From 3e99f129854c322ec26df2342983c9349c36532a Mon Sep 17 00:00:00 2001
From: Konrad Ohms
Date: Wed, 16 Apr 2025 13:55:50 +0200
Subject: [PATCH 1/5] chore: Add image-pre-pulling to Makefile
---
 Makefile | 31 ++++++++
 ci/scripts/instana-agent-image-prepuller.yaml | 72 +++++++++++++++++++
 2 files changed, 103 insertions(+)
 create mode 100644 ci/scripts/instana-agent-image-prepuller.yaml
diff --git a/Makefile b/Makefile
index c6d08825..be9b2d39 100644
--- a/Makefile
+++ b/Makefile
@@ -69,6 +69,7 @@ else
 endif
 NAMESPACE ?= instana-agent
+NAMESPACE_PREPULLER ?= instana-agent-image-prepuller
 INSTANA_AGENT_CLUSTER_WIDE_RESOURCES := \
 "crd/agents.instana.io" \
@@ -301,6 +302,36 @@ create-pull-secret: ## Creates image pull secret for delivery.instana.io from yo
 @echo "Restarting operator deployment..."
 @kubectl delete pods -l app.kubernetes.io/name=instana-agent-operator -n $(NAMESPACE)
+.PHONY: pre-pull-images
+pre-pull-images: ## Pre-pulls images on the target cluster (useful in slow network situations to run tests reliably)
+ @if [ "$(INSTANA_API_KEY)" == "" ]; then \
+ echo "env variable INSTANA_API_KEY is undefined but should contain the agent download key"; \
+ exit 1; \
+ fi
+ oc new-project $(NAMESPACE_PREPULLER) || true
+ @echo "Creating Docker registry secret..."
+ @echo "Checking if secret containers-instana-io-pull-secret exists in namespace $(NAMESPACE_PREPULLER)..."
+ @if kubectl get secret containers-instana-io-pull-secret -n $(NAMESPACE_PREPULLER) >/dev/null 2>&1; then \
+ echo "Updating existing secret containers-instana-io-pull-secret..."; \
+ kubectl delete secret containers-instana-io-pull-secret -n $(NAMESPACE_PREPULLER); \
+ fi
+ @kubectl create secret docker-registry containers-instana-io-pull-secret \
+ --docker-server=containers.instana.io \
+ --docker-username="_" \
+ --docker-password=$${INSTANA_API_KEY} \
+ -n $(NAMESPACE_PREPULLER)
+ @echo "Start instana-agent-image-prepuller daemonset..."
+ @echo "Checking if daemonset instana-agent-image-prepuller exists in namespace $(NAMESPACE_PREPULLER)..."
+ @if kubectl get ds instana-agent-image-prepuller -n $(NAMESPACE_PREPULLER) >/dev/null 2>&1; then \
+ echo "Updating existing secret containers-instana-io-pull-secret..."; \
+ kubectl delete ds instana-agent-image-prepuller -n $(NAMESPACE_PREPULLER); \
+ kubectl delete pods -n instana-agent-image-prepuller -l name=instana-agent-image-prepuller --force --grace-period=0; \
+ fi
+ @kubectl apply -f ci/scripts/instana-agent-image-prepuller.yaml -n $(NAMESPACE_PREPULLER)
+ @echo "Waiting for the instana-agent-prepuller daemonset"
+ @kubectl rollout status ds/instana-agent-image-prepuller -n $(NAMESPACE_PREPULLER) --timeout=900s
+# if pods should be deleted without waiting for the pull to stop: kubectl delete pods -n instana-agent-image-prepuller -l name=instana-agent-image-prepuller --force --grace-period=0 && kubectl delete ns instana-agent-image-prepuller
+
 .PHONY: dev-run-ocp
 dev-run-ocp: namespace install create-cr run ## Creates a full dev deployment on OCP from scratch, also useful after purge
diff --git a/ci/scripts/instana-agent-image-prepuller.yaml b/ci/scripts/instana-agent-image-prepuller.yaml
new file mode 100644
index 00000000..59cc6dcf
--- /dev/null
+++ b/ci/scripts/instana-agent-image-prepuller.yaml
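Review bot: The agent download key is handed to kubectl as a process argument in `--docker-password=$${INSTANA_API_KEY}`, so for the lifetime of that call it is readable by any process on the CI runner through `ps`/`/proc` and by any shell tracing, even though the recipe line itself is `@`-silenced. `kubectl create secret docker-registry` cannot take the password from stdin, but the equivalent secret can be built by piping a `.dockerconfigjson` document into `kubectl create secret generic`, which keeps the key out of the argument list (the JSON below is not escaped, so it presumes the key contains no quotes or backslashes). The empty-key guard also relies on the bash-only `==` inside `[ ]` and splices the key into the recipe text through make expansion; `@if [ -z "$${INSTANA_API_KEY}" ]; then \` is POSIX and keeps the value on the shell side. Separately, the `kubectl get ds` branch prints the copy-pasted message `"Updating existing secret containers-instana-io-pull-secret..."` although it is about the daemonset.
```make
	@printf '{"auths":{"containers.instana.io":{"username":"_","password":"%s"}}}' "$${INSTANA_API_KEY}" \
	  | kubectl create secret generic containers-instana-io-pull-secret \
	      --type=kubernetes.io/dockerconfigjson \
	      --from-file=.dockerconfigjson=/dev/stdin \
	      -n $(NAMESPACE_PREPULLER)
# … unchanged: daemonset check, apply and rollout wait …
```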
@@ -0,0 +1,72 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: instana-agent-image-prepuller
+spec:
+ selector:
+ matchLabels:
+ name: instana-agent-image-prepuller
+ template:
+ metadata:
+ labels:
+ name: instana-agent-image-prepuller
+ spec:
+ imagePullSecrets:
+ - name: containers-instana-io-pull-secret
+ containers:
+ - name: wait-container
+ image: icr.io/instana/instana-agent-operator:latest
+ command: ["/bin/sh", "-c", "echo 'All images pre-pulled successfully'; sleep 600"]
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ initContainers:
+ - name: pull-operator
+ image: icr.io/instana/instana-agent-operator:latest
+ command: ["/bin/sh", "-c", "echo 'Pulled operator image'"]
+ imagePullPolicy: Always
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ - name: pull-dynamic-agent
+ image: icr.io/instana/agent:latest
+ command: ["/bin/sh", "-c", "echo 'Pulled dynamic agent image'"]
+ imagePullPolicy: Always
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ - name: pull-k8sensor
+ image: icr.io/instana/k8sensor:latest
+ command: ["/ko-app/k8sensor", "--help"]
+ imagePullPolicy: Always
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ - name: pull-static-agent
+ image: containers.instana.io/instana/release/agent/static:latest
+ command: ["/bin/sh", "-c", "echo 'Pulled static agent image'"]
+ imagePullPolicy: Always
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
From 195e760d267a39938979aa5baae7cae4c042c393 Mon Sep 17 00:00:00 2001
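Review bot: The pod template never sets `automountServiceAccountToken: false`, so every prepuller pod on every node is handed a projected API token it has no use for, in the same namespace that holds the registry pull secret; add `automountServiceAccountToken: false` under the pod `spec:` next to `imagePullSecrets`. All five images are referenced by the mutable `:latest` tag with `imagePullPolicy: Always`, which is presumably deliberate for warming what the e2e suite will pull, but it also means the layers pre-pulled here can differ from what the test resolves if the tag moves in between — worth a one-line comment at the top of the manifest stating that these references must match the ones the e2e run uses. The `wait-container` and the four init containers also differ only in `image`, `command` and `imagePullPolicy`, which is fine, but a comment explaining why `IfNotPresent` is used for the operator image in the main container while its init-container twin uses `Always` would save the next reader a guess.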
From: Konrad Ohms
Date: Wed, 16 Apr 2025 14:25:56 +0200
Subject: [PATCH 2/5] chore: Harden pre-pull target and cleanup
---
 Makefile | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/Makefile b/Makefile
index be9b2d39..db676950 100644
--- a/Makefile
+++ b/Makefile
@@ -325,12 +325,15 @@ pre-pull-images: ## Pre-pulls images on the target cluster (useful in slow netwo
 @if kubectl get ds instana-agent-image-prepuller -n $(NAMESPACE_PREPULLER) >/dev/null 2>&1; then \
 echo "Updating existing secret containers-instana-io-pull-secret..."; \
 kubectl delete ds instana-agent-image-prepuller -n $(NAMESPACE_PREPULLER); \
- kubectl delete pods -n instana-agent-image-prepuller -l name=instana-agent-image-prepuller --force --grace-period=0; \
+ kubectl delete pods -n $(NAMESPACE_PREPULLER) -l name=instana-agent-image-prepuller --force --grace-period=0; \
 fi
 @kubectl apply -f ci/scripts/instana-agent-image-prepuller.yaml -n $(NAMESPACE_PREPULLER)
 @echo "Waiting for the instana-agent-prepuller daemonset"
 @kubectl rollout status ds/instana-agent-image-prepuller -n $(NAMESPACE_PREPULLER) --timeout=900s
-# if pods should be deleted without waiting for the pull to stop: kubectl delete pods -n instana-agent-image-prepuller -l name=instana-agent-image-prepuller --force --grace-period=0 && kubectl delete ns instana-agent-image-prepuller
+ @echo "Cleaning up instana-agent-prepuller namespace"
+ kubectl delete ds instana-agent-image-prepuller -n $(NAMESPACE_PREPULLER)
+ kubectl delete pods -n $(NAMESPACE_PREPULLER) -l name=instana-agent-image-prepuller --force --grace-period=0
+ kubectl delete ns -n $(NAMESPACE_PREPULLER)
 .PHONY: dev-run-ocp
 dev-run-ocp: namespace install create-cr run ## Creates a full dev deployment on OCP from scratch, also useful after purge
From e1dd188c9a451d8bf678b68bda1e8df1f298d238 Mon Sep 17 00:00:00 2001
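Review bot: `kubectl delete pods ... --force --grace-period=0`, used both in the update branch and in the new cleanup, removes the pod objects from the API immediately; kubectl's own warning for this flag is that the containers may keep running on the node until the kubelet catches up, which is the opposite of what a pre-pull step on a shared test cluster wants. The only visible reason to force here is the `sleep 600` in the `wait-container`, so setting `terminationGracePeriodSeconds: 1` in the pod spec of `ci/scripts/instana-agent-image-prepuller.yaml` would let a plain `kubectl delete ds instana-agent-image-prepuller -n $(NAMESPACE_PREPULLER)` finish quickly without bypassing graceful termination, and the separate pod deletes could then be dropped, since deleting the DaemonSet already removes its pods. A short comment on the remaining cleanup lines saying why each step exists would help, as the ordering (ds, then pods, then namespace) is not self-explanatory.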
From: Konrad Ohms
Date: Tue, 22 Apr 2025 13:32:01 +0200
Subject: [PATCH 3/5] ci: Pre-pull images on Kubernetes clusters
---
 Makefile | 6 +++---
 ci/pipeline.yaml | 2 ++
 ci/pr-pipeline.yml | 2 ++
 3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/Makefile b/Makefile
index db676950..c282f35c 100644
--- a/Makefile
+++ b/Makefile
@@ -329,11 +329,11 @@ pre-pull-images: ## Pre-pulls images on the target cluster (useful in slow netwo
 fi
 @kubectl apply -f ci/scripts/instana-agent-image-prepuller.yaml -n $(NAMESPACE_PREPULLER)
 @echo "Waiting for the instana-agent-prepuller daemonset"
- @kubectl rollout status ds/instana-agent-image-prepuller -n $(NAMESPACE_PREPULLER) --timeout=900s
+ @kubectl rollout status ds/instana-agent-image-prepuller -n $(NAMESPACE_PREPULLER) --timeout=1800s
 @echo "Cleaning up instana-agent-prepuller namespace"
 kubectl delete ds instana-agent-image-prepuller -n $(NAMESPACE_PREPULLER)
- kubectl delete pods -n $(NAMESPACE_PREPULLER) -l name=instana-agent-image-prepuller --force --grace-period=0
- kubectl delete ns -n $(NAMESPACE_PREPULLER)
+ kubectl delete pods -n $(NAMESPACE_PREPULLER) -l name=instana-agent-image-prepuller --force --grace-period=0 || true
+ kubectl delete ns $(NAMESPACE_PREPULLER)
 .PHONY: dev-run-ocp
 dev-run-ocp: namespace install create-cr run ## Creates a full dev deployment on OCP from scratch, also useful after purge
diff --git a/ci/pipeline.yaml b/ci/pipeline.yaml
index 28440fe8..ec363887 100644
--- a/ci/pipeline.yaml
+++ b/ci/pipeline.yaml
@@ -543,6 +543,7 @@ jobs:
 - |
 cd pipeline-source
 bash ./ci/scripts/cluster-authentication.sh
+ make pre-pull-images
 make e2e
 on_success:
 put: gh-status
@@ -652,6 +653,7 @@ jobs:
 - |
 cd pipeline-source
 bash ./ci/scripts/cluster-authentication.sh
+ make pre-pull-images
 make e2e
 on_success:
 put: gh-status
diff --git a/ci/pr-pipeline.yml b/ci/pr-pipeline.yml
index dd9f4c7c..5d438517 100644
--- a/ci/pr-pipeline.yml
+++ b/ci/pr-pipeline.yml
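Review bot: The cleanup lines only run when `kubectl rollout status` exits zero; a timeout (now up to 1800 s) or any other failure aborts the recipe and leaves the prepuller namespace — including `containers-instana-io-pull-secret` with the agent download key and a DaemonSet still pulling on every node — behind on the shared test cluster until the next run happens to tidy it. Because make runs each recipe line in its own shell, the wait and the cleanup have to be joined into one shell so the cleanup always runs and the rollout's exit code is re-raised afterwards. Deleting the namespace already removes the DaemonSet, its pods and the secret, so the explicit ds/pod deletes are only a speed-up and can tolerate failure.
```make
	@echo "Waiting for the instana-agent-prepuller daemonset"
	@kubectl rollout status ds/instana-agent-image-prepuller -n $(NAMESPACE_PREPULLER) --timeout=1800s; rc=$$?; \
	echo "Cleaning up instana-agent-prepuller namespace"; \
	kubectl delete ds instana-agent-image-prepuller -n $(NAMESPACE_PREPULLER) || true; \
	kubectl delete pods -n $(NAMESPACE_PREPULLER) -l name=instana-agent-image-prepuller --force --grace-period=0 || true; \
	kubectl delete ns $(NAMESPACE_PREPULLER) || rc=1; \
	exit $$rc
```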
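Review bot: `make pre-pull-images` is inserted as a hard step before `make e2e`, so a failure in what the target's own help text describes as a reliability aid — a missing `INSTANA_API_KEY`, or the DaemonSet not becoming ready within the rollout timeout — now fails the e2e job before a single test has run. If that is intended it deserves a one-line comment in the job step; if pre-pulling is meant to be best-effort, `make pre-pull-images || echo "image pre-pull failed, continuing"` keeps the job going and lets e2e report the real outcome. The same applies to the second hunk of this file and to the two hunks in ci/pr-pipeline.yml.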
@@ -624,6 +624,7 @@ jobs:
 - |
 cd pipeline-source
 bash ./ci/scripts/cluster-authentication.sh
+ make pre-pull-images
 make e2e
 on_success:
 put: gh-status
@@ -737,6 +738,7 @@ jobs:
 - |
 cd pipeline-source
 bash ./ci/scripts/cluster-authentication.sh
+ make pre-pull-images
 make e2e
 on_success:
 put: gh-status
From b5bde4be449f4e84fff704a84dca1f361003557f Mon Sep 17 00:00:00 2001
From: Konrad Ohms
Date: Tue, 22 Apr 2025 14:29:24 +0200
Subject: [PATCH 4/5] ci: Don't rely on oc for pre-pull-images
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index c282f35c..9ca8ad55 100644
--- a/Makefile
+++ b/Makefile
@@ -308,7 +308,7 @@ pre-pull-images: ## Pre-pulls images on the target cluster (useful in slow netwo
 echo "env variable INSTANA_API_KEY is undefined but should contain the agent download key"; \
 exit 1; \
 fi
- oc new-project $(NAMESPACE_PREPULLER) || true
+ kubectl create namespace $(NAMESPACE_PREPULLER) || true
 @echo "Creating Docker registry secret..."
 @echo "Checking if secret containers-instana-io-pull-secret exists in namespace $(NAMESPACE_PREPULLER)..."
 @if kubectl get secret containers-instana-io-pull-secret -n $(NAMESPACE_PREPULLER) >/dev/null 2>&1; then \
From ee51cae0775ca6ea448a128fc3e6f6d5de6866e4 Mon Sep 17 00:00:00 2001
From: Konrad Ohms
Date: Thu, 24 Apr 2025 11:06:07 +0200
Subject: [PATCH 5/5] ci: Fix pre-pull-images for GKE and OCP
---
 Makefile | 2 +-
 ci/scripts/instana-agent-image-prepuller-ns.yaml | 7 +++++++
 ci/scripts/instana-agent-image-prepuller.yaml | 10 ++++++++++
 3 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 ci/scripts/instana-agent-image-prepuller-ns.yaml
diff --git a/Makefile b/Makefile
index 9ca8ad55..0fc25994 100644
--- a/Makefile
+++ b/Makefile
@@ -308,7 +308,7 @@ pre-pull-images: ## Pre-pulls images on the target cluster (useful in slow netwo
 echo "env variable INSTANA_API_KEY is undefined but should contain the agent download key"; \
 exit 1; \
 fi
- kubectl create namespace $(NAMESPACE_PREPULLER) || true
+ kubectl apply -f ci/scripts/instana-agent-image-prepuller-ns.yaml || true
 @echo "Creating Docker registry secret..."
 @echo "Checking if secret containers-instana-io-pull-secret exists in namespace $(NAMESPACE_PREPULLER)..."
 @if kubectl get secret containers-instana-io-pull-secret -n $(NAMESPACE_PREPULLER) >/dev/null 2>&1; then \
diff --git a/ci/scripts/instana-agent-image-prepuller-ns.yaml b/ci/scripts/instana-agent-image-prepuller-ns.yaml
new file mode 100644
index 00000000..55a5c854
--- /dev/null
+++ b/ci/scripts/instana-agent-image-prepuller-ns.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: instana-agent-image-prepuller
+ annotations:
+ openshift.io/sa.scc.uid-range: 1000/1000
+ openshift.io/sa.scc.supplemental-groups: 1000/1000
diff --git a/ci/scripts/instana-agent-image-prepuller.yaml b/ci/scripts/instana-agent-image-prepuller.yaml
index 59cc6dcf..3292bab9 100644
--- a/ci/scripts/instana-agent-image-prepuller.yaml
+++ b/ci/scripts/instana-agent-image-prepuller.yaml
@@ -22,6 +22,8 @@ spec:
 allowPrivilegeEscalation: false
 capabilities:
 drop: ["ALL"]
+ runAsUser: 1000
+ runAsGroup: 1000
 runAsNonRoot: true
 seccompProfile:
 type: RuntimeDefault
@@ -34,6 +36,8 @@ spec:
 allowPrivilegeEscalation: false
 capabilities:
 drop: ["ALL"]
+ runAsUser: 1000
+ runAsGroup: 1000
 runAsNonRoot: true
 seccompProfile:
 type: RuntimeDefault
@@ -45,6 +49,8 @@ spec:
 allowPrivilegeEscalation: false
 capabilities:
 drop: ["ALL"]
+ runAsUser: 1000
+ runAsGroup: 1000
 runAsNonRoot: true
 seccompProfile:
 type: RuntimeDefault
@@ -56,6 +62,8 @@ spec:
 allowPrivilegeEscalation: false
 capabilities:
 drop: ["ALL"]
+ runAsUser: 1000
+ runAsGroup: 1000
 runAsNonRoot: true
 seccompProfile:
 type: RuntimeDefault
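Review bot: `kubectl apply -f ci/scripts/instana-agent-image-prepuller-ns.yaml` creates a namespace whose name is fixed inside the manifest, while every following command uses `$(NAMESPACE_PREPULLER)`, which is declared with `?=` and is therefore overridable; `make pre-pull-images NAMESPACE_PREPULLER=foo` would put the pull secret and the DaemonSet into (and at the end try to delete) a namespace that was never created. Either make the variable non-overridable and say so (`NAMESPACE_PREPULLER := instana-agent-image-prepuller  # must match ci/scripts/instana-agent-image-prepuller-ns.yaml`), or create the namespace from the variable and apply the annotations separately: `kubectl create namespace $(NAMESPACE_PREPULLER) --dry-run=client -o yaml | kubectl apply -f -` followed by `kubectl annotate ns $(NAMESPACE_PREPULLER) openshift.io/sa.scc.uid-range=1000/1000 openshift.io/sa.scc.supplemental-groups=1000/1000 --overwrite`. The `|| true` carried over from the `create namespace` line is no longer needed, since `kubectl apply` is idempotent; it now only hides real failures such as an RBAC denial, which then surface later as a confusing secret-creation error.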
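Review bot: The two `openshift.io/sa.scc.*` annotations are presumably there so that the fixed `runAsUser: 1000` / `runAsGroup: 1000` in the DaemonSet fall inside the UID/GID range the restricted SCC allows for this project, and that reasoning belongs in a comment on the manifest, because on a non-OpenShift cluster (the GKE case named in the subject) they are inert and a reader cannot tell why they exist, e.g. `# OCP only: pin the SCC UID/GID range so the pods' runAsUser/runAsGroup 1000 are admitted under the restricted SCC; ignored elsewhere`. On OpenShift these annotations are normally assigned by the cluster when a project is created, so the CI identity presumably needs elevated rights to set them explicitly — worth confirming and noting next to the annotation.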
@@ -67,6 +75,8 @@ spec:
 allowPrivilegeEscalation: false
 capabilities:
 drop: ["ALL"]
+ runAsUser: 1000
+ runAsGroup: 1000
 runAsNonRoot: true
 seccompProfile:
 type: RuntimeDefault
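Review bot: `runAsUser: 1000` / `runAsGroup: 1000` are now repeated in all five container `securityContext` blocks, on top of the already-duplicated `runAsNonRoot` and `seccompProfile`; these four are pod-wide settings and can be declared once under the pod-level `spec.securityContext`, which applies to init containers and the main container alike and keeps future hardening changes to a single place. Only `allowPrivilegeEscalation` and `capabilities` are container-only and have to stay per container. The enclosing DaemonSet pod spec starts outside this hunk.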