WIP: Push image to Quay

.circleci/config.yml

@@ -0,0 +1,32 @@
+version: 2.1
+
+orbs:
+  architect: giantswarm/architect@1.1.0
+
+workflows:
+  build:
+    jobs:
+      - architect/push-to-docker:
+          context: "architect"
+          name: push-scaphandre-to-quay
+          image: "quay.io/giantswarm/scaphandre"
+          username_envar: "QUAY_USERNAME"
+          password_envar: "QUAY_PASSWORD"
+          # Needed to trigger job also on git tag.
+          filters:
+            tags:
+              only: /^v.*/
+
+      - architect/push-to-app-catalog:
+          context: "architect"
+          name: push-scaphandre-to-playground-catalog
+          app_catalog: "giantswarm-playground-catalog"
+          app_catalog_test: "giantswarm-playground-test-catalog"
+          chart: "scaphandre"
+          requires:
+            - push-scaphandre-to-quay
+          # Needed to trigger job also on git tag.
+          filters:
+            tags:
+              only: /^v.*/
+

Dockerfile

@@ -0,0 +1,35 @@
+FROM rust:1.48 as planner
+WORKDIR app
+
+RUN cargo install cargo-chef
+COPY . .
+
+# Analyze dependencies
+RUN cargo chef prepare  --recipe-path recipe.json
+
+FROM rust:1.48 as cacher
+WORKDIR app
+RUN cargo install cargo-chef
+COPY --from=planner /app/recipe.json recipe.json
+
+# Cache dependencies
+RUN cargo chef cook --release --recipe-path recipe.json
+
+FROM rust:1.48 as builder
+WORKDIR app
+COPY . .
+
+# Copy over the cached dependencies
+COPY --from=cacher /app/target target
+COPY --from=cacher $CARGO_HOME $CARGO_HOME
+RUN cargo build --release
+
+FROM ubuntu:20.10 as runtime
+WORKDIR app
+
+RUN apt-get update \
+    && DEBIAN_FRONTEND="noninteractive" apt-get install -y ca-certificates tzdata \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY --from=builder /app/target/release/scaphandre /usr/local/bin
+ENTRYPOINT ["/usr/local/bin/scaphandre"]

helm/scaphandre/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+appVersion: v0.1.1
+description: A Helm chart for Scaphande electrical power consumption agent
+home: https://github.com/hubblo-org/scaphandre
+name: scaphandre
+version: [[ .Version ]]

helm/scaphandre/templates/daemonset.yaml

@@ -0,0 +1,51 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ .Chart.Name }}
+  labels:
+    app.kubernetes.io/name: {{ .Chart.Name }}
+spec:
+  updateStrategy:
+    type: RollingUpdate
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ .Chart.Name }}
+  template:
+    metadata:
+      name: {{ .Chart.Name }}
+      labels:
+        app.kubernetes.io/name: {{ .Chart.Name }}
+    spec:
+      tolerations:
+      # Tolerate all taints for observability
+      - operator: "Exists"
+      securityContext:
+        runAsUser: {{ .Values.userID }}
+        runAsGroup: {{ .Values.userGroup }}
+      containers:
+      - name: {{ .Chart.Name }}
+        image: "{{ .Values.image.registry }}/{{ .Values.image.name }}:{{ .Values.image.tag }}"
+        ports:
+        - name: metrics
+          containerPort: {{ .Values.port }}
+        args:
+        - 'prometheus'
+        resources:
+{{ toYaml .Values.resources | indent 10 }}
+        volumeMounts:
+        - mountPath: /proc
+          name: proc
+          readOnly: false
+        - mountPath: /sys/class/powercap
+          name: powercap
+          readOnly: false
+      volumes:
+      - hostPath:
+          path: /proc
+          type: "Directory"
+        name: proc
+      - hostPath:
+          path: /sys/class/powercap
+          type: "Directory"
+        name: powercap
+      serviceAccountName: {{ .Chart.Name }}

helm/scaphandre/templates/psp.yaml

@@ -0,0 +1,27 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ .Chart.Name }}
+  labels:
+    app.kubernetes.io/name: {{ .Chart.Name }}  
+spec:
+  privileged: true
+  allowPrivilegeEscalation: false
+  runAsUser:
+    rule: RunAsAny
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 1
+        max: 65535
+  volumes:
+  - 'hostPath'
+  hostPID: true
+  hostIPC: true

helm/scaphandre/templates/rbac.yaml

@@ -0,0 +1,30 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ .Chart.Name }}
+  labels:
+    app.kubernetes.io/name: {{ .Chart.Name }}  
+subjects:
+- kind: ServiceAccount
+  name: {{ .Chart.Name }}
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: {{ .Chart.Name }}
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Chart.Name }}
+  labels:
+    app.kubernetes.io/name: {{ .Chart.Name }}  
+rules:
+- apiGroups:
+  - extensions
+  resources:
+  - podsecuritypolicies
+  resourceNames:
+  - {{ .Chart.Name }}
+  verbs:
+  - "use"

helm/scaphandre/templates/service-account.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Chart.Name }}
+  labels:
+    app.kubernetes.io/name: {{ .Chart.Name }}

helm/scaphandre/templates/service.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Chart.Name }}
+  labels:
+    app.kubernetes.io/name: {{ .Chart.Name }}
+  annotations:
+    prometheus.io/port: "{{ .Values.port  }}"
+    prometheus.io/scheme: "http"
+    prometheus.io/scrape: "true"
+spec:
+  ports:
+  - port: {{ .Values.port }}
+    name: metrics
+    targetPort: metrics
+  selector:
+    app.kubernetes.io/name: {{ .Chart.Name }}

helm/scaphandre/values.yaml

@@ -0,0 +1,17 @@
+image:
+  registry: quay.io
+  name: giantswarm/scaphandre
+  tag: [[ .Version ]]
+
+port: 8080
+
+resources:
+  limits:
+    memory: 75Mi
+  requests:
+    cpu: 75m
+    memory: 50Mi
+
+# Run as root user to get proper permissions
+userID: 0
+groupID: 0