Add Sonobuoy chart

This adds a Sonobuoy chart that only runs the systemd-logs plugin[1]. The Sonobuoy pod (tests) are executed as a `helm test`. This chart must be installed under the heptio-sonobuoy namespace[2]. A node with the label selector specified in values.yaml (labels.api) must exist for the Sonobuoy pod to even be created. Also add an experimental job to test Sonobuoy chart. [1] https://github.com/heptio/sonobuoy-plugin-systemd-logs [2] https://github.com/heptio/sonobuoy/issues/420 Change-Id: I613fab635b97a70ac20820e1ececde48952ac2da
2018-09-24 11:12:19 -05:00 · 2018-09-24 11:12:19 -05:00 · f823544adb
parent 96c4444e8d
commit f823544adb
11 changed files with 383 additions and 0 deletions
--- a/.zuul.yaml
+++ b/.zuul.yaml
@ -27,6 +27,9 @@
              - ^.*\.rst$
              - ^doc/.*$
              - ^releasenotes/.*$
+    experimental:
+      jobs:
+        - openstack-helm-addons-sonobuoy

 - job:
    name: openstack-helm-addons-linter
@ -51,3 +54,9 @@
    required-projects:
      - openstack/openstack-helm-infra
    nodeset: openstack-helm-ubuntu
+
+- job:
+    name: openstack-helm-addons-sonobuoy
+    parent: openstack-helm-multinode
+    nodeset: openstack-helm-ubuntu
+    run: tools/gate/playbooks/osh-addons-sonobuoy.yaml
--- a/sonobuoy/Chart.yaml
+++ b/sonobuoy/Chart.yaml
@ -0,0 +1,22 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+description: OpenStack-Helm Sonobuoy
+name: sonobuoy
+version: 0.1.0
+sources:
+  - https://git.openstack.org/cgit/openstack/openstack-helm-addons
+maintainers:
+  - name: OpenStack-Helm Authors
--- a/sonobuoy/requirements.yaml
+++ b/sonobuoy/requirements.yaml
@ -0,0 +1,18 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+  - name: helm-toolkit
+    repository: http://localhost:8879/charts
+    version: 0.1.0
--- a/sonobuoy/templates/bin/_run_master.sh.tpl
+++ b/sonobuoy/templates/bin/_run_master.sh.tpl
@ -0,0 +1,21 @@
+#!/bin/bash
+
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -xe
+
+/sonobuoy master --v 3 --logtostderr
--- a/sonobuoy/templates/configmap-bin.yaml
+++ b/sonobuoy/templates/configmap-bin.yaml
@ -0,0 +1,27 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: sonobuoy-bin
+data:
+  run_master.sh: |
+{{ tuple "bin/_run_master.sh.tpl" $envAll | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
--- a/sonobuoy/templates/configmap-plugins.yaml
+++ b/sonobuoy/templates/configmap-plugins.yaml
@ -0,0 +1,28 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_plugins }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: sonobuoy-plugins
+data:
+  {{ range .Values.conf.plugins }}
+{{- include "helm-toolkit.snippets.values_template_renderer" ( dict "envAll" $envAll "template" .data "key" .name ) | indent 4 }}
+  {{ end }}
+{{- end }}
--- a/sonobuoy/templates/pod-api.yaml
+++ b/sonobuoy/templates/pod-api.yaml
@ -0,0 +1,99 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pod_api }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := "sonobuoy-serviceaccount" }}
+{{ tuple $envAll "sonobuoy" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ $serviceAccountName }}
+rules:
+- apiGroups:
+  - '*'
+  resources:
+  - '*'
+  verbs:
+  - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ $serviceAccountName }}-heptio-sonobuoy
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ $serviceAccountName }}
+subjects:
+- kind: ServiceAccount
+  name: {{ $serviceAccountName }}
+  namespace: {{ $envAll.Release.Namespace }}
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+{{ tuple $envAll "sonobuoy" "sonobuoy" | include "helm-toolkit.snippets.kubernetes_metadata_labels"  | indent 4 }}
+    run: sonobuoy-master
+    tier: analysis
+  name: sonobuoy
+  annotations:
+    "helm.sh/hook": test-success
+spec:
+  nodeSelector:
+    {{ .Values.labels.api.node_selector_key }}: {{ .Values.labels.api.node_selector_value}}
+  containers:
+  - name: kube-sonobuoy
+    env:
+    - name: SONOBUOY_ADVERTISE_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.podIP
+{{ tuple $envAll "sonobuoy_api" | include "helm-toolkit.snippets.image" | indent 4 }}
+    command:
+      - /run_master.sh
+    volumeMounts:
+    - mountPath: /etc/sonobuoy
+      name: sonobuoy-config-volume
+    - mountPath: /plugins.d
+      name: sonobuoy-plugins-volume
+    - mountPath: {{ .Values.conf.sonobuoy.ResultsDir }}
+      name: sonobuoy-output
+    - name: sonobuoy-bin
+      mountPath: /run_master.sh
+      subPath: run_master.sh
+      readOnly: true
+  restartPolicy: Never
+  serviceAccountName: {{ $serviceAccountName }}
+  volumes:
+  - name: sonobuoy-bin
+    configMap:
+      name: sonobuoy-bin
+      defaultMode: 0555
+  - secret:
+      secretName: sonobuoy-etc
+      defaultMode: 0444
+    name: sonobuoy-config-volume
+  - configMap:
+      name: sonobuoy-plugins
+      defaultMode: 0444
+    name: sonobuoy-plugins-volume
+  - emptyDir: {}
+    name: sonobuoy-output
+{{- end }}
--- a/sonobuoy/templates/secret-etc.yaml
+++ b/sonobuoy/templates/secret-etc.yaml
@ -0,0 +1,30 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_etc }}
+{{- if empty .Values.conf.WorkerImage -}}
+{{- $_ := set .Values.conf "WorkerImage" .Values.images.tags.sonobuoy_api -}}
+{{- end -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: sonobuoy-etc
+type: Opaque
+data:
+  config.json: |
+{{ .Values.conf.sonobuoy | toJson | b64enc | indent 4}}
+{{- end }}
--- a/sonobuoy/values.yaml
+++ b/sonobuoy/values.yaml
@ -0,0 +1,100 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for Sonobuoy.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
+
+labels:
+  api:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+
+images:
+  tags:
+    sonobuoy_api: gcr.io/heptio-images/sonobuoy:v0.11.4
+    systemd_logs: gcr.io/heptio-images/sonobuoy-plugin-systemd-logs:v0.1
+  pull_policy: IfNotPresent
+  local_registry:
+    active: false
+    exclude: []
+
+conf:
+  sonobuoy:
+    Description: "sonobuoy run for scanner.heptio.com"
+    Version: v0.11.4
+    ResultsDir: /tmp/resultshost
+    Resources:
+      - Nodes
+      - ServerVersion
+    Filters:
+      Namespaces: ""
+      LabelSelector: ""
+    Server:
+      bindaddress: 0.0.0.0
+      bindport: 8080
+      advertiseaddress: ""
+      timeoutseconds: 8000
+    Plugins:
+      - name: systemd-logs
+    Limits:
+      PodLogs:
+        SizeLimitBytes: 10000
+    # NOTE: the WorkerImage should not be defined and is set in sonobuoy-etc
+    WorkerImage: null
+    ImagePullPolicy: IfNotPresent
+  plugins:
+    - name: systemd_logs.yaml
+      data: |
+        sonobuoy-config:
+          driver: DaemonSet
+          plugin-name: systemd-logs
+          result-type: systemd_logs
+        spec:
+          command:
+          - sh
+          - -c
+          - /get_systemd_logs.sh && sleep 3600
+          env:
+          - name: NODE_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: spec.nodeName
+          - name: RESULTS_DIR
+            value: /tmp/results
+          - name: CHROOT_DIR
+            value: /node
+          image: {{ .Values.images.tags.systemd_logs }}
+          imagePullPolicy: Always
+          name: sonobuoy-systemd-logs-config
+          securityContext:
+            privileged: true
+          volumeMounts:
+          - mountPath: /tmp/results
+            name: results
+            readOnly: false
+          - mountPath: /node
+            name: root
+            readOnly: false
+
+dependencies:
+  dynamic: {}
+  static: {}
+
+manifests:
+  configmap_bin: true
+  configmap_plugins: true
+  pod_api: true
+  secret_etc: true
--- a/tools/gate/playbooks/osh-addons-sonobuoy.yaml
+++ b/tools/gate/playbooks/osh-addons-sonobuoy.yaml
@ -0,0 +1,8 @@
+- hosts: primary
+  tasks:
+    - name: Install and Test Sonobuoy Chart
+      shell: |
+        set -xe;
+        ./tools/gate/scripts/sonobuoy.sh
+      args:
+        chdir: "{{ zuul.project.src_dir }}"
--- a/tools/gate/scripts/sonobuoy.sh
+++ b/tools/gate/scripts/sonobuoy.sh
@ -0,0 +1,21 @@
+#!/bin/bash
+
+# Copyright 2017 The Openstack-Helm Authors.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+set -xe
+
+helm dependency update sonobuoy
+helm install sonobuoy --namespace=heptio-sonobuoy --name=sonobuoy
+helm test sonobuoy