaml" > "${CLUSTER_DIR}/sw-catalogs-repo.yaml" |
| 110 | |
| 111 | # Secrets to access both Git repos |
| 112 | # (NOTE: these are the last secrets to be added imperatively) |
| 113 | kubectl delete secret fleet-repo --namespace flux-system 2> /dev/null || true |
| garciadeblas | 8a28f6d | 2025-06-11 11:11:56 +0200 | [diff] [blame] | 114 | if [ -n "${MGMT_CLUSTER_CA_FILE}" ]; then |
| 115 | kubectl create secret generic fleet-repo \ |
| 116 | --namespace flux-system \ |
| 117 | --from-literal=username="${FLEET_REPO_GIT_USERNAME}" \ |
| 118 | --from-literal=password="${FLEET_REPO_GIT_USER_PASS}" \ |
| 119 | --from-file=ca.crt="${MGMT_CLUSTER_CA_FILE}" |
| 120 | else |
| 121 | kubectl create secret generic fleet-repo \ |
| 122 | --namespace flux-system \ |
| 123 | --from-literal=username="${FLEET_REPO_GIT_USERNAME}" \ |
| 124 | --from-literal=password="${FLEET_REPO_GIT_USER_PASS}" |
| 125 | fi |
| garciadeblas | 8d8cd99 | 2024-05-21 16:04:14 +0200 | [diff] [blame] | 126 | kubectl delete secret sw-catalogs --namespace flux-system 2> /dev/null || true |
| garciadeblas | 8a28f6d | 2025-06-11 11:11:56 +0200 | [diff] [blame] | 127 | if [ -n "${MGMT_CLUSTER_CA_FILE}" ]; then |
| 128 | kubectl create secret generic sw-catalogs \ |
| 129 | --namespace flux-system \ |
| 130 | --from-literal=username="${SW_CATALOGS_REPO_GIT_USERNAME}" \ |
| 131 | --from-literal=password="${SW_CATALOGS_REPO_GIT_USER_PASS}" \ |
| 132 | --from-file=ca.crt="${MGMT_CLUSTER_CA_FILE}" |
| 133 | else |
| 134 | kubectl create secret generic sw-catalogs \ |
| 135 | --namespace flux-system \ |
| 136 | --from-literal=username="${SW_CATALOGS_REPO_GIT_USERNAME}" \ |
| 137 | --from-literal=password="${SW_CATALOGS_REPO_GIT_USER_PASS}" |
| 138 | fi |
| garciadeblas | 8d8cd99 | 2024-05-21 16:04:14 +0200 | [diff] [blame] | 139 | # Render Flux `Kustomizations` to sync with default profiles |
| 140 | envsubst < "${TEMPLATES_DIR}/infra-controllers.yaml" > "${CLUSTER_DIR}/infra-controllers.yaml" |
| 141 | envsubst < "${TEMPLATES_DIR}/infra-configs.yaml" > "${CLUSTER_DIR}/infra-configs.yaml" |
| 142 | envsubst < "${TEMPLATES_DIR}/managed-resources.yaml" > "${CLUSTER_DIR}/managed-resources.yaml" |
| 143 | envsubst < "${TEMPLATES_DIR}/apps.yaml" > "${CLUSTER_DIR}/apps.yaml" |
| 144 | |
| 145 | # Create `ConfigMaps` into profiles (and `Namespace` specs when needed) to avoid sync errors |
| 146 | ## Infra controllers ConfigMap |
| 147 | CONFIGMAP_NAME="infra-controllers" |
| 148 | PROFILE_REPO_URL="${FLEET_REPO_URL}" |
| 149 | PROFILE_PATH="${INFRA_CONTROLLERS_PATH}" |
| 150 | create_profile_configmap \ |
| 151 | "${CONFIGMAP_NAME}" \ |
| 152 | "${PROFILE_REPO_URL}" \ |
| 153 | "${PROFILE_PATH}" \ |
| 154 | > "${ADDON_CTRL_DIR}/profile-configmap.yaml" |
| 155 | |
| 156 | ## Infra configurations ConfigMap |
| 157 | CONFIGMAP_NAME="infra-configs" |
| 158 | PROFILE_REPO_URL="${FLEET_REPO_URL}" |
| 159 | PROFILE_PATH="${INFRA_CONFIGS_PATH}" |
| 160 | create_profile_configmap \ |
| 161 | "${CONFIGMAP_NAME}" \ |
| 162 | "${PROFILE_REPO_URL}" \ |
| 163 | "${PROFILE_PATH}" \ |
| 164 | > "${ADDON_CONFIG_DIR}/profile-configmap.yaml" |
| 165 | |
| 166 | ## Managed resources ConfigMap |
| 167 | CONFIGMAP_NAME="managed-resources" |
| 168 | PROFILE_REPO_URL="${FLEET_REPO_URL}" |
| 169 | PROFILE_PATH="${MANAGED_RESOURCES_PATH}" |
| 170 | create_profile_configmap \ |
| 171 | "${CONFIGMAP_NAME}" \ |
| 172 | "${PROFILE_REPO_URL}" \ |
| 173 | "${PROFILE_PATH}" \ |
| 174 | > "${RESOURCES_DIR}/profile-configmap.yaml" |
| 175 | |
| 176 | ## Managed resources namespace |
| 177 | kubectl create ns ${CONFIGMAP_NAME} \ |
| 178 | -o yaml \ |
| 179 | --dry-run=client \ |
| 180 | > "${RESOURCES_DIR}/namespace.yaml" |
| 181 | |
| 182 | ### Copy secrets for Git repos from `flux-system` to `managed-resources` namespace |
| 183 | clone_secret_to_new_ns_stdout \ |
| 184 | flux-system \ |
| 185 | flux-system \ |
| 186 | "${CONFIGMAP_NAME}" | \ |
| 187 | encrypt_secret_from_stdin \ |
| 188 | "${PUBLIC_KEY}" \ |
| 189 | > "${RESOURCES_DIR}/secret-flux-system.yaml" |
| 190 | |
| 191 | clone_secret_to_new_ns_stdout \ |
| 192 | fleet-repo \ |
| 193 | flux-system \ |
| 194 | "${CONFIGMAP_NAME}" | \ |
| 195 | encrypt_secret_from_stdin \ |
| 196 | "${PUBLIC_KEY}" \ |
| 197 | > "${RESOURCES_DIR}/secret-fleet-repo.yaml" |
| 198 | |
| 199 | clone_secret_to_new_ns_stdout \ |
| 200 | sw-catalogs \ |
| 201 | flux-system \ |
| 202 | "${CONFIGMAP_NAME}" | \ |
| 203 | encrypt_secret_from_stdin \ |
| 204 | "${PUBLIC_KEY}" \ |
| 205 | > "${RESOURCES_DIR}/secret-sw-catalogs.yaml" |
| 206 | |
| 207 | ## Apps ConfigMap |
| 208 | CONFIGMAP_NAME="apps" |
| 209 | PROFILE_REPO_URL="${FLEET_REPO_URL}" |
| 210 | PROFILE_PATH="${APPS_PATH}" |
| 211 | create_profile_configmap \ |
| 212 | "${CONFIGMAP_NAME}" \ |
| 213 | "${PROFILE_REPO_URL}" \ |
| 214 | "${PROFILE_PATH}" \ |
| 215 | > "${APPS_DIR}/profile-configmap.yaml" |