diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
index ebf81bbe..561e3d00 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -1,7 +1,7 @@
 ---
 name: Issue Report
 about: Create a report to help us improve
-title: '[ISSUE] Brief Description of Issue'
+title: 'Brief Description of Issue'
 labels: bug
 assignees: ''
diff --git a/.github/ISSUE_TEMPLATE/enhancement.md b/.github/ISSUE_TEMPLATE/enhancement.md
index ee50bdf7..38240df4 100644
--- a/.github/ISSUE_TEMPLATE/enhancement.md
+++ b/.github/ISSUE_TEMPLATE/enhancement.md
@@ -1,7 +1,7 @@
 ---
 name: Enhancement Suggestion
 about: Suggest an idea for this project
-title: '[ENHANCEMENT] Brief Description of Enhancement'
+title: 'Brief Description of Enhancement'
 labels: enhancement
 assignees: ''
@@ -15,13 +15,11 @@ assignees: ''
 ### Motivation
 *Explain why this enhancement would be useful to the project or users.*
+*Describe the potential benefits of the enhancement, including possible impacts on performance, usability, and efficiency.*
 ### Detailed Explanation
 *Provide a detailed explanation of the proposed enhancement. Include any preliminary ideas you have about the implementation, and how it integrates with existing functionalities.*
-### Benefits
-*Describe the potential benefits of the enhancement, including possible impacts on performance, usability, and efficiency.*
-
 ### Possible Drawbacks
 *Consider any possible drawbacks or issues that might arise with the implementation of this enhancement.*
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 182ae402..42258a29 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -14,12 +14,6 @@ jobs:
 with:
 fetch-depth: 0
- - name: Install Task
- uses: arduino/setup-task@v1
- with:
- version: 3.x
- repo-token: ${{ secrets.GITHUB_TOKEN }}
-
 - name: Write required vault files
 run: |
 mkdir -p terraform/vault/cluster/.tls
@@ -27,8 +21,14 @@ jobs:
 echo 'keep' > terraform/vault/cluster/.tls/vault-key.pem
 echo 'keep' > terraform/vault/cluster/.tls/ca-chain.pem
- - name: pre-commit checks
- run: task pre-commit
+ - name: Validate Terraform Opentofu configuration
+ uses: dagger/dagger-for-github@v5
+ with:
+ version: "latest"
+ verb: call
+ module: github.com/Smana/daggerverse/pre-commit-tf@pre-commit-tf/v0.0.1
+ args: run --dir "." --tf-binary="tofu"
+ cloud-token: ${{ secrets.DAGGER_CLOUD_TOKEN }}
 kubernetes-validation:
 name: Kubernetes validation โ˜ธ
diff --git a/README.md b/README.md
index 9532a586..5c0c3fb2 100644
--- a/README.md
+++ b/README.md
@@ -16,12 +16,11 @@ This repository provides a comprehensive guide and set of tools for building, ma
 - [๐Ÿ”— VPN connection using Tailscale](#-vpn-connection-using-tailscale)
 - [๐Ÿ”‘ Private PKI with Vault](#-private-pki-with-vault)
 - [๐Ÿงช CI](#-ci)
- - [๐Ÿšง Transition to Dagger](#-transition-to-dagger)
- - [Overview](#overview)
- - [Goal](#goal)
+ - [Overview](#overview)
 - [๐Ÿ  Using Self-Hosted Runners](#-using-self-hosted-runners)
 - [Overview](#overview-1)
 - [Enabling Self-Hosted Runners](#enabling-self-hosted-runners)
+ - [Dagger example with Self-Hosted Runners](#dagger-example-with-self-hosted-runners)
 ## ๐ŸŒŸ Overview
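Review bot: The new step pins its supply chain only by mutable references — `uses: dagger/dagger-for-github@v5`, `version: "latest"` for the CLI, and `module: github.com/Smana/daggerverse/pre-commit-tf@pre-commit-tf/v0.0.1`, a git tag that can be moved — so the code that runs with `secrets.DAGGER_CLOUD_TOKEN` in scope is not fixed by this commit. The README example later in this diff already pins its module by commit SHA; the same form works here for the module, and the action can be pinned by commit SHA with `version` set to an explicit release. If the workflow also triggers on `pull_request` from forks, the secret is empty there and the step runs without it; the trigger block is outside the hunk so this cannot be confirmed. The `jobs:` block this step belongs to starts outside the hunk.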
@@ -125,21 +124,12 @@ The Vault creation is made in 2 steps:
 ## ๐Ÿงช CI
-### ๐Ÿšง Transition to Dagger
+### Overview
-#### Overview
-Our CI currently supports two ways of declaring tasks. We are in the process of transitioning to using [Dagger](https://dagger.io/) exclusively. Here's a breakdown of the current methods:
-
-1. **[Task](https://taskfile.dev/installation/)**:
- - Utilized for Terraform code quality, conformance, and security.
- - Integrates with [pre-commit-terraform](https://github.com/antonbabenko/pre-commit-terraform) to ensure best practices and security standards are met.
-
-2. **[Dagger](https://dagger.io/)**:
- - Used for Kustomize and Kubernetes conformance.
- - Employs `kubeconform` for Kubernetes configuration validation.
+We leverage **[Dagger](https://dagger.io/)** for all our CI tasks. Here's what is currently run:
-#### Goal
-We aim to standardize our CI tasks using Dagger across all processes. This transition is currently a work in progress.
+* Validation of Kubernetes and Kustomize manifests using `kubeconform`
+* Validation of Terraform/Opentofu configurations using the [pre-commit-terraform](https://github.com/antonbabenko/pre-commit-terraform)
 ### ๐Ÿ  Using Self-Hosted Runners
@@ -152,4 +142,35 @@ This feature can be enabled within the `tooling` kustomization. By leveraging se
 - **Access to Private Endpoints**: Directly interact with internal resources that are not publicly accessible.
 - **Increased Security**: Run CI tasks within our secure internal environment.
-For detailed information on setting up and using GitHub Self-Hosted Runners, please refer to this [documentation](https://docs.github.com/en/actions/hosting-your-own-runners).
\ No newline at end of file
+For detailed information on setting up and using GitHub Self-Hosted Runners, please refer to this [documentation](https://docs.github.com/en/actions/hosting-your-own-runners).
+
+#### Dagger example with Self-Hosted Runners
+
+```yaml
+name: Cache testing
+
+on:
+ pull_request:
+ push:
+ branches: ["main"]
+
+jobs:
+
+ test-cache:
+ name: Testing in-cluster cache
+ runs-on: dagger-gha-runner-scale-set
+ container:
+ image: smana/dagger-cli:v0.11.9
+ env:
+ _EXPERIMENTAL_DAGGER_RUNNER_HOST: "tcp://dagger-engine:8080"
+ cloud-token: ${{ secrets.DAGGER_CLOUD_TOKEN }}
+
+ steps:
+ - name: Simulate a build with heavy packages
+ uses: dagger/dagger-for-github@v5
+ with:
+ version: "latest"
+ verb: call
+ module: github.com/shykes/daggerverse.git/wolfi@dfb1f91fa463b779021d65011f0060f7decda0ba
+ args: container --packages "python3,py3-pip,go,rust,clang"
+```
\ No newline at end of file
diff --git a/clusters/mycluster-0/observability.yaml b/clusters/mycluster-0/observability.yaml
index a811d511..2d83c161 100644
--- a/clusters/mycluster-0/observability.yaml
+++ b/clusters/mycluster-0/observability.yaml
@@ -24,11 +24,11 @@ spec:
 kind: HelmRelease
 name: kube-prometheus-stack
 namespace: observability
- - apiVersion: helm.toolkit.fluxcd.io/v2
- kind: HelmRelease
- name: loki
- namespace: observability
- - apiVersion: helm.toolkit.fluxcd.io/v2
- kind: HelmRelease
- name: vector-agent
- namespace: observability
+ # - apiVersion: helm.toolkit.fluxcd.io/v2
+ # kind: HelmRelease
+ # name: loki
+ # namespace: observability
+ # - apiVersion: helm.toolkit.fluxcd.io/v2
+ # kind: HelmRelease
+ # name: vector-agent
+ # namespace: observability
diff --git a/observability/mycluster-0/kustomization.yaml b/observability/mycluster-0/kustomization.yaml
index 162e6798..20b3dbc1 100644
--- a/observability/mycluster-0/kustomization.yaml
+++ b/observability/mycluster-0/kustomization.yaml
@@ -3,5 +3,6 @@ kind: Kustomization
 resources:
 - ../base/kube-prometheus-stack
- - ../base/loki
- - ../base/vector-agent
+ # Enabling the logging stack only when neeeded
+ # - ../base/loki
+ # - ../base/vector-agent
diff --git a/security/base/cert-manager/vault-clusterissuer.yaml b/security/base/cert-manager/vault-clusterissuer.yaml
index e20229e1..174c24a1 100644
--- a/security/base/cert-manager/vault-clusterissuer.yaml
+++ b/security/base/cert-manager/vault-clusterissuer.yaml
@@ -11,7 +11,7 @@ spec:
 auth:
 appRole:
 path: approle
- roleId: c9800133-dada-d5dd-3968-8196f1edc921 # !! This value changes each time I recreate the whole platform
+ roleId: 028010a8-49d4-c1af-71ce-6a0dff557f22 # !! This value changes each time I recreate the whole platform
 secretRef:
 name: cert-manager-vault-approle
 key: secretId
diff --git a/taskfile.yaml b/taskfile.yaml
deleted file mode 100644
index 79c71348..00000000
--- a/taskfile.yaml
+++ /dev/null
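Review bot: Commenting out the loki and vector-agent entries here, and in observability/mycluster-0/kustomization.yaml in this same diff, leaves the cluster without log shipping or retention until someone re-enables both files together, and nothing in the new lines records that gap; the kustomization comment `# Enabling the logging stack only when neeeded` also has a typo (`needed`). A one-line comment next to the disabled entries, such as `# logging stack (loki + vector-agent) disabled: no centralised log retention while this is commented out`, makes the trade-off visible to whoever later needs those logs during an incident. Keeping the two files' commented blocks in step matters because the health checks here only make sense while the matching resources exist in the kustomization.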
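Review bot: The hard-coded `roleId` is replaced again with a new value, and the inline comment already admits it changes on every platform rebuild, so this file is a manual sync point that will keep producing churn commits. cert-manager's Vault issuer takes `roleId` only as a literal, so the realistic options are to have whatever provisions the AppRole write the id somewhere Flux can substitute from at build time (for example `postBuild.substituteFrom`), or to switch the issuer to Vault's Kubernetes auth method, which needs no per-rebuild identifier; which fits depends on the Vault setup outside this diff. The role id is an identifier rather than the credential (the `secretId` stays in a Secret), so this is a maintainability point, not a leaked secret.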
@@ -1,25 +0,0 @@
-env:
- DOCKER_IMG: "ghcr.io/antonbabenko/pre-commit-terraform"
- DOCKER_TAG: "v1.89.1"
- REPO_NAME: "action-terraform-ci"
-
-version: "3"
-
-tasks:
- check:
- cmds:
- - task: pre-commit
- - task: flux-validate
-
- clean:
- cmds:
- - find . -type d -name "*.terraform" -or -name "*.terraform.lock.hcl" | sudo xargs rm -rf
-
- pre-commit:
- deps: [clean]
- cmds:
- - defer: {task: clean}
- - |
- USERID=$(id -u)
- GROUPID=$(id -g)
- docker run -e "USER=${USERID}:${GROUPID}" -v {{.USER_WORKING_DIR}}:/lint -w /lint $DOCKER_IMG:$DOCKER_TAG run -a
diff --git a/terraform/eks/README.md b/terraform/eks/README.md
index ead0054b..fc134c57 100644
--- a/terraform/eks/README.md
+++ b/terraform/eks/README.md
@@ -27,6 +27,18 @@ tags = {
 GithubRepo = "demo-cloud-native-ref"
 GithubOrg = "Smana"
 }
+
+
+karpenter_limits = {
+ "default" = {
+ cpu = "20"
+ memory = "64Gi"
+ }
+ "io" = {
+ cpu = "20"
+ memory = "64Gi"
+ }
+}
 ```
 3. Apply with `tofu apply -var-file variables.tfvars`
diff --git a/terraform/eks/data.tf b/terraform/eks/data.tf
index 9ce80f85..57455629 100644
--- a/terraform/eks/data.tf
+++ b/terraform/eks/data.tf
@@ -76,3 +76,12 @@ data "http" "gateway_api_crds" {
 count = length(local.gateway_api_crds_urls)
 url = local.gateway_api_crds_urls[count.index]
 }
+
+# Kubernetes manifests
+data "kubectl_filename_list" "karpenter_default" {
+ pattern = "${path.module}/kubernetes-manifests/karpenter/default-*.yaml"
+}
+
+data "kubectl_filename_list" "karpenter_io" {
+ pattern = "${path.module}/kubernetes-manifests/karpenter/io-*.yaml"
+}
diff --git a/terraform/eks/karpenter.tf b/terraform/eks/karpenter.tf
index 4e3a2d4d..28dd466f 100644
--- a/terraform/eks/karpenter.tf
+++ b/terraform/eks/karpenter.tf
@@ -19,70 +19,26 @@ resource "aws_eks_pod_identity_association" "karpenter" {
 role_arn = module.karpenter.iam_role_arn
 }
-resource "kubectl_manifest" "karpenter_nodepool" {
- yaml_body = <<-YAML
- apiVersion: karpenter.sh/v1beta1
- kind: NodePool
- metadata:
- name: default
- spec:
- template:
- spec:
- nodeClassRef:
- name: default
- requirements:
- - key: "kubernetes.io/arch"
- operator: In
- values: ["amd64"]
- - key: karpenter.sh/capacity-type
- operator: In
- values: ["spot"]
- - key: "karpenter.k8s.aws/instance-category"
- operator: In
- values: ["c", "m", "r"]
- - key: "karpenter.k8s.aws/instance-cpu"
- operator: In
- values: ["4", "8", "16", "32"]
- - key: "karpenter.k8s.aws/instance-hypervisor"
- operator: In
- values: ["nitro"]
- - key: "karpenter.k8s.aws/instance-generation"
- operator: Gt
- values: ["2"]
- # - key: "karpenter.k8s.aws/instance-local-nvme"
- # operator: Gt
- # values: ["150"]
- limits:
- cpu: 200
- disruption:
- consolidationPolicy: WhenEmpty
- consolidateAfter: 30s
- YAML
-
- depends_on = [
- helm_release.karpenter
- ]
-}
-
-resource "kubectl_manifest" "karpenter_ec2_nodeclass" {
- yaml_body = <<-YAML
- apiVersion: karpenter.k8s.aws/v1beta1
- kind: EC2NodeClass
- metadata:
- name: default
- spec:
- amiFamily: "AL2"
- # instanceStorePolicy: "RAID0"
- role: ${module.karpenter.node_iam_role_name}
- subnetSelectorTerms:
- - tags:
- karpenter.sh/discovery: ${var.env}
- securityGroupSelectorTerms:
- - tags:
- karpenter.sh/discovery: ${module.eks.cluster_name}
- tags:
- karpenter.sh/discovery: ${module.eks.cluster_name}
- YAML
+resource "kubectl_manifest" "karpenter" {
+ for_each = {
+ for file_name in flatten([
+ data.kubectl_filename_list.karpenter_default.matches,
+ data.kubectl_filename_list.karpenter_io.matches
+ ]) : file_name => file_name
+ }
+
+ yaml_body = templatefile(
+ each.key,
+ {
+ cluster_name = module.eks.cluster_name,
+ env = var.env,
+ karpenter_node_iam_role_name = module.karpenter.node_iam_role_name
+ default_nodepool_cpu_limits = var.karpenter_limits.default.cpu
+ default_nodepool_memory_limits = var.karpenter_limits.default.memory
+ io_nodepool_cpu_limits = var.karpenter_limits.io.cpu
+ io_nodepool_memory_limits = var.karpenter_limits.io.memory
+ }
+ )
 depends_on = [
 helm_release.karpenter
diff --git a/terraform/eks/kubernetes-manifests/karpenter/default-ec2nc.yaml b/terraform/eks/kubernetes-manifests/karpenter/default-ec2nc.yaml
new file mode 100644
index 00000000..16af676f
--- /dev/null
+++ b/terraform/eks/kubernetes-manifests/karpenter/default-ec2nc.yaml
@@ -0,0 +1,15 @@
+apiVersion: karpenter.k8s.aws/v1beta1
+kind: EC2NodeClass
+metadata:
+ name: default
+spec:
+ amiFamily: "AL2"
+ role: ${karpenter_node_iam_role_name}
+ subnetSelectorTerms:
+ - tags:
+ karpenter.sh/discovery: ${env}
+ securityGroupSelectorTerms:
+ - tags:
+ karpenter.sh/discovery: ${cluster_name}
+ tags:
+ karpenter.sh/discovery: ${cluster_name}
diff --git a/terraform/eks/kubernetes-manifests/karpenter/default-nodepool.yaml b/terraform/eks/kubernetes-manifests/karpenter/default-nodepool.yaml
new file mode 100644
index 00000000..78ad9c20
--- /dev/null
+++ b/terraform/eks/kubernetes-manifests/karpenter/default-nodepool.yaml
@@ -0,0 +1,29 @@
+apiVersion: karpenter.sh/v1beta1
+kind: NodePool
+metadata:
+ name: default
+spec:
+ template:
+ spec:
+ nodeClassRef:
+ name: default
+ requirements:
+ - key: "kubernetes.io/arch"
+ operator: In
+ values: ["amd64"]
+ - key: karpenter.sh/capacity-type
+ operator: In
+ values: ["spot"]
+ # Do not select big instance types in order to avoid blast radius
+ - key: karpenter.k8s.aws/instance-cpu
+ operator: Lt
+ values: ["26"]
+ - key: karpenter.k8s.aws/instance-memory
+ operator: Lt
+ values: ["50001"]
+ disruption:
+ consolidationPolicy: WhenEmpty
+ consolidateAfter: 30s
+ limits:
+ cpu: ${default_nodepool_cpu_limits}
+ memory: ${default_nodepool_memory_limits}
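Review bot: Replacing `kubectl_manifest.karpenter_nodepool` and `kubectl_manifest.karpenter_ec2_nodeclass` with `kubectl_manifest.karpenter[<file path>]` changes the resource addresses, so without `moved` blocks the plan is a destroy of the existing `default` NodePool and EC2NodeClass followed by a create; deleting a NodePool makes Karpenter drain and terminate every node it owns, so this apply is disruptive rather than a no-op. A `moved { from = kubectl_manifest.karpenter_nodepool  to = kubectl_manifest.karpenter["<resolved path of default-nodepool.yaml>"] }` (and the same for the node class) keeps the objects in state; the key is the path string produced by `kubectl_filename_list`, so take it from the plan output rather than guessing. Because `for_each` keys on that path, renaming or moving a manifest file later triggers the same destroy/create, which deserves a comment above the resource. The resource block continues past the end of the hunk (`depends_on` is cut off).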
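Review bot: `nodeClassRef` here gives only `name: default`, while the sibling io-nodepool.yaml in this diff also spells out `apiVersion: karpenter.k8s.aws/v1beta1` and `kind: EC2NodeClass`; both templates are rendered by the same `templatefile` loop in karpenter.tf, so one form should be used for both. Using the explicit form here (`nodeClassRef:` with `apiVersion: karpenter.k8s.aws/v1beta1`, `kind: EC2NodeClass`, `name: default`) avoids relying on the CRD's defaulting and keeps the two pools readable side by side.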
diff --git a/terraform/eks/kubernetes-manifests/karpenter/io-ec2nc.yaml b/terraform/eks/kubernetes-manifests/karpenter/io-ec2nc.yaml
new file mode 100644
index 00000000..7385f4de
--- /dev/null
+++ b/terraform/eks/kubernetes-manifests/karpenter/io-ec2nc.yaml
@@ -0,0 +1,19 @@
+apiVersion: karpenter.k8s.aws/v1beta1
+kind: EC2NodeClass
+metadata:
+ name: io
+spec:
+ amiFamily: "AL2"
+ instanceStorePolicy: "RAID0"
+ role: ${karpenter_node_iam_role_name}
+ subnetSelectorTerms:
+ - tags:
+ karpenter.sh/discovery: ${env}
+ securityGroupSelectorTerms:
+ - tags:
+ karpenter.sh/discovery: ${cluster_name}
+ userData: |
+ #!/bin/bash
+ /usr/bin/setup-local-disks raid0
+ tags:
+ karpenter.sh/discovery: ${cluster_name}
diff --git a/terraform/eks/kubernetes-manifests/karpenter/io-nodepool.yaml b/terraform/eks/kubernetes-manifests/karpenter/io-nodepool.yaml
new file mode 100644
index 00000000..6f5cefb3
--- /dev/null
+++ b/terraform/eks/kubernetes-manifests/karpenter/io-nodepool.yaml
@@ -0,0 +1,39 @@
+apiVersion: karpenter.sh/v1beta1
+kind: NodePool
+metadata:
+ name: io
+spec:
+ template:
+ spec:
+ nodeClassRef:
+ apiVersion: karpenter.k8s.aws/v1beta1
+ kind: EC2NodeClass
+ name: io
+ requirements:
+ - key: karpenter.sh/capacity-type
+ operator: In
+ values: ["spot", "on-demand"]
+ - key: kubernetes.io/arch
+ operator: In
+ values: ["amd64"]
+ - key: karpenter.k8s.aws/instance-cpu
+ operator: Lt
+ values: ["26"]
+ - key: karpenter.k8s.aws/instance-memory
+ operator: Lt
+ values: ["50001"]
+ - key: karpenter.k8s.aws/instance-local-nvme
+ operator: Gt
+ values: ["100"]
+ - key: karpenter.k8s.aws/instance-category
+ operator: In
+ values: ["c", "i", "m", "r"]
+ taints:
+ - key: ogenki/io
+ value: "true"
+ effect: NoSchedule
+ disruption:
+ consolidationPolicy: WhenUnderutilized
+ limits:
+ cpu: ${io_nodepool_cpu_limits}
+ memory: ${io_nodepool_memory_limits}
diff --git a/terraform/eks/variables.tf b/terraform/eks/variables.tf
index bd8eebbe..d82d3e3e 100644
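Review bot: `instanceStorePolicy: "RAID0"` and the explicit `userData` running `/usr/bin/setup-local-disks raid0` look like two ways of asking for the same thing; Karpenter's documentation for the AL2 family describes the RAID0 policy as already adding the setup-local-disks step to the bootstrap, in which case the `userData` block is redundant and at best runs the setup twice. Confirm against the Karpenter version in use and either drop the block or add a comment above `userData` stating why the explicit call is still required, e.g. `# explicit setup-local-disks kept because <reason>`.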
--- a/terraform/eks/variables.tf
+++ b/terraform/eks/variables.tf
@@ -45,6 +45,17 @@ variable "karpenter_version" {
 type = string
 }
+variable "karpenter_limits" {
+ description = "Define limits for Karpenter per node pool."
+ type = map(object(
+ {
+ cpu = optional(number, 50),
+ memory = optional(string, "50Gi")
+ }
+ )
+ )
+}
+
 variable "ebs_csi_driver_chart_version" {
 description = "EBS CSI Driver Helm chart version"
 default = "2.25.0"
diff --git a/tooling/base/dagger-engine/configmap.yaml b/tooling/base/dagger-engine/configmap.yaml
new file mode 100644
index 00000000..b1cdcef6
--- /dev/null
+++ b/tooling/base/dagger-engine/configmap.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: dagger-engine
+ labels:
+ app.kubernetes.io/name: dagger-engine
+ app.kubernetes.io/version: "v0.11.9"
+data:
+ engine.toml: |
+ debug = true
diff --git a/tooling/base/dagger-engine/deployment.yaml b/tooling/base/dagger-engine/deployment.yaml
new file mode 100644
index 00000000..4145a42f
--- /dev/null
+++ b/tooling/base/dagger-engine/deployment.yaml
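Review bot: `karpenter_limits` has no variable-level `default`, yet karpenter.tf in this diff dereferences `var.karpenter_limits.default.cpu` and `var.karpenter_limits.io.cpu` unconditionally, so a tfvars file that omits the variable or one of the two keys fails at plan time with a generic attribute-lookup error rather than a message naming the missing pool. Because both attributes are already `optional` with defaults, `default = { default = {}, io = {} }` makes the variable itself optional while still honouring the per-pool overrides shown in the README, and a `validation` block checking that `keys(var.karpenter_limits)` contains both `"default"` and `"io"` gives a clear error when someone passes a different set of pool names. The description should also name the required keys, e.g. `description = "Karpenter NodePool limits; keys \"default\" and \"io\" are required by karpenter.tf."`.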
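Review bot: `engine.toml` enables `debug = true` unconditionally for an engine that will process CI workloads and whatever secrets they carry; debug-level engine logs are verbose and may retain more than the operators intend. If it is meant for the initial rollout, a comment such as `# debug: verbose engine logs, turn off once the in-cluster setup is validated` records that intent; otherwise `false` is the safer steady state.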
@@ -0,0 +1,104 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: dagger-engine
+ annotations:
+ karpenter.sh/do-not-disrupt: "true"
+ labels:
+ app.kubernetes.io/name: dagger-engine
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: dagger-engine
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: dagger-engine
+ spec:
+ securityContext:
+ runAsUser: 0
+ runAsGroup: 1001
+ fsGroup: 1001
+ fsGroupChangePolicy: "OnRootMismatch"
+ serviceAccountName: default
+ containers:
+ - name: dagger-engine
+ image: registry.dagger.io/engine:v0.11.9
+ imagePullPolicy: IfNotPresent
+ args:
+ - --addr
+ - tcp://0.0.0.0:8080
+ - --oci-max-parallelism
+ - num-cpu
+ ports:
+ - containerPort: 8080
+ securityContext:
+ privileged: true
+ capabilities:
+ add:
+ - ALL
+ resources:
+ limits:
+ memory: 8Gi
+ ephemeral-storage: 100Gi
+ requests:
+ cpu: 4
+ memory: 8Gi
+ ephemeral-storage: 100Gi
+ readinessProbe:
+ tcpSocket:
+ port: 8080
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ failureThreshold: 3
+ volumeMounts:
+ - name: dagger-engine-config
+ mountPath: /etc/dagger/engine.toml
+ subPath: engine.toml
+ - name: varlibdagger
+ mountPath: /var/lib/dagger
+ - name: varrundagger
+ mountPath: /var/run/buildkit
+ terminationGracePeriodSeconds: 300
+ volumes:
+ - name: dagger-engine-config
+ configMap:
+ name: dagger-engine
+ items:
+ - key: engine.toml
+ path: engine.toml
+ - name: varlibdagger
+ ephemeral:
+ volumeClaimTemplate:
+ spec:
+ accessModes: ["ReadWriteOnce"]
+ resources:
+ requests:
+ storage: 10Gi
+ - name: varrundagger
+ ephemeral:
+ volumeClaimTemplate:
+ spec:
+ accessModes: ["ReadWriteOnce"]
+ resources:
+ requests:
+ storage: 90Gi
+ tolerations:
+ - effect: NoSchedule
+ key: ogenki/io
+ operator: Exists
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: karpenter.sh/nodepool
+ operator: In
+ values:
+ - io
+ # - matchExpressions:
+ # - key: karpenter.sh/capacity-type
+ # operator: In
+ # values:
+ # - on-demand
diff --git a/tooling/base/dagger-engine/kustomization.yaml b/tooling/base/dagger-engine/kustomization.yaml
new file mode 100644
index 00000000..4a400063
--- /dev/null
+++ b/tooling/base/dagger-engine/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: tooling
+
+resources:
+ - configmap.yaml
+ - deployment.yaml
+ - pdb.yaml
+ - service.yaml
+ - network-policy.yaml
diff --git a/tooling/base/dagger-engine/network-policy.yaml b/tooling/base/dagger-engine/network-policy.yaml
new file mode 100644
index 00000000..54f11ffa
--- /dev/null
+++ b/tooling/base/dagger-engine/network-policy.yaml
@@ -0,0 +1,39 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: dagger-engine
+spec:
+ description: "Allow internal traffic to the Dagger Engine service."
+ endpointSelector:
+ matchLabels:
+ k8s:app.kubernetes.io/name: dagger-engine
+ egress:
+ - toEndpoints:
+ - matchLabels:
+ k8s:io.kubernetes.pod.namespace: kube-system
+ k8s:k8s-app: kube-dns
+ toPorts:
+ - ports:
+ - port: "53"
+ protocol: UDP
+ - port: "53"
+ protocol: TCP
+ - toEntities:
+ - world
+ toPorts:
+ - ports:
+ - port: "80"
+ protocol: TCP
+ - port: "443"
+ protocol: TCP
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ k8s:actions.github.com/scale-set-name: default-gha-runner-scale-set
+ - fromEndpoints:
+ - matchLabels:
+ k8s:actions.github.com/scale-set-name: dagger-gha-runner-scale-set
+ toPorts:
+ - ports:
+ - port: "8080"
+ protocol: TCP
diff --git a/tooling/base/dagger-engine/pdb.yaml b/tooling/base/dagger-engine/pdb.yaml
new file mode 100644
index 00000000..59f16446
--- /dev/null
+++ b/tooling/base/dagger-engine/pdb.yaml
@@ -0,0 +1,9 @@
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: dagger-engine
+spec:
+ minAvailable: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: dagger-engine
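Review bot: The engine pod runs as `runAsUser: 0` with `privileged: true`, and the explicit `capabilities.add: [ALL]` is redundant with `privileged` (a privileged container already holds every capability), yet the pod also keeps the default service-account token mounted through `serviceAccountName: default`. Nothing in the visible manifest shows the engine needing the Kubernetes API, so `automountServiceAccountToken: false` under the pod `spec` removes an API credential from a root-privileged process; confirm against the engine's requirements before applying. The listener `tcp://0.0.0.0:8080` carries no authentication, so the CiliumNetworkPolicy in this diff is the only thing deciding who can drive this privileged engine, which is worth stating in a comment above `args`. Dropping the `capabilities` block keeps the security context honest about what it grants.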
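Review bot: The first `ingress` rule, the one selecting `default-gha-runner-scale-set`, has no `toPorts`, so pods of that scale set may reach every port on the engine, while the second rule limits `dagger-gha-runner-scale-set` to 8080; indentation is not preserved in this view, but the two `- fromEndpoints` items read as separate rules. If both scale sets are only meant to talk to the engine API, one rule with both selectors and a single `toPorts` entry is tighter and easier to audit. Given that the engine itself is privileged and unauthenticated (see deployment.yaml in this diff), this policy is the effective access control for it, which the `description` could say.
```yaml
  # … unchanged: endpointSelector and egress rules …
  ingress:
    - fromEndpoints:
        - matchLabels:
            k8s:actions.github.com/scale-set-name: default-gha-runner-scale-set
        - matchLabels:
            k8s:actions.github.com/scale-set-name: dagger-gha-runner-scale-set
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
```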
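Review bot: `minAvailable: 1` against a Deployment with `replicas: 1` means no voluntary eviction of the engine pod is ever permitted, so a node drain and any controller honouring PDBs will block on this pod indefinitely; the `karpenter.sh/do-not-disrupt` annotation on the deployment already expresses the same intent for Karpenter. If the goal is to protect in-progress builds and the ephemeral volumes, a comment saying so, `# single replica: blocks node drain on purpose, scale up or remove before maintenance`, stops the next operator from treating it as a mistake; otherwise dropping the PDB keeps drains possible.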
diff --git a/tooling/base/dagger-engine/service.yaml b/tooling/base/dagger-engine/service.yaml
new file mode 100644
index 00000000..cce57726
--- /dev/null
+++ b/tooling/base/dagger-engine/service.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: dagger-engine
+ labels:
+ app.kubernetes.io/name: dagger-engine
+spec:
+ selector:
+ app.kubernetes.io/name: dagger-engine
+ ports:
+ - protocol: TCP
+ port: 8080
+ targetPort: 8080
diff --git a/tooling/base/arc/controller-helmrelease.yaml b/tooling/base/gha-runners/controller-helmrelease.yaml
similarity index 100%
rename from tooling/base/arc/controller-helmrelease.yaml
rename to tooling/base/gha-runners/controller-helmrelease.yaml
diff --git a/tooling/base/gha-runners/dagger-scale-set-helmrelease.yaml b/tooling/base/gha-runners/dagger-scale-set-helmrelease.yaml
new file mode 100644
index 00000000..e5720112
--- /dev/null
+++ b/tooling/base/gha-runners/dagger-scale-set-helmrelease.yaml
@@ -0,0 +1,25 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: dagger-gha-runner-scale-set
+spec:
+ releaseName: dagger-gha-runner-scale-set
+ chart:
+ spec:
+ chart: gha-runner-scale-set
+ version: "0.9.2"
+ sourceRef:
+ kind: HelmRepository
+ name: gha-runner-scale-set
+ interval: 10m0s
+ install:
+ remediation:
+ retries: 3
+ values:
+ runnerGroup: "default"
+ githubConfigUrl: "https://github.com/Smana/demo-cloud-native-ref"
+ githubConfigSecret: gha-runner-scale-set
+ maxRunners: 5
+
+ containerMode:
+ type: "dind"
diff --git a/tooling/base/arc/default-scale-set-helmrelease.yaml b/tooling/base/gha-runners/default-scale-set-helmrelease.yaml
similarity index 93%
rename from tooling/base/arc/default-scale-set-helmrelease.yaml
rename to tooling/base/gha-runners/default-scale-set-helmrelease.yaml
index d1dd35b1..d071404e 100644
--- a/tooling/base/arc/default-scale-set-helmrelease.yaml
+++ b/tooling/base/gha-runners/default-scale-set-helmrelease.yaml
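Review bot: `containerMode.type: "dind"` gives every runner pod in this scale set a privileged Docker-in-Docker sidecar, yet the README example in this diff points these same runners at the shared in-cluster engine through `_EXPERIMENTAL_DAGGER_RUNNER_HOST`, so the builds do not appear to need a local Docker daemon. If that holds, omitting `containerMode` (or using the chart's `kubernetes` mode) keeps the runner pods unprivileged and leaves only the engine Deployment with elevated rights; confirm against what the Dagger CLI image expects. A comment next to `containerMode` stating why dind is required would settle it either way.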
@@ -2,7 +2,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
 name: default-gha-runner-scale-set
- namespace: tooling
 spec:
 releaseName: default-gha-runner-scale-set
 chart:
@@ -19,7 +18,7 @@ spec:
 values:
 runnerGroup: "default"
 githubConfigUrl: "https://github.com/Smana/demo-cloud-native-ref"
- githubConfigSecret: default-gha-runner-scale-set
+ githubConfigSecret: gha-runner-scale-set
 maxRunners: 5
 ## We'll probably want to use our internal PKI for this.
diff --git a/tooling/base/arc/externalsecret.yaml b/tooling/base/gha-runners/externalsecret.yaml
similarity index 82%
rename from tooling/base/arc/externalsecret.yaml
rename to tooling/base/gha-runners/externalsecret.yaml
index cd0400a4..4b91173f 100644
--- a/tooling/base/arc/externalsecret.yaml
+++ b/tooling/base/gha-runners/externalsecret.yaml
@@ -1,7 +1,7 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
- name: default-gha-runner-scale-set
+ name: gha-runner-scale-set
 spec:
 dataFrom:
 - extract:
@@ -14,4 +14,4 @@ spec:
 target:
 creationPolicy: Owner
 deletionPolicy: Retain
- name: default-gha-runner-scale-set
+ name: gha-runner-scale-set
diff --git a/tooling/base/arc/kustomization.yaml b/tooling/base/gha-runners/kustomization.yaml
similarity index 85%
rename from tooling/base/arc/kustomization.yaml
rename to tooling/base/gha-runners/kustomization.yaml
index 1096cf48..93c65c14 100644
--- a/tooling/base/arc/kustomization.yaml
+++ b/tooling/base/gha-runners/kustomization.yaml
@@ -4,6 +4,7 @@ namespace: tooling
 resources:
 - controller-helmrelease.yaml
+ - dagger-scale-set-helmrelease.yaml
 - default-scale-set-helmrelease.yaml
 - externalsecret.yaml
 - network-policy.yaml
diff --git a/tooling/base/arc/network-policy.yaml b/tooling/base/gha-runners/network-policy.yaml
similarity index 55%
rename from tooling/base/arc/network-policy.yaml
rename to tooling/base/gha-runners/network-policy.yaml
index 1ddf838a..577aeb47 100644
--- a/tooling/base/arc/network-policy.yaml
+++ b/tooling/base/gha-runners/network-policy.yaml
@@ -3,10 +3,14 @@ kind: CiliumNetworkPolicy
 metadata:
 name: gha-runner-scale-set
 spec:
- description: "Deny all traffic for the Github Actions Runners, except for HTTP traffic to the internet."
+ description: "Restrict internal traffic to the GitHub Actions runner scale set."
 endpointSelector:
- matchLabels:
- k8s:actions.github.com/scale-set-name: default-gha-runner-scale-set
+ matchExpressions:
+ - key: k8s:actions.github.com/scale-set-name
+ operator: In
+ values:
+ - default-gha-runner-scale-set
+ - dagger-gha-runner-scale-set
 egress:
 - toEndpoints:
 - matchLabels:
@@ -18,6 +22,13 @@ spec:
 protocol: UDP
 - port: "53"
 protocol: TCP
+ - toEndpoints:
+ - matchLabels:
+ k8s:app.kubernetes.io/name: dagger-engine
+ toPorts:
+ - ports:
+ - port: "8080"
+ protocol: TCP
+ - toEntities:
+ - world
 toPorts:
diff --git a/tooling/base/arc/source.yaml b/tooling/base/gha-runners/source.yaml
similarity index 90%
rename from tooling/base/arc/source.yaml
rename to tooling/base/gha-runners/source.yaml
index 871874e9..b20be38e 100644
--- a/tooling/base/arc/source.yaml
+++ b/tooling/base/gha-runners/source.yaml
@@ -2,7 +2,6 @@ apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
 name: gha-runner-scale-set
- namespace: default
 spec:
 type: "oci"
 interval: 5m0s
diff --git a/tooling/mycluster-0/kustomization.yaml b/tooling/mycluster-0/kustomization.yaml
index ebc774f0..fcf63793 100644
--- a/tooling/mycluster-0/kustomization.yaml
+++ b/tooling/mycluster-0/kustomization.yaml
@@ -1,7 +1,9 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-resources: []
-# Uncomment the following resources to include them in the kustomization
-# - ../base/arc
-# - ../base/harbor
+resources:
+ []
+ # Uncomment the following resources to include them in the kustomization
+ # - ../base/dagger-engine
+ # - ../base/gha-runners
+ # - ../base/harbor
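Review bot: `resources:` followed by `[]` on its own indented line parses as the same empty list but reads as if the list had content, and the comments now sit inside the value's indentation; `resources: []` on one line with the commented entries at column 0 beneath it is the conventional form and what the previous version used. The comment could also say that `../base/dagger-engine` and `../base/gha-runners` are meant to be enabled together, since the gha-runners network policy in this diff allows egress to `dagger-engine` and the engine policy admits the runner scale sets, so enabling only one leaves a policy pointing at a workload that is not there.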