feat(app-proxy): add leader election (#621)

Author: mikhail-klimko

charts/gitops-runtime/templates/_components/cap-app-proxy/_deployment.yaml

@@ -1,4 +1,5 @@
 {{- define "cap-app-proxy.resources.deployment" }}
+{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -86,6 +87,60 @@ spec:
         - mountPath: /app/config/all
           name: all-certs
           readOnly: true
+      {{- if gt (int .Values.replicaCount) 1 }}
+      - name: leader-elector
+        image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" (index .Values "leader-elector" "image") "context" .) }}
+        imagePullPolicy: {{ index .Values "leader-elector" "image" "pullPolicy" | default "IfNotPresent" }}
+        command:
+          - leader-elector
+        args:
+          - --id=$(POD_NAME)
+          - --lease-name=$(LEASE_NAME)
+          - --namespace=$(NAMESPACE)
+          - --lease-duration=$(LEASE_DURATION)
+          - --lease-renew-duration=$(LEASE_RENEW_DURATION)
+        env:
+          - name: NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name
+          - name: LEASE_NAME
+            value: cap-app-proxy
+          - name: LEASE_DURATION
+            value: 10s
+          - name: LEASE_RENEW_DURATION
+            value: 5s
+        {{- with index .Values "leader-elector" "containerSecurityContext" }}
+        securityContext:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 4040
+          initialDelaySeconds: {{ index .Values "leader-elector" "livenessProbe" "initialDelaySeconds" }}
+          periodSeconds: {{ index .Values "leader-elector" "livenessProbe" "periodSeconds" }}
+          timeoutSeconds: {{ index .Values "leader-elector" "livenessProbe" "timeoutSeconds" }}
+          successThreshold: {{ index .Values "leader-elector" "livenessProbe" "successThreshold" }}
+          failureThreshold: {{ index .Values "leader-elector" "livenessProbe" "failureThreshold" }}
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: 4040
+          initialDelaySeconds: {{ index .Values "leader-elector" "readinessProbe" "initialDelaySeconds" }}
+          periodSeconds: {{ index .Values "leader-elector" "readinessProbe" "periodSeconds" }}
+          timeoutSeconds: {{ index .Values "leader-elector" "readinessProbe" "timeoutSeconds" }}
+          successThreshold: {{ index .Values "leader-elector" "readinessProbe" "successThreshold" }}
+          failureThreshold: {{ index .Values "leader-elector" "readinessProbe" "failureThreshold" }}
+        {{- with index .Values "leader-elector" "resources" }}
+        resources:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+      {{- end }}
       {{- with .Values.nodeSelector | default .Values.global.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -98,6 +153,9 @@ spec:
       tolerations:
         {{- toYaml . | nindent 6 }}
       {{- end }}
+      {{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints: {{- include (printf "%s.tplrender" $cfCommonTplSemver ) (dict "Values" . "context" .) | nindent 8 }}
+      {{- end }}
       volumes:
       {{- with .Values.extraVolumes }}
           {{- toYaml . | nindent 6 }}

charts/gitops-runtime/templates/_components/cap-app-proxy/_rbac.yaml

@@ -52,6 +52,25 @@ rules:
   - update
   - delete
   - patch
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

charts/gitops-runtime/templates/_components/cap-app-proxy/environment-variables/_main-container.yaml

@@ -211,6 +211,12 @@ IRW_JIRA_ENRICHMENT_TASK_IMAGE:
       key: enrichmentJiraEnrichmentImage
       optional: true
 NODE_EXTRA_CA_CERTS: /app/config/all/all.cer
+{{- if gt (int .Values.replicaCount) 1 }}
+LEADER_ID:
+  valueFrom:
+    fieldRef:
+      fieldPath: metadata.name
+{{- end }}
 {{ include "codefresh-gitops-runtime.get-proxy-env-vars" . }}
 {{- end -}}
 

charts/gitops-runtime/templates/_components/gitops-operator/_deployment.yaml

@@ -99,27 +99,30 @@ spec:
       {{- with .Values.affinity }}
       affinity: {{ toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints: {{- include (printf "%s.tplrender" $cfCommonTplSemver ) (dict "Values" . "context" .) | nindent 8 }}
+      {{- end }}
       volumes:
-       - name: tls-certs
-         configMap:
-           name: argocd-tls-certs-cm
-       - name: argocd-repo-server-tls
-         secret:
-           secretName: argocd-repo-server-tls
-           optional: true
-           items:
-           - key: tls.crt
-             path: tls.crt
-           - key: tls.key
-             path: tls.key
-           - key: ca.crt
-             path: ca.crt
-       {{- if .Values.global.codefresh.tls.caCerts.secretKeyRef }}
-       - name: codefresh-tls
-         secret:
-           secretName: {{ .Values.global.codefresh.tls.caCerts.secretKeyRef.name }}
-       {{- end }}
-       {{- with .Values.extraVolumes }}
-           {{- toYaml . | nindent 6 }}
-       {{- end }}
+        - name: tls-certs
+          configMap:
+            name: argocd-tls-certs-cm
+        - name: argocd-repo-server-tls
+          secret:
+            secretName: argocd-repo-server-tls
+            optional: true
+            items:
+            - key: tls.crt
+              path: tls.crt
+            - key: tls.key
+              path: tls.key
+            - key: ca.crt
+              path: ca.crt
+        {{- if .Values.global.codefresh.tls.caCerts.secretKeyRef }}
+        - name: codefresh-tls
+          secret:
+            secretName: {{ .Values.global.codefresh.tls.caCerts.secretKeyRef.name }}
+        {{- end }}
+        {{- with .Values.extraVolumes }}
+            {{- toYaml . | nindent 6 }}
+        {{- end }}
 {{- end }}

charts/gitops-runtime/templates/_components/gitops-operator/_pdb.yaml

@@ -0,0 +1,21 @@
+{{- define "gitops-operator.resources.pdb" }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "gitops-operator.fullname" . }}
+  labels:
+    {{- include "gitops-operator.labels" . | nindent 4 }}
+spec:
+{{- if or .Values.pdb.minAvailable .Values.pdb.maxUnavailable }}
+  {{- with .Values.pdb.minAvailable }}
+  minAvailable: {{ . }}
+  {{- end }}
+  {{- with .Values.pdb.maxUnavailable }}
+  maxUnavailable: {{ . }}
+  {{- end }}
+{{- else }}
+  {{- fail (printf "ERROR: pdb.minAvailable or pdb.maxUnavailable is required!" ) }}
+{{- end }}
+  selector:
+    matchLabels: {{- include "gitops-operator.selectorLabels" . | nindent 6 }}
+{{- end }}

charts/gitops-runtime/templates/_components/internal-router/_deployment.yaml

@@ -1,4 +1,5 @@
 {{- define "internal-router.resources.deployment" }}
+{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -82,4 +83,7 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints: {{- include (printf "%s.tplrender" $cfCommonTplSemver ) (dict "Values" . "context" .) | nindent 8 }}
+      {{- end }}
 {{- end }}

charts/gitops-runtime/templates/gitops-operator/pdb.yaml

@@ -0,0 +1,7 @@
+{{- $gitopsOperatorContext := deepCopy . }}
+{{- $_ := set $gitopsOperatorContext "Values" (deepCopy (get .Values "gitops-operator")) }}
+{{- $_ := set $gitopsOperatorContext.Values "global" (deepCopy (get .Values "global")) }}
+
+{{- if $gitopsOperatorContext.Values.pdb.enabled }}
+{{- include "gitops-operator.resources.pdb" $gitopsOperatorContext }}
+{{- end }}

charts/gitops-runtime/tests/app-proxy-misc_test.yaml

@@ -1,3 +1,4 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
 suite: misc tests on app-proxy templates generation
 templates:
   - app-proxy/deployment.yaml
@@ -266,3 +267,31 @@ tests:
       content:
         name: HTTPS_PROXY
         value: proxys.example.com
+
+- it: app-proxy should have leader-elector container if replicaCount > 1
+  template: 'app-proxy/deployment.yaml'
+  values:
+  - ./values/mandatory-values.yaml
+  set:
+    app-proxy.replicaCount: 2
+  asserts:
+  - lengthEqual:
+      path: spec.template.spec.containers
+      count: 2
+  - equal:
+      path: spec.template.spec.containers[1].name
+      value: leader-elector
+
+- it: app-proxy should not have leader-elector container if replicaCount = 1
+  template: 'app-proxy/deployment.yaml'
+  values:
+  - ./values/mandatory-values.yaml
+  set:
+    app-proxy.replicaCount: 1
+  asserts:
+  - lengthEqual:
+      path: spec.template.spec.containers
+      count: 1
+  - equal:
+      path: spec.template.spec.containers[0].name
+      value: cap-app-proxy

charts/gitops-runtime/values-ha.yaml

@@ -0,0 +1,137 @@
+global:
+  topologySpreadConstraints:
+    - maxSkew: 1
+      topologyKey: kubernetes.io/hostname
+      whenUnsatisfiable: DoNotSchedule
+
+app-proxy:
+  # -- Set to 1 until https://codefresh-io.atlassian.net/browse/CR-29338 is resolved
+  replicaCount: 1
+  pdb:
+    enabled: true
+    minAvailable: 1
+  topologySpreadConstraints:
+    - maxSkew: 1
+      topologyKey: kubernetes.io/hostname
+      whenUnsatisfiable: DoNotSchedule
+      labelSelector:
+        matchLabels:
+          app: cap-app-proxy
+
+gitops-operator:
+  replicaCount: 2
+  pdb:
+    enabled: true
+    minAvailable: 1
+  topologySpreadConstraints:
+    - maxSkew: 1
+      topologyKey: kubernetes.io/hostname
+      whenUnsatisfiable: DoNotSchedule
+      labelSelector:
+        matchLabels:
+          app: gitops-operator
+
+internal-router:
+  replicaCount: 2
+  pdb:
+    enabled: true
+    minAvailable: 1
+  topologySpreadConstraints:
+    - maxSkew: 1
+      topologyKey: kubernetes.io/hostname
+      whenUnsatisfiable: DoNotSchedule
+      labelSelector:
+        matchLabels:
+          app: internal-router
+
+cf-argocd-extras:
+  sourcesServer:
+    hpa:
+      enabled: true
+      minReplicas: 2
+    pdb:
+      enabled: true
+      minAvailable: 1
+    topologySpreadConstraints:
+      - maxSkew: 1
+        topologyKey: kubernetes.io/hostname
+        whenUnsatisfiable: DoNotSchedule
+        labelSelector:
+          matchLabels:
+            app.kubernetes.io/component: sources-server
+  eventReporter:
+    topologySpreadConstraints:
+      - maxSkew: 1
+        topologyKey: kubernetes.io/hostname
+        whenUnsatisfiable: DoNotSchedule
+        labelSelector:
+          matchLabels:
+            app.kubernetes.io/component: event-reporter
+
+argo-cd:
+  redis-ha:
+    enabled: true
+
+  controller:
+    replicas: 1
+
+  server:
+    autoscaling:
+      enabled: true
+      minReplicas: 2
+    pdb:
+      enabled: true
+      minAvailable: 1
+
+  repoServer:
+    autoscaling:
+      enabled: true
+      minReplicas: 2
+    pdb:
+      enabled: true
+      minAvailable: 1
+
+  applicationSet:
+    replicas: 2
+
+argo-workflows:
+  controller:
+    replicas: 2
+    pdb:
+      enabled: true
+      minAvailable: 1
+  server:
+    autoscaling:
+      enabled: true
+      minReplicas: 2
+    pdb:
+      enabled: true
+      minAvailable: 1
+
+event-reporters:
+  workflow:
+    sensor:
+      replicas: 2
+      affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            - labelSelector:
+                matchExpressions:
+                  - key: sensor-name
+                    operator: In
+                    values:
+                      - workflow-reporter
+              topologyKey: "kubernetes.io/hostname"
+  rollout:
+    sensor:
+      replicas: 2
+      affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            - labelSelector:
+                matchExpressions:
+                  - key: sensor-name
+                    operator: In
+                    values:
+                      - rollout-reporter
+              topologyKey: "kubernetes.io/hostname"