Merge branch 'release/v3.0.6' into main

cloudogu · Nov 27, 2024 · c45737a · c45737a
2 parents 6130c7a + 7fee133
commit c45737a
Show file tree

Hide file tree

Showing 21 changed files with 323 additions and 217 deletions.
diff --git a/.env.template b/.env.template
@@ -23,9 +23,9 @@ export DOCKER_REGISTRY_USERNAME=
 export DOCKER_REGISTRY_PASSWORD=
 
 # credentials for the helm registry
-export HELM_REGISTRY_HOST=registry.cloudogu.com
+export HELM_REGISTRY_HOST=k3ces.local:30098
 export HELM_REGISTRY_SCHEMA=oci
-export HELM_REGISTRY_PLAIN_HTTP=false
+export HELM_REGISTRY_PLAIN_HTTP=true
 export HELM_REGISTRY_INSECURE_TLS=
 export HELM_REGISTRY_USERNAME=
 # Password in Base64-encoding

diff --git a/.gitignore b/.gitignore
@@ -29,3 +29,4 @@ tmp
 .bin
 
 k8s/dev-resources/*
+.additionalValues.yaml
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,16 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+## [v3.0.6] - 2024-11-27
+### Changed
+- [#180] Split rbac permissions into separate files
+
+### Fixed 
+- [#117] Increase wait limit to prevent problems with slow internet connection
+
+### Removed
+- [#180] Remove unused metrics permission
+
 ## [v3.0.5] - 2024-11-19
 ### Fixed
 - [#113] Use retry watchers for wait steps and thus fix a bug where wait steps for component installations got canceled.

diff --git a/Dockerfile b/Dockerfile
@@ -30,7 +30,7 @@ RUN make compile-generic
 FROM gcr.io/distroless/static:nonroot
 LABEL maintainer="[email protected]" \
       NAME="k8s-ces-setup" \
-      VERSION="3.0.5"
+      VERSION="3.0.6"
 
 WORKDIR /
 

diff --git a/Makefile b/Makefile
@@ -1,6 +1,6 @@
 # Set these to the desired values
 ARTIFACT_ID=k8s-ces-setup
-VERSION=3.0.5
+VERSION=3.0.6
 
 GOTAG?=1.23.2
 MAKEFILES_VERSION=9.3.2

diff --git a/app/setup/data/fqdnRetrieverStep.go b/app/setup/data/fqdnRetrieverStep.go
@@ -4,6 +4,8 @@ import (
 	"context"
 	"fmt"
 	"github.com/cloudogu/retry-lib/retry"
+	"os"
+	"strconv"
 	"strings"
 	"time"
 
@@ -14,7 +16,8 @@ import (
 	"k8s.io/client-go/kubernetes"
 )
 
-const waitLimit = time.Minute * 3
+const defaultFqdnFromLoadBalancerWaitTimeoutMins = time.Duration(15)
+const fqdnFromLoadBalancerWaitTimeoutMinsEnv = "FQDN_FROM_LOAD_BALANCER_WAIT_TIMEOUT_MINS"
 
 type fqdnRetrieverStep struct {
 	config    *appcontext.SetupJsonConfiguration
@@ -38,7 +41,7 @@ func (fcs *fqdnRetrieverStep) PerformSetupStep(ctx context.Context) error {
 }
 
 func (fcs *fqdnRetrieverStep) setFQDNFromLoadbalancerIP(ctx context.Context) error {
-	return retry.OnErrorWithLimit(waitLimit, serviceRetry, func() error {
+	return retry.OnErrorWithLimit(readFqdnFromLoadBalancerWaitTimeoutMinsEnv()*time.Minute, serviceRetry, func() error {
 		logrus.Debug("Try retrieving service...")
 		service, err := fcs.clientSet.CoreV1().Services(fcs.namespace).Get(ctx, cesLoadbalancerName, metav1.GetOptions{})
 
@@ -57,6 +60,25 @@ func (fcs *fqdnRetrieverStep) setFQDNFromLoadbalancerIP(ctx context.Context) err
 	})
 }
 
+func readFqdnFromLoadBalancerWaitTimeoutMinsEnv() time.Duration {
+	fqdnFromLoadBalancerWaitTimeoutMinsString, found := os.LookupEnv(fqdnFromLoadBalancerWaitTimeoutMinsEnv)
+	if !found {
+		logrus.Debugf("failed to read %s environment variable, using default value of %d", fqdnFromLoadBalancerWaitTimeoutMinsEnv, defaultFqdnFromLoadBalancerWaitTimeoutMins)
+		return defaultFqdnFromLoadBalancerWaitTimeoutMins
+	}
+	fqdnFromLoadBalancerWaitTimeoutMinsParsed, err := strconv.Atoi(fqdnFromLoadBalancerWaitTimeoutMinsString)
+	if err != nil {
+		logrus.Warningf("failed to parse %s environment variable, using default value of %d", fqdnFromLoadBalancerWaitTimeoutMinsEnv, defaultFqdnFromLoadBalancerWaitTimeoutMins)
+		return defaultFqdnFromLoadBalancerWaitTimeoutMins
+	}
+	if fqdnFromLoadBalancerWaitTimeoutMinsParsed <= 0 {
+		logrus.Warningf("parsed value (%d) is smaller than 0, using default value of %d", fqdnFromLoadBalancerWaitTimeoutMinsParsed, defaultFqdnFromLoadBalancerWaitTimeoutMins)
+		return defaultFqdnFromLoadBalancerWaitTimeoutMins
+
+	}
+	return time.Duration(fqdnFromLoadBalancerWaitTimeoutMinsParsed)
+}
+
 func serviceRetry(err error) bool {
 	return strings.Contains(err.Error(), "service not yet ready")
 }
diff --git a/app/setup/data/fqdnRetrieverStep_test.go b/app/setup/data/fqdnRetrieverStep_test.go
@@ -1,14 +1,17 @@
 package data
 
 import (
+	"bytes"
 	"context"
 	appctx "github.com/cloudogu/k8s-ces-setup/app/context"
+	"github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/kubernetes/fake"
+	"os"
 	"testing"
 	"time"
 )
@@ -92,3 +95,81 @@ func Test_fqdnRetrieverStep_GetStepDescription(t *testing.T) {
 	// then
 	assert.Equal(t, "Retrieving a new FQDN from the IP of a loadbalancer service", description)
 }
+
+func Test_readFqdnFromLoadBalancerWaitTimeoutMinsEnv(t *testing.T) {
+	tests := []struct {
+		name        string
+		setEnvVar   bool
+		envVarValue string
+		want        time.Duration
+		wantLogs    bool
+		wantedLogs  string
+		logLevel    logrus.Level
+	}{
+		{
+			name:       "Environment variable not set",
+			setEnvVar:  false,
+			want:       time.Duration(15),
+			wantLogs:   true,
+			wantedLogs: "failed to read FQDN_FROM_LOAD_BALANCER_WAIT_TIMEOUT_MINS environment variable, using default value of 15",
+			logLevel:   logrus.DebugLevel,
+		},
+		{
+			name:        "Environment variable not set correctly",
+			setEnvVar:   true,
+			envVarValue: "15//",
+			want:        time.Duration(15),
+			wantLogs:    true,
+			wantedLogs:  "failed to parse FQDN_FROM_LOAD_BALANCER_WAIT_TIMEOUT_MINS environment variable, using default value of 15",
+			logLevel:    logrus.WarnLevel,
+		},
+		{
+			name:        "read negative environment variable",
+			setEnvVar:   true,
+			envVarValue: "-20",
+			want:        time.Duration(15),
+			wantLogs:    true,
+			wantedLogs:  "parsed value (-20) is smaller than 0, using default value of 15",
+			logLevel:    logrus.WarnLevel,
+		},
+		{
+			name:        "Successfully read environment variable",
+			setEnvVar:   true,
+			envVarValue: "20",
+			want:        time.Duration(20),
+			wantLogs:    false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.setEnvVar {
+				err := os.Setenv(fqdnFromLoadBalancerWaitTimeoutMinsEnv, tt.envVarValue)
+				require.NoError(t, err)
+			}
+			var result = time.Duration(0)
+
+			var logOutput bytes.Buffer
+
+			originalOutput := logrus.StandardLogger().Out
+			originalLevel := logrus.StandardLogger().Level
+			if tt.wantLogs {
+				logrus.StandardLogger().SetOutput(&logOutput)
+				logrus.StandardLogger().SetLevel(tt.logLevel)
+			}
+
+			result = readFqdnFromLoadBalancerWaitTimeoutMinsEnv()
+
+			logrus.StandardLogger().SetOutput(originalOutput)
+			logrus.StandardLogger().SetLevel(originalLevel)
+
+			logs := logOutput.String()
+
+			assert.Equalf(t, tt.want, result, "readFqdnFromLoadBalancerWaitTimeoutMinsEnv()")
+
+			if tt.wantLogs {
+				assert.Contains(t, logs, tt.wantedLogs)
+			}
+		})
+	}
+}
diff --git a/docs/development/developers_guide_de.md b/docs/development/developers_guide_de.md
@@ -9,6 +9,23 @@ Zuerst sollten Entwicklungsdateien angelegt werden, die anstelle der Cluster-Wer
 * `k8s/dev-resources/k8s-ces-setup.yaml`: [setup-config](../operations/configuration_guide_de.md)
 * `k8s/dev-resources/setup.json`: [custom-setup-config](../operations/custom_setup_configuration_de.md)
 
+### Installation des Ces-Setups im lokalen Cluster
+
+Damit das ces-setup im lokalen Cluster ausgeführt und getestet werden kann, müssen einige Dinge beachtet werden.
+Zuerst sollten alle vorhandenen Dogus, Komponenten, etc. aus dem System entfernt werden. Dazu kann
+der Befehl `make k8s-clean` verwendet werden.
+Damit anschließend das Ces-Setup installiert werden kann, muss vorher noch eine kleine Änderung an der 
+k8s/helm/values.yaml durchgeführt werden.
+Der folgende Teil muss einkommentiert werden, andernfalls kann das Setup nicht durchgeführt werden:
+```
+  # k8s-longhorn:
+  #   version: latest
+  #   helmRepositoryNamespace: k8s
+  #   deployNamespace: longhorn-system
+```
+Anschließend kann mit `make helm-apply` das Ces-Setup installiert werden. Es wird dann automatisch durchgeführt.
+
+
 ### Ausführung mit `go run` oder einer IDE
 
 - die lokale Entwicklung am Setup kann mit `STAGE=development go run .` gestartet werden

diff --git a/docs/development/developers_guide_en.md b/docs/development/developers_guide_en.md
@@ -9,6 +9,23 @@ First, development files should be created to be used instead of the cluster val
 * `k8s/dev-resources/k8s-ces-setup.yaml`: [setup-config](../operations/configuration_guide_en.md)
 * `k8s/dev-resources/setup.json`: [custom-setup-config](../operations/custom_setup_configuration_en.md)
 
+
+### Installing the ces setup in the local cluster
+
+In order for the ces-setup to be executed and tested in the local cluster, a few things must be taken into account.
+Firstly, all existing dogus, components, etc. should be removed from the system. To do this
+the command `make k8s-clean` can be used.
+So that the Ces setup can then be installed, a small change must first be made to the
+k8s/helm/values.yaml file beforehand.
+The following part must be commented in, otherwise the setup cannot be carried out:
+```
+  # k8s-longhorn:
+  # version: latest
+  # helmRepositoryNamespace: k8s
+  # deployNamespace: longhorn-system
+```
+The Ces setup can then be installed with `make helm-apply`. It is then carried out automatically.
+
 ### execution with `go run` or an IDE
 
 - local development at the setup can be started with `STAGE=development go run .`

diff --git a/k8s/helm/component-patch-tpl.yaml b/k8s/helm/component-patch-tpl.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 values:
   images:
-    k8sCesSetup: cloudogu/k8s-ces-setup:3.0.5
+    k8sCesSetup: cloudogu/k8s-ces-setup:3.0.6
     kubectl: bitnami/kubectl:1.27.4
 patches:
   values.yaml:

diff --git a/k8s/helm/templates/cluster-resources-role-binding.yaml b/k8s/helm/templates/cluster-resources-role-binding.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "k8s-ces-setup.name" . }}-cluster-resources
+  labels:
+    {{- include "k8s-ces-setup.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "k8s-ces-setup.name" . }}-cluster-resources
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "k8s-ces-setup.name" . }}
+    namespace: {{ .Release.Namespace }}
diff --git a/k8s/helm/templates/cluster-resources-role.yaml b/k8s/helm/templates/cluster-resources-role.yaml
@@ -0,0 +1,70 @@
+# The cluster role allows the setup to provide the dogu operator with the dogu CRD
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "k8s-ces-setup.name" . }}-cluster-resources
+  labels:
+    {{- include "k8s-ces-setup.labels" . | nindent 4 }}
+    # Specify these labels to grant permissions to the admin default role
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+rules:
+  - apiGroups:
+      - apiextensions.k8s.io
+    resources:
+      - customresourcedefinitions
+    verbs:
+      - get
+      - list
+      - create
+      - patch
+      - update
+  - apiGroups:
+      - rbac.authorization.k8s.io
+    resources:
+      - clusterroles
+      - clusterrolebindings
+    verbs:
+      - "*"
+  - apiGroups:
+      - "*"
+    resources:
+      - ingressclasses
+    verbs:
+      - get
+      - create
+      - list
+      - watch
+  - apiGroups:
+      - admissionregistration.k8s.io
+    resources:
+      - mutatingwebhookconfigurations
+      - validatingwebhookconfigurations
+    verbs:
+      - get
+      - create
+      - delete
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - create
+      - get
+      - update
+      - patch
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+    verbs:
+      - create
+  - apiGroups:
+      - cert-manager.io
+    resources:
+      - clusterissuers
+    verbs:
+      - get
+      - create
+      - list
+      - delete
diff --git a/k8s/helm/templates/deployment.yaml b/k8s/helm/templates/deployment.yaml
@@ -36,6 +36,8 @@ spec:
               value: "{{ .Values.setup.env.doguWaitTimeoutSecs | default "300" }}"
             - name: COMPONENT_TIMEOUT_SECS
               value: "{{ .Values.setup.env.componentWaitTimeoutSecs | default "1800" }}"
+            - name: FQDN_FROM_LOAD_BALANCER_WAIT_TIMEOUT_MINS
+              value: "{{ .Values.setup.env.fqdnFromLoadBalancerWaitTimeoutMins | default "15" }}"
           startupProbe:
             httpGet:
               path: /api/v1/health

diff --git a/k8s/helm/templates/rbac-role-binding.yaml b/k8s/helm/templates/rbac-role-binding.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "k8s-ces-setup.name" . }}
+  labels:
+    {{- include "k8s-ces-setup.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "k8s-ces-setup.name" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "k8s-ces-setup.name" . }}
diff --git a/k8s/helm/templates/rbac-role.yaml b/k8s/helm/templates/rbac-role.yaml
@@ -0,0 +1,12 @@
+# The ces-setup installs some components which could have or in fact have (component-operator) this permission
+# Without this permission, the setup of some components could not be done
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "k8s-ces-setup.name" . }}
+  labels:
+    {{- include "k8s-ces-setup.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [ "*" ]
+    resources: [ "*" ]
+    verbs: [ "*" ]
Original file line number	Diff line number	Diff line change
Expand Up		@@ -29,3 +29,4 @@ tmp
		.bin

		k8s/dev-resources/*
		.additionalValues.yaml