From 6876643e74416c495e72ad372410b6348fcb58b8 Mon Sep 17 00:00:00 2001 From: Dejan Zele Pejchev Date: Fri, 12 Jul 2024 06:58:27 +0200 Subject: [PATCH] testkube: add support for defining image credentials cache ttl --- charts/testkube-api/README.md | 99 +++++++++++++++++-- charts/testkube-api/templates/deployment.yaml | 2 + charts/testkube-api/values.yaml | 2 + charts/testkube/README.md | 11 ++- charts/testkube/values.yaml | 6 +- 5 files changed, 104 insertions(+), 16 deletions(-) diff --git a/charts/testkube-api/README.md b/charts/testkube-api/README.md index 29f180819..1aadf9383 100644 --- a/charts/testkube-api/README.md +++ b/charts/testkube-api/README.md @@ -1,6 +1,6 @@ # testkube-api -![Version: 1.15.2](https://img.shields.io/badge/Version-1.15.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.15.2](https://img.shields.io/badge/AppVersion-1.15.2-informational?style=flat-square) +![Version: 2.0.10](https://img.shields.io/badge/Version-2.0.10-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.0.10](https://img.shields.io/badge/AppVersion-2.0.10-informational?style=flat-square) A Helm chart for Testkube api @@ -14,7 +14,11 @@ A Helm chart for Testkube api | Key | Type | Default | Description | |-----|------|---------|-------------| +| additionalJobVolumeMounts | list | `[]` | | +| additionalJobVolumes | list | `[]` | | | additionalNamespaces | list | `[]` | | +| additionalVolumeMounts | list | `[]` | | +| additionalVolumes | list | `[]` | | | affinity | object | `{}` | | | analyticsEnabled | bool | `true` | | | autoscaling.annotations | object | `{}` | | 
@@ -44,43 +48,82 @@ A Helm chart for Testkube api | cloud.key | string | `""` | | | cloud.migrate | string | `""` | | | cloud.orgId | string | `""` | | -| cloud.url | string | `"agent.testkube.io:443"` | | +| cloud.tls.certificate.caFile | string | `"/tmp/agent-cert/ca.crt"` | | +| cloud.tls.certificate.certFile | string | `"/tmp/agent-cert/cert.crt"` | | +| cloud.tls.certificate.keyFile | string | `"/tmp/agent-cert/cert.key"` | | +| cloud.tls.certificate.secretRef | string | `""` | | +| cloud.tls.customCaDirPath | string | `""` | Specifies the path to the directory (skip the trailing slash) where CA certificates should be mounted. The mounted file should container a PEM encoded CA certificate. | +| cloud.tls.customCaSecretRef | string | `""` | | +| cloud.tls.enabled | bool | `true` | | +| cloud.tls.skipVerify | bool | `false` | | | cloud.uiUrl | string | `""` | | +| cloud.url | string | `"agent.testkube.io:443"` | | | clusterName | string | `""` | | | configValues | string | `""` | | +| containerResources | object | `{}` | | | dashboardUri | string | `""` | | -| dnsPolicy | string | `""` | | +| defaultStorageClassName | string | `""` | Whether to generate RBAC for test job or use manually provided generateTestJobRBAC: true # default storage class name for PVC volumes | | disableMongoMigrations | bool | `false` | | | disableSecretCreation | bool | `false` | | +| dnsPolicy | string | `""` | | | enableK8sEvents | bool | `true` | | | enableSecretsEndpoint | bool | `false` | | -| executionNamespaces | list | `[]` | | +| enabledExecutors | string | `nil` | | +| executionNamespaces | string | `nil` | | | executors | string | `""` | | -| extraEnvVars | object | `{}` | | +| extraEnvVars | list | `[]` | | | fullnameOverride | string | `""` | | +| global.affinity | object | `{}` | | | global.annotations | object | `{}` | | +| global.features.logsV2 | bool | `false` | | +| global.features.whitelistedContainers | string | `"init,logs,scraper"` | | | global.imagePullSecrets | 
list | `[]` | | | global.imageRegistry | string | `""` | | | global.labels | object | `{}` | | +| global.nodeSelector | object | `{}` | | +| global.testWorkflows.createOfficialTemplates | bool | `true` | | +| global.testWorkflows.createServiceAccountTemplates | bool | `true` | | +| global.testWorkflows.globalTemplate.enabled | bool | `false` | | +| global.testWorkflows.globalTemplate.name | string | `"global-template"` | | +| global.testWorkflows.globalTemplate.spec | object | `{}` | | +| global.tls.caCertPath | string | `""` | | +| global.tolerations | list | `[]` | | +| global.volumes.additionalVolumeMounts | list | `[]` | | +| global.volumes.additionalVolumes | list | `[]` | | | hostNetwork | string | `""` | | | httpReadBufferSize | int | `8192` | | | image.digest | string | `""` | | | image.pullPolicy | string | `"IfNotPresent"` | | -| image.pullSecret | list | `[]` | | +| image.pullSecrets | list | `[]` | | | image.registry | string | `"docker.io"` | | | image.repository | string | `"kubeshop/testkube-api-server"` | | -| enabledExecutors | object | `{}` | | +| imageInspectionCache.enabled | bool | `true` | | +| imageInspectionCache.name | string | `"testkube-image-cache"` | | +| imageInspectionCache.ttl | string | `"30m"` | | +| imageTwInit.digest | string | `""` | | +| imageTwInit.registry | string | `"docker.io"` | | +| imageTwInit.repository | string | `"kubeshop/testkube-tw-init"` | | +| imageTwToolkit.digest | string | `""` | | +| imageTwToolkit.registry | string | `"docker.io"` | | +| imageTwToolkit.repository | string | `"kubeshop/testkube-tw-toolkit"` | | +| initContainerResources | object | `{}` | | +| jobAnnotations | object | `{}` | | | jobContainerTemplate | string | `""` | | +| jobPodAnnotations | object | `{}` | | | jobScraperTemplate | string | `""` | | | jobServiceAccountName | string | `""` | | | kubeVersion | string | `""` | | | livenessProbe.initialDelaySeconds | int | `30` | | | logs.bucket | string | `"testkube-logs"` | | | logs.storage | 
string | `"minio"` | | +| logsServiceAccount.annotations | object | `{}` | | +| logsServiceAccount.create | bool | `true` | | +| logsServiceAccount.name | string | `""` | | +| logsV2ContainerResources | object | `{}` | | | minio.accessModes[0] | string | `"ReadWriteOnce"` | | | minio.affinity | object | `{}` | | | minio.enabled | bool | `true` | | -| minio.extraEnvVars | object | `{}` | | +| minio.extraEnvVars | list | `[]` | | | minio.extraVolumeMounts | list | `[]` | | | minio.extraVolumes | list | `[]` | | | minio.image.pullPolicy | string | `"IfNotPresent"` | | @@ -106,13 +149,27 @@ A Helm chart for Testkube api | minio.secretUserName | string | `""` | | | minio.securityContext | object | `{}` | | | minio.serviceAccountName | string | `""` | | +| minio.serviceMonitor.enabled | bool | `false` | | +| minio.serviceMonitor.interval | string | `"15s"` | | +| minio.serviceMonitor.labels | object | `{}` | | +| minio.serviceMonitor.matchLabels | list | `[]` | | | minio.storage | string | `"10Gi"` | | | minio.tolerations | list | `[]` | | | mongodb.allowDiskUse | bool | `true` | | | mongodb.dsn | string | `"mongodb://testkube-mongodb:27017"` | | | multinamespace.enabled | bool | `false` | | | nameOverride | string | `""` | | +| nats.embedded | bool | `false` | | | nats.enabled | bool | `true` | | +| nats.tls.certSecret.baseMountPath | string | `"/etc/client-certs/nats"` | | +| nats.tls.certSecret.caFile | string | `"ca.crt"` | | +| nats.tls.certSecret.certFile | string | `"cert.crt"` | | +| nats.tls.certSecret.enabled | bool | `false` | | +| nats.tls.certSecret.keyFile | string | `"cert.key"` | | +| nats.tls.certSecret.name | string | `"nats-client-cert"` | | +| nats.tls.enabled | bool | `false` | | +| nats.tls.mountCACertificate | bool | `false` | | +| nats.tls.skipVerify | bool | `false` | | | nodeSelector | object | `{}` | | | podAnnotations | object | `{}` | | | podLabels | object | `{}` | | 
@@ -126,6 +183,7 @@ A Helm chart for Testkube api | readinessProbe.initialDelaySeconds | int | `45` | | | replicaCount | int | `1` | | | resources | object | `{}` | | +| scraperContainerResources | object | `{}` | | | securityContext | object | `{}` | | | service.annotations | object | `{}` | | | service.labels | object | `{}` | | 
@@ -141,33 +199,56 @@ A Helm chart for Testkube api | storage.accessKey | string | `""` | | | storage.accessKeyId | string | `""` | | | storage.bucket | string | `"testkube-artifacts"` | | +| storage.certSecret.baseMountPath | string | `"/etc/client-certs/storage"` | | +| storage.certSecret.caFile | string | `"ca.crt"` | | +| storage.certSecret.certFile | string | `"cert.crt"` | | +| storage.certSecret.enabled | bool | `false` | | +| storage.certSecret.keyFile | string | `"cert.key"` | | +| storage.certSecret.name | string | `"nats-client-cert"` | | | storage.compressArtifacts | bool | `true` | | | storage.endpoint | string | `""` | | | storage.endpoint_port | string | `"9000"` | | | storage.expiration | int | `0` | | +| storage.mountCACertificate | bool | `false` | | | storage.region | string | `""` | | | storage.scrapperEnabled | bool | `true` | | | storage.secretKeyAccessKeyId | string | `""` | | | storage.secretKeySecretAccessKey | string | `""` | | | storage.secretNameAccessKeyId | string | `""` | | | storage.secretNameSecretAccessKey | string | `""` | | +| storage.skipVerify | bool | `false` | | | storage.token | string | `""` | | +| storageRequest | string | `"1Gi"` | | | templates.job | string | `""` | | | templates.jobContainer | string | `""` | | | templates.pvcContainer | string | `""` | | | templates.scraperContainer | string | `""` | | | templates.slavePod | string | `""` | | +| testConnection.affinity | object | `{}` | | | testConnection.enabled | bool | `false` | | +| testConnection.nodeSelector | object | `{}` | | +| testConnection.tolerations | list | `[]` | | | testServiceAccount.annotations | object | `{}` | | | testServiceAccount.create | bool | `true` | | +| testkubeLogs.grpcAddress | string | `"testkube-logs:9090"` | GRPC address | +| testkubeLogs.tls.certSecret.baseMountPath | string | `"/etc/client-certs/grpc"` | Base path to mount the client certificate secret | +| testkubeLogs.tls.certSecret.caFile | string | `"ca.crt"` | Path to ca file 
(used for self-signed certificates) | +| testkubeLogs.tls.certSecret.certFile | string | `"cert.crt"` | Path to client certificate file | +| testkubeLogs.tls.certSecret.enabled | bool | `false` | Toggle whether to mount k8s secret which contains GRPC client certificate (cert.crt, cert.key, ca.crt) | +| testkubeLogs.tls.certSecret.keyFile | string | `"cert.key"` | Path to client certificate key file | +| testkubeLogs.tls.certSecret.name | string | `"grpc-client-cert"` | Name of the grpc client certificate secret | +| testkubeLogs.tls.enabled | bool | `false` | Toggle whether to enable TLS in GRPC client | +| testkubeLogs.tls.mountCACertificate | bool | `false` | If enabled, will also require a CA certificate to be provided | +| testkubeLogs.tls.skipVerify | bool | `false` | Toggle whether to verify certificates | | tolerations | list | `[]` | | | uiIngress.annotations | object | `{}` | | | uiIngress.enabled | bool | `false` | | | uiIngress.hosts | list | `[]` | | | uiIngress.labels | object | `{}` | | | uiIngress.path | string | `"/results/(v\\d/executions.*)"` | | +| uiIngress.pathType | string | `"Prefix"` | | | uiIngress.tls | list | `[]` | | | uiIngress.tlsenabled | bool | `false` | | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.11.2](https://github.com/norwoodj/helm-docs/releases/v1.11.2) +Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) diff --git a/charts/testkube-api/templates/deployment.yaml b/charts/testkube-api/templates/deployment.yaml index 9ba0b3f39..9a78fbf35 100644 --- a/charts/testkube-api/templates/deployment.yaml +++ b/charts/testkube-api/templates/deployment.yaml 
@@ -215,6 +215,8 @@ spec:
 {{- end }}
 - name: WHITELISTED_CONTAINERS
 value: "{{ .Values.global.features.whitelistedContainers }}"
+ - name: TESTKUBE_IMAGE_CREDENTIALS_CACHE_TTL
+ value: "{{ .Values.imageInspectionCache.ttl }}"
 image: {{ include "testkube-api.image" . }}
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 ports:
diff --git a/charts/testkube-api/values.yaml b/charts/testkube-api/values.yaml
index d52de5eac..7788ddc64 100644
--- a/charts/testkube-api/values.yaml
+++ b/charts/testkube-api/values.yaml
@@ -175,6 +175,8 @@ imageInspectionCache:
 enabled: true
 ## ConfigMap name to persist cache
 name: "testkube-image-cache"
+ ## TTL for image pull secrets cache (set to 0 to disable)
+ ttl: 30m
 ## Multinamespace feature. Disabled by default
 multinamespace:
diff --git a/charts/testkube/README.md b/charts/testkube/README.md
index af3de2af8..4e399386c 100644
--- a/charts/testkube/README.md
+++ b/charts/testkube/README.md
@@ -2,7 +2,7 @@ Testkube is an open-source platform that simplifies the deployment and management of automated testing infrastructure. -![Version: 2.0.13](https://img.shields.io/badge/Version-2.0.13-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 2.0.17](https://img.shields.io/badge/Version-2.0.17-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ## Install
@@ -136,7 +136,7 @@ kubectl label --overwrite crds scripts.tests.testkube.io app.kubernetes.io/manag | Repository | Name | Version | |------------|------|---------| | file://../global | global | 0.1.2 | -| file://../testkube-api | testkube-api | 2.0.8 | +| file://../testkube-api | testkube-api | 2.0.10 | | file://../testkube-logs | testkube-logs | 0.2.0 | | file://../testkube-operator | testkube-operator | 2.0.0 | | https://charts.bitnami.com/bitnami | mongodb | 13.10.1 |
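Review bot: In charts/testkube-api/templates/deployment.yaml the new `TESTKUBE_IMAGE_CREDENTIALS_CACHE_TTL` entry is rendered unconditionally and with no fallback, so a release whose values lack `imageInspectionCache.ttl` (for example an upgrade that reuses values stored before this chart version) would get `value: ""`; how the API server treats an empty TTL is not visible in this patch. Consider wrapping the two added lines in `{{- if not (kindIs "invalid" .Values.imageInspectionCache.ttl) }}` … `{{- end }}` so the variable is simply omitted when unset. A plain `default "30m"` would not be a safe substitute, because it would also replace the documented `0` that disables the cache. The variable is emitted whatever `imageInspectionCache.enabled` is set to, which may be intended but deserves a one-line template comment; the env list itself starts and ends outside the hunk.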
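Review bot: The comment added above `ttl` in charts/testkube-api/values.yaml does not tell an operator what the TTL costs them: with the default `30m`, a rotated or revoked image pull secret may presumably keep being served from the cache until the entry expires (the cache implementation is not part of this patch). The key also sits under `imageInspectionCache`, next to the ConfigMap `name`, without saying whether cached credentials stay in memory or are persisted with the inspection cache, or whether `enabled: false` affects them. I would reword it to `## TTL for cached image pull secrets, as a duration such as 30m; 0 disables credential caching. Lower it if registry credentials are rotated or revoked often.` and add one line stating where the credential cache is held. The same applies to the `# -- TTL for image pull secrets cache` comment in the charts/testkube/values.yaml hunk.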
@@ -256,8 +256,9 @@ kubectl label --overwrite crds scripts.tests.testkube.io app.kubernetes.io/manag | testkube-api.image.pullSecrets | list | `[]` | Testkube API k8s secret for private registries | | testkube-api.image.registry | string | `"docker.io"` | Testkube API image registry | | testkube-api.image.repository | string | `"kubeshop/testkube-api-server"` | Testkube API image name | -| testkube-api.imageInspectionCache.enabled | bool | `true` | | -| testkube-api.imageInspectionCache.name | string | `"testkube-image-cache"` | | +| testkube-api.imageInspectionCache.enabled | bool | `true` | Status of the persistent cache | +| testkube-api.imageInspectionCache.name | string | `"testkube-image-cache"` | ConfigMap name to persist cache | +| testkube-api.imageInspectionCache.ttl | string | `"30m"` | TTL for image pull secrets cache (set to 0 to disable) | | testkube-api.imageTwInit.digest | string | `""` | Test Workflows image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | | testkube-api.imageTwInit.pullSecrets | list | `[]` | Test Workflows image k8s secret for private registries | | testkube-api.imageTwInit.registry | string | `"docker.io"` | Test Workflows image registry | 
@@ -408,7 +409,7 @@ kubectl label --overwrite crds scripts.tests.testkube.io app.kubernetes.io/manag | testkube-logs.storage.secretKeySecretAccessKey | string | `""` | Key for storage secretAccessKeyId taken from k8s secret | | testkube-logs.storage.secretNameAccessKeyId | string | `""` | k8s Secret name for storage accessKeyId | | testkube-logs.storage.secretNameSecretAccessKey | string | `""` | K8s Secret Name for storage secretAccessKeyId | -| testkube-logs.storage.skipVerify | bool | `true` | Toggle whether to verify TLS certificates | +| testkube-logs.storage.skipVerify | bool | `false` | Toggle whether to verify TLS certificates | | testkube-logs.storage.token | string | `""` | MinIO Token | | testkube-logs.testConnection | object | `{"enabled":false}` | Test Connection pod | | testkube-logs.tls.certSecret.baseMountPath | string | `"/etc/server-certs/grpc"` | Base path to mount the server certificate secret |
diff --git a/charts/testkube/values.yaml b/charts/testkube/values.yaml
index dcac97dd7..6a14897bf 100644
--- a/charts/testkube/values.yaml
+++ b/charts/testkube/values.yaml
@@ -522,10 +522,12 @@ testkube-api:
 ## Persistent cache for Docker
 imageInspectionCache:
- ## Status of the persistent cache
+ # -- Status of the persistent cache
 enabled: true
- ## ConfigMap name to persist cache
+ # -- ConfigMap name to persist cache
 name: "testkube-image-cache"
+ # -- TTL for image pull secrets cache (set to 0 to disable)
+ ttl: 30m
 # ref: https://cloud.google.com/kubernetes-engine/docs/how-to/prepare-arm-workloads-for-deployment#node-affinity-multi-arch-arm
 # -- Tolerations to schedule a workload to nodes with any architecture type. Required for deployment to GKE cluster.