ff0eaeb1c8
This is a squashed commit, keeping messages intact for history. - feat(charts/development-pipeline): work behind corporate proxy dockerd sidecar works behind proxy with cert. Proxy is only needed on the sidecar to pull public images. The cert is mounted via a host path so that the proxy may be trusted. - fix(standard-container/roles): remove installing Helm push plugin The standard-container Dockerfile already installs the Helm push plugin, so no reason to try to install it in multiple ansible roles. I suspect this was originally done because someone tried to use `helm push` in the ansible role, but Helm couldn't find even though it was installed in the image. But tekton defines a the HOME env var if you describe the pod in a cluster. So if we just define HELM_DATA_HOME to the location where the push plugin is installed we can remove having to install it in the ansible roles. - feat(standard-container/roles): use image.image_from for docker build Change-Id: Ibc3c5f400978cb98d2d2a37b737b56125f4c2aa7
78 lines
2.4 KiB
YAML
78 lines
2.4 KiB
YAML
apiVersion: tekton.dev/v1beta1
|
|
kind: Task
|
|
metadata:
|
|
name: promote
|
|
namespace: {{ $.Release.Namespace }}
|
|
spec:
|
|
description: >-
|
|
This task will promote images and chart into a non-test repository
|
|
workspaces:
|
|
- name: k8s_cluster_data
|
|
- name: development_pipeline_data
|
|
steps:
|
|
- name: promote-artifacts
|
|
image: {{ $.Values.tasks.promote.promoteImage }}
|
|
env:
|
|
# Connect to the sidecar over TCP, with TLS.
|
|
- name: DOCKER_HOST
|
|
value: tcp://localhost:2376
|
|
# Verify TLS.
|
|
- name: DOCKER_TLS_VERIFY
|
|
value: '1'
|
|
# Use the certs generated by the sidecar daemon.
|
|
- name: DOCKER_CERT_PATH
|
|
value: /certs/client
|
|
# specify HELM_DATA_HOME since tekton defines HOME as /home/tekton, which is used by Helm by default meaning
|
|
# Helm won't find any plugins installed during image build time
|
|
- name: HELM_DATA_HOME
|
|
value: /root/.local/share/helm
|
|
volumeMounts:
|
|
- mountPath: /tekton/home/.docker/config.json
|
|
name: image-push-creds
|
|
subPath: .dockerconfigjson
|
|
- mountPath: /certs/client
|
|
name: dind-certs
|
|
- mountPath: /usr/local/share/ca-certificates/harbor-ca.crt
|
|
name: harbor-ca
|
|
subPath: harbor-ca
|
|
- mountPath: /workspace/helm-creds
|
|
name: helm-publish-creds
|
|
script: |
|
|
/jarvis/promote_artifacts.sh
|
|
sidecars:
|
|
- image: {{ $.Values.tasks.image.sidecarServer }}
|
|
name: server
|
|
args:
|
|
- --storage-driver=vfs
|
|
- --userland-proxy=false
|
|
- --debug
|
|
- --insecure-registry={{ $.Values.tasks.image.insecureRegistry }}
|
|
##TODO: Get rid of privileged true
|
|
securityContext:
|
|
privileged: true
|
|
env:
|
|
# Write generated certs to the path shared with the client.
|
|
- name: DOCKER_TLS_CERTDIR
|
|
value: /certs
|
|
volumeMounts:
|
|
- mountPath: /certs/client
|
|
name: dind-certs
|
|
# Wait for the dind daemon to generate the certs it will share with the
|
|
# client.
|
|
readinessProbe:
|
|
periodSeconds: 1
|
|
exec:
|
|
command: ['ls', '/certs/client/ca.pem']
|
|
volumes:
|
|
- name: dind-certs
|
|
emptyDir: {}
|
|
- name: image-push-creds
|
|
secret:
|
|
secretName: harbor-docker-auth
|
|
- name: helm-publish-creds
|
|
secret:
|
|
secretName: harbor-basic-auth
|
|
- name: harbor-ca
|
|
secret:
|
|
secretName: harbor-ca
|