From ae2d02810cdb6a22561b2f801168c539b10fccd8 Mon Sep 17 00:00:00 2001
From: Anthony Yeh
Date: Thu, 24 Jun 2021 23:34:20 -0500
Subject: [PATCH] Add signadot/workspaces chart.
---
 README.md | 1 +
 signadot/workspaces/.gitignore | 1 +
 signadot/workspaces/.helmignore | 23 +
 signadot/workspaces/Chart.yaml | 15 +
 signadot/workspaces/README.md | 37 ++
 signadot/workspaces/templates/NOTES.txt | 7 +
 signadot/workspaces/templates/agent.yaml | 751 +++++++++++++++++++++++
 signadot/workspaces/values.yaml | 0
 8 files changed, 835 insertions(+)
 create mode 100644 README.md
 create mode 100644 signadot/workspaces/.gitignore
 create mode 100644 signadot/workspaces/.helmignore
 create mode 100644 signadot/workspaces/Chart.yaml
 create mode 100644 signadot/workspaces/README.md
 create mode 100644 signadot/workspaces/templates/NOTES.txt
 create mode 100644 signadot/workspaces/templates/agent.yaml
 create mode 100644 signadot/workspaces/values.yaml
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..3e1c29f
--- /dev/null
+++ b/README.md
@@ -0,0 +1 @@
+# Signadot Helm Chart Repository
diff --git a/signadot/workspaces/.gitignore b/signadot/workspaces/.gitignore
new file mode 100644
index 0000000..1377554
--- /dev/null
+++ b/signadot/workspaces/.gitignore
@@ -0,0 +1 @@
+*.swp
diff --git a/signadot/workspaces/.helmignore b/signadot/workspaces/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/signadot/workspaces/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/signadot/workspaces/Chart.yaml b/signadot/workspaces/Chart.yaml
new file mode 100644
index 0000000..1314d44
--- /dev/null
+++ b/signadot/workspaces/Chart.yaml
@@ -0,0 +1,15 @@
+apiVersion: v2
+name: workspaces
+description: In-cluster components for Signadot Workspaces
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.5.4"
diff --git a/signadot/workspaces/README.md b/signadot/workspaces/README.md
new file mode 100644
index 0000000..5d42c27
--- /dev/null
+++ b/signadot/workspaces/README.md
@@ -0,0 +1,37 @@
+# Signadot Workspaces
+
+This chart installs the in-cluster components for Signadot Workspaces.
+
+## Prerequisites
+
+Please [install cert-manager](https://cert-manager.io/docs/installation/kubernetes/)
+first if it's not already installed in the cluster.
+This chart relies on cert-manager to generate the certificate for its admission webhook.
+
+## Installation
+
+```sh
+# Install
+helm repo add signadot https://charts.signadot.com
+helm install signadot-workspaces signadot/workspaces
+
+# Upgrade
+helm repo update
+helm upgrade signadot-workspaces signadot/workspaces
+
+# Uninstall
+helm uninstall signadot-workspaces
+```
+
+## Cluster Registration
+
+In addition to installing this chart, the cluster must also be registered
+in the [Signadot Workspaces console](https://app.signadot.com).
+
+After generating a cluster token, complete the registration by populating a Secret
+called `cluster-agent` in the `signadot` namespace:
+
+```sh
+# Replace "..." with the token value.
+kubectl -n signadot create secret generic cluster-agent --from-literal=token=...
+```
diff --git a/signadot/workspaces/templates/NOTES.txt b/signadot/workspaces/templates/NOTES.txt
new file mode 100644
index 0000000..a697692
--- /dev/null
+++ b/signadot/workspaces/templates/NOTES.txt
@@ -0,0 +1,7 @@
+Please visit https://app.signadot.com to register this cluster and create a cluster token.
+
+Then populate the cluster token in a Secret by running the following command
+with "..." replaced by the token value.
+
+kubectl -n signadot create secret generic cluster-agent --from-literal=token=...
+
diff --git a/signadot/workspaces/templates/agent.yaml b/signadot/workspaces/templates/agent.yaml
new file mode 100644
index 0000000..8abb27e
--- /dev/null
+++ b/signadot/workspaces/templates/agent.yaml
@@ -0,0 +1,751 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: signadot +--- +apiVersion: v1 +kind: Namespace +metadata: + labels: + control-plane: controller-manager + name: signadot-operator +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.4.1 + creationTimestamp: null + name: signadotroutes.signadot.com +spec: + group: signadot.com + names: + kind: SignadotRoute + listKind: SignadotRouteList + plural: signadotroutes + shortNames: + - sdr + singular: signadotroute + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: SignadotRoute is the Schema for the signadotroutes API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: SignadotRouteSpec defines the desired state of SignadotRoute + properties: + containerPorts: + description: ContainerPorts are all the ports declared by all containers + in the underlying workload. + items: + description: ContainerPort represents a network port in a single + container. + properties: + containerPort: + description: Number of port to expose on the pod's IP address. + This must be a valid port number, 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external port to. 
+ type: string + hostPort: + description: Number of port to expose on the host. If specified, + this must be a valid port number, 0 < x < 65536. If HostNetwork + is specified, this must match ContainerPort. Most containers + do not need this. + format: int32 + type: integer + name: + description: If specified, this must be an IANA_SVC_NAME and + unique within the pod. Each named port in a pod must have + a unique name. Name for the port that can be referred to by + services. + type: string + protocol: + default: TCP + description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults + to "TCP". + type: string + required: + - containerPort + type: object + type: array + workloadID: + description: WorkloadID is the unique ID of the original workload + (e.g. a Deployment) that was cloned into the destination workspace. + type: string + workspaceID: + description: WorkspaceID is the unique ID of the destination workspace + of this route. + type: string + required: + - containerPorts + - workloadID + - workspaceID + type: object + status: + description: SignadotRouteStatus defines the observed state of SignadotRoute + properties: + endpoints: + description: Endpoints are the currently-available (Ready) endpoints + for this route, if any. + items: + description: RouteEndpoint is one endpoint that can be used to satisfy + a given route. + properties: + address: + description: Address is the IP or host (no port). + type: string + port: + description: Port is the port number. 
+ format: int32 + type: integer + required: + - address + - port + type: object + type: array + observedGeneration: + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.4.1 + creationTimestamp: null + name: signadotworkspaces.signadot.com +spec: + group: signadot.com + names: + kind: SignadotWorkspace + listKind: SignadotWorkspaceList + plural: signadotworkspaces + shortNames: + - sdw + singular: signadotworkspace + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: SignadotWorkspace can be used to create a workspace in which + customized versions of one or more workloads (e.g. running work-in-progress + code) run alongside the real workloads and serve only those requests that + are explicitly tagged to run in this workspace. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: SignadotWorkspaceSpec defines the desired state of SignadotWorkspace + properties: + customization: + description: Customization describes the ways in which live workloads + running in the cluster should be customized for this workspace. + properties: + images: + description: "Images to replace when cloning workloads (e.g. Deployments) + for this workspace. \n Any live Deployment (one that isn't part + of a workspace) that uses an image from this list will be cloned + and the clone will use the new image name and/or tag specified." + items: + description: ImageReplacement describes a rule for replacing + images in cloned containers. + properties: + name: + description: "Name specifies which image name in live workloads + will be replaced. \n Example: us.gcr.io/my-staging-registry/widget" + type: string + newName: + description: "NewName provides a replacement for the image + name (the part before the tag). If this is left unset, + the image name will not be changed. \n Example: us.gcr.io/my-dev-registry/username/widget" + type: string + newTag: + description: "NewTag provides a replacement tag for the + image. If this is left unset, the image tag will not be + changed. \n Example: v1.0.0-snapshot-abc123" + type: string + required: + - name + type: object + type: array + type: object + id: + description: ID should be a unique identifier for the workspace. It + can be up to 63 alphanumeric characters. + type: string + required: + - id + type: object + status: + description: SignadotWorkspaceStatus defines the observed state of SignadotWorkspace + properties: + customizedDeployments: + description: CustomizedDeployments is the number of Deployments that + have been cloned and customized. 
+ format: int32 + type: integer + observedGeneration: + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: signadot-controller-manager + namespace: signadot-operator +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: agent + namespace: signadot +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: routeserver + namespace: signadot +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: signadot-leader-election-role + namespace: signadot-operator +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: signadot-agent +rules: +- apiGroups: + - signadot.com + resources: + - signadotworkspaces + verbs: + - get + - list + - watch + - create + - update + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: signadot-manager-role +rules: +- apiGroups: + - "" + resources: + - services + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - apps + resources: + - deployments + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - apps + resources: + - replicasets + verbs: + - get + - list + - watch +- apiGroups: + - signadot.com + resources: + - signadotroutes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - signadot.com + resources: + - 
signadotroutes/finalizers + verbs: + - update +- apiGroups: + - signadot.com + resources: + - signadotroutes/status + verbs: + - get + - patch + - update +- apiGroups: + - signadot.com + resources: + - signadotworkspaces + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - signadot.com + resources: + - signadotworkspaces/finalizers + verbs: + - update +- apiGroups: + - signadot.com + resources: + - signadotworkspaces/status + verbs: + - get + - patch + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: signadot-metrics-reader +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: signadot-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: signadot-routeserver +rules: +- apiGroups: + - signadot.com + resources: + - signadotroutes + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: signadot-leader-election-rolebinding + namespace: signadot-operator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: signadot-leader-election-role +subjects: +- kind: ServiceAccount + name: signadot-controller-manager + namespace: signadot-operator +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: signadot-agent +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: signadot-agent +subjects: +- kind: ServiceAccount + name: agent + namespace: signadot +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: signadot-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: 
ClusterRole + name: signadot-manager-role +subjects: +- kind: ServiceAccount + name: signadot-controller-manager + namespace: signadot-operator +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: signadot-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: signadot-proxy-role +subjects: +- kind: ServiceAccount + name: signadot-controller-manager + namespace: signadot-operator +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: signadot-routeserver +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: signadot-routeserver +subjects: +- kind: ServiceAccount + name: routeserver + namespace: signadot +--- +apiVersion: v1 +data: + controller_manager_config.yaml: | + apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 + kind: ControllerManagerConfig + health: + healthProbeBindAddress: :8081 + metrics: + bindAddress: 127.0.0.1:8080 + webhook: + port: 9443 + leaderElection: + leaderElect: true + resourceName: 42470b05.signadot.com +kind: ConfigMap +metadata: + name: signadot-manager-config + namespace: signadot-operator +--- +apiVersion: v1 +kind: Service +metadata: + labels: + control-plane: controller-manager + name: signadot-controller-manager-metrics-service + namespace: signadot-operator +spec: + ports: + - name: https + port: 8443 + targetPort: https + selector: + control-plane: controller-manager +--- +apiVersion: v1 +kind: Service +metadata: + name: signadot-webhook-service + namespace: signadot-operator +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + control-plane: controller-manager +--- +apiVersion: v1 +kind: Service +metadata: + name: routeserver + namespace: signadot +spec: + ports: + - port: 8080 + selector: + app: routeserver +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + control-plane: controller-manager + name: signadot-controller-manager + namespace: signadot-operator +spec: + 
replicas: 1 + selector: + matchLabels: + control-plane: controller-manager + template: + metadata: + labels: + control-plane: controller-manager + spec: + containers: + - args: + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + command: + - /manager + image: signadot/workspaces-operator:latest + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + ports: + - containerPort: 9443 + name: webhook-server + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 + name: kube-rbac-proxy + ports: + - containerPort: 8443 + name: https + securityContext: + runAsNonRoot: true + serviceAccountName: signadot-controller-manager + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: agent + namespace: signadot +spec: + replicas: 1 + selector: + matchLabels: + app: signadot-agent + template: + metadata: + labels: + app: signadot-agent + spec: + containers: + - args: + - --agent-token=$(AGENT_TOKEN) + - --tunnel-addr=preview.signadot.com:2222 + - --tunnel-ca=/app/tunnel-server.crt + env: + - name: AGENT_TOKEN + valueFrom: + secretKeyRef: + key: token + name: cluster-agent + image: signadot/workspaces-agent:v0.5.4-7fabc2b + imagePullPolicy: IfNotPresent + name: agent + ports: + - containerPort: 8088 + serviceAccountName: agent +--- 
+apiVersion: apps/v1 +kind: Deployment +metadata: + name: routeserver + namespace: signadot +spec: + replicas: 1 + selector: + matchLabels: + app: routeserver + template: + metadata: + labels: + app: routeserver + spec: + containers: + - image: signadot/workspaces-routeserver + imagePullPolicy: IfNotPresent + name: routeserver + ports: + - containerPort: 8080 + serviceAccountName: routeserver +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: signadot-serving-cert + namespace: signadot-operator +spec: + dnsNames: + - signadot-webhook-service.signadot-operator.svc + - signadot-webhook-service.signadot-operator.svc.cluster.local + issuerRef: + kind: Issuer + name: signadot-selfsigned-issuer + secretName: webhook-server-cert +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: signadot-selfsigned-issuer + namespace: signadot-operator +spec: + selfSigned: {} +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: signadot-operator/signadot-serving-cert + name: signadot-mutating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: signadot-webhook-service + namespace: signadot-operator + path: /mutate-v1-pod + failurePolicy: Ignore + name: sidecar-injector.signadot.com + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + resources: + - pods + sideEffects: None diff --git a/signadot/workspaces/values.yaml b/signadot/workspaces/values.yaml new file mode 100644 index 0000000..e69de29
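Review bot: In the `agent` Deployment near the end of the hunk, the cluster token is handed to the process as `--agent-token=$(AGENT_TOKEN)`, so the kubelet expands the Secret into argv where it is readable from `/proc/<pid>/cmdline` by any process sharing the pod or node; if the binary can read `AGENT_TOKEN` from the environment or a mounted Secret file (not visible here), dropping the flag and keeping only the `env` entry keeps the token off the command line. The operator runs `signadot/workspaces-operator:latest` and the routeserver an untagged `signadot/workspaces-routeserver`, both with `imagePullPolicy: IfNotPresent`, while `values.yaml` is empty and the template has no `{{ }}` placeholders, so a deployer cannot pin a tag or digest — exposing per-component `image.repository`/`image.tag` values would also let `Chart.yaml`'s `appVersion: "1.5.4"` track what is actually deployed (the agent is `v0.5.4-7fabc2b`). The MutatingWebhookConfiguration matches every pod CREATE in every namespace with no `namespaceSelector`, so the injector also mutates `kube-system` and the chart's own control-plane pods, and `failurePolicy: Ignore` is fail-open (a pod created while the webhook is down silently gets no sidecar) — likely the intended availability trade-off, but worth a comment and a selector excluding system namespaces. The `agent` and `routeserver` containers also carry no `securityContext` or `resources`, unlike `manager`; the additions below bring them in line with the rest of the chart.
```yaml
# … unchanged: webhook clientConfig, rules …
  namespaceSelector:
    matchExpressions:
    - key: kubernetes.io/metadata.name
      operator: NotIn
      values:
      - kube-system
      - signadot-operator
  sideEffects: None

# … unchanged: agent Deployment args, env, image, name, ports …
        securityContext:
          allowPrivilegeEscalation: false
          runAsNonRoot: true
          capabilities:
            drop:
            - ALL
        resources:  # constructed example values; size from observed usage
          requests:
            cpu: 50m
            memory: 64Mi
          limits:
            cpu: 100m
            memory: 128Mi
```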