From 6bac1343f6039cb563ba69504530c37fcb0924c0 Mon Sep 17 00:00:00 2001
From: Dimitrios Giannopoulos
Date: Mon, 2 Sep 2024 17:24:03 +0300
Subject: [PATCH 1/7] feat: added dedicated cridge helm chart

---
 helm/cridge/.helmignore | 23 +++++++
 helm/cridge/Chart.yaml | 23 +++++++
 .../files/org.etsi.osl.cridge/kubeconfig.yaml | 19 ++++++
 helm/cridge/templates/_helpers.tpl | 62 +++++++++++++++++++
 helm/cridge/templates/deployment.yaml | 55 ++++++++++++++++
 helm/cridge/templates/secret.yaml | 14 +++++
 helm/cridge/values.yaml | 36 +++++++++++
 7 files changed, 232 insertions(+)
 create mode 100644 helm/cridge/.helmignore
 create mode 100644 helm/cridge/Chart.yaml
 create mode 100644 helm/cridge/files/org.etsi.osl.cridge/kubeconfig.yaml
 create mode 100644 helm/cridge/templates/_helpers.tpl
 create mode 100644 helm/cridge/templates/deployment.yaml
 create mode 100644 helm/cridge/templates/secret.yaml
 create mode 100644 helm/cridge/values.yaml

diff --git a/helm/cridge/.helmignore b/helm/cridge/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/helm/cridge/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/helm/cridge/Chart.yaml b/helm/cridge/Chart.yaml
new file mode 100644
index 0000000..e8bf1a8
--- /dev/null
+++ b/helm/cridge/Chart.yaml
@@ -0,0 +1,23 @@
+apiVersion: v2
+name: cridge
+description: Cridge Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 1.0.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+appVersion: 2024Q2
diff --git a/helm/cridge/files/org.etsi.osl.cridge/kubeconfig.yaml b/helm/cridge/files/org.etsi.osl.cridge/kubeconfig.yaml
new file mode 100644
index 0000000..1176403
--- /dev/null
+++ b/helm/cridge/files/org.etsi.osl.cridge/kubeconfig.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Config
+clusters:
+- name: development-cluster
+ cluster:
+ certificate-authority: path/to/ca.crt # Path to certificate authority file
+ server: https://123.45.67.89:6443 # Cluster API server address
+contexts:
+- name: dev-user@development-cluster
+ context:
+ cluster: development-cluster
+ namespace: development # Default namespace
+ user: dev-user
+current-context: dev-user@development-cluster
+users:
+- name: dev-user
+ user:
+ client-certificate: path/to/cert.crt # Path to the client certificate
+ client-key: path/to/key.key # Path to the client key
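Review bot: The sample kubeconfig points at `certificate-authority`, `client-certificate` and `client-key` by relative file path, but the Secret this chart builds carries only the single `config` key mounted under `/root/.kube`, so inside the pod those paths cannot resolve and the client has no credentials to present. A kubeconfig meant to be mounted on its own should embed the material inline (`certificate-authority-data`, `client-certificate-data`, `client-key-data`, base64-encoded), and the file should open with a comment saying so, e.g. `# Placeholder only: use the inline *-data fields; never commit a real kubeconfig here`. Because nothing in `.helmignore` excludes `files/`, this placeholder is packaged with the chart and, once the secret template reads it, is what gets installed whenever no override is supplied.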
diff --git a/helm/cridge/templates/_helpers.tpl b/helm/cridge/templates/_helpers.tpl
new file mode 100644
index 0000000..89f9f71
--- /dev/null
+++ b/helm/cridge/templates/_helpers.tpl
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "openslice.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "openslice.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "openslice.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "openslice.labels" -}}
+helm.sh/chart: {{ include "openslice.chart" . }}
+{{ include "openslice.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "openslice.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "openslice.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "openslice.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "openslice.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/helm/cridge/templates/deployment.yaml b/helm/cridge/templates/deployment.yaml
new file mode 100644
index 0000000..cbdc132
--- /dev/null
+++ b/helm/cridge/templates/deployment.yaml
@@ -0,0 +1,55 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ include "openslice.fullname" . }}
+ org.etsi.osl.service: cridge
+ chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+ {{- include "openslice.labels" . | nindent 4 }}
+ name: {{ include "openslice.fullname" . }}-cridge
+spec:
+ {{- if not .Values.autoscaling.enabled }}
+ replicas: {{ .Values.replicaCount }}
+ {{- end }}
+ selector:
+ matchLabels:
+ app: {{ include "openslice.fullname" . }}
+ org.etsi.osl.service: cridge
+ {{- include "openslice.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ labels:
+ app: {{ include "openslice.fullname" . }}
+ org.etsi.osl.service: cridge
+ {{- include "openslice.selectorLabels" . | nindent 8 }}
+ spec:
+# initContainers:
+# - name: init-osscapi
+# image: busybox:1.28
+# command: ['sh', '-c', "until nslookup {{ include "openslice.fullname" . }}-osscapi; do echo waiting for osscapi; sleep 2; done"]
+ containers:
+ - image: "{{ .Values.image.cridge.repository }}:{{ .Values.image.cridge.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.cridge.pullPolicy | default "Always" }}
+ name: {{ include "openslice.fullname" . }}-cridge
+ env:
+ - name: SPRING_APPLICATION_JSON
+ value: >-
+ {
+ "spring.activemq.brokerUrl": "{{ .Values.oscreds.activemq.brokerUrl }}",
+ "spring.activemq.user": "{{ .Values.oscreds.activemq.user }}",
+ "spring.activemq.password": "{{ .Values.oscreds.activemq.password }}",
+ "logging.level.org.springframework" : "{{ .Values.spring.logLevel | default "INFO" }}",
+ "logging.level.org.etsi.osl.cridge" : "{{ .Values.logLevel | default "INFO" }}"
+ }
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ volumeMounts:
+ - name: cridge-kubeconfig
+ readOnly: true
+ mountPath: /root/.kube
+ restartPolicy: Always
+ volumes:
+ - name: cridge-kubeconfig
+ secret:
+ secretName: {{ include "openslice.fullname" . }}-cridge-kubeconfig
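Review bot: The broker user and password are rendered in clear into the `SPRING_APPLICATION_JSON` env var, so they are stored in the Deployment object itself and show up in `kubectl describe`/`get -o yaml` for anyone with read access to workloads, not just to Secrets. Move `spring.activemq.user` and `spring.activemq.password` into a Secret and inject them with `valueFrom.secretKeyRef` (Spring Boot's relaxed binding also accepts `SPRING_ACTIVEMQ_USER` / `SPRING_ACTIVEMQ_PASSWORD`), leaving only the broker URL and log levels in the JSON blob. Since the pod authenticates to the target cluster with the mounted kubeconfig rather than with its own token, the pod spec should also carry `automountServiceAccountToken: false` unless cridge additionally needs in-cluster access. Finally `.Values.resources` is not defined in values.yaml, so `toYaml` renders `resources: null` and the container runs with no limits; add a `resources:` stanza to values or state in a comment that it is intentionally left to the operator.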
diff --git a/helm/cridge/templates/secret.yaml b/helm/cridge/templates/secret.yaml
new file mode 100644
index 0000000..2f2e547
--- /dev/null
+++ b/helm/cridge/templates/secret.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ include "openslice.fullname" . }}
+ org.etsi.osl.service: cridge
+ chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+ {{- include "openslice.labels" . | nindent 4 }}
+ name: {{ include "openslice.fullname" . }}-cridge-kubeconfig
+type: Opaque
+data:
+ config: |-
+ {{ .Files.Get "files/org.etsi.osl.cridge/config.yaml" | b64enc | nindent 4 }}
diff --git a/helm/cridge/values.yaml b/helm/cridge/values.yaml
new file mode 100644
index 0000000..8a5ae77
--- /dev/null
+++ b/helm/cridge/values.yaml
@@ -0,0 +1,36 @@
+# Default values for cridge.
+
+replicaCount: 1
+
+image:
+ cridge:
+ repository: labs.etsi.org:5050/osl/code/org.etsi.osl.cridge
+ pullPolicy: Always
+ # Overrides the image tag whose default is the chart appVersion.
+ tag: "2024Q2_RC"
+
+oscreds:
+ activemq:
+ brokerUrl: tcp://myopenslice-artemis:61616?jms.watchTopicAdvisories=false # Where the cridge should connect to
+ user: artemis
+ password: artemis
+
+logLevel: INFO
+spring:
+ loglevel: INFO
+
+autoscaling:
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 100
+ targetCPUUtilizationPercentage: 80
+ targetMemoryUtilizationPercentage: 80
+
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # Annotations to add to the service account
+ annotations: {}
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name: ""
-- 
GitLab

From 3d593b1ab0bc76ebbe46a9343ecbfd1c61da713d Mon Sep 17 00:00:00 2001
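Review bot: values.yaml ships a working default credential pair for the broker (`user: artemis`, `password: artemis`), so a release installed without overrides connects with a well-known password, and this file is the first place anyone looks for it. Make the defaults empty strings and guard the template with `required "oscreds.activemq.password must be set" .Values.oscreds.activemq.password`, or add an `existingSecret` option so the password never travels through values at all. Separately, the key is spelled `spring.loglevel` here while deployment.yaml reads `.Values.spring.logLevel`, so this setting is never picked up and the template's `default "INFO"` always wins — rename it to `logLevel`. With `pullPolicy: Always` and a mutable tag, consider an optional `image.cridge.digest` so what runs is pinned to what was reviewed.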
From: Dimitrios Giannopoulos
Date: Mon, 2 Sep 2024 17:29:55 +0300
Subject: [PATCH 2/7] feat: aligned filename to path

---
 helm/cridge/templates/secret.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/helm/cridge/templates/secret.yaml b/helm/cridge/templates/secret.yaml
index 2f2e547..1b4b9d1 100644
--- a/helm/cridge/templates/secret.yaml
+++ b/helm/cridge/templates/secret.yaml
@@ -11,4 +11,4 @@ metadata:
 type: Opaque
 data:
 config: |-
- {{ .Files.Get "files/org.etsi.osl.cridge/config.yaml" | b64enc | nindent 4 }}
+ {{ .Files.Get "files/org.etsi.osl.cridge/kubeconfig.yaml" | b64enc | nindent 4 }}
-- 
GitLab

From 3508688c13665db8fa6784c59de813c349a8615c Mon Sep 17 00:00:00 2001
From: Dimitrios Giannopoulos
Date: Thu, 5 Sep 2024 16:08:14 +0300
Subject: [PATCH 3/7] feat: error handling and kubeconfig from local dir

---
 helm/cridge/templates/deployment.yaml | 4 ----
 helm/cridge/templates/secret.yaml | 3 ++-
 2 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/helm/cridge/templates/deployment.yaml b/helm/cridge/templates/deployment.yaml
index cbdc132..03d55fe 100644
--- a/helm/cridge/templates/deployment.yaml
+++ b/helm/cridge/templates/deployment.yaml
@@ -24,10 +24,6 @@ spec:
 org.etsi.osl.service: cridge
 {{- include "openslice.selectorLabels" . | nindent 8 }}
 spec:
-# initContainers:
-# - name: init-osscapi
-# image: busybox:1.28
-# command: ['sh', '-c', "until nslookup {{ include "openslice.fullname" . }}-osscapi; do echo waiting for osscapi; sleep 2; done"]
 containers:
 - image: "{{ .Values.image.cridge.repository }}:{{ .Values.image.cridge.tag | default .Chart.AppVersion }}"
 imagePullPolicy: {{ .Values.image.cridge.pullPolicy | default "Always" }}
diff --git a/helm/cridge/templates/secret.yaml b/helm/cridge/templates/secret.yaml
index 1b4b9d1..e790b53 100644
--- a/helm/cridge/templates/secret.yaml
+++ b/helm/cridge/templates/secret.yaml
@@ -1,3 +1,4 @@
+{{- $kubeconfig := .Values.kubeconfig | default (.Files.Get "files/org.etsi.osl.cridge/kubeconfig.yaml") -}}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -11,4 +12,4 @@ metadata:
 type: Opaque
 data:
 config: |-
- {{ .Files.Get "files/org.etsi.osl.cridge/kubeconfig.yaml" | b64enc | nindent 4 }}
+ {{- required "A kubeconfig file is required." ($kubeconfig | b64enc) | nindent 4 }}
-- 
GitLab

From 7086b236cad740cfbd0c695000527269d2b839ab Mon Sep 17 00:00:00 2001
From: Dimitrios Giannopoulos
Date: Thu, 14 Nov 2024 17:12:32 +0200
Subject: [PATCH 4/7] feat: added capability to input kubeconf as b64

---
 .../{kubeconfig.yaml => kubeconfig.yaml.empty} | 0
 helm/cridge/templates/deployment.yaml | 8 +++-----
 helm/cridge/templates/secret.yaml | 17 +++++++++++++++--
 helm/cridge/values.yaml | 13 +++++--------
 4 files changed, 23 insertions(+), 15 deletions(-)
 rename helm/cridge/files/org.etsi.osl.cridge/{kubeconfig.yaml => kubeconfig.yaml.empty} (100%)

diff --git a/helm/cridge/files/org.etsi.osl.cridge/kubeconfig.yaml b/helm/cridge/files/org.etsi.osl.cridge/kubeconfig.yaml.empty
similarity index 100%
rename from helm/cridge/files/org.etsi.osl.cridge/kubeconfig.yaml
rename to helm/cridge/files/org.etsi.osl.cridge/kubeconfig.yaml.empty
diff --git a/helm/cridge/templates/deployment.yaml b/helm/cridge/templates/deployment.yaml
index 03d55fe..e276c71 100644
--- a/helm/cridge/templates/deployment.yaml
+++ b/helm/cridge/templates/deployment.yaml
@@ -9,9 +9,7 @@ metadata:
 {{- include "openslice.labels" . | nindent 4 }}
 name: {{ include "openslice.fullname" . }}-cridge
 spec:
- {{- if not .Values.autoscaling.enabled }}
 replicas: {{ .Values.replicaCount }}
- {{- end }}
 selector:
 matchLabels:
 app: {{ include "openslice.fullname" . }}
@@ -41,11 +39,11 @@ spec:
 resources:
 {{- toYaml .Values.resources | nindent 12 }}
 volumeMounts:
- - name: cridge-kubeconfig
+ - name: kubeconfig
 readOnly: true
 mountPath: /root/.kube
 restartPolicy: Always
 volumes:
- - name: cridge-kubeconfig
+ - name: kubeconfig
 secret:
- secretName: {{ include "openslice.fullname" . }}-cridge-kubeconfig
+ secretName: {{ include "openslice.fullname" . }}-kubeconfig
diff --git a/helm/cridge/templates/secret.yaml b/helm/cridge/templates/secret.yaml
index e790b53..5d0e729 100644
--- a/helm/cridge/templates/secret.yaml
+++ b/helm/cridge/templates/secret.yaml
@@ -1,4 +1,13 @@
-{{- $kubeconfig := .Values.kubeconfig | default (.Files.Get "files/org.etsi.osl.cridge/kubeconfig.yaml") -}}
+{{- $kubeconfigBase64 := .Values.kubeconfig.base64 | default "" -}}
+{{- $kubeconfigFile := .Values.kubeconfig.raw | default (.Files.Get "files/org.etsi.osl.cridge/kubeconfig.yaml") -}}
+{{- $kubeconfig := "" -}}
+
+{{- if $kubeconfigBase64 }}
+ {{- $kubeconfig = $kubeconfigBase64 | b64dec }}
+{{- else if $kubeconfigFile }}
+ {{- $kubeconfig = $kubeconfigFile }}
+{{- end }}
+
 apiVersion: v1
 kind: Secret
 metadata:
@@ -8,8 +17,12 @@ metadata:
 org.etsi.osl.service: cridge
 chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
 {{- include "openslice.labels" . | nindent 4 }}
- name: {{ include "openslice.fullname" . }}-cridge-kubeconfig
+ name: {{ include "openslice.fullname" . }}-kubeconfig
 type: Opaque
 data:
 config: |-
+ {{- if $kubeconfig }}
+ {{ $kubeconfig | b64enc | nindent 4 }}
+ {{- else }}
 {{- required "A kubeconfig file is required." ($kubeconfig | b64enc) | nindent 4 }}
+ {{- end }}
diff --git a/helm/cridge/values.yaml b/helm/cridge/values.yaml
index 8a5ae77..e92e4e9 100644
--- a/helm/cridge/values.yaml
+++ b/helm/cridge/values.yaml
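Review bot: `$kubeconfigBase64 | b64dec` in the first secret.yaml hunk does not fail on malformed input — sprig's `b64dec` returns the decoder's error message as the result string — so a mistyped value passes the `if $kubeconfig` check and is written into the Secret as the kubeconfig, surfacing only as an opaque auth error at runtime. Since that value is already base64 it can go into `data` untouched, which also removes the decode/re-encode round trip, and the `else` branch calling `required` on a string that is known to be empty is just a roundabout `fail`. The `.Files.Get` fallback always yields `""` once this commit renames the file to `kubeconfig.yaml.empty`, so it can go unless operators are expected to drop a file there before packaging. A rewrite of the preamble and the `data` stanza along these lines:
```yaml
{{- $kubeconfigBase64 := .Values.kubeconfig.base64 | default "" | nospace -}}
{{- $kubeconfigRaw := .Values.kubeconfig.raw | default "" -}}
{{- if and (not $kubeconfigBase64) (not $kubeconfigRaw) -}}
{{- fail "A kubeconfig is required: set kubeconfig.base64 or kubeconfig.raw" -}}
{{- end }}
# … unchanged: apiVersion, kind, metadata …
type: Opaque
data:
  {{- if $kubeconfigBase64 }}
  config: {{ $kubeconfigBase64 | quote }}
  {{- else }}
  config: {{ $kubeconfigRaw | b64enc | quote }}
  {{- end }}
```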
@@ -11,7 +11,7 @@ image:
 
 oscreds:
 activemq:
- brokerUrl: tcp://myopenslice-artemis:61616?jms.watchTopicAdvisories=false # Where the cridge should connect to
+ brokerUrl: tcp://openslice-artemis:61616?jms.watchTopicAdvisories=false # Where the cridge should connect to
 user: artemis
 password: artemis
 
@@ -19,13 +19,6 @@ logLevel: INFO
 spring:
 loglevel: INFO
 
-autoscaling:
- enabled: false
- minReplicas: 1
- maxReplicas: 100
- targetCPUUtilizationPercentage: 80
- targetMemoryUtilizationPercentage: 80
-
 serviceAccount:
 # Specifies whether a service account should be created
 create: true
@@ -34,3 +27,7 @@ serviceAccount:
 # The name of the service account to use.
 # If not set and create is true, a name is generated using the fullname template
 name: ""
+
+kubeconfig:
+ base64: "" # Provide base64-encoded kubeconfig here if available
+ raw: "" # Provide raw kubeconfig here if available
-- 
GitLab

From 3abf3fa2954a6a4858ca0991b90077975f7ad005 Mon Sep 17 00:00:00 2001
From: Dimitrios Giannopoulos
Date: Thu, 14 Nov 2024 17:25:27 +0200
Subject: [PATCH 5/7] feat: added security context features

---
 helm/cridge/templates/deployment.yaml | 8 ++++++++
 helm/cridge/values.yaml | 15 +++++++-------
 2 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/helm/cridge/templates/deployment.yaml b/helm/cridge/templates/deployment.yaml
index e276c71..0353795 100644
--- a/helm/cridge/templates/deployment.yaml
+++ b/helm/cridge/templates/deployment.yaml
@@ -38,6 +38,14 @@ spec:
 }
 resources:
 {{- toYaml .Values.resources | nindent 12 }}
+ securityContext:
+ {{- if .Values.securityContext.enabled }}
+ allowPrivilegeEscalation: {{ .Values.securityContext.allowPrivilegeEscalation }}
+ capabilities:
+ drop: {{ .Values.securityContext.capabilities.drop }}
+ seccompProfile:
+ type: {{ .Values.securityContext.seccompProfile.type }}
+ {{- end }}
 volumeMounts:
 - name: kubeconfig
 readOnly: true
diff --git a/helm/cridge/values.yaml b/helm/cridge/values.yaml
index e92e4e9..bb1ed6d 100644
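Review bot: `kubeconfig.raw` and `kubeconfig.base64` in the `@@ -34,3 +27,7 @@` hunk carry a complete client credential (cluster CA, client certificate and private key) through values, so it ends up in every committed values override, in `--set` shell history and in the Helm release record stored in the namespace, on top of the Secret the chart renders. Add a `kubeconfig.existingSecret` option under which the Deployment mounts a pre-created Secret and secret.yaml is skipped, and say in the comments what the inline fields imply, e.g. `# Development only: anything set here is also kept in the Helm release history; prefer existingSecret`.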
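Review bot: The container `securityContext` added in the deployment.yaml hunk drops capabilities and blocks privilege escalation but leaves `runAsNonRoot` and `readOnlyRootFilesystem` unset, and the kubeconfig is still mounted under `/root/.kube`, which only works while the process runs as root. If the image permits it, add `runAsNonRoot: true` and `readOnlyRootFilesystem: true`, put `seccompProfile` at the pod level as well, and either mount under a non-root home or point the client at the mount via a `KUBECONFIG` env var (assuming the Kubernetes client in use honours it — worth confirming). Two rendering details: `drop: {{ .Values.securityContext.capabilities.drop }}` prints the Go slice form, which happens to parse for `["ALL"]` but is not guaranteed for other inputs — `{{- toYaml .Values.securityContext.capabilities.drop | nindent N }}` is the safe form; and the `securityContext:` key sits outside the `if`, so `enabled: false` renders `securityContext: null`, harmless but confusing, so move the key inside the conditional.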
--- a/helm/cridge/values.yaml
+++ b/helm/cridge/values.yaml
@@ -19,14 +19,13 @@ logLevel: INFO
 spring:
 loglevel: INFO
 
-serviceAccount:
- # Specifies whether a service account should be created
- create: true
- # Annotations to add to the service account
- annotations: {}
- # The name of the service account to use.
- # If not set and create is true, a name is generated using the fullname template
- name: ""
+securityContext:
+ enabled: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: RuntimeDefault
 
 kubeconfig:
 base64: "" # Provide base64-encoded kubeconfig here if available
-- 
GitLab

From d11aead239fc2a442f02097dd0740b520c02aa23 Mon Sep 17 00:00:00 2001
From: Dimitrios Giannopoulos
Date: Fri, 22 Nov 2024 15:13:09 +0200
Subject: [PATCH 6/7] feat: use develop tag

---
 helm/cridge/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/helm/cridge/values.yaml b/helm/cridge/values.yaml
index bb1ed6d..1d87a53 100644
--- a/helm/cridge/values.yaml
+++ b/helm/cridge/values.yaml
@@ -7,7 +7,7 @@ image:
 repository: labs.etsi.org:5050/osl/code/org.etsi.osl.cridge
 pullPolicy: Always
 # Overrides the image tag whose default is the chart appVersion.
- tag: "2024Q2_RC"
+ tag: "develop"
 
 oscreds:
 activemq:
-- 
GitLab

From 8c8c6f60b4098a5322fe87e03135c7768ea699aa Mon Sep 17 00:00:00 2001
From: Dimitrios Giannopoulos
Date: Fri, 22 Nov 2024 15:20:42 +0200
Subject: [PATCH 7/7] feat: update appversion in chart

---
 helm/cridge/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/helm/cridge/Chart.yaml b/helm/cridge/Chart.yaml
index e8bf1a8..b2f5982 100644
--- a/helm/cridge/Chart.yaml
+++ b/helm/cridge/Chart.yaml
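Review bot: The `@@ -19,14 +19,13 @@` hunk deletes the whole `serviceAccount` block while `_helpers.tpl` still defines `openslice.serviceAccountName`, which dereferences `.Values.serviceAccount.create`; nothing includes that helper today so rendering still succeeds, but the first template that does will fail on a nil `.Values.serviceAccount`. Either remove the unused helper in the same change or keep a minimal `serviceAccount: {create: false, name: ""}` so the helper's contract holds. The removal also reads as a side effect of pasting the `securityContext` block over it rather than a deliberate decision; a one-line comment in values.yaml such as `# No service account settings: cridge authenticates with the mounted kubeconfig, not an in-cluster token` would make the intent explicit.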
@@ -20,4 +20,4 @@ version: 1.0.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 2024Q2
+appVersion: 2024Q4-SNAPSHOT
-- 
GitLab