helm/resource-annotator: add Helm chart.

Add a Helm chart for resource-annotator.

Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>

Author: klihub

deployment/helm/resource-annotator/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

deployment/helm/resource-annotator/Chart.yaml

@@ -0,0 +1,11 @@
+apiVersion: v2
+appVersion: unstable
+description: |
+  The resource annotator webhook creates a pod annotation with all the resource requirements
+  present in the pod's containers for CPU and memory compute resources.
+name: nri-resource-annotator
+sources:
+ - https://github.com/containers/nri-plugins
+home: https://github.com/containers/nri-plugins
+type: application
+version: v0.0.0

deployment/helm/resource-annotator/README.md

@@ -0,0 +1,66 @@
+# Resource Annotator Mutating Webhook
+
+This chart deploys the resource annotator mutating admission webhook.
+This webhook can be used to provide extra information for NRI resource
+policy plugins about compute (CPU and memory) resource requirements of
+containers. The hook will put a well known annotation on the pod which
+describes the resources for all init container and containers by name.
+If found, NRI resource policy plugins will use this extra information
+to discover container resource requirements instead of estimating them.
+
+## Prerequisites
+
+- An NRI resource plugin > v0.11.0
+- Helm 3.0.0+
+
+## Installing the Chart
+
+Path to the chart: `resource-annotator`
+
+At the moment the webhook does not you cert-manager. Instead you need
+to generate a certificate for the webhook before instantiating it and
+pass the certificate and its related key to helm. The below example
+demonstrates how this can be done.
+
+```shell
+$ helm repo add nri-plugins https://containers.github.io/nri-plugins
+$ mkdir cert
+$ SVC=resource-annotator NS=kube-system
+$ openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
+      -keyout ./cert/server-key.pem \
+      -out ./cert/server-crt.pem \
+      -subj "/CN=$SVC.$NS.svc" \
+      -addext "subjectAltName=DNS:$SVC,DNS:$SVC.$NS,DNS:$SVC.$NS.svc"
+$ helm -n $NS install nri-webhook nri-plugins/nri-resource-annotator \
+      --set service.secret.crt=$(base64 -w0 < ./cert/server-crt.pem) \
+      --set service.secret.key=$(base64 -w0 < ./cert/server-key.pem)
+```
+
+This will set up everything for the resource annotator webhook.
+
+## Uninstalling the Chart
+
+You can uninstall the resource annotator webhook with the following
+helm command.
+
+```shell
+$ NS=kube-system
+$ helm -n $NS uninstall nri-webhook
+```
+
+## Configuration options
+
+The tables below present an overview of the parameters available for users to
+customize with their own values, along with the default values.
+
+| Name                        | Default                                               | Description                    |
+|-----------------------------|-------------------------------------------------------|--------------------------------|
+| `image.name`                | ghcr.io/containers/nri-plugins/nri-resource-annotator | container image name           |
+| `image.tag`                 | unstable                                              | container image tag            |
+| `image.pullPolicy`          | Always                                                | image pull policy              |
+| `service.base64Crt`         | no sane default, see instructions above               | base64 encoded certificate     |
+| `service.base64Key`         | no sane default, see instructions above               | base64 encoded certificate key |
+| `resources.requests.cpu`    | 250m                                                  | CPU resource request           |
+| `resources.requests.memory` | 256Mi                                                 | memory resource request        |
+| `resources.limits.cpu`      | 1                                                     | CPU resource limit             |
+| `resources.limits.memory`   | 256Mi                                                 | memory resource limit          |

deployment/helm/resource-annotator/templates/_helpers.tpl

@@ -0,0 +1,16 @@
+{{/*
+Common labels
+*/}}
+{{- define "resource-annotator.labels" -}}
+helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{ include "resource-annotator.selectorLabels" . }}
+{{- end -}}
+
+{{/*
+Selector labels
+*/}}
+{{- define "resource-annotator.selectorLabels" -}}
+app.kubernetes.io/name: resource-annotator
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}

deployment/helm/resource-annotator/templates/secret.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: resource-annotator-secret
+  namespace: {{ .Release.Namespace }}
+data:
+  svc.crt: {{ .Values.service.base64Crt }}
+  svc.key: {{ .Values.service.base64Key }}
+type: Opaque

deployment/helm/resource-annotator/templates/webhook-config.yaml

@@ -0,0 +1,29 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: resource-annotator
+webhooks:
+- name: resource-annotator.noderesource.dev
+  sideEffects: None
+  admissionReviewVersions: ["v1"]
+  rules:
+    - apiGroups:
+        - "*"
+      apiVersions:
+        - "*"
+      operations:
+        - CREATE
+        - UPDATE
+      resources:
+        - pods
+  objectSelector:
+    matchExpressions:
+      - key: helm.sh/chart
+        operator: NotIn
+        values: ["{{ .Chart.Name }}-{{ .Chart.Version }}"]
+  failurePolicy: Fail
+  clientConfig:
+    service:
+      namespace: {{ .Release.Namespace }}
+      name: resource-annotator
+    caBundle: {{ .Values.service.base64Crt }}

deployment/helm/resource-annotator/templates/webhook-deployment.yaml

@@ -0,0 +1,93 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: resource-annotator
+  namespace: {{ .Release.Namespace }}
+  labels:
+  {{- include "resource-annotator.labels" . | nindent 4 }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+    {{- include "resource-annotator.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+      {{- include "resource-annotator.labels" . | nindent 8 }}
+    spec:
+      containers:
+      - name: webhook
+        image: {{ .Values.image.name }}:{{ .Values.image.tag | default .Chart.AppVersion }}
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        volumeMounts:
+        - name: certs
+          mountPath: /etc/resource-annotator/certs.d/
+          readOnly: true
+        args:
+         - "-cert-file=/etc/resource-annotator/certs.d/svc.crt"
+         - "-key-file=/etc/resource-annotator/certs.d/svc.key"
+         - "-port=8443"
+        {{- if .Values.extraEnv }}
+        env:
+          {{- range $name, $value := .Values.extraEnv }}
+          - name: {{ $name }}
+            value: {{ quote $value }}
+          {{- end }}
+        {{- end }}
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop: ["ALL"]
+          readOnlyRootFilesystem: true
+#          runAsNonRoot: true
+        resources:
+        {{- if .Values.resources.requests }}
+          requests:
+          {{- range $name, $value := .Values.resources.requests }}
+            {{ $name }}: "{{ $value }}"
+          {{- end }}
+        {{- end }}
+        {{- if .Values.resources.limits }}
+          limits:
+          {{- range $name, $value := .Values.resources.limits }}
+            {{ $name }}: "{{ $value }}"
+          {{- end }}
+        {{- end }}
+        livenessProbe:
+          httpGet:
+            scheme: HTTPS
+            port: 8443
+            httpHeaders:
+            - name: "Content-Type"
+              value: "application/json"
+          initialDelaySeconds: 5
+          periodSeconds: 30
+
+      nodeSelector:
+        node-role.kubernetes.io/control-plane: ""
+      tolerations:
+        - key: "node-role.kubernetes.io/control-plane"
+          operator: "Equal"
+          value: ""
+          effect: "NoSchedule"
+      priorityClassName: system-node-critical
+      volumes:
+      # The webhook uses k8s secrets to store TLS secrets. For now, you need to
+      # generate a cert/key pair and pass it to Helm, base64 encoded, using the
+      # corresponding Helm values.
+      - name: certs
+        secret:
+          secretName: resource-annotator-secret
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: resource-annotator
+  namespace: {{ .Release.Namespace }}
+spec:
+  selector:
+    {{- include "resource-annotator.selectorLabels" . | nindent 6 }}
+  ports:
+  - port: 443
+    targetPort: 8443
+    protocol: TCP

deployment/helm/resource-annotator/values.schema.json

@@ -0,0 +1,51 @@
+{
+  "$schema": "http://json-schema.org/schema#",
+  "required": [
+    "image",
+    "service"
+  ],
+  "properties": {
+    "image": {
+      "type": "object",
+      "required": [
+        "name",
+        "pullPolicy"
+      ],
+      "properties": {
+        "name": {
+          "type": "string"
+        },
+        "tag": {
+          "type": "string"
+        },
+        "pullPolicy": {
+          "type": "string",
+          "enum": [
+            "Never",
+            "Always",
+            "IfNotPresent"
+          ]
+        }
+      }
+    },
+    "service": {
+      "type": "object",
+      "required": [
+        "base64Crt",
+        "base64Key"
+      ],
+      "properties": {
+        "base64Crt": {
+          "type": "string",
+          "$comment": "base64 encoded certificate (PEM)",
+          "pattern": "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$"
+        },
+        "key": {
+          "type": "string",
+          "$comment": "base64 encoded key (PEM)",
+          "pattern": "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$"
+        }
+      }
+    }
+  }
+}

deployment/helm/resource-annotator/values.yaml

@@ -0,0 +1,25 @@
+# Default values for nri-plugins.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+---
+image:
+  name: ghcr.io/containers/nri-plugins/resource-annotator
+  # image tag, Chart.AppVersion if unset
+  #tag: unstable
+  pullPolicy: Always
+
+service:
+  base64Crt: UHV0IGhlcmUgeW91ciBjZXJ0aWZpY2F0ZSAoUEVNKQo=
+  base64Key: QW5kIGhlcmUgeW91ciBjZXJ0aWZpY2F0ZSBrZXkgKFBFTSkK
+
+resources:
+  requests:
+    cpu: 250m
+    memory: 256Mi
+  limits:
+    cpu: 1
+    memory: 256Mi
+
+# Extra environment variables to inject.
+extraEnv:
+#  LOGGER_DEBUG: "*"