Changes the K8s-cronjob to a sidecar

Fixes puppetlabs#204 by migrating the r10k cronjobs to sidecars The sidecar is using crond, while still respecting all values.yaml options from the cronjob
syseleven · Feb 20, 2020 · c68d8ea · c68d8ea
1 parent 4fe9a72
commit c68d8ea
Show file tree

Hide file tree

Showing 5 changed files with 196 additions and 238 deletions.
diff --git a/k8s/templates/puppetserver-deployment.yaml b/k8s/templates/puppetserver-deployment.yaml
@@ -109,6 +109,79 @@ spec:
               mountPath: /etc/puppetlabs/puppet/
             - name: puppet-serverdata-storage
               mountPath: /opt/puppetlabs/server/data/puppetserver/
+
+        {{- if .Values.puppetserver.puppeturl }}
+        # r10k Code Sidecar
+        - name: r10k-code
+          image: "{{.Values.r10k.image}}:{{.Values.r10k.tag}}"
+          imagePullPolicy: "{{.Values.r10k.pullPolicy}}"
+          securityContext:
+            runAsUser: 0
+          resources:
+            {{- toYaml .Values.r10k.code.resources | nindent 12 }}
+          env:
+          {{- range $key, $value := .Values.r10k.code.extraEnv }}
+          - name: {{ $key }}
+            value: {{ $value }}
+          {{- end }}
+          command:
+            - /opt/r10k.entrypoint.sh
+          volumeMounts:
+          {{- with .Values.r10k.code.viaSsh.credentials }}
+          {{- if or (.existingSecret) (and (.ssh.value) (.known_hosts.value)) }}
+          - name: r10k-code-secret
+            mountPath: /home/puppet/.ssh
+          {{- end }}
+          {{- end }}
+          - name: r10k-code-volume
+            mountPath: /opt/r10k.cronjob.sh
+            subPath: "r10k.cronjob.sh"
+          - name: r10k-code-volume
+            mountPath: /opt/r10k.entrypoint.sh
+            subPath: "r10k.entrypoint.sh"
+          - name: r10k-code-volume
+            mountPath: /etc/puppetlabs/puppet/r10k.yaml
+            subPath: r10k.yaml
+          - name: puppet-code-storage
+            mountPath: /etc/puppetlabs/code/
+        {{- end }}
+
+        {{- if .Values.hiera.hieradataurl }}
+        # r10k Hiera Sidecar
+        - name: r10k-hiera
+          image: "{{.Values.r10k.image}}:{{.Values.r10k.tag}}"
+          imagePullPolicy: "{{.Values.r10k.pullPolicy}}"
+          securityContext:
+            runAsUser: 0
+          resources:
+            {{- toYaml .Values.r10k.hiera.resources | nindent 12 }}
+          env:
+          {{- range $key, $value := .Values.r10k.hiera.extraEnv }}
+          - name: {{ $key }}
+            value: {{ $value }}
+          {{- end }}
+          command:
+            - /opt/r10k.entrypoint.sh
+          volumeMounts:
+          {{- with .Values.r10k.hiera.viaSsh.credentials }}
+          {{- if or (.existingSecret) (and (.ssh.value) (.known_hosts.value)) }}
+          - name: r10k-hiera-secret
+            mountPath: /home/puppet/.ssh
+          {{- end }}
+          {{- end }}
+          - name: r10k-hiera-volume
+            mountPath: /opt/r10k.cronjob.sh
+            subPath: "r10k.cronjob.sh"
+          - name: r10k-hiera-volume
+            mountPath: /opt/r10k.entrypoint.sh
+            subPath: "r10k.entrypoint.sh"
+          - name: r10k-hiera-volume
+            mountPath: /etc/puppetlabs/puppet/r10k.yaml
+            subPath: r10k.yaml
+          - name: puppet-code-storage
+            mountPath: /etc/puppetlabs/code/
+        {{- end }}
+
       volumes:
         - name: puppet-code-storage
           persistentVolumeClaim:
@@ -142,6 +215,28 @@ spec:
           configMap:
             name: {{ template "puppetserver.hiera.privateMap" . }}
       {{- end }}
+        - name: r10k-code-volume
+          configMap:
+            name: r10k-code-config
+            defaultMode: 0777
+      {{- if or (.Values.r10k.code.viaSsh.credentials.existingSecret) (and (.Values.r10k.code.viaSsh.credentials.ssh.value) (.Values.r10k.code.viaSsh.credentials.known_hosts.value)) }}
+        - name: r10k-code-secret
+          secret:
+            secretName: {{ template "r10k.code.secret" . }}
+            defaultMode: 288 # = mode 0440
+            fsGroup: 999   # "puppet" GID
+      {{- end }}
+        - name: r10k-hiera-volume
+          configMap:
+            name: r10k-hiera-config
+            defaultMode: 0777
+      {{- if or (.Values.r10k.hiera.viaSsh.credentials.existingSecret) (and (.Values.r10k.hiera.viaSsh.credentials.ssh.value) (.Values.r10k.hiera.viaSsh.credentials.known_hosts.value)) }}
+        - name: r10k-hiera-secret
+          secret:
+            secretName: {{ template "r10k.hiera.secret" . }}
+            defaultMode: 288 # = mode 0440
+            fsGroup: 999   # "puppet" GID
+      {{- end }}
     {{- if (or (.Values.nodeSelector.allPods) (.Values.nodeSelector.commonStoragePods)) }}
       nodeSelector:
       {{- if (.Values.nodeSelector.allPods) }}

diff --git a/k8s/templates/r10k-code.configmap.yaml b/k8s/templates/r10k-code.configmap.yaml
@@ -16,13 +16,57 @@ data:
       :puppet_repo:
         remote: '{{.Values.puppetserver.puppeturl}}'
         basedir: '/etc/puppetlabs/code/environments'
-    :git:
-      provider: 'rugged' # Either 'shellgit' or 'rugged', defaults to 'shellgit'
-    {{- with .Values.r10k.code.viaSsh.credentials }}
-    {{- if or (.existingSecret) (and (.ssh.value) (.known_hosts.value)) }}
-      private_key: '/home/puppet/.ssh/id_rsa'
+
+  r10k.cronjob.sh: |
+    #!/bin/sh
+
+    # not needed anymore, as crond handels this - .startingDeadlineSeconds: {{ .startingDeadlineSeconds }}
+    # not needed anymore, as crond handels this - .activeDeadlineSeconds: {{ .activeDeadlineSeconds }}
+
+    {{- if .Values.r10k.code.cronJob.concurrencyPolicy }}
+      {{- if eq .Values.r10k.code.cronJob.concurrencyPolicy "Forbid" }}
+        if [ -e /run/r10k.cronjob.pid ] && pgrep $(</run/r10k.cronjob.pid); then
+          exit 0
+        fi
+      {{- else if eq .Values.r10k.code.cronJob.concurrencyPolicy "Replace" }}
+        if [ -e /run/r10k.cronjob.pid ]; then
+          pkill $(</run/r10k.cronjob.pid)
+        fi
+      {{- end }}
     {{- end }}
+
+    echo $PPID > /run/r10k.cronjob.pid
+
+    # extra_args="{{ .Values.r10k.code.extraArgs }}"  # parsing yaml-maps to bash?
+    /docker-entrypoint.sh deploy environment --config /etc/puppetlabs/puppet/r10k.yaml --puppetfile
+
+    echo $?
+
+    rm /run/r10k.cronjob.pid
+
+    {{- if .Values.r10k.code.cronJob.restartPolicy }}
+      {{- if eq .Values.r10k.code.cronJob.restartPolicy "OnFailure" }}
+        if (( $? != 0 )); then
+          /bin/sh -c /r10k.cronjob.sh
+        fi
+      {{- else if eq .Values.r10k.code.cronJob.restartPolicy "Never" }}
+        # Never restart? No, this is a cron sidecar, we want this to run forever
+      {{- else if eq .Values.r10k.code.cronJob.restartPolicy "Always" }}
+        # Always restart? Yes, this is a cron sidecar, we want this to run forever
+      {{- end }}
     {{- end }}
-      repositories:
-        - remote: '{{.Values.puppetserver.puppeturl}}'
+
+  r10k.entrypoint.sh: |
+    #!/bin/sh
+
+    apk add --update busybox-suid
+    touch /tmp/script.log
+
+    /usr/bin/crontab - <<'EOF'
+      {{ .Values.r10k.code.cronJob.schedule }} /bin/sh -c /opt/r10k.cronjob.sh >> /var/log/script.log
+    EOF
+
+    crond
+    tail -f /tmp/script.log
+
 {{- end }}
diff --git a/k8s/templates/r10k-code.cronjob.yaml b/k8s/templates/r10k-code.cronjob.yaml
diff --git a/k8s/templates/r10k-hiera.configmap.yaml b/k8s/templates/r10k-hiera.configmap.yaml
@@ -18,14 +18,57 @@ data:
         remote: '{{.Values.hiera.hieradataurl}}'
         basedir: '/etc/puppetlabs/code/hiera-data'
 
-    :git:
-      provider: 'rugged' # Either 'shellgit' or 'rugged', defaults to 'shellgit'
-    {{- with .Values.r10k.hiera.viaSsh.credentials }}
-    {{- if or (.existingSecret) (and (.ssh.value) (.known_hosts.value)) }}
-      private_key: '/home/puppet/.ssh/id_rsa'
+  r10k.cronjob.sh: |
+    #!/bin/sh
+
+    # not needed anymore, as crond handels this - .startingDeadlineSeconds: {{ .startingDeadlineSeconds }}
+    # not needed anymore, as crond handels this - .activeDeadlineSeconds: {{ .activeDeadlineSeconds }}
+
+    {{- if .Values.r10k.hiera.cronJob.concurrencyPolicy }}
+      {{- if eq .Values.r10k.hiera.cronJob.concurrencyPolicy "Forbid" }}
+        if [ -e /run/r10k.cronjob.pid ] && pgrep $(</run/r10k.cronjob.pid); then
+          exit 0
+        fi
+      {{- else if eq .Values.r10k.hiera.cronJob.concurrencyPolicy "Replace" }}
+        if [ -e /run/r10k.cronjob.pid ]; then
+          pkill $(</run/r10k.cronjob.pid)
+        fi
+      {{- end }}
     {{- end }}
+
+    echo $PPID > /run/r10k.cronjob.pid
+
+    # extra_args="{{ .Values.r10k.hiera.extraArgs }}"  # parsing yaml-maps to bash?
+    /docker-entrypoint.sh deploy environment --config /etc/puppetlabs/puppet/r10k.yaml --puppetfile
+
+    echo $?
+
+    rm /run/r10k.cronjob.pid
+
+    {{- if .Values.r10k.hiera.cronJob.restartPolicy }}
+      {{- if eq .Values.r10k.hiera.cronJob.restartPolicy "OnFailure" }}
+        if (( $? != 0 )); then
+          /bin/sh -c /r10k.cronjob.sh
+        fi
+      {{- else if eq .Values.r10k.hiera.cronJob.restartPolicy "Never" }}
+        # Never restart? No, this is a cron sidecar, we want this to run forever
+      {{- else if eq .Values.r10k.hiera.cronJob.restartPolicy "Always" }}
+        # Always restart? Yes, this is a cron sidecar, we want this to run forever
+      {{- end }}
     {{- end }}
-      repositories:
-        - remote: '{{.Values.hiera.hieradataurl}}'
+
+  r10k.entrypoint.sh: |
+    #!/bin/sh
+
+    apk add --update busybox-suid
+    touch /tmp/script.log
+
+    /usr/bin/crontab - <<'EOF'
+      {{ .Values.r10k.hiera.cronJob.schedule }} /bin/sh -c /opt/r10k.cronjob.sh >> /var/log/script.log
+    EOF
+
+    crond
+    tail -f /tmp/script.log
+
 {{- end }}