bundle is ready, readiness added

AccessibleAI · Dec 21, 2023 · 61601f0 · 61601f0
1 parent 384c59e
commit 61601f0
Show file tree

Hide file tree

Showing 18 changed files with 196 additions and 58 deletions.
diff --git a/charts/cnvrg-admission/Chart.yaml b/charts/cnvrg-admission/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+appVersion: 1.0.0
+description: Admission controller for cnvrg MLOps operator
+name: copadmission
+type: application
+version: 1.0.0
diff --git a/charts/cnvrg-admission/templates/_helpers.yml b/charts/cnvrg-admission/templates/_helpers.yml
@@ -0,0 +1,31 @@
+{{- define "admission.annotations"}}
+{{- if .Values.admissionHook.annotations }}
+{{- range $k, $v :=  .Values.admissionHook.annotations }}
+{{$k}}: "{{$v}}"
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "admission.labels"}}
+{{- if .Values.admissionHook.labels }}
+{{- range $k, $v :=  .Values.admissionHook.labels }}
+{{$k}}: "{{$v}}"
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "startupJob.annotations"}}
+{{- if .Values.startupJob.annotations }}
+{{- range $k, $v :=  .Values.startupJob.annotations }}
+{{$k}}: "{{$v}}"
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "startupJob.labels"}}
+{{- if .Values.startupJob.labels }}
+{{- range $k, $v :=  .Values.startupJob.labels }}
+{{$k}}: "{{$v}}"
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/copctl-admission/templates/dep.yml → charts/cnvrg-admission/templates/dep.yml b/charts/copctl-admission/templates/dep.yml → charts/cnvrg-admission/templates/dep.yml
@@ -1,10 +1,13 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  labels:
-    control-plane: cnvrg-admission-controller
   name: cnvrg-admission-controller
   namespace: {{ .Release.Namespace }}
+  labels:
+    control-plane: cnvrg-admission-controller
+    {{- include "admission.labels" . | indent 4 }}
+  annotations:
+    {{- include "admission.annotations" . | indent 4 }}
 spec:
   replicas: 1
   selector:
@@ -16,23 +19,22 @@ spec:
         control-plane: cnvrg-admission-controller
     spec:
       imagePullSecrets:
-        - name: operator-pull-secret
+        - name: admission-pull-secret
       containers:
         - command:
             - /bin/bash
             - -c
             - |
-              sleep inf
               /opt/app-root/copctl \
               create \
-              kube-certs \
-              -c cnvrg-operator-admission.cnvrg-shim.svc \
+              webhook \
+              -c {{.Values.hookSvc}}.{{.Release.Namespace}}.svc \
               &&
               /opt/app-root/copctl \
               start \
               admission-controller \
-              --crt=certs/server.crt \
-              --key=certs/server.key
+              --crt=/opt/app-root/certs/server.crt \
+              --key=/opt/app-root/certs/server.key
           image: "{{.Values.imageHub}}/copctl:latest"
           imagePullPolicy: Always
           name: cnvrg-admission-controller
@@ -45,5 +47,15 @@ spec:
             requests:
               cpu: 200m
               memory: 400Mi
+          readinessProbe:
+            httpGet:
+              path: /ready
+              port: 8080
+              scheme: HTTPS
+          livenessProbe:
+            httpGet:
+              path: /ready
+              port: 8080
+              scheme: HTTPS
       serviceAccountName: cnvrg-admission-controller
       terminationGracePeriodSeconds: 10
diff --git a/charts/cnvrg-admission/templates/jobhack.yml b/charts/cnvrg-admission/templates/jobhack.yml
@@ -0,0 +1,27 @@
+{{- if .Values.startupJob.enabled }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: admission-startup-readiness-job
+  namespace: {{ .Release.Namespace}}
+  labels:
+    {{- include "startupJob.labels" . | indent 4 }}
+  annotations:
+    {{- include "startupJob.annotations" . | indent 4 }}
+spec:
+  template:
+    spec:
+      imagePullSecrets:
+        - name: admission-pull-secret
+      containers:
+        - name: admission-startup-readiness-job
+          image: "{{ .Values.imageHub }}/cnvrg-tools:v0.3"
+          args:
+            - /bin/bash
+            - -c
+            - |
+              set -x
+              curl -k --max-time 30 https://{{.Values.hookSvc}}.{{.Release.Namespace}}.svc/ready
+      restartPolicy: Never
+  backoffLimit: 4
+{{- end }}
diff --git a/charts/copctl-admission/templates/rbac.yml → charts/cnvrg-admission/templates/rbac.yml b/charts/copctl-admission/templates/rbac.yml → charts/cnvrg-admission/templates/rbac.yml
@@ -3,40 +3,46 @@ kind: ServiceAccount
 metadata:
   name: cnvrg-admission-controller
   namespace: {{ .Release.Namespace }}
+  labels:
+    control-plane: cnvrg-admission-controller
+    {{- include "admission.labels" . | indent 4 }}
+  annotations:
+    {{- include "admission.annotations" . | indent 4 }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: cnvrg-admission-controller
   namespace: {{ .Release.Namespace }}
+  labels:
+    control-plane: cnvrg-admission-controller
+    {{- include "admission.labels" . | indent 4 }}
+  annotations:
+    {{- include "admission.annotations" . | indent 4 }}
 rules:
 - apiGroups:
-  - certificates.k8s.io
+  - admissionregistration.k8s.io
   resources:
-  - certificatesigningrequests
+  - mutatingwebhookconfigurations
   verbs:
-  - get
-  - list
-  - watch
+  - create
+  - delete
 - apiGroups:
-  - certificates.k8s.io
+  - metacloud.cnvrg.io
   resources:
-  - certificatesigningrequests/approval
+  - domains
   verbs:
-  - update
-- apiGroups:
-  - certificates.k8s.io
-  resources:
-  - signers
-  resourceNames:
-  - example.com/my-signer-name # example.com/* can be used to authorize for all signers in the 'example.com' domain
-  verbs:
-  - approve
+  - list
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: cnvrg-admission-controller
+  labels:
+    control-plane: cnvrg-admission-controller
+    {{- include "admission.labels" . | indent 4 }}
+  annotations:
+    {{- include "admission.annotations" . | indent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

diff --git a/...ts/copctl-admission/templates/regcred.yml → charts/cnvrg-admission/templates/regcred.yml b/...ts/copctl-admission/templates/regcred.yml → charts/cnvrg-admission/templates/regcred.yml
@@ -2,7 +2,12 @@ apiVersion: v1
 kind: Secret
 type: kubernetes.io/dockerconfigjson
 metadata:
-  name: operator-pull-secret
+  name: admission-pull-secret
   namespace: {{ .Release.Namespace }}
+  labels:
+    control-plane: cnvrg-admission-controller
+    {{- include "admission.labels" . | indent 4 }}
+  annotations:
+    {{- include "admission.annotations" . | indent 4 }}
 data:
   .dockerconfigjson: {{ printf "{\"auths\":{\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"auth\":\"%s\"}}}" .Values.registry.url .Values.registry.user .Values.registry.password (printf "%s:%s" .Values.registry.user .Values.registry.password | b64enc) | b64enc }}
diff --git a/charts/cnvrg-admission/templates/svc.yaml b/charts/cnvrg-admission/templates/svc.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{.Values.hookSvc}}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    control-plane: cnvrg-admission-controller
+    {{- include "admission.labels" . | indent 4 }}
+  annotations:
+    {{- include "admission.annotations" . | indent 4 }}
+spec:
+  ports:
+  - port: 443
+    protocol: TCP
+    targetPort: 8080
+  selector:
+    control-plane: cnvrg-admission-controller
diff --git a/charts/cnvrg-admission/values.yaml b/charts/cnvrg-admission/values.yaml
@@ -0,0 +1,16 @@
+imageHub: docker.io/cnvrg
+hookSvc: cnvrg-operator-admission
+labels: {}
+annotations: {}
+startupJob:
+  enabled: true
+  labels: { }
+  annotations: { }
+admissionHook:
+  labels: { }
+  annotations: {}
+registry:
+  name: cnvrg-admission-registry
+  url: docker.io
+  user: ''
+  password: ''
diff --git a/charts/cnvrg-all-in-one/Chart.lock b/charts/cnvrg-all-in-one/Chart.lock
@@ -2,5 +2,8 @@ dependencies:
 - name: domainpool
   repository: https://catalog.stg.intelcloud.cnvrg.io/stage
   version: 0.1.2
-digest: sha256:5ee1051f508c6145b0cb89b75b6d337f77094f11d2f5c17330b038f325c7ceaf
-generated: "2023-12-18T12:14:56.909036+02:00"
+- name: copadmission
+  repository: https://catalog.stg.intelcloud.cnvrg.io/stage
+  version: 1.0.0
+digest: sha256:cc71158e2f162d2cb8ee872ef0f25147933956d87bc5513aee3f0393d15a1249
+generated: "2023-12-21T18:03:21.468301+02:00"
diff --git a/charts/cnvrg-all-in-one/Chart.yaml b/charts/cnvrg-all-in-one/Chart.yaml
@@ -8,4 +8,8 @@ dependencies:
   - name: domainpool
     version: 0.1.2
     repository: https://catalog.stg.intelcloud.cnvrg.io/stage
-    condition: domainpool.enabled
+    condition: domainpool.enabled
+  - name: copadmission
+    version: 1.0.0
+    repository: https://catalog.stg.intelcloud.cnvrg.io/stage
+    condition: copadmission.enabled
diff --git a/charts/cnvrg-all-in-one/charts/copadmission-1.0.0.tgz b/charts/cnvrg-all-in-one/charts/copadmission-1.0.0.tgz
diff --git a/charts/cnvrg-all-in-one/values.yaml b/charts/cnvrg-all-in-one/values.yaml
@@ -4,6 +4,17 @@ domainpool:
   baseDomain: stg.intelcloud.cnvrg.io
   annotations:
     "helm.sh/hook": "pre-install"
+copadmission:
+  enabled: true
+  admissionHook:
+    annotations:
+      "helm.sh/hook": "pre-install"
+      "helm.sh/hook-weight": "-5"
+  startupJob:
+    enabled: true
+    annotations:
+      "helm.sh/hook": "pre-install"
+      "helm.sh/hook-weight": "0"
 clusterDomain: ''
 clusterInternalDomain: cluster.local
 imageHub: docker.io/cnvrg

diff --git a/charts/copctl-admission/Chart.yaml b/charts/copctl-admission/Chart.yaml
diff --git a/charts/copctl-admission/templates/svc.yaml b/charts/copctl-admission/templates/svc.yaml
diff --git a/charts/copctl-admission/values.yaml b/charts/copctl-admission/values.yaml
diff --git a/cmd/copctl/cmd/create/webhook.go b/cmd/copctl/cmd/create/webhook.go
@@ -37,7 +37,7 @@ func init() {
 }
 
 var webhookCmd = &cobra.Command{
-	Use:     "webhook-certs",
+	Use:     "webhook",
 	Aliases: []string{"w"},
 	Short:   "Generate certs for Admission Webhook",
 	Run: func(cmd *cobra.Command, args []string) {
@@ -87,7 +87,7 @@ func (h *Webhook) run() {
 func (h *Webhook) commonNameToNsAndSvc() (ns string, svc string) {
 	endpoint := strings.Split(h.CommonName, ".")
 	if len(endpoint) < 3 {
-		zap.S().Error("wrong common name, expected format: <svc-name>.<ns-name>.svc ")
+		zap.S().Fatalf("wrong common name, expected format: <svc-name>.<ns-name>.svc ")
 	}
 	return endpoint[1], endpoint[0]
 }
@@ -186,6 +186,7 @@ func (h *Webhook) dumpToDisk(caCrt, serverCrt, serverKey *bytes.Buffer) {
 }
 
 func (h *Webhook) createMutatingWebhookCfg(hookCfg *admissionv1.MutatingWebhookConfiguration) {
+
 	zap.S().Infof("creating webhook: %s", hookCfg.Name)
 
 	err := clientset().

diff --git a/cmd/copctl/cmd/start/admission.go b/cmd/copctl/cmd/start/admission.go
@@ -53,16 +53,19 @@ var admissionCtrlCmd = &cobra.Command{
 		}
 
 		// Handler for CnvrgCap clusterDomain deployed on AI Cloud
-		//http.HandleFunc("/cap/clusterdomain/mutate", admission.MutateCnvrgAppClusterDomainHandler)
 		aiCloudDomainDiscoveryHandler := admission.NewAICloudDomainHandler()
+		readiness := admission.NewReadinessHandler()
 		http.HandleFunc(aiCloudDomainDiscoveryHandler.HandlerPath(), aiCloudDomainDiscoveryHandler.Handler)
+		http.HandleFunc(readiness.HandlerPath(), readiness.Handler)
+
+		addr := "0.0.0.0:8080"
 
 		// Create HTTPS server configuration
 		s := &http.Server{
-			Addr:      "0.0.0.0:8080",
+			Addr:      addr,
 			TLSConfig: &tls.Config{Certificates: []tls.Certificate{pair}},
 		}
-		zap.S().Info("Admission controller started")
+		zap.S().Infof("admission controller started on %s", addr)
 		zap.S().Fatal(s.ListenAndServeTLS("", ""))
 	},
 }
diff --git a/pkg/admission/readiness.go b/pkg/admission/readiness.go
@@ -0,0 +1,21 @@
+package admission
+
+import (
+	"net/http"
+)
+
+type ReadinessHandler struct{}
+
+func NewReadinessHandler() *ReadinessHandler {
+	return &ReadinessHandler{}
+}
+
+func (h *ReadinessHandler) Handler(w http.ResponseWriter, r *http.Request) {
+
+	resp := []byte("ready")
+	endWithOk(resp, w)
+}
+
+func (h *ReadinessHandler) HandlerPath() string {
+	return "/ready"
+}