upkeep: migrert canary hit

Levde før i helm-charts repoet, med manuell oppdatering av image.

Author: Kyrremann

.github/workflows/master.yaml

@@ -26,13 +26,15 @@ jobs:
           - hookd
           - deploy
           - deployd
-          - canary-deployer
+          - deploy-canary
           - deploy-action
         include:
           - component: hookd
             chart: true
           - component: deployd
             chart: true
+          - component: deploy-canary
+            chart: true
     steps:
       - uses: actions/checkout@v4 # ratchet:exclude
       - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # ratchet:azure/setup-helm@v3

charts/deploy-canary/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/deploy-canary/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+name: deploy-canary
+sources:
+  - https://github.com/nais/helm-charts/tree/main/features/deploy-canary
+description: Canary component of the nais deploy system
+type: application
+version: 0.1.2

charts/deploy-canary/Feature.yaml

@@ -0,0 +1,38 @@
+dependencies:
+  - allOf:
+      - hookd
+      - nais-verification
+environmentKinds:
+  - management
+values:
+  ignoredClusters:
+    config:
+      type: string_array
+  clusters:
+    description: List of clusters to deploy the canary image into
+    computed:
+      template: |
+        {{- $ignored := .Configs.ignoredClusters}}
+        {{- range eachOf .Envs "name" }}
+          {{- if not (has . $ignored) }}
+          - {{ . }}
+          {{- end }}
+        {{- end }}
+  deploy_server:
+    description: Deploy server host:port pair
+    displayName: Deploy server
+    computed:
+      template: '"{{ subdomain . "deploy" }}:443"'
+  image.imagePullPolicy:
+    config:
+      type: string
+  image.repository:
+    config:
+      type: string
+  image.tag:
+    config:
+      type: string
+  timeout:
+    description: How much time the deploy system is allowed to use per deploy
+    config:
+      type: string

charts/deploy-canary/templates/NOTES.txt

@@ -0,0 +1,3 @@
+Canary deployer is a CronJob that tries to use NAIS deploy to deploy a canary image to a set of clusters.
+
+The monitoring system reads metrics from the canary image, and can tell if the deploy system is lagging.

charts/deploy-canary/templates/_helpers.tpl

@@ -0,0 +1,60 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "deploycanary.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "deploycanary.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "deploycanary.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "deploycanary.labels" -}}
+app: {{ include "deploycanary.name" . }}
+helm.sh/chart: {{ include "deploycanary.chart" . }}
+{{ include "deploycanary.selectorLabels" . }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "deploycanary.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "deploycanary.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "deploycanary.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "deploycanary.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

charts/deploy-canary/templates/cronjob.yaml

@@ -0,0 +1,69 @@
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: {{ include "deploycanary.name" . }}
+  labels:
+    {{- include "deploycanary.labels" . | nindent 4 }}
+spec:
+  schedule: "*/5 * * * *"
+  startingDeadlineSeconds: 600
+  successfulJobsHistoryLimit: 1
+  suspend: false
+  concurrencyPolicy: Forbid
+  failedJobsHistoryLimit: 1
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          annotations:
+            linkerd.io/inject: disabled
+          labels:
+            app: canary-deployer
+        spec:
+          volumes:
+            - name: tmp
+              emptyDir:
+                medium: Memory
+          {{- with .Values.imagePullSecrets }}
+          imagePullSecrets:
+            {{- toYaml . | nindent 8 }}
+          {{- end }}
+          restartPolicy: Never
+          securityContext:
+            seccompProfile:
+              type: RuntimeDefault
+            runAsUser: 65534
+            runAsNonRoot: true
+            runAsGroup: 65534
+            fsGroup: 65534
+          containers:
+          - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+            imagePullPolicy: {{ .Values.image.pullPolicy }}
+            name: canary-deployer
+            securityContext:
+              capabilities:
+                drop:
+                  - ALL
+              seccompProfile:
+                type: RuntimeDefault
+              allowPrivilegeEscalation: false
+              readOnlyRootFilesystem: true
+            env:
+              - name: DEPLOY_SERVER
+                value: {{ .Values.deploy_server }}
+              - name: CLUSTERS
+                value: {{ join " " .Values.clusters }}
+              - name: NAMESPACE
+                value: {{ .Values.namespace }}
+              - name: TIMEOUT
+                value: {{ .Values.timeout }}
+              - name: APIKEY
+                valueFrom:
+                  secretKeyRef:
+                    name: nais-verification-deploy-key
+                    key: DEPLOY_API_KEY
+            volumeMounts:
+            - name: tmp
+              mountPath: /tmp
+              readOnly: false

charts/deploy-canary/templates/fqdn-netpol.yaml

@@ -0,0 +1,21 @@
+{{- if .Capabilities.APIVersions.Has "networking.gke.io/v1alpha3" }}
+apiVersion: networking.gke.io/v1alpha3
+kind: FQDNNetworkPolicy
+metadata:
+  name: {{ .Release.Name }}-fqdn
+  annotations:
+    fqdnnetworkpolicies.networking.gke.io/aaaa-lookups: "skip"
+spec:
+  egress:
+    - to:
+      - fqdns:
+        - {{ (split ":" .Values.deploy_server)._0 }}
+      ports:
+      - port: {{ (split ":" .Values.deploy_server)._1 }}
+        protocol: TCP
+  podSelector:
+    matchLabels:
+      app: canary-deployer
+  policyTypes:
+  - Egress
+{{- end }}

charts/deploy-canary/values.yaml

@@ -0,0 +1,23 @@
+# Default values for deploy-canary.
+
+imagePullSecrets: []
+
+# ignored clusters, used by fasit template
+ignoredClusters: []
+
+# list of cluster ids that canary should deploy to.
+clusters:
+  - foo
+  - bar
+
+image:
+  repository: "europe-north1-docker.pkg.dev/nais-io/nais/images/canary-deployer"
+  tag: "2024-06-17-122647-049ad8a"
+  pullPolicy: IfNotPresent
+
+deploy_server: deploy.dev-nais.cloud.nais.io:443
+
+namespace: nais-verification
+
+# How much time is the deploy system allowed to use for deploying?
+timeout: 15s