Merge pull request #2 from StackEng/vakil/ASCN-202

ASCN-202:  Local k8s / docker / cnab for opserver

Author: stephen-vakil

Dockerfile

@@ -22,7 +22,13 @@ WORKDIR /app/src/Opserver.Web
 RUN dotnet publish -c Release -o publish
 
 # Build runtime image
-FROM mcr.microsoft.com/dotnet/aspnet:6.0 AS web
+FROM cr.stackoverflow.software/so-aspnet:6.0-jammy-chiseled AS base
+
+USER $APP_UID
+
 WORKDIR /app
-COPY --from=web-publish /app/src/Opserver.Web/publish ./
+COPY --chown=app:app --from=web-publish /app/src/Opserver.Web/publish ./
+COPY --chown=app:app --from=web-publish /app/src/Opserver.Web/opserverSettings.json ./Config/opserverSettings.json
+
+
 ENTRYPOINT ["dotnet", "Opserver.Web.dll"]

charts/opserver/.helmignore

@@ -0,0 +1,24 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+.github/CODEOWNERS

charts/opserver/Chart.yaml

@@ -0,0 +1,24 @@
+apiVersion: v2
+name: opserver
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 1.0.1
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.0.1" # we don't use this field

charts/opserver/templates/deployment.yaml

@@ -0,0 +1,167 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      service: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        service: {{ .Release.Name }}
+    spec:
+      serviceAccountName: {{ .Release.Name  }}
+      containers:
+      - name: opserver
+        image: "{{ .Values.images.containerRegistry }}/{{ .Values.images.opserver.name }}:{{ .Values.images.opserver.tag }}"
+        resources:
+          requests:
+            memory: {{ .Values.requests.memory }}
+            cpu: {{ .Values.requests.cpu }}
+          limits:
+            memory: {{ .Values.limits.memory }}
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+        volumeMounts:
+        - name: writable-tmp #need our own read-write enabled temp directory because aspnet spills large requests over to disk
+          mountPath: /mnt/tmp
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        ports:
+        - containerPort: {{ .Values.kestrel.endPoints.http.containerPort }}
+        livenessProbe:
+          httpGet:
+            path: /health-checks/live
+            port: {{ .Values.kestrel.endPoints.http.containerPort }}
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          timeoutSeconds: 2
+          failureThreshold: 3
+        readinessProbe:
+          httpGet:
+            path: /health-checks/ready
+            port: {{ .Values.kestrel.endPoints.http.containerPort }}
+          initialDelaySeconds: 10
+          periodSeconds: 1
+          successThreshold: 3
+        volumeMounts:
+        - name: writable-tmp
+          mountPath: /mnt/tmp
+          
+        env:
+        - name: NODE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.hostIP
+
+        - name: DOTNET_EnableDiagnostics
+          value: "0"
+
+        - name: ASPNETCORE_ENVIRONMENT
+          value: {{ .Values.aspnetcoreEnvironment }}
+        - name: PRODUCT
+          value: {{ .Values.product }}
+
+        - name: EXCEPTIONAL__STORE__APPLICATIONNAME
+          value: "{{ .Release.Name }}"
+        - name: EXCEPTIONAL__STORE__TYPE
+          value: "{{ .Values.exceptional.store.type }}"
+
+        - name: DATADOG__AGENTHOST
+          value: "{{- if eq .Values.datadog.agentHost "127.0.0.1"}}$(NODE_IP){{- else}}{{ .Values.datadog.agentHost }}{{- end}}"
+        - name: DATADOG__AGENTPORT
+          value: "{{ .Values.datadog.agentPort }}"
+
+        # this exact variable is required for our datadog configuration to work with tracing / APM
+        - name: DD_AGENT_HOST
+          value: "{{- if eq .Values.datadog.agentHost "127.0.0.1"}}$(NODE_IP){{- else}}{{ .Values.datadog.agentHost }}{{- end}}"
+
+        - name: DD_RUNTIME_METRICS_ENABLED
+          value: "true"
+
+        - name: DD_SERVICE
+          value: "opserver"
+
+        - name: KESTREL__ENDPOINTS__HTTP__URL
+          value: "http://0.0.0.0:{{ .Values.kestrel.endPoints.http.containerPort }}/"
+
+        - name: TMPDIR #tell OS to use our read-write volume mount as its temp directory
+          value: "/mnt/tmp"
+
+        - name: SQL_EXCEPTIONAL_SERVERNAME
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.sqlExternalSecret.targetName }}
+              key: exceptionalServername
+        - name: SQL_USERNAME
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.sqlExternalSecret.targetName }}
+              key: exceptionalUsername
+        - name: SQL_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.sqlExternalSecret.targetName }}
+              key: exceptionalPassword
+
+      {{- if hasKey .Values.opserverSettings "sql" }}      
+        - name: Modules__Sql__defaultConnectionString
+          value: "Server=$(SQL_EXCEPTIONAL_SERVERNAME);Database=Local.Exceptions;User ID=$(SQL_USERNAME);Password=$(SQL_PASSWORD);"
+        {{- range $i, $instance := .Values.opserverSettings.sql }}
+        - name: Modules__Sql__instances__{{ $i }}__name
+          value: "{{ $instance.name }}"
+        {{- end }}
+      {{- end }}
+
+      {{- if hasKey .Values.opserverSettings "exceptions" }}      
+        {{- range $i, $instance := .Values.opserverSettings.exceptions }}
+        - name: Modules__Exceptions__stores__{{ $i }}__connectionString
+          value: "Server={{ $instance.serverName}};Database={{ $instance.database}};User ID=$(SQL_USERNAME);Password=$(SQL_PASSWORD);"
+        {{- end }}
+      {{- end }}
+
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: kubernetes.io/hostname
+          whenUnsatisfiable: ScheduleAnyway
+          labelSelector:
+            matchLabels:
+              service: {{ .Release.Name }}
+          matchLabelKeys:
+            - pod-template-hash
+
+      {{- if and (hasKey .Values "nodeScheduling") (hasKey .Values.nodeScheduling "nodeSelectorLabel")}}
+      nodeSelector:
+        {{- range .Values.nodeScheduling.nodeSelectorLabel }}
+        {{ .name }}: {{ .value | quote }}
+        {{- end }}
+      {{- end }}
+
+      {{- if and (hasKey .Values "nodeScheduling") (hasKey .Values.nodeScheduling "tolerations")}}
+      tolerations:
+        {{- range .Values.nodeScheduling.tolerations }}
+        - key: {{ .key }}
+          operator: {{ .operator }}
+          value: {{ .value | quote }}
+          effect: {{ .effect }}        
+        {{- end }}
+      {{- end }}      
+     
+      restartPolicy: Always
+      imagePullSecrets:
+      - name: "{{ .Values.image.pullSecretName }}"
+      volumes:
+      - name: data-volume
+        emptyDir: {}
+      - name: log-volume
+        emptyDir: {}
+      volumes:
+      - name: writable-tmp
+        emptyDir: {}

charts/opserver/templates/fake-secretstore.yaml

@@ -0,0 +1,19 @@
+{{ if .Values.secretStore.fake }}
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: fakeopserversecretstore
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "-5"
+spec:
+  provider:
+    fake:
+      data:
+      - key: "ExceptionsSqlServerName"
+        value: "host.docker.internal"
+      - key: "db-opserver-User"
+        value: "opserver"
+      - key: "db-opserver-Password"
+        value: "opserver"
+{{ end }}

charts/opserver/templates/ingress.yaml

@@ -0,0 +1,28 @@
+{{- if .Values.ingress.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    cert-manager.io/cluster-issuer: {{ .Values.ingress.certIssuer }}
+spec:
+  ingressClassName: {{ .Values.ingress.className }}
+  {{- if .Values.ingress.createTlsCert }}
+  tls:
+    - hosts:
+        - {{ .Values.ingress.host }}
+      secretName: {{ .Values.ingress.secretName }}
+  {{- end}}
+  rules:
+    - host: {{ .Values.ingress.host }}
+      http:
+        paths:
+          - path: /
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: {{ .Release.Name }}
+                port:
+                  number: {{ .Values.kestrel.endPoints.http.containerPort }}
+{{- end}}

charts/opserver/templates/service-account.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}

charts/opserver/templates/service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  namespace: {{ .Release.Namespace }}
+  name: {{ .Release.Name }}
+spec:
+  selector:
+    service: {{ .Release.Name }}
+  ports:
+  - name: "80"
+    port: 80
+    targetPort: {{ .Values.kestrel.endPoints.http.containerPort }}

charts/opserver/templates/sql-external-secret.yaml

@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: {{ .Values.sqlExternalSecret.name }}
+spec:
+  refreshInterval: {{ .Values.sqlExternalSecret.refreshInterval }}
+  secretStoreRef:
+    name: {{ .Values.sqlExternalSecret.storeRefName }}
+    kind: ClusterSecretStore
+  target:
+    name: {{ .Values.sqlExternalSecret.targetName }}
+  data:
+  - secretKey: exceptionalServername
+    remoteRef:
+      key: {{ .Values.sqlExternalSecret.remoteRefs.exceptionalServerName }}
+  - secretKey: exceptionalUsername
+    remoteRef:
+      key: {{ .Values.sqlExternalSecret.remoteRefs.exceptionalUsername }}
+  - secretKey: exceptionalPassword
+    remoteRef:
+      key: {{ .Values.sqlExternalSecret.remoteRefs.exceptionalPassword }}

charts/opserver/values.yaml

@@ -0,0 +1,66 @@
+appName: "opserver"
+replicaCount: 1
+
+tier: "Local"
+product: "public" # used for datadog metrics and logs
+aspnetcoreEnvironment: "Local"
+
+requests:
+  cpu: "1m"
+  memory: "1M"
+
+limits:
+  memory: "1Gi"
+
+exceptional:
+  store:
+    type: "Memory"
+    connectionString: ""
+
+datadog:
+  agentHost: ""
+  agentPort: "0"
+
+secretStore:
+  fake: true
+
+images:
+  containerRegistry: "local.software"
+  opserver:
+    name: "stackeng/opserver/opserver"
+    tag: "latest"
+
+image:
+  pullPolicy: IfNotPresent
+  pullSecretName: cloudsmith-cr-prod
+
+adminRolebindingGroupId: "not set"
+
+kestrel:
+  endPoints:
+    http:
+      url: "http://0.0.0.0:8080/"
+      containerPort: 8080
+
+ingress:
+  certIssuer: "letsencrypt-staging"
+  className: "nginx-external"
+  host: "opserver.local"
+  secretName: "opserver-secret"
+  enabled: true
+  createTlsCert: false
+
+db:
+  ExceptionalDbName: Local.Exceptions
+
+sqlExternalSecret:
+  name: opserver-sqldb-external-secret
+  refreshInterval: 5m
+  storeRefName: fakeopserversecretstore
+  targetName: sql-secret
+  remoteRefs:
+    exceptionalServerName: ExceptionsSqlServerName
+    exceptionalUsername: db-opserver-User
+    exceptionalPassword: db-opserver-Password
+
+nodeScheduling: {}