diff --git a/.zuul.yaml b/.zuul.yaml index b41a3240..d5ae9311 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -27,6 +27,9 @@ - ^.*\.rst$ - ^doc/.*$ - ^releasenotes/.*$ + experimental: + jobs: + - openstack-helm-addons-sonobuoy - job: name: openstack-helm-addons-linter @@ -51,3 +54,9 @@ required-projects: - openstack/openstack-helm-infra nodeset: openstack-helm-ubuntu + +- job: + name: openstack-helm-addons-sonobuoy + parent: openstack-helm-multinode + nodeset: openstack-helm-ubuntu + run: tools/gate/playbooks/osh-addons-sonobuoy.yaml diff --git a/sonobuoy/Chart.yaml b/sonobuoy/Chart.yaml new file mode 100644 index 00000000..93db831f --- /dev/null +++ b/sonobuoy/Chart.yaml @@ -0,0 +1,22 @@ +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +description: OpenStack-Helm Sonobuoy +name: sonobuoy +version: 0.1.0 +sources: + - https://git.openstack.org/cgit/openstack/openstack-helm-addons +maintainers: + - name: OpenStack-Helm Authors diff --git a/sonobuoy/requirements.yaml b/sonobuoy/requirements.yaml new file mode 100755 index 00000000..53782e69 --- /dev/null +++ b/sonobuoy/requirements.yaml 
@@ -0,0 +1,18 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+ - name: helm-toolkit
+ repository: http://localhost:8879/charts
+ version: 0.1.0
diff --git a/sonobuoy/templates/bin/_run_master.sh.tpl b/sonobuoy/templates/bin/_run_master.sh.tpl
new file mode 100644
index 00000000..e1b689d1
--- /dev/null
+++ b/sonobuoy/templates/bin/_run_master.sh.tpl
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -xe
+
+/sonobuoy master --v 3 --logtostderr
diff --git a/sonobuoy/templates/configmap-bin.yaml b/sonobuoy/templates/configmap-bin.yaml
new file mode 100644
index 00000000..7a04f7c6
--- /dev/null
+++ b/sonobuoy/templates/configmap-bin.yaml
@@ -0,0 +1,27 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: sonobuoy-bin
+data:
+ run_master.sh: |
+{{ tuple "bin/_run_master.sh.tpl" $envAll | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
diff --git a/sonobuoy/templates/configmap-plugins.yaml b/sonobuoy/templates/configmap-plugins.yaml
new file mode 100644
index 00000000..2edc466c
--- /dev/null
+++ b/sonobuoy/templates/configmap-plugins.yaml
@@ -0,0 +1,28 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_plugins }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: sonobuoy-plugins
+data:
+ {{ range .Values.conf.plugins }}
+{{- include "helm-toolkit.snippets.values_template_renderer" ( dict "envAll" $envAll "template" .data "key" .name ) | indent 4 }}
+ {{ end }}
+{{- end }}
diff --git a/sonobuoy/templates/pod-api.yaml b/sonobuoy/templates/pod-api.yaml
new file mode 100644
index 00000000..21dee2f2
--- /dev/null
+++ b/sonobuoy/templates/pod-api.yaml
@@ -0,0 +1,99 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pod_api }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := "sonobuoy-serviceaccount" }}
+{{ tuple $envAll "sonobuoy" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ $serviceAccountName }}
+rules:
+- apiGroups:
+ - '*'
+ resources:
+ - '*'
+ verbs:
+ - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ $serviceAccountName }}-heptio-sonobuoy
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ $serviceAccountName }}
+subjects:
+- kind: ServiceAccount
+ name: {{ $serviceAccountName }}
+ namespace: {{ $envAll.Release.Namespace }}
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ labels:
+{{ tuple $envAll "sonobuoy" "sonobuoy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+ run: sonobuoy-master
+ tier: analysis
+ name: sonobuoy
+ annotations:
+ "helm.sh/hook": test-success
+spec:
+ nodeSelector:
+ {{ .Values.labels.api.node_selector_key }}: {{ .Values.labels.api.node_selector_value}}
+ containers:
+ - name: kube-sonobuoy
+ env:
+ - name: SONOBUOY_ADVERTISE_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+{{ tuple $envAll "sonobuoy_api" | include "helm-toolkit.snippets.image" | indent 4 }}
+ command:
+ - /run_master.sh
+ volumeMounts:
+ - mountPath: /etc/sonobuoy
+ name: sonobuoy-config-volume
+ - mountPath: /plugins.d
+ name: sonobuoy-plugins-volume
+ - mountPath: {{ .Values.conf.sonobuoy.ResultsDir }}
+ name: sonobuoy-output
+ - name: sonobuoy-bin
+ mountPath: /run_master.sh
+ subPath: run_master.sh
+ readOnly: true
+ restartPolicy: Never
+ serviceAccountName: {{ $serviceAccountName }}
+ volumes:
+ - name: sonobuoy-bin
+ configMap:
+ name: sonobuoy-bin
+ defaultMode: 0555
+ - secret:
+ secretName: sonobuoy-etc
+ defaultMode: 0444
+ name: sonobuoy-config-volume
+ - configMap:
+ name: sonobuoy-plugins
+ defaultMode: 0444
+ name: sonobuoy-plugins-volume
+ - emptyDir: {}
+ name: sonobuoy-output
+{{- end }}
diff --git a/sonobuoy/templates/secret-etc.yaml b/sonobuoy/templates/secret-etc.yaml
new file mode 100644
index 00000000..a2990022
--- /dev/null
+++ b/sonobuoy/templates/secret-etc.yaml
@@ -0,0 +1,30 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_etc }}
+{{- if empty .Values.conf.WorkerImage -}}
+{{- $_ := set .Values.conf "WorkerImage" .Values.images.tags.sonobuoy_api -}}
+{{- end -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: sonobuoy-etc
+type: Opaque
+data:
+ config.json: |
+{{ .Values.conf.sonobuoy | toJson | b64enc | indent 4}}
+{{- end }}
diff --git a/sonobuoy/values.yaml b/sonobuoy/values.yaml
new file mode 100644
index 00000000..6c385a2c
--- /dev/null
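Review bot: The ClusterRole in sonobuoy/templates/pod-api.yaml grants `'*'` on every apiGroup, resource and verb and is bound cluster-wide to the pod's service account, which amounts to cluster-admin for anything that runs as `sonobuoy-serviceaccount` or can read its token. As written here only the Pod carries the `helm.sh/hook: test-success` annotation, so the role and binding are ordinary release resources and stay in place for as long as the release is installed, not just while the test runs. If the enabled plugins only collect data, the rule could be narrowed to read verbs, e.g. `verbs: ['get', 'list', 'watch']`, with a namespaced Role for whatever the aggregator has to create; which write permissions Sonobuoy v0.11.4 actually needs is not visible in this change and should be confirmed. The cluster-scoped names are also fixed strings (`sonobuoy-serviceaccount`, `sonobuoy-serviceaccount-heptio-sonobuoy`), so a second release in another namespace would collide on them.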
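Review bot: The WorkerImage default in sonobuoy/templates/secret-etc.yaml is written to `.Values.conf.WorkerImage`, but the Secret serialises `.Values.conf.sonobuoy`, so the value stored by the `set` call never reaches config.json. In values.yaml `WorkerImage: null` is listed among the Sonobuoy config keys (the nesting is inferred, because indentation is lost on this page), which would leave the rendered config with a null worker image. If that reading is right, both lines should target the nested map: `{{- if empty .Values.conf.sonobuoy.WorkerImage -}}` and `{{- $_ := set .Values.conf.sonobuoy "WorkerImage" .Values.images.tags.sonobuoy_api -}}`.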
+++ b/sonobuoy/values.yaml 
@@ -0,0 +1,100 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for Sonobuoy.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
+
+labels:
+ api:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+
+images:
+ tags:
+ sonobuoy_api: gcr.io/heptio-images/sonobuoy:v0.11.4
+ systemd_logs: gcr.io/heptio-images/sonobuoy-plugin-systemd-logs:v0.1
+ pull_policy: IfNotPresent
+ local_registry:
+ active: false
+ exclude: []
+
+conf:
+ sonobuoy:
+ Description: "sonobuoy run for scanner.heptio.com"
+ Version: v0.11.4
+ ResultsDir: /tmp/resultshost
+ Resources:
+ - Nodes
+ - ServerVersion
+ Filters:
+ Namespaces: ""
+ LabelSelector: ""
+ Server:
+ bindaddress: 0.0.0.0
+ bindport: 8080
+ advertiseaddress: ""
+ timeoutseconds: 8000
+ Plugins:
+ - name: systemd-logs
+ Limits:
+ PodLogs:
+ SizeLimitBytes: 10000
+ # NOTE: the WorkerImage should not be defined and is set in sonobuoy-etc
+ WorkerImage: null
+ ImagePullPolicy: IfNotPresent
+ plugins:
+ - name: systemd_logs.yaml
+ data: |
+ sonobuoy-config:
+ driver: DaemonSet
+ plugin-name: systemd-logs
+ result-type: systemd_logs
+ spec:
+ command:
+ - sh
+ - -c
+ - /get_systemd_logs.sh && sleep 3600
+ env:
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ - name: RESULTS_DIR
+ value: /tmp/results
+ - name: CHROOT_DIR
+ value: /node
+ image: {{ .Values.images.tags.systemd_logs }}
+ imagePullPolicy: Always
+ name: sonobuoy-systemd-logs-config
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - mountPath: /tmp/results
+ name: results
+ readOnly: false
+ - mountPath: /node
+ name: root
+ readOnly: false
+
+dependencies:
+ dynamic: {}
+ static: {}
+
+manifests:
+ configmap_bin: true
+ configmap_plugins: true
+ pod_api: true
+ secret_etc: true
diff --git a/tools/gate/playbooks/osh-addons-sonobuoy.yaml b/tools/gate/playbooks/osh-addons-sonobuoy.yaml
new file mode 100644
index 00000000..dfccce7e
--- /dev/null
+++ b/tools/gate/playbooks/osh-addons-sonobuoy.yaml
@@ -0,0 +1,8 @@
+- hosts: primary
+ tasks:
+ - name: Install and Test Sonobuoy Chart
+ shell: |
+ set -xe;
+ ./tools/gate/scripts/sonobuoy.sh
+ args:
+ chdir: "{{ zuul.project.src_dir }}"
diff --git a/tools/gate/scripts/sonobuoy.sh b/tools/gate/scripts/sonobuoy.sh
new file mode 100755
index 00000000..1b5fc3ad
--- /dev/null
+++ b/tools/gate/scripts/sonobuoy.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+set -xe
+
+helm dependency update sonobuoy
+helm install sonobuoy --namespace=heptio-sonobuoy --name=sonobuoy
+helm test sonobuoy
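Review bot: The systemd-logs plugin spec in sonobuoy/values.yaml runs a `privileged: true` container with the `root` volume mounted at `/node` as `readOnly: false`, from an image referenced by the mutable tag `v0.1` with `imagePullPolicy: Always`, so whatever is published under that tag at run time gets privileged access on every node the DaemonSet lands on (assuming `root` is the host filesystem, as `CHROOT_DIR=/node` suggests). If the collector only reads the journal, the `/node` mount can be `readOnly: true`, and both image references are better pinned by digest, e.g. `gcr.io/heptio-images/sonobuoy-plugin-systemd-logs@sha256:<digest-placeholder>`. A short comment above `securityContext` saying why privilege is required would help the next reader. The `bindaddress: 0.0.0.0` default also exposes the aggregator on the pod IP, and no Service or NetworkPolicy is added in this change, so reachability depends on the cluster's pod network policy.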