From 244c9647c027ab7fe425cbce8439a8bf708b153e Mon Sep 17 00:00:00 2001 From: Vishal Choudhary Date: Mon, 7 Oct 2024 21:52:30 +0530 Subject: [PATCH 01/15] feat: add support for embedded etcd Signed-off-by: Vishal Choudhary --- go.mod | 22 +++- go.sum | 57 +++++++++++ pkg/storage/etcd/new.go | 9 ++ pkg/storage/etcd/store.go | 204 ++++++++++++++++++++++++++++++++++++++ 4 files changed, 288 insertions(+), 4 deletions(-) create mode 100644 pkg/storage/etcd/new.go create mode 100644 pkg/storage/etcd/store.go diff --git a/go.mod b/go.mod index 1482c81..d865972 100644 --- a/go.mod +++ b/go.mod @@ -100,6 +100,7 @@ require ( github.com/docker/distribution v2.8.3+incompatible // indirect github.com/docker/docker v25.0.5+incompatible // indirect github.com/docker/docker-credential-helpers v0.8.1 // indirect + github.com/dustin/go-humanize v1.0.1 // indirect github.com/emicklei/go-restful/v3 v3.11.2 // indirect github.com/emicklei/proto v1.13.2 // indirect github.com/evanphx/json-patch v5.9.0+incompatible // indirect @@ -146,8 +147,11 @@ require ( github.com/google/uuid v1.6.0 // indirect github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect github.com/gorilla/mux v1.8.1 // indirect + github.com/gorilla/websocket v1.5.0 // indirect github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect + github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 // indirect github.com/grpc-ecosystem/go-grpc-prometheus v1.2.1-0.20210315223345-82c243799c99 // indirect + github.com/grpc-ecosystem/grpc-gateway v1.16.0 // indirect github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1 // indirect github.com/hashicorp/go-cleanhttp v0.5.2 // indirect github.com/hashicorp/go-retryablehttp v0.7.5 // indirect 
@@ -158,6 +162,7 @@ require ( github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect github.com/jinzhu/copier v0.4.0 // indirect github.com/jmespath/go-jmespath v0.4.0 // indirect + github.com/jonboulle/clockwork v0.4.0 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect github.com/klauspost/compress v1.17.5 // indirect @@ -211,6 +216,7 @@ require ( github.com/sigstore/timestamp-authority v1.2.2 // indirect github.com/sirupsen/logrus v1.9.3 // indirect github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect + github.com/soheilhy/cmux v0.1.5 // indirect github.com/sourcegraph/conc v0.3.0 // indirect github.com/spf13/afero v1.11.0 // indirect github.com/spf13/cast v1.6.0 // indirect 
@@ -226,18 +232,25 @@ require ( github.com/theupdateframework/go-tuf v0.7.0 // indirect github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect github.com/tjfoc/gmsm v1.4.1 // indirect + github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 // indirect github.com/transparency-dev/merkle v0.0.2 // indirect github.com/vbatts/tar-split v0.11.5 // indirect github.com/xanzy/go-gitlab v0.102.0 // indirect github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect + github.com/xiang90/probing v0.0.0-20221125231312-a49e3df8f510 // indirect github.com/xlab/treeprint v1.2.0 // indirect github.com/yashtewari/glob-intersection v0.2.0 // indirect github.com/zach-klippenstein/goregen v0.0.0-20160303162051-795b5e3961ea // indirect github.com/zeebo/errs v1.3.0 // indirect - go.etcd.io/etcd/api/v3 v3.5.12 // indirect - go.etcd.io/etcd/client/pkg/v3 v3.5.12 // indirect - go.etcd.io/etcd/client/v3 v3.5.12 // indirect + go.etcd.io/bbolt v1.3.11 // indirect + go.etcd.io/etcd/api/v3 v3.5.16 // indirect + go.etcd.io/etcd/client/pkg/v3 v3.5.16 // indirect + go.etcd.io/etcd/client/v2 v2.305.16 // indirect + go.etcd.io/etcd/client/v3 v3.5.16 // indirect + go.etcd.io/etcd/pkg/v3 v3.5.16 // indirect + go.etcd.io/etcd/raft/v3 v3.5.16 // indirect + go.etcd.io/etcd/server/v3 v3.5.16 // indirect go.mongodb.org/mongo-driver v1.14.0 // indirect go.opencensus.io v0.24.0 // indirect go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 // indirect @@ -259,7 +272,7 @@ require ( golang.org/x/crypto v0.22.0 // indirect golang.org/x/exp v0.0.0-20240222234643-814bf88cf225 // indirect golang.org/x/mod v0.16.0 // indirect - golang.org/x/net v0.22.0 // indirect + golang.org/x/net v0.23.0 // indirect golang.org/x/oauth2 v0.19.0 // indirect golang.org/x/sync v0.7.0 // indirect golang.org/x/sys v0.19.0 // indirect 
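Review bot: `go.etcd.io/etcd/server/v3 v3.5.16` and the modules it pulls in (`client/v2`, `raft/v3`, `pkg/v3`, `bbolt`, `grpc-gateway v1.16.0`, `go-grpc-middleware v1.4.0`, `cmux`) are added as `// indirect`, but nothing in this patch imports the server package — `new.go` is empty and `store.go` only uses `client/v3` — so a plain `go mod tidy` would presumably drop them again. If the embedded server is wired up in a later patch of this series, adding the requirement there keeps the supply-chain change reviewable next to the code that needs it, and lets the reviewer see which of the new transitive modules are really reachable. Worth noting for the dependency-scanning side that etcd 3.5 still pins the v1 line of `grpc-gateway` alongside v2, so it cannot be bumped independently of etcd; the `golang.org/x/net` bump to v0.23.0 in the neighbouring hunk appears incidental to this, so mentioning it in the commit message would help anyone auditing later.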
@@ -269,6 +282,7 @@ require ( golang.org/x/tools v0.19.0 // indirect gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect google.golang.org/api v0.172.0 // indirect + google.golang.org/genproto v0.0.0-20240213162025-012b6fc9bca9 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20240311173647-c811ad7063a7 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237 // indirect google.golang.org/grpc v1.62.1 // indirect diff --git a/go.sum b/go.sum index 5c45c35..7d7516a 100644 --- a/go.sum +++ b/go.sum @@ -1,4 +1,5 @@ cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.112.1 h1:uJSeirPke5UNZHIb4SxfZklVSiWWVqW4oXlETwZziwM= cloud.google.com/go/compute v1.25.0 h1:H1/4SqSUhjPFE7L5ddzHOfY2bCAvjwNRZPNl6Ni5oYU= cloud.google.com/go/compute v1.25.0/go.mod h1:GR7F0ZPZH8EhChlMo9FkLd7eUTwEymjqQagxzilIxIE= @@ -118,6 +119,7 @@ github.com/alibabacloud-go/tea-xml v1.1.3/go.mod h1:Rq08vgCcCAjHyRi/M7xlHKUykZCE github.com/aliyun/credentials-go v1.1.2/go.mod h1:ozcZaMR5kLM7pwtCMEpVmQ242suV6qTJya2bDq4X1Tw= github.com/aliyun/credentials-go v1.3.2 h1:L4WppI9rctC8PdlMgyTkF8bBsy9pyKQEzBD1bHMRl+g= github.com/aliyun/credentials-go v1.3.2/go.mod h1:tlpz4uys4Rn7Ik4/piGRrTbXy2uLKvePgQJJduE+Y5c= +github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df h1:7RFfzj4SSt6nnvCPbCqijJi1nWCd+TqAT3bYCStRC18= github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df/go.mod h1:pSwJ0fSY5KhvocuWSx4fz3BA8OrA1bQn+K1Eli3BRwM= github.com/aptible/supercronic v0.2.29 h1:I+3RoDspAs/ySQO+MQd6genE07csDV/ErhFOtACT5oo= 
@@ -164,6 +166,7 @@ github.com/aws/smithy-go v1.20.1 h1:4SZlSlMr36UEqC7XOyRVb27XMeZubNcBNN+9IgEPIQw= github.com/aws/smithy-go v1.20.1/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E= github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20240116161626-88cfadc80e8f h1:mM9Ic3+hujxWGfpEf3E0fp12Lu7Xg2u2YsNb9WeliZQ= github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20240116161626-88cfadc80e8f/go.mod h1:IPG+64HFPgPEx/vXYjqVpZ4lUgmzt1afdmi7ykS2Qjg= +github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= @@ -284,6 +287,7 @@ github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4 github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmVXmkdnm1bU= github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= +github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32 h1:Mn26/9ZMNWSw9C9ERFA1PUxfmGpolnw2v0bKOREu5ew= github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32/go.mod h1:GIjDIg/heH5DOkXY3YJ/wNhfHsQHoXGjl8G8amsYQ1I= github.com/go-chi/chi v4.1.2+incompatible h1:fGFk2Gmi/YKXk0OmGfBh0WgmN3XB8lVnEyNz34tQRec= 
@@ -296,6 +300,8 @@ github.com/go-jose/go-jose/v3 v3.0.3 h1:fFKWeig/irsp7XD2zBxvnmA/XaRWp5V3CBsZXJF7 github.com/go-jose/go-jose/v3 v3.0.3/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ= github.com/go-jose/go-jose/v4 v4.0.1 h1:QVEPDE3OluqXBQZDcnNvQrInro2h0e4eqNbnZSWqS6U= github.com/go-jose/go-jose/v4 v4.0.1/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY= +github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY= +github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A= github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= @@ -329,6 +335,7 @@ github.com/go-quicktest/qt v1.101.0 h1:O1K29Txy5P2OK0dGo59b7b0LR6wKfIhttaAhHUyn7 github.com/go-quicktest/qt v1.101.0/go.mod h1:14Bz/f7NwaXPtdYEgzsx46kqSxVwTbzVZsDC26tQJow= github.com/go-rod/rod v0.114.7 h1:h4pimzSOUnw7Eo41zdJA788XsawzHjJMyzCE3BrBww0= github.com/go-rod/rod v0.114.7/go.mod h1:aiedSEFg5DwG/fnNbUOTPMTTWX3MRj6vIs/a684Mthw= +github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= 
@@ -427,6 +434,7 @@ github.com/gopherjs/gopherjs v0.0.0-20200217142428-fce0ec30dd00 h1:l5lAOZEym3oK3 github.com/gopherjs/gopherjs v0.0.0-20200217142428-fce0ec30dd00/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY= github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ= +github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc= github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJrOjhax5N+uePQ0Fh1Z7PheYoUI/0nzkPA= @@ -497,6 +505,8 @@ github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/klauspost/compress v1.17.5 h1:d4vBd+7CHydUqpFBgUEKkSdtSugf9YFmSkvUYPquI5E= github.com/klauspost/compress v1.17.5/go.mod h1:/dCuZOvVtNoHsyb+cuJD3itjs3NbnF6KH9zAO4BDxPM= +github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= 
@@ -587,6 +597,7 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM= +github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs= github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc= github.com/pborman/uuid v1.2.1 h1:+ZZIw58t/ozdjRaXh/3awHfmWRbzYxJoAdNJxe/3pvw= @@ -625,6 +636,7 @@ github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5X github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= github.com/robfig/cron v1.2.0 h1:ZjScXvvxeQ63Dbyxy76Fj3AT3Ut0aKsyd2/tl3DTMuQ= github.com/robfig/cron v1.2.0/go.mod h1:JGuDeoQd7Z6yL4zQhZ3OPEVHB7fL6Ka6skscFHfmt2k= +github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= 
@@ -666,6 +678,8 @@ github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.1 h1:9Ki0qudKpc1F github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.1/go.mod h1:nhIgyu4YwwNgalIwTGsoAzam16jjAn3ADRSWKbWPwGI= github.com/sigstore/timestamp-authority v1.2.2 h1:X4qyutnCQqJ0apMewFyx+3t7Tws00JQ/JonBiu3QvLE= github.com/sigstore/timestamp-authority v1.2.2/go.mod h1:nEah4Eq4wpliDjlY342rXclGSO7Kb9hoRrl9tqLW13A= +github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= +github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 h1:JIAuq3EEf9cgbU6AtGPK4CTG3Zf6CKMNqf0MHTggAUA= @@ -696,6 +710,7 @@ github.com/spiffe/go-spiffe/v2 v2.2.0/go.mod h1:Urzb779b3+IwDJD2ZbN8fVl3Aa8G4N/P github.com/stoewer/go-strcase v1.3.0 h1:g0eASXYtp+yvN9fK8sH94oCIk0fau9uV1/ZdJ0AVEzs= github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= 
@@ -703,6 +718,7 @@ github.com/stretchr/objx v0.5.1 h1:4VhoImhV/Bm0ToFkXFi8hXNXwpDRZ/ynw3amt82mzq0= github.com/stretchr/objx v0.5.1/go.mod h1:/iHQpkQwBD6DLUmQ4pE+s1TXdob1mORJ4/UFdrifcy0= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= 
@@ -771,20 +787,36 @@ github.com/zeebo/errs v1.3.0 h1:hmiaKqgYZzcVgRL1Vkc1Mn2914BbzB0IBxs+ebeutGs= github.com/zeebo/errs v1.3.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4= go.etcd.io/bbolt v1.3.8 h1:xs88BrvEv273UsB79e0hcVrlUWmS0a8upikMFhSyAtA= go.etcd.io/bbolt v1.3.8/go.mod h1:N9Mkw9X8x5fupy0IKsmuqVtoGDyxsaDlbk4Rd05IAQw= +go.etcd.io/bbolt v1.3.11 h1:yGEzV1wPz2yVCLsD8ZAiGHhHVlczyC9d1rP43/VCRJ0= +go.etcd.io/bbolt v1.3.11/go.mod h1:dksAq7YMXoljX0xu6VF5DMZGbhYYoLUalEiSySYAS4I= go.etcd.io/etcd/api/v3 v3.5.12 h1:W4sw5ZoU2Juc9gBWuLk5U6fHfNVyY1WC5g9uiXZio/c= go.etcd.io/etcd/api/v3 v3.5.12/go.mod h1:Ot+o0SWSyT6uHhA56al1oCED0JImsRiU9Dc26+C2a+4= +go.etcd.io/etcd/api/v3 v3.5.16 h1:WvmyJVbjWqK4R1E+B12RRHz3bRGy9XVfh++MgbN+6n0= +go.etcd.io/etcd/api/v3 v3.5.16/go.mod h1:1P4SlIP/VwkDmGo3OlOD7faPeP8KDIFhqvciH5EfN28= go.etcd.io/etcd/client/pkg/v3 v3.5.12 h1:EYDL6pWwyOsylrQyLp2w+HkQ46ATiOvoEdMarindU2A= go.etcd.io/etcd/client/pkg/v3 v3.5.12/go.mod h1:seTzl2d9APP8R5Y2hFL3NVlD6qC/dOT+3kvrqPyTas4= +go.etcd.io/etcd/client/pkg/v3 v3.5.16 h1:ZgY48uH6UvB+/7R9Yf4x574uCO3jIx0TRDyetSfId3Q= +go.etcd.io/etcd/client/pkg/v3 v3.5.16/go.mod h1:V8acl8pcEK0Y2g19YlOV9m9ssUe6MgiDSobSoaBAM0E= go.etcd.io/etcd/client/v2 v2.305.10 h1:MrmRktzv/XF8CvtQt+P6wLUlURaNpSDJHFZhe//2QE4= go.etcd.io/etcd/client/v2 v2.305.10/go.mod h1:m3CKZi69HzilhVqtPDcjhSGp+kA1OmbNn0qamH80xjA= +go.etcd.io/etcd/client/v2 v2.305.16 h1:kQrn9o5czVNaukf2A2At43cE9ZtWauOtf9vRZuiKXow= +go.etcd.io/etcd/client/v2 v2.305.16/go.mod h1:h9YxWCzcdvZENbfzBTFCnoNumr2ax3F19sKMqHFmXHE= go.etcd.io/etcd/client/v3 v3.5.12 h1:v5lCPXn1pf1Uu3M4laUE2hp/geOTc5uPcYYsNe1lDxg= go.etcd.io/etcd/client/v3 v3.5.12/go.mod h1:tSbBCakoWmmddL+BKVAJHa9km+O/E+bumDe9mSbPiqw= +go.etcd.io/etcd/client/v3 v3.5.16 h1:sSmVYOAHeC9doqi0gv7v86oY/BTld0SEFGaxsU9eRhE= +go.etcd.io/etcd/client/v3 v3.5.16/go.mod h1:X+rExSGkyqxvu276cr2OwPLBaeqFu1cIl4vmRjAD/50= go.etcd.io/etcd/pkg/v3 v3.5.10 h1:WPR8K0e9kWl1gAhB5A7gEa5ZBTNkT9NdNWrR8Qpo1CM= go.etcd.io/etcd/pkg/v3 v3.5.10/go.mod 
h1:TKTuCKKcF1zxmfKWDkfz5qqYaE3JncKKZPFf8c1nFUs= +go.etcd.io/etcd/pkg/v3 v3.5.16 h1:cnavs5WSPWeK4TYwPYfmcr3Joz9BH+TZ6qoUtz6/+mc= +go.etcd.io/etcd/pkg/v3 v3.5.16/go.mod h1:+lutCZHG5MBBFI/U4eYT5yL7sJfnexsoM20Y0t2uNuY= go.etcd.io/etcd/raft/v3 v3.5.10 h1:cgNAYe7xrsrn/5kXMSaH8kM/Ky8mAdMqGOxyYwpP0LA= go.etcd.io/etcd/raft/v3 v3.5.10/go.mod h1:odD6kr8XQXTy9oQnyMPBOr0TVe+gT0neQhElQ6jbGRc= +go.etcd.io/etcd/raft/v3 v3.5.16 h1:zBXA3ZUpYs1AwiLGPafYAKKl/CORn/uaxYDwlNwndAk= +go.etcd.io/etcd/raft/v3 v3.5.16/go.mod h1:P4UP14AxofMJ/54boWilabqqWoW9eLodl6I5GdGzazI= go.etcd.io/etcd/server/v3 v3.5.10 h1:4NOGyOwD5sUZ22PiWYKmfxqoeh72z6EhYjNosKGLmZg= go.etcd.io/etcd/server/v3 v3.5.10/go.mod h1:gBplPHfs6YI0L+RpGkTQO7buDbHv5HJGG/Bst0/zIPo= +go.etcd.io/etcd/server/v3 v3.5.16 h1:d0/SAdJ3vVsZvF8IFVb1k8zqMZ+heGcNfft71ul9GWE= +go.etcd.io/etcd/server/v3 v3.5.16/go.mod h1:ynhyZZpdDp1Gq49jkUg5mfkDWZwXnn3eIqCqtJnrD/s= go.mongodb.org/mongo-driver v1.14.0 h1:P98w8egYRjYe3XDjxhYJagTokP/H6HzlsnojRgZRd80= go.mongodb.org/mongo-driver v1.14.0/go.mod h1:Vzb0Mk/pa7e6cWw85R4F/endUC3u0U9jGcNU603k65c= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= 
@@ -817,10 +849,14 @@ go.starlark.net v0.0.0-20240123142251-f86470692795 h1:LmbG8Pq7KDGkglKVn8VpZOZj6v go.starlark.net v0.0.0-20240123142251-f86470692795/go.mod h1:LcLNIzVOMp4oV+uusnpk+VU+SzXaJakUuBjoCSWH5dM= go.step.sm/crypto v0.44.2 h1:t3p3uQ7raP2jp2ha9P6xkQF85TJZh+87xmjSLaib+jk= go.step.sm/crypto v0.44.2/go.mod h1:x1439EnFhadzhkuaGX7sz03LEMQ+jV4gRamf5LCZJQQ= +go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= +go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= +go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= +go.uber.org/zap v1.18.1/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI= go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= 
@@ -846,6 +882,7 @@ golang.org/x/exp v0.0.0-20240222234643-814bf88cf225/go.mod h1:CxmFvTBINI24O/j8iY golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= @@ -856,6 +893,7 @@ golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73r golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 
@@ -863,12 +901,15 @@ golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLL golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20201010224723-4f7140c49acb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20211123203042-d83791d6bcd9/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= 
@@ -880,11 +921,15 @@ golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY= golang.org/x/net v0.22.0 h1:9sGLhx7iRIHEiX0oAJ3MRZMUCElJgy7Br1nO+AMN3Tc= golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= +golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs= +golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.19.0 h1:9+E/EZBCbTLNrbN35fHv/a/d/mOBatymz1zbtQrXpIg= golang.org/x/oauth2 v0.19.0/go.mod h1:vYi7skDa1x015PmRRYZ7+s1cWyPgrPiSYRe4rnsexc8= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -897,8 +942,10 @@ golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5h golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -907,8 +954,10 @@ golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
@@ -957,6 +1006,7 @@ golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20191108193012-7d206e10da11/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200509030707-2212a7e161a5/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= @@ -979,6 +1029,8 @@ google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9Ywl google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20200423170343-7949de9c1215/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= google.golang.org/genproto v0.0.0-20240213162025-012b6fc9bca9 h1:9+tzLLstTlPTRyJTh+ah5wIMsBW5c4tQwGTN3thOW9Y= google.golang.org/genproto v0.0.0-20240213162025-012b6fc9bca9/go.mod h1:mqHbVIp48Muh7Ywss/AD6I5kNVKZMmAa/QEW58Gxp2s= 
@@ -991,7 +1043,9 @@ google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZi google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= +google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= google.golang.org/grpc v1.62.1 h1:B4n+nfKzOICUXMgyrNd19h/I9oH0L1pizfk1d4zSgTk= google.golang.org/grpc v1.62.1/go.mod h1:IWTG0VlJLCh1SkC58F7np9ka9mx/WNkjl4PGJaiq+QE= @@ -1009,6 +1063,7 @@ google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQ google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= 
@@ -1027,12 +1082,14 @@ gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYs gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo= diff --git a/pkg/storage/etcd/new.go b/pkg/storage/etcd/new.go new file mode 100644 index 0000000..a389d02 --- /dev/null +++ b/pkg/storage/etcd/new.go @@ -0,0 +1,9 @@ +package etcd + +func NewETCDClient() { + +} + +func NewETCDServer() { + +} diff --git a/pkg/storage/etcd/store.go b/pkg/storage/etcd/store.go new file mode 100644 index 0000000..830da72 --- /dev/null +++ b/pkg/storage/etcd/store.go 
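Review bot: `NewETCDClient` and `NewETCDServer` are exported with empty bodies and no results, so a caller gets neither a client, a server handle, nor an error, and the package compiles as a silent no-op. If these are placeholders for the rest of the series, mark them as such, e.g. `// NewETCDClient returns a client for the embedded etcd. TODO: not yet implemented.`, and give them a signature that can report failure, such as `func NewETCDClient() (*clientv3.Client, error)`. When they are filled in, the embedded server's client and peer listeners should presumably default to a loopback address or a unix socket and, if anything else is allowed to connect, TLS with client-certificate auth — an etcd reachable without authentication exposes every object the store in `store.go` writes, so that default deserves a comment in this file.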
@@ -0,0 +1,204 @@ +package etcd + +import ( + "context" + "encoding/json" + "fmt" + "sync" + + clientv3 "go.etcd.io/etcd/client/v3" + "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +type ObjectStorageNamespaced[T metav1.Object] interface { + Get(ctx context.Context, name, namespace string) (T, error) + List(ctx context.Context, namespace string) ([]T, error) + Create(ctx context.Context, obj T) error + Update(ctx context.Context, obj T) error + Delete(ctx context.Context, name, namespace string) error +} + +type objectStoreNamespaced[T metav1.Object] struct { + sync.Mutex + namespaced bool + etcdclient clientv3.KV + gvk schema.GroupVersionKind + gr schema.GroupResource +} + +func NewObjectStoreNamespaced[T metav1.Object](client clientv3.KV, gvk schema.GroupVersionKind, gr schema.GroupResource) ObjectStorageNamespaced[T] { + return &objectStoreNamespaced[T]{ + namespaced: true, + etcdclient: client, + gvk: gvk, + gr: gr, + } +} + +func (o *objectStoreNamespaced[T]) getPrefix() string { + return fmt.Sprintf("%s/%s/%s/", o.gvk.Group, o.gvk.Version, o.gvk.Kind) +} + +func (o *objectStoreNamespaced[T]) getKey(name, namespace string) string { + if o.namespaced { + return fmt.Sprintf("%s %s/%s", o.getPrefix(), namespace, name) + } else { + return fmt.Sprintf("%s %s", o.getPrefix(), name) + } +} + +func (o *objectStoreNamespaced[T]) Get(ctx context.Context, name, namespace string) (T, error) { + o.Lock() + defer o.Unlock() + + var obj T + key := o.getKey(name, namespace) + resp, err := o.etcdclient.Get(ctx, key) + if err != nil { + return obj, err + } + if len(resp.Kvs) != 1 { + return obj, errors.NewNotFound(o.gr, key) + } + err = json.Unmarshal(resp.Kvs[0].Value, obj) + if err != nil { + return obj, errors.NewNotFound(o.gr, key) + } + return obj, nil +} + +func (o *objectStoreNamespaced[T]) List(ctx context.Context, namespace string) ([]T, error) { + o.Lock() + defer o.Unlock() + + var 
objects []T + key := o.getPrefix() + resp, err := o.etcdclient.Get(ctx, key, clientv3.WithPrefix()) + if err != nil { + return objects, err + } + if len(resp.Kvs) == 0 { + return objects, errors.NewNotFound(o.gr, key) + } + objects = make([]T, 0, len(resp.Kvs)) + for _, v := range resp.Kvs { + var obj T + err = json.Unmarshal(v.Value, obj) + if err != nil { + return objects, errors.NewNotFound(o.gr, key) + } + objects = append(objects, obj) + } + return objects, nil +} + +func (o *objectStoreNamespaced[T]) Create(ctx context.Context, obj T) error { + o.Lock() + defer o.Unlock() + + key := o.getKey(obj.GetName(), obj.GetNamespace()) + resp, err := o.etcdclient.Get(ctx, key) + if err != nil { + return err + } + if len(resp.Kvs) > 0 { + return errors.NewAlreadyExists(o.gr, key) + } + + bObject, err := json.Marshal(obj) + if err != nil { + return err + } + + _, err = o.etcdclient.Put(ctx, key, string(bObject)) + if err != nil { + return err + } + return nil +} + +func (o *objectStoreNamespaced[T]) Update(ctx context.Context, obj T) error { + o.Lock() + defer o.Unlock() + + key := o.getKey(obj.GetName(), obj.GetNamespace()) + resp, err := o.etcdclient.Get(ctx, key) + if err != nil { + return err + } + if len(resp.Kvs) != 1 { + return errors.NewNotFound(o.gr, key) + } + + bObject, err := json.Marshal(obj) + if err != nil { + return err + } + + _, err = o.etcdclient.Put(ctx, key, string(bObject)) + if err != nil { + return err + } + return nil +} + +func (o *objectStoreNamespaced[T]) Delete(ctx context.Context, name, namespace string) error { + o.Lock() + defer o.Unlock() + + key := o.getKey(name, namespace) + resp, err := o.etcdclient.Delete(ctx, key) + if err != nil { + return err + } + if resp.Deleted == 0 { + return errors.NewNotFound(o.gr, key) + } + + return nil +} + +type ObjectStorageCluster[T metav1.Object] interface { + Get(ctx context.Context, name string) (T, error) + List(ctx context.Context) ([]T, error) + Create(ctx context.Context, obj T) error + 
Update(ctx context.Context, obj T) error + Delete(ctx context.Context, name string) error +} + +type objectStoreCluster[T metav1.Object] struct { + store ObjectStorageNamespaced[T] +} + +func NewObjectStoreCluster[T metav1.Object](client clientv3.KV, gvk schema.GroupVersionKind, gr schema.GroupResource) ObjectStorageCluster[T] { + return &objectStoreCluster[T]{ + store: &objectStoreNamespaced[T]{ + namespaced: false, + etcdclient: client, + gvk: gvk, + gr: gr, + }, + } +} + +func (o *objectStoreCluster[T]) Get(ctx context.Context, name string) (T, error) { + return o.store.Get(ctx, name, "") +} + +func (o *objectStoreCluster[T]) List(ctx context.Context) ([]T, error) { + return o.store.List(ctx, "") +} + +func (o *objectStoreCluster[T]) Create(ctx context.Context, obj T) error { + return o.store.Create(ctx, obj) +} + +func (o *objectStoreCluster[T]) Update(ctx context.Context, obj T) error { + return o.store.Update(ctx, obj) +} + +func (o *objectStoreCluster[T]) Delete(ctx context.Context, name string) error { + return o.store.Delete(ctx, name, "") +} From 632f09d0ed6711a7af0e7f5279653b7e00a51c99 Mon Sep 17 00:00:00 2001 From: Vishal Choudhary Date: Tue, 8 Oct 2024 13:08:02 +0530 Subject: [PATCH 02/15] feat: add client Signed-off-by: Vishal Choudhary --- pkg/storage/etcd/new.go | 86 ++++++++++++++++++++++++++++++++++++++++- pkg/utils/constants.go | 5 +++ 2 files changed, 89 insertions(+), 2 deletions(-) diff --git a/pkg/storage/etcd/new.go b/pkg/storage/etcd/new.go index a389d02..5270f00 100644 --- a/pkg/storage/etcd/new.go +++ b/pkg/storage/etcd/new.go 
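Review bot: `List` in store.go ignores its `namespace` argument — it always queries `o.getPrefix()` with `clientv3.WithPrefix()`, so a namespaced list returns every namespace's objects and any caller relying on the store to scope results gets cross-namespace data. Keys are built as `"<group>/<version>/<Kind>/ <namespace>/<name>"`, so a scoped list can be done with `prefix := o.getPrefix(); if o.namespaced && namespace != "" { prefix = fmt.Sprintf("%s %s/", prefix, namespace) }` before the `Get` (an empty namespace keeping the all-namespaces behaviour). Separately, `Create` and `Update` do a read followed by an unconditional `Put` guarded only by an in-process `sync.Mutex`, which cannot hold across replicas; an etcd `Txn` with a `CreateRevision == 0` compare makes the create atomic, and `Update` can compare `ModRevision` the same way to reject stale writes. Mapping a `json.Unmarshal` failure to `errors.NewNotFound` also disguises corrupted or foreign data under the key as a missing object — the decode error should be returned as-is.
```go
func (o *objectStoreNamespaced[T]) Create(ctx context.Context, obj T) error {
	o.Lock()
	defer o.Unlock()

	key := o.getKey(obj.GetName(), obj.GetNamespace())
	bObject, err := json.Marshal(obj)
	if err != nil {
		return err
	}
	// Atomic create: the Put only happens if the key does not exist yet,
	// so two replicas racing on the same name cannot both succeed.
	txn, err := o.etcdclient.Txn(ctx).
		If(clientv3.Compare(clientv3.CreateRevision(key), "=", 0)).
		Then(clientv3.OpPut(key, string(bObject))).
		Commit()
	if err != nil {
		return err
	}
	if !txn.Succeeded {
		return errors.NewAlreadyExists(o.gr, key)
	}
	return nil
}
```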
@@ -1,9 +1,91 @@ package etcd -func NewETCDClient() { +import ( + "errors" + "time" + reportsv1 "github.com/kyverno/kyverno/api/reports/v1" + "github.com/kyverno/reports-server/pkg/storage/api" + "github.com/kyverno/reports-server/pkg/utils" + clientv3 "go.etcd.io/etcd/client/v3" + "go.etcd.io/etcd/server/v3/embed" + "k8s.io/klog/v2" + "sigs.k8s.io/wg-policy-prototypes/policy-report/pkg/api/wgpolicyk8s.io/v1alpha2" +) + +var ( + etcdEndpoints = embed.DefaultListenClientURLs + dialTimeout = 10 * time.Second +) + +type etcdClient struct { + polrClient ObjectStorageNamespaced[*v1alpha2.PolicyReport] + ephrClient ObjectStorageNamespaced[*reportsv1.EphemeralReport] + cpolrClient ObjectStorageCluster[*v1alpha2.ClusterPolicyReport] + cephrClient ObjectStorageCluster[*reportsv1.ClusterEphemeralReport] } -func NewETCDServer() { +func New() (api.Storage, error) { + client, err := clientv3.New(clientv3.Config{ + DialTimeout: dialTimeout, + Endpoints: []string{etcdEndpoints}, + }) + + if err != nil { + return nil, err + } + + return &etcdClient{ + polrClient: NewObjectStoreNamespaced[*v1alpha2.PolicyReport](client, utils.PolicyReportsGVK, utils.PolicyReportsGR), + ephrClient: NewObjectStoreNamespaced[*reportsv1.EphemeralReport](client, utils.EphemeralReportsGVK, utils.EphemeralReportsGR), + cpolrClient: NewObjectStoreCluster[*v1alpha2.ClusterPolicyReport](client, utils.ClusterPolicyReportsGVK, utils.ClusterPolicyReportsGR), + cephrClient: NewObjectStoreCluster[*reportsv1.ClusterEphemeralReport](client, utils.ClusterEphemeralReportsGVK, utils.ClusterEphemeralReportsGR), + }, nil +} + +func (e *etcdClient) Ready() bool { + return true +} + +func (e *etcdClient) PolicyReports() api.PolicyReportsInterface { + return e.polrClient +} + +func (e *etcdClient) ClusterPolicyReports() api.ClusterPolicyReportsInterface { + return e.cpolrClient +} + +func (e *etcdClient) EphemeralReports() api.EphemeralReportsInterface { + return e.ephrClient +} + +func (e *etcdClient) 
ClusterEphemeralReports() api.ClusterEphemeralReportsInterface { + return e.cephrClient +} + +func StartETCDServer(stopCh <-chan struct{}, dir string) error { + etcdConfig := embed.NewConfig() + etcdConfig.Dir = dir + etcd, err := embed.StartEtcd(etcdConfig) + if err != nil { + return err + } + defer etcd.Close() + + select { + case <-etcd.Server.ReadyNotify(): + klog.Info("etcd server is running!") + case <-time.After(100 * time.Second): + etcd.Server.Stop() + return errors.New("etcd server timed out and stopped!") + } + select { + case <-stopCh: + klog.Info("etcd server stopped") + return nil + case err := <-etcd.Err(): + klog.Error("error encountered in etcd server", err.Error()) + return err + } } diff --git a/pkg/utils/constants.go b/pkg/utils/constants.go index 624e92f..5d690ca 100644 --- a/pkg/utils/constants.go +++ b/pkg/utils/constants.go @@ -10,4 +10,9 @@ var ( ClusterEphemeralReportsGR = reportsv1.Resource("clusterephemeralreports") PolicyReportsGR = v1alpha2.Resource("policyreports") ClusterPolicyReportsGR = v1alpha2.Resource("clusterephemeralreports") + + EphemeralReportsGVK = reportsv1.SchemeGroupVersion.WithKind("EphemeralReport") + ClusterEphemeralReportsGVK = reportsv1.SchemeGroupVersion.WithKind("ClusterEphemeralReport") + PolicyReportsGVK = v1alpha2.SchemeGroupVersion.WithKind("PolicyReport") + ClusterPolicyReportsGVK = v1alpha2.SchemeGroupVersion.WithKind("ClusterEphemeralReport") ) From d9e7c9bfe2708b889244b8d5a3a6aaab547c14f9 Mon Sep 17 00:00:00 2001 From: Vishal Choudhary Date: Tue, 8 Oct 2024 13:17:05 +0530 Subject: [PATCH 03/15] fix: linter Signed-off-by: Vishal Choudhary --- pkg/storage/etcd/new.go | 1 - 1 file changed, 1 deletion(-) diff --git a/pkg/storage/etcd/new.go b/pkg/storage/etcd/new.go index 5270f00..1fc24b0 100644 --- a/pkg/storage/etcd/new.go +++ b/pkg/storage/etcd/new.go @@ -30,7 +30,6 @@ func New() (api.Storage, error) { DialTimeout: dialTimeout, Endpoints: []string{etcdEndpoints}, }) - if err != nil { return nil, err } 
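Review bot: `New` in new.go dials `embed.DefaultListenClientURLs` with no `TLS` and no `Username`/`Password` in the `clientv3.Config`, and `StartETCDServer` starts the server from bare `embed.NewConfig()` defaults (which, as far as I can tell, are plaintext localhost listeners), so every report is read and written over an unauthenticated, unencrypted endpoint that any other process sharing the pod's network namespace can also use. If embedded mode is meant for anything beyond local debugging, client and server should share a TLS configuration (`etcdConfig.ClientTLSInfo` / `clientv3.Config.TLS`); at minimum the trust boundary should be stated next to `etcdEndpoints`: `// NOTE: embedded etcd listens on localhost without TLS or auth; anything in the pod netns can read or modify reports.` `Ready()` also returns `true` unconditionally, so storage is reported ready before the embedded server has come up — a bounded `Get` against the client would make readiness meaningful. The client returned by `clientv3.New` is never closed, and `etcdClient` offers no `Close` to do so.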
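Review bot: `ClusterPolicyReportsGVK` in constants.go is built with `WithKind("ClusterEphemeralReport")`, so the GVK for cluster policy reports carries the wrong kind; because `getPrefix()` in the etcd store derives the key prefix from `gvk.Kind`, cluster policy reports would be stored under a `.../ClusterEphemeralReport/` prefix in the `wgpolicyk8s.io` group. It should read `ClusterPolicyReportsGVK = v1alpha2.SchemeGroupVersion.WithKind("ClusterPolicyReport")`. The context line `ClusterPolicyReportsGR = v1alpha2.Resource("clusterephemeralreports")` shows the same copy-paste mismatch, though it predates this commit.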
From 1e1ae86bc9ef5821d1ac422c53fafa9d71960105 Mon Sep 17 00:00:00 2001 From: Vishal Choudhary Date: Tue, 8 Oct 2024 13:32:06 +0530 Subject: [PATCH 04/15] feat: add options Signed-off-by: Vishal Choudhary --- pkg/app/opts/options.go | 2 ++ pkg/app/policyserver.go | 13 +++++++++++++ pkg/storage/store.go | 24 ++++++++++++++---------- 3 files changed, 29 insertions(+), 10 deletions(-) diff --git a/pkg/app/opts/options.go b/pkg/app/opts/options.go index ba05942..883e245 100644 --- a/pkg/app/opts/options.go +++ b/pkg/app/opts/options.go @@ -35,6 +35,7 @@ type Options struct { Kubeconfig string // dbopts + EtcdDir string DBHost string DBPort int DBUser string @@ -66,6 +67,7 @@ func (o *Options) validate() []error { func (o *Options) Flags() (fs flag.NamedFlagSets) { msfs := fs.FlagSet("policy server") msfs.BoolVar(&o.Debug, "debug", false, "Use inmemory database for debugging") + msfs.StringVar(&o.EtcdDir, "etcdDir", "", "Directory used for creating etcd server") msfs.BoolVar(&o.ShowVersion, "version", false, "Show version") msfs.StringVar(&o.Kubeconfig, "kubeconfig", o.Kubeconfig, "The path to the kubeconfig used to connect to the Kubernetes API server and the Kubelets (defaults to in-cluster config)") msfs.StringVar(&o.DBHost, "dbhost", "reportsdb.kyverno", "Host url of postgres instance") diff --git a/pkg/app/policyserver.go b/pkg/app/policyserver.go index 7c09b70..9465942 100644 --- a/pkg/app/policyserver.go +++ b/pkg/app/policyserver.go @@ -6,11 +6,13 @@ import ( "os" "github.com/kyverno/reports-server/pkg/app/opts" + "github.com/kyverno/reports-server/pkg/storage/etcd" "github.com/spf13/cobra" cliflag "k8s.io/component-base/cli/flag" "k8s.io/component-base/logs" "k8s.io/component-base/term" "k8s.io/component-base/version" + "k8s.io/klog/v2" ) func NewPolicyServer(stopCh <-chan struct{}) *cobra.Command { 
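Review bot: The new `--etcdDir` flag defaults to `""` and `validate()` (whose body lies outside this hunk) is not extended, so `--debug` without `--etcdDir` hands an empty `Dir` to the embedded etcd config; either reject that combination in `validate()` or default to a concrete path, and say so in the help text: `msfs.StringVar(&o.EtcdDir, "etcdDir", "", "Data directory for the embedded etcd server (required with --debug)")`. The `--debug` help string still says "Use inmemory database for debugging" although the flag now starts an embedded etcd.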
@@ -62,6 +64,17 @@ func runCommand(o *opts.Options, stopCh <-chan struct{}) error { if err != nil { return err } + + if o.Debug { + go func() { + err := etcd.StartETCDServer(stopCh, o.EtcdDir) + if err != nil { + klog.ErrorS(err, "failed to start etcd server") + os.Exit(1) + } + }() + } + s, err := config.Complete() if err != nil { return err diff --git a/pkg/storage/store.go b/pkg/storage/store.go index bf7f2d5..c3a7ca7 100644 --- a/pkg/storage/store.go +++ b/pkg/storage/store.go @@ -3,7 +3,7 @@ package storage import ( "github.com/kyverno/reports-server/pkg/storage/api" "github.com/kyverno/reports-server/pkg/storage/db" - "github.com/kyverno/reports-server/pkg/storage/inmemory" + "github.com/kyverno/reports-server/pkg/storage/etcd" "k8s.io/klog/v2" ) @@ -14,19 +14,23 @@ type Interface interface { func New(debug bool, config *db.PostgresConfig) (Interface, error) { klog.Infof("setting up storage, debug=%v", debug) + var storage api.Storage + var err error + if debug { - return &store{ - db: inmemory.New(), - versioning: NewVersioning(), - }, nil + storage, err = etcd.New() + if err != nil { + return nil, err + } + } else { + storage, err = db.New(config) + if err != nil { + return nil, err + } } - db, err := db.New(config) - if err != nil { - return nil, err - } return &store{ - db: db, + db: storage, versioning: NewVersioning(), }, nil } From d6eb2422a677d926d810b575e144bc6b8a5dc262 Mon Sep 17 00:00:00 2001 From: Vishal Choudhary Date: Wed, 9 Oct 2024 14:32:28 +0530 Subject: [PATCH 05/15] chore(revert-later): working prototype 
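Review bot: `runCommand` starts the embedded etcd in a goroutine and immediately proceeds to `config.Complete()`, which (per the store.go hunk in this commit) constructs the etcd client, so nothing orders `StartETCDServer` reaching `ReadyNotify` before the first client dial; whether startup survives depends on the client's retry behaviour rather than on an explicit handshake. `StartETCDServer` already waits on `etcd.Server.ReadyNotify()`, so it could signal on a ready channel (or be split into a blocking start that returns once ready plus a background wait), and `runCommand` should block on that before completing the server config. Calling `os.Exit(1)` from inside the goroutine also bypasses every deferred cleanup in `runCommand`; sending the error back on a channel lets the main path decide. The rest of `runCommand` lies outside the hunk.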
Signed-off-by: Vishal Choudhary --- .github/kind.yml | 3 ++ .../reports-server/templates/deployment.yaml | 6 ++++ charts/reports-server/templates/pv.yaml | 14 ++++++++ charts/reports-server/templates/pvc.yaml | 16 +++++++++ charts/reports-server/values.yaml | 20 +++++------ config/install.yaml | 33 +++++++++++++++++++ pkg/app/policyserver.go | 1 + pkg/storage/etcd/store.go | 14 ++++++-- 8 files changed, 95 insertions(+), 12 deletions(-) create mode 100644 charts/reports-server/templates/pv.yaml create mode 100644 charts/reports-server/templates/pvc.yaml diff --git a/.github/kind.yml b/.github/kind.yml index 9438061..99fa37b 100644 --- a/.github/kind.yml +++ b/.github/kind.yml @@ -31,6 +31,9 @@ nodes: - containerPort: 443 hostPort: 443 protocol: TCP + extraMounts: + - hostPath: /home/tmp + containerPath: /data/etcd - role: worker - role: worker - role: worker diff --git a/charts/reports-server/templates/deployment.yaml b/charts/reports-server/templates/deployment.yaml index ebdd41a..b8f4a17 100644 --- a/charts/reports-server/templates/deployment.yaml +++ b/charts/reports-server/templates/deployment.yaml @@ -39,6 +39,7 @@ spec: args: {{- if .Values.config.debug }} - --debug + - --etcdDir=/data/etcd {{- else }} - --dbhost={{ include "reports-server.dbHost" . }} - --dbport={{ include "reports-server.dbPort" . }} @@ -92,6 +93,8 @@ spec: containerPort: 4443 protocol: TCP volumeMounts: + - mountPath: "/data/etcd" + name: task-pv-storage - mountPath: /tmp name: tmp-dir {{- with .Values.livenessProbe }} @@ -119,3 +122,6 @@ spec: volumes: - emptyDir: {} name: tmp-dir + - name: task-pv-storage + persistentVolumeClaim: + claimName: task-pv-claim diff --git a/charts/reports-server/templates/pv.yaml b/charts/reports-server/templates/pv.yaml new file mode 100644 index 0000000..5df30ca --- /dev/null +++ b/charts/reports-server/templates/pv.yaml 
@@ -0,0 +1,14 @@ +apiVersion: v1 +kind: PersistentVolume +metadata: + name: task-pv-volume + labels: + type: local +spec: + storageClassName: standard + capacity: + storage: 10Gi + accessModes: + - ReadWriteMany + hostPath: + path: "/data/etcd" diff --git a/charts/reports-server/templates/pvc.yaml b/charts/reports-server/templates/pvc.yaml new file mode 100644 index 0000000..6bd7a52 --- /dev/null +++ b/charts/reports-server/templates/pvc.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: task-pv-claim + labels: + pv.beta.kubernetes.io/gid: "2000" +spec: + selector: + matchLabels: + {{- include "reports-server.selectorLabels" . | nindent 4 }} + storageClassName: standard + accessModes: + - ReadWriteMany + resources: + requests: + storage: 3Gi diff --git a/charts/reports-server/values.yaml b/charts/reports-server/values.yaml index 819f7be..226a83c 100644 --- a/charts/reports-server/values.yaml +++ b/charts/reports-server/values.yaml @@ -59,16 +59,16 @@ podSecurityContext: # -- Container security context # @default -- See [values.yaml](values.yaml) securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - privileged: false - allowPrivilegeEscalation: false - seccompProfile: - type: RuntimeDefault + # capabilities: + # drop: + # - ALL + readOnlyRootFilesystem: false + # runAsNonRoot: true + runAsUser: 0 + privileged: true + allowPrivilegeEscalation: true + # seccompProfile: + # type: RuntimeDefault # -- Liveness probe livenessProbe: diff --git a/config/install.yaml b/config/install.yaml index 366ea05..aec0e9c 100644 --- a/config/install.yaml +++ b/config/install.yaml 
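Review bot: pv.yaml creates a cluster-scoped `PersistentVolume` with a fixed name `task-pv-volume`, `hostPath: /data/etcd` and `ReadWriteMany`; a hostPath volume is node-local so RWX is not honoured, the fixed name collides across releases and namespaces, and binding the store to a host directory makes the etcd data (every policy report) readable by anyone with node or hostPath access. If persistence is needed, a `volumeClaimTemplate` or PVC against the cluster's storage class is the usual shape; if this is prototype-only (the commit title says `revert-later`), a `# prototype only: hostPath PV, do not ship` comment at the top of the template would at least make that explicit.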
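Review bot: values.yaml now ships the chart's default container `securityContext` as `privileged: true`, `runAsUser: 0`, `allowPrivilegeEscalation: true`, `readOnlyRootFilesystem: false` with the capability drop, `runAsNonRoot` and seccomp profile commented out — that applies to every chart user, not only the etcd prototype, and a privileged root pod with a hostPath mount is effectively node root. Nothing in the embedded etcd path visibly needs more than a writable data directory, which the `fsGroup: 2000` already present in install.yaml plus a non-hostPath volume provides, so the previous hardened block should be restored: `capabilities: {drop: [ALL]}`, `runAsNonRoot: true`, `runAsUser: 1000`, `privileged: false`, `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true`, `seccompProfile: {type: RuntimeDefault}`. If a temporary relaxation is unavoidable, gate it behind a non-default value rather than changing the defaults.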
@@ -45,6 +45,33 @@ data: postgres-password: "cmVwb3J0cw==" # We don't auto-generate LDAP password when it's not provided as we do for other passwords --- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: task-pv-volume + labels: + type: local +spec: + storageClassName: manual + capacity: + storage: 10Gi + accessModes: + - ReadWriteOnce + hostPath: + path: "/mnt/data" +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: task-pv-claim +spec: + storageClassName: manual + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 3Gi +--- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -312,6 +339,10 @@ spec: serviceAccountName: reports-server securityContext: fsGroup: 2000 + volumes: + - name: task-pv-storage + persistentVolumeClaim: + claimName: task-pv-claim containers: - name: reports-server args: @@ -345,6 +376,8 @@ spec: containerPort: 4443 protocol: TCP volumeMounts: + - mountPath: "/data/etcd" + name: task-pv-storage - mountPath: /tmp name: tmp-dir livenessProbe: diff --git a/pkg/app/policyserver.go b/pkg/app/policyserver.go index 9465942..d411c15 100644 --- a/pkg/app/policyserver.go +++ b/pkg/app/policyserver.go @@ -67,6 +67,7 @@ func runCommand(o *opts.Options, stopCh <-chan struct{}) error { if o.Debug { go func() { + klog.InfoS("starting embedded etcd etcd in directory=%s", o.EtcdDir) err := etcd.StartETCDServer(stopCh, o.EtcdDir) if err != nil { klog.ErrorS(err, "failed to start etcd server") diff --git a/pkg/storage/etcd/store.go b/pkg/storage/etcd/store.go index 830da72..276fab1 100644 --- a/pkg/storage/etcd/store.go +++ b/pkg/storage/etcd/store.go @@ -10,6 +10,7 @@ import ( "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime/schema" + "k8s.io/klog/v2" ) type ObjectStorageNamespaced[T metav1.Object] interface { 
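Review bot: `klog.InfoS("starting embedded etcd etcd in directory=%s", o.EtcdDir)` passes a printf verb to the structured `InfoS`, which takes a message followed by key/value pairs, so the `%s` is printed literally and the single trailing argument is logged as a malformed pair. It should be `klog.InfoS("starting embedded etcd", "dir", o.EtcdDir)`. The enclosing `runCommand` continues outside the hunk.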
@@ -57,13 +58,16 @@ func (o *objectStoreNamespaced[T]) Get(ctx context.Context, name, namespace stri key := o.getKey(name, namespace) resp, err := o.etcdclient.Get(ctx, key) if err != nil { + klog.ErrorS(err, "failed to get report kind=%s", o.gvk.String()) return obj, err } + klog.InfoS("get resp resp=%+v", resp) if len(resp.Kvs) != 1 { return obj, errors.NewNotFound(o.gr, key) } - err = json.Unmarshal(resp.Kvs[0].Value, obj) + err = json.Unmarshal(resp.Kvs[0].Value, &obj) if err != nil { + klog.ErrorS(err, "failed to marshal report kind=%s", o.gvk.String()) return obj, errors.NewNotFound(o.gr, key) } return obj, nil @@ -77,15 +81,17 @@ func (o *objectStoreNamespaced[T]) List(ctx context.Context, namespace string) ( key := o.getPrefix() resp, err := o.etcdclient.Get(ctx, key, clientv3.WithPrefix()) if err != nil { + klog.ErrorS(err, "failed to list report kind=%s", o.gvk.String()) return objects, err } + klog.InfoS("list resp resp=%+v", resp) if len(resp.Kvs) == 0 { return objects, errors.NewNotFound(o.gr, key) } objects = make([]T, 0, len(resp.Kvs)) for _, v := range resp.Kvs { var obj T - err = json.Unmarshal(v.Value, obj) + err = json.Unmarshal(v.Value, &obj) if err != nil { return objects, errors.NewNotFound(o.gr, key) } @@ -101,8 +107,10 @@ func (o *objectStoreNamespaced[T]) Create(ctx context.Context, obj T) error { key := o.getKey(obj.GetName(), obj.GetNamespace()) resp, err := o.etcdclient.Get(ctx, key) if err != nil { + klog.ErrorS(err, "failed to create report kind=%s", o.gvk.String()) return err } + klog.InfoS("create resp resp=%+v", resp) if len(resp.Kvs) > 0 { return errors.NewAlreadyExists(o.gr, key) } @@ -126,6 +134,7 @@ func (o *objectStoreNamespaced[T]) Update(ctx context.Context, obj T) error { key := o.getKey(obj.GetName(), obj.GetNamespace()) resp, err := o.etcdclient.Get(ctx, key) if err != nil { + klog.ErrorS(err, "failed to update report kind=%s", o.gvk.String()) return err } if len(resp.Kvs) != 1 { 
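Review bot: `klog.InfoS("get resp resp=%+v", resp)` in `Get` (and the matching lines added to `List` and `Create`) logs the full etcd response — keys and serialized report bodies — at info level on every call, which copies all report contents into the log stream, usually a wider audience than the API itself, besides the volume. The `ErrorS` calls also pass a format verb and a single odd argument where key/value pairs are expected, so `kind=%s` is emitted literally. Drop the response dumps (or gate them at `klog.V(4)` and log only `resp.Count`) and use `klog.ErrorS(err, "failed to get report", "kind", o.gvk.String(), "key", key)`. The message `"failed to marshal report"` on the unmarshal path names the wrong direction.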
@@ -151,6 +160,7 @@ func (o *objectStoreNamespaced[T]) Delete(ctx context.Context, name, namespace s key := o.getKey(name, namespace) resp, err := o.etcdclient.Delete(ctx, key) if err != nil { + klog.ErrorS(err, "failed to delete report kind=%s", o.gvk.String()) return err } if resp.Deleted == 0 { From c7164968833d9238ae657d31853f64c7a145b80a Mon Sep 17 00:00:00 2001 From: Vishal Choudhary Date: Mon, 21 Oct 2024 12:10:59 +0530 Subject: [PATCH 06/15] feat: update flag names Signed-off-by: Vishal Choudhary --- charts/reports-server/values.yaml | 4 ++++ pkg/app/opts/options.go | 6 +++--- pkg/app/policyserver.go | 2 +- pkg/server/config.go | 16 ++++++++++------ pkg/storage/store.go | 6 +++--- 5 files changed, 21 insertions(+), 13 deletions(-) diff --git a/charts/reports-server/values.yaml b/charts/reports-server/values.yaml index 226a83c..65d7472 100644 --- a/charts/reports-server/values.yaml +++ b/charts/reports-server/values.yaml @@ -165,6 +165,10 @@ config: # -- Enable debug (to use inmemorydatabase) debug: false + embedded: + enabled: true + dataDir: "" + db: # -- If set, database connection information will be read from the Secret with this name. Overrides `db.host`, `db.name`, `db.user`, and `db.password`. secretName: "" diff --git a/pkg/app/opts/options.go b/pkg/app/opts/options.go index 883e245..5a31b9d 100644 --- a/pkg/app/opts/options.go +++ b/pkg/app/opts/options.go @@ -31,7 +31,7 @@ type Options struct { Logging *logs.Options ShowVersion bool - Debug bool + Embedded bool Kubeconfig string // dbopts 
@@ -66,7 +66,7 @@ func (o *Options) validate() []error { func (o *Options) Flags() (fs flag.NamedFlagSets) { msfs := fs.FlagSet("policy server") - msfs.BoolVar(&o.Debug, "debug", false, "Use inmemory database for debugging") + msfs.BoolVar(&o.Embedded, "debug", false, "Use inmemory database for debugging") msfs.StringVar(&o.EtcdDir, "etcdDir", "", "Directory used for creating etcd server") msfs.BoolVar(&o.ShowVersion, "version", false, "Show version") msfs.StringVar(&o.Kubeconfig, "kubeconfig", o.Kubeconfig, "The path to the kubeconfig used to connect to the Kubernetes API server and the Kubelets (defaults to in-cluster config)") @@ -127,7 +127,7 @@ func (o Options) ServerConfig() (*server.Config, error) { return &server.Config{ Apiserver: apiserver, Rest: restConfig, - Debug: o.Debug, + Embedded: o.Embedded, DBconfig: dbconfig, }, nil } diff --git a/pkg/app/policyserver.go b/pkg/app/policyserver.go index d411c15..98da4d0 100644 --- a/pkg/app/policyserver.go +++ b/pkg/app/policyserver.go @@ -65,7 +65,7 @@ func runCommand(o *opts.Options, stopCh <-chan struct{}) error { return err } - if o.Debug { + if o.Embedded { go func() { klog.InfoS("starting embedded etcd etcd in directory=%s", o.EtcdDir) err := etcd.StartETCDServer(stopCh, o.EtcdDir) diff --git a/pkg/server/config.go b/pkg/server/config.go index e19d1f3..cb55dde 100644 --- a/pkg/server/config.go +++ b/pkg/server/config.go @@ -29,7 +29,7 @@ import ( type Config struct { Apiserver *genericapiserver.Config Rest *rest.Config - Debug bool + Embedded bool DBconfig *db.PostgresConfig } 
@@ -48,16 +48,20 @@ func (c Config) Complete() (*server, error) { } genericServer.Handler.NonGoRestfulMux.HandleFunc("/metrics", metricsHandler) - store, err := storage.New(c.Debug, c.DBconfig) + store, err := storage.New(c.Embedded, c.DBconfig) if err != nil { klog.Error(err) return nil, err } - klog.Info("performing migration...") - if err := c.migration(store); err != nil { - klog.Error(err) - return nil, err + // Embedded runs in a stateful set in high availability deployment + // TODO: Add leader election to add embedded + if !c.Embedded { + klog.Info("performing migration...") + if err := c.migration(store); err != nil { + klog.Error(err) + return nil, err + } } if err := api.Install(store, genericServer); err != nil { diff --git a/pkg/storage/store.go b/pkg/storage/store.go index c3a7ca7..9f6c35c 100644 --- a/pkg/storage/store.go +++ b/pkg/storage/store.go @@ -12,12 +12,12 @@ type Interface interface { api.Storage } -func New(debug bool, config *db.PostgresConfig) (Interface, error) { - klog.Infof("setting up storage, debug=%v", debug) +func New(embedded bool, config *db.PostgresConfig) (Interface, error) { + klog.Infof("setting up storage, embedded-db=%v", embedded) var storage api.Storage var err error - if debug { + if embedded { storage, err = etcd.New() if err != nil { return nil, err From 6dedb8b06badca118c4058d27da84a25481c17ed Mon Sep 17 00:00:00 2001 From: Vishal Choudhary Date: Wed, 30 Oct 2024 14:51:53 +0530 Subject: [PATCH 07/15] fix: add embedded etcd to chart 
Signed-off-by: Vishal Choudhary --- .github/kind.yml | 2 +- Makefile | 14 +- charts/reports-server/README.md | 5 +- .../reports-server/templates/deployment.yaml | 15 +- charts/reports-server/templates/etcd.yaml | 170 +++++++ charts/reports-server/templates/pv.yaml | 14 - charts/reports-server/templates/pvc.yaml | 16 - charts/reports-server/values.yaml | 9 +- ...nstall-inmemory.yaml => install-etcd.yaml} | 194 +++++++- config/install.yaml | 424 ++++++------------ pkg/app/opts/options.go | 18 +- pkg/app/policyserver.go | 13 - pkg/server/config.go | 12 +- pkg/storage/etcd/new.go | 59 +-- pkg/storage/store.go | 6 +- 15 files changed, 556 insertions(+), 415 deletions(-) create mode 100644 charts/reports-server/templates/etcd.yaml delete mode 100644 charts/reports-server/templates/pv.yaml delete mode 100644 charts/reports-server/templates/pvc.yaml rename config/{install-inmemory.yaml => install-etcd.yaml} (56%) diff --git a/.github/kind.yml b/.github/kind.yml index 99fa37b..f9ef53a 100644 --- a/.github/kind.yml +++ b/.github/kind.yml @@ -33,7 +33,7 @@ nodes: protocol: TCP extraMounts: - hostPath: /home/tmp - containerPath: /data/etcd + containerPath: /data - role: worker - role: worker - role: worker diff --git a/Makefile b/Makefile index 7790ee4..07736cd 100644 --- a/Makefile +++ b/Makefile 
@@ -164,23 +164,23 @@ codegen-install-manifest: $(HELM) ## Create install manifest | $(SED) -e '/^#.*/d' \ > ./config/install.yaml -codegen-install-manifest-inmemory: $(HELM) ## Create install manifest without postgres +codegen-install-manifest-etcd: $(HELM) ## Create install manifest without postgres @echo Generate latest install manifest... >&2 @$(HELM) template reports-server --namespace reports-server ./charts/reports-server/ \ --set apiServicesManagement.installApiServices.enabled=true \ --set image.tag=latest \ - --set config.debug=true \ + --set config.etcd.enabled=true \ --set postgresql.enabled=false \ --set templating.enabled=true \ | $(SED) -e '/^#.*/d' \ - > ./config/install-inmemory.yaml + > ./config/install-etcd.yaml .PHONY: codegen codegen: ## Rebuild all generated code and docs codegen: codegen-helm-docs codegen: codegen-openapi codegen: codegen-install-manifest -codegen: codegen-install-manifest-inmemory +codegen: codegen-install-manifest-etcd .PHONY: verify-codegen verify-codegen: codegen ## Verify all generated code and docs are up to date @@ -220,12 +220,12 @@ kind-install: $(HELM) kind-load ## Build image, load it in kind cluster and depl --set image.repository=$(PACKAGE) \ --set image.tag=$(GIT_SHA) -.PHONY: kind-install-inmemory -kind-install-inmemory: $(HELM) kind-load ## Build image, load it in kind cluster and deploy helm chart +.PHONY: kind-install-etcd +kind-install-etcd: $(HELM) kind-load ## Build image, load it in kind cluster and deploy helm chart @echo Install chart... >&2 @$(HELM) upgrade --install reports-server --namespace reports-server --create-namespace --wait ./charts/reports-server \ --set image.registry=$(KO_REGISTRY) \ - --set config.debug=true \ + --set config.etcd.enabled=true \ --set postgresql.enabled=false \ --set image.repository=$(PACKAGE) \ --set image.tag=$(GIT_SHA) diff --git a/charts/reports-server/README.md b/charts/reports-server/README.md index 81a7333..5a60f74 100644 --- a/charts/reports-server/README.md 
+++ b/charts/reports-server/README.md @@ -22,7 +22,7 @@ helm install reports-server --namespace reports-server --create-namespace report | Key | Type | Default | Description | |-----|------|---------|-------------| -| postgresql.enabled | bool | `true` | Deploy postgresql dependency chart | +| postgresql.enabled | bool | `false` | Deploy postgresql dependency chart | | postgresql.auth.postgresPassword | string | `"reports"` | | | postgresql.auth.database | string | `"reportsdb"` | | | nameOverride | string | `""` | Name override | @@ -61,7 +61,8 @@ helm install reports-server --namespace reports-server --create-namespace report | affinity | object | `{}` | Affinity | | service.type | string | `"ClusterIP"` | Service type | | service.port | int | `443` | Service port | -| config.debug | bool | `false` | Enable debug (to use inmemorydatabase) | +| config.etcd.enabled | bool | `true` | | +| config.etcd.endpoints | string | `nil` | | | config.db.secretName | string | `""` | If set, database connection information will be read from the Secret with this name. Overrides `db.host`, `db.name`, `db.user`, and `db.password`. | | config.db.host | string | `""` | Database host | | config.db.hostSecretKeyName | string | `"host"` | The database host will be read from this `key` in the specified Secret, when `db.secretName` is set. | diff --git a/charts/reports-server/templates/deployment.yaml b/charts/reports-server/templates/deployment.yaml index b8f4a17..adc971f 100644 --- a/charts/reports-server/templates/deployment.yaml +++ b/charts/reports-server/templates/deployment.yaml 
@@ -37,9 +37,10 @@ spec: containers: - name: reports-server args: - {{- if .Values.config.debug }} - - --debug - - --etcdDir=/data/etcd + {{- if .Values.config.etcd.enabled }} + - --etcd + - --etcdSkipTLS + - --etcdEndpoints=https://etcd-0.etcd.{{ $.Release.Namespace }}:2379,https://etcd-1.etcd.{{ $.Release.Namespace }}:2379,https://etcd-2.etcd.{{ $.Release.Namespace }}:2379 {{- else }} - --dbhost={{ include "reports-server.dbHost" . }} - --dbport={{ include "reports-server.dbPort" . }} @@ -92,11 +93,6 @@ spec: - name: https containerPort: 4443 protocol: TCP - volumeMounts: - - mountPath: "/data/etcd" - name: task-pv-storage - - mountPath: /tmp - name: tmp-dir {{- with .Values.livenessProbe }} livenessProbe: {{- toYaml . | nindent 12 }} @@ -122,6 +118,3 @@ spec: volumes: - emptyDir: {} name: tmp-dir - - name: task-pv-storage - persistentVolumeClaim: - claimName: task-pv-claim diff --git a/charts/reports-server/templates/etcd.yaml b/charts/reports-server/templates/etcd.yaml new file mode 100644 index 0000000..e10a8ca --- /dev/null +++ b/charts/reports-server/templates/etcd.yaml 
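Review bot: The args now pass `--etcdSkipTLS` together with `https://etcd-N.etcd.<ns>:2379` endpoints, while the etcd StatefulSet added in the same commit (etcd.yaml) listens with `URI_SCHEME=http` and has every `--client-cert-auth`/`--cert-file` flag commented out, so the endpoint scheme does not match the server and, more importantly, the report store is reachable in plaintext without authentication by any workload that can resolve `etcd.<ns>:2379`. The definitions of the new flags (options.go) are not in this chunk, so I can only infer from its name that `--etcdSkipTLS` disables verification, but a chart default should not do that; the endpoints should also be templated from `.Values.config.etcd.endpoints` (which the README now documents) rather than hard-coded. Until client-cert auth is wired up, a NetworkPolicy limiting access to the etcd service and a comment in values.yaml such as `# WARNING: embedded etcd currently runs without TLS/auth; restrict access with NetworkPolicy` would make the exposure explicit.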
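Review bot: The second hunk removes the whole `volumeMounts:` list, including the `/tmp` → `tmp-dir` mount, not only the etcd PVC mount, while the third hunk keeps the `tmp-dir` emptyDir under `volumes:`; if the hardened `readOnlyRootFilesystem: true` default is restored the server has no writable `/tmp` any more, and as it stands the volume is defined but unused. Restore `volumeMounts:` / `- mountPath: /tmp` / `name: tmp-dir` under the container.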
@@ -0,0 +1,170 @@ +{{- if .Values.config.etcd.enabled }} +--- +apiVersion: v1 +kind: Service +metadata: + name: etcd + namespace: {{ $.Release.Namespace }} + labels: + app: etcd-reports-server + {{- include "reports-server.labels" . | nindent 4 }} +spec: + type: ClusterIP + clusterIP: None + selector: + app: etcd-reports-server + publishNotReadyAddresses: true + ports: + - name: etcd-client + port: 2379 + - name: etcd-server + port: 2380 + - name: etcd-metrics + port: 8080 +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + namespace: {{ include "reports-server.fullname" . }} + name: etcd + labels: + app: etcd-reports-server + {{- include "reports-server.labels" . | nindent 4 }} +spec: + serviceName: etcd + replicas: 3 + podManagementPolicy: Parallel + updateStrategy: + type: RollingUpdate + selector: + matchLabels: + app: etcd-reports-server + template: + metadata: + labels: + app: etcd-reports-server + annotations: + serviceName: etcd + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - etcd-reports-server + topologyKey: "kubernetes.io/hostname" + containers: + - name: etcd + image: quay.io/coreos/etcd:v3.5.15 + imagePullPolicy: IfNotPresent + ports: + - name: etcd-client + containerPort: 2379 + - name: etcd-server + containerPort: 2380 + - name: etcd-metrics + containerPort: 8080 + readinessProbe: + httpGet: + path: /readyz + port: 8080 + initialDelaySeconds: 10 + periodSeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 30 + livenessProbe: + httpGet: + path: /livez + port: 8080 + initialDelaySeconds: 15 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 3 + env: + - name: K8S_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: HOSTNAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: SERVICE_NAME + valueFrom: + fieldRef: + fieldPath: 
metadata.annotations['serviceName'] + - name: ETCDCTL_ENDPOINTS + value: $(HOSTNAME).$(SERVICE_NAME):2379 + ## TLS client configuration for etcdctl in the container. + ## These files paths are part of the "etcd-client-certs" volume mount. + # - name: ETCDCTL_KEY + # value: /etc/etcd/certs/client/tls.key + # - name: ETCDCTL_CERT + # value: /etc/etcd/certs/client/tls.crt + # - name: ETCDCTL_CACERT + # value: /etc/etcd/certs/client/ca.crt + ## + ## Use this URI_SCHEME value for non-TLS clusters. + - name: URI_SCHEME + value: "http" + ## TLS: Use this URI_SCHEME for TLS clusters. + # - name: URI_SCHEME + # value: "https" + command: + - /usr/local/bin/etcd + args: + - --name=$(HOSTNAME) + - --data-dir=/data + - --wal-dir=/data/wal + - --listen-peer-urls=$(URI_SCHEME)://0.0.0.0:2380 + - --listen-client-urls=$(URI_SCHEME)://0.0.0.0:2379 + - --advertise-client-urls=$(URI_SCHEME)://$(HOSTNAME).$(SERVICE_NAME):2379 + - --initial-cluster-state=new + - --initial-cluster-token=etcd-$(K8S_NAMESPACE) + - --initial-cluster=etcd-0=$(URI_SCHEME)://etcd-0.$(SERVICE_NAME):2380,etcd-1=$(URI_SCHEME)://etcd-1.$(SERVICE_NAME):2380,etcd-2=$(URI_SCHEME)://etcd-2.$(SERVICE_NAME):2380 + - --initial-advertise-peer-urls=$(URI_SCHEME)://$(HOSTNAME).$(SERVICE_NAME):2380 + - --listen-metrics-urls=http://0.0.0.0:8080 + # - --auto-compaction-mode=periodic + # - --auto-compaction-retention=10m + # - --client-cert-auth + # - --trusted-ca-file=$(ETCDCTL_CACERT) + # - --cert-file=$(ETCDCTL_CERT) + # - --key-file=$(ETCDCTL_KEY) + # - --peer-client-cert-auth + # - --peer-trusted-ca-file=/etc/etcd/certs/server/ca.crt + # - --peer-cert-file=/etc/etcd/certs/server/tls.crt + # - --peer-key-file=/etc/etcd/certs/server/tls.key + volumeMounts: + - name: etcd-data + mountPath: /data + # - name: etcd-client-tls + # mountPath: "/etc/etcd/certs/client" + # readOnly: true + # - name: etcd-server-tls + # mountPath: "/etc/etcd/certs/server" + # readOnly: true + volumes: + # - name: etcd-client-tls + # secret: + # 
secretName: etcd-client-tls + # optional: false + # - name: etcd-server-tls + # secret: + # secretName: etcd-server-tls + # optional: false + volumeClaimTemplates: + - metadata: + name: etcd-data + spec: + accessModes: ["ReadWriteOnce"] + resources: + requests: + storage: 1Gi +{{- end }} + diff --git a/charts/reports-server/templates/pv.yaml b/charts/reports-server/templates/pv.yaml deleted file mode 100644 index 5df30ca..0000000 --- a/charts/reports-server/templates/pv.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: v1 -kind: PersistentVolume -metadata: - name: task-pv-volume - labels: - type: local -spec: - storageClassName: standard - capacity: - storage: 10Gi - accessModes: - - ReadWriteMany - hostPath: - path: "/data/etcd" diff --git a/charts/reports-server/templates/pvc.yaml b/charts/reports-server/templates/pvc.yaml deleted file mode 100644 index 6bd7a52..0000000 --- a/charts/reports-server/templates/pvc.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: task-pv-claim - labels: - pv.beta.kubernetes.io/gid: "2000" -spec: - selector: - matchLabels: - {{- include "reports-server.selectorLabels" . | nindent 4 }} - storageClassName: standard - accessModes: - - ReadWriteMany - resources: - requests: - storage: 3Gi diff --git a/charts/reports-server/values.yaml b/charts/reports-server/values.yaml index 65d7472..66a83f4 100644 --- a/charts/reports-server/values.yaml +++ b/charts/reports-server/values.yaml @@ -6,7 +6,7 @@ templating: postgresql: # -- Deploy postgresql dependency chart - enabled: true + enabled: false auth: @@ -162,12 +162,9 @@ service: config: - # -- Enable debug (to use inmemorydatabase) - debug: false - - embedded: + etcd: enabled: true - dataDir: "" + endpoints: ~ db: # -- If set, database connection information will be read from the Secret with this name. Overrides `db.host`, `db.name`, `db.user`, and `db.password`. 
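Review bot: The StatefulSet is rendered with `namespace: {{ include "reports-server.fullname" . }}` while the headless Service and the deployment's endpoints use `$.Release.Namespace`, so unless the release name happens to equal the namespace (as it does in the checked-in config/install*.yaml) the etcd pods land somewhere `etcd-N.etcd.<ns>` does not resolve to; change it to `namespace: {{ $.Release.Namespace }}`. Beyond that, etcd listens on `http://0.0.0.0:2379` and `2380` with every TLS, `--client-cert-auth` and `--peer-client-cert-auth` flag left as a comment, which means any workload that can reach the namespace can read or overwrite every policy report and join the peer ring; the commented secret mounts should be driven by chart values so the secure path is reachable without editing the template. The etcd container also gets no securityContext at all (the hardened context in values.yaml applies only to the reports-server container), so it runs with the image's default user, presumably root; add `runAsNonRoot`, `readOnlyRootFilesystem`, capability drop and a seccomp profile there too, and consider a NetworkPolicy limiting 2379/2380 to the reports-server pods. The metrics listener on 8080 is separately unauthenticated.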
diff --git a/config/install-inmemory.yaml b/config/install-etcd.yaml similarity index 56% rename from config/install-inmemory.yaml rename to config/install-etcd.yaml index c111b85..3194aa7 100644 --- a/config/install-inmemory.yaml +++ b/config/install-etcd.yaml @@ -174,6 +174,31 @@ subjects: --- apiVersion: v1 kind: Service +metadata: + name: etcd + namespace: reports-server + labels: + helm.sh/chart: reports-server-0.1.1 + app.kubernetes.io/name: reports-server + app.kubernetes.io/instance: reports-server + app.kubernetes.io/version: "v0.1.1" + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + clusterIP: None + selector: + app: etcd-reports-server + publishNotReadyAddresses: true + ports: + - name: etcd-client + port: 2379 + - name: etcd-server + port: 2380 + - name: etcd-metrics + port: 8080 +--- +apiVersion: v1 +kind: Service metadata: name: reports-server namespace: reports-server @@ -227,30 +252,23 @@ spec: containers: - name: reports-server args: - - --debug + - --etcd + - --etcdSkipTLS + - --etcdEndpoints=https://etcd-0.etcd.reports-server:2379,https://etcd-1.etcd.reports-server:2379,https://etcd-2.etcd.reports-server:2379 - --cert-dir=/tmp - --secure-port=4443 - --authorization-always-allow-paths=/metrics securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - seccompProfile: - type: RuntimeDefault + allowPrivilegeEscalation: true + privileged: true + readOnlyRootFilesystem: false + runAsUser: 0 image: "ghcr.io/kyverno/reports-server:latest" imagePullPolicy: IfNotPresent ports: - name: https containerPort: 4443 protocol: TCP - volumeMounts: - - mountPath: /tmp - name: tmp-dir livenessProbe: failureThreshold: 10 httpGet: 
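Review bot: The second hunk downgrades the reports-server container from a non-root, capability-dropped, read-only, seccomp-confined profile to `privileged: true`, `runAsUser: 0`, `allowPrivilegeEscalation: true`, `readOnlyRootFilesystem: false`, which is a container-escape-grade regression in the shipped install manifest. Nothing in the etcd client path needs root; the only thing the read-only filesystem lost is the `/tmp` mount for `--cert-dir=/tmp`, which is exactly the volumeMount this hunk also deletes. PATCH 08 later in this series restores the hardened context and the `/tmp` mount in config/install*.yaml and the chart values, so only the intermediate commits ship it, but it should not land as is; if this file is rendered from the chart, the fix belongs in values.yaml. The same downgrade appears in the config/install.yaml section further down.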
@@ -274,6 +292,154 @@ spec: - emptyDir: {} name: tmp-dir --- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + namespace: reports-server + name: etcd + labels: + helm.sh/chart: reports-server-0.1.1 + app.kubernetes.io/name: reports-server + app.kubernetes.io/instance: reports-server + app.kubernetes.io/version: "v0.1.1" + app.kubernetes.io/managed-by: Helm +spec: + serviceName: etcd + replicas: 3 + podManagementPolicy: Parallel + updateStrategy: + type: RollingUpdate + selector: + matchLabels: + app: etcd + template: + metadata: + labels: + app: etcd-reports-server + annotations: + serviceName: etcd + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - etcd + topologyKey: "kubernetes.io/hostname" + containers: + - name: etcd + image: quay.io/coreos/etcd:v3.5.15 + imagePullPolicy: IfNotPresent + ports: + - name: etcd-client + containerPort: 2379 + - name: etcd-server + containerPort: 2380 + - name: etcd-metrics + containerPort: 8080 + readinessProbe: + httpGet: + path: /readyz + port: 8080 + initialDelaySeconds: 10 + periodSeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 30 + livenessProbe: + httpGet: + path: /livez + port: 8080 + initialDelaySeconds: 15 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 3 + env: + - name: K8S_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: HOSTNAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: SERVICE_NAME + valueFrom: + fieldRef: + fieldPath: metadata.annotations['serviceName'] + - name: ETCDCTL_ENDPOINTS + value: $(HOSTNAME).$(SERVICE_NAME):2379 + ## TLS client configuration for etcdctl in the container. + ## These files paths are part of the "etcd-client-certs" volume mount. 
+ # - name: ETCDCTL_KEY + # value: /etc/etcd/certs/client/tls.key + # - name: ETCDCTL_CERT + # value: /etc/etcd/certs/client/tls.crt + # - name: ETCDCTL_CACERT + # value: /etc/etcd/certs/client/ca.crt + ## + ## Use this URI_SCHEME value for non-TLS clusters. + - name: URI_SCHEME + value: "http" + ## TLS: Use this URI_SCHEME for TLS clusters. + # - name: URI_SCHEME + # value: "https" + command: + - /usr/local/bin/etcd + args: + - --name=$(HOSTNAME) + - --data-dir=/data + - --wal-dir=/data/wal + - --listen-peer-urls=$(URI_SCHEME)://0.0.0.0:2380 + - --listen-client-urls=$(URI_SCHEME)://0.0.0.0:2379 + - --advertise-client-urls=$(URI_SCHEME)://$(HOSTNAME).$(SERVICE_NAME):2379 + - --initial-cluster-state=new + - --initial-cluster-token=etcd-$(K8S_NAMESPACE) + - --initial-cluster=etcd-0=$(URI_SCHEME)://etcd-0.$(SERVICE_NAME):2380,etcd-1=$(URI_SCHEME)://etcd-1.$(SERVICE_NAME):2380,etcd-2=$(URI_SCHEME)://etcd-2.$(SERVICE_NAME):2380 + - --initial-advertise-peer-urls=$(URI_SCHEME)://$(HOSTNAME).$(SERVICE_NAME):2380 + - --listen-metrics-urls=http://0.0.0.0:8080 + # - --auto-compaction-mode=periodic + # - --auto-compaction-retention=10m + # - --client-cert-auth + # - --trusted-ca-file=$(ETCDCTL_CACERT) + # - --cert-file=$(ETCDCTL_CERT) + # - --key-file=$(ETCDCTL_KEY) + # - --peer-client-cert-auth + # - --peer-trusted-ca-file=/etc/etcd/certs/server/ca.crt + # - --peer-cert-file=/etc/etcd/certs/server/tls.crt + # - --peer-key-file=/etc/etcd/certs/server/tls.key + volumeMounts: + - name: etcd-data + mountPath: /data + # - name: etcd-client-tls + # mountPath: "/etc/etcd/certs/client" + # readOnly: true + # - name: etcd-server-tls + # mountPath: "/etc/etcd/certs/server" + # readOnly: true + volumes: + # - name: etcd-client-tls + # secret: + # secretName: etcd-client-tls + # optional: false + # - name: etcd-server-tls + # secret: + # secretName: etcd-server-tls + # optional: false + volumeClaimTemplates: + - metadata: + name: etcd-data + spec: + accessModes: ["ReadWriteOnce"] + 
resources: + requests: + storage: 1Gi +--- apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: diff --git a/config/install.yaml b/config/install.yaml index aec0e9c..3194aa7 100644 --- a/config/install.yaml +++ b/config/install.yaml @@ -6,19 +6,6 @@ metadata: --- apiVersion: v1 kind: ServiceAccount -metadata: - name: reports-server-postgresql - namespace: "reports-server" - labels: - app.kubernetes.io/instance: reports-server - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: postgresql - app.kubernetes.io/version: 16.1.0 - helm.sh/chart: postgresql-13.4.1 -automountServiceAccountToken: false ---- -apiVersion: v1 -kind: ServiceAccount metadata: name: reports-server namespace: reports-server @@ -29,49 +16,6 @@ metadata: app.kubernetes.io/version: "v0.1.1" app.kubernetes.io/managed-by: Helm --- -apiVersion: v1 -kind: Secret -metadata: - name: reports-server-postgresql - namespace: "reports-server" - labels: - app.kubernetes.io/instance: reports-server - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: postgresql - app.kubernetes.io/version: 16.1.0 - helm.sh/chart: postgresql-13.4.1 -type: Opaque -data: - postgres-password: "cmVwb3J0cw==" - # We don't auto-generate LDAP password when it's not provided as we do for other passwords ---- -apiVersion: v1 -kind: PersistentVolume -metadata: - name: task-pv-volume - labels: - type: local -spec: - storageClassName: manual - capacity: - storage: 10Gi - accessModes: - - ReadWriteOnce - hostPath: - path: "/mnt/data" ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: task-pv-claim -spec: - storageClassName: manual - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 3Gi ---- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: 
@@ -231,61 +175,27 @@ subjects: apiVersion: v1 kind: Service metadata: - name: reports-server-postgresql-hl - namespace: "reports-server" + name: etcd + namespace: reports-server labels: + helm.sh/chart: reports-server-0.1.1 + app.kubernetes.io/name: reports-server app.kubernetes.io/instance: reports-server + app.kubernetes.io/version: "v0.1.1" app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: postgresql - app.kubernetes.io/version: 16.1.0 - helm.sh/chart: postgresql-13.4.1 - app.kubernetes.io/component: primary - annotations: - # Use this annotation in addition to the actual publishNotReadyAddresses - # field below because the annotation will stop being respected soon but the - # field is broken in some versions of Kubernetes: - # https://github.com/kubernetes/kubernetes/issues/58662 - service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" spec: type: ClusterIP clusterIP: None - # We want all pods in the StatefulSet to have their addresses published for - # the sake of the other Postgresql pods even before they're ready, since they - # have to be able to talk to each other in order to become ready. 
- publishNotReadyAddresses: true - ports: - - name: tcp-postgresql - port: 5432 - targetPort: tcp-postgresql selector: - app.kubernetes.io/instance: reports-server - app.kubernetes.io/name: postgresql - app.kubernetes.io/component: primary ---- -apiVersion: v1 -kind: Service -metadata: - name: reports-server-postgresql - namespace: "reports-server" - labels: - app.kubernetes.io/instance: reports-server - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: postgresql - app.kubernetes.io/version: 16.1.0 - helm.sh/chart: postgresql-13.4.1 - app.kubernetes.io/component: primary -spec: - type: ClusterIP - sessionAffinity: None + app: etcd-reports-server + publishNotReadyAddresses: true ports: - - name: tcp-postgresql - port: 5432 - targetPort: tcp-postgresql - nodePort: null - selector: - app.kubernetes.io/instance: reports-server - app.kubernetes.io/name: postgresql - app.kubernetes.io/component: primary + - name: etcd-client + port: 2379 + - name: etcd-server + port: 2380 + - name: etcd-metrics + port: 8080 --- apiVersion: v1 kind: Service 
@@ -339,47 +249,26 @@ spec: serviceAccountName: reports-server securityContext: fsGroup: 2000 - volumes: - - name: task-pv-storage - persistentVolumeClaim: - claimName: task-pv-claim containers: - name: reports-server args: - - --dbhost=reports-server-postgresql.reports-server - - --dbport=5432 - - --dbuser=postgres - - --dbpassword=reports - - --dbname=reportsdb - - --dbsslmode=disable - - --dbsslrootcert= - - --dbsslkey= - - --dbsslcert= + - --etcd + - --etcdSkipTLS + - --etcdEndpoints=https://etcd-0.etcd.reports-server:2379,https://etcd-1.etcd.reports-server:2379,https://etcd-2.etcd.reports-server:2379 - --cert-dir=/tmp - --secure-port=4443 - --authorization-always-allow-paths=/metrics securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - seccompProfile: - type: RuntimeDefault + allowPrivilegeEscalation: true + privileged: true + readOnlyRootFilesystem: false + runAsUser: 0 image: "ghcr.io/kyverno/reports-server:latest" imagePullPolicy: IfNotPresent ports: - name: https containerPort: 4443 protocol: TCP - volumeMounts: - - mountPath: "/data/etcd" - name: task-pv-storage - - mountPath: /tmp - name: tmp-dir livenessProbe: failureThreshold: 10 httpGet: 
@@ -406,171 +295,150 @@ spec: apiVersion: apps/v1 kind: StatefulSet metadata: - name: reports-server-postgresql - namespace: "reports-server" + namespace: reports-server + name: etcd labels: + helm.sh/chart: reports-server-0.1.1 + app.kubernetes.io/name: reports-server app.kubernetes.io/instance: reports-server + app.kubernetes.io/version: "v0.1.1" app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: postgresql - app.kubernetes.io/version: 16.1.0 - helm.sh/chart: postgresql-13.4.1 - app.kubernetes.io/component: primary spec: - replicas: 1 - serviceName: reports-server-postgresql-hl + serviceName: etcd + replicas: 3 + podManagementPolicy: Parallel updateStrategy: - rollingUpdate: {} type: RollingUpdate selector: matchLabels: - app.kubernetes.io/instance: reports-server - app.kubernetes.io/name: postgresql - app.kubernetes.io/component: primary + app: etcd template: metadata: - name: reports-server-postgresql labels: - app.kubernetes.io/instance: reports-server - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: postgresql - app.kubernetes.io/version: 16.1.0 - helm.sh/chart: postgresql-13.4.1 - app.kubernetes.io/component: primary + app: etcd-reports-server + annotations: + serviceName: etcd spec: - serviceAccountName: reports-server-postgresql - - automountServiceAccountToken: false affinity: - podAffinity: - podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchLabels: - app.kubernetes.io/instance: reports-server - app.kubernetes.io/name: postgresql - app.kubernetes.io/component: primary - topologyKey: kubernetes.io/hostname - weight: 1 - nodeAffinity: - - securityContext: - fsGroup: 1001 - fsGroupChangePolicy: Always - supplementalGroups: [] - sysctls: [] - hostNetwork: false - hostIPC: false + - weight: 1 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - etcd + topologyKey: "kubernetes.io/hostname" containers: - - name: postgresql - image: 
docker.io/bitnami/postgresql:16.1.0-debian-11-r22 - imagePullPolicy: "IfNotPresent" - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: false - runAsNonRoot: true - runAsUser: 1001 - seLinuxOptions: {} - seccompProfile: - type: RuntimeDefault - env: - - name: BITNAMI_DEBUG - value: "false" - - name: POSTGRESQL_PORT_NUMBER - value: "5432" - - name: POSTGRESQL_VOLUME_DIR - value: "/bitnami/postgresql" - - name: PGDATA - value: "/bitnami/postgresql/data" - # Authentication - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - name: reports-server-postgresql - key: postgres-password - - name: POSTGRES_DATABASE - value: "reportsdb" - # Replication - # Initdb - # Standby - # LDAP - - name: POSTGRESQL_ENABLE_LDAP - value: "no" - # TLS - - name: POSTGRESQL_ENABLE_TLS - value: "no" - # Audit - - name: POSTGRESQL_LOG_HOSTNAME - value: "false" - - name: POSTGRESQL_LOG_CONNECTIONS - value: "false" - - name: POSTGRESQL_LOG_DISCONNECTIONS - value: "false" - - name: POSTGRESQL_PGAUDIT_LOG_CATALOG - value: "off" - # Others - - name: POSTGRESQL_CLIENT_MIN_MESSAGES - value: "error" - - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES - value: "pgaudit" - ports: - - name: tcp-postgresql - containerPort: 5432 - livenessProbe: - failureThreshold: 6 - initialDelaySeconds: 30 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 - exec: - command: - - /bin/sh - - -c - - exec pg_isready -U "postgres" -d "dbname=reportsdb" -h 127.0.0.1 -p 5432 - readinessProbe: - failureThreshold: 6 - initialDelaySeconds: 5 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 - exec: - command: - - /bin/sh - - -c - - -e - - | - exec pg_isready -U "postgres" -d "dbname=reportsdb" -h 127.0.0.1 -p 5432 - [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ] - resources: - limits: {} - requests: - cpu: 250m - memory: 256Mi - volumeMounts: - - name: dshm - mountPath: /dev/shm - - 
name: data - mountPath: /bitnami/postgresql + - name: etcd + image: quay.io/coreos/etcd:v3.5.15 + imagePullPolicy: IfNotPresent + ports: + - name: etcd-client + containerPort: 2379 + - name: etcd-server + containerPort: 2380 + - name: etcd-metrics + containerPort: 8080 + readinessProbe: + httpGet: + path: /readyz + port: 8080 + initialDelaySeconds: 10 + periodSeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 30 + livenessProbe: + httpGet: + path: /livez + port: 8080 + initialDelaySeconds: 15 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 3 + env: + - name: K8S_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: HOSTNAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: SERVICE_NAME + valueFrom: + fieldRef: + fieldPath: metadata.annotations['serviceName'] + - name: ETCDCTL_ENDPOINTS + value: $(HOSTNAME).$(SERVICE_NAME):2379 + ## TLS client configuration for etcdctl in the container. + ## These files paths are part of the "etcd-client-certs" volume mount. + # - name: ETCDCTL_KEY + # value: /etc/etcd/certs/client/tls.key + # - name: ETCDCTL_CERT + # value: /etc/etcd/certs/client/tls.crt + # - name: ETCDCTL_CACERT + # value: /etc/etcd/certs/client/ca.crt + ## + ## Use this URI_SCHEME value for non-TLS clusters. + - name: URI_SCHEME + value: "http" + ## TLS: Use this URI_SCHEME for TLS clusters. 
+ # - name: URI_SCHEME + # value: "https" + command: + - /usr/local/bin/etcd + args: + - --name=$(HOSTNAME) + - --data-dir=/data + - --wal-dir=/data/wal + - --listen-peer-urls=$(URI_SCHEME)://0.0.0.0:2380 + - --listen-client-urls=$(URI_SCHEME)://0.0.0.0:2379 + - --advertise-client-urls=$(URI_SCHEME)://$(HOSTNAME).$(SERVICE_NAME):2379 + - --initial-cluster-state=new + - --initial-cluster-token=etcd-$(K8S_NAMESPACE) + - --initial-cluster=etcd-0=$(URI_SCHEME)://etcd-0.$(SERVICE_NAME):2380,etcd-1=$(URI_SCHEME)://etcd-1.$(SERVICE_NAME):2380,etcd-2=$(URI_SCHEME)://etcd-2.$(SERVICE_NAME):2380 + - --initial-advertise-peer-urls=$(URI_SCHEME)://$(HOSTNAME).$(SERVICE_NAME):2380 + - --listen-metrics-urls=http://0.0.0.0:8080 + # - --auto-compaction-mode=periodic + # - --auto-compaction-retention=10m + # - --client-cert-auth + # - --trusted-ca-file=$(ETCDCTL_CACERT) + # - --cert-file=$(ETCDCTL_CERT) + # - --key-file=$(ETCDCTL_KEY) + # - --peer-client-cert-auth + # - --peer-trusted-ca-file=/etc/etcd/certs/server/ca.crt + # - --peer-cert-file=/etc/etcd/certs/server/tls.crt + # - --peer-key-file=/etc/etcd/certs/server/tls.key + volumeMounts: + - name: etcd-data + mountPath: /data + # - name: etcd-client-tls + # mountPath: "/etc/etcd/certs/client" + # readOnly: true + # - name: etcd-server-tls + # mountPath: "/etc/etcd/certs/server" + # readOnly: true volumes: - - name: dshm - emptyDir: - medium: Memory + # - name: etcd-client-tls + # secret: + # secretName: etcd-client-tls + # optional: false + # - name: etcd-server-tls + # secret: + # secretName: etcd-server-tls + # optional: false volumeClaimTemplates: - - apiVersion: v1 - kind: PersistentVolumeClaim - metadata: - name: data - spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "8Gi" + - metadata: + name: etcd-data + spec: + accessModes: ["ReadWriteOnce"] + resources: + requests: + storage: 1Gi --- apiVersion: apiregistration.k8s.io/v1 kind: APIService 
diff --git a/pkg/app/opts/options.go b/pkg/app/opts/options.go index 5a31b9d..47e69db 100644 --- a/pkg/app/opts/options.go +++ b/pkg/app/opts/options.go @@ -9,6 +9,7 @@ import ( generatedopenapi "github.com/kyverno/reports-server/pkg/api/generated/openapi" "github.com/kyverno/reports-server/pkg/server" "github.com/kyverno/reports-server/pkg/storage/db" + "github.com/kyverno/reports-server/pkg/storage/etcd" openapinamer "k8s.io/apiserver/pkg/endpoints/openapi" genericapiserver "k8s.io/apiserver/pkg/server" genericoptions "k8s.io/apiserver/pkg/server/options" @@ -31,10 +32,11 @@ type Options struct { Logging *logs.Options ShowVersion bool - Embedded bool + Etcd bool Kubeconfig string // dbopts + EtcdConfig etcd.EtcdConfig EtcdDir string DBHost string DBPort int @@ -66,8 +68,9 @@ func (o *Options) validate() []error { func (o *Options) Flags() (fs flag.NamedFlagSets) { msfs := fs.FlagSet("policy server") - msfs.BoolVar(&o.Embedded, "debug", false, "Use inmemory database for debugging") - msfs.StringVar(&o.EtcdDir, "etcdDir", "", "Directory used for creating etcd server") + msfs.BoolVar(&o.Etcd, "etcd", false, "Use embedded etcd database") + msfs.StringVar(&o.EtcdConfig.Endpoints, "etcdEndpoints", "", "Enpoints used for connect to etcd server") + msfs.BoolVar(&o.EtcdConfig.Insecure, "etcdSkipTLS", true, "Skip TLS verification when connecting to etcd") msfs.BoolVar(&o.ShowVersion, "version", false, "Show version") msfs.StringVar(&o.Kubeconfig, "kubeconfig", o.Kubeconfig, "The path to the kubeconfig used to connect to the Kubernetes API server and the Kubelets (defaults to in-cluster config)") msfs.StringVar(&o.DBHost, "dbhost", "reportsdb.kyverno", "Host url of postgres instance") 
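Review bot: `--etcdSkipTLS` defaults to `true` in the Flags hunk, so every deployment that does not explicitly opt out talks to etcd with transport security disabled; an insecure transport should be opt-in, e.g. `msfs.BoolVar(&o.EtcdConfig.Insecure, "etcdSkipTLS", false, "Connect to etcd over plaintext gRPC without TLS; never use outside test clusters")`. The `etcdEndpoints` help text has a typo (`Enpoints used for connect`), and the struct hunk just above keeps the now-unused `EtcdDir` field after its flag was removed. `validate()` appears only as hunk context, but it should reject `Etcd` being set with an empty `EtcdConfig.Endpoints`, since `strings.Split("", ",")` downstream yields a single empty endpoint rather than an error.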
@@ -125,10 +128,11 @@ func (o Options) ServerConfig() (*server.Config, error) { } return &server.Config{ - Apiserver: apiserver, - Rest: restConfig, - Embedded: o.Embedded, - DBconfig: dbconfig, + Apiserver: apiserver, + Rest: restConfig, + Embedded: o.Etcd, + EtcdConfig: &o.EtcdConfig, + DBconfig: dbconfig, }, nil } diff --git a/pkg/app/policyserver.go b/pkg/app/policyserver.go index 98da4d0..0e83130 100644 --- a/pkg/app/policyserver.go +++ b/pkg/app/policyserver.go @@ -6,13 +6,11 @@ import ( "os" "github.com/kyverno/reports-server/pkg/app/opts" - "github.com/kyverno/reports-server/pkg/storage/etcd" "github.com/spf13/cobra" cliflag "k8s.io/component-base/cli/flag" "k8s.io/component-base/logs" "k8s.io/component-base/term" "k8s.io/component-base/version" - "k8s.io/klog/v2" ) func NewPolicyServer(stopCh <-chan struct{}) *cobra.Command { @@ -65,17 +63,6 @@ func runCommand(o *opts.Options, stopCh <-chan struct{}) error { return err } - if o.Embedded { - go func() { - klog.InfoS("starting embedded etcd etcd in directory=%s", o.EtcdDir) - err := etcd.StartETCDServer(stopCh, o.EtcdDir) - if err != nil { - klog.ErrorS(err, "failed to start etcd server") - os.Exit(1) - } - }() - } - s, err := config.Complete() if err != nil { return err diff --git a/pkg/server/config.go b/pkg/server/config.go index cb55dde..91807e1 100644 --- a/pkg/server/config.go +++ b/pkg/server/config.go @@ -11,6 +11,7 @@ import ( "github.com/kyverno/reports-server/pkg/api" "github.com/kyverno/reports-server/pkg/storage" "github.com/kyverno/reports-server/pkg/storage/db" + "github.com/kyverno/reports-server/pkg/storage/etcd" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/watch" apimetrics "k8s.io/apiserver/pkg/endpoints/metrics" 
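Review bot: `Embedded: o.Etcd` keeps the `server.Config.Embedded` name for a switch that now selects an external etcd cluster reached through `EtcdConfig`, not an in-process server (the `StartETCDServer` goroutine is deleted in the policyserver.go hunk of this same commit), which will mislead anyone auditing where report data lives. Either rename the field, since the struct is touched in the pkg/server/config.go hunk of this commit, or document it: `// Embedded selects the etcd backend; the in-process server was removed, so this is an external cluster described by EtcdConfig.` The storage package's `embedded` parameter and its `embedded-db=` log message have the same drift.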
@@ -27,10 +28,11 @@ import ( ) type Config struct { - Apiserver *genericapiserver.Config - Rest *rest.Config - Embedded bool - DBconfig *db.PostgresConfig + Apiserver *genericapiserver.Config + Rest *rest.Config + Embedded bool + EtcdConfig *etcd.EtcdConfig + DBconfig *db.PostgresConfig } func (c Config) Complete() (*server, error) { @@ -48,7 +50,7 @@ func (c Config) Complete() (*server, error) { } genericServer.Handler.NonGoRestfulMux.HandleFunc("/metrics", metricsHandler) - store, err := storage.New(c.Embedded, c.DBconfig) + store, err := storage.New(c.Embedded, c.DBconfig, c.EtcdConfig) if err != nil { klog.Error(err) return nil, err diff --git a/pkg/storage/etcd/new.go b/pkg/storage/etcd/new.go index 1fc24b0..ee8b4bd 100644 --- a/pkg/storage/etcd/new.go +++ b/pkg/storage/etcd/new.go @@ -1,22 +1,25 @@ package etcd import ( - "errors" + "crypto/tls" + "strings" "time" reportsv1 "github.com/kyverno/kyverno/api/reports/v1" "github.com/kyverno/reports-server/pkg/storage/api" "github.com/kyverno/reports-server/pkg/utils" clientv3 "go.etcd.io/etcd/client/v3" - "go.etcd.io/etcd/server/v3/embed" - "k8s.io/klog/v2" + "google.golang.org/grpc" + "google.golang.org/grpc/credentials/insecure" "sigs.k8s.io/wg-policy-prototypes/policy-report/pkg/api/wgpolicyk8s.io/v1alpha2" ) -var ( - etcdEndpoints = embed.DefaultListenClientURLs - dialTimeout = 10 * time.Second -) +var dialTimeout = 10 * time.Second + +type EtcdConfig struct { + Endpoints string + Insecure bool +} type etcdClient struct { polrClient ObjectStorageNamespaced[*v1alpha2.PolicyReport] 
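Review bot: `EtcdConfig` is a new exported type with no doc comment and only two knobs, `Endpoints` as a comma-separated string and `Insecure`, so an operator cannot pin the etcd CA or present a client certificate even though templates/etcd.yaml has `--client-cert-auth` prepared as a comment; the secure path is unreachable from configuration. Add documented fields such as `CAFile string // PEM bundle used to verify the etcd server; empty means system roots`, `CertFile string // optional client certificate for servers running with --client-cert-auth`, `KeyFile string // private key matching CertFile`, and consider `Endpoints []string` bound with a slice flag (presumably `msfs.StringSliceVar`) instead of splitting later. The type's doc comment should also state that `Insecure` means plaintext gRPC, not merely skipped certificate verification.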
@@ -25,11 +28,18 @@ type etcdClient struct { cephrClient ObjectStorageCluster[*reportsv1.ClusterEphemeralReport] } -func New() (api.Storage, error) { - client, err := clientv3.New(clientv3.Config{ +func New(cfg *EtcdConfig) (api.Storage, error) { + clientCfg := clientv3.Config{ DialTimeout: dialTimeout, - Endpoints: []string{etcdEndpoints}, - }) + Endpoints: strings.Split(cfg.Endpoints, ","), + } + if cfg.Insecure { + clientCfg.TLS = &tls.Config{ + InsecureSkipVerify: true, + } + clientCfg.DialOptions = []grpc.DialOption{grpc.WithTransportCredentials(insecure.NewCredentials())} + } + client, err := clientv3.New(clientCfg) if err != nil { return nil, err } @@ -61,30 +71,3 @@ func (e *etcdClient) EphemeralReports() api.EphemeralReportsInterface { func (e *etcdClient) ClusterEphemeralReports() api.ClusterEphemeralReportsInterface { return e.cephrClient } - -func StartETCDServer(stopCh <-chan struct{}, dir string) error { - etcdConfig := embed.NewConfig() - etcdConfig.Dir = dir - etcd, err := embed.StartEtcd(etcdConfig) - if err != nil { - return err - } - defer etcd.Close() - - select { - case <-etcd.Server.ReadyNotify(): - klog.Info("etcd server is running!") - case <-time.After(100 * time.Second): - etcd.Server.Stop() - return errors.New("etcd server timed out and stopped!") - } - - select { - case <-stopCh: - klog.Info("etcd server stopped") - return nil - case err := <-etcd.Err(): - klog.Error("error encountered in etcd server", err.Error()) - return err - } -} diff --git a/pkg/storage/store.go b/pkg/storage/store.go index 9f6c35c..a6650c3 100644 --- a/pkg/storage/store.go +++ b/pkg/storage/store.go 
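Review bot: When `cfg.Insecure` is set the hunk installs both a `tls.Config{InsecureSkipVerify: true}` and `insecure.NewCredentials()`, and the latter wins: the dial is plaintext gRPC regardless of the `https://` scheme in the endpoints, so the `tls.Config` is dead configuration that reads as if only certificate checking were relaxed. When `Insecure` is false there is no way to supply a CA or client certificate, and an empty `Endpoints` string becomes `[]string{""}` instead of an error. I would validate the endpoint list, drop the skip-verify block, and load a CA plus optional client keypair from fields on `EtcdConfig` when they are set, which adds `crypto/x509`, `errors`, `fmt` and `os` to the imports; the rest of `New` continues outside the hunk.
```go
func New(cfg *EtcdConfig) (api.Storage, error) {
	endpoints := strings.Split(cfg.Endpoints, ",")
	if len(endpoints) == 0 || endpoints[0] == "" {
		return nil, errors.New("etcd: at least one endpoint is required")
	}
	clientCfg := clientv3.Config{
		DialTimeout: dialTimeout,
		Endpoints:   endpoints,
	}
	switch {
	case cfg.Insecure:
		// Plaintext gRPC: there is no TLS handshake at all, so an
		// InsecureSkipVerify tls.Config here would be dead configuration.
		clientCfg.DialOptions = []grpc.DialOption{grpc.WithTransportCredentials(insecure.NewCredentials())}
	case cfg.CAFile != "":
		// Pin the etcd server CA instead of trusting system roots, and present
		// a client certificate when the server runs with --client-cert-auth.
		caPEM, err := os.ReadFile(cfg.CAFile)
		if err != nil {
			return nil, fmt.Errorf("reading etcd CA file %q: %w", cfg.CAFile, err)
		}
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(caPEM) {
			return nil, fmt.Errorf("no certificates found in etcd CA file %q", cfg.CAFile)
		}
		tlsCfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
		if cfg.CertFile != "" {
			cert, err := tls.LoadX509KeyPair(cfg.CertFile, cfg.KeyFile)
			if err != nil {
				return nil, fmt.Errorf("loading etcd client certificate: %w", err)
			}
			tlsCfg.Certificates = []tls.Certificate{cert}
		}
		clientCfg.TLS = tlsCfg
	}
	client, err := clientv3.New(clientCfg)
	// … unchanged: error check and per-kind client construction …
```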
@@ -12,13 +12,13 @@ type Interface interface { api.Storage } -func New(embedded bool, config *db.PostgresConfig) (Interface, error) { - klog.Infof("setting up storage, embedded-db=%v", embedded) +func New(embedded bool, config *db.PostgresConfig, etcdCfg *etcd.EtcdConfig) (Interface, error) { + klog.Infof("setting up storage, embedded-db=%v, etcdconfig=%+v", embedded, etcdCfg) var storage api.Storage var err error if embedded { - storage, err = etcd.New() + storage, err = etcd.New(etcdCfg) if err != nil { return nil, err } From a3743a696796e4c1640cffffb12012165eb6add3 Mon Sep 17 00:00:00 2001 From: Vishal Choudhary Date: Wed, 30 Oct 2024 15:03:46 +0530 Subject: [PATCH 08/15] feat: fix charts Signed-off-by: Vishal Choudhary --- .../reports-server/templates/deployment.yaml | 3 +++ charts/reports-server/values.yaml | 20 ++++++++-------- config/install-etcd.yaml | 23 ++++++++++++++----- config/install.yaml | 23 ++++++++++++++----- 4 files changed, 47 insertions(+), 22 deletions(-) diff --git a/charts/reports-server/templates/deployment.yaml b/charts/reports-server/templates/deployment.yaml index adc971f..c374221 100644 --- a/charts/reports-server/templates/deployment.yaml +++ b/charts/reports-server/templates/deployment.yaml @@ -87,6 +87,9 @@ spec: {{- end}} securityContext: {{- toYaml .Values.securityContext | nindent 12 }} + volumeMounts: + - mountPath: /tmp + name: tmp-dir image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} ports: diff --git a/charts/reports-server/values.yaml b/charts/reports-server/values.yaml index 66a83f4..f61549f 100644 --- a/charts/reports-server/values.yaml +++ b/charts/reports-server/values.yaml 
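Review bot: `klog.Infof("... etcdconfig=%+v", ...)` dumps the entire `EtcdConfig` struct at startup; today that is an endpoint list and a bool, but as soon as credentials, tokens or key material are added to the struct they will be written to the logs verbatim. Log the individual non-secret fields instead, `klog.Infof("setting up storage, embedded-db=%v, etcd-endpoints=%q, etcd-insecure=%v", embedded, etcdCfg.Endpoints, etcdCfg.Insecure)`, and guard against a nil `etcdCfg` before the `etcd.New(etcdCfg)` call, which now dereferences it whenever `embedded` is true. The PostgreSQL config is rightly not logged here for the same reason.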
@@ -59,16 +59,16 @@ podSecurityContext: # -- Container security context # @default -- See [values.yaml](values.yaml) securityContext: - # capabilities: - # drop: - # - ALL - readOnlyRootFilesystem: false - # runAsNonRoot: true - runAsUser: 0 - privileged: true - allowPrivilegeEscalation: true - # seccompProfile: - # type: RuntimeDefault + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + privileged: false + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault # -- Liveness probe livenessProbe: diff --git a/config/install-etcd.yaml b/config/install-etcd.yaml index 3194aa7..5545413 100644 --- a/config/install-etcd.yaml +++ b/config/install-etcd.yaml @@ -178,6 +178,7 @@ metadata: name: etcd namespace: reports-server labels: + app: etcd-reports-server helm.sh/chart: reports-server-0.1.1 app.kubernetes.io/name: reports-server app.kubernetes.io/instance: reports-server @@ -259,10 +260,19 @@ spec: - --secure-port=4443 - --authorization-always-allow-paths=/metrics securityContext: - allowPrivilegeEscalation: true - privileged: true - readOnlyRootFilesystem: false - runAsUser: 0 + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /tmp + name: tmp-dir image: "ghcr.io/kyverno/reports-server:latest" imagePullPolicy: IfNotPresent ports: @@ -298,6 +308,7 @@ metadata: namespace: reports-server name: etcd labels: + app: etcd-reports-server helm.sh/chart: reports-server-0.1.1 app.kubernetes.io/name: reports-server app.kubernetes.io/instance: reports-server @@ -311,7 +322,7 @@ spec: type: RollingUpdate selector: matchLabels: - app: etcd + app: etcd-reports-server template: metadata: labels: 
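Review bot: `spec.selector.matchLabels` of a StatefulSet is immutable, so changing it from `app: etcd` to `app: etcd-reports-server` cannot be applied over an existing install; `kubectl apply` of this manifest against a cluster already running the old StatefulSet fails until that StatefulSet is deleted (its PVCs can be kept). A comment above the selector, `# selector label changed from app: etcd; delete the existing StatefulSet before applying`, or a release note, should call this out. The same selector change is made in the config/install.yaml hunk below.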
@@ -329,7 +340,7 @@ spec: - key: app operator: In values: - - etcd + - etcd-reports-server topologyKey: "kubernetes.io/hostname" containers: - name: etcd diff --git a/config/install.yaml b/config/install.yaml index 3194aa7..5545413 100644 --- a/config/install.yaml +++ b/config/install.yaml @@ -178,6 +178,7 @@ metadata: name: etcd namespace: reports-server labels: + app: etcd-reports-server helm.sh/chart: reports-server-0.1.1 app.kubernetes.io/name: reports-server app.kubernetes.io/instance: reports-server @@ -259,10 +260,19 @@ spec: - --secure-port=4443 - --authorization-always-allow-paths=/metrics securityContext: - allowPrivilegeEscalation: true - privileged: true - readOnlyRootFilesystem: false - runAsUser: 0 + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /tmp + name: tmp-dir image: "ghcr.io/kyverno/reports-server:latest" imagePullPolicy: IfNotPresent ports: @@ -298,6 +308,7 @@ metadata: namespace: reports-server name: etcd labels: + app: etcd-reports-server helm.sh/chart: reports-server-0.1.1 app.kubernetes.io/name: reports-server app.kubernetes.io/instance: reports-server @@ -311,7 +322,7 @@ spec: type: RollingUpdate selector: matchLabels: - app: etcd + app: etcd-reports-server template: metadata: labels: @@ -329,7 +340,7 @@ spec: - key: app operator: In values: - - etcd + - etcd-reports-server topologyKey: "kubernetes.io/hostname" containers: - name: etcd From 83e8f7b53ea5129555bcd8cd416ffcf864854c41 Mon Sep 17 00:00:00 2001 From: Vishal Choudhary Date: Thu, 31 Oct 2024 12:11:37 +0530 Subject: [PATCH 09/15] fix: list err Signed-off-by: Vishal Choudhary --- pkg/storage/etcd/store.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/storage/etcd/store.go b/pkg/storage/etcd/store.go index 276fab1..b811885 100644 --- a/pkg/storage/etcd/store.go 
+++ b/pkg/storage/etcd/store.go @@ -86,7 +86,7 @@ func (o *objectStoreNamespaced[T]) List(ctx context.Context, namespace string) ( } klog.InfoS("list resp resp=%+v", resp) if len(resp.Kvs) == 0 { - return objects, errors.NewNotFound(o.gr, key) + return objects, nil } objects = make([]T, 0, len(resp.Kvs)) for _, v := range resp.Kvs { From cc3287a5208d5a87fb7f3a22608bc6e5e147a58f Mon Sep 17 00:00:00 2001 From: Vishal Choudhary Date: Thu, 31 Oct 2024 12:23:15 +0530 Subject: [PATCH 10/15] fix: more bugs Signed-off-by: Vishal Choudhary --- charts/reports-server/values.yaml | 4 ++-- pkg/storage/etcd/new.go | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/reports-server/values.yaml b/charts/reports-server/values.yaml index f61549f..8ebf1fb 100644 --- a/charts/reports-server/values.yaml +++ b/charts/reports-server/values.yaml @@ -60,8 +60,8 @@ podSecurityContext: # @default -- See [values.yaml](values.yaml) securityContext: capabilities: - drop: - - ALL + drop: + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 1000 diff --git a/pkg/storage/etcd/new.go b/pkg/storage/etcd/new.go index ee8b4bd..c6883c5 100644 --- a/pkg/storage/etcd/new.go +++ b/pkg/storage/etcd/new.go @@ -35,7 +35,7 @@ func New(cfg *EtcdConfig) (api.Storage, error) { } if cfg.Insecure { clientCfg.TLS = &tls.Config{ - InsecureSkipVerify: true, + InsecureSkipVerify: true, //nolint:gosec } clientCfg.DialOptions = []grpc.DialOption{grpc.WithTransportCredentials(insecure.NewCredentials())} } From 5e9227e5c9c270e101c9010bc722b80c3086d7cf Mon Sep 17 00:00:00 2001 From: Vishal Choudhary Date: Thu, 31 Oct 2024 13:00:20 +0530 Subject: [PATCH 11/15] update kyverno images Signed-off-by: Vishal Choudhary --- .github/workflows/conformance-tests.yaml | 4 +++- .github/workflows/migration-tests.yaml | 3 ++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/conformance-tests.yaml b/.github/workflows/conformance-tests.yaml index df4fc39..6d3e479 100644 
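Review bot: `klog.InfoS("list resp resp=%+v", resp)` on the line above the change misuses the structured API: InfoS takes a message plus key/value pairs, so the `%+v` is printed literally, `resp` becomes an unpaired key, and the full etcd response (every stored report body) is logged at default verbosity on every List. `klog.V(4).InfoS("etcd list", "key", key, "count", len(resp.Kvs))` gives the useful signal without the dump. Returning `objects` on the empty path presumably returns the nil slice declared earlier in the function, which ranges fine but encodes as JSON `null` if it ever reaches a serializer; `return []T{}, nil` makes the empty list explicit. List's body starts and ends outside the hunk.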
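Review bot: The `//nolint:gosec` directive silences the finding without saying why it is acceptable; the golangci-lint convention (enforced by `nolintlint`) is a justification after a second `//`, e.g. `InsecureSkipVerify: true, //nolint:gosec // opt-in via --etcdSkipTLS for an etcd that has no certificates`. Since the same branch also sets `grpc.WithTransportCredentials(insecure.NewCredentials())`, which makes the dial plaintext, this `tls.Config` is presumably never consulted, so removing it would eliminate the finding rather than suppress it. New's body starts and ends outside the hunk.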
--- a/.github/workflows/conformance-tests.yaml +++ b/.github/workflows/conformance-tests.yaml @@ -82,7 +82,9 @@ jobs: - name: Install latest kyverno run: | set -e - kubectl create -f https://github.com/kyverno/kyverno/raw/main/config/install-latest-testing.yaml + set -e + export HELM=${{ steps.helm.outputs.helm-path }} + make -c ./kyverno kind-deploy-kyverno - name: Wait for kyverno ready run: | set -e diff --git a/.github/workflows/migration-tests.yaml b/.github/workflows/migration-tests.yaml index 33616db..5443e44 100644 --- a/.github/workflows/migration-tests.yaml +++ b/.github/workflows/migration-tests.yaml @@ -73,7 +73,8 @@ jobs: - name: Install kyverno v1.12.4 run: | set -e - kubectl create -f https://github.com/kyverno/kyverno/raw/main/config/install-latest-testing.yaml + export HELM=${{ steps.helm.outputs.helm-path }} + make -c ./kyverno kind-deploy-kyverno - name: Wait for kyverno ready run: | set -e From 0ce148e6d8d119d4623ce5107209090d278698fc Mon Sep 17 00:00:00 2001 From: Vishal Choudhary Date: Thu, 31 Oct 2024 13:11:27 +0530 Subject: [PATCH 12/15] feat: update instructions Signed-off-by: Vishal Choudhary --- .github/workflows/conformance-tests.yaml | 2 +- .github/workflows/migration-tests.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/conformance-tests.yaml b/.github/workflows/conformance-tests.yaml index 6d3e479..2056ac3 100644 --- a/.github/workflows/conformance-tests.yaml +++ b/.github/workflows/conformance-tests.yaml @@ -84,7 +84,7 @@ jobs: set -e set -e export HELM=${{ steps.helm.outputs.helm-path }} - make -c ./kyverno kind-deploy-kyverno + make -C ./kyverno kind-deploy-kyverno - name: Wait for kyverno ready run: | set -e diff --git a/.github/workflows/migration-tests.yaml b/.github/workflows/migration-tests.yaml index 5443e44..34b78f9 100644 --- a/.github/workflows/migration-tests.yaml +++ b/.github/workflows/migration-tests.yaml 
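Review bot: The added `set -e` duplicates the one already on the line above it and survives into the later patches of this series, and `make -c` is not the `-C dir` option (GNU make has no `-c`), so the step fails as written; the next patch fixes the flag but not the duplicate. `export HELM=...` is set for the Makefile's benefit, which is fine here, but it becomes dead once a later patch switches the step to calling `helm` directly. The same `-c` typo is in the migration-tests.yaml hunk below.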
@@ -70,11 +70,11 @@ jobs: run: | set -e kind create cluster --image kindest/node:${{ matrix.k8s-version.version }} --config ./.github/kind.yml - - name: Install kyverno v1.12.4 + - name: Install kyverno run: | set -e export HELM=${{ steps.helm.outputs.helm-path }} - make -c ./kyverno kind-deploy-kyverno + make -C ./kyverno kind-deploy-kyverno - name: Wait for kyverno ready run: | set -e From 5deda6179ee6b97fb97e7c828e9e340c641d38d6 Mon Sep 17 00:00:00 2001 From: Vishal Choudhary Date: Thu, 31 Oct 2024 13:28:51 +0530 Subject: [PATCH 13/15] fix: helm install Signed-off-by: Vishal Choudhary --- .github/workflows/conformance-tests.yaml | 4 +++- .github/workflows/migration-tests.yaml | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/conformance-tests.yaml b/.github/workflows/conformance-tests.yaml index 2056ac3..615a598 100644 --- a/.github/workflows/conformance-tests.yaml +++ b/.github/workflows/conformance-tests.yaml @@ -84,7 +84,9 @@ jobs: set -e set -e export HELM=${{ steps.helm.outputs.helm-path }} - make -C ./kyverno kind-deploy-kyverno + helm repo add kyverno https://kyverno.github.io/kyverno/ + kubectl create namespace kyverno + helm install kyverno --namespace kyverno kyverno/kyverno - name: Wait for kyverno ready run: | set -e diff --git a/.github/workflows/migration-tests.yaml b/.github/workflows/migration-tests.yaml index 34b78f9..07bbe47 100644 --- a/.github/workflows/migration-tests.yaml +++ b/.github/workflows/migration-tests.yaml @@ -74,7 +74,9 @@ jobs: run: | set -e export HELM=${{ steps.helm.outputs.helm-path }} - make -C ./kyverno kind-deploy-kyverno + helm repo add kyverno https://kyverno.github.io/kyverno/ + kubectl create namespace kyverno + helm install kyverno --namespace kyverno kyverno/kyverno - name: Wait for kyverno ready run: | set -e From d9103ce034d39cb0eb4f0675cae06cf4c5f53f25 Mon Sep 17 00:00:00 2001 
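Review bot: `helm install kyverno --namespace kyverno kyverno/kyverno` pins no chart version, so every CI run installs whatever the repo's newest release is, and the migration job, which was labelled "Install kyverno v1.12.4" before this series, no longer tests migration from a known version. Adding `--version <pinned chart version>` (and `--wait`) keeps both jobs reproducible and removes the race with the following "Wait for kyverno ready" step. `export HELM=...` on the previous line is now unused, since the step calls `helm` from PATH. The same applies to the migration-tests.yaml hunk below.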
From: Vishal Choudhary Date: Thu, 31 Oct 2024 14:07:11 +0530 Subject: [PATCH 14/15] fix: blocking change Signed-off-by: Vishal Choudhary --- .github/workflows/conformance-tests.yaml | 2 +- .github/workflows/migration-tests.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/conformance-tests.yaml b/.github/workflows/conformance-tests.yaml index 615a598..48e1c96 100644 --- a/.github/workflows/conformance-tests.yaml +++ b/.github/workflows/conformance-tests.yaml @@ -86,7 +86,7 @@ jobs: export HELM=${{ steps.helm.outputs.helm-path }} helm repo add kyverno https://kyverno.github.io/kyverno/ kubectl create namespace kyverno - helm install kyverno --namespace kyverno kyverno/kyverno + helm install kyverno --namespace kyverno kyverno/kyverno --set features.policyExceptions.enabled=true --set features.policyExceptions.namespace='*' - name: Wait for kyverno ready run: | set -e diff --git a/.github/workflows/migration-tests.yaml b/.github/workflows/migration-tests.yaml index 07bbe47..5a1e5e7 100644 --- a/.github/workflows/migration-tests.yaml +++ b/.github/workflows/migration-tests.yaml @@ -76,7 +76,7 @@ jobs: export HELM=${{ steps.helm.outputs.helm-path }} helm repo add kyverno https://kyverno.github.io/kyverno/ kubectl create namespace kyverno - helm install kyverno --namespace kyverno kyverno/kyverno + helm install kyverno --namespace kyverno kyverno/kyverno --set features.policyExceptions.enabled=true --set features.policyExceptions.namespace='*' - name: Wait for kyverno ready run: | set -e From 15594650f57a762ca5f3395d13787a9873bd74b0 Mon Sep 17 00:00:00 2001 From: Vishal Choudhary Date: Thu, 31 Oct 2024 19:06:27 +0530 Subject: [PATCH 15/15] fix: update defaults Signed-off-by: Vishal Choudhary --- charts/reports-server/README.md | 5 +- .../reports-server/templates/deployment.yaml | 2 + charts/reports-server/values.yaml | 5 +- config/install.yaml | 376 +++++++++++------- 4 files changed, 240 insertions(+), 148 deletions(-) 
diff --git a/charts/reports-server/README.md b/charts/reports-server/README.md index 5a60f74..d4f6d66 100644 --- a/charts/reports-server/README.md +++ b/charts/reports-server/README.md @@ -22,7 +22,7 @@ helm install reports-server --namespace reports-server --create-namespace report | Key | Type | Default | Description | |-----|------|---------|-------------| -| postgresql.enabled | bool | `false` | Deploy postgresql dependency chart | +| postgresql.enabled | bool | `true` | Deploy postgresql dependency chart | | postgresql.auth.postgresPassword | string | `"reports"` | | | postgresql.auth.database | string | `"reportsdb"` | | | nameOverride | string | `""` | Name override | @@ -61,8 +61,9 @@ helm install reports-server --namespace reports-server --create-namespace report | affinity | object | `{}` | Affinity | | service.type | string | `"ClusterIP"` | Service type | | service.port | int | `443` | Service port | -| config.etcd.enabled | bool | `true` | | +| config.etcd.enabled | bool | `false` | | | config.etcd.endpoints | string | `nil` | | +| config.etcd.insecure | bool | `true` | | | config.db.secretName | string | `""` | If set, database connection information will be read from the Secret with this name. Overrides `db.host`, `db.name`, `db.user`, and `db.password`. | | config.db.host | string | `""` | Database host | | config.db.hostSecretKeyName | string | `"host"` | The database host will be read from this `key` in the specified Secret, when `db.secretName` is set. | diff --git a/charts/reports-server/templates/deployment.yaml b/charts/reports-server/templates/deployment.yaml index c374221..e2fe93b 100644 --- a/charts/reports-server/templates/deployment.yaml +++ b/charts/reports-server/templates/deployment.yaml 
@@ -39,7 +39,9 @@ spec: args: {{- if .Values.config.etcd.enabled }} - --etcd + {{- if .Values.config.etcd.insecure }} - --etcdSkipTLS + {{- end }} - --etcdEndpoints=https://etcd-0.etcd.{{ $.Release.Namespace }}:2379,https://etcd-1.etcd.{{ $.Release.Namespace }}:2379,https://etcd-2.etcd.{{ $.Release.Namespace }}:2379 {{- else }} - --dbhost={{ include "reports-server.dbHost" . }} diff --git a/charts/reports-server/values.yaml b/charts/reports-server/values.yaml index 8ebf1fb..a2a0292 100644 --- a/charts/reports-server/values.yaml +++ b/charts/reports-server/values.yaml @@ -6,7 +6,7 @@ templating: postgresql: # -- Deploy postgresql dependency chart - enabled: false + enabled: true auth: @@ -163,8 +163,9 @@ service: config: etcd: - enabled: true + enabled: false endpoints: ~ + insecure: true db: # -- If set, database connection information will be read from the Secret with this name. Overrides `db.host`, `db.name`, `db.user`, and `db.password`. diff --git a/config/install.yaml b/config/install.yaml index 5545413..284d05b 100644 --- a/config/install.yaml +++ b/config/install.yaml @@ -6,6 +6,19 @@ metadata: --- apiVersion: v1 kind: ServiceAccount +metadata: + name: reports-server-postgresql + namespace: "reports-server" + labels: + app.kubernetes.io/instance: reports-server + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: postgresql + app.kubernetes.io/version: 16.1.0 + helm.sh/chart: postgresql-13.4.1 +automountServiceAccountToken: false +--- +apiVersion: v1 +kind: ServiceAccount metadata: name: reports-server namespace: reports-server 
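Review bot: `--etcdEndpoints` stays hard-coded to the three `etcd-N.etcd.<namespace>:2379` addresses even though values.yaml declares `config.etcd.endpoints`, so that value is silently ignored; wrapping the line in `{{- if .Values.config.etcd.endpoints }}` / `- --etcdEndpoints={{ .Values.config.etcd.endpoints }}` / `{{- else }}` with the current line as the fallback would honour it. The endpoints also carry an `https://` scheme while `--etcdSkipTLS` makes the client dial with insecure gRPC credentials (pkg/storage/etcd/new.go in this series), so the scheme does not describe the connection actually made; either the scheme or the flag name should change so the two agree.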
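Review bot: `insecure: true` is added without the `# --` description comment the other keys in this file carry, which is why the README table in this patch shows an empty description for `config.etcd.insecure`. Since the flag it drives (`--etcdSkipTLS`) configures the etcd client with insecure gRPC credentials rather than merely skipping certificate verification, suggest `# -- Disable TLS for the etcd client. Required for the bundled etcd StatefulSet, which listens on plain http; set to false when pointing at a TLS-enabled etcd.` A default of `true` is defensible only for the bundled etcd, so the comment should say that explicitly.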
@@ -16,6 +29,22 @@ metadata: app.kubernetes.io/version: "v0.1.1" app.kubernetes.io/managed-by: Helm --- +apiVersion: v1 +kind: Secret +metadata: + name: reports-server-postgresql + namespace: "reports-server" + labels: + app.kubernetes.io/instance: reports-server + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: postgresql + app.kubernetes.io/version: 16.1.0 + helm.sh/chart: postgresql-13.4.1 +type: Opaque +data: + postgres-password: "cmVwb3J0cw==" + # We don't auto-generate LDAP password when it's not provided as we do for other passwords +--- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: 
@@ -175,28 +204,61 @@ subjects: apiVersion: v1 kind: Service metadata: - name: etcd - namespace: reports-server + name: reports-server-postgresql-hl + namespace: "reports-server" labels: - app: etcd-reports-server - helm.sh/chart: reports-server-0.1.1 - app.kubernetes.io/name: reports-server app.kubernetes.io/instance: reports-server - app.kubernetes.io/version: "v0.1.1" app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: postgresql + app.kubernetes.io/version: 16.1.0 + helm.sh/chart: postgresql-13.4.1 + app.kubernetes.io/component: primary + annotations: + # Use this annotation in addition to the actual publishNotReadyAddresses + # field below because the annotation will stop being respected soon but the + # field is broken in some versions of Kubernetes: + # https://github.com/kubernetes/kubernetes/issues/58662 + service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" spec: type: ClusterIP clusterIP: None - selector: - app: etcd-reports-server + # We want all pods in the StatefulSet to have their addresses published for + # the sake of the other Postgresql pods even before they're ready, since they + # have to be able to talk to each other in order to become ready. 
publishNotReadyAddresses: true ports: - - name: etcd-client - port: 2379 - - name: etcd-server - port: 2380 - - name: etcd-metrics - port: 8080 + - name: tcp-postgresql + port: 5432 + targetPort: tcp-postgresql + selector: + app.kubernetes.io/instance: reports-server + app.kubernetes.io/name: postgresql + app.kubernetes.io/component: primary +--- +apiVersion: v1 +kind: Service +metadata: + name: reports-server-postgresql + namespace: "reports-server" + labels: + app.kubernetes.io/instance: reports-server + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: postgresql + app.kubernetes.io/version: 16.1.0 + helm.sh/chart: postgresql-13.4.1 + app.kubernetes.io/component: primary +spec: + type: ClusterIP + sessionAffinity: None + ports: + - name: tcp-postgresql + port: 5432 + targetPort: tcp-postgresql + nodePort: null + selector: + app.kubernetes.io/instance: reports-server + app.kubernetes.io/name: postgresql + app.kubernetes.io/component: primary --- apiVersion: v1 kind: Service @@ -253,9 +315,15 @@ spec: containers: - name: reports-server args: - - --etcd - - --etcdSkipTLS - - --etcdEndpoints=https://etcd-0.etcd.reports-server:2379,https://etcd-1.etcd.reports-server:2379,https://etcd-2.etcd.reports-server:2379 + - --dbhost=reports-server-postgresql.reports-server + - --dbport=5432 + - --dbuser=postgres + - --dbpassword=reports + - --dbname=reportsdb + - --dbsslmode=disable + - --dbsslrootcert= + - --dbsslkey= + - --dbsslcert= - --cert-dir=/tmp - --secure-port=4443 - --authorization-always-allow-paths=/metrics 
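Review bot: The default install now passes the database password on the command line (`--dbpassword=reports`) while also shipping it in the `reports-server-postgresql` Secret earlier in this file, so the same static credential is both committed to the repo and visible in `kubectl describe pod`, the node's process list and audit logs. The chart already supports `config.db.secretName` (README hunk above), so the generated manifest should source the password from the Secret via an env var with `valueFrom.secretKeyRef` and pass `--dbpassword=$(DB_PASSWORD)` instead of a literal. `--dbsslmode=disable` should at least carry a comment stating that it relies on the connection staying inside the cluster, since nothing in the manifest restricts who can reach the postgres Service.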
@@ -305,151 +373,171 @@ spec: apiVersion: apps/v1 kind: StatefulSet metadata: - namespace: reports-server - name: etcd + name: reports-server-postgresql + namespace: "reports-server" labels: - app: etcd-reports-server - helm.sh/chart: reports-server-0.1.1 - app.kubernetes.io/name: reports-server app.kubernetes.io/instance: reports-server - app.kubernetes.io/version: "v0.1.1" app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: postgresql + app.kubernetes.io/version: 16.1.0 + helm.sh/chart: postgresql-13.4.1 + app.kubernetes.io/component: primary spec: - serviceName: etcd - replicas: 3 - podManagementPolicy: Parallel + replicas: 1 + serviceName: reports-server-postgresql-hl updateStrategy: + rollingUpdate: {} type: RollingUpdate selector: matchLabels: - app: etcd-reports-server + app.kubernetes.io/instance: reports-server + app.kubernetes.io/name: postgresql + app.kubernetes.io/component: primary template: metadata: + name: reports-server-postgresql labels: - app: etcd-reports-server - annotations: - serviceName: etcd + app.kubernetes.io/instance: reports-server + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: postgresql + app.kubernetes.io/version: 16.1.0 + helm.sh/chart: postgresql-13.4.1 + app.kubernetes.io/component: primary spec: + serviceAccountName: reports-server-postgresql + + automountServiceAccountToken: false affinity: + podAffinity: + podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: - - weight: 1 - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - etcd-reports-server - topologyKey: "kubernetes.io/hostname" + - podAffinityTerm: + labelSelector: + matchLabels: + app.kubernetes.io/instance: reports-server + app.kubernetes.io/name: postgresql + app.kubernetes.io/component: primary + topologyKey: kubernetes.io/hostname + weight: 1 + nodeAffinity: + + securityContext: + fsGroup: 1001 + fsGroupChangePolicy: Always + supplementalGroups: [] + sysctls: [] + hostNetwork: false + 
hostIPC: false containers: - - name: etcd - image: quay.io/coreos/etcd:v3.5.15 - imagePullPolicy: IfNotPresent - ports: - - name: etcd-client - containerPort: 2379 - - name: etcd-server - containerPort: 2380 - - name: etcd-metrics - containerPort: 8080 - readinessProbe: - httpGet: - path: /readyz - port: 8080 - initialDelaySeconds: 10 - periodSeconds: 5 - timeoutSeconds: 5 - successThreshold: 1 - failureThreshold: 30 - livenessProbe: - httpGet: - path: /livez - port: 8080 - initialDelaySeconds: 15 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 3 - env: - - name: K8S_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: HOSTNAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: SERVICE_NAME - valueFrom: - fieldRef: - fieldPath: metadata.annotations['serviceName'] - - name: ETCDCTL_ENDPOINTS - value: $(HOSTNAME).$(SERVICE_NAME):2379 - ## TLS client configuration for etcdctl in the container. - ## These files paths are part of the "etcd-client-certs" volume mount. - # - name: ETCDCTL_KEY - # value: /etc/etcd/certs/client/tls.key - # - name: ETCDCTL_CERT - # value: /etc/etcd/certs/client/tls.crt - # - name: ETCDCTL_CACERT - # value: /etc/etcd/certs/client/ca.crt - ## - ## Use this URI_SCHEME value for non-TLS clusters. - - name: URI_SCHEME - value: "http" - ## TLS: Use this URI_SCHEME for TLS clusters. 
- # - name: URI_SCHEME - # value: "https" - command: - - /usr/local/bin/etcd - args: - - --name=$(HOSTNAME) - - --data-dir=/data - - --wal-dir=/data/wal - - --listen-peer-urls=$(URI_SCHEME)://0.0.0.0:2380 - - --listen-client-urls=$(URI_SCHEME)://0.0.0.0:2379 - - --advertise-client-urls=$(URI_SCHEME)://$(HOSTNAME).$(SERVICE_NAME):2379 - - --initial-cluster-state=new - - --initial-cluster-token=etcd-$(K8S_NAMESPACE) - - --initial-cluster=etcd-0=$(URI_SCHEME)://etcd-0.$(SERVICE_NAME):2380,etcd-1=$(URI_SCHEME)://etcd-1.$(SERVICE_NAME):2380,etcd-2=$(URI_SCHEME)://etcd-2.$(SERVICE_NAME):2380 - - --initial-advertise-peer-urls=$(URI_SCHEME)://$(HOSTNAME).$(SERVICE_NAME):2380 - - --listen-metrics-urls=http://0.0.0.0:8080 - # - --auto-compaction-mode=periodic - # - --auto-compaction-retention=10m - # - --client-cert-auth - # - --trusted-ca-file=$(ETCDCTL_CACERT) - # - --cert-file=$(ETCDCTL_CERT) - # - --key-file=$(ETCDCTL_KEY) - # - --peer-client-cert-auth - # - --peer-trusted-ca-file=/etc/etcd/certs/server/ca.crt - # - --peer-cert-file=/etc/etcd/certs/server/tls.crt - # - --peer-key-file=/etc/etcd/certs/server/tls.key - volumeMounts: - - name: etcd-data - mountPath: /data - # - name: etcd-client-tls - # mountPath: "/etc/etcd/certs/client" - # readOnly: true - # - name: etcd-server-tls - # mountPath: "/etc/etcd/certs/server" - # readOnly: true + - name: postgresql + image: docker.io/bitnami/postgresql:16.1.0-debian-11-r22 + imagePullPolicy: "IfNotPresent" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 1001 + seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault + env: + - name: BITNAMI_DEBUG + value: "false" + - name: POSTGRESQL_PORT_NUMBER + value: "5432" + - name: POSTGRESQL_VOLUME_DIR + value: "/bitnami/postgresql" + - name: PGDATA + value: "/bitnami/postgresql/data" + # Authentication + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + 
name: reports-server-postgresql + key: postgres-password + - name: POSTGRES_DATABASE + value: "reportsdb" + # Replication + # Initdb + # Standby + # LDAP + - name: POSTGRESQL_ENABLE_LDAP + value: "no" + # TLS + - name: POSTGRESQL_ENABLE_TLS + value: "no" + # Audit + - name: POSTGRESQL_LOG_HOSTNAME + value: "false" + - name: POSTGRESQL_LOG_CONNECTIONS + value: "false" + - name: POSTGRESQL_LOG_DISCONNECTIONS + value: "false" + - name: POSTGRESQL_PGAUDIT_LOG_CATALOG + value: "off" + # Others + - name: POSTGRESQL_CLIENT_MIN_MESSAGES + value: "error" + - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES + value: "pgaudit" + ports: + - name: tcp-postgresql + containerPort: 5432 + livenessProbe: + failureThreshold: 6 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + exec: + command: + - /bin/sh + - -c + - exec pg_isready -U "postgres" -d "dbname=reportsdb" -h 127.0.0.1 -p 5432 + readinessProbe: + failureThreshold: 6 + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + exec: + command: + - /bin/sh + - -c + - -e + - | + exec pg_isready -U "postgres" -d "dbname=reportsdb" -h 127.0.0.1 -p 5432 + [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ] + resources: + limits: {} + requests: + cpu: 250m + memory: 256Mi + volumeMounts: + - name: dshm + mountPath: /dev/shm + - name: data + mountPath: /bitnami/postgresql volumes: - # - name: etcd-client-tls - # secret: - # secretName: etcd-client-tls - # optional: false - # - name: etcd-server-tls - # secret: - # secretName: etcd-server-tls - # optional: false + - name: dshm + emptyDir: + medium: Memory volumeClaimTemplates: - - metadata: - name: etcd-data - spec: - accessModes: ["ReadWriteOnce"] - resources: - requests: - storage: 1Gi + - apiVersion: v1 + kind: PersistentVolumeClaim + metadata: + name: data + spec: + accessModes: + - "ReadWriteOnce" + resources: + requests: + storage: "8Gi" --- apiVersion: 
apiregistration.k8s.io/v1 kind: APIService