feat: inCluster onprem runtime (#378)

Author: mikhail-klimko

charts/cf-runtime/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 description: A Helm chart for Codefresh Runner
 name: cf-runtime
-version: 3.0.8
+version: 4.0.0
 keywords:
   - codefresh
   - runner
@@ -14,11 +14,15 @@ maintainers:
     url: https://codefresh-io.github.io/
 annotations:
   artifacthub.io/changes: |
-    - kind: fixed
-      description: Fix security context for dind-lv-monitor (OpenShift support)
+    - kind: added
+      description: Add inCluster onprem runtime option (Codefresh On-Premises only)
     - kind: changed
-      description: Use rootless cli image for runtime patch job
+      description: Change templates to lib components
+    - kind: changed
+      description: Update cf-common dependency subchart
+    - kind: added
+      description: Post-delete hook to delete runtime from platform (Codefresh On-Premises only)
 dependencies:
   - name: cf-common
     repository: https://chartmuseum.codefresh.io/cf-common
-    version: 0.11.1
+    version: 0.11.2

charts/cf-runtime/README.md

@@ -12,6 +12,7 @@ Helm chart for deploying [Codefresh Runner](https://codefresh.io/docs/docs/insta
 - [Upgrade Chart](#upgrade-chart)
   - [To 2.x](#to-2x)
   - [To 3.x](#to-3x)
+  - [To 4.x](#to-4x)
 - [Architecture](#architecture)
 - [Configuration](#configuration)
   - [EBS backend volume configuration](#ebs-backend-volume-configuration)
@@ -20,6 +21,7 @@ Helm chart for deploying [Codefresh Runner](https://codefresh.io/docs/docs/insta
   - [Volume reuse policy](#volume-reuse-policy)
   - [Volume cleaners](#volume-cleaners)
   - [Openshift](#openshift)
+  - [On-premise](#on-premise)
 
 ## Prerequisites
 
@@ -96,6 +98,13 @@ Affected values:
 - `global.existingAgentToken` is replaced with `global.agentTokenSecretKeyRef`
 - `global.existingDindCertsSecret` is replaced with `global.dindCertsSecretRef`
 
+### To 4.x
+
+This major release adds **agentless inCluster** runtime mode (relevant only for [Codefresh On-Premises](#on-premise) users)
+
+Affected values:
+- `runtime.agent` / `runtime.inCluster` / `runtime.accounts` / `runtime.description` are added
+
 ## Architecture
 
 [Codefresh Runner architecture](https://codefresh.io/docs/docs/installation/codefresh-runner/#codefresh-runner-architecture)
@@ -408,6 +417,248 @@ oc adm policy add-scc-to-user privileged system:serviceaccount:codefresh:cf-runt
 oc adm policy add-scc-to-user privileged system:serviceaccount:codefresh:cf-runtime-volume-provisioner
 ```
 
+### On-premise
+
+If you have [Codefresh On-Premises](https://artifacthub.io/packages/helm/codefresh-onprem/codefresh) deployed, you can install Codefresh Runner in **agentless** mode.
+
+**What is agentless mode?**
+
+Agent (aka venona) is Runner component which responsible for calling Codefresh API to run builds and create dind/engine pods and pvc objects. Agent can only be assigned to a single account, thus you can't share one runtime across multiple accounts. However, with **agentless** mode it's possible to register the runtime as **system**-type runtime so it's registered on the platform level and can be assigned/shared across multiple accounts.
+
+**What are the prerequisites?**
+- You have a running [Codefresh On-Premises](https://artifacthub.io/packages/helm/codefresh-onprem/codefresh) control-plane environment
+- You have a Codefresh API token with platform **Admin** permissions scope
+
+
+### How to deploy agentless runtime when it's on the SAME k8s cluster as On-Premises control-plane environment?
+
+- Enable cluster-level permissions for cf-api (On-Premises control-plane component)
+
+> `values.yaml` for [Codefresh On-Premises](https://artifacthub.io/packages/helm/codefresh-onprem/codefresh) Helm chart
+```yaml
+cfapi:
+  ...
+  # -- Enable ClusterRole/ClusterRoleBinding
+  rbac:
+    namespaced: false
+```
+
+- Set the following values for Runner Helm chart
+
+`.Values.global.codefreshHost=...` \
+`.Values.global.codefreshToken=...` \
+`.Values.global.runtimeName=system/...` \
+`.Values.runtime.agent=false` \
+`.Values.runtime.inCluster=true`
+
+> `values.yaml` for [Codefresh Runner](https://artifacthub.io/packages/helm/codefresh-runner/cf-runtime) helm chart
+```yaml
+global:
+  # -- URL of Codefresh On-Premises Platform
+  codefreshHost: "https://myonprem.somedomain.com"
+  # -- User token in plain text with Admin permission scope
+  codefreshToken: ""
+  # -- User token that references an existing secret containing API key.
+  codefreshTokenSecretKeyRef: {}
+  # E.g.
+  # codefreshTokenSecretKeyRef:
+  #   name: my-codefresh-api-token
+  #   key: codefresh-api-token
+
+  # -- Distinguished runtime name
+  # (for On-Premise only; mandatory!) Must be prefixed with "system/..."
+  runtimeName: "system/prod-ue1-some-cluster-name"
+
+# -- Set runtime parameters
+runtime:
+  # -- (for On-Premise only; mandatory!) Disable agent
+  agent: false
+  # -- (for On-Premise only; optional) Set inCluster runtime (default: `true`)
+  # `inCluster=true` flag is set when Runtime and On-Premises control-plane are run on the same cluster
+  # `inCluster=false` flag is set when Runtime and On-Premises control-plane are on different clusters
+  inCluster: true
+  # -- (for On-Premise only; optional) Assign accounts to runtime (list of account ids; default is empty)
+  # Accounts can be assigned to the runtime in Codefresh UI later so you can kepp it empty.
+  accounts: []
+  # -- Set parent runtime to inherit.
+  runtimeExtends: []
+```
+
+- Install the chart
+
+```console
+helm upgrade --install cf-runtime oci://quay.io/codefresh/cf-runtime -f values.yaml --create-namespace --namespace cf-runtime
+```
+
+- Verify the runtime and run test pipeline
+
+Go to [https://<YOUR_ONPREM_DOMAIN_HERE>/admin/runtime-environments/system](https://<YOUR_ONPREM_DOMAIN_HERE>/admin/runtime-environments/system) to check the runtime. Assign it to the required account(s). Run test pipeline on it.
+
+
+### How to deploy agentless runtime when it's on the DIFFERENT k8s cluster than On-Premises control-plane environment?
+
+In this case, it's required to mount runtime cluster's `KUBECONFIG` into On-Premises `cf-api` deployment
+
+- Create the neccessary RBAC resources
+
+> `values.yaml` for [Codefresh Runner](https://artifacthub.io/packages/helm/codefresh-runner/cf-runtime) helm chart
+```yaml
+extraResources:
+- apiVersion: rbac.authorization.k8s.io/v1
+  kind: Role
+  metadata:
+    name: codefresh-role
+    namespace: '{{ "{{ .Release.Namespace }}" }}'
+  rules:
+    - apiGroups: [""]
+      resources: ["pods", "persistentvolumeclaims", "persistentvolumes"]
+      verbs: ["list", "watch", "get", "create", "patch", "delete"]
+    - apiGroups: ["snapshot.storage.k8s.io"]
+      resources: ["volumesnapshots"]
+      verbs: ["list", "watch", "get", "create", "patch", "delete"]
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    name: codefresh-runtime-user
+    namespace: '{{ "{{ .Release.Namespace }}" }}'
+- apiVersion: rbac.authorization.k8s.io/v1
+  kind: RoleBinding
+  metadata:
+    name: codefresh-runtime-user
+    namespace: '{{ "{{ .Release.Namespace }}" }}'
+  roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: Role
+    name: codefresh-role
+  subjects:
+  - kind: ServiceAccount
+    name: codefresh-runtime-user
+    namespace: '{{ "{{ .Release.Namespace }}" }}'
+- apiVersion: v1
+  kind: Secret
+  metadata:
+    name: codefresh-runtime-user-token
+    namespace: '{{ "{{ .Release.Namespace }}" }}'
+    annotations:
+      kubernetes.io/service-account.name: codefresh-runtime-user
+  type: kubernetes.io/service-account-token
+```
+
+- Set up the following environment variables to create a `KUBECONFIG` file
+
+```shell
+NAMESPACE=cf-runtime
+CLUSTER_NAME=prod-ue1-some-cluster-name
+CURRENT_CONTEXT=$(kubectl config current-context)
+
+USER_TOKEN_VALUE=$(kubectl -n cf-runtime get secret/codefresh-runtime-user-token -o=go-template='{{ `{{.data.token}}` }}' | base64 --decode)
+CURRENT_CLUSTER=$(kubectl config view --raw -o=go-template='{{ `{{range .contexts}}{{if eq .name "'''${CURRENT_CONTEXT}'''"}}{{ index .context "cluster" }}{{end}}{{end}}` }}')
+CLUSTER_CA=$(kubectl config view --raw -o=go-template='{{ `{{range .clusters}}{{if eq .name "'''${CURRENT_CLUSTER}'''"}}"{{with index .cluster "certificate-authority-data" }}{{.}}{{end}}"{{ end }}{{ end }}` }}')
+CLUSTER_SERVER=$(kubectl config view --raw -o=go-template='{{ `{{range .clusters}}{{if eq .name "'''${CURRENT_CLUSTER}'''"}}{{ .cluster.server }}{{end}}{{ end }}` }}')
+
+export -p USER_TOKEN_VALUE CURRENT_CONTEXT CURRENT_CLUSTER CLUSTER_CA CLUSTER_SERVER CLUSTER_NAME
+```
+
+- Create a kubeconfig file
+
+```console
+cat << EOF > $CLUSTER_NAME-kubeconfig
+apiVersion: v1
+kind: Config
+current-context: ${CLUSTER_NAME}
+contexts:
+- name: ${CLUSTER_NAME}
+  context:
+    cluster: ${CLUSTER_NAME}
+    user: codefresh-runtime-user
+    namespace: ${NAMESPACE}
+clusters:
+- name: ${CLUSTER_NAME}
+  cluster:
+    certificate-authority-data: ${CLUSTER_CA}
+    server: ${CLUSTER_SERVER}
+users:
+- name: ${CLUSTER_NAME}
+  user:
+    token: ${USER_TOKEN_VALUE}
+EOF
+```
+
+- **Switch context to On-Premises control-plane cluster**. Create k8s secret (via any tool like [ESO](https://external-secrets.io/v0.4.4/), `kubectl`, etc ) containing runtime cluster's `KUBECONFG` created in previous step.
+
+```shell
+NAMESPACE=codefresh
+kubectl create secret generic dind-runtime-clusters --from-file=$CLUSTER_NAME=$CLUSTER_NAME-kubeconfig -n $NAMESPACE
+```
+
+- Mount secret containing runtime cluster's `KUBECONFG` into cf-api in On-Premises control-plane cluster
+
+> `values.yaml` for [Codefresh On-Premises](https://artifacthub.io/packages/helm/codefresh-onprem/codefresh) helm chart
+```yaml
+cf-api:
+  ...
+  volumes:
+    dind-clusters:
+      enabled: true
+      type: secret
+      nameOverride: dind-runtime-clusters
+      optional: true
+```
+> volumeMount `/etc/kubeconfig` is already configured in cf-api Helm chart template. No need to specify it.
+
+- Set the following values for Runner helm chart
+
+> `values.yaml` for [Codefresh Runner](https://artifacthub.io/packages/helm/codefresh-runner/cf-runtime) helm chart
+
+`.Values.global.codefreshHost=...` \
+`.Values.global.codefreshToken=...` \
+`.Values.global.runtimeName=system/...` \
+`.Values.runtime.agent=false` \
+`.Values.runtime.inCluster=false`
+
+**Important!**
+`.Values.global.name` ("system/" prefix is ignored!) should match the cluster name (key in `dind-runtime-clusters` secret created previously)
+```yaml
+global:
+  # -- URL of Codefresh On-Premises Platform
+  codefreshHost: "https://myonprem.somedomain.com"
+  # -- User token in plain text with Admin permission scope
+  codefreshToken: ""
+  # -- User token that references an existing secret containing API key.
+  codefreshTokenSecretKeyRef: {}
+  # E.g.
+  # codefreshTokenSecretKeyRef:
+  #   name: my-codefresh-api-token
+  #   key: codefresh-api-token
+
+  # -- Distinguished runtime name
+  # (for On-Premise only; mandatory!) Must be prefixed with "system/..."
+  name: "system/prod-ue1-some-cluster-name"
+
+# -- Set runtime parameters
+runtime:
+  # -- (for On-Premise only; mandatory!) Disable agent
+  agent: false
+  # -- (for On-Premise only; optional) Set inCluster runtime (default: `true`)
+  # `inCluster=true` flag is set when Runtime and On-Premises control-plane are run on the same cluster
+  # `inCluster=false` flag is set when Runtime and On-Premises control-plane are on different clusters
+  inCluster: false
+  # -- (for On-Premise only; optional) Assign accounts to runtime (list of account ids; default is empty)
+  # Accounts can be assigned to the runtime in Codefresh UI later so you can kepp it empty.
+  accounts: []
+  # -- (optional) Set parent runtime to inherit.
+  runtimeExtends: []
+```
+
+- Install the chart
+
+```console
+helm upgrade --install cf-runtime oci://quay.io/codefresh/cf-runtime -f values.yaml --create-namespace --namespace cf-runtime
+```
+
+- Verify the runtime and run test pipeline
+
+Go to [https://<YOUR_ONPREM_DOMAIN_HERE>/admin/runtime-environments/system](https://<YOUR_ONPREM_DOMAIN_HERE>/admin/runtime-environments/system) to see the runtime. Assign it to the required account(s).
 
 {{ template "chart.requirementsSection" . }}