Support SSH reruns

CircleCI-Public · Jun 28, 2023 · a478fad · a478fad
1 parent 49b1048
commit a478fad
Show file tree

Hide file tree

Showing 6 changed files with 111 additions and 1 deletion.
diff --git a/Chart.yaml b/Chart.yaml
@@ -4,5 +4,5 @@ description: For deploying a CircleCI Container Agent
 icon: https://raw.githubusercontent.com/circleci/media/master/logo/build/horizontal_dark.1.png
 type: application
 
-version: "101.0.7"
+version: "101.1.0"
 appVersion: "3"
diff --git a/changelog.md b/changelog.md
@@ -2,6 +2,10 @@
 
 This is the Container Agent Helm Chart changelog
 
+# 101.1.0
+
+- [PREVIEW] Support SSH reruns 
+
 # 101.0.7
 
 - Update README with new parameters & add some documentation links to `values.yaml`

diff --git a/templates/deployment.yaml b/templates/deployment.yaml
@@ -94,6 +94,17 @@ spec:
               value: {{ .Values.logging.serviceAccount.secret.name | quote }}
             - name: KUBE_AUTODETECT_PLATFORM
               value: {{ .Values.agent.autodetectPlatform | quote }}
+
+            {{- if .Values.agent.ssh.isEnabled }}
+            {{- $sshName := printf "%s-ssh" (include "container-agent.fullname" .) }}
+            - name: KUBE_SSH_IS_ENABLED
+              value: "true"
+            - name: KUBE_SSH_GATEWAY_NAME
+              value: {{ $sshName }}
+            - name: KUBE_SSH_SERVICE_NAME
+              value: {{ $sshName }}
+            {{- end }}
+
           livenessProbe: {{ toYaml .Values.agent.livenessProbe | nindent 12 }}
           readinessProbe: {{ toYaml .Values.agent.readinessProbe | nindent 12 }}
         {{- if .Values.agent.resources }}

diff --git a/templates/role.yaml b/templates/role.yaml
@@ -19,6 +19,13 @@ rules:
   - apiGroups: ["", "events.k8s.io/v1"]
     resources: ["events"]
     verbs: ["watch"]
+
+  {{- if .Values.agent.ssh.isEnabled }}
+  - apiGroups: ["", "gateway.networking.k8s.io"]
+    resources: ["gateways", "services", "endpoints"]
+    verbs: ["get"]
+  {{- end }} # if .Values.agent.ssh.isEnabled
+
 {{- if $role.rules }}
   {{- toYaml $role.rules | indent 2 }}
 {{- end }} # if $role.rules

diff --git a/templates/ssh.yaml b/templates/ssh.yaml
@@ -0,0 +1,71 @@
+{{- if .Values.agent.ssh.isEnabled }}
+
+{{- $startPort := .Values.agent.ssh.startPort | int }}
+{{- $ports := untilStep $startPort (add $startPort .Values.agent.ssh.numPorts | int) 1 -}}
+{{- $namespace := .Release.Namespace | quote }}
+{{- $name := printf "%s-ssh" (include "container-agent.fullname" .) }}
+
+kind: GatewayClass
+apiVersion: gateway.networking.k8s.io/v1beta1
+metadata:
+  name: {{ $name }}
+  namespace: {{ $namespace }}
+spec:
+  controllerName: {{ .Values.agent.ssh.controllerName }}
+
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+  name: {{ $name }}
+  namespace: {{ $namespace }}
+spec:
+  gatewayClassName: {{ $name }}
+  listeners:
+    {{- range $i, $port := $ports }}
+    - name: ssh-{{ $port }}
+      protocol: TCP
+      port: {{ $port }}
+      allowedRoutes:
+        kinds:
+          - kind: TCPRoute
+    {{- end }}
+
+---
+{{- range $i, $port := $ports }}
+{{ $portName := printf "ssh-%d" $port }}
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: TCPRoute
+metadata:
+  name: {{ $portName }}
+  namespace: {{ $namespace }}
+spec:
+  parentRefs:
+  - name: {{ $name }}
+    sectionName: {{ $portName }}
+  rules:
+  - backendRefs:
+    - name: {{ $name }}
+      port: {{ $port }}
+{{- end }}
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ $name }}
+  namespace: {{ $namespace }}
+spec:
+  selector:
+    app.kubernetes.io/managed-by: circleci-container-agent
+  ports:
+  {{- range $i, $port := $ports }}
+  {{ $portName := printf "ssh-%d" $port }}
+  - name: {{ $portName }}
+    protocol: TCP
+    port: {{ $port }}
+    targetPort: {{ $portName }}
+  {{- end }}
+
+{{- end }} # if .Values.agent.ssh.isEnabled
diff --git a/values.yaml b/values.yaml
@@ -202,6 +202,23 @@ agent:
     # Check interval
     interval: 15m
 
+  ssh:
+    # Controls whether to enable SSH reruns (see: https://circleci.com/docs/ssh-access-jobs/).
+    # Note that enabling SSH reruns will install additional resources to your cluster. Notably,
+    # SSH reruns requires the Kubernetes Gateway API (see: https://gateway-api.sigs.k8s.io/).
+    isEnabled: false
+
+    # The name of the infrastructure provider for the SSH rerun Gateway (see: https://gateway-api.sigs.k8s.io/implementations/).
+    # SSH reruns depend on the TCPRoute resource, so only implementations that support it are compatible at this time.
+    # Please consult the documentation for your preferred Gateway implementation for guidance on setting it up in your cluster.
+    # The Envoy Gateway has been successfully tested for SSH reruns (see: https://gateway.envoyproxy.io/v0.4.0/user/tcp-routing.html).
+    controllerName: "gateway.envoyproxy.io/gatewayclass-controller"
+
+    # Specify the port range that is approved for SSH connections.
+    # Note that the number of concurrent jobs rerun with SSH is limited by the number of ports in this range.
+    startPort: 54782
+    numPorts: 10
+
 # Kubernetes service account settings
 serviceAccount:
   create: true