From 5de1379c1ff730c72c2b5cb16e70199ce577cd2c Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Tue, 27 Aug 2024 18:05:50 -0500 Subject: [PATCH] updatebot: Add CronJob to run for Home Assistant `updatebot` is a script I wrote that automatically opens Gitea Pull Requests to update container image references in Kubernetes resource manifests. It checks Github or Docker Hub for the latest release and updates manifests or Kustommization configuration files to point to the current version. It then commits the changes and opens a pull request in Gitea. When combined with ArgoCD automatic synchronization, this makes updating Kubernetes-deployed applications as simple as clicking the merge button in the Gitea PR. To start with, we'll automate Home Assistant upgrades this way.
---
updatebot/.gitignore | 2 + updatebot/kustomization.yaml | 35 ++++++++++++++ updatebot/namespace.yaml | 6 +++ updatebot/projects/home-assistant.toml | 52 ++++++++++++++++++++ updatebot/secrets.yaml | 34 +++++++++++++ updatebot/ssh_known_hosts | 3 ++ updatebot/sshkey.pub | 1 + updatebot/updatebot.yaml | 66 ++++++++++++++++++++++++++ 8 files changed, 199 insertions(+) create mode 100644 updatebot/.gitignore create mode 100644 updatebot/kustomization.yaml create mode 100644 updatebot/namespace.yaml create mode 100644 updatebot/projects/home-assistant.toml create mode 100644 updatebot/secrets.yaml create mode 100644 updatebot/ssh_known_hosts create mode 100644 updatebot/sshkey.pub create mode 100644 updatebot/updatebot.yaml
diff --git a/updatebot/.gitignore b/updatebot/.gitignore
new file mode 100644
index 0000000..f520692
--- /dev/null
+++ b/updatebot/.gitignore
@@ -0,0 +1,2 @@
+gitea.token
+sshkey
diff --git a/updatebot/kustomization.yaml b/updatebot/kustomization.yaml
new file mode 100644
index 0000000..7391cf8
--- /dev/null
+++ b/updatebot/kustomization.yaml
@@ -0,0 +1,35 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: updatebot
+
+labels:
+- pairs:
+ app.kubernetes.io/component: updatebot
+ app.kubernetes.io/instance: updatebot
+ app.kubernetes.io/part-of: updatebot
+
+resources:
+- namespace.yaml
+- updatebot.yaml
+- secrets.yaml
+
+configMapGenerator:
+- name: updatebot-projects
+ files:
+ - home-assistant.toml=projects/home-assistant.toml
+ - firefly-iii.toml=projects/firefly-iii.toml
+ - paperless-ngx.toml=projects/paperless-ngx.toml
+ options:
+ disableNameSuffixHash: true
+
+- name: ssh-known-hosts
+ files:
+ - ssh_known_hosts
+ options:
+ disableNameSuffixHash: true
+
+---
+images:
+- image: git.pyrocufflink.net/infra/updatebot
+ newTag: dev
diff --git a/updatebot/namespace.yaml b/updatebot/namespace.yaml
new file mode 100644
index 0000000..c627c4d
--- /dev/null
+++ b/updatebot/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: updatebot
+ labels:
+ app.kubernetes.io/name: updatebot
diff --git a/updatebot/projects/home-assistant.toml b/updatebot/projects/home-assistant.toml
new file mode 100644
index 0000000..a01ae16
--- /dev/null
+++ b/updatebot/projects/home-assistant.toml
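Review bot: The `---` document separator placed before `images:` splits kustomization.yaml into two YAML documents, and kustomize reads a single Kustomization document from that file, so the `newTag: dev` override will most likely be dropped (or the build rejected), leaving the untagged image in updatebot.yaml to resolve to `:latest`; deleting that `---` line puts `images:` back in the same document as `resources:`. The `configMapGenerator` also lists `projects/firefly-iii.toml` and `projects/paperless-ngx.toml`, which this commit does not add (the diffstat shows only `projects/home-assistant.toml`), so `kustomize build` will fail until those files exist or the two entries are removed. Separately, `dev` is a mutable tag for a job that holds a write-capable Gitea token and an SSH key; pinning with `digest: sha256:<placeholder>` in the `images:` entry would make what runs with those credentials reviewable in this repository.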
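Review bot: The Namespace carries no Pod Security Admission labels, so nothing at the namespace level constrains what a later edit to the CronJob may request. The workload in updatebot.yaml already runs with `runAsNonRoot: true` and `readOnlyRootFilesystem: true`, so adding `pod-security.kubernetes.io/enforce: baseline` and `pod-security.kubernetes.io/warn: restricted` under `metadata.labels` should be satisfiable as-is and would surface regressions; enforcing `restricted` would additionally require the container to drop capabilities and set a seccomp profile.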
@@ -0,0 +1,52 @@
+[repo]
+url = "https://git.pyrocufflink.net/infra/kubernetes"
+token_file = "/run/secrets/updatebot/gitea.token"
+
+[projects.home-assistant]
+kind = "kustomize"
+image = "ghcr.io/home-assistant/home-assistant"
+
+[projects.home-assistant.source]
+kind = "github"
+organization = "home-assistant"
+repo = "core"
+
+[projects.whisper]
+kind = "kustomize"
+path = "home-assistant"
+image = "docker.io/rhasspy/wyoming-whisper"
+
+[projects.whisper.source]
+kind = "docker"
+namespace = "rhasspy"
+repository = "wyoming-whisper"
+
+[projects.piper]
+kind = "kustomize"
+path = "home-assistant"
+image = "docker.io/rhasspy/wyoming-piper"
+
+[projects.piper.source]
+kind = "docker"
+namespace = "rhasspy"
+repository = "wyoming-piper"
+
+[projects.zigbee2mqtt]
+kind = "kustomize"
+path = "home-assistant"
+image = "docker.io/koenkk/zigbee2mqtt"
+
+[projects.zigbee2mqtt.source]
+kind = "github"
+organization = "Koenkk"
+repo = "zigbee2mqtt"
+
+[projects.zwavejs2mqtt]
+kind = "kustomize"
+path = "home-assistant"
+image = "docker.io/zwavejs/zwave-js-ui"
+
+[projects.zwavejs2mqtt.source]
+kind = "github"
+organization = "zwave-js"
+repo = "zwave-js-ui"
diff --git a/updatebot/secrets.yaml b/updatebot/secrets.yaml
new file mode 100644
index 0000000..d866e48
--- /dev/null
+++ b/updatebot/secrets.yaml
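Review bot: `[repo] url` names `git.pyrocufflink.net`, while every entry in `updatebot/ssh_known_hosts` is for `git.pyrocufflink.blue`; if updatebot pushes its branch over SSH to the host it takes from `url`, host-key verification has no matching entry and the push will fail, so either the known_hosts file should cover the host actually contacted or the split between the HTTPS API host and the SSH push host should be stated in a comment above `[repo]`. `[projects.home-assistant]` is also the only project without a `path`, and whether updatebot defaults it to the project name is not visible here; an explicit `path = "home-assistant"` would remove the ambiguity and keep the five entries uniform. A comment above `token_file` naming the Gitea account and the scopes granted to that token would help too, since the SealedSecret that carries it cannot be inspected.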
@@ -0,0 +1,34 @@ +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + name: updatebot-ssh + namespace: updatebot + labels: &labels + app.kubernetes.io/name: updatebot-ssh +spec: + encryptedData: + id_ed25519: AgBtJeOutVpyMyvzIQfAatNqomOXTwPJ6hRwE8r7pAR3UNQdgKoaz+i6f4IIWeLnGDWCveUTFFGp5O6uvuKCqZzo5J8706CV4Y1Cba+nGKbGyObNF5gF7qD2Jz8n4z99SKLA7ZPBRBj4rgtmKz68cJyi4PfDla2/csjONV+PMsMYLquDX8I+7G7YYzdhzt0V89XwzDl4PhegyPTLH0AaQysXfj2/OnmQINiIwwPcbhXv8AiRVFsqWRpsWTCs4nCcNAHIxmSVgzgwqDNZRym31FbLbNpYTD4KhL6zhBpp3GAX/q2Dk5tJtVsUc6v/cvD0+pgcKvgRFMOcH9Z6MgcmotTdpwSINZe4mUY4VHONAt8WNvqUCo+Y80eHDpV5OVfAnMARowwnF8CRV9v19Q6hWnnVvV214IUJuqEgV1IDDIpRl3jmtFBjEQ+s0A0HtYyhgoEZoK7ZeypgIyQJucGjaBh6QArD1hjQtzPsFji52VWdkf/ocqPmg6H4ZL38MRQFhOnvrucJandqQihS0XCMLe5WdLTNzjbTS2skYw/9LqPUZ05pHPPGZQseLcgTclfuNKxYHTS5RNA3xWSWnNUt53VHEjPUMWRQNf1tfqA/EeK52fTM5iqRiI8chtHNUTwX+ZegONJtwwBoxWwfgjEJWBTwiGxjAXkIQoCNfaIqZI6wdHWQs3cXjgsIw8h8H7NIdN/O59CxbpLaU1YgxoKFvfhRQoO8F8RhMuX691o/lIzjFTkE5uZmsQWUCZGQu1M/OiqepmibbFguwIk9hNI41vwcd4nPdxTmQazD0rO72ZsJlUWdoK+psGFiv3Haeua1SXF3XbD0FO/tHu1HW+QDrtThlShP/ozebceEApYmdVHZkcuKYxIbDwL5lgax9L6mFSPpENX7M06uHGMqGLjOBHPXiSacVK6GuNj9ZdNmux6kOrSL9CYdcru/eeWyv64vZxwFavNqK7K/Pu7sgOOe3N+be73awtB7qhfMNaVMP/kK0kF74pHpZLI8qotTkcPv30N9q+yBoSm/nmuYG6Mv1FONSSRUPdBmeeSTpVAIviePvl0C0BApQG6zvBimVEDcWQ/VYnqgwo769lvMjlAVCcOXOqQt4CQ/1lxVtOXHpMt/+ZH+6RoyYu1sGzlPP/yXi5AMVPdYRDvEhUQ/qkpDDL3Up/MiSIKVeQxLTBc+FCz8mj08b+AgyVk1Rl0TfSzaL05Yiv17uvjYrkozTWXk/Yk= + id_ed25519.pub: 
AgALz9mR5yjRcR+LRllzY/+x75tubtbD0+rfdky0+LbwxsVfDirxB4x3vWKzlDMQiB+vtj3DyZz3K+k85MYrEbpZvwMePJ8HM/VW09fImW99+RcD6593bE5jOqAAujNhReopIJpJ3fTqMcNSOHs0eU1bogFJiY+ErsXKuY30EEM2wn53o73jRFThVVNfrS4QG85mFATrkAkS5CBTbUqzzoixhtqbtC+Wnlu4JnAU+c5aUcRdm05G/n0Eh5rKwtvN1SoWF0x4YG6jspzfZuKlhtgaLEK8gYHlMtZfEmUeUy/hpt5nHP3yc/hONUtz0TTYMmtxaMfqZZgGQlM2zTfvWAlxfqDr8U6rANB8HN64LQ2OQ3MGpkYEpMC37hkgVjSL+awttE2h49XuvS6zYg8ia/HTEm0lyE/8eBoVvmZgPzpl7QCcxs0YucrEyV5X1vOwiIO0bueumxsld5rGR5Gn4ReCayuU0Erq5MjXSbOEZf3r/9LbL90KJYLCUFdhSxfbNqSZjorco4ZXHLlhsBFqDFGxjkWDCH9aA7ZFQLH2oUaY4txYl1VmBtTTlIcGMTsBXrvlgdCz4bI9mt1lPFi3WgwYyCWwT0AitYl/FL/1mwlrs0yH9w1Y7AVwJoEp729w8DQ1Qm+wkzMtjVxsgu4bEHQym+5DaDF2XifcT/T/GEBFcqoqrl6e0x25tybI3GnzGcaZ/TY1b5FBW41wl5inwBzwilnlc70nykiCq2Pg/+EQlUFWzh/6el70xlnVatIln3/Lz/sJ2qZjvEugfiESnOy/6JhbP3KSWjoJM5u3K6I6moQeWOH1g7ZDoJb6 + template: + metadata: + name: updatebot-ssh + namespace: updatebot + labels: *labels + +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + name: updatebot + namespace: updatebot + labels: &labels + app.kubernetes.io/name: updatebot +spec: + encryptedData: + gitea.token: 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 + template: + metadata: + name: updatebot + namespace: updatebot + labels: *labels diff --git a/updatebot/ssh_known_hosts b/updatebot/ssh_known_hosts new file mode 100644 index 0000000..2c87f1e --- /dev/null +++ b/updatebot/ssh_known_hosts 
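Review bot: `encryptedData.id_ed25519.pub` seals a value that this commit also commits in plaintext as `updatebot/sshkey.pub`, so a reader cannot check that the sealed key pair is the one whose public half is registered in Gitea. Keeping the public key only in the plaintext file, or adding a comment above `id_ed25519.pub` stating that it is the same key as `sshkey.pub` and naming the Gitea user it is registered to, would make the pairing auditable without unsealing anything.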
@@ -0,0 +1,3 @@ +git.pyrocufflink.blue ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDF1tB0KeyMStHKbnuminTQ2xwjjxyES/DBSlZZH0c7F25Lu6TfvxEEs/7YUtZKAnwFGLfuqW5gaS3eWV1eA3w7WtEGYoBAD6VFZUjN0vfmhNYWC85DMcY+gqkOkBQy1/SvyYSPHrtkgTJRPMG/MdWGaYEN+w/znr1HETPnj4qm7bFC8yxXKU2PXzKlUeY+ynY3hhlzAVwG4Ay7hgH+nO071eoAQtYq9zBdYTifXxoTzatLgU8ib3EYuC3/LDNXkFhYhxDhfp9iwPCNZRi49AccMlL323/Vp8x/Jy/iY5A60Fk8cIYtneEihRkIpzpyTudEK0MXyJ+FJ0vmjiEX5ZY9 +git.pyrocufflink.blue ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJPLXOT4j+jYAIGfuGbtG8ea3oBZwtvOEYNzUHpsQBF9VO9E9nTQBswSRzc+otPzZhr5lJ+BlGo439hHGkbOIo8= +git.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHEF/IXycjT/sSIpFLRDEVZUu95QA3i7d5LZvB/RncHN diff --git a/updatebot/sshkey.pub b/updatebot/sshkey.pub new file mode 100644 index 0000000..371946a --- /dev/null +++ b/updatebot/sshkey.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDw5BwoaF5bHI+VDT7vDCRu62FjdBNX4B/NcAtcgd/Qs updatebot diff --git a/updatebot/updatebot.yaml b/updatebot/updatebot.yaml new file mode 100644 index 0000000..649cc28 --- /dev/null +++ b/updatebot/updatebot.yaml 
@@ -0,0 +1,66 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: updatebot-home-assistant
+ labels: &labels
+ app.kubernetes.io/name: updatebot-home-assistant
+spec:
+ schedule: 32 6 * * 1
+ timeZone: America/Chicago
+ concurrencyPolicy: Forbid
+ jobTemplate:
+ spec:
+ template:
+ metadata:
+ labels: *labels
+ spec:
+ restartPolicy: Never
+ containers:
+ - name: updatebot
+ image: git.pyrocufflink.net/infra/updatebot
+ args:
+ - --branch-name
+ - updatebot/home-assistant
+ securityContext:
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ - mountPath: /etc/ssh/ssh_known_hosts
+ name: ssh-known-hosts
+ readOnly: true
+ subPath: ssh_known_hosts
+ - mountPath: /home/bot/.config/updatebot/config.toml
+ name: updatebot-config
+ readOnly: true
+ subPath: home-assistant.toml
+ - mountPath: /home/bot/.ssh
+ name: updatebot-ssh
+ readOnly: true
+ - mountPath: /run/secrets/updatebot
+ name: updatebot-secrets
+ readOnly: true
+ - mountPath: /tmp
+ name: tmp
+ subPath: tmp
+ nodeSelector:
+ kubernetes.io/arch: amd64
+ securityContext:
+ runAsNonRoot: true
+ fsGroup: 25167
+ volumes:
+ - name: ssh-known-hosts
+ configMap:
+ name: ssh-known-hosts
+ - name: tmp
+ emptyDir:
+ medium: Memory
+ - name: updatebot-config
+ configMap:
+ name: updatebot-projects
+ - name: updatebot-secrets
+ secret:
+ secretName: updatebot
+ defaultMode: 0640
+ - name: updatebot-ssh
+ secret:
+ secretName: updatebot-ssh
+ defaultMode: 0640
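Review bot: The container's `securityContext` sets only `readOnlyRootFilesystem`, leaving privilege escalation, Linux capabilities and the seccomp profile at their defaults, and the pod auto-mounts a ServiceAccount token that nothing in the job uses; for a job holding a write-capable Gitea token and an SSH key for the infra repository, dropping `ALL` capabilities, setting `allowPrivilegeEscalation: false`, selecting the `RuntimeDefault` seccomp profile and setting `automountServiceAccountToken: false` on the pod spec limit what a compromised dependency of updatebot could reach. `schedule: 32 6 * * 1` is an unquoted plain scalar containing `*`; it parses as a string, but `schedule: "32 6 * * 1"` is the conventional form. The Memory-backed `tmp` emptyDir also has no `sizeLimit`, so the repository checkout is bounded only by node memory; `sizeLimit: <placeholder>` under `emptyDir` would cap it.
```yaml
    spec:
      restartPolicy: Never
      automountServiceAccountToken: false
      containers:
      - name: updatebot
        # … unchanged: image, args …
        securityContext:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          seccompProfile:
            type: RuntimeDefault
        # … unchanged: volumeMounts …
```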