Merge pull request #51 from cybozu-go/application-controller-sharding

Support Sharding in Application Controller
cybozu-go · Mar 25, 2024 · b4b552c · b4b552c
2 parents a986479 + 032d896
commit b4b552c
Show file tree

Hide file tree

Showing 37 changed files with 1,024 additions and 40 deletions.
diff --git a/.github/actions/aqua/action.yaml b/.github/actions/aqua/action.yaml
@@ -7,8 +7,8 @@ inputs:
 runs:
   using: composite
   steps:
-    - uses: aquaproj/aqua-installer@36dc5833b04eb63f06e3bb818aa6b7a6e6db99a9 # v2.1.2
+    - uses: aquaproj/aqua-installer@7c7338067bdb97d5bea2acc82b5870afca470d18 # v2.3.0
       with:
-        aqua_version: v2.9.0
+        aqua_version: v2.22.0
       env:
         GITHUB_TOKEN: ${{ inputs.github_token }}
diff --git a/README.md b/README.md
@@ -12,6 +12,7 @@ Cattage is a Kubernetes controller that enhances the multi-tenancy of [Argo CD][
 - Management of root-namespaces for tenants. Tenant users will be able to create sub-namespaces in those root-namespaces.
 - When a tenant user creates a sub-namespace, the AppProject will be automatically updated accordingly. Tenant users will be able to deploy applications with Argo CD to the namespaces.
 - The ownership of sub-namespaces can be changed between tenants.
+- Sharding application-controller instances.
 
 ## Supported Version
 

diff --git a/Tiltfile b/Tiltfile
@@ -23,7 +23,6 @@ watch_file('./config/')
 k8s_yaml(kustomize('./config/dev'))
 k8s_resource(new_name='Cattage Resources', objects=[
     'cattage:namespace',
-    'tenants.cattage.cybozu.io:customresourcedefinition',
     'cattage-mutating-webhook-configuration:mutatingwebhookconfiguration',
     'cattage-controller-manager:serviceaccount',
     'cattage-leader-election-role:role',

diff --git a/api/v1beta1/tenant_types.go b/api/v1beta1/tenant_types.go
@@ -18,6 +18,11 @@ type TenantSpec struct {
 	// Delegates is a list of other tenants that are delegated access to this tenant.
 	// +optional
 	Delegates []DelegateSpec `json:"delegates,omitempty"`
+
+	// ControllerName is the name of the application-controller that manages this tenant's applications.
+	// If not specified, the default controller is used.
+	// +optional
+	ControllerName string `json:"controllerName,omitempty"`
 }
 
 // RootNamespaceSpec defines the desired state of Namespace.

diff --git a/charts/cattage/Chart.yaml b/charts/cattage/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.5.0-chart-patch-version-placeholder
+version: 0.6.0-chart-patch-version-placeholder
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

diff --git a/charts/cattage/crds/tenant.yaml b/charts/cattage/crds/tenant.yaml
@@ -53,6 +53,11 @@ spec:
                         type: string
                       type: array
                   type: object
+                controllerName:
+                  description: |-
+                    ControllerName is the name of the application-controller that manages this tenant's applications.
+                    If not specified, the default controller is used.
+                  type: string
                 delegates:
                   description: Delegates is a list of other tenants that are delegated access to this tenant.
                   items:

diff --git a/charts/cattage/templates/configmap.yaml b/charts/cattage/templates/configmap.yaml
@@ -18,3 +18,4 @@ data:
     argocd:
       namespace: {{ required ".Values.controller.config.argocd.namespace required!" .Values.controller.config.argocd.namespace }}
       appProjectTemplate: {{ required ".Values.controller.config.argocd.appProjectTemplate required!" .Values.controller.config.argocd.appProjectTemplate | toYaml | nindent 8 }}
+      preventAppCreationInArgoCDNamespace: {{ required ".Values.controller.config.argocd.preventAppCreationInArgoCDNamespace required!" .Values.controller.config.argocd.preventAppCreationInArgoCDNamespace }} 
diff --git a/charts/cattage/templates/generated.yaml b/charts/cattage/templates/generated.yaml
@@ -62,6 +62,18 @@ metadata:
     helm.sh/chart: '{{ include "cattage.chart" . }}'
   name: '{{ template "cattage.fullname" . }}-manager-role'
 rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
   - apiGroups:
       - ""
     resources:
@@ -282,6 +294,26 @@ metadata:
     helm.sh/chart: '{{ include "cattage.chart" . }}'
   name: '{{ template "cattage.fullname" . }}-validating-webhook-configuration'
 webhooks:
+  - admissionReviewVersions:
+      - v1
+    clientConfig:
+      service:
+        name: '{{ template "cattage.fullname" . }}-webhook-service'
+        namespace: '{{ .Release.Namespace }}'
+        path: /validate-argoproj-io-application
+    failurePolicy: Fail
+    name: vapplication.kb.io
+    rules:
+      - apiGroups:
+          - argoproj.io
+        apiVersions:
+          - v1alpha1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - applications
+    sideEffects: None
   - admissionReviewVersions:
       - v1
     clientConfig:

diff --git a/charts/cattage/values.yaml b/charts/cattage/values.yaml
@@ -81,3 +81,4 @@ controller:
             {{- else }}
             - '*'
             {{- end }}
+      preventAppCreationInArgoCDNamespace: false
diff --git a/cmd/cattage-controller/sub/run.go b/cmd/cattage-controller/sub/run.go
@@ -82,6 +82,7 @@ func subMain(ns, addr string, port int) error {
 	}
 
 	hooks.SetupTenantWebhook(mgr, admission.NewDecoder(scheme), cfg)
+	hooks.SetupApplicationWebhook(mgr, admission.NewDecoder(scheme), cfg)
 	//+kubebuilder:scaffold:builder
 
 	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {

diff --git a/config/crd/bases/cattage.cybozu.io_tenants.yaml b/config/crd/bases/cattage.cybozu.io_tenants.yaml
@@ -53,6 +53,11 @@ spec:
                       type: string
                     type: array
                 type: object
+              controllerName:
+                description: |-
+                  ControllerName is the name of the application-controller that manages this tenant's applications.
+                  If not specified, the default controller is used.
+                type: string
               delegates:
                 description: Delegates is a list of other tenants that are delegated
                   access to this tenant.

diff --git a/config/manager/configmap.yaml b/config/manager/configmap.yaml
@@ -65,3 +65,4 @@ data:
             {{- else }}
             - '*'
             {{- end }}
+      preventAppCreationInArgoCDNamespace: true
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -4,6 +4,18 @@ kind: ClusterRole
 metadata:
   name: manager-role
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - ""
   resources:

diff --git a/config/samples/tenant.yaml b/config/samples/tenant.yaml
@@ -5,6 +5,7 @@ metadata:
 spec:
   rootNamespaces:
     - name: app-a
+  controllerName: second
 ---
 apiVersion: cattage.cybozu.io/v1beta1
 kind: Tenant

diff --git a/config/webhook/manifests.yaml b/config/webhook/manifests.yaml
@@ -30,6 +30,26 @@ kind: ValidatingWebhookConfiguration
 metadata:
   name: validating-webhook-configuration
 webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /validate-argoproj-io-application
+  failurePolicy: Fail
+  name: vapplication.kb.io
+  rules:
+  - apiGroups:
+    - argoproj.io
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - applications
+  sideEffects: None
 - admissionReviewVersions:
   - v1
   clientConfig: