Merge pull request #37 from gmlexx/main

Add promxy-operator

.github/workflows/build.yml

@@ -0,0 +1,84 @@
+name: promxy-operator-build
+on:
+  pull_request_target:
+    types:
+      - labeled
+      - opened
+      - synchronize
+      - reopened
+    branches:
+      - main
+      - release-*
+    paths:
+      - "promxy-operator/**"
+      - "!**.md"
+  push:
+    tags:
+      - "*"
+
+env:
+  GO_VERSION: "1.22"
+
+jobs:
+  build:
+    concurrency:
+      group: build-${{ github.head_ref || github.run_id }}
+      cancel-in-progress: true
+    name: Build and Unit Test
+    runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.vars.outputs.version }}
+      pr: ${{ steps.pr.outputs.result }}
+    permissions:
+      packages: write
+    steps:
+      - name: Get PR ref
+        uses: actions/github-script@v7
+        id: pr
+        with:
+          script: |
+            const { data: pullRequest } = await github.rest.pulls.get({
+              ...context.repo,
+              pull_number: context.payload.pull_request.number,
+            });
+            return pullRequest
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          ref: ${{fromJSON(steps.pr.outputs.result).merge_commit_sha}}
+          fetch-depth: 0
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: false
+      - name: Unit tests
+        working-directory: ./promxy-operator
+        run: |
+          make test
+      - name: Set up Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Login to GHCR
+        uses: docker/[email protected]
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Get outputs
+        id: vars
+        run: |
+          GIT_VERSION=$(git describe --tags --always)
+          echo "version=${GIT_VERSION:1}" >> $GITHUB_OUTPUT
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        if: github.repository == 'k0rdent/kof'
+        with:
+          build-args: |
+            LD_FLAGS=-s -w
+          context: "{{defaultContext}}:promxy-operator"
+          platforms: linux/amd64,linux/arm64
+          tags: |
+            ghcr.io/k0rdent/kof/promxy-operator-controller:${{ steps.vars.outputs.version }}
+          push: true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

Makefile

@@ -31,6 +31,9 @@ STORAGE_DOMAIN = $(USER)-storage.$(KOF_DNS)
 KOF_STORAGE_NAME = kof-storage
 KOF_STORAGE_NG = kof
 
+KIND_CLUSTER_NAME ?= kcm-dev
+
+
 dev:
 	mkdir -p dev
 
@@ -79,6 +82,11 @@ helm-push: helm-package
 		fi; \
 	done
 
+.PHONY: promxy-operator-docker-build
+promxy-operator-docker-build: ## Build promxy-operator controller docker image
+	cd promxy-operator && make docker-build
+	$(KIND) load docker-image promxy-operator-controller --name $(KIND_CLUSTER_NAME)
+
 .PHONY: dev-operators-deploy
 dev-operators-deploy: dev ## Deploy kof-operators helm chart to the K8s cluster specified in ~/.kube/config
 	cp -f $(TEMPLATES_DIR)/kof-operators/values.yaml dev/operators-values.yaml
@@ -102,15 +110,15 @@ dev-storage-deploy: dev ## Deploy kof-storage helm chart to the K8s cluster spec
 	$(HELM) upgrade -i $(KOF_STORAGE_NAME) ./charts/kof-storage --create-namespace -n $(KOF_STORAGE_NG) -f dev/storage-values.yaml
 
 .PHONY: dev-ms-deploy-aws
-dev-ms-deploy-aws: dev ## Deploy Mothership helm chart to the K8s cluster specified in ~/.kube/config for a remote storage cluster
+dev-ms-deploy-aws: dev promxy-operator-docker-build ## Deploy Mothership helm chart to the K8s cluster specified in ~/.kube/config for a remote storage cluster
 	cp -f $(TEMPLATES_DIR)/kof-mothership/values.yaml dev/mothership-values.yaml
 	@$(YQ) eval -i '.kcm.installTemplates = true' dev/mothership-values.yaml
 	@$(YQ) eval -i '.kcm.kof.clusterProfiles.kof-aws-dns-secrets = {"matchLabels": {"k0rdent.mirantis.com/kof-aws-dns-secrets": "true"}, "secrets": ["external-dns-aws-credentials"]}' dev/mothership-values.yaml
 	@$(YQ) eval -i '.grafana.logSources = [{"name": "$(USER)-aws-storage", "url": "https://vmauth.$(STORAGE_DOMAIN)/vls", "type": "victoriametrics-logs-datasource", "auth": {"credentials_secret_name": "storage-vmuser-credentials", "username_key": "username", "password_key": "password"}}]' dev/mothership-values.yaml
-	@$(YQ) eval -i '.promxy.config.serverGroups = [{"clusterName": "$(USER)-aws-storage", "targets": ["vmauth.$(STORAGE_DOMAIN):443"], "auth": {"credentials_secret_name": "storage-vmuser-credentials", "create_secret": true, "username_key": "username", "password_key": "password"}}]' dev/mothership-values.yaml
 
 	@$(YQ) eval -i '.kcm.kof.charts.collectors.version = "$(COLLECTORS_VERSION)"' dev/mothership-values.yaml
 	@$(YQ) eval -i '.kcm.kof.charts.storage.version = "$(STORAGE_VERSION)"' dev/mothership-values.yaml
+	@$(YQ) eval -i '.promxy.operator.image.repository= "promxy-operator-controller"' dev/mothership-values.yaml
 	@if [ "$(REGISTRY_REPO)" = "oci://127.0.0.1:$(REGISTRY_PORT)/charts" ]; then \
 		$(YQ) eval -i '.kcm.kof.repo.url = "oci://$(REGISTRY_NAME):5000/charts"' dev/mothership-values.yaml; \
 		$(YQ) eval -i '.kcm.kof.repo.insecure = true' dev/mothership-values.yaml; \
@@ -123,19 +131,21 @@ dev-ms-deploy-aws: dev ## Deploy Mothership helm chart to the K8s cluster specif
 .PHONY: dev-storage-deploy-aws
 dev-storage-deploy-aws: dev ## Deploy Regional Managed cluster using KCM
 	cp -f demo/cluster/aws-storage.yaml dev/aws-storage.yaml
-	@$(YQ) eval -i '.metadata.name = "$(USER)-aws-storage"' dev/aws-storage.yaml
-	@$(YQ) '.spec.serviceSpec.services[] | select(.name == "kof-storage") | .values' dev/aws-storage.yaml > dev/kof-storage-values.yaml
+	@$(YQ) eval -i '.metadata.name = "$(USER)-aws-storage"' dev/aws-storage.yaml # set the same name for both documents in yaml
+	@$(YQ) eval -i 'select(documentIndex == 1).spec.cluster_name = "$(USER)-aws-storage"' dev/aws-storage.yaml
+	@$(YQ) 'select(documentIndex == 0).spec.serviceSpec.services[] | select(.name == "kof-storage") | .values' dev/aws-storage.yaml > dev/kof-storage-values.yaml
 	@$(YQ) eval -i '.["cert-manager"].email = "$(USER_EMAIL)"' dev/kof-storage-values.yaml
 	@$(YQ) eval -i '.victoriametrics.vmauth.ingress.host = "vmauth.$(STORAGE_DOMAIN)"' dev/kof-storage-values.yaml
 	@$(YQ) eval -i '.grafana.ingress.host = "grafana.$(STORAGE_DOMAIN)"' dev/kof-storage-values.yaml
 	@$(YQ) eval -i '.["external-dns"].enabled = true' dev/kof-storage-values.yaml
-	@$(YQ) eval -i '(.spec.serviceSpec.services[] | select(.name == "kof-storage")).values |= load_str("dev/kof-storage-values.yaml")' dev/aws-storage.yaml
+	@$(YQ) eval -i '(select(documentIndex == 0).spec.serviceSpec.services[] | select(.name == "kof-storage")).values |= load_str("dev/kof-storage-values.yaml")' dev/aws-storage.yaml
+	@$(YQ) eval -i 'select(documentIndex == 1).spec.targets = ["vmauth.$(STORAGE_DOMAIN):443"]' dev/aws-storage.yaml
 	kubectl apply -f dev/aws-storage.yaml
 
 .PHONY: dev-managed-deploy-aws
 dev-managed-deploy-aws: dev ## Deploy Regional Managed cluster using KCM
 	cp -f demo/cluster/aws-managed.yaml dev/aws-managed.yaml
-	@$(YQ) eval -i '.metadata.name = "$(MANAGED_CLUSTER_NAME)"' dev/aws-managed.yaml
+	@$(YQ) eval -i 'select(documentIndex == 0) | .metadata.name = "$(MANAGED_CLUSTER_NAME)"' dev/aws-managed.yaml
 	@$(YQ) '.spec.serviceSpec.services[] | select(.name == "kof-collectors") | .values' dev/aws-managed.yaml > dev/kof-managed-values.yaml
 	@$(YQ) eval -i '.global.clusterName = "$(MANAGED_CLUSTER_NAME)"' dev/kof-managed-values.yaml
 	@$(YQ) eval -i '.opencost.opencost.exporter.defaultClusterId = "$(MANAGED_CLUSTER_NAME)"' dev/kof-managed-values.yaml
@@ -159,12 +169,18 @@ export YQ
 ## Tool Versions
 HELM_VERSION ?= v3.15.1
 YQ_VERSION ?= v4.44.2
+KIND_VERSION ?= v0.23.0
 
 .PHONY: yq
 yq: $(YQ) ## Download yq locally if necessary.
 $(YQ): | $(LOCALBIN)
 	$(call go-install-tool,$(YQ),github.com/mikefarah/yq/v4,${YQ_VERSION})
 
+.PHONY: kind
+kind: $(KIND) ## Download kind locally if necessary.
+$(KIND): | $(LOCALBIN)
+	$(call go-install-tool,$(KIND),sigs.k8s.io/kind,${KIND_VERSION})
+
 .PHONY: helm
 helm: $(HELM) ## Download helm locally if necessary.
 HELM_INSTALL_SCRIPT ?= "https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3"
@@ -173,7 +189,7 @@ $(HELM): | $(LOCALBIN)
 	curl -s --fail $(HELM_INSTALL_SCRIPT) | USE_SUDO=false HELM_INSTALL_DIR=$(LOCALBIN) DESIRED_VERSION=$(HELM_VERSION) BINARY_NAME=helm-$(HELM_VERSION) PATH="$(LOCALBIN):$(PATH)" bash
 
 .PHONY: cli-install
-cli-install: yq helm ## Install the necessary CLI tools for deployment, development and testing.
+cli-install: yq helm kind ## Install the necessary CLI tools for deployment, development and testing.
 
 # go-install-tool will 'go install' any package with custom target and name of binary, if it doesn't exist
 # $1 - target path with name of binary (ideally with version)

charts/kof-mothership/crds/kof.k0rdent.mirantis.com_promxyservergroups.yaml

@@ -0,0 +1 @@
+../../../promxy-operator/config/crd/bases/kof.k0rdent.mirantis.com_promxyservergroups.yaml

charts/kof-mothership/templates/grafana/secret.yaml

@@ -1,15 +1,19 @@
 {{- if .Values.grafana.security.create_secret }}
 {{- $secret := (lookup "v1" "Secret" .Release.Namespace .Values.grafana.security.credentials_secret_name) }}
-{{- if not $secret }}
+{{- $username := randAlpha (.Values.global.random_username_length | int) }}
+{{- $password := randAlpha (.Values.global.random_password_length | int) }}
+{{- if $secret }}
+{{- $username = index $secret.data "GF_SECURITY_ADMIN_USER" | b64dec }}
+{{- $password = index $secret.data "GF_SECURITY_ADMIN_PASSWORD" | b64dec }}
+{{- end }}
 ---
 kind: Secret
 apiVersion: v1
 metadata:
   name: {{ .Values.grafana.security.credentials_secret_name }}
   namespace: {{ .Release.Namespace }}
 stringData:
-  GF_SECURITY_ADMIN_USER: {{ randAlpha  (.Values.global.random_username_length | int) | quote }} # Grafana username
-  GF_SECURITY_ADMIN_PASSWORD: {{ randAlpha (.Values.global.random_password_length | int) | quote }} # Grafana password
+  GF_SECURITY_ADMIN_USER: {{ $username | quote }} # Grafana username
+  GF_SECURITY_ADMIN_PASSWORD: {{ $password | quote }} # Grafana password
 type: Opaque
 {{- end }}
-{{- end }}

charts/kof-mothership/templates/kcm/kof/secrets.yaml

@@ -0,0 +1,24 @@
+{{- range $profile, $values := .Values.kcm.kof.clusterProfiles }}
+{{- if $values.create_secrets }}
+{{- range $values.secrets }}
+{{- /* Checking that the secret isn't created yet to avoid credentials regeneration */}}
+{{- $secret := (lookup "v1" "Secret" $.Release.Namespace . ) }}
+{{- $username := randAlpha ($.Values.global.random_username_length | int) }}
+{{- $password := randAlpha ($.Values.global.random_password_length | int) }}
+{{- if $secret }}
+{{- $username = index $secret.data "username" | b64dec }}
+{{- $password = index $secret.data "password" | b64dec }}
+{{- end }}
+---
+kind: Secret
+apiVersion: v1
+metadata:
+  name: {{ . }}
+  namespace: {{ $.Release.Namespace }}
+stringData:
+  username: {{ $username | quote }}
+  password: {{ $password | quote }}
+type: Opaque
+{{- end }}
+{{- end }}
+{{- end }}

charts/kof-mothership/templates/promxy/deployment.yaml

@@ -52,7 +52,36 @@ spec:
 {{ toYaml .Values.promxy.affinity | indent 8 }}
     {{- end }}
       containers:
-      - args:
+      - name: operator
+        command:
+        - "/manager"
+        image: "{{ .Values.promxy.operator.image.repository }}:{{ .Values.promxy.operator.image.tag }}"
+        imagePullPolicy: {{ .Values.promxy.operator.image.pullPolicy }}
+        livenessProbe:
+          failureThreshold: 6
+          httpGet:
+            path: /healthz
+            port: operator-http
+            scheme: HTTP
+          periodSeconds: 5
+          successThreshold: 1
+          timeoutSeconds: 3
+        readinessProbe:
+          failureThreshold: 120
+          httpGet:
+            path: /readyz
+            port: operator-http
+            scheme: HTTP
+          periodSeconds: 5
+          successThreshold: 1
+          timeoutSeconds: 3
+        ports:
+        - containerPort: 8081
+          name: operator-http
+        resources:
+          {{- toYaml .Values.promxy.operator.resources | nindent 12 }}
+      - name: promxy
+        args:
         - "--config=/etc/promxy/config.yaml"
         - "--web.enable-lifecycle"
         {{- range $key, $value := .Values.promxy.extraArgs }}
@@ -66,7 +95,6 @@ spec:
         - "/bin/promxy"
         image: "{{ .Values.promxy.image.repository }}:{{ default .Chart.AppVersion .Values.promxy.image.tag }}"
         imagePullPolicy: {{ .Values.promxy.image.pullPolicy }}
-        name: promxy
         livenessProbe:
           failureThreshold: 6
           httpGet:

charts/kof-mothership/templates/promxy/role.yaml

@@ -0,0 +1,45 @@
+{{- if .Values.promxy.operator.rbac.create -}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "chart.fullname" . }}-operator
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - update
+  - watch
+- apiGroups:
+  - kof.k0rdent.mirantis.com
+  resources:
+  - promxyservergroups
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - kof.k0rdent.mirantis.com
+  resources:
+  - promxyservergroups/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - kof.k0rdent.mirantis.com
+  resources:
+  - promxyservergroups/status
+  verbs:
+  - get
+  - patch
+  - update
+{{- end }}

charts/kof-mothership/templates/promxy/role_binding.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.promxy.operator.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: promxy-operator
+  name: {{ include "chart.fullname" . }}-operator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "chart.fullname" . }}-operator
+subjects:
+- kind: ServiceAccount
+  name: {{ include "chart.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}