Merge pull request #25 from nais/new_ns_reconciler

New namespace reconciler
nais · Jan 6, 2025 · e0035a2 · e0035a2
2 parents a5b3d9e + 1e839e0
commit e0035a2
Show file tree

Hide file tree

Showing 30 changed files with 1,055 additions and 653 deletions.
diff --git a/.configs/mockery.yaml b/.configs/mockery.yaml
@@ -3,6 +3,7 @@ disable-version-string: true
 inpackage: true
 dir: "{{.InterfaceDir}}"
 filename: "mock_{{.InterfaceNameSnake}}.go"
+issue-845-fix: True
 packages:
   github.com/nais/api-reconcilers/internal/azureclient:
     interfaces:

diff --git a/.env.example b/.env.example
@@ -6,4 +6,5 @@ INSECURE_GRPC=true
 LOG_LEVEL=debug
 RECONCILERS_TO_ENABLE=
 PUBSUB_EMULATOR_HOST="localhost:3004"
-PUBSUB_PROJECT_ID="nais-local-dev"
+PUBSUB_PROJECT_ID="nais-local-dev"
+NAV_ONPREM_CLUSTERS=
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -45,10 +45,9 @@ jobs:
             ${{ steps.go-cache.outputs.gocache }}
             ${{ steps.go-cache.outputs.gomodcache }}
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-      - run: go test ./...
-      - run: helm lint --strict ./charts
-      - run: make staticcheck
-      - run: make vulncheck
+      - run: make test
+      - run: make helm-lint
+      - run: make check
       - name: Check code format and run code generators
         run: |
           make fmt

diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
@@ -36,10 +36,9 @@ jobs:
             ${{ steps.go-cache.outputs.gocache }}
             ${{ steps.go-cache.outputs.gomodcache }}
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-      - run: go test ./...
-      - run: helm lint --strict ./charts
-      - run: make staticcheck
-      - run: make vulncheck
+      - run: make test
+      - run: make helm-lint
+      - run: make check
       - name: Check code format and run code generators
         run: |
           make fmt

diff --git a/.github/workflows/push.yaml b/.github/workflows/push.yaml
@@ -0,0 +1,28 @@
+name: Build and push commit
+on:
+  push:
+    branches-ignore:
+      - main
+
+env:
+  NAME: nais-api-reconcilers
+  IMAGE_REPOSITORY: oci://europe-north1-docker.pkg.dev/nais-io/nais
+jobs:
+  build_push:
+    permissions:
+      contents: read
+      id-token: write
+    name: Build and push
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - id: go_version
+        run: echo "go_version=$(cat .tool-versions | grep golang | awk '{print $2}')" >> $GITHUB_OUTPUT
+      - uses: nais/platform-build-push-sign@main
+        id: build-push-sign
+        with:
+          name: ${{ env.NAME }}
+          build_args: GO_VERSION=${{ steps.go_version.outputs.go_version }}-
+          google_service_account: gh-api-reconcilers
+          workload_identity_provider: ${{ secrets.NAIS_IO_WORKLOAD_IDENTITY_PROVIDER }}
+          push: true
diff --git a/.gitignore b/.gitignore
@@ -21,3 +21,4 @@
 .env
 /local/
 .envrc
+.air.toml
diff --git a/README.md b/README.md
@@ -10,7 +10,8 @@ The main purpose is to create team resources, permissions and maintain them.
 To run the reconciler locally, you need to have the nais/api project cloned and running.
 See the [nais/api README](https://github.com/nais/api?tab=readme-ov-file#local-development) for more information.
 
-Given that a lot of the reconcilers are using external services, most of these requires authentication and access to these services.
+Given that a lot of the reconcilers are using external services, most of these requires authentication and access to
+these services.
 So ensure that you configure and provide a proper environment for the reconcilers to run.
 You may use the example configuration file to skip the boring process of figuring it out:
 
@@ -29,6 +30,32 @@ It sets an environment variable to communicate with the nais/api project running
 
 Run `make test` to run the tests.
 
+### Local kind cluster setup (only relevant if doing stuff against Kubernetes, e.g. the namespace reconciler)
+
+1. Ensure you have [kind](https://kind.sigs.k8s.io/docs/user/quick-start/) installed.
+
+2. Create a kind cluster:
+
+```shell
+kind create cluster 
+```
+
+3. Apply required cluster resources:
+
+```shell
+kubectl apply -f ./hack/configconnectorcontexts.yaml
+kubectl apply -f ./hack/rbac.yaml
+```
+
+4. Create a NAV_ONPREM_CLUSTERS entry in the .env file like so:
+
+Run the following command in the same terminal as the previous step:
+
+```shell
+NAV_ONPREM_CLUSTERS="kind-kind|127.0.0.1:$(docker ps | grep kindest | cut -d":" -f3 | cut -d "-" -f1)|$(kubectl create token api-reconciler --duration=99999h)"
+(echo ""; echo "NAV_ONPREM_CLUSTERS=\"$NAV_ONPREM_CLUSTERS\"") >> .env # only works once
+```
+
 ## Architecture
 
 The project contains a set of reconcilers which are run on schedule or triggered by events.
@@ -37,3 +64,5 @@ A manager is responsible for running the reconcilers and handling the errors.
 The manager will listen for pubsub events and trigger the correct reconcilers when needed.
 
 All state and data is stored in NAIS api, and the communication with the API is done through GRPC.
+
+
diff --git a/charts/Feature.yaml b/charts/Feature.yaml
@@ -57,7 +57,7 @@ values:
 
   gitHub.authEndpoint:
     displayName: GitHub auth endpoint
-    description: The endpoint for the token service that provisions teams-backend with GitHub installation tokens for the correct tenant organization.
+    description: The endpoint for the token service that provisions GitHub installation tokens for the correct tenant organization.
     computed:
       template: |
         {{ .Env.teams_github_auth_endpoint | quote }}
@@ -80,7 +80,7 @@ values:
     description: The email address of the service account that is used when using the Google APIs
     computed:
       template: |
-        {{ .Env.teams_google_service_account_email | quote }}
+        {{ .Env.nais_api_reconcilers_serviceaccount_email | quote }}
 
   google.adminServiceAccountEmail:
     displayName: Email address of the Google Workspace Admin service account
@@ -99,6 +99,28 @@ values:
     computed:
       template: "{{ .Env.billing_account | quote }}"
 
+  kubernetes.static:
+    displayName: Static Kubernetes clusters
+    description: Comma-separated list of clusters with static credentials on the format 'name|apiserverHost|token'
+    config:
+      type: string
+      secret: true
+
+  kubernetes.clusters:
+    displayName: GKE clusters
+    description: Comma-separated list of static resources to monitor
+    config:
+      type: string
+    computed:
+      template: |
+        {{ if (eq .Tenant.Name "nav") }}
+        {{- $tenantEnvs := filter "kind" "legacy" .Envs -}}
+        {{ eachOf $tenantEnvs "name" | sortAlpha | join "," }}
+        {{ else }}
+        {{- $tenantEnvs := filter "kind" "tenant" .Envs -}}
+        {{ eachOf $tenantEnvs "name" | sortAlpha | join "," }}
+        {{ end }}
+
   gcp.clusters:
     displayName: Cluster information
     computed:

diff --git a/charts/templates/deployment.yaml b/charts/templates/deployment.yaml
@@ -99,7 +99,7 @@ spec:
               value: {{ .Values.dependencyTrack.username | quote }}
             # Google
             - name: GOOGLE_ADMIN_SERVICE_ACCOUNT_EMAIL
-              value: {{ .Values.google.adminServiceAccountEmail | default (printf "nais-admin@%s.iam.gserviceaccount.com" .Values.googleManagementProjectID) | quote }}
+              value: {{ .Values.google.adminServiceAccountEmail | default (printf "tenant-directory-sa@%s.iam.gserviceaccount.com" .Values.googleManagementProjectID) | quote }}
             - name: GOOGLE_ADMIN_USER_EMAIL
               value: {{ .Values.google.adminUserEmail | default (printf "nais-admin@%s" .Values.tenantDomain) | quote }}
             # Feature flags
@@ -111,6 +111,10 @@ spec:
             - name: FEATURE_CNRM_ROLE_IN_PROJECT
               value: {{ .Values.featureFlags.cnrmRoleInProject | quote }}
             {{- end }}
+            {{- if .Values.kubernetes.static }}
+            - name: NAV_ONPREM_CLUSTERS
+              value: {{ .Values.kubernetes.static | quote }}
+            {{- end }}
           ports:
             - name: http
               containerPort: 3005

diff --git a/charts/templates/fqdnnetworkpolicy.yaml b/charts/templates/fqdnnetworkpolicy.yaml
@@ -15,6 +15,38 @@ spec:
         - fqdns:
             - {{ get (urlParse .Values.gitHub.authEndpoint) "host" }}
     {{- end }}
+    - ports:
+        - port: 80
+          protocol: TCP
+      to:
+        - fqdns:
+            - metadata.google.internal
+    - ports:
+        - port: 443
+          protocol: TCP
+      to:
+        - fqdns:
+            - private.googleapis.com
+
+{{- $root := . }}
+{{- range split "," .Values.kubernetes.clusters }}
+    - ports:
+        - port: 443
+          protocol: TCP
+      to:
+        - fqdns:
+            - "apiserver.{{ . }}.{{ $root.Values.fasit.tenant.name }}.cloud.nais.io"
+{{- end }}
+{{- if .Values.kubernetes.static }}
+{{- range split "," .Values.kubernetes.static }}
+    - ports:
+        - port: 443
+          protocol: TCP
+      to:
+        - fqdns:
+            - {{ (split "|" .)._1  }}
+{{- end }}
+{{- end }}
   podSelector:
     matchLabels:
       {{- include "api-reconcilers.selectorLabels" . | nindent 6 }}

diff --git a/charts/values.yaml b/charts/values.yaml
@@ -10,7 +10,7 @@ logLevel: info
 logFormat: json
 googleManagementProjectID: # mapped in fasit
 tenantDomain: # mapped in fasit
-clusterAlias: []
+clusterAlias: [ ]
 reconcilersToEnable: "google:gcp:project,google:workspace-admin,nais:namespace,nais:deploy,google:gcp:gar,google:gcp:cdn,grafana"
 fasit:
   tenant:
@@ -34,6 +34,10 @@ google:
   adminServiceAccountEmail: null
   adminUserEmail: null
 
+kubernetes:
+  clusters: "dev,prod"
+  static: ""
+
 gcp:
   billingAccount: # mapped in fasit
   clusters: # mapped in fasit
-Original file line number
+Diff line change
@@ Expand Up / @@ -21,3 +21,4 @@ @@
     .env
     /local/
     .envrc
+    .air.toml