Merge pull request #1454 from smerle33/geoip-nomount

feat(geoipupdater): remove the mount for the pvc as we use azcopy
jenkins-infra · Dec 2, 2024 · d0a5eb6 · d0a5eb6
2 parents 353c0f2 + 315b20e
commit d0a5eb6
Show file tree

Hide file tree

Showing 10 changed files with 199 additions and 57 deletions.
diff --git a/charts/geoipupdates/Chart.yaml b/charts/geoipupdates/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 description: MaxMind GeoIP database updater
 name: geoipupdates
-version: 1.0.0
+version: 2.0.0
 appVersion: "v7.1.0"
 maintainers:
 - email: jenkins-infra-team@googlegroups.com

diff --git a/charts/geoipupdates/templates/cronjob.yaml b/charts/geoipupdates/templates/cronjob.yaml
@@ -1,3 +1,4 @@
+---
 apiVersion: batch/v1
 kind: CronJob
 metadata:
@@ -13,28 +14,47 @@ spec:
         spec:
           serviceAccountName: {{ include "geoipupdate.fullname" . }}
           restartPolicy: Never
+          {{- with .Values.imagePullSecrets }}
+            imagePullSecrets:
+              {{- toYaml . | nindent 12 }}
+          {{- end }}
           containers:
             - name: geoipupdate
-              image: "{{ .Values.image }}:{{ .Chart.AppVersion }}"
-              imagePullPolicy: {{ .Values.imagePullPolicy }}
+              image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+              imagePullPolicy: {{ .Values.image.pullPolicy }}
               {{- with .Values.containerSecurityContext }}
               securityContext:
                 {{- toYaml . | nindent 16 }}
               {{- end }}
               volumeMounts:
-                - name: geoipdata
-                  mountPath: /usr/share/GeoIP
-                  readOnly: false
                 - name: tmpdir
                   mountPath: /tmp
                   readOnly: false
+              {{- with .Values.resources }}
               resources:
-                {{- toYaml .Values.resources | nindent 16 }}
+                {{- toYaml . | nindent 16 }}
+              {{- end }}
               env:
+                {{- with .Values.geoipupdate.dryrun }}
+                - name: GEOIPUPDATE_DRYRUN
+                  value: {{ . | quote }}
+                {{- end }}
+                {{- with .Values.geoipupdate.editions }}
                 - name: GEOIPUPDATE_EDITION_IDS
-                  value: {{ .Values.geoipupdate.editions }}
+                  value: {{ . }}
+                {{- end }}
+                {{- with .Values.geoipupdate.update_frequency }}
                 - name: GEOIPUPDATE_FREQUENCY
-                  value: {{ .Values.geoipupdate.update_frequency | quote }}
+                  value: {{ . | quote }}
+                {{- end }}
+                {{- with .Values.geoipupdate.storage_name }}
+                - name: STORAGE_NAME
+                  value: {{ . }}
+                {{- end }}
+                {{- with .Values.geoipupdate.storage_fileshare }}
+                - name: STORAGE_FILESHARE
+                  value: {{ . }}
+                {{- end }}
               envFrom:
               - secretRef:
                   name: {{ include "geoipupdate.fullname" . }}
@@ -51,12 +71,6 @@ spec:
             {{- toYaml . | nindent 12 }}
           {{- end }}
           volumes:
-            - name: geoipdata
-            {{- if .Values.dataVolume }}
-              {{- toYaml .Values.dataVolume | nindent 14 }}
-            {{- else }}
-              emptyDir: {}
-            {{- end }}
             - name: tmpdir
               emptyDir:
                 medium: "Memory"
diff --git a/charts/geoipupdates/templates/rbac.yaml b/charts/geoipupdates/templates/rbac.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "geoipupdate.fullname" . }}
+  labels:
+{{ include "geoipupdate.labels" . | indent 4 }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "geoipupdate.fullname" . }}
+  labels:
+{{ include "geoipupdate.labels" . | indent 4 }}
+rules:
+  - apiGroups: ["batch"]
+    resources: ["pods"]
+    resourceNames: [{{ include "geoipupdate.fullname" . }}]
+    verbs: ["get", "read", "list", "watch", "create", "patch", "replace", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "geoipupdate.fullname" . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "geoipupdate.fullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "geoipupdate.fullname" . }}
diff --git a/charts/geoipupdates/templates/secret.yaml b/charts/geoipupdates/templates/secret.yaml
@@ -8,4 +8,7 @@ type: Opaque
 data:
   GEOIPUPDATE_ACCOUNT_ID: {{ .Values.geoipupdate.account_id | b64enc }}
   GEOIPUPDATE_LICENSE_KEY: {{ .Values.geoipupdate.license_key | b64enc }}
+  JENKINS_INFRA_FILESHARE_CLIENT_ID: {{ .Values.geoipupdate.fileshare_client_id | b64enc }}
+  JENKINS_INFRA_FILESHARE_CLIENT_SECRET: {{ .Values.geoipupdate.fileshare_client_secret | b64enc }}
+  JENKINS_INFRA_FILESHARE_TENANT_ID: {{ .Values.geoipupdate.fileshare_tenant_id | b64enc }}
 {{- end }}
diff --git a/charts/geoipupdates/tests/custom_values_test.yaml b/charts/geoipupdates/tests/custom_values_test.yaml
@@ -0,0 +1,59 @@
+suite: Tests with custom values
+values:
+  - values/custom_geoipupdater.yaml
+templates:
+  - cronjob.yaml
+tests:
+  - it: should define a customized "geoipupdate" cronjob
+    template: cronjob.yaml
+    asserts:
+      - hasDocuments:
+          count: 1
+      - isKind:
+          of: CronJob
+      - equal:
+          path: metadata.name
+          value: RELEASE-NAME-geoipupdates
+      - equal:
+          path:  metadata.labels["app.kubernetes.io/name"]
+          value: "geoipupdate"
+      - equal:
+          path: metadata.labels["app.kubernetes.io/instance"]
+          value: "RELEASE-NAME"
+      - equal:
+          path: "spec.jobTemplate.spec.template.spec.containers[*].imagePullPolicy"
+          value: IfNotPresent
+      - equal:
+          path: spec.jobTemplate.spec.template.spec.volumes[0].emptyDir.medium
+          value: "Memory"
+      - equal:
+          path: spec.jobTemplate.spec.template.spec.containers[0].volumeMounts[0].readOnly
+          value: false
+      # Env. variables
+      - equal:
+          path: spec.jobTemplate.spec.template.spec.containers[0].env[0].name
+          value: GEOIPUPDATE_DRYRUN
+      - equal:
+          path: spec.jobTemplate.spec.template.spec.containers[0].env[1].name
+          value: GEOIPUPDATE_EDITION_IDS
+      - equal:
+          path: spec.jobTemplate.spec.template.spec.containers[0].env[1].value
+          value: alleditions
+      - equal:
+          path: spec.jobTemplate.spec.template.spec.containers[0].env[2].name
+          value: GEOIPUPDATE_FREQUENCY
+      - equal:
+          path: spec.jobTemplate.spec.template.spec.containers[0].env[2].value
+          value: "74"
+      - equal:
+          path: spec.jobTemplate.spec.template.spec.containers[0].env[3].name
+          value: STORAGE_NAME
+      - equal:
+          path: spec.jobTemplate.spec.template.spec.containers[0].env[3].value
+          value: mystoragename
+      - equal:
+          path: spec.jobTemplate.spec.template.spec.containers[0].env[4].name
+          value: STORAGE_FILESHARE
+      - equal:
+          path: spec.jobTemplate.spec.template.spec.containers[0].env[4].value
+          value: myfileshare
diff --git a/charts/geoipupdates/tests/defaults_test.yaml b/charts/geoipupdates/tests/defaults_test.yaml
@@ -2,13 +2,17 @@ suite: default tests
 templates:
   - cronjob.yaml
 tests:
-  - it: should define the default "geoipupdate" cronjob with default imagePullPolicy and metadata labels
+  - it: should define the default "geoipupdate" cronjob with default image.pullPolicy and metadata labels
     template: cronjob.yaml
     asserts:
       - hasDocuments:
           count: 1
-      - isKind:
+      - documentIndex: 0
+        isKind:
           of: CronJob
+      - equal:
+          path: metadata.name
+          value: RELEASE-NAME-geoipupdates
       - equal:
           path:  metadata.labels["app.kubernetes.io/name"]
           value: "geoipupdate"
@@ -18,32 +22,32 @@ tests:
       - equal:
           path: "spec.jobTemplate.spec.template.spec.containers[*].imagePullPolicy"
           value: IfNotPresent
-      # GeoIP is an emptyDir, with default mountpath
-      - equal:
-          path: spec.jobTemplate.spec.template.spec.volumes[0].name
-          value: geoipdata
-      - equal:
-          path: spec.jobTemplate.spec.template.spec.volumes[0].emptyDir
-          value: {}
       - equal:
-          path: spec.jobTemplate.spec.template.spec.containers[0].volumeMounts[0].name
-          value: geoipdata
-      - equal:
-          path: spec.jobTemplate.spec.template.spec.containers[0].volumeMounts[0].mountPath
-          value: /usr/share/GeoIP
+          path: spec.jobTemplate.spec.template.spec.volumes[0].emptyDir.medium
+          value: "Memory"
       - equal:
           path: spec.jobTemplate.spec.template.spec.containers[0].volumeMounts[0].readOnly
           value: false
       # Env. variables
       - equal:
           path: spec.jobTemplate.spec.template.spec.containers[0].env[0].name
-          value: GEOIPUPDATE_EDITION_IDS
+          value: GEOIPUPDATE_DRYRUN
       - equal:
           path: spec.jobTemplate.spec.template.spec.containers[0].env[0].value
-          value: GeoLite2-ASN GeoLite2-City GeoLite2-Country
+          value: "true"
       - equal:
           path: spec.jobTemplate.spec.template.spec.containers[0].env[1].name
-          value: GEOIPUPDATE_FREQUENCY
+          value: GEOIPUPDATE_EDITION_IDS
       - equal:
           path: spec.jobTemplate.spec.template.spec.containers[0].env[1].value
+          value: GeoLite2-ASN GeoLite2-City GeoLite2-Country
+      - equal:
+          path: spec.jobTemplate.spec.template.spec.containers[0].env[2].name
+          value: GEOIPUPDATE_FREQUENCY
+      - equal:
+          path: spec.jobTemplate.spec.template.spec.containers[0].env[2].value
           value: "24"
+      - notExists:
+          path: spec.jobTemplate.spec.template.spec.containers[0].env[3].name
+      - notExists:
+          path: spec.jobTemplate.spec.template.spec.containers[0].env[4].name
diff --git a/charts/geoipupdates/tests/defaults_test_rbac.yaml b/charts/geoipupdates/tests/defaults_test_rbac.yaml
@@ -0,0 +1,18 @@
+suite: default tests for rbac
+templates:
+  - rbac.yaml
+tests:
+  - it: should define the default "objects" for rbac (ServiceAccount, Role, RoleBinding)
+    template: rbac.yaml
+    asserts:
+      - hasDocuments:
+          count: 3
+      - documentIndex: 0
+        isKind:
+          of: ServiceAccount
+      - documentIndex: 1
+        isKind:
+          of: Role
+      - documentIndex: 2
+        isKind:
+          of: RoleBinding
diff --git a/charts/geoipupdates/tests/values/custom_geoipupdater.yaml b/charts/geoipupdates/tests/values/custom_geoipupdater.yaml
@@ -0,0 +1,12 @@
+geoipupdate:
+  dryrun: true
+  account_id: "myaccount"
+  license_key: "mylicencekey"
+  fileshare_client_id: "clientid"
+  fileshare_client_secret: "clientsecret"
+  fileshare_tenant_id: "tenantid"
+  editions: "alleditions"
+  update_frequency: 74
+  storage_name: "mystoragename"
+  storage_fileshare: "myfileshare"
+  cron: '0 6 * * *' # default to every day at 6AM
diff --git a/charts/geoipupdates/values.yaml b/charts/geoipupdates/values.yaml
@@ -1,13 +1,21 @@
-image: ghcr.io/maxmind/geoipupdate
+image:
+  repository: jenkinsciinfra/geoipupdate
+  tag: 0.2.1
+  pullPolicy: IfNotPresent
 imagePullSecrets: []
-imagePullPolicy: IfNotPresent
 # securityContext:
 # Secret values, set to empty below for reference:
 geoipupdate:
+  dryrun: true
   account_id: ""
   license_key: ""
-  editions: GeoLite2-ASN GeoLite2-City GeoLite2-Country
+  fileshare_client_id: ""
+  fileshare_client_secret: ""
+  fileshare_tenant_id: ""
+  editions: "GeoLite2-ASN GeoLite2-City GeoLite2-Country"
   update_frequency: 24
+  storage_name: ""
+  storage_fileshare: ""
   cron: '0 4 * * *' # default to every day at 4AM
 podSecurityContext: {}
 # fsGroup: 2000
@@ -19,22 +27,16 @@ containerSecurityContext: {}
 # runAsNonRoot: true
 # runAsUser: 1000
 resources: {}
-# We usually recommend not to specify default resources and to leave this as a conscious
-# choice for the user. This also increases chances charts run on environments with little
-# resources, such as Minikube. If you do want to specify resources, uncomment the following
-# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-# limits:
-#   cpu: 100m
-#   memory: 128Mi
-# requests:
-#   cpu: 100m
-#   memory: 128Mi
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   cpu: 100m
+  #   memory: 256Mi # minimum 256Mi to avoid OMM kill for `az login`
+  # requests:
+  #   cpu: 100m
+  #   memory: 256Mi
 nodeSelector: {}
 tolerations: []
 affinity: {}
-
-## Defines the geoipdata volume
-## Example with a statically provisionned PVC;
-# dataVolume:
-#   persistentVolumeClaim:
-#     claimName: existing-pvc
diff --git a/updatecli/updatecli.d/geoipupdates.yaml b/updatecli/updatecli.d/geoipupdates.yaml
@@ -1,4 +1,4 @@
-name: Bump `ghcr.io/maxmind/geoipupdate` docker image and helm chart versions
+name: Bump `jenkinsciinfra/geoipupdate` docker image and helm chart versions
 
 scms:
   default:
@@ -14,20 +14,20 @@ scms:
 
 sources:
   lastVersion:
-    name: Get latest version of maxmind/geoipupdate
+    name: Get latest version of jenkinsciinfra/geoipupdate
     kind: githubrelease
     spec:
-      owner: maxmind
-      repository: geoipupdate
+      owner: jenkins-infra
+      repository: docker-geoipupdate
       token: "{{ requiredEnv .github.token }}"
       username: "{{ .github.username }}"
 
 conditions:
   checkGeoIPDockerImagePublished:
-    name: Ensure that the image "ghcr.io/maxmind/geoipupdate:<found_version>" is published
+    name: Ensure that the image "jenkinsciinfra/geoipupdate:<found_version>" is published
     kind: dockerimage
     spec:
-      image: ghcr.io/maxmind/geoipupdate
+      image: jenkinsciinfra/geoipupdate
       architectures:
         - "arm64"
       # Tag comes from sourceid