salt, build: automate catalogd install

scality · Dec 12, 2024 · e495890 · e495890
1 parent c16ea0f
commit e495890
Show file tree

Hide file tree

Showing 11 changed files with 926 additions and 0 deletions.
diff --git a/buildchain/buildchain/constants.py b/buildchain/buildchain/constants.py
@@ -32,6 +32,15 @@
 PROMETHEUS_REPOSITORY: str = "quay.io/prometheus"
 THANOS_REPOSITORY: str = "quay.io/thanos"
 CERT_MANAGER_REPOSITORY: str = "quay.io/jetstack"
+OPERATOR_FRAMEWORK_REPOSITORYT: str = "quay.io/operator-framework"
+# this repository will disappear in early 2025,
+# for now it is used by OLMv1 but most likely they will
+# stop using it after they upgrade their version of `kubebuilder`
+# cf. https://github.com/kubernetes-sigs/kubebuilder/discussions/3907
+# cf. https://github.com/operator-framework/catalogd/pull/460
+# therefore if you see this comment later in 2025,
+# you may not be able to build this. sorry.
+KUBE_BUILDER_REPOSITORY: str = "gcr.io/kubebuilder"
 
 # Paths {{{
 

diff --git a/buildchain/buildchain/image.py b/buildchain/buildchain/image.py
@@ -217,6 +217,12 @@ def _local_image(name: str, **kwargs: Any) -> targets.LocalImage:
         "cert-manager-cainjector",
         "cert-manager-acmesolver",
     ],
+    constants.OPERATOR_FRAMEWORK_REPOSITORYT: [
+        "catalogd",
+    ],
+    constants.KUBE_BUILDER_REPOSITORY: [
+        "kube-rbac-proxy",
+    ],
 }
 
 REMOTE_NAMES: Dict[str, str] = {

diff --git a/buildchain/buildchain/salt_tree.py b/buildchain/buildchain/salt_tree.py
@@ -344,6 +344,12 @@ def task(self) -> types.TaskDict:
         file_dep=[METALK8S_OPERATOR_MANIFESTS],
     ),
     Path("salt/metalk8s/addons/metalk8s-operator/deployed/init.sls"),
+    Path("salt/metalk8s/addons/olm/catalogd/deployed/catalogd.sls"),
+    Path("salt/metalk8s/addons/olm/catalogd/deployed/cert.sls"),
+    Path("salt/metalk8s/addons/olm/catalogd/deployed/crds.sls"),
+    Path("salt/metalk8s/addons/olm/catalogd/deployed/init.sls"),
+    Path("salt/metalk8s/addons/olm/catalogd/deployed/rbac.sls"),
+    Path("salt/metalk8s/addons/olm/catalogd/deployed/webhook.sls"),
     Path("salt/metalk8s/addons/prometheus-adapter/deployed/chart.sls"),
     Path("salt/metalk8s/addons/prometheus-adapter/deployed/init.sls"),
     Path("salt/metalk8s/addons/prometheus-operator/macros.j2"),

diff --git a/buildchain/buildchain/versions.py b/buildchain/buildchain/versions.py
@@ -32,6 +32,8 @@
 CONTAINERD_RELEASE: str = "1"
 SOSREPORT_RELEASE: str = "2"
 
+OLM_VERSION: str = "1.0.0"
+
 
 def load_version_information() -> None:
     """Load version information from `VERSION`."""
@@ -225,6 +227,16 @@ def _version_prefix(version: str, prefix: str = "v") -> str:
         version="v0.36.1",
         digest="sha256:e542959e1b36d5046083d1b64a7049c356b68a44a173c58b3ae7c0c9ada932d5",
     ),
+    Image(
+        name="catalogd",
+        version=_version_prefix(OLM_VERSION),
+        digest="sha256:f74153f1e83cf3066f6ba1179fa09466e6b1defcbaf628c42c02aca500acd73d",
+    ),
+    Image(
+        name="kube-rbac-proxy",
+        version="v0.15.0",
+        digest="sha256:d8cc6ffb98190e8dd403bfe67ddcb454e6127d32b87acc237b3e5240f70a20fb",
+    ),
     # Local images
     Image(
         name="metalk8s-alert-logger",

diff --git a/salt/metalk8s/addons/olm/catalogd/deployed/catalogd.sls b/salt/metalk8s/addons/olm/catalogd/deployed/catalogd.sls
@@ -0,0 +1,160 @@
+#!jinja | metalk8s_kubernetes
+{%- from "metalk8s/repo/macro.sls" import build_image_name with context %}
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: catalogd
+    app.kubernetes.io/part-of: olm
+  name: catalogd-service
+  namespace: olmv1-system
+spec:
+  ports:
+  - name: https
+    port: 443
+    protocol: TCP
+    targetPort: 8443
+  - name: webhook
+    port: 9443
+    protocol: TCP
+    targetPort: 9443
+  - name: metrics
+    port: 7443
+    protocol: TCP
+    targetPort: 7443
+  selector:
+    control-plane: catalogd-controller-manager
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  annotations:
+    kubectl.kubernetes.io/default-logs-container: manager
+  labels:
+    control-plane: catalogd-controller-manager
+  name: catalogd-controller-manager
+  namespace: olmv1-system
+spec:
+  minReadySeconds: 5
+  replicas: 1
+  selector:
+    matchLabels:
+      control-plane: catalogd-controller-manager
+  template:
+    metadata:
+      annotations:
+        kubectl.kubernetes.io/default-container: manager
+      labels:
+        control-plane: catalogd-controller-manager
+    spec:
+      nodeSelector:
+        kubernetes.io/os: linux
+        node-role.kubernetes.io/infra: ""
+      tolerations:
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/bootstrap
+          operator: Exists
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/infra
+          operator: Exists
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: kubernetes.io/arch
+                operator: In
+                values:
+                - amd64
+                - arm64
+                - ppc64le
+                - s390x
+              - key: kubernetes.io/os
+                operator: In
+                values:
+                - linux
+      containers:
+      - args:
+        - --secure-listen-address=0.0.0.0:7443
+        - --http2-disable
+        - --upstream=http://127.0.0.1:8080/
+        - --logtostderr=true
+        image: {{ build_image_name("kube-rbac-proxy") }}
+        name: kube-rbac-proxy
+        ports:
+        - containerPort: 7443
+          name: https
+          protocol: TCP
+        resources:
+          requests:
+            cpu: 5m
+            memory: 64Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+        terminationMessagePolicy: FallbackToLogsOnError
+      - args:
+        - --leader-elect
+        - --metrics-bind-address=127.0.0.1:8080
+        - --external-address=catalogd-service.olmv1-system.svc
+        - --tls-cert=/var/certs/tls.crt
+        - --tls-key=/var/certs/tls.key
+        - --ca-certs-dir=/var/ca-certs
+        command:
+        - ./manager
+        image: {{ build_image_name("catalogd") }}
+        imagePullPolicy: IfNotPresent
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 8081
+          initialDelaySeconds: 15
+          periodSeconds: 20
+        name: manager
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: 8081
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        resources:
+          requests:
+            cpu: 100m
+            memory: 200Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+        terminationMessagePolicy: FallbackToLogsOnError
+        volumeMounts:
+        - mountPath: /var/cache/
+          name: cache
+        - mountPath: /var/certs
+          name: catalogserver-certs
+        - mountPath: /var/ca-certs/
+          name: olmv1-certificate
+          readOnly: true
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
+      serviceAccountName: catalogd-controller-manager
+      terminationGracePeriodSeconds: 10
+      volumes:
+      - emptyDir: {}
+        name: cache
+      - name: catalogserver-certs
+        secret:
+          secretName: catalogd-service-cert-v1.0.0
+      - name: olmv1-certificate
+        secret:
+          items:
+          - key: ca.crt
+            path: olm-ca.crt
+          optional: false
+          secretName: catalogd-service-cert-v1.0.0
diff --git a/salt/metalk8s/addons/olm/catalogd/deployed/cert.sls b/salt/metalk8s/addons/olm/catalogd/deployed/cert.sls
@@ -0,0 +1,54 @@
+#!jinja | metalk8s_kubernetes
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: olmv1-ca
+  namespace: metalk8s-certs
+spec:
+  commonName: olmv1-ca
+  isCA: true
+  issuerRef:
+    group: cert-manager.io
+    kind: Issuer
+    name: self-sign-issuer
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  secretName: olmv1-ca
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: catalogd-catalogserver-cert
+  namespace: olmv1-system
+spec:
+  dnsNames:
+  - localhost
+  - catalogd-catalogserver.olmv1-system.svc
+  - catalogd-catalogserver.olmv1-system.svc.cluster.local
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: olmv1-ca
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  secretName: catalogd-catalogserver-cert
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: olmv1-ca
+spec:
+  ca:
+    secretName: olmv1-ca
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: self-sign-issuer
+  namespace: metalk8s-certs
+spec:
+  selfSigned: {}