CLOUDP-90457 Create kubelinter-check.yml (#605)

killian2k · chatton · web-flow · commit b15e712b902c · 2021-07-09T14:04:07.000+02:00
* Create kubelinter-check.yml

Added the kubelinter action + reduce the CPU request when doing the e2e tests. Now, the manager.yaml and the openshift operator are in the mongodb namespace

* correction kubelinter

* add setup go

* use cat

* adding script to manage the kube-linter

* correct script to manage the kube-linter

* correct script to manage the kube-linter 2

* list folders in github_workspace

* list folders in github_workspace and parent

* add dump github context

* add dump github context

* Makes script more readable and add checkout

* list hidden files

* fix script file

* fix script file 2

* fix script file 2

* add yamls to test_and_integrated_action

* add yamls to test_and_integrated_action

* Add the exception for specific error

* Solve the yaml error files with kube-linter

* fix tests

* remove useless files

* modifier e2e role

* Modified a few files, readiness not working

* modified the manager file TEMPORARLY to see if the modifications that will be made on openshift may have issues

* Solved a few issues, removed probe

* Solved a few issues, removed probe 2

* Fix typo

* Fix typo 2

* Tests passes locally

* fixed role

* removed sec context

* set manager to default workspace

* Fixing minimum CPU required

* PModify the e2e cpu requests to lower values

* Now tests should pass

* reduced cpu amount

* PModify the e2e cpu requests to lower values again

* added security to manager.yaml

* corrected files

* Update kubelinter-check.yml

* Update role.yaml

Removed spaces in last line

* Update role.yaml

* Update role.yaml

* Throw an error when withCPURequest() or other with...() function is called with incorrect params. Changed namespace from default to mongodb

* Cancel the tests on mongodb namespace

* Update kustomization.yaml

* Update operator_openshift.yaml

* Update .github/config_files/config_lint.yaml

Co-authored-by: Cian Hatton &lt;cianhatton@gmail.com&gt;

* Update service_account.yaml

* Update kubelinter-check.yml

* Update service_account.yaml

Co-authored-by: Cian Hatton &lt;cianhatton@gmail.com&gt;
diff --git a/.github/config_files/config_lint.yaml b/.github/config_files/config_lint.yaml
@@ -0,0 +1,13 @@
+checks:
+  addAllBuiltIn: true
+
+#Reasons to exclude:
+  # non-existent-service-account because the service account is created in another file
+  # minimum-three-replicas because the deployment contains only 1 replica of the operator
+  # no-readiness-probe & no-liveness-probe because for now, it brings nothing to add these probes
+  # because they will not check whether the operator is actually ready/living
+  exclude:
+  - "non-existent-service-account"
+  - "minimum-three-replicas"
+  - "no-liveness-probe"
+  - "no-readiness-probe"
diff --git a/.github/config_files/config_lint_openshift.yaml b/.github/config_files/config_lint_openshift.yaml
@@ -0,0 +1,16 @@
+checks:
+  addAllBuiltIn: true
+  
+  #Reasons to exclude
+  # non-existent-service-account because the service account is created in another file
+  # minimum-three-replicas because the deployment contains only 1 replica of the operator
+  # no-readiness-probe & no-liveness-probe because for now it brings nothing to add theses probes
+  # because they will not check whether the operator is actually ready/living
+  # run-as-non-root & no-read-only-root-fs because the security is managed somewhere else
+  exclude:
+  - "non-existent-service-account"
+  - "minimum-three-replicas"
+  - "no-liveness-probe"
+  - "no-readiness-probe"
+  - "run-as-non-root"
+  - "no-read-only-root-fs"
diff --git a/.github/workflows/kubelinter-check.yml b/.github/workflows/kubelinter-check.yml
@@ -0,0 +1,44 @@
+name: Kubelinter-check
+
+on:
+  push:
+    branches:
+    - master
+    paths-ignore: 
+    - docs/**
+  pull_request:
+    branches:
+    - master
+  workflow_dispatch: {}
+
+jobs:
+  Kubelinter-check:
+    name: Run Kube-linter check
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout Code
+      uses: actions/checkout@v2
+      
+    - name: Scan directory ./deploy/clusterwide/ with kube-linter
+      uses: stackrox/kube-linter-action@v1
+      with:
+        directory: deploy/clusterwide
+        config: ${GITHUB_WORKSPACE}/.github/config_files/config_lint.yaml
+
+    - name: Scan directory ./deploy/openshift/ with kube-linter
+      uses: stackrox/kube-linter-action@v1
+      with:
+        directory: deploy/openshift
+        config: ${GITHUB_WORKSPACE}/.github/config_files/config_lint_openshift.yaml
+
+    - name: Scan directory ./config/manager/ with kube-linter
+      uses: stackrox/kube-linter-action@v1
+      with:
+        directory: config/manager/manager.yaml
+        config: ${GITHUB_WORKSPACE}/.github/config_files/config_lint.yaml
+
+    - name: Scan directory ./config/samples/ with kube-linter
+      uses: stackrox/kube-linter-action@v1
+      with:
+        directory: config/samples
+        config: ${GITHUB_WORKSPACE}/.github/config_files/config_lint.yaml
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -2,16 +2,35 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: mongodb-kubernetes-operator
+  namespace: mongodb
+  labels:
+    owner: mongodb
+  annotations:
+    email: "support@mongodb.com"
 spec:
   replicas: 1
   selector:
     matchLabels:
       name: mongodb-kubernetes-operator
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 1
   template:
     metadata:
       labels:
         name: mongodb-kubernetes-operator
     spec:
+      affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+          - labelSelector:
+              matchExpressions:
+              - key: name
+                operator: In
+                values:
+                - mongodb-kubernetes-operator
+            topologyKey: "kubernetes.io/hostname"
       containers:
       - command:
         - /usr/local/bin/entrypoint
@@ -39,4 +58,15 @@ spec:
         image: quay.io/mongodb/mongodb-kubernetes-operator:0.6.2
         imagePullPolicy: Always
         name: mongodb-kubernetes-operator
+        resources:
+          limits:
+            cpu: 1100m
+            memory: 1Gi
+          requests:
+            cpu: 500m
+            memory: 200Mi
+        securityContext:
+          readOnlyRootFilesystem: true
+          runAsUser: 2000
+        
       serviceAccountName: mongodb-kubernetes-operator
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -3,6 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: mongodb-kubernetes-operator
+  namespace: mongodb
 rules:
 - apiGroups:
   - ""
diff --git a/deploy/clusterwide/role.yaml b/deploy/clusterwide/role.yaml
@@ -6,10 +6,8 @@ rules:
 - apiGroups:
   - ""
   resources:
-  - pods
   - services
   - configmaps
-  - secrets
   verbs:
   - create
   - delete
@@ -22,8 +20,18 @@ rules:
   - apps
   resources:
   - statefulsets
+  verbs: 
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods
   verbs:
-  - create
   - delete
   - get
   - list
diff --git a/deploy/clusterwide/role_binding.yaml b/deploy/clusterwide/role_binding.yaml
@@ -5,7 +5,7 @@ metadata:
 subjects:
 - kind: ServiceAccount
   name: mongodb-kubernetes-operator
-  namespace: default
+  namespace: mongodb
 roleRef:
   kind: ClusterRole
   name: mongodb-kubernetes-operator
diff --git a/deploy/e2e/service_account.yaml b/deploy/e2e/service_account.yaml
@@ -2,3 +2,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: e2e-test
+  # namespace is 'default' for the e2e tests because the TLS certificates 
+  # generated used as test fixture (in the TLS tests) only work with the 
+  # default namespace.
+  namespace: default
diff --git a/deploy/openshift/operator_openshift.yaml b/deploy/openshift/operator_openshift.yaml
@@ -2,18 +2,38 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: mongodb-kubernetes-operator
+  namespace: mongodb
+  labels:
+    owner: mongodb
+  annotations:
+    email: "support@mongodb.com"
 spec:
   replicas: 1
   selector:
     matchLabels:
       name: mongodb-kubernetes-operator
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 1
   template:
     metadata:
       labels:
         name: mongodb-kubernetes-operator
     spec:
+      affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+          - labelSelector:
+              matchExpressions:
+              - key: name
+                operator: In
+                values:
+                - mongodb-kubernetes-operator
+            topologyKey: "kubernetes.io/hostname"
       containers:
-      - command:
+      - name: mongodb-kubernetes-operator
+        command:
         - mongodb-kubernetes-operator
         env:
         - name: WATCH_NAMESPACE
@@ -40,5 +60,11 @@ spec:
           value: docker.io
         image: quay.io/mongodb/mongodb-kubernetes-operator:0.6.2
         imagePullPolicy: Always
-        name: mongodb-kubernetes-operator
+        resources:
+          limits:
+            cpu: 1100m
+            memory: 1Gi
+          requests:
+            cpu: 500m
+            memory: 200Mi
       serviceAccountName: mongodb-kubernetes-operator
diff --git a/test/e2e/setup/setup.go b/test/e2e/setup/setup.go
@@ -18,6 +18,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	apiErrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/api/resource"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
@@ -167,6 +168,7 @@ func deployOperator(ctx *e2eutil.Context) error {
 		withEnvVar(construct.AgentImageEnv, testConfig.agentImage),
 		withEnvVar(construct.ReadinessProbeImageEnv, testConfig.readinessProbeImage),
 		withEnvVar(construct.VersionUpgradeHookImageEnv, testConfig.versionUpgradeHookImage),
+		withCPURequest("50m"),
 	); err != nil {
 		return errors.Errorf("error building operator deployment: %s", err)
 	}
@@ -202,7 +204,7 @@ func hasDeploymentRequiredReplicas(dep *appsv1.Deployment) wait.ConditionFunc {
 
 // buildKubernetesResourceFromYamlFile will create the kubernetes resource defined in yamlFilePath. All of the functional options
 // provided will be applied before creation.
-func buildKubernetesResourceFromYamlFile(ctx *e2eutil.Context, yamlFilePath string, obj client.Object, options ...func(obj runtime.Object)) error {
+func buildKubernetesResourceFromYamlFile(ctx *e2eutil.Context, yamlFilePath string, obj client.Object, options ...func(obj runtime.Object) error) error {
 	data, err := ioutil.ReadFile(yamlFilePath)
 	if err != nil {
 		return errors.Errorf("error reading file: %s", err)
@@ -213,7 +215,9 @@ func buildKubernetesResourceFromYamlFile(ctx *e2eutil.Context, yamlFilePath stri
 	}
 
 	for _, opt := range options {
-		opt(obj)
+		if err := opt(obj); err != nil {
+			return err
+		}
 	}
 
 	return createOrUpdate(ctx, obj)
@@ -239,11 +243,33 @@ func createOrUpdate(ctx *e2eutil.Context, obj client.Object) error {
 	return nil
 }
 
+// withCPURequest assumes that the underlying type is an appsv1.Deployment.
+// it returns a function which will change the amount
+// requested for the CPUresource. There will be
+// no effect when used with a non-deployment type
+func withCPURequest(cpuRequest string) func(runtime.Object) error {
+	return func(obj runtime.Object) error {
+		dep, ok := obj.(*appsv1.Deployment)
+		if !ok {
+			return errors.Errorf("withCPURequest() called on a non-deployment object")
+		}
+		quantityCPU, okCPU := resource.ParseQuantity(cpuRequest)
+		if okCPU != nil {
+			return okCPU
+		}
+		for _, cont := range dep.Spec.Template.Spec.Containers {
+			cont.Resources.Requests["cpu"] = quantityCPU
+		}
+
+		return nil
+	}
+}
+
 // withNamespace returns a function which will assign the namespace
 // of the underlying type to the value specified. We can
 // add new types here as required.
-func withNamespace(ns string) func(runtime.Object) {
-	return func(obj runtime.Object) {
+func withNamespace(ns string) func(runtime.Object) error {
+	return func(obj runtime.Object) error {
 		switch v := obj.(type) {
 		case *rbacv1.Role:
 			v.Namespace = ns
@@ -255,18 +281,24 @@ func withNamespace(ns string) func(runtime.Object) {
 			v.Namespace = ns
 		case *appsv1.Deployment:
 			v.Namespace = ns
+		default:
+			return errors.Errorf("withNamespace() called on a non supported object")
 		}
+
+		return nil
 	}
 }
 
-func withEnvVar(key, val string) func(obj runtime.Object) {
-	return func(obj runtime.Object) {
+func withEnvVar(key, val string) func(obj runtime.Object) error {
+	return func(obj runtime.Object) error {
 		if testPod, ok := obj.(*corev1.Pod); ok {
 			testPod.Spec.Containers[0].Env = updateEnvVarList(testPod.Spec.Containers[0].Env, key, val)
 		}
 		if testDeployment, ok := obj.(*appsv1.Deployment); ok {
 			testDeployment.Spec.Template.Spec.Containers[0].Env = updateEnvVarList(testDeployment.Spec.Template.Spec.Containers[0].Env, key, val)
 		}
+
+		return nil
 	}
 }
 
@@ -282,11 +314,14 @@ func updateEnvVarList(envVarList []corev1.EnvVar, key, val string) []corev1.EnvV
 
 // withOperatorImage assumes that the underlying type is an appsv1.Deployment
 // which has the operator container as the first container. There will be
-// no effect when used with a non-deployment type
-func withOperatorImage(image string) func(runtime.Object) {
-	return func(obj runtime.Object) {
+// an error return when used with a non-deployment type
+func withOperatorImage(image string) func(runtime.Object) error {
+	return func(obj runtime.Object) error {
 		if dep, ok := obj.(*appsv1.Deployment); ok {
 			dep.Spec.Template.Spec.Containers[0].Image = image
+			return nil
 		}
+
+		return fmt.Errorf("withOperatorImage() called on a non-deployment object")
 	}
 }
