From 5308368fefcf9803196eaee8cc4db91895eb11fc Mon Sep 17 00:00:00 2001
From: Michal Nasiadka
Date: Fri, 9 May 2025 12:17:14 +0000
Subject: [PATCH] Add Operator deployment to CI/CD
---
 .github/workflows/pr.yml | 2 +-
 ansible/inventory/group_vars/all/additional | 2 +
 ansible/inventory/group_vars/all/crd | 192 ++++++++++++++++++++
 ansible/inventory/group_vars/all/operator | 21 +++
 ansible/inventory/group_vars/all/rbac | 126 +++++++++++++
 ansible/inventory/group_vars/all/secrets | 2 +
 ansible/run.yml | 30 +++
 7 files changed, 374 insertions(+), 1 deletion(-)
 create mode 100644 ansible/inventory/group_vars/all/additional
 create mode 100644 ansible/inventory/group_vars/all/crd
 create mode 100644 ansible/inventory/group_vars/all/operator
 create mode 100644 ansible/inventory/group_vars/all/rbac
 create mode 100644 ansible/inventory/group_vars/all/secrets
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index 22ed702..7ffb667 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -27,5 +27,5 @@ jobs: - name: Run playbook run: > - ansible-playbook -i ansible/inventory ansible/run.yml + ansible-playbook -i ansible/inventory ansible/run.yml --check --diff
diff --git a/ansible/inventory/group_vars/all/additional b/ansible/inventory/group_vars/all/additional
new file mode 100644
index 0000000..2cfc0f2
--- /dev/null
+++ b/ansible/inventory/group_vars/all/additional
@@ -0,0 +1,2 @@
+---
+zuul_operator_additional: []
diff --git a/ansible/inventory/group_vars/all/crd b/ansible/inventory/group_vars/all/crd
new file mode 100644
index 0000000..5dc5f28
--- /dev/null
+++ b/ansible/inventory/group_vars/all/crd
@@ -0,0 +1,192 @@
+---
+zuul_operator_crd: |
+ apiVersion: apiextensions.k8s.io/v1
+ kind: CustomResourceDefinition
+ metadata:
+ name: zuuls.operator.zuul-ci.org
+ spec:
+ group: operator.zuul-ci.org
+ names:
+ kind: Zuul
+ listKind: ZuulList
+ plural: zuuls
+ singular: zuul
+ shortNames:
+ - zuul
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ served: false
+ storage: false
+ schema:
+ openAPIV3Schema:
+ type: object
+ - name: v1alpha2
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ type: object
+ properties:
+ imagePrefix:
+ type: string
+ imagePullSecrets:
+ type: array
+ items:
+ type: string
+ zuulImageVersion:
+ type: string
+ zuulPreviewImageVersion:
+ type: string
+ zuulRegistryImageVersion:
+ type: string
+ nodepoolImageVersion:
+ type: string
+ database:
+ type: object
+ properties:
+ secretName:
+ type: string
+ allowUnsafeConfig:
+ type: boolean
+ default: false
+ zookeeper:
+ type: object
+ properties:
+ hosts:
+ type: string
+ secretName:
+ type: string
+ storageClassName:
+ type: string
+ env:
+ type: array
+ items:
+ type: object
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ scheduler:
+ type: object
+ properties:
+ config:
+ type: object
+ properties:
+ secretName:
+ type: string
+ count:
+ type: integer
+ default: 1
+ minimum: 1
+ storageClassName:
+ type: string
+ launcher:
+ type: object
+ properties:
+ config:
+ type: object
+ properties:
+ secretName:
+ type: string
+ executor:
+ type: object
+ properties:
+ count:
+ type: integer
+ default: 1
+ minimum: 1
+ sshkey:
+ type: object
+ properties:
+ secretName:
+ type: string
+ terminationGracePeriodSeconds:
+ type: integer
+ default: 21600
+ minimum: 0
+ merger:
+ type: object
+ properties:
+ count:
+ type: integer
+ git_user_email:
+ type: string
+ git_user_name:
+ type: string
+ web:
+ type: object
+ properties:
+ count:
+ type: integer
+ default: 1
+ status_url:
+ type: string
+ fingergw:
+ type: object
+ properties:
+ count:
+ type: integer
+ default: 1
+ connections:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ externalConfig:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ jobVolumes:
+ type: array
+ items:
+ type: object
+ properties:
+ context:
+ type: string
+ pattern: ^(trusted|untrusted)$
+ access:
+ type: string
+ pattern: ^(rw|ro)$
+ path:
+ type: string
+ volume:
+ type: object
+ properties:
+ name:
+ type: string
+ hostPath:
+ type: object
+ properties:
+ path:
+ type: string
+ type:
+ type: string
+ preview:
+ type: object
+ properties:
+ count:
+ type: integer
+ default: 0
+ registry:
+ type: object
+ properties:
+ count:
+ type: integer
+ default: 0
+ volumeSize:
+ type: string
+ default: "80G"
+ tls:
+ type: object
+ properties:
+ secretName:
+ type: string
+ config:
+ type: object
+ properties:
+ secretName:
+ type: string
+ storageClassName:
+ type: string
diff --git a/ansible/inventory/group_vars/all/operator b/ansible/inventory/group_vars/all/operator
new file mode 100644
index 0000000..3aa4a6a
--- /dev/null
+++ b/ansible/inventory/group_vars/all/operator
@@ -0,0 +1,21 @@
+---
+zuul_operator_operator: |
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ name: zuul-operator
+ spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ name: zuul-operator
+ template:
+ metadata:
+ labels:
+ name: zuul-operator
+ spec:
+ serviceAccountName: zuul-operator
+ containers:
+ - name: operator
+ image: "quay.io/zuul-ci/zuul-operator"
+ imagePullPolicy: "IfNotPresent"
diff --git a/ansible/inventory/group_vars/all/rbac b/ansible/inventory/group_vars/all/rbac
new file mode 100644
index 0000000..881afbf
--- /dev/null
+++ b/ansible/inventory/group_vars/all/rbac
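Review bot: The container image in the operator Deployment, `image: "quay.io/zuul-ci/zuul-operator"`, carries no tag or digest, so it resolves to whatever the registry serves as `latest` on first pull, and `imagePullPolicy: "IfNotPresent"` then keeps each node on whichever build it happened to cache. Pin it to a reviewed release by digest, for example `image: "quay.io/zuul-ci/zuul-operator@sha256:<digest-of-reviewed-release>"` (placeholder value), so rollouts are reproducible and a moved upstream tag cannot silently change what runs under the `zuul-operator` service account. The pod spec also sets no `securityContext` or `resources`; if that is deliberate, a short comment saying so would help the next reader.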
@@ -0,0 +1,126 @@
+---
+zuul_operator_rbac: |
+ apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: zuul-operator
+
+ ---
+
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRole
+ metadata:
+ name: zuul-operator
+ rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - pods/exec
+ - services
+ - services/finalizers
+ - endpoints
+ - persistentvolumeclaims
+ - events
+ - configmaps
+ - secrets
+ - ingresses
+ - namespaces
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - apps
+ resources:
+ - deployments
+ - daemonsets
+ - replicasets
+ - statefulsets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - policy
+ resources:
+ - poddisruptionbudgets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - apps
+ resourceNames:
+ - zuul-operator
+ resources:
+ - deployments/finalizers
+ verbs:
+ - update
+ - apiGroups:
+ - apps
+ resources:
+ - replicasets
+ - deployments
+ verbs:
+ - get
+ - apiGroups:
+ - operator.zuul-ci.org
+ - cert-manager.io
+ - pxc.percona.com
+ resources:
+ - '*'
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - monitoring.coreos.com
+ resources:
+ - servicemonitors
+ verbs:
+ - get
+ - create
+
+ ---
+
+ kind: ClusterRoleBinding
+ apiVersion: rbac.authorization.k8s.io/v1
+ metadata:
+ name: zuul-operator
+ subjects:
+ - kind: ServiceAccount
+ name: zuul-operator
+ namespace: zuul
+ roleRef:
+ kind: ClusterRole
+ name: cluster-admin #zuul-operator
+ apiGroup: rbac.authorization.k8s.io
diff --git a/ansible/inventory/group_vars/all/secrets b/ansible/inventory/group_vars/all/secrets
new file mode 100644
index 0000000..34bae82
--- /dev/null
+++ b/ansible/inventory/group_vars/all/secrets
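Review bot: The ClusterRoleBinding at the end of `zuul_operator_rbac` has `name: cluster-admin #zuul-operator` in its `roleRef`, so the `zuul-operator` service account is bound to `cluster-admin` and the `zuul-operator` ClusterRole defined above it is never used. A compromise of the operator pod or of its image would then give full control of the cluster instead of the enumerated rules. Bind the role this file defines, `name: zuul-operator`, and if the operator fails with that, add the missing rule to the ClusterRole rather than widening the binding. Separately, that ClusterRole grants `secrets` and `pods/exec` cluster-wide and `'*'` on three API groups; if the operator only manages the `zuul` namespace, a namespaced Role and RoleBinding for those would be tighter.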
@@ -0,0 +1,2 @@
+---
+zuul_operator_secrets: []
diff --git a/ansible/run.yml b/ansible/run.yml
index a1ac080..675c897 100644
--- a/ansible/run.yml
+++ b/ansible/run.yml
@@ -10,3 +10,33 @@
 api_version: v1
 kind: Namespace
 state: present
+
+ - name: Ensure CRDs
+ kubernetes.core.k8s:
+ definition: "{{ zuul_operator_crd }}"
+ namespace: "zuul"
+ state: present
+
+ - name: Ensure RBAC
+ kubernetes.core.k8s:
+ namespace: "zuul"
+ definition: "{{ zuul_operator_rbac }}"
+ state: present
+
+ - name: Ensure Operator
+ kubernetes.core.k8s:
+ definition: "{{ zuul_operator_operator }}"
+ namespace: "zuul"
+ state: present
+
+ - name: Ensure Secrets
+ kubernetes.core.k8s:
+ namespace: "zuul"
+ state: present
+ loop: "{{ zuul_operator_secrets }}"
+
+ - name: Ensure additional config
+ kubernetes.core.k8s:
+ namespace: "zuul"
+ state: present
+ loop: "{{ zuul_operator_additional }}"
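Review bot: The `Ensure Secrets` and `Ensure additional config` tasks loop over `zuul_operator_secrets` and `zuul_operator_additional` but never reference `item`, so once those lists are non-empty the module is given no object to apply; each task presumably needs `definition: "{{ item }}"`. The secrets task should also set `no_log: true`, because the workflow hunk in this patch shows the playbook being run with `--diff` and a loop prints each item, which would likely put Secret manifests into the CI log. A comment stating where `zuul_operator_secrets` is meant to come from (vault-encrypted vars or a CI secret) would help, since the committed group_vars file only holds `[]`. The play these tasks belong to starts outside the hunk.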