Warden promotion workflow (kyma-project#178)

* Warden promotion workflow

* fetch skr-config via gh cli

* Tag warden repo when promoting warden module to release channel

* separator

* code review

* code review

.github/scripts/upgrade-sec-scanners-config.sh

@@ -2,5 +2,6 @@
 
 IMG_VERSION=${IMG_VERSION?"Define IMG_VERSION env"}
 
-yq -i ".protecode[] |= sub(\":main\", \":${IMG_VERSION}\")" sec-scanners-config.yaml
+yq -i ".protecode[0] = \"europe-docker.pkg.dev/kyma-project/prod/warden/operator:${IMG_VERSION}\"" sec-scanners-config.yaml
+yq -i ".protecode[1] = \"europe-docker.pkg.dev/kyma-project/prod/warden/admission:${IMG_VERSION}\"" sec-scanners-config.yaml
 yq -i "del(.rc-tag)" sec-scanners-config.yaml

.github/workflows/promote-to-release-channel-with-config.yaml

@@ -0,0 +1,150 @@
+name: "Promote to release channel with config"
+
+on:
+  workflow_dispatch:
+    inputs:
+      new_warden_tag:
+        description: 'New warden tag (`x.x.x`)'
+        default: ""
+        required: true
+      warden_skr_config_version:
+        description: 'Warden SKR config version (`y.y`)'
+        default: ""
+        required: true
+      channel:
+        description: 'Module channel'
+        default: "fast"
+        required: true
+
+env:
+  MODULE_VERSION: ${{ github.event.inputs.new_warden_tag }}
+  CHANNEL: ${{ github.event.inputs.channel }}
+  # needed by gh cli for GitHub enterprise
+  GH_ENTERPRISE_TOKEN: ${{ secrets.GH_BOT_TOKEN }}
+  WARDEN_SKR_OVERRIDES_REPO_URL: ${{ secrets.WARDEN_SKR_OVERRIDES_REPO_URL }}
+  BOT_USERNAME: kyma-otter-serviceuser
+  BOT_EMAIL: [email protected]
+  GH_TOOLS_REPO_URL: ${{ secrets.GH_TOOLS_REPO_URL }}
+
+jobs:
+
+  upgrade-images:
+    name: Bump warden images references
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Bump sec-scanners-config.yaml
+        run: ./.github/scripts/upgrade-sec-scanners-config.sh
+        env:
+          IMG_VERSION: ${{ github.event.inputs.new_warden_tag }}
+
+      - name: Bump values.yaml
+        run: |
+          make replace-chart-images
+        env:
+          IMG_DIRECTORY: "prod"
+          IMG_VERSION: ${{ github.event.inputs.new_warden_tag }}
+
+      - name: Bump chart version
+        run: ./.github/scripts/upgrade-chart-version.sh
+        env:
+          CHART_VERSION: ${{ github.event.inputs.new_warden_tag }}
+
+      - name: Commit&Push
+        run: |
+          git config --local user.email "[email protected]"
+          git config --local user.name "otter-releaser"
+
+          git add .
+          git commit --allow-empty -m "upgrade dependencies"
+          git push origin ${{ github.ref_name }}
+
+  create-tag:
+    name: Create tag
+    needs: upgrade-images
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          ref: ${{ github.ref_name }} # fetching the latest changes (incl. the commit from previous job) from branch name
+
+      - name: Create lightweight tag
+        run: |
+          git tag ${{ github.event.inputs.new_warden_tag }}
+          git push origin ${{ github.event.inputs.new_warden_tag }}
+
+      - name: Verify prow release jobs
+        run: ./.github/scripts/verify-release-builds.sh ${{ github.ref_name }}
+
+  promote-warden:
+    name: Render warden with skr config
+    needs: create-tag
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.inputs.new_warden_tag }} # fetching tag that was created in previous job 
+
+      - name: Download warden-SKR-config
+        run: |
+          gh release download ${{ github.event.inputs.warden_skr_config_version }} -R "${WARDEN_SKR_OVERRIDES_REPO_URL}" --pattern '*.yaml' --output values.yaml
+      
+      - name: Render warden manifest for values
+        run: |
+          make render-manifest-for-values
+          echo "==== warden manifest ==="
+          cat warden.yaml
+          
+      - name: Render module-config
+        run: |
+          make module-config
+          echo "==== module-config ==="
+          cat module-config.yaml 
+
+      - name: Set up module-manifests repo
+        run: |
+          git config --global user.email "${BOT_EMAIL}"
+          git config --global user.name "${BOT_USERNAME}"
+          git clone "https://${BOT_USERNAME}:${GH_ENTERPRISE_TOKEN}@${GH_TOOLS_REPO_URL}/${BOT_USERNAME}/module-manifests.git"
+          git -C module-manifests remote add upstream "https://${BOT_USERNAME}:${GH_ENTERPRISE_TOKEN}@github.tools.sap/kyma/module-manifests.git"
+
+      - name: Commit manifest
+        working-directory: module-manifests
+        run: |
+          git fetch upstream
+          git checkout -B "${MODULE_VERSION}-${CHANNEL}" upstream/main
+
+          mkdir -p modules/warden/${CHANNEL}
+          cp ../warden.yaml modules/warden/${CHANNEL}/warden.yaml
+          cp ../module-config.yaml modules/warden/${CHANNEL}/module-config.yaml
+
+          git add .
+          git commit -m "promote warden ${MODULE_VERSION} to ${CHANNEL} channel"
+          git push origin "${MODULE_VERSION}-${CHANNEL}" -f
+
+      - name: Create PullRequest to module-manifests
+        working-directory: module-manifests
+        run: |
+          prs=$(gh pr list -R "https://${GH_TOOLS_REPO_URL}/kyma/module-manifests" -A "${BOT_USERNAME}" --state open --json headRefName)
+
+          if  echo $prs | jq -e ".[] | select(.headRefName==\"${MODULE_VERSION}-${CHANNEL}\")"; then
+              echo "opened PR already exists, no need to create new one, PR will be updated by push from previous step"
+              exit 0
+          fi
+
+          gh pr create -B main --fill \
+            -H "${BOT_USERNAME}:${MODULE_VERSION}-${CHANNEL}" \
+            -R "https://${GH_TOOLS_REPO_URL}/kyma/module-manifests/" \
+            --title "Promote Warden ${MODULE_VERSION} to ${CHANNEL} channel" \
+            --body "${WARDEN_SKR_OVERRIDES_REPO_URL}/actions/runs/${{github.run_id}}"

Makefile

@@ -111,6 +111,15 @@ docker-buildx: test ## Build and push docker image for the manager for cross-pla
 render-manifest: helm ## renders warden-manifest.yaml
 	${HELM} template --namespace kyma-system warden charts/warden --set admission.enabled=true > warden-manifest.yaml
 
+.PHONY: render-manifest-for-values
+render-manifest-for-values: helm ## renders warden-manifest.yaml for values.yaml file
+	${HELM} template --namespace kyma-system warden charts/warden --values values.yaml > warden.yaml
+
+.PHONY: module-config
+module-config:
+	yq ".channel = \"${CHANNEL}\" | .version = \"${MODULE_VERSION}\""\
+    	module-config-template.yaml > module-config.yaml
+
 ##@ CI
 
 .PHONY: configure-git-origin

module-config-template.yaml

@@ -1,7 +1,7 @@
-name: {{.Name}}
-channel: {{.Channel}}
-version: {{.Version}}
-manifest: warden-manifest.yaml
-annotations:
-  "operator.kyma-project.io/doc-url": "https://github.com/kyma-project/warden/blob/{{.Version}}/README.md"
+name: kyma-project.io/module/warden
+channel: <this-will-be-autofilled>
+version: <this-will-be-autofilled>
+manifest: warden.yaml
 moduleRepo: https://github.com/kyma-project/warden.git
+moduleRepoTag: <this-will-be-autofilled>
+mandatory: true