Add openshift-tekton-resources integration (#1892)

https://issues.redhat.com/browse/APPSRE-3389 This work has been split in two * The new integration in this commit * The openshift-saas-deploy bits in Openshift-tekton-resources: the saasherder part #1998 Signed-off-by: Rafa Porres Molina <rporresm@redhat.com>
app-sre · Nov 16, 2021 · 05471e3 · 05471e3
1 parent a4e08b7
commit 05471e3
Show file tree

Hide file tree

Showing 22 changed files with 1,499 additions and 0 deletions.
diff --git a/helm/qontract-reconcile/values-internal.yaml b/helm/qontract-reconcile/values-internal.yaml
@@ -216,6 +216,19 @@ integrations:
   logs:
     slack: true
   trigger: true
+- name: openshift-tekton-resources
+  # resources are tentative for the moment
+  resources:
+    requests:
+      memory: 800Mi
+      cpu: 400m
+    limits:
+      memory: 1000Mi
+      cpu: 600m
+  extraArgs: --no-use-jump-host
+  logs:
+    slack: true
+  internalCertificates: true
 - name: terraform-resources
   resources:
     requests:

diff --git a/openshift/qontract-reconcile-internal.yaml b/openshift/qontract-reconcile-internal.yaml
@@ -5224,6 +5224,215 @@ objects:
           emptyDir: {}
         - name: fluentd-config
           emptyDir: {}
+- apiVersion: apps/v1
+  kind: Deployment
+  metadata:
+    labels:
+      app: qontract-reconcile-openshift-tekton-resources
+    name: qontract-reconcile-openshift-tekton-resources
+  spec:
+    replicas: 1
+    selector:
+      matchLabels:
+        app: qontract-reconcile-openshift-tekton-resources
+    template:
+      metadata:
+        labels:
+          app: qontract-reconcile-openshift-tekton-resources
+          component: qontract-reconcile
+      spec:
+        serviceAccountName: qontract-reconcile
+        initContainers:
+        - name: internal-certificates
+          image: ${INTERNAL_CERTIFICATES_IMAGE}:${INTERNAL_CERTIFICATES_IMAGE_TAG}
+          imagePullPolicy: ${INTERNAL_CERTIFICATES_IMAGE_PULL_POLICY}
+          command: ["/bin/sh", "-c"]
+          args:
+          - |
+            cp -r /etc/pki/. /tmp/etc-pki/
+          volumeMounts:
+          - name: internal-certificates
+            mountPath: /tmp/etc-pki/
+        - name: config
+          image: ${BUSYBOX_IMAGE}:${BUSYBOX_IMAGE_TAG}
+          imagePullPolicy: ${BUSYBOX_IMAGE_PULL_POLICY}
+          resources:
+            requests:
+              memory: 10Mi
+              cpu: 15m
+            limits:
+              memory: 20Mi
+              cpu: 25m
+          env:
+          - name: SLACK_WEBHOOK_URL
+            valueFrom:
+              secretKeyRef:
+                key: slack.webhook_url
+                name: app-interface
+          - name: SLACK_CHANNEL
+            value: ${SLACK_CHANNEL}
+          - name: SLACK_ICON_EMOJI
+            value: ${SLACK_ICON_EMOJI}
+          - name: LOG_GROUP_NAME
+            valueFrom:
+              secretKeyRef:
+                name: ${CLOUDWATCH_SECRET}
+                key: log_group_name
+          command: ["/bin/sh", "-c"]
+          args:
+          - |
+            # generate fluent.conf
+            cat > /fluentd/etc/fluent.conf <<EOF
+            <source>
+              @type tail
+              path /fluentd/log/integration.log
+              pos_file /fluentd/log/integration.log.pos
+              tag integration
+              <parse>
+                @type none
+              </parse>
+            </source>
+
+            <filter integration>
+              @type grep
+              <exclude>
+                key message
+                pattern /using gql endpoint/
+              </exclude>
+            </filter>
+
+            <filter integration>
+              @type grep
+              <exclude>
+                key message
+                pattern /Certificate did not match expected hostname/
+              </exclude>
+            </filter>
+
+            <match integration>
+              @type copy
+              <store>
+                @type slack
+                webhook_url ${SLACK_WEBHOOK_URL}
+                channel ${SLACK_CHANNEL}
+                icon_emoji ${SLACK_ICON_EMOJI}
+                username sd-app-sre-bot
+                flush_interval 10s
+                message "\`\`\`[openshift-tekton-resources] %s\`\`\`"
+              </store>
+              <store>
+                @type cloudwatch_logs
+                log_group_name ${LOG_GROUP_NAME}
+                log_stream_name openshift-tekton-resources
+                auto_create_stream true
+              </store>
+            </match>
+            EOF
+          volumeMounts:
+          - name: fluentd-config
+            mountPath: /fluentd/etc/
+        containers:
+        - name: int
+          image: ${IMAGE}:${IMAGE_TAG}
+          ports:
+            - name: http
+              containerPort: 9090
+          env:
+          - name: SHARDS
+            value: "1"
+          - name: SHARD_ID
+            value: "0"
+          - name: DRY_RUN
+            value: ${DRY_RUN}
+          - name: INTEGRATION_NAME
+            value: openshift-tekton-resources
+          - name: INTEGRATION_EXTRA_ARGS
+            value: "--no-use-jump-host"
+          - name: SLEEP_DURATION_SECS
+            value: ${SLEEP_DURATION_SECS}
+          - name: GITHUB_API
+            valueFrom:
+              configMapKeyRef:
+                name: app-interface
+                key: GITHUB_API
+          - name: SENTRY_DSN
+            valueFrom:
+              configMapKeyRef:
+                name: app-interface
+                key: SENTRY_DSN
+          - name: LOG_FILE
+            value: "${LOG_FILE}"
+          - name: UNLEASH_API_URL
+            valueFrom:
+              secretKeyRef:
+                name: unleash
+                key: API_URL
+          - name: UNLEASH_CLIENT_ACCESS_TOKEN
+            valueFrom:
+              secretKeyRef:
+                name: unleash
+                key: CLIENT_ACCESS_TOKEN
+          - name: SLOW_OC_RECONCILE_THRESHOLD
+            value: "${SLOW_OC_RECONCILE_THRESHOLD}"
+          - name: LOG_SLOW_OC_RECONCILE
+            value: "${LOG_SLOW_OC_RECONCILE}"
+          - name: USE_NATIVE_CLIENT
+            value: "${USE_NATIVE_CLIENT}"
+          resources:
+            limits:
+              cpu: ${OPENSHIFT_TEKTON_RESOURCES_CPU_LIMIT}
+              memory: ${OPENSHIFT_TEKTON_RESOURCES_MEMORY_LIMIT}
+            requests:
+              cpu: ${OPENSHIFT_TEKTON_RESOURCES_CPU_REQUEST}
+              memory: ${OPENSHIFT_TEKTON_RESOURCES_MEMORY_REQUEST}
+          volumeMounts:
+          - name: qontract-reconcile-toml
+            mountPath: /config
+          - name: internal-certificates
+            mountPath: /etc/pki/
+          - name: logs
+            mountPath: /fluentd/log/
+        - name: fluentd
+          image: ${FLUENTD_IMAGE}:${FLUENTD_IMAGE_TAG}
+          imagePullPolicy: ${FLUENTD_IMAGE_PULL_POLICY}
+          env:
+          - name: AWS_REGION
+            valueFrom:
+              secretKeyRef:
+                name: ${CLOUDWATCH_SECRET}
+                key: aws_region
+          - name: AWS_ACCESS_KEY_ID
+            valueFrom:
+              secretKeyRef:
+                name: ${CLOUDWATCH_SECRET}
+                key: aws_access_key_id
+          - name: AWS_SECRET_ACCESS_KEY
+            valueFrom:
+              secretKeyRef:
+                name: ${CLOUDWATCH_SECRET}
+                key: aws_secret_access_key
+          resources:
+            requests:
+              memory: 30Mi
+              cpu: 15m
+            limits:
+              memory: 120Mi
+              cpu: 25m
+          volumeMounts:
+          - name: logs
+            mountPath: /fluentd/log/
+          - name: fluentd-config
+            mountPath: /fluentd/etc/
+        volumes:
+        - name: qontract-reconcile-toml
+          secret:
+            secretName: qontract-reconcile-toml
+        - name: logs
+          emptyDir: {}
+        - name: fluentd-config
+          emptyDir: {}
+        - name: internal-certificates
+          emptyDir: {}
 - apiVersion: apps/v1
   kind: Deployment
   metadata:
@@ -8366,6 +8575,14 @@ parameters:
   value: 400m
 - name: OPENSHIFT_SAAS_DEPLOY_TRIGGER_CLEANER_MEMORY_REQUEST
   value: 800Mi
+- name: OPENSHIFT_TEKTON_RESOURCES_CPU_LIMIT
+  value: 600m
+- name: OPENSHIFT_TEKTON_RESOURCES_MEMORY_LIMIT
+  value: 1000Mi
+- name: OPENSHIFT_TEKTON_RESOURCES_CPU_REQUEST
+  value: 400m
+- name: OPENSHIFT_TEKTON_RESOURCES_MEMORY_REQUEST
+  value: 800Mi
 - name: TERRAFORM_RESOURCES_CPU_LIMIT
   value: 600m
 - name: TERRAFORM_RESOURCES_MEMORY_LIMIT

diff --git a/reconcile/cli.py b/reconcile/cli.py
@@ -33,6 +33,7 @@
 import reconcile.openshift_saas_deploy_trigger_upstream_jobs
 import reconcile.openshift_saas_deploy_trigger_configs
 import reconcile.openshift_saas_deploy_trigger_cleaner
+import reconcile.openshift_tekton_resources
 import reconcile.saas_file_owners
 import reconcile.gitlab_ci_skipper
 import reconcile.gitlab_labeler
@@ -355,6 +356,14 @@ def gitlab_project_id(function):
     return function
 
 
+def saas_file_name(function):
+    function = click.option('--saas-file-name',
+                            help='saas-file to act on.',
+                            default=None)(function)
+
+    return function
+
+
 def enable_deletion(**kwargs):
     def f(function):
         opt = '--enable-deletion/--no-enable-deletion'
@@ -862,6 +871,22 @@ def openshift_saas_deploy_trigger_cleaner(ctx, thread_pool_size,
         ctx.obj, thread_pool_size, internal, use_jump_host)
 
 
+@integration.command()
+@threaded()
+@internal()
+@use_jump_host()
+@saas_file_name
+@click.pass_context
+def openshift_tekton_resources(ctx, thread_pool_size,
+                               internal, use_jump_host, saas_file_name):
+    run_integration(reconcile.openshift_tekton_resources,
+                    ctx.obj,
+                    thread_pool_size,
+                    internal,
+                    use_jump_host,
+                    saas_file_name)
+
+
 @integration.command()
 @throughput
 @click.argument('gitlab-project-id')