Dev #1
Dev #1
Conversation
templates/events/event-bind.yaml
Outdated
| apiVersion: argoproj.io/v1alpha1 | ||
| kind: WorkflowEventBinding | ||
| metadata: | ||
| name: event-bind-workflow |
There was a problem hiding this comment.
Rectified Indentation
There was a problem hiding this comment.
seems there is still too much indentation
There was a problem hiding this comment.
This is the first commit (the outdated one ), I have made a different commit named "Minor Changes".
templates/secrets/secret-svc.yaml
Outdated
| apiVersion: v1 | ||
| kind: ServiceAccount | ||
| metadata: | ||
| name: github.com |
| container: | ||
| image: alpine/helm | ||
| command: [sh, -c] | ||
| args: ["apk add --update git; git clone {{ workflow.parameters.github }}; DIR_TEST=$(ls) && cd $DIR_TEST && ls && export HELM_EXPERIMENTAL_OCI=1 && echo {{ inputs.parameters.token }} | helm registry login --username AWS --password-stdin {{ workflow.parameters.registry }}; helm chart save . {{ workflow.parameters.imagename }} && helm chart push {{ workflow.parameters.imagename }}"] |
There was a problem hiding this comment.
apk add should not be used, nor any package manager, since the image should not be root so these command should not be able to work. so this step should be splitted into more steps, one with git image and another with helm.
And by the way, how did this work ? Did you use an SCC or something ?
There was a problem hiding this comment.
Removed the apk and added an extra step for git . No, I did not use any SCC. This would just pull the repo package it and push it to the Registry. Also there needs to be a webhook created for the repository so that it could be the trigger point
| value: <secret_key> | ||
| - name: access | ||
| value: <access_key> | ||
| - name: github |
There was a problem hiding this comment.
should be a generic git url, not only github
There was a problem hiding this comment.
Removed it and passed it on k8s secret
| value: <aws_region> | ||
| - name: registry | ||
| value: "<registry_name>" | ||
| - name: imagename |
There was a problem hiding this comment.
chart name instead of imagename
There was a problem hiding this comment.
Changed to imagename
|
|
||
| - name: gen-token-bash | ||
| script: | ||
| image: amazon/aws-cli |
There was a problem hiding this comment.
we should have an image with a tag (specific version), not latest
There was a problem hiding this comment.
Made the image tag specific
| templates: | ||
| - name: generate-token | ||
| steps: | ||
| - - name: generate |
There was a problem hiding this comment.
we need a more specific name for this step, "generate" is too generic
There was a problem hiding this comment.
Changed generate to "create-token"
| image: amazon/aws-cli | ||
| command: [bash] | ||
| source: | | ||
| export AWS_ACCESS_KEY_ID={{ workflow.parameters.access }} && export AWS_SECRET_ACCESS_KEY={{ workflow.parameters.secret }} && export AWS_DEFAULT_REGION={{ workflow.parameters.region }} && /usr/local/bin/aws ecr-public get-login-password --region {{ workflow.parameters.region }} |
There was a problem hiding this comment.
there are several security issues here. secrets should not be exposed like this in CLI
There was a problem hiding this comment.
Passed access-keys and all secrets into k8s secrets
| container: | ||
| image: alpine/helm | ||
| command: [sh, -c] | ||
| args: ["apk add --update git; git clone {{ workflow.parameters.github }}; DIR_TEST=$(ls) && cd $DIR_TEST && ls && export HELM_EXPERIMENTAL_OCI=1 && echo {{ inputs.parameters.token }} | helm registry login --username AWS --password-stdin {{ workflow.parameters.registry }}; helm chart save . {{ workflow.parameters.imagename }} && helm chart push {{ workflow.parameters.imagename }}"] |
There was a problem hiding this comment.
DIR_TEST: is it really a directory for test ?
| container: | ||
| image: alpine/helm | ||
| command: [sh, -c] | ||
| args: ["apk add --update git; git clone {{ workflow.parameters.github }}; DIR_TEST=$(ls) && cd $DIR_TEST && ls && export HELM_EXPERIMENTAL_OCI=1 && echo {{ inputs.parameters.token }} | helm registry login --username AWS --password-stdin {{ workflow.parameters.registry }}; helm chart save . {{ workflow.parameters.imagename }} && helm chart push {{ workflow.parameters.imagename }}"] |
There was a problem hiding this comment.
how do you manage git clone git repos that are not public which needs an authentication ?
There was a problem hiding this comment.
Have taken a user input if repo is private or public , if private then user will have to create a secret whose template also I have added.
| value: private # Can be private or public accordingly, private creds to be stored in a secret . | ||
|
|
||
| - name: public-url | ||
| value: "https://github.com/Ishu27/test-argo-workflow.git" |
There was a problem hiding this comment.
these examples should be removed, we need something clean
There was a problem hiding this comment.
Removed examples and changed variable to git-url
| value: us-east-1 | ||
|
|
||
| - name: registry | ||
| value: "public.ecr.aws/h8x3r6g1" |
There was a problem hiding this comment.
these examples should be removed, we need something clean
There was a problem hiding this comment.
Removed example and added simple registry_name instead.
| - name: registry | ||
| value: "public.ecr.aws/h8x3r6g1" | ||
| - name: chartname | ||
| value: "public.ecr.aws/h8x3r6g1/test-argo:v2" |
There was a problem hiding this comment.
this should be removed, we need something clean
| - name: workdir | ||
| mountPath: /mnt/vol | ||
|
|
||
| - name: others |
There was a problem hiding this comment.
"others" is too generic. step names should be specific and self-explanatory about the function of that step, like you did for other steps.
There was a problem hiding this comment.
Changed to private-registry
| metadata: | ||
| name: push-to-registry-template | ||
| spec: | ||
| arguments: |
There was a problem hiding this comment.
is arguments field necessary or can it be removed ?
There was a problem hiding this comment.
Parameters needs to be passed which are under arguments
| templates: | ||
| - name: generate-token | ||
| steps: | ||
| - - name: pull-public-repo |
There was a problem hiding this comment.
this should be simplified. we should only have one "pull-repo" step, which should check in bash script whether git credentials have been provided. if yes, then they should be used. if not, then the script should assume that it's a public repo
There was a problem hiding this comment.
Changed the code and used a single step pull-repo
| image: alpine/helm:3.5.4 | ||
| imagePullPolicy: IfNotPresent | ||
| command: [sh, -c] | ||
| args: ["export HELM_EXPERIMENTAL_OCI=1 && helm registry login {{ workflow.parameters.registry }} --username $registry_username --password $registry_password ; cd /mnt/vol/git-local-dir && helm chart save . {{ workflow.parameters.chartname }} && helm chart push {{ workflow.parameters.chartname }} "] |
There was a problem hiding this comment.
you can use "script" step to make the code more readable instead of using "&&" a lot. you can find an example here: https://argoproj.github.io/argo-workflows/examples/#scripts-results
There was a problem hiding this comment.
Changed and used script
| image: amazon/aws-cli:2.2.4 | ||
| imagePullPolicy: IfNotPresent | ||
| command: [sh, -c] | ||
| args: ["export AWS_ACCESS_KEY_ID=$access_key && export AWS_SECRET_ACCESS_KEY=$secret_key && export AWS_DEFAULT_REGION={{ workflow.parameters.region }} && /usr/local/bin/aws ecr-public get-login-password --region {{ workflow.parameters.region }}"] |
There was a problem hiding this comment.
you can use "script" step to make the code more readable instead of using "&&" a lot. you can find an example here: https://argoproj.github.io/argo-workflows/examples/#scripts-results
There was a problem hiding this comment.
changed and used script
| image: alpine/helm:3.5.4 | ||
| imagePullPolicy: IfNotPresent | ||
| command: [sh, -c] | ||
| args: ["export HELM_EXPERIMENTAL_OCI=1 && echo {{ inputs.parameters.token }} | helm registry login --username AWS --password-stdin {{ workflow.parameters.registry }}; cd /mnt/vol/git-local-dir && helm chart save . {{ workflow.parameters.chartname }} && helm chart push {{ workflow.parameters.chartname }}"] |
There was a problem hiding this comment.
you can use "script" step to make the code more readable instead of using "&&" a lot. you can find an example here: https://argoproj.github.io/argo-workflows/examples/#scripts-results
Addition of Event Templates