Add GCP Marketplace deployment support

Add Jsonnet configuration and manifests to support deploying parca-agent
to Google Cloud Marketplace. Includes DaemonSet, RBAC, ConfigMap, and
Application definitions.

Author: metalmatze

.gitignore

@@ -9,6 +9,7 @@
 TODO.md
 minikube-*
 /data
+/deploy/gcp/tmp/
 
 # Snap Packaging Artifacts
 *.snap

deploy/Makefile

@@ -8,7 +8,7 @@ vendor:
 
 .PHONY: manifests
 manifests: vendor $(shell find . -name 'vendor' -prune -o -name '*.libsonnet' -print -o -name '*.jsonnet' -print)
-	rm -rf manifests tilt
+	rm -rf manifests tilt gcp/manifest/manifest.yaml.template
 	mkdir -p manifests/openshift manifests/kubernetes tilt
 	export VERSION=$(VERSION) SERVER_VERSION=$(SERVER_VERSION) && ./generate.sh
 

deploy/gcp.jsonnet

@@ -0,0 +1,40 @@
+function(version='v0.0.1-alpha.3')
+  //  local ns = {
+  //    apiVersion: 'v1',
+  //    kind: 'Namespace',
+  //    metadata: {
+  //      name: 'parca',
+  //      labels: {
+  //        'pod-security.kubernetes.io/enforce': 'privileged',
+  //        'pod-security.kubernetes.io/audit': 'privileged',
+  //        'pod-security.kubernetes.io/warn': 'privileged',
+  //      },
+  //    },
+  //  };
+
+  local agent = (import 'parca-agent/parca-agent.libsonnet')({
+    name: '$name',
+    namespace: '$namespace',
+    version: version,
+    image: 'ghcr.io/parca-dev/parca-agent:' + version,
+    // This assumes there's a running parca in the cluster.
+    stores: ['parca.parca.svc.cluster.local:7070'],
+    insecure: true,
+    //   token: "<token>",
+    //   stores: [
+    //     'grpc.polarsignals.com:443',
+    //   ],
+    // Available Options:
+    //   samplingRatio: 0.5,
+    //   Docs for usage of Label Selector
+    //   https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+    //   podLabelSelector: 'app=my-web-app,version=v1',
+  });
+
+  {
+    //    '0namespace': ns,
+    //  } + {
+    ['parca-agent-' + name]: agent[name]
+    for name in std.objectFields(agent)
+    if agent[name] != null
+  }

deploy/gcp/Dockerfile

@@ -0,0 +1 @@
+FROM gcr.io/cloud-marketplace-tools/k8s/deployer_envsubst/onbuild

deploy/gcp/manifest/application.yaml.template

@@ -0,0 +1,23 @@
+apiVersion: app.k8s.io/v1beta1
+kind: Application
+metadata:
+  name: "$name"
+  namespace: "$namespace"
+  annotations:
+    marketplace.cloud.google.com/deploy-info: '{"partner_id": "partner", "product_id": "nginx", "partner_name": "Partner"}'
+  labels:
+    app.kubernetes.io/name: "$name"
+spec:
+  descriptor:
+    type: parca-agent
+    version: '0.44.0'
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: "$name"
+  componentKinds:
+  # The group is determined from the apiVersion: $GROUP_NAME/$VERSION
+  - group: apps
+    kind: DaemonSet
+  - group: ''
+    kind: Service
+

deploy/gcp/manifest/manifest.yaml.template

@@ -0,0 +1,206 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/component: observability
+    app.kubernetes.io/instance: $name
+    app.kubernetes.io/name: parca-agent
+    app.kubernetes.io/version: v0.44.0
+  name: $name
+  namespace: $namespace
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: observability
+    app.kubernetes.io/instance: $name
+    app.kubernetes.io/name: parca-agent
+    app.kubernetes.io/version: v0.44.0
+  name: $name
+  namespace: $namespace
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: $name
+subjects:
+- kind: ServiceAccount
+  name: $name
+  namespace: $namespace
+---
+apiVersion: v1
+data:
+  parca-agent.yaml: |-
+    "relabel_configs":
+    - "source_labels":
+      - "__meta_process_executable_compiler"
+      "target_label": "compiler"
+    - "source_labels":
+      - "__meta_system_kernel_machine"
+      "target_label": "arch"
+    - "source_labels":
+      - "__meta_system_kernel_release"
+      "target_label": "kernel_version"
+    - "source_labels":
+      - "__meta_kubernetes_namespace"
+      "target_label": "namespace"
+    - "source_labels":
+      - "__meta_kubernetes_pod_name"
+      "target_label": "pod"
+    - "source_labels":
+      - "__meta_kubernetes_pod_container_name"
+      "target_label": "container"
+    - "source_labels":
+      - "__meta_kubernetes_pod_container_image"
+      "target_label": "container_image"
+    - "source_labels":
+      - "__meta_kubernetes_node_label_topology_kubernetes_io_region"
+      "target_label": "region"
+    - "source_labels":
+      - "__meta_kubernetes_node_label_topology_kubernetes_io_zone"
+      "target_label": "zone"
+    - "action": "labelmap"
+      "regex": "__meta_kubernetes_pod_label_(.+)"
+      "replacement": "${1}"
+    - "action": "labeldrop"
+      "regex": "apps_kubernetes_io_pod_index|controller_revision_hash|statefulset_kubernetes_io_pod_name|pod_template_hash"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: observability
+    app.kubernetes.io/instance: $name
+    app.kubernetes.io/name: parca-agent
+    app.kubernetes.io/version: v0.44.0
+  name: $name
+  namespace: $namespace
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    app.kubernetes.io/component: observability
+    app.kubernetes.io/instance: $name
+    app.kubernetes.io/name: parca-agent
+    app.kubernetes.io/version: v0.44.0
+  name: $name
+  namespace: $namespace
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: observability
+      app.kubernetes.io/instance: $name
+      app.kubernetes.io/name: parca-agent
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: observability
+        app.kubernetes.io/instance: $name
+        app.kubernetes.io/name: parca-agent
+        app.kubernetes.io/version: v0.44.0
+    spec:
+      containers:
+      - args:
+        - --http-address=:7071
+        - --node=$(NODE_NAME)
+        - --config-path=/etc/parca-agent/parca-agent.yaml
+        - --remote-store-address=parca.parca.svc.cluster.local:7070
+        - --remote-store-insecure
+        env:
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        image: ghcr.io/parca-dev/parca-agent:v0.44.0
+        name: parca-agent
+        ports:
+        - containerPort: 7071
+          name: http
+        resources: {}
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - SYS_ADMIN
+          privileged: true
+        volumeMounts:
+        - mountPath: /tmp
+          name: tmp
+        - mountPath: /run
+          name: run
+        - mountPath: /boot
+          name: boot
+          readOnly: true
+        - mountPath: /lib/modules
+          name: modules
+        - mountPath: /sys/kernel/debug
+          name: debugfs
+        - mountPath: /sys/fs/cgroup
+          name: cgroup
+        - mountPath: /sys/fs/bpf
+          name: bpffs
+        - mountPath: /etc/parca-agent
+          name: config
+        - mountPath: /var/run/dbus/system_bus_socket
+          name: dbus-system
+      hostPID: true
+      nodeSelector:
+        kubernetes.io/os: linux
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+      serviceAccountName: $name
+      tolerations:
+      - operator: Exists
+      volumes:
+      - emptyDir: {}
+        name: tmp
+      - hostPath:
+          path: /run
+        name: run
+      - hostPath:
+          path: /boot
+        name: boot
+      - hostPath:
+          path: /sys/fs/cgroup
+        name: cgroup
+      - hostPath:
+          path: /lib/modules
+        name: modules
+      - hostPath:
+          path: /sys/fs/bpf
+        name: bpffs
+      - hostPath:
+          path: /sys/kernel/debug
+        name: debugfs
+      - configMap:
+          name: $name
+        name: config
+      - hostPath:
+          path: /var/run/dbus/system_bus_socket
+        name: dbus-system
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: observability
+    app.kubernetes.io/instance: $name
+    app.kubernetes.io/name: parca-agent
+    app.kubernetes.io/version: v0.44.0
+  name: $name
+  namespace: $namespace
+---

deploy/gcp/schema.yaml

@@ -0,0 +1,30 @@
+x-google-marketplace:
+  schemaVersion: v2
+
+  applicationApiVersion: v1beta1
+  # The published version is required and MUST match the tag
+  # of the deployer image
+  publishedVersion: '0.44.0'
+  publishedVersionMetadata:
+    releaseNote: >-
+      A first release.
+  # The images property will be filled in during part 2
+  images: {}
+
+properties:
+  name:
+    type: string
+    x-google-marketplace:
+      type: NAME
+  namespace:
+    type: string
+    x-google-marketplace:
+      type: NAMESPACE
+  replicas:
+    type: integer
+    title: Nginx Replica Count
+    description: The number of nginx replicas to deploy
+
+required:
+- name
+- namespace

deploy/generate.sh

@@ -1,8 +1,15 @@
 #!/usr/bin/env bash
 set -e
 
+# Kubernetes
 jsonnet --tla-str version="${VERSION}" -J vendor main.jsonnet -m manifests/kubernetes | xargs -I{} sh -c 'cat {} | gojsontoyaml > {}.yaml; rm -f {}' -- {}
 for f in manifests/kubernetes/*; do cat ${f} >> manifests/kubernetes-manifest.yaml; echo '---' >> manifests/kubernetes-manifest.yaml; done
+# OpenShift
 jsonnet --tla-str version="${VERSION}" -J vendor openshift.jsonnet -m manifests/openshift | xargs -I{} sh -c 'cat {} | gojsontoyaml > {}.yaml; rm -f {}' -- {}
 for f in manifests/openshift/*; do cat ${f} >> manifests/openshift-manifest.yaml; echo '---' >> manifests/openshift-manifest.yaml; done
+# GCP Marketplace
+jsonnet --tla-str version="${VERSION}" -J vendor gcp.jsonnet -m gcp/tmp | xargs -I{} sh -c 'cat {} | gojsontoyaml > {}.yaml; rm -f {}' -- {}
+for f in gcp/tmp/*; do cat ${f} >> gcp/manifest/manifest.yaml.template; echo '---' >> gcp/manifest/manifest.yaml.template; done
+# Tilt
 jsonnet --tla-str serverVersion="${SERVER_VERSION}" -J vendor dev.jsonnet -m tilt | xargs -I{} sh -c 'cat {} | gojsontoyaml > {}.yaml; rm -f {}' -- {}
+