Merge pull request #65 from stefanprodan/helm-migration

Migrate Istio control plane to Flux managed Helm releases

Author: stefanprodan

.github/actions/helm/action.yml

@@ -0,0 +1,38 @@
+name: analyze
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+permissions:
+  contents: read
+
+jobs:
+  istio:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Get Istio current version
+        id: get-istio-version
+        run: |
+          ISTIO_VERSION=$(yq eval '.data.version' ./clusters/my-cluster/istio-version.yaml)
+          echo "ISTIO_VERSION=$ISTIO_VERSION" >> $GITHUB_ENV
+      - name: Get Istio CTL URL
+        id: get-istioctl
+        uses: istio/get-istioctl@e9b2b82bc1cecf150ec6aee77ceee8c256f4faf4
+        with:
+          version: ${{ env.ISTIO_VERSION }}
+      - name: Download Istio CTL
+        run: |
+          curl -o istioctl.tar.gz -fsLO ${{ steps.get-istioctl.outputs.istioctl-url }}
+          tar -xzf istioctl.tar.gz
+          ./istioctl version --remote=false
+      - name: Analyze manifests
+        run: |
+          ./istioctl analyze -A --use-kube=false \
+            --failure-threshold ERROR \
+            $(find . -not -path "*/.git*/*" -not -path "*/clusters/*" -name "*.yaml" -type f)

.github/workflows/analyze-istio.yaml

@@ -6,6 +6,9 @@ on:
     branches: [ '*' ]
     tags-ignore: [ '*' ]
 
+permissions:
+  contents: read
+
 jobs:
   kubernetes:
     runs-on: ubuntu-latest
@@ -20,6 +23,9 @@ jobs:
           version: v0.11.1
       - name: Install Flux in Kubernetes Kind
         run: flux install
+      - name: Set Istio Gateway service type
+        run: |
+          kubectl -n flux-system create cm istio-version --from-literal=service=NodePort
       - name: Setup cluster reconciliation
         run: |
           flux create source git flux-system \
@@ -30,16 +36,19 @@ jobs:
           --path=./clusters/my-cluster
       - name: Verify cluster reconciliation
         run: |
-          kubectl -n flux-system wait kustomization/istio-operator --for=condition=ready --timeout=2m
           kubectl -n flux-system wait kustomization/istio-system --for=condition=ready --timeout=2m
+          kubectl -n flux-system wait kustomization/istio-gateway --for=condition=ready --timeout=2m
           kubectl -n flux-system wait kustomization/apps --for=condition=ready --timeout=2m
           kubectl -n prod wait canary/frontend --for=condition=promoted --timeout=1m
           kubectl -n prod rollout status deployment/frontend --timeout=1m
           kubectl -n prod wait canary/backend --for=condition=promoted --timeout=1m
           kubectl -n prod rollout status deployment/backend --timeout=1m
+      - name: List Flux managed objects
+        run: |
+          flux get all --all-namespaces
       - name: Test canary release
         run: |
-          kubectl -n prod set image deployment/backend backend=stefanprodan/podinfo:5.0.1
+          kubectl -n prod set image deployment/backend backend=ghcr.io/stefanprodan/podinfo:6.1.1
           echo '>>> Waiting for canary finalization'
           retries=25
           count=0

.github/workflows/analyze.yaml

@@ -1,4 +1,4 @@
-name: update-istio
+name: update
 
 on:
   workflow_dispatch:
@@ -8,39 +8,32 @@ on:
     branches:
       - 'main'
 
+permissions:
+  contents: write
+
 jobs:
-  check-istio:
+  istio:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v2
         with:
           ref: main
-      - name: Setup Helm
-        uses: ./.github/actions/helm
+      - name: Find Istio latest version
+        id: get-istioctl
+        uses: istio/get-istioctl@e9b2b82bc1cecf150ec6aee77ceee8c256f4faf4
         with:
-          version: 3.5.3
-      - name: Check for updates
+          version: "1.*"
+      - name: Set the Istio version
         id: check
+        env:
+          ISTIO_VERSION: ${{ steps.get-istioctl.outputs.istioctl-url }}
         run: |
-          git config user.name github-actions
-          git config user.email [email protected]
-          
-          curl -sL https://istio.io/downloadIstio | sh -
-          ISTIO_DIR=$(find . -name 'istio-*' -type d -maxdepth 1 -print | head -n1)
-          ISTIO_VER=${ISTIO_DIR##./istio-}
-
-          echo "Build manifests for ${ISTIO_VER} in dir ${ISTIO_DIR}"
-          helm template --include-crds \
-          --namespace istio-operator \
-          ${ISTIO_DIR}/manifests/charts/istio-operator/ > ./istio/operator/manifests.yaml
-
-          cat ${ISTIO_DIR}/samples/addons/prometheus.yaml > ./istio/system/prometheus.yaml
-
-          rm -rf ${ISTIO_DIR}
+          echo "Found Istio version ${ISTIO_VERSION}"
+          yq eval '.data.version=env(ISTIO_VERSION)' -i ./clusters/my-cluster/istio-version.yaml
 
           if [[ $(git diff --stat) != '' ]]; then
-            echo ::set-output name=version::${ISTIO_VER}
+            echo ::set-output name=version::${ISTIO_VERSION}
           fi
       - name: Create Pull Request
         uses: peter-evans/create-pull-request@v3
@@ -52,5 +45,5 @@ jobs:
           commit-message: Update Istio to ${{ steps.check.outputs.version }}
           title: Update Istio to ${{ steps.check.outputs.version }}
           body: |
-            Istio operator v${{ steps.check.outputs.version }}
+            Istio v${{ steps.check.outputs.version }}
           branch: update-istio

.github/workflows/e2e.yaml

@@ -0,0 +1,7 @@
+# Flux ignore
+# https://fluxcd.io/docs/components/source/gitrepositories/#excluding-files
+
+# Exclude dirs and files which don't contain Kubernetes resources
+.github/
+docs/
+*.md