ROX-24553: Possibility to add additional VPA recommenders (#1888)

stackrox · Jul 5, 2024 · d5b920f · d5b920f
1 parent f23083a
commit d5b920f
Show file tree

Hide file tree

Showing 35 changed files with 2,570 additions and 29 deletions.
diff --git a/Makefile b/Makefile
@@ -777,6 +777,10 @@ deploy/route:
 	@oc process -f ./templates/route-template.yml --local | oc apply -f - -n $(NAMESPACE)
 .PHONY: deploy/route
 
+# This will create the redhat-pull-secret secret in the rhacs-vertical-pod-autoscaler namespace if it does not exist
+deploy/redhat-pull-secret:
+	./scripts/redhat-pull-secret.sh rhacs-vertical-pod-autoscaler
+
 # When making changes to the gitops configuration for development purposes
 # situated here dev/env/manifests/fleet-manager/04-gitops-config.yaml, this
 # target will update the gitops configmap on the dev cluster.

diff --git a/dev/config/gitops-config.yaml b/dev/config/gitops-config.yaml
@@ -7,6 +7,18 @@ rhacsOperators:
       image: "quay.io/rhacs-eng/stackrox-operator:4.4.2"
       centralLabelSelector: "rhacs.redhat.com/version-selector=4.4.2"
       securedClusterReconcilerEnabled: false
+verticalPodAutoscaling:
+  recommenders:
+    - image: registry.redhat.io/openshift4/ose-vertical-pod-autoscaler-rhel9@sha256:d268de83bd371a725c0d0dad8a48008afa982c10e2997b24ff6d139d90d964f6
+      name: vpa-1
+      imagePullSecrets: [{ name: redhat-pull-secret }]
+      recommendationMarginFraction: 0.30
+      podRecommendationMinCpuMillicores: 10
+    - image: registry.redhat.io/openshift4/ose-vertical-pod-autoscaler-rhel9@sha256:d268de83bd371a725c0d0dad8a48008afa982c10e2997b24ff6d139d90d964f6
+      name: vpa-2
+      imagePullSecrets: [{ name: redhat-pull-secret }]
+      recommendationMarginFraction: 0.30
+      podRecommendationMinCpuMillicores: 20
 tenantResources:
   default: |
     labels:
@@ -22,6 +34,18 @@ tenantResources:
     verticalPodAutoscalers:
       central:
         enabled: true
+        updatePolicy:
+          updateMode: "Auto"
+          minReplicas: 1
+        resourcePolicy:
+          containerPolicies:
+            - containerName: "*"
+              minAllowed:
+                cpu: "100m"
+                memory: "50Mi"
+              maxAllowed:
+                cpu: "1"
+                memory: "2Gi"
 centrals:
   overrides:
     - instanceIds:

diff --git a/dev/env/scripts/bootstrap.sh b/dev/env/scripts/bootstrap.sh
@@ -49,7 +49,11 @@ else
     log "Skipping installation of Vertical Pod Autoscaler"
 fi
 
-apply "${MANIFESTS_DIR}/monitoring"
+# skip manifests if openshift cluster using is_openshift_cluster
+if ! is_openshift_cluster "$CLUSTER_TYPE"; then
+    apply "${MANIFESTS_DIR}/monitoring"
+fi
+
 apply "${MANIFESTS_DIR}/addons"
 
 if is_local_cluster "$CLUSTER_TYPE"; then

diff --git a/dev/env/scripts/up.sh b/dev/env/scripts/up.sh
@@ -54,6 +54,8 @@ if ! is_openshift_cluster "$CLUSTER_TYPE"; then
     $KUBECTL -n "$ACSCS_NAMESPACE" create secret generic fleet-manager-tls 2> /dev/null || true
     $KUBECTL -n "$ACSCS_NAMESPACE" create secret generic fleet-manager-envoy-tls 2> /dev/null || true
     $KUBECTL -n "$ACSCS_NAMESPACE" create secret generic fleet-manager-active-tls 2> /dev/null || true
+    # Create the redhat-pull-secret in the rhacs-vertical-pod-autoscaler namespace
+    make -C "$GITROOT" deploy/redhat-pull-secret
 fi
 
 log "Deploying fleet-manager"

diff --git a/fleetshard/pkg/central/charts/charts_test.go b/fleetshard/pkg/central/charts/charts_test.go
@@ -9,7 +9,6 @@ import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	ctrlClient "sigs.k8s.io/controller-runtime/pkg/client"
 
-	"helm.sh/helm/v3/pkg/chart/loader"
 	"helm.sh/helm/v3/pkg/chartutil"
 
 	"github.com/stretchr/testify/assert"
@@ -41,10 +40,7 @@ func TestTenantResourcesChart(t *testing.T) {
 }
 
 func TestInstallOrUpdateChartCreateNew(t *testing.T) {
-	chartFiles, err := TraverseChart(testdata, "testdata/test-chart")
-	require.NoError(t, err)
-	chart, err := loader.LoadFiles(chartFiles)
-	require.NoError(t, err)
+	chart := mustGetChart(t, "test-chart")
 	fakeClient := testutils.NewFakeClientBuilder(t).Build()
 	ctx := context.Background()
 
@@ -70,10 +66,7 @@ func TestInstallOrUpdateChartCreateNew(t *testing.T) {
 }
 
 func TestInstallOrUpdateChartUpdateExisting(t *testing.T) {
-	chartFiles, err := TraverseChart(testdata, "testdata/test-chart")
-	require.NoError(t, err)
-	chart, err := loader.LoadFiles(chartFiles)
-	require.NoError(t, err)
+	chart := mustGetChart(t, "test-chart")
 	fakeClient := testutils.NewFakeClientBuilder(t, dummyDeployment).Build()
 	ctx := context.Background()
 

diff --git a/fleetshard/pkg/central/charts/data/rhacs-vertical-pod-autoscaler/Chart.yaml b/fleetshard/pkg/central/charts/data/rhacs-vertical-pod-autoscaler/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: rhacs-vertical-pod-autoscaler
+description: A Helm chart for Kubernetes
+type: application
+version: 0.0.0
+appVersion: "0.0.0"
diff --git a/fleetshard/pkg/central/charts/data/rhacs-vertical-pod-autoscaler/templates/proxy-config.yaml b/fleetshard/pkg/central/charts/data/rhacs-vertical-pod-autoscaler/templates/proxy-config.yaml
@@ -0,0 +1,58 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: proxy-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: "rhacs-vpa-recommender"
+    app.kubernetes.io/instance: {{ $.Release.Name | quote }}
+    app.kubernetes.io/version: {{ $.Chart.AppVersion | quote }}
+    app.kubernetes.io/managed-by: {{ $.Release.Service | quote }}
+    helm.sh/chart: "{{ $.Chart.Name }}-{{ $.Chart.Version | replace "+" "_"}}"
+    meta.helm.sh/release-name: {{ $.Release.Name | quote }}
+    meta.helm.sh/release-namespace: {{ $.Release.Namespace | quote }}
+data:
+  server.js: |
+
+    /**
+     * On openshift, prometheus has a kube-rbac-proxy that requires a token to access the metrics endpoint.
+     * VerticalPodAutoscaler recommenders don't support a token-based authentication.
+     * This proxy is a simple http server that forwards requests to the prometheus metrics endpoint with the token.
+     **/
+
+    const http = require('http');
+    const https = require('https');
+    const fs = require('fs');
+    const os = require('os');
+
+    const TOKEN_PATH = process.env.TOKEN_PATH || '/var/run/secrets/kubernetes.io/serviceaccount/token'
+    const UPSTREAM_PROTOCOL = process.env.UPSTREAM_PROTOCOL || 'http'
+    const UPSTREAM_HOST = process.env.UPSTREAM_HOST
+    const UPSTREAM_PORT = process.env.UPSTREAM_PORT
+    const LISTEN_PORT = process.env.LISTEN_PORT || "9000"
+
+    function onRequest(req, res) {
+      const secret = fs.readFileSync(TOKEN_PATH, 'utf8');
+      const options = {
+        hostname: UPSTREAM_HOST,
+        port: UPSTREAM_PORT,
+        path: req.url,
+        method: req.method,
+        protocol: UPSTREAM_PROTOCOL + ':',
+        headers: {
+          ...req.headers,
+          'authorization': 'Bearer ' + secret,
+          'host': UPSTREAM_HOST
+        },
+        changeOrigin: true
+      };
+      const fn = options.protocol === 'https:' ? https : http;
+      const proxy = fn.request(options, function (r) {
+        res.writeHead(r.statusCode, r.headers);
+        r.pipe(res, {end: true});
+      });
+      req.pipe(proxy, {end: true});
+    }
+
+    http.createServer(onRequest).listen(LISTEN_PORT, '0.0.0.0');
+    console.log('Proxying on port 9000')