
skiperator's Introduction

Skiperator

Skiperator is an operator intended to make the setup of applications simple from the users' point of view. When using the operator an application developer can set up all associated resources for an optimal deployment using a simple custom resource called Application.

Prerequisites

  • The Dockerfile must build an image where the user ID is set to 150 as this UID is hard coded in Skiperator

Application reference

Below you will find a list of all accepted input parameters to the Application custom resource.

For explanations of and requirements for every input, see the API documentation.

apiVersion: skiperator.kartverket.no/v1alpha1
kind: Application
metadata:
  name: teamname-frontend
  namespace: yournamespace
spec:
  # Required, everything beyond image and port is optional
  image: "kartverket/example"
  port: 8080
  
  priority: medium
  
  additionalPorts:
    - name: metrics-port
      port: 8181
      protocol: TCP
    - name: another-port
      port: 8282
      protocol: TCP
      
  command:
    - node
    - ./server.js
     
  ingresses:
    - testapp.dev.skip.statkart.no
    
  replicas: 2
  # or
  replicas:
    min: 2
    max: 5
    targetCpuUtilization: 80
    
  gcp:
    auth:
      serviceAccount: [email protected]
      
  env:
    - name: ENV
      value: PRODUCTION
    - name: USERNAME
      valueFrom:
        configMapKeyRef:
          name: some-configmap
          key: username
    - name: PASSWORD
      valueFrom:
        secretKeyRef:
          name: some-secret
          key: password
          
  envFrom:
    - configMap: some-configmap
    - secret: some-secret
  filesFrom:
    - emptyDir: temp-dir
      mountPath: /tmp
    - configMap: some-configmap
      mountPath: /var/run/configmap
    - secret: some-secret
      mountPath: /var/run/secret
    - persistentVolumeClaim: some-pvc
      mountPath: /var/run/volume
  
  strategy:
    type: RollingUpdate
  
  liveness:
    path: "/"
    port: 8080
    failureThreshold: 3
    timeout: 1
    initialDelay: 0
  readiness:
    # Readiness has the same options as liveness
    path: ..
  startup:
    # Startup has the same options as liveness
    path: ..
    
  labels:
    someLabel: some-label
    
  resourceLabels:
    Deployment:
      labelKey: A value for the label
    Service:
      labelKeyOne: A value for the one label
      labelKeyTwo: A value for the two label
      
  prometheus:
    port: 8181
    path: "/metrics"
  authorizationSettings:
    allowAll: false
    allowList:
      - "/actuator/health"
      - "/actuator/info"

  resources:
    limits:
      cpu: 1000m # Avoid using this
      memory: 1G
    requests:
      cpu: 25m
      memory: 250M
  
  enablePDB: true
  
  accessPolicy:
    inbound:
      # The rules list specifies a list of applications. When no namespace is
      # specified it refers to an app in the current namespace. For apps in
      # other namespaces, namespace is required. Alternately you can define
      # namespacesByLabel as a value-map of namespace labels. If both
      # namespace and namespacesByLabel are defined for an application,
      # namespacesByLabel is ignored
      rules:
        - application: other-app
        - application: third-app
          namespace: other-namespace
        - application: fourth-app
          namespacesByLabel:
            somelabel: somevalue
            anotherlabel: anothervalue
    # outbound specifies egress rules. Which apps on the cluster and the
    # internet are the Application allowed to send requests to? Alternately
    # you can define namespacesByLabel as a value-map of namespace labels.
    # If both namespace and namespacesByLabel are defined for an application,
    # namespacesByLabel is ignored
    outbound:
      rules:
        - application: some-app
          namespacesByLabel:
            somelabel: somevalue
        - application: other-app
      external:
        - host: nrk.no
        - host: smtp.mailgrid.com
          ip: "123.123.123.123"
          ports:
            - name: smtp
              protocol: TCP
              port: 587

SKIPJob reference

Below you will find a list of all accepted input parameters to the SKIPJob custom resource. Only the types of the fields are shown here; the fields themselves are documented in the API documentation.

apiVersion: skiperator.kartverket.no/v1alpha1
kind: SKIPJob
metadata:
  namespace: sample
  name: sample-job
spec:
  cron:
    schedule: "* * * * *"
    suspend: false 
    startingDeadlineSeconds: 10
  
  job: 
    activeDeadlineSeconds: 10
    backoffLimit: 10
    suspend: false
    ttlSecondsAfterFinished: 
    
  prometheus:
    path: /metrics
    port: 8080  
  
  container:
    # Pod
    image: ""
    command:
      - ""
    resources:
      requests:
        cpu: 10m
        memory: 128Mi
      limits:
        memory: 256Mi
    
    # Networking
    accessPolicy:
      inbound:
        rules:
          - application: ""
            namespace: ""
      outbound:
        external:
          - host: ""
            ip: ""
            ports:
              - name: ""
                port: 10
                protocol: ""
    additionalPorts:
      - name: ""
        port: 10
        protocol: ""
        
    # Volumes / environment    
    env:
      - name: ""
        value: ""
    envFrom:
      - configMap: ""
      - secret: ""
    filesFrom:
      - mountPath: ""
        # + one of:
        secret: ""
        configMap: ""
        emptyDir: ""
        persistentVolumeClaim: ""
      
    gcp:
      auth:
        serviceAccount: ""

    # Probes
    startup:
      path: ""
      port: 0
      failureThreshold: 0
      initialDelay: 0
      period: 0
      successThreshold: 0
      timeout: 0
    # Same as startup
    liveness:
      ...
    readiness:
      ...

    # Miscellaneous
    priority: ""    
    restartPolicy: ""

Routing reference

Routing is a separate custom resource that can be used to set up path-based routing for a Skiperator application. Use it instead of the ingresses field in the Application custom resource. Routes are processed in order, so the last route should be a catch-all route. Routing only works for applications in the same namespace as the Routing resource.

Below you will find a list of all accepted input parameters to the Routing custom resource. Only the types of the fields are shown here; the fields themselves are documented in the API documentation.

apiVersion: skiperator.kartverket.no/v1alpha1
kind: Routing
metadata:
  name: sample-routing
  namespace: sample
spec:
  hostname: app.example.com
  routes:
  - pathPrefix: /api
    rewriteUri: true
    targetApp: backend-app
  - pathPrefix: /
    rewriteUri: false
    targetApp: frontend-app
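The ordering rule above (first match wins, so the catch-all must come last) is easy to get wrong in a manifest. The following is an added example, not Skiperator's own code: a small first-match router over a route list shaped like the Routing spec, plus a lint pass that flags a missing catch-all and routes shadowed by an earlier prefix. The route list is constructed for the example, and the rewriteUri behaviour modelled here (strip the matched pathPrefix before forwarding) is an assumption, not something the page states.

```python
# Added example (not Skiperator code): first-match routing over a Routing-style
# route list, and a lint pass for the ordering rule described on this page.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    path_prefix: str
    target_app: str
    rewrite_uri: bool = False


# Constructed sample, shaped like the Routing spec on this page.
SAMPLE_ROUTES = [
    Route("/api", "backend-app", rewrite_uri=True),
    Route("/", "frontend-app", rewrite_uri=False),
]


def _prefix_matches(prefix: str, path: str) -> bool:
    """Match on whole path segments so that /api does not claim /apiary."""
    if prefix == "/":
        return True
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def route_request(routes: List[Route], path: str) -> Optional[Tuple[str, str]]:
    """Return (targetApp, forwarded_path) for the first matching route, or None.

    Assumption for this example: rewriteUri=true strips the matched pathPrefix
    before the request is forwarded to targetApp.
    """
    for r in routes:
        if _prefix_matches(r.path_prefix, path):
            if r.rewrite_uri and r.path_prefix != "/":
                forwarded = path[len(r.path_prefix.rstrip("/")):] or "/"
            else:
                forwarded = path
            return r.target_app, forwarded
    return None


def lint_routes(routes: List[Route]) -> List[str]:
    """Ordering checks a reviewer would want: catch-all last, no shadowed routes."""
    problems: List[str] = []
    if not routes or routes[-1].path_prefix != "/":
        problems.append("last route is not a catch-all ('/'); unmatched paths will not be routed")
    for i, earlier in enumerate(routes):
        for later in routes[i + 1:]:
            probe = later.path_prefix.rstrip("/") or "/"
            if _prefix_matches(earlier.path_prefix, probe):
                problems.append(
                    f"route {later.path_prefix} is shadowed by earlier route {earlier.path_prefix}"
                )
    return problems


if __name__ == "__main__":
    print(route_request(SAMPLE_ROUTES, "/api/users"))
    print(route_request(SAMPLE_ROUTES, "/apiary"))
    print(lint_routes(SAMPLE_ROUTES))
    print(lint_routes(list(reversed(SAMPLE_ROUTES))))
```

Running the lint over the reversed list shows why order matters: with "/" first, the "/api" route can never match, and the manifest no longer ends in a catch-all.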

Developing

See CONTRIBUTING.md for information on how to develop the Skiperator.


skiperator's Issues

accessPolicy rules without matching services give an error

When adding a new accessPolicy rule a lookup is done on a matching service. See https://github.com/kartverket/skiperator/blob/main/controllers/network_policy.go#L209. When this does not exist it fails in creating the NetworkPolicy entirely, thus disabling zero trust for that pod.

The behavior of this error is not obvious to the product teams as other resources are created correctly and networking is functional. This could instead be "logged" as an event in the namespace and skipped rather than aborting the creation of the NetworkPolicy.

The intended behavior should be that the NetworkPolicy is created despite any failures, so that the deny-all rules are always correctly applied.
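As an added example that is not Skiperator's own code, the block below models two things from this page: the precedence documented in the accessPolicy comments of the Application reference (no namespace means the current namespace; namespacesByLabel is ignored when namespace is also set), and the behaviour this issue asks for (a rule whose peer cannot be resolved is skipped and reported as an event, while the deny-all NetworkPolicy is still emitted). The accessPolicy and the set of known services are constructed for the example; the `app` pod label used in the selectors is an assumption, not Skiperator's documented labelling.

```python
# Added example (not Skiperator code): resolve accessPolicy rules into
# NetworkPolicy peers and keep default-deny even when a rule cannot be resolved.
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample accessPolicy, shaped like the Application reference above.
SAMPLE_ACCESS_POLICY = {
    "inbound": {"rules": [
        {"application": "other-app"},
        {"application": "third-app", "namespace": "other-namespace"},
        {"application": "fourth-app", "namespacesByLabel": {"somelabel": "somevalue"}},
        # both set: namespace wins, namespacesByLabel is ignored (documented precedence)
        {"application": "third-app", "namespace": "other-namespace",
         "namespacesByLabel": {"ignored": "yes"}},
    ]},
    "outbound": {"rules": [
        {"application": "some-app", "namespacesByLabel": {"somelabel": "somevalue"}},
    ]},
}

# Constructed stand-in for the cluster lookup the controller performs:
# (namespace, application) pairs that currently have a Service.
KNOWN_SERVICES: Set[Tuple[str, str]] = {
    ("yournamespace", "other-app"),
    ("other-namespace", "third-app"),
    ("yournamespace", "some-app"),
}


def resolve_namespace(rule: Dict, current_ns: str) -> Optional[str]:
    """Documented precedence: explicit namespace > namespacesByLabel > current namespace.
    Returns None when the rule selects namespaces by label (a set, not one namespace)."""
    if "namespace" in rule:
        return rule["namespace"]
    if "namespacesByLabel" in rule:
        return None
    return current_ns


def peer_selector(rule: Dict, current_ns: str) -> Dict:
    """One rule -> one NetworkPolicy peer. The 'app' pod label is an assumption."""
    ns = resolve_namespace(rule, current_ns)
    if ns is None:
        ns_selector = {"matchLabels": dict(rule["namespacesByLabel"])}
    else:
        ns_selector = {"matchLabels": {"kubernetes.io/metadata.name": ns}}
    return {"podSelector": {"matchLabels": {"app": rule["application"]}},
            "namespaceSelector": ns_selector}


def peer_exists(rule: Dict, current_ns: str, known: Set[Tuple[str, str]]) -> bool:
    ns = resolve_namespace(rule, current_ns)
    if ns is None:  # label-selected namespaces: accept if the app has a Service anywhere
        return any(app == rule["application"] for _, app in known)
    return (ns, rule["application"]) in known


def build_network_policy(app_name: str, current_ns: str, access_policy: Dict,
                         known: Set[Tuple[str, str]]) -> Tuple[Dict, List[str]]:
    """Return (policy, events). The deny-all skeleton is built first and is always
    returned; a rule whose peer is missing becomes an event instead of an abort."""
    events: List[str] = []
    policy = {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": app_name, "namespace": current_ns},
        "spec": {
            "podSelector": {"matchLabels": {"app": app_name}},
            # Listing both types with empty rule lists denies all traffic by default.
            "policyTypes": ["Ingress", "Egress"],
            "ingress": [],
            "egress": [],
        },
    }
    for direction, key, peer_key in (("inbound", "ingress", "from"),
                                     ("outbound", "egress", "to")):
        for rule in access_policy.get(direction, {}).get("rules", []):
            if not peer_exists(rule, current_ns, known):
                events.append(
                    f"Warning PeerNotFound: {direction} rule for application "
                    f"{rule['application']} has no matching Service; rule skipped"
                )
                continue
            policy["spec"][key].append({peer_key: [peer_selector(rule, current_ns)]})
    return policy, events


if __name__ == "__main__":
    pol, evs = build_network_policy("teamname-frontend", "yournamespace",
                                    SAMPLE_ACCESS_POLICY, KNOWN_SERVICES)
    print(len(pol["spec"]["ingress"]), "ingress rules,", len(pol["spec"]["egress"]), "egress rules")
    for e in evs:
        print(e)
```

The important property is visible when the lookup set is empty: every rule is reported, but the returned policy still carries both policyTypes with empty rule lists, so the pod is isolated rather than left without any NetworkPolicy at all.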

Documentation of the setup

The Dockerfile must have user/group id 150, since these are hard-coded in skiperator.

The secret for image pull must be defined manually and must be named github-auth, with credentials from georgrobot.

Support emptyDir volumes

With a root system that is not writable being able to define writable ephemeral volumes may be useful.

/tmp is writable anyway, so let's wait to see if this is actually a requirement.

accessPolicy.outbound without rules gives an error

If you specify accessPolicy.outbound.external without accessPolicy.outbound.rules, you get the following error:

1.6587390484239306e+09	ERROR	Reconciler error	{"controller": "application", "controllerGroup": "skiperator.kartverket.no", "controllerKind": "Application", "application": {"name":"application-sample","namespace":"skiperator-test"}, "namespace": "skiperator-test", "name": "application-sample", "reconcileID": "ba0e7942-d2d3-4ff7-8062-4e28926e6e5f", "error": "admission webhook \"validation.istio.io\" denied the request: configuration is invalid: gateway must have at least one server"}
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
	/home/henesp/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:273
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
	/home/henesp/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:234
1.6587390484238644e+09	ERROR	Reconciler error	{"controller": "application", "controllerGroup": "skiperator.kartverket.no", "controllerKind": "Application", "application": {"name":"application-sample","namespace":"skiperator-test"}, "namespace": "skiperator-test", "name": "application-sample", "reconcileID": "20e1f67d-3d36-4b57-aeab-070a42cac0f3", "error": "admission webhook \"validation.istio.io\" denied the request: configuration is invalid: 2 errors occurred:\n\t* delegate virtual service must have no gateways specified\n\t* http, tcp or tls must be provided in virtual service\n\n"}
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
	/home/henesp/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:273
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
	/home/henesp/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:234
