Jenkinsfile_k8s

def cronExpr = env.BRANCH_IS_PRIMARY ? 'H/30 * * * *' : ''

pipeline {
  agent none

  options {
    buildDiscarder(logRotator(numToKeepStr: '10'))
    timeout(time: 30, unit: 'MINUTES')
    disableConcurrentBuilds()
  }

  triggers {
    cron (cronExpr)
  }

  stages {
    stage('Yaml Lint') {
      agent {
        kubernetes {
          yamlFile 'PodTemplates.yaml'
        }
      }
      steps {
        sh 'yamllint --config-file yamllint.config config'
      }
    } // stage 'Yaml Lint'
    stage('Kubernetes Management Tasks') {
      matrix {
        axes {
          axis {
            name 'K8S_CLUSTER'
            values 'cik8s', 'doks', 'doks-public', 'eks-public', 'privatek8s', 'prodpublick8s', 'publick8s'
          }
        } // axes
        agent {
          kubernetes {
            yamlFile 'PodTemplates.yaml'
          }
        }
      environment {
        KUBECONFIG            = credentials("kubeconfig-${K8S_CLUSTER}")
        // Required for secret decryption
        AZURE_TENANT_ID           = credentials('sops-tenant-id')
        AZURE_CLIENT_ID           = credentials('sops-client-id')
        AZURE_CLIENT_SECRET       = credentials('sops-client-secret')
        DIGITALOCEAN_ACCESS_TOKEN = credentials('production-terraform-digitalocean-pat')
        // Required for AWS-hosted clusters.
        // Variable name is constrained (ref. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html)
        AWS_SHARED_CREDENTIALS_FILE       =   credentials("${env.K8S_CLUSTER == 'eks-public' ? 'eks-public-charter-awsconfig': 'cik8s-charter-awsconfig'}")
      }
        stages {
          stage('Prepare Environment'){
            steps {
              // Retrieve the private repository holding the SOPS encrypted YAML secrets into the local directory "./secrets"
              dir ('secrets'){
                git branch: 'main', credentialsId: 'github-app-infra', url: 'https://github.com/jenkins-infra/charts-secrets.git'
              }
              sh 'if (test "${K8S_CLUSTER}" = "doks" || test "${K8S_CLUSTER}" = "doks-public"); then doctl auth init > /dev/null; echo "INFO: command doctl auth init executed."; fi'
              sh 'kubectl cluster-info'
            }
          }
          stage('Helmfile Lint'){
            steps {
              sh 'helmfile -f "clusters/${K8S_CLUSTER}.yaml" lint'
            }
          } // stage
          stage('Diff on Pull Request'){
            when {
              changeRequest()
            }
            steps {
              script {
                def diff = sh(
                  script:'helmfile --no-color -f "clusters/${K8S_CLUSTER}.yaml" diff --suppress-secrets --skip-deps --context=2 --concurrency=8',
                  returnStdout: true,
                ).trim()
                // Note the GitHub markdown formatting for the diff, to have syntax coloration
                publishChecks name: "helmfile-diff-${K8S_CLUSTER}", title: "Helmfile Diff for cluster ${K8S_CLUSTER}", text: '```diff\n' + diff + '\n```'
              }
            }
          } // stage
          stage('Apply'){
            when {
              branch 'main'
            }
            steps {
              sh 'helmfile -f "clusters/${K8S_CLUSTER}.yaml" apply --suppress-secrets --concurrency=8'
            }
          } // stage
        } // stages
      } // matrix
    } // stage 'stage('Kubernetes Management Tasks')
  } // stages
}