Merge pull request #22 from consideRatio/pr/docker-api

Add docker-api daemonset, prepares k8s nodes for build pods' requirements
2i2c-org · Apr 27, 2023 · 5140e84 · 5140e84
2 parents 6d2f0ad + 72f969f
commit 5140e84
Show file tree

Hide file tree

Showing 8 changed files with 204 additions and 16 deletions.
diff --git a/.github/workflows/test-chart.yaml b/.github/workflows/test-chart.yaml
@@ -165,4 +165,4 @@ jobs:
       - uses: jupyterhub/action-k8s-namespace-report@v1
         if: always()
         with:
-          important-workloads: deploy/binderhub-service
+          important-workloads: deploy/binderhub-service daemonset/binderhub-service-docker-api
diff --git a/.github/workflows/watch-dependencies.yaml b/.github/workflows/watch-dependencies.yaml
@@ -4,11 +4,16 @@
 # This Workflow watches dependencies and automatically creates PRs to update
 # them.
 #
+# - Watch multiple images tags referenced in values.yaml to match the latest
+#   stable image tag (ignoring pre-releases).
 # - Refreeze images/*/requirements.txt based on images/*/requirements.in
 #
 name: Watch dependencies
 
 on:
+  pull_request:
+    paths:
+      - ".github/workflows/watch-dependencies.yaml"
   push:
     paths:
       - "images/*/requirements.in"
@@ -20,6 +25,65 @@ on:
   workflow_dispatch:
 
 jobs:
+  update-image-dependencies:
+    if: github.repository == '2i2c-org/binderhub-service'
+    runs-on: ubuntu-22.04
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - name: docker
+            registry: docker.io
+            repository: library/docker
+            values_path: dockerApi.image.tag
+            tag_prefix: ""
+            tag_suffix: -dind
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Get values.yaml pinned tag of ${{ matrix.registry }}/${{ matrix.repository }}
+        id: local
+        run: |
+          local_tag=$(cat binderhub-service/values.yaml | yq e '.${{ matrix.values_path }}' -)
+          echo "tag=$local_tag" >> $GITHUB_OUTPUT
+
+      - name: Get latest tag of ${{ matrix.registry }}/${{ matrix.repository }}
+        id: latest
+        # The skopeo image helps us list tags consistently from different docker
+        # registries. We identify the latest docker image tag based on the
+        # version numbers of format x.y.z included in a pattern with an optional
+        # prefix and suffix, like the tags "v4.5.0" (v prefix) and "23.0.5-dind"
+        # (-dind suffix).
+        run: |
+          latest_tag=$(
+              docker run --rm quay.io/skopeo/stable list-tags docker://${{ matrix.registry }}/${{ matrix.repository }} \
+            | jq -r '[.Tags[] | select(. | match("^${{ matrix.tag_prefix }}\\d+\\.\\d+\\.\\d+${{ matrix.tag_suffix }}$") | .string)] | sort_by(split(".") | map(ltrimstr("${{ matrix.tag_prefix }}") | rtrimstr("${{ matrix.tag_suffix }}") | tonumber)) | last'
+          )
+          echo "tag=$latest_tag" >> $GITHUB_OUTPUT
+
+      - name: Update values.yaml pinned tag
+        if: steps.local.outputs.tag != steps.latest.outputs.tag
+        run: |
+          sed --in-place 's/tag: "${{ steps.local.outputs.tag }}"/tag: "${{ steps.latest.outputs.tag }}"/g' binderhub-service/values.yaml
+
+      - name: git diff
+        if: steps.local.outputs.tag != steps.latest.outputs.tag
+        run: git --no-pager diff --color=always
+
+      # ref: https://github.com/peter-evans/create-pull-request
+      - uses: peter-evans/create-pull-request@v4
+        if: github.event_name != 'pull_request'
+        with:
+          branch: update-image-dependencies
+          labels: dependencies
+          commit-message: Update ${{ matrix.repository }} version from ${{ steps.local.outputs.tag }} to ${{ steps.latest.outputs.tag }}
+          title: Update ${{ matrix.repository }} version from ${{ steps.local.outputs.tag }} to ${{ steps.latest.outputs.tag }}
+          body: >-
+            A new ${{ matrix.repository }} image version has been detected, version
+            `${{ steps.latest.outputs.tag }}`.
+
   refreeze-dockerfile-requirements-txt:
     if: github.repository == '2i2c-org/binderhub-service'
     runs-on: ubuntu-22.04
@@ -38,6 +102,7 @@ jobs:
 
       # ref: https://github.com/peter-evans/create-pull-request
       - uses: peter-evans/create-pull-request@v4
+        if: github.event_name != 'pull_request'
         with:
           branch: update-image-requirements
           labels: dependencies

diff --git a/binderhub-service/templates/_helpers.tpl b/binderhub-service/templates/_helpers.tpl
@@ -2,7 +2,7 @@
   Expand the name of the chart.
 */}}
 {{- define "binderhub-service.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- .Values.nameOverride | default .Chart.Name | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
 {{- /*
@@ -14,7 +14,7 @@
 {{- if .Values.fullnameOverride }}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
 {{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- $name := .Values.nameOverride | default .Chart.Name }}
 {{- if contains $name .Release.Name }}
 {{- .Release.Name | trunc 63 | trimSuffix "-" }}
 {{- else }}

diff --git a/binderhub-service/templates/deployment.yaml b/binderhub-service/templates/deployment.yaml
@@ -9,6 +9,7 @@ spec:
   selector:
     matchLabels:
       {{- include "binderhub-service.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: binderhub
   template:
     metadata:
       annotations:
@@ -18,6 +19,7 @@ spec:
         {{- end }}
       labels:
         {{- include "binderhub-service.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/component: binderhub
     spec:
       volumes:
         - name: secret

diff --git a/binderhub-service/templates/docker-api/daemonset.yaml b/binderhub-service/templates/docker-api/daemonset.yaml
@@ -0,0 +1,68 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ include "binderhub-service.fullname" . }}-docker-api
+  labels:
+    {{- include "binderhub-service.labels" . | nindent 4 }}
+    app.kubernetes.io/component: docker-api
+spec:
+  selector:
+    matchLabels:
+      {{- include "binderhub-service.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: docker-api
+  template:
+    metadata:
+      labels:
+        {{- include "binderhub-service.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/component: docker-api
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- . | toYaml | nindent 8 }}
+      {{- end }}
+    spec:
+      containers:
+        - name: docker-api
+          image: {{ .Values.dockerApi.image.repository }}:{{ .Values.dockerApi.image.tag }}
+          args:
+            - dockerd
+            - --data-root=/var/lib/docker-api
+            - --exec-root=/var/run/docker-api
+            - --host=unix://var/run/docker-api/docker-api.sock
+          volumeMounts:
+            - name: data
+              mountPath: /var/lib/docker-api
+            - name: exec
+              mountPath: /var/run/docker-api
+          resources:
+            {{- .Values.dockerApi.resources | toYaml | nindent 12 }}
+          securityContext:
+            {{- .Values.dockerApi.securityContext | toYaml | nindent 12 }}
+      volumes:
+        - name: data
+          hostPath:
+            path: /var/lib/docker-api
+            type: DirectoryOrCreate
+        - name: exec
+          hostPath:
+            path: /var/run/docker-api
+            type: DirectoryOrCreate
+      {{- with .Values.dockerApi.image.pullSecrets }}
+      imagePullSecrets:
+        {{- . | toYaml | nindent 8 }}
+      {{- end }}
+      {{- with .Values.dockerApi.podSecurityContext }}
+      securityContext:
+        {{- . | toYaml | nindent 8 }}
+      {{- end }}
+      {{- with .Values.dockerApi.nodeSelector }}
+      nodeSelector:
+        {{- . | toYaml | nindent 8 }}
+      {{- end }}
+      {{- with .Values.dockerApi.affinity }}
+      affinity:
+        {{- . | toYaml | nindent 8 }}
+      {{- end }}
+      {{- with .Values.dockerApi.tolerations }}
+      tolerations:
+        {{- . | toYaml | nindent 8 }}
+      {{- end }}
diff --git a/binderhub-service/values.schema.yaml b/binderhub-service/values.schema.yaml
@@ -41,7 +41,6 @@ properties:
   # Deployment resource
   # ---------------------------------------------------------------------------
   #
-
   config:
     type: object
     additionalProperties: false
@@ -58,7 +57,7 @@ properties:
 
   replicas:
     type: integer
-  image:
+  image: &image
     type: object
     additionalProperties: false
     required: [repository, tag]
@@ -71,13 +70,13 @@ properties:
         enum: [null, "", IfNotPresent, Always, Never]
       pullSecrets:
         type: array
-  resources:
+  resources: &resources
     type: object
     additionalProperties: true
-  securityContext:
+  securityContext: &securityContext
     type: object
     additionalProperties: true
-  podSecurityContext:
+  podSecurityContext: &podSecurityContext
     type: object
     additionalProperties: true
   podAnnotations: &labels-and-annotations
@@ -86,14 +85,14 @@ properties:
     patternProperties:
       ".*":
         type: string
-  nodeSelector:
+  nodeSelector: &nodeSelector
     type: object
     additionalProperties: true
-  tolerations:
-    type: array
-  affinity:
+  affinity: &affinity
     type: object
     additionalProperties: true
+  tolerations: &tolerations
+    type: array
 
   # RBAC resources
   # ---------------------------------------------------------------------------
@@ -155,3 +154,20 @@ properties:
       tls:
         type: array
       annotations: *labels-and-annotations
+
+  # DaemonSet resource - docker-api
+  # ---------------------------------------------------------------------------
+  #
+  dockerApi:
+    type: object
+    additionalProperties: false
+    required: [image]
+    properties:
+      image: *image
+      resources: *resources
+      securityContext: *securityContext
+      podSecurityContext: *podSecurityContext
+      podAnnotations: *labels-and-annotations
+      nodeSelector: *nodeSelector
+      affinity: *affinity
+      tolerations: *tolerations
diff --git a/binderhub-service/values.yaml b/binderhub-service/values.yaml
@@ -22,7 +22,8 @@ config:
   BinderHub:
     base_url: /
     use_registry: true
-  KubernetesBuildExecutor: {}
+  KubernetesBuildExecutor:
+    docker_host: /var/run/docker-api/docker-api.sock
 extraConfig: {}
 
 replicas: 1
@@ -31,19 +32,20 @@ image:
   tag: "set-by-chartpress"
   pullPolicy: ""
   pullSecrets: []
+resources: {}
 securityContext:
   capabilities:
     drop:
       - ALL
   readOnlyRootFilesystem: true
   runAsNonRoot: true
   runAsUser: 1000
-resources: {}
-podAnnotations: {}
+
 podSecurityContext: {}
+podAnnotations: {}
 nodeSelector: {}
-tolerations: []
 affinity: {}
+tolerations: []
 
 # RBAC resources
 # -----------------------------------------------------------------------------
@@ -79,3 +81,27 @@ ingress:
         - path: /
           pathType: ImplementationSpecific
   tls: []
+
+# DaemonSet resource - docker-api
+# -----------------------------------------------------------------------------
+#
+# This DaemonSet starts a pod on each node to setup a Docker API that
+# binderhub's spawned build pods can make use of, via a hostPath volume that
+# exposes a unix socket.
+#
+dockerApi:
+  image:
+    repository: docker.io/library/docker
+    tag: "23.0.5-dind" # ref: https://hub.docker.com/_/docker/tags
+    pullPolicy: ""
+    pullSecrets: []
+  resources: {}
+  securityContext:
+    privileged: true
+    runAsUser: 0
+
+  podSecurityContext: {}
+  podAnnotations: {}
+  nodeSelector: {}
+  affinity: {}
+  tolerations: []
diff --git a/tools/templates/lint-and-validate-values.yaml b/tools/templates/lint-and-validate-values.yaml
@@ -37,3 +37,14 @@ service:
 #
 ingress:
   enabled: false
+
+# DaemonSet resource - docker-api
+# -----------------------------------------------------------------------------
+#
+dockerApi:
+  image:
+    repository: docker.io/library/docker
+    tag: "23.0.5-dind"
+  securityContext:
+    privileged: true
+    runAsUser: 0