Add APPUiO Cloud Agent deployment

appuio · Apr 6, 2022 · b26c761 · b26c761
1 parent ef6a54e
commit b26c761
Show file tree

Hide file tree

Showing 13 changed files with 483 additions and 0 deletions.
diff --git a/class/appuio-cloud.yml b/class/appuio-cloud.yml
@@ -1,5 +1,11 @@
 parameters:
   kapitan:
+    dependencies:
+      - type: git
+        output_path: dependencies/appuio-cloud/agent/manifests/${appuio_cloud:images:agent:tag}/
+        source: https://github.com/appuio/appuio-cloud-agent.git
+        subdir: config
+        ref: feat/deploy
     compile:
       - input_paths:
           - appuio-cloud/component/app.jsonnet
@@ -17,3 +23,8 @@ parameters:
           - appuio-cloud/component/runonce-activedeadlineseconds.jsonnet
         input_type: jsonnet
         output_path: appuio-cloud/
+      - input_paths:
+          - appuio-cloud/component/agent.jsonnet
+        input_type: jsonnet
+        output_path: appuio-cloud/01_agent/
+
diff --git a/class/defaults.yml b/class/defaults.yml
@@ -3,6 +3,27 @@ parameters:
     =_metadata: {}
     namespace: appuio-cloud
 
+    images:
+      agent:
+        registry: ghcr.io
+        repository: appuio/appuio-cloud-agent
+        tag: v0.1.0
+
+    agent:
+      replicas: 3
+      resource-ratio:
+        memory-per-core: 4Gi
+      webhook:
+        tls:
+          certSecretName: webhook-service-tls
+          caCertificate: ""
+          certificate: ""
+          key: "?{vaultkv:${customer:name}/${cluster:name}/${_instance}/webhook-key}"
+        namespaceSelector:
+          matchExpressions:
+          - key: appuio.io/organization
+            operator: Exists
+
     bypassNamespaceRestrictions:
       roles: {}
       clusterRoles:

diff --git a/component/agent.jsonnet b/component/agent.jsonnet
@@ -0,0 +1,143 @@
+/*
+* Deploys the appuio-cloud-agent
+*/
+local com = import 'lib/commodore.libjsonnet';
+local kap = import 'lib/kapitan.libjsonnet';
+local kube = import 'lib/kube.libjsonnet';
+local inv = kap.inventory();
+local params = inv.parameters.appuio_cloud;
+
+local image = params.images.agent;
+local loadManifest(manifest) = std.parseJson(kap.yaml_load('appuio-cloud/agent/manifests/' + image.tag + '/' + manifest));
+
+local serviceAccount = loadManifest('rbac/service_account.yaml') {
+  metadata+: {
+    namespace: params.namespace,
+  },
+};
+local role = com.namespaced(params.namespace, loadManifest('rbac/role.yaml'));
+local leaderElectionRole = com.namespaced(params.namespace, loadManifest('rbac/leader_election_role.yaml'));
+
+local webhookCertDir = '/var/run/webhook-service-tls';
+
+local deployment = loadManifest('manager/manager.yaml') {
+  metadata+: {
+    namespace: params.namespace,
+  },
+  spec+: {
+    template+: {
+      spec+: {
+        replicas: params.agent.replicas,
+        containers: [
+          if c.name == 'manager' then
+            c {
+              image: '%(registry)s/%(repository)s:%(tag)s' % image,
+              args: [
+                '--leader-elect',
+                '--webhook-cert-dir=' + webhookCertDir,
+                '--memory-per-core-limit=' + params.agent['resource-ratio']['memory-per-core'],
+              ],
+              volumeMounts+: [
+                {
+                  name: 'webhook-service-tls',
+                  mountPath: webhookCertDir,
+                  readOnly: true,
+                },
+              ],
+            }
+          else
+            c
+          for c in super.containers
+        ],
+        volumes+: [
+          {
+            name: 'webhook-service-tls',
+            secret: {
+              secretName: params.agent.webhook.tls.certSecretName,
+            },
+          },
+        ],
+      },
+    },
+  },
+};
+
+local admissionWebhookTlsSecret =
+  assert std.length(params.agent.webhook.tls.certificate) > 0 : 'agent.webhook.tls.certificate is required';
+  assert std.length(params.agent.webhook.tls.key) > 0 : 'agent.webhook.tls.key is required';
+  kube.Secret(params.agent.webhook.tls.certSecretName) {
+    metadata+: {
+      namespace: params.namespace,
+    },
+    type: 'kubernetes.io/tls',
+    stringData: {
+      'tls.key': params.agent.webhook.tls.key,
+      'tls.crt': params.agent.webhook.tls.certificate,
+    },
+  };
+
+local admissionWebhook = loadManifest('webhook/manifests.yaml') {
+  metadata+: {
+    name: '%s-validating-webhook' % params.namespace,
+  },
+  webhooks: [
+    w {
+      clientConfig+: {
+        [if std.length(params.agent.webhook.tls.caCertificate) > 0 then 'caBundle']:
+          std.base64(params.agent.webhook.tls.caCertificate),
+        service+: {
+          namespace: params.namespace,
+        },
+      },
+      namespaceSelector: params.agent.webhook.namespaceSelector,
+    }
+    for w in super.webhooks
+  ],
+};
+
+local admissionWebhookService = loadManifest('webhook/service.yaml') {
+  metadata+: {
+    namespace: params.namespace,
+  },
+};
+
+{
+  '01_role': role,
+  '01_leader_election_role': leaderElectionRole,
+  '01_role_binding': kube.ClusterRoleBinding(role.metadata.name) {
+    roleRef: {
+      kind: 'ClusterRole',
+      apiGroup: 'rbac.authorization.k8s.io',
+      name: role.metadata.name,
+    },
+    subjects: [
+      {
+        kind: 'ServiceAccount',
+        name: serviceAccount.metadata.name,
+        namespace: serviceAccount.metadata.namespace,
+      },
+    ],
+  },
+  '01_leader_election_role_binding': kube.RoleBinding(role.metadata.name) {
+    metadata+: {
+      namespace: params.namespace,
+    },
+    roleRef: {
+      kind: 'Role',
+      apiGroup: 'rbac.authorization.k8s.io',
+      name: leaderElectionRole.metadata.name,
+    },
+    subjects: [
+      {
+        kind: 'ServiceAccount',
+        name: serviceAccount.metadata.name,
+        namespace: serviceAccount.metadata.namespace,
+      },
+    ],
+  },
+  '01_service_account': serviceAccount,
+  '02_webhook_cert_secret': admissionWebhookTlsSecret,
+  '02_deployment': deployment,
+  '10_webhook_config': admissionWebhook,
+  '11_webhook_service': admissionWebhookService,
+}
diff --git a/tests/defaults.yml b/tests/defaults.yml
@@ -11,6 +11,44 @@ parameters:
         output_path: vendor/lib/resource-locker.libjsonnet
 
   appuio_cloud:
+    agent:
+      webhook:
+        tls:
+          caCertificate: ${appuio_cloud:agent:webhook:tls:certificate}
+          certificate: |-
+            -----BEGIN CERTIFICATE-----
+            MIIFeDCCA2CgAwIBAgIUH+xWxqMcAYp2t9jmRZ8SlZ3mkNswDQYJKoZIhvcNAQEL
+            BQAwMTEvMC0GA1UEAwwmd2ViaG9vay1zZXJ2aWNlLmFwcHVpby1jb250cm9sLWFw
+            aS5zdmMwHhcNMjIwMzI5MDkyNTM1WhcNMzIwMzI2MDkyNTM1WjAxMS8wLQYDVQQD
+            DCZ3ZWJob29rLXNlcnZpY2UuYXBwdWlvLWNvbnRyb2wtYXBpLnN2YzCCAiIwDQYJ
+            KoZIhvcNAQEBBQADggIPADCCAgoCggIBANuLXjhC1YyO4AjKRdrKa4aYIr93wtQU
+            FhGavZU5+NsD4DaeuBtAylnQ2i2y6ltUlX8LWTwDKGYa2zLiWONXdZMXXad+hYz6
+            fVTJ681GH4/ko2dMcU7IAIRKDQ8cL8rb3GUXsOGRLQM1E4fNCbGi6oURyxcAGRqQ
+            Ym18PfGfqjXC0HUVjkWAPQuc9lGzKjFTR58pVEo5po4gShrG7QOdZosVxVrI8qHY
+            ZTgKeZseoDWo4IeHpke9uZg20K/mPYSWyA4Q1C1bhXyvbAonhz0eE0jzRoyNlRfg
+            0gJFDo8HcaPLgS3xGNxIQtHXF4gZv8VhVjM4CALEp4M4j3bNJ2MN+tBoEvy7eaa5
+            HDnFRbskTrgaSO6GVdH2QNeYQw1wxf1WzBL/GftARn8maRyzJe4/piKykx6+U51S
+            ozwvExvc7UOnuALFKhzZMZyiSRDR+ryhMskvk4zPzlYq246ssCSnfdos2ChMivhq
+            /Hfs57R6UjC3H2aLypdyx3aifAJwZiDwZ0LijcoWfXfHsjk+F9a1+vtGAxFft5Ao
+            dDswcet4gnzR2lDpIha0f6Q7065sEgWQA/Xz0ghiGg94UsBJTk8U6qGrsngafxHh
+            rmCFZOOexn2v6FpkYaNFHSvJ8fckWYR7MlTZi3ihv2OdZUS8MtnZqgzrDfjWZ/oh
+            yr6V7Hj1r1ttAgMBAAGjgYcwgYQwHQYDVR0OBBYEFCfDCDwxYs3XeeW45jEU+B6K
+            H3M0MB8GA1UdIwQYMBaAFCfDCDwxYs3XeeW45jEU+B6KH3M0MA8GA1UdEwEB/wQF
+            MAMBAf8wMQYDVR0RBCowKIImd2ViaG9vay1zZXJ2aWNlLmFwcHVpby1jb250cm9s
+            LWFwaS5zdmMwDQYJKoZIhvcNAQELBQADggIBAIeZ9lJhPyA7FI98Z8bLP3kC/a6n
+            pbzt9exkzc+ERiNmUy9n3Q1ykIDpMMlDmtzci3EejuHL82i/A4Jtuj+B/iRgIkGY
+            L3Ph8BsJNSZhsvEvhqJU02/Nr04SYify4dqe4SjZLnvd45wdHNaCmloRcKtz0QTN
+            E0tnbJISvpTlR8patftEN4ru1amd+GMUPunoykERZTftHw0SO/lVOlVATDjLpNJP
+            0IWbBrZJTLSF7uhkGfpR2aIukqUi0QvDRQJ4D77Va3DqwetmWSEABlg1rfxuvP0k
+            3kbD1/JX1I3A26Sqs9X5lSqXTq1sTKzd+2gtEulIJ5z0Et2y0rOWnPvXxJ4Ld4C/
+            zAcro9aM11yqP/BjmdL+l3rYRj8N38s39EzhAY3MvYnSy1P2RmL/p4BsrOEvN5Mq
+            /E9zKEXsTQXviZc56J+iCrMAuRfQHXDIkwtID2oRuP0t4xtatQorf4JV/PRMAw0i
+            ZvrGMzX61r0eqn1t3bEJ49P+YvzawErH/l3zdITMc13sOWZQ1NayekxeVIOa6hyd
+            SFObMdLVJCUWcdz52EAk4jlqN0vN8iMSFnB8mBT4X+8reauopfWAnFH8VWfN8tyN
+            m2j6L7Lb2uwBCq2NaOY9HNSi52N/J6DnQZegogQxCUiT7YJr4Xtkabv99c6mn230
+            al+L9+1VcdfaZsPI
+            -----END CERTIFICATE-----
+
     bypassNamespaceRestrictions:
       subjects:
         argocd:

diff --git a/tests/golden/defaults/appuio-cloud/appuio-cloud/01_agent/01_leader_election_role.yaml b/tests/golden/defaults/appuio-cloud/appuio-cloud/01_agent/01_leader_election_role.yaml
@@ -0,0 +1,37 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: appuio-cloud-agent:leader-election-role
+  namespace: appuio-cloud
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - ''
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
diff --git a/...s/golden/defaults/appuio-cloud/appuio-cloud/01_agent/01_leader_election_role_binding.yaml b/...s/golden/defaults/appuio-cloud/appuio-cloud/01_agent/01_leader_election_role_binding.yaml
@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations: {}
+  labels:
+    name: appuio-cloud-agent
+  name: appuio-cloud-agent
+  namespace: appuio-cloud
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: appuio-cloud-agent:leader-election-role
+subjects:
+  - kind: ServiceAccount
+    name: appuio-cloud-agent
+    namespace: appuio-cloud
diff --git a/tests/golden/defaults/appuio-cloud/appuio-cloud/01_agent/01_role.yaml b/tests/golden/defaults/appuio-cloud/appuio-cloud/01_agent/01_role.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: appuio-cloud-agent
+  namespace: appuio-cloud
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - pods
+    verbs:
+      - get
+      - list
+      - watch
diff --git a/tests/golden/defaults/appuio-cloud/appuio-cloud/01_agent/01_role_binding.yaml b/tests/golden/defaults/appuio-cloud/appuio-cloud/01_agent/01_role_binding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations: {}
+  labels:
+    name: appuio-cloud-agent
+  name: appuio-cloud-agent
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: appuio-cloud-agent
+subjects:
+  - kind: ServiceAccount
+    name: appuio-cloud-agent
+    namespace: appuio-cloud
diff --git a/tests/golden/defaults/appuio-cloud/appuio-cloud/01_agent/01_service_account.yaml b/tests/golden/defaults/appuio-cloud/appuio-cloud/01_agent/01_service_account.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: appuio-cloud-agent
+  namespace: appuio-cloud
diff --git a/tests/golden/defaults/appuio-cloud/appuio-cloud/01_agent/02_deployment.yaml b/tests/golden/defaults/appuio-cloud/appuio-cloud/01_agent/02_deployment.yaml
@@ -0,0 +1,62 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    control-plane: appuio-cloud-agent
+  name: appuio-cloud-agent
+  namespace: appuio-cloud
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      control-plane: appuio-cloud-agent
+  template:
+    metadata:
+      annotations:
+        kubectl.kubernetes.io/default-container: agent
+      labels:
+        control-plane: appuio-cloud-agent
+    spec:
+      containers:
+        - args:
+            - --leader-elect
+            - --webhook-cert-dir=/var/run/webhook-service-tls
+            - --memory-per-core-limit=4Gi
+          command:
+            - /appuio-cloud-agent
+          image: ghcr.io/appuio/appuio-cloud-agent:v0.1.0
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 8081
+            initialDelaySeconds: 15
+            periodSeconds: 20
+          name: manager
+          ports:
+            - containerPort: 9443
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: 8081
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          resources:
+            limits:
+              cpu: 500m
+              memory: 256Mi
+            requests:
+              cpu: 10m
+              memory: 128Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+          volumeMounts:
+            - mountPath: /var/run/webhook-service-tls
+              name: webhook-service-tls
+              readOnly: true
+      replicas: 3
+      serviceAccountName: appuio-cloud-agent
+      terminationGracePeriodSeconds: 10
+      volumes:
+        - name: webhook-service-tls
+          secret:
+            secretName: webhook-service-tls