CR-7598 (#180)

elad-codefresh · web-flow · commit 4736b3253560 · 2021-12-16T18:12:05.000+02:00
* initial commit

* constants for reqs and improved validation logic

* removed redundant

* bump

* error msg

* group in store

* resolved pr comments

* bump

* codegen

* rename as kubeutil

* using ... instead of loop
diff --git a/Makefile b/Makefile
@@ -1,4 +1,4 @@
-VERSION=v0.0.167
+VERSION=v0.0.168
 
 OUT_DIR=dist
 YEAR?=$(shell date +"%Y")
diff --git a/cmd/commands/runtime.go b/cmd/commands/runtime.go
@@ -47,6 +47,7 @@ import (
 	argowf "github.com/argoproj/argo-workflows/v3/pkg/apis/workflow"
 
 	"github.com/Masterminds/semver/v3"
+	kubeutil "github.com/codefresh-io/cli-v2/pkg/util/kube"
 	"github.com/ghodss/yaml"
 	"github.com/go-git/go-billy/v5/memfs"
 	billyUtils "github.com/go-git/go-billy/v5/util"
@@ -75,9 +76,8 @@ type (
 		GitIntegrationOpts   *apmodel.AddGitIntegrationArgs
 		KubeFactory          kube.Factory
 		CommonConfig         *runtime.CommonConfig
-
-		versionStr  string
-		kubeContext string
+		versionStr           string
+		kubeContext          string
 	}
 	RuntimeUninstallOptions struct {
 		RuntimeName string
@@ -498,6 +498,11 @@ func preInstallationChecks(ctx context.Context, opts *RuntimeInstallOptions) err
 		return fmt.Errorf("existing runtime check failed: %w", err)
 	}
 
+	err := kubeutil.EnsureClusterRequirements(ctx, opts.KubeFactory, opts.RuntimeName)
+	if err != nil {
+		return fmt.Errorf(fmt.Sprintf("validation of minimum cluster requirements failed: %v ", err))
+	}
+
 	return nil
 }
 
@@ -555,7 +560,7 @@ func checkExistingRuntimes(ctx context.Context, runtime string) error {
 }
 
 func intervalCheckIsRuntimePersisted(ctx context.Context, runtimeName string) error {
-	maxRetries := 180          // up to 30 min
+	maxRetries := 180 // up to 30 min
 	waitMsg := "Waiting for the runtime installation to complete"
 	stop := util.WithSpinner(ctx, waitMsg)
 	ticker := time.NewTicker(time.Second * 10)
@@ -976,10 +981,10 @@ func createWorkflowsIngress(ctx context.Context, cloneOpts *git.CloneOptions, rt
 		Name:      rt.Name + store.Get().WorkflowsIngressName,
 		Namespace: rt.Namespace,
 		Annotations: map[string]string{
-			"ingress.kubernetes.io/protocol": "https",
-			"ingress.kubernetes.io/rewrite-target": "/$2",
+			"ingress.kubernetes.io/protocol":               "https",
+			"ingress.kubernetes.io/rewrite-target":         "/$2",
 			"nginx.ingress.kubernetes.io/backend-protocol": "https",
-			"nginx.ingress.kubernetes.io/rewrite-target": "/$2",
+			"nginx.ingress.kubernetes.io/rewrite-target":   "/$2",
 		},
 		Paths: []ingressutil.IngressPath{
 			{
diff --git a/docs/releases/release_notes.md b/docs/releases/release_notes.md
@@ -1,10 +1,10 @@
 ### Installed Applications:
 
--   Argo CD [v2.1.3](https://github.com/codefresh-io/argo-cd/releases/tag/v2.1.3)
-    -   Argo CD ApplicationSet Controller [v0.2.0](https://github.com/argoproj-labs/applicationset/releases/tag/v0.2.0)
--   Argo Events [v1.4.0](https://github.com/argoproj/argo-events/releases/tag/v1.4.0)
--   Argo Rollouts [v1.1.0](https://github.com/argoproj/argo-rollouts/releases/tag/v1.1.0)
--   Argo Workflows [v3.1.8](https://github.com/argoproj/argo-workflows/releases/tag/v3.1.8)
+- Argo CD [v2.1.3](https://github.com/codefresh-io/argo-cd/releases/tag/v2.1.3)
+  - Argo CD ApplicationSet Controller [v0.2.0](https://github.com/argoproj-labs/applicationset/releases/tag/v0.2.0)
+- Argo Events [v1.4.0](https://github.com/argoproj/argo-events/releases/tag/v1.4.0)
+- Argo Rollouts [v1.1.0](https://github.com/argoproj/argo-rollouts/releases/tag/v1.1.0)
+- Argo Workflows [v3.1.8](https://github.com/argoproj/argo-workflows/releases/tag/v3.1.8)
 
 ### Using brew:
 
@@ -23,7 +23,7 @@ cf version
 
 ```bash
 # download and extract the binary
-curl -L --output - https://github.com/codefresh-io/cli-v2/releases/download/v0.0.167/cf-linux-amd64.tar.gz | tar zx
+curl -L --output - https://github.com/codefresh-io/cli-v2/releases/download/v0.0.168/cf-linux-amd64.tar.gz | tar zx
 
 # move the binary to your $PATH
 mv ./cf-linux-amd64 /usr/local/bin/cf
@@ -36,7 +36,7 @@ cf version
 
 ```bash
 # download and extract the binary
-curl -L --output - https://github.com/codefresh-io/cli-v2/releases/download/v0.0.167/cf-darwin-amd64.tar.gz | tar zx
+curl -L --output - https://github.com/codefresh-io/cli-v2/releases/download/v0.0.168/cf-darwin-amd64.tar.gz | tar zx
 
 # move the binary to your $PATH
 mv ./cf-darwin-amd64 /usr/local/bin/cf
diff --git a/manifests/runtime.yaml b/manifests/runtime.yaml
@@ -5,7 +5,7 @@ metadata:
   namespace: "{{ namespace }}"
 spec:
   defVersion: 1.0.0
-  version: 0.0.167
+  version: 0.0.168
   bootstrapSpecifier: github.com/codefresh-io/cli-v2/manifests/argo-cd
   components:
     - name: events
diff --git a/pkg/store/store.go b/pkg/store/store.go
@@ -111,6 +111,9 @@ type Store struct {
 	GithubAccessTokenSecretKey           string
 	ArgoCD                               string
 	Silent                               bool
+	MinimumMemorySizeRequired            string
+	MinimumCpuRequired                   string
+	MinimumLocalDiskSizeRequired         string
 }
 
 // Get returns the global store
@@ -183,6 +186,8 @@ func init() {
 	s.GithubAccessTokenSecretObjectName = "autopilot-secret"
 	s.GithubAccessTokenSecretKey = "git_token"
 	s.ArgoCD = "argo-cd"
+	s.MinimumMemorySizeRequired = "3000"
+	s.MinimumCpuRequired = "2"
 	initVersion()
 }
 
diff --git a/pkg/util/kube/kube.go b/pkg/util/kube/kube.go
@@ -0,0 +1,204 @@
+// Copyright 2021 The Codefresh Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package kube
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/argoproj-labs/argocd-autopilot/pkg/kube"
+	"github.com/codefresh-io/cli-v2/pkg/store"
+	authv1 "k8s.io/api/authorization/v1"
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+)
+
+type (
+	rbacValidation struct {
+		Namespace string
+		Resource  string
+		Verbs     []string
+		Group     string
+	}
+
+	validationRequest struct {
+		cpu        string
+		memorySize string
+		rbac       []rbacValidation
+	}
+)
+
+func EnsureClusterRequirements(ctx context.Context, kubeFactory kube.Factory, namespace string) error {
+	requirementsValidationErrorMessage := "cluster does not meet minimum requirements"
+	var specificErrorMessages []string
+
+	client, err := kubeFactory.KubernetesClientSet()
+	if err != nil {
+		return fmt.Errorf("cannot create kubernetes clientset: %v ", err)
+	}
+
+	req := validationRequest{
+		rbac: []rbacValidation{
+			{
+				Resource:  "ServiceAccount",
+				Verbs:     []string{"create", "delete"},
+				Namespace: namespace,
+			},
+			{
+				Resource:  "ConfigMap",
+				Verbs:     []string{"create", "update", "delete"},
+				Namespace: namespace,
+			},
+			{
+				Resource:  "Service",
+				Verbs:     []string{"create", "update", "delete"},
+				Namespace: namespace,
+			},
+			{
+				Resource:  "Role",
+				Group:     "rbac.authorization.k8s.io",
+				Verbs:     []string{"create", "update", "delete"},
+				Namespace: namespace,
+			},
+			{
+				Resource:  "RoleBinding",
+				Group:     "rbac.authorization.k8s.io",
+				Verbs:     []string{"create", "update", "delete"},
+				Namespace: namespace,
+			},
+			{
+				Resource:  "persistentvolumeclaims",
+				Verbs:     []string{"create", "update", "delete"},
+				Namespace: namespace,
+			},
+			{
+				Resource:  "pods",
+				Verbs:     []string{"create", "update", "delete"},
+				Namespace: namespace,
+			},
+		},
+		memorySize: store.Get().MinimumMemorySizeRequired,
+		cpu:        store.Get().MinimumCpuRequired,
+	}
+
+	specs := []*authv1.SelfSubjectAccessReview{}
+	for _, rbac := range req.rbac {
+		for _, verb := range rbac.Verbs {
+			attr := &authv1.ResourceAttributes{
+				Resource: rbac.Resource,
+				Verb:     verb,
+				Group:    rbac.Group,
+			}
+			if rbac.Namespace != "" {
+				attr.Namespace = rbac.Namespace
+			}
+			specs = append(specs, &authv1.SelfSubjectAccessReview{
+				Spec: authv1.SelfSubjectAccessReviewSpec{
+					ResourceAttributes: attr,
+				},
+			})
+		}
+	}
+
+	rbacres := testRBAC(ctx, client, specs)
+	if len(rbacres) > 0 {
+		specificErrorMessages = append(specificErrorMessages, rbacres...)
+		return fmt.Errorf("%s: failed testing rbac: %v", requirementsValidationErrorMessage, specificErrorMessages)
+	}
+
+	nodes, err := client.CoreV1().Nodes().List(ctx, metav1.ListOptions{})
+	if err != nil {
+		return fmt.Errorf("%s: failed getting nodes: %v", requirementsValidationErrorMessage, err)
+	}
+
+	if len(nodes.Items) == 0 {
+		return fmt.Errorf("%s: No nodes in cluster", requirementsValidationErrorMessage)
+	}
+
+	atLeastOneMet := false
+	for _, n := range nodes.Items {
+		res := testNode(n, req)
+		if len(res) > 0 {
+			specificErrorMessages = append(specificErrorMessages, res...)
+		} else {
+			atLeastOneMet = true
+		}
+	}
+	if !atLeastOneMet {
+		return fmt.Errorf("%s: %v", requirementsValidationErrorMessage, specificErrorMessages)
+	}
+
+	return nil
+}
+
+func testRBAC(ctx context.Context, client kubernetes.Interface, specs []*authv1.SelfSubjectAccessReview) []string {
+	res := []string{}
+	for _, sar := range specs {
+		resp, err := client.AuthorizationV1().SelfSubjectAccessReviews().Create(ctx, sar, metav1.CreateOptions{})
+		if err != nil {
+			res = append(res, err.Error())
+			continue
+		}
+		if !resp.Status.Allowed {
+			verb := sar.Spec.ResourceAttributes.Verb
+			namespace := sar.Spec.ResourceAttributes.Namespace
+			resource := sar.Spec.ResourceAttributes.Resource
+			group := sar.Spec.ResourceAttributes.Group
+			msg := strings.Builder{}
+			msg.WriteString(fmt.Sprintf("Insufficient permission, %s %s/%s is not allowed", verb, group, resource))
+			if namespace != "" {
+				msg.WriteString(fmt.Sprintf(" on namespace %s", namespace))
+			}
+			res = append(res, msg.String())
+		}
+	}
+	return res
+}
+
+func testNode(n v1.Node, req validationRequest) []string {
+	result := []string{}
+
+	if req.cpu != "" {
+		requiredCPU, err := resource.ParseQuantity(req.cpu)
+		if err != nil {
+			result = append(result, err.Error())
+			return result
+		}
+		cpu := n.Status.Capacity.Cpu()
+
+		if cpu != nil && cpu.Cmp(requiredCPU) == -1 {
+			msg := fmt.Sprintf("Insufficiant CPU on node %s, current: %s - required: %s", n.GetObjectMeta().GetName(), cpu.String(), requiredCPU.String())
+			result = append(result, msg)
+		}
+	}
+
+	if req.memorySize != "" {
+		requiredMemory, err := resource.ParseQuantity(req.memorySize)
+		if err != nil {
+			result = append(result, err.Error())
+			return result
+		}
+		memory := n.Status.Capacity.Memory()
+		if memory != nil && memory.Cmp(requiredMemory) == -1 {
+			msg := fmt.Sprintf("Insufficiant Memory on node %s, current: %s - required: %s", n.GetObjectMeta().GetName(), memory.String(), requiredMemory.String())
+			result = append(result, msg)
+		}
+	}
+
+	return result
+}

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-VERSION=v0.0.167`
	`1`	`+VERSION=v0.0.168`
`2`	`2`
`3`	`3`	`OUT_DIR=dist`
`4`	`4`	`YEAR?=$(shell date +"%Y")`