From 95f3631710351e989b8ee0b672f1c62c524d0c9f Mon Sep 17 00:00:00 2001 From: Christie Wilson Date: Fri, 10 Jul 2020 17:14:44 -0400 Subject: [PATCH] =?UTF-8?q?Add=20Tasks=20to=20acquire=20and=20release=20bo?= =?UTF-8?q?skos=20resources=20=F0=9F=90=91?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Boskos is a tool that allows one to create a pool of cloud projects (definitely GCP, I think it supports other providers as well), and manages acquiring, releasing, and cleaning them between leases. We use it for Tekton test infrastructure for our end to end tests and we'd like to use it for our catalog Tasks as well. This commit adds boskos acquire and release Tasks. The acquire Task also creates a pod in the running cluster to perform heartbeating so that boskos knows that the resource is still in use. The intention of the release Task is that it would be run in a Pipeline's `finally` clause, however today that would be difficult because finally Tasks can't yet use the results of other Tasks, but this functionality is on the way: https://github.com/tektoncd/pipeline/issues/2557 This is part of the work in #373 to create a Pipeline for the catalog. --- boskos-acquire/0.1/README.md | 40 +++++++++++ boskos-acquire/0.1/boskos-acquire.yaml | 67 +++++++++++++++++++ boskos-acquire/0.1/examples/pipelinerun.yaml | 34 ++++++++++ .../0.1/examples/service-account.yaml | 29 ++++++++ boskos-acquire/OWNERS | 5 ++ boskos-release/0.1/README.md | 31 +++++++++ boskos-release/0.1/boskos-release.yaml | 39 +++++++++++ boskos-release/0.1/examples/pipelinerun.yaml | 1 + .../0.1/examples/service-account.yaml | 1 + boskos-release/OWNERS | 5 ++ 10 files changed, 252 insertions(+) create mode 100644 boskos-acquire/0.1/README.md create mode 100644 boskos-acquire/0.1/boskos-acquire.yaml create mode 100644 boskos-acquire/0.1/examples/pipelinerun.yaml create mode 100644 boskos-acquire/0.1/examples/service-account.yaml create mode 100644 boskos-acquire/OWNERS create mode 100644 boskos-release/0.1/README.md create mode 100644 boskos-release/0.1/boskos-release.yaml create mode 120000 boskos-release/0.1/examples/pipelinerun.yaml create mode 120000 boskos-release/0.1/examples/service-account.yaml create mode 100644 boskos-release/OWNERS diff --git a/boskos-acquire/0.1/README.md b/boskos-acquire/0.1/README.md new file mode 100644 index 0000000000..763bde1f44 --- /dev/null +++ b/boskos-acquire/0.1/README.md @@ -0,0 +1,40 @@ +# Boskos Acquire + +The `boskos-acquire` Task can be used to acquire cloud projects from a pool with +[Boskos](https://github.com/kubernetes-sigs/boskos#boskos), by invoking `boskosctl`. + +To release projects obtained with `boskos-acquire` can be released with +[`boskos-release`](../boskos-release). + +It is implemented using [`boskosctl`](https://github.com/kubernetes-sigs/boskos/tree/master/cmd/boskosctl). + +_The Task assumes already have Boskos up and running. To set it up yourself, your +best bet would be to find an example of it already configured, for example +[the boskos configuration used for Tekton itself](https://github.com/tektoncd/plumbing/tree/master/boskos)._ + +## ServiceAccount + +After acquiring a project, the Task will start a running `pod` in your cluster to send +heartbeat requests to Boskos (Boskos will automatically clean up abandoned clusters). +This means the Task must be run with a serviceAccount that has the ability to interact +with `pods` (see [service-account.yaml](examples/service-account.yaml) for an example). + +## Parameters + +* **server-url**: The URL of the running boskos server. (_default_: http://boskos.test-pods.svc.cluster.local) +* **type**: The type of resource to request. Resource types are specified in the resource + ConfigMap provided to the Boskos server. (_default_: gke-project) +* **owner-name**: A string that identifies the owner of the leased resource to request. (_required_) + +## Results + +* **leased-resource**: The name of the leased resource + +## Usage + +See [examples/pipelinerun.yaml](examples/pipelinerun.yaml) for an example of a Pipeline that obtains +a resource using Boskos, then waits (this is when you would do whatever you need to do with the resource), +and finally releases it with [`boskos-release`](../boskos-release). + +Boskos doesn't do anything to provide you with the credentials you need to interact with the resource you +have leased. Setting up and managing these credentials is outside the scope of Boskos's responsibilities. \ No newline at end of file diff --git a/boskos-acquire/0.1/boskos-acquire.yaml b/boskos-acquire/0.1/boskos-acquire.yaml new file mode 100644 index 0000000000..2903a5248a --- /dev/null +++ b/boskos-acquire/0.1/boskos-acquire.yaml @@ -0,0 +1,67 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: boskos-acquire + labels: + app.kubernetes.io/version: "0.1" + annotations: + tekton.dev/pipelines.minVersion: "0.12.1" + tekton.dev/tags: "boskos,test" +spec: + description: | + The boskos-acquire Task will request a resource of the specified type from the + server-url. If successful, it will start a pod that will run the boskosctl heartbeat + command. When you are done with the resource, release it with boskos-release. + params: + - name: server-url + description: The URL of the running boskos server + default: "http://boskos.test-pods.svc.cluster.local" + - name: type + description: | + The type of resource to request. Resource types are specified in the resource + ConfigMap provided to the Boskos server. + default: gke-project + - name: owner-name + description: A string that identifies the owner of the leased resource to request. + results: + - name: leased-resource + description: The name of the leased resource + steps: + - name: boskosctl-acquire + image: gcr.io/k8s-staging-boskos/boskosctl@sha256:a7fc984732c5dd0b4e0fe0a92e2730fa4b6bddecd0f6f6c7c6b5501abe4ab105 + script: | + RESOURCE=$(boskosctl acquire \ + --server-url=$(params.server-url) \ + --owner-name=$(params.owner-name) \ + --type=$(params.type) \ + --state=free \ + --target-state=busy) + echo $RESOURCE > /workspace/full-resource-output.json + echo $RESOURCE | jq -rj ".name" > /tekton/results/leased-resource + - name: create-boskosctl-heartbeat-pod + image: ubuntu + script: | + FULL_RESOURCE_OUTPUT=$(cat /workspace/full-resource-output.json) + LEASED_RESOURCE=$(cat /tekton/results/leased-resource) + cat < /workspace/heartbeat.yaml + apiVersion: v1 + kind: Pod + metadata: + name: boskos-heartbeat-$LEASED_RESOURCE + spec: + containers: + - name: heatbeat + image: gcr.io/k8s-staging-boskos/boskosctl@sha256:a7fc984732c5dd0b4e0fe0a92e2730fa4b6bddecd0f6f6c7c6b5501abe4ab105 + args: + - heartbeat + - --server-url=$(params.server-url) + - --owner-name=$(params.owner-name) + - --resource=$FULL_RESOURCE_OUTPUT + - --period=10s + EOF + - name: start-boskosctl-heartbeat + image: lachlanevenson/k8s-kubectl + args: + - "apply" + - "-f" + - "/workspace/heartbeat.yaml" diff --git a/boskos-acquire/0.1/examples/pipelinerun.yaml b/boskos-acquire/0.1/examples/pipelinerun.yaml new file mode 100644 index 0000000000..58756119bc --- /dev/null +++ b/boskos-acquire/0.1/examples/pipelinerun.yaml @@ -0,0 +1,34 @@ +apiVersion: tekton.dev/v1beta1 +kind: PipelineRun +metadata: + generateName: do-boskos- +spec: + serviceAccountName: boskos-heartbeat + pipelineSpec: + params: + - name: owner-name + default: trying-out-boskos + tasks: + - name: boskos-acquire + taskRef: + name: boskos-acquire + params: + - name: owner-name + value: $(params.owner-name) + - name: wait + runAfter: [boskos-acquire] + taskSpec: + steps: + - image: ubuntu + script: | + sleep 1m + - name: boskos-release + runAfter: [wait] + taskRef: + name: boskos-release + params: + - name: leased-resource + # TODO(pipeline#2557): This is a good candidate for a finally clause + value: $(tasks.boskos-acquire.results.leased-resource) + - name: owner-name + value: $(params.owner-name) \ No newline at end of file diff --git a/boskos-acquire/0.1/examples/service-account.yaml b/boskos-acquire/0.1/examples/service-account.yaml new file mode 100644 index 0000000000..cef7ad66bd --- /dev/null +++ b/boskos-acquire/0.1/examples/service-account.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: boskos-heartbeat + namespace: default +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: pod-editor + namespace: default +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: boskos-heartbeat-pod-editor + namespace: default +subjects: + - kind: ServiceAccount + name: boskos-heartbeat + namespace: default +roleRef: + kind: Role + name: pod-editor + apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/boskos-acquire/OWNERS b/boskos-acquire/OWNERS new file mode 100644 index 0000000000..b9600912f6 --- /dev/null +++ b/boskos-acquire/OWNERS @@ -0,0 +1,5 @@ +approvers: +- bobcatfish + +reviewers: +- bobcatfish diff --git a/boskos-release/0.1/README.md b/boskos-release/0.1/README.md new file mode 100644 index 0000000000..ac6db7db23 --- /dev/null +++ b/boskos-release/0.1/README.md @@ -0,0 +1,31 @@ +# Boskos Release + +The `boskos-release` Task can be used to release cloud projects +which were obtained from a pool with [Boskos](https://github.com/kubernetes-sigs/boskos#boskos) +via [`boskos-acquire`](../boskos-acquire). + +It will mark the resource as `dirty` so that Boskos will clear any obtained resources. + +It is implemented using [`boskosctl`](https://github.com/kubernetes-sigs/boskos/tree/master/cmd/boskosctl). + +_The Task assumes already have Boskos up and running. To set it up yourself, your +best bet would be to find an example of it already configured, for example +[the boskos configuration used for Tekton itself](https://github.com/tektoncd/plumbing/tree/master/boskos)._ + +## ServiceAccount + +[`boskos-acquire`](../boskos-acquire) will start a `pod` in your cluster to maintain the lease +via a heartbeat. `boskos-release` will delete that pod, and so the Task must be run with a +serviceAccount that has the ability to delete `pods` (see [service-account.yaml](examples/service-account.yaml) for an example). + +## Parameters + +* **server-url**: The URL of the running boskos server. (_default_: http://boskos.test-pods.svc.cluster.local) +* **leased-resource**: The name of the leased resource. (_required_) +* **owner-name**: A string that identifies the owner of the leased resource to request. (_required_) + +## Usage + +See [examples/pipelinerun.yaml](examples/pipelinerun.yaml) for an example of a Pipeline that obtains +a resource using [`boskos-acquire`](../boskos-acquire), then waits (this is when you would do whatever +you need to do with the resource), and finally releases it with `boskos-release`. diff --git a/boskos-release/0.1/boskos-release.yaml b/boskos-release/0.1/boskos-release.yaml new file mode 100644 index 0000000000..de73f6ed4e --- /dev/null +++ b/boskos-release/0.1/boskos-release.yaml @@ -0,0 +1,39 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: boskos-release + labels: + app.kubernetes.io/version: "0.1" + annotations: + tekton.dev/pipelines.minVersion: "0.12.1" + tekton.dev/tags: "boskos,test" +spec: + description: | + The boskos-release Task will release the specified resource from the boskos instance + at server-url. It also assumes the resource was obtained via boskos-acquire and so + terminates the heartbeat pod that was created by that Task to keep the resource obtained. + It will mark the resource as dirty so that the boskos Janitor will clean it (by deleting + any state created). + params: + - name: server-url + description: The URL of the running boskos server + default: "http://boskos.test-pods.svc.cluster.local" + - name: leased-resource + description: A string that identifies the leased resource to release. + - name: owner-name + description: A string that identifies the owner of the leased resource to request. + steps: + - name: boskosctl-release + image: gcr.io/k8s-staging-boskos/boskosctl@sha256:a7fc984732c5dd0b4e0fe0a92e2730fa4b6bddecd0f6f6c7c6b5501abe4ab105 + args: + - "release" + - "--server-url=$(params.server-url)" + - "--owner-name=$(params.owner-name)" + - "--name=$(params.leased-resource)" + - "--target-state=dirty" + - name: stop-boskosctl-heartbeat + image: lachlanevenson/k8s-kubectl + args: + - "delete" + - "pod" + - "boskos-heartbeat-$(params.leased-resource)" diff --git a/boskos-release/0.1/examples/pipelinerun.yaml b/boskos-release/0.1/examples/pipelinerun.yaml new file mode 120000 index 0000000000..6d790e5b72 --- /dev/null +++ b/boskos-release/0.1/examples/pipelinerun.yaml @@ -0,0 +1 @@ +boskos-acquire/0.1/examples/pipelinerun.yaml \ No newline at end of file diff --git a/boskos-release/0.1/examples/service-account.yaml b/boskos-release/0.1/examples/service-account.yaml new file mode 120000 index 0000000000..0332df6229 --- /dev/null +++ b/boskos-release/0.1/examples/service-account.yaml @@ -0,0 +1 @@ +boskos-acquire/0.1/examples/service-account.yaml \ No newline at end of file diff --git a/boskos-release/OWNERS b/boskos-release/OWNERS new file mode 100644 index 0000000000..b9600912f6 --- /dev/null +++ b/boskos-release/OWNERS @@ -0,0 +1,5 @@ +approvers: +- bobcatfish + +reviewers: +- bobcatfish