mongodb · igor-karpukhin · Oct 10, 2024 · Oct 10, 2024 · Oct 11, 2024 · Oct 11, 2024
diff --git a/.github/workflows/update-helm.yaml b/.github/workflows/update-helm.yaml
@@ -0,0 +1,63 @@
+name: Helm update
+
+
+on:
+  workflow_call:
+  workflow_dispatch:
+
+jobs:
+  verify-helm-changes:
+    name: Verify if AKO helm charts needs updates
+    runs-on: ubuntu-latest
+    env:
+      JWT_APP_ID: ${{ secrets.AKO_RELEASER_APP_ID }}
+      JWT_RSA_PEM_KEY_BASE64: ${{ secrets.AKO_RELEASER_RSA_KEY_BASE64 }}
+    steps:
+      - name: Checkout AKO repo
+        uses: actions/checkout@v4
+
+      - name: Install devbox
+        uses: jetify-com/[email protected]
+        with:
+          enable-cache: 'true'
+
+      - name: Configure git
+        run: |
+          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git config --global user.name "github-actions[bot]"
+
+      - name: Checkout Helm Repo
+        run: |
+          git clone https://github.com/mongodb/helm-charts.git ./helm-charts-cloned
+          ls -lah
+
+      - name: Verify if CRDs were changed
+        id: crd-check
+        env:
+          HELM_CRDS_PATH: "./helm-charts-cloned/charts/atlas-operator-crds/templates"
+        run: |
+          devbox run -- "make helm-upd-crds"
+
+      - name: Verify if RBAC were changed
+        id: rbac-check
+        env:
+          HELM_RBAC_FILE: "./helm-charts-cloned/charts/atlas-operator/rbac.yaml"
+        run: |
+          devbox run -- "make helm-upd-rbac"
+
+      - name: Create PR for helm-charts repo
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          cd ./helm-charts-cloned
+
+          if [[ -n $(git status --porcelain) ]]; then
+            BRANCH_NAME=CRD-RBAC-changes-${{ github.run_id }}
+            COMMIT_MSG="[autogenerated] update CRDs and RBAC ${{ github.run_id }}"
+            echo "Changes detected. Creating PR"
+            git checkout -b "${BRANCH_NAME}"
+            git add .
+            git commit -m "${COMMIT_MSG}"
+            gh pr create -B main -H "${BRANCH_NAME}" --title "${COMMIT_MSG}" --body "${COMMIT_MSG}"
+          fi
+          echo "Nothing to commit"
diff --git a/Makefile b/Makefile
@@ -201,7 +201,7 @@ uninstall: manifests ## Uninstall CRDs from a cluster
 .PHONY: deploy
 deploy: generate manifests run-kind ## Deploy controller in the configured Kubernetes cluster in ~/.kube/config
 	@./scripts/deploy.sh
- 
+
 .PHONY: manifests
 # Produce CRDs that work back to Kubernetes 1.16 (so 'apiVersion: apiextensions.k8s.io/v1')
 manifests: CRD_OPTIONS ?= "crd:crdVersions=v1,ignoreUnexportedFields=true"
@@ -431,24 +431,31 @@ test-metrics:
 .PHONY: test-tools ## Test all tools
 test-tools: test-clean test-makejwt test-metrics
 
-.PHONY: sign 
+.PHONY: sign
 sign: ## Sign an AKO multi-architecture image
 	@echo "Signing multi-architecture image $(IMG)..."
 	IMG=$(IMG) SIGNATURE_REPO=$(SIGNATURE_REPO) ./scripts/sign-multiarch.sh
 
 ./ako.pem:
 	curl $(AKO_SIGN_PUBKEY) > $@
 
-.PHONY: verify 
+.PHONY: verify
 verify: ./ako.pem ## Verify an AKO multi-architecture image's signature
 	@echo "Verifying multi-architecture image signature $(IMG)..."
 	IMG=$(IMG) SIGNATURE_REPO=$(SIGNATURE_REPO) \
 	./scripts/sign-multiarch.sh verify && echo "VERIFIED OK"
 
+.PHONY: helm-upd-crds
+helm-upd-crds:
+	HELM_CRDS_PATH=$(HELM_CRDS_PATH) ./scripts/helm-upd-crds.sh
+
+.PHONY: helm-upd-rbac
+helm-upd-rbac:
+	HELM_RBAC_FILE=$(HELM_RBAC_FILE) ./scripts/helm-upd-rbac.sh
+
 .PHONY: vulncheck
 vulncheck: ## Run govulncheck to find vulnerabilities in code
 	@./scripts/vulncheck.sh ./vuln-ignore
-
 
 .PHONY: generate-sboms
 generate-sboms: ./ako.pem ## Generate a released version SBOMs

diff --git a/scripts/helm-upd-crds.sh b/scripts/helm-upd-crds.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+set -eou pipefail
+
+echo "Working dir: $(pwd)"
+
+if [[ -z "${HELM_CRDS_PATH}" ]]; then
+  echo "HELM_CRDS_PATH is not set"
+  exit 1
+fi
+
+filesToCopy=()
+for filename in ./bundle/manifests/atlas.mongodb.com_*.yaml; do
+  absName="$(basename "$filename")"
+  echo "Verifying file: ${filename}"
+  if ! diff "$filename" "${HELM_CRDS_PATH}"/"$absName"; then
+    filesToCopy+=("$filename")
+  fi
+done
+
+fLen=${#filesToCopy[@]}
+if [ "$fLen" -eq 0 ]; then
+  echo "No CRD changes detected"
+  exit 0
+fi
+
+echo "The following CRD changes detected:"
+for (( i=0; i < fLen; i++ )); do
+  echo "${filesToCopy[$i]}"
+done
+
+for (( i=0; i < fLen; i++ )); do
+  echo "Copying ${filesToCopy[$i]} to ${HELM_CRDS_PATH}/"
+  cp "${filesToCopy[$i]}" "${HELM_CRDS_PATH}"/
+done
diff --git a/scripts/helm-upd-rbac.sh b/scripts/helm-upd-rbac.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+set -eou pipefail
+
+echo "Working dir: $(pwd)"
+
+if [[ -z "${HELM_RBAC_FILE}" ]]; then
+  echo "HELM_RBAC_FILE is not set"
+  exit 1
+fi
+
+if [ ! -f "${HELM_RBAC_FILE}" ]; then
+  echo "File ${HELM_RBAC_FILE} does not exist. Skipping RBAC validation"
+  exit 0
+fi
+
+yq '.spec.install.spec.clusterPermissions[0].rules' ./bundle/manifests/mongodb-atlas-kubernetes.clusterserviceversion.yaml > rbac.yaml
+
+echo "Comparing RBAC for CSV to RBAC in AKO helm chart"
+if ! diff rbac.yaml "$HELM_RBAC_FILE"; then
+  echo "Copying RBAC"
+  cp rbac.yaml "$HELM_RBAC_FILE"
+else
+  echo "No changes detected"
+fi