Initial aws test

Signed-off-by: Nicolas Bigler <nicolas.bigler@vshn.ch>
vshn · Nov 2, 2023 · 3300fbf · 3300fbf
1 parent ed76643
commit 3300fbf
Show file tree

Hide file tree

Showing 26 changed files with 845 additions and 3 deletions.
diff --git a/component/.cruft.json b/component/.cruft.json
@@ -1,13 +1,13 @@
 {
   "template": "https://github.com/projectsyn/commodore-component-template.git",
-  "commit": "f3e9e403454f4f46a18608d0e4d2c2c96b593d3b",
+  "commit": "913f9693b1c2be92ecaee469fd0fa1bd608f7aaa",
   "checkout": "main",
   "context": {
     "cookiecutter": {
       "name": "AppCat",
       "slug": "appcat",
       "parameter_key": "appcat",
-      "test_cases": "defaults exoscale cloudscale openshift vshn apiserver controllers minio",
+      "test_cases": "defaults exoscale cloudscale openshift vshn apiserver controllers minio aws",
       "add_lib": "n",
       "add_pp": "n",
       "add_golden": "y",

diff --git a/component/.github/workflows/test.yaml b/component/.github/workflows/test.yaml
@@ -40,6 +40,7 @@ jobs:
           - apiserver
           - controllers
           - minio
+          - aws
     defaults:
       run:
         working-directory: ${{ env.COMPONENT_NAME }}
@@ -62,6 +63,7 @@ jobs:
           - apiserver
           - controllers
           - minio
+          - aws
     defaults:
       run:
         working-directory: ${{ env.COMPONENT_NAME }}

diff --git a/component/.yamllint.yml b/component/.yamllint.yml
@@ -6,6 +6,16 @@ rules:
     max: 80
     level: warning
 
+  # Forbid octal literals until we've fully migrated to reclass-rs
+  octal-values:
+    forbid-implicit-octal: true
+    forbid-explicit-octal: true
+
+  # Restrict truthy values to set which is parsed as boolean by reclass-rs
+  truthy:
+    allowed-values: ['true', 'false', 'True', 'False', 'TRUE', 'FALSE']
+    check-keys: true
+
 ignore: |
   component/dependencies/
   component/helmcharts/

diff --git a/component/Makefile.vars.mk b/component/Makefile.vars.mk
@@ -46,4 +46,4 @@ KUBENT_IMAGE    ?= ghcr.io/doitintl/kube-no-trouble:latest
 KUBENT_DOCKER   ?= $(DOCKER_CMD) $(DOCKER_ARGS) $(root_volume) --entrypoint=/app/kubent $(KUBENT_IMAGE)
 
 instance ?= defaults
-test_instances = tests/defaults.yml tests/exoscale.yml tests/cloudscale.yml tests/openshift.yml tests/vshn.yml tests/apiserver.yml tests/controllers.yml tests/minio.yml
+test_instances = tests/defaults.yml tests/exoscale.yml tests/cloudscale.yml tests/openshift.yml tests/vshn.yml tests/apiserver.yml tests/controllers.yml tests/minio.yml tests/aws.yml
diff --git a/component/class/defaults.yml b/component/class/defaults.yml
@@ -28,6 +28,10 @@ parameters:
         registry: ghcr.io
         repository: vshn/provider-minio/provider
         tag: v0.1.0
+      provider-aws:
+        registry: xpkg.upbound.io
+        repository: upbound/provider-aws
+        tag: 0.43.0
       sloth:
         registry: ghcr.io
         image: slok/sloth
@@ -197,6 +201,16 @@ parameters:
         controllerConfig: {}
         providerConfig: {}
 
+      aws:
+        enabled: false
+        namespace: ${crossplane:namespace}
+        spec:
+          package: ${appcat:images:provider-aws:registry}/${appcat:images:provider-aws:repository}:${appcat:images:provider-aws:tag}
+        controllerConfig:
+          serviceAccountName: provider-aws
+          roleArn: "? {vaultkv:${cluster:tenant}/${cluster:name}/appcat/provider-aws/role-arn}"
+        providerConfig: {}
+
       kubernetes:
         enabled: false
         namespace: ${crossplane:namespace}
@@ -429,6 +443,13 @@ parameters:
                 disk: 50Gi
           instances: []
 
+      # Config for AWS composites
+      aws:
+        enabled: false
+        secretNamespace: ${crossplane:namespace}
+        rds:
+          enabled: true
+
       # Config for exoscale composites
       exoscale:
         enabled: false

diff --git a/component/component/provider.jsonnet b/component/component/provider.jsonnet
@@ -109,6 +109,43 @@ local controllerConfigRef(config) =
       providerSecret(provider.credentials),
       kube.Namespace(provider.connectionSecretNamespace),
     ],
+  [if params.providers.aws.enabled then '10_provider_aws']:
+    local provider = params.providers.aws;
+
+    local sa = kube.ServiceAccount(provider.controllerConfig.serviceAccountName) {
+      metadata+: {
+        namespace: provider.namespace,
+        annotations: {
+          'eks.amazonaws.com/role-arn': provider.controllerConfig.roleArn,
+        },
+      },
+    };  
+    local controllerConf = [
+      crossplane.ControllerConfig('aws') {
+        metadata+: {
+          annotations: {
+            'eks.amazonaws.com/role-arn': provider.controllerConfig.roleArn,
+          },
+        },
+      }
+    ];
+    [
+      crossplane.Provider('aws') {
+        spec+: provider.spec + controllerConfigRef(controllerConf),
+      },
+      crossplane.ProviderConfig('aws') {
+        apiVersion: 'aws.upbound.io/v1beta1',
+        spec+: addCredentials(
+          provider.providerConfig,
+          {
+            source: 'IRSA',
+          }
+        ),
+      },
+      sa,
+    ]
+    +
+    controllerConf,
   [if params.providers.kubernetes.enabled then '10_provider_kubernetes']:
     local provider = params.providers.kubernetes;
 

diff --git a/component/tests/aws.yml b/component/tests/aws.yml
@@ -0,0 +1,25 @@
+parameters:
+  kapitan:
+    dependencies:
+      - type: https
+        source: https://raw.githubusercontent.com/projectsyn/component-crossplane/v2.3.0/lib/crossplane.libsonnet
+        output_path: vendor/lib/crossplane.libsonnet
+
+  crossplane:
+    namespace: syn-crossplane
+  appcat:
+    providers:
+      kubernetes:
+        enabled: true
+      aws:
+        enabled: true
+        controllerConfig:
+          roleArn: arn:aws:iam::123456789012:role/role-name
+    services:
+      generic:
+        objectstorage:
+          enabled: false
+      vshn:
+        enabled: false
+      aws:
+        enabled: true
diff --git a/component/tests/golden/aws/appcat/appcat/10_appcat_billing_recording_rule.yaml b/component/tests/golden/aws/appcat/appcat/10_appcat_billing_recording_rule.yaml
@@ -0,0 +1,85 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  annotations: {}
+  labels:
+    name: appcat-billing
+  name: appcat-billing
+  namespace: syn-appcat
+spec:
+  groups:
+    - name: appcat-billing-rules
+      rules:
+        - expr: |
+            sum by (label_appcat_vshn_io_claim_namespace,label_appcat_vshn_io_sla,product,provider,architecture, category, claim_namespace,tenant_id) (
+            # Sum values over one hour and get mean
+            sum_over_time(
+              # Udpate label product: $product:$provider:$tenant_id:$claim_namespace:$architecture
+              label_join(
+                # Add label category: $provider:$claim_namespace
+                label_join(
+                  # Add label architecture: $SLA, where $SLA is the content of label appcat.vshn.io/sla
+                  label_replace(
+                    # Add label provider: vshn
+                    label_replace(
+                      # Add label product: postgres
+                      label_replace(
+                        # Default appcat.vshn.io/sla to besteffort if it is not set
+                        label_replace(
+                          # Copy label appcat.vshn.io/namespace to label claim_namespace
+                          label_replace(
+                            # Populate tenant_id
+                            label_replace(
+                              # Fetch all namespaces with label label_appuio_io_billing_name=~"appcat-.+"
+                              kube_namespace_labels{ label_appuio_io_billing_name=~"appcat-.+"} *
+                              on (namespace) group_right(label_appuio_io_organization,label_appcat_vshn_io_claim_namespace,label_appcat_vshn_io_sla, label_appuio_io_billing_name)
+                              kube_pod_info{created_by_kind!="Job"},
+                              "tenant_id",
+            "t-silent-test-1234",
+            "",
+            ""
+
+                            ),
+                            "claim_namespace",
+                            "$1",
+                            "label_appcat_vshn_io_claim_namespace",
+                            "(.*)"
+                          ),
+                          "label_appcat_vshn_io_sla",
+                          "besteffort",
+                          "label_appcat_vshn_io_sla",
+                          "^$"
+                        ),
+                        "product",
+                        "appcat_$1",
+                        "label_appuio_io_billing_name",
+                        "appcat-(.+)"
+                      ),
+                      "provider",
+                      "vshn",
+                      "",
+                      ""
+                    ),
+                    "sla",
+                    "$1",
+                    "label_appcat_vshn_io_sla",
+                    "(.*)"
+                  ),
+                  "category",
+                  ":",
+                  "provider",
+                  "claim_namespace"
+                ),
+                "product",
+                ":",
+                "product",
+                "provider",
+                "tenant_id",
+                "claim_namespace",
+                "sla"
+              # other billing queries have [59m:1m] here. This is due to some
+              # obscure discrepancies between how the cloud-reporting evaluates the query
+              # and how the GUI/recording rules evaluate the query.
+              )[60m:1m]
+            )/60 )
+          record: appcat:billing
diff --git a/component/tests/golden/aws/appcat/appcat/10_appcat_maintenance_recording_rule.yaml b/component/tests/golden/aws/appcat/appcat/10_appcat_maintenance_recording_rule.yaml
@@ -0,0 +1,15 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  annotations: {}
+  labels:
+    name: appcat-maintenance
+  name: appcat-maintenance
+  namespace: syn-appcat
+spec:
+  groups:
+    - name: appcat-cluster-maintenance
+      rules:
+        - expr: max(max_over_time(openshift_upgrade_controller_upgradejob_state{state="active"}[10m]))
+            or vector(0)
+          record: appcat:cluster:maintenance
diff --git a/component/tests/golden/aws/appcat/appcat/10_appcat_namespace.yaml b/component/tests/golden/aws/appcat/appcat/10_appcat_namespace.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  annotations: {}
+  labels:
+    name: syn-appcat
+    openshift.io/cluster-monitoring: 'true'
+  name: syn-appcat
diff --git a/component/tests/golden/aws/appcat/appcat/10_clusterrole_services_read.yaml b/component/tests/golden/aws/appcat/appcat/10_clusterrole_services_read.yaml
@@ -0,0 +1,44 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations: {}
+  labels:
+    name: appcat-services-read
+  name: appcat:services:read
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - pods
+      - pods/log
+      - pods/status
+      - events
+      - services
+      - namespaces
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - apps
+    resources:
+      - statefulsets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ''
+    resources:
+      - pods/portforward
+    verbs:
+      - get
+      - list
+      - create
+  - apiGroups:
+      - ''
+      - project.openshift.io
+    resources:
+      - projects
+    verbs:
+      - get
diff --git a/component/tests/golden/aws/appcat/appcat/10_clusterrole_view.yaml b/component/tests/golden/aws/appcat/appcat/10_clusterrole_view.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations: {}
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: 'true'
+    rbac.authorization.k8s.io/aggregate-to-edit: 'true'
+    rbac.authorization.k8s.io/aggregate-to-view: 'true'
+  name: appcat:browse
+rules:
+  - apiGroups:
+      - apiextensions.crossplane.io
+    resources:
+      - compositions
+      - compositionrevisions
+      - compositeresourcedefinitions
+    verbs:
+      - get
+      - list
+      - watch
diff --git a/component/tests/golden/aws/appcat/appcat/10_provider_aws.yaml b/component/tests/golden/aws/appcat/appcat/10_provider_aws.yaml
@@ -0,0 +1,45 @@
+apiVersion: pkg.crossplane.io/v1
+kind: Provider
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+    argocd.argoproj.io/sync-wave: '10'
+  labels:
+    name: aws
+  name: aws
+spec:
+  controllerConfigRef:
+    name: aws
+  package: xpkg.upbound.io/upbound/provider-aws:0.43.0
+---
+apiVersion: aws.upbound.io/v1beta1
+kind: ProviderConfig
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+    argocd.argoproj.io/sync-wave: '10'
+  labels:
+    name: aws
+  name: aws
+spec:
+  credentials:
+    source: IRSA
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/role-name
+  labels:
+    name: provider-aws
+  name: provider-aws
+  namespace: syn-crossplane
+---
+apiVersion: pkg.crossplane.io/v1alpha1
+kind: ControllerConfig
+metadata:
+  annotations:
+    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/role-name
+  labels:
+    name: aws
+  name: aws