Add image puller to pull images before installing or upgrading the he…

…lm chart (#80)

*Motivation*

Make sure the images are ready before upgrading the helm chart

charts/pulsar/templates/image-puller/_daemonset-helper.yaml

@@ -0,0 +1,153 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+{{- /*
+Returns an image-puller daemonset. Two daemonsets will be created like this.
+- hook-image-puller: for pre helm upgrade image pulling (lives temporarily)
+- continuous-image-puller: for newly added nodes image pulling
+*/}}
+{{- define "pulsar.imagePuller.daemonset" -}}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ template "pulsar.fullname" . }}-{{ print .componentPrefix "image-puller" }}
+  namespace: {{ .Values.namespace }}
+  labels:
+    {{- include "pulsar.standardLabels" . | nindent 4 }}
+  {{- if .hook }}
+  annotations:
+    {{- /*
+    Allows the daemonset to be deleted when the image-awaiter job is completed.
+    */}}
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    "helm.sh/hook-weight": "-10"
+  {{- end }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "pulsar.matchLabels" . | nindent 6 }}
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 100%
+  template:
+    metadata:
+      labels:
+        {{- /* Changes here will cause the DaemonSet to restart the pods. */}}
+        {{- include "pulsar.template.labels" . | nindent 8 }}
+    spec:
+      initContainers:
+        {{- with .Values.images }}
+        - name: image-pull-zookeeper
+          image: {{ .zookeeper.repository }}:{{ .zookeeper.tag }}
+          imagePullPolicy: {{ .zookeeper.pullPolicy }}
+          command:
+            - /bin/sh
+            - -c
+            - echo "Pulling complete"
+        - name: image-pull-bookie
+          image: {{ .bookie.repository }}:{{ .bookie.tag }}
+          imagePullPolicy: {{ .bookie.pullPolicy }}
+          command:
+            - /bin/sh
+            - -c
+            - echo "Pulling complete"
+        - name: image-pull-presto
+          image: {{ .presto.repository }}:{{ .presto.tag }}
+          imagePullPolicy: {{ .presto.pullPolicy }}
+          command:
+            - /bin/sh
+            - -c
+            - echo "Pulling complete"
+        - name: image-pull-autorecovery
+          image: {{ .autorecovery.repository }}:{{ .autorecovery.tag }}
+          imagePullPolicy: {{ .autorecovery.pullPolicy }}
+          command:
+            - /bin/sh
+            - -c
+            - echo "Pulling complete"
+        - name: image-pull-broker
+          image: {{ .broker.repository }}:{{ .broker.tag }}
+          imagePullPolicy: {{ .broker.pullPolicy }}
+          command:
+            - /bin/sh
+            - -c
+            - echo "Pulling complete"
+        - name: image-pull-proxy
+          image: {{ .proxy.repository }}:{{ .proxy.tag }}
+          imagePullPolicy: {{ .proxy.pullPolicy }}
+          command:
+            - /bin/sh
+            - -c
+            - echo "Pulling complete"
+        - name: image-pull-functions
+          image: {{ .functions.repository }}:{{ .functions.tag }}
+          imagePullPolicy: {{ .functions.pullPolicy }}
+          command:
+            - /bin/sh
+            - -c
+            - echo "Pulling complete"
+        - name: image-pull-prometheus
+          image: {{ .prometheus.repository }}:{{ .prometheus.tag }}
+          imagePullPolicy: {{ .prometheus.pullPolicy }}
+          command:
+            - /bin/sh
+            - -c
+            - echo "Pulling complete"
+        - name: image-pull-alert-manager
+          image: {{ .alert_manager.repository }}:{{ .alert_manager.tag }}
+          imagePullPolicy: {{ .alert_manager.pullPolicy }}
+          command:
+            - /bin/sh
+            - -c
+            - echo "Pulling complete"
+        - name: image-pull-grafana
+          image: {{ .grafana.repository }}:{{ .grafana.tag }}
+          imagePullPolicy: {{ .grafana.pullPolicy }}
+          command:
+            - /bin/sh
+            - -c
+            - echo "Pulling complete"
+        - name: image-pull-pulsar-manager
+          image: {{ .pulsar_manager.repository }}:{{ .pulsar_manager.tag }}
+          imagePullPolicy: {{ .pulsar_manager.pullPolicy }}
+          command:
+            - /bin/sh
+            - -c
+            - echo "Pulling complete"
+        - name: image-pull-node-exporter
+          image: {{ .node_exporter.repository }}:{{ .node_exporter.tag }}
+          imagePullPolicy: {{ .node_exporter.pullPolicy }}
+          command:
+            - /bin/sh
+            - -c
+            - echo "Pulling complete"
+        - name: image-pull-nginx-ingress-controller
+          image: {{ .nginx_ingress_controller.repository }}:{{ .nginx_ingress_controller.tag }}
+          imagePullPolicy: {{ .nginx_ingress_controller.pullPolicy }}
+          command:
+            - /bin/sh
+            - -c
+            - echo "Pulling complete"
+        {{- end }}
+      containers:
+        - name: pause
+          image: {{ .Values.imagePuller.pause.image.name }}:{{ .Values.imagePuller.pause.image.tag }}
+{{- end }}

charts/pulsar/templates/image-puller/daemonset.yaml

@@ -0,0 +1,39 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+{{- /*
+The hook-image-puller daemonset will be created with the highest priority during
+helm upgrades. It's task is to pull the required images on all nodes. When the
+image-awaiter job confirms the required images to be pulled, the daemonset is
+deleted. Only then will the actual helm upgrade start.
+*/}}
+{{- if .Values.imagePuller.hook.enabled }}
+{{- $_ := merge (dict "hook" true "componentPrefix" "hook-") . }}
+{{- include "pulsar.imagePuller.daemonset" $_ }}
+{{- end }}
+---
+{{- /*
+The continuous-image-puller daemonset task is to pull required images to nodes
+that are added in between helm upgrades, for example by manually adding a node
+or by the cluster autoscaler.
+*/}}
+{{- if .Values.imagePuller.continuous.enabled }}
+{{- $_ := merge (dict "hook" false "componentPrefix" "continuous-") . }}
+{{ include "pulsar.imagePuller.daemonset" $_ }}
+{{- end }}

charts/pulsar/templates/image-puller/job.yaml

@@ -0,0 +1,63 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+{{- /*
+This job has a part to play in a helm upgrade process. It simply waits for the
+hook-image-puller daemonset which is started slightly before this job to get
+its' pods running. If all those pods are running they must have pulled all the
+required images on all nodes as they are used as init containers with a dummy
+command.
+*/}}
+{{- if .Values.imagePuller.hook.enabled -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ template "pulsar.fullname" . }}-hook-image-awaiter
+  namespace: {{ .Values.namespace }}
+  labels:
+    {{- include "pulsar.standardLabels" . | nindent 4 }}
+    component: {{ .Values.imagePuller.component }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    "helm.sh/hook-weight": "10"
+spec:
+  template:
+    metadata:
+      labels:
+        {{- /* Changes here will cause the Job to restart the pods. */}}
+        {{- include "pulsar.matchLabels" . | nindent 8 }}
+        component: {{ .Values.imagePuller.component }}
+    spec:
+      restartPolicy: Never
+      {{- if .Values.imagePuller.rbac.enabled }}
+      serviceAccountName: {{ template "pulsar.fullname" . }}-hook-image-awaiter
+      {{- end }}
+      containers:
+        - image: {{ .Values.imagePuller.hook.image.name }}:{{ .Values.imagePuller.hook.image.tag }}
+          name: hook-image-awaiter
+          imagePullPolicy: IfNotPresent
+          command:
+            - /image-awaiter
+            - -ca-path=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+            - -auth-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token
+            - -api-server-address=https://$(KUBERNETES_SERVICE_HOST):$(KUBERNETES_SERVICE_PORT)
+            - -namespace={{ .Values.namespace }}
+            - -daemonset={{ template "pulsar.fullname" . }}-hook-image-puller
+{{- end }}

charts/pulsar/templates/image-puller/rbac.yaml

@@ -0,0 +1,82 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+{{- /*
+Permissions to be used by the hook-image-awaiter job
+*/}}
+{{- if .Values.imagePuller.hook.enabled }}
+{{- if .Values.imagePuller.rbac.enabled }}
+{{- /*
+This service account...
+*/ -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "pulsar.fullname" . }}-hook-image-awaiter
+  namespace: {{ .Values.namespace }}
+  labels:
+    {{- include "pulsar.standardLabels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    "helm.sh/hook-weight": "0"
+---
+{{- /*
+... will be used by this role...
+*/}}
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "pulsar.fullname" . }}-hook-image-awaiter
+  namespace: {{ .Values.namespace }}
+  labels:
+    {{- include "pulsar.standardLabels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    "helm.sh/hook-weight": "0"
+rules:
+  - apiGroups: ["apps"]       # "" indicates the core API group
+    resources: ["daemonsets"]
+    verbs: ["get"]
+---
+{{- /*
+... as declared by this binding.
+*/}}
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "pulsar.fullname" . }}-hook-image-awaiter
+  namespace: {{ .Values.namespace }}
+  labels:
+    {{- include "pulsar.standardLabels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    "helm.sh/hook-weight": "0"
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "pulsar.fullname" . }}-hook-image-awaiter
+    namespace: {{ .Values.namespace }}
+roleRef:
+  kind: Role
+  name: {{ template "pulsar.fullname" . }}-hook-image-awaiter
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
+{{- end }}

charts/pulsar/values.yaml

@@ -152,6 +152,7 @@ images:
     # tag: 2.5.0
     repository: streamnative/platform
     tag: v1.0.0
+    pullPolicy: IfNotPresent
   prometheus:
     repository: prom/prometheus
     tag: v2.17.2
@@ -358,6 +359,25 @@ ingress:
       enabled: false
     annotations: {}
 
+imagePuller:
+  component: image-puller
+  pullSecret:
+    enabled: false
+  hook:
+    enabled: false
+    image:
+      name: streamnative/k8s-image-awaiter
+      tag: '0.1.0'
+  rbac:
+    enabled: true
+  continuous:
+    enabled: false
+  pause:
+    image:
+      name: gcr.io/google_containers/pause
+      tag: '3.1'
+
+
 ######################################################################
 # Below are settings for each component
 ######################################################################