Merge pull request #94 from nrwl/steve/chore/nx-agents-chart

chore(charts): begin adding a distinct chart for Nx Agents

.gitignore

@@ -1,2 +1,6 @@
 .idea
-.DS_Store
+.DS_Store
+
+# We copy this over on automated testing but for local we need to copy it in so ignore
+# if someone forgets to delete before pushing
+charts/nx-cloud/templates/secret.yml

charts/nx-agents/Chart.yaml

@@ -0,0 +1,9 @@
+apiVersion: v2
+name: nx-agents
+description: Nx Cloud Agents Helm Chart
+type: application
+version: 1.0.0-rc.1
+maintainers:
+  - name: nx
+    url: "https://nx.app/"
+appVersion: "v1.alpha"

charts/nx-agents/ci/basic-values.yaml

@@ -0,0 +1,62 @@
+global:
+  imageRegistry: 'us-east1-docker.pkg.dev/nxcloudoperations'
+  imageTag: ''
+  imageRepository: 'nx-cloud-enterprise-public'
+  namespace: 'nx-cloud-workflows'
+
+naming:
+  nameOverride: ''
+  fullNameOverride: ''
+
+serviceAccounts:
+  controller:
+    annotations: {}
+  runner:
+    annotations: {}
+
+controller:
+  deployment:
+    port: 9000
+    annotations: {}
+  service:
+    port: 9000
+    type: ClusterIP
+    loadBalancerIP: ''
+    loadBalancerSourceRanges: []
+    annotations: {}
+  env: {}
+  image:
+    registry: ''
+    imageName: nx-cloud-workflow-controller
+    repository: ''
+    tag: test.0219162846
+    pullPolicy: Always
+  resources:
+    limits:
+      memory: '1Gi'
+      cpu: '1.0'
+    requests:
+      memory: '0.5Gi'
+      cpu: '0.5'
+
+executor:
+  env: {}
+
+daemonset:
+  enabled: true
+  script: |
+    #!/bin/bash
+    set -e
+
+    # change the file-watcher max-count on each node to 1048576
+
+    # insert the new value into the system config
+    sysctl -w fs.inotify.max_user_watches=1048576
+
+    # check that the new value was applied
+    cat /proc/sys/fs/inotify/max_user_watches
+
+secret:
+  name: 'cloudsecret'
+  awsS3AccessKeyId: 'ABC123556'
+  awsS3SecretAccessKey: 'BBBAAA1234'

charts/nx-agents/templates/_helpers.tpl

@@ -0,0 +1,30 @@
+{{- define "nxCloud.app.name" }}
+{{- default .Chart.Name .Values.naming.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "nxCloud.app.chartName" }}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "nxCloud.app.selectorLabels" }}
+app.kubernetes.io/name: {{ include "nxCloud.app.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{/*
+Common labels
+*/}}
+{{- define "nxCloud.app.labels" }}
+helm.sh/chart: {{ include "nxCloud.app.chartName" . }}
+{{- include "nxCloud.app.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}

charts/nx-agents/templates/_images.yml

@@ -0,0 +1,35 @@
+{{/*
+Return the proper image name
+Helper copied from bitnami/common: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_images.tpl
+and modified to support global imageTag
+{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" .Values.global "image" .Values.image ) }}
+*/}}
+{{- define "nxCloud.images.common" }}
+{{- $registryName := .imageRoot.registry }}
+{{- $repositoryName := default .imageRoot.repository .global.imageRepository }}
+{{- $imageName := .imageRoot.imageName }}
+{{- $separator := ":" }}
+{{- $termination := default .global.imageTag .imageRoot.tag | toString }}
+{{- if .global }}
+    {{- if .global.imageRegistry }}
+     {{- $registryName = .global.imageRegistry }}
+    {{- end }}
+{{- end }}
+{{- if .imageRoot.digest }}
+    {{- $separator = "@" }}
+    {{- $termination = .imageRoot.digest | toString }}
+{{- end }}
+{{- if $registryName }}
+    {{- printf "%s/%s/%s%s%s" $registryName $repositoryName $imageName $separator $termination }}
+{{- else }}
+    {{- printf "%s/%s%s%s"  $repositoryName $imageName $separator $termination }}
+{{- end }}
+{{- end }}
+
+
+{{/*
+Return proper nx-cloud-workflow-controller image name
+*/}}
+{{- define "nxCloud.images.workflowController.image" }}
+{{- include "nxCloud.images.common" (dict "imageRoot" .Values.controller.image "global" .Values.global) }}
+{{- end }}

charts/nx-agents/templates/daemonset.yaml

@@ -0,0 +1,43 @@
+{{- if .Values.daemonset.enabled }}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: nx-cloud-workflows-daemon
+  namespace: {{ .Values.global.namespace }}
+  labels:
+    k8s-app: nx-cloud-workflows-daemon
+spec:
+  selector:
+    matchLabels:
+      name: nx-cloud-workflows-daemon
+  template:
+    metadata:
+      labels:
+        name: nx-cloud-workflows-daemon
+    spec:
+      containers:
+      - name: nx-cloud-workflows-daemon
+        image: ubuntu:22.04
+        command: ["/bin/sh","-c"]
+        args: ["/script/daemon.sh; while true; do echo Sleeping && sleep 3600; done"]
+        volumeMounts:
+          - name: nx-cloud-workflows-daemon-script
+            mountPath: /script
+        securityContext:
+          allowPrivilegeEscalation: true
+          privileged: true
+      volumes:
+        - name: nx-cloud-workflows-daemon-script
+          configMap:
+            name: nx-cloud-workflows-daemon-script
+            defaultMode: 0755
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nx-cloud-workflows-daemon-script
+  namespace: {{ .Values.global.namespace }}
+data:
+  daemon.sh: |
+  {{- .Values.daemonset.script | nindent 4 }}
+{{- end }}

charts/nx-cloud/templates/nx-cloud-workflow-controller-deployment.yaml → charts/nx-agents/templates/deployment.yaml

@@ -1,12 +1,15 @@
-{{- if .Values.nxCloudWorkflows.enabled }}
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: nx-cloud-workflow-controller
-  namespace: {{ .Values.nxCloudWorkflows.namespace | quote }}
+  namespace: {{ .Values.global.namespace | quote }}
   labels:
     {{- include "nxCloud.app.labels" . | indent 4 }}
+  {{- if .Values.controller.deployment.annotations }}
+  annotations:
+    {{- toYaml .Values.controller.deployment.annotations | nindent 4 }}
+  {{- end }}
 spec:
   selector:
     matchLabels:
@@ -22,17 +25,16 @@ spec:
       containers:
         - command:
           - /nx-cloud-workflow-controller
-          - --namespace={{ .Values.nxCloudWorkflows.namespace }}
+          - --namespace={{ .Values.global.namespace }}
           - --in-cluster=true
-          - --image=nxprivatecloud/nx-cloud-build-tools:{{ .Values.nxCloudWorkflows.buildToolsImageTag }}
-          {{- range $key, $value := .Values.nxCloudWorkflows.executorEnv }}
+          {{- range $key, $value := .Values.executor.env }}
           - --executor-env={{ $key }}={{ $value }}
           {{- end }}
           - --workflow-service-address=http://nx-cloud-workflow-controller-service:9000
-          image: {{ include "nxCloud.images.nxCloudWorkflowController.image" . }}
-          imagePullPolicy: {{ .Values.nxApi.image.pullPolicy | quote }}
-          {{- if .Values.nxApi.resources }}
-          resources: {{- toYaml .Values.nxApi.resources | nindent 12 }}
+          image: {{ include "nxCloud.images.workflowController.image" . }}
+          imagePullPolicy: {{ .Values.controller.image.pullPolicy | quote }}
+          {{- if .Values.controller.resources }}
+          resources: {{- toYaml .Values.controller.resources | nindent 12 }}
           {{- end }}
           name: nx-cloud-workflow-controller
           securityContext:
@@ -41,21 +43,29 @@ spec:
             capabilities:
               drop:
                 - 'ALL'
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
           livenessProbe:
             httpGet:
               path: /healthz
-              port: 9000
+              port: {{ .Values.controller.deployment.port }}
+              scheme: HTTP
             initialDelaySeconds: 15
             periodSeconds: 20
+            successThreshold: 1
+            timeoutSeconds: 1
           readinessProbe:
             httpGet:
               path: /readyz
-              port: 9000
+              port: {{ .Values.controller.deployment.port }}
+              scheme: HTTP
             initialDelaySeconds: 5
             periodSeconds: 10
-          {{- if gt (len .Values.nxCloudWorkflows.controllerEnv) 0 }}
+            successThreshold: 1
+            timeoutSeconds: 1
+          {{- if gt (len .Values.controller.env) 0 }}
           env:
-          {{- range $key, $value := .Values.nxCloudWorkflows.controllerEnv }}
+          {{- range $key, $value := .Values.controller.env }}
           - name: {{ $key | quote }}
             value: {{ $value | quote }}
           {{- end }}
@@ -72,15 +82,9 @@ spec:
               secretKeyRef:
                 name: {{ .name }}
                 key: {{ .awsS3SecretAccessKey }}
-          {{- else }}
-          - name: SECRET_FILE_AWS_S3_ACCESS_KEY_ID
-            value: {{ .awsS3AccessKeyId }}
-          - name: SECRET_FILE_AWS_S3_SECRET_ACCESS_KEY
-            value: {{ .awsS3SecretAccessKey }}
           {{- end }}
           {{- end }}
           {{- end }}
           {{- end }}
       serviceAccountName: nx-cloud-workflow-controller
       terminationGracePeriodSeconds: 10
-{{- end }}

charts/nx-agents/templates/namespace.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ .Values.global.namespace }}
+  labels:
+    {{- include "nxCloud.app.labels" . | indent 4 }}

charts/nx-agents/templates/rolebinding.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    {{- include "nxCloud.app.labels" . | indent 4 }}
+  name: nx-cloud-workflow-controller-rolebinding
+  namespace: {{ .Values.global.namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: nx-cloud-workflow-controller-role
+subjects:
+  - kind: ServiceAccount
+    name: nx-cloud-workflow-controller
+    namespace: {{ .Values.global.namespace }}

charts/nx-agents/templates/roles.yaml

@@ -0,0 +1,62 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: nx-cloud-workflow-controller-role
+  namespace: {{ .Values.global.namespace }}
+rules:
+- apiGroups:
+    - ''
+  resources:
+    - services
+    - pods
+  verbs:
+    - create
+    - delete
+    - get
+    - list
+    - patch
+    - update
+    - watch
+- apiGroups:
+    - apps
+  resources:
+    - deployments
+  verbs:
+    - create
+    - delete
+    - get
+    - list
+    - patch
+    - update
+    - watch
+- apiGroups:
+    - ''
+  resources:
+    - secrets
+  verbs:
+    - create
+    - delete
+    - get
+    - list
+    - patch
+    - update
+    - watch
+- apiGroups:
+    - batch
+  resources:
+    - jobs
+  verbs:
+    - create
+    - delete
+    - get
+    - list
+    - patch
+    - update
+    - watch
+- apiGroups:
+    - batch
+  resources:
+    - jobs/status
+  verbs:
+    - get