create cep-checker (#1387)

* create cep-checker Signed-off-by: terashima <[email protected]> --------- Signed-off-by: terashima <[email protected]>
cybozu · Jul 26, 2024 · 1b5fd56 · 1b5fd56
1 parent 2e54537
commit 1b5fd56
Show file tree

Hide file tree

Showing 16 changed files with 1,166 additions and 0 deletions.
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -34,6 +34,9 @@ jobs:
           - dir: "./cephcsi"
             container-image: "cephcsi"
             request-scan: "false"
+          - dir: "./cep-checker"
+            container-image: "cep-checker"
+            make-targets: "test"
           - dir: "./ceph-extra-exporter"
             container-image: "ceph-extra-exporter"
             make-targets: "check-generate test"

diff --git a/cep-checker/.gitignore b/cep-checker/.gitignore
@@ -0,0 +1,2 @@
+cep-checker
+bin
diff --git a/cep-checker/Dockerfile b/cep-checker/Dockerfile
@@ -0,0 +1,11 @@
+FROM ghcr.io/cybozu/golang:1.22-jammy AS build
+COPY . /work/src
+WORKDIR /work/src
+RUN CGO_ENABLED=0 go build -ldflags="-w -s" -o cep-checker
+
+FROM scratch
+LABEL org.opencontainers.image.source="https://github.com/cybozu/neco-containers"
+
+COPY --from=build /work/src/cep-checker /
+EXPOSE 8080/tcp
+ENTRYPOINT ["/cep-checker"]
diff --git a/cep-checker/Makefile b/cep-checker/Makefile
@@ -0,0 +1,16 @@
+
+.PHONEY: build
+build:
+	CGO_ENABLED=0 go build -ldflags="-w -s" -o cep-checker .
+
+.PHONEY: test
+test:
+	$(MAKE) -C e2e setup
+	$(MAKE) -C e2e start
+	$(MAKE) -C e2e install-cilium
+	$(MAKE) -C e2e test
+	$(MAKE) -C e2e stop
+
+.PHONEY: docker-build
+docker-build:
+	docker build -t ghcr.io/cybozu/cep-checker:dev .
diff --git a/cep-checker/README.md b/cep-checker/README.md
@@ -0,0 +1,27 @@
+# cep-checker
+
+cep-checker checks the consistency between Pod and CiliumEndpoint.
+
+## Usage
+
+```
+$ ./cep-checker -h
+cep-checker checks missing Pods or CiliumEndpoints
+
+Usage:
+  cep-checker [flags]
+
+Flags:
+  -h, --help                    help for cep-checker
+  -i, --interval duration       Interval to check missing CEPs or Pods (default 30s)
+  -m, --metrics-server string   Metrics server address and port (default "0.0.0.0:8080")
+  -v, --version                 version for cep-checker
+```
+
+## Metrics
+
+```
+// Gauge
+cep_checker_missing{name="cep name", namespace="namespace", resource="cep"}
+cep_checker_missing{name="pod name", namespace="namespace", resource="pod"}
+```
diff --git a/cep-checker/TAG b/cep-checker/TAG
@@ -0,0 +1 @@
+1.0.0
diff --git a/cep-checker/e2e/Makefile b/cep-checker/e2e/Makefile
@@ -0,0 +1,57 @@
+ARCH ?= amd64
+OS ?= linux
+
+E2ETEST_K8S_VERSION  := 1.28.7
+KIND_VERSION := 0.23.0
+CILIUM_VERSION := 1.14.13
+CILIUM_CLI_VERSION := 0.15.22
+
+PROJECT_DIR := $(CURDIR)/../
+BIN_DIR := $(PROJECT_DIR)/bin
+
+CURL := curl -sSLf
+KUBECTL := $(BIN_DIR)/kubectl
+
+KIND := $(BIN_DIR)/kind
+KIND_CLUSTER_NAME := cep-checker
+KIND_CONFIG := kind.yaml
+
+CILIUM_CLI := $(BIN_DIR)/cilium
+
+.PHONY: setup
+setup: $(KUBECTL) $(KIND) $(CILIUM_CLI)
+
+.PHONY: start
+start:
+	$(KIND) create cluster --name=$(KIND_CLUSTER_NAME) --image=kindest/node:v$(E2ETEST_K8S_VERSION) --config=$(KIND_CONFIG)
+	$(MAKE) -C ../ docker-build
+	$(KIND) load docker-image ghcr.io/cybozu/cep-checker:dev --name=$(KIND_CLUSTER_NAME)
+
+.PHONEY: install-cilium
+install-cilium:
+	$(CILIUM_CLI) install --version $(CILIUM_VERSION) --wait
+
+.PHONY: test
+test:
+	env RUN_E2E=1 \
+		go test -v -race . -ginkgo.v -ginkgo.fail-fast
+
+.PHONY: stop
+stop:
+	$(KIND) delete cluster --name=$(KIND_CLUSTER_NAME)
+	-docker image rm ghcr.io/cybozu/cep-checker:dev
+	-docker image prune -f
+
+$(KIND): $(BIN_DIR)
+	$(CURL) -o $(KIND) https://github.com/kubernetes-sigs/kind/releases/download/v$(KIND_VERSION)/kind-$(OS)-$(ARCH)
+	chmod a+x $(KIND)
+
+$(KUBECTL): $(BIN_DIR)
+	$(CURL) -o $(BIN_DIR)/kubectl https://storage.googleapis.com/kubernetes-release/release/v$(E2ETEST_K8S_VERSION)/bin/$(OS)/$(ARCH)/kubectl && chmod a+x $(BIN_DIR)/kubectl
+
+$(CILIUM_CLI): $(BIN_DIR)
+	$(CURL) https://github.com/cilium/cilium-cli/releases/download/v$(CILIUM_CLI_VERSION)/cilium-linux-amd64.tar.gz | tar -xz -C $(BIN_DIR)
+	chmod a+x $@
+
+$(BIN_DIR):
+	mkdir -p $@
diff --git a/cep-checker/e2e/cep-checker.yaml b/cep-checker/e2e/cep-checker.yaml
@@ -0,0 +1,76 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cep-checker
+  namespace: kube-system 
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: cep-checker 
+  template:
+    metadata:
+      labels:
+        app: cep-checker 
+    spec:
+      containers:
+      - image: ghcr.io/cybozu/cep-checker:dev
+        name: cep-checker
+        ports:
+        - containerPort: 8080
+      serviceAccountName: cep-checker
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: cep-checker-metrics 
+  namespace: kube-system
+spec:
+  type: ClusterIP
+  selector:
+    app: cep-checker
+  ports:
+  - protocol: "TCP"
+    port: 8080
+    targetPort: 8080
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cep-checker
+  namespace: kube-system
+automountServiceAccountToken: true
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cep-checker
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cep-checker
+subjects:
+  - kind: ServiceAccount
+    name: cep-checker
+    namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cep-checker 
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - "cilium.io"
+  resources:
+  - ciliumendpoints
+  verbs:
+  - get
+  - list
diff --git a/cep-checker/e2e/kind.yaml b/cep-checker/e2e/kind.yaml
@@ -0,0 +1,6 @@
+apiVersion: kind.x-k8s.io/v1alpha4
+kind: Cluster
+networking:
+  disableDefaultCNI: true
+nodes:
+  - role: control-plane
diff --git a/cep-checker/e2e/pod.yaml b/cep-checker/e2e/pod.yaml
@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test
+spec:
+  containers:
+  - name: ubuntu
+    image: ghcr.io/cybozu/ubuntu:22.04
+    command: ["/bin/sleep", "3650d"]
+    imagePullPolicy: IfNotPresent
+  securityContext:
+    runAsUser: 1000
+    runAsGroup: 1000
+    sysctls:
+    - name: net.ipv4.ping_group_range
+      value: 0 10000
+  restartPolicy: Always
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: curl
+spec:
+  containers:
+  - name: ubuntu
+    image: ghcr.io/cybozu/ubuntu:22.04
+    command: ["/bin/sleep", "3650d"]
+    imagePullPolicy: IfNotPresent
+  securityContext:
+    runAsUser: 1000
+    runAsGroup: 1000
+    sysctls:
+    - name: net.ipv4.ping_group_range
+      value: 0 10000
+  restartPolicy: Always
diff --git a/cep-checker/e2e/run_test.go b/cep-checker/e2e/run_test.go
@@ -0,0 +1,23 @@
+package e2e
+
+import (
+	"bytes"
+	"fmt"
+	"os/exec"
+)
+
+func kubectl(input []byte, args ...string) ([]byte, error) {
+	stdout := new(bytes.Buffer)
+	stderr := new(bytes.Buffer)
+	cmd := exec.Command("../bin/kubectl", args...)
+	cmd.Stdout = stdout
+	cmd.Stderr = stderr
+	if input != nil {
+		cmd.Stdin = bytes.NewReader(input)
+	}
+	err := cmd.Run()
+	if err == nil {
+		return stdout.Bytes(), nil
+	}
+	return nil, fmt.Errorf("kubectl failed with %s: stderr=%s", err, stderr)
+}