diff --git a/k8s/templates/puppetserver-deployment.yaml b/k8s/templates/puppetserver-deployment.yaml
index f8927c9c..3250f015 100644
--- a/k8s/templates/puppetserver-deployment.yaml
+++ b/k8s/templates/puppetserver-deployment.yaml
@@ -109,6 +109,79 @@ spec: mountPath: /etc/puppetlabs/puppet/ - name: puppet-serverdata-storage mountPath: /opt/puppetlabs/server/data/puppetserver/ + + {{- if .Values.puppetserver.puppeturl }} + # r10k Code Sidecar + - name: r10k-code + image: "{{.Values.r10k.image}}:{{.Values.r10k.tag}}" + imagePullPolicy: "{{.Values.r10k.pullPolicy}}" + securityContext: + runAsUser: 0 + resources: + {{- toYaml .Values.r10k.code.resources | nindent 12 }} + env: + {{- range $key, $value := .Values.r10k.code.extraEnv }} + - name: {{ $key }} + value: {{ $value }} + {{- end }} + command: + - /opt/r10k.entrypoint.sh + volumeMounts: + {{- with .Values.r10k.code.viaSsh.credentials }} + {{- if or (.existingSecret) (and (.ssh.value) (.known_hosts.value)) }} + - name: r10k-code-secret + mountPath: /home/puppet/.ssh + {{- end }} + {{- end }} + - name: r10k-code-volume + mountPath: /opt/r10k.cronjob.sh + subPath: "r10k.cronjob.sh" + - name: r10k-code-volume + mountPath: /opt/r10k.entrypoint.sh + subPath: "r10k.entrypoint.sh" + - name: r10k-code-volume + mountPath: /etc/puppetlabs/puppet/r10k.yaml + subPath: r10k.yaml + - name: puppet-code-storage + mountPath: /etc/puppetlabs/code/ + {{- end }} + + {{- if .Values.hiera.hieradataurl }} + # r10k Hiera Sidecar + - name: r10k-hiera + image: "{{.Values.r10k.image}}:{{.Values.r10k.tag}}" + imagePullPolicy: "{{.Values.r10k.pullPolicy}}" + securityContext: + runAsUser: 0 + resources: + {{- toYaml .Values.r10k.hiera.resources | nindent 12 }} + env: + {{- range $key, $value := .Values.r10k.hiera.extraEnv }} + - name: {{ $key }} + value: {{ $value }} + {{- end }} + command: + - /opt/r10k.entrypoint.sh + volumeMounts: + {{- with .Values.r10k.hiera.viaSsh.credentials }} + {{- if or (.existingSecret) (and (.ssh.value) (.known_hosts.value)) }} + - name: r10k-hiera-secret + mountPath: /home/puppet/.ssh + {{- end }} + {{- end }} + - name: r10k-hiera-volume + mountPath: /opt/r10k.cronjob.sh + subPath: "r10k.cronjob.sh" + - name: r10k-hiera-volume + mountPath: 
/opt/r10k.entrypoint.sh + subPath: "r10k.entrypoint.sh" + - name: r10k-hiera-volume + mountPath: /etc/puppetlabs/puppet/r10k.yaml + subPath: r10k.yaml + - name: puppet-code-storage + mountPath: /etc/puppetlabs/code/ + {{- end }} + volumes: - name: puppet-code-storage persistentVolumeClaim:
@@ -142,6 +215,28 @@ spec: configMap: name: {{ template "puppetserver.hiera.privateMap" . }} {{- end }} + - name: r10k-code-volume + configMap: + name: r10k-code-config + defaultMode: 0777 + {{- if or (.Values.r10k.code.viaSsh.credentials.existingSecret) (and (.Values.r10k.code.viaSsh.credentials.ssh.value) (.Values.r10k.code.viaSsh.credentials.known_hosts.value)) }} + - name: r10k-code-secret + secret: + secretName: {{ template "r10k.code.secret" . }} + defaultMode: 288 # = mode 0440 + fsGroup: 999 # "puppet" GID + {{- end }} + - name: r10k-hiera-volume + configMap: + name: r10k-hiera-config + defaultMode: 0777 + {{- if or (.Values.r10k.hiera.viaSsh.credentials.existingSecret) (and (.Values.r10k.hiera.viaSsh.credentials.ssh.value) (.Values.r10k.hiera.viaSsh.credentials.known_hosts.value)) }} + - name: r10k-hiera-secret + secret: + secretName: {{ template "r10k.hiera.secret" . }} + defaultMode: 288 # = mode 0440 + fsGroup: 999 # "puppet" GID + {{- end }} {{- if (or (.Values.nodeSelector.allPods) (.Values.nodeSelector.commonStoragePods)) }} nodeSelector: {{- if (.Values.nodeSelector.allPods) }}
diff --git a/k8s/templates/r10k-code.configmap.yaml b/k8s/templates/r10k-code.configmap.yaml
index 64625912..9dfa8b59 100644
--- a/k8s/templates/r10k-code.configmap.yaml
+++ b/k8s/templates/r10k-code.configmap.yaml
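Review bot: Both sidecars are given `runAsUser: 0`, whereas the CronJobs this hunk replaces ran as UID 999 with `fsGroup: 999`, so the r10k process that writes the shared `puppet-code-storage` PVC and reads the SSH key now runs as root inside the puppetserver pod. The key is still mounted at `/home/puppet/.ssh`, but a root process presumably has `HOME=/root` (confirm against the image), and the configmap hunk below removes the `private_key:` setting that used to point r10k at that path, so SSH-based fetches would likely not find the key at all. Root appears to be needed only for the `apk add --update busybox-suid` in the entrypoint; baking that package into the image and restoring `runAsUser: 999` plus `fsGroup: 999` (with `allowPrivilegeEscalation: false`) in the container `securityContext:` keeps the sidecar unprivileged. The containers list continues outside this hunk.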
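Review bot: `fsGroup: 999` placed under the `secret:` volume source of `r10k-code-secret` and `r10k-hiera-secret` is not a field of the Kubernetes volume API — fsGroup belongs to the pod-level `securityContext` — so it is either rejected by strict field validation or silently dropped, and the 0440 key file presumably stays root-owned. The two configMap volumes use `defaultMode: 0777`, which is broader than the scripts and r10k.yaml need; the execute bit is all that is required, so `defaultMode: 365 # = mode 0555` does the job and matches the decimal-with-comment convention already used for the secret two lines below. Move `fsGroup: 999` to the pod `securityContext:` (outside this hunk) and remove it from both volume entries.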
@@ -16,13 +16,57 @@ data: :puppet_repo: remote: '{{.Values.puppetserver.puppeturl}}' basedir: '/etc/puppetlabs/code/environments' - :git: - provider: 'rugged' # Either 'shellgit' or 'rugged', defaults to 'shellgit' - {{- with .Values.r10k.code.viaSsh.credentials }} - {{- if or (.existingSecret) (and (.ssh.value) (.known_hosts.value)) }} - private_key: '/home/puppet/.ssh/id_rsa' + + r10k.cronjob.sh: | + #!/bin/sh + + # not needed anymore, as crond handels this - .startingDeadlineSeconds: {{ .startingDeadlineSeconds }} + # not needed anymore, as crond handels this - .activeDeadlineSeconds: {{ .activeDeadlineSeconds }} + + {{- if .Values.r10k.code.cronJob.concurrencyPolicy }} + {{- if eq .Values.r10k.code.cronJob.concurrencyPolicy "Forbid" }} + if [ -e /run/r10k.cronjob.pid ] && pgrep $( /run/r10k.cronjob.pid + + # extra_args="{{ .Values.r10k.code.extraArgs }}" # parsing yaml-maps to bash? + /docker-entrypoint.sh deploy environment --config /etc/puppetlabs/puppet/r10k.yaml --puppetfile + + echo $? + + rm /run/r10k.cronjob.pid + + {{- if .Values.r10k.code.cronJob.restartPolicy }} + {{- if eq .Values.r10k.code.cronJob.restartPolicy "OnFailure" }} + if (( $? != 0 )); then + /bin/sh -c /r10k.cronjob.sh + fi + {{- else if eq .Values.r10k.code.cronJob.restartPolicy "Never" }} + # Never restart? No, this is a cron sidecar, we want this to run forever + {{- else if eq .Values.r10k.code.cronJob.restartPolicy "Always" }} + # Always restart? Yes, this is a cron sidecar, we want this to run forever + {{- end }} {{- end }} - repositories: - - remote: '{{.Values.puppetserver.puppeturl}}' + + r10k.entrypoint.sh: | + #!/bin/sh + + apk add --update busybox-suid + touch /tmp/script.log + + /usr/bin/crontab - <<'EOF' + {{ .Values.r10k.code.cronJob.schedule }} /bin/sh -c /opt/r10k.cronjob.sh >> /var/log/script.log + EOF + + crond + tail -f /tmp/script.log + {{- end }} 
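Review bot: The crontab entry in `r10k.entrypoint.sh` appends r10k output to `/var/log/script.log`, but the entrypoint creates and tails `/tmp/script.log`, so nothing r10k prints reaches the container log and stderr from the cron job is lost as well; use one path and capture stderr, e.g. `{{ .Values.r10k.code.cronJob.schedule }} /bin/sh /opt/r10k.cronjob.sh >> /tmp/script.log 2>&1`. Installing `busybox-suid` with `apk add --update` on every container start pulls an unpinned package over the network at runtime and is the only reason the sidecar needs root; it belongs in the image build. The `extraArgs` value the deleted CronJob passed to r10k survives only as a commented-out line, so users who set it silently lose those flags — either render them into the deploy command with `{{ range $k, $v := .Values.r10k.code.extraArgs }}{{ $v }} {{ end }}` or document the removal in values. The `pgrep` guard of the Forbid branch appears truncated in this view (`pgrep $( /run/r10k.cronjob.pid`), so that part could not be checked here.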
diff --git a/k8s/templates/r10k-code.cronjob.yaml b/k8s/templates/r10k-code.cronjob.yaml
deleted file mode 100644
index dfc9043f..00000000
--- a/k8s/templates/r10k-code.cronjob.yaml
+++ /dev/null
@@ -1,112 +0,0 @@ -{{- if .Values.puppetserver.puppeturl }} -apiVersion: batch/v1beta1 -kind: CronJob -metadata: - name: {{ template "puppetserver.name" . }}-r10k-code-deploy - labels: - {{- include "puppetserver.r10k.labels" . | nindent 4 }} -spec: - selector: - matchLabels: - {{- include "puppetserver.r10k.matchLabels" . | nindent 6 }} -{{- with .Values.r10k.code.cronJob }} - schedule: "{{.schedule}}" -{{- if .concurrencyPolicy }} - concurrencyPolicy: {{ .concurrencyPolicy }} -{{- end }} -{{- if .startingDeadlineSeconds }} - startingDeadlineSeconds: {{ .startingDeadlineSeconds }} -{{- end }} -{{- end }} - jobTemplate: - spec: - template: - metadata: - labels: - {{- include "puppetserver.r10k.labels" . | nindent 12 }} - {{- if .Values.podAnnotations }} - annotations: - {{- toYaml .Values.podAnnotations | nindent 12 }} - {{- end }} - spec: - containers: - - name: r10k-code - image: "{{.Values.r10k.image}}:{{.Values.r10k.tag}}" - imagePullPolicy: "{{.Values.r10k.pullPolicy}}" - resources: - {{- toYaml .Values.r10k.code.resources | nindent 16 }} - env: - {{- range $key, $value := .Values.r10k.code.extraEnv }} - - name: {{ $key }} - value: {{ $value }} - {{- end }} - args: - - deploy - - environment - - --config - - /etc/puppetlabs/puppet/r10k.yaml - - --puppetfile - {{- range $key, $value := .Values.r10k.code.extraArgs }} - - {{ $value }} - {{- end }} - volumeMounts: - {{- with .Values.r10k.code.viaSsh.credentials }} - {{- if or (.existingSecret) (and (.ssh.value) (.known_hosts.value)) }} - - name: r10k-code-secret - mountPath: /home/puppet/.ssh - {{- end }} - {{- end }} - - name: r10k-volume - mountPath: /etc/puppetlabs/puppet/r10k.yaml - subPath: r10k.yaml - - name: puppet-code-storage - mountPath: /etc/puppetlabs/code/ - securityContext: - runAsUser: 999 # "puppet" UID - fsGroup: 999 # "puppet" GID - {{- with .Values.r10k.code.cronJob }} - {{- if .restartPolicy }} - restartPolicy: {{ .restartPolicy }} - {{- end }} - {{- if .activeDeadlineSeconds }} - 
activeDeadlineSeconds: {{ .activeDeadlineSeconds }} - {{- end }} - {{- end }} - volumes: - - name: puppet-code-storage - persistentVolumeClaim: - claimName: puppet-code-claim - - name: r10k-volume - configMap: - name: r10k-code-config - {{- if or (.Values.r10k.code.viaSsh.credentials.existingSecret) (and (.Values.r10k.code.viaSsh.credentials.ssh.value) (.Values.r10k.code.viaSsh.credentials.known_hosts.value)) }} - - name: r10k-code-secret - secret: - secretName: {{ template "r10k.code.secret" . }} - defaultMode: 288 # = mode 0440 - fsGroup: 999 # "puppet" GID - {{- end }} - {{- if (or (.Values.nodeSelector.allPods) (.Values.nodeSelector.commonStoragePods)) }} - nodeSelector: - {{- if (.Values.nodeSelector.allPods) }} - {{ toYaml .Values.nodeSelector.allPods | nindent 14 }} - {{- end }} - {{- if (.Values.nodeSelector.commonStoragePods) }} - {{ toYaml .Values.nodeSelector.commonStoragePods | nindent 14 }} - {{- end }} - {{- end }} - {{- if .Values.r10k.affinity }} - affinity: - {{ toYaml .Values.r10k.affinity | nindent 14 }} - {{- else if .Values.affinity }} - affinity: - {{ toYaml .Values.affinity | nindent 14 }} - {{- end }} - {{- if .Values.tolerations }} - tolerations: - {{ toYaml .Values.tolerations| nindent 14 }} - {{- end }} - {{- if and (.Capabilities.APIVersions.Has "scheduling.k8s.io/v1beta1") (.Values.priorityClassName) }} - priorityClassName: {{ .Values.priorityClassName }} - {{- end }} -{{- end }}
diff --git a/k8s/templates/r10k-hiera.configmap.yaml b/k8s/templates/r10k-hiera.configmap.yaml
index db78da62..840ecb72 100644
--- a/k8s/templates/r10k-hiera.configmap.yaml
+++ b/k8s/templates/r10k-hiera.configmap.yaml
@@ -18,14 +18,57 @@ data: remote: '{{.Values.hiera.hieradataurl}}' basedir: '/etc/puppetlabs/code/hiera-data' - :git: - provider: 'rugged' # Either 'shellgit' or 'rugged', defaults to 'shellgit' - {{- with .Values.r10k.hiera.viaSsh.credentials }} - {{- if or (.existingSecret) (and (.ssh.value) (.known_hosts.value)) }} - private_key: '/home/puppet/.ssh/id_rsa' + r10k.cronjob.sh: | + #!/bin/sh + + # not needed anymore, as crond handels this - .startingDeadlineSeconds: {{ .startingDeadlineSeconds }} + # not needed anymore, as crond handels this - .activeDeadlineSeconds: {{ .activeDeadlineSeconds }} + + {{- if .Values.r10k.hiera.cronJob.concurrencyPolicy }} + {{- if eq .Values.r10k.hiera.cronJob.concurrencyPolicy "Forbid" }} + if [ -e /run/r10k.cronjob.pid ] && pgrep $( /run/r10k.cronjob.pid + + # extra_args="{{ .Values.r10k.hiera.extraArgs }}" # parsing yaml-maps to bash? + /docker-entrypoint.sh deploy environment --config /etc/puppetlabs/puppet/r10k.yaml --puppetfile + + echo $? + + rm /run/r10k.cronjob.pid + + {{- if .Values.r10k.hiera.cronJob.restartPolicy }} + {{- if eq .Values.r10k.hiera.cronJob.restartPolicy "OnFailure" }} + if (( $? != 0 )); then + /bin/sh -c /r10k.cronjob.sh + fi + {{- else if eq .Values.r10k.hiera.cronJob.restartPolicy "Never" }} + # Never restart? No, this is a cron sidecar, we want this to run forever + {{- else if eq .Values.r10k.hiera.cronJob.restartPolicy "Always" }} + # Always restart? Yes, this is a cron sidecar, we want this to run forever + {{- end }} {{- end }} - repositories: - - remote: '{{.Values.hiera.hieradataurl}}' + + r10k.entrypoint.sh: | + #!/bin/sh + + apk add --update busybox-suid + touch /tmp/script.log + + /usr/bin/crontab - <<'EOF' + {{ .Values.r10k.hiera.cronJob.schedule }} /bin/sh -c /opt/r10k.cronjob.sh >> /var/log/script.log + EOF + + crond + tail -f /tmp/script.log + {{- end }} 
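Review bot: In `r10k.cronjob.sh` the OnFailure branch tests `$?` only after `echo $?` and `rm /run/r10k.cronjob.pid` have run, so it sees the status of `rm`, never of the r10k deploy, and the retry it would launch points at `/r10k.cronjob.sh` while the deployment mounts the script at `/opt/r10k.cronjob.sh`. Capture the status right after the `/docker-entrypoint.sh deploy …` call with `rc=$?`, then `rm -f /run/r10k.cronjob.pid` and `if [ "$rc" -ne 0 ]; then /bin/sh /opt/r10k.cronjob.sh; fi`, which also replaces the bash-only `(( ))` test that the `#!/bin/sh` shebang (busybox ash in an Alpine image, presumably) may not accept. Note that the retry is an unbounded immediate re-run with the pid file already removed, so a repository that keeps failing can loop until the next cron tick starts another instance; a bounded retry or simply deferring to the next schedule is safer. The same three issues are present in the r10k-code script.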
diff --git a/k8s/templates/r10k-hiera.cronjob.yaml b/k8s/templates/r10k-hiera.cronjob.yaml
deleted file mode 100644
index f51f089f..00000000
--- a/k8s/templates/r10k-hiera.cronjob.yaml
+++ /dev/null
@@ -1,112 +0,0 @@ -{{- if .Values.hiera.hieradataurl }} -apiVersion: batch/v1beta1 -kind: CronJob -metadata: - name: {{ template "puppetserver.name" . }}-r10k-hiera-deploy - labels: - {{- include "puppetserver.r10k.labels" . | nindent 4 }} -spec: - selector: - matchLabels: - {{- include "puppetserver.r10k.matchLabels" . | nindent 6 }} -{{- with .Values.r10k.hiera.cronJob }} - schedule: "{{.schedule}}" -{{- if .concurrencyPolicy }} - concurrencyPolicy: {{ .concurrencyPolicy }} -{{- end }} -{{- if .startingDeadlineSeconds }} - startingDeadlineSeconds: {{ .startingDeadlineSeconds }} -{{- end }} -{{- end }} - jobTemplate: - spec: - template: - metadata: - labels: - {{- include "puppetserver.r10k.labels" . | nindent 12 }} - {{- if .Values.podAnnotations }} - annotations: - {{- toYaml .Values.podAnnotations | nindent 12 }} - {{- end }} - spec: - containers: - - name: r10k-hiera - image: "{{.Values.r10k.image}}:{{.Values.r10k.tag}}" - imagePullPolicy: "{{.Values.r10k.pullPolicy}}" - resources: - {{- toYaml .Values.r10k.hiera.resources | nindent 16 }} - env: - {{- range $key, $value := .Values.r10k.hiera.extraEnv }} - - name: {{ $key }} - value: {{ $value }} - {{- end }} - args: - - deploy - - environment - - --config - - /etc/puppetlabs/puppet/r10k.yaml - - --puppetfile - {{- range $key, $value := .Values.r10k.hiera.extraArgs }} - - {{ $value }} - {{- end }} - volumeMounts: - {{- with .Values.r10k.hiera.viaSsh.credentials }} - {{- if or (.existingSecret) (and (.ssh.value) (.known_hosts.value)) }} - - name: r10k-hiera-secret - mountPath: /home/puppet/.ssh - {{- end }} - {{- end }} - - name: r10k-volume - mountPath: /etc/puppetlabs/puppet/r10k.yaml - subPath: r10k.yaml - - name: puppet-code-storage - mountPath: /etc/puppetlabs/code/ - securityContext: - runAsUser: 999 # "puppet" UID - fsGroup: 999 # "puppet" GID - {{- with .Values.r10k.hiera.cronJob }} - {{- if .restartPolicy }} - restartPolicy: {{ .restartPolicy }} - {{- end }} - {{- if .activeDeadlineSeconds }} - 
activeDeadlineSeconds: {{ .activeDeadlineSeconds }} - {{- end }} - {{- end }} - volumes: - - name: puppet-code-storage - persistentVolumeClaim: - claimName: puppet-code-claim - - name: r10k-volume - configMap: - name: r10k-hiera-config - {{- if or (.Values.r10k.hiera.viaSsh.credentials.existingSecret) (and (.Values.r10k.hiera.viaSsh.credentials.ssh.value) (.Values.r10k.hiera.viaSsh.credentials.known_hosts.value)) }} - - name: r10k-hiera-secret - secret: - secretName: {{ template "r10k.hiera.secret" . }} - defaultMode: 288 # = mode 0440 - fsGroup: 999 # "puppet" GID - {{- end }} - {{- if (or (.Values.nodeSelector.allPods) (.Values.nodeSelector.commonStoragePods)) }} - nodeSelector: - {{- if (.Values.nodeSelector.allPods) }} - {{ toYaml .Values.nodeSelector.allPods | nindent 14 }} - {{- end }} - {{- if (.Values.nodeSelector.commonStoragePods) }} - {{ toYaml .Values.nodeSelector.commonStoragePods | nindent 14 }} - {{- end }} - {{- end }} - {{- if .Values.r10k.affinity }} - affinity: - {{ toYaml .Values.r10k.affinity | nindent 14 }} - {{- else if .Values.affinity }} - affinity: - {{ toYaml .Values.affinity | nindent 14 }} - {{- end }} - {{- if .Values.tolerations }} - tolerations: - {{ toYaml .Values.tolerations| nindent 14 }} - {{- end }} - {{- if and (.Capabilities.APIVersions.Has "scheduling.k8s.io/v1beta1") (.Values.priorityClassName) }} - priorityClassName: {{ .Values.priorityClassName }} - {{- end }} -{{- end }}