
[WIP] V2 low-level operator implementation #626

Merged: 17 commits, Sep 6, 2024

Conversation

EronWright (Contributor) commented Aug 8, 2024

Proposed changes

This PR implements the auto.pulumi.com API Group, including the Workspace and Update types.

Integration tests for the workspace controller are included.

Example

apiVersion: auto.pulumi.com/v1alpha1
kind: Workspace
metadata:
  name: random-yaml-1e2fc47
spec:
  image: pulumi/pulumi:3.128.0-nonroot
  securityProfile: restricted
  serviceAccountName: default
  git:
    url: https://github.com/pulumi/examples.git
    revision: 1e2fc471709448f3c9f7a250f28f1eafcde7017b
    dir: random-yaml
  env:
  - name: PULUMI_ACCESS_TOKEN
    valueFrom:
      secretKeyRef:
        name: pulumi-api-secret
        key: accessToken
  resources:
    requests:
      cpu: 1
      memory: 512Mi
    limits:
      cpu: 1
      memory: 512Mi

  # various extension points shown here.
  # - custom pod labels
  # - pod tolerations
  # - extra init container(s)
  # - extra volume(s) and volume mounts onto the 'pulumi' container
  podTemplate:
    metadata:
      labels:
        example.com/mylabel: bar
    spec:
      terminationGracePeriodSeconds: 3600
      tolerations:
        - key: "example.com/foo"
          operator: "Exists"
          effect: "NoSchedule"
      initContainers:
      - name: extra
        image: busybox
        command: ["sh", "-c", "echo 'Hello, extra init container!'"]
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_BIND_SERVICE
            drop:
            - ALL
        volumeMounts:
          - name: share
            mountPath: /share
      containers:
      - name: pulumi
        volumeMounts:
          - name: secret-volume
            mountPath: /etc/secret-volume
            readOnly: true
      volumes:
        - name: secret-volume
          secret:
            secretName: test-secret

Specific Changes

  • (agent) git source support
  • (operator) scaffolding
  • (operator) workspace api and controller and tests
  • (operator) update api and controller
  • (experimental) configuration block in Environment spec
  • (experimental) dockerfile for non-root pu/pu

Related issues (optional)

Closes #619
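The example above mixes `securityProfile: restricted` with user-supplied podTemplate extras (an extra init container that adds NET_BIND_SERVICE and drops ALL). As an added illustration, not code from this PR or the operator, here is a checker for the Pod Security Standards "restricted" rules applied to such a podTemplate; it assumes `restricted` means the Kubernetes restricted profile and that the operator does not fill in pod-level fields, neither of which this page states.

```python
from typing import Any

# Assumption (not stated on this page): `securityProfile: restricted` maps to the
# Kubernetes "restricted" Pod Security Standard, which podTemplate extras must meet.
ALLOWED_ADD = {"NET_BIND_SERVICE"}  # the only capability restricted lets you add
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}


def _container_violations(name: str, sc: dict, pod_sc: dict) -> list[str]:
    out = []
    caps = sc.get("capabilities", {})
    if sc.get("allowPrivilegeEscalation") is not False:
        out.append(f"{name}: allowPrivilegeEscalation must be false")
    if "ALL" not in caps.get("drop", []):
        out.append(f"{name}: capabilities.drop must include ALL")
    extra = set(caps.get("add", [])) - ALLOWED_ADD
    if extra:
        out.append(f"{name}: capabilities.add not permitted: {sorted(extra)}")
    # runAsNonRoot and seccompProfile may be satisfied at pod or container level.
    if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
        out.append(f"{name}: runAsNonRoot must be true (pod or container level)")
    seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
    if seccomp not in ALLOWED_SECCOMP:
        out.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return out


def restricted_violations(pod_spec: dict[str, Any]) -> list[str]:
    # Return every restricted-profile rule the pod spec's containers break.
    pod_sc = pod_spec.get("securityContext", {})
    found: list[str] = []
    for kind in ("initContainers", "containers"):
        for c in pod_spec.get(kind, []):
            found += _container_violations(f"{kind}/{c['name']}", c.get("securityContext", {}), pod_sc)
    return found


# Constructed input mirroring the "extra" init container in the PR description.
EXTRA_INIT = {
    "name": "extra", "image": "busybox",
    "securityContext": {
        "allowPrivilegeEscalation": False,
        "capabilities": {"add": ["NET_BIND_SERVICE"], "drop": ["ALL"]},
    },
}
AS_ON_PAGE = {"initContainers": [EXTRA_INIT]}
# The same container once the pod-level fields restricted also requires are set.
HARDENED = {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "initContainers": [EXTRA_INIT],
}
```

Run against the page's init container alone, the checker reports the two pod-level fields it leaves unset; with them added at the pod level the same container passes.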

@EronWright EronWright changed the title from "V2 low-level operator implementation" to "[WIP] V2 low-level operator implementation" Aug 8, 2024

codecov bot commented Aug 8, 2024

Codecov Report

Attention: Patch coverage is 22.15517% with 903 lines in your changes missing coverage. Please review.

Please upload report for BASE (v2@5b5d8a7). Learn more about missing BASE report.

Files with missing lines                                   Patch %   Lines
operator/internal/controller/update_controller.go           0.00%    318 missing
operator/api/v1alpha1/zz_generated.deepcopy.go              0.00%    241 missing
...erator/internal/controller/workspace_controller.go      66.40%    117 missing, 11 partials
operator/cmd/main.go                                        0.00%     72 missing
operator/test/utils/utils.go                                0.00%     62 missing
agent/cmd/init.go                                           0.00%     40 missing
operator/internal/controller/utils.go                       0.00%     38 missing
agent/cmd/serve.go                                          0.00%      3 missing
agent/cmd/root.go                                           0.00%      1 missing
Additional details and impacted files
@@          Coverage Diff          @@
##             v2     #626   +/-   ##
=====================================
  Coverage      ?   18.98%           
=====================================
  Files         ?       16           
  Lines         ?     3123           
  Branches      ?        0           
=====================================
  Hits          ?      593           
  Misses        ?     2438           
  Partials      ?       92           


@EronWright EronWright added the impact/no-changelog-required This issue doesn't require a CHANGELOG update label Aug 12, 2024
@mjeffryes mjeffryes added this to the 0.108 milestone Aug 16, 2024
@mikhailshilkov mikhailshilkov removed this from the 0.108 milestone Aug 22, 2024
@EronWright EronWright marked this pull request as ready for review August 23, 2024 00:07
@EronWright EronWright requested review from blampe and rquitales August 23, 2024 01:03
Resolved review threads: operator/test/utils/utils.go; operator/.DS_Store (outdated); agent/cmd/serve.go (outdated); operator/api/v1alpha1/update_types.go
@EronWright EronWright requested a review from rquitales August 26, 2024 21:32
blampe (Contributor) left a review:

Nothing blocking!

linters:
- dupl
- lll
linters:
Contributor:

Can we keep this consistent with the linters we're using in p-k?

}
// Configure authentication strategy to access the source
authData := map[string][]byte{}
authOpts, err := git.NewAuthOptions(*u, authData)
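Review bot: authData on this line is always an empty map, which leaves git.NewAuthOptions nothing to work with except whatever the URL `*u` itself carries; a user:password embedded in the URL would then sit in plain text in the Workspace spec's git.url field. Before this leaves WIP, consider populating authData from a Secret, the way the example's env block already uses secretKeyRef for PULUMI_ACCESS_TOKEN.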
Contributor:

So does this just support simple user:password auth?

Contributor Author:

I intend to support the same options, but I was waiting to see how containerization would impact the options. e.g., the ability to mount the git credentials.

Comment on lines +23 to +28
# Build
# the GOARCH has not a default value to allow the binary be built according to the host where the command
# was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO
# the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore,
# by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o manager cmd/main.go
Contributor:

I'm guessing this is boilerplate? It's a little odd.

Contributor Author:

Yes, it is entirely boilerplate from kubebuilder v.latest.

Comment on lines +79 to +88
// if the enable-http2 flag is false (the default), http/2 should be disabled
// due to its vulnerabilities. More specifically, disabling http/2 will
// prevent from being vulnerable to the HTTP/2 Stream Cancelation and
// Rapid Reset CVEs. For more information see:
// - https://github.com/advisories/GHSA-qppj-fm5r-hxr3
// - https://github.com/advisories/GHSA-4374-p667-p6c8
disableHTTP2 := func(c *tls.Config) {
setupLog.Info("disabling http/2")
c.NextProtos = []string{"http/1.1"}
}
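Review bot: the comment ties this block to an `enable-http2` flag that defaults to false; whether the opt-out is still needed depends on the x/net and grpc versions pinned in go.mod, which this hunk does not show, and the explicit `c.NextProtos = []string{"http/1.1"}` costs nothing to keep. If the block is removed, remove the flag and its comment together so main.go does not advertise a knob that no longer does anything.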
Contributor:

This isn't needed anymore - we're using unaffected versions of x/net and grpc.

WebhookServer: webhookServer,
HealthProbeBindAddress: probeAddr,
LeaderElection: enableLeaderElection,
LeaderElectionID: "30fa952a.pulumi.com",
Contributor:

Suggested change
LeaderElectionID: "30fa952a.pulumi.com",
LeaderElectionID: "operator.pulumi.com",

@EronWright EronWright merged commit a21e0e4 into v2 Sep 6, 2024
6 checks passed
@EronWright EronWright deleted the v2-operator branch September 6, 2024 18:12
@EronWright EronWright restored the v2-operator branch September 6, 2024 18:13