Add dev-only deployment of kubeapps-apis (#2819)

* Add dev-only deployment of kubeapps-apis * Update cmd/kubeapps-apis/Dockerfile with docker/dockerfile:1 Co-authored-by: Antonio Gámez <agamez@vmware.com>
vmware-tanzu · May 18, 2021 · 348fca5 · 348fca5
1 parent b71c381
commit 348fca5
Show file tree

Hide file tree

Showing 9 changed files with 442 additions and 0 deletions.
diff --git a/chart/kubeapps/templates/_helpers.tpl b/chart/kubeapps/templates/_helpers.tpl
@@ -72,6 +72,13 @@ Create proxy_pass for the frontend config
 http://{{ include "kubeapps.kubeops.fullname" . }}:{{ .Values.kubeops.service.port }}
 {{- end -}}
 
+{{/*
+Create name for kubeappsapis based on the fullname
+*/}}
+{{- define "kubeapps.kubeappsapis.fullname" -}}
+{{- printf "%s-internal-kubeappsapis" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
 {{/*
 Create name for the secrets related to oauth2_proxy
 */}}

diff --git a/chart/kubeapps/templates/kubeappsapis/deployment.yaml b/chart/kubeapps/templates/kubeappsapis/deployment.yaml
@@ -0,0 +1,107 @@
+{{- if .Values.featureFlags.kubeappsAPIsServer }}
+apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
+kind: Deployment
+metadata:
+  name: {{ template "kubeapps.kubeappsapis.fullname" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    app.kubernetes.io/component: kubeappsapis
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  replicas: {{ .Values.kubeappsapis.replicaCount }}
+  selector:
+    matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
+      app.kubernetes.io/component: kubeappsapis
+  template:
+    metadata:
+      {{- if .Values.kubeappsapis.podAnnotations }}
+      annotations: {{- include "common.tplvalues.render" (dict "value" .Values.kubeappsapis.podAnnotations "context" $) | nindent 8 }}
+      {{- end }}
+      labels: {{- include "common.labels.standard" . | nindent 8 }}
+        app.kubernetes.io/component: kubeappsapis
+        {{- if .Values.kubeappsapis.podLabels }}
+        {{- include "common.tplvalues.render" (dict "value" .Values.kubeappsapis.podLabels "context" $) | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- include "kubeapps.imagePullSecrets" . | indent 6 }}
+      serviceAccountName: {{ template "kubeapps.kubeappsapis.fullname" . }}
+      {{- if .Values.kubeappsapis.hostAliases }}
+      hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.kubeappsapis.hostAliases "context" $) | nindent 8 }}
+      {{- end }}
+      # Increase termination timeout to let remaining operations to finish before killing the pods
+      # This is because new releases/upgrades/deletions are synchronous operations
+      {{- if .Values.kubeappsapis.affinity }}
+      affinity: {{- include "common.tplvalues.render" (dict "value" .Values.kubeappsapis.affinity "context" $) | nindent 8 }}
+      {{- else }}
+      affinity:
+        podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.kubeappsapis.podAffinityPreset "component" "kubeappsapis" "context" $) | nindent 10 }}
+        podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.kubeappsapis.podAntiAffinityPreset "component" "kubeappsapis" "context" $) | nindent 10 }}
+        nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.kubeappsapis.nodeAffinityPreset.type "key" .Values.kubeappsapis.nodeAffinityPreset.key "values" .Values.kubeappsapis.nodeAffinityPreset.values) | nindent 10 }}
+      {{- end }}
+      {{- if .Values.kubeappsapis.nodeSelector }}
+      nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.kubeappsapis.nodeSelector "context" $) | nindent 8 }}
+      {{- end }}
+      {{- if .Values.kubeappsapis.tolerations }}
+      tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.kubeappsapis.tolerations "context" $) | nindent 8 }}
+      {{- end }}
+      {{- if .Values.kubeappsapis.priorityClassName }}
+      priorityClassName: {{ .Values.kubeappsapis.priorityClassName | quote }}
+      {{- end }}
+      {{- if .Values.kubeappsapis.podSecurityContext.enabled }}
+      securityContext: {{- omit .Values.kubeappsapis.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
+      terminationGracePeriodSeconds: {{ .Values.kubeappsapis.terminationGracePeriodSeconds }}
+      containers:
+        - name: kubeappsapis
+          image: {{ include "common.images.image" (dict "imageRoot" .Values.kubeappsapis.image "global" .Values.global) }}
+          imagePullPolicy: {{ .Values.kubeappsapis.image.pullPolicy | quote }}
+          {{- if .Values.kubeappsapis.containerSecurityContext.enabled }}
+          securityContext: {{- omit .Values.kubeappsapis.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          {{- end }}
+          {{- if .Values.kubeappsapis.lifecycleHooks }}
+          lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.kubeappsapis.lifecycleHooks "context" $) | nindent 12 }}
+          {{- end }}
+          command:
+            - /kubeapps-apis
+          args:
+            - --plugin-dir
+            - /plugins/
+          env:
+            - name: PORT
+              value: {{ .Values.kubeappsapis.containerPort | quote }}
+            {{- if .Values.kubeappsapis.extraEnvVars }}
+            {{- include "common.tplvalues.render" (dict "value" .Values.kubeappsapis.extraEnvVars "context" $) | nindent 12 }}
+            {{- end }}
+          {{- if or .Values.kubeappsapis.extraEnvVarsCM .Values.kubeappsapis.extraEnvVarsSecret }}
+          envFrom:
+            {{- if .Values.kubeappsapis.extraEnvVarsCM }}
+            - configMapRef:
+                name: {{ include "common.tplvalues.render" (dict "value" .Values.kubeappsapis.extraEnvVarsCM "context" $) }}
+            {{- end }}
+            {{- if .Values.kubeappsapis.extraEnvVarsSecret }}
+            - secretRef:
+                name: {{ include "common.tplvalues.render" (dict "value" .Values.kubeappsapis.extraEnvVarsSecret "context" $) }}
+            {{- end }}
+          {{- end }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.kubeappsapis.containerPort }}
+          {{- if .Values.kubeappsapis.livenessProbe.enabled }}
+          livenessProbe: {{- omit .Values.kubeappsapis.livenessProbe "enabled" | toYaml | nindent 12 }}
+          {{- else if .Values.kubeappsapis.customLivenessProbe }}
+          livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.kubeappsapis.customLivenessProbe "context" $) | nindent 12 }}
+          {{- end }}
+          {{- if .Values.kubeappsapis.readinessProbe.enabled }}
+          readinessProbe: {{- omit .Values.kubeappsapis.readinessProbe "enabled" | toYaml | nindent 12 }}
+          {{- else if .Values.kubeappsapis.customReadinessProbe }}
+          readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.kubeappsapis.customReadinessProbe "context" $) | nindent 12 }}
+          {{- end }}
+          {{- if .Values.kubeappsapis.resources }}
+          resources: {{- toYaml .Values.kubeappsapis.resources | nindent 12 }}
+          {{- end }}
+{{- end }}
diff --git a/chart/kubeapps/templates/kubeappsapis/rbac.yaml b/chart/kubeapps/templates/kubeappsapis/rbac.yaml
@@ -0,0 +1,47 @@
+{{- if .Values.featureFlags.kubeappsAPIsServer }}
+{{- if .Values.rbac.create -}}
+# Dev-only RBAC for experimental APIs server until user auth added.
+apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
+kind: ClusterRole
+metadata:
+  name: "kubeapps:controller:kubeapps-apis-dev-{{ .Release.Namespace }}"
+  namespace: {{ .Release.Namespace | quote }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    app.kubernetes.io/component: kubeappsapis
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+rules:
+  # TODO: Remove in favour of user's own creds used for request.
+  - apiGroups:
+      - ""
+      - "package.carvel.dev"
+    resources: ['*']
+    verbs: ['*']
+---
+apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
+kind: ClusterRoleBinding
+metadata:
+  name: "kubeapps:controller:kubeapps-apis-dev-{{ .Release.Namespace }}"
+  namespace: {{ .Release.Namespace | quote }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    app.kubernetes.io/component: kubeappsapis
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: "kubeapps:controller:kubeapps-apis-dev-{{ .Release.Namespace }}"
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "kubeapps.kubeappsapis.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end }}
+{{- end }}
diff --git a/chart/kubeapps/templates/kubeappsapis/service.yaml b/chart/kubeapps/templates/kubeappsapis/service.yaml
@@ -0,0 +1,30 @@
+{{- if .Values.featureFlags.kubeappsAPIsServer }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "kubeapps.kubeappsapis.fullname" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    app.kubernetes.io/component: kubeappsapis
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if or .Values.kubeappsapis.service.annotations .Values.commonAnnotations }}
+  annotations:
+    {{- if .Values.kubeappsapis.service.annotations }}
+    {{- include "common.tplvalues.render" (dict "value" .Values.kubeappsapis.service.annotations "context" $) | nindent 4 }}
+    {{- end }}
+    {{- if .Values.commonAnnotations }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- end }}
+spec:
+  type: ClusterIP
+  ports:
+    - port: {{ .Values.kubeappsapis.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
+    app.kubernetes.io/component: kubeappsapis
+{{- end }}
diff --git a/chart/kubeapps/templates/kubeappsapis/serviceaccount.yaml b/chart/kubeapps/templates/kubeappsapis/serviceaccount.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.featureFlags.kubeappsAPIsServer }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "kubeapps.kubeappsapis.fullname" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    app.kubernetes.io/component: kubeappsapis
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/chart/kubeapps/values.yaml b/chart/kubeapps/values.yaml
@@ -1445,6 +1445,7 @@ clusters:
 ##
 featureFlags:
   invalidateCache: true
+  kubeappsAPIsServer: false
 ## RBAC configuration
 ##
 rbac:

diff --git a/cmd/kubeapps-apis/Dockerfile b/cmd/kubeapps-apis/Dockerfile
@@ -0,0 +1,36 @@
+# syntax = docker/dockerfile:1
+
+FROM bitnami/golang:1.16.3 as builder
+WORKDIR /go/src/github.com/kubeapps/kubeapps
+COPY go.mod go.sum ./
+COPY pkg pkg
+COPY cmd cmd
+# With the trick below, Go's build cache is kept between builds.
+# https://github.com/golang/go/issues/27719#issuecomment-514747274
+RUN --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=cache,target=/root/.cache/go-build \
+    go build ./cmd/kubeapps-apis
+# Build the current standard plugins
+RUN --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=cache,target=/root/.cache/go-build \
+    go build \
+    -o /kapp-controller-packages-v1alpha1-plugin.so -buildmode=plugin \
+    ./cmd/kubeapps-apis/plugins/kapp_controller/packages/v1alpha1/main.go
+RUN --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=cache,target=/root/.cache/go-build \
+    go build \
+    -o /helm-operator-packages-v1alpha1-plugin.so -buildmode=plugin \
+    ./cmd/kubeapps-apis/plugins/helm_operator/packages/v1alpha1/main.go
+
+# Note: unlike the other docker images for go, we cannot use scratch as the plugins
+# are loaded using the dynamic linker.
+FROM bitnami/minideb:buster
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --from=builder /go/src/github.com/kubeapps/kubeapps/kubeapps-apis /kubeapps-apis
+COPY --from=builder /kapp-controller-packages-v1alpha1-plugin.so /plugins/
+COPY --from=builder /helm-operator-packages-v1alpha1-plugin.so /plugins/
+
+EXPOSE 50051
+USER 1001
+ENTRYPOINT [ "/kubeapps-apis" ]
+CMD [ "--help" ]