From Fedora Project Wiki

(koji operator proposal)
 
No edit summary
 
(2 intermediate revisions by the same user not shown)
Line 17: Line 17:
The operator needs to manage several components such as koji-hub, kojira and also koji internal data (koji tags, usernames, certificates, users, etc) which proved to be complex enough to require its own operator.
The operator needs to manage several components such as koji-hub, kojira and also koji internal data (koji tags, usernames, certificates, users, etc) which proved to be complex enough to require its own operator.


A dedicated operator for koji means it can be used in a standalone fashion and other operators such as MBBOX can just depend on this operator instead of managing koji on its own (such dependency can be managed by operator-hub).
A dedicated operator for Koji means it can be used in a standalone fashion and other operators such as MBBOX can just depend on this operator instead of managing koji on its own (such dependency can be managed by operator-hub).
 
Koji builders will use mock in "simple mode" and will run one task at a time only, auto scaling the amount of builders can be implemented in the future.


== Proposal ==
== Proposal ==
Line 29: Line 31:
The Koji operator will be responsible for deploying, configuring and  managing koji services.
The Koji operator will be responsible for deploying, configuring and  managing koji services.


There are several operator types (operator foundations if you will) at the time of this writing: go, helm and ansible - the proposal is to stick with the ansible operator to leverage koji integration code which is written in python - the operator could also take advantadge of using an existing set of upstream koji ansible modules: https://github.com/ktdreyer/koji-ansible.
There are several operator types (operator foundations if you will) at the time of this writing: go, helm and ansible - the proposal is to do it using the go operator since the operator will also schedule task pods and this action alone may require intense testing which can be limited if using the ansible one (There is also a matter of performance where GO is unbeatable if compared to other operator types).


While go operators are usually faster and more fexlible, migrating to the go operator would imply writing all koji RPC integrations from scratch.
While go operators are usually faster and more fexlible, migrating to the go operator would imply writing all koji RPC integrations from scratch.


The operator won't abstract koji tags creation from a kubernetes CR since those can exponencially increase in number but the operator will enable an "admin sidecar container" instead for sysadmins to run  koji admin commands (such as tag managament).
The operator won't abstract koji tags creation from a kubernetes CR since those can exponentially increase in number but the operator will enable an "admin sidecar container" instead for sysadmins to run  koji admin commands (such as tag management).
 
The operator also won't deploy Koji Builders (aka kojid) but will implement its own task scheduler instead - tasks will be executed in kubernetes pods.


==== Dependencies ====
==== Dependencies ====
Line 40: Line 44:


* PostgreSQL
* PostgreSQL
* RabbitMQ (if running your own "fedora messaging" instance)
* RabbitMQ (optional, only needed if fedora-messaging is enabled)


Secrets for both components should be provied in the same namespace koji is being deployed:
Secrets for both components should be provided in the same namespace Koji is being deployed:


NOTE: those values were chosen for example purposes.
NOTE: those values were chosen for example purposes.
Line 72: Line 76:
==== Resources ====
==== Resources ====


This section describes all kubernetes resources that will be managed by the operator.
This section describes all Kubernetes resources that will be managed by the operator.


Most of those components are custom resources definitions which are implemented by the operator itself but there are a few common kubernetes resources (such as secrets and configmaps) that will also be watched by the operator.
Most of those components are custom resources definitions which are implemented by the operator itself but there are a few common kubernetes resources (such as secrets and configmaps) that will also be watched by the operator.
Line 89: Line 93:


   apiVersion: apps.fedoraproject.org/v1alpha1
   apiVersion: apps.fedoraproject.org/v1alpha1
   kind: MBKojiHub
   kind: KojiHub
   metadata:
   metadata:
     name: mb-koji-hub
     name: hub
   spec:
   spec:
     image: quay.io/fedora/koji-hub:latest
     image: quay.io/fedora/koji-hub:latest
Line 142: Line 146:


   apiVersion: apps.fedoraproject.org/v1alpha1
   apiVersion: apps.fedoraproject.org/v1alpha1
   kind: MBKojira
   kind: Kojira
   metadata:
   metadata:
     name: kojira
     name: kojira
Line 148: Line 152:
     image: quay.io/fedora/kojira:latest
     image: quay.io/fedora/kojira:latest
     configmap: kojira-config
     configmap: kojira-config
    hub_username: kojira
     hub_host: koji-hub:8443
     hub_host: koji-hub:8443
     src: 'no'
     src: 'no'
     max_repo_tasks: 15
     authentication:
    repo_tasks_limit: 15
      ssl:
    cacert_secret: koji-hub-ca-cert
        cacert_secret: koji-hub-ca-cert
    client_cert_secret: kojira-client-cert
        client_cert_secret: kojira-client-cert
    shared_pvc: koji-hub-mnt-pvc


===== Koji Builder =====
===== Koji Builder =====


A Koji Builder (aka Koji Host) is the component which checks for new tasks in koji that are available in the pool awaiting for a builder to execute them.
Builders will run one task at a time using mock in "simple mode" due to mock limitations in kubernetes.
 
A koji builder user and host will be created and the resource name (metadata.name) will be used ad username.


Each builder supports at least one arhcitecture (x86_64, i386, etc) and can be added to channels for task context purposes.
It won't have access to the koji volume at all.


Resource proposal:
Resource proposal:
Line 171: Line 175:
   spec:
   spec:
     image: quay.io/fedora/koji-builder:latest
     image: quay.io/fedora/koji-builder:latest
     replicas: 1
     hub_host: koji-hub:8443
     configmap: koji-builder-configmap
     authentication:
    cacert_secret: koji-hub-ca-cert
      ssl:
    client_cert_secret: koji-builder-client-cert
        cacert_secret: koji-hub-ca-cert
    koji_hub_user: 'koji-builder.mbox.dev'
        client_cert_secret: koji-builder-default-client-cert
    koji_hub_url: 'https://koji-hub:8443'
 
    max_jobs: 5
    vendor: MBox
    host_archs: [x86_64]
    channels:[default, createrepo]
    host_name: koji-hub:8443
    ssl_verify: false
    shared_pvc: koji-hub-mnt-pvc


===== Koji User =====
===== Koji User =====

Latest revision as of 13:15, 15 June 2021

Koji Operator Proposal

STATE: DRAFT

Abstract

A proposal for decoupling koji from the MBBOX operator and manage it in its own independent operator.

Authors

Leonardo Rossetti

Motivation

Koji is currently being handled/deployed in the MBBOX operator together with other components such as MBS.

The operator needs to manage several components such as koji-hub, kojira and also koji internal data (koji tags, usernames, certificates, users, etc) which proved to be complex enough to require its own operator.

A dedicated operator for Koji means it can be used in a standalone fashion and other operators such as MBBOX can just depend on this operator instead of managing koji on its own (such dependency can be managed by operator-hub).

Koji builders will use mock in "simple mode" and will run one task at a time only, auto scaling the amount of builders can be implemented in the future.

Proposal

The proposal is about moving koji to its own operator, repository, container images, etc.

The MBBOX operator should just create Koji custom resources and check for its status readiness.

Operator

The Koji operator will be responsible for deploying, configuring and managing koji services.

There are several operator types (operator foundations if you will) at the time of this writing: go, helm and ansible - the proposal is to do it using the go operator since the operator will also schedule task pods and this action alone may require intense testing which can be limited if using the ansible one (There is also a matter of performance where GO is unbeatable if compared to other operator types).

While go operators are usually faster and more fexlible, migrating to the go operator would imply writing all koji RPC integrations from scratch.

The operator won't abstract koji tags creation from a kubernetes CR since those can exponentially increase in number but the operator will enable an "admin sidecar container" instead for sysadmins to run koji admin commands (such as tag management).

The operator also won't deploy Koji Builders (aka kojid) but will implement its own task scheduler instead - tasks will be executed in kubernetes pods.

Dependencies

Koji depends on some components/services which will not be handled by the operator but are considered operator dependencies:

  • PostgreSQL
  • RabbitMQ (optional, only needed if fedora-messaging is enabled)

Secrets for both components should be provided in the same namespace Koji is being deployed:

NOTE: those values were chosen for example purposes.

 #psql secret
 apiVersion: v1
 kind: Secret
 metadata:
   name: postgres
   labels:
     app: postgres
 data:
   POSTGRES_HOST: postgresql
   POSTGRES_DB: mboxdb
   POSTGRES_USER: koji
   POSTGRES_PASSWORD: mbox
 #rabbit mq secret
 apiVersion: v1
 kind: Secret
   metadata:
     name: koji-fedora-messaging-cert
   data:
     ca_cert.pem: my_ca_cert_content
     client_cert.pem: my_client_cert_content
     client_key.pem: my_client_key_content


Resources

This section describes all Kubernetes resources that will be managed by the operator.

Most of those components are custom resources definitions which are implemented by the operator itself but there are a few common kubernetes resources (such as secrets and configmaps) that will also be watched by the operator.

The operator should re-run its reconcyle loop every N seconds to ensure both deployed components and koji data are in the epected state - this is automatically done by the operator reconcyle loop.

Koji Hub

Resource responsible for defining the koji-hub server config.

The operator should create an "admin" sidecar container If sidecar is set to true so sysadmins can run koji admin commands from that container.

The sidecar property should be optional and default to false.

Resource Proposal:

 apiVersion: apps.fedoraproject.org/v1alpha1
 kind: KojiHub
 metadata:
   name: hub
 spec:
   image: quay.io/fedora/koji-hub:latest
   replicas: 1
   persistent: true
   host: koji.mbox.dev # change it to match the external web url/route of koji-hub
   configmap: koji-hub
   ca_cert_secret: koji-hub-ca-cert
   service_cert_secret: koji-hub-service-cert
   postgres_secret: postgres
   http_enabled: true
   https_enabled: true
   topic_prefix: mbox_dev
   fedora_messaging_url: amqps://koji:something@rabbitmq
   messaging_cert_cm: koji-hub-msg
   ingress_backend: nginx # default
   # ingress_backend: openshift
   httpd_pvc_name: koji-hub-httpd-pvc
   httpd_pvc_size: 1Gi
   mnt_pvc_name: koji-hub-mnt-pvc
   mnt_pvc_size: 10Gi
   sidecar: true
Koji Web

Koji web is the frontend web appliction of koji to list builds, tasks, etc.

Resource Proposal:

 apiVersion: apps.fedoraproject.org/v1alpha1
 kind: KojiWeb
 metadata:
   name: koji-web
 spec:
     image: quay.io/fedora/koji-hub:latest
     replicas: 1
     client_cert_secret: koji-hub-web-client-cert
     client_username: kojiweb
     hub_host: koji_hub:8443
     cacert_secret: koji-hub-ca-cert
     client_cert_secret: koji-web-client-cert
Kojira

Kojira is a koji daemon responsible for generating build roots, repos and etc. It is a core backend component for koji.

Only one instance of kojira should be allowed per "koji deployment"/namespace.

Resource proposal:

 apiVersion: apps.fedoraproject.org/v1alpha1
 kind: Kojira
 metadata:
   name: kojira
 spec:
   image: quay.io/fedora/kojira:latest
   configmap: kojira-config
   hub_host: koji-hub:8443
   src: 'no'
   authentication:
     ssl:
       cacert_secret: koji-hub-ca-cert
       client_cert_secret: kojira-client-cert
Koji Builder

Builders will run one task at a time using mock in "simple mode" due to mock limitations in kubernetes.

A koji builder user and host will be created and the resource name (metadata.name) will be used ad username.

It won't have access to the koji volume at all.

Resource proposal:

 apiVersion: apps.fedoraproject.org/v1alpha1
 kind: KojiBuilder
 metadata:
   name: default
 spec:
   image: quay.io/fedora/koji-builder:latest
   hub_host: koji-hub:8443
   authentication:
     ssl:
       cacert_secret: koji-hub-ca-cert
       client_cert_secret: koji-builder-default-client-cert


Koji User

Creating a KojiUser custom resource would make the operator create an user in koji and keeping it synchronized with the CR config (such as user perms) and even recreate the user if it gets deleted.

Resource Proposal:

 apiVersion: apps.fedoraproject.org/v1alpha1
 kind: KojiUser
 metadata:
   name: kojira
   labels:
     app: koji
 spec:
   permissions:
     - repo
   authentication:
     ssl: #may support others, such as krb and even multiple authentication mechanisms
       client_secret_name: kojira-cert
       ca_secret_name: ca-cert

The username field will use the value of metadata.name.

KubeCtl Plugin

A koji kubectl plugin which runs koji commands in the admin sidecar pod as a koji admin.

This plugin enables syadmins to manage koji using kubectl.

The plugin should check if the sidecar container is present otherwise fail describing the steps to set a sidecar container for koji-hub.

Kubectl plugins development are very straightforward and well documented: https://kubernetes.io/docs/tasks/extend-kubectl/kubectl-plugins/

Example:

 kubectl koji grant-permission repo kojira


Copyright

This document has been placed in the public domain.