Merge pull request #175 from EcovadisCode/aksAdoAgentCleaner

Aks ado agent cleaner

Author: mskwierczynski982

.github/pull_request_template.md

@@ -12,6 +12,7 @@ Select the chart that you are modifying:
 - [ ] app-reverse-proxy
 - [ ] pact-broker
 - [ ] ado-build-agents
+- [ ] ado-agent-cleaner
 - [ ] event-worker
 
 ## Checklist

charts/ado-agent-cleaner/.helmignore

@@ -0,0 +1,5 @@
+apiVersion: v2
+description: Helper to clean up stale AKS Azure DevOps agents
+name: charts-ado-agent-cleaner
+version: 1.0.0
+appVersion: "1.0"

charts/ado-agent-cleaner/Chart.yaml

@@ -0,0 +1,32 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: aks-agent-cleaner
+  namespace: "{{ .Release.Namespace }}"
+spec:
+  schedule: "{{ .Values.cronSettings.schedule }}"
+  concurrencyPolicy: "{{ .Values.cronSettings.concurrencyPolicy }}"
+  successfulJobsHistoryLimit: {{ .Values.cronSettings.successfulJobsHistoryLimit }}
+  failedJobsHistoryLimit: {{ .Values.cronSettings.failedJobsHistoryLimit }}
+  jobTemplate:
+    spec:
+      activeDeadlineSeconds: {{ .Values.cronSettings.activeDeadlineSeconds }}
+      parallelism: {{ .Values.cronSettings.parallelism }}
+      template:
+        metadata:
+          labels:
+            azure.workload.identity/use: "true"
+        spec:
+          restartPolicy: Never
+          nodeSelector:
+            kubernetes.io/os: linux
+          resources:
+            {{  toYaml .Values.resources | nindent 14 }}
+          serviceAccountName: "svc-acc-{{ .Values.podName }}"
+          containers:
+          - name: agent-cleaner
+            image: "{{ .Values.imageName }}"
+            imagePullPolicy: IfNotPresent
+            env:
+              - name: AZP_URL
+                value: "{{ .Values.devopsOrgUrl }}"

charts/ado-agent-cleaner/templates/cronjob.yaml

@@ -0,0 +1,28 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: ado-agent-cleaner-role
+  namespace: "{{ .Release.Namespace }}"
+rules:
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list", "watch", "delete"]
+  - apiGroups: [""]
+    resources: ["pods/log"]
+    verbs: ["get"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "watch","list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: ado-agent-cleaner-binding
+  namespace: "{{ .Release.Namespace }}"
+subjects:
+  - kind: ServiceAccount
+    name: "svc-acc-{{ .Values.podName }}"
+roleRef:
+  kind: Role
+  name: ado-agent-cleaner-role
+  apiGroup: rbac.authorization.k8s.io

charts/ado-agent-cleaner/templates/role.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    azure.workload.identity/client-id: "{{ .Values.aadIdentity }}"
+    meta.helm.sh/release-name: "{{ .Release.Name }}"
+    meta.helm.sh/release-namespace: "{{ .Release.Namespace }}"
+  labels:
+    azure.workload.identity/use: "true"
+  name: "svc-acc-{{ .Values.podName }}"
+  namespace: "{{ .Release.Namespace }}"

charts/ado-agent-cleaner/templates/service-account.yaml

@@ -0,0 +1,26 @@
+# User Assigned Azure Identity ID with the permissions on Azure DevOps to read/cleanup agents
+aadIdentity: "xxx"
+# Azure DevOps Organization URL
+devopsOrgUrl: "https://dev.azure.com/org"
+# Name of the Pod and Service Account
+podName: agent-cleaner
+# Container Image Name for the Agent Cleaner
+imageName: aksagentcleaner:1.0.0
+
+# Settings specific for the CronJob
+cronSettings:
+  schedule: "*/30 * * * *"
+  successfulJobsHistoryLimit: 2
+  failedJobsHistoryLimit: 1
+  concurrencyPolicy: "Forbid"
+  parallelism: 1
+  activeDeadlineSeconds: 1200
+
+# Resource requests and limits for the Agent Cleaner container
+resources:
+  limits:
+    cpu: 100m
+    memory: 128Mi
+  requests:
+    cpu: 50m
+    memory: 64Mi