Merge pull request #284 from typeid/interceptor_deployment

Interceptor deployment

Author: openshift-merge-bot[bot]

Dockerfile

@@ -4,12 +4,14 @@ FROM $BUILDER_IMG as builder
 ADD . /opt
 WORKDIR /opt
 
-RUN git update-index --refresh; make CGO_ENABLED=0 cadctl-install-local-force
+RUN make CGO_ENABLED=0 build-cadctl
+RUN make CGO_ENABLED=0 build-interceptor
 
 
 FROM quay.io/app-sre/ubi8-ubi-minimal:8.10 as runner
 
-COPY --from=builder /opt/cadctl/cadctl /bin/cadctl
+COPY --from=builder /opt/bin/cadctl /bin/cadctl
+COPY --from=builder /opt/bin/interceptor /bin/interceptor
 
 ARG BUILD_DATE
 ARG VERSION

Makefile

@@ -107,15 +107,3 @@ coverage:
 
 .PHONY: validate
 validate: generate-template-file isclean
-
-# Build targets
-cadctl/cadctl: cadctl/**/*.go pkg/**/*.go go.mod go.sum
-	GOBIN=$(PWD)/cadctl go install -ldflags="-s -w" -mod=readonly -trimpath $(PWD)/cadctl
-
-.PHONY: cadctl-install-local
-cadctl-install-local: cadctl/cadctl
-
-.PHONY: cadctl-install-local-force
-cadctl-install-local-force:
-	rm cadctl/cadctl >/dev/null 2>&1 || true
-	make cadctl-install-local

README.md

@@ -6,16 +6,17 @@
 
 - [Configuration Anomaly Detection](#configuration-anomaly-detection)
   - [About](#about)
+  - [Overview](#overview)
+    - [Workflow](#workflow)
   - [Contributing](#contributing)
+    - [Building](#building)
     - [Adding a new investigation](#adding-a-new-investigation)
   - [Testing locally](#testing-locally)
     - [Pre-requirements](#pre-requirements)
     - [Running cadctl for an incident ID](#running-cadctl-for-an-incident-id)
   - [Documentation](#documentation)
-    - [CAD CLI](#cad-cli)
     - [Investigations](#investigations)
     - [Integrations](#integrations)
-    - [Overview](#overview)
     - [Templates](#templates)
     - [Dashboards](#dashboards)
     - [Deployment](#deployment)
@@ -32,8 +33,29 @@
 
 Configuration Anomaly Detection (CAD) is responsible for reducing manual SRE effort by pre-investigating alerts, detecting cluster anomalies and sending relevant communications to the cluster owner.
 
+## Overview
+
+CAD consists of:
+- a tekton deployment including a custom tekton interceptor
+- the `cadctl` command line tool implementing alert remediations and pre-investigations
+
+### Workflow
+
+1) [PagerDuty Webhooks](https://support.pagerduty.com/docs/webhooks) are used to trigger Configuration-Anomaly-Detection when a [PagerDuty incident](https://support.pagerduty.com/docs/incidents) is created
+2) The webhook routes to a [Tekton EventListener](https://tekton.dev/docs/triggers/eventlisteners/)
+3) Received webhooks are filtered by a [Tekton Interceptor](https://tekton.dev/docs/triggers/interceptors/) that uses the payload to evaluate whether the alert has an implemented handler function in `cadctl` or not. If there is no handler implemented, the alert is directly forwarded to a human SRE. 
+4) If `cadctl` implements a handler for the received payload/alert, a [Tekton PipelineRun](https://tekton.dev/docs/pipelines/pipelineruns/) is started.
+5) The pipeline runs `cadctl` which determines the handler function by itself based on the payload. 
+
+![CAD Overview](./images/cad_overview/cad_architecture_dark.png#gh-dark-mode-only)
+![CAD Overview](./images/cad_overview/cad_architecture_light.png#gh-light-mode-only)
+
 ## Contributing 
 
+### Building
+
+For build targets, see `make help`. 
+
 ### Adding a new investigation
 
 CAD investigations are triggered by PagerDuty webhooks. Currently, CAD supports the following two formats of webhooks:
@@ -70,10 +92,6 @@ Example usage:`./test/generate_incident.sh ClusterHasGoneMissing 2b94brrrrrrrrrr
 
 ## Documentation
 
-### CAD CLI
-
-* [cadctl](./cadctl/README.md) -- Performs investigation workflow.
-
 ### Investigations
 
 Every alert managed by CAD corresponds to an investigation, representing the executed code associated with the alert.
@@ -87,16 +105,6 @@ Investigation specific documentation can be found in the according investigation
 * [OCM](https://github.com/openshift-online/ocm-sdk-go) -- Retrieving cluster info, sending service logs, and managing (post, delete) limited support reasons.
 * [osd-network-verifier](https://github.com/openshift/osd-network-verifier) -- Tool to verify the pre-configured networking components for ROSA and OSD CCS clusters.
 
-### Overview
-
-- CAD is a command line tool that is run in tekton pipelines. 
-- The tekton service is running on an app-sre cluster. 
-- CAD is triggered by PagerDuty webhooks configured on selected services, meaning that all alerts in that service trigger a CAD pipeline. 
-- CAD uses the data received via the webhook to determine which investigation to start.
-
-![CAD Overview](./images/cad_overview/cad_architecture_dark.png#gh-dark-mode-only)
-![CAD Overview](./images/cad_overview/cad_architecture_light.png#gh-light-mode-only)
-
 ### Templates
 
 * [Update-Template](./hack/update-template/README.md) -- Updating configuration-anomaly-detection-template.Template.yaml.

cadctl/README.md

@@ -0,0 +1,77 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cad-interceptor-deployment
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: cad-interceptor
+  template:
+    metadata:
+      labels:
+        app: cad-interceptor
+    spec:
+      containers:
+      - name: cad-interceptor
+        image: ${REGISTRY_IMG}:${IMAGE_TAG}
+        command: ["/bin/bash", "-c"]
+        args: ["interceptor"]
+        ports:
+        - containerPort: 8080
+        envFrom:
+        - secretRef:
+            name: cad-pd-token
+        resources:
+          limits:
+            cpu: "100m"
+            memory: "500Mi"
+          requests:
+            cpu: "10m"
+            memory: "100Mi"
+        readinessProbe:
+          httpGet:
+            path: /ready
+            port: 8080
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          timeoutSeconds: 5
+          successThreshold: 1
+          failureThreshold: 3
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          runAsGroup: 65532
+          runAsNonRoot: true
+          runAsUser: 65532
+          seccompProfile:
+            type: RuntimeDefault
+      restartPolicy: Always 
+      serviceAccountName: pipeline
+      terminationGracePeriodSeconds: 30
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: cad-interceptor-service
+spec:
+  selector:
+    app: cad-interceptor
+  ports:
+  - protocol: TCP
+    port: 8080
+    targetPort: 8080
+  type: ClusterIP
+---
+apiVersion: triggers.tekton.dev/v1beta1
+kind: Interceptor
+metadata:
+  name: cad-interceptor
+spec:
+  clientConfig:
+    service:
+      name: cad-interceptor-service
+      namespace: ${NAMESPACE_NAME}
+      port: 8080

deploy/interceptor.yaml

@@ -45,6 +45,10 @@ spec:
       params:
       - name: "filter"
         value: "header.canonical('X-Secret-Token').compareSecret('X_SECRET_TOKEN', 'cad-pd-token')"
+    # Enable after interceptor deployment is tested
+    # - ref:
+    #     name: "cad-interceptor"
+    #     kind: NamespacedInterceptor
   bindings:
   - ref: cad-check-trigger
   template:

deploy/pipeline-trigger.yaml

@@ -174,4 +174,4 @@ require (
 	sigs.k8s.io/yaml v1.4.0 // indirect
 )
 
-replace github.com/openshift/configuration-anomaly-detection => ../
+replace github.com/openshift/configuration-anomaly-detection => ../

interceptor/go.mod

@@ -1078,4 +1078,4 @@ sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77Vzej
 sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
 sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=
 sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
-sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
+sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=

interceptor/go.sum

@@ -10,6 +10,84 @@ parameters:
 - name: NAMESPACE_NAME
   value: configuration-anomaly-detection
 objects:
+- apiVersion: apps/v1
+  kind: Deployment
+  metadata:
+    name: cad-interceptor-deployment
+  spec:
+    replicas: 2
+    selector:
+      matchLabels:
+        app: cad-interceptor
+    template:
+      metadata:
+        labels:
+          app: cad-interceptor
+      spec:
+        containers:
+        - args:
+          - interceptor
+          command:
+          - /bin/bash
+          - -c
+          envFrom:
+          - secretRef:
+              name: cad-pd-token
+          image: ${REGISTRY_IMG}:${IMAGE_TAG}
+          name: cad-interceptor
+          ports:
+          - containerPort: 8080
+          readinessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /ready
+              port: 8080
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 5
+          resources:
+            limits:
+              cpu: 100m
+              memory: 500Mi
+            requests:
+              cpu: 10m
+              memory: 100Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - ALL
+            runAsGroup: 65532
+            runAsNonRoot: true
+            runAsUser: 65532
+            seccompProfile:
+              type: RuntimeDefault
+        restartPolicy: Always
+        serviceAccountName: pipeline
+        terminationGracePeriodSeconds: 30
+- apiVersion: v1
+  kind: Service
+  metadata:
+    name: cad-interceptor-service
+  spec:
+    ports:
+    - port: 8080
+      protocol: TCP
+      targetPort: 8080
+    selector:
+      app: cad-interceptor
+    type: ClusterIP
+- apiVersion: triggers.tekton.dev/v1beta1
+  kind: Interceptor
+  metadata:
+    name: cad-interceptor
+  spec:
+    clientConfig:
+      service:
+        name: cad-interceptor-service
+        namespace: ${NAMESPACE_NAME}
+        port: 8080
 - apiVersion: triggers.tekton.dev/v1beta1
   kind: TriggerBinding
   metadata: