a8adb59995
Similar to DRY_RUN, these values should be overwritten in app-interface per namespace. At some point the maintenance specific to the CRC tenant (aws and gcp maintenance) should run in the workers namespace rather than the composer namespace. Granularity is needed for this.
467 lines
14 KiB
YAML
467 lines
14 KiB
YAML
apiVersion: v1
|
|
kind: Template
|
|
metadata:
|
|
name: composer
|
|
annotations:
|
|
openshift.io/display-name: Image-Builder composer service
|
|
description: Composer component of the image-builder serivce
|
|
tags: golang
|
|
iconClass: icon-shadowman
|
|
template.openshift.io/provider-display-name: Red Hat, Inc.
|
|
labels:
|
|
template: composer
|
|
objects:
|
|
- apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
labels:
|
|
service: image-builder
|
|
name: composer
|
|
spec:
|
|
replicas: 3
|
|
selector:
|
|
matchLabels:
|
|
app: composer
|
|
strategy:
|
|
# Update pods 1 at a time
|
|
type: RollingUpdate
|
|
rollingUpdate:
|
|
# Create at most 0 extra pod over .spec.replicas
|
|
maxSurge: 0
|
|
# At all times there should be .spec.replicas - 1 available
|
|
maxUnavailable: 1
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: composer
|
|
spec:
|
|
serviceAccountName: image-builder
|
|
containers:
|
|
- image: "${IMAGE_NAME}:${IMAGE_TAG}"
|
|
name: composer
|
|
livenessProbe:
|
|
failureThreshold: 3
|
|
exec:
|
|
command:
|
|
- cat
|
|
- /tmp/osbuild-composer-live
|
|
periodSeconds: 10
|
|
successThreshold: 1
|
|
timeoutSeconds: 1
|
|
readinessProbe:
|
|
failureThreshold: 3
|
|
httpGet:
|
|
path: ${READINESS_URI}
|
|
port: ${{COMPOSER_API_PORT}}
|
|
scheme: HTTP
|
|
periodSeconds: 10
|
|
successThreshold: 1
|
|
timeoutSeconds: 1
|
|
resources:
|
|
requests:
|
|
cpu: "${CPU_REQUEST}"
|
|
memory: "${MEMORY_REQUEST}"
|
|
limits:
|
|
cpu: "${CPU_LIMIT}"
|
|
memory: "${MEMORY_LIMIT}"
|
|
env:
|
|
- name: PGHOST
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: composer-db
|
|
key: db.host
|
|
- name: PGPORT
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: composer-db
|
|
key: db.port
|
|
- name: PGDATABASE
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: composer-db
|
|
key: db.name
|
|
- name: PGUSER
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: composer-db
|
|
key: db.user
|
|
- name: PGPASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: composer-db
|
|
key: db.password
|
|
- name: PGSSLMODE
|
|
value: "${PGSSLMODE}"
|
|
- name: PGMAXCONNS
|
|
value: "${PGMAXCONNS}"
|
|
- name: SYSLOG_SERVER
|
|
value: "localhost:5140"
|
|
ports:
|
|
- name: composer-api
|
|
protocol: TCP
|
|
containerPort: ${{COMPOSER_API_PORT}}
|
|
- name: worker-api
|
|
protocol: TCP
|
|
containerPort: ${{WORKER_API_PORT}}
|
|
volumeMounts:
|
|
- name: composer-config
|
|
mountPath: "${COMPOSER_CONFIG_DIR}"
|
|
readOnly: true
|
|
- name: state-directory
|
|
mountPath: "/var/lib/osbuild-composer"
|
|
- name: cache-directory
|
|
mountPath: "/var/cache/osbuild-composer"
|
|
- image: "quay.io/app-sre/fluentd-hec:1.2.13"
|
|
name: fluentd-sidecar
|
|
resources:
|
|
requests:
|
|
cpu: "${CPU_REQUEST}"
|
|
memory: "${MEMORY_REQUEST}"
|
|
limits:
|
|
cpu: "${CPU_REQUEST}"
|
|
memory: "${MEMORY_LIMIT}"
|
|
env:
|
|
- name: SPLUNK_HEC_TOKEN
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: splunk
|
|
key: token
|
|
optional: false
|
|
- name: SPLUNK_HEC_URL
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: splunk
|
|
key: url
|
|
optional: false
|
|
volumeMounts:
|
|
- name: fluentd-config
|
|
mountPath: /fluentd/etc
|
|
readOnly: true
|
|
volumes:
|
|
- name: composer-config
|
|
configMap:
|
|
name: composer-config
|
|
- name: db-secrets
|
|
secret:
|
|
secretName: db
|
|
- name: state-directory
|
|
emptyDir: {}
|
|
- name: cache-directory
|
|
emptyDir: {}
|
|
- name: fluentd-config
|
|
configMap:
|
|
name: fluentd-config
|
|
initContainers:
|
|
- name: composer-migrate
|
|
image: "${IMAGE_NAME}:${IMAGE_TAG}"
|
|
command: [ "/opt/migrate/tern", "migrate", "-m", "/opt/migrate/schemas" ]
|
|
env:
|
|
- name: PGHOST
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: composer-db
|
|
key: db.host
|
|
- name: PGPORT
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: composer-db
|
|
key: db.port
|
|
- name: PGDATABASE
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: composer-db
|
|
key: db.name
|
|
- name: PGUSER
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: composer-db
|
|
key: db.user
|
|
- name: PGPASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: composer-db
|
|
key: db.password
|
|
- name: PGSSLMODE
|
|
value: "${PGSSLMODE}"
|
|
|
|
- apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: image-builder
|
|
imagePullSecrets:
|
|
- name: quay.io
|
|
|
|
- apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: image-builder-composer
|
|
labels:
|
|
app: composer
|
|
port: composer-api
|
|
spec:
|
|
ports:
|
|
- name: composer-api
|
|
protocol: TCP
|
|
port: 80
|
|
targetPort: ${{COMPOSER_API_PORT}}
|
|
selector:
|
|
app: composer
|
|
|
|
- apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: image-builder-worker
|
|
labels:
|
|
app: composer
|
|
port: worker-api
|
|
spec:
|
|
ports:
|
|
- name: worker-api
|
|
protocol: TCP
|
|
port: 80
|
|
targetPort: ${{WORKER_API_PORT}}
|
|
selector:
|
|
app: composer
|
|
|
|
# This map should probably move to app-intf
|
|
- apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: composer-config
|
|
data:
|
|
acl.yml: |
|
|
- claim: rh-org-id
|
|
pattern: ^(${ACL_ORG_ID_TENANTS})$
|
|
- claim: account_id
|
|
pattern: ^(${ACL_ACCOUNT_ID_TENANTS})$
|
|
osbuild-composer.toml: |
|
|
log_level = "info"
|
|
[koji]
|
|
enable_tls = false
|
|
enable_mtls = false
|
|
enable_jwt = true
|
|
jwt_keys_urls = ["${RH_SSO_BASE_URL}/protocol/openid-connect/certs", "${MAS_SSO_BASE_URL}/protocol/openid-connect/certs"]
|
|
jwt_acl_file = "${COMPOSER_CONFIG_DIR}/acl.yml"
|
|
jwt_tenant_provider_fields = ["rh-org-id", "account_id"]
|
|
[koji.aws_config]
|
|
bucket = "${COMPOSER_CONFIG_BUCKET_NAME}"
|
|
[worker]
|
|
request_job_timeout = "20s"
|
|
base_path = "/api/image-builder-worker/v1"
|
|
enable_artifacts = false
|
|
enable_tls = false
|
|
enable_mtls = false
|
|
enable_jwt = true
|
|
jwt_keys_urls = ["${RH_SSO_BASE_URL}/protocol/openid-connect/certs", "${MAS_SSO_BASE_URL}/protocol/openid-connect/certs"]
|
|
jwt_acl_file = "${COMPOSER_CONFIG_DIR}/acl.yml"
|
|
jwt_tenant_provider_fields = ["rh-org-id", "account_id"]
|
|
- apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: fluentd-config
|
|
data:
|
|
fluent.conf: |
|
|
<source>
|
|
@type syslog
|
|
port 5140
|
|
bind 127.0.0.1
|
|
<transport tcp>
|
|
</transport>
|
|
tag osbuild-composer
|
|
<parse>
|
|
time_format %Y-%m-%dT%H:%M:%SZ
|
|
</parse>
|
|
</source>
|
|
|
|
<match **>
|
|
@type splunk_hec
|
|
hec_host "#{ENV['SPLUNK_HEC_URL']}"
|
|
hec_port 8088
|
|
hec_token "#{ENV['SPLUNK_HEC_TOKEN']}"
|
|
</match>
|
|
- apiVersion: batch/v1
|
|
kind: CronJob
|
|
metadata:
|
|
labels:
|
|
service: image-builder
|
|
name: composer-maintenance
|
|
spec:
|
|
# run maintenance job at midnight
|
|
schedule: 0 0 * * *
|
|
concurrencyPolicy: Forbid
|
|
jobTemplate:
|
|
spec:
|
|
template:
|
|
spec:
|
|
serviceAccountName: image-builder
|
|
restartPolicy: Never
|
|
containers:
|
|
- image: "${MAINTENANCE_IMAGE_NAME}:${IMAGE_TAG}"
|
|
name: composer-maintenance
|
|
resources:
|
|
requests:
|
|
cpu: "${CPU_REQUEST}"
|
|
memory: "${MEMORY_REQUEST}"
|
|
limits:
|
|
cpu: "${CPU_LIMIT}"
|
|
memory: "${MEMORY_LIMIT}"
|
|
env:
|
|
- name: GCP_AUTH_PROVIDER_X509_CERT_URL
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: gcp-service-account
|
|
key: auth_provider_x509_cert_url
|
|
- name: GCP_AUTH_URI
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: gcp-service-account
|
|
key: auth_uri
|
|
- name: GCP_CLIENT_EMAIL
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: gcp-service-account
|
|
key: client_email
|
|
- name: GCP_CLIENT_ID
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: gcp-service-account
|
|
key: client_id
|
|
- name: GCP_CLIENT_X509_CERT_URL
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: gcp-service-account
|
|
key: client_x509_cert_url
|
|
- name: GCP_PRIVATE_KEY
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: gcp-service-account
|
|
key: private_key
|
|
- name: GCP_PRIVATE_KEY_ID
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: gcp-service-account
|
|
key: private_key_id
|
|
- name: GCP_PROJECT_ID
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: gcp-service-account
|
|
key: project_id
|
|
- name: GCP_TOKEN_URI
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: gcp-service-account
|
|
key: token_uri
|
|
- name: GCP_TYPE
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: gcp-service-account
|
|
key: type
|
|
- name: AWS_ACCESS_KEY_ID
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: aws-account
|
|
key: access_key_id
|
|
- name: AWS_SECRET_ACCESS_KEY
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: aws-account
|
|
key: secret_access_key
|
|
- name: DRY_RUN
|
|
value: "${MAINTENANCE_DRY_RUN}"
|
|
- name: ENABLE_AWS_MAINTENANCE
|
|
value: "${ENABLE_AWS_MAINTENANCE}"
|
|
- name: ENABLE_GCP_MAINTENANCE
|
|
value: "${ENABLE_GCP_MAINTENANCE}"
|
|
- name: ENABLE_DB_MAINTENANCE
|
|
value: "${ENABLE_DB_MAINTENANCE}"
|
|
- name: MAX_CONCURRENT_REQUESTS
|
|
value: "${MAINTENANCE_MAX_CONCURRENT_REQUESTS}"
|
|
|
|
parameters:
|
|
- description: composer image name
|
|
name: IMAGE_NAME
|
|
value: quay.io/app-sre/composer
|
|
required: true
|
|
- description: composer image tag
|
|
name: IMAGE_TAG
|
|
required: true
|
|
- description: postgres sslmode to use when connecting to the db
|
|
name: PGSSLMODE
|
|
value: "require"
|
|
- description: postgres maximum connections per pod
|
|
name: PGMAXCONNS
|
|
value: "20"
|
|
- description: base sso url
|
|
name: RH_SSO_BASE_URL
|
|
required: true
|
|
value: "https://sso.redhat.com/auth/realms/redhat-external"
|
|
- description: base sso url
|
|
name: MAS_SSO_BASE_URL
|
|
required: true
|
|
value: "https://identity.api.openshift.com/auth/realms/rhoas"
|
|
- description: base sso url
|
|
name: COMPOSER_CONFIG_DIR
|
|
required: true
|
|
value: "/etc/osbuild-composer"
|
|
- description: Bucket to store aws artifacts
|
|
name: COMPOSER_CONFIG_BUCKET_NAME
|
|
required: true
|
|
value: "imagebuilder.service.staging"
|
|
- description: Allowed tenants based on org id
|
|
name: ACL_ORG_ID_TENANTS
|
|
value: "15842261|15877963|15885990"
|
|
- description: Allowed tenants based on account id
|
|
name: ACL_ACCOUNT_ID_TENANTS
|
|
value: "15842261"
|
|
- description: composer-api port
|
|
name: COMPOSER_API_PORT
|
|
required: true
|
|
value: "8080"
|
|
- description: worker-api port
|
|
name: WORKER_API_PORT
|
|
required: true
|
|
value: "8700"
|
|
- name: READINESS_URI
|
|
description: URI to query for the readiness check
|
|
value: "/api/image-builder-composer/v2/openapi"
|
|
- name: CPU_REQUEST
|
|
description: CPU request per container
|
|
value: "200m"
|
|
- name: CPU_LIMIT
|
|
description: CPU limit per container
|
|
value: "1"
|
|
- name: MEMORY_REQUEST
|
|
description: Memory request per container
|
|
value: "256Mi"
|
|
- name: MEMORY_LIMIT
|
|
description: Memory limit per container
|
|
value: "512Mi"
|
|
# maintenance image variables
|
|
- description: composer-maintenance image name
|
|
name: MAINTENANCE_IMAGE_NAME
|
|
value: quay.io/app-sre/composer-maintenance
|
|
required: true
|
|
- description: composer-maintenance dry run
|
|
name: MAINTENANCE_DRY_RUN
|
|
# don't change this value, overwrite it in app-interface for a specific namespace
|
|
value: "true"
|
|
required: true
|
|
- description: Enable AWS maintenance
|
|
name: ENABLE_AWS_MAINTENANCE
|
|
# don't change this value, overwrite it in app-interface for a specific namespace
|
|
value: "false"
|
|
required: true
|
|
- description: Enable GPC maintenance
|
|
name: ENABLE_GCP_MAINTENANCE
|
|
# don't change this value, overwrite it in app-interface for a specific namespace
|
|
value: "false"
|
|
required: true
|
|
- description: Enable DB maintenance
|
|
name: ENABLE_DB_MAINTENANCE
|
|
# don't change this value, overwrite it in app-interface for a specific namespace
|
|
value: "false"
|
|
required: true
|
|
- description: composer-maintenance max concurrent requests
|
|
name: MAINTENANCE_MAX_CONCURRENT_REQUESTS
|
|
value: "10"
|
|
required: true
|