Enrichment process templates and values (#14)

* add enrichment manifests

Author: ilia-medvedev-codefresh

charts/gitops-runtime/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: v0.0.1
 description: A Helm chart for Codefresh gitops runtime
 name: gitops-runtime
-version: 0.2.0-alpha-6
+version: 0.2.0-alpha-7
 home: https://github.com/codefresh-io/gitops-runtime-helm
 keywords:
   - codefresh

charts/gitops-runtime/README.md

@@ -1,6 +1,6 @@
 # gitops-runtime
 
-![Version: 0.2.0-alpha-6](https://img.shields.io/badge/Version-0.2.0--alpha--6-informational?style=flat-square) ![AppVersion: v0.0.1](https://img.shields.io/badge/AppVersion-v0.0.1-informational?style=flat-square)
+![Version: 0.2.0-alpha-7](https://img.shields.io/badge/Version-0.2.0--alpha--7-informational?style=flat-square) ![AppVersion: v0.0.1](https://img.shields.io/badge/AppVersion-v0.0.1-informational?style=flat-square)
 
 A Helm chart for Codefresh gitops runtime
 
@@ -33,6 +33,19 @@ A Helm chart for Codefresh gitops runtime
 | app-proxy.config.env | string | `"production"` |  |
 | app-proxy.env | object | `{}` |  |
 | app-proxy.fullnameOverride | string | `"cap-app-proxy"` |  |
+| app-proxy.image-enrichment | object | `{"config":{"clientHeartbeatIntervalInSeconds":5,"concurrencyCmKey":"imageReportExecutor","concurrencyCmName":"workflow-synchronization-semaphores","podGcStrategy":"OnWorkflowCompletion","ttlActiveInSeconds":900,"ttlAfterCompletionInSeconds":86400},"enabled":true,"serviceAccount":{"annotations":null,"create":true,"name":"codefresh-image-enrichment-sa"}}` | Image enrichment process configuration |
+| app-proxy.image-enrichment.config | object | `{"clientHeartbeatIntervalInSeconds":5,"concurrencyCmKey":"imageReportExecutor","concurrencyCmName":"workflow-synchronization-semaphores","podGcStrategy":"OnWorkflowCompletion","ttlActiveInSeconds":900,"ttlAfterCompletionInSeconds":86400}` | Configurations for image enrichment workflow |
+| app-proxy.image-enrichment.config.clientHeartbeatIntervalInSeconds | int | `5` | Client heartbeat interval in seconds for image enrichemnt workflow |
+| app-proxy.image-enrichment.config.concurrencyCmKey | string | `"imageReportExecutor"` | The name of the key in the configmap to use as synchronization semaphore |
+| app-proxy.image-enrichment.config.concurrencyCmName | string | `"workflow-synchronization-semaphores"` | The name of the configmap to use as synchronization semaphore, see https://argoproj.github.io/argo-workflows/synchronization/ |
+| app-proxy.image-enrichment.config.podGcStrategy | string | `"OnWorkflowCompletion"` | Pod grabage collection strategy. By default all pods will be deleted when the enrichment workflow completes. |
+| app-proxy.image-enrichment.config.ttlActiveInSeconds | int | `900` | Maximum allowed runtime for the enrichment workflow |
+| app-proxy.image-enrichment.config.ttlAfterCompletionInSeconds | int | `86400` | Number of seconds to live after completion |
+| app-proxy.image-enrichment.enabled | bool | `true` | Enable or disable enrichment process. Please note that for enrichemnt, argo-workflows has to be enabled as well. |
+| app-proxy.image-enrichment.serviceAccount | object | `{"annotations":null,"create":true,"name":"codefresh-image-enrichment-sa"}` | Service account that will be used for enrichemnt process |
+| app-proxy.image-enrichment.serviceAccount.annotations | string | `nil` | Annotations on the service account |
+| app-proxy.image-enrichment.serviceAccount.create | bool | `true` | Whether to create the service account or use an existing one |
+| app-proxy.image-enrichment.serviceAccount.name | string | `"codefresh-image-enrichment-sa"` | Name of the service account to create or the name of the existing one to use |
 | app-proxy.image.pullPolicy | string | `"IfNotPresent"` |  |
 | app-proxy.image.repository | string | `"quay.io/codefresh/cap-app-proxy"` |  |
 | app-proxy.image.tag | string | `"1.2142.0"` |  |

charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml

@@ -10,5 +10,16 @@ data:
   argoCdUsername: {{ .Values.config.argoCdUsername }}
   argoWorkflowsInsecure: {{ .Values.config.argoWorkflowsInsecure | quote }}
   env: {{ .Values.config.env }}
+  argoWorkflowsUrl: {{ default "" .Values.config.argoWorkflowsUrl }}
   runtimeName: {{ .Values.global.runtime.name }}
+  {{- $enrichmentValues := get .Values "image-enrichment" }}
+  {{- if $enrichmentValues.enabled }}
+  enrichmentConcurrencyCmName: {{ $enrichmentValues.config.concurrencyCmName }}
+  enrichmentConcurrencyCmKey: {{ $enrichmentValues.config.concurrencyCmKey }}
+  enrichmentServiceAccountName: {{ $enrichmentValues.serviceAccount.name }}
+  enrichmentPodGcStrategy: {{ $enrichmentValues.config.podGcStrategy }}
+  enrichmentTtlAfterCompletionInSeconds: {{ $enrichmentValues.config.ttlAfterCompletionInSeconds }}
+  enrichmentTtlActiveInSeconds: {{ $enrichmentValues.config.ttlActiveInSeconds }}
+  enrichmentClientHeartbeatIntervalInSeconds: {{ $enrichmentValues.config.clientHeartbeatIntervalInSeconds }}
+  {{- end }}
 {{- end }}

charts/gitops-runtime/templates/_components/cap-app-proxy/enrichment/_enrichment-rb.yaml

@@ -0,0 +1,16 @@
+{{- define "cap-app-proxy.image-enrichment.resources.role-binding" }}
+ {{- $enrichmentValues := get .Values "image-enrichment" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "cap-app-proxy.fullname" . }}-enrichment
+  labels:
+    {{- include "cap-app-proxy.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: ""
+  kind: Role
+  name: {{ include "cap-app-proxy.fullname" . }}-enrichment
+subjects:
+  - kind: ServiceAccount
+    name: {{ $enrichmentValues.serviceAccount.name }}
+{{- end }}

charts/gitops-runtime/templates/_components/cap-app-proxy/enrichment/_enrichment-role.yaml

@@ -0,0 +1,15 @@
+{{- define "cap-app-proxy.image-enrichment.resources.role" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "cap-app-proxy.fullname" . }}-enrichment
+  labels:
+    {{- include "cap-app-proxy.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - "*"
+    resources:
+      - "*"
+    verbs:
+      - "*"
+{{- end }}

charts/gitops-runtime/templates/_components/cap-app-proxy/enrichment/_enrichment-sa.yaml

@@ -0,0 +1,15 @@
+ {{- define "cap-app-proxy.image-enrichment.resources.sa" }}
+  {{- $enrichmentValues := get .Values "image-enrichment" }}
+  {{- if $enrichmentValues.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $enrichmentValues.serviceAccount.name }}
+  labels:
+    {{- include "cap-app-proxy.labels" . | nindent 4 }}
+    {{- with $enrichmentValues.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- end }}
+{{- end }}

charts/gitops-runtime/templates/_components/cap-app-proxy/environment-variables/_main-container.yaml

@@ -103,6 +103,48 @@ STRIP_PREFIX:
       name: cap-app-proxy-cm
       key: stripPrefix
       optional: true
+IRW_SERVICE_ACCOUNT:
+  valueFrom:
+    configMapKeyRef:
+      name: cap-app-proxy-cm
+      key: enrichmentServiceAccountName
+      optional: true
+IRW_CONCURRENCY_CM_NAME:
+  valueFrom:
+    configMapKeyRef:
+      name: cap-app-proxy-cm
+      key: enrichmentConcurrencyCmName
+      optional: true
+IRW_CONCURRENCY_CM_KEY:
+  valueFrom:
+    configMapKeyRef:
+      name: cap-app-proxy-cm
+      key: enrichmentConcurrencyCmKey
+      optional: true
+IRW_POD_GC_STRATEGY:
+  valueFrom:
+    configMapKeyRef:
+      name: cap-app-proxy-cm
+      key: enrichmentPodGcStrategy
+      optional: true
+IRW_TTL_AFTER_COMPLETION_IN_SECONDS:
+  valueFrom:
+    configMapKeyRef:
+      name: cap-app-proxy-cm
+      key: enrichmentTtlAfterCompletionInSeconds
+      optional: true
+IRW_TTL_ACTIVE_IN_SECONDS:
+  valueFrom:
+    configMapKeyRef:
+      name: cap-app-proxy-cm
+      key: enrichmentTtlActiveInSeconds
+      optional: true
+IRW_HEARTBEAT_INTERVAL_IN_SECONDS:
+  valueFrom:
+    configMapKeyRef:
+      name: cap-app-proxy-cm
+      key: enrichmentClientHeartbeatIntervalInSeconds
+      optional: true
 NODE_EXTRA_CA_CERTS: /app/config/all/all.cer
 {{- end -}}
 

charts/gitops-runtime/templates/_helpers.tpl

@@ -136,8 +136,12 @@ Determine argo worklofws server name
 Determine argo workflows server url. Must be called with chart root context
 */}}
 {{- define "codefresh-gitops-runtime.argo-workflows.server.url" -}}
+{{- $protocol := "http" }}
+{{- if index (get .Values "argo-workflows") "server" "secure" }}
+{{- $protocol = "https" }}
+{{- end -}}
 {{/* For now use template from Argo workflows chart until better approach */}}
-{{- printf "https://%s:2746" (include "codefresh-gitops-runtime.argo-workflows.server.name" .) }}
+{{- printf "%s://%s:2746" $protocol (include "codefresh-gitops-runtime.argo-workflows.server.name" .) }}
 {{- end }}
 
 {{/*

charts/gitops-runtime/templates/app-proxy/config.yaml

@@ -4,4 +4,8 @@
 {{ $_ := set $appProxyContext "Values" (get .Values "app-proxy") }}
 {{ $_ := set $appProxyContext.Values "global" (get .Values "global") }}
 {{ $_ := set $appProxyContext.Values.config "argoCdUrl" $argoCdUrl }}
+{{- if index (get .Values "argo-workflows") "enabled" }}
+  {{- $argoWorkflowsUrl := include "codefresh-gitops-runtime.argo-workflows.server.url" . }}
+  {{- $_ := set $appProxyContext.Values.config "argoWorkflowsUrl" $argoWorkflowsUrl }}
+{{- end}}
 {{- include "cap-app-proxy.resources.configmap" $appProxyContext }}

charts/gitops-runtime/templates/app-proxy/enrichment/enforce-workflows-enabled.yaml

@@ -0,0 +1,3 @@
+{{- if and (index (get .Values "app-proxy") "image-enrichment" "enabled") (not (index (get .Values "argo-workflows") "enabled")) }}
+  {{- fail "ERROR: app-proxy.image-enrichment is enabled but argo-workflows is disabled. This is not suppurted. Either disable erichment or enable workflows"}}
+{{- end }}

charts/gitops-runtime/templates/app-proxy/enrichment/rbac.yaml

@@ -0,0 +1,8 @@
+{{- $appProxyContext := deepCopy . }}
+{{- $_ := set $appProxyContext "Values" (get .Values "app-proxy") }}
+{{- $_ := set $appProxyContext.Values "global" (get .Values "global") }}
+{{- if (index  (get $appProxyContext "Values") "image-enrichment" "enabled") }}
+{{- include "cap-app-proxy.image-enrichment.resources.role" $appProxyContext }}
+---
+{{- include "cap-app-proxy.image-enrichment.resources.role-binding" $appProxyContext }}
+{{- end }}

charts/gitops-runtime/templates/app-proxy/enrichment/sa.yaml

@@ -0,0 +1,6 @@
+{{- $appProxyContext := deepCopy . }}
+{{- $_ := set $appProxyContext "Values" (get .Values "app-proxy") }}
+{{- $_ := set $appProxyContext.Values "global" (get .Values "global") }}
+{{- if (index  (get $appProxyContext "Values") "image-enrichment" "enabled") }}
+{{- include "cap-app-proxy.image-enrichment.resources.sa" $appProxyContext }}
+{{- end }}

charts/gitops-runtime/tests/app-proxy-image-enrichemnt_test.yaml

@@ -0,0 +1,158 @@
+suite: Test integration of outputs from Argo Project templates with components that use them in the runtime chart
+templates:
+  - app-proxy/deployment.yaml
+  - app-proxy/config.yaml
+  - app-proxy/enrichment/sa.yaml
+  - app-proxy/enrichment/rbac.yaml
+  - app-proxy/enrichment/enforce-workflows-enabled.yaml
+tests:
+- it: Fail template if enrichment is enabled and workflows disabled
+  template: 'app-proxy/enrichment/enforce-workflows-enabled.yaml'
+  values:
+  - ./values/mandatory-values.yaml
+  set:
+    argo-workflows.enabled: false
+    app-proxy.image-enrichment.enabled: true
+  asserts:
+  - failedTemplate:
+      errorMessage: 'app-proxy.image-enrichment is enabled but argo-workflows is disabled. This is not suppurted. Either disable erichment or enable workflows'
+
+- it: Set correct values in app-proxy configmap
+  template: 'app-proxy/config.yaml'
+  values:
+  - ./values/mandatory-values.yaml
+  set:
+    app-proxy.image-enrichment.enabled: true
+    app-proxy.image-enrichment.config.concurrencyCmName: test
+    app-proxy.image-enrichment.config.concurrencyCmKey: test
+    app-proxy.image-enrichment.config.podGcStrategy: test
+    app-proxy.image-enrichment.config.ttlAfterCompletionInSeconds: 1
+    app-proxy.image-enrichment.config.ttlActiveInSeconds: 1
+    app-proxy.image-enrichment.config.clientHeartbeatIntervalInSeconds: 1
+    app-proxy.image-enrichment.serviceAccount.name: test
+  asserts:
+  - equal:
+      path: data.enrichmentConcurrencyCmName
+      value: test
+  - equal:
+      path: data.enrichmentConcurrencyCmKey
+      value: test
+  - equal:
+      path: data.enrichmentPodGcStrategy
+      value: test
+  - equal:
+      path: data.enrichmentTtlAfterCompletionInSeconds
+      value: 1
+  - equal:
+      path: data.enrichmentTtlActiveInSeconds
+      value: 1
+  - equal: 
+      path: data.enrichmentClientHeartbeatIntervalInSeconds
+      value: 1
+  - equal: 
+      path: data.enrichmentServiceAccountName
+      value: test
+
+- it: app proxy environment variables set for enrichemnt and match the values in the configmap
+  template: 'app-proxy/deployment.yaml'
+  values:
+  - ./values/mandatory-values.yaml
+  set:
+    app-proxy.image-enrichment.enabled: true
+  asserts:
+  - contains:
+      path: spec.template.spec.containers[0].env
+      content:
+        name: IRW_CONCURRENCY_CM_NAME
+        valueFrom:
+          configMapKeyRef:
+            name: cap-app-proxy-cm
+            key: enrichmentConcurrencyCmName
+            optional: true
+  - contains:
+      path: spec.template.spec.containers[0].env
+      content:
+        name: IRW_CONCURRENCY_CM_KEY
+        valueFrom:
+          configMapKeyRef:
+            name: cap-app-proxy-cm
+            key: enrichmentConcurrencyCmKey
+            optional: true
+  - contains:
+      path: spec.template.spec.containers[0].env
+      content:
+        name: IRW_POD_GC_STRATEGY
+        valueFrom:
+          configMapKeyRef:
+            name: cap-app-proxy-cm
+            key: enrichmentPodGcStrategy
+            optional: true
+  - contains:
+      path: spec.template.spec.containers[0].env
+      content:
+        name: IRW_TTL_AFTER_COMPLETION_IN_SECONDS
+        valueFrom:
+          configMapKeyRef:
+            name: cap-app-proxy-cm
+            key: enrichmentTtlAfterCompletionInSeconds
+            optional: true
+  - contains:
+      path: spec.template.spec.containers[0].env
+      content:
+        name: IRW_TTL_ACTIVE_IN_SECONDS
+        valueFrom:
+          configMapKeyRef:
+            name: cap-app-proxy-cm
+            key: enrichmentTtlActiveInSeconds
+            optional: true
+  - contains:
+      path: spec.template.spec.containers[0].env
+      content:
+        name: IRW_HEARTBEAT_INTERVAL_IN_SECONDS
+        valueFrom:
+          configMapKeyRef:
+            name: cap-app-proxy-cm
+            key: enrichmentClientHeartbeatIntervalInSeconds
+            optional: true
+  - contains:
+      path: spec.template.spec.containers[0].env
+      content:
+        name: IRW_SERVICE_ACCOUNT
+        valueFrom:
+          configMapKeyRef:
+            name: cap-app-proxy-cm
+            key: enrichmentServiceAccountName
+            optional: true
+
+- it: Verify correct name of serviceAccount
+  template: 'app-proxy/enrichment/sa.yaml'
+  values:
+  - ./values/mandatory-values.yaml
+  set:
+    app-proxy.image-enrichment.serviceAccount.name: test
+  asserts:
+    - equal:
+        path: metadata.name
+        value: test
+
+- it: Correct serviceaccount is set in role binding
+  template: 'app-proxy/enrichment/rbac.yaml'
+  documentIndex: 1
+  values:
+  - ./values/mandatory-values.yaml
+  set:
+    app-proxy.image-enrichment.serviceAccount.name: test
+  asserts:
+  - contains:
+      path: subjects
+      content:
+        kind: ServiceAccount
+        name: test
+  - equal:
+      path: roleRef.name
+      value: cap-app-proxy-enrichment
+        
+  
+
+
+