Refactor sts-resizer

Signed-off-by: Nicolas Bigler <nicolas.bigler@vshn.ch>
vshn · Nov 30, 2023 · f893a69 · f893a69
1 parent e15cf99
commit f893a69
Show file tree

Hide file tree

Showing 11 changed files with 222 additions and 104 deletions.
diff --git a/component/class/defaults.yml b/component/class/defaults.yml
@@ -134,6 +134,7 @@ parameters:
           memory: 200Mi
 
     stsResizer:
+      enabled: true
       resources:
         requests:
           cpu: 100m
@@ -303,6 +304,8 @@ parameters:
           smtpFromAddress: myuser@example.com
           secretNamespace: syn-appcat
           secretName: mailgun-smtp-credentials
+        stsResizer:
+          enabled: true
         postgres:
           # bucket_region: 'lpg' || 'ch-gva-2'
           bucket_region: ""
@@ -509,7 +512,6 @@ parameters:
             enabled: false
             restoreSA: mariadbrestoreserviceaccount
             restoreRoleRules: ${appcat:defaultRestoreRoleRules}
-            hasSts: true
             openshiftTemplate:
               serviceName: mariadbbyvshn
               description: "The open source relational database management system (DBMS) that is a compatible drop-in replacement for the widely used MySQL database technology"

diff --git a/component/component/statefuleset-resize-controller.jsonnet b/component/component/statefuleset-resize-controller.jsonnet
@@ -66,10 +66,47 @@ local deployment = loadManifest('config/manager/manager.yaml') + {
   },
 };
 
+local resizeServiceAccount = kube.ServiceAccount('sa-sts-deleter') + {
+  metadata+: {
+    namespace: params.services.controlNamespace,
+  },
+};
+
+local resizeClusterRole = kube.ClusterRole('appcat:job:resizejob') {
+  rules: [
+    {
+      apiGroups: [ 'helm.crossplane.io' ],
+      resources: [ 'releases' ],
+      verbs: [ 'get', 'list', 'watch', 'update', 'patch', 'create', 'delete' ],
+    },
+    {
+      apiGroups: [ 'apps' ],
+      resources: [ 'statefulsets' ],
+      verbs: [ 'delete', 'get', 'watch', 'list', 'update', 'patch' ],
+    },
+    {
+      apiGroups: [ 'helm.crossplane.io' ],
+      resources: [ 'releases' ],
+      verbs: [ 'update', 'get' ],
+    },
+    {
+      apiGroups: [ '' ],
+      resources: [ 'pods' ],
+      verbs: [ 'list', 'get', 'update', 'delete' ],
+    },
+  ],
+};
+
+local resizeClusterRoleBinding = kube.ClusterRoleBinding('appcat:job:resizejob') + {
+  roleRef_: resizeClusterRole,
+  subjects_: [ resizeServiceAccount ],
+};
+
 // Curently we only need this for redis.
-if params.services.vshn.enabled && params.services.vshn.redis.enabled then {
+if params.services.vshn.enabled && params.services.vshn.stsResizer.enabled then {
   'controllers/sts-resizer/10_role': role,
   'controllers/sts-resizer/10_sa': sa,
   'controllers/sts-resizer/10_binding': binding,
   'controllers/sts-resizer/10_deployment': deployment,
+  'controllers/sts-resizer/20_rbac_resize_job': [ resizeServiceAccount, resizeClusterRole, resizeClusterRoleBinding ],
 }
diff --git a/component/component/vshn_appcat_services.jsonnet b/component/component/vshn_appcat_services.jsonnet
@@ -51,42 +51,6 @@ local vshn_appcat_service(name) =
     subjects_: [ restoreServiceAccount ],
   };
 
-  local resizeServiceAccount = kube.ServiceAccount('sa-sts-deleter') + {
-    metadata+: {
-      namespace: params.services.controlNamespace,
-    },
-  };
-
-  local resizeClusterRole = kube.ClusterRole('appcat:job:' + name + ':resizejob') {
-    rules: [
-      {
-        apiGroups: [ 'helm.crossplane.io' ],
-        resources: [ 'releases' ],
-        verbs: [ 'get', 'list', 'watch', 'update', 'patch', 'create', 'delete' ],
-      },
-      {
-        apiGroups: [ 'apps' ],
-        resources: [ 'statefulsets' ],
-        verbs: [ 'delete', 'get', 'watch', 'list', 'update', 'patch' ],
-      },
-      {
-        apiGroups: [ 'helm.crossplane.io' ],
-        resources: [ 'releases' ],
-        verbs: [ 'update', 'get' ],
-      },
-      {
-        apiGroups: [ '' ],
-        resources: [ 'pods' ],
-        verbs: [ 'list', 'get', 'update', 'delete' ],
-      },
-    ],
-  };
-
-  local resizeClusterRoleBinding = kube.ClusterRoleBinding('appcat:job:' + name + ':resizejob') + {
-    roleRef_: resizeClusterRole,
-    subjects_: [ resizeServiceAccount ],
-  };
-
   local xrd = xrds.XRDFromCRD(
     'x' + serviceNamePlural + '.vshn.appcat.vshn.io',
     xrds.LoadCRD('vshn.appcat.vshn.io_' + serviceNamePlural + '.yaml', params.images.appcat.tag),
@@ -201,7 +165,6 @@ local vshn_appcat_service(name) =
     ['20_rbac_vshn_%s' % name]: xrds.CompositeClusterRoles(xrd),
     ['21_composition_vshn_%s' % name]: composition,
     ['20_role_vshn_%s_restore' % name]: [ restoreRole, restoreServiceAccount, restoreClusterRoleBinding ],
-    [if serviceParams.hasSts then '20_rbac_vshn_%s_resize' % name]: [ resizeClusterRole, resizeServiceAccount, resizeClusterRoleBinding ],
     ['20_plans_vshn_%s' % name]: plansCM,
     ['22_prom_rule_sla_%s' % name]: promRuleSLA,
     [if isOpenshift then '21_openshift_template_%s_vshn' % name]: osTemplate,

diff --git a/component/component/vshn_redis.jsonnet b/component/component/vshn_redis.jsonnet
@@ -101,42 +101,6 @@ local restoreClusterRoleBinding = kube.ClusterRoleBinding('appcat:job:redis:rest
   subjects_: [ restoreServiceAccount ],
 };
 
-local resizeServiceAccount = kube.ServiceAccount('sa-sts-deleter') + {
-  metadata+: {
-    namespace: params.services.controlNamespace,
-  },
-};
-
-local resizeClusterRole = kube.ClusterRole('appcat:job:redis:resizejob') {
-  rules: [
-    {
-      apiGroups: [ 'helm.crossplane.io' ],
-      resources: [ 'releases' ],
-      verbs: [ 'get', 'list', 'watch', 'update', 'patch', 'create', 'delete' ],
-    },
-    {
-      apiGroups: [ 'apps' ],
-      resources: [ 'statefulsets' ],
-      verbs: [ 'delete', 'get', 'watch', 'list', 'update', 'patch' ],
-    },
-    {
-      apiGroups: [ 'helm.crossplane.io' ],
-      resources: [ 'releases' ],
-      verbs: [ 'update', 'get' ],
-    },
-    {
-      apiGroups: [ '' ],
-      resources: [ 'pods' ],
-      verbs: [ 'list', 'get', 'update', 'delete' ],
-    },
-  ],
-};
-
-local resizeClusterRoleBinding = kube.ClusterRoleBinding('appcat:job:redis:resizejob') + {
-  roleRef_: resizeClusterRole,
-  subjects_: [ resizeServiceAccount ],
-};
-
 local composition =
   local namespace = comp.KubeObject('v1', 'Namespace') +
                     {
@@ -736,7 +700,6 @@ if params.services.vshn.enabled && redisParams.enabled then {
   '20_xrd_vshn_redis': xrd,
   '20_rbac_vshn_redis': xrds.CompositeClusterRoles(xrd),
   '20_role_vshn_redisrestore': [ restoreRole, restoreServiceAccount, restoreClusterRoleBinding ],
-  '20_rbac_vshn_redis_resize': [ resizeClusterRole, resizeServiceAccount, resizeClusterRoleBinding ],
   '20_plans_vshn_redis': plansCM,
   '21_composition_vshn_redis': composition,
   '22_prom_rule_sla_redis': promRuleRedisSLA,

diff --git a/component/tests/golden/minio/appcat/appcat/controllers/sts-resizer/10_binding.yaml b/component/tests/golden/minio/appcat/appcat/controllers/sts-resizer/10_binding.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: appcat:contoller:sts-resizer
+  namespace: syn-appcat
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: appcat:contoller:sts-resizer
+subjects:
+  - kind: ServiceAccount
+    name: sts-resizer
+    namespace: syn-appcat
diff --git a/component/tests/golden/minio/appcat/appcat/controllers/sts-resizer/10_deployment.yaml b/component/tests/golden/minio/appcat/appcat/controllers/sts-resizer/10_deployment.yaml
@@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    control-plane: controller-manager
+  name: sts-resizer
+  namespace: syn-appcat
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      control-plane: controller-manager
+  template:
+    metadata:
+      labels:
+        control-plane: controller-manager
+    spec:
+      containers:
+        - args:
+            - --inplace
+          image: quay.io/vshn/statefulset-resize-controller:v0.3.0
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 8081
+            initialDelaySeconds: 15
+            periodSeconds: 20
+          name: manager
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: 8081
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          resources:
+            limits:
+              cpu: 250m
+              memory: 200Mi
+            requests:
+              cpu: 100m
+              memory: 50Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+      securityContext:
+        runAsNonRoot: true
+      serviceAccountName: sts-resizer
+      terminationGracePeriodSeconds: 10
diff --git a/component/tests/golden/minio/appcat/appcat/controllers/sts-resizer/10_role.yaml b/component/tests/golden/minio/appcat/appcat/controllers/sts-resizer/10_role.yaml
@@ -0,0 +1,88 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: appcat:contoller:sts-resizer
+  namespace: syn-appcat
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - serviceaccounts
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - apps
+    resources:
+      - statefulsets
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - apps
+    resources:
+      - statefulsets/finalizers
+    verbs:
+      - update
+  - apiGroups:
+      - apps
+    resources:
+      - statefulsets/status
+    verbs:
+      - get
+      - patch
+      - update
+  - apiGroups:
+      - batch
+    resources:
+      - jobs
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - batch
+    resources:
+      - jobs/status
+    verbs:
+      - get
+      - patch
+      - update
+  - apiGroups:
+      - ''
+    resources:
+      - persistentvolumeclaims
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - rbac.authorization.k8s.io
+    resources:
+      - rolebindings
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
diff --git a/component/tests/golden/minio/appcat/appcat/controllers/sts-resizer/10_sa.yaml b/component/tests/golden/minio/appcat/appcat/controllers/sts-resizer/10_sa.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: sts-resizer
+  namespace: syn-appcat
diff --git a/...cat/appcat/20_rbac_vshn_redis_resize.yaml → ...llers/sts-resizer/20_rbac_resize_job.yaml b/...cat/appcat/20_rbac_vshn_redis_resize.yaml → ...llers/sts-resizer/20_rbac_resize_job.yaml
@@ -1,10 +1,19 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations: {}
+  labels:
+    name: sa-sts-deleter
+  name: sa-sts-deleter
+  namespace: syn-appcat-control
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   annotations: {}
   labels:
-    name: appcat-job-redis-resizejob
-  name: appcat:job:redis:resizejob
+    name: appcat-job-resizejob
+  name: appcat:job:resizejob
 rules:
   - apiGroups:
       - helm.crossplane.io
@@ -46,26 +55,17 @@ rules:
       - update
       - delete
 ---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  annotations: {}
-  labels:
-    name: sa-sts-deleter
-  name: sa-sts-deleter
-  namespace: syn-appcat-control
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   annotations: {}
   labels:
-    name: appcat-job-redis-resizejob
-  name: appcat:job:redis:resizejob
+    name: appcat-job-resizejob
+  name: appcat:job:resizejob
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: appcat:job:redis:resizejob
+  name: appcat:job:resizejob
 subjects:
   - kind: ServiceAccount
     name: sa-sts-deleter

diff --git a/component/tests/golden/minio/appcat/appcat/statefuleset-resize-controller.yaml b/component/tests/golden/minio/appcat/appcat/statefuleset-resize-controller.yaml