Merge pull request #12 from resurfaceio/feat/503-state

Feat/503 state
resurfaceio · Jun 3, 2024 · f254283 · f254283
2 parents 5b10f7c + 0fa981e
commit f254283
Show file tree

Hide file tree

Showing 9 changed files with 183 additions and 58 deletions.
diff --git a/helm/resurfaceio/resurface/templates/_helpers.tpl b/helm/resurfaceio/resurface/templates/_helpers.tpl
@@ -344,6 +344,34 @@ TLS helper
 {{ print $tlsMode }}
 {{- end -}}
 
+{{/*
+HAProxy errorfiles patcher job template
+*/}}
+{{- define "jobs.haproxy.errorfilePatcher.spec" -}}
+restartPolicy: Never
+serviceAccountName: {{ include "resurface.fullname" . | printf "%s-patcher-sa" }}
+securityContext:
+  runAsUser: 1000
+  runAsGroup: 1000
+  fsGroup: 1000
+tolerations:
+  {{- toYaml .Values.tolerations | nindent 2 }}
+containers:
+  - name: updater
+    image: jitesoft/kubectl
+    command:
+      - "/home/kube/scripts/patch.sh"
+    volumeMounts:
+      - name: script
+        mountPath: "/home/kube/scripts"
+        readOnly: true
+volumes:
+  - name: script
+    configMap:
+      name: haproxy-errorfiles-script
+      defaultMode: 0550
+{{- end -}}
+
 {{/*
 Coordinator config.properties
 */}}

diff --git a/helm/resurfaceio/resurface/templates/auth/authentication/sa.yaml b/helm/resurfaceio/resurface/templates/auth/authentication/sa.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "resurface.fullname" . | printf "%s-sa" }}
+  namespace: {{ .Release.Namespace }}
+{{- if default "" .Values.provider | ne "ibm-openshift" | and .Values.ingress.controller.enabled }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "resurface.fullname" . | printf "%s-patcher-sa" }}
+  namespace: {{ .Release.Namespace }}
+{{ end -}}
diff --git a/...urfaceio/resurface/templates/scc/crb.yaml → ...ace/templates/auth/authorization/crb.yaml b/...urfaceio/resurface/templates/scc/crb.yaml → ...ace/templates/auth/authorization/crb.yaml
@@ -2,7 +2,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ include "resurface.fullname" . | printf "%s-scc-binding" }}
+  name: {{ include "resurface.fullname" . | printf "%s-binding" }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -16,4 +16,4 @@ subjects:
     name: {{ .Values.minio.serviceAccount.name }}
     namespace: {{ .Release.Namespace }}
   {{- end }}
-{{- end -}}
+{{- end -}}
diff --git a/helm/resurfaceio/resurface/templates/auth/authorization/patcher-role.yaml b/helm/resurfaceio/resurface/templates/auth/authorization/patcher-role.yaml
@@ -0,0 +1,29 @@
+{{- if default "" .Values.provider | ne "ibm-openshift" | and .Values.ingress.controller.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: configmap-patcher
+rules:
+  - apiGroups: ["apps"]
+    resources: ["statefulsets", "deployments", "replicasets", "daemonsets"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: [""]
+    resources: ["nodes", "pods", "persistentvolumeclaims", "persistentvolumes", "services"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["get", "watch", "list", "patch"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: patcher-binding
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "resurface.fullname" . | printf "%s-patcher-sa" }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  apiGroup: rbac.authorization.k8s.io
+  name: configmap-patcher
+{{- end -}}
diff --git a/...urfaceio/resurface/templates/scc/scc.yaml → ...ace/templates/auth/authorization/scc.yaml b/...urfaceio/resurface/templates/scc/scc.yaml → ...ace/templates/auth/authorization/scc.yaml
diff --git a/...surfaceio/resurface/templates/config.yaml → ...o/resurface/templates/config/haproxy.yaml b/...surfaceio/resurface/templates/config.yaml → ...o/resurface/templates/config/haproxy.yaml
@@ -1,53 +1,15 @@
 {{- $tls := default "" .Values.provider | eq "ibm-openshift" | or .Values.ingress.tls.enabled | ternary ":ssl" "" -}}
-{{- $iss := lookup "v1" "Secret" .Release.Namespace "trino-iss" -}}
-{{- if empty $iss -}}
-{{- $iss = randAscii 32 | b64enc -}}
-{{- else -}}
-{{ $iss = $iss.data.iss }}
-{{- end }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: trino-iss
-  namespace: {{ .Release.Namespace }}
-type: Opaque
-data:
-  iss: {{ $iss }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: trino-coordinator-config
-  namespace: {{ .Release.Namespace }}
-data:
-  config.properties: |
-    {{- include "resurface.config.coordinator" . | nindent 4 }}
-    internal-communication.shared-secret={{ $iss }}
-{{- if and .Values.auth.enabled .Values.auth.basic.enabled }}
-  password-authenticator.properties: |
-    password-authenticator.name=file
-    file.password-file=etc/creds/password.db
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: trino-creds
-  namespace: {{ .Release.Namespace }}
-type: Opaque
-data:
-  password.db: {{ include "resurface.auth.creds" . }}
-{{ end }}
----
+{{- if default "" .Values.provider | ne "ibm-openshift" | and .Values.ingress.controller.enabled -}}
+{{- if and .Values.iceberg.enabled .Values.minio.enabled .Values.ingress.minio.expose }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: trino-worker-config
+  name: haproxy-extra-ports
   namespace: {{ .Release.Namespace }}
 data:
-  config.properties: |
-    {{- include "resurface.config.worker" . | nindent 4 }}
-    internal-communication.shared-secret={{ $iss }}
-{{- if default "" .Values.provider | ne "ibm-openshift" | and .Values.ingress.controller.enabled }}
+  {{ .Values.ingress.minio.port | default 9001 | int }}:
+    {{ index .Subcharts "minio" | include "minio.fullname" | printf "%s/%[4]s-console:%[2]s%[3]s" .Release.Namespace .Values.minio.consoleService.port $tls }}
+{{- end }}
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -78,20 +40,39 @@ data:
             Please, try again in a few minutes.
           </p>
           <p id="contact">
-            If this issue persists, please contact support at <a href="mailto:api-support@graylog.com">api-support@graylog.com</a>.
+            If this issue persists, please contact support at <a href="mailto:api-support@graylog.com?subject=Kubernetes%20error&body=My%20cluster%20won%27t%20start.%20Please%20help!%0A%0AMy%20license%3A%20%3CPaste%20your%20license%20here%3E%0A%0A---%20BEGIN%20CLUSTER%20INFO%20---%0A%0A!EMPTY!%0A%0A---%20END%20CLUSTER%20INFO%20---">api-support@graylog.com</a>.
           </p>
         <div>
       </body>
     </html>
-{{- if and .Values.iceberg.enabled .Values.minio.enabled .Values.ingress.minio.expose }}
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: haproxy-extra-ports
+  name: haproxy-errorfiles-script
   namespace: {{ .Release.Namespace }}
 data:
-  {{ .Values.ingress.minio.port | default 9001 | int }}:
-    {{ index .Subcharts "minio" | include "minio.fullname" | printf "%s/%[4]s-console:%[2]s%[3]s" .Release.Namespace .Values.minio.consoleService.port $tls }}
-{{- end }}
-{{- end }}
+  patch.sh: |-
+    #!/bin/ash
+    print_separator() {
+    N=30; SYM='='
+    SEP=$(printf '%0.s'$SYM $(seq 1 $N))
+    echo -e "${SEP}\n${SEP}\n $1 \n${SEP}\n${SEP}"
+    }
+    cd /home/kube
+    timeout 2m ash -c 'until kubectl get svc {{ index .Subcharts "kubernetes-ingress" | include "kubernetes-ingress.fullname" }} -n resurface --template "{{ "{{" }} range (index .status.loadBalancer.ingress 0) {{ "}}" }}{{ "{{" }} . {{ "}}" }}{{ "{{" }} end {{ "}}" }}" &> /dev/null; do sleep 10; done'
+    touch state
+    print_separator "nodes" >> state
+    kubectl describe nodes >> state
+    for i in pods sts pvc svc; do
+    print_separator "${i}" >> state
+    kubectl describe $i -n {{ .Release.Namespace }} >> state
+    done
+    print_separator "pv" >> state
+    kubectl describe pv >> state
+    ENCODED=$(tar c -z state | base64 -w 0)
+    echo -e "data:\n  \"503\": |-" > patch.yml
+    kubectl get cm haproxy-errorfiles --template '{{ "{{" }} index .data "503" {{ "}}" }}' | sed -e 's/^/    /g' >> patch.yml
+    sed -i -e "s|!EMPTY!|$ENCODED|g" patch.yml
+    kubectl patch configmap haproxy-errorfiles --patch-file patch.yml
+{{- end -}}
diff --git a/helm/resurfaceio/resurface/templates/config/trino.yaml b/helm/resurfaceio/resurface/templates/config/trino.yaml
@@ -0,0 +1,48 @@
+{{- $iss := lookup "v1" "Secret" .Release.Namespace "trino-iss" -}}
+{{- if empty $iss -}}
+  {{- $iss = randAscii 32 | b64enc -}}
+{{- else -}}
+  {{ $iss = $iss.data.iss }}
+{{- end }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: trino-iss
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+  iss: {{ $iss }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: trino-coordinator-config
+  namespace: {{ .Release.Namespace }}
+data:
+  config.properties: |
+    {{- include "resurface.config.coordinator" . | nindent 4 }}
+    internal-communication.shared-secret={{ $iss }}
+{{- if and .Values.auth.enabled .Values.auth.basic.enabled }}
+  password-authenticator.properties: |
+    password-authenticator.name=file
+    file.password-file=etc/creds/password.db
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: trino-creds
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+  password.db: {{ include "resurface.auth.creds" . }}
+{{ end }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: trino-worker-config
+  namespace: {{ .Release.Namespace }}
+data:
+  config.properties: |
+    {{- include "resurface.config.worker" . | nindent 4 }}
+    internal-communication.shared-secret={{ $iss }}
diff --git a/helm/resurfaceio/resurface/templates/jobs/file-patcher.yaml b/helm/resurfaceio/resurface/templates/jobs/file-patcher.yaml
@@ -0,0 +1,31 @@
+{{- if default "" .Values.provider | ne "ibm-openshift" | and .Values.ingress.controller.enabled -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ index .Subcharts "kubernetes-ingress" | include "kubernetes-ingress.fullname" | printf "%s-file-patcher-job" }}
+  labels:
+    {{- include "resurface.labels" . | nindent 4 }}
+spec:
+  ttlSecondsAfterFinished: 10
+  template:
+    metadata:
+      annotations:
+        "helm.sh/hook": post-install,post-upgrade
+    spec:
+      {{- include "jobs.haproxy.errorfilePatcher.spec" . | nindent 6 }}
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: {{ index .Subcharts "kubernetes-ingress" | include "kubernetes-ingress.fullname" | printf "%s-file-patcher" }}
+  labels:
+    {{- include "resurface.labels" . | nindent 4 }}
+spec:
+  successfulJobsHistoryLimit: 1
+  schedule: "0 * * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          {{- include "jobs.haproxy.errorfilePatcher.spec" . | nindent 10 }}
+{{- end -}}
diff --git a/helm/resurfaceio/resurface/templates/sa.yaml b/helm/resurfaceio/resurface/templates/sa.yaml