feat(tkn): overhaul Tekton tasks with operation param, secrets, and G…

Makefile

@@ -100,6 +100,7 @@ define tkn_update
 	rm -f tkn/*.yaml
 	sed -e 's%<IMAGE>%$(1)%g' -e 's%<VERSION>%$(2)%g' tkn/template/rhelai-aws.yaml > tkn/rhelai-aws.yaml
 	sed -e 's%<IMAGE>%$(1)%g' -e 's%<VERSION>%$(2)%g' tkn/template/rhelai-azure.yaml > tkn/rhelai-azure.yaml
+	sed -e 's%<IMAGE>%$(1)%g' -e 's%<VERSION>%$(2)%g' tkn/template/rhelai-gcp.yaml > tkn/rhelai-gcp.yaml
 	sed -e 's%<IMAGE>%$(1)%g' -e 's%<VERSION>%$(2)%g' tkn/template/snc-aws.yaml > tkn/snc-aws.yaml
 	sed -e 's%<IMAGE>%$(1)%g' -e 's%<VERSION>%$(2)%g' tkn/template/snc-azure.yaml > tkn/snc-azure.yaml
 endef

tkn/rhelai-aws.yaml

@@ -14,30 +14,59 @@ spec:
   description: >-
     This Task imports a RAW image to AWS using the cloud-importer tool.
   params:
-    - name: raw-image-path
-      description: Local path to the raw image.
-    - name: ami-name
+    # general
+    - name: debug
+      description: run with deug logs
+    - name: id
+      description: identifier for the taskrun
+    - name: operation
+      description: operation to perform (create or destroy)
+      default: create
+    - name: secret-aws-credentials
+      description: |
+        K8S secret holding the AWS credentials. Secret should be accessible to this task.
+
+        ---
+        apiVersion: v1
+        kind: Secret
+        metadata:
+          name: aws-${name}
+        type: Opaque
+        data:
+          access-key: ${access_key}
+          secret-key: ${secret_key}
+          region: ${region}
+          bucket: ${bucket}
+
+    # uploading of images
+    - name: image-name
       description: The name of the AMI to be created.
-    - name: share-with-account-ids
-      description: "A comma-separated list of account IDs to share the AMI with."
       default: ""
-    - name: share-orgs-ids
-      description: "A comma-separated list of organization ARNs to share the AMI with."
+    - name: image-path
+      description: Local path to the raw image.
       default: ""
-    - name: replicate-to-regions
+    - name: replicate
       description: "A comma-separated list of regions to replicate the AMI to."
       default: "all"
-    - name: id
-      description: identifier for the taskrun
-    - name: debug
-      description: run with deug logs
+    - name: share-orgs-ids
+      description: "A comma-separated list of organization ARNs to share the AMI with."
+      default: ""
+    - name: tags
+      description: "A comma-separated list of tags to add to the AMI."
+      default: ""
+
+    # removal of images
+    - name: force-destroy
+      description: destroy even if there is a lock
+      default: "false"
+    - name: keep-state
+      description: keep the Pulumi state in the S3 backend after successful destroy
+      default: "false"
   workspaces:
-    - name: credentials
-      description: A workspace containing the cloud provider credentials.
-      mountPath: /opt/aws-credentials
     - name: data
       description: A workspace for the raw image.
       mountPath: /data
+      optional: true
   steps:
     - name: run-cloud-importer
       image: quay.io/aipcc-cicd/cloud-importer:v1.0.0-dev
@@ -72,19 +101,52 @@ spec:
           set -xeuo pipefail
         fi
 
-        cmd="cloud-importer rhelai aws --output /data/output.json --image-path /data/$(params.raw-image-path) "
-        cmd+="--image-name $(params.ami-name) "
-        cmd+="--backed-url s3://${BUCKET}/cloud-importer/$(params.id) "
-        if [[ "$(params.debug)" == "true" ]]; then
-          cmd+="--debug"
-        fi
-        if [ -n "$(params.share-orgs-ids)" ]; then
-          cmd+=" --share-orgs-ids=$(params.share-orgs-ids)"
+        cmd="cloud-importer "
+        if [[ "$(params.operation)" == "create" ]]; then
+          if [[ "$(workspaces.data.bound)" != "true" ]]; then
+            echo "ERROR: workspace 'data' must be bound for create operation"
+            exit 1
+          fi
+          cmd+="rhelai aws "
+          cmd+="--image-path /data/$(params.image-path) "
+          cmd+="--image-name $(params.image-name) "
+
+          if [ -n "$(params.share-orgs-ids)" ]; then
+            cmd+="--share-orgs-ids=$(params.share-orgs-ids) "
+          fi
+
+          if [ -n "$(params.replicate)" ]; then
+            cmd+="--replicate=$(params.replicate) "
+          fi
+
+          if [ -n "$(params.tags)" ]; then
+            cmd+="--tags=$(params.tags) "
+          fi
+        else
+          cmd+="destroy "
+
+          if [[ "$(params.force-destroy)" == "true" ]]; then
+            cmd+="--force-destroy "
+          fi
+
+          if [[ "$(params.keep-state)" == "true" ]]; then
+            cmd+="--keep-state "
+          fi
         fi
 
-        if [ -n "$(params.replicate-to-regions)" ]; then
-          cmd+=" --replicate=$(params.replicate-to-regions)"
+        cmd+="--project-name $(params.id) "
+        cmd+="--backed-url s3://${BUCKET}/cloud-importer "
+
+        if [[ "$(params.debug)" == "true" ]]; then
+          cmd+="--debug "
         fi
 
         eval ${cmd}
 
+      volumeMounts:
+        - name: aws-credentials
+          mountPath: /opt/aws-credentials
+  volumes:
+    - name: aws-credentials
+      secret:
+        secretName: $(params.secret-aws-credentials)

tkn/rhelai-azure.yaml

@@ -14,27 +14,63 @@ spec:
   description: >-
     This Task imports a RAW image to Azure using the cloud-importer tool.
   params:
-    - name: raw-image-path
-      description: Local path to the raw image.
+    # general
+    - name: debug
+      description: run with deug logs
+    - name: id
+      description: identifier for the taskrun
+    - name: operation
+      description: operation to perform (create or destroy)
+      default: create
+    - name: secret-az-credentials
+      description: |
+        K8S secret holding the Azure credentials. Secret should be accessible to this task.
+
+        ---
+        apiVersion: v1
+        kind: Secret
+        metadata:
+          name: azure-${name}
+        type: Opaque
+        data:
+          blob: ${blob}
+          client-id: ${client_id}
+          client-secret: ${client_secret}
+          location: ${location}
+          storage-account: ${storage_account}
+          storage-key: ${storage_key}
+          subscription-id: ${subscription_id}
+          tenant-id: ${tenant_id}
+
+    # uploading of images
     - name: image-name
       description: The name for the image in Azure.
-    - name: replicate-to-regions
+      default: ""
+    - name: image-path
+      description: Local path to the vhd image.
+      default: ""
+    - name: replicate
       description: "A comma-separated list of regions to replicate the image to."
       default: "all"
     - name: share-orgs-ids
-      description: "A comma-separated list of organization ARNs to share the AMI with."
+      description: "A comma-separated list of organization tenant IDs to share the image with."
       default: ""
-    - name: id
-      description: identifier for the taskrun
-    - name: debug
-      description: run with deug logs
+    - name: tags
+      description: "A comma-separated list of tags to add to the image."
+      default: ""
+
+    # removal of images
+    - name: force-destroy
+      description: destroy even if there is a lock
+      default: "false"
+    - name: keep-state
+      description: keep the Pulumi state in the Azure Blob backend after successful destroy
+      default: "false"
   workspaces:
-    - name: credentials
-      description: A workspace containing the cloud provider credentials.
-      mountPath: /opt/azure-credentials
     - name: data
-      description: A workspace for the raw image.
+      description: A workspace for the vhd image.
       mountPath: /data
+      optional: true
   steps:
     - name: run-cloud-importer
       image: quay.io/aipcc-cicd/cloud-importer:v1.0.0-dev
@@ -55,35 +91,74 @@ spec:
         }
 
         # Credentials - set these BEFORE enabling debug mode
-        export AZURE_CLIENT_ID=$(cat /opt/azure-credentials/client-id)
-        export AZURE_CLIENT_SECRET=$(cat /opt/azure-credentials/client-secret)
-        export AZURE_TENANT_ID=$(cat /opt/azure-credentials/tenant-id)
-        export AZURE_SUBSCRIPTION_ID=$(cat /opt/azure-credentials/subscription-id)
-        export AZURE_STORAGE_ACCOUNT_NAME=$(cat /opt/azure-credentials/storage-account)
-
+        export AZURE_STORAGE_ACCOUNT=$(cat /opt/azure-credentials/storage-account)
+        export AZURE_STORAGE_KEY=$(cat /opt/azure-credentials/storage-key)
+        export ARM_CLIENT_ID=$(cat /opt/azure-credentials/client-id)
+        export ARM_CLIENT_SECRET=$(cat /opt/azure-credentials/client-secret)
+        export ARM_LOCATION_NAME=$(cat /opt/azure-credentials/location)
+        export ARM_SUBSCRIPTION_ID=$(cat /opt/azure-credentials/subscription-id)
+        export ARM_TENANT_ID=$(cat /opt/azure-credentials/tenant-id)
+        BLOB=$(cat /opt/azure-credentials/blob)
 
         # If debug add verbosity and print masked credentials
         if [[ "$(params.debug)" == "true" ]]; then
-          echo "AZURE_CLIENT_ID=$(mask_credential "$AZURE_CLIENT_ID")"
-          echo "AZURE_CLIENT_SECRET=$(mask_credential "$AZURE_CLIENT_SECRET")"
-          echo "AZURE_TENANT_ID=$AZURE_TENANT_ID"
-          echo "AZURE_SUBSCRIPTION_ID"=$AZURE_SUBSCRIPTION_ID
-          echo "AZURE_STORAGE_ACCOUNT_NAME"=$AZURE_STORAGE_ACCOUNT_NAME
+          echo "AZURE_STORAGE_ACCOUNT"=$(mask_credential "$AZURE_STORAGE_ACCOUNT")
+          echo "AZURE_STORAGE_KEY=$(mask_credential "$AZURE_STORAGE_KEY")"
+          echo "ARM_CLIENT_ID=$(mask_credential "$ARM_CLIENT_ID")"
+          echo "ARM_CLIENT_SECRET=$(mask_credential "$ARM_CLIENT_SECRET")"
+          echo "ARM_LOCATION_NAME"=$ARM_LOCATION_NAME
+          echo "ARM_SUBSCRIPTION_ID"=$(mask_credential "$ARM_SUBSCRIPTION_ID")
+          echo "ARM_TENANT_ID"=$(mask_credential "$ARM_TENANT_ID")
+          echo "BLOB"=$BLOB
           set -xeuo pipefail
         fi
 
-        cmd="cloud-importer rhelai az --output /data/output.json --image-path /data/$(params.raw-image-path) "
-        cmd+="--image-name $(params.image-name) "
-        cmd+="--backed-url azblob://${AZURE_STORAGE_ACCOUNT_NAME}/cloud-importer/$(params.id) "
-        if [[ "$(params.debug)" == "true" ]]; then
-          cmd+="--debug"
-        fi
-        if [ -n "$(params.replicate-to-regions)" ]; then
-          cmd+=" --replicate=$(params.replicate-to-regions)"
+        cmd="cloud-importer "
+        if [[ "$(params.operation)" == "create" ]]; then
+          if [[ "$(workspaces.data.bound)" != "true" ]]; then
+            echo "ERROR: workspace 'data' must be bound for create operation"
+            exit 1
+          fi
+          cmd+="rhelai az "
+          cmd+="--image-path /data/$(params.image-path) "
+          cmd+="--image-name $(params.image-name) "
+
+          if [ -n "$(params.share-orgs-ids)" ]; then
+            cmd+="--share-orgs-ids=$(params.share-orgs-ids) "
+          fi
+
+          if [ -n "$(params.replicate)" ]; then
+            cmd+="--replicate=$(params.replicate) "
+          fi
+
+          if [ -n "$(params.tags)" ]; then
+            cmd+="--tags=$(params.tags) "
+          fi
+        else
+          cmd+="destroy "
+
+          if [[ "$(params.force-destroy)" == "true" ]]; then
+            cmd+="--force-destroy "
+          fi
+
+          if [[ "$(params.keep-state)" == "true" ]]; then
+            cmd+="--keep-state "
+          fi
         fi
-        if [ -n "$(params.share-orgs-ids)" ]; then
-          cmd+=" --replicate=$(params.share-orgs-ids)"
+
+        cmd+="--project-name $(params.id) "
+        cmd+="--backed-url azblob://${BLOB}/cloud-importer "
+
+        if [[ "$(params.debug)" == "true" ]]; then
+          cmd+="--debug "
         fi
 
         eval ${cmd}
 
+      volumeMounts:
+        - name: az-credentials
+          mountPath: /opt/az-credentials
+  volumes:
+    - name: az-credentials
+      secret:
+        secretName: $(params.secret-az-credentials)