[okmeter] pull and update image based on tag

ee/fe/modules/500-okmeter/hooks/common_test.go

@@ -0,0 +1,18 @@
+/*
+Copyright 2021 Flant JSC
+Licensed under the Deckhouse Platform Enterprise Edition (EE) license. See https://github.com/deckhouse/deckhouse/blob/main/ee/LICENSE
+*/
+
+package hooks
+
+import (
+	"testing"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+func Test(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "")
+}

ee/fe/modules/500-okmeter/hooks/update_agent_image.go

@@ -0,0 +1,61 @@
+/*
+Copyright 2021 Flant JSC
+Licensed under the Deckhouse Platform Enterprise Edition (EE) license. See https://github.com/deckhouse/deckhouse/blob/main/ee/LICENSE
+*/
+
+package hooks
+
+import (
+	"fmt"
+
+	"github.com/flant/addon-operator/pkg/module_manager/go_hook"
+	"github.com/flant/addon-operator/sdk"
+
+	"github.com/deckhouse/deckhouse/go_lib/dependency"
+	"github.com/deckhouse/deckhouse/go_lib/dependency/cr"
+)
+
+var _ = sdk.RegisterFunc(&go_hook.HookConfig{
+	Queue:        "/modules/okmeter/check_release",
+	OnBeforeHelm: &go_hook.OrderedConfig{Order: 5},
+	Schedule: []go_hook.ScheduleConfig{
+		{
+			Name:    "check_okmeter_release",
+			Crontab: "* * * * *", // every minute
+		},
+	},
+}, dependency.WithExternalDependencies(checkRelease))
+
+func checkRelease(input *go_hook.HookInput, dc dependency.Container) error {
+	repo := input.ConfigValues.Get("okmeter.image.repository").String()
+	if repo == "" {
+		repo = "registry.okmeter.io/agent/okagent"
+	}
+	tag := input.ConfigValues.Get("okmeter.image.tag").String()
+	if tag == "" {
+		tag = "latest"
+	}
+
+	regCli, err := dc.GetRegistryClient(repo, cr.WithDisabledAuth())
+	if err != nil {
+		return err
+	}
+
+	imageHash, err := regCli.Digest(tag)
+	if err != nil {
+		return err
+	}
+
+	previousHash := input.Values.Get("okmeter.internal.currentReleaseImageHash").String()
+
+	if previousHash == imageHash {
+		return nil
+	}
+
+	currentImage := fmt.Sprintf("%s@%s", repo, imageHash)
+
+	input.Values.Set("okmeter.internal.currentReleaseImage", currentImage)
+	input.Values.Set("okmeter.internal.currentReleaseImageHash", imageHash)
+
+	return nil
+}

ee/fe/modules/500-okmeter/monitoring/prometheus-rules/alerting.yaml

@@ -0,0 +1,21 @@
+- name: d8.okmeter.availability
+  rules:
+    - alert: D8OkmeterAgentPodIsNotReady
+      expr: |
+        min by (pod) (
+          kube_controller_pod{namespace="d8-okmeter", controller_type="DaemonSet", controller_name="okmeter"}
+          * on (pod) group_right() kube_pod_status_ready{condition="true", namespace="d8-okmeter"}
+        ) != 1
+      for: 1m
+      labels:
+        severity_level: "6"
+        tier: cluster
+        d8_module: okmeter
+        d8_component: agent
+      annotations:
+        plk_protocol_version: "1"
+        plk_markup_format: "markdown"
+        plk_pending_until_firing_for: "5m"
+        plk_grouped_by__d8_okmeter_unavailable: "D8OkmeterUnavailable,tier=cluster,prometheus=deckhouse"
+        plk_labels_as_annotations: "pod"
+        summary: Okmeter agent is not Ready

ee/fe/modules/500-okmeter/openapi/config-values.yaml

@@ -1,5 +1,5 @@
 type: object
-required: [apiKey]
+required: [apiKey, image]
 properties:
   apiKey:
     type: string
@@ -38,3 +38,16 @@ properties:
           format: int64
         value:
           type: string
+  image:
+    type: object
+    default: {}
+    required: [repository, tag]
+    properties:
+      repository:
+        type: string
+        default: 'registry.okmeter.io/agent/okagent'
+        description: Docker repository for okmeter agent image.
+      tag:
+        type: string
+        default: 'latest'
+        description: Okmeter agent image tag.

ee/fe/modules/500-okmeter/openapi/doc-ru-config-values.yaml

@@ -14,3 +14,8 @@ properties:
       Структура, аналогичная  `spec.tolerations` в Kubernetes Pod.
 
       Если ничего не указано или указано `false` — будет [использоваться автоматика](https://deckhouse.io/ru/documentation/v1/#выделение-узлов-под-определенный-вид-нагрузки).
+  image:
+    repository:
+      description: Репозиторий с образом для okmeter agent.
+    tag:
+      description: Tag образа для okmeter agent.

ee/fe/modules/500-okmeter/openapi/values.yaml

@@ -5,3 +5,9 @@ properties:
   internal:
     type: object
     default: {}
+    properties:
+      currentReleaseImage:
+        type: string
+        default: 'registry.okmeter.io/agent/okagent:stub'
+      currentReleaseImageHash:
+        type: string

ee/fe/modules/500-okmeter/templates/daemonset.yaml

@@ -42,8 +42,6 @@ spec:
       labels:
         name: okmeter
     spec:
-      imagePullSecrets:
-      - name: deckhouse-registry
       serviceAccountName: okmeter
       hostNetwork: true
       dnsPolicy: ClusterFirstWithHostNet
@@ -57,7 +55,7 @@ spec:
       containers:
       - name: okagent
         {{- include "helm_lib_module_container_security_context_privileged_read_only_root_filesystem" . | nindent 8 }}
-        image: {{ $.Values.global.modulesImages.registry }}:{{ $.Values.global.modulesImages.tags.okmeter.okagent }}
+        image: {{ $.Values.okmeter.internal.currentReleaseImage }}
         env:
         - name: OKMETER_API_TOKEN
           valueFrom:

go_lib/dependency/cr/cr.go

@@ -43,23 +43,29 @@ type Client interface {
 type client struct {
 	registryURL string
 	authConfig  authn.AuthConfig
-	ca          string
-	isHTTP      bool
+	options     *registryOptions
 }
 
 // NewClient creates container registry client using `repo` as prefix for tags passed to methods. If insecure flag is set to true, then no cert validation is performed.
 // Repo example: "cr.example.com/ns/app"
-func NewClient(repo, ca string, isHTTP bool) (Client, error) {
-	authConfig, err := readAuthConfig("/etc/registrysecret/.dockerconfigjson")
-	if err != nil {
-		return nil, err
+func NewClient(repo string, options ...Option) (Client, error) {
+	opts := &registryOptions{}
+
+	for _, opt := range options {
+		opt(opts)
 	}
 
 	r := &client{
 		registryURL: repo,
-		authConfig:  authConfig,
-		ca:          ca,
-		isHTTP:      isHTTP,
+		options:     opts,
+	}
+
+	if !opts.withoutAuth {
+		authConfig, err := readAuthConfig("/etc/registrysecret/.dockerconfigjson")
+		if err != nil {
+			return nil, err
+		}
+		r.authConfig = authConfig
 	}
 
 	return r, nil
@@ -69,7 +75,7 @@ func (r *client) Image(tag string) (v1.Image, error) {
 	imageURL := r.registryURL + ":" + tag
 
 	var nameOpts []name.Option
-	if r.isHTTP {
+	if r.options.useHTTP {
 		nameOpts = append(nameOpts, name.Insecure)
 	}
 
@@ -78,10 +84,17 @@ func (r *client) Image(tag string) (v1.Image, error) {
 		return nil, err
 	}
 
+	imageOptions := make([]remote.Option, 0)
+	if !r.options.withoutAuth {
+		imageOptions = append(imageOptions, remote.WithAuth(authn.FromConfig(r.authConfig)))
+	}
+	if r.options.ca != "" {
+		imageOptions = append(imageOptions, remote.WithTransport(GetHTTPTransport(r.options.ca)))
+	}
+
 	return remote.Image(
 		ref,
-		remote.WithAuth(authn.FromConfig(r.authConfig)),
-		remote.WithTransport(GetHTTPTransport(r.ca)),
+		imageOptions...,
 	)
 }
 
@@ -144,3 +157,32 @@ func GetHTTPTransport(ca string) (transport http.RoundTripper) {
 		TLSNextProto:          make(map[string]func(authority string, c *tls.Conn) http.RoundTripper),
 	}
 }
+
+type registryOptions struct {
+	ca          string
+	useHTTP     bool
+	withoutAuth bool
+}
+
+type Option func(options *registryOptions)
+
+// WithCA use custom CA certificate
+func WithCA(ca string) Option {
+	return func(options *registryOptions) {
+		options.ca = ca
+	}
+}
+
+// WithInsecureSchema use http schema instead of https
+func WithInsecureSchema(insecure bool) Option {
+	return func(options *registryOptions) {
+		options.useHTTP = insecure
+	}
+}
+
+// WithDisabledAuth dont use authConfig
+func WithDisabledAuth() Option {
+	return func(options *registryOptions) {
+		options.withoutAuth = true
+	}
+}

go_lib/dependency/dependency.go

@@ -41,7 +41,7 @@ type Container interface {
 	MustGetEtcdClient(endpoints []string, options ...etcd.Option) etcd.Client
 	GetK8sClient(options ...k8s.Option) (k8s.Client, error)
 	MustGetK8sClient(options ...k8s.Option) k8s.Client
-	GetRegistryClient(repo, ca string, isHTTP bool) (cr.Client, error)
+	GetRegistryClient(repo string, options ...cr.Option) (cr.Client, error)
 }
 
 var (
@@ -160,17 +160,17 @@ func (dc *dependencyContainer) MustGetK8sClient(options ...k8s.Option) k8s.Clien
 	return client
 }
 
-func (dc *dependencyContainer) GetRegistryClient(repo, ca string, isHTTP bool) (cr.Client, error) {
+func (dc *dependencyContainer) GetRegistryClient(repo string, options ...cr.Option) (cr.Client, error) {
 	if dc.isTestEnvironment() {
-		return TestDC.GetRegistryClient(repo, ca, isHTTP)
+		return TestDC.GetRegistryClient(repo, options...)
 	}
 
 	// Maybe we should use multitone here
 	// if dc.crClient != nil {
 	// 	return dc.crClient, nil
 	// }
 
-	client, err := cr.NewClient(repo, ca, isHTTP)
+	client, err := cr.NewClient(repo, options...)
 	if err != nil {
 		return nil, err
 	}
@@ -220,7 +220,7 @@ func (mdc *mockedDependencyContainer) MustGetK8sClient(options ...k8s.Option) k8
 	return k
 }
 
-func (mdc *mockedDependencyContainer) GetRegistryClient(string, string, bool) (cr.Client, error) {
+func (mdc *mockedDependencyContainer) GetRegistryClient(string, ...cr.Option) (cr.Client, error) {
 	if mdc.CRClient != nil {
 		return mdc.CRClient, nil
 	}

modules/020-deckhouse/hooks/check_deckhouse_release.go

@@ -250,11 +250,11 @@ type canarySettings struct {
 	Interval Duration `json:"interval"` // in minutes
 }
 
-func GetCA(input *go_hook.HookInput) string {
+func getCA(input *go_hook.HookInput) string {
 	return input.Values.Get("global.modulesImages.registryCA").String()
 }
 
-func IsHTTP(input *go_hook.HookInput) bool {
+func isHTTP(input *go_hook.HookInput) bool {
 	registryScheme := input.Values.Get("global.modulesImages.registryScheme").String()
 	return registryScheme == "http"
 }
@@ -321,7 +321,7 @@ func NewDeckhouseReleaseChecker(input *go_hook.HookInput, dc dependency.Containe
 	repo := input.Values.Get("global.modulesImages.registry").String() // host/ns/repo
 
 	// registry.deckhouse.io/deckhouse/ce/release-channel:$release-channel
-	regCli, err := dc.GetRegistryClient(path.Join(repo, "release-channel"), GetCA(input), IsHTTP(input))
+	regCli, err := dc.GetRegistryClient(path.Join(repo, "release-channel"), cr.WithCA(getCA(input)), cr.WithInsecureSchema(isHTTP(input)))
 	if err != nil {
 		return nil, err
 	}

modules/020-deckhouse/hooks/set_module_image_value.go

@@ -24,6 +24,7 @@ import (
 	"github.com/flant/shell-operator/pkg/kube_events_manager/types"
 	appsv1 "k8s.io/api/apps/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/utils/pointer"
 )
 
 func getDeploymentImage(obj *unstructured.Unstructured) (go_hook.FilterResult, error) {
@@ -51,7 +52,8 @@ var _ = sdk.RegisterFunc(&go_hook.HookConfig{
 			NameSelector: &types.NameSelector{
 				MatchNames: []string{"deckhouse"},
 			},
-			FilterFunc: getDeploymentImage,
+			ExecuteHookOnEvents: pointer.BoolPtr(false),
+			FilterFunc:          getDeploymentImage,
 		},
 	},
 }, parseDeckhouseImage)