fetch artifact from s3 (#6)

* fetch artifact for init container from s3
* adjust helm chart for artifachub.io

Author: Leonid Podolinskiy

.github/workflows/init_container.yaml

@@ -15,6 +15,12 @@ on:
 
 jobs:  
   set_image_tag_variable:
+    strategy:
+      matrix:
+        agents: [
+          {file: "agent.zip", platform: "linux"},
+          {file: "agent-alpine.zip", platform: "alpine"}
+        ]
     runs-on: ubuntu-latest
     name: Build and push Docker image
     steps:
@@ -33,30 +39,26 @@ jobs:
       with:
         username: ${{ secrets.DOCKERHUB_USER }}
         password: ${{ secrets.DOCKERHUB_PASS }}
+    
 
-    - name: Build and push linux container
-      uses: docker/build-push-action@v3
+    - name: Configure AWS credentials for artifacts bucket
+      uses: aws-actions/configure-aws-credentials@v1
       with:
-        context: .
-        file: ./lightrun-init-agent/Dockerfile
-        push: true
-        tags: "lightruncom/k8s-operator-init-java-agent-linux:${{steps.set_tag.outputs.TAG_NAME}}"
-        secrets: |
-          GITHUB_TOKEN=${{ secrets.PRETTY_GITHUB_READ_TOKEN }}
-        build-args: |
-          VERSION=${{ inputs.release_tag }}
-          FILE=agent.zip
+        aws-access-key-id: ${{ secrets.RELEASE_ARTIFACTS_MANAGER_KEY }}
+        aws-secret-access-key: ${{ secrets.RELEASE_ARTIFACTS_MANAGER_SECRET }}
+        aws-region: us-east-1
+
+    - name: Download agent artifacts
+      run: |
+        aws s3 cp s3://${{ secrets.RELEASE_ARTIFACTS_BUCKET }}/artifacts/${{ inputs.release_tag }}/${{ matrix.agents.file }} ./lightrun-init-agent/
+
 
-    - name: Build and push alpine container
+    - name: Build and push ${{ matrix.agents.platform }} container
       uses: docker/build-push-action@v3
       with:
         context: .
         file: ./lightrun-init-agent/Dockerfile
         push: true
-        tags: "lightruncom/k8s-operator-init-java-agent-alpine:${{steps.set_tag.outputs.TAG_NAME}}"
-        secrets: |
-          GITHUB_TOKEN=${{ secrets.PRETTY_GITHUB_READ_TOKEN }}
+        tags: "lightruncom/k8s-operator-init-java-agent-${{ matrix.agents.platform }}:${{steps.set_tag.outputs.TAG_NAME}}"
         build-args: |
-          VERSION=${{ inputs.release_tag }}
-          FILE=agent-alpine.zip
-          
+          FILE=${{ matrix.agents.file }}

.github/workflows/required_check.yaml

@@ -0,0 +1,18 @@
+# Due to https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/troubleshooting-required-status-checks#handling-skipped-but-required-checks
+name: dummy_check
+on:
+  pull_request: 
+    branches:
+      - main
+    paths:
+      - 'lightrun-init-agent/**'
+      - '.github/**'
+      - 'docs/**'
+      - 'grafana/**'
+jobs:
+  build:
+    if: false  # always skip
+    name: Build controller and install helm chart # name have to be as the real job name
+    runs-on: ubuntu-latest
+    steps:
+      - run: 'echo "No build required"'

helm-chart/Chart.yaml

@@ -10,6 +10,7 @@ description: A Helm chart for Lightrun k8s operator
 # a dependency of application charts to inject those utilities and functions into the rendering
 # pipeline. Library charts do not define any templates and therefore cannot be deployed.
 type: application
+icon: https://lightrun-public.s3.amazonaws.com/img/lightrun-logo.png
 
 ## Kubeversion due to "seccompProfile" in the controller deployment
 kubeVersion: ">= 1.19.0"
@@ -18,3 +19,61 @@ kubeVersion: ">= 1.19.0"
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
 version: 0.1.0 # Will be updated by CI pipeline
+
+
+
+# ArtifactHub.io annotations
+annotations:
+  artifacthub.io/crds: |
+    - kind: LightrunJavaAgent
+      version: v1beta
+      name: lightrunjavaagent
+      shortName: lrja
+      description: Custom resource describing Lightrun agent version, configuration and deployment that will be patched. Dependend on secret with few Lightrun key
+  artifacthub.io/crdsExamples: |
+      apiVersion: agents.lightrun.com/v1beta
+      kind: LightrunJavaAgent
+      metadata:
+        name: example-cr 
+      spec:
+        initContainer:  
+          image: "lightruncom/k8s-operator-init-java-agent-linux:1.8.5-init.1"
+          sharedVolumeName: lightrun-agent-init
+          sharedVolumeMountPath: "/lightrun"
+        deploymentName: app  
+        secretName: lightrun-secrets 
+        serverHostname: app.lightrun.com
+        agentEnvVarName: JAVA_TOOL_OPTIONS
+        agentConfig:
+          max_log_cpu_cost: "2"
+        agentTags:
+          - operator
+          - example
+          - 1.8.3
+        containerSelector:
+          - app
+      ---
+      apiVersion: v1
+      metadata: 
+        name: lightrun-secrets
+      stringData:
+        lightrun_key: <lightrun_key_from_ui>
+        pinned_cert_hash: <pinned_cert_hash>
+      kind: Secret
+      type: Opaque
+
+  artifacthub.io/license: Apache-2.0
+  artifacthub.io/links: |
+    - name: Operator repo
+      url: https://github.com/lightrun-platform/lightrun-k8s-operator
+    - name: CR example with explanation
+      url: https://github.com/lightrun-platform/lightrun-k8s-operator/blob/main/examples/lightrunjavaagent.yaml
+  artifacthub.io/maintainers: |
+    - name: Lightrun devops team
+      email: [email protected] 
+    - name: LeonidP
+      email: [email protected] 
+  artifacthub.io/operator: "true"
+  artifacthub.io/operatorCapabilities: Basic Install
+  artifacthub.io/prerelease: "false"
+  

helm-chart/README.md

@@ -0,0 +1,74 @@
+# lightrun-k8s-operator
+
+![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+
+A Helm chart for Lightrun k8s operator
+
+## Requirements
+
+Kubernetes: `>= 1.19.0`
+
+
+[Helm chart](../helm-chart/) is available in repository branch `helm-repo`  
+- Add the repo to your Helm repository list
+```sh 
+helm repo add lightrun-k8s-operator https://lightrun-platform.github.io/lightrun-k8s-operator
+```
+
+- Install the Helm chart:   
+> _Using default [values](../helm-chart/values.yaml)_  
+  
+```sh
+helm install lightrun-k8s-operator/lightrun-k8s-operator  -n lightrun-operator --create-namespace
+```  
+
+  > _Using custom values file_
+
+```sh
+helm install lightrun-k8s-operator/lightrun-k8s-operator  -f <values file>  -n lightrun-operator --create-namespace
+```
+> `helm upgrade --install` or `helm install --dry-run` may not work properly due to limitations of how Helm work with CRDs.
+You can find more info [here](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/)
+
+
+- Uninstall the Helm chart.
+```sh
+helm delete lightrun-k8s-operator
+```
+> `CRDs` will not be deleted due to Helm CRDs limitations. You can learn more about the limitations [here](https://helm.sh/docs/topics/charts/#limitations-on-crds).
+
+### Chart version vs controller version
+For the sake of simplicity, we are keeping the convention of the same version for both the controller image and the Helm chart. This helps to ensure that controller actions are aligned with CRDs preventing failed resource validation errors.
+
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| controllerManager.kubeRbacProxy.image.repository | string | `"gcr.io/kubebuilder/kube-rbac-proxy"` |  |
+| controllerManager.kubeRbacProxy.image.tag | string | `"v0.11.0"` |  |
+| controllerManager.kubeRbacProxy.resources.limits.cpu | string | `"500m"` |  |
+| controllerManager.kubeRbacProxy.resources.limits.memory | string | `"128Mi"` |  |
+| controllerManager.kubeRbacProxy.resources.requests.cpu | string | `"5m"` |  |
+| controllerManager.kubeRbacProxy.resources.requests.memory | string | `"64Mi"` |  |
+| controllerManager.manager.image.repository | string | `"lightruncom/lightrun-k8s-operator"` |  |
+| controllerManager.manager.image.tag | string | `"latest"` | For simplicity of version compatibilities we are keeping the same controller and chart versions So the most safe approach is to use same version as the Chart. When installing chart from the helm repo, every helm package version will have controller image set to chart version |
+| controllerManager.manager.nodeSelector | object | `{}` |  |
+| controllerManager.manager.resources.limits.cpu | string | `"500m"` |  |
+| controllerManager.manager.resources.limits.memory | string | `"128Mi"` |  |
+| controllerManager.manager.resources.requests.cpu | string | `"10m"` |  |
+| controllerManager.manager.resources.requests.memory | string | `"64Mi"` |  |
+| controllerManager.manager.tolerations | list | `[]` |  |
+| controllerManager.replicas | int | `1` |  |
+| managerConfig.controllerManagerConfigYaml.health.healthProbeBindAddress | string | `":8081"` |  |
+| managerConfig.controllerManagerConfigYaml.leaderElection.leaderElect | bool | `true` |  |
+| managerConfig.controllerManagerConfigYaml.leaderElection.resourceName | string | `"5b425f09.lightrun.com"` |  |
+| managerConfig.controllerManagerConfigYaml.metrics.bindAddress | string | `"127.0.0.1:8080"` |  |
+| managerConfig.controllerManagerConfigYaml.webhook.port | int | `9443` |  |
+| managerConfig.logLevel | string | `"info"` | Log level: 1 - 5 Higher number - more logs Documentation of logr module https://pkg.go.dev/github.com/go-logr/[email protected]#hdr-Verbosity On level info (0) (default) you'll see only deployments that are being added or deleted and errors On level 1 you'll see 1 additional log per every successful reconciliation loop run On level 2 you'll see all debug prints with intermediate steps while patching deployment per every reconciliation loop run |
+| managerConfig.operatorScope | object | `{"namespacedScope":false,"namespaces":["default"]}` | Operator may work in 2 scopes: cluster and namespaced Cluster scope will give permissions to operator to watch and patch deployment in the whole cluster With namespaced scope you need to provide list of namespaces that operator will be able to watch. Namespaced scope implemented by both controller code and creation of the appropriate Roles by the chart Any change to the list of namespaces will cause restart of the operator controller pod. |
+| metricsService | object | `{"ports":[{"name":"https","port":8443,"protocol":"TCP","targetPort":8443}],"type":"ClusterIP"}` | Metrics service for prometheus compatible poller |
+| nameOverride | string | `"lightrun-k8s-operator"` |  |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)

helm-chart/values.yaml

@@ -20,9 +20,9 @@ controllerManager:
   manager:
     image:
       repository: lightruncom/lightrun-k8s-operator
-      ## For simplicity of version compatibilities we are keeping the same controller and chart versions
-      ## So the most safe approach is to use same version as the Chart.
-      ## When installing chart from the helm repo, every helm package version will have controller image set to chart version
+      # -- For simplicity of version compatibilities we are keeping the same controller and chart versions
+      # So the most safe approach is to use same version as the Chart.
+      # When installing chart from the helm repo, every helm package version will have controller image set to chart version
       tag: latest
     resources:
       limits:
@@ -51,12 +51,12 @@ controllerManager:
 
 ## Controller configuration  
 managerConfig:
-  ## Log level: 1 - 5
-  ## Higher number - more logs
-  ## Documentation of logr module https://pkg.go.dev/github.com/go-logr/[email protected]#hdr-Verbosity
-  ## On level info (0) (default) you'll see only deployments that are being added or deleted and errors
-  ## On level 1 you'll see 1 additional log per every successful reconciliation loop run
-  ## On level 2 you'll see all debug prints with intermediate steps while patching deployment per every reconciliation loop run
+  # -- Log level: 1 - 5
+  # Higher number - more logs
+  # Documentation of logr module https://pkg.go.dev/github.com/go-logr/[email protected]#hdr-Verbosity
+  # On level info (0) (default) you'll see only deployments that are being added or deleted and errors
+  # On level 1 you'll see 1 additional log per every successful reconciliation loop run
+  # On level 2 you'll see all debug prints with intermediate steps while patching deployment per every reconciliation loop run
   logLevel: info
 
   ## Default values of the container inside pod. In most cases you don't need to change those
@@ -70,17 +70,17 @@ managerConfig:
       bindAddress: 127.0.0.1:8080
     webhook:
       port: 9443
-  ## Operator may work in 2 scopes: cluster and namespaced
-  ## Cluster scope will give permissions to operator to watch and patch deployment in the whole cluster
-  ## With namespaced scope you need to provide list of namespaces that operator will be able to watch.
-  ## Namespaced scope implemented by both controller code and creation of the appropriate Roles by the chart
-  ## Any change to the list of namespaces will cause restart of the operator controller pod.
+  # -- Operator may work in 2 scopes: cluster and namespaced
+  # Cluster scope will give permissions to operator to watch and patch deployment in the whole cluster
+  # With namespaced scope you need to provide list of namespaces that operator will be able to watch.
+  # Namespaced scope implemented by both controller code and creation of the appropriate Roles by the chart
+  # Any change to the list of namespaces will cause restart of the operator controller pod.
   operatorScope:
     namespaces:
       - default
     namespacedScope: false
 
-## Metrics service for prometheus compatible poller
+# -- Metrics service for prometheus compatible poller
 metricsService:
   ports:
     - name: https

lightrun-init-agent/Dockerfile

@@ -1,28 +1,18 @@
 FROM --platform=linux/amd64 alpine:latest
 
-ARG VERSION 
 ARG FILE 
 
-RUN apk --no-cache add jq \
-                       wget
-RUN --mount=type=secret,id=GITHUB_TOKEN \
-    GITHUB_TOKEN=$(cat /run/secrets/GITHUB_TOKEN) \
-    export REPO="lightrun-platform/athena"; \
-    # curl inside alpine can't properly forward cookies when downloading asset, hence wget
-    wget -q --auth-no-challenge --header='Accept:application/octet-stream' \
-    https://$GITHUB_TOKEN:@api.github.com/repos/$REPO/releases/assets/`wget -q -O- --auth-no-challenge --header "Accept: application/vnd.github+json"  https://$GITHUB_TOKEN:@api.github.com/repos/$REPO/releases | jq ". | map(select(.tag_name == \"$VERSION\"))[0].assets | map(select(.name == \"$FILE\"))[0].id"` \
-    -O /tmp/agent.zip; \
-    mkdir /agent ;\
-    unzip -o /tmp/agent.zip -d /agent ;\
-    rm -rf /tmp/agent.zip && \
+COPY lightrun-init-agent/$FILE /tmp/$FILE
+
+RUN unzip -o /tmp/$FILE -d /agent ;\
+    rm -rf /tmp/$FILE && \
     # Erase default values
     sed -i.bak "s|com.lightrun.secret=.*|com.lightrun.secret=|" /agent/agent.config && rm /agent/agent.config.bak && \
     sed -i.bak "s|pinned_certs=.*|pinned_certs=|" /agent/agent.config && rm /agent/agent.config.bak && \
-    # In openshift UID will be dynamic per project, hence chmo and not chown
+    # In openshift UID will be dynamic per project, hence chmod and not chown
     chmod -R 777 /agent 
 
 USER 1000
-
 COPY lightrun-init-agent/update_config.sh /update_config.sh
 
 CMD [ "/bin/sh", "/update_config.sh" ]