updatebot: Updates for latest version

The latest version of `updatebot` has two major changes:

1. Projects can encompass multiple images, eliminating the need for
   multiple configuration files and CronJobs.  Projects are now defined
   in a YAML document, since the data structure is very nested and is
   cumbersome to express in TOML.
2. Pull requests can now include a diff of the resources that will
   change if the PR is merged.  This requires the `kubectl` and `diff`
   programs (which are not currently included in the _updatebot_
   container image, so we bind-mount them from the host) and permission
   to compare the local manifests using the Kubernetes API.  Oddly,
   computing the diff requires permission to use the PATCH method, even
   though the client is not requesting any changes.  This is apparently
   a long-standing bug ([issue #981][0]) that may or may not ever be
   fixed.

[0]: https://github.com/kubernetes/kubectl/issues/981
This commit is contained in:
2024-09-08 19:54:58 -05:00
parent 431395f18f
commit f17ad4f779
7 changed files with 134 additions and 248 deletions


@@ -1,9 +1,9 @@
apiVersion: batch/v1
kind: CronJob
metadata:
name: updatebot-home-assistant
name: updatebot
labels: &labels
app.kubernetes.io/name: updatebot-home-assistant
app.kubernetes.io/name: updatebot
spec:
schedule: 32 6 * * 1
timeZone: America/Chicago
@@ -18,9 +18,7 @@ spec:
containers:
- name: updatebot
image: git.pyrocufflink.net/infra/updatebot
args:
- --branch-name
- updatebot/home-assistant
imagePullPolicy: Always
securityContext:
readOnlyRootFilesystem: true
volumeMounts:
@@ -28,146 +26,9 @@ spec:
name: ssh-known-hosts
readOnly: true
subPath: ssh_known_hosts
- mountPath: /home/bot/.config/updatebot/config.toml
- mountPath: /home/bot/.config/updatebot
name: updatebot-config
readOnly: true
subPath: home-assistant.toml
- mountPath: /home/bot/.ssh
name: updatebot-ssh
readOnly: true
- mountPath: /run/secrets/updatebot
name: updatebot-secrets
readOnly: true
- mountPath: /tmp
name: tmp
subPath: tmp
nodeSelector:
kubernetes.io/arch: amd64
securityContext:
runAsNonRoot: true
fsGroup: 25167
volumes:
- name: ssh-known-hosts
configMap:
name: ssh-known-hosts
- name: tmp
emptyDir:
medium: Memory
- name: updatebot-config
configMap:
name: updatebot-projects
- name: updatebot-secrets
secret:
secretName: updatebot
defaultMode: 0640
- name: updatebot-ssh
secret:
secretName: updatebot-ssh
defaultMode: 0640
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: updatebot-firefly-iii
labels: &labels
app.kubernetes.io/name: updatebot-firefly-iii
spec:
schedule: 33 6 * * 1
timeZone: America/Chicago
concurrencyPolicy: Forbid
jobTemplate:
spec:
template:
metadata:
labels: *labels
spec:
restartPolicy: Never
containers:
- name: updatebot
image: git.pyrocufflink.net/infra/updatebot
args:
- --branch-name
- updatebot/firefly-iii
securityContext:
readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /etc/ssh/ssh_known_hosts
name: ssh-known-hosts
readOnly: true
subPath: ssh_known_hosts
- mountPath: /home/bot/.config/updatebot/config.toml
name: updatebot-config
readOnly: true
subPath: firefly-iii.toml
- mountPath: /home/bot/.ssh
name: updatebot-ssh
readOnly: true
- mountPath: /run/secrets/updatebot
name: updatebot-secrets
readOnly: true
- mountPath: /tmp
name: tmp
subPath: tmp
nodeSelector:
kubernetes.io/arch: amd64
securityContext:
runAsNonRoot: true
fsGroup: 25167
volumes:
- name: ssh-known-hosts
configMap:
name: ssh-known-hosts
- name: tmp
emptyDir:
medium: Memory
- name: updatebot-config
configMap:
name: updatebot-projects
- name: updatebot-secrets
secret:
secretName: updatebot
defaultMode: 0640
- name: updatebot-ssh
secret:
secretName: updatebot-ssh
defaultMode: 0640
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: updatebot-paperless-ngx
labels: &labels
app.kubernetes.io/name: updatebot-paperless-ngx
spec:
schedule: 34 6 * * 1
timeZone: America/Chicago
concurrencyPolicy: Forbid
jobTemplate:
spec:
template:
metadata:
labels: *labels
spec:
restartPolicy: Never
containers:
- name: updatebot
image: git.pyrocufflink.net/infra/updatebot
args:
- --branch-name
- updatebot/paperless-ngx
securityContext:
readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /etc/ssh/ssh_known_hosts
name: ssh-known-hosts
readOnly: true
subPath: ssh_known_hosts
- mountPath: /home/bot/.config/updatebot/config.toml
name: updatebot-config
readOnly: true
subPath: paperless-ngx.toml
- mountPath: /home/bot/.ssh
name: updatebot-ssh
readOnly: true
@@ -177,12 +38,27 @@ spec:
- mountPath: /tmp
name: tmp
subPath: tmp
- mountPath: /usr/bin/diff
name: diff
readOnly: true
- mountPath: /usr/bin/kubectl
name: kubectl
readOnly: true
nodeSelector:
kubernetes.io/arch: amd64
securityContext:
runAsNonRoot: true
fsGroup: 25167
serviceAccountName: updatebot
volumes:
- name: diff
hostPath:
path: /usr/bin/diff
type: File
- name: kubectl
hostPath:
path: /usr/bin/kubectl
type: File
- name: ssh-known-hosts
configMap:
name: ssh-known-hosts
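Review bot: The hostPath volumes for `/usr/bin/diff` and `/usr/bin/kubectl` added in the last hunk make the Job pod depend on host binaries and will be rejected if the namespace enforces the `baseline` or `restricted` Pod Security Standard, which forbids hostPath volumes entirely. The mounts are at least `readOnly: true` with `type: File`, so a missing binary fails pod creation instead of silently running something else, but the pod still executes whichever `kubectl` build the node happens to carry. Building both tools into the image (or copying `kubectl` from a pinned image with an init container) removes the host dependency; until then the assumption deserves a comment above the `diff` volume, e.g. `# hostPath: requires diff and kubectl on the node; incompatible with PSS baseline/restricted`. Separately, the `imagePullPolicy: Always` added in the second hunk pulls an untagged `image` on every run, so pinning it to a tag or digest would make what runs under the `updatebot` service account reproducible. The Role/RoleBinding granting that service account the patch verb are presumably in another file of this commit and are not visible here.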