From 3810fc386e33387870d51f57bc2a1b04f5aba631 Mon Sep 17 00:00:00 2001 
From: John Slivka Date: Thu, 14 Mar 2024 13:49:31 -0500 Subject: [PATCH] [stable/insights-agent] FWI-5698 Right-sizer rebrand (#1425) * modify right-sizer to include new right-sizer + oomkill-detection --- stable/insights-agent/CHANGELOG.md | 18 ++ stable/insights-agent/Chart.yaml | 2 +- stable/insights-agent/README.md | 3 + stable/insights-agent/ci/test-values.yaml | 14 ++ stable/insights-agent/requirements.yaml | 5 + stable/insights-agent/templates/_helpers.tpl | 1 - .../templates/right-sizer/agent-rbac.yaml | 9 - .../templates/right-sizer/configmap.yaml | 26 ++ .../right-sizer/controller-clusterrole.yaml | 63 +++++ .../controller-clusterrolebinding.yaml | 44 ++++ .../right-sizer/controller-deployment.yaml | 124 +++++---- .../right-sizer/controller-rbac.yaml | 153 ----------- ....yaml => oom-detection-agent-cronjob.yaml} | 9 +- .../oom-detection-controller-deployment.yaml | 81 ++++++ .../oom-detection-controller-rbac.yaml | 127 ++++++++++ .../templates/right-sizer/serviceaccount.yaml | 10 + .../templates/token-secret.yaml | 1 + stable/insights-agent/values.yaml | 237 ++++++++++++------ 18 files changed, 629 insertions(+), 298 deletions(-) delete mode 100644 stable/insights-agent/templates/right-sizer/agent-rbac.yaml create mode 100644 stable/insights-agent/templates/right-sizer/configmap.yaml create mode 100644 stable/insights-agent/templates/right-sizer/controller-clusterrole.yaml create mode 100644 stable/insights-agent/templates/right-sizer/controller-clusterrolebinding.yaml delete mode 100644 stable/insights-agent/templates/right-sizer/controller-rbac.yaml rename stable/insights-agent/templates/right-sizer/{agent-cronjob.yaml => oom-detection-agent-cronjob.yaml} (62%) create mode 100644 stable/insights-agent/templates/right-sizer/oom-detection-controller-deployment.yaml create mode 100644 stable/insights-agent/templates/right-sizer/oom-detection-controller-rbac.yaml create mode 100644 stable/insights-agent/templates/right-sizer/serviceaccount.yaml 
diff --git a/stable/insights-agent/CHANGELOG.md b/stable/insights-agent/CHANGELOG.md index a23a54811..444d4ab66 100644 --- a/stable/insights-agent/CHANGELOG.md +++ b/stable/insights-agent/CHANGELOG.md @@ -1,5 +1,23 @@ # Changelog +## 4.0.0 +* `right-sizer` has been renamed to `oom-detection`, which is a component of the new Insights right-sizer. The `right-sizer` prior to this release will be referred to as `oom-detection` going forward. These binaries may be further consolidated in a future release to avoid confusion. Configuration for `right-sizer` in your `values.yaml` will now be under `right-sizer.oom-detection`. e.g.: + +```yaml +# old +right-sizer: + enabled: true + schedule: "rand * * * *" + timeout: 300 +# new +right-sizer: + enabled: true + oom-detection: + enabled: true + schedule: "rand * * * *" + timeout: 300 +``` + ## 3.1.7 * Updated changelog diff --git a/stable/insights-agent/Chart.yaml b/stable/insights-agent/Chart.yaml index 2011e242b..e4ec582f9 100644 --- a/stable/insights-agent/Chart.yaml +++ b/stable/insights-agent/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 description: A Helm chart to run the Fairwinds Insights agent name: insights-agent -version: 3.1.7 +version: 4.0.0 appVersion: 9.2.1 kubeVersion: ">= 1.22.0-0" icon: https://raw.githubusercontent.com/FairwindsOps/charts/master/stable/insights-agent/icon.png diff --git a/stable/insights-agent/README.md b/stable/insights-agent/README.md index d1ff0814d..016330b47 100644 --- a/stable/insights-agent/README.md +++ b/stable/insights-agent/README.md 
@@ -143,6 +143,9 @@ Parameter | Description | Default ## Breaking Changes +### Version 4.0 +The 4.0 release of insights-agent contains breaking changes to `right-sizer`. This component has been rebranded to refer to Insights automated right sizing. The `right-sizer` prior to this release will be referred to as `oom-detection` going forward. These will be further consolidated in a future release to avoid confusion. + ### Version 2.0 The 2.0 release of insights-agent contains several breaking changes to help simplify the installation and adoption of new tools. diff --git a/stable/insights-agent/ci/test-values.yaml b/stable/insights-agent/ci/test-values.yaml index 465004283..9c0314f0c 100644 --- a/stable/insights-agent/ci/test-values.yaml +++ b/stable/insights-agent/ci/test-values.yaml @@ -181,3 +181,17 @@ installReporter: additionalAnnotations: "argocd.argoproj.io/hook": PostSync "argocd.argoproj.io/hook-delete-policy": HookSucceeded + +right-sizer: + enabled: true + oom-detection: + enabled: true +right-sizer-vpa: + admissionController: + enabled: false + metrics-server: + enabled: true + apiService: + insecureSkipTLSVerify: true + args: + - "--kubelet-insecure-tls" diff --git a/stable/insights-agent/requirements.yaml b/stable/insights-agent/requirements.yaml index da84c564c..e8af4a14f 100644 --- a/stable/insights-agent/requirements.yaml +++ b/stable/insights-agent/requirements.yaml @@ -16,3 +16,8 @@ dependencies: version: '1.17.0' condition: falco.installFalco alias: falcosecurity +- name: vpa + version: '4.4.5' + repository: https://charts.fairwinds.com/stable + condition: right-sizer.enabled + alias: right-sizer-vpa \ No newline at end of file diff --git a/stable/insights-agent/templates/_helpers.tpl b/stable/insights-agent/templates/_helpers.tpl index 492d84402..d8c8385cb 100644 --- a/stable/insights-agent/templates/_helpers.tpl +++ b/stable/insights-agent/templates/_helpers.tpl 
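Review bot: The `insecureSkipTLSVerify: true` and `--kubelet-insecure-tls` settings added under `right-sizer-vpa.metrics-server` in ci/test-values.yaml have no comment marking them as test-only. Values files are often copied as a starting point, and these two settings turn off certificate verification between the API server, metrics-server and the kubelets. I would add a comment above `metrics-server:` such as `# CI only: disables TLS verification for metrics-server; do not reuse in a real cluster`.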
@@ -30,4 +30,3 @@ Create chart name and version as used by the chart label. {{- define "insights-agent.chart" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} {{- end -}} - diff --git a/stable/insights-agent/templates/right-sizer/agent-rbac.yaml b/stable/insights-agent/templates/right-sizer/agent-rbac.yaml deleted file mode 100644 index ead549a09..000000000 --- a/stable/insights-agent/templates/right-sizer/agent-rbac.yaml +++ /dev/null @@ -1,9 +0,0 @@ -{{- if and (index .Values "right-sizer" "enabled") (not .Values.rbac.disabled) -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "insights-agent.fullname" . }}-right-sizer - labels: - app: insights-agent -# This ServiceAccount currently needs no permissions. -{{- end -}} diff --git a/stable/insights-agent/templates/right-sizer/configmap.yaml b/stable/insights-agent/templates/right-sizer/configmap.yaml new file mode 100644 index 000000000..0c7c6c123 --- /dev/null +++ b/stable/insights-agent/templates/right-sizer/configmap.yaml @@ -0,0 +1,26 @@ +{{- if (index .Values "right-sizer" "enabled") }} +{{- with (index .Values "right-sizer" "config") }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "insights-agent.fullname" $ }}-right-sizer + labels: + component: right-sizer + app: insights-agent + {{- if (index $.Values "right-sizer" "controller" "deployment" "annotations") }} + annotations: + {{- toYaml (index $.Values "right-sizer" "controller" "deployment" "annotations") | nindent 4 }} + {{- end }} +data: + config.yaml: | + {{- if kindIs "map" . }} + {{- range $key, $value := . }} + {{ $key }}: + {{- toYaml $value | nindent 6 }} + {{- end }} + {{- end }} + {{- if kindIs "string" . }} + {{- . | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} \ No newline at end of file 
diff --git a/stable/insights-agent/templates/right-sizer/controller-clusterrole.yaml b/stable/insights-agent/templates/right-sizer/controller-clusterrole.yaml new file mode 100644 index 000000000..28de4bf2e --- /dev/null +++ b/stable/insights-agent/templates/right-sizer/controller-clusterrole.yaml @@ -0,0 +1,63 @@ +{{- if and (index .Values "right-sizer" "controller" "rbac" "create") (index .Values "right-sizer" "enabled") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "insights-agent.fullname" . }}-right-sizer-controller + {{- if (index .Values "right-sizer" "controller" "deployment" "annotations") }} + annotations: + {{- toYaml (index .Values "right-sizer" "controller" "deployment" "annotations") | nindent 4 }} + {{- end }} + labels: + component: right-sizer + app: insights-agent +rules: + - apiGroups: + - 'apps' + resources: + - '*' + verbs: + - 'get' + - 'list' + - 'watch' + - apiGroups: + - 'batch' + resources: + - 'cronjobs' + - 'jobs' + verbs: + - 'get' + - 'list' + - 'watch' + - apiGroups: + - '' + resources: + - 'namespaces' + - 'pods' + verbs: + - 'get' + - 'list' + - 'watch' + - apiGroups: + - 'autoscaling.k8s.io' + resources: + - 'verticalpodautoscalers' + verbs: + - 'get' + - 'list' + - 'create' + - 'delete' + - 'update' + {{- if (index .Values "right-sizer" "controller" "rbac" "enableArgoproj") }} + - apiGroups: + - 'argoproj.io' + resources: + - rollouts + verbs: + - 'get' + - 'list' + - 'watch' + {{- end }} + {{- if (index .Values "right-sizer" "controller" "rbac" "extraRules") -}} + {{ toYaml (index .Values "right-sizer" "controller" "rbac" "extraRules") | nindent 2 }} + {{- end }} +{{- end }} diff --git a/stable/insights-agent/templates/right-sizer/controller-clusterrolebinding.yaml b/stable/insights-agent/templates/right-sizer/controller-clusterrolebinding.yaml new file mode 100644 index 000000000..0337c55db --- /dev/null 
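Review bot: The first rule of the new ClusterRole grants `get`/`list`/`watch` on `resources: '*'` in the `apps` group, which also covers anything added to that group later. Listing the workload kinds the controller actually reads (for example `deployments`, `statefulsets`, `daemonsets`, `replicasets`) keeps the grant bounded. The template is also gated only on `right-sizer.controller.rbac.create` and `right-sizer.enabled`, whereas the controller-rbac.yaml removed in this commit honoured `.Values.rbac.disabled`. A cluster that sets `rbac.disabled` would therefore still get this ClusterRole, including `create`/`delete`/`update` on `verticalpodautoscalers`; if that is not intended, add `(not .Values.rbac.disabled)` to the `and` on the first line.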
+++ b/stable/insights-agent/templates/right-sizer/controller-clusterrolebinding.yaml @@ -0,0 +1,44 @@ +{{- if and (index .Values "right-sizer" "controller" "rbac" "create") (index .Values "right-sizer" "enabled") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "insights-agent.fullname" . }}-right-sizer-controller + {{- if (index .Values "right-sizer" "controller" "deployment" "annotations") }} + annotations: + {{- toYaml (index .Values "right-sizer" "controller" "deployment" "annotations") | nindent 4 }} + {{- end }} + labels: + component: right-sizer + app: insights-agent +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "insights-agent.fullname" . }}-right-sizer-controller +subjects: + - kind: ServiceAccount + name: {{ include "insights-agent.fullname" . }}-right-sizer-controller + namespace: {{ .Release.Namespace }} + +{{- range (index .Values "right-sizer" "controller" "rbac" "extraClusterRoleBindings" )}} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "insights-agent.fullname" $ }}-right-sizer-controller-{{ . }} + {{- if (index $.Values "right-sizer" "controller" "deployment" "annotations") }} + annotations: + {{- toYaml (index $.Values "right-sizer" "controller" "deployment" "annotations") | nindent 4 }} + {{- end }} + labels: + component: right-sizer + app: insights-agent +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ . }} +subjects: + - kind: ServiceAccount + name: {{ include "insights-agent.fullname" $ }}-right-sizer-controller + namespace: {{ $.Release.Namespace }} +{{- end }} +{{- end }} diff --git a/stable/insights-agent/templates/right-sizer/controller-deployment.yaml b/stable/insights-agent/templates/right-sizer/controller-deployment.yaml index 1b3a16fb8..ac721e022 100644 --- a/stable/insights-agent/templates/right-sizer/controller-deployment.yaml 
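Review bot: The `range` over `extraClusterRoleBindings` binds the controller ServiceAccount cluster-wide to every ClusterRole name in the values list, and the default added in values.yaml is `view`. The account therefore gets the built-in `view` role on top of the scoped read rules in controller-clusterrole.yaml. I would default the list to `[]` unless the controller is known to need `view`, and document the key with a comment such as `# Every entry is bound cluster-wide to the controller ServiceAccount; keep this list minimal`.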
+++ b/stable/insights-agent/templates/right-sizer/controller-deployment.yaml @@ -1,4 +1,4 @@ -{{- if (index .Values "right-sizer" "enabled") -}} +{{- if (index .Values "right-sizer" "enabled") }} apiVersion: apps/v1 kind: Deployment metadata: 
@@ -11,71 +11,95 @@ metadata: component: right-sizer app: insights-agent spec: + replicas: 1 + revisionHistoryLimit: {{ (index .Values "right-sizer" "controller" "revisionHistoryLimit") }} selector: matchLabels: - component: right-sizer - app: insights-agent + app.kubernetes.io/name: {{ include "insights-agent.fullname" . }}-right-sizer-controller + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: right-sizer template: metadata: labels: - component: right-sizer - app: insights-agent - {{- if (index .Values "right-sizer" "workloadAnnotations") }} + app.kubernetes.io/name: {{ include "insights-agent.fullname" . }}-right-sizer-controller + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: right-sizer + {{- if (index .Values "right-sizer" "controller" "deployment" "additionalLabels") }} + {{ toYaml (index .Values "right-sizer" "controller" "deployment" "additionalLabels") | nindent 8 }} + {{- end }} + {{- with (index .Values "right-sizer" "controller" "deployment" "podAnnotations") }} annotations: - {{- toYaml (index .Values "right-sizer" "workloadAnnotations") | nindent 8 }} + {{- toYaml . | nindent 8 }} + {{- with (index .Values "right-sizer" "config") }} + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") $ | sha256sum }}' + {{- end }} {{- end }} spec: {{- with (index .Values "right-sizer" "imagePullSecrets") }} imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} + serviceAccountName: {{ include "insights-agent.fullname" . }}-right-sizer-controller + securityContext: + {{- toYaml (index .Values "right-sizer" "controller" "podSecurityContext") | nindent 8 }} containers: - - name: {{ .Chart.Name }}-right-sizer-controller - ports: - - containerPort: 8080 - env: - {{ include "proxy-env-spec" . 
| indent 12 | trim }} - securityContext: - {{- toYaml (index .Values "right-sizer" "containerSecurityContext") | nindent 12 }} + - name: {{ .Chart.Name }} image: "{{ (index .Values "right-sizer" "image" "repository") }}:{{ (index .Values "right-sizer" "image" "tag") }}" imagePullPolicy: {{ (index .Values "right-sizer" "image" "pullPolicy") }} command: - - "right-sizer" - - "--state-configmap-namespace" - - "{{ .Release.Namespace }}" - - "--state-configmap-name" - - "{{ (index .Values "right-sizer" "stateconfigmapname") }}" - {{- range (index .Values "right-sizer" "namespaces") }} - - "--namespace" - - "{{ . }}" + - /insights-right-sizer + - controller + - -v{{ (index .Values "right-sizer" "controller" "logVerbosity") }} + {{- range $name, $value := (index .Values "right-sizer" "controller" "flags") }} + - --{{ $name }}={{ $value }} + {{- end }} + {{- with (index .Values "right-sizer" "config") }} + - --config + - /opt/app/config.yaml + {{- end }} + {{- if (index .Values "right-sizer" "controller" "securityContext") }} + securityContext: + {{- toYaml (index .Values "right-sizer" "controller" "securityContext") | nindent 12 }} + {{- end }} + resources: + {{- toYaml (index .Values "right-sizer" "controller" "resources") | nindent 12 }} + {{- if or (index .Values "right-sizer" "config") (index .Values "right-sizer" "controller" "deployment" "extraVolumeMounts") }} + volumeMounts: {{- end }} - {{- if (index .Values "right-sizer" "updateMemoryLimits" "enabled") }} - - "--update-memory-limits" - - "--update-memory-limits-increment" - - "{{ (index .Values "right-sizer" "updateMemoryLimits" "increment") }}" - - "--update-memory-limits-max" - - "{{ (index .Values "right-sizer" "updateMemoryLimits" "max") }}" - - "--update-memory-limits-min-ooms" - - "{{ (index .Values "right-sizer" "updateMemoryLimits" "minOOMs") }}" - {{- range (index .Values "right-sizer" "updateMemoryLimits" "namespaces") }} - - "--update-memory-limits-namespace" - - "{{ . 
}}" + {{- with (index .Values "right-sizer" "config") }} + - name: config + mountPath: /opt/app/config.yaml + subPath: config.yaml + readOnly: true {{- end }} -{{- end }} - - "--reset-ooms-window" - - "{{ (index .Values "right-sizer" "resetOOMsWindow") }}" - {{- range (index .Values "right-sizer" "extraArgs") }} - - "{{ . }}" + {{- if (index .Values "right-sizer" "controller" "deployment" "extraVolumeMounts") }} + {{ toYaml (index .Values "right-sizer" "controller" "deployment" "extraVolumeMounts") | nindent 12 }} {{- end }} - readinessProbe: - httpGet: - path: /healthz - port: 8080 - livenessProbe: - httpGet: - path: /healthz - port: 8080 - resources: - {{- toYaml (index .Values "right-sizer" "resources") | nindent 12 }} - serviceAccountName: {{ (index .Values "right-sizer" "serviceAccountName") }} -{{- end -}} +{{- if or (index .Values "right-sizer" "config") (index .Values "right-sizer" "controller" "deployment" "extraVolumes") }} + volumes: +{{- if (index .Values "right-sizer" "controller" "deployment" "extraVolumes") }} +{{ toYaml (index .Values "right-sizer" "controller" "deployment" "extraVolumes") | indent 8}} +{{- end }} + {{- with (index .Values "right-sizer" "config") }} + - name: config + configMap: + name: {{ include "insights-agent.fullname" $ }}-right-sizer + {{- end }} +{{- end }} + {{- with (index .Values "right-sizer" "controller" "nodeSelector") }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with (index .Values "right-sizer" "controller" "affinity") }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with (index .Values "right-sizer" "controller" "tolerations") }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with (index .Values "right-sizer" "controller" "topologySpreadConstraints") }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} 
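Review bot: The `checksum/config` annotation is nested inside `{{- with (… "podAnnotations") }}`, where `.` is the annotations map, so the inner `index .Values "right-sizer" "config"` no longer reaches the chart values and should fail to render as soon as `podAnnotations` is set. With `podAnnotations` unset, no checksum is emitted at all and a ConfigMap change does not roll the pods. The include path `"/configmap.yaml"` also does not match the file this commit adds at templates/right-sizer/configmap.yaml, unless the chart has another configmap.yaml outside this diff. Moving the checksum out of the `with` and pointing it at the right-sizer template fixes both. Separately, `spec.selector.matchLabels` changes in this hunk, and Kubernetes treats that field as immutable on an existing Deployment, so an in-place upgrade may be rejected if the Deployment name (outside this hunk) is unchanged.

```yaml
      # … unchanged: pod template labels and additionalLabels …
      {{- if or (index .Values "right-sizer" "controller" "deployment" "podAnnotations") (index .Values "right-sizer" "config") }}
      annotations:
        {{- with (index .Values "right-sizer" "controller" "deployment" "podAnnotations") }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
        {{- if (index .Values "right-sizer" "config") }}
        checksum/config: '{{ include (print $.Template.BasePath "/right-sizer/configmap.yaml") $ | sha256sum }}'
        {{- end }}
      {{- end }}
```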
diff --git a/stable/insights-agent/templates/right-sizer/controller-rbac.yaml b/stable/insights-agent/templates/right-sizer/controller-rbac.yaml deleted file mode 100644 index fd4a2aa19..000000000 --- a/stable/insights-agent/templates/right-sizer/controller-rbac.yaml +++ /dev/null 
@@ -1,153 +0,0 @@ -{{- if and (index .Values "right-sizer" "enabled") (not .Values.rbac.disabled) -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ (index .Values "right-sizer" "serviceAccountName") }} - labels: - app: insights-agent ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "insights-agent.fullname" . }}-right-sizer-controller-events - labels: - app: insights-agent -rules: - - apiGroups: - - '' - resources: - - 'events' - verbs: - - 'create' ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "insights-agent.fullname" . }}-right-sizer-controller-state - namespace: {{ .Release.Namespace }} - labels: - app: insights-agent -rules: - - apiGroups: - - '' - resources: - - 'configmaps' - resourceNames: - - '{{ (index .Values "right-sizer" "stateconfigmapname") }}' - verbs: - - 'get' - - 'update' - - apiGroups: - - '' - resources: - - 'configmaps' - verbs: - - 'create' ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "insights-agent.fullname" . }}-right-sizer-controller-view - labels: - app: insights-agent -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: view -subjects: - - kind: ServiceAccount - name: {{ (index .Values "right-sizer" "serviceAccountName") }} - namespace: {{ .Release.Namespace }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "insights-agent.fullname" . }}-right-sizer-controller-events - labels: - app: insights-agent -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ include "insights-agent.fullname" . 
}}-right-sizer-controller-events -subjects: - - kind: ServiceAccount - name: {{ (index .Values "right-sizer" "serviceAccountName") }} - namespace: {{ .Release.Namespace }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ include "insights-agent.fullname" . }}-right-sizer-controller-state - labels: - app: insights-agent -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ include "insights-agent.fullname" . }}-right-sizer-controller-state -subjects: - - kind: ServiceAccount - name: {{ (index .Values "right-sizer" "serviceAccountName") }} - namespace: {{ .Release.Namespace }} -{{ if (index .Values "right-sizer" "updateMemoryLimits" "enabled") -}} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "insights-agent.fullname" . }}-right-sizer-controller-update-memory-limits - labels: - app: insights-agent -rules: - - apiGroups: - - 'apps' - resources: - - 'pods' - - 'deployments' - - 'statefulsets' - - 'daemonsets' - - 'replicasets' - verbs: - - 'update' - - 'patch' ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "insights-agent.fullname" . }}-right-sizer-controller-update-memory-limits - labels: - app: insights-agent -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ include "insights-agent.fullname" . }}-right-sizer-controller-update-memory-limits -subjects: - - kind: ServiceAccount - name: {{ (index .Values "right-sizer" "serviceAccountName") }} - namespace: {{ .Release.Namespace }} -{{ end -}} -{{ if (index .Values "right-sizer" "rbac" "additionalAccess") -}} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "insights-agent.fullname" . 
}}-right-sizer-controller-additional-access - labels: - app: insights-agent -rules: -{{ toYaml (index .Values "right-sizer" "rbac" "additionalAccess") }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "insights-agent.fullname" . }}-right-sizer-controller-additional-access - labels: - app: insights-agent -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ include "insights-agent.fullname" . }}-right-sizer-controller-additional-access -subjects: -- kind: ServiceAccount - name: {{ (index .Values "right-sizer" "serviceAccountName") }} - namespace: {{ .Release.Namespace }} -{{ end }} -{{- end -}} diff --git a/stable/insights-agent/templates/right-sizer/agent-cronjob.yaml b/stable/insights-agent/templates/right-sizer/oom-detection-agent-cronjob.yaml similarity index 62% rename from stable/insights-agent/templates/right-sizer/agent-cronjob.yaml rename to stable/insights-agent/templates/right-sizer/oom-detection-agent-cronjob.yaml index fef508c5b..baa942a3a 100644 --- a/stable/insights-agent/templates/right-sizer/agent-cronjob.yaml +++ b/stable/insights-agent/templates/right-sizer/oom-detection-agent-cronjob.yaml @@ -1,9 +1,6 @@ -{{ if hasKey .Values "rightsizer" }} -{{ fail "rightsizer has been renamed to right-sizer in version 2.0. See breaking changes at https://github.com/FairwindsOps/charts/blob/master/stable/insights-agent/README.md" }} -{{ end }} -{{- if (index .Values "right-sizer" "enabled") -}} +{{- if (index .Values "right-sizer" "oom-detection" "enabled") -}} {{- $_ := set . "Label" "right-sizer" }} -{{- $_ := set . "Config" (index .Values "right-sizer") }} +{{- $_ := set . "Config" (index .Values "right-sizer" "oom-detection") }} {{- include "cronjob" . }} spec: {{ include "cronjob-spec" . | nindent 2 | trim }} 
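Review bot: An install that still carries the old layout (`right-sizer.enabled: true` with `schedule`, `updateMemoryLimits` and the rest directly underneath) no longer renders this CronJob once the gate moves to `right-sizer.oom-detection.enabled`. The same `right-sizer.enabled` flag now switches on the new controller, its ClusterRole with VPA write verbs, and the `vpa` dependency from requirements.yaml. The hunk also drops the `fail` guard for the older `rightsizer` key without adding one for this rename. A guard in the style of the removed one would make the upgrade fail loudly instead, e.g. `{{- if hasKey (index .Values "right-sizer") "updateMemoryLimits" }}{{ fail "right-sizer.* has moved to right-sizer.oom-detection.* in 4.0; see CHANGELOG" }}{{- end }}`. This assumes the new defaults no longer define that key at the top level, as the visible part of the values.yaml hunk suggests; the CronJob body continues outside this hunk.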
@@ -17,7 +14,7 @@ spec: volumes: - name: output configMap: - name: {{ (index .Values "right-sizer" "stateconfigmapname")}} + name: {{ (index .Values "right-sizer" "oom-detection" "stateconfigmapname")}} items: - key: report path: right-sizer.json diff --git a/stable/insights-agent/templates/right-sizer/oom-detection-controller-deployment.yaml b/stable/insights-agent/templates/right-sizer/oom-detection-controller-deployment.yaml new file mode 100644 index 000000000..834e69c3b --- /dev/null +++ b/stable/insights-agent/templates/right-sizer/oom-detection-controller-deployment.yaml 
@@ -0,0 +1,81 @@ +{{- if (index .Values "right-sizer" "oom-detection" "enabled") -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "insights-agent.fullname" . }}-right-sizer-oom-detection-controller + {{- if (index .Values "right-sizer" "oom-detection" "annotations") }} + annotations: + {{- toYaml (index .Values "right-sizer" "oom-detection" "annotations") | nindent 4 }} + {{- end }} + labels: + component: right-sizer + app: insights-agent +spec: + selector: + matchLabels: + component: right-sizer + app: insights-agent + template: + metadata: + labels: + component: right-sizer + app: insights-agent + {{- if (index .Values "right-sizer" "oom-detection" "annotations") }} + annotations: + {{- toYaml (index .Values "right-sizer" "oom-detection" "annotations") | nindent 8 }} + {{- end }} + spec: + {{- with (index .Values "right-sizer" "oom-detection" "imagePullSecrets") }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: {{ .Chart.Name }}-right-sizer-oom-detection-controller + ports: + - containerPort: 8080 + env: + {{ include "proxy-env-spec" . | indent 12 | trim }} + securityContext: + {{- toYaml (index .Values "right-sizer" "oom-detection" "containerSecurityContext") | nindent 12 }} + image: "{{ (index .Values "right-sizer" "oom-detection" "image" "repository") }}:{{ (index .Values "right-sizer" "oom-detection" "image" "tag") }}" + imagePullPolicy: {{ (index .Values "right-sizer" "oom-detection" "image" "pullPolicy") }} + command: + - "right-sizer" + - "--state-configmap-namespace" + - "{{ .Release.Namespace }}" + - "--state-configmap-name" + - "{{ (index .Values "right-sizer" "oom-detection" "stateconfigmapname") }}" + {{- range (index .Values "right-sizer" "oom-detection" "namespaces") }} + - "--namespace" + - "{{ . 
}}" + {{- end }} + {{- if (index .Values "right-sizer" "oom-detection" "updateMemoryLimits" "enabled") }} + - "--update-memory-limits" + - "--update-memory-limits-increment" + - "{{ (index .Values "right-sizer" "oom-detection" "updateMemoryLimits" "increment") }}" + - "--update-memory-limits-max" + - "{{ (index .Values "right-sizer" "oom-detection" "updateMemoryLimits" "max") }}" + - "--update-memory-limits-min-ooms" + - "{{ (index .Values "right-sizer" "oom-detection" "updateMemoryLimits" "minOOMs") }}" + {{- range (index .Values "right-sizer" "oom-detection" "updateMemoryLimits" "namespaces") }} + - "--update-memory-limits-namespace" + - "{{ . }}" + {{- end }} +{{- end }} + - "--reset-ooms-window" + - "{{ (index .Values "right-sizer" "oom-detection" "resetOOMsWindow") }}" + {{- range (index .Values "right-sizer" "oom-detection" "extraArgs") }} + - "{{ . }}" + {{- end }} + readinessProbe: + httpGet: + path: /healthz + port: 8080 + livenessProbe: + httpGet: + path: /healthz + port: 8080 + resources: + {{- toYaml (index .Values "right-sizer" "oom-detection" "resources") | nindent 12 }} + serviceAccountName: {{ include "insights-agent.fullname" . }}-right-sizer-oom-detection-controller +{{- end -}} diff --git a/stable/insights-agent/templates/right-sizer/oom-detection-controller-rbac.yaml b/stable/insights-agent/templates/right-sizer/oom-detection-controller-rbac.yaml new file mode 100644 index 000000000..551089eb8 --- /dev/null +++ b/stable/insights-agent/templates/right-sizer/oom-detection-controller-rbac.yaml 
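Review bot: `serviceAccountName` at the end of the new Deployment is fixed to `<fullname>-right-sizer-oom-detection-controller`, but oom-detection-controller-rbac.yaml creates that ServiceAccount only when `.Values.rbac.disabled` is false, and this template is gated on `oom-detection.enabled` alone. The controller-deployment.yaml it replaces read the name from `right-sizer.serviceAccountName`, so clusters that manage RBAC themselves can no longer point the pod at their own account, and pods referencing a missing ServiceAccount are rejected. Keeping an override would preserve that: `serviceAccountName: {{ default (printf "%s-right-sizer-oom-detection-controller" (include "insights-agent.fullname" .)) (index .Values "right-sizer" "oom-detection" "serviceAccountName") }}`.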
@@ -0,0 +1,127 @@ +{{- if and (index .Values "right-sizer" "oom-detection" "enabled") (not .Values.rbac.disabled) -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "insights-agent.fullname" . }}-right-sizer-oom-detection-controller + labels: + app: insights-agent +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "insights-agent.fullname" . }}-right-sizer-oom-detection-controller-events + labels: + app: insights-agent +rules: + - apiGroups: + - '' + resources: + - 'events' + verbs: + - 'create' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "insights-agent.fullname" . }}-right-sizer-oom-detection-controller-state + namespace: {{ .Release.Namespace }} + labels: + app: insights-agent +rules: + - apiGroups: + - '' + resources: + - 'configmaps' + resourceNames: + - '{{ (index .Values "right-sizer" "oom-detection" "stateconfigmapname") }}' + verbs: + - 'get' + - 'update' + - apiGroups: + - '' + resources: + - 'configmaps' + verbs: + - 'create' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "insights-agent.fullname" . }}-right-sizer-oom-detection-controller-view + labels: + app: insights-agent +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: view +subjects: + - kind: ServiceAccount + name: {{ include "insights-agent.fullname" . }}-right-sizer-oom-detection-controller + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "insights-agent.fullname" . }}-right-sizer-oom-detection-controller-events + labels: + app: insights-agent +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "insights-agent.fullname" . }}-right-sizer-oom-detection-controller-events +subjects: + - kind: ServiceAccount + name: {{ include "insights-agent.fullname" . 
}}-right-sizer-oom-detection-controller + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "insights-agent.fullname" . }}-right-sizer-oom-detection-controller-state + labels: + app: insights-agent +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "insights-agent.fullname" . }}-right-sizer-oom-detection-controller-state +subjects: + - kind: ServiceAccount + name: {{ include "insights-agent.fullname" . }}-right-sizer-oom-detection-controller + namespace: {{ .Release.Namespace }} +{{ if (index .Values "right-sizer" "oom-detection" "updateMemoryLimits" "enabled") -}} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "insights-agent.fullname" . }}-right-sizer-oom-detection-controller-update-memory-limits + labels: + app: insights-agent +rules: + - apiGroups: + - 'apps' + resources: + - 'pods' + - 'deployments' + - 'statefulsets' + - 'daemonsets' + - 'replicasets' + verbs: + - 'update' + - 'patch' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "insights-agent.fullname" . }}-right-sizer-oom-detection-controller-update-memory-limits + labels: + app: insights-agent +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "insights-agent.fullname" . }}-right-sizer-oom-detection-controller-update-memory-limits +subjects: + - kind: ServiceAccount + name: {{ include "insights-agent.fullname" . }}-right-sizer-oom-detection-controller + namespace: {{ .Release.Namespace }} +{{ end -}} +{{ end -}} \ No newline at end of file diff --git a/stable/insights-agent/templates/right-sizer/serviceaccount.yaml b/stable/insights-agent/templates/right-sizer/serviceaccount.yaml new file mode 100644 index 000000000..9a651645d --- /dev/null +++ b/stable/insights-agent/templates/right-sizer/serviceaccount.yaml 
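Review bot: In the `update-memory-limits` ClusterRole the `pods` entry sits under `apiGroups: ['apps']`, where no such resource exists (pods are in the core group), so that line grants nothing; drop it, or add a separate core-group rule if the controller really patches pods. The same file binds the ServiceAccount to the built-in `view` ClusterRole and grants `update`/`patch` on workloads cluster-wide, even when `oom-detection.namespaces` or `updateMemoryLimits.namespaces` restrict where the controller acts. If those lists are meant as a boundary, per-namespace RoleBindings generated from them would let RBAC enforce it. The `-state` RoleBinding also omits `namespace: {{ .Release.Namespace }}`, which the matching Role sets.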
@@ -0,0 +1,10 @@ +{{- if and (index .Values "right-sizer" "controller" "rbac" "create") (index .Values "right-sizer" "enabled") }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "insights-agent.fullname" . }}-right-sizer-controller + namespace: {{ .Release.Namespace }} + labels: + component: right-sizer + app: insights-agent +{{- end }} \ No newline at end of file diff --git a/stable/insights-agent/templates/token-secret.yaml b/stable/insights-agent/templates/token-secret.yaml index f4a488531..c3cf5a8b8 100644 --- a/stable/insights-agent/templates/token-secret.yaml +++ b/stable/insights-agent/templates/token-secret.yaml @@ -5,4 +5,5 @@ metadata: name: {{ include "insights-agent.fullname" . }}-token data: token: {{ required "You must set base64token or tokenSecretName" .Values.insights.base64token | quote }} + INSIGHTS_TOKEN: {{ required "You must set base64token or tokenSecretName" .Values.insights.base64token | quote }} {{ end }} diff --git a/stable/insights-agent/values.yaml b/stable/insights-agent/values.yaml index 1bcf296ef..2db27ebbc 100644 --- a/stable/insights-agent/values.yaml +++ b/stable/insights-agent/values.yaml 
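Review bot: The ServiceAccount is rendered under `right-sizer.controller.rbac.create`, while values.yaml in this commit adds `controller.serviceAccount.create` and `controller.serviceAccount.name`, and no template in this diff reads either key. controller-deployment.yaml always sets `serviceAccountName` to `<fullname>-right-sizer-controller`, so `rbac.create: false` leaves the Deployment pointing at an account that does not exist, and `serviceAccount.name` has no effect. Gate this file on `(index .Values "right-sizer" "controller" "serviceAccount" "create")` and let the Deployment fall back to `serviceAccount.name` when it is set.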
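Review bot: `INSIGHTS_TOKEN` is added only to the Secret this chart generates, while the `required` message on the same line still offers `tokenSecretName` as the alternative. A Secret supplied that way will have `token` but not the new key; if the new controller reads `INSIGHTS_TOKEN` (its consumer is not visible in this diff), it would start without a credential. The README entry for `tokenSecretName` should say that an externally managed Secret now needs both keys. The hunk shows only the tail of the template.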
@@ -451,91 +451,172 @@ cloudcosts: containerSecurityContext: {} mountTmp: true +# requires a custom VPA configuration to work properly, see `right-sizer-vpa` section below in this values file right-sizer: enabled: false - schedule: "rand * * * *" - timeout: 300 - # This image is for the controller, the agent only runs the Insights uploader. image: - repository: quay.io/fairwinds/right-sizer - tag: 0.5 + repository: quay.io/fairwinds/insights-right-sizer + tag: v0.0.2-dev + # image.pullPolicy -- imagePullPolicy - Highly recommended to leave this as `Always` pullPolicy: Always - # rightsizer.imagePullSecrets -- imagePullSecrets containing private registry credentials. + config: + default: + vpa: + minReplicas: 1 + updatePolicy: + updateMode: "Off" + resourcePolicy: + containerPolicies: + - containerName: "*" + maxAllowed: + cpu: 2 + memory: "4Gi" + # imagePullSecrets -- A list of image pull secret names to use imagePullSecrets: [] - # rightsizer.stateconfigmapname -- The name of a ConfigMap where controller - # state is stored inbetween restarts. - stateconfigmapname: insights-agent-right-sizer-controller-state - # rightsizer.resetOOMsWindow -- The amount of time after which, if no OOMs - # have been seen, items will be removed from the Insights report. - resetOOMsWindow: "24h" - # rightsizer.namespaces -- Kubernetes namespaces to restrict all operations. - # By default, all namespaces are allowed. - # This applies both to OOM-kill alerts, and updating memory limits if enabled. - namespaces: [] - updateMemoryLimits: - # rightsizer.updateMemoryLimits.enabled -- Update memory limits of - # pod-controller resources whos containers are OOM-killed. - enabled: false - # rightsizer.updateMemoryLimits.increment -- The multiplier used to - # increase memory limits, in response to an OOM-kill. This value is - # multiplied by the limits of the OOM-killed container. 
- increment: 1.2 - # rightsizer.updateMemoryLimits.minOOMs -- The number of OOM-kills required - # before a pod-controller memory limits will be updated. - minOOMs: 2 - # rightsizer.updateMemoryLimits.max -- The multiplier used to calculate a - # maximum value to update a pod-controller memory limits. - # This value is multiplied by the starting memory limits of the first - # OOM-killed container seen by this controller. - max: 2.0 - # rightsizer.updateMemoryLimits.namespaces -- Kubernetes namespaces to - # restrict where memory limits will be updated. - # This value narrows the namespaces specified in the global `rightsizer.namespaces` one. + controller: + # controller.revisionHistoryLimit -- Number of old replicasets to retain, default is 10, 0 will garbage-collect old replicasets + revisionHistoryLimit: 10 + rbac: + # controller.rbac.create -- If set to true, rbac resources will be created for the controller + create: true + # controller.rbac.enableArgoproj -- If set to true, the clusterrole will give access to argoproj.io resources + enableArgoproj: true + # controller.rbac.extraRules -- Extra rbac rules for the controller clusterrole + extraRules: [] + # controller.rbac.extraClusterRoleBindings -- A list of ClusterRoles for which ClusterRoleBindings will be created for the ServiceAccount, if enabled + extraClusterRoleBindings: + - view + serviceAccount: + # controller.serviceAccount.create -- If true, a service account will be created for the controller. If set to false, you must set `controller.serviceAccount.name` + create: true + # controller.serviceAccount.name -- The name of an existing service account to use for the controller. Combined with `controller.serviceAccount.create` + name: + + # controller.flags -- A map of additional flags to pass to the controller + flags: + on-by-default: true + # controller.logVerbosity -- Controller log verbosity. 
Can be set from 1-10 with 10 being extremely verbose + logVerbosity: "2" + # controller.nodeSelector -- Node selector for the controller pod + nodeSelector: {} + # controller.tolerations -- Tolerations for the controller pod + tolerations: [] + # controller.affinity -- Affinity for the controller pods + affinity: {} + # controller.topologySpreadConstraints -- Topology spread constraints for the controller pods + topologySpreadConstraints: [] + # controller.resources -- The resources block for the controller pods + resources: + limits: {} + requests: + cpu: 25m + memory: 256Mi + # controller.podSecurityContext -- Defines the podSecurityContext for the controller pod + podSecurityContext: + seccompProfile: + type: RuntimeDefault + # controller.securityContext -- The container securityContext for the controller container + securityContext: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 10324 + capabilities: + drop: + - ALL + deployment: + # controller.deployment.extraVolumeMounts -- Extra volume mounts for the controller container + extraVolumeMounts: [] + # controller.deployment.extraVolumes -- Extra volumes for the controller pod + extraVolumes: [] + # controller.deployment.annotations -- Extra annotations for the controller deployment + annotations: {} + # controller.deployment.additionalLabels -- Extra labels for the controller deployment + additionalLabels: {} + + # controller.deployment.podAnnotations -- Extra annotations for the controller pod + podAnnotations: {} + oom-detection: + enabled: true + schedule: "rand * * * *" + timeout: 300 + # This image is for the controller, the agent only runs the Insights uploader. + image: + repository: quay.io/fairwinds/right-sizer + tag: 0.5 + pullPolicy: Always + + # oom-detection.stateconfigmapname -- The name of a ConfigMap where controller + # state is stored inbetween restarts. 
+ stateconfigmapname: insights-agent-right-sizer-oom-detection-controller-state + # oom-detection.resetOOMsWindow -- The amount of time after which, if no OOMs + # have been seen, items will be removed from the Insights report. + resetOOMsWindow: "24h" + # oom-detection.annotations -- Extra annotations for oom-detection + annotations: {} + # oom-detection.namespaces -- Kubernetes namespaces to restrict all operations. + # By default, all namespaces are allowed. + # This applies both to OOM-kill alerts, and updating memory limits if enabled. namespaces: [] - SkipVolumes: true - # rightsizer.resources -- Resources for the controller deployment - resources: - requests: - cpu: 100m - memory: 128Mi - # rightsizer.deploymentAnnotations -- Annotations to add to the right-sizer controller deployment. - deploymentAnnotations: {} - # rightsizer.workloadAnnotations -- Annotations to add to the right-sizer controller deployment's worload. - workloadAnnotations: {} - # rightsizer.extraArgs -- Additional command-line flags for the controller. - extraArgs: [] - # - "-v2" - # rightsizer.containerSecurityContext -- The securityContext for the - # controller container. - containerSecurityContext: - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - runAsNonRoot: true - runAsUser: 1200 - runAsGroup: 1200 - capabilities: - drop: - - ALL - # The global `rbac.disabled` causes this ServiceAccount to not be created. - # rightsizer.serviceAccountName -- The Kubernetes ServiceAccount for the - # controller. This account will be created unless `rbac.disabled` is set to true. - serviceAccountName: insights-agent-right-sizer-controller - rbac: - # See the global rbac.disabled value is used instead of `create` here. - # rightsizer.rbac.additionalAccess -- RBAC rules to be granted to the - # controller, providing access to custom resources. - # Specify a list of RBAC rules, - # each with a list of apiGroups, resources, and verbs. 
- additionalAccess: [] - # - apiGroups: - # - '' - # resources: - # - 'ACustomResource' - # verbs: - # - 'get' - # - 'update' - # - 'patch' + updateMemoryLimits: + # oom-detection.updateMemoryLimits.enabled -- Update memory limits of + # pod-controller resources whos containers are OOM-killed. + enabled: false + # oom-detection.updateMemoryLimits.increment -- The multiplier used to + # increase memory limits, in response to an OOM-kill. This value is + # multiplied by the limits of the OOM-killed container. + increment: 1.2 + # oom-detection.updateMemoryLimits.minOOMs -- The number of OOM-kills required + # before a pod-controller memory limits will be updated. + minOOMs: 2 + # oom-detection.updateMemoryLimits.max -- The multiplier used to calculate a + # maximum value to update a pod-controller memory limits. + # This value is multiplied by the starting memory limits of the first + # OOM-killed container seen by this controller. + max: 2.0 + # oom-detection.updateMemoryLimits.namespaces -- Kubernetes namespaces to + # restrict where memory limits will be updated. + # This value narrows the namespaces specified in the global `oom-detection.namespaces` one. + namespaces: [] + SkipVolumes: true + # oom-detection.resources -- Resources for the controller deployment + resources: + requests: + cpu: 100m + memory: 128Mi + # oom-detection.extraArgs -- Additional command-line flags for the controller. + extraArgs: [] + # - "-v2" + # oom-detection.containerSecurityContext -- The securityContext for the + # controller container. 
+ containerSecurityContext: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 1200 + runAsGroup: 1200 + capabilities: + drop: + - ALL + +# will only apply if `right-sizer.enabled` +right-sizer-vpa: + admissionController: + registerWebhook: true + recommender: + image: + # custom Fairwinds vpa-recommender image + repository: quay.io/fairwinds/vpa-recommender + tag: master + extraArgs: + use-insights-recommender: 'true' + recommender-interval: '1h' + metrics-server: + # metrics-server.enabled -- If true, the metrics-server will be installed as a sub-chart + enabled: false + apiService: + create: true falco: enabled: false
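Review bot: The new defaults in values.yaml point two images at tags that do not identify a fixed release: `tag: v0.0.2-dev` for `quay.io/fairwinds/insights-right-sizer` (pulled with `pullPolicy: Always`) and `tag: master` for the `right-sizer-vpa` recommender, which presumably tracks a branch. With these defaults the code running in the cluster can change without any chart change, and the recommender is deployed beside an admission controller with `registerWebhook: true`. Pin both to a released tag written as a quoted string, e.g. `tag: "<released-version>"`, or to an image digest, before this ships in the stable chart. The moved `tag: 0.5` under `oom-detection.image` is also an unquoted scalar that YAML parsers read as a float; `tag: "0.5"` keeps it a string.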