Merge pull request #440 from kmala/charts

feat(charts): Add helm charts for builder

Author: kmala

charts/builder/Chart.yaml

@@ -0,0 +1,7 @@
+name: builder
+home: https://github.com/deis/builder
+version: <Will be populated by the ci before publishing the chart>
+description: Git server and application builder for Deis Workflow.
+maintainers:
+  - name: Deis Team
+    email: engineering@deis.com

charts/builder/templates/builder-controller-secret-key-auth.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: builder-key-auth
+  labels:
+    heritage: deis
+  annotations:
+    "helm.sh/hook": pre-install
+type: Opaque
+data:
+  builder-key: {{ randAlphaNum 64 | b64enc }}

charts/builder/templates/builder-deployment.yaml

@@ -0,0 +1,128 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: deis-builder
+  labels:
+    heritage: deis
+  annotations:
+    component.deis.io/version: {{ .Values.docker_tag }}
+spec:
+  replicas: 1
+  strategy:
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
+    type: RollingUpdate
+  selector:
+    matchLabels:
+      app: deis-builder
+  template:
+    metadata:
+      labels:
+        app: deis-builder
+    spec:
+      serviceAccount: deis-builder
+      containers:
+        - name: deis-builder
+          image: quay.io/{{.Values.org}}/builder:{{.Values.docker_tag}}
+          imagePullPolicy: {{.Values.pull_policy}}
+          ports:
+            - containerPort: 2223
+              name: ssh
+            - containerPort: 8092
+              name: healthsrv
+{{- if or (.Values.limits_cpu) (.Values.limits_memory)}}
+          resources:
+            limits:
+{{- if (.Values.limits_cpu) }}
+              cpu: {{.Values.limits_cpu}}
+{{- end}}
+{{- if (.Values.limits_memory) }}
+              memory: {{.Values.limits_memory}}
+{{- end}}
+{{- end}}
+          env:
+            # NOTE(bacongobbler): use deis/registry_proxy to work around Docker --insecure-registry requirements
+            - name: "DEIS_REGISTRY_SERVICE_HOST"
+              value: "localhost"
+            - name: "DEIS_REGISTRY_SERVICE_PORT"
+              value: "{{ .Values.global.host_port }}"
+            - name: "HEALTH_SERVER_PORT"
+              value: "8092"
+            - name: "EXTERNAL_PORT"
+              value: "2223"
+            - name: BUILDER_STORAGE
+              value: "{{ .Values.global.storage }}"
+            - name: "DEIS_REGISTRY_LOCATION"
+              value: "{{ .Values.global.registry_location }}"
+            - name: "DEIS_REGISTRY_SECRET_PREFIX"
+              value: "{{ .Values.global.secret_prefix }}"
+            # Set GIT_LOCK_TIMEOUT to number of minutes you want to wait to git push again to the same repository
+            - name: "GIT_LOCK_TIMEOUT"
+              value: "10"
+            - name: "SLUGBUILDER_IMAGE_NAME"
+              valueFrom:
+                configMapKeyRef:
+                  name: slugbuilder-config
+                  key: image
+            - name: SLUG_BUILDER_IMAGE_PULL_POLICY
+              valueFrom:
+                configMapKeyRef:
+                  name: slugbuilder-config
+                  key: pullPolicy
+            - name: "DOCKERBUILDER_IMAGE_NAME"
+              valueFrom:
+                configMapKeyRef:
+                  name: dockerbuilder-config
+                  key: image
+            - name: DOCKER_BUILDER_IMAGE_PULL_POLICY
+              valueFrom:
+                configMapKeyRef:
+                  name: dockerbuilder-config
+                  key: pullPolicy
+            # This var needs to be passed so that the minio client (https://github.com/minio/mc) will work in Alpine linux
+            - name: "DOCKERIMAGE"
+              value: "1"
+            - name: "DEIS_DEBUG"
+              value: "false"
+            - name: "POD_NAMESPACE"
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: DEIS_BUILDER_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: builder-key-auth
+                  key: builder-key
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 8092
+            initialDelaySeconds: 30
+            timeoutSeconds: 1
+          readinessProbe:
+            httpGet:
+              path: /readiness
+              port: 8092
+            initialDelaySeconds: 30
+            timeoutSeconds: 1
+          volumeMounts:
+            - name: builder-key-auth
+              mountPath: /var/run/secrets/api/auth
+              readOnly: true
+            - name: builder-ssh-private-keys
+              mountPath: /var/run/secrets/deis/builder/ssh
+              readOnly: true
+            - name: objectstore-creds
+              mountPath: /var/run/secrets/deis/objectstore/creds
+              readOnly: true
+      volumes:
+        - name: builder-key-auth
+          secret:
+            secretName: builder-key-auth
+        - name: builder-ssh-private-keys
+          secret:
+            secretName: builder-ssh-private-keys
+        - name: objectstore-creds
+          secret:
+            secretName: objectstorage-keyfile

charts/builder/templates/builder-secret-ssh-private-keys.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: builder-ssh-private-keys
+  labels:
+    heritage: deis
+  annotations:
+    "helm.sh/hook": pre-install
+type: Opaque
+data:
+  ssh-host-rsa-key: "{{genPrivateKey "rsa" | b64enc}}"
+  ssh-host-dsa-key: "{{genPrivateKey "dsa" | b64enc}}"
+  ssh-host-ecdsa-key: "{{genPrivateKey "ecdsa" | b64enc}}"

charts/builder/templates/builder-service-account.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: deis-builder
+  labels:
+    heritage: deis

charts/builder/templates/builder-service.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: deis-builder
+  labels:
+    heritage: deis
+spec:
+  ports:
+    - name: ssh
+      port: 2222
+      targetPort: 2223
+  selector:
+    app: deis-builder

charts/builder/templates/builder-storage-secret.yaml

@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: objectstorage-keyfile
+  labels:
+    heritage: deis
+  annotations:
+    deis.io/objectstorage: "{{ .Values.global.storage }}"
+type: Opaque
+data: {{ if eq .Values.global.storage "gcs"}}
+  key.json: {{.Values.gcs.key_json | b64enc}}
+  builder-bucket: {{.Values.gcs.builder_bucket | b64enc }}{{ else if eq .Values.global.storage "azure"}}
+  accountname: {{.Values.azure.accountname | b64enc }}
+  accountkey: {{ .Values.azure.accountkey | b64enc }}
+  builder-container: {{ .Values.azure.builder_container | b64enc }}{{ else if eq .Values.global.storage "s3"}}
+  accesskey: {{ .Values.s3.accesskey | b64enc }}
+  secretkey: {{ .Values.s3.secretkey | b64enc }}
+  region: {{ .Values.s3.region | b64enc }}
+  builder-bucket: {{ .Values.s3.builder_bucket | b64enc }}{{ else if eq .Values.global.storage "swift"}}
+  username: {{ .swift.username | b64enc }}
+  password: {{ .swift.password | b64enc }}
+  authurl: {{ .swift.authurl | b64enc }}
+  tenant: {{ .swift.tenant | b64enc }}
+  authversion: {{ .swift.authversion | b64enc }}
+  builder-container: {{ .swift.builder_container | b64enc }}{{else if eq .Values.global.storage "minio"}}
+  accesskey: OFRaUlkySlJXTVBUNlVNWFI2STU=
+  secretkey: Z2JzdHJPdm90TU1jZzJzTWZHVWhBNWE2RXQvRUk1QUx0SUhzb2JZaw=={{ end }}

charts/builder/values.yaml

@@ -0,0 +1,58 @@
+org: "deisci"
+pull_policy: "Always"
+docker_tag: canary
+# limits_cpu: "100m"
+# limits_memory: "50Mi"
+
+global:
+  # Set the storage backend
+  #
+  # Valid values are:
+  # - s3: Store persistent data in AWS S3 (configure in S3 section)
+  # - azure: Store persistent data in Azure's object storage
+  # - gcs: Store persistent data in Google Cloud Storage
+  # - minio: Store persistent data on in-cluster Minio server
+  storage: minio
+
+  # Set the location of Workflow's Registry
+  #
+  # Valid values are:
+  # - on-cluster: Run registry within the Kubernetes cluster
+  # - off-cluster: Use registry outside the Kubernetes cluster (example: dockerhub,quay.io,self-hosted)
+  # - ecr: Use Amazon's ECR
+  # - gcr: Use Google's GCR
+  registry_location: "on-cluster"
+  # The host port to which registry proxy binds to
+  host_port: 5555
+  # Prefix for the imagepull secret created when using private registry
+  secret_prefix: "private-registry"
+
+s3:
+  # Your AWS access key. Leave it empty if you want to use IAM credentials.
+  accesskey: ""
+  # Your AWS secret key. Leave it empty if you want to use IAM credentials.
+  secretkey: ""
+  # Any S3 region
+  region: "us-west-1"
+  # Your buckets.
+  builder_bucket: "your-builder-bucket-name"
+
+azure:
+  accountname: "YOUR ACCOUNT NAME"
+  accountkey: "YOUR ACCOUNT KEY"
+  builder_container: "your-builder-container-name"
+
+gcs:
+  # key_json is expanded into a JSON file on the remote server. It must be
+  # well-formatted JSON data.
+  key_json: ''
+  builder_bucket: "your-builder-bucket-name"
+
+swift:
+  username: "Your OpenStack Swift Username"
+  password: "Your OpenStack Swift Password"
+  authurl: "Swift auth URL for obtaining an auth token"
+  # Your OpenStack tenant name if you are using auth version 2 or 3.
+  tenant: ""
+  authversion: "Your OpenStack swift auth version"
+  builder_container: "your-builder-container-name"