Merge branch 'lagoon_v222' into bump-ssh-portal

uselagoon · Oct 21, 2024 · 0c57d15 · 0c57d15
2 parents 66c72c6 + b4b982d
commit 0c57d15
Show file tree

Hide file tree

Showing 23 changed files with 366 additions and 174 deletions.
diff --git a/.github/workflows/lint-test.yaml b/.github/workflows/lint-test.yaml
@@ -95,10 +95,10 @@ jobs:
         ct install --config ./default.ct.yaml --helm-extra-args "--timeout 30m"
       if: ${{ contains(github.event.pull_request.labels.*.name, 'next-release') }}
 
-    - name: Run chart-testing (upgrade changed next-release only)
-      run: |
-        ct install --upgrade --config ./default.ct.yaml --helm-extra-args "--timeout 30m"
-      if: ${{ contains(github.event.pull_request.labels.*.name, 'next-release') }}
+    # - name: Run chart-testing (upgrade changed next-release only)
+    #   run: |
+    #     ct install --upgrade --config ./default.ct.yaml --helm-extra-args "--timeout 30m"
+    #   if: ${{ contains(github.event.pull_request.labels.*.name, 'next-release') }}
 
     - name: Run chart-testing (install all charts when required)
       run: ct install --config ./default.ct.yaml  --helm-extra-args "--timeout 30m" --all

diff --git a/charts/lagoon-core/Chart.lock b/charts/lagoon-core/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: nats
   repository: https://nats-io.github.io/k8s/helm/charts/
-  version: 0.19.17
-digest: sha256:9c58fc4ddeec7b86f5ef2cf1996a48a7e09d9bd4aa149971e2525a6f05649bf8
-generated: "2023-07-28T09:49:46.220986689+08:00"
+  version: 1.2.5
+digest: sha256:9ef2d1dfe07187fbf9680ee525bced5d5a460349cd3b1fd06fc32b843481e238
+generated: "2024-10-18T11:48:49.486819359+11:00"
diff --git a/charts/lagoon-core/Chart.yaml b/charts/lagoon-core/Chart.yaml
@@ -31,7 +31,7 @@ appVersion: v2.21.0
 
 dependencies:
 - name: nats
-  version: ~0.19.0
+  version: ~1.2.0
   repository: https://nats-io.github.io/k8s/helm/charts/
   condition: nats.enabled
 
@@ -45,3 +45,5 @@ annotations:
       links:
         - name: lagoon-ssh-portal releases
           url: https://github.com/uselagoon/lagoon-ssh-portal/releases
+    - kind: changed
+      description: update NATS chart dependency to v1.2.x
diff --git a/charts/lagoon-core/ci/linter-values.yaml b/charts/lagoon-core/ci/linter-values.yaml
@@ -267,9 +267,10 @@ workflows:
 # enable nats cluster (and optionally natsbox debugger)
 nats:
   enabled: true
-  cluster:
-    name: lagoon-core-ci-example
-  # natsbox:
+  config:
+    cluster:
+      name: lagoon-core-ci-example
+  # natsBox:
   #   enabled: true
   #   # additional labels are required due to the network policy
   #   additionalLabels:
@@ -297,7 +298,7 @@ natsConfig:
         iYmI+nuDxvSE7s/u5hhmh+wCIQDXoxiQvQuokI06j6W1K5UgR6h9dUoKeTFQIqXp
         uKPLhg==
         -----END CERTIFICATE-----
-      server.crt: |
+      tls.crt: |
         -----BEGIN CERTIFICATE-----
         MIICGDCCAb6gAwIBAgIUJC6a9n2zJYl7nOZ2AutYhyjVmQswCgYIKoZIzj0EAwIw
         HjEcMBoGA1UEAxMTbmF0cy1jYS5leGFtcGxlLmNvbTAeFw0yNDA0MTUwNDA4MDBa
@@ -312,7 +313,7 @@ natsConfig:
         CaKsntUSiMDTZSYvEtLb+ZxOn71RnDYP4JUCIG6TZVFfMiYPZ0gGLMRMf666E3bB
         0U5vgRqQhghJPbpM
         -----END CERTIFICATE-----
-      server.key: |
+      tls.key: |
         -----BEGIN EC PRIVATE KEY-----
         MHcCAQEEIBqSIJXbR9H4WChftIW2QwJmGD+5QjlfwBCkspRBcsSHoAoGCCqGSM49
         AwEHoUQDQgAENf2wtlM9sSu330UXgZTkAOZBRkH2V6YZG7rB/7pTtO0yKQmIfr+l

diff --git a/charts/lagoon-core/templates/_helpers.tpl b/charts/lagoon-core/templates/_helpers.tpl
@@ -622,10 +622,11 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 
 
 {{/*
-Create a default fully qualified app name for the nats subchart.
+Create a definition that matches the fully qualified app name for the nats
+subchart.
 */}}
 {{- define "lagoon-core.nats.fullname" -}}
-{{- include "lagoon-core.fullname" . }}-nats
+{{- include "lagoon-core.fullname" . }}-{{ .Values.nats.nameOverride | default "nats" }}
 {{- end }}
 
 

diff --git a/charts/lagoon-core/templates/nats-concentrator.service.yaml b/charts/lagoon-core/templates/nats-concentrator.service.yaml
@@ -13,5 +13,5 @@ spec:
     protocol: TCP
     targetPort: 7422
   selector:
-    app.kubernetes.io/name: nats
+    app.kubernetes.io/name: {{ .Values.nats.nameOverride | default "nats" | quote }}
 {{- end }}
diff --git a/charts/lagoon-core/templates/nats.secret.yaml b/charts/lagoon-core/templates/nats.secret.yaml
@@ -30,7 +30,7 @@ metadata:
   labels:
     {{- include "lagoon-core.labels" . | nindent 4 }}
 stringData:
-  lagoon-core.conf: |
+  accounts.conf: |
     accounts: {
       lagoonRemote: {
         LAGOON_REMOTE = {
@@ -56,26 +56,16 @@ stringData:
       }
     }
     no_auth_user: "lagoon-core-local"
-    leafnodes: {
-      listen: "0.0.0.0:7422"
-      no_advertise: true
-      authorization: {
-        users: [
-        {{- range .Values.natsConfig.users.lagoonRemote }}
-          {
-            user: {{ .user | quote }}
-            password: {{ .password | quote }}
-            account: lagoonRemote
-          },
-        {{- end }}
-        ]
-      }
-      tls: {
-        {{- if .Values.natsConfig.tls.secretData }}
-        ca_file: "/etc/lagoon-core-nats-tls/ca.crt"
-        {{- end }}
-        cert_file: "/etc/lagoon-core-nats-tls/server.crt"
-        key_file: "/etc/lagoon-core-nats-tls/server.key"
-      }
+  leafnodesAuthorization.conf: |
+    authorization: {
+      users: [
+      {{- range .Values.natsConfig.users.lagoonRemote }}
+        {
+          user: {{ .user | quote }}
+          password: {{ .password | quote }}
+          account: lagoonRemote
+        },
+      {{- end }}
+      ]
     }
 {{- end }}
diff --git a/charts/lagoon-core/templates/ssh-portal-api.deployment.yaml b/charts/lagoon-core/templates/ssh-portal-api.deployment.yaml
@@ -25,7 +25,7 @@ spec:
         {{- toYaml . | nindent 8 }}
     {{- end }}
       labels:
-        {{ include "lagoon-core.fullname" . }}-nats-client: "true"
+        lagoon-core-nats-client: "true"
         {{- include "lagoon-core.sshPortalAPI.selectorLabels" . | nindent 8 }}
     spec:
       securityContext:
@@ -61,7 +61,7 @@ spec:
               name: {{ include "lagoon-core.keycloak.fullname" . }}
               key: KEYCLOAK_SERVICE_API_CLIENT_SECRET
         - name: NATS_URL
-          value: nats://{{ include "lagoon-core.fullname" . }}-nats
+          value: nats://{{ include "lagoon-core.nats.fullname" . }}
         - name: API_DB_ADDRESS
           value: {{ include "lagoon-core.apiDB.fullname" . }}
         - name: API_DB_PASSWORD

diff --git a/charts/lagoon-core/values.yaml b/charts/lagoon-core/values.yaml
@@ -815,37 +815,111 @@ workflows:
     targetCPUUtilizationPercentage: 80
     # targetMemoryUtilizationPercentage: 80
 
+# nats subchart is configured for use by lagoon-core
 nats:
   enabled: false
-  # inject additional config
-  additionalVolumes:
-  - name: lagoon-core-nats-tls
-    secret:
-      secretName: lagoon-core-nats-tls
-  additionalVolumeMounts:
-  - name: lagoon-core-nats-tls
-    mountPath: /etc/lagoon-core-nats-tls
-  nats:
-    config:
-    - name: lagoon-core
-      secret:
-        secretName: lagoon-core-nats-conf
-  cluster:
+  # nameOverride provides compatibility for upgrading nats chart versions.
+  # modifying or setting this in local values.yaml will completely recreate
+  # all the nats resources.
+  nameOverride: nats1
+  tlsCA:
     enabled: true
-    name: lagoon-core
-    # internal cluster IPs are not routable, so don't advertise them
-    noAdvertise: true
-  natsbox:
+    secretName: lagoon-core-nats-tls
+  # Uncomment this block to enable monitoring if you have Prometheus Operator
+  # installed.
+  # promExporter:
+  #   enabled: true
+  #   podMonitor:
+  #     enabled: true
+  #     # fromNamespaces restricts the namespaces from which monitoring can occur
+  #     # via the NetworkPolicy. At least one namespace name must be listed.
+  #     fromNamespaces:
+  #     - monitoring
+  natsBox:
     enabled: false
+  config:
+    cluster:
+      enabled: true
+      name: lagoon-core
+      # internal cluster IPs are not routable, so don't advertise them
+      noAdvertise: true
+    leafnodes:
+      enabled: true
+      tls:
+        enabled: true
+        secretName: lagoon-core-nats-tls
+        merge:
+          verify: true
+      merge:
+        00$include: ./lagoon-core/leafnodesAuthorization.conf
+    merge:
+      00$include: ./lagoon-core/accounts.conf
+  # Uncomment this block if upgrading from lagoon-core <v1.36.0.
+  # statefulSet:
+  #   patch:
+  #   - op: remove
+  #     path: /spec/selector/matchLabels/app.kubernetes.io~1component
+  podTemplate:
+    patch:
+    - op: add
+      path: /spec/volumes/-
+      value:
+        name: lagoon-core-nats-conf
+        secret:
+          secretName: lagoon-core-nats-conf
+  container:
+    patch:
+    - op: add
+      path: /volumeMounts/-
+      value:
+        name: lagoon-core-nats-conf
+        mountPath: /etc/nats-config/lagoon-core
   # to connect to nats, pods must have the right label
-  networkPolicy:
-    enabled: true
-    allowExternal: false
-    # allow inbound leaf connections
-    extraIngress:
-    - ports:
-      - port: 7422
-        protocol: TCP
+  extraResources:
+  - apiVersion: networking.k8s.io/v1
+    kind: NetworkPolicy
+    metadata:
+      name:
+        $tplYaml: >
+          {{ include "nats.fullname" $ | quote }}
+      labels:
+        $tplYaml: |
+          {{ include "nats.labels" $ }}
+    spec:
+      policyTypes:
+      - Ingress
+      podSelector:
+        matchLabels:
+          $tplYaml: |
+            {{- include "nats.selectorLabels" $ }}
+      ingress:
+      - from:
+        # pods in this namespace with the correct label can access NATS pods
+        - podSelector:
+            matchLabels:
+              lagoon-core-nats-client: "true"
+        # NATS inter-pod communication is allowed
+        - podSelector:
+            matchLabels:
+              $tplYaml: |
+                {{- include "nats.selectorLabels" $ }}
+      - ports:
+        # allow external inbound leaf node connections (these are authenticated)
+        - port: 7422
+          protocol: TCP
+      # conditionally allow metrics collection
+      - $tplYamlSpread: |
+          {{- if and .Values.promExporter.enabled .Values.promExporter.podMonitor.enabled }}
+          - from:
+            {{- range .Values.promExporter.podMonitor.fromNamespaces }}
+            - namespaceSelector:
+                matchLabels:
+                  kubernetes.io/metadata.name: {{ . | quote }}
+            {{- end }}
+            ports:
+            - port: 7777
+              protocol: TCP
+          {{- end }}
 
 natsService:
   # this service is enabled via nats.enabled
@@ -865,18 +939,22 @@ natsConfig:
     # If the lagoon-core-nats-tls secret should be created by the lagoon-core
     # chart, certificate values can be specified directly in secretData.
     # Configuring TLS this way also allows specifying a custom ca.crt.
+    # The chart expects expects secretData to be specified unless
+    # nats.tlsCA.enabled is set to false.
     #
     # secretData:
     #   ca.crt: |
     #     ...
-    #   server.crt: |
+    #   tls.crt: |
     #     ...
-    #   server.key: |
+    #   tls.key: |
     #     ...
     #
     # If the TLS secret is created outside the lagoon-core chart, it should be
     # named lagoon-core-nats-tls. This secret should contain fields tls.crt and
     # tls.key, and the certificate should be issued by a public authority.
+    # `nats.tlsCA.enabled: false` should be set in this case (it is true by
+    # default).
 
 sshPortalAPI:
   enabled: false

diff --git a/charts/lagoon-docker-host/Chart.yaml b/charts/lagoon-docker-host/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each
 # time you make changes to the chart and its templates, including the app
 # version.
-version: 0.3.1
+version: 0.4.0
 
 appVersion: v3.5.0
 
@@ -26,4 +26,4 @@ appVersion: v3.5.0
 annotations:
   artifacthub.io/changes: |
     - kind: changed
-      description: configure network policy for CI
+      description: changed docker-host to statefulset from deployment
diff --git a/charts/lagoon-docker-host/templates/docker-host.pvc.yaml b/charts/lagoon-docker-host/templates/docker-host.pvc.yaml
diff --git a/charts/lagoon-docker-host/templates/docker-host.service.yaml b/charts/lagoon-docker-host/templates/docker-host.service.yaml
@@ -13,3 +13,32 @@ spec:
       name: docker-daemon
   selector:
     {{- include "lagoon-docker-host.dockerHost.selectorLabels" . | nindent 4 }}
+  sessionAffinity: ClientIP
+  sessionAffinityConfig:
+    clientIP:
+      timeoutSeconds: 14400 # 4 hours
+{{- $name := include "lagoon-docker-host.dockerHost.fullname" . -}}
+{{- $labels := include "lagoon-docker-host.dockerHost.labels" .  -}}
+{{- $stype := .Values.service.type -}}
+{{- $sport := .Values.service.port -}}
+{{- $replicaCount := .Values.replicaCount | int -}}
+{{- range $index0 := until $replicaCount -}}
+{{- $index1 := $index0 | add1 }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: docker-host-{{ $index0 }}
+  labels:
+{{ $labels | indent 4 }}
+spec:
+  type: {{ $stype }}
+  ports:
+    - port: {{ $sport }}
+      targetPort: docker-daemon
+      protocol: TCP
+      name: docker-daemon
+  sessionAffinity: ClientIP
+  selector:
+    statefulset.kubernetes.io/pod-name: {{ $name }}-{{ $index0 }}
+{{- end }}