
Commit 9aa758a

authored
2025 week32 update 2 (#85)
changes * upgrade default deployment of TIBCO Platform to 1.9 * upgrade default tekton to v1 * upgrade default EKS version from 1.31 to 1.33
1 parent 9cdab7b commit 9aa758a


7 files changed

+280
-167
lines changed


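--- a/charts/provisioner-config-local/Chart.yaml
+++ b/charts/provisioner-config-local/Chart.yaml
@@ -8,7 +8,7 @@ apiVersion: v2
 name: provisioner-config-local
 description: Platform Provisioner local config
 type: application
-version: "1.8.1"
+version: "1.9.11"
 appVersion: "2.0.1"
 home: https://github.com/TIBCOSoftware/tp-helm-charts
 maintainers: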

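--- a/charts/provisioner-config-local/recipes/pp-deploy-cp-core-on-prem.yaml
+++ b/charts/provisioner-config-local/recipes/pp-deploy-cp-core-on-prem.yaml
@@ -31,8 +31,8 @@ meta:
 GUI_CP_PROXY_NO_PROXY: ""
 
 # CP version see: https://docs.tibco.com/pub/platform-cp/1.5.1/doc/html/Default.htm#Installation/helm-chart-version-matrix.htm
-GUI_CP_PLATFORM_BOOTSTRAP_VERSION: 1.8.0
-GUI_CP_PLATFORM_BASE_VERSION: 1.8.0
+GUI_CP_PLATFORM_BOOTSTRAP_VERSION: 1.9.0
+GUI_CP_PLATFORM_BASE_VERSION: 1.9.0
 
 # CP env
 GUI_CP_INSTANCE_ID: "cp1"
@@ -202,6 +202,8 @@ meta:
 CP_DB_SSL_MODE: ${GUI_CP_DB_SSL_MODE:-"disable"} # verify-full, disable
 CP_DB_SSL_ROOT_CERT: ${GUI_CP_DB_SSL_ROOT_CERT:-""}
 CP_DB_DELETE_ON_UNINSTALL: ${GUI_CP_DB_DELETE_ON_UNINSTALL:-"false"}
+CP_ENCRYPTION_SECRET_NAME: ${GUI_CP_ENCRYPTION_SECRET_NAME:-"cporch-encryption-secret"}
+CP_ENCRYPTION_SECRET_KEY: ${GUI_CP_ENCRYPTION_SECRET_KEY:-"CP_ENCRYPTION_SECRET"}
 CP_DB_SSL_ROOT_CERT_SECRET_NAME: ${GUI_CP_DB_SSL_ROOT_CERT_SECRET_NAME:-"db-ssl-root-cert"}
 CP_DB_SSL_ROOT_CERT_FILENAME: ${GUI_CP_DB_SSL_ROOT_CERT_FILENAME:-"db_ssl_root.cert"}
 
@@ -239,8 +241,8 @@ meta:
 TP_TLS_KEY_HYBRID_PROXY: ${GUI_TP_TLS_KEY_HYBRID_PROXY:-""} # the tls.key for hybrid-proxy ingress
 
 # CP version see: https://docs.tibco.com/pub/platform-cp/1.5.1/doc/html/Default.htm#Installation/helm-chart-version-matrix.htm
-CP_PLATFORM_BOOTSTRAP_VERSION: ${GUI_CP_PLATFORM_BOOTSTRAP_VERSION:-1.8.0} # use ^1.0.0 for latest
-CP_PLATFORM_BASE_VERSION: ${GUI_CP_PLATFORM_BASE_VERSION:-1.8.0} # use ^1.0.0 for latest
+CP_PLATFORM_BOOTSTRAP_VERSION: ${GUI_CP_PLATFORM_BOOTSTRAP_VERSION:-1.9.0} # use ^1.0.0 for latest
+CP_PLATFORM_BASE_VERSION: ${GUI_CP_PLATFORM_BASE_VERSION:-1.9.0} # use ^1.0.0 for latest
 
 # flow control
 CP_VALIDATE_CLUSTER_RESOURCE: ${GUI_CP_VALIDATE_CLUSTER_RESOURCE:-true}
@@ -545,70 +547,69 @@ helmCharts:
 values:
 keepPrevious: false
 content: |
-tp-cp-bootstrap:
-compute-services:
-enabled: true
-resources:
-requests:
-cpu: ${CP_RESOURCES_REQUEST_CPU}
-memory: ${CP_RESOURCES_REQUEST_MEMORY}
-limits:
-cpu: 1250m
-memory: 1000Mi
-hybrid-proxy:
-enabled: true
-resources:
-requests:
-cpu: ${CP_RESOURCES_REQUEST_CPU}
-memory: ${CP_RESOURCES_REQUEST_MEMORY}
-limits:
-cpu: 1250m
-memory: 1000Mi
-ingress:
-enabled: ${CP_BOOTSTRAP_INGRESS_HYBRID_PROXY}
-annotations:
-external-dns.alpha.kubernetes.io/hostname: "*.${CP_TUNNEL_DNS_DOMAIN}"
-nginx.ingress.kubernetes.io/proxy-buffer-size: 16k
-ingressClassName: ${CP_INGRESS_CLASSNAME}
-hosts:
-- host: '*.${CP_TUNNEL_DNS_DOMAIN}'
-paths:
-- path: /
-pathType: Prefix
-port: 105
-router-operator:
-enabled: true
-resources:
-requests:
-cpu: ${CP_RESOURCES_REQUEST_CPU}
-memory: ${CP_RESOURCES_REQUEST_MEMORY}
-limits:
-cpu: 3000m
-memory: 1000Mi
-ingress:
-enabled: ${CP_BOOTSTRAP_INGRESS_ROUTER}
-annotations:
-external-dns.alpha.kubernetes.io/hostname: "*.${CP_SERVICE_DNS_DOMAIN}"
-nginx.ingress.kubernetes.io/proxy-buffer-size: 16k
-nginx.ingress.kubernetes.io/proxy-body-size: 200m # set to 200m to allow large file upload PCP-7954
-ingressClassName: ${CP_INGRESS_CLASSNAME}
-hosts:
-- host: '*.${CP_SERVICE_DNS_DOMAIN}'
-paths:
-- path: /
-pathType: Prefix
-port: 100
-resource-set-operator:
-enabled: true
-resources:
-requests:
-cpu: ${CP_RESOURCES_REQUEST_CPU}
-memory: ${CP_RESOURCES_REQUEST_MEMORY}
-limits:
-cpu: 1000m
-memory: 1000Mi
-otel-collector:
-enabled: ${CP_LOG_ENABLE}
+compute-services:
+enabled: true
+resources:
+requests:
+cpu: ${CP_RESOURCES_REQUEST_CPU}
+memory: ${CP_RESOURCES_REQUEST_MEMORY}
+limits:
+cpu: 1250m
+memory: 1000Mi
+hybrid-proxy:
+enabled: true
+resources:
+requests:
+cpu: ${CP_RESOURCES_REQUEST_CPU}
+memory: ${CP_RESOURCES_REQUEST_MEMORY}
+limits:
+cpu: 1250m
+memory: 1000Mi
+ingress:
+enabled: ${CP_BOOTSTRAP_INGRESS_HYBRID_PROXY}
+annotations:
+external-dns.alpha.kubernetes.io/hostname: "*.${CP_TUNNEL_DNS_DOMAIN}"
+nginx.ingress.kubernetes.io/proxy-buffer-size: 16k
+ingressClassName: ${CP_INGRESS_CLASSNAME}
+hosts:
+- host: '*.${CP_TUNNEL_DNS_DOMAIN}'
+paths:
+- path: /
+pathType: Prefix
+port: 105
+router-operator:
+enabled: true
+resources:
+requests:
+cpu: ${CP_RESOURCES_REQUEST_CPU}
+memory: ${CP_RESOURCES_REQUEST_MEMORY}
+limits:
+cpu: 3000m
+memory: 1000Mi
+ingress:
+enabled: ${CP_BOOTSTRAP_INGRESS_ROUTER}
+annotations:
+external-dns.alpha.kubernetes.io/hostname: "*.${CP_SERVICE_DNS_DOMAIN}"
+nginx.ingress.kubernetes.io/proxy-buffer-size: 16k
+nginx.ingress.kubernetes.io/proxy-body-size: 200m # set to 200m to allow large file upload PCP-7954
+ingressClassName: ${CP_INGRESS_CLASSNAME}
+hosts:
+- host: '*.${CP_SERVICE_DNS_DOMAIN}'
+paths:
+- path: /
+pathType: Prefix
+port: 100
+resource-set-operator:
+enabled: true
+resources:
+requests:
+cpu: ${CP_RESOURCES_REQUEST_CPU}
+memory: ${CP_RESOURCES_REQUEST_MEMORY}
+limits:
+cpu: 1000m
+memory: 1000Mi
+otel-collector:
+enabled: ${CP_LOG_ENABLE}
 global:
 external:
 clusterInfo:
@@ -668,12 +669,12 @@ helmCharts:
 export _star_tunnel_dns="'*.${CP_TUNNEL_DNS_DOMAIN}'"
 export _tp_generate_certificate_name="${TP_GENERATE_CERTIFICATE_NAME}"
 yq eval '
-(.tp-cp-bootstrap.router-operator.ingress.tls[0].secretName = env(_tp_generate_certificate_name)) |
-(.tp-cp-bootstrap.router-operator.ingress.tls[0].hosts[0] = env(_star_service_dns)) |
-(.tp-cp-bootstrap.router-operator.ingress.tls[0].hosts[0] style="single") |
-(.tp-cp-bootstrap.hybrid-proxy.ingress.tls[0].secretName = env(_tp_generate_certificate_name)) |
-(.tp-cp-bootstrap.hybrid-proxy.ingress.tls[0].hosts[0] = env(_star_tunnel_dns)) |
-(.tp-cp-bootstrap.hybrid-proxy.ingress.tls[0].hosts[0] style="single")
+(.router-operator.ingress.tls[0].secretName = env(_tp_generate_certificate_name)) |
+(.router-operator.ingress.tls[0].hosts[0] = env(_star_service_dns)) |
+(.router-operator.ingress.tls[0].hosts[0] style="single") |
+(.hybrid-proxy.ingress.tls[0].secretName = env(_tp_generate_certificate_name)) |
+(.hybrid-proxy.ingress.tls[0].hosts[0] = env(_star_tunnel_dns)) |
+(.hybrid-proxy.ingress.tls[0].hosts[0] style="single")
 ' tls_values.yaml > tls_values.yaml
 
 echo "TLS values:"
@@ -685,9 +686,9 @@ helmCharts:
 export _star_service_dns="'*.${CP_SERVICE_DNS_DOMAIN}'"
 export _tp_router_certificate_name="${TP_TLS_SECRET_NAME_ROUTER}"
 yq eval '
-(.tp-cp-bootstrap.router-operator.ingress.tls[0].secretName = env(_tp_router_certificate_name)) |
-(.tp-cp-bootstrap.router-operator.ingress.tls[0].hosts[0] = env(_star_service_dns)) |
-(.tp-cp-bootstrap.router-operator.ingress.tls[0].hosts[0] style="single")
+(.router-operator.ingress.tls[0].secretName = env(_tp_router_certificate_name)) |
+(.router-operator.ingress.tls[0].hosts[0] = env(_star_service_dns)) |
+(.router-operator.ingress.tls[0].hosts[0] style="single")
 ' tls_router_values.yaml > tls_router_values.yaml
 
 echo "TLS Router values:"
@@ -699,9 +700,9 @@ helmCharts:
 export _star_tunnel_dns="'*.${CP_TUNNEL_DNS_DOMAIN}'"
 export _tp_hybrid_proxy_certificate_name="${TP_TLS_SECRET_NAME_HYBRID_PROXY}"
 yq eval '
-(.tp-cp-bootstrap.hybrid-proxy.ingress.tls[0].secretName = env(_tp_hybrid_proxy_certificate_name)) |
-(.tp-cp-bootstrap.hybrid-proxy.ingress.tls[0].hosts[0] = env(_star_tunnel_dns)) |
-(.tp-cp-bootstrap.hybrid-proxy.ingress.tls[0].hosts[0] style="single")
+(.hybrid-proxy.ingress.tls[0].secretName = env(_tp_hybrid_proxy_certificate_name)) |
+(.hybrid-proxy.ingress.tls[0].hosts[0] = env(_star_tunnel_dns)) |
+(.hybrid-proxy.ingress.tls[0].hosts[0] style="single")
 ' tls_hybrid_proxy_values.yaml > tls_hybrid_proxy_values.yaml
 
 echo "TLS Hybrid Proxy values:"
@@ -730,12 +731,29 @@ helmCharts:
 else
 echo "Log server password not found, please set it in the recipe"
 echo "disable otel-collector"
-yq eval '.tp-cp-bootstrap.otel-collector.enabled = false' log_values.yaml > log_values.tmp.yaml
+yq eval '.otel-collector.enabled = false' log_values.yaml > log_values.tmp.yaml
 fi
 mv log_values.tmp.yaml log_values.yaml
 echo "Log values:"
 cat log_values.yaml
 fi
+TSC_SESSION_KEY=$(kubectl get tibcoclusterenv ops.tsc.session.key -n $CP_NAMESPACE -o jsonpath='{.spec.value}')
+DOMAIN_SESSION_KEY=$(kubectl get tibcoclusterenv ops.domain.session.key -n $CP_NAMESPACE -o jsonpath='{.spec.value}')
+if [[ -n "${TSC_SESSION_KEY}" && -n "${DOMAIN_SESSION_KEY}" ]]; then
+if kubectl get secret -n $CP_NAMESPACE session-keys --ignore-not-found | grep -q session-keys; then
+echo "session-keys secret already exists, not creating a new one"
+else
+echo "Found session keys in tibcoclusterenv, creating session-keys secret using existing tibcoclusterenv values"
+kubectl create secret -n $CP_NAMESPACE generic session-keys --from-literal=TSC_SESSION_KEY=$TSC_SESSION_KEY --from-literal=DOMAIN_SESSION_KEY=$DOMAIN_SESSION_KEY
+fi
+else
+if kubectl get secret -n $CP_NAMESPACE session-keys --ignore-not-found | grep -q session-keys; then
+echo "session-keys secret already exists, not creating a new one"
+else
+echo "session-keys secret not found, creating a new one using random values"
+kubectl create secret -n $CP_NAMESPACE generic session-keys --from-literal=TSC_SESSION_KEY=$(openssl rand -base64 48 | tr -dc A-Za-z0-9 | head -c32) --from-literal=DOMAIN_SESSION_KEY=$(openssl rand -base64 48 | tr -dc A-Za-z0-9 | head -c32)
+fi
+fi
 - name: platform-base
 version: ${CP_PLATFORM_BASE_VERSION}
 condition: ${CP_INSTALL_PLATFORM_BASE}
@@ -749,6 +767,23 @@ helmCharts:
 content: |
 global:
 tibco:
+logging:
+fluentbit:
+enabled: ${CP_LOG_ENABLE} # set to true to enable fluentbit for CP
+containerRegistry:
+url: ${CP_CONTAINER_REGISTRY}
+password: "${CP_CONTAINER_REGISTRY_PASSWORD}"
+username: "${CP_CONTAINER_REGISTRY_USERNAME}"
+repository: "${CP_CONTAINER_REGISTRY_REPOSITORY}"
+proxy:
+httpProxy: "${CP_PROXY_HTTP_PROXY}"
+httpsProxy: "${CP_PROXY_HTTPS_PROXY}"
+noProxy: "${CP_PROXY_NO_PROXY}"
+controlPlaneInstanceId: ${CP_INSTANCE_ID}
+serviceAccount: ${CP_INSTANCE_ID}-sa
+createNetworkPolicy: ${TP_CREATE_NETWORK_POLICIES}
+enableResourceConstraints: ${CP_GLOBAL_ENABLE_RESOURCE_CONSTRAINTS}
+useSingleNamespace: ${CP_GLOBAL_USE_SINGLE_NAMESPACE}
 db_ssl_root_cert_secretname: "${CP_DB_SSL_ROOT_CERT_SECRET_NAME}"
 db_ssl_root_cert_filename: "${CP_DB_SSL_ROOT_CERT_FILENAME}"
 helm:
@@ -760,6 +795,13 @@ helmCharts:
 deleteDBOnUninstall: "${CP_DB_DELETE_ON_UNINSTALL}"
 enableResourceConstraints: ${CP_GLOBAL_ENABLE_RESOURCE_CONSTRAINTS}
 external:
+cpEncryptionSecretName: "${CP_ENCRYPTION_SECRET_NAME}"
+cpEncryptionSecretKey: "${CP_ENCRYPTION_SECRET_KEY}"
+clusterInfo:
+nodeCIDR: ${TP_CLUSTER_NODE_CIDR}
+podCIDR: ${TP_CLUSTER_POD_CIDR}
+serviceCIDR: ${TP_CLUSTER_SERVICE_CIDR}
+dnsDomain: ${CP_SERVICE_DNS_DOMAIN}
 environment: ${CP_EXTERNAL_ENVIRONMENT}
 helmRepo: ${CP_CHART_REPO}
 db_host: ${CP_DB_HOST}
@@ -1048,3 +1090,17 @@ helmCharts:
 wait: true
 timeout: 1h
 createNamespace: ${CP_CREATE_NAMESPACE}
+hooks:
+preDeploy:
+ignoreErrors: false
+base64Encoded: false
+skip: false
+content: |
+if kubectl get secret -n $CP_NAMESPACE $CP_ENCRYPTION_SECRET_NAME --ignore-not-found | grep -q $CP_ENCRYPTION_SECRET_NAME; then
+echo "$CP_ENCRYPTION_SECRET_NAME secret already exists, not creating a new one"
+echo "Annotating the secret with helm.sh/resource-policy=keep so that it doesn't get deleted by helm upgrade"
+kubectl annotate secret $CP_ENCRYPTION_SECRET_NAME helm.sh/resource-policy=keep --overwrite -n $CP_NAMESPACE
+else
+echo "CP_ENCRYPTION_SECRET_NAME secret not found, Creating a new secret with random value"
+kubectl create secret -n $CP_NAMESPACE generic $CP_ENCRYPTION_SECRET_NAME --from-literal=$CP_ENCRYPTION_SECRET_KEY=$(openssl rand -base64 48 | tr -dc A-Za-z0-9 | head -c44)
+fi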
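Review bot: The added session-keys block and the new preDeploy hook expand cluster-derived values unquoted on the kubectl command line (`--from-literal=TSC_SESSION_KEY=$TSC_SESSION_KEY`, `-n $CP_NAMESPACE`, `grep -q $CP_ENCRYPTION_SECRET_NAME`), so a value containing whitespace or glob characters is word-split into extra kubectl arguments instead of being stored as the key. Quote each expansion, e.g. `--from-literal=TSC_SESSION_KEY="${TSC_SESSION_KEY}"` and `-n "${CP_NAMESPACE}"`. The key material also travels on argv, so it would land in the pipeline log if this script ever runs with shell tracing on; a comment such as `# keep xtrace off here: the kubectl calls below carry key material on argv` would warn the next maintainer. In the hook's else branch the message prints the literal text `CP_ENCRYPTION_SECRET_NAME` because the `$` is missing. The enclosing script and its shell options are outside these hunks, so how a failing `kubectl get tibcoclusterenv` is handled on a first install should be confirmed.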

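--- a/dev/platform-provisioner-install.sh
+++ b/dev/platform-provisioner-install.sh
@@ -48,8 +48,8 @@
 [[ -z "${PIPELINE_SKIP_PROVISIONER_UI}" ]] && export PIPELINE_SKIP_PROVISIONER_UI=${PIPELINE_SKIP_PROVISIONER_UI:-false}
 [[ -z "${PIPELINE_SKIP_TEKTON_PIPELINE}" ]] && export PIPELINE_SKIP_TEKTON_PIPELINE=${PIPELINE_SKIP_TEKTON_PIPELINE:-false}
 [[ -z "${PIPELINE_SKIP_TEKTON_DASHBOARD}" ]] && export PIPELINE_SKIP_TEKTON_DASHBOARD=${PIPELINE_SKIP_TEKTON_DASHBOARD:-true}
-[[ -z "${TEKTON_PIPELINE_RELEASE}" ]] && export TEKTON_PIPELINE_RELEASE=${TEKTON_PIPELINE_RELEASE:-"v0.65.0"}
-[[ -z "${TEKTON_DASHBOARD_RELEASE}" ]] && export TEKTON_DASHBOARD_RELEASE=${TEKTON_DASHBOARD_RELEASE:-"v0.52.0"}
+[[ -z "${TEKTON_PIPELINE_RELEASE}" ]] && export TEKTON_PIPELINE_RELEASE=${TEKTON_PIPELINE_RELEASE:-"v1.0.0"}
+[[ -z "${TEKTON_DASHBOARD_RELEASE}" ]] && export TEKTON_DASHBOARD_RELEASE=${TEKTON_DASHBOARD_RELEASE:-"v0.57.0"}
 [[ -z "${PIPELINE_CHART_VERSION_COMMON}" ]] && export PIPELINE_CHART_VERSION_COMMON=${PIPELINE_CHART_VERSION_COMMON:-"^1.0.0"}
 [[ -z "${PIPELINE_CHART_VERSION_GENERIC_RUNNER}" ]] && export PIPELINE_CHART_VERSION_GENERIC_RUNNER=${PIPELINE_CHART_VERSION_GENERIC_RUNNER:-"^1.0.0"}
 [[ -z "${PIPELINE_CHART_VERSION_HELM_INSTALL}" ]] && export PIPELINE_CHART_VERSION_HELM_INSTALL=${PIPELINE_CHART_VERSION_HELM_INSTALL:-"^1.0.0"}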

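--- a/dev/platform-provisioner-pipelinerun.sh
+++ b/dev/platform-provisioner-pipelinerun.sh
@@ -38,7 +38,7 @@ fi
 
 # Accept the integer input from the user
 recipe_template='
-apiVersion: tekton.dev/v1beta1
+apiVersion: tekton.dev/v1
 kind: PipelineRun
 metadata:
 labels:
@@ -63,7 +63,8 @@ ${pipeline_recipe}
 value: "${region}"
 pipelineRef:
 name: "${pipeline_name}"
-serviceAccountName: ${pipeline_service_account_name}
+taskRunTemplate:
+serviceAccountName: ${pipeline_service_account_name}
 timeouts:
 finally: 5m0s
 pipeline: 2h0m0s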
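Review bot: `serviceAccountName: ${pipeline_service_account_name}` under the new `taskRunTemplate:` is the only templated value in this hunk left unquoted, and nothing visible here checks that the variable is set; an empty expansion renders a null field, and Tekton then runs the tasks under its configured default service account rather than the intended one. I would quote it like its neighbours, `serviceAccountName: "${pipeline_service_account_name}"`, and fail early before the template is rendered, e.g. `: "${pipeline_service_account_name:?must be set}"`. The template starts and ends outside these hunks, so an existing guard elsewhere in the script would make the second part unnecessary.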
