From 9edfb2efaef128f710d58e3fd6b935144c987ca7 Mon Sep 17 00:00:00 2001 From: Aleksandr Nogikh Date: Mon, 24 Feb 2025 17:20:00 +0100 Subject: syz-cluster: move more configs to common --- syz-cluster/Makefile | 2 +- syz-cluster/overlays/common/kustomization.yaml | 16 ++++ syz-cluster/overlays/common/workflow-roles.yaml | 93 ++++++++++++++++++++++ syz-cluster/overlays/dev/fake-gcs.yaml | 83 ------------------- syz-cluster/overlays/dev/global-config.yaml | 13 --- syz-cluster/overlays/dev/kustomization.yaml | 36 --------- .../overlays/dev/network-policy-spanner.yaml | 27 ------- syz-cluster/overlays/dev/workflow-artifacts.yaml | 13 --- syz-cluster/overlays/dev/workflow-roles.yaml | 93 ---------------------- syz-cluster/overlays/minikube/fake-gcs.yaml | 83 +++++++++++++++++++ syz-cluster/overlays/minikube/global-config.yaml | 13 +++ syz-cluster/overlays/minikube/kustomization.yaml | 22 +++++ .../overlays/minikube/network-policy-spanner.yaml | 27 +++++++ .../overlays/minikube/workflow-artifacts.yaml | 13 +++ 14 files changed, 268 insertions(+), 266 deletions(-) create mode 100644 syz-cluster/overlays/common/workflow-roles.yaml delete mode 100644 syz-cluster/overlays/dev/fake-gcs.yaml delete mode 100644 syz-cluster/overlays/dev/global-config.yaml delete mode 100644 syz-cluster/overlays/dev/kustomization.yaml delete mode 100644 syz-cluster/overlays/dev/network-policy-spanner.yaml delete mode 100644 syz-cluster/overlays/dev/workflow-artifacts.yaml delete mode 100644 syz-cluster/overlays/dev/workflow-roles.yaml create mode 100644 syz-cluster/overlays/minikube/fake-gcs.yaml create mode 100644 syz-cluster/overlays/minikube/global-config.yaml create mode 100644 syz-cluster/overlays/minikube/kustomization.yaml create mode 100644 syz-cluster/overlays/minikube/network-policy-spanner.yaml create mode 100644 syz-cluster/overlays/minikube/workflow-artifacts.yaml diff --git a/syz-cluster/Makefile b/syz-cluster/Makefile index b3227e15c..58237cece 100644 --- a/syz-cluster/Makefile 
+++ b/syz-cluster/Makefile @@ -64,4 +64,4 @@ restart-spanner: build-db-mgmt ./run-local.sh db-mgmt migrate k8s-config-dev: - @kubectl kustomize ./overlays/dev/ | IMAGE_PREFIX=${IMAGE_PREFIX} IMAGE_TAG=${IMAGE_TAG} envsubst + @kubectl kustomize ./overlays/minikube/ | IMAGE_PREFIX=${IMAGE_PREFIX} IMAGE_TAG=${IMAGE_TAG} envsubst diff --git a/syz-cluster/overlays/common/kustomization.yaml b/syz-cluster/overlays/common/kustomization.yaml index 32eb3672e..c6ff1cb67 100644 --- a/syz-cluster/overlays/common/kustomization.yaml +++ b/syz-cluster/overlays/common/kustomization.yaml @@ -2,6 +2,22 @@ # Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file. resources: + - ../../controller + - ../../dashboard + - ../../series-tracker + - ../../kernel-disk + - ../../reporter + - ../../workflow + - https://github.com/argoproj/argo-workflows/releases/download/v3.6.2/install.yaml - network-deny-all.yaml - network-policy-controller.yaml - network-policy-git-access.yaml + - workflow-roles.yaml + +patches: + - target: + kind: Deployment + patch: |- + - op: replace + path: /spec/template/spec/containers/0/imagePullPolicy + value: IfNotPresent diff --git a/syz-cluster/overlays/common/workflow-roles.yaml b/syz-cluster/overlays/common/workflow-roles.yaml new file mode 100644 index 000000000..44655c8e1 --- /dev/null +++ b/syz-cluster/overlays/common/workflow-roles.yaml 
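Review bot: The `https://github.com/argoproj/argo-workflows/releases/download/v3.6.2/install.yaml` entry now sits in overlays/common/kustomization.yaml, so every overlay that includes `../common` fetches that manifest over the network at build time. It is pinned only by a release tag, with no integrity check on its contents. Vendoring a reviewed copy into the repository and listing the local file instead (for example `- <vendored-argo-install>.yaml`, placeholder name) would make upgrades show up as reviewable diffs. Separately, the `kind: Deployment` patch has no `name`, so from common it presumably rewrites `imagePullPolicy` on container 0 of every rendered Deployment, including the ones from the Argo manifest; a comment such as `# Applies to all Deployments, including Argo's.` would record that this is intended.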
@@ -0,0 +1,93 @@
+# Copyright 2025 syzkaller project authors. All rights reserved.
+# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ namespace: default
+ name: argo-workflow-role
+rules:
+- apiGroups:
+ - argoproj.io
+ resources:
+ - workflows
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - status
+- apiGroups:
+ - argoproj.io
+ resources:
+ - workflowtasksets
+ - workflowartifactgctasks
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - argoproj.io
+ resources:
+ - workflowtasksets/status
+ - workflowartifactgctasks/status
+ verbs:
+ - patch
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: argo-workflow-list-binding
+ namespace: default
+subjects:
+- kind: ServiceAccount
+ name: default
+ namespace: default
+roleRef:
+ kind: Role
+ name: argo-workflow-role
+ apiGroup: rbac.authorization.k8s.io
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ namespace: default
+ name: executor
+rules:
+- apiGroups: ["argoproj.io"]
+ resources:
+ - workflowtaskresults
+ verbs:
+ - create
+ - patch
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: executor-default
+ namespace: default
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: executor
+subjects:
+- kind: ServiceAccount
+ name: default
+ namespace: default
+
+---
+
+apiVersion: v1
+kind: Secret
+metadata:
+ annotations:
+ kubernetes.io/service-account.name: default
+ name: default.service-account-token
+type: kubernetes.io/service-account-token
diff --git a/syz-cluster/overlays/dev/fake-gcs.yaml b/syz-cluster/overlays/dev/fake-gcs.yaml
deleted file mode 100644
index b5af7594c..000000000
--- a/syz-cluster/overlays/dev/fake-gcs.yaml
+++ /dev/null
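Review bot: Both RoleBindings in the new overlays/common/workflow-roles.yaml name the `default` ServiceAccount of namespace `default` as their subject, so any pod in that namespace that does not set its own service account receives create/update/patch/delete on `workflows`. Now that the file lives in common rather than in a dev-only overlay, a dedicated ServiceAccount bound to these Roles would limit the grant to the pods that need it. The workflow templates are outside this diff, so whether they can set `serviceAccountName` still needs checking. The `status` entry under `verbs` is not an RBAC verb; status is addressed as a subresource such as `workflows/status`, the way the third rule already does for `workflowtasksets/status`. The `default.service-account-token` Secret also creates a non-expiring token for that account and deserves a comment saying which component requires it.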
@@ -1,83 +0,0 @@ -# Copyright 2025 syzkaller project authors. All rights reserved. -# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file. - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: fake-gcs-server -spec: - replicas: 1 - selector: - matchLabels: - app: fake-gcs-server - template: - metadata: - labels: - app: fake-gcs-server - spec: - initContainers: - - name: create-test-bucket - image: busybox - command: ["sh", "-c", "mkdir -p /data/test-bucket /data/blobs"] - volumeMounts: - - name: data-volume - mountPath: /data - containers: - - name: fake-gcs-server - imagePullPolicy: IfNotPresent - image: fsouza/fake-gcs-server - args: [ - "-scheme", "http", - "-public-host", "fake-gcs-server.default.svc.cluster.local", - "-external-url", "http://fake-gcs-server.default.svc.cluster.local:4443" - ] - ports: - - containerPort: 4443 - volumeMounts: - - name: data-volume - mountPath: /data - volumes: - - name: data-volume - emptyDir: {} ---- -apiVersion: v1 -kind: Service -metadata: - name: fake-gcs-server -spec: - selector: - app: fake-gcs-server - ports: - - protocol: TCP - port: 4443 - targetPort: 4443 - type: LoadBalancer - ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: fake-gcs-server-access -spec: - podSelector: - matchLabels: - app: fake-gcs-server - policyTypes: - - Ingress - ingress: - - from: - - podSelector: - matchLabels: - app: controller - - podSelector: - matchLabels: - app: reporter - - podSelector: - matchLabels: - app: web-dashboard - - podSelector: - matchLabels: - tier: workflow - - podSelector: - matchLabels: - app: workflow-controller diff --git a/syz-cluster/overlays/dev/global-config.yaml b/syz-cluster/overlays/dev/global-config.yaml deleted file mode 100644 index 83293e81e..000000000 --- a/syz-cluster/overlays/dev/global-config.yaml +++ /dev/null 
@@ -1,13 +0,0 @@ -# Copyright 2025 syzkaller project authors. All rights reserved. -# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file. - -apiVersion: v1 -kind: ConfigMap -metadata: - name: global-config -data: - SPANNER_EMULATOR_HOST: "cloud-spanner-emulator:9010" - SPANNER_DATABASE_URI: "projects/my-project/instances/my-instance/databases/db" - STORAGE_EMULATOR_HOST: "http://fake-gcs-server.default.svc.cluster.local:4443" - BLOB_STORAGE_GCS_BUCKET: "blobs" # Initialized in fake-gcs.yaml - PARALLEL_WORKERS: "1" # Process only one series at a time. diff --git a/syz-cluster/overlays/dev/kustomization.yaml b/syz-cluster/overlays/dev/kustomization.yaml deleted file mode 100644 index ff4e93d20..000000000 --- a/syz-cluster/overlays/dev/kustomization.yaml +++ /dev/null @@ -1,36 +0,0 @@ -# Copyright 2025 syzkaller project authors. All rights reserved. -# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file. - -resources: - - ../../controller - - ../../dashboard - - ../../series-tracker - - ../../kernel-disk - - ../../reporter - - ../common - - ../../workflow - - global-config.yaml - - https://github.com/argoproj/argo-workflows/releases/download/v3.6.2/install.yaml - - workflow-roles.yaml - - fake-gcs.yaml - - workflow-artifacts.yaml - - network-policy-spanner.yaml - -patches: - - target: - kind: Deployment - patch: |- - - op: replace - path: /spec/template/spec/containers/0/imagePullPolicy - value: IfNotPresent - - target: - kind: ConfigMap - name: workflow-controller-configmap - patch: |- - - op: replace - path: /data - value: - executor: | - env: - - name: STORAGE_EMULATOR_HOST - value: http://fake-gcs-server.default.svc.cluster.local:4443 diff --git a/syz-cluster/overlays/dev/network-policy-spanner.yaml b/syz-cluster/overlays/dev/network-policy-spanner.yaml deleted file mode 100644 index bfda8c609..000000000 --- a/syz-cluster/overlays/dev/network-policy-spanner.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright 2025 syzkaller project authors. All rights reserved. -# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file. - -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: cloud-spanner-access -spec: - podSelector: - matchLabels: - app: cloud-spanner-emulator - policyTypes: - - Ingress - ingress: - - from: - - podSelector: - matchLabels: - app: db-mgmt - - podSelector: - matchLabels: - app: controller - - podSelector: - matchLabels: - app: web-dashboard - - podSelector: - matchLabels: - app: reporter diff --git a/syz-cluster/overlays/dev/workflow-artifacts.yaml b/syz-cluster/overlays/dev/workflow-artifacts.yaml deleted file mode 100644 index fe34bf84d..000000000 --- a/syz-cluster/overlays/dev/workflow-artifacts.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# Copyright 2025 syzkaller project authors. All rights reserved. -# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file. - -apiVersion: v1 -kind: ConfigMap -metadata: - name: artifact-repositories - annotations: - workflows.argoproj.io/default-artifact-repository: gcs-repo -data: - gcs-repo: | - gcs: - bucket: test-bucket diff --git a/syz-cluster/overlays/dev/workflow-roles.yaml b/syz-cluster/overlays/dev/workflow-roles.yaml deleted file mode 100644 index 44655c8e1..000000000 --- a/syz-cluster/overlays/dev/workflow-roles.yaml +++ /dev/null 
@@ -1,93 +0,0 @@ -# Copyright 2025 syzkaller project authors. All rights reserved. -# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file. - -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - namespace: default - name: argo-workflow-role -rules: -- apiGroups: - - argoproj.io - resources: - - workflows - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - status -- apiGroups: - - argoproj.io - resources: - - workflowtasksets - - workflowartifactgctasks - verbs: - - list - - watch -- apiGroups: - - argoproj.io - resources: - - workflowtasksets/status - - workflowartifactgctasks/status - verbs: - - patch ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: argo-workflow-list-binding - namespace: default -subjects: -- kind: ServiceAccount - name: default - namespace: default -roleRef: - kind: Role - name: argo-workflow-role - apiGroup: rbac.authorization.k8s.io - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - namespace: default - name: executor -rules: -- apiGroups: ["argoproj.io"] - resources: - - workflowtaskresults - verbs: - - create - - patch - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: executor-default - namespace: default -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: executor -subjects: -- kind: ServiceAccount - name: default - namespace: default - ---- - -apiVersion: v1 -kind: Secret -metadata: - annotations: - kubernetes.io/service-account.name: default - name: default.service-account-token -type: kubernetes.io/service-account-token diff --git a/syz-cluster/overlays/minikube/fake-gcs.yaml b/syz-cluster/overlays/minikube/fake-gcs.yaml new file mode 100644 index 000000000..64084fe82 --- /dev/null +++ b/syz-cluster/overlays/minikube/fake-gcs.yaml 
@@ -0,0 +1,83 @@
+# Copyright 2025 syzkaller project authors. All rights reserved.
+# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: fake-gcs-server
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: fake-gcs-server
+ template:
+ metadata:
+ labels:
+ app: fake-gcs-server
+ spec:
+ initContainers:
+ - name: create-test-bucket
+ image: busybox
+ command: ["sh", "-c", "mkdir -p /data/workflow-artifacts /data/blobs"]
+ volumeMounts:
+ - name: data-volume
+ mountPath: /data
+ containers:
+ - name: fake-gcs-server
+ imagePullPolicy: IfNotPresent
+ image: fsouza/fake-gcs-server
+ args: [
+ "-scheme", "http",
+ "-public-host", "fake-gcs-server.default.svc.cluster.local",
+ "-external-url", "http://fake-gcs-server.default.svc.cluster.local:4443"
+ ]
+ ports:
+ - containerPort: 4443
+ volumeMounts:
+ - name: data-volume
+ mountPath: /data
+ volumes:
+ - name: data-volume
+ emptyDir: {}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: fake-gcs-server
+spec:
+ selector:
+ app: fake-gcs-server
+ ports:
+ - protocol: TCP
+ port: 4443
+ targetPort: 4443
+ type: LoadBalancer
+
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: fake-gcs-server-access
+spec:
+ podSelector:
+ matchLabels:
+ app: fake-gcs-server
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app: controller
+ - podSelector:
+ matchLabels:
+ app: reporter
+ - podSelector:
+ matchLabels:
+ app: web-dashboard
+ - podSelector:
+ matchLabels:
+ tier: workflow
+ - podSelector:
+ matchLabels:
+ app: workflow-controller
diff --git a/syz-cluster/overlays/minikube/global-config.yaml b/syz-cluster/overlays/minikube/global-config.yaml
new file mode 100644
index 000000000..83293e81e
--- /dev/null
+++ b/syz-cluster/overlays/minikube/global-config.yaml
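Review bot: The Service in overlays/minikube/fake-gcs.yaml is `type: LoadBalancer`, yet the server is started with `-scheme http` and no visible authentication, and every client named in the NetworkPolicy below it is an in-cluster pod using the cluster-local DNS name. `type: ClusterIP` would serve those clients without requesting an external address for the emulator. Both images, `busybox` and `fsouza/fake-gcs-server`, carry no tag or digest, so they resolve to whatever `latest` is at pull time; pinning them (for example `image: busybox:<pinned-tag>`, placeholder) keeps the environment reproducible. The init container is still named `create-test-bucket` although the directory it creates is now `workflow-artifacts`.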
@@ -0,0 +1,13 @@
+# Copyright 2025 syzkaller project authors. All rights reserved.
+# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: global-config
+data:
+ SPANNER_EMULATOR_HOST: "cloud-spanner-emulator:9010"
+ SPANNER_DATABASE_URI: "projects/my-project/instances/my-instance/databases/db"
+ STORAGE_EMULATOR_HOST: "http://fake-gcs-server.default.svc.cluster.local:4443"
+ BLOB_STORAGE_GCS_BUCKET: "blobs" # Initialized in fake-gcs.yaml
+ PARALLEL_WORKERS: "1" # Process only one series at a time.
diff --git a/syz-cluster/overlays/minikube/kustomization.yaml b/syz-cluster/overlays/minikube/kustomization.yaml
new file mode 100644
index 000000000..c5e7b3e9d
--- /dev/null
+++ b/syz-cluster/overlays/minikube/kustomization.yaml
@@ -0,0 +1,22 @@
+# Copyright 2025 syzkaller project authors. All rights reserved.
+# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+resources:
+ - ../common
+ - global-config.yaml
+ - fake-gcs.yaml
+ - network-policy-spanner.yaml
+ - workflow-artifacts.yaml
+
+patches:
+ - target:
+ kind: ConfigMap
+ name: workflow-controller-configmap
+ patch: |-
+ - op: replace
+ path: /data
+ value:
+ executor: |
+ env:
+ - name: STORAGE_EMULATOR_HOST
+ value: http://fake-gcs-server.default.svc.cluster.local:4443
diff --git a/syz-cluster/overlays/minikube/network-policy-spanner.yaml b/syz-cluster/overlays/minikube/network-policy-spanner.yaml
new file mode 100644
index 000000000..bfda8c609
--- /dev/null
+++ b/syz-cluster/overlays/minikube/network-policy-spanner.yaml
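Review bot: The patch in overlays/minikube/kustomization.yaml uses `op: replace` on `path: /data`, which swaps out the whole data map of `workflow-controller-configmap` rather than only the `executor` key. Any other setting that the Argo install manifest or a later patch in common places under `data` is therefore dropped in this overlay without an error. A comment above the patch such as `# Replaces the entire data map; re-add any controller settings needed here.` would make that explicit. The patch could instead target `/data/executor`, if that path exists in the rendered manifest, which this diff does not show. The emulator URL is also repeated here, in global-config.yaml and in the fake-gcs-server arguments, so the three copies have to change together.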
@@ -0,0 +1,27 @@
+# Copyright 2025 syzkaller project authors. All rights reserved.
+# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: cloud-spanner-access
+spec:
+ podSelector:
+ matchLabels:
+ app: cloud-spanner-emulator
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app: db-mgmt
+ - podSelector:
+ matchLabels:
+ app: controller
+ - podSelector:
+ matchLabels:
+ app: web-dashboard
+ - podSelector:
+ matchLabels:
+ app: reporter
diff --git a/syz-cluster/overlays/minikube/workflow-artifacts.yaml b/syz-cluster/overlays/minikube/workflow-artifacts.yaml
new file mode 100644
index 000000000..690ae176a
--- /dev/null
+++ b/syz-cluster/overlays/minikube/workflow-artifacts.yaml
@@ -0,0 +1,13 @@
+# Copyright 2025 syzkaller project authors. All rights reserved.
+# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: artifact-repositories
+ annotations:
+ workflows.argoproj.io/default-artifact-repository: gcs-repo
+data:
+ gcs-repo: |
+ gcs:
+ bucket: workflow-artifacts
-- cgit mrf-deployment