Merge branch 'release-1.0' into fix/reconcile-re-drift

codefresh-io · Jun 19, 2024 · cde1e7c · cde1e7c
2 parents e43ecc1 + 341366b
commit cde1e7c
Show file tree

Hide file tree

Showing 11 changed files with 311 additions and 13 deletions.
diff --git a/charts/cf-runtime/Chart.yaml b/charts/cf-runtime/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 description: A Helm chart for Codefresh Runner
 name: cf-runtime
-version: 6.3.26
+version: 6.3.34
 keywords:
   - codefresh
   - runner

diff --git a/charts/cf-runtime/README.md b/charts/cf-runtime/README.md
@@ -20,6 +20,7 @@ Helm chart for deploying [Codefresh Runner](https://codefresh.io/docs/docs/insta
 - [Configuration](#configuration)
   - [EBS backend volume configuration in AWS](#ebs-backend-volume-configuration)
   - [Azure Disks backend volume configuration in AKS](#azure-disks-backend-volume-configuration)
+  - [GCE Disks backend volume configuration in GKE](#gce-disks-backend-volume-configuration-in-gke)
   - [Custom volume mounts](#custom-volume-mounts)
   - [Custom global environment variables](#custom-global-environment-variables)
   - [Volume reuse policy](#volume-reuse-policy)
@@ -440,6 +441,113 @@ runtime:
       topology.kubernetes.io/zone: northeurope-1
 ```
 
+### GCE Disks backend volume configuration in GKE
+
+`dind-volume-provisioner` should have `ComputeEngine.StorageAdmin` permissions
+
+There are three options:
+
+1. Run `dind-volume-provisioner` pod on the node/node-group with IAM Service Account
+
+```yaml
+storage:
+  # -- Set backend volume type (`local`/`ebs`/`ebs-csi`/`gcedisk`/`azuredisk`)
+  backend: gcedisk
+
+  gcedisk:
+    # -- Set GCP volume backend type (`pd-ssd`/`pd-standard`)
+    volumeType: "pd-standard"
+    # -- Set GCP volume availability zone
+    availabilityZone: "us-central1-c"
+
+volumeProvisioner:
+  # -- Set node selector
+  nodeSelector: {}
+  # -- Set tolerations
+  tolerations: []
+
+# -- Set runtime parameters
+runtime:
+  # -- Parameters for DinD (docker-in-docker) pod
+  dind:
+    # -- Set node selector.
+    nodeSelector:
+      topology.kubernetes.io/zone: us-central1-c
+```
+
+2. Pass static credentials in `.Values.storage.gcedisk.serviceAccountJson` (inline) or `.Values.storage.gcedisk.serviceAccountJsonSecretKeyRef` (from your own secret)
+
+```yaml
+storage:
+  # -- Set backend volume type (`local`/`ebs`/`ebs-csi`/`gcedisk`/`azuredisk`)
+  backend: gcedisk
+
+  gcedisk:
+    # -- Set GCP volume backend type (`pd-ssd`/`pd-standard`)
+    volumeType: "`pd-standard"
+    # -- Set GCP volume availability zone
+    availabilityZone: "us-central1-c"
+    # -- Set Google SA JSON key for volume-provisioner (optional)
+    serviceAccountJson: |
+        {
+        "type": "service_account",
+        "project_id": "...",
+        "private_key_id": "...",
+        "private_key": "...",
+        "client_email": "...",
+        "client_id": "...",
+        "auth_uri": "...",
+        "token_uri": "...",
+        "auth_provider_x509_cert_url": "...",
+        "client_x509_cert_url": "..."
+        }
+    # -- Existing secret containing containing Google SA JSON key for volume-provisioner (optional)
+    serviceAccountJsonSecretKeyRef: {}
+    # E.g.:
+    # serviceAccountJsonSecretKeyRef:
+    #   name: gce-service-account
+    #   key: service-account.json
+
+# -- Set runtime parameters
+runtime:
+  # -- Parameters for DinD (docker-in-docker) pod
+  dind:
+    # -- Set node selector.
+    nodeSelector:
+      topology.kubernetes.io/zone: us-central1-c
+```
+
+3. Assign IAM role to `dind-volume-provisioner` service account
+
+```yaml
+storage:
+  # -- Set backend volume type (`local`/`ebs`/`ebs-csi`/`gcedisk`/`azuredisk`)
+  backend: gcedisk
+
+  gcedisk:
+    # -- Set GCP volume backend type (`pd-ssd`/`pd-standard`)
+    volumeType: "`pd-standard"
+    # -- Set GCP volume availability zone
+    availabilityZone: "us-central1-c"
+
+volumeProvisioner:
+  # -- Service Account parameters
+  serviceAccount:
+    # -- Create service account
+    create: true
+    # -- Additional service account annotations
+    annotations:
+      iam.gke.io/gcp-service-account: <GSA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com
+
+# -- Set runtime parameters
+runtime:
+  # -- Parameters for DinD (docker-in-docker) pod
+  dind:
+    # -- Set node selector.
+    nodeSelector:
+      topology.kubernetes.io/zone: us-central1-c
+```
+
 ### Custom global environment variables
 
 You can add your own environment variables to the runtime environment. All pipeline steps have access to the global variables.
@@ -1013,10 +1121,10 @@ Go to [https://<YOUR_ONPREM_DOMAIN_HERE>/admin/runtime-environments/system](http
 | runtime.accounts | list | `[]` | (for On-Premise only) Assign accounts to runtime (list of account ids) |
 | runtime.agent | bool | `true` | (for On-Premise only) Enable agent |
 | runtime.description | string | `""` | Runtime description |
-| runtime.dind | object | `{"affinity":{},"env":{"DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE":"true"},"image":{"registry":"quay.io","repository":"codefresh/dind","tag":"26.0.0-1.28.6"},"nodeSelector":{},"podAnnotations":{},"podLabels":{},"pvcs":{"dind":{"name":"dind","reuseVolumeSelector":"codefresh-app,io.codefresh.accountName","reuseVolumeSortOrder":"pipeline_id","storageClassName":"{{ include \"dind-volume-provisioner.storageClassName\" . }}","volumeSize":"16Gi"}},"resources":{"limits":{"cpu":"400m","memory":"800Mi"},"requests":null},"schedulerName":"","serviceAccount":"codefresh-engine","tolerations":[],"userAccess":true,"userVolumeMounts":{},"userVolumes":{}}` | Parameters for DinD (docker-in-docker) pod (aka "runtime" pod). |
+| runtime.dind | object | `{"affinity":{},"env":{"DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE":"true"},"image":{"pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/dind","tag":"26.0.0-1.28.6"},"nodeSelector":{},"podAnnotations":{},"podLabels":{},"pvcs":{"dind":{"name":"dind","reuseVolumeSelector":"codefresh-app,io.codefresh.accountName","reuseVolumeSortOrder":"pipeline_id","storageClassName":"{{ include \"dind-volume-provisioner.storageClassName\" . }}","volumeSize":"16Gi"}},"resources":{"limits":{"cpu":"400m","memory":"800Mi"},"requests":null},"schedulerName":"","serviceAccount":"codefresh-engine","tolerations":[],"userAccess":true,"userVolumeMounts":{},"userVolumes":{}}` | Parameters for DinD (docker-in-docker) pod (aka "runtime" pod). |
 | runtime.dind.affinity | object | `{}` | Set affinity |
 | runtime.dind.env | object | `{"DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE":"true"}` | Set additional env vars. |
-| runtime.dind.image | object | `{"registry":"quay.io","repository":"codefresh/dind","tag":"26.0.0-1.28.6"}` | Set dind image. |
+| runtime.dind.image | object | `{"pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/dind","tag":"26.0.0-1.28.6"}` | Set dind image. |
 | runtime.dind.nodeSelector | object | `{}` | Set node selector. |
 | runtime.dind.podAnnotations | object | `{}` | Set pod annotations. |
 | runtime.dind.podLabels | object | `{}` | Set pod labels. |
@@ -1051,6 +1159,16 @@ Go to [https://<YOUR_ONPREM_DOMAIN_HERE>/admin/runtime-environments/system](http
 | runtime.engine.serviceAccount | string | `"codefresh-engine"` | Set service account for pod. |
 | runtime.engine.tolerations | list | `[]` | Set tolerations. |
 | runtime.engine.userEnvVars | list | `[]` | Set extra env vars |
+| runtime.engine.workflowLimits | object | `{"MAXIMUM_ALLOWED_TIME_BEFORE_PRE_STEPS_SUCCESS":600,"MAXIMUM_ALLOWED_WORKFLOW_AGE_BEFORE_TERMINATION":86400,"MAXIMUM_ELECTED_STATE_AGE_ALLOWED":900,"MAXIMUM_RETRY_ATTEMPTS_ALLOWED":20,"MAXIMUM_TERMINATING_STATE_AGE_ALLOWED":900,"MAXIMUM_TERMINATING_STATE_AGE_ALLOWED_WITHOUT_UPDATE":300,"TIME_ENGINE_INACTIVE_UNTIL_TERMINATION":300,"TIME_ENGINE_INACTIVE_UNTIL_UNHEALTHY":60,"TIME_INACTIVE_UNTIL_TERMINATION":2700}` | Set workflow limits. |
+| runtime.engine.workflowLimits.MAXIMUM_ALLOWED_TIME_BEFORE_PRE_STEPS_SUCCESS | int | `600` | Maximum time allowed to the engine to wait for the pre-steps (aka "Initializing Process") to succeed; seconds. |
+| runtime.engine.workflowLimits.MAXIMUM_ALLOWED_WORKFLOW_AGE_BEFORE_TERMINATION | int | `86400` | Maximum time for workflow execution; seconds. |
+| runtime.engine.workflowLimits.MAXIMUM_ELECTED_STATE_AGE_ALLOWED | int | `900` | Maximum time allowed to workflow to spend in "elected" state; seconds. |
+| runtime.engine.workflowLimits.MAXIMUM_RETRY_ATTEMPTS_ALLOWED | int | `20` | Maximum retry attempts allowed for workflow. |
+| runtime.engine.workflowLimits.MAXIMUM_TERMINATING_STATE_AGE_ALLOWED | int | `900` | Maximum time allowed to workflow to spend in "terminating" state until force terminated; seconds. |
+| runtime.engine.workflowLimits.MAXIMUM_TERMINATING_STATE_AGE_ALLOWED_WITHOUT_UPDATE | int | `300` | Maximum time allowed to workflow to spend in "terminating" state without logs activity until force terminated; seconds. |
+| runtime.engine.workflowLimits.TIME_ENGINE_INACTIVE_UNTIL_TERMINATION | int | `300` | Time since the last health check report after which workflow is terminated; seconds. |
+| runtime.engine.workflowLimits.TIME_ENGINE_INACTIVE_UNTIL_UNHEALTHY | int | `60` | Time since the last health check report after which the engine is considered unhealthy; seconds. |
+| runtime.engine.workflowLimits.TIME_INACTIVE_UNTIL_TERMINATION | int | `2700` | Time since the last workflow logs activity after which workflow is terminated; seconds. |
 | runtime.gencerts | object | See below | Parameters for `gencerts-dind` post-upgrade/install hook |
 | runtime.inCluster | bool | `true` | (for On-Premise only) Set inCluster runtime |
 | runtime.patch | object | See below | Parameters for `runtime-patch` post-upgrade/install hook |

diff --git a/charts/cf-runtime/README.md.gotmpl b/charts/cf-runtime/README.md.gotmpl
@@ -20,6 +20,7 @@ Helm chart for deploying [Codefresh Runner](https://codefresh.io/docs/docs/insta
 - [Configuration](#configuration)
   - [EBS backend volume configuration in AWS](#ebs-backend-volume-configuration)
   - [Azure Disks backend volume configuration in AKS](#azure-disks-backend-volume-configuration)
+  - [GCE Disks backend volume configuration in GKE](#gce-disks-backend-volume-configuration-in-gke)
   - [Custom volume mounts](#custom-volume-mounts)
   - [Custom global environment variables](#custom-global-environment-variables)
   - [Volume reuse policy](#volume-reuse-policy)
@@ -440,6 +441,112 @@ runtime:
       topology.kubernetes.io/zone: northeurope-1
 ```
 
+### GCE Disks backend volume configuration in GKE
+
+`dind-volume-provisioner` should have `ComputeEngine.StorageAdmin` permissions
+
+There are three options:
+
+1. Run `dind-volume-provisioner` pod on the node/node-group with IAM Service Account
+
+```yaml
+storage:
+  # -- Set backend volume type (`local`/`ebs`/`ebs-csi`/`gcedisk`/`azuredisk`)
+  backend: gcedisk
+
+  gcedisk:
+    # -- Set GCP volume backend type (`pd-ssd`/`pd-standard`)
+    volumeType: "pd-standard"
+    # -- Set GCP volume availability zone
+    availabilityZone: "us-central1-c"
+
+volumeProvisioner:
+  # -- Set node selector
+  nodeSelector: {}
+  # -- Set tolerations
+  tolerations: []
+
+# -- Set runtime parameters
+runtime:
+  # -- Parameters for DinD (docker-in-docker) pod
+  dind:
+    # -- Set node selector.
+    nodeSelector:
+      topology.kubernetes.io/zone: us-central1-c
+```
+
+2. Pass static credentials in `.Values.storage.gcedisk.serviceAccountJson` (inline) or `.Values.storage.gcedisk.serviceAccountJsonSecretKeyRef` (from your own secret)
+
+```yaml
+storage:
+  # -- Set backend volume type (`local`/`ebs`/`ebs-csi`/`gcedisk`/`azuredisk`)
+  backend: gcedisk
+
+  gcedisk:
+    # -- Set GCP volume backend type (`pd-ssd`/`pd-standard`)
+    volumeType: "`pd-standard"
+    # -- Set GCP volume availability zone
+    availabilityZone: "us-central1-c"
+    # -- Set Google SA JSON key for volume-provisioner (optional)
+    serviceAccountJson: |
+        {
+        "type": "service_account",
+        "project_id": "...",
+        "private_key_id": "...",
+        "private_key": "...",
+        "client_email": "...",
+        "client_id": "...",
+        "auth_uri": "...",
+        "token_uri": "...",
+        "auth_provider_x509_cert_url": "...",
+        "client_x509_cert_url": "..."
+        }
+    # -- Existing secret containing containing Google SA JSON key for volume-provisioner (optional)
+    serviceAccountJsonSecretKeyRef: {}
+    # E.g.:
+    # serviceAccountJsonSecretKeyRef:
+    #   name: gce-service-account
+    #   key: service-account.json
+
+# -- Set runtime parameters
+runtime:
+  # -- Parameters for DinD (docker-in-docker) pod
+  dind:
+    # -- Set node selector.
+    nodeSelector:
+      topology.kubernetes.io/zone: us-central1-c
+```
+
+3. Assign IAM role to `dind-volume-provisioner` service account
+
+```yaml
+storage:
+  # -- Set backend volume type (`local`/`ebs`/`ebs-csi`/`gcedisk`/`azuredisk`)
+  backend: gcedisk
+
+  gcedisk:
+    # -- Set GCP volume backend type (`pd-ssd`/`pd-standard`)
+    volumeType: "`pd-standard"
+    # -- Set GCP volume availability zone
+    availabilityZone: "us-central1-c"
+
+volumeProvisioner:
+  # -- Service Account parameters
+  serviceAccount:
+    # -- Create service account
+    create: true
+    # -- Additional service account annotations
+    annotations:
+      iam.gke.io/gcp-service-account: <GSA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com
+
+# -- Set runtime parameters
+runtime:
+  # -- Parameters for DinD (docker-in-docker) pod
+  dind:
+    # -- Set node selector.
+    nodeSelector:
+      topology.kubernetes.io/zone: us-central1-c
+```
 
 ### Custom global environment variables
 

diff --git a/charts/cf-runtime/templates/_components/volume-provisioner/_env-vars.yaml b/charts/cf-runtime/templates/_components/volume-provisioner/_env-vars.yaml
@@ -34,7 +34,7 @@ AWS_SECRET_ACCESS_KEY:
 {{- end }}
 
 {{- if or .Values.storage.gcedisk.serviceAccountJson .Values.storage.gcedisk.serviceAccountJsonSecretKeyRef }}
-GOOGLE_APPLICATION_CREDENTIALS: /etc/dind-volume-provisioner/credentials/google-service-account.json
+GOOGLE_APPLICATION_CREDENTIALS: {{ printf "/etc/dind-volume-provisioner/credentials/%s" (.Values.storage.gcedisk.serviceAccountJsonSecretKeyRef.key | default "google-service-account.json") }}
 {{- end }}
 
 {{- if and .Values.storage.mountAzureJson }}
@@ -62,7 +62,7 @@ CLOUDCONFIG_AZURE: /etc/kubernetes/azure.json
     optional: true
   {{- else if .Values.storage.gcedisk.serviceAccountJsonSecretKeyRef }}
 - name: credentials
-  secrete:
+  secret:
     secretName: {{ .Values.storage.gcedisk.serviceAccountJsonSecretKeyRef.name }}
     optional: true
   {{- end }}
@@ -85,4 +85,4 @@ CLOUDCONFIG_AZURE: /etc/kubernetes/azure.json
   readOnly: true
   mountPath: "/etc/kubernetes/azure.json"
   {{- end }}
-{{- end }}
+{{- end }}
diff --git a/charts/cf-runtime/templates/_components/volume-provisioner/_secret.yaml b/charts/cf-runtime/templates/_components/volume-provisioner/_secret.yaml
@@ -9,7 +9,8 @@ metadata:
     {{- include "dind-volume-provisioner.labels" . | nindent 4 }}
 stringData:
   {{- with .Values.storage.gcedisk.serviceAccountJson }}
-  google-service-account.json: {{ . }}
+  google-service-account.json: |
+{{- . | nindent 4 }}
   {{- end }}
   {{- with .Values.storage.ebs.accessKeyId }}
   aws_access_key_id: {{ . }}

diff --git a/charts/cf-runtime/templates/runtime/runtime-env-spec-tmpl.yaml b/charts/cf-runtime/templates/runtime/runtime-env-spec-tmpl.yaml
@@ -13,6 +13,7 @@ runtimeScheduler:
   {{- if $engineContext.image }}
   image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" $engineContext.image "context" .) | squote }}
   {{- end }}
+  imagePullPolicy: {{ $engineContext.image.pullPolicy }}
   {{- with $engineContext.command }}
   command: {{- toYaml . | nindent 4 }}
   {{- end }}
@@ -37,7 +38,7 @@ runtimeScheduler:
   userEnvVars:  {{- toYaml . | nindent 4 }}
   {{- end }}
   {{- with $engineContext.workflowLimits }}
-  workflowLimits: {{ toYaml . | nindent 4 }}
+  workflowLimits: {{- toYaml . | nindent 4 }}
   {{- end }}
   cluster:
     namespace: {{ .Release.Namespace }}
@@ -85,6 +86,7 @@ dockerDaemonScheduler:
   {{- if $dindContext.image }}
   dindImage: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" $dindContext.image "context" .) | squote }}
   {{- end }}
+  imagePullPolicy: {{ $dindContext.image.pullPolicy }}
   {{- with $dindContext.userAccess }}
   userAccess: {{ . }}
   {{- end }}
@@ -192,4 +194,4 @@ appProxy:
 {{- if not .Values.runtime.agent }}
 systemHybrid: true
 {{- end }}
-{{- end }}
+{{- end }}
diff --git a/charts/cf-runtime/tests/private-registry/private_registry_test.yaml b/charts/cf-runtime/tests/private-registry/private_registry_test.yaml
@@ -32,14 +32,17 @@ tests:
             runtimeScheduler:
               type: KubernetesPod
               image: 'somedomain.io/codefresh/engine:tagoverride'
+              imagePullPolicy: IfNotPresent
               command:
                 - npm
                 - run
                 - start
               envVars:
                 CONTAINER_LOGGER_EXEC_CHECK_INTERVAL_MS: '1000'
+                FORCE_COMPOSE_SERIAL_PULL: 'false'
                 LOGGER_LEVEL: 'debug'
                 LOG_OUTGOING_HTTP_REQUESTS: 'false'
+                METRICS_PROMETHEUS_ENABLED: 'true'
                 COMPOSE_IMAGE: 'somedomain.io/codefresh/compose:tagoverride'
                 CONTAINER_LOGGER_IMAGE: 'somedomain.io/codefresh/cf-container-logger:tagoverride'
                 DOCKER_BUILDER_IMAGE: 'somedomain.io/codefresh/cf-docker-builder:tagoverride'
@@ -51,6 +54,16 @@ tests:
                 KUBE_DEPLOY: 'somedomain.io/codefresh/cf-deploy-kubernetes:tagoverride'
                 PIPELINE_DEBUGGER_IMAGE: 'somedomain.io/codefresh/cf-debugger:tagoverride'
                 TEMPLATE_ENGINE: 'somedomain.io/codefresh/pikolo:tagoverride'
+              workflowLimits:
+                MAXIMUM_ALLOWED_TIME_BEFORE_PRE_STEPS_SUCCESS: 600
+                MAXIMUM_ALLOWED_WORKFLOW_AGE_BEFORE_TERMINATION: 86400
+                MAXIMUM_ELECTED_STATE_AGE_ALLOWED: 900
+                MAXIMUM_RETRY_ATTEMPTS_ALLOWED: 20
+                MAXIMUM_TERMINATING_STATE_AGE_ALLOWED: 900
+                MAXIMUM_TERMINATING_STATE_AGE_ALLOWED_WITHOUT_UPDATE: 300
+                TIME_ENGINE_INACTIVE_UNTIL_TERMINATION: 300
+                TIME_ENGINE_INACTIVE_UNTIL_UNHEALTHY: 60
+                TIME_INACTIVE_UNTIL_TERMINATION: 2700
               cluster:
                 namespace: codefresh
                 serviceAccount: codefresh-engine
@@ -67,6 +80,7 @@ tests:
             dockerDaemonScheduler:
               type: DindKubernetesPod
               dindImage: 'somedomain.io/codefresh/dind:tagoverride'
+              imagePullPolicy: IfNotPresent
               userAccess: true
               envVars:
                 DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE: 'true'