apps: mv kubernetes-external-secrets and node-perf-dash, update existing, add README #2290

Merged: 13 commits, Jul 8, 2021
60 changes: 46 additions & 14 deletions README.md
@@ -1,29 +1,61 @@
# k8s.io

Kubernetes files for various sites and infrastructure

- `audit`: script to dump all gcp resources to repo, and its most recently-reviewed results
- `cert-manager`: community-managed deployment of [cert-manager] for the `aaa` cluster
- `dns`: community-managed DNS for kubernetes.io and k8s.io
- `gcsweb.k8s.io`: community-managed deployment of [gcsweb]
- `groups`: community-managed google groups on the kubernetes.io domain
- `infra`: scripts/terraform files for community management of infra
- `k8s.gcr.io`: community-managed GCR repos
- `k8s.io`: community-managed deployment of nginx that provides redirects for k8s.io and its subdomains
- `perf-dash.k8s.io`: community-managed deployment of [perfdash]
- `publishing-bot`: community-managed deployment of [publishing-bot]
- `slack-infra`: community-managed deployment of [slack-infra]
- `node-perf-dash`: community-managed performance dashboard for Kubernetes node tests.
Kubernetes project infrastructure, managed by the kubernetes comunity via [wg-k8s-infra]

- `apps`: community-managed apps that run on the community-managed `aaa` cluster
- `gcsweb`: instance of [gcsweb] at https://gcsweb.k8s.io - owned by [sig-testing]
- `kubernetes-external-secrets`: instance of [kubernetes-external-secrets] - owned by [sig-testing]
- `node-perf-dash`: instance of [node-perf-dash] - owned by [sig-node] (TODO(https://github.com/kubernetes/k8s.io/issues/2150) migrate to apps/)
- `sippy`: instance of [sippy] at https://sippy.k8s.io - owned by [sig-architecture] (on behalf of [wg-reliability])
- `slack-infra`: instance of [slack-infra] including https://slack.k8s.io - owned by [sig-contributor-experience]
- `audit`: scripts to export all relevant gcp resources, and the most recently-reviewed export
- `cert-manager`: instance of [cert-manager] for the `aaa` cluster - owned by ???
- `dns`: DNS for kubernetes.io and k8s.io
- `groups`: google groups on the kubernetes.io domain
- `hack`: scripts used for development, testing, etc.
- `images`: container images published to `gcr.io/k8s-staging-infra-tools`
- `infra/gcp`: scripts and data to manage our GCP infrastructure
- `clusters/modules`: terraform modules intended for re-use within this repo
- `clusters/projects`: terraform to manage (parts of) GCP projects
- `k8s.gcr.io`: container images published by the project, promoted from `gcr.io/k8s-staging-*` repos
- `k8s.io`: instance of nginx that provides redirects/reverse-proxying for k8s.io and its subdomains - owned by [sig-contributor-experience] and [sig-testing] (TODO(https://github.com/kubernetes/k8s.io/issues/2150) migrate to apps/)
- `perf-dash.k8s.io`: instance of [perfdash] - owned by [sig-scalability] (TODO(https://github.com/kubernetes/k8s.io/issues/2150) migrate to apps/)
- `prow`: work-in-pogress instance of [prow] - owned by [sig-testing] (TODO(https://github.com/kubernetes/k8s.io/issues/2150) migrate to apps/)
- `publishing-bot`: instance of [publishing-bot] - owned by [sig-release] (TODO(https://github.com/kubernetes/k8s.io/issues/2150) migrate to apps/)
- `registry.k8s.io`: work-in-progress to support cross-cloud mirroring/hosting of containers and binaries
- `triage-party/release-team`: instance of [triage-party] - owned by [sig-release] (TODO(https://github.com/kubernetes/k8s.io/issues/2150) migrate to apps/)

TODO: are these actively in use or should they be retired?
- `artifacts`
- `artifactserver`
- `policies`

We provide a [publicly viewable billing-report][billing-report] accessible to members of [[email protected]]

Please see https://git.k8s.io/community/wg-k8s-infra for more information

<!-- apps -->
[cert-manager]: https://github.com/jetstack/cert-manager
[gcsweb]: https://git.k8s.io/test-infra/gcsweb
[kubernetes-external-secrets]: https://github.com/external-secrets/kubernetes-external-secrets
[node-perf-dash]: https://github.com/kubernetes-retired/contrib/tree/master/node-perf-dash
[perfdash]: https://git.k8s.io/perf-tests/perfdash
[prow]: https://git.k8s.io/test-infra/prow
[publishing-bot]: https://git.k8s.io/publishing-bot
[sippy]: https://github.com/openshift/sippy
[slack-infra]: https://sigs.k8s.io/slack-infra
[triage-party]: https://github.com/google/triage-party

<!-- misc -->
[billing-report]: https://datastudio.google.com/u/0/reporting/14UWSuqD5ef9E4LnsCD9uJWTPv8MHOA3e
[kubernetes-wg-k8s-infra@]: https://groups.google.com/forum/#!forum/kubernetes-wg-k8s-infra

<!-- community groups -->
[sig-architecture]: https://git.k8s.io/community/sig-architecture
[sig-contributor-experience]: https://git.k8s.io/community/sig-contributor-experience
[sig-node]: https://git.k8s.io/community/sig-node
[sig-release]: https://git.k8s.io/community/sig-release
[sig-scalability]: https://git.k8s.io/community/sig-scalability
[sig-testing]: https://git.k8s.io/community/sig-testing
[wg-k8s-infra]: https://git.k8s.io/community/wg-k8s-infra
[wg-reliability]: https://git.k8s.io/community/wg-reliability
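Review bot: two typos in the added lines: "kubernetes comunity" in the intro sentence and "work-in-pogress" in the `prow` entry. The `cert-manager` entry also ships with "owned by ???"; either settle the owner before merge or write it as an explicit TODO like the migration notes on the other entries, so the placeholder does not read as the final state of the README.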
43 changes: 43 additions & 0 deletions apps/README.md
@@ -0,0 +1,43 @@
# apps

Kubernetes community-managed project infrastructure in the form of apps that
run on the `aaa` cluster. See [running-in-community-clusters.md] for more details

## proposed format

Each directory in here corresponds to a single `app`, which means:

- the app runs in a namespace named `app` on the `aaa` cluster
- the app is owned by a SIG, as designated by a `sig/foo` label in OWNERS
- app managers are members of the `k8s-infra-rbac-{app}@kubernetes.io` group
- the app's k8s resources all have the label `app: {app}`
- any secrets needed by this app are implemented via `ExternalSecret` CRDs (TODO(https://github.com/kubernetes/k8s.io/issues/2220))

The expected layout for a given app is:

```
{app} # the k8s namespace this runs in, managed by k8s-infra-rbac-{app}@kubernetes.io
├── OWNERS # must have relevant reviewers/approvers, and labels: [sig/foo, area/apps/{app}]
├── README.md # what is it, who owns it, how to deploy it
├── deploy.sh # ideally "how to deploy it" == run this script
└── *.yaml # kubernetes resources / manifests, deployable via kubectl apply -f
```

Expect this to change as we iterate toward convergence on a standard that
actually fits the apps we run today.

## known issues

- enforcement
- OWNER constraints enforcemed by humans
- no validation of yaml beyond yamllint
- `app:` convention enforcement by humands

nit: spelling humands

Member Author


Good catch, I'll fix this in a followup

Member Author


Followup PR: #2314

- `*.yaml` can be more than k8s resources
- consider a `resources/` subdir convention for all k8s resources
- allows for config files etc. at app root
- `app:` label convention
- cert-manager has multiple `app:` labels: `cainjector`, `cert-manager`, `webhook`, and many empty
- consider a custom label `k8s-infra-app:`; could do prefix but then need to decide on a DNS name
- is this a convention worth enforcing? perhaps namespace is enough

[running-in-community-clusters.md]: /running-in-community-clusters.md
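Review bot: two typos in the known-issues list, "enforcemed" and "humands" (the second already flagged above). Separately, the bullet saying an app's secrets are implemented via `ExternalSecret` CRDs makes every app depend on the `kubernetes-external-secrets` app that lives in this same directory; the proposed format should say that it has to be deployed before any app that declares an `ExternalSecret`, since the layout above gives no ordering between apps.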
File renamed without changes.
17 changes: 3 additions & 14 deletions apps/gcsweb.k8s.io/README.md → apps/gcsweb/README.md
@@ -37,23 +37,12 @@ of `deployment.yaml` by `kubectl apply`.

Ensure you have [access to the cluster]

Ensure you are a member of both:
Ensure you are a member of `[email protected]`

- [email protected]
- [email protected]

Connecting to cloud-shell:

```shell
gcloud alpha cloud-shell ssh --authorize-session --project kubernetes-public
```

Deploy gcsweb:
From within this directory:

```shell
git clone https://github.com/kubernetes/k8s.io
cd k8s.io
kubectl apply -Rf gcsweb/
./deploy.sh
```

[access to the cluster]: https://github.com/kubernetes/k8s.io/blob/main/running-in-community-clusters.md#access-the-cluster
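Review bot: the membership requirement drops from two groups to one, but the group name is mangled in the rendered text; confirm the line names the `k8s-infra-rbac-{app}@kubernetes.io` group that apps/README.md and `deploy.sh` describe. Also, the removed cloud-shell block was the only step that gave the reader a gcloud session against `kubernetes-public`; the new text relies on `deploy.sh` fetching cluster credentials itself, so a sentence saying the script will call `gcloud container clusters get-credentials` on first run would save a surprise.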
File renamed without changes.
50 changes: 50 additions & 0 deletions apps/gcsweb/deploy.sh
@@ -0,0 +1,50 @@
#!/usr/bin/env bash

# Copyright 2021 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Deploys this app to the aaa cluster, or whatever cluster is pointed to
# by KUBECTL_CONTEXT if set. Assumes the app's namespace already exists.
#
# Members of k8s-infra-rbac-${app}@kubernetes.io can run this.

set -o errexit
set -o nounset
set -o pipefail

SCRIPT_ROOT=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)

app=$(basename "${SCRIPT_ROOT}")

# coordinates to locate the target cluster in gke
cluster_name="aaa"
cluster_project="kubernetes-public"
cluster_region="us-central1"

# coordinates to locate the app on the target cluster
namespace="${app}"

# well known name set by `gcloud container clusters get-credentials`
gke_context="gke_${cluster_project}_${cluster_region}_${cluster_name}"
context="${KUBECTL_CONTEXT:-${gke_context}}"

# ensure we have a context to talk to the target cluster
if ! kubectl config get-contexts "${context}" >/dev/null 2>&1; then
gcloud container clusters get-credentials "${cluster_name}" --project="${cluster_project}" --region="${cluster_region}"
context="${gke_context}"
fi

# deploy kubernetes resources
pushd "${SCRIPT_ROOT}" >/dev/null
kubectl --context="${context}" --namespace="${namespace}" apply --dry-run=client -f .
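Review bot: the script ends on `kubectl ... apply --dry-run=client -f .`, so as written it only validates the manifests client-side and never applies anything to the cluster. If the dry run was left in from testing, drop `--dry-run=client`, or gate it behind a variable and make the real apply the default. The `pushd` also has no matching `popd`; harmless as the last statement, but worth adding so the deploy step can be extended safely.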
Original file line number Diff line number Diff line change
@@ -26,12 +26,12 @@ spec:
image: k8s.gcr.io/gcsweb:v1.1.0
args:
- -upgrade-proxied-http-to-https
- -b=kubernetes-jenkins
- -b=kubernetes-release
- -b=kubernetes-release-dev
- -b=k8s-infra-prow-results
- -b=k8s-infra-scalability-tests-logs
- -b=k8s-release-dev
- -b=kubernetes-jenkins
- -b=kubernetes-release
- -b=kubernetes-release-dev
- -p=8080
ports:
- containerPort: 8080
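Review bot: besides re-sorting the `-b=` list, this hunk adds three buckets (`k8s-infra-prow-results`, `k8s-infra-scalability-tests-logs`, `k8s-release-dev`) that the PR title does not mention. gcsweb makes whatever it is pointed at browsable, so confirm these are meant to be publicly listed and call the addition out in the description or split it into its own commit.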
File renamed without changes.
File renamed without changes.
Original file line number Diff line number Diff line change
@@ -12,10 +12,8 @@ Ensure you are a member of:

If you encounter any issue during the deployment, reach out to [email protected] for help.

To boostrap Kubernetes External Secrets:

```shell
kubectl apply -Rf kubernetes-external-secrets/
./deploy.sh
```

[access to the cluster]: https://github.com/kubernetes/k8s.io/blob/main/running-in-community-clusters.md#access-the-cluster
[access to the cluster]: https://github.com/kubernetes/k8s.io/blob/main/running-in-community-clusters.md#access-the-cluster
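Review bot: typo in the context line "To boostrap Kubernetes External Secrets"; since the hunk touches this paragraph it is a cheap fix. The `[access to the cluster]` reference shows as both removed and added with identical text, which suggests only a trailing newline changed; fine, but confirm the file does not now carry the definition twice.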
50 changes: 50 additions & 0 deletions apps/kubernetes-external-secrets/deploy.sh
@@ -0,0 +1,50 @@
#!/usr/bin/env bash

# Copyright 2021 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Deploys this app to the aaa cluster, or whatever cluster is pointed to
# by KUBECTL_CONTEXT if set. Assumes the app's namespace already exists.
#
# Members of k8s-infra-rbac-${app}@kubernetes.io can run this.

set -o errexit
set -o nounset
set -o pipefail

SCRIPT_ROOT=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)

app=$(basename "${SCRIPT_ROOT}")

# coordinates to locate the target cluster in gke
cluster_name="aaa"
cluster_project="kubernetes-public"
cluster_region="us-central1"

# coordinates to locate the app on the target cluster
namespace="${app}"

# well known name set by `gcloud container clusters get-credentials`
gke_context="gke_${cluster_project}_${cluster_region}_${cluster_name}"
context="${KUBECTL_CONTEXT:-${gke_context}}"

# ensure we have a context to talk to the target cluster
if ! kubectl config get-contexts "${context}" >/dev/null 2>&1; then
gcloud container clusters get-credentials "${cluster_name}" --project="${cluster_project}" --region="${cluster_region}"
context="${gke_context}"
fi

# deploy kubernetes resources
pushd "${SCRIPT_ROOT}" >/dev/null
kubectl --context="${context}" --namespace="${namespace}" apply --dry-run=client -f .
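Review bot: this file is the same script as the other `deploy.sh` copies in this PR, differing only through the app name derived from the directory. Consider one shared script under `hack/` (a directory the top-level README already lists) that each app's `deploy.sh` delegates to, so a fix only has to land once; this copy, like the others, ends on a `--dry-run=client` apply and therefore deploys nothing as written.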
@@ -2,7 +2,9 @@
apiVersion: v1
kind: ServiceAccount
metadata:
annotations:
iam.gke.io/gcp-service-account: kubernetes-external-secrets@kubernetes-public.iam.gserviceaccount.com
name: kubernetes-external-secrets
namespace: kubernetes-external-secrets
labels:
app: kubernetes-external-secrets
annotations:
iam.gke.io/gcp-service-account: kubernetes-external-secrets@kubernetes-public.iam.gserviceaccount.com
Original file line number Diff line number Diff line change
@@ -4,6 +4,8 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: externalsecrets.kubernetes-client.io
labels:
app: kubernetes-external-secrets
annotations:
# used in e2e testing
app.kubernetes.io/managed-by: helm
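Review bot: the `app:` label goes onto a cluster-scoped CRD, which does not fit the apps/README.md convention that an app's resources live in its own namespace: `deploy.sh` passes `--namespace`, but that is ignored for cluster-scoped kinds, and applying a CRD needs cluster-level RBAC beyond what a per-namespace `k8s-infra-rbac-{app}` group would be expected to hold. Worth recording under known issues, and worth stating which principal is expected to apply this file.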
11 changes: 11 additions & 0 deletions apps/node-perf-dash/OWNERS
@@ -0,0 +1,11 @@
# See the OWNERS docs at https://go.k8s.io/owners

approvers:
- sig-node-leads
reviewers:
- sig-node-leads
emeritus_approvers:
- karan

labels:
- sig/node
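Review bot: apps/README.md in this PR says an app's OWNERS labels should be `[sig/foo, area/apps/{app}]`, but this file carries only `sig/node`; add `area/apps/node-perf-dash`, or relax the proposed format if the area label is not wanted yet.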
File renamed without changes.
Original file line number Diff line number Diff line change
@@ -3,6 +3,8 @@ kind: ManagedCertificate
metadata:
name: node-perf-dash-k8s-io
namespace: node-perf-dash
labels:
app: node-perf-dash
spec:
domains:
- node-perf-dash.k8s.io
50 changes: 50 additions & 0 deletions apps/node-perf-dash/deploy.sh
@@ -0,0 +1,50 @@
#!/usr/bin/env bash

# Copyright 2021 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Deploys this app to the aaa cluster, or whatever cluster is pointed to
# by KUBECTL_CONTEXT if set. Assumes the app's namespace already exists.
#
# Members of k8s-infra-rbac-${app}@kubernetes.io can run this.

set -o errexit
set -o nounset
set -o pipefail

SCRIPT_ROOT=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)

app=$(basename "${SCRIPT_ROOT}")

# coordinates to locate the target cluster in gke
cluster_name="aaa"
cluster_project="kubernetes-public"
cluster_region="us-central1"

# coordinates to locate the app on the target cluster
namespace="${app}"

# well known name set by `gcloud container clusters get-credentials`
gke_context="gke_${cluster_project}_${cluster_region}_${cluster_name}"
context="${KUBECTL_CONTEXT:-${gke_context}}"

# ensure we have a context to talk to the target cluster
if ! kubectl config get-contexts "${context}" >/dev/null 2>&1; then
gcloud container clusters get-credentials "${cluster_name}" --project="${cluster_project}" --region="${cluster_region}"
context="${gke_context}"
fi

# deploy kubernetes resources
pushd "${SCRIPT_ROOT}" >/dev/null
kubectl --context="${context}" --namespace="${namespace}" apply --dry-run=client -f .
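Review bot: when `KUBECTL_CONTEXT` is set but names a context that is not in the kubeconfig, the `if ! kubectl config get-contexts` branch silently replaces it with the `aaa` GKE context and fetches credentials for it, so a typo in an override meant for a test cluster ends up targeting production. When the variable was set explicitly, fail with an error instead of falling back; only derive the GKE context when no override was given. As in the other copies, the final `apply` is `--dry-run=client`, so nothing is applied as written.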
File renamed without changes.
File renamed without changes.
2 changes: 1 addition & 1 deletion apps/sippy/README.md
@@ -13,5 +13,5 @@ and tests. Visit (placeholder for eventual URL) to see the kube instance.
- From the `apps/sippy` directory run:

```console
kubectl apply -f .
./deploy.sh
```
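Review bot: the context line above still reads "Visit (placeholder for eventual URL)" while the top-level README in this PR lists https://sippy.k8s.io for the sippy instance; since the hunk touches this section, replace the placeholder with that URL.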