├── venona ├── VERSION ├── .golangci.yml ├── env ├── scripts │ ├── build.sh │ ├── test-fmt.sh │ └── test.sh ├── README.md ├── License ├── .mockery.yaml ├── .mockery.boilerplate ├── build │ └── Dockerfile.tester ├── main.go ├── cmd │ ├── cmdutils.go │ ├── root.go │ └── start_test.go ├── pkg │ ├── errors │ │ └── errors.go │ ├── codefresh │ │ ├── status.go │ │ ├── error.go │ │ └── codefresh_test.go │ ├── logger │ │ └── logger.go │ ├── config │ │ ├── fileinfo_test.go │ │ ├── loader_test.go │ │ └── loader.go │ ├── monitoring │ │ ├── newrelic │ │ │ └── newrelic.go │ │ └── monitoring.go │ ├── runtime │ │ ├── runtime.go │ │ └── runtime_test.go │ ├── workflow │ │ └── workflow.go │ ├── server │ │ └── server.go │ ├── task │ │ └── task.go │ └── queue │ │ └── queue_test.go ├── Dockerfile ├── secrets │ └── minikube.codefresh.runtime.yaml ├── Makefile └── go.mod ├── .github ├── CODEOWNERS ├── pull_request_template.md └── workflows │ └── pr-title.yaml ├── charts └── cf-runtime │ ├── .helmignore │ ├── templates │ ├── other │ │ ├── podMonitor.yaml │ │ ├── serviceMonitor.yaml │ │ └── external-secrets.yaml │ ├── ballast │ │ ├── priority-class.yaml │ │ └── deployment.yaml │ ├── extra │ │ ├── extra-resources.yaml │ │ ├── runtime-images-cm.yaml │ │ └── extra-runtimes.yaml │ ├── runtime │ │ ├── cm-dind-daemon.yaml │ │ ├── secret.yaml │ │ ├── svc-dind.yaml │ │ ├── rbac.yaml │ │ ├── _helpers.tpl │ │ └── cronjob-update-runtimes.yaml │ ├── _components │ │ ├── app-proxy │ │ │ ├── _service.yaml │ │ │ ├── _env-vars.yaml │ │ │ ├── _ingress.yaml │ │ │ ├── _helpers.tpl │ │ │ ├── _rbac.yaml │ │ │ └── _deployment.yaml │ │ ├── monitor │ │ │ ├── _service.yaml │ │ │ ├── _env-vars.yaml │ │ │ ├── _helpers.tpl │ │ │ ├── _rbac.yaml │ │ │ └── _deployment.yaml │ │ ├── event-exporter │ │ │ ├── _serviceMontor.yaml │ │ │ ├── _service.yaml │ │ │ ├── _env-vars.yaml │ │ │ ├── _helpers.tpl │ │ │ ├── _rbac.yaml │ │ │ └── _deployment.yaml │ │ ├── volume-provisioner │ │ │ ├── _secret.yaml │ │ │ ├── _storageclass.yaml │ 
│ │ ├── _rbac.yaml │ │ │ ├── _cronjob.yaml │ │ │ ├── _deployment.yaml │ │ │ ├── _helpers.tpl │ │ │ ├── _env-vars.yaml │ │ │ └── _daemonset.yaml │ │ ├── ballast │ │ │ ├── _helpers.tpl │ │ │ └── _deployment.yaml │ │ └── runner │ │ │ ├── _helpers.tpl │ │ │ ├── environment-variables │ │ │ ├── _main-container.yaml │ │ │ └── _init-container.yaml │ │ │ ├── _rbac.yaml │ │ │ └── _deployment.yaml │ ├── monitor │ │ ├── rbac.yaml │ │ ├── service.yaml │ │ └── deployment.yaml │ ├── app-proxy │ │ ├── rbac.yaml │ │ ├── ingress.yaml │ │ ├── service.yaml │ │ └── deployment.yaml │ ├── runner │ │ ├── rbac.yaml │ │ └── deployment.yaml │ ├── event-exporter │ │ ├── rbac.yaml │ │ ├── deployment.yaml │ │ └── service.yaml │ ├── volume-provisioner │ │ ├── rbac.yaml │ │ ├── secret.yaml │ │ ├── deployment.yaml │ │ ├── storageclass.yaml │ │ ├── daemonset.yaml │ │ └── cronjob.yaml │ ├── hooks │ │ ├── post-install │ │ │ ├── cm-update-runtime.yaml │ │ │ ├── rbac-gencerts-dind.yaml │ │ │ ├── job-gencerts-dind.yaml │ │ │ └── job-update-runtime.yaml │ │ └── pre-delete │ │ │ ├── rbac-cleanup-resources.yaml │ │ │ └── job-cleanup-resources.yaml │ └── _helpers.tpl │ ├── .ci │ ├── ct.yaml │ ├── image-digests.sh │ ├── helm-docs.sh │ ├── values-ci.yaml │ ├── values-rootless.yaml │ ├── lintconf.yaml │ └── values-system-runtime.yaml │ ├── tests │ ├── values.yaml │ ├── values-private-registry.yaml │ ├── volume-provisioner │ │ ├── dind-lv-monitor_test.yaml │ │ └── cronjob_test.yaml │ └── runtime │ │ ├── runtime_values.yaml │ │ └── runtime_onprem_values.yaml │ ├── files │ ├── cleanup-runtime.sh │ ├── patch-runtime.sh │ ├── create-kubeconfig.sh │ ├── init-runtime.sh │ └── configure-dind-certs.sh │ ├── Chart.yaml │ └── values-rootless.yaml ├── .dockerignore ├── README.md ├── scripts ├── get-all-images.sh ├── output-calculated-values.sh ├── delete-legacy-cli-resources.sh ├── update_re_images.sh ├── generate-changelog.sh └── update_values_with_digests.sh ├── .gitignore └── LICENSE /venona/VERSION: 
-------------------------------------------------------------------------------- 1 | 2.0.7 2 | -------------------------------------------------------------------------------- /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | /charts/ @codefresh-io/DevOps 2 | -------------------------------------------------------------------------------- /charts/cf-runtime/.helmignore: -------------------------------------------------------------------------------- 1 | tests/ 2 | .ci/ 3 | test-values/ -------------------------------------------------------------------------------- /.github/pull_request_template.md: -------------------------------------------------------------------------------- 1 | ## What 2 | 3 | ## Why 4 | 5 | ## Notes 6 | -------------------------------------------------------------------------------- /.dockerignore: -------------------------------------------------------------------------------- 1 | coverage 2 | node_modules 3 | .kube 4 | .envrc* 5 | .vscode 6 | .REST 7 | ./.cover -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | * [venona](venona/README.md) - Codefresh runner process, [official docs](https://codefresh.io/docs/docs/administration/codefresh-runner/). 2 | -------------------------------------------------------------------------------- /charts/cf-runtime/templates/other/podMonitor.yaml: -------------------------------------------------------------------------------- 1 | {{ $templateName := printf "cf-common-%s.podMonitor" (index .Subcharts "cf-common").Chart.Version }} 2 | {{- include $templateName . 
-}} 3 | -------------------------------------------------------------------------------- /venona/.golangci.yml: -------------------------------------------------------------------------------- 1 | version: "2" 2 | linters: 3 | settings: 4 | staticcheck: 5 | checks: 6 | - all 7 | - '-ST1005' 8 | - '-ST1000' 9 | - '-ST1003' -------------------------------------------------------------------------------- /charts/cf-runtime/templates/other/serviceMonitor.yaml: -------------------------------------------------------------------------------- 1 | {{ $templateName := printf "cf-common-%s.serviceMonitor" (index .Subcharts "cf-common").Chart.Version }} 2 | {{- include $templateName . -}} 3 | -------------------------------------------------------------------------------- /charts/cf-runtime/templates/other/external-secrets.yaml: -------------------------------------------------------------------------------- 1 | {{ $templateName := printf "cf-common-%s.external-secrets" (index .Subcharts "cf-common").Chart.Version }} 2 | {{- include $templateName . 
-}} 3 | -------------------------------------------------------------------------------- /venona/env: -------------------------------------------------------------------------------- 1 | # SECURITY: an API token is checked into the repository on the next line. Even though CODEFRESH_HOST points at a local dev host, a committed secret must be treated as compromised: revoke/rotate it, and load real tokens from an untracked file or a secret store (the chart ships an external-secrets template for this) rather than from version control.
CODEFRESH_TOKEN=60801b7ba54f6e54add4de76.5025b4cbbc76fc37e3fc5522cdc11880 2 | CODEFRESH_HOST=http://local.codefresh.io 3 | AGENT_NAME=runner 4 | AGENT_ID=minikube_codefresh 5 | VENONA_CONFIG_DIR=/home/codefresh/codefresh/venona/venona/secrets 6 | -------------------------------------------------------------------------------- /venona/scripts/build.sh: -------------------------------------------------------------------------------- 1 | 2 | #!/bin/bash 3 | 4 | set -e 5 | 6 | VERSION=$(cat VERSION) 7 | 8 | echo "Building version $VERSION" 9 | CGO_ENABLED=0 go build -ldflags "-X github.com/codefresh-io/go/venona/cmd.version=$VERSION" -o venona *.go 10 | -------------------------------------------------------------------------------- /charts/cf-runtime/templates/ballast/priority-class.yaml: -------------------------------------------------------------------------------- 1 | {{- if or .Values.ballast.dind.enabled .Values.ballast.engine.enabled -}} 2 | apiVersion: scheduling.k8s.io/v1 3 | kind: PriorityClass 4 | metadata: 5 | name: cf-ballast 6 | value: -1000000 7 | globalDefault: false 8 | {{- end -}} 9 | -------------------------------------------------------------------------------- /charts/cf-runtime/templates/extra/extra-resources.yaml: -------------------------------------------------------------------------------- 1 | {{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }} 2 | 3 | {{- range .Values.extraResources }} 4 | --- 5 | {{ include (printf "%s.tplrender" $cfCommonTplSemver) (dict "Values" . 
"context" $) }} 6 | {{- end }} -------------------------------------------------------------------------------- /charts/cf-runtime/.ci/ct.yaml: -------------------------------------------------------------------------------- 1 | # See https://github.com/helm/chart-testing#configuration 2 | remote: origin 3 | target-branch: main 4 | chart-dirs: 5 | - charts 6 | validate-chart-schema: false 7 | validate-maintainers: true 8 | validate-yaml: true 9 | check-version-increment: true 10 | excluded-charts: 11 | - .ci/ -------------------------------------------------------------------------------- /charts/cf-runtime/.ci/image-digests.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -eux 3 | MYDIR=$(dirname $0) 4 | REPO_ROOT="${MYDIR}/../../.." 5 | 6 | echo "Update image digests" 7 | docker run \ 8 | -v "$REPO_ROOT:/venona" \ 9 | -u $(id -u) \ 10 | --rm \ 11 | quay.io/codefresh/codefresh-shell:0.0.20 \ 12 | /bin/bash /venona/scripts/update_values_with_digests.sh -------------------------------------------------------------------------------- /charts/cf-runtime/templates/runtime/cm-dind-daemon.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | {{- /* has to be a constant */}} 5 | name: codefresh-dind-config 6 | labels: 7 | {{- include "runtime.labels" . | nindent 4 }} 8 | data: 9 | daemon.json: | 10 | {{ coalesce .Values.re.dindDaemon .Values.runtime.dindDaemon | toPrettyJson | indent 4 }} 11 | -------------------------------------------------------------------------------- /venona/scripts/test-fmt.sh: -------------------------------------------------------------------------------- 1 | 2 | #!/bin/bash 3 | 4 | set -e 5 | 6 | files=$(find . -type f -name '*.go') 7 | exitcode=0 8 | for f in $files 9 | do 10 | cmd="gofmt -e -l $f | wc -l" 11 | res=$(eval $cmd) 12 | if [ $res -gt 0 ] 13 | then 14 | echo "cmd: \"$cmd\" failed. 
cmd result = $res" 15 | exitcode=1 16 | fi 17 | done 18 | 19 | exit $exitcode -------------------------------------------------------------------------------- /charts/cf-runtime/templates/runtime/secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.global.codefreshToken }} 2 | apiVersion: v1 3 | kind: Secret 4 | type: Opaque 5 | metadata: 6 | name: {{ include "runtime.installation-token-secret-name" . }} 7 | labels: 8 | {{- include "runtime.labels" . | nindent 4 }} 9 | stringData: 10 | codefresh-api-token: {{ .Values.global.codefreshToken }} 11 | {{- end }} -------------------------------------------------------------------------------- /scripts/get-all-images.sh: -------------------------------------------------------------------------------- 1 | MYDIR=$(dirname $0) 2 | CHARTDIR="${MYDIR}/../charts/cf-runtime" 3 | VALUESFILE="${MYDIR}/../charts/cf-runtime/.ci/values-ci.yaml" 4 | OUTPUTFILE=$1 5 | helm dependency update $CHARTDIR 6 | helm template --values $VALUESFILE --set global.runtimeName="dummy" $CHARTDIR | grep -E 'image: | dindImage:' | awk -F ': ' '{print $2}' | tr -d '"' | tr -d "'" | sed 's/@sha256:.*//' | sort | uniq > $OUTPUTFILE 7 | -------------------------------------------------------------------------------- /venona/scripts/test.sh: -------------------------------------------------------------------------------- 1 | 2 | #!/bin/bash 3 | 4 | set -e 5 | 6 | rm -rf cover/ 7 | mkdir cover/ 8 | 9 | echo "running go test" 10 | go test -v -race -coverprofile=cover/cover.out -covermode=atomic ./... 11 | code=$? 12 | echo "go test cmd exited with code $code" 13 | 14 | echo "running go tool cover" 15 | go tool cover -html=cover/cover.out -o=cover/coverage.html 16 | echo "go tool cover exited with code $?" 
17 | 18 | exit $code 19 | -------------------------------------------------------------------------------- /charts/cf-runtime/templates/_components/app-proxy/_service.yaml: -------------------------------------------------------------------------------- 1 | {{- define "app-proxy.resources.service" -}} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: {{ include "app-proxy.fullname" . }} 6 | labels: 7 | {{- include "app-proxy.labels" . | nindent 4 }} 8 | spec: 9 | type: ClusterIP 10 | ports: 11 | - name: http 12 | port: 80 13 | protocol: TCP 14 | targetPort: 3000 15 | selector: 16 | {{- include "app-proxy.selectorLabels" . | nindent 4 }} 17 | {{- end -}} -------------------------------------------------------------------------------- /charts/cf-runtime/templates/_components/monitor/_service.yaml: -------------------------------------------------------------------------------- 1 | {{- define "monitor.resources.service" -}} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: {{ include "monitor.fullname" . }} 6 | labels: 7 | {{- include "monitor.labels" . | nindent 4 }} 8 | spec: 9 | type: ClusterIP 10 | ports: 11 | - name: http 12 | port: 80 13 | protocol: TCP 14 | targetPort: 9020 15 | selector: 16 | {{- include "monitor.selectorLabels" . 
| nindent 4 }} 17 | {{- end -}} 18 | -------------------------------------------------------------------------------- /scripts/output-calculated-values.sh: -------------------------------------------------------------------------------- 1 | MYDIR=$(dirname $0) 2 | CHARTDIR="${MYDIR}/../charts/cf-runtime" 3 | VALUESFILE="../charts/cf-runtime/.ci/values-ci.yaml" 4 | OUTPUTFILE=$1 5 | ALL_VALUES_TEMPLATE=$(cat <<-END 6 | {{ .Values | toYaml }} 7 | END 8 | ) 9 | 10 | echo $ALL_VALUES_TEMPLATE > $CHARTDIR/templates/all-values.yaml 11 | helm dependency update $CHARTDIR 12 | helm template --values $VALUESFILE --show-only templates/all-values.yaml $CHARTDIR > $OUTPUTFILE 13 | rm $CHARTDIR/templates/all-values.yaml -------------------------------------------------------------------------------- /charts/cf-runtime/templates/_components/event-exporter/_serviceMontor.yaml: -------------------------------------------------------------------------------- 1 | {{- define "event-exporter.resources.serviceMonitor" -}} 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: ServiceMonitor 4 | metadata: 5 | name: {{ include "event-exporter.fullname" . }} 6 | labels: 7 | {{- include "event-exporter.labels" . | nindent 4 }} 8 | spec: 9 | endpoints: 10 | - port: metrics 11 | selector: 12 | matchLabels: 13 | {{- include "event-exporter.selectorLabels" . 
| nindent 6 }} 14 | {{- end -}} -------------------------------------------------------------------------------- /.github/workflows/pr-title.yaml: -------------------------------------------------------------------------------- 1 | ## Reference: https://github.com/amannn/action-semantic-pull-request
## SECURITY: pull_request_target runs in the base repository's context with a write-capable GITHUB_TOKEN. This job only reads the PR title; never add a step that checks out or executes code from the PR head. Prefer pinning the action to a commit SHA instead of the floating @v5 tag.
 2 | name: "PR Lint" 3 | 4 | on: 5 | pull_request_target: 6 | types: 7 | - opened 8 | - synchronize 9 | - reopened 10 | 11 | jobs: 12 | main: 13 | name: Validate PR title 14 | runs-on: ubuntu-latest 15 | steps: 16 | - uses: amannn/action-semantic-pull-request@v5 17 | env: 18 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 19 | with: 20 | requireScope: false -------------------------------------------------------------------------------- /charts/cf-runtime/templates/runtime/svc-dind.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | labels: 5 | {{- include "runtime.labels" . | nindent 4 }} 6 | app: dind 7 | {{/* has to be a constant */}} 8 | name: dind 9 | spec: 10 | ports: 11 | - name: "dind-port" 12 | port: 1300 13 | protocol: TCP 14 | - name: dind-metrics 15 | port: 9100 16 | protocol: TCP 17 | - name: daemon-metrics 18 | port: 9323 19 | protocol: TCP 20 | clusterIP: None 21 | selector: 22 | app: dind 23 | -------------------------------------------------------------------------------- /charts/cf-runtime/templates/_components/event-exporter/_service.yaml: -------------------------------------------------------------------------------- 1 | {{- define "event-exporter.resources.service" -}} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: {{ include "event-exporter.fullname" . }} 6 | labels: 7 | {{- include "event-exporter.labels" . | nindent 4 }} 8 | spec: 9 | type: ClusterIP 10 | ports: 11 | - name: metrics 12 | port: 9102 13 | targetPort: metrics 14 | protocol: TCP 15 | selector: 16 | {{- include "event-exporter.selectorLabels" . 
| nindent 4 }} 17 | {{- end -}} -------------------------------------------------------------------------------- /charts/cf-runtime/templates/monitor/rbac.yaml: -------------------------------------------------------------------------------- 1 | {{- $monitorContext := deepCopy . }} 2 | {{- $_ := set $monitorContext "Values" (get .Values "monitor") }} 3 | {{- $_ := set $monitorContext.Values "global" (get .Values "global") }} 4 | {{- $_ := set $monitorContext.Values "nameOverride" (get .Values "nameOverride") }} 5 | {{- $_ := set $monitorContext.Values "fullnameOverride" (get .Values "fullnameOverride") }} 6 | 7 | {{- if $monitorContext.Values.enabled }} 8 | {{- include "monitor.resources.rbac" $monitorContext }} 9 | {{- end }} 10 | -------------------------------------------------------------------------------- /charts/cf-runtime/.ci/helm-docs.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | ## Reference: https://github.com/norwoodj/helm-docs 3 | set -eux 4 | REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)" 5 | echo "$REPO_ROOT" 6 | 7 | echo "Running Helm-Docs" 8 | docker run \ 9 | -v "$REPO_ROOT:/helm-docs" \ 10 | -u $(id -u) \ 11 | --rm \ 12 | --entrypoint /bin/sh \ 13 | jnorwood/helm-docs:v1.9.1 \ 14 | -c \ 15 | helm-docs \ 16 | --chart-search-root=charts \ 17 | --template-files=./_templates.gotmpl \ 18 | --template-files=README.md.gotmpl \ -------------------------------------------------------------------------------- /charts/cf-runtime/templates/monitor/service.yaml: -------------------------------------------------------------------------------- 1 | {{- $monitorContext := deepCopy . 
}} 2 | {{- $_ := set $monitorContext "Values" (get .Values "monitor") }} 3 | {{- $_ := set $monitorContext.Values "global" (get .Values "global") }} 4 | {{- $_ := set $monitorContext.Values "nameOverride" (get .Values "nameOverride") }} 5 | {{- $_ := set $monitorContext.Values "fullnameOverride" (get .Values "fullnameOverride") }} 6 | 7 | {{- if $monitorContext.Values.enabled }} 8 | {{- include "monitor.resources.service" $monitorContext }} 9 | {{- end }} 10 | -------------------------------------------------------------------------------- /charts/cf-runtime/templates/app-proxy/rbac.yaml: -------------------------------------------------------------------------------- 1 | {{- $appProxyContext := deepCopy . }} 2 | {{- $_ := set $appProxyContext "Values" (get .Values "appProxy") }} 3 | {{- $_ := set $appProxyContext.Values "global" (get .Values "global") }} 4 | {{- $_ := set $appProxyContext.Values "nameOverride" (get .Values "nameOverride") }} 5 | {{- $_ := set $appProxyContext.Values "fullnameOverride" (get .Values "fullnameOverride") }} 6 | 7 | {{- if $appProxyContext.Values.enabled }} 8 | {{- include "app-proxy.resources.rbac" $appProxyContext }} 9 | {{- end }} 10 | -------------------------------------------------------------------------------- /charts/cf-runtime/templates/monitor/deployment.yaml: -------------------------------------------------------------------------------- 1 | {{- $monitorContext := deepCopy . 
}} 2 | {{- $_ := set $monitorContext "Values" (get .Values "monitor") }} 3 | {{- $_ := set $monitorContext.Values "global" (get .Values "global") }} 4 | {{- $_ := set $monitorContext.Values "nameOverride" (get .Values "nameOverride") }} 5 | {{- $_ := set $monitorContext.Values "fullnameOverride" (get .Values "fullnameOverride") }} 6 | 7 | {{- if $monitorContext.Values.enabled }} 8 | {{- include "monitor.resources.deployment" $monitorContext }} 9 | {{- end }} 10 | -------------------------------------------------------------------------------- /charts/cf-runtime/templates/runner/rbac.yaml: -------------------------------------------------------------------------------- 1 | {{- $runnerContext := deepCopy . }} 2 | {{- $_ := set $runnerContext "Values" (get .Values "runner") }} 3 | {{- $_ := set $runnerContext.Values "global" (get .Values "global") }} 4 | {{- $_ := set $runnerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }} 5 | {{- $_ := set $runnerContext.Values "name" (index .Values "runner" "name") }} 6 | 7 | {{- if and $runnerContext.Values.enabled .Values.runtime.agent }} 8 | {{- include "runner.resources.rbac" $runnerContext }} 9 | {{- end }} 10 | -------------------------------------------------------------------------------- /venona/README.md: -------------------------------------------------------------------------------- 1 | # Venona 2 | 3 | * venona - the agent process that runs on the remote cluster 4 | * cmd - entrypoints to the application 5 | * pkg/agent - polls the Codefresh API every X ms to fetch new pipelines to run. 
Also, report status back to Codefresh 6 | * pkg/codefresh - Codefresh API client 7 | * pkg/config - Interface to load the attached runtimes from the filesystem 8 | * pkg/kubernetes - Interface to Kubernetes 9 | * pkg/logger - logger 10 | * pkg/runtime - Interface that uses Kubernetes API to start the pipeline -------------------------------------------------------------------------------- /charts/cf-runtime/templates/app-proxy/ingress.yaml: -------------------------------------------------------------------------------- 1 | {{- $appProxyContext := deepCopy . }} 2 | {{- $_ := set $appProxyContext "Values" (get .Values "appProxy") }} 3 | {{- $_ := set $appProxyContext.Values "global" (get .Values "global") }} 4 | {{- $_ := set $appProxyContext.Values "nameOverride" (get .Values "nameOverride") }} 5 | {{- $_ := set $appProxyContext.Values "fullnameOverride" (get .Values "fullnameOverride") }} 6 | 7 | {{- if $appProxyContext.Values.enabled }} 8 | {{- include "app-proxy.resources.ingress" $appProxyContext }} 9 | {{- end }} 10 | -------------------------------------------------------------------------------- /charts/cf-runtime/templates/app-proxy/service.yaml: -------------------------------------------------------------------------------- 1 | {{- $appProxyContext := deepCopy . 
}} 2 | {{- $_ := set $appProxyContext "Values" (get .Values "appProxy") }} 3 | {{- $_ := set $appProxyContext.Values "global" (get .Values "global") }} 4 | {{- $_ := set $appProxyContext.Values "nameOverride" (get .Values "nameOverride") }} 5 | {{- $_ := set $appProxyContext.Values "fullnameOverride" (get .Values "fullnameOverride") }} 6 | 7 | {{- if $appProxyContext.Values.enabled }} 8 | {{- include "app-proxy.resources.service" $appProxyContext }} 9 | {{- end }} 10 | -------------------------------------------------------------------------------- /charts/cf-runtime/templates/app-proxy/deployment.yaml: -------------------------------------------------------------------------------- 1 | {{- $appProxyContext := deepCopy . }} 2 | {{- $_ := set $appProxyContext "Values" (get .Values "appProxy") }} 3 | {{- $_ := set $appProxyContext.Values "global" (get .Values "global") }} 4 | {{- $_ := set $appProxyContext.Values "nameOverride" (get .Values "nameOverride") }} 5 | {{- $_ := set $appProxyContext.Values "fullnameOverride" (get .Values "fullnameOverride") }} 6 | 7 | {{- if $appProxyContext.Values.enabled }} 8 | {{- include "app-proxy.resources.deployment" $appProxyContext }} 9 | {{- end }} 10 | -------------------------------------------------------------------------------- /charts/cf-runtime/templates/runner/deployment.yaml: -------------------------------------------------------------------------------- 1 | {{- $runnerContext := deepCopy . 
}} 2 | {{- $_ := set $runnerContext "Values" (get .Values "runner") }} 3 | {{- $_ := set $runnerContext.Values "global" (get .Values "global") }} 4 | {{- $_ := set $runnerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }} 5 | {{- $_ := set $runnerContext.Values "name" (index .Values "runner" "name") }} 6 | 7 | {{- if and $runnerContext.Values.enabled .Values.runtime.agent }} 8 | {{- include "runner.resources.deployment" $runnerContext }} 9 | {{- end }} 10 | -------------------------------------------------------------------------------- /charts/cf-runtime/tests/values.yaml: -------------------------------------------------------------------------------- 1 | # -- workaround for helm unit tests 2 | version: 1.0.0 3 | 4 | appProxy: 5 | enabled: false 6 | 7 | monitor: 8 | enabled: false 9 | 10 | global: 11 | codefreshHost: "https://g.codefresh.io" 12 | accountId: 7890 13 | agentName: my-context_codefresh 14 | runtimeName: my-context/codefresh 15 | context: my-context 16 | 17 | runner: 18 | name: runner 19 | 20 | volumeProvisioner: 21 | name: dind-volume-provisioner 22 | dind-lv-monitor: 23 | name: dind-lv-monitor 24 | dind-volume-cleanup: 25 | name: dind-volume-cleanup 26 | -------------------------------------------------------------------------------- /charts/cf-runtime/templates/event-exporter/rbac.yaml: -------------------------------------------------------------------------------- 1 | {{- $eventExporterContext := deepCopy . 
}} 2 | {{- $_ := set $eventExporterContext "Values" (get .Values "event-exporter") }} 3 | {{- $_ := set $eventExporterContext.Values "global" (get .Values "global") }} 4 | {{- $_ := set $eventExporterContext.Values "fullnameOverride" (get .Values "fullnameOverride") }} 5 | {{- $_ := set $eventExporterContext.Values "name" (index .Values "event-exporter" "name") }} 6 | 7 | {{- if and $eventExporterContext.Values.enabled }} 8 | {{- include "event-exporter.resources.rbac" $eventExporterContext }} 9 | {{- end }} 10 | -------------------------------------------------------------------------------- /charts/cf-runtime/templates/event-exporter/deployment.yaml: -------------------------------------------------------------------------------- 1 | {{- $eventExporterContext := deepCopy . }} 2 | {{- $_ := set $eventExporterContext "Values" (get .Values "event-exporter") }} 3 | {{- $_ := set $eventExporterContext.Values "global" (get .Values "global") }} 4 | {{- $_ := set $eventExporterContext.Values "fullnameOverride" (get .Values "fullnameOverride") }} 5 | {{- $_ := set $eventExporterContext.Values "name" (index .Values "event-exporter" "name") }} 6 | 7 | {{- if and $eventExporterContext.Values.enabled }} 8 | {{- include "event-exporter.resources.deployment" $eventExporterContext }} 9 | {{- end }} 10 | -------------------------------------------------------------------------------- /venona/License: -------------------------------------------------------------------------------- 1 | Copyright 2020 The Codefresh Authors. 2 | 3 | Licensed under the Apache License, Version 2.0 (the "License"); 4 | you may not use this file except in compliance with the License. 5 | You may obtain a copy of the License at 6 | 7 | http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | Unless required by applicable law or agreed to in writing, software 10 | distributed under the License is distributed on an "AS IS" BASIS, 11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
12 | See the License for the specific language governing permissions and 13 | limitations under the License. -------------------------------------------------------------------------------- /venona/.mockery.yaml: -------------------------------------------------------------------------------- 1 | boilerplate-file: ".mockery.boilerplate" 2 | dir: "{{.InterfaceDirRelative}}" 3 | filename: "{{.PackageName}}_mock.go" 4 | inpackage: true 5 | with-expecter: true 6 | packages: 7 | github.com/codefresh-io/go/venona/pkg/codefresh: 8 | interfaces: 9 | Codefresh: {} 10 | github.com/codefresh-io/go/venona/pkg/kubernetes: 11 | interfaces: 12 | Kubernetes: {} 13 | github.com/codefresh-io/go/venona/pkg/logger: 14 | interfaces: 15 | Logger: {} 16 | github.com/codefresh-io/go/venona/pkg/metrics: 17 | interfaces: 18 | Metrics: {} 19 | -------------------------------------------------------------------------------- /charts/cf-runtime/templates/volume-provisioner/rbac.yaml: -------------------------------------------------------------------------------- 1 | {{- $volumeProvisionerContext := deepCopy . }} 2 | {{- $_ := set $volumeProvisionerContext "Values" (get .Values "volumeProvisioner") }} 3 | {{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }} 4 | {{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }} 5 | {{- $_ := set $volumeProvisionerContext.Values "name" (index .Values "volumeProvisioner" "name") }} 6 | 7 | {{- if $volumeProvisionerContext.Values.enabled }} 8 | {{- include "dind-volume-provisioner.resources.rbac" $volumeProvisionerContext }} 9 | {{- end }} 10 | -------------------------------------------------------------------------------- /venona/.mockery.boilerplate: -------------------------------------------------------------------------------- 1 | // Copyright 2023 The Codefresh Authors. 
2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | -------------------------------------------------------------------------------- /venona/build/Dockerfile.tester: -------------------------------------------------------------------------------- 1 | # quay.io/codefresh/venona-tester
# SUPPLY CHAIN: the trivy step near the end pipes an installer fetched from the unpinned `master` branch straight into `sh`, so the image build trusts whatever that URL serves at build time. Pin the script to a release tag or commit and verify its checksum (or install a versioned trivy binary directly), matching the version-pinned `go install` lines; pinning the base image by digest closes the same gap.
 2 | FROM golang:1.25-alpine3.22 3 | 4 | RUN apk -U add --no-cache ca-certificates git make gcc g++ bash && update-ca-certificates 5 | RUN go install github.com/client9/misspell/cmd/misspell@v0.3.4 && \ 6 | go install github.com/fzipp/gocyclo/cmd/gocyclo@v0.6.0 && \ 7 | go install github.com/securego/gosec/v2/cmd/gosec@v2.22.8 && \ 8 | go install github.com/google/addlicense@v1.1.1 && \ 9 | go install github.com/github/hub@v2.11.2+incompatible 10 | 11 | RUN apk add curl 12 | RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b /usr/local/bin 13 | -------------------------------------------------------------------------------- /charts/cf-runtime/templates/event-exporter/service.yaml: -------------------------------------------------------------------------------- 1 | {{- $eventExporterContext := deepCopy . 
}} 2 | {{- $_ := set $eventExporterContext "Values" (get .Values "event-exporter") }} 3 | {{- $_ := set $eventExporterContext.Values "global" (get .Values "global") }} 4 | {{- $_ := set $eventExporterContext.Values "fullnameOverride" (get .Values "fullnameOverride") }} 5 | {{- $_ := set $eventExporterContext.Values "name" (index .Values "event-exporter" "name") }} 6 | 7 | {{- if $eventExporterContext.Values.enabled }} 8 | {{- include "event-exporter.resources.service" $eventExporterContext }} 9 | --- 10 | {{- include "event-exporter.resources.serviceMonitor" $eventExporterContext }} 11 | {{- end }} 12 | -------------------------------------------------------------------------------- /charts/cf-runtime/templates/extra/runtime-images-cm.yaml: -------------------------------------------------------------------------------- 1 | {{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }} 2 | {{ $images := .Values.runtime.engine.runtimeImages }} 3 | --- 4 | kind: ConfigMap 5 | apiVersion: v1 6 | metadata: 7 | {{- /* dummy template just to list runtime images */}} 8 | name: {{ include "runtime.fullname" . }}-images 9 | labels: 10 | {{- include "runtime.labels" . | nindent 4 }} 11 | data: 12 | images: | 13 | {{- range $key, $val := $images }} 14 | {{- if kindIs "map" $val }} 15 | image: {{ printf "%s/%s:%s@%s" $val.registry $val.repository $val.tag $val.digest }} 16 | {{- end }} 17 | {{- end }} 18 | -------------------------------------------------------------------------------- /charts/cf-runtime/templates/volume-provisioner/secret.yaml: -------------------------------------------------------------------------------- 1 | {{- $volumeProvisionerContext := deepCopy . 
}} 2 | {{- $_ := set $volumeProvisionerContext "Values" (get .Values "volumeProvisioner") }} 3 | {{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }} 4 | {{- $_ := set $volumeProvisionerContext.Values "storage" (get .Values "storage") }} 5 | {{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }} 6 | {{- $_ := set $volumeProvisionerContext.Values "name" (index .Values "volumeProvisioner" "name") }} 7 | 8 | {{- if $volumeProvisionerContext.Values.enabled }} 9 | {{- include "dind-volume-provisioner.resources.secret" $volumeProvisionerContext }} 10 | {{- end }} 11 | -------------------------------------------------------------------------------- /charts/cf-runtime/templates/volume-provisioner/deployment.yaml: -------------------------------------------------------------------------------- 1 | {{- $volumeProvisionerContext := deepCopy . }} 2 | {{- $_ := set $volumeProvisionerContext "Values" (get .Values "volumeProvisioner") }} 3 | {{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }} 4 | {{- $_ := set $volumeProvisionerContext.Values "storage" (get .Values "storage") }} 5 | {{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }} 6 | {{- $_ := set $volumeProvisionerContext.Values "name" (index .Values "volumeProvisioner" "name") }} 7 | 8 | {{- if $volumeProvisionerContext.Values.enabled }} 9 | {{- include "dind-volume-provisioner.resources.deployment" $volumeProvisionerContext }} 10 | {{- end }} 11 | -------------------------------------------------------------------------------- /charts/cf-runtime/templates/volume-provisioner/storageclass.yaml: -------------------------------------------------------------------------------- 1 | {{- $volumeProvisionerContext := deepCopy . 
}} 2 | {{- $_ := set $volumeProvisionerContext "Values" (get .Values "volumeProvisioner") }} 3 | {{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }} 4 | {{- $_ := set $volumeProvisionerContext.Values "storage" (get .Values "storage") }} 5 | {{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }} 6 | {{- $_ := set $volumeProvisionerContext.Values "name" (index .Values "volumeProvisioner" "name") }} 7 | 8 | {{- if $volumeProvisionerContext.Values.enabled }} 9 | {{- include "dind-volume-provisioner.resources.storageclass" $volumeProvisionerContext }} 10 | {{- end }} 11 | -------------------------------------------------------------------------------- /venona/main.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2020 The Codefresh Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 
15 | */ 16 | 17 | package main 18 | 19 | import "github.com/codefresh-io/go/venona/cmd" 20 | 21 | func main() { 22 | cmd.Execute() 23 | } 24 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | coverage 2 | node_modules 3 | .kube 4 | .envrc* 5 | .vscode 6 | .REST 7 | vcs.xml 8 | Project_Default.xml 9 | modules.xml 10 | misc.xml 11 | venona.iml 12 | encodings.xml 13 | yarn-error.log 14 | .idea/* 15 | telepresence.log 16 | venonalog.json 17 | .venonaconf 18 | .cover 19 | configdir 20 | venona/venona 21 | .runnerconf 22 | 23 | # helm template 24 | **/dry-run/** 25 | 26 | # dependency charts 27 | **/charts/*.tgz 28 | *.tgz 29 | 30 | # lock files 31 | *.lock 32 | 33 | # test values 34 | **/test-values/** 35 | 36 | # only ignore the values.yaml file at the root of the repo 37 | /values.yaml 38 | 39 | # helm charts 40 | **/*.tgz 41 | **/charts/**/charts 42 | **/dry-run.yaml 43 | **/values-dev**.yaml 44 | 45 | # coverage 46 | **/cover 47 | 48 | # debug 49 | **/.debug 50 | -------------------------------------------------------------------------------- /charts/cf-runtime/templates/_components/event-exporter/_env-vars.yaml: -------------------------------------------------------------------------------- 1 | {{- define "event-exporter.environment-variables.defaults" }} 2 | {{- end }} 3 | 4 | {{- define "event-exporter.environment-variables.calculated" }} 5 | {{- end }} 6 | 7 | {{- define "event-exporter.environment-variables" }} 8 | {{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }} 9 | {{- $defaults := (include "event-exporter.environment-variables.defaults" . | fromYaml) }} 10 | {{- $calculated := (include "event-exporter.environment-variables.calculated" . 
| fromYaml) }} 11 | {{- $overrides := .Values.env }} 12 | {{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }} 13 | {{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }} 14 | {{- end }} -------------------------------------------------------------------------------- /venona/cmd/cmdutils.go: -------------------------------------------------------------------------------- 1 | // Copyright 2020 The Codefresh Authors. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package cmd 16 | 17 | import ( 18 | "fmt" 19 | "os" 20 | ) 21 | 22 | func dieOnError(err error) { 23 | if err != nil { 24 | fmt.Println(err.Error()) 25 | os.Exit(1) 26 | } 27 | } 28 | -------------------------------------------------------------------------------- /charts/cf-runtime/templates/_components/volume-provisioner/_secret.yaml: -------------------------------------------------------------------------------- 1 | {{- define "dind-volume-provisioner.resources.secret" -}} 2 | {{- if or .Values.storage.ebs.accessKeyId .Values.storage.ebs.secretAccessKey .Values.storage.gcedisk.serviceAccountJson }} 3 | apiVersion: v1 4 | kind: Secret 5 | type: Opaque 6 | metadata: 7 | name: {{ include "dind-volume-provisioner.fullname" . }} 8 | labels: 9 | {{- include "dind-volume-provisioner.labels" . 
| nindent 4 }} 10 | stringData: 11 | {{- with .Values.storage.gcedisk.serviceAccountJson }} 12 | google-service-account.json: | 13 | {{- . | nindent 4 }} 14 | {{- end }} 15 | {{- with .Values.storage.ebs.accessKeyId }} 16 | aws_access_key_id: {{ . }} 17 | {{- end }} 18 | {{- with .Values.storage.ebs.secretAccessKey }} 19 | aws_secret_access_key: {{ . }} 20 | {{- end }} 21 | {{- end }} 22 | {{- end -}} 23 | -------------------------------------------------------------------------------- /venona/pkg/errors/errors.go: -------------------------------------------------------------------------------- 1 | // Copyright 2020 The Codefresh Authors. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package errors 16 | 17 | type RetriableError interface { 18 | IsRetriable() bool 19 | } 20 | 21 | func IsRetriable(err error) bool { 22 | e, ok := err.(RetriableError) 23 | return ok && e.IsRetriable() 24 | } 25 | -------------------------------------------------------------------------------- /charts/cf-runtime/templates/volume-provisioner/daemonset.yaml: -------------------------------------------------------------------------------- 1 | {{- $volumeProvisionerContext := deepCopy . 
}} 2 | {{- $_ := set $volumeProvisionerContext "Values" (get .Values.volumeProvisioner "dind-lv-monitor") }} 3 | {{- $_ := set $volumeProvisionerContext.Values "serviceAccount" (get .Values.volumeProvisioner "serviceAccount") }} 4 | {{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }} 5 | {{- $_ := set $volumeProvisionerContext.Values "storage" (get .Values "storage") }} 6 | {{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }} 7 | {{- $_ := set $volumeProvisionerContext.Values "name" (index .Values "volumeProvisioner" "dind-lv-monitor" "name") }} 8 | 9 | {{- if and $volumeProvisionerContext.Values.enabled .Values.volumeProvisioner.enabled }} 10 | {{- include "dind-volume-provisioner.resources.daemonset" $volumeProvisionerContext }} 11 | {{- end }} 12 | -------------------------------------------------------------------------------- /charts/cf-runtime/templates/volume-provisioner/cronjob.yaml: -------------------------------------------------------------------------------- 1 | {{- $volumeProvisionerContext := deepCopy . 
}} 2 | {{- $_ := set $volumeProvisionerContext "Values" (get .Values.volumeProvisioner "dind-volume-cleanup") }} 3 | {{- $_ := set $volumeProvisionerContext.Values "serviceAccount" (get .Values.volumeProvisioner "serviceAccount") }} 4 | {{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }} 5 | {{- $_ := set $volumeProvisionerContext.Values "storage" (get .Values "storage") }} 6 | {{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }} 7 | {{- $_ := set $volumeProvisionerContext.Values "name" (index .Values "volumeProvisioner" "dind-volume-cleanup" "name") }} 8 | 9 | {{- if and $volumeProvisionerContext.Values.enabled .Values.volumeProvisioner.enabled }} 10 | {{- include "dind-volume-provisioner.resources.cronjob" $volumeProvisionerContext }} 11 | {{- end }} 12 | -------------------------------------------------------------------------------- /venona/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM golang:1.25-alpine3.22 AS build 2 | RUN apk -U add --no-cache git make ca-certificates && update-ca-certificates 3 | ENV USER=venona 4 | ENV UID=10001 5 | RUN adduser \ 6 | --disabled-password \ 7 | --gecos "" \ 8 | --home "/nonexistent" \ 9 | --shell "/sbin/nologin" \ 10 | --no-create-home \ 11 | --uid "${UID}" \ 12 | "${USER}" 13 | WORKDIR /venona 14 | COPY . . 
15 | RUN go mod download -x 16 | RUN go mod verify 17 | RUN make build 18 | 19 | 20 | FROM alpine:3.22.1 AS prod 21 | COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ 22 | COPY --from=build /etc/passwd /etc/passwd 23 | COPY --from=build /etc/group /etc/group 24 | WORKDIR /home/venona 25 | RUN chown -R venona:venona /home/venona \ 26 | && chmod 755 /home/venona 27 | COPY --from=build /venona/venona /usr/local/bin/venona 28 | USER venona:venona 29 | 30 | ENTRYPOINT [ "venona" ] 31 | CMD [ "start" ] 32 | -------------------------------------------------------------------------------- /charts/cf-runtime/.ci/values-ci.yaml: -------------------------------------------------------------------------------- 1 | # Values used in `helm-chart-ci` pipeline 2 | # All placeholders will be set during ci build 3 | fullnameOverride: cf-runtime-override 4 | global: 5 | codefreshToken: placeholder 6 | accountId: placeholder 7 | context: placeholder 8 | # intentionally empty 9 | runtimeName: "" 10 | agentName: "" 11 | appProxy: 12 | enabled: true 13 | ingress: 14 | class: nginx 15 | host: placeholder 16 | pathPrefix: /app-proxy 17 | monitor: 18 | enabled: true 19 | rbac: 20 | namespaced: true 21 | runtime: 22 | dind: 23 | podLabels: 24 | key: dind 25 | resources: 26 | requests: 27 | cpu: 100m 28 | memory: 128Mi 29 | limits: 30 | cpu: 1000m 31 | memory: 1024Mi 32 | engine: 33 | podLabels: 34 | key: engine 35 | resources: 36 | requests: 37 | cpu: 100m 38 | memory: 128Mi 39 | limits: 40 | cpu: 1000m 41 | memory: 1024Mi 42 | -------------------------------------------------------------------------------- /charts/cf-runtime/templates/_components/app-proxy/_env-vars.yaml: -------------------------------------------------------------------------------- 1 | {{- define "app-proxy.environment-variables.defaults" }} 2 | PORT: 3000 3 | {{- end }} 4 | 5 | {{- define "app-proxy.environment-variables.calculated" }} 6 | CODEFRESH_HOST: {{ include 
"runtime.runtime-environment-spec.codefresh-host" . }} 7 | {{- with .Values.ingress.pathPrefix }} 8 | API_PATH_PREFIX: {{ . | quote }} 9 | {{- end }} 10 | {{- end }} 11 | 12 | {{- define "app-proxy.environment-variables" }} 13 | {{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }} 14 | {{- $defaults := (include "app-proxy.environment-variables.defaults" . | fromYaml) }} 15 | {{- $calculated := (include "app-proxy.environment-variables.calculated" . | fromYaml) }} 16 | {{- $overrides := .Values.env }} 17 | {{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }} 18 | {{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }} 19 | {{- end }} -------------------------------------------------------------------------------- /venona/pkg/codefresh/status.go: -------------------------------------------------------------------------------- 1 | // Copyright 2020 The Codefresh Authors. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 
14 | 15 | package codefresh 16 | 17 | import "encoding/json" 18 | 19 | type ( 20 | // AgentStatus is the latest status of the agent 21 | AgentStatus struct { 22 | Message string `json:"message"` 23 | } 24 | ) 25 | 26 | // Marshal status 27 | func (r *AgentStatus) Marshal() ([]byte, error) { 28 | return json.Marshal(r) 29 | } 30 | -------------------------------------------------------------------------------- /charts/cf-runtime/.ci/values-rootless.yaml: -------------------------------------------------------------------------------- 1 | volumeProvisioner: 2 | env: 3 | IS_ROOTLESS: true 4 | dind-lv-monitor: 5 | image: 6 | tag: 1.30.0-rootless 7 | digest: sha256:712e549e6e843b04684647f17e0973f8047e0d60e6e8b38a693ea64dc75b0479 8 | containerSecurityContext: 9 | runAsUser: 1000 10 | podSecurityContext: 11 | fsGroup: 1000 12 | fsGroupChangePolicy: "OnRootMismatch" 13 | volumePermissions: 14 | enabled: true 15 | 16 | runtime: 17 | dind: 18 | image: 19 | tag: 28.5.1-3.0.5-rootless 20 | digest: sha256:49d77f61e754db1329c7969cc20d2e6b6d034faa33b7303835eff318223e85ed 21 | userVolumeMounts: 22 | dind: 23 | name: dind 24 | mountPath: /home/rootless/.local/share/docker 25 | containerSecurityContext: 26 | privileged: true 27 | runAsUser: 1000 28 | podSecurityContext: 29 | fsGroup: 1000 30 | fsGroupChangePolicy: "OnRootMismatch" 31 | volumePermissions: 32 | enabled: true 33 | -------------------------------------------------------------------------------- /charts/cf-runtime/templates/hooks/post-install/cm-update-runtime.yaml: -------------------------------------------------------------------------------- 1 | {{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }} 2 | {{ $values := .Values.runtime.patch }} 3 | {{- if $values.enabled }} 4 | {{- $runtimeFile := printf "%s.yaml" (include "runtime.runtime-environment-spec.runtime-name-normalized" (dict "context" . 
"runtimeName" (include "runtime.runtime-environment-spec.runtime-name" .))) }} 5 | --- 6 | kind: ConfigMap 7 | apiVersion: v1 8 | metadata: 9 | name: {{ include "runtime.runtime-environment-spec.runtime-name-normalized" (dict "context" . "runtimeName" (include "runtime.runtime-environment-spec.runtime-name" .)) }}-runtime-config 10 | labels: 11 | {{- include "runtime.labels" . | nindent 4 }} 12 | annotations: 13 | {{- with $values.annotations }} 14 | {{- toYaml . | nindent 4 }} 15 | {{- end }} 16 | data: 17 | {{ $runtimeFile }}: | 18 | {{ include "runtime.runtime-environment-spec.template" . | nindent 4 | trim }} 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /scripts/delete-legacy-cli-resources.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | NAMESPACE=${1} 4 | 5 | if [ -z "$NAMESPACE" ]; then 6 | echo "Usage: $0 " 7 | exit 1 8 | fi 9 | 10 | KINDS=( 11 | "deployment" 12 | "daemonset" 13 | "configmap" 14 | "secret" 15 | "serviceaccount" 16 | "role" 17 | "rolebinding" 18 | "clusterrole" 19 | "clusterrolebinding" 20 | "storageclass" 21 | ) 22 | 23 | for kind in "${KINDS[@]}"; do 24 | echo "Deleting $kind resources in namespace: $NAMESPACE" 25 | kubectl delete "$kind" -n "$NAMESPACE" -l 'app in (runner, venona, dind-volume-provisioner, dind-lv-monitor, app-proxy)' --ignore-not-found 26 | done 27 | 28 | # Delete unlabeled resources 29 | kubectl -n $NAMESPACE delete secret $(kubectl get sa runner -o json | jq -r '.secrets.[].name') 30 | kubectl -n $NAMESPACE delete runnerconf 31 | kubectl -n $NAMESPACE delete sa runner 32 | kubectl -n $NAMESPACE delete role codefresh-engine runner 33 | kubectl -n $NAMESPACE delete rolebinding codefresh-engine runner 34 | -------------------------------------------------------------------------------- /venona/pkg/codefresh/error.go: -------------------------------------------------------------------------------- 1 | // 
Copyright 2020 The Codefresh Authors. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package codefresh 16 | 17 | import "fmt" 18 | 19 | type ( 20 | // Error is an error that may be thrown from Codefresh API 21 | Error struct { 22 | Message string 23 | APIStatusCode int 24 | } 25 | ) 26 | 27 | func (c Error) Error() string { 28 | return fmt.Sprintf("HTTP request to Codefresh API rejected. Status-Code: %d. Message: %s", c.APIStatusCode, c.Message) 29 | } 30 | -------------------------------------------------------------------------------- /charts/cf-runtime/files/cleanup-runtime.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | echo "-----" 4 | echo "API_HOST: ${API_HOST}" 5 | echo "AGENT_NAME: ${AGENT_NAME}" 6 | echo "RUNTIME_NAME: ${RUNTIME_NAME}" 7 | echo "AGENT: ${AGENT}" 8 | echo "AGENT_SECRET_NAME: ${AGENT_SECRET_NAME}" 9 | echo "DIND_SECRET_NAME: ${DIND_SECRET_NAME}" 10 | echo "-----" 11 | 12 | auth() { 13 | codefresh auth create-context --api-key ${API_TOKEN} --url ${API_HOST} 14 | } 15 | 16 | remove_runtime() { 17 | if [ "$AGENT" == "true" ]; then 18 | codefresh delete re ${RUNTIME_NAME} || true 19 | else 20 | codefresh delete sys-re ${RUNTIME_NAME} || true 21 | fi 22 | } 23 | 24 | remove_agent() { 25 | codefresh delete agent ${AGENT_NAME} || true 26 | } 27 | 28 | remove_secrets() { 29 | kubectl patch secret $(kubectl get secret -l 
codefresh.io/internal=true | awk 'NR>1{print $1}' | xargs) -p '{"metadata":{"finalizers":null}}' --type=merge || true 30 | kubectl delete secret $AGENT_SECRET_NAME || true 31 | kubectl delete secret $DIND_SECRET_NAME || true 32 | } 33 | 34 | auth 35 | remove_runtime 36 | remove_agent 37 | remove_secrets -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2019 Codefresh, Inc 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /venona/cmd/root.go: -------------------------------------------------------------------------------- 1 | // Copyright 2020 The Codefresh Authors. 
2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package cmd 16 | 17 | import "github.com/spf13/cobra" 18 | 19 | const ( 20 | // AppName holds the name of the application, to be used in monitoring tools 21 | AppName = "Codefresh-Runner" 22 | ) 23 | 24 | var version string 25 | 26 | var rootCmd = &cobra.Command{ 27 | Use: "venona", 28 | Version: version, 29 | Long: "Codefresh agent process", 30 | } 31 | 32 | // Execute - execute the root command 33 | func Execute() { 34 | err := rootCmd.Execute() 35 | dieOnError(err) 36 | } 37 | -------------------------------------------------------------------------------- /charts/cf-runtime/templates/_components/app-proxy/_ingress.yaml: -------------------------------------------------------------------------------- 1 | {{- define "app-proxy.resources.ingress" -}} 2 | apiVersion: networking.k8s.io/v1 3 | kind: Ingress 4 | metadata: 5 | name: {{ include "app-proxy.fullname" . }} 6 | labels: {{- include "app-proxy.labels" . | nindent 4 }} 7 | {{- with .Values.ingress.annotations }} 8 | annotations: 9 | {{- toYaml . 
| nindent 4 }} 10 | {{- end }} 11 | spec: 12 | {{- if and .Values.ingress.class (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} 13 | ingressClassName: {{ .Values.ingress.class }} 14 | {{- end }} 15 | {{- if .Values.ingress.tlsSecret }} 16 | tls: 17 | - hosts: 18 | - {{ .Values.ingress.host }} 19 | secretName: {{ .Values.ingress.tlsSecret }} 20 | {{- end }} 21 | rules: 22 | - host: {{ .Values.ingress.host }} 23 | http: 24 | paths: 25 | - path: {{ .Values.ingress.pathPrefix | default "/" }} 26 | pathType: ImplementationSpecific 27 | backend: 28 | service: 29 | name: {{ include "app-proxy.fullname" . }} 30 | port: 31 | number: 80 32 | {{- end -}} 33 | -------------------------------------------------------------------------------- /charts/cf-runtime/.ci/lintconf.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | rules: 3 | braces: 4 | min-spaces-inside: 0 5 | max-spaces-inside: 0 6 | min-spaces-inside-empty: -1 7 | max-spaces-inside-empty: -1 8 | brackets: 9 | min-spaces-inside: 0 10 | max-spaces-inside: 0 11 | min-spaces-inside-empty: -1 12 | max-spaces-inside-empty: -1 13 | colons: 14 | max-spaces-before: 0 15 | max-spaces-after: 1 16 | commas: 17 | max-spaces-before: 0 18 | min-spaces-after: 1 19 | max-spaces-after: 1 20 | comments: 21 | require-starting-space: true 22 | min-spaces-from-content: 1 23 | document-end: disable 24 | document-start: disable # No --- to start a file 25 | empty-lines: 26 | max: 2 27 | max-start: 0 28 | max-end: 0 29 | hyphens: 30 | max-spaces-after: 1 31 | indentation: 32 | spaces: consistent 33 | indent-sequences: whatever # - list indentation will handle both indentation and without 34 | check-multi-line-strings: false 35 | key-duplicates: enable 36 | line-length: disable # Lines can be any length 37 | new-line-at-end-of-file: enable 38 | new-lines: 39 | type: unix 40 | trailing-spaces: enable 41 | truthy: 42 | level: warning 
-------------------------------------------------------------------------------- /charts/cf-runtime/.ci/values-system-runtime.yaml: -------------------------------------------------------------------------------- 1 | global: 2 | runtimeName: system/test-ci-runtime 3 | 4 | runtime: 5 | agent: false 6 | inCluster: false 7 | description: "Test runtime created by venona-helm-chart-ci pipeline" 8 | kubeconfigFilePath: /opt/codefresh/kubeconfigs/prod-ue1-runtime-free-1/kubeconfig 9 | kubeconfigName: prod-ue1-runtime-free-1 10 | dind: 11 | pvcs: 12 | dind: 13 | storageClassName: dind-ebs-csi-us-east-1a-workflows 14 | nodeSelector: 15 | node-type: dind 16 | topology.kubernetes.io/zone: us-east-1a 17 | tolerations: 18 | - key: codefresh.io 19 | operator: Equal 20 | value: dinds 21 | effect: NoSchedule 22 | schedulerName: default-scheduler 23 | engine: 24 | nodeSelector: 25 | node-type: engine 26 | topology.kubernetes.io/zone: us-east-1a 27 | tolerations: 28 | - key: codefresh.io 29 | operator: Equal 30 | value: engines 31 | effect: NoSchedule 32 | schedulerName: default-scheduler 33 | accounts: 34 | - 5672d8deb6724b6e359adf62 # codefresh-inc 35 | 36 | volumeProvisioner: 37 | enabled: false 38 | 39 | monitor: 40 | enabled: false 41 | 42 | appProxy: 43 | enabled: false 44 | -------------------------------------------------------------------------------- /charts/cf-runtime/templates/ballast/deployment.yaml: -------------------------------------------------------------------------------- 1 | {{- range $key, $val := .Values.ballast }} 2 | --- 3 | {{- $ballastContext := deepCopy $ }} 4 | {{- $_ := set $ballastContext "Values" $val }} 5 | {{- $_ := set $ballastContext.Values "global" (get $.Values "global") }} 6 | {{- $_ := set $ballastContext.Values "nameOverride" (get $.Values "nameOverride") }} 7 | {{- $_ := set $ballastContext.Values "fullnameOverride" (get $.Values "fullnameOverride") }} 8 | {{- $_ := set $ballastContext.Values "name" $key }} 9 | {{- $_ := set 
$ballastContext.Values "nodeSelector" (get (index $ "Values" "runtime" $key) "nodeSelector") }} 10 | {{- $_ := set $ballastContext.Values "affinity" (get (index $ "Values" "runtime" $key) "affinity") }} 11 | {{- $_ := set $ballastContext.Values "tolerations" (get (index $ "Values" "runtime" $key) "tolerations") }} 12 | {{- $_ := set $ballastContext.Values "schedulerName" (get (index $ "Values" "runtime" $key) "schedulerName") }} 13 | {{- $_ := set $ballastContext.Values "resources" (coalesce (index $val.resources) (get (index $ "Values" "runtime" $key) "resources")) }} 14 | 15 | {{- if $ballastContext.Values.enabled }} 16 | {{- include "ballast.resources.deployment" $ballastContext }} 17 | {{- end }} 18 | 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /charts/cf-runtime/templates/_components/monitor/_env-vars.yaml: -------------------------------------------------------------------------------- 1 | {{- define "monitor.environment-variables.defaults" }} 2 | SERVICE_NAME: {{ include "monitor.fullname" . }} 3 | PORT: 9020 4 | HELM3: true 5 | NODE_OPTIONS: "--max_old_space_size=4096" 6 | {{- end }} 7 | 8 | {{- define "monitor.environment-variables.calculated" }} 9 | API_TOKEN: {{ include "runtime.installation-token-env-var-value" . | nindent 2 }} 10 | CLUSTER_ID: {{ include "runtime.runtime-environment-spec.context-name" . }} 11 | API_URL: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}/api/k8s-monitor/events 12 | ACCOUNT_ID: {{ .Values.global.accountId }} 13 | NAMESPACE: {{ .Release.Namespace }} 14 | {{- if .Values.rbac.namespaced }} 15 | ROLE_BINDING: true 16 | {{- end }} 17 | {{- end }} 18 | 19 | {{- define "monitor.environment-variables" }} 20 | {{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }} 21 | {{- $defaults := (include "monitor.environment-variables.defaults" . 
| fromYaml) }} 22 | {{- $calculated := (include "monitor.environment-variables.calculated" . | fromYaml) }} 23 | {{- $overrides := .Values.env }} 24 | {{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }} 25 | {{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }} 26 | {{- end }} -------------------------------------------------------------------------------- /charts/cf-runtime/templates/runtime/rbac.yaml: -------------------------------------------------------------------------------- 1 | {{ $values := .Values.runtime }} 2 | --- 3 | {{- if or $values.serviceAccount.create }} 4 | apiVersion: v1 5 | kind: ServiceAccount 6 | metadata: 7 | {{- /* has to be a constant */}} 8 | name: codefresh-engine 9 | labels: 10 | {{- include "runtime.labels" . | nindent 4 }} 11 | {{- with $values.serviceAccount.annotations }} 12 | annotations: 13 | {{- toYaml . | nindent 4 }} 14 | {{- end }} 15 | {{- end }} 16 | --- 17 | {{- if $values.rbac.create }} 18 | kind: Role 19 | apiVersion: rbac.authorization.k8s.io/v1 20 | metadata: 21 | name: codefresh-engine 22 | labels: 23 | {{- include "runner.labels" . | nindent 4 }} 24 | rules: 25 | - apiGroups: [ "" ] 26 | resources: [ "secrets" ] 27 | verbs: [ "get" ] 28 | {{- with $values.rbac.rules }} 29 | {{ toYaml . | nindent 2 }} 30 | {{- end }} 31 | {{- end }} 32 | --- 33 | {{- if and $values.serviceAccount.create $values.rbac.create }} 34 | kind: RoleBinding 35 | apiVersion: rbac.authorization.k8s.io/v1 36 | metadata: 37 | name: codefresh-engine 38 | labels: 39 | {{- include "runner.labels" . 
| nindent 4 }} 40 | subjects: 41 | - kind: ServiceAccount 42 | name: codefresh-engine 43 | roleRef: 44 | kind: Role 45 | name: codefresh-engine 46 | apiGroup: rbac.authorization.k8s.io 47 | {{- end }} 48 | 49 | -------------------------------------------------------------------------------- /charts/cf-runtime/templates/_components/ballast/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Expand the name of the chart. 3 | */}} 4 | {{- define "ballast.name" -}} 5 | {{- printf "%s-%s" (include "cf-runtime.name" .) "ballast" | trunc 63 | trimSuffix "-" }} 6 | {{- end }} 7 | 8 | {{/* 9 | Create a default fully qualified app name. 10 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 11 | If release name contains chart name it will be used as a full name. 12 | */}} 13 | {{- define "ballast.fullname" -}} 14 | {{- printf "%s-%s" .Values.name "ballast" | trunc 63 | trimSuffix "-" }} 15 | {{- end }} 16 | 17 | {{/* 18 | Common labels 19 | */}} 20 | {{- define "ballast.labels" -}} 21 | {{ include "cf-runtime.labels" . }} 22 | codefresh.io/application: ballast 23 | {{- end }} 24 | 25 | {{/* 26 | Selector labels 27 | */}} 28 | {{- define "ballast.selectorLabels" -}} 29 | {{ include "cf-runtime.selectorLabels" . }} 30 | codefresh.io/application: ballast 31 | {{- end }} 32 | 33 | {{/* 34 | Create the name of the service account to use 35 | */}} 36 | {{- define "ballast.serviceAccountName" -}} 37 | {{- if .Values.serviceAccount.create }} 38 | {{- default (include "ballast.fullname" .) .Values.serviceAccount.name }} 39 | {{- else }} 40 | {{- default "default" .Values.serviceAccount.name }} 41 | {{- end }} 42 | {{- end }} 43 | -------------------------------------------------------------------------------- /venona/pkg/logger/logger.go: -------------------------------------------------------------------------------- 1 | // Copyright 2020 The Codefresh Authors. 
2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package logger 16 | 17 | import ( 18 | log "github.com/inconshreveable/log15" 19 | ) 20 | 21 | type ( 22 | // Logger interface 23 | Logger interface { 24 | log.Logger 25 | } 26 | 27 | // Options for logger 28 | Options struct { 29 | Verbose bool 30 | } 31 | ) 32 | 33 | // New creates new logger 34 | func New(o Options) Logger { 35 | l := log.New(log.Ctx{}) 36 | handlers := []log.Handler{} 37 | lvl := log.LvlInfo 38 | if o.Verbose { 39 | lvl = log.LvlDebug 40 | } 41 | 42 | verboseHandler := log.LvlFilterHandler(lvl, log.StdoutHandler) 43 | handlers = append(handlers, verboseHandler) 44 | l.SetHandler(log.MultiHandler(handlers...)) 45 | return l 46 | } 47 | -------------------------------------------------------------------------------- /venona/pkg/config/fileinfo_test.go: -------------------------------------------------------------------------------- 1 | // Copyright 2020 The Codefresh Authors. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 
5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package config 16 | 17 | import ( 18 | "os" 19 | "time" 20 | ) 21 | 22 | type ( 23 | info struct { 24 | name string 25 | size int64 26 | mode os.FileMode 27 | modTime time.Time 28 | isDir bool 29 | sys interface{} 30 | } 31 | ) 32 | 33 | func (i info) Name() string { 34 | return i.name 35 | } 36 | 37 | func (i info) Size() int64 { 38 | return i.size 39 | } 40 | 41 | func (i info) Mode() os.FileMode { 42 | return i.mode 43 | } 44 | 45 | func (i info) ModTime() time.Time { 46 | return i.modTime 47 | } 48 | 49 | func (i info) IsDir() bool { 50 | return i.isDir 51 | } 52 | 53 | func (i info) Sys() interface{} { 54 | return i.sys 55 | } 56 | -------------------------------------------------------------------------------- /charts/cf-runtime/templates/_components/monitor/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Expand the name of the chart. 3 | */}} 4 | {{- define "monitor.name" -}} 5 | {{- printf "%s-%s" (include "cf-runtime.name" .) "monitor" | trunc 63 | trimSuffix "-" }} 6 | {{- end }} 7 | 8 | {{/* 9 | Create a default fully qualified app name. 10 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 11 | If release name contains chart name it will be used as a full name. 12 | */}} 13 | {{- define "monitor.fullname" -}} 14 | {{- printf "%s-%s" (include "cf-runtime.fullname" .) 
"monitor" | trunc 63 | trimSuffix "-" }} 15 | {{- end }} 16 | 17 | {{/* 18 | Common labels 19 | */}} 20 | {{- define "monitor.labels" -}} 21 | {{ include "cf-runtime.labels" . }} 22 | codefresh.io/application: monitor 23 | {{- end }} 24 | 25 | {{/* 26 | Selector labels 27 | */}} 28 | {{- define "monitor.selectorLabels" -}} 29 | {{ include "cf-runtime.selectorLabels" . }} 30 | codefresh.io/application: monitor 31 | {{- end }} 32 | 33 | {{/* 34 | Create the name of the service account to use 35 | */}} 36 | {{- define "monitor.serviceAccountName" -}} 37 | {{- if .Values.serviceAccount.create }} 38 | {{- default (include "monitor.fullname" .) .Values.serviceAccount.name }} 39 | {{- else }} 40 | {{- default "default" .Values.serviceAccount.name }} 41 | {{- end }} 42 | {{- end }} -------------------------------------------------------------------------------- /charts/cf-runtime/templates/_components/runner/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Expand the name of the chart. 3 | */}} 4 | {{- define "runner.name" -}} 5 | {{- printf "%s-%s" (include "cf-runtime.name" .) "runner" | trunc 63 | trimSuffix "-" }} 6 | {{- end }} 7 | 8 | {{/* 9 | Create a default fully qualified app name. 10 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 11 | If release name contains chart name it will be used as a full name. 12 | */}} 13 | {{- define "runner.fullname" -}} 14 | {{- coalesce .Values.name (printf "%s-%s" (include "cf-runtime.fullname" .) "runner" | trunc 63 | trimSuffix "-") }} 15 | {{- end }} 16 | 17 | {{/* 18 | Common labels 19 | */}} 20 | {{- define "runner.labels" -}} 21 | {{ include "cf-runtime.labels" . }} 22 | codefresh.io/application: runner 23 | {{- end }} 24 | 25 | {{/* 26 | Selector labels 27 | */}} 28 | {{- define "runner.selectorLabels" -}} 29 | {{ include "cf-runtime.selectorLabels" . 
}} 30 | codefresh.io/application: runner 31 | {{- end }} 32 | 33 | {{/* 34 | Create the name of the service account to use 35 | */}} 36 | {{- define "runner.serviceAccountName" -}} 37 | {{- if .Values.serviceAccount.create }} 38 | {{- default (include "runner.fullname" .) .Values.serviceAccount.name }} 39 | {{- else }} 40 | {{- default "default" .Values.serviceAccount.name }} 41 | {{- end }} 42 | {{- end }} 43 | -------------------------------------------------------------------------------- /charts/cf-runtime/templates/_components/app-proxy/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Expand the name of the chart. 3 | */}} 4 | {{- define "app-proxy.name" -}} 5 | {{- printf "%s-%s" (include "cf-runtime.name" .) "app-proxy" | trunc 63 | trimSuffix "-" }} 6 | {{- end }} 7 | 8 | {{/* 9 | Create a default fully qualified app name. 10 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 11 | If release name contains chart name it will be used as a full name. 12 | */}} 13 | {{- define "app-proxy.fullname" -}} 14 | {{- printf "%s-%s" (include "cf-runtime.fullname" .) "app-proxy" | trunc 63 | trimSuffix "-" }} 15 | {{- end }} 16 | 17 | {{/* 18 | Common labels 19 | */}} 20 | {{- define "app-proxy.labels" -}} 21 | {{ include "cf-runtime.labels" . }} 22 | codefresh.io/application: app-proxy 23 | {{- end }} 24 | 25 | {{/* 26 | Selector labels 27 | */}} 28 | {{- define "app-proxy.selectorLabels" -}} 29 | {{ include "cf-runtime.selectorLabels" . }} 30 | codefresh.io/application: app-proxy 31 | {{- end }} 32 | 33 | 34 | {{/* 35 | Create the name of the service account to use 36 | */}} 37 | {{- define "app-proxy.serviceAccountName" -}} 38 | {{- if .Values.serviceAccount.create }} 39 | {{- default (include "app-proxy.fullname" .) 
.Values.serviceAccount.name }} 40 | {{- else }} 41 | {{- default "default" .Values.serviceAccount.name }} 42 | {{- end }} 43 | {{- end }} 44 | -------------------------------------------------------------------------------- /charts/cf-runtime/files/patch-runtime.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -x 4 | 5 | (set +x; codefresh auth create-context --api-key $API_KEY --url $API_HOST) 6 | 7 | if [[ "$AGENT" == "true" ]]; then 8 | patch_type="re" 9 | else 10 | patch_type="sys-re" 11 | fi 12 | 13 | modify_accounts() { 14 | local runtime_name_encoded 15 | runtime_name_encoded=$(yq '.metadata.name' "$1" | jq -r @uri) 16 | local accounts 17 | accounts=$(yq '.accounts' "$1") 18 | 19 | if [[ -n $accounts ]]; then 20 | local payload 21 | payload=$(echo "$accounts" | jq '{accounts: .}') 22 | set +x 23 | curl -X PUT \ 24 | -H "Content-Type: application/json" \ 25 | -H "Authorization: $API_KEY" \ 26 | -d "$payload" \ 27 | "$API_HOST/api/admin/runtime-environments/account/modify/$runtime_name_encoded" 28 | else 29 | echo "No accounts to add for $1" 30 | fi 31 | } 32 | 33 | for runtime in /opt/codefresh/*.yaml; do 34 | if [[ -f $runtime ]]; then 35 | codefresh patch $patch_type -f $runtime 36 | if [[ "$AGENT" == "false" ]]; then 37 | modify_accounts "$runtime" 38 | fi 39 | fi 40 | done 41 | 42 | for runtime in /opt/codefresh/runtime.d/system/*.yaml; do 43 | if [[ -f $runtime ]]; then 44 | codefresh patch sys-re -f $runtime 45 | modify_accounts "$runtime" 46 | fi 47 | done 48 | -------------------------------------------------------------------------------- /scripts/update_re_images.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | MYDIR=$(dirname $0) 4 | CHARTDIR="${MYDIR}/../charts/cf-runtime" 5 | 6 | < $1\e[0m"; } 20 | err() { echo -e "\e[31mERR ---> $1\e[0m" ; return 1; } 21 | 22 | runtimeJson=$(mktemp) 23 | codefresh get sys-re 
system/root --extend -o json > $runtimeJson 24 | 25 | RUNTIME_IMAGES=( 26 | ENGINE_IMAGE 27 | DIND_IMAGE 28 | CONTAINER_LOGGER_IMAGE 29 | DOCKER_PUSHER_IMAGE 30 | DOCKER_TAG_PUSHER_IMAGE 31 | DOCKER_PULLER_IMAGE 32 | DOCKER_BUILDER_IMAGE 33 | GIT_CLONE_IMAGE 34 | COMPOSE_IMAGE 35 | KUBE_DEPLOY 36 | FS_OPS_IMAGE 37 | TEMPLATE_ENGINE 38 | PIPELINE_DEBUGGER_IMAGE 39 | ) 40 | 41 | filename=$CHARTDIR/values.yaml 42 | 43 | for k in ${RUNTIME_IMAGES[@]}; do 44 | image="$(jq -er .runtimeScheduler.envVars.$k $runtimeJson)" 45 | patch "$filename" <<< $(diff -U0 -w -b --ignore-blank-lines $filename <(yq eval ".runtime.engine.runtimeImages.\"$k\" = \"$image\"" $filename)) || true 46 | done 47 | 48 | msg "The list of updated runtime images:\n" 49 | echo -e "\e[33m$(cat $CHARTDIR/values.yaml)\e[0m" -------------------------------------------------------------------------------- /charts/cf-runtime/templates/_components/event-exporter/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Expand the name of the chart. 3 | */}} 4 | {{- define "event-exporter.name" -}} 5 | {{- printf "%s-%s" (include "cf-runtime.name" .) "event-exporter" | trunc 63 | trimSuffix "-" }} 6 | {{- end }} 7 | 8 | {{/* 9 | Create a default fully qualified app name. 10 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 11 | If release name contains chart name it will be used as a full name. 12 | */}} 13 | {{- define "event-exporter.fullname" -}} 14 | {{- coalesce .Values.name (printf "%s-%s" (include "cf-runtime.fullname" .) "event-exporter" | trunc 63 | trimSuffix "-") }} 15 | {{- end }} 16 | 17 | {{/* 18 | Common labels 19 | */}} 20 | {{- define "event-exporter.labels" -}} 21 | {{ include "cf-runtime.labels" . }} 22 | app: event-exporter 23 | {{- end }} 24 | 25 | {{/* 26 | Selector labels 27 | */}} 28 | {{- define "event-exporter.selectorLabels" -}} 29 | {{ include "cf-runtime.selectorLabels" . 
}} 30 | app: event-exporter 31 | {{- end }} 32 | 33 | 34 | {{/* 35 | Create the name of the service account to use 36 | */}} 37 | {{- define "event-exporter.serviceAccountName" -}} 38 | {{- if .Values.serviceAccount.create }} 39 | {{- default (include "event-exporter.fullname" .) .Values.serviceAccount.name }} 40 | {{- else }} 41 | {{- default "default" .Values.serviceAccount.name }} 42 | {{- end }} 43 | {{- end }} 44 | -------------------------------------------------------------------------------- /charts/cf-runtime/templates/_components/runner/environment-variables/_main-container.yaml: -------------------------------------------------------------------------------- 1 | {{- define "runner.environment-variables.defaults" }} 2 | AGENT_MODE: InCluster 3 | SELF_DEPLOYMENT_NAME: 4 | valueFrom: 5 | fieldRef: 6 | fieldPath: metadata.name 7 | {{- end }} 8 | 9 | {{- define "runner.environment-variables.calculated" }} 10 | AGENT_ID: {{ include "runtime.runtime-environment-spec.agent-name" . }} 11 | CODEFRESH_HOST: {{ include "runtime.runtime-environment-spec.codefresh-host" . }} 12 | CODEFRESH_IN_CLUSTER_RUNTIME: {{ include "runtime.runtime-environment-spec.runtime-name" . }} 13 | CODEFRESH_TOKEN: 14 | valueFrom: 15 | secretKeyRef: 16 | name: {{ include "runner.fullname" . }} 17 | key: agent-codefresh-token 18 | DOCKER_REGISTRY: {{ .Values.global.imageRegistry }} 19 | RUNTIME_CHART_VERSION: {{ .Chart.Version }} 20 | {{- end }} 21 | 22 | {{- define "runner.environment-variables" }} 23 | {{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }} 24 | {{- $defaults := (include "runner.environment-variables.defaults" . | fromYaml) }} 25 | {{- $calculated := (include "runner.environment-variables.calculated" . 
| fromYaml) }} 26 | {{- $overrides := .Values.env }} 27 | {{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }} 28 | {{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }} 29 | {{- end }} 30 | -------------------------------------------------------------------------------- /charts/cf-runtime/tests/values-private-registry.yaml: -------------------------------------------------------------------------------- 1 | global: 2 | imageRegistry: somedomain.io 3 | 4 | runtime: 5 | # just locking tags for unit test 6 | engine: 7 | image: 8 | tag: tagoverride 9 | digest: "" 10 | runtimeImages: 11 | compose: 12 | tag: tagoverride 13 | digest: "" 14 | container-logger: 15 | tag: tagoverride 16 | digest: "" 17 | default-qemu: 18 | tag: tagoverride 19 | digest: "" 20 | docker-builder: 21 | tag: tagoverride 22 | digest: "" 23 | docker-puller: 24 | tag: tagoverride 25 | digest: "" 26 | docker-pusher: 27 | tag: tagoverride 28 | digest: "" 29 | docker-tag-pusher: 30 | tag: tagoverride 31 | digest: "" 32 | fs-ops: 33 | tag: tagoverride 34 | digest: "" 35 | git-cloner: 36 | tag: tagoverride 37 | digest: "" 38 | kube-deploy: 39 | tag: tagoverride 40 | digest: "" 41 | pipeline-debugger: 42 | tag: tagoverride 43 | digest: "" 44 | template-engine: 45 | tag: tagoverride 46 | digest: "" 47 | alpine: 48 | tag: tagoverride 49 | digest: "" 50 | gc-builder: 51 | tag: tagoverride 52 | digest: "" 53 | cosign-image-signer: 54 | tag: tagoverride 55 | digest: "" 56 | 57 | dind: 58 | image: 59 | tag: tagoverride 60 | digest: "" 61 | -------------------------------------------------------------------------------- /charts/cf-runtime/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | description: A Helm chart for Codefresh Runner 3 | name: cf-runtime 4 | version: 9.0.3 5 | keywords: 6 | - codefresh 7 | - runner 8 | home: https://codefresh.io/ 9 | icon: 
https://avatars1.githubusercontent.com/u/11412079?v=3 10 | sources: 11 | - https://github.com/codefresh-io/venona 12 | maintainers: 13 | - name: codefresh 14 | url: https://codefresh-io.github.io/ 15 | annotations: 16 | # 💡 Do not forget to update this annotation: 17 | artifacthub.io/containsSecurityUpdates: "true" 18 | # Supported kinds: `added`, `changed`, `deprecated`, `removed`, `fixed`, `security`: 19 | artifacthub.io/changes: | 20 | - kind: changed 21 | description: "Update \"engine\" to 2.1.0." 22 | - kind: fixed 23 | description: "Prevent \"on_finish\" and \"on_elected\" pipeline hooks from executing in the middle if paused for \"pending-approval\" step." 24 | - kind: deprecated 25 | description: "Print deprecation warning in build logs if Docker daemon is running on cgroup v1" 26 | links: 27 | - name: Docker cgroup v1 deprecation notice 28 | url: https://docs.docker.com/engine/deprecated/#support-for-cgroup-v1 29 | - kind: changed 30 | description: "Update \"cf-docker-builder\" to 1.5.3." 31 | - kind: security 32 | description: "Fix various security vulnerabilities in \"cf-docker-builder\"." 
33 | dependencies: 34 | - name: cf-common 35 | repository: oci://quay.io/codefresh/charts 36 | version: 0.21.0 37 | -------------------------------------------------------------------------------- /charts/cf-runtime/templates/hooks/post-install/rbac-gencerts-dind.yaml: -------------------------------------------------------------------------------- 1 | {{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }} 2 | {{ $values := .Values.runtime.gencerts }} 3 | {{- if and $values.enabled }} 4 | --- 5 | apiVersion: v1 6 | kind: ServiceAccount 7 | metadata: 8 | name: {{ coalesce .Values.runtime.gencerts.name (printf "%s-dind-gencerts" (include "runtime.fullname" .)) }} 9 | namespace: {{ .Release.Namespace }} 10 | --- 11 | apiVersion: rbac.authorization.k8s.io/v1 12 | kind: Role 13 | metadata: 14 | name: {{ coalesce .Values.runtime.gencerts.name (printf "%s-dind-gencerts" (include "runtime.fullname" .)) }} 15 | namespace: {{ .Release.Namespace }} {{- /* NOTE(review): unlike the pre-delete cleanup RBAC in hooks/pre-delete/rbac-cleanup-resources.yaml, none of the objects in this file carry helm.sh/hook annotations, so this ServiceAccount and its Role (get/list/watch/create/update/patch/delete on secrets and configmaps in the release namespace) are ordinary release resources that remain after the post-install hook has run. Confirm that is intended; if the grant is only needed while the gencerts hook executes, add the hook annotations and a hook-delete-policy as the cleanup RBAC does. */}} 16 | rules: 17 | - apiGroups: 18 | - "" 19 | resources: 20 | - secrets 21 | - configmaps 22 | verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] 23 | --- 24 | apiVersion: rbac.authorization.k8s.io/v1 25 | kind: RoleBinding 26 | metadata: 27 | name: {{ coalesce .Values.runtime.gencerts.name (printf "%s-dind-gencerts" (include "runtime.fullname" .)) }} 28 | namespace: {{ .Release.Namespace }} 29 | roleRef: 30 | apiGroup: rbac.authorization.k8s.io 31 | kind: Role 32 | name: {{ coalesce .Values.runtime.gencerts.name (printf "%s-dind-gencerts" (include "runtime.fullname" .)) }} 33 | subjects: 34 | - kind: ServiceAccount 35 | name: {{ coalesce .Values.runtime.gencerts.name (printf "%s-dind-gencerts" (include "runtime.fullname" .)) }} 36 | namespace: {{ .Release.Namespace }} 37 | {{ end }} 38 | -------------------------------------------------------------------------------- /charts/cf-runtime/templates/_components/event-exporter/_rbac.yaml: 
-------------------------------------------------------------------------------- 1 | {{- define "event-exporter.resources.rbac" -}} 2 | {{- if .Values.serviceAccount.create }} 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | name: {{ include "event-exporter.serviceAccountName" . }} 7 | labels: 8 | {{- include "event-exporter.labels" . | nindent 4 }} 9 | {{- with .Values.serviceAccount.annotations }} 10 | annotations: 11 | {{- toYaml . | nindent 4 }} 12 | {{- end }} 13 | {{- end }} 14 | --- 15 | {{- if .Values.rbac.create }} 16 | kind: ClusterRole 17 | apiVersion: rbac.authorization.k8s.io/v1 18 | metadata: 19 | name: {{ include "event-exporter.fullname" . }} 20 | labels: 21 | {{- include "event-exporter.labels" . | nindent 4 }} 22 | rules: 23 | - apiGroups: [""] 24 | resources: [events] 25 | verbs: [get, list, watch] 26 | {{- with .Values.rbac.rules }} 27 | {{ toYaml . | nindent 2 }} 28 | {{- end }} 29 | {{- end }} 30 | --- 31 | {{- if and .Values.serviceAccount.create .Values.rbac.create }} 32 | kind: ClusterRoleBinding 33 | apiVersion: rbac.authorization.k8s.io/v1 34 | metadata: 35 | name: {{ include "event-exporter.fullname" . }} 36 | labels: 37 | {{- include "event-exporter.labels" . | nindent 4 }} 38 | subjects: 39 | - kind: ServiceAccount 40 | name: {{ include "event-exporter.serviceAccountName" . }} 41 | namespace: {{ .Release.Namespace }} 42 | roleRef: 43 | kind: ClusterRole 44 | name: {{ include "event-exporter.fullname" . 
}} 45 | apiGroup: rbac.authorization.k8s.io 46 | {{- end }} 47 | {{- end -}} 48 | -------------------------------------------------------------------------------- /charts/cf-runtime/templates/hooks/pre-delete/rbac-cleanup-resources.yaml: -------------------------------------------------------------------------------- 1 | {{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }} 2 | {{ $values := .Values.runtime.patch }} 3 | {{- if and $values.enabled }} 4 | --- 5 | apiVersion: v1 6 | kind: ServiceAccount 7 | metadata: 8 | name: {{ include "runtime.fullname" . }}-cleanup 9 | namespace: {{ .Release.Namespace }} 10 | annotations: 11 | "helm.sh/hook": pre-delete 12 | "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed 13 | --- 14 | apiVersion: rbac.authorization.k8s.io/v1 15 | kind: Role 16 | metadata: 17 | name: {{ include "runtime.fullname" . }}-cleanup 18 | namespace: {{ .Release.Namespace }} 19 | annotations: 20 | "helm.sh/hook": pre-delete 21 | "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed {{- /* NOTE(review): the rules below grant every verb on every resource in every API group within the release namespace, i.e. the broadest possible namespaced grant. Its exposure is bounded by the hook-delete-policy above (the Role and its binding are removed once the pre-delete hook succeeds or fails), but if the set of resource kinds the cleanup job deletes is known, list those kinds and verbs explicitly instead of "*". */}} 22 | rules: 23 | - apiGroups: 24 | - "*" 25 | resources: 26 | - "*" 27 | verbs: 28 | - "*" 29 | --- 30 | apiVersion: rbac.authorization.k8s.io/v1 31 | kind: RoleBinding 32 | metadata: 33 | name: {{ include "runtime.fullname" . }}-cleanup 34 | namespace: {{ .Release.Namespace }} 35 | annotations: 36 | "helm.sh/hook": pre-delete 37 | "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed 38 | roleRef: 39 | apiGroup: rbac.authorization.k8s.io 40 | kind: Role 41 | name: {{ include "runtime.fullname" . }}-cleanup 42 | subjects: 43 | - kind: ServiceAccount 44 | name: {{ include "runtime.fullname" . 
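}}-cleanup
    namespace: {{ .Release.Namespace }}
{{ end }}
--------------------------------------------------------------------------------
/charts/cf-runtime/templates/_components/app-proxy/_rbac.yaml:
--------------------------------------------------------------------------------
{{- /*
app-proxy.resources.rbac renders the ServiceAccount, Role/ClusterRole and the
matching binding for the app-proxy component.
.Values.rbac.namespaced selects between namespaced (Role/RoleBinding) and
cluster-wide (ClusterRole/ClusterRoleBinding) objects; the role kind, the
binding kind and the binding's roleRef.kind must all follow the same switch,
because the API server rejects a ClusterRoleBinding whose roleRef.kind is "Role".
*/}}
{{- define "app-proxy.resources.rbac" -}}
{{- if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "app-proxy.serviceAccountName" . }}
  labels:
    {{- include "app-proxy.labels" . | nindent 4 }}
  {{- with .Values.serviceAccount.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
{{- end }}
---
{{- if .Values.rbac.create }}
kind: {{ .Values.rbac.namespaced | ternary "Role" "ClusterRole" }}
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ include "app-proxy.fullname" . }}
  labels:
    {{- include "app-proxy.labels" . | nindent 4 }}
rules:
  - apiGroups: [ "" ]
    resources: [ "secrets" ]
    verbs: [ "get" ]
{{- with .Values.rbac.rules }}
{{ toYaml . | nindent 2 }}
{{- end }}
{{- end }}
---
{{- if and .Values.serviceAccount.create .Values.rbac.create }}
kind: {{ .Values.rbac.namespaced | ternary "RoleBinding" "ClusterRoleBinding" }}
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ include "app-proxy.fullname" . }}
  labels:
    {{- include "app-proxy.labels" . | nindent 4 }}
subjects:
  - kind: ServiceAccount
    name: {{ include "app-proxy.serviceAccountName" . }}
    namespace: {{ .Release.Namespace }}
roleRef:
  {{- /* Previously hard-coded to "Role": with rbac.namespaced=false that produced a
         ClusterRoleBinding pointing at kind Role, which fails API validation, so the
         cluster-wide variant never bound the ServiceAccount to the ClusterRole created above. */}}
  kind: {{ .Values.rbac.namespaced | ternary "Role" "ClusterRole" }}
  name: {{ include "app-proxy.fullname" . }}
  apiGroup: rbac.authorization.k8s.io
{{- end }}
{{- end -}}
--------------------------------------------------------------------------------
/charts/cf-runtime/values-rootless.yaml:
--------------------------------------------------------------------------------
volumeProvisioner:
  env:
    IS_ROOTLESS: true
  # -- Only if local volumes are used as backend storage (ignored for ebs/ebs-csi disks)
  dind-lv-monitor:
    image:
      tag: 1.30.0-rootless
      digest: sha256:712e549e6e843b04684647f17e0973f8047e0d60e6e8b38a693ea64dc75b0479
    containerSecurityContext:
      runAsUser: 1000
    podSecurityContext:
      fsGroup: 1000
      # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#configure-volume-permission-and-ownership-change-policy-for-pods
      fsGroupChangePolicy: "OnRootMismatch"
    # -- Enable initContainer to run chmod for /var/lib/codefresh/dind-volumes on host nodes
    volumePermissions:
      enabled: false

runtime:
  dind:
    image:
      tag: 28.5.1-3.0.5-rootless
      digest: sha256:49d77f61e754db1329c7969cc20d2e6b6d034faa33b7303835eff318223e85ed
    userVolumeMounts:
      dind:
        name: dind
        mountPath: /home/rootless/.local/share/docker
    containerSecurityContext:
      # NOTE(review): "rootless" in this profile refers to the uid inside the
      # container (runAsUser below). The dind container itself is still started
      # privileged, which this values file does not change.
      privileged: true
      runAsUser: 1000
    podSecurityContext:
      fsGroup: 1000
      # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#configure-volume-permission-and-ownership-change-policy-for-pods
      fsGroupChangePolicy: "OnRootMismatch"
    # -- Enable initContainer to run chmod for /home/rootless in DinD pod
    # !!! 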
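# Will slow down dind pod startup
    volumePermissions:
      enabled: true
--------------------------------------------------------------------------------
/charts/cf-runtime/files/create-kubeconfig.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Build a kubeconfig for the codefresh-runtime-user ServiceAccount in NAMESPACE,
# pointing at the cluster behind the current kubectl context, and write it to
# ./CLUSTER_NAME-kubeconfig. The resulting file embeds the ServiceAccount's
# bearer token, so it is a credential and is handled as one below.
#
# Arguments: $1 = NAMESPACE, $2 = CLUSTER_NAME (both required).

set -x

NAMESPACE=$1
if [ -z "$NAMESPACE" ]; then
  echo "Usage: $0 "
  exit 1
fi
CLUSTER_NAME=$2
if [ -z "$CLUSTER_NAME" ]; then
  echo "Usage: $0 "
  exit 1
fi
CURRENT_CONTEXT=$(kubectl config current-context)

# Read the token with xtrace switched off: under `set -x` bash echoes each
# assignment with its expanded value, so the decoded bearer token would
# otherwise be written to the trace output on stderr.
set +x
USER_TOKEN_VALUE=$(kubectl -n "$NAMESPACE" get secret/codefresh-runtime-user-token -o=go-template='{{.data.token}}' | base64 --decode)
set -x
CURRENT_CLUSTER=$(kubectl config view --raw -o=go-template='{{range .contexts}}{{if eq .name "'''${CURRENT_CONTEXT}'''"}}{{ index .context "cluster" }}{{end}}{{end}}')
CLUSTER_CA=$(kubectl config view --raw -o=go-template='{{range .clusters}}{{if eq .name "'''${CURRENT_CLUSTER}'''"}}"{{with index .cluster "certificate-authority-data" }}{{.}}{{end}}"{{ end }}{{ end }}')
CLUSTER_SERVER=$(kubectl config view --raw -o=go-template='{{range .clusters}}{{if eq .name "'''${CURRENT_CLUSTER}'''"}}{{ .cluster.server }}{{end}}{{ end }}')

# Plain export instead of `export -p`: the -p form also prints the variables in
# reusable `declare -x` form on stdout, which would print the token. The heredoc
# below expands shell variables directly, so the export is kept only for any
# child process that may rely on these names being in the environment.
export USER_TOKEN_VALUE CURRENT_CONTEXT CURRENT_CLUSTER CLUSTER_CA CLUSTER_SERVER CLUSTER_NAME

# The kubeconfig contains a bearer token: create it owner-readable only rather
# than inheriting the caller's (typically 022) umask.
umask 077
cat << EOF > "$CLUSTER_NAME-kubeconfig"
apiVersion: v1
kind: Config
current-context: ${CLUSTER_NAME}
contexts:
- name: ${CLUSTER_NAME}
  context:
    cluster: ${CLUSTER_NAME}
    user: codefresh-runtime-user
    namespace: ${NAMESPACE}
clusters:
- name: ${CLUSTER_NAME}
  cluster:
    certificate-authority-data: ${CLUSTER_CA}
    server: ${CLUSTER_SERVER}
users:
- name: codefresh-runtime-user
  user:
    token: ${USER_TOKEN_VALUE}
EOF
--------------------------------------------------------------------------------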
/charts/cf-runtime/templates/_components/runner/environment-variables/_init-container.yaml: -------------------------------------------------------------------------------- 1 | {{- define "runner-init.environment-variables.defaults" }} 2 | HOME: /tmp 3 | {{- end }} 4 | 5 | {{- define "runner-init.environment-variables.calculated" }} 6 | AGENT_NAME: {{ include "runtime.runtime-environment-spec.agent-name" . }} 7 | API_HOST: {{ include "runtime.runtime-environment-spec.codefresh-host" . }} 8 | AGENT_CODEFRESH_TOKEN: 9 | valueFrom: 10 | secretKeyRef: 11 | name: {{ include "runner.fullname" . }} 12 | key: agent-codefresh-token 13 | optional: true 14 | EXISTING_AGENT_CODEFRESH_TOKEN: {{ include "runtime.agent-token-env-var-value" . | nindent 2 }} 15 | KUBE_CONTEXT: {{ include "runtime.runtime-environment-spec.context-name" . }} 16 | KUBE_NAMESPACE: {{ .Release.Namespace }} 17 | OWNER_NAME: {{ include "runner.fullname" . }} 18 | RUNTIME_NAME: {{ include "runtime.runtime-environment-spec.runtime-name" . }} 19 | SECRET_NAME: {{ include "runner.fullname" . }} 20 | USER_CODEFRESH_TOKEN: {{ include "runtime.installation-token-env-var-value" . | nindent 2 }} 21 | {{- end }} 22 | 23 | {{- define "runner-init.environment-variables" }} 24 | {{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }} 25 | {{- $defaults := (include "runner-init.environment-variables.defaults" . | fromYaml) }} 26 | {{- $calculated := (include "runner-init.environment-variables.calculated" . | fromYaml) }} 27 | {{- $overrides := .Values.env }} 28 | {{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }} 29 | {{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) 
}} 30 | {{- end }} 31 | -------------------------------------------------------------------------------- /charts/cf-runtime/templates/_components/runner/_rbac.yaml: -------------------------------------------------------------------------------- 1 | {{- define "runner.resources.rbac" -}} 2 | {{- if .Values.serviceAccount.create }} 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | name: {{ include "runner.serviceAccountName" . }} 7 | labels: 8 | {{- include "runner.labels" . | nindent 4 }} 9 | {{- with .Values.serviceAccount.annotations }} 10 | annotations: 11 | {{- toYaml . | nindent 4 }} 12 | {{- end }} 13 | {{- end }} 14 | --- 15 | {{- if .Values.rbac.create }} 16 | kind: Role 17 | apiVersion: rbac.authorization.k8s.io/v1 18 | metadata: 19 | name: {{ include "runner.fullname" . }} 20 | labels: 21 | {{- include "runner.labels" . | nindent 4 }} 22 | rules: 23 | - apiGroups: [ "" ] 24 | resources: [ "pods", "persistentvolumeclaims" ] 25 | verbs: [ "get", "create", "delete", patch ] 26 | - apiGroups: [ "" ] 27 | resources: [ "configmaps", "secrets" ] 28 | verbs: [ "get", "create", "update", patch ] 29 | - apiGroups: [ "apps" ] 30 | resources: [ "deployments" ] 31 | verbs: [ "get" ] 32 | {{- with .Values.rbac.rules }} 33 | {{ toYaml . | nindent 2 }} 34 | {{- end }} 35 | {{- end }} 36 | --- 37 | {{- if and .Values.serviceAccount.create .Values.rbac.create }} 38 | kind: RoleBinding 39 | apiVersion: rbac.authorization.k8s.io/v1 40 | metadata: 41 | name: {{ include "runner.fullname" . }} 42 | labels: 43 | {{- include "runner.labels" . | nindent 4 }} 44 | subjects: 45 | - kind: ServiceAccount 46 | name: {{ include "runner.serviceAccountName" . }} 47 | namespace: {{ .Release.Namespace }} 48 | roleRef: 49 | kind: Role 50 | name: {{ include "runner.fullname" . 
}} 51 | apiGroup: rbac.authorization.k8s.io 52 | {{- end }} 53 | {{- end -}} 54 | -------------------------------------------------------------------------------- /charts/cf-runtime/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Expand the name of the chart. 3 | */}} 4 | {{- define "cf-runtime.name" -}} 5 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} 6 | {{- end }} 7 | 8 | {{/* 9 | Create a default fully qualified app name. 10 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 11 | If release name contains chart name it will be used as a full name. 12 | */}} 13 | {{- define "cf-runtime.fullname" -}} 14 | {{- if .Values.fullnameOverride }} 15 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} 16 | {{- else }} 17 | {{- $name := default .Chart.Name .Values.nameOverride }} 18 | {{- if contains $name .Release.Name }} 19 | {{- .Release.Name | trunc 63 | trimSuffix "-" }} 20 | {{- else }} 21 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} 22 | {{- end }} 23 | {{- end }} 24 | {{- end }} 25 | 26 | {{/* 27 | Create chart name and version as used by the chart label. 28 | */}} 29 | {{- define "cf-runtime.chart" -}} 30 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} 31 | {{- end }} 32 | 33 | {{/* 34 | Common labels 35 | */}} 36 | {{- define "cf-runtime.labels" -}} 37 | helm.sh/chart: {{ include "cf-runtime.chart" . }} 38 | {{ include "cf-runtime.selectorLabels" . }} 39 | {{- if .Chart.AppVersion }} 40 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 41 | {{- end }} 42 | app.kubernetes.io/managed-by: {{ .Release.Service }} 43 | {{- end }} 44 | 45 | {{/* 46 | Selector labels 47 | */}} 48 | {{- define "cf-runtime.selectorLabels" -}} 49 | app.kubernetes.io/name: {{ include "cf-runtime.name" . 
}} 50 | app.kubernetes.io/instance: {{ .Release.Name }} 51 | {{- end }} 52 | -------------------------------------------------------------------------------- /charts/cf-runtime/tests/volume-provisioner/dind-lv-monitor_test.yaml: -------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://raw.githubusercontent.com/quintush/helm-unittest/master/schema/helm-testsuite.json 2 | suite: dind-lv-monitor test 3 | values: 4 | - ../values.yaml 5 | templates: 6 | - templates/**.yaml 7 | release: 8 | name: cf-runtime 9 | namespace: codefresh 10 | revision: 1 11 | upgrade: true 12 | chart: 13 | appVersion: 1.0.0 14 | tests: 15 | - it: Test dind-lv-monitor default metadata 16 | template: templates/volume-provisioner/daemonset.yaml 17 | set: 18 | storage.backend: local 19 | asserts: 20 | - hasDocuments: 21 | count: 1 22 | - isKind: 23 | of: DaemonSet 24 | - isNull: 25 | path: metadata.annotations 26 | - isSubset: 27 | path: metadata.labels 28 | content: 29 | app.kubernetes.io/instance: cf-runtime 30 | app.kubernetes.io/managed-by: Helm 31 | app.kubernetes.io/name: cf-runtime 32 | codefresh.io/application: lv-monitor 33 | - equal: 34 | path: metadata.name 35 | value: dind-lv-monitor 36 | 37 | - it: Test no dind-lv-monitor is storage no local 38 | template: templates/volume-provisioner/daemonset.yaml 39 | set: 40 | storage.backend: ebs 41 | asserts: 42 | - hasDocuments: 43 | count: 0 44 | 45 | - it: Test dind-lv-monitor initContainer 46 | template: templates/volume-provisioner/daemonset.yaml 47 | set: 48 | storage.backend: local 49 | volumeProvisioner: 50 | dind-lv-monitor: 51 | volumePermissions: 52 | enabled: true 53 | asserts: 54 | - isNotNull: 55 | path: spec.template.spec.initContainers 56 | -------------------------------------------------------------------------------- /charts/cf-runtime/templates/extra/extra-runtimes.yaml: -------------------------------------------------------------------------------- 1 | {{ 
$cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }} 2 | {{- $extraRuntimes := .Values.extraRuntimes }} 3 | 4 | {{- range $runtimeIndex, $runtimeItem := $extraRuntimes }} 5 | {{- $rootContext := deepCopy $ }} 6 | {{- $_ := set $rootContext.Values.runtime "accounts" (list) }} 7 | {{- $runtimeItem = (mergeOverwrite $rootContext.Values.runtime $runtimeItem) }} 8 | {{- $_ := set $rootContext.Values "runtime" $runtimeItem }} 9 | 10 | {{- $runtimeName := required "runtimeName is required for extra runtime" $runtimeItem.runtimeName }} 11 | {{- if eq $runtimeName $rootContext.Values.global.runtimeName }} 12 | {{- fail "extra runtimeName cannot be the same as global.runtimeName" }} 13 | {{- else }} 14 | {{- $_ := set $rootContext.Values.global "runtimeName" $runtimeItem.runtimeName }} 15 | {{- end }} 16 | 17 | {{- if or (not (kindIs "slice" $runtimeItem.runtimeExtends)) (eq (len $runtimeItem.runtimeExtends) 0) }} 18 | {{- fail "runtimeExtends must be a non-empty list" }} 19 | {{- end }} 20 | 21 | {{- if not (hasPrefix "system/" $runtimeItem.runtimeName) }} 22 | {{- fail "extra runtime name must start with 'system/'" }} 23 | {{- end }} 24 | 25 | {{- $runtimeFile := printf "%s.yaml" (include "runtime.runtime-environment-spec.runtime-name-normalized" (dict "context" . 
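"runtimeName" $runtimeItem.runtimeName)) }} 26 | --- 27 | kind: ConfigMap 28 | apiVersion: v1 29 | metadata: 30 | name: {{ printf "%s-runtime-config" ( trimPrefix "system/" $runtimeItem.runtimeName | replace "_" "-" ) }} 31 | labels: 32 | {{- include "runtime.labels" $ | nindent 4 }} 33 | data: 34 | {{ $runtimeFile }}: | 35 | {{ include "runtime.runtime-environment-spec.template" $rootContext | nindent 4 | trim }} 36 | {{- end -}} 37 | -------------------------------------------------------------------------------- /scripts/generate-changelog.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Build a CHANGELOG.md from the artifacthub.io/changes annotation of a Chart.yaml.
#
# Usage: generate-changelog.sh CHART_YAML CHANGELOG_FILE
#
# The annotation is a YAML list of `- kind: <kind>` / `description: "<text>"`
# entries; the descriptions are grouped under one "## <kind>" heading each.
set -euo pipefail

# Check if the correct number of arguments is provided
if [ "$#" -ne 2 ]; then
    echo "Usage: $0 CHART_YAML CHANGELOG_FILE" >&2
    exit 1
fi

# Assign input arguments to variables
CHART_YAML="$1"
CHANGELOG_FILE="$2"

# Check if the Chart.yaml file exists
if [ ! -f "$CHART_YAML" ]; then
    echo "Error: Chart.yaml file not found at $CHART_YAML" >&2
    exit 1
fi

# Extract the artifacthub.io/changes section from the Chart.yaml: everything
# between the annotation key and the top-level `dependencies:` key, minus the
# two boundary lines themselves.
CHANGES=$(sed -n '/artifacthub.io\/changes: |/,/^dependencies:/p' "$CHART_YAML" | sed '1d;$d')

# Debug output; quoted so the line breaks of the extracted block survive.
echo "$CHANGES"

# Associative array: kind -> newline-terminated "- <description>" bullets
declare -A changes_by_kind

# Iterate through the changes and group them by kind
current_kind=""
while read -r line; do
    if [[ $line == *"- kind:"* ]]; then
        current_kind=$(echo "$line" | sed 's/.*kind: //')
        # Initialize an empty entry for the kind if it doesn't exist
        # (the `-` default keeps `set -u` happy for keys not seen yet).
        if [[ -z "${changes_by_kind[$current_kind]-}" ]]; then
            changes_by_kind[$current_kind]=""
        fi
    elif [[ $line == *"description:"* ]]; then
        # A description before any `kind:` has nowhere to go; skip it instead of
        # indexing the array with an empty key, which is a bash error.
        if [[ -z "$current_kind" ]]; then
            echo "Warning: description without a preceding kind ignored: $line" >&2
            continue
        fi
        # Strip the key and the quotes around the description text
        description=$(echo "$line" | sed 's/.*description: "//;s/"$//')
        # Append the description to the corresponding kind
        changes_by_kind[$current_kind]+="- $description"$'\n'
    fi
done <<< "$CHANGES"

# Create the CHANGELOG.md file and write the header
echo "# Changelog" > "$CHANGELOG_FILE"
echo "" >> "$CHANGELOG_FILE"

# Write the changes grouped by kind. Kinds are sorted so the output is
# deterministic (associative-array iteration order is not); kinds are single
# words, so word splitting of the sorted list is safe.
for kind in $(printf '%s\n' "${!changes_by_kind[@]}" | sort); do
    if [[ -n "${changes_by_kind[$kind]}" ]]; then
        echo "## $kind" >> "$CHANGELOG_FILE"
        echo "${changes_by_kind[$kind]}" >> "$CHANGELOG_FILE"
    fi
done
-------------------------------------------------------------------------------- /scripts/update_values_with_digests.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Pin every image in charts/cf-runtime/values.yaml to its current digest.
#
# Every map that has `registry`, `repository` and `tag` keys gets a `digest`
# key written next to them, resolved through regctl. Requires yq (v4), jq and
# regctl on PATH and network access to the registries.
#
# pipefail matters here: the main loop is the last stage of a pipeline, and
# without it a failing yq/jq in an earlier stage would silently produce an
# empty loop and a successful exit.
set -euo pipefail
set -o xtrace

MYDIR=$(dirname "$0")
CHARTDIR="${MYDIR}/../charts/cf-runtime"
VALUES_FILE="${CHARTDIR}/values.yaml"

# Resolve the digest of registry/repository:tag.
# Prints the digest on stdout. Returns non-zero (with a message on stderr) when
# regctl fails or returns something that is not a sha256 digest, so an
# unexpected registry response is never written into values.yaml.
get_image_digest() {
    local registry=$1
    local repository=$2
    local tag=$3
    local image="${registry}/${repository}:${tag}"
    local digest

    # `local digest` is declared above so the assignment does not mask regctl's exit code
    if ! digest=$(regctl image digest "$image" 2>/dev/null); then
        echo "Failed to get digest for ${image}" >&2
        return 1
    fi
    # The value is spliced into a yq expression by the caller; accept only the
    # expected shape (sha256 is what registries return today).
    if [[ ! "$digest" =~ ^sha256:[0-9a-f]{64}$ ]]; then
        echo "Unexpected digest for ${image}: ${digest}" >&2
        return 1
    fi
    echo "$digest"
}

# find paths to all maps having registry/repository/tag
yq -o=json '.. | select(type == "!!map" and has("registry") and has("repository") and has("tag")) | path' "$VALUES_FILE" |
    jq -c '.' |
    while IFS= read -r path_json; do
        # build yq path expression: numeric keys are list indices, the rest map keys
        yq_path=""
        for key in $(echo "$path_json" | jq -r '.[]'); do
            if [[ "$key" =~ ^[0-9]+$ ]]; then
                yq_path+="[$key]"
            else
                yq_path+=".$key"
            fi
        done

        # extract registry/repo/tag at this path
        registry=$(yq -r "${yq_path}.registry" "$VALUES_FILE")
        repository=$(yq -r "${yq_path}.repository" "$VALUES_FILE")
        tag=$(yq -r "${yq_path}.tag" "$VALUES_FILE")

        # skip if any are missing
        if [[ -z "$registry" || -z "$repository" || -z "$tag" || "$registry" == "null" || "$repository" == "null" || "$tag" == "null" ]]; then
            echo "⚠️ Skipping incomplete entry at $yq_path"
            continue
        fi

        image="${registry}/${repository}:${tag}"
        echo "🔎 Checking image: $image"

        # The loop runs in a pipeline subshell; `exit 1` fails that stage and,
        # with pipefail + errexit, the whole script.
        if digest=$(get_image_digest "$registry" "$repository" "$tag"); then
            echo "✅ Digest: $digest"
        else
            echo "❌ Failed to get digest for $image"
            exit 1
        fi

        # write back to YAML
        echo "✍️ Writing digest back at $yq_path"
        yq -i "${yq_path}.digest = \"$digest\"" "$VALUES_FILE"
    done
-------------------------------------------------------------------------------- /charts/cf-runtime/templates/_components/monitor/_rbac.yaml: -------------------------------------------------------------------------------- 1 | {{- define "monitor.resources.rbac" -}} 2 | {{- if .Values.serviceAccount.create }} 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | name: {{ include "monitor.serviceAccountName" . }} 7 | labels: 8 | {{- include "monitor.labels" . | nindent 4 }} 9 | {{- with .Values.serviceAccount.annotations }} 10 | annotations: 11 | {{- toYaml . | nindent 4 }} 12 | {{- end }} 13 | {{- end }} 14 | --- 15 | {{- if .Values.rbac.create }} 16 | kind: {{ .Values.rbac.namespaced | ternary "Role" "ClusterRole" }} 17 | apiVersion: rbac.authorization.k8s.io/v1 18 | metadata: 19 | name: {{ include "monitor.fullname" . 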
}}
  labels:
    {{- include "monitor.labels" . | nindent 4 }}
rules:
  {{- /*
  NOTE(review): the first rule grants get/list/watch/create/delete on every
  resource of the core API group (Secrets, ServiceAccounts and ConfigMaps
  included), and with rbac.namespaced=false it is granted cluster-wide through
  a ClusterRole. Confirm the monitor needs more than the pods rule below and
  narrow the resource list if it does not.
  */}}
  - apiGroups: [ "" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "delete" ]
  - apiGroups: [ "" ]
    resources: [ "pods" ]
    verbs: [ "get", "list", "watch", "create", "deletecollection" ]
  - apiGroups: [ "extensions" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch" ]
  - apiGroups: [ "apps" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch" ]
  {{- /* Extra rules supplied by the chart user are appended verbatim. */}}
  {{- with .Values.rbac.rules }}
  {{ toYaml . | nindent 2 }}
  {{- end }}
{{- end }}
---
{{- if and .Values.serviceAccount.create .Values.rbac.create }}
kind: {{ .Values.rbac.namespaced | ternary "RoleBinding" "ClusterRoleBinding" }}
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ include "monitor.fullname" . }}
  labels:
    {{- include "monitor.labels" . | nindent 4 }}
subjects:
  - kind: ServiceAccount
    name: {{ include "monitor.serviceAccountName" . }}
    namespace: {{ .Release.Namespace }}
roleRef:
  kind: {{ .Values.rbac.namespaced | ternary "Role" "ClusterRole" }}
  name: {{ include "monitor.fullname" . }}
  apiGroup: rbac.authorization.k8s.io
{{- end }}
{{- end -}}
-------------------------------------------------------------------------------- /charts/cf-runtime/templates/_components/ballast/_deployment.yaml: -------------------------------------------------------------------------------- 1 | {{- define "ballast.resources.deployment" -}} 2 | {{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }} 3 | {{- $name := .Values.name }} 4 | apiVersion: apps/v1 5 | kind: Deployment 6 | metadata: 7 | name: {{ include "ballast.fullname" . }} 8 | labels: 9 | {{- include "ballast.labels" . | nindent 4 }} 10 | spec: 11 | replicas: {{ .Values.replicasCount }} 12 | selector: 13 | matchLabels: 14 | {{- include "ballast.selectorLabels" . 
| nindent 6 }} 15 | app.kubernetes.io/component: {{ $name }} 16 | template: 17 | metadata: 18 | labels: 19 | {{- include "ballast.selectorLabels" . | nindent 8 }} 20 | app.kubernetes.io/component: {{ $name }} 21 | {{- with .Values.podAnnotations }} 22 | annotations: 23 | {{- toYaml . | nindent 8 }} 24 | {{- end }} 25 | spec: 26 | priorityClassName: cf-ballast 27 | {{- if .Values.schedulerName }} 28 | schedulerName: {{ .Values.schedulerName }} 29 | {{- end }} 30 | {{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver) . | nindent 8 }} 31 | {{- if .Values.podSecurityContext.enabled }} 32 | securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} 33 | {{- end }} 34 | containers: 35 | - name: pause 36 | image: {{ include (printf "%s.image.name" $cfCommonTplSemver) (dict "image" .Values.image "context" .) }} 37 | imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }} 38 | resources: 39 | {{- toYaml .Values.resources | nindent 12 }} 40 | {{- with .Values.nodeSelector }} 41 | nodeSelector: 42 | {{- toYaml . | nindent 8 }} 43 | {{- end }} 44 | {{- with .Values.affinity }} 45 | affinity: 46 | {{- toYaml . | nindent 8 }} 47 | {{- end }} 48 | {{- with .Values.tolerations }} 49 | tolerations: 50 | {{- toYaml . 
| nindent 6 }} 51 | {{- end }} 52 | {{- end -}} 53 | -------------------------------------------------------------------------------- /venona/secrets/minikube.codefresh.runtime.yaml: -------------------------------------------------------------------------------- 1 | crt: | 2 | -----BEGIN CERTIFICATE----- 3 | MIIDBjCCAe6gAwIBAgIBATANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwptaW5p 4 | a3ViZUNBMB4XDTIxMDQwNTA3MDExMloXDTMxMDQwNDA3MDExMlowFTETMBEGA1UE 5 | AxMKbWluaWt1YmVDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMn4 6 | fckTNjMs0QzLBymfV8GNNmwg5iU5asR7YhCAFB4f2cBErGMk1ohTW5kA2iqY5Bgv 7 | H9TbyX/n9xSTD0WGKZw1eO5/UAyvOxiw0oLKjqX/hbFJMjybGvh3WKTnjs+YPln+ 8 | hHEHGFnZPb+4qMUYtJoMazwsAZphk85lihkfQ+BkKhlHQ5K7g/CS41DGpTCc2rWn 9 | Qdc8ItkfhDDniPUnYi5GI2/L4godpqQ8KYc/Dt0k/bD+A+DMs/daZAjQMpA6BJjz 10 | TKtCuXfkk1Ly/SfqgEnFbbfbZjJ/Vsdnd+la/+I8i1cAknMmVGDjBInIxrvzzQBN 11 | /bwdG2MQnvpZvYokFVsCAwEAAaNhMF8wDgYDVR0PAQH/BAQDAgKkMB0GA1UdJQQW 12 | MBQGCCsGAQUFBwMCBggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW 13 | BBRvRmnNCQ/3b7oxesLWa8pA6k9O3zANBgkqhkiG9w0BAQsFAAOCAQEAAoiSQv3K 14 | FO8VvbuOXZS2umxDqg4sbmOGkyoZHj2d5iZZetuXIFb0Bjy/2pPsjLTiJJyjCxmx 15 | YWPr84O6YY15vNII5B4wlcE8WbLWtp3h6LZvlsMN+UW3j9Jbaol3GKUB8c3KYWn7 16 | WEmtcnV1SC6ordAW40EhEVM1aYkEMRZk43zojUVm3xhFnYJNwpq7nJGU++Bx1zte 17 | fEZE77NC+rHGtAh4Ti6naUZ3+ti8kQQ6EJ33Vs6lhMpjKqmS+b1AtDGkUcw8s0jX 18 | KIdwvVjmwi9OCQP699VBWLYRUmezS7EnKdWuZfspmn8o5bhN1D6QlbCliIbQMBbs 19 | LtTWqnJeOsKp7A== 20 | -----END CERTIFICATE----- 21 | token: 
eyJhbGciOiJSUzI1NiIsImtpZCI6Im5ZZWpQTGMwOGtGdzBWVG4xQ096QTFxOVQ2TFZpWkFIQl9uQW1YV3NONmcifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJjb2RlZnJlc2giLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoicnVubmVyLXRva2VuLXZzMnI5Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6InJ1bm5lciIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjllNzE2Mjk2LTUzZjgtNDAyMi04OTI3LWExZTUyYjNiMjU1MyIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpjb2RlZnJlc2g6cnVubmVyIn0.kqMD8Fn0Uii8kIIHM0V4LIKsXWgP7U7m9emLS0kA3jvA6w7hp41xOAQB5xNo166_rqJcWodLnLr8fiQcnHkAuAl2wdalKcnLT-3HbApUo0DG7sHywdMsiuxidSe6-tguP5lJ4ReCu_ucQ97bu9Cz5uacFbvWx3ZTGfkiK1C4pe71OZfQqUhCbSn1UerUJPxpI1xepD69RN31UjZYegPZpEyzDUqpI8IUVxay15LvWNdTqUqVrGVMp7MURVInuFpwtM6MNLArQtyU9JOC9WKjvAmmOdMbmi6EJQjEnifPmvfPA8L3Uo8VG4h5woTEMX1bHmm4KNjcXmIbeki2jEl6Ug 22 | host: https://192.168.0.157:8443 23 | name: minikube/codefresh 24 | type: runtime 25 | -------------------------------------------------------------------------------- /charts/cf-runtime/templates/_components/volume-provisioner/_storageclass.yaml: -------------------------------------------------------------------------------- 1 | {{- define "dind-volume-provisioner.resources.storageclass" -}} 2 | kind: StorageClass 3 | apiVersion: storage.k8s.io/v1 4 | metadata: 5 | {{/* has to be exactly that */}} 6 | name: {{ include "dind-volume-provisioner.storageClassName" . }} 7 | labels: 8 | {{- include "dind-volume-provisioner.labels" . | nindent 4 }} 9 | provisioner: {{ include "dind-volume-provisioner.volumeProvisionerName" . 
}} 10 | parameters: 11 | {{- if eq .Values.storage.backend "local" }} 12 | volumeBackend: local 13 | volumeParentDir: {{ .Values.storage.local.volumeParentDir }} 14 | {{- else if eq .Values.storage.backend "gcedisk" }} 15 | volumeBackend: {{ .Values.storage.backend }} 16 | type: {{ .Values.storage.gcedisk.volumeType | default "pd-ssd" }} 17 | zone: {{ required ".Values.storage.gcedisk.availabilityZone is required" .Values.storage.gcedisk.availabilityZone }} 18 | fsType: {{ .Values.storage.fsType | default "ext4" }} 19 | {{- else if or (eq .Values.storage.backend "ebs") (eq .Values.storage.backend "ebs-csi")}} 20 | volumeBackend: {{ .Values.storage.backend }} 21 | VolumeType: {{ .Values.storage.ebs.volumeType | default "gp3" }} 22 | AvailabilityZone: {{ required ".Values.storage.ebs.availabilityZone is required" .Values.storage.ebs.availabilityZone }} 23 | fsType: {{ .Values.storage.fsType | default "ext4" }} 24 | encrypted: {{ .Values.storage.ebs.encrypted | default "false" | quote }} 25 | {{- with .Values.storage.ebs.kmsKeyId }} 26 | kmsKeyId: {{ . | quote }} 27 | {{- end }} 28 | {{- with .Values.storage.ebs.iops }} 29 | iops: {{ . | quote }} 30 | {{- end }} 31 | {{- with .Values.storage.ebs.throughput }} 32 | throughput: {{ . | quote }} 33 | {{- end }} 34 | {{- else if or (eq .Values.storage.backend "azuredisk") (eq .Values.storage.backend "azuredisk-csi")}} 35 | volumeBackend: {{ .Values.storage.backend }} 36 | kind: managed 37 | skuName: {{ .Values.storage.azuredisk.skuName | default "Premium_LRS" }} 38 | fsType: {{ .Values.storage.fsType | default "ext4" }} 39 | cachingMode: {{ .Values.storage.azuredisk.cachingMode | default "None" }} 40 | {{- with .Values.storage.azuredisk.availabilityZone }} 41 | availabilityZone: {{ . | quote }} 42 | {{- end }} 43 | {{- with .Values.storage.azuredisk.resourceGroup }} 44 | resourceGroup: {{ . 
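| quote }} 45 | {{- end }} 46 | {{- end }} 47 | {{- end -}} -------------------------------------------------------------------------------- /venona/Makefile: --------------------------------------------------------------------------------
ifndef GOBIN
ifndef GOPATH
$(error GOPATH is not set, please make sure you set your GOPATH correctly!)
endif
GOBIN=$(GOPATH)/bin
ifndef GOBIN
$(error GOBIN is not set, please make sure you set your GOBIN correctly!)
endif
endif

.PHONY: build
build:
	@sh ./scripts/build.sh

.PHONY: run
run: build
	./venona start

.PHONY: debug
debug: build
	./venona start --verbose

.PHONY: test-all
test-all: test test-fmt spellcheck gocyclo lint security-check license

.PHONY: test
test:
	@sh ./scripts/test.sh

.PHONY: test-fmt
test-fmt:
	@sh ./scripts/test-fmt.sh

# spellcheck Finds commonly misspelled English words
.PHONY: spellcheck
spellcheck:
	@misspell -error .

# Gocyclo calculates cyclomatic complexities of functions in Go source code.
# The cyclomatic complexity of a function is calculated according to the following rules:
# 1 is the base complexity of a function +1 for each 'if', 'for', 'case', '&&' or '||'
# Go Report Card warns on functions with cyclomatic complexity > 15.
.PHONY: gocyclo
gocyclo:
	@gocyclo -over 15 .

.PHONY: lint
lint: $(GOBIN)/golangci-lint
	@echo linting go code...
	@$(GOBIN)/golangci-lint run --fix --timeout 10m

# gosec uses Go's flag parsing, which stops at the first non-flag argument, so
# flags have to precede the package list or they are taken as paths. -nosec is
# the flag that makes gosec ignore #nosec annotations in the code.
.PHONY: security-check
security-check:
	@gosec -nosec ./...

# TAG is required: without it the image reference would be "codefresh/venona:".
.PHONY: docker-security-scan
docker-security-scan:
	@test -n "$(TAG)" || { echo "TAG is required, e.g. make docker-security-scan TAG=<version>" >&2; exit 1; }
	@trivy image --clear-cache
	@trivy image codefresh/venona:$(TAG)

## License check all the golang files to have the license.
## `**` is not recursive in the shell make uses (no globstar), so the files are
## enumerated with find instead of a glob.
.PHONY: license
license:
	@find . -name '*.go' -print0 | xargs -0 addlicense -check -f License

# Fix fmt errors in file
.PHONY: fmt
fmt:
	go fmt ./...

# Generate mock struct from interface
# example: make mock PKG=./pkg/runtime NAME=Runtime
# The binary from $(GOBIN) is used, like golangci-lint above, so the target does
# not depend on GOBIN being on PATH.
.PHONY: mock
mock: $(GOBIN)/mockery
	@$(GOBIN)/mockery

# Runs script to upload codecov coverage data.
# NOTE(review): the token is passed as a command-line argument, which other
# local processes can read; prefer passing it through the environment if
# scripts/codecov.sh supports that.
.PHONY: upload-coverage
upload-coverage:
	@./scripts/codecov.sh -t $(CODECOV_TOKEN)

$(GOBIN)/mockery:
	@go install github.com/vektra/mockery/v2@v2.33.1
	@$(GOBIN)/mockery --version

# The golangci-lint version is pinned, but the installer script itself is fetched
# from the unpinned master branch and piped into sh; pin the script to a tag (or
# vendor it) if this is run from CI.
$(GOBIN)/golangci-lint:
	@echo installing: golangci-lint
	@curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(GOBIN) v2.4.0
-------------------------------------------------------------------------------- /charts/cf-runtime/templates/_components/event-exporter/_deployment.yaml: -------------------------------------------------------------------------------- 1 | {{- define "event-exporter.resources.deployment" -}} 2 | {{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }} 3 | apiVersion: apps/v1 4 | kind: Deployment 5 | metadata: 6 | name: {{ include "event-exporter.fullname" . }} 7 | labels: 8 | {{- include "event-exporter.labels" . | nindent 4 }} 9 | spec: 10 | replicas: {{ .Values.replicasCount }} 11 | strategy: 12 | type: {{ .Values.updateStrategy.type }} 13 | selector: 14 | matchLabels: 15 | {{- include "event-exporter.selectorLabels" . | nindent 6 }} 16 | template: 17 | metadata: 18 | labels: 19 | {{- include "event-exporter.selectorLabels" . | nindent 8 }} 20 | {{- with .Values.podAnnotations }} 21 | annotations: 22 | {{- toYaml . 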
| nindent 8 }} 23 | {{- end }} 24 | spec: 25 | {{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }} 26 | serviceAccountName: {{ include "event-exporter.serviceAccountName" . }} 27 | {{- if .Values.podSecurityContext.enabled }} 28 | securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} 29 | {{- end }} 30 | containers: 31 | - name: event-exporter 32 | image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }} 33 | imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }} 34 | args: [--running-in-cluster=true] 35 | env: 36 | {{- include "event-exporter.environment-variables" . | nindent 8 }} 37 | ports: 38 | - name: metrics 39 | containerPort: 9102 40 | resources: 41 | {{- toYaml .Values.resources | nindent 12 }} 42 | volumeMounts: 43 | {{- with .Values.extraVolumeMounts }} 44 | {{- toYaml . | nindent 8 }} 45 | {{- end }} 46 | {{- with .Values.nodeSelector }} 47 | nodeSelector: 48 | {{- toYaml . | nindent 8 }} 49 | {{- end }} 50 | {{- with .Values.affinity }} 51 | affinity: 52 | {{- toYaml . | nindent 8 }} 53 | {{- end }} 54 | {{- with .Values.tolerations }} 55 | tolerations: 56 | {{- toYaml . | nindent 6 }} 57 | {{- end }} 58 | volumes: 59 | {{- with .Values.extraVolumes }} 60 | {{- toYaml . | nindent 6 }} 61 | {{- end }} 62 | {{- end -}} -------------------------------------------------------------------------------- /charts/cf-runtime/templates/_components/volume-provisioner/_rbac.yaml: -------------------------------------------------------------------------------- 1 | {{- define "dind-volume-provisioner.resources.rbac" -}} 2 | {{- if .Values.serviceAccount.create }} 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | name: {{ include "dind-volume-provisioner.serviceAccountName" . }} 7 | labels: 8 | {{- include "dind-volume-provisioner.labels" . 
| nindent 4 }} 9 | {{- with .Values.serviceAccount.annotations }} 10 | annotations: 11 | {{- toYaml . | nindent 4 }} 12 | {{- end }} 13 | {{- end }} 14 | --- 15 | {{- if .Values.rbac.create }} 16 | kind: ClusterRole 17 | apiVersion: rbac.authorization.k8s.io/v1 18 | metadata: 19 | name: {{ include "dind-volume-provisioner.fullname" . }} 20 | labels: 21 | {{- include "dind-volume-provisioner.labels" . | nindent 4 }} 22 | rules: 23 | - apiGroups: [ "" ] 24 | resources: [ "persistentvolumes" ] 25 | verbs: [ "get", "list", "watch", "create", "delete", "patch" ] 26 | - apiGroups: [ "" ] 27 | resources: [ "persistentvolumeclaims" ] 28 | verbs: [ "get", "list", "watch", "update", "delete" ] 29 | - apiGroups: [ "storage.k8s.io" ] 30 | resources: [ "storageclasses" ] 31 | verbs: [ "get", "list", "watch" ] 32 | - apiGroups: [ "" ] 33 | resources: [ "events" ] 34 | verbs: [ "list", "watch", "create", "update", "patch" ] 35 | - apiGroups: [ "" ] 36 | resources: [ "secrets" ] 37 | verbs: [ "get", "list" ] 38 | - apiGroups: [ "" ] 39 | resources: [ "nodes" ] 40 | verbs: [ "get", "list", "watch" ] 41 | - apiGroups: [ "" ] 42 | resources: [ "pods" ] 43 | verbs: [ "get", "list", "watch", "create", "delete", "patch" ] 44 | - apiGroups: [ "" ] 45 | resources: [ "endpoints" ] 46 | verbs: [ "get", "list", "watch", "create", "update", "delete" ] 47 | - apiGroups: [ "coordination.k8s.io" ] 48 | resources: [ "leases" ] 49 | verbs: [ "get", "create", "update" ] 50 | {{- with .Values.rbac.rules }} 51 | {{ toYaml . | nindent 2 }} 52 | {{- end }} 53 | {{- end }} 54 | --- 55 | {{- if and .Values.serviceAccount.create .Values.rbac.create }} 56 | kind: ClusterRoleBinding 57 | apiVersion: rbac.authorization.k8s.io/v1 58 | metadata: 59 | name: {{ include "dind-volume-provisioner.fullname" . }} 60 | labels: 61 | {{- include "dind-volume-provisioner.labels" . | nindent 4 }} 62 | subjects: 63 | - kind: ServiceAccount 64 | name: {{ include "dind-volume-provisioner.serviceAccountName" . 
}} 65 | namespace: {{ .Release.Namespace }} 66 | roleRef: 67 | kind: ClusterRole 68 | name: {{ include "dind-volume-provisioner.fullname" . }} 69 | apiGroup: rbac.authorization.k8s.io 70 | {{- end }} 71 | {{- end -}} 72 | -------------------------------------------------------------------------------- /charts/cf-runtime/templates/_components/volume-provisioner/_cronjob.yaml: -------------------------------------------------------------------------------- 1 | {{- define "dind-volume-provisioner.resources.cronjob" -}} 2 | {{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }} 3 | {{- if not (eq .Values.storage.backend "local") }} 4 | apiVersion: batch/v1 5 | kind: CronJob 6 | metadata: 7 | name: {{ include "dind-volume-cleanup.fullname" . }} 8 | labels: 9 | {{- include "dind-volume-cleanup.labels" . | nindent 4 }} 10 | spec: 11 | concurrencyPolicy: {{ .Values.concurrencyPolicy }} 12 | schedule: {{ .Values.schedule | quote }} 13 | successfulJobsHistoryLimit: {{ .Values.successfulJobsHistory }} 14 | failedJobsHistoryLimit: {{ .Values.failedJobsHistory }} 15 | {{- with .Values.suspend }} 16 | suspend: {{ . }} 17 | {{- end }} 18 | jobTemplate: 19 | spec: 20 | template: 21 | metadata: 22 | labels: 23 | {{- include "dind-volume-cleanup.selectorLabels" . | nindent 12 }} 24 | {{- with .Values.podAnnotations }} 25 | annotations: 26 | {{- toYaml . | nindent 12 }} 27 | {{- end }} 28 | spec: 29 | {{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 10 }} 30 | serviceAccountName: {{ include "dind-volume-provisioner.serviceAccountName" . }} 31 | {{- if .Values.podSecurityContext.enabled }} 32 | securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 12 }} 33 | {{- end }} 34 | restartPolicy: {{ .Values.restartPolicy | default "Never" }} 35 | containers: 36 | - name: dind-volume-cleanup 37 | image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) 
}} 38 | imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }} 39 | env: 40 | {{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" .Values.env "context" .) | nindent 12 }} 41 | - name: PROVISIONED_BY 42 | value: {{ include "dind-volume-provisioner.volumeProvisionerName" . }} 43 | resources: 44 | {{- toYaml .Values.resources | nindent 14 }} 45 | {{- with .Values.nodeSelector }} 46 | nodeSelector: 47 | {{- toYaml . | nindent 12 }} 48 | {{- end }} 49 | {{- with .Values.affinity }} 50 | affinity: 51 | {{- toYaml . | nindent 12 }} 52 | {{- end }} 53 | {{- with .Values.tolerations }} 54 | tolerations: 55 | {{- toYaml . | nindent 10 }} 56 | {{- end }} 57 | {{- end }} 58 | {{- end -}} 59 | -------------------------------------------------------------------------------- /venona/pkg/config/loader_test.go: --------------------------------------------------------------------------------
// Copyright 2020 The Codefresh Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package config

import (
	"os"
	"path/filepath"
	"testing"

	"github.com/codefresh-io/go/venona/pkg/logger"

	"github.com/stretchr/testify/assert"
)

// TestLoad drives Load through table cases, replacing the package-level
// readfile and walkFilePath hooks so no real filesystem is touched.
// The hooks are restored after every case; because they are package globals,
// the sub-tests must not be marked parallel.
func TestLoad(t *testing.T) {
	type loadArgs struct {
		dir     string
		pattern string
	}
	type testCase struct {
		args         loadArgs
		want         map[string]Config
		wantErr      string
		fileReadFunc func(string) ([]byte, error)
		walkFileFunc func(string, filepath.WalkFunc) error
	}

	// emptyRead returns an empty document for any path.
	emptyRead := func(string) ([]byte, error) {
		return []byte{}, nil
	}
	// singleFileWalk builds a walker that visits exactly one regular file with
	// the given path and base name.
	singleFileWalk := func(path, name string) func(string, filepath.WalkFunc) error {
		return func(_ string, fn filepath.WalkFunc) error {
			return fn(path, &info{name: name, isDir: false}, nil)
		}
	}

	cases := map[string]testCase{
		"Success and return empty list when file name does not match": {
			args:         loadArgs{dir: "location", pattern: "some-pattern"},
			want:         map[string]Config{},
			walkFileFunc: singleFileWalk("some-path", "file"),
			fileReadFunc: emptyRead,
		},
		"return config map from matching file": {
			args:         loadArgs{dir: "location", pattern: ".*"},
			want:         map[string]Config{"location/file.a.yaml": {}},
			walkFileFunc: singleFileWalk("location/file.a.yaml", "file.a.yaml"),
			fileReadFunc: emptyRead,
		},
	}

	for name, tc := range cases {
		t.Run(name, func(t *testing.T) {
			readfile = tc.fileReadFunc
			walkFilePath = tc.walkFileFunc
			// Put the real implementations back so later tests see them.
			defer func() {
				readfile = os.ReadFile
				walkFilePath = filepath.Walk
			}()

			got, err := Load(tc.args.dir, tc.args.pattern, logger.New(logger.Options{}))
			if err != nil || tc.wantErr != "" {
				assert.EqualError(t, err, tc.wantErr)
				return
			}
			assert.Equal(t, tc.want, got)
		})
	}
}
-------------------------------------------------------------------------------- 
/charts/cf-runtime/tests/volume-provisioner/cronjob_test.yaml: -------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://raw.githubusercontent.com/quintush/helm-unittest/master/schema/helm-testsuite.json 2 | suite: dind-volume-cleanup test 3 | values: 4 | - ../values.yaml 5 | templates: 6 | - templates/**.yaml 7 | release: 8 | name: cf-runtime 9 | namespace: codefresh 10 | revision: 1 11 | upgrade: true 12 | chart: 13 | appVersion: 1.0.0 14 | tests: 15 | - it: Test dind-volume-cleanup default metadata 16 | template: templates/volume-provisioner/cronjob.yaml 17 | set: 18 | storage.backend: ebs 19 | asserts: 20 | - hasDocuments: 21 | count: 1 22 | - isKind: 23 | of: CronJob 24 | - isNull: 25 | path: metadata.annotations 26 | - isSubset: 27 | path: metadata.labels 28 | content: 29 | app.kubernetes.io/instance: cf-runtime 30 | app.kubernetes.io/managed-by: Helm 31 | app.kubernetes.io/name: cf-runtime 32 | codefresh.io/application: pv-cleanup 33 | - equal: 34 | path: metadata.name 35 | value: dind-volume-cleanup 36 | 37 | - it: Test no dind-volume-cleanup is storage no ebs 38 | template: templates/volume-provisioner/cronjob.yaml 39 | set: 40 | storage.backend: local 41 | asserts: 42 | - hasDocuments: 43 | count: 0 44 | 45 | - it: Test dind-volume-cleanup spec 46 | template: templates/volume-provisioner/cronjob.yaml 47 | set: 48 | storage.backend: ebs 49 | asserts: 50 | - equal: 51 | path: spec.schedule 52 | value: "*/10 * * * *" 53 | - equal: 54 | path: spec.concurrencyPolicy 55 | value: "Forbid" 56 | - equal: 57 | path: spec.successfulJobsHistoryLimit 58 | value: 1 59 | - equal: 60 | path: spec.failedJobsHistoryLimit 61 | value: 1 62 | - equal: 63 | path: spec.jobTemplate.spec.template.spec.securityContext 64 | value: 65 | fsGroup: 3000 66 | runAsGroup: 3000 67 | runAsUser: 3000 68 | 69 | - it: Test dind-volume-cleanup provisioner value match in storage class. 
70 | set: 71 | storage.backend: ebs 72 | asserts: 73 | - contains: 74 | path: spec.jobTemplate.spec.template.spec.containers[0].env 75 | content: 76 | name: PROVISIONED_BY 77 | value: "codefresh.io/dind-volume-provisioner-runner-codefresh" 78 | template: templates/volume-provisioner/cronjob.yaml 79 | - equal: 80 | path: provisioner 81 | value: "codefresh.io/dind-volume-provisioner-runner-codefresh" 82 | template: templates/volume-provisioner/storageclass.yaml 83 | -------------------------------------------------------------------------------- /charts/cf-runtime/templates/_components/volume-provisioner/_deployment.yaml: -------------------------------------------------------------------------------- 1 | {{- define "dind-volume-provisioner.resources.deployment" -}} 2 | {{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }} 3 | apiVersion: apps/v1 4 | kind: Deployment 5 | metadata: 6 | name: {{ include "dind-volume-provisioner.fullname" . }} 7 | labels: 8 | {{- include "dind-volume-provisioner.labels" . | nindent 4 }} 9 | spec: 10 | replicas: {{ .Values.replicasCount }} 11 | strategy: 12 | type: {{ .Values.updateStrategy.type }} 13 | selector: 14 | matchLabels: 15 | {{- include "dind-volume-provisioner.selectorLabels" . | nindent 6 }} 16 | template: 17 | metadata: 18 | labels: 19 | {{- include "dind-volume-provisioner.selectorLabels" . | nindent 8 }} 20 | {{- with .Values.podAnnotations }} 21 | annotations: 22 | {{- toYaml . | nindent 8 }} 23 | {{- end }} 24 | spec: 25 | {{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }} 26 | serviceAccountName: {{ include "dind-volume-provisioner.serviceAccountName" . 
}} 27 | {{- if .Values.podSecurityContext.enabled }} 28 | securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} 29 | {{- end }} 30 | containers: 31 | - name: dind-volume-provisioner 32 | image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }} 33 | imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }} 34 | command: 35 | - /usr/local/bin/dind-volume-provisioner 36 | - -v=4 37 | - --resync-period=50s 38 | env: 39 | {{- include "dind-volume-provisioner.environment-variables" . | nindent 8 }} 40 | ports: 41 | - name: http 42 | containerPort: 8080 43 | resources: 44 | {{- toYaml .Values.resources | nindent 12 }} 45 | volumeMounts: 46 | {{- include "dind-volume-provisioner.volumeMounts.calculated" . | nindent 8 }} 47 | {{- with .Values.extraVolumeMounts }} 48 | {{- toYaml . | nindent 8 }} 49 | {{- end }} 50 | {{- with .Values.nodeSelector }} 51 | nodeSelector: 52 | {{- toYaml . | nindent 8 }} 53 | {{- end }} 54 | {{- with .Values.affinity }} 55 | affinity: 56 | {{- toYaml . | nindent 8 }} 57 | {{- end }} 58 | {{- with .Values.tolerations }} 59 | tolerations: 60 | {{- toYaml . | nindent 6 }} 61 | {{- end }} 62 | volumes: 63 | {{- include "dind-volume-provisioner.volumes.calculated" . | nindent 6 }} 64 | {{- with .Values.extraVolumes }} 65 | {{- toYaml . | nindent 6 }} 66 | {{- end }} 67 | {{- end -}} -------------------------------------------------------------------------------- /charts/cf-runtime/templates/_components/monitor/_deployment.yaml: -------------------------------------------------------------------------------- 1 | {{- define "monitor.resources.deployment" -}} 2 | {{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }} 3 | apiVersion: apps/v1 4 | kind: Deployment 5 | metadata: 6 | name: {{ include "monitor.fullname" . }} 7 | labels: 8 | {{- include "monitor.labels" . 
| nindent 4 }} 9 | spec: 10 | replicas: {{ .Values.replicasCount }} 11 | strategy: 12 | type: {{ .Values.updateStrategy.type }} 13 | selector: 14 | matchLabels: 15 | {{- include "monitor.selectorLabels" . | nindent 6 }} 16 | template: 17 | metadata: 18 | labels: 19 | {{- include "monitor.selectorLabels" . | nindent 8 }} 20 | {{- with .Values.podAnnotations }} 21 | annotations: 22 | {{- toYaml . | nindent 8 }} 23 | {{- end }} 24 | spec: 25 | {{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }} 26 | serviceAccountName: {{ include "monitor.serviceAccountName" . }} 27 | {{- if .Values.podSecurityContext.enabled }} 28 | securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} 29 | {{- end }} 30 | containers: 31 | - name: monitor 32 | image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }} 33 | imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }} 34 | env: 35 | {{- include "monitor.environment-variables" . | nindent 8 }} 36 | ports: 37 | - name: http 38 | containerPort: 9020 39 | readinessProbe: 40 | initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} 41 | periodSeconds: {{ .Values.readinessProbe.periodSeconds }} 42 | timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} 43 | successThreshold: {{ .Values.readinessProbe.successThreshold }} 44 | failureThreshold: {{ .Values.readinessProbe.failureThreshold }} 45 | httpGet: 46 | path: /api/ping 47 | port: 9020 48 | resources: 49 | {{- toYaml .Values.resources | nindent 12 }} 50 | volumeMounts: 51 | {{- with .Values.extraVolumeMounts }} 52 | {{- toYaml . | nindent 8 }} 53 | {{- end }} 54 | {{- with .Values.nodeSelector }} 55 | nodeSelector: 56 | {{- toYaml . | nindent 8 }} 57 | {{- end }} 58 | {{- with .Values.affinity }} 59 | affinity: 60 | {{- toYaml . | nindent 8 }} 61 | {{- end }} 62 | {{- with .Values.tolerations }} 63 | tolerations: 64 | {{- toYaml . 
| nindent 6 }} 65 | {{- end }} 66 | volumes: 67 | {{- with .Values.extraVolumes }} 68 | {{- toYaml . | nindent 6 }} 69 | {{- end }} 70 | {{- end -}} -------------------------------------------------------------------------------- /charts/cf-runtime/templates/_components/app-proxy/_deployment.yaml: -------------------------------------------------------------------------------- 1 | {{- define "app-proxy.resources.deployment" -}} 2 | {{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }} 3 | apiVersion: apps/v1 4 | kind: Deployment 5 | metadata: 6 | name: {{ include "app-proxy.fullname" . }} 7 | labels: 8 | {{- include "app-proxy.labels" . | nindent 4 }} 9 | spec: 10 | replicas: {{ .Values.replicasCount }} 11 | strategy: 12 | type: {{ .Values.updateStrategy.type }} 13 | selector: 14 | matchLabels: 15 | {{- include "app-proxy.selectorLabels" . | nindent 6 }} 16 | template: 17 | metadata: 18 | labels: 19 | {{- include "app-proxy.selectorLabels" . | nindent 8 }} 20 | {{- with .Values.podAnnotations }} 21 | annotations: 22 | {{- toYaml . | nindent 8 }} 23 | {{- end }} 24 | spec: 25 | {{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }} 26 | serviceAccountName: {{ include "app-proxy.serviceAccountName" . }} 27 | {{- if .Values.podSecurityContext.enabled }} 28 | securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} 29 | {{- end }} 30 | containers: 31 | - name: app-proxy 32 | image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }} 33 | imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }} 34 | env: 35 | {{- include "app-proxy.environment-variables" . 
| nindent 8 }} 36 | ports: 37 | - name: http 38 | containerPort: 3000 39 | readinessProbe: 40 | initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} 41 | periodSeconds: {{ .Values.readinessProbe.periodSeconds }} 42 | timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} 43 | successThreshold: {{ .Values.readinessProbe.successThreshold }} 44 | failureThreshold: {{ .Values.readinessProbe.failureThreshold }} 45 | httpGet: 46 | path: /health 47 | port: http 48 | resources: 49 | {{- toYaml .Values.resources | nindent 12 }} 50 | volumeMounts: 51 | {{- with .Values.extraVolumeMounts }} 52 | {{- toYaml . | nindent 8 }} 53 | {{- end }} 54 | {{- with .Values.nodeSelector }} 55 | nodeSelector: 56 | {{- toYaml . | nindent 8 }} 57 | {{- end }} 58 | {{- with .Values.affinity }} 59 | affinity: 60 | {{- toYaml . | nindent 8 }} 61 | {{- end }} 62 | {{- with .Values.tolerations }} 63 | tolerations: 64 | {{- toYaml . | nindent 6 }} 65 | {{- end }} 66 | volumes: 67 | {{- with .Values.extraVolumes }} 68 | {{- toYaml . | nindent 6 }} 69 | {{- end }} 70 | {{- end -}} 71 | -------------------------------------------------------------------------------- /charts/cf-runtime/templates/hooks/post-install/job-gencerts-dind.yaml: -------------------------------------------------------------------------------- 1 | {{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }} 2 | {{ $values := .Values.runtime.gencerts }} 3 | {{- if and $values.enabled }} 4 | --- 5 | apiVersion: batch/v1 6 | kind: Job 7 | metadata: 8 | name: {{ coalesce .Values.runtime.gencerts.name (printf "%s-dind-gencerts" (include "runtime.fullname" .)) }} 9 | labels: 10 | {{- include "runtime.labels" . | nindent 4 }} 11 | annotations: 12 | helm.sh/hook: post-install,post-upgrade 13 | helm.sh/hook-weight: "3" 14 | helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded 15 | {{- with $values.annotations }} 16 | {{- toYaml . 
| nindent 4 }} 17 | {{- end }} 18 | spec: 19 | {{- with $values.ttlSecondsAfterFinished }} 20 | ttlSecondsAfterFinished: {{ . }} 21 | {{- end }} 22 | {{- with $values.backoffLimit }} 23 | backoffLimit: {{ . | int }} 24 | {{- end }} 25 | template: 26 | metadata: 27 | name: {{ coalesce .Values.runtime.gencerts.name (printf "%s-dind-gencerts" (include "runtime.fullname" .)) }} 28 | labels: 29 | {{- include "runtime.labels" . | nindent 8 }} 30 | spec: 31 | {{- if $values.rbac.enabled }} 32 | serviceAccountName: {{ coalesce .Values.runtime.gencerts.name (printf "%s-dind-gencerts" (include "runtime.fullname" .)) }} 33 | {{- end }} 34 | securityContext: 35 | {{- toYaml $values.podSecurityContext | nindent 8 }} 36 | containers: 37 | - name: gencerts-dind 38 | image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" $values.image "context" .) }} 39 | imagePullPolicy: {{ $values.image.pullPolicy | default "Always" }} 40 | command: 41 | - "/bin/bash" 42 | args: 43 | - -ec 44 | - | 45 | {{- .Files.Get "files/configure-dind-certs.sh" | nindent 10 }} 46 | env: 47 | - name: NAMESPACE 48 | value: {{ .Release.Namespace }} 49 | - name: RELEASE 50 | value: {{ .Release.Name }} 51 | - name: CF_API_HOST 52 | value: {{ include "runtime.runtime-environment-spec.codefresh-host" . }} 53 | - name: CF_API_TOKEN 54 | {{- include "runtime.installation-token-env-var-value" . | indent 10}} 55 | {{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $values.env "context" .) | nindent 8 }} 56 | {{- with $values.nodeSelector }} 57 | nodeSelector: 58 | {{- toYaml . | nindent 8 }} 59 | {{- end }} 60 | {{- with $values.affinity }} 61 | affinity: 62 | {{- toYaml . | nindent 8 }} 63 | {{- end }} 64 | {{- with $values.tolerations }} 65 | tolerations: 66 | {{- toYaml . 
| nindent 6 }} 67 | {{- end }} 68 | restartPolicy: OnFailure 69 | {{- end }} 70 | -------------------------------------------------------------------------------- /venona/pkg/monitoring/newrelic/newrelic.go: -------------------------------------------------------------------------------- 1 | // Copyright 2020 The Codefresh Authors. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package newrelic 16 | 17 | import ( 18 | "context" 19 | "net/http" 20 | 21 | "github.com/codefresh-io/go/venona/pkg/monitoring" 22 | 23 | gorillamux "github.com/gorilla/mux" 24 | "github.com/newrelic/go-agent/v3/integrations/nrgorilla" 25 | nr "github.com/newrelic/go-agent/v3/newrelic" 26 | ) 27 | 28 | type ( 29 | monitor struct { 30 | app *nr.Application 31 | } 32 | 33 | transaction struct { 34 | t *nr.Transaction 35 | } 36 | 37 | segment struct { 38 | s *nr.Segment 39 | } 40 | 41 | externalSegment struct { 42 | s *nr.ExternalSegment 43 | } 44 | ) 45 | 46 | // New creates a new newrelic monitor 47 | func New(conf ...nr.ConfigOption) (monitoring.Monitor, error) { 48 | app, err := nr.NewApplication(conf...) 
49 | if err != nil { 50 | return nil, err 51 | } 52 | 53 | return &monitor{app}, nil 54 | } 55 | 56 | // Monitor 57 | func (m *monitor) NewTransaction(name string) monitoring.Transaction { 58 | return &transaction{m.app.StartTransaction(name)} 59 | } 60 | 61 | func (m *monitor) NewTransactionFromContext(ctx context.Context) monitoring.Transaction { 62 | return &transaction{nr.FromContext(ctx)} 63 | } 64 | 65 | func (m *monitor) NewRoundTripper(rt http.RoundTripper) http.RoundTripper { 66 | return nr.NewRoundTripper(rt) 67 | } 68 | 69 | func (m *monitor) NewGorillaMiddleware() gorillamux.MiddlewareFunc { 70 | return nrgorilla.Middleware(m.app) 71 | } 72 | 73 | // Transaction 74 | func (t *transaction) NewSegment(r *http.Request) monitoring.Segment { 75 | return &externalSegment{nr.StartExternalSegment(t.t, r)} 76 | } 77 | 78 | func (t *transaction) NewSegmentByName(name string) monitoring.Segment { 79 | return &segment{t.t.StartSegment(name)} 80 | } 81 | 82 | func (t *transaction) AddAttribute(key string, val interface{}) { 83 | t.t.AddAttribute(key, val) 84 | } 85 | 86 | func (t *transaction) End() { 87 | t.t.End() 88 | } 89 | 90 | func (t *transaction) NoticeError(err error) { 91 | t.t.NoticeError(err) 92 | } 93 | 94 | // Segment 95 | func (s *segment) End() { 96 | s.s.End() 97 | } 98 | 99 | func (s *externalSegment) End() { 100 | s.s.End() 101 | } 102 | -------------------------------------------------------------------------------- /venona/pkg/runtime/runtime.go: -------------------------------------------------------------------------------- 1 | // Copyright 2020 The Codefresh Authors. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 
5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package runtime 16 | 17 | import ( 18 | "context" 19 | "encoding/json" 20 | "fmt" 21 | 22 | ierrors "github.com/codefresh-io/go/venona/pkg/errors" 23 | "github.com/codefresh-io/go/venona/pkg/kubernetes" 24 | "github.com/codefresh-io/go/venona/pkg/task" 25 | ) 26 | 27 | type ( 28 | // Runtime API client 29 | Runtime interface { 30 | HandleTask(ctx context.Context, t *task.Task) error 31 | } 32 | 33 | // Options for runtime 34 | Options struct { 35 | Kubernetes kubernetes.Kubernetes 36 | } 37 | 38 | runtime struct { 39 | client kubernetes.Kubernetes 40 | } 41 | 42 | HandleTaskError struct { 43 | error 44 | isRetriable bool 45 | } 46 | ) 47 | 48 | func (e HandleTaskError) IsRetriable() bool { 49 | return e.isRetriable 50 | } 51 | 52 | func NewHandleTaskError(err error, isRetriable bool) error { 53 | return &HandleTaskError{ 54 | error: err, 55 | isRetriable: isRetriable, 56 | } 57 | } 58 | 59 | // New creates new Runtime client 60 | func New(opts Options) Runtime { 61 | return &runtime{ 62 | client: opts.Kubernetes, 63 | } 64 | } 65 | 66 | func (r runtime) HandleTask(ctx context.Context, t *task.Task) error { 67 | switch t.Type { 68 | case task.TypeCreatePVC, task.TypeCreatePod: 69 | err := r.client.CreateResource(ctx, t.Type, t.Spec) 70 | if err != nil { 71 | return NewHandleTaskError(fmt.Errorf("failed creating resource: %w", err), ierrors.IsRetriable(err)) // TODO: Return already executed tasks in order to terminate them 72 | } 73 | case task.TypeDeletePVC, task.TypeDeletePod: 74 | opts := 
kubernetes.DeleteOptions{} 75 | opts.Kind = t.Type 76 | b, err := json.Marshal(t.Spec) 77 | if err != nil { 78 | return NewHandleTaskError(fmt.Errorf("failed to marshal task spec: %w", err), false) 79 | } 80 | 81 | if err := json.Unmarshal(b, &opts); err != nil { 82 | return NewHandleTaskError(fmt.Errorf("failed to unmarshal task spec: %w", err), false) 83 | } 84 | 85 | if err := r.client.DeleteResource(ctx, opts); err != nil { 86 | return NewHandleTaskError(fmt.Errorf("failed deleting resource: %w", err), ierrors.IsRetriable(err)) 87 | } 88 | default: 89 | return NewHandleTaskError(fmt.Errorf("unknown task type \"%s\"", t.Type), false) 90 | } 91 | 92 | return nil 93 | } 94 | -------------------------------------------------------------------------------- /charts/cf-runtime/files/init-runtime.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | echo "-----" 4 | echo "API_HOST: ${API_HOST}" 5 | echo "AGENT_NAME: ${AGENT_NAME}" 6 | echo "KUBE_CONTEXT: ${KUBE_CONTEXT}" 7 | echo "KUBE_NAMESPACE: ${KUBE_NAMESPACE}" 8 | echo "OWNER_NAME: ${OWNER_NAME}" 9 | echo "RUNTIME_NAME: ${RUNTIME_NAME}" 10 | echo "SECRET_NAME: ${SECRET_NAME}" 11 | echo "-----" 12 | 13 | create_agent_secret() { 14 | 15 | kubectl apply -f - < t.Metadata.CreatedAt { 60 | wf.Metadata.CreatedAt = t.Metadata.CreatedAt 61 | } 62 | 63 | wfType := workflowTypeFromTaskType(t.Type) 64 | if wf.Type == workflowTypeNone { 65 | wf.Type = wfType 66 | } else if wf.Type != wfType { 67 | wf.Type = workflowTypeBoth 68 | } 69 | 70 | wf.Tasks = append(wf.Tasks, t) 71 | return nil 72 | } 73 | 74 | func (wf *Workflow) GetLatency() (sinceCreation, inRunner, processed time.Duration) { 75 | end := time.Now() 76 | created, _ := time.Parse(time.RFC3339, wf.Metadata.CreatedAt) 77 | sinceCreation = end.Sub(created) 78 | inRunner, processed = wf.Timeline.GetLatency(end) 79 | return 80 | } 81 | 82 | // Less compares two workflows by their CreatedAt values 83 | func Less(wf1 
Workflow, wf2 Workflow) bool { 84 | return wf1.Metadata.CreatedAt < wf2.Metadata.CreatedAt 85 | } 86 | 87 | func workflowTypeFromTaskType(t task.Type) Type { 88 | switch t { 89 | case task.TypeCreatePod, task.TypeCreatePVC: 90 | return workflowTypeCreate 91 | case task.TypeDeletePod, task.TypeDeletePVC: 92 | return workflowTypeTerminate 93 | default: 94 | return workflowTypeNone 95 | } 96 | } 97 | -------------------------------------------------------------------------------- /charts/cf-runtime/templates/_components/volume-provisioner/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Expand the name of the chart. 3 | */}} 4 | {{- define "dind-volume-provisioner.name" -}} 5 | {{- printf "%s-%s" (include "cf-runtime.name" .) "volume-provisioner" | trunc 63 | trimSuffix "-" }} 6 | {{- end }} 7 | 8 | {{/* 9 | Create a default fully qualified app name. 10 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 11 | If release name contains chart name it will be used as a full name. 12 | */}} 13 | {{- define "dind-volume-provisioner.fullname" -}} 14 | {{- coalesce .Values.name (printf "%s-%s" (include "cf-runtime.fullname" .) "volume-provisioner" | trunc 63 | trimSuffix "-") }} 15 | {{- end }} 16 | 17 | {{- define "dind-volume-cleanup.fullname" -}} 18 | {{- coalesce .Values.name (printf "%s-%s" (include "cf-runtime.fullname" .) "volume-cleanup" | trunc 52 | trimSuffix "-") }} 19 | {{- end }} 20 | 21 | {{- define "dind-lv-monitor.fullname" -}} 22 | {{- coalesce .Values.name (printf "%s-%s" (include "cf-runtime.fullname" .) 
"lv-monitor" | trunc 63 | trimSuffix "-") }} 23 | {{- end }} 24 | 25 | {{/* 26 | Provisioner name for storage class 27 | */}} 28 | {{- define "dind-volume-provisioner.volumeProvisionerName" }} 29 | {{- printf "codefresh.io/dind-volume-provisioner-runner-%s" .Release.Namespace }} 30 | {{- end }} 31 | 32 | {{/* 33 | Common labels for dind-lv-monitor 34 | */}} 35 | {{- define "dind-lv-monitor.labels" -}} 36 | {{ include "cf-runtime.labels" . }} 37 | codefresh.io/application: lv-monitor 38 | {{- end }} 39 | 40 | {{/* 41 | Selector labels for dind-lv-monitor 42 | */}} 43 | {{- define "dind-lv-monitor.selectorLabels" -}} 44 | {{ include "cf-runtime.selectorLabels" . }} 45 | codefresh.io/application: lv-monitor 46 | {{- end }} 47 | 48 | {{/* 49 | Common labels for dind-volume-provisioner 50 | */}} 51 | {{- define "dind-volume-provisioner.labels" -}} 52 | {{ include "cf-runtime.labels" . }} 53 | codefresh.io/application: volume-provisioner 54 | {{- end }} 55 | 56 | {{/* 57 | Selector labels for dind-volume-provisioner 58 | */}} 59 | {{- define "dind-volume-provisioner.selectorLabels" -}} 60 | {{ include "cf-runtime.selectorLabels" . }} 61 | codefresh.io/application: volume-provisioner 62 | {{- end }} 63 | 64 | {{/* 65 | Common labels for dind-volume-cleanup 66 | */}} 67 | {{- define "dind-volume-cleanup.labels" -}} 68 | {{ include "cf-runtime.labels" . }} 69 | codefresh.io/application: pv-cleanup 70 | {{- end }} 71 | 72 | {{/* 73 | Common labels for dind-volume-cleanup 74 | */}} 75 | {{- define "dind-volume-cleanup.selectorLabels" -}} 76 | {{ include "cf-runtime.selectorLabels" . }} 77 | codefresh.io/application: pv-cleanup 78 | {{- end }} 79 | 80 | {{/* 81 | Create the name of the service account to use 82 | */}} 83 | {{- define "dind-volume-provisioner.serviceAccountName" -}} 84 | {{- if .Values.serviceAccount.create }} 85 | {{- default (include "dind-volume-provisioner.fullname" .) 
.Values.serviceAccount.name }} 86 | {{- else }} 87 | {{- default "default" .Values.serviceAccount.name }} 88 | {{- end }} 89 | {{- end }} 90 | 91 | {{- define "dind-volume-provisioner.storageClassName" }} 92 | {{- coalesce .Values.storage.fullnameOverride (printf "dind-local-volumes-runner-%s" .Release.Namespace) }} 93 | {{- end }} 94 | -------------------------------------------------------------------------------- /venona/pkg/server/server.go: -------------------------------------------------------------------------------- 1 | // Copyright 2020 The Codefresh Authors. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 
14 | 15 | package server 16 | 17 | import ( 18 | "context" 19 | "errors" 20 | "net/http" 21 | "time" 22 | 23 | "github.com/codefresh-io/go/venona/pkg/logger" 24 | "github.com/codefresh-io/go/venona/pkg/monitoring" 25 | "github.com/prometheus/client_golang/prometheus" 26 | "github.com/prometheus/client_golang/prometheus/promhttp" 27 | 28 | "github.com/gorilla/mux" 29 | ) 30 | 31 | var ( 32 | errAlreadyRunning = errors.New("Server already running") 33 | errAlreadyStopped = errors.New("Server already stopped") 34 | errLoggerRequired = errors.New("Logger is required") 35 | ) 36 | 37 | type ( 38 | // Options for creating a new server instance 39 | Options struct { 40 | Port string 41 | Logger logger.Logger 42 | Monitor monitoring.Monitor 43 | MetricsRegistry *prometheus.Registry 44 | } 45 | 46 | // Server is an HTTP server that expose API 47 | Server struct { 48 | log logger.Logger 49 | running bool 50 | srv *http.Server 51 | } 52 | ) 53 | 54 | // New returns a new Server instance or an error 55 | func New(opts *Options) (*Server, error) { 56 | if opts.Logger == nil { 57 | return nil, errLoggerRequired 58 | } 59 | log := opts.Logger 60 | 61 | r := mux.NewRouter() 62 | if opts.Monitor != nil { 63 | r.Use(opts.Monitor.NewGorillaMiddleware()) 64 | } 65 | 66 | r.HandleFunc("/health", func(w http.ResponseWriter, _ *http.Request) { 67 | w.WriteHeader(http.StatusOK) 68 | _, _ = w.Write([]byte("OK")) 69 | }) 70 | 71 | r.Handle("/metrics", promhttp.HandlerFor(opts.MetricsRegistry, promhttp.HandlerOpts{Registry: opts.MetricsRegistry})) 72 | 73 | srv := &http.Server{ 74 | Addr: opts.Port, 75 | Handler: r, 76 | ReadHeaderTimeout: 60 * time.Second, 77 | } 78 | 79 | return &Server{ 80 | log, 81 | false, 82 | srv, 83 | }, nil 84 | } 85 | 86 | // Start starts the server and blocks indefinitely unless an error happens 87 | func (s *Server) Start() error { 88 | if s.running { 89 | return errAlreadyRunning 90 | } 91 | 92 | s.running = true 93 | s.log.Info("Starting HTTP server", "addr", 
s.srv.Addr) 94 | return s.srv.ListenAndServe() 95 | } 96 | 97 | // Stop stops the HTTP server 98 | func (s *Server) Stop(ctx context.Context) error { 99 | if !s.running { 100 | return errAlreadyStopped 101 | } 102 | 103 | s.running = false 104 | s.log.Warn("Received graceful termination request, shutting down...") 105 | err := s.srv.Shutdown(ctx) 106 | if err != nil { 107 | s.log.Error("failed to gracefully terminate server, cause: ", err) 108 | } 109 | 110 | return nil 111 | } 112 | -------------------------------------------------------------------------------- /venona/pkg/monitoring/monitoring.go: -------------------------------------------------------------------------------- 1 | // Copyright 2020 The Codefresh Authors. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package monitoring 16 | 17 | import ( 18 | "context" 19 | "net/http" 20 | 21 | gorillamux "github.com/gorilla/mux" 22 | ) 23 | 24 | // Monitor controls monitoring for the application 25 | type Monitor interface { 26 | NewTransaction(name string) Transaction 27 | NewTransactionFromContext(ctx context.Context) Transaction 28 | NewRoundTripper(rt http.RoundTripper) http.RoundTripper 29 | NewGorillaMiddleware() gorillamux.MiddlewareFunc 30 | } 31 | 32 | // Transaction instruments one logical unit of work: either an inbound web request 33 | // or background task. 
Start a new Transaction with the Monitor.NewTransaction() method 34 | type Transaction interface { 35 | // End finishes the Transaction. After that, subsequent calls to End or 36 | // other Transaction methods have no effect. All segments and 37 | // instrumentation must be completed before End is called. 38 | End() 39 | 40 | // AddAttribute adds a key value pair to the transaction event, errors, 41 | // and traces. 42 | // 43 | // The key must contain fewer than than 255 bytes. The value must be a 44 | // number, string, or boolean. 45 | AddAttribute(key string, value interface{}) 46 | 47 | NewSegment(r *http.Request) Segment 48 | 49 | NewSegmentByName(name string) Segment 50 | 51 | NoticeError(err error) 52 | } 53 | 54 | // Segment is used to instrument functions, methods, and blocks of code 55 | type Segment interface { 56 | End() 57 | } 58 | 59 | // Empty implementation 60 | type monitor struct{} 61 | type transaction struct{} 62 | type segment struct{} 63 | 64 | // NewEmpty a noop monitor implementation 65 | func NewEmpty() Monitor { 66 | return &monitor{} 67 | } 68 | 69 | // Monitor 70 | func (m *monitor) NewTransaction(name string) Transaction { 71 | return &transaction{} 72 | } 73 | 74 | func (m *monitor) NewTransactionFromContext(ctx context.Context) Transaction { 75 | return &transaction{} 76 | } 77 | 78 | func (m *monitor) NewRoundTripper(rt http.RoundTripper) http.RoundTripper { 79 | return rt 80 | } 81 | 82 | func (m *monitor) NewGorillaMiddleware() gorillamux.MiddlewareFunc { 83 | return func(h http.Handler) http.Handler { 84 | return h 85 | } 86 | } 87 | 88 | // Transaction 89 | func (t *transaction) NewSegment(r *http.Request) Segment { 90 | return &segment{} 91 | } 92 | 93 | func (t *transaction) NewSegmentByName(name string) Segment { 94 | return &segment{} 95 | } 96 | 97 | func (t *transaction) AddAttribute(key string, val interface{}) {} 98 | 99 | func (t *transaction) End() {} 100 | 101 | func (t *transaction) NoticeError(err error) {} 102 | 
103 | // Segment 104 | func (s *segment) End() {} 105 | -------------------------------------------------------------------------------- /venona/cmd/start_test.go: -------------------------------------------------------------------------------- 1 | // Copyright 2020 The Codefresh Authors. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package cmd 16 | 17 | import ( 18 | "context" 19 | "os" 20 | "os/signal" 21 | "syscall" 22 | "testing" 23 | "time" 24 | 25 | "github.com/codefresh-io/go/venona/pkg/logger" 26 | 27 | "github.com/stretchr/testify/assert" 28 | ) 29 | 30 | func Test_handleSignals(t *testing.T) { 31 | tests := map[string]struct { 32 | fakeSigs []os.Signal 33 | expectExit bool 34 | expectForceExit bool 35 | stopDelay time.Duration 36 | }{ 37 | "should start graceful termination on SIGTERM": { 38 | fakeSigs: []os.Signal{syscall.SIGTERM}, 39 | expectExit: true, 40 | expectForceExit: false, 41 | stopDelay: time.Duration(0), 42 | }, 43 | "should start graceful termination on SIGINT": { 44 | fakeSigs: []os.Signal{syscall.SIGINT}, 45 | expectExit: true, 46 | expectForceExit: false, 47 | stopDelay: time.Duration(0), 48 | }, 49 | "should do forced exit when received two SIGINT signals": { 50 | fakeSigs: []os.Signal{syscall.SIGINT, syscall.SIGINT}, 51 | expectExit: true, 52 | expectForceExit: true, 53 | stopDelay: time.Millisecond * 100, 54 | }, 55 | } 56 | for name, tt := range tests { 57 | t.Run(name, 
func(t *testing.T) { 58 | // prepare mocks 59 | var sigChan chan<- os.Signal 60 | forcedExit := false 61 | serverExit := make(chan struct{}, 1) 62 | agentExit := make(chan struct{}, 1) 63 | 64 | handleSignal = func(c chan<- os.Signal, _ ...os.Signal) { 65 | sigChan = c 66 | } 67 | 68 | serverStopFunc := func(ctx context.Context) error { 69 | select { 70 | case <-ctx.Done(): 71 | forcedExit = true 72 | case <-time.After(tt.stopDelay): // delay exit 73 | } 74 | 75 | serverExit <- struct{}{} 76 | return nil 77 | } 78 | agentStopFunc := func() error { 79 | time.Sleep(tt.stopDelay) // delay the termination 80 | 81 | agentExit <- struct{}{} 82 | return nil 83 | } 84 | 85 | ctx := context.Background() 86 | ctx = withSignals(ctx, serverStopFunc, agentStopFunc, logger.New(logger.Options{})) 87 | 88 | for _, sig := range tt.fakeSigs { 89 | sigChan <- sig 90 | } 91 | 92 | if tt.expectExit { 93 | // wait 94 | <-serverExit 95 | <-agentExit 96 | } 97 | 98 | <-time.After(time.Millisecond * 1000) 99 | select { 100 | case <-ctx.Done(): 101 | assert.True(t, tt.expectExit) 102 | assert.Equal(t, tt.expectForceExit, forcedExit) 103 | default: 104 | assert.False(t, tt.expectExit) 105 | assert.False(t, tt.expectForceExit) 106 | } 107 | }) 108 | } 109 | 110 | // cleanup 111 | handleSignal = signal.Notify 112 | } 113 | -------------------------------------------------------------------------------- /charts/cf-runtime/templates/_components/runner/_deployment.yaml: -------------------------------------------------------------------------------- 1 | {{- define "runner.resources.deployment" -}} 2 | {{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }} 3 | apiVersion: apps/v1 4 | kind: Deployment 5 | metadata: 6 | name: {{ include "runner.fullname" . }} 7 | labels: 8 | {{- include "runner.labels" . 
| nindent 4 }} 9 | spec: 10 | replicas: {{ .Values.replicasCount }} 11 | strategy: 12 | type: {{ .Values.updateStrategy.type }} 13 | selector: 14 | matchLabels: 15 | {{- include "runner.selectorLabels" . | nindent 6 }} 16 | template: 17 | metadata: 18 | labels: 19 | {{- include "runner.selectorLabels" . | nindent 8 }} 20 | {{- with .Values.podAnnotations }} 21 | annotations: 22 | {{- toYaml . | nindent 8 }} 23 | {{- end }} 24 | spec: 25 | {{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }} 26 | serviceAccountName: {{ include "runner.serviceAccountName" . }} 27 | {{- if .Values.podSecurityContext.enabled }} 28 | securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} 29 | {{- end }} 30 | initContainers: 31 | - name: init 32 | image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.init.image "context" .) }} 33 | imagePullPolicy: {{ .Values.init.image.pullPolicy | default "IfNotPresent" }} 34 | command: 35 | - /bin/bash 36 | args: 37 | - -ec 38 | - | 39 | {{- .Files.Get "files/init-runtime.sh" | nindent 10 }} 40 | env: 41 | {{- include "runner-init.environment-variables" . | nindent 8 }} 42 | {{- with .Values.init.resources }} 43 | resources: 44 | {{- toYaml . | nindent 10 }} 45 | {{- end }} 46 | containers: 47 | - name: runner 48 | image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }} 49 | imagePullPolicy: {{ .Values.image.pullPolicy | default "IfNotPresent" }} 50 | env: 51 | {{- include "runner.environment-variables" . 
| nindent 8 }} 52 | ports: 53 | - name: http 54 | containerPort: 8080 55 | readinessProbe: 56 | initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} 57 | periodSeconds: {{ .Values.readinessProbe.periodSeconds }} 58 | timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} 59 | successThreshold: {{ .Values.readinessProbe.successThreshold }} 60 | failureThreshold: {{ .Values.readinessProbe.failureThreshold }} 61 | httpGet: 62 | path: /health 63 | port: http 64 | {{- with .Values.resources }} 65 | resources: 66 | {{- toYaml . | nindent 10 }} 67 | {{- end }} 68 | {{- with .Values.extraVolumeMounts }} 69 | volumeMounts: 70 | {{- toYaml . | nindent 8 }} 71 | {{- end }} 72 | {{- with .Values.nodeSelector }} 73 | nodeSelector: 74 | {{- toYaml . | nindent 8 }} 75 | {{- end }} 76 | {{- with .Values.affinity }} 77 | affinity: 78 | {{- toYaml . | nindent 8 }} 79 | {{- end }} 80 | {{- with .Values.tolerations }} 81 | tolerations: 82 | {{- toYaml . | nindent 6 }} 83 | {{- end }} 84 | {{- with .Values.extraVolumes }} 85 | volumes: 86 | {{- toYaml . | nindent 6 }} 87 | {{- end }} 88 | {{- end -}} 89 | -------------------------------------------------------------------------------- /venona/pkg/config/loader.go: -------------------------------------------------------------------------------- 1 | // Copyright 2020 The Codefresh Authors. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 
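package config

import (
	"os"
	"path/filepath"
	"regexp"

	"github.com/codefresh-io/go/venona/pkg/logger"

	"gopkg.in/yaml.v2"
)

// Filesystem indirections so tests can substitute fakes.
var (
	readfile     = os.ReadFile
	walkFilePath = filepath.Walk
)

type (
	// Config used to define the connectivity to remote clusters.
	//
	// SECURITY: Cert and Token are credentials. Never log a Config with
	// %v/%+v or dump it into diagnostics; log only the file path it came from.
	Config struct {
		Type  string `yaml:"type" json:"type"`
		Cert  string `yaml:"crt" json:"crt"`
		Token string `yaml:"token" json:"token"`
		Host  string `yaml:"host" json:"host"`
		Name  string `yaml:"name" json:"name"`
	}

	// Options to load the config
	Options struct {
		Logger logger.Logger
		Dir    string
	}
)

// Load walks dir (recursively; filepath.Walk does not follow symlinked
// directories) and parses every regular file whose base name matches
// pattern, a Go regexp, as a Config.
//
// The result is keyed by each file's full path, so entries cannot collide.
// Files that cannot be read or parsed are logged and skipped; only an invalid
// pattern or a failure to start the walk is returned as an error.
func Load(dir string, pattern string, logger logger.Logger) (map[string]Config, error) {
	// Named re, not regexp: the original shadowed the regexp package.
	re, err := regexp.Compile(pattern)
	if err != nil {
		return nil, err
	}

	var files []string
	if err := walkFilePath(dir, visit(&files, re, logger)); err != nil {
		return nil, err
	}

	return buildConfigMap(files, logger)
}

// visit returns the WalkFunc that appends matching file paths to files.
//
// Walk errors (unreadable entries, permission denied) are logged and
// swallowed so a single bad entry does not abort the whole load. Directories
// are descended into but never matched; the regexp is applied to the base
// name only, not the full path.
func visit(files *[]string, re *regexp.Regexp, log logger.Logger) filepath.WalkFunc {
	return func(path string, info os.FileInfo, err error) error {
		if err != nil {
			// info may be nil when err is set; return before dereferencing it.
			log.Error("Failed to visit", "path", path, "err", err.Error())
			return nil
		}

		if info.IsDir() {
			log.Debug("Directory ignored, Venona loading only files that are mached to regexp", "regexp", re.String(), "dir", info.Name())
			return nil
		}

		if !re.MatchString(info.Name()) {
			log.Debug("File ignored, regexp does not match", "regexp", re.String(), "file", info.Name())
			return nil
		}

		*files = append(*files, path)
		return nil
	}
}

// unmarshalConfig decodes one YAML document into a Config.
// On a decode error the partially filled struct is returned with the error.
// The input is an operator-controlled file on local disk, not network data.
func unmarshalConfig(data []byte) (Config, error) {
	cnf := Config{}
	if err := yaml.Unmarshal(data, &cnf); err != nil {
		return cnf, err
	}

	return cnf, nil
}

// buildConfigMap reads and decodes every path in files, keyed by path.
//
// Read and decode failures are logged — path and error only, never the file
// content, which may hold a token — and that file is skipped. The error
// return is always nil and is kept for interface stability.
func buildConfigMap(files []string, logger logger.Logger) (map[string]Config, error) {
	result := make(map[string]Config, len(files))
	for _, file := range files {
		b, err := readfile(file)
		if err != nil {
			logger.Error("Failed to read file content", "file", file, "err", err.Error())
			continue
		}

		cnf, err := unmarshalConfig(b)
		if err != nil {
			logger.Error("Failed to unmarshal file content into struct", "file", file, "err", err.Error())
			continue
		}

		result[file] = cnf
	}

	return result, nil
}
--------------------------------------------------------------------------------
/charts/cf-runtime/templates/_components/volume-provisioner/_env-vars.yaml:
--------------------------------------------------------------------------------
{{- define "dind-volume-provisioner.environment-variables.defaults" }}
{{- end }}

{{- define "dind-volume-provisioner.environment-variables.calculated" }}
DOCKER_REGISTRY: {{ .Values.global.imageRegistry }}
PROVISIONER_NAME: {{ include "dind-volume-provisioner.volumeProvisionerName" . }}

{{- if or .Values.storage.ebs.accessKeyId .Values.storage.ebs.accessKeyIdSecretKeyRef }}
AWS_ACCESS_KEY_ID:
{{- if .Values.storage.ebs.accessKeyId }}
  valueFrom:
    secretKeyRef:
      name: {{ include "dind-volume-provisioner.fullname" .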
}} 14 | key: aws_access_key_id 15 | {{- else if .Values.storage.ebs.accessKeyIdSecretKeyRef }} 16 | valueFrom: 17 | secretKeyRef: 18 | {{- .Values.storage.ebs.accessKeyIdSecretKeyRef | toYaml | nindent 6 }} 19 | {{- end }} 20 | {{- end }} 21 | 22 | {{- if or .Values.storage.ebs.secretAccessKey .Values.storage.ebs.secretAccessKeySecretKeyRef }} 23 | AWS_SECRET_ACCESS_KEY: 24 | {{- if .Values.storage.ebs.secretAccessKey }} 25 | valueFrom: 26 | secretKeyRef: 27 | name: {{ include "dind-volume-provisioner.fullname" . }} 28 | key: aws_secret_access_key 29 | {{- else if .Values.storage.ebs.secretAccessKeySecretKeyRef }} 30 | valueFrom: 31 | secretKeyRef: 32 | {{- .Values.storage.ebs.secretAccessKeySecretKeyRef | toYaml | nindent 6 }} 33 | {{- end }} 34 | {{- end }} 35 | 36 | {{- if or .Values.storage.gcedisk.serviceAccountJson .Values.storage.gcedisk.serviceAccountJsonSecretKeyRef }} 37 | GOOGLE_APPLICATION_CREDENTIALS: {{ printf "/etc/dind-volume-provisioner/credentials/%s" (.Values.storage.gcedisk.serviceAccountJsonSecretKeyRef.key | default "google-service-account.json") }} 38 | {{- end }} 39 | 40 | {{- if and .Values.storage.mountAzureJson }} 41 | AZURE_CREDENTIAL_FILE: /etc/kubernetes/azure.json 42 | CLOUDCONFIG_AZURE: /etc/kubernetes/azure.json 43 | {{- end }} 44 | 45 | {{- end }} 46 | 47 | {{- define "dind-volume-provisioner.environment-variables" }} 48 | {{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }} 49 | {{- $defaults := (include "dind-volume-provisioner.environment-variables.defaults" . | fromYaml) }} 50 | {{- $calculated := (include "dind-volume-provisioner.environment-variables.calculated" . | fromYaml) }} 51 | {{- $overrides := .Values.env }} 52 | {{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }} 53 | {{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) 
}} 54 | {{- end }} 55 | 56 | 57 | {{- define "dind-volume-provisioner.volumes.calculated" }} 58 | {{- if .Values.storage.gcedisk.serviceAccountJson }} 59 | - name: credentials 60 | secret: 61 | secretName: {{ include "dind-volume-provisioner.fullname" . }} 62 | optional: true 63 | {{- else if .Values.storage.gcedisk.serviceAccountJsonSecretKeyRef }} 64 | - name: credentials 65 | secret: 66 | secretName: {{ .Values.storage.gcedisk.serviceAccountJsonSecretKeyRef.name }} 67 | optional: true 68 | {{- end }} 69 | {{- if .Values.storage.mountAzureJson }} 70 | - name: azure-json 71 | hostPath: 72 | path: /etc/kubernetes/azure.json 73 | type: File 74 | {{- end }} 75 | {{- end }} 76 | 77 | {{- define "dind-volume-provisioner.volumeMounts.calculated" }} 78 | {{- if or .Values.storage.gcedisk.serviceAccountJson .Values.storage.gcedisk.serviceAccountJsonSecretKeyRef }} 79 | - name: credentials 80 | readOnly: true 81 | mountPath: "/etc/dind-volume-provisioner/credentials" 82 | {{- end }} 83 | {{- if .Values.storage.mountAzureJson }} 84 | - name: azure-json 85 | readOnly: true 86 | mountPath: "/etc/kubernetes/azure.json" 87 | {{- end }} 88 | {{- end }} 89 | -------------------------------------------------------------------------------- /venona/pkg/codefresh/codefresh_test.go: -------------------------------------------------------------------------------- 1 | // Copyright 2020 The Codefresh Authors. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package codefresh 16 | 17 | import ( 18 | "net/http" 19 | "net/url" 20 | "testing" 21 | 22 | "github.com/stretchr/testify/assert" 23 | ) 24 | 25 | func mustURL(u string) *url.URL { 26 | r, err := url.Parse(u) 27 | if err != nil { 28 | panic(err) 29 | } 30 | return r 31 | } 32 | 33 | func TestNew(t *testing.T) { 34 | tests := map[string]struct { 35 | opts Options 36 | want Codefresh 37 | }{ 38 | "Build client with default host": { 39 | want: &cf{ 40 | host: defaultHost, 41 | httpClient: &http.Client{}, 42 | }, 43 | }, 44 | "Build client with given host": { 45 | opts: Options{ 46 | Host: "http://host.com", 47 | }, 48 | want: &cf{ 49 | host: "http://host.com", 50 | httpClient: &http.Client{}, 51 | }, 52 | }, 53 | } 54 | for name, tt := range tests { 55 | t.Run(name, func(t *testing.T) { 56 | got := New(tt.opts) 57 | assert.Equal(t, tt.want.Host(), got.Host()) 58 | }) 59 | } 60 | } 61 | 62 | func Test_cf_prepareURL(t *testing.T) { 63 | type args struct { 64 | host string 65 | token string 66 | agentID string 67 | httpClient RequestDoer 68 | } 69 | tests := map[string]struct { 70 | fields args 71 | paths []string 72 | query map[string]string 73 | want *url.URL 74 | wantErr bool 75 | }{ 76 | "Reject when parsing the URL faile": { 77 | fields: args{ 78 | host: "123://sdd", 79 | }, 80 | wantErr: true, 81 | }, 82 | "Append path to the host": { 83 | paths: []string{"123", "123"}, 84 | fields: args{ 85 | host: "http://url", 86 | }, 87 | wantErr: false, 88 | want: mustURL("http://url/123/123"), 89 | }, 90 | "Escape paths": { 91 | paths: []string{"docker:desktop/server"}, 92 | fields: args{ 93 | host: "http://url", 94 | }, 95 | wantErr: false, 96 | want: mustURL("http://url/docker:desktop%2Fserver"), 97 | }, 98 | "Append query": { 99 | query: map[string]string{ 100 | "key": "value", 101 | "keyTwo": "valueTwo", 102 | }, 103 | paths: 
[]string{"docker:desktop/server"}, 104 | fields: args{ 105 | host: "http://url", 106 | }, 107 | wantErr: false, 108 | want: mustURL("http://url/docker:desktop%2Fserver?key=value&keyTwo=valueTwo"), 109 | }, 110 | "Escape query": { 111 | query: map[string]string{ 112 | "ke+y": "va+lu=e", 113 | }, 114 | paths: []string{"docker:desktop/server"}, 115 | fields: args{ 116 | host: "http://url", 117 | }, 118 | wantErr: false, 119 | want: mustURL("http://url/docker:desktop%2Fserver?ke%2By=va%2Blu%3De"), 120 | }, 121 | } 122 | for name, tt := range tests { 123 | t.Run(name, func(t *testing.T) { 124 | c := cf{ 125 | host: tt.fields.host, 126 | token: tt.fields.token, 127 | agentID: tt.fields.agentID, 128 | httpClient: tt.fields.httpClient, 129 | } 130 | url, err := c.prepareURL(tt.query, tt.paths...) 131 | if tt.wantErr { 132 | assert.Error(t, err) 133 | } 134 | if tt.want != nil { 135 | assert.Equal(t, tt.want.String(), url.String()) 136 | } 137 | }) 138 | } 139 | } 140 | -------------------------------------------------------------------------------- /charts/cf-runtime/tests/runtime/runtime_values.yaml: -------------------------------------------------------------------------------- 1 | runtime: 2 | dind: 3 | image: 4 | tag: tagoverride 5 | pullPolicy: Always 6 | digest: "" 7 | resources: 8 | requests: null 9 | limits: 10 | cpu: 1000m 11 | memory: 2048Mi 12 | pvcs: 13 | dind: 14 | name: dind 15 | storageClassName: my-custom-storage-class 16 | volumeSize: 8Gi 17 | reuseVolumeSelector: 'codefresh-app,io.codefresh.accountName' 18 | reuseVolumeSortOrder: pipeline_id 19 | env: 20 | ALICE: BOB 21 | INT_AS_STRING: "123" 22 | FLOAT: 12.34 23 | podAnnotations: 24 | karpenter.sh/do-not-evict: 'true' 25 | podLabels: 26 | key: dind 27 | nodeSelector: 28 | topology.kubernetes.io/zone: us-east-1a 29 | affinity: 30 | nodeAffinity: 31 | requiredDuringSchedulingIgnoredDuringExecution: 32 | nodeSelectorTerms: 33 | - matchExpressions: 34 | - key: app 35 | operator: In 36 | values: 37 | - dind 
38 | tolerations: 39 | - effect: NoSchedule 40 | key: codefresh.io 41 | operator: Equal 42 | value: dinds 43 | serviceAccount: service-account-override 44 | userVolumeMounts: 45 | my-cert: 46 | name: cert 47 | mountPath: /etc/ssl/cert 48 | readOnly: true 49 | userVolumes: 50 | my-cert: 51 | name: cert 52 | secret: 53 | secretName: tls-secret 54 | 55 | engine: 56 | image: 57 | tag: tagoverride 58 | pullPolicy: Always 59 | digest: "sha256:123" 60 | command: 61 | - one 62 | - two 63 | - three 64 | resources: 65 | requests: 66 | cpu: 200m 67 | memory: 256Mi 68 | limits: 69 | cpu: 200m 70 | memory: 256Mi 71 | runtimeImages: 72 | # check legacy way to specify runtime images 73 | COMPOSE_IMAGE: quay.io/codefresh/compose:tagoverrideold 74 | compose: 75 | tag: tagoverridenew 76 | digest: "" 77 | container-logger: 78 | tag: tagoverride 79 | digest: "sha256:123" 80 | default-qemu: 81 | tag: tagoverride 82 | digest: "" 83 | docker-builder: 84 | tag: tagoverride 85 | digest: "" 86 | docker-puller: 87 | tag: tagoverride 88 | digest: "" 89 | docker-pusher: 90 | tag: tagoverride 91 | digest: "" 92 | docker-tag-pusher: 93 | tag: tagoverride 94 | digest: "" 95 | fs-ops: 96 | tag: tagoverride 97 | digest: "" 98 | git-cloner: 99 | tag: tagoverride 100 | digest: "" 101 | kube-deploy: 102 | tag: tagoverride 103 | digest: "" 104 | pipeline-debugger: 105 | tag: tagoverride 106 | digest: "" 107 | template-engine: 108 | tag: tagoverride 109 | digest: "" 110 | alpine: 111 | tag: tagoverride 112 | digest: "" 113 | gc-builder: 114 | tag: tagoverride 115 | digest: "" 116 | cosign-image-signer: 117 | tag: tagoverride 118 | digest: "" 119 | env: 120 | FOO: BAR 121 | INT_AS_STRING: "123" 122 | FLOAT: 12.34 123 | TRUSTED_QEMU_IMAGES: 'my-registry/tonistiigi/binfmt' 124 | userEnvVars: 125 | - name: ALICE 126 | valueFrom: 127 | secretKeyRef: 128 | name: alice-secret 129 | key: token 130 | podAnnotations: 131 | karpenter.sh/do-not-evict: 'true' 132 | podLabels: 133 | key: engine 134 | nodeSelector: 
135 | topology.kubernetes.io/zone: us-east-1a 136 | affinity: 137 | nodeAffinity: 138 | requiredDuringSchedulingIgnoredDuringExecution: 139 | nodeSelectorTerms: 140 | - matchExpressions: 141 | - key: app 142 | operator: In 143 | values: 144 | - engine 145 | tolerations: 146 | - effect: NoSchedule 147 | key: codefresh.io 148 | operator: Equal 149 | value: engine 150 | serviceAccount: service-account-override 151 | -------------------------------------------------------------------------------- /charts/cf-runtime/templates/_components/volume-provisioner/_daemonset.yaml: -------------------------------------------------------------------------------- 1 | {{- define "dind-volume-provisioner.resources.daemonset" -}} 2 | {{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }} 3 | {{ $localVolumeParentDir := .Values.storage.local.volumeParentDir }} 4 | {{- if eq .Values.storage.backend "local" }} 5 | --- 6 | apiVersion: apps/v1 7 | kind: DaemonSet 8 | metadata: 9 | name: {{ include "dind-lv-monitor.fullname" . }} 10 | labels: 11 | {{- include "dind-lv-monitor.labels" . | nindent 4 }} 12 | spec: 13 | selector: 14 | matchLabels: 15 | {{- include "dind-lv-monitor.selectorLabels" . | nindent 6 }} 16 | template: 17 | metadata: 18 | labels: 19 | {{- include "dind-lv-monitor.selectorLabels" . | nindent 8 }} 20 | {{- with .Values.podAnnotations }} 21 | annotations: 22 | {{- toYaml . | nindent 8 }} 23 | {{- end }} 24 | spec: 25 | {{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }} 26 | serviceAccountName: {{ include "dind-volume-provisioner.serviceAccountName" . 
}} 27 | {{- if .Values.podSecurityContext.enabled }} 28 | securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} 29 | {{- end }} 30 | {{- if .Values.volumePermissions.enabled }} 31 | initContainers: 32 | - name: volume-permissions 33 | image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.volumePermissions.image "context" .) }} 34 | imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | default "Always" }} 35 | command: 36 | - /bin/sh 37 | args: 38 | - -ec 39 | - | 40 | chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} {{ $localVolumeParentDir }} 41 | volumeMounts: 42 | - mountPath: {{ $localVolumeParentDir }} 43 | name: dind-volume-dir 44 | {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} 45 | securityContext: {{- omit .Values.volumePermissions.securityContext "runAsUser" | toYaml | nindent 10 }} 46 | {{- else }} 47 | securityContext: {{- .Values.volumePermissions.securityContext | toYaml | nindent 10 }} 48 | {{- end }} 49 | resources: 50 | {{- toYaml .Values.volumePermissions.resources | nindent 10 }} 51 | {{- end }} 52 | containers: 53 | - name: dind-lv-monitor 54 | image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }} 55 | imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }} 56 | {{- if .Values.containerSecurityContext.enabled }} 57 | securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} 58 | {{- end }} 59 | command: 60 | - /home/dind-volume-utils/bin/local-volumes-agent 61 | env: 62 | {{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" .Values.env "context" .) 
| nindent 10 }} 63 | - name: NODE_NAME 64 | valueFrom: 65 | fieldRef: 66 | fieldPath: spec.nodeName 67 | - name: VOLUME_PARENT_DIR 68 | value: {{ $localVolumeParentDir }} 69 | resources: 70 | {{- toYaml .Values.resources | nindent 10 }} 71 | volumeMounts: 72 | - mountPath: {{ $localVolumeParentDir }} 73 | readOnly: false 74 | name: dind-volume-dir 75 | {{- with .Values.extraVolumeMounts }} 76 | {{- toYaml . | nindent 8 }} 77 | {{- end }} 78 | {{- with .Values.nodeSelector }} 79 | nodeSelector: 80 | {{- toYaml . | nindent 8 }} 81 | {{- end }} 82 | {{- with .Values.affinity }} 83 | affinity: 84 | {{- toYaml . | nindent 8 }} 85 | {{- end }} 86 | {{- with .Values.tolerations }} 87 | tolerations: 88 | {{- toYaml . | nindent 6 }} 89 | {{- end }} 90 | volumes: 91 | - name: dind-volume-dir 92 | hostPath: 93 | path: {{ $localVolumeParentDir }} 94 | {{- with .Values.extraVolumes }} 95 | {{- toYaml . | nindent 6 }} 96 | {{- end }} 97 | {{- end }} 98 | {{- end -}} 99 | -------------------------------------------------------------------------------- /charts/cf-runtime/templates/hooks/post-install/job-update-runtime.yaml: -------------------------------------------------------------------------------- 1 | {{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }} 2 | {{ $values := .Values.runtime.patch.hook }} 3 | {{- if and .Values.runtime.patch.enabled $values.enabled }} 4 | --- 5 | apiVersion: batch/v1 6 | kind: Job 7 | metadata: 8 | name: {{ coalesce .Values.runtime.patch.name (printf "%s-runtime-patch" (include "runtime.fullname" .)) }} 9 | labels: 10 | {{- include "runtime.labels" . | nindent 4 }} 11 | annotations: 12 | helm.sh/hook: post-install,post-upgrade 13 | helm.sh/hook-weight: "5" 14 | helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded 15 | {{- with $values.annotations }} 16 | {{- toYaml . | nindent 4 }} 17 | {{- end }} 18 | spec: 19 | {{- with $values.ttlSecondsAfterFinished }} 20 | ttlSecondsAfterFinished: {{ . 
}} 21 | {{- end }} 22 | {{- with $values.backoffLimit }} 23 | backoffLimit: {{ . | int }} 24 | {{- end }} 25 | template: 26 | metadata: 27 | name: {{ coalesce .Values.runtime.patch.name (printf "%s-runtime-patch" (include "runtime.fullname" .)) }} 28 | labels: 29 | {{- include "runtime.labels" . | nindent 8 }} 30 | spec: 31 | securityContext: 32 | {{- toYaml $values.podSecurityContext | nindent 8 }} 33 | containers: 34 | - name: patch-runtime 35 | image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" $values.image "context" .) }} 36 | imagePullPolicy: {{ $values.image.pullPolicy | default "Always" }} 37 | command: 38 | - "/bin/bash" 39 | args: 40 | - -ec 41 | - | 42 | {{- .Files.Get "files/patch-runtime.sh" | nindent 10 }} 43 | env: 44 | - name: API_KEY 45 | {{- include "runtime.installation-token-env-var-value" . | indent 10}} 46 | - name: API_HOST 47 | value: {{ include "runtime.runtime-environment-spec.codefresh-host" . }} 48 | - name: AGENT 49 | value: {{ .Values.runtime.agent | quote | default "true" }} 50 | {{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $values.env "context" .) | nindent 8 }} 51 | volumeMounts: 52 | - name: runtime-config 53 | mountPath: /opt/codefresh/{{ include "runtime.runtime-environment-spec.runtime-filename-normalized" (dict "context" . "runtimeName" (include "runtime.runtime-environment-spec.runtime-name" .)) }} 54 | subPath: {{ include "runtime.runtime-environment-spec.runtime-filename-normalized" (dict "context" . "runtimeName" (include "runtime.runtime-environment-spec.runtime-name" .)) }} 55 | {{- range $runtimeIndex, $runtimeItem := .Values.extraRuntimes }} 56 | - name: {{ printf "%s-runtime-config" ( include "runtime.runtime-environment-spec.runtime-name-normalized" (dict "context" . "runtimeName" $runtimeItem.runtimeName) ) }} 57 | mountPath: /opt/codefresh/runtime.d/system/{{ include "runtime.runtime-environment-spec.runtime-filename-normalized" (dict "context" . 
"runtimeName" $runtimeItem.runtimeName) }} 58 | subPath: {{ include "runtime.runtime-environment-spec.runtime-filename-normalized" (dict "context" . "runtimeName" $runtimeItem.runtimeName) }} 59 | {{- end }} 60 | {{- with $values.nodeSelector }} 61 | nodeSelector: 62 | {{- toYaml . | nindent 8 }} 63 | {{- end }} 64 | {{- with $values.affinity }} 65 | affinity: 66 | {{- toYaml . | nindent 8 }} 67 | {{- end }} 68 | {{- with $values.tolerations }} 69 | tolerations: 70 | {{- toYaml . | nindent 6 }} 71 | {{- end }} 72 | volumes: 73 | - name: runtime-config 74 | configMap: 75 | name: {{ include "runtime.runtime-environment-spec.runtime-name-normalized" (dict "context" . "runtimeName" (include "runtime.runtime-environment-spec.runtime-name" .)) }}-runtime-config 76 | {{- range $runtimeIndex, $runtimeItem := .Values.extraRuntimes }} 77 | - name: {{ printf "%s-runtime-config" ( include "runtime.runtime-environment-spec.runtime-name-normalized" (dict "context" . "runtimeName" $runtimeItem.runtimeName) ) }} 78 | configMap: 79 | name: {{ printf "%s-runtime-config" ( include "runtime.runtime-environment-spec.runtime-name-normalized" (dict "context" . 
"runtimeName" $runtimeItem.runtimeName) ) }} 80 | {{- end }} 81 | restartPolicy: OnFailure 82 | {{- end }} 83 | -------------------------------------------------------------------------------- /venona/go.mod: -------------------------------------------------------------------------------- 1 | module github.com/codefresh-io/go/venona 2 | 3 | go 1.25 4 | 5 | require ( 6 | github.com/gorilla/mux v1.8.1 7 | github.com/hashicorp/go-retryablehttp v0.7.8 8 | github.com/inconshreveable/log15 v2.16.0+incompatible 9 | github.com/newrelic/go-agent/v3 v3.40.1 10 | github.com/newrelic/go-agent/v3/integrations/nrgorilla v1.2.5 11 | github.com/prometheus/client_golang v1.23.2 12 | github.com/spf13/cobra v1.10.1 13 | github.com/spf13/pflag v1.0.10 14 | github.com/spf13/viper v1.21.0 15 | github.com/stretchr/objx v0.5.2 16 | github.com/stretchr/testify v1.11.1 17 | gopkg.in/yaml.v2 v2.4.0 18 | k8s.io/api v0.34.1 19 | k8s.io/apimachinery v0.34.1 20 | k8s.io/client-go v0.34.1 21 | ) 22 | 23 | require ( 24 | github.com/beorn7/perks v1.0.1 // indirect 25 | github.com/cespare/xxhash/v2 v2.3.0 // indirect 26 | github.com/davecgh/go-spew v1.1.1 // indirect 27 | github.com/emicklei/go-restful/v3 v3.13.0 // indirect 28 | github.com/fsnotify/fsnotify v1.9.0 // indirect 29 | github.com/fxamacker/cbor/v2 v2.9.0 // indirect 30 | github.com/go-logr/logr v1.4.3 // indirect 31 | github.com/go-openapi/jsonpointer v0.22.0 // indirect 32 | github.com/go-openapi/jsonreference v0.21.1 // indirect 33 | github.com/go-openapi/swag v0.24.1 // indirect 34 | github.com/go-openapi/swag/cmdutils v0.24.0 // indirect 35 | github.com/go-openapi/swag/conv v0.24.0 // indirect 36 | github.com/go-openapi/swag/fileutils v0.24.0 // indirect 37 | github.com/go-openapi/swag/jsonname v0.24.0 // indirect 38 | github.com/go-openapi/swag/jsonutils v0.24.0 // indirect 39 | github.com/go-openapi/swag/loading v0.24.0 // indirect 40 | github.com/go-openapi/swag/mangling v0.24.0 // indirect 41 | 
github.com/go-openapi/swag/netutils v0.24.0 // indirect 42 | github.com/go-openapi/swag/stringutils v0.24.0 // indirect 43 | github.com/go-openapi/swag/typeutils v0.24.0 // indirect 44 | github.com/go-openapi/swag/yamlutils v0.24.0 // indirect 45 | github.com/go-stack/stack v1.8.1 // indirect 46 | github.com/go-viper/mapstructure/v2 v2.4.0 // indirect 47 | github.com/gogo/protobuf v1.3.2 // indirect 48 | github.com/google/gnostic-models v0.7.0 // indirect 49 | github.com/google/uuid v1.6.0 // indirect 50 | github.com/hashicorp/go-cleanhttp v0.5.2 // indirect 51 | github.com/inconshreveable/mousetrap v1.1.0 // indirect 52 | github.com/josharian/intern v1.0.0 // indirect 53 | github.com/json-iterator/go v1.1.12 // indirect 54 | github.com/mailru/easyjson v0.9.0 // indirect 55 | github.com/mattn/go-colorable v0.1.14 // indirect 56 | github.com/mattn/go-isatty v0.0.20 // indirect 57 | github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect 58 | github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect 59 | github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect 60 | github.com/pelletier/go-toml/v2 v2.2.4 // indirect 61 | github.com/pmezard/go-difflib v1.0.0 // indirect 62 | github.com/prometheus/client_model v0.6.2 // indirect 63 | github.com/prometheus/common v0.66.1 // indirect 64 | github.com/prometheus/procfs v0.17.0 // indirect 65 | github.com/sagikazarmark/locafero v0.11.0 // indirect 66 | github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 // indirect 67 | github.com/spf13/afero v1.15.0 // indirect 68 | github.com/spf13/cast v1.10.0 // indirect 69 | github.com/subosito/gotenv v1.6.0 // indirect 70 | github.com/x448/float16 v0.8.4 // indirect 71 | go.yaml.in/yaml/v2 v2.4.3 // indirect 72 | go.yaml.in/yaml/v3 v3.0.4 // indirect 73 | golang.org/x/net v0.44.0 // indirect 74 | golang.org/x/oauth2 v0.31.0 // indirect 75 | golang.org/x/sys v0.36.0 // indirect 76 | golang.org/x/term v0.35.0 // 
indirect 77 | golang.org/x/text v0.29.0 // indirect 78 | golang.org/x/time v0.13.0 // indirect 79 | google.golang.org/genproto/googleapis/rpc v0.0.0-20250908214217-97024824d090 // indirect 80 | google.golang.org/grpc v1.75.1 // indirect 81 | google.golang.org/protobuf v1.36.9 // indirect 82 | gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect 83 | gopkg.in/inf.v0 v0.9.1 // indirect 84 | gopkg.in/yaml.v3 v3.0.1 // indirect 85 | k8s.io/klog/v2 v2.130.1 // indirect 86 | k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect 87 | k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d // indirect 88 | sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect 89 | sigs.k8s.io/randfill v1.0.0 // indirect 90 | sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect 91 | sigs.k8s.io/yaml v1.6.0 // indirect 92 | ) 93 | -------------------------------------------------------------------------------- /venona/pkg/task/task.go: -------------------------------------------------------------------------------- 1 | // Copyright 2020 The Codefresh Authors. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 
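package task

import (
	"encoding/json"
	"sort"
	"time"

	"github.com/codefresh-io/go/venona/pkg/monitoring"
)

// Const for task types
const (
	TypeCreatePod Type = "CreatePod"
	TypeCreatePVC Type = "CreatePvc"
	TypeDeletePod Type = "DeletePod"
	TypeDeletePVC Type = "DeletePvc"
	TypeAgentTask Type = "AgentTask"
)

// Task status values reported back to the server.
const (
	StatusSuccess Status = "Success"
	StatusError   Status = "Error"
)

// typeOrder is the execution order used by SortByType. Hoisted out of the
// comparator so it is built once, not once per comparison. Types absent from
// the map (e.g. TypeAgentTask) get the zero value and therefore sort first.
var typeOrder = map[Type]int{
	TypeCreatePVC: 1,
	TypeCreatePod: 2,
	TypeDeletePod: 3,
	TypeDeletePVC: 4,
}

type (
	// Tasks array
	Tasks []Task

	// Type of the task
	Type string

	// Status : Task status
	Status string

	// Task options, as received from the server.
	//
	// Spec is left untyped on purpose: its shape depends on Type and callers
	// must type-assert and validate it before acting on it.
	Task struct {
		Id       string      `json:"_id"`
		Type     Type        `json:"type"`
		Metadata Metadata    `json:"metadata"`
		Spec     interface{} `json:"spec"`

		// only used in AgentTasks; not part of the wire format
		Timeline Timeline
	}

	// Metadata options
	Metadata struct {
		// CreatedAt is a server-supplied timestamp string; GetLatency parses it
		// as RFC3339 and Less compares it lexically.
		CreatedAt             string `json:"createdAt"`
		ReName                string `json:"reName"`
		WorkflowId            string `json:"workflowId"`
		CurrentStatusRevision int    `json:"currentStatusRevision"`
		ShouldReportStatus    bool   `json:"shouldReportStatus"`
	}

	// Timeline values: when the runner pulled and started the task.
	Timeline struct {
		Pulled  time.Time
		Started time.Time
	}

	// AgentTask describes a task of type "AgentTask"
	AgentTask struct {
		Type   string                 `json:"type"`
		Params map[string]interface{} `json:"params"`
	}

	// TaskStatus is the status report sent back to the server for one task.
	TaskStatus struct {
		Status         Status    `json:"status"`
		OccurredAt     time.Time `json:"occurredAt"`
		StatusRevision int       `json:"statusRevision"`
		IsRetriable    bool      `json:"isRetriable"`
		Reason         string    `json:"reason,omitempty"`
	}
)

// UnmarshalTasks decodes a JSON array of tasks from the server.
// On error the partially decoded slice is returned alongside the error.
func UnmarshalTasks(data []byte) (Tasks, error) {
	var r Tasks
	err := json.Unmarshal(data, &r)
	return r, err
}

// Marshal tasks as a JSON array.
func (r *Tasks) Marshal() ([]byte, error) {
	return json.Marshal(r)
}

// Marshal a status report as JSON.
func (r *TaskStatus) Marshal() ([]byte, error) {
	return json.Marshal(r)
}

// Less compares two tasks by their CreatedAt values.
//
// The comparison is lexical, which only orders correctly while both strings
// share the same layout and UTC offset (as RFC3339 with "Z" does). Values in
// differing offsets or layouts are not compared chronologically — confirm
// against what the server emits.
func Less(task1 Task, task2 Task) bool {
	return task1.Metadata.CreatedAt < task2.Metadata.CreatedAt
}

// NewTaskTransaction creates a new transaction with task-specific attributes
func NewTaskTransaction(monitor monitoring.Monitor, m Metadata) monitoring.Transaction {
	txn := monitor.NewTransaction("runner-tasks-execution")
	txn.AddAttribute("tid", m.WorkflowId)
	txn.AddAttribute("runtime-environment", m.ReName)
	return txn
}

// SortByType sorts the tasks in the specified order: TypeCreatePVC, TypeCreatePod, TypeDeletePod, TypeDeletePVC.
// The sort is stable, so tasks of the same type keep their relative order;
// types not listed in typeOrder sort before all listed ones.
func SortByType(tasks []*Task) {
	sort.SliceStable(tasks, func(i, j int) bool {
		return typeOrder[tasks[i].Type] < typeOrder[tasks[j].Type]
	})
}

// GetLatency reports, relative to now: the time since the task was created on
// the server (Metadata.CreatedAt), since it was pulled by the runner, and
// since it started processing.
//
// CreatedAt comes from the server; if it is empty or not RFC3339, the parse
// error used to be discarded and sinceCreation became end.Sub(time.Time{}),
// a meaningless huge value. It is now reported as 0 so a malformed timestamp
// cannot poison latency metrics.
func (t *Task) GetLatency() (sinceCreation, inRunner, processed time.Duration) {
	end := time.Now()
	if created, err := time.Parse(time.RFC3339, t.Metadata.CreatedAt); err == nil {
		sinceCreation = end.Sub(created)
	}
	inRunner, processed = t.Timeline.GetLatency(end)
	return
}

// GetLatency returns how long ago, relative to end, the task was pulled and
// started. A zero Pulled/Started yields a huge value, as before.
func (t *Timeline) GetLatency(end time.Time) (inRunner, processed time.Duration) {
	inRunner = end.Sub(t.Pulled)
	processed = end.Sub(t.Started)
	return
}
--------------------------------------------------------------------------------
/charts/cf-runtime/templates/runtime/_helpers.tpl:
--------------------------------------------------------------------------------
{{/*
Expand the name of the chart.
*/}}
{{- define "runtime.name" -}}
{{- printf "%s" (include "cf-runtime.name" .)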
| trunc 63 | trimSuffix "-" }}
{{- end }}

{{/*
Fully qualified app name, delegated to the parent chart helper and cut to the
63-character limit that some Kubernetes name fields impose (DNS naming spec).
If the release name contains the chart name it is used as the full name.
*/}}
{{- define "runtime.fullname" -}}
{{- printf "%s" (include "cf-runtime.fullname" .) | trunc 63 | trimSuffix "-" }}
{{- end }}

{{/*
Common labels: the parent chart labels plus the runtime application marker.
*/}}
{{- define "runtime.labels" -}}
{{ include "cf-runtime.labels" . }}
codefresh.io/application: runtime
{{- end }}

{{/*
Selector labels: the parent chart selector labels plus the runtime application marker.
*/}}
{{- define "runtime.selectorLabels" -}}
{{ include "cf-runtime.selectorLabels" . }}
codefresh.io/application: runtime
{{- end }}

{{/*
Runtime image reference (classic runtime). When .registry is set, the
"quay.io/" prefix of .imageFullName is dropped and .registry is prepended;
an image from any other registry keeps its full name behind .registry.
*/}}
{{- define "runtime.runtimeImageName" -}}
{{- if .registry -}}
{{- $image := (trimPrefix "quay.io/" .imageFullName) -}}
{{- printf "%s/%s" .registry $image -}}
{{- else -}}
{{- printf "%s" .imageFullName -}}
{{- end -}}
{{- end -}}

{{/*
Environment variable value of the Codefresh installation token.
Emits a valueFrom/secretKeyRef block: either the chart-managed secret
(when global.codefreshToken is given) or the user-supplied secretKeyRef.
*/}}
{{- define "runtime.installation-token-env-var-value" -}}
{{- if .Values.global.codefreshToken }}
valueFrom:
  secretKeyRef:
    name: {{ include "runtime.installation-token-secret-name" . }}
    key: codefresh-api-token
{{- else if .Values.global.codefreshTokenSecretKeyRef }}
valueFrom:
  secretKeyRef:
    {{- .Values.global.codefreshTokenSecretKeyRef | toYaml | nindent 4 }}
{{- end }}
{{- end }}

{{/*
Environment variable value of the Codefresh agent token.
NOTE(review): the two branches emit different shapes - a bare YAML scalar for
global.agentToken, a valueFrom/secretKeyRef block for global.agentTokenSecretKeyRef -
so the caller presumably supplies the "value:" key in the first case; verify at the call sites.
*/}}
{{- define "runtime.agent-token-env-var-value" -}}
{{- if .Values.global.agentToken }}
{{- printf "%s" .Values.global.agentToken | toYaml }}
{{- else if .Values.global.agentTokenSecretKeyRef }}
valueFrom:
  secretKeyRef:
    {{- .Values.global.agentTokenSecretKeyRef | toYaml | nindent 4 }}
{{- end }}
{{- end }}

{{/*
Name of the secret holding the Codefresh API token.
*/}}
{{- define "runtime.installation-token-secret-name" }}
{{- print "codefresh-user-token" }}
{{- end }}

{{/*
Codefresh host without a trailing slash; rendering fails when global.codefreshHost is unset.
*/}}
{{- define "runtime.runtime-environment-spec.codefresh-host" }}
{{- if not .Values.global.codefreshHost }}
{{- fail "ERROR: .global.codefreshHost is required" }}
{{- else }}
{{- printf "%s" (trimSuffix "/" .Values.global.codefreshHost) }}
{{- end }}
{{- end }}

{{/*
Runtime-environment name: global.runtimeName, or "<context>/<namespace>" when it is unset.
*/}}
{{- define "runtime.runtime-environment-spec.runtime-name" }}
{{- if not .Values.global.runtimeName }}
{{- printf "%s/%s" .Values.global.context .Release.Namespace }}
{{- else }}
{{- printf "%s" .Values.global.runtimeName }}
{{- end }}
{{- end }}

{{/*
Agent name: global.agentName, or "<context>_<namespace>" when it is unset.
*/}}
{{- define "runtime.runtime-environment-spec.agent-name" }}
{{- if not .Values.global.agentName }}
{{- printf "%s_%s" .Values.global.context .Release.Namespace }}
{{- else }}
{{- printf "%s" .Values.global.agentName }}
{{- end }}
{{- end }}

{{/*
Context name; rendering fails when global.context is unset.
*/}}
{{- define "runtime.runtime-environment-spec.context-name" }}
{{- if not .Values.global.context }}
{{- fail "ERROR: .global.context is required" }}
{{- else }}
{{- printf "%s" .Values.global.context }}
{{- end }}
{{- end }}

{{/*
Normalized runtime-environment name: "system/" prefix dropped, "_" and "/"
replaced by "-", lower-cased.
Usage:
  {{ include "runtime.runtime-environment-spec.runtime-name-normalized" (dict "runtimeName" $runtimeName) }}
*/}}
{{- define "runtime.runtime-environment-spec.runtime-name-normalized" }}
{{- $name := .runtimeName }}
{{- printf "%s" ( trimPrefix "system/" $name | replace "_" "-" | replace "/" "-" | lower ) }}
{{- end }}

{{/*
Normalized runtime-environment file name: the normalized name with a ".yaml" suffix.
Usage:
  {{ include "runtime.runtime-environment-spec.runtime-filename-normalized" (dict "runtimeName" $runtimeName) }}
*/}}
{{- define "runtime.runtime-environment-spec.runtime-filename-normalized" }}
{{- $name := .runtimeName }}
{{- printf "%s.yaml" ( trimPrefix "system/" $name | replace "_" "-" | replace "/" "-" | lower ) }}
{{- end }}
--------------------------------------------------------------------------------
/charts/cf-runtime/tests/runtime/runtime_onprem_values.yaml:
--------------------------------------------------------------------------------
# -- workaround for helm unit tests
version: 1.0.0

global:
  codefreshHost: "https://onprem.somedomain.com"
  codefreshToken: 1234567890abcdef

  runtimeName: "system/my-runtime"

runtime:
  agent: false
  inCluster: true
  description: "some description"
  runtimeExtends:
    - system/default
  accounts:
    - 59009117c102763beda7ce71

  dind:
    image:
      tag: tagoverride
      digest: ""
    resources:
      requests: null
      limits:
        cpu: 1000m
        memory: 2048Mi
    pvcs:
      dind:
        name: dind
        storageClassName:
my-custom-storage-class 32 | volumeSize: 8Gi 33 | reuseVolumeSelector: 'codefresh-app,io.codefresh.accountName' 34 | reuseVolumeSortOrder: pipeline_id 35 | env: 36 | ALICE: BOB 37 | INT: 123 38 | FLOAT_AS_STRING: "12.34" 39 | podAnnotations: 40 | karpenter.sh/do-not-evict: "true" 41 | nodeSelector: 42 | topology.kubernetes.io/zone: us-east-1a 43 | affinity: 44 | nodeAffinity: 45 | requiredDuringSchedulingIgnoredDuringExecution: 46 | nodeSelectorTerms: 47 | - matchExpressions: 48 | - key: app 49 | operator: In 50 | values: 51 | - dind 52 | tolerations: 53 | - effect: NoSchedule 54 | key: codefresh.io 55 | operator: Equal 56 | value: dinds 57 | serviceAccount: service-account-override 58 | userVolumeMounts: 59 | my-cert: 60 | name: cert 61 | mountPath: /etc/ssl/cert 62 | readOnly: true 63 | userVolumes: 64 | my-cert: 65 | name: cert 66 | secret: 67 | secretName: tls-secret 68 | 69 | engine: 70 | image: 71 | tag: tagoverride 72 | digest: "" 73 | command: 74 | - one 75 | - two 76 | - three 77 | resources: 78 | requests: 79 | cpu: 200m 80 | memory: 256Mi 81 | limits: 82 | cpu: 200m 83 | memory: 256Mi 84 | runtimeImages: 85 | compose: 86 | tag: tagoverride 87 | digest: "" 88 | container-logger: 89 | tag: tagoverride 90 | digest: "" 91 | default-qemu: 92 | tag: tagoverride 93 | digest: "" 94 | docker-builder: 95 | tag: tagoverride 96 | digest: "" 97 | docker-puller: 98 | tag: tagoverride 99 | digest: "" 100 | docker-pusher: 101 | tag: tagoverride 102 | digest: "" 103 | docker-tag-pusher: 104 | tag: tagoverride 105 | digest: "" 106 | fs-ops: 107 | tag: tagoverride 108 | digest: "" 109 | git-cloner: 110 | tag: tagoverride 111 | digest: "" 112 | kube-deploy: 113 | tag: tagoverride 114 | digest: "" 115 | pipeline-debugger: 116 | tag: tagoverride 117 | digest: "" 118 | template-engine: 119 | tag: tagoverride 120 | digest: "" 121 | alpine: 122 | tag: tagoverride 123 | digest: "" 124 | gc-builder: 125 | tag: tagoverride 126 | digest: "" 127 | cosign-image-signer: 128 | tag: 
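tagoverride
        digest: ""
    env:
      FOO: BAR
      INT: 123
      FLOAT_AS_STRING: "12.34"
    podAnnotations:
      karpenter.sh/do-not-evict: "true"
    nodeSelector:
      topology.kubernetes.io/zone: us-east-1a
    affinity:
      nodeAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          nodeSelectorTerms:
            - matchExpressions:
                - key: app
                  operator: In
                  values:
                    - engine
    tolerations:
      - effect: NoSchedule
        key: codefresh.io
        operator: Equal
        value: engine
    serviceAccount: service-account-override

extraRuntimes:
  system/default-override:
    runtimeName: system/default-override
    runtimeExtends:
      - system/default
    description: "default runtime override"
    dind:
      resources:
        requests: null
        limits:
          cpu: 2000m
          memory: 4096Mi
  system/default-override-x2:
    runtimeName: system/default-override-x2
    runtimeExtends:
      - system/default
    description: "default runtime override x2"
    dind:
      resources:
        requests: null
        limits:
          cpu: 4000m
          memory: 8192Mi
--------------------------------------------------------------------------------
/charts/cf-runtime/files/configure-dind-certs.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
#
# Creates the dind server TLS material: generates a 4096-bit RSA key and a CSR,
# sends the CSR to the Codefresh API for signing, and stores key, certificate
# and CA in the codefresh-certs-server secret of the target namespace.
#
# Positional arguments, with environment fallbacks:
#   codefresh-api-host   -> API_HOST  (fallback: CF_API_HOST)
#   codefresh-api-token  -> API_TOKEN (fallback: CF_API_TOKEN)
# Optional environment: NAMESPACE, RELEASE, API_SIGN_PATH, KUBE_DOMAIN,
# SLEEP_ON_ERROR, CURL_INSECURE (explained where it is read below).

#--- helpers
fatal() {
  echo "ERROR: $1"
  exit 1
}

msg() { echo -e "\e[32mINFO ---> $1\e[0m"; }
err() { echo -e "\e[31mERR ---> $1\e[0m" ; return 1; }

# On a non-zero exit, optionally pause so the failed run can be inspected.
exit_trap () {
  local lc="$BASH_COMMAND" rc=$?
  if [ $rc != 0 ]; then
    if [[ -n "$SLEEP_ON_ERROR" ]]; then
      echo -e "\nSLEEP_ON_ERROR is set - Sleeping to fix error"
      sleep "$SLEEP_ON_ERROR"
    fi
  fi
}
trap exit_trap EXIT

usage() {
  echo "Usage:
  $0 [-n | --namespace] [--server-cert-cn] [--server-cert-extra-sans] codefresh-api-host codefresh-api-token

Example:
  $0 -n workflow https://g.codefresh.io 21341234.423141234.412431234

"
}

# Args: options are consumed while the first word looks like one of ours;
# everything after them is positional.
while [[ $1 =~ ^(-(n|h)|--(namespace|server-cert-cn|server-cert-extra-sans|help)) ]]
do
  key=$1
  value=$2

  case $key in
    -h|--help)
      usage
      exit
      ;;
    -n|--namespace)
      NAMESPACE="$value"
      shift
      ;;
    --server-cert-cn)
      SERVER_CERT_CN="$value"
      shift
      ;;
    --server-cert-extra-sans)
      SERVER_CERT_EXTRA_SANS="$value"
      shift
      ;;
  esac
  shift # past argument or value
done

API_HOST=${1:-"$CF_API_HOST"}
API_TOKEN=${2:-"$CF_API_TOKEN"}

[[ -z "$API_HOST" ]] && usage && fatal "Missing API_HOST"
[[ -z "$API_TOKEN" ]] && usage && fatal "Missing token"


API_SIGN_PATH=${API_SIGN_PATH:-"api/custom_clusters/signServerCerts"}

NAMESPACE=${NAMESPACE:-default}
RELEASE=${RELEASE:-cf-runtime}

# CURL_INSECURE=true (the default, matching the historical "curl -k") disables
# server certificate verification for the signing request. Set it to any other
# value when the API host presents a certificate the pod can verify: the
# request carries the API token, and an unverified connection lets an on-path
# host read it.
CURL_INSECURE=${CURL_INSECURE:-true}
CURL_TLS_OPTS=()
if [[ "$CURL_INSECURE" == "true" ]]; then
  CURL_TLS_OPTS=(-k)
fi

DIR=$(dirname "$0")
TMPDIR=/tmp/codefresh/

# The private key and the signed material are written under TMPDIR; restrict
# every file and directory created from here on to the owner, whatever mode
# the individual tools would otherwise use.
umask 077

TMP_CERTS_FILE_ZIP=$TMPDIR/cf-certs.zip
TMP_CERTS_HEADERS_FILE=$TMPDIR/cf-certs-response-headers.txt
CERTS_DIR=$TMPDIR/ssl
SRV_TLS_CA_CERT=${CERTS_DIR}/ca.pem
SRV_TLS_KEY=${CERTS_DIR}/server-key.pem
SRV_TLS_CSR=${CERTS_DIR}/server-cert.csr
SRV_TLS_CERT=${CERTS_DIR}/server-cert.pem
CF_SRV_TLS_CERT=${CERTS_DIR}/cf-server-cert.pem
CF_SRV_TLS_CA_CERT=${CERTS_DIR}/cf-ca.pem
mkdir -p "$TMPDIR" "$CERTS_DIR"

K8S_CERT_SECRET_NAME=codefresh-certs-server
echo -e "\n------------------\nGenerating server tls certificates ... "

SERVER_CERT_CN=${SERVER_CERT_CN:-"docker.codefresh.io"}
SERVER_CERT_EXTRA_SANS="${SERVER_CERT_EXTRA_SANS}"
# Both values are spliced into a hand-built JSON document below; a quote or
# backslash would break it (or alter the request), so reject them up front.
[[ "$SERVER_CERT_CN" == *[\"\\]* ]] && fatal "--server-cert-cn must not contain quotes or backslashes"
[[ "$SERVER_CERT_EXTRA_SANS" == *[\"\\]* ]] && fatal "--server-cert-extra-sans must not contain quotes or backslashes"
###

openssl genrsa -out "$SRV_TLS_KEY" 4096 || fatal "Failed to generate openssl key "
openssl req -subj "/CN=${SERVER_CERT_CN}" -new -key "$SRV_TLS_KEY" -out "$SRV_TLS_CSR" || fatal "Failed to generate openssl csr "
GENERATE_CERTS=true
# Fold the PEM CSR onto one line with literal "\n" so it fits in a JSON string.
CSR=$(sed ':a;N;$!ba;s/\n/\\n/g' "${SRV_TLS_CSR}")

SERVER_CERT_SANS="IP:127.0.0.1,DNS:dind,DNS:*.dind.${NAMESPACE},DNS:*.dind.${NAMESPACE}.svc${KUBE_DOMAIN},DNS:*.cf-cd.com,DNS:*.codefresh.io"
if [[ -n "${SERVER_CERT_EXTRA_SANS}" ]]; then
  SERVER_CERT_SANS=${SERVER_CERT_SANS},${SERVER_CERT_EXTRA_SANS}
fi
echo "{\"reqSubjectAltName\": \"${SERVER_CERT_SANS}\", \"csr\": \"${CSR}\" }" > "${TMPDIR}/sign_req.json"

rm -fv "${TMP_CERTS_HEADERS_FILE}" "${TMP_CERTS_FILE_ZIP}"

# -L follows redirects; custom -H headers (including Authorization) are
# generally re-sent to the redirect target, so API_HOST should be the final
# host, not one that redirects elsewhere.
SIGN_STATUS=$(curl "${CURL_TLS_OPTS[@]}" -sSL -d @"${TMPDIR}/sign_req.json" -H "Content-Type: application/json" -H "Authorization: ${API_TOKEN}" -H "Expect: " \
  -o "${TMP_CERTS_FILE_ZIP}" -D "${TMP_CERTS_HEADERS_FILE}" -w '%{http_code}' "${API_HOST}/${API_SIGN_PATH}" )

echo "Sign request completed with HTTP_STATUS_CODE=$SIGN_STATUS"
if [[ $SIGN_STATUS != 200 ]]; then
  echo "ERROR: Cannot sign certificates"
  # On failure the body is an error message, not a zip; keep it for inspection.
  if [[ -f ${TMP_CERTS_FILE_ZIP} ]]; then
    mv "${TMP_CERTS_FILE_ZIP}" "${TMP_CERTS_FILE_ZIP}.error"
    cat "${TMP_CERTS_FILE_ZIP}.error"
  fi
  exit 1
fi
unzip -o -d "${CERTS_DIR}/" "${TMP_CERTS_FILE_ZIP}" || fatal "Failed to unzip certificates to ${CERTS_DIR} "
cp -v "${CF_SRV_TLS_CA_CERT}" "$SRV_TLS_CA_CERT" || fatal "received ${TMP_CERTS_FILE_ZIP} does not contains ca.pem"
cp -v "${CF_SRV_TLS_CERT}" "$SRV_TLS_CERT" || fatal "received ${TMP_CERTS_FILE_ZIP} does not contains cf-server-cert.pem"


echo -e "\n------------------\nCreating certificate secret "

# The secret is the only output of this script; a failed apply must not be
# reported as success.
kubectl -n "$NAMESPACE" create secret generic "$K8S_CERT_SECRET_NAME" \
  --from-file="$SRV_TLS_CA_CERT" \
  --from-file="$SRV_TLS_KEY" \
  --from-file="$SRV_TLS_CERT" \
  --dry-run=client -o yaml | kubectl apply --overwrite -f - || fatal "Failed to create secret ${K8S_CERT_SECRET_NAME} in namespace ${NAMESPACE}"
# Label and finalizer are applied best-effort, as before; the script's exit
# status is that of the last kubectl call.
kubectl -n "$NAMESPACE" label --overwrite secret "${K8S_CERT_SECRET_NAME}" codefresh.io/internal=true
kubectl -n "$NAMESPACE" patch secret "$K8S_CERT_SECRET_NAME" -p '{"metadata": {"finalizers": ["kubernetes"]}}'
--------------------------------------------------------------------------------
/venona/pkg/runtime/runtime_test.go:
--------------------------------------------------------------------------------
// Copyright 2020 The Codefresh Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.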

package runtime

import (
	"context"
	"errors"
	"testing"

	"github.com/codefresh-io/go/venona/pkg/kubernetes"
	"github.com/codefresh-io/go/venona/pkg/task"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/mock"
)

// Test_runtime_HandleTask drives runtime.HandleTask through one case per task
// type plus the failure paths (unknown type, client error, bad delete spec).
// Each case declares in beforeFn the single call it expects on the generated
// Kubernetes mock; cases without beforeFn expect no client call at all.
func Test_runtime_HandleTask(t *testing.T) {
	type testCase struct {
		task     *task.Task
		wantErr  string
		beforeFn func(k *kubernetes.MockKubernetes)
	}

	// deleteSpec returns a fresh spec in the shape HandleTask decodes into
	// kubernetes.DeleteOptions.
	deleteSpec := func() map[string]string {
		return map[string]string{
			"Namespace": "some-namespace",
			"Name":      "some-name",
		}
	}
	// deleteOpts is what the mock must receive for deleteSpec and the given kind.
	deleteOpts := func(kind task.Type) kubernetes.DeleteOptions {
		return kubernetes.DeleteOptions{
			Kind:      kind,
			Name:      "some-name",
			Namespace: "some-namespace",
		}
	}

	cases := map[string]testCase{
		"should successfully create a resource on TypeCreatePVC task": {
			task: &task.Task{Type: task.TypeCreatePVC, Spec: "some spec"},
			beforeFn: func(k *kubernetes.MockKubernetes) {
				k.EXPECT().CreateResource(mock.Anything, task.TypeCreatePVC, "some spec").Return(nil)
			},
		},
		"should successfully create a resource on TypeCreatePod task": {
			task: &task.Task{Type: task.TypeCreatePod, Spec: "some spec"},
			beforeFn: func(k *kubernetes.MockKubernetes) {
				k.EXPECT().CreateResource(mock.Anything, task.TypeCreatePod, "some spec").Return(nil)
			},
		},
		"should successfully delete a resource on TypeDeletePVC task": {
			task: &task.Task{Type: task.TypeDeletePVC, Spec: deleteSpec()},
			beforeFn: func(k *kubernetes.MockKubernetes) {
				k.EXPECT().DeleteResource(mock.Anything, deleteOpts(task.TypeDeletePVC)).Return(nil)
			},
		},
		"should successfully delete a resource on TypeDeletePod task": {
			task: &task.Task{Type: task.TypeDeletePod, Spec: deleteSpec()},
			beforeFn: func(k *kubernetes.MockKubernetes) {
				k.EXPECT().DeleteResource(mock.Anything, deleteOpts(task.TypeDeletePod)).Return(nil)
			},
		},
		"should fail for unknown type": {
			task:    &task.Task{Type: "some-type"},
			wantErr: "unknown task type \"some-type\"",
		},
		"should fail creating if k8s client fails": {
			task: &task.Task{Type: task.TypeCreatePod, Spec: "some spec"},
			beforeFn: func(k *kubernetes.MockKubernetes) {
				k.EXPECT().CreateResource(mock.Anything, task.TypeCreatePod, "some spec").Return(errors.New("some error"))
			},
			wantErr: "failed creating resource: some error",
		},
		"should fail deleting if json.unmarshal fails": {
			task:    &task.Task{Type: task.TypeDeletePod, Spec: "bad spec"},
			wantErr: "failed to unmarshal task spec: json: cannot unmarshal string into Go value of type kubernetes.DeleteOptions",
		},
		"should fail deleting if client fails": {
			task:    &task.Task{Type: task.TypeDeletePod, Spec: deleteSpec()},
			wantErr: "failed deleting resource: some error",
			beforeFn: func(k *kubernetes.MockKubernetes) {
				k.EXPECT().DeleteResource(mock.Anything, deleteOpts(task.TypeDeletePod)).Return(errors.New("some error"))
			},
		},
	}

	for name, tc := range cases {
		t.Run(name, func(t *testing.T) {
			k8s := kubernetes.NewMockKubernetes(t)
			if tc.beforeFn != nil {
				tc.beforeFn(k8s)
			}

			rt := runtime{client: k8s}
			err := rt.HandleTask(context.Background(), tc.task)
			// A nil error with an empty wantErr is the success path and needs no
			// assertion; any other combination must match exactly.
			if err != nil || tc.wantErr != "" {
				assert.EqualError(t, err, tc.wantErr)
			}
		})
	}
}
--------------------------------------------------------------------------------
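/venona/pkg/queue/queue_test.go:
--------------------------------------------------------------------------------
// Copyright 2020 The Codefresh Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package queue

import (
	"context"
	"fmt"
	"sync"
	"testing"
	"time"

	"github.com/codefresh-io/go/venona/pkg/kubernetes"
	"github.com/codefresh-io/go/venona/pkg/logger"
	"github.com/codefresh-io/go/venona/pkg/monitoring"
	"github.com/codefresh-io/go/venona/pkg/runtime"
	"github.com/codefresh-io/go/venona/pkg/task"
	"github.com/codefresh-io/go/venona/pkg/workflow"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/mock"
)

// makeWorkflow builds a workflow for runtime "some-rt" holding numOfTasks
// CreatePod tasks whose Spec is "<wfID>-<index>", so the test can tell which
// task reached the mock client. AddTask errors are dropped on purpose: the
// helper has no *testing.T to report them, and the tests only add valid tasks.
func makeWorkflow(wfID string, numOfTasks int) *workflow.Workflow {
	metadata := task.Metadata{
		WorkflowId: wfID,
		ReName:     "some-rt",
	}
	wf := workflow.New(metadata)
	for i := 0; i < numOfTasks; i++ {
		_ = wf.AddTask(&task.Task{
			Type:     task.TypeCreatePod,
			Metadata: metadata,
			Spec:     fmt.Sprintf("%s-%d", wfID, i),
		})
	}

	return wf
}

// TestWorkflowQueue_Enqueue enqueues workflows (optionally pausing between
// them), stops the queue and checks that every task of every workflow reached
// the Kubernetes client exactly once.
func TestWorkflowQueue_Enqueue(t *testing.T) {
	// wfOrSleep is one step of a scenario: enqueue wf when set, otherwise pause.
	type wfOrSleep struct {
		wf    *workflow.Workflow
		sleep time.Duration
	}
	tests := map[string]struct {
		workflows   []wfOrSleep
		concurrency int
		want        []string
		afterFn     func(t *testing.T, createdPods []string)
	}{
		"should create a single workflow with a single task": {
			workflows: []wfOrSleep{
				{wf: makeWorkflow("wf1", 1)},
			},
			concurrency: 1,
			want:        []string{"wf1-0"},
		},
		"should create a single workflow with several tasks": {
			workflows: []wfOrSleep{
				{wf: makeWorkflow("wf1", 3)},
			},
			concurrency: 1,
			want:        []string{"wf1-0", "wf1-1", "wf1-2"},
		},
		"should create multiple workflows with concurrency 1": {
			workflows: []wfOrSleep{
				{wf: makeWorkflow("wf1", 3)},
				{wf: makeWorkflow("wf2", 3)},
				{wf: makeWorkflow("wf3", 3)},
			},
			concurrency: 1,
			want:        []string{"wf1-0", "wf1-1", "wf1-2", "wf2-0", "wf2-1", "wf2-2", "wf3-0", "wf3-1", "wf3-2"},
		},
		"should create multiple workflows with higher concurrency": {
			workflows: []wfOrSleep{
				{wf: makeWorkflow("wf1", 2)},
				{wf: makeWorkflow("wf2", 2)},
				{wf: makeWorkflow("wf3", 2)},
				{wf: makeWorkflow("wf4", 2)},
				{wf: makeWorkflow("wf5", 2)},
				{wf: makeWorkflow("wf6", 2)},
				// The former untyped literal 100 was a 100ns Duration, which cannot
				// let any worker make progress before the next batch is enqueued;
				// a pause is only meaningful at millisecond scale.
				{sleep: 100 * time.Millisecond},
				{wf: makeWorkflow("wf7", 2)},
				{wf: makeWorkflow("wf8", 2)},
				{wf: makeWorkflow("wf9", 2)},
			},
			concurrency: 3,
			want: []string{
				"wf1-0", "wf1-1", "wf2-0", "wf2-1", "wf3-0", "wf3-1",
				"wf4-0", "wf4-1", "wf5-0", "wf5-1", "wf6-0", "wf6-1",
				"wf7-0", "wf7-1", "wf8-0", "wf8-1", "wf9-0", "wf9-1",
			},
		},
	}
	for name, tt := range tests {
		t.Run(name, func(t *testing.T) {
			// createdPods collects the Spec of every CreatePod call; the mock may
			// be invoked from several workers, hence the mutex.
			createdPods := []string{}
			testLock := sync.Mutex{}
			mockKubernetes := kubernetes.NewMockKubernetes(t)
			mockKubernetes.EXPECT().CreateResource(mock.Anything, task.TypeCreatePod, mock.AnythingOfType("string")).RunAndReturn(func(_ context.Context, _ task.Type, spec interface{}) error {
				s, _ := spec.(string)
				testLock.Lock()
				createdPods = append(createdPods, s)
				testLock.Unlock()
				return nil
			})
			runtimes := map[string]runtime.Runtime{
				"some-rt": runtime.New(runtime.Options{
					Kubernetes: mockKubernetes,
				}),
			}
			log := logger.New(logger.Options{})
			wg := &sync.WaitGroup{}
			opts := &Options{
				Runtimes:    runtimes,
				Log:         log,
				WG:          wg,
				Monitor:     monitoring.NewEmpty(),
				Concurrency: tt.concurrency,
				BufferSize:  100,
			}
			tq := New(opts)
			tq.Start(context.Background())
			for _, tOrS := range tt.workflows {
				if tOrS.wf != nil {
					tq.Enqueue(tOrS.wf)
				} else {
					time.Sleep(tOrS.sleep)
				}
			}

			tq.Stop()
			wg.Wait()
			// ElementsMatch ignores order: this verifies that each task was handled
			// exactly once, not the order in which the workers processed them.
			assert.ElementsMatch(t, createdPods, tt.want)
		})
	}
}
--------------------------------------------------------------------------------
/charts/cf-runtime/templates/runtime/cronjob-update-runtimes.yaml:
--------------------------------------------------------------------------------
{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
{{ $values := .Values.runtime.patch.cronjob }}
{{- if and .Values.runtime.patch.enabled $values.enabled }}
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: {{ coalesce .Values.runtime.patch.name (printf "%s-runtime-patch" (include "runtime.fullname" .)) }}
  labels:
    {{- include "runtime.labels" . | nindent 4 }}
  annotations:
    {{- with $values.annotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
spec:
  {{- /* quoted: a cron expression starting with "*" (e.g. every-N-minutes) is otherwise read as a YAML alias */}}
  schedule: {{ $values.schedule | default "0 0 * * *" | quote }}
  successfulJobsHistoryLimit: {{ $values.successfulJobsHistoryLimit | default 1 }}
  failedJobsHistoryLimit: {{ $values.failedJobsHistoryLimit | default 1 }}
  concurrencyPolicy: {{ $values.concurrencyPolicy | default "Forbid" }}
  suspend: {{ $values.suspend | default false }}
  {{- with $values.startingDeadlineSeconds }}
  startingDeadlineSeconds: {{ .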
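| int }}
  {{- end }}
  {{- with $values.activeDeadlineSeconds }}
  activeDeadlineSeconds: {{ . | int }}
  {{- end }}
  {{- with $values.completions }}
  completions: {{ . | int }}
  {{- end }}
  jobTemplate:
    spec:
      {{- with $values.ttlSecondsAfterFinished }}
      ttlSecondsAfterFinished: {{ . }}
      {{- end }}
      template:
        metadata:
          name: {{ coalesce .Values.runtime.patch.name (printf "%s-runtime-patch" (include "runtime.fullname" .)) }}
          labels:
            {{- include "runtime.labels" . | nindent 12 }}
        spec:
          securityContext:
            {{- toYaml $values.podSecurityContext | nindent 12 }}
          containers:
          - name: patch-runtime
            image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" $values.image "context" .) }}
            imagePullPolicy: {{ $values.image.pullPolicy | default "Always" }}
            command:
            - "/bin/bash"
            args:
            - -ec
            - |
              {{- .Files.Get "files/patch-runtime.sh" | nindent 14 }}
            env:
            - name: API_KEY
              {{- include "runtime.installation-token-env-var-value" . | indent 14 }}
            - name: API_HOST
              value: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}
            - name: AGENT
              {{- /* quote runs first so a boolean false survives as "false"; the default is
                     quoted too so an unset runtime.agent renders the string "true" rather
                     than the bare YAML boolean true, which an env value rejects */}}
              value: {{ .Values.runtime.agent | quote | default (quote "true") }}
            {{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $values.env "context" .) | nindent 12 }}
            volumeMounts:
            - name: runtime-config
              mountPath: /opt/codefresh/{{ include "runtime.runtime-environment-spec.runtime-filename-normalized" (dict "context" . "runtimeName" (include "runtime.runtime-environment-spec.runtime-name" .)) }}
              subPath: {{ include "runtime.runtime-environment-spec.runtime-filename-normalized" (dict "context" . "runtimeName" (include "runtime.runtime-environment-spec.runtime-name" .)) }}
            {{- range $runtimeIndex, $runtimeItem := .Values.extraRuntimes }}
            - name: {{ printf "%s-runtime-config" ( include "runtime.runtime-environment-spec.runtime-name-normalized" (dict "context" . "runtimeName" $runtimeItem.runtimeName) ) }}
              mountPath: /opt/codefresh/runtime.d/system/{{ include "runtime.runtime-environment-spec.runtime-filename-normalized" (dict "context" . "runtimeName" $runtimeItem.runtimeName) }}
              subPath: {{ include "runtime.runtime-environment-spec.runtime-filename-normalized" (dict "context" . "runtimeName" $runtimeItem.runtimeName) }}
            {{- end }}
          {{- with $values.nodeSelector }}
          nodeSelector:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          {{- with $values.affinity }}
          affinity:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          {{- with $values.tolerations }}
          tolerations:
            {{- toYaml . | nindent 10 }}
          {{- end }}
          volumes:
          - name: runtime-config
            configMap:
              name: {{ include "runtime.runtime-environment-spec.runtime-name-normalized" (dict "context" . "runtimeName" (include "runtime.runtime-environment-spec.runtime-name" .)) }}-runtime-config
          {{- range $runtimeIndex, $runtimeItem := .Values.extraRuntimes }}
          - name: {{ printf "%s-runtime-config" ( include "runtime.runtime-environment-spec.runtime-name-normalized" (dict "context" . "runtimeName" $runtimeItem.runtimeName) ) }}
            configMap:
              name: {{ printf "%s-runtime-config" ( include "runtime.runtime-environment-spec.runtime-name-normalized" (dict "context" . "runtimeName" $runtimeItem.runtimeName) ) }}
          {{- end }}
          restartPolicy: Never
{{- end }}
--------------------------------------------------------------------------------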