feat: rbac rolebinding in helm chart (#20)

.github/workflows/on-pr-update.yaml

@@ -25,6 +25,7 @@ jobs:
         canary-container:
           - './.github/workflows/on-pr-update.yaml'
           - 'containers/canary/**'
+          - 'src/**'
         canary-chart:
           - './.github/workflows/on-pr-update.yaml'
           - 'charts/canary/**'

.github/workflows/on-release.yaml

@@ -24,6 +24,7 @@ jobs:
         canary-container:
           - './.github/workflows/on-release.yaml'
           - 'containers/canary/**'
+          - 'src/**'
         canary-chart:
           - './.github/workflows/on-release.yaml'
           - 'charts/canary/**'

charts/canary/crds/http-monitor.yaml

@@ -19,17 +19,10 @@ spec:
                 url:
                   type: string
                 interval:
-                  type: int #seconds
-                expect:
-                  type: array
-                  items:
-                    type: object
-                    properties:
-                      status:
-                        type: int
-                        default: 200
-                    required:
-                      - status
+                  type: integer #seconds
+                status:
+                  type: integer
+                  default: 200
   scope: Cluster
   names:
     plural: canaryhttpmonitors

charts/canary/templates/controller/deployment.yaml

@@ -39,82 +39,21 @@ spec:
 
   template:
     metadata:
-
-      annotations:
-        {{- if .Values.canary.podAnnotations }}
-        {{- toYaml .Values.canary.podAnnotations | nindent 8 }}
-        {{- end }}
-        {{- if .Values.controller.podAnnotations }}
-        {{- toYaml .Values.controller.podAnnotations | nindent 8 }}
-        {{- end }}
-
       labels:
         app: {{ include "canary.labels.app" . }}
         component: controller
         release: {{ .Release.Name }}
-        {{- if .Values.controller.podLabels }}
-        {{- toYaml .Values.controller.podLabels | nindent 8 }}
-        {{- end }}
 
     spec:
       restartPolicy: Always
 
-      {{- if .Values.controller.image.pullSecret }}
-      imagePullSecrets:
-        - name: {{ .Values.controller.image.pullSecret }}
-      {{- end }}
-
-      {{- if $podNodeSelector }}
-      nodeSelector:
-        {{- $podNodeSelector | nindent 8 }}
-      {{- end }}
-
-      {{- if $podAffinity }}
-      affinity:
-        {{- $podAffinity | nindent 8 }}
-      {{- end }}
-
-      {{- if $podTolerations }}
-      tolerations:
-        {{- $podTolerations | nindent 8 }}
-      {{- end }}
-
-      {{- if $podSecurityContext }}
-      securityContext:
-        {{- $podSecurityContext | nindent 8 }}
-      {{- end }}
-
-      {{- if $volumes }}
-      volumes:
-        {{- $volumes | indent 8 }}
-      {{- end }}
-
       containers:
         - name: controller
           {{- include "canary.image" (dict "image" .Values.controller.image) | indent 10 }}
 
-          {{- if $volumeMounts }}
-          volumeMounts:
-            {{- $volumeMounts | indent 12 }}
-          {{- end }}
-
-          envFrom:
-            {{- if $envFrom }}
-            {{- $envFrom | indent 12 }}
-            {{- end }}
-
           env:
             - name: CANARY_PROMETHEUS_HOSTNAME
               value: "{{ .Values.canary.prometheus.hostname }}"
+      serviceAccountName: canaryhttpmonitor
 
-            {{- if $env }}
-            {{- $env | indent 12 }}
-            {{- end }}
-
-          resources:
-            {{- toYaml .Values.controller.resources | nindent 12 }}
-
-        {{- if $containers }}
-        {{- $containers | nindent 8 }}
-        {{- end }}
 {{- end }}

charts/canary/templates/monitors/example-monitor.yaml

@@ -5,5 +5,4 @@ metadata:
 spec:
   url: https://api.github.com/octocat
   interval: 30 #seconds
-  expect:
-    status: 200
+

charts/canary/templates/rbac/role.yaml

@@ -0,0 +1,8 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: "canaryhttpmonitor"
+rules:
+  - apiGroups: [ "", "canary.ukserp.ac.uk" ]
+    resources: [ "canaryhttpmonitors" ]
+    verbs: [ "get", "watch", "list" ]

charts/canary/templates/rbac/rolebinding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: canaryhttpmonitor
+subjects:
+- kind: ServiceAccount
+  name: canaryhttpmonitor
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role #this must be Role or ClusterRole
+  name: canaryhttpmonitor # this must match the name of the Role or ClusterRole you wish to bind to
+  apiGroup: rbac.authorization.k8s.io

charts/canary/templates/rbac/serviceaccount.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: canaryhttpmonitor

charts/canary/values.yaml

@@ -46,3 +46,11 @@ controller:
   extraContainers: []
   extraVolumeMounts: []
   extraVolumes: []
+
+serviceAccount:
+  create: true
+  annotations: {}
+
+service:
+  type: NodePort
+  port: 80

src/canary.py

@@ -1,9 +1,11 @@
 import asyncio
 import aiohttp
 
-import random
+# import random
 import logging
 import click
+from kubernetes_asyncio import client, config
+from kubernetes_asyncio.client.api_client import ApiClient
 
 
 logging.basicConfig(
@@ -54,66 +56,61 @@ async def monitor_url(name, url, interval, statuses):
 
 
 async def watch_events(*args, **kwargs):
+    config.load_incluster_config()
+
     logging.info("starting watcher")
     logging.debug(args)
     logging.debug(kwargs)
-    monitors = [
-        {
-            "name": "airflow",
-            "url": "https://airflow.sail-teleport.dk.serp.ac.uk",
-            "interval": 10,
-            "expect": {"status": [200]},
-        },
-        {
-            "name": "rabbitmq",
-            "url": "https://rabbitmq.sail-teleport.dk.serp.ac.uk",
-            "interval": 10,
-            "expect": {"status": [200]},
-        },
-    ]
 
     logging.info("listening for events")
     tasks = dict()
 
     try:
         # Created monitors for current objects
         # TODO Query kubes for existing CanaryHTTPMonitor objects that are visible and iterate over them
-        for monitor in monitors:
-            # Get monitor (simulated)
-            name = monitor["name"]
-            url = monitor["url"]
-            statuses = monitor["expect"]["status"]
-            interval = monitor["interval"] + random.randint(0, 10)
-            logging.info(f"spawning monitor [{name=}]")
-            tasks[name] = asyncio.create_task(
-                monitor_url(name, url, interval, statuses)
-            )
-
-        # Consume events
-        # TODO Subscript to kubes event queue for changes to CanaryHTTPMonitor objects that are visible
-        while True:
-            # Get event (simulated)
-            await asyncio.sleep(30)
-            monitor = random.choice(monitors)
-            name = monitor["name"]
-            url = monitor["url"]
-            statuses = monitor["expect"]["status"]
-            interval = monitor["interval"] + random.randint(0, 10)
-            event = "UPDATED"
-
-            # Cancel the task if it already exists
-            if name in tasks:
-                logging.info(f"cancelling monitor [{name=}]")
-                tasks[name].cancel()
-                await tasks[name]
-
-            # Create a new task at the desired interval
-            if event in ["ADDED", "UPDATED"]:
-                logging.info(f"spawning monitor [{name=}]")
+        # use the context manager to close http sessions automatically
+        async with ApiClient() as api:
+            crds = client.CustomObjectsApi(api)
+            rawmonitors = await crds.list_cluster_custom_object(group="canary.ukserp.ac.uk", version="v1", plural="canaryhttpmonitors")
+            rawmonitors = rawmonitors["items"]
+            for monitor in rawmonitors:
+                name = monitor["metadata"]["name"]
+                url = monitor["spec"]["url"]
+                interval = monitor["spec"]["interval"]
+                if type(monitor["spec"]["status"]) is not list:
+                    statuses = []
+                    statuses.append(monitor["spec"]["status"])
+                else:
+                    statuses = monitor["spec"]["status"]
                 tasks[name] = asyncio.create_task(
                     monitor_url(name, url, interval, statuses)
                 )
 
+        # Consume events
+        # TODO Subscript to kubes event queue for changes to CanaryHTTPMonitor objects that are visible
+        # while True:
+        #     # Get event (simulated)
+        #     await asyncio.sleep(30)
+        #     monitor = random.choice(monitors)
+        #     name = monitor["name"]
+        #     url = monitor["url"]
+        #     statuses = monitor["expect"]["status"]
+        #     interval = monitor["interval"] + random.randint(0, 10)
+        #     event = "UPDATED"
+        #
+        #     # Cancel the task if it already exists
+        #     if name in tasks:
+        #         logging.info(f"cancelling monitor [{name=}]")
+        #         tasks[name].cancel()
+        #         await tasks[name]
+        #
+        #     # Create a new task at the desired interval
+        #     if event in ["ADDED", "UPDATED"]:
+        #         logging.info(f"spawning monitor [{name=}]")
+        #         tasks[name] = asyncio.create_task(
+        #             monitor_url(name, url, interval, statuses)
+        #         )
+
     except asyncio.CancelledError:
         logging.info("cancelled watcher")
         for task in tasks.values():