From 5631a6a0dba983fa1513d42eef728828fadadf20 Mon Sep 17 00:00:00 2001 From: Dominik Rosiek <58699848+sumo-drosiek@users.noreply.github.com> Date: Tue, 23 Apr 2024 10:10:00 +0200 Subject: [PATCH] chore: use Sumo Logic hosted Kube RBAC Proxy (#3674) * chore: add script and action to sync repositories Signed-off-by: Dominik Rosiek * feat: use Sumo Logic hosted Kube RBAC Proxy Signed-off-by: Dominik Rosiek * chore: change schedule for syncing repositories Signed-off-by: Dominik Rosiek * chore: restrict sync workflow to be run once Signed-off-by: Dominik Rosiek * chore: rename workflows Signed-off-by: Dominik Rosiek * chore: fix typo Signed-off-by: Dominik Rosiek --------- Signed-off-by: Dominik Rosiek --- .changelog/3674.added.txt | 1 + .github/workflows/sync-repositories.yaml | 30 ++++++++++ .../workflows/workflow-sync-repositories.yaml | 59 +++++++++++++++++++ ci/sync-repository.sh | 11 ++++ deploy/helm/sumologic/README.md | 2 + deploy/helm/sumologic/values.yaml | 8 +++ shell.nix | 1 + 7 files changed, 112 insertions(+) create mode 100644 .changelog/3674.added.txt create mode 100644 .github/workflows/sync-repositories.yaml create mode 100644 .github/workflows/workflow-sync-repositories.yaml create mode 100755 ci/sync-repository.sh diff --git a/.changelog/3674.added.txt b/.changelog/3674.added.txt new file mode 100644 index 0000000000..3316efb891 --- /dev/null +++ b/.changelog/3674.added.txt @@ -0,0 +1 @@ +chore: use Sumo Logic hosted Kube RBAC Proxy \ No newline at end of file diff --git a/.github/workflows/sync-repositories.yaml b/.github/workflows/sync-repositories.yaml new file mode 100644 index 0000000000..242f26ab30 --- /dev/null +++ b/.github/workflows/sync-repositories.yaml 
@@ -0,0 +1,30 @@
+name: Sync Repositories
+
+on:
+ schedule:
+ - cron: "0 0 * * *"
+ workflow_dispatch:
+
+jobs:
+ sync-repositories:
+ name: Sync container repositories
+ strategy:
+ matrix:
+ include:
+ - docker_username: DOCKERHUB_LOGIN_KUBE_RBAC_PROXY
+ docker_password: DOCKERHUB_PASSWORD_KUBE_RBAC_PROXY
+ aws_access_key: AWS_ACCESS_KEY_ID_KUBE_RBAC_PROXY
+ aws_secret_access_key: AWS_SECRET_ACCESS_KEY_KUBE_RBAC_PROXY
+ src_repository: quay.io/brancz/kube-rbac-proxy
+ dest_docker_namespace: docker.io/sumologic
+ dest_ecr_namespace: public.ecr.aws/a4t4y2n3
+ uses: ./.github/workflows/workflow-sync-repositories.yaml
+ with:
+ src_repository: ${{ matrix.src_repository }}
+ dest_docker_namespace: ${{ matrix.dest_docker_namespace }}
+ dest_ecr_namespace: ${{ matrix.dest_ecr_namespace }}
+ secrets:
+ DOCKER_USERNAME: ${{ secrets[matrix.docker_username] }}
+ DOCKER_PASSWORD: ${{ secrets[matrix.docker_password] }}
+ AWS_ACCESS_KEY_ID: ${{ secrets[matrix.aws_access_key] }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets[matrix.aws_secret_access_key] }}
diff --git a/.github/workflows/workflow-sync-repositories.yaml b/.github/workflows/workflow-sync-repositories.yaml
new file mode 100644
index 0000000000..fbfdf8d6be
--- /dev/null
+++ b/.github/workflows/workflow-sync-repositories.yaml
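Review bot: `.github/workflows/sync-repositories.yaml` declares no `permissions:`, so the job that receives the Docker Hub and AWS secrets runs with the repository's default `GITHUB_TOKEN` scope, and the called workflow cannot be granted less than the caller allows implicitly. The called workflow only checks out the repository, so a top-level `permissions:` block with `contents: read` should be sufficient. A `concurrency:` entry such as `group: sync-repositories` would also keep a manual `workflow_dispatch` run from overlapping the nightly `cron` run, which the "No re-runs" step in the called workflow does not cover.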
@@ -0,0 +1,59 @@
+name: Sync container repository
+
+on:
+ workflow_call:
+ inputs:
+ src_repository:
+ description: Source repository
+ required: true
+ type: string
+ dest_docker_namespace:
+ description: Destination DockerHub repository
+ required: true
+ type: string
+ dest_ecr_namespace:
+ description: Destination ECR repository
+ required: true
+ type: string
+ secrets:
+ DOCKER_USERNAME:
+ required: true
+ DOCKER_PASSWORD:
+ required: true
+ AWS_ACCESS_KEY_ID:
+ required: true
+ AWS_SECRET_ACCESS_KEY:
+ required: true
+
+jobs:
+ sync-repository:
+ runs-on: ubuntu-20.04
+ name: ${{ inputs.src_repository }}
+ steps:
+ - name: No re-runs
+ run: |
+ if [ "$GITHUB_RUN_ATTEMPT" -gt 1 ]; then
+ echo "It is not advised to re-run this workflow! It won't speed up the process!"
+ exit 1
+ else
+ echo "not a re-run, continue"
+ fi
+ - uses: actions/checkout@v4
+ - name: Install skopeo
+ run: sudo apt-get install skopeo -y
+ - name: Login to Docker Hub
+ uses: docker/login-action@v3.1.0
+ with:
+ username: ${{ secrets.DOCKER_USERNAME }}
+ password: ${{ secrets.DOCKER_PASSWORD }}
+ - name: Synchronize image to Docker Hub repository
+ run: ./ci/sync-repository.sh ${{ inputs.src_repository }} ${{ inputs.dest_docker_namespace }}
+ - name: Login to ECR
+ run: |-
+ aws ecr-public get-login-password --region us-east-1 \
+ | docker login --username AWS --password-stdin ${{ inputs.dest_ecr_namespace }}
+ env:
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ - name: Synchronize image to ECR repository
+ run: ./ci/sync-repository.sh ${{ inputs.src_repository }} ${{ inputs.dest_ecr_namespace }}
diff --git a/ci/sync-repository.sh b/ci/sync-repository.sh
new file mode 100755
index 0000000000..32e29cda99
--- /dev/null
+++ b/ci/sync-repository.sh
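Review bot: The two "Synchronize image" steps and the "Login to ECR" step in `workflow-sync-repositories.yaml` expand `${{ inputs.src_repository }}`, `${{ inputs.dest_docker_namespace }}` and `${{ inputs.dest_ecr_namespace }}` directly into the script text, so the values are parsed by the shell before any quoting can apply. The only caller visible in this commit passes constants from its matrix, but this is a reusable `workflow_call` workflow that holds registry push credentials, so any later caller forwarding a less-trusted value would inherit the problem. Passing the inputs through `env:` and quoting the variables keeps them as data. Separately, `actions/checkout@v4` and `docker/login-action@v3.1.0` are referenced by tag; in a job with push credentials, pinning each to a full commit SHA (`uses: docker/login-action@<full-commit-sha>`) would keep a moved tag from changing what runs.

```yaml
      - name: Synchronize image to Docker Hub repository
        run: ./ci/sync-repository.sh "${SRC_REPOSITORY}" "${DEST_NAMESPACE}"
        env:
          SRC_REPOSITORY: ${{ inputs.src_repository }}
          DEST_NAMESPACE: ${{ inputs.dest_docker_namespace }}
      - name: Login to ECR
        run: |-
          aws ecr-public get-login-password --region us-east-1 \
            | docker login --username AWS --password-stdin "${DEST_NAMESPACE}"
        env:
          DEST_NAMESPACE: ${{ inputs.dest_ecr_namespace }}
          # … unchanged: AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY …
      - name: Synchronize image to ECR repository
        run: ./ci/sync-repository.sh "${SRC_REPOSITORY}" "${DEST_NAMESPACE}"
        env:
          SRC_REPOSITORY: ${{ inputs.src_repository }}
          DEST_NAMESPACE: ${{ inputs.dest_ecr_namespace }}
```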
@@ -0,0 +1,11 @@ +#!/usr/bin/env bash + +SRC_REPOSITORY=${1} +DESTINATION_NAMESPACE=${2} +skopeo sync \ + -f v2s2 \ + --retry-times 5 \ + --src docker \ + --dest docker \ + "${SRC_REPOSITORY}" \ + "${DESTINATION_NAMESPACE}" diff --git a/deploy/helm/sumologic/README.md b/deploy/helm/sumologic/README.md index 6535e0f9bd..f89c277791 100644 --- a/deploy/helm/sumologic/README.md +++ b/deploy/helm/sumologic/README.md @@ -319,6 +319,7 @@ The following table lists the configurable parameters of the Sumo Logic chart an | `opentelemetry-operator.instrumentationJobImage.image.tag` | Name of the image tag used to apply Instrumentation resource | `2.22.0` | | `opentelemetry-operator.admissionWebhooks` | Admission webhooks make sure only requests with correctly formatted rules will get into the Operator. They also enable the sidecar injection for OpenTelemetryCollector and Instrumentation CR's. | See [values.yaml] | | `opentelemetry-operator.manager.env` | Additional environment variables for opentelemetry-operator helm chart. | `{"ENABLE_WEBHOOKS": "true"}` | +| `opentelemetry-operator.kubeRBACProxy.image.repository` | Container repository for Kube RBAC Proxy. | `public.ecr.aws/sumologic/kube-rbac-proxy` | | `otelcolInstrumentation.enabled` | Enables Sumo Otel Distro Collector StatefulSet to collect telemetry data. [See docs for more information.](/docs/opentelemetry-collector/traces.md) | `true` | | `otelcolInstrumentation.autoscaling.enabled` | Option to override the default autoscaling parameter (sumologic.autoscaling.enabled) for Sumo Otel Distro Collector StatefulSet and specify params for HPA. Autoscaling needs metrics-server to access cpu metrics. | `false` | | `otelcolInstrumentation.autoscaling.minReplicas` | Default min replicas for autoscaling. | `3` | 
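Review bot: In `ci/sync-repository.sh`, `skopeo sync` is given a bare repository name, which mirrors every tag upstream publishes, so anything pushed to the source repository appears under the destination namespaces on the next scheduled run with no tag allowlist or signature check in between. Restricting the sync to the tags the charts actually deploy (for example a tag list consumed with `--src yaml`) would limit what the mirror republishes. If upstream publishes multi-arch manifest lists, the call probably also needs `--all`, since without it skopeo copies only the image matching the runner's platform. The script would also benefit from `set -euo pipefail` and a guard such as `: "${1:?source repository required}"` so a missing argument fails with a clear message.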
@@ -503,6 +504,7 @@ The following table lists the configurable parameters of the Sumo Logic chart an | `tailing-sidecar-operator.enabled` | Flag to control deploying Tailing Sidecar Operator Helm sub-chart. | `false` | | `tailing-sidecar-operator.fullnameOverride` | Used to override the chart's full name. | `Nil` | | `tailing-sidecar-operator.scc.create` | Create OpenShift's Security Context Constraint | `false` | +| `tailing-sidecar-operator.kubeRbacProxy.image.repository` | Container repository for Kube RBAC Proxy | `public.ecr.aws/sumologic/kube-rbac-proxy` | | `pvcCleaner.metrics.enabled` | Flag to enable cleaning unused PVCs for otelcol metrics statefulsets. | `false` | | `pvcCleaner.logs.enabled` | Flag to enable cleaning unused PVCs for otelcol logs statefulsets. | `false` | | `pvcCleaner.job.image.repository` | Image repository for pvcCleaner docker containers. | `public.ecr.aws/sumologic/kubernetes-tools-kubectl` | diff --git a/deploy/helm/sumologic/values.yaml b/deploy/helm/sumologic/values.yaml index 0bca6609d4..38b389a2ee 100644 --- a/deploy/helm/sumologic/values.yaml +++ b/deploy/helm/sumologic/values.yaml @@ -2418,6 +2418,10 @@ tailing-sidecar-operator: scc: create: false + kubeRbacProxy: + image: + repository: public.ecr.aws/sumologic/kube-rbac-proxy + ## Configure OpenTelemetry Operator - Instrumentation ## ref: https://github.com/open-telemetry/opentelemetry-helm-charts/tree/main/charts/opentelemetry-operator opentelemetry-operator: @@ -2526,6 +2530,10 @@ opentelemetry-operator: cpu: 150m memory: 256Mi + kubeRBACProxy: + image: + repository: public.ecr.aws/sumologic/kube-rbac-proxy + ## pvcCleaner deletes unused PVCs pvcCleaner: metrics: diff --git a/shell.nix b/shell.nix index 380542c366..415a60cde3 100644 --- a/shell.nix +++ b/shell.nix @@ -30,6 +30,7 @@ pkgs.mkShell { pkgs.golangci-lint pkgs.go pkgs.kind + pkgs.skopeo ]; } ## Output of `make tool-versions`:
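Review bot: In `deploy/helm/sumologic/values.yaml`, both new defaults point at `public.ecr.aws/sumologic/kube-rbac-proxy`, while the sync job added in this commit pushes to `public.ecr.aws/a4t4y2n3`, and nothing in the diff shows that the two names resolve to the same registry. If `a4t4y2n3` is the registry behind the `sumologic` alias, a comment above each `kubeRbacProxy` / `kubeRBACProxy` block would let a reader confirm the chart pulls what the workflow pushes, for example `## Mirrored from quay.io/brancz/kube-rbac-proxy by .github/workflows/sync-repositories.yaml`. Only `repository` is set here, so the deployed tag presumably still comes from each sub-chart's default; it is worth confirming that tag exists in the mirror before the default changes for users.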