cerc-io
/
stack-orchestrator
mirror of https://github.com/cerc-io/stack-orchestrator
1
0
Fork 0
Code Issues Actions Packages Projects Releases Wiki Activity
stack-orchestrator/stack_orchestrator/deploy/k8s/helpers.py

644 lines
23 KiB
Python
Raw Normal View History

k8s deploy (#614)
2023-10-27 16:19:44 +00:00
# Copyright © 2023 Vulcanize
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http:#www.gnu.org/licenses/>.
Support non-tls ingress for kind (#748) Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/748 Co-authored-by: David Boreham <david@bozemanpass.com> Co-committed-by: David Boreham <david@bozemanpass.com>
2024-02-17 01:54:30 +00:00
from kubernetes import client, utils, watch
kind test stack (#629)
2023-11-08 08:11:00 +00:00
import os
Add generated kind config (#623)
2023-11-06 06:21:53 +00:00
from pathlib import Path
k8s deploy (#614)
2023-10-27 16:19:44 +00:00
import subprocess
Process environment variables defined in compose files (#736) Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/736 Co-authored-by: David Boreham <david@bozemanpass.com> Co-committed-by: David Boreham <david@bozemanpass.com>
2024-02-08 19:41:57 +00:00
import re
Fix pyright type errors across codebase - Add pyrightconfig.json for pyright 1.1.408 TOML parsing workaround - Add NoReturn annotations to fatal() functions for proper type narrowing - Add None checks and assertions after require=True get_record() calls - Fix AttrDict class with __getattr__ for dynamic attribute access - Add type annotations and casts for Kubernetes client objects - Store compose config as DockerDeployer instance attributes - Filter None values from dotenv and environment mappings - Use hasattr/getattr patterns for optional container attributes Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 06:10:36 +00:00
from typing import Set, Mapping, List, Optional, cast
k8s deploy (#614)
2023-10-27 16:19:44 +00:00
Support non-tls ingress for kind (#748) Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/748 Co-authored-by: David Boreham <david@bozemanpass.com> Co-committed-by: David Boreham <david@bozemanpass.com>
2024-02-17 01:54:30 +00:00
from stack_orchestrator.util import get_k8s_dir, error_exit
Rename app -> stack_orchestrator (#625)
2023-11-07 07:06:55 +00:00
from stack_orchestrator.opts import opts
Add image push command (#656)
2023-11-21 03:23:55 +00:00
from stack_orchestrator.deploy.deploy_util import parsed_pod_files_map_from_file_names
Fix kind mode and add k8s deployment test (#704) * Fix kind mode and add k8s deployment test * Fix lint errors
2024-01-16 22:55:58 +00:00
from stack_orchestrator.deploy.deployer import DeployerException
Add unlimited-memlock support for Kind clusters Add spec.yml option `security.unlimited-memlock` that configures RLIMIT_MEMLOCK to unlimited for Kind cluster pods. This is needed for workloads like Solana validators that require large amounts of locked memory for memory-mapped files during snapshot decompression. When enabled, generates a cri-base.json file with rlimits and mounts it into the Kind node to override the default containerd runtime spec. Also includes flake8 line-length fixes for affected files. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 01:20:19 +00:00
from stack_orchestrator import constants
k8s deploy (#614)
2023-10-27 16:19:44 +00:00
Add missing get_kind_cluster function to helpers.py Fixes ImportError in k8s_command.py that was causing CI failure. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 00:04:46 +00:00
def get_kind_cluster():
"""Get an existing kind cluster, if any.
Uses `kind get clusters` to find existing clusters.
Returns the cluster name or None if no cluster exists.
"""
result = subprocess.run(
Add unlimited-memlock support for Kind clusters Add spec.yml option `security.unlimited-memlock` that configures RLIMIT_MEMLOCK to unlimited for Kind cluster pods. This is needed for workloads like Solana validators that require large amounts of locked memory for memory-mapped files during snapshot decompression. When enabled, generates a cri-base.json file with rlimits and mounts it into the Kind node to override the default containerd runtime spec. Also includes flake8 line-length fixes for affected files. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 01:20:19 +00:00
"kind get clusters", shell=True, capture_output=True, text=True
Add missing get_kind_cluster function to helpers.py Fixes ImportError in k8s_command.py that was causing CI failure. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 00:04:46 +00:00
)
if result.returncode != 0:
return None
clusters = result.stdout.strip().splitlines()
if clusters:
return clusters[0] # Return the first cluster found
return None
k8s deploy (#614)
2023-10-27 16:19:44 +00:00
def _run_command(command: str):
if opts.o.debug:
print(f"Running: {command}")
result = subprocess.run(command, shell=True)
if opts.o.debug:
print(f"Result: {result}")
Fix kind mode and add k8s deployment test (#704) * Fix kind mode and add k8s deployment test * Fix lint errors
2024-01-16 22:55:58 +00:00
return result
k8s deploy (#614)
2023-10-27 16:19:44 +00:00
Add generated kind config (#623)
2023-11-06 06:21:53 +00:00
def create_cluster(name: str, config_file: str):
Fix kind mode and add k8s deployment test (#704) * Fix kind mode and add k8s deployment test * Fix lint errors
2024-01-16 22:55:58 +00:00
result = _run_command(f"kind create cluster --name {name} --config {config_file}")
if result.returncode != 0:
raise DeployerException(f"kind create cluster failed: {result}")
k8s deploy (#614)
2023-10-27 16:19:44 +00:00
def destroy_cluster(name: str):
_run_command(f"kind delete cluster --name {name}")
Support non-tls ingress for kind (#748) Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/748 Co-authored-by: David Boreham <david@bozemanpass.com> Co-committed-by: David Boreham <david@bozemanpass.com>
2024-02-17 01:54:30 +00:00
def wait_for_ingress_in_kind():
core_v1 = client.CoreV1Api()
for i in range(20):
warned_waiting = False
w = watch.Watch()
Add unlimited-memlock support for Kind clusters Add spec.yml option `security.unlimited-memlock` that configures RLIMIT_MEMLOCK to unlimited for Kind cluster pods. This is needed for workloads like Solana validators that require large amounts of locked memory for memory-mapped files during snapshot decompression. When enabled, generates a cri-base.json file with rlimits and mounts it into the Kind node to override the default containerd runtime spec. Also includes flake8 line-length fixes for affected files. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 01:20:19 +00:00
for event in w.stream(
func=core_v1.list_namespaced_pod,
Fix helpers.py to use Caddy ingress instead of nginx The helm-charts-with-caddy branch had the Caddy manifest file but was still using nginx in the code. This change: - Switch install_ingress_for_kind() to use ingress-caddy-kind-deploy.yaml - Update wait_for_ingress_in_kind() to watch caddy-system namespace - Use correct label selector for Caddy ingress controller pods Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 08:22:07 +00:00
namespace="caddy-system",
label_selector=(
"app.kubernetes.io/name=caddy-ingress-controller,"
"app.kubernetes.io/component=controller"
),
Add unlimited-memlock support for Kind clusters Add spec.yml option `security.unlimited-memlock` that configures RLIMIT_MEMLOCK to unlimited for Kind cluster pods. This is needed for workloads like Solana validators that require large amounts of locked memory for memory-mapped files during snapshot decompression. When enabled, generates a cri-base.json file with rlimits and mounts it into the Kind node to override the default containerd runtime spec. Also includes flake8 line-length fixes for affected files. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 01:20:19 +00:00
timeout_seconds=30,
):
Fix pyright type errors across codebase - Add pyrightconfig.json for pyright 1.1.408 TOML parsing workaround - Add NoReturn annotations to fatal() functions for proper type narrowing - Add None checks and assertions after require=True get_record() calls - Fix AttrDict class with __getattr__ for dynamic attribute access - Add type annotations and casts for Kubernetes client objects - Store compose config as DockerDeployer instance attributes - Filter None values from dotenv and environment mappings - Use hasattr/getattr patterns for optional container attributes Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 06:10:36 +00:00
event_dict = cast(dict, event)
pod = cast(client.V1Pod, event_dict.get("object"))
if pod and pod.status and pod.status.container_statuses:
if pod.status.container_statuses[0].ready is True:
Support non-tls ingress for kind (#748) Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/748 Co-authored-by: David Boreham <david@bozemanpass.com> Co-committed-by: David Boreham <david@bozemanpass.com>
2024-02-17 01:54:30 +00:00
if warned_waiting:
Fix helpers.py to use Caddy ingress instead of nginx The helm-charts-with-caddy branch had the Caddy manifest file but was still using nginx in the code. This change: - Switch install_ingress_for_kind() to use ingress-caddy-kind-deploy.yaml - Update wait_for_ingress_in_kind() to watch caddy-system namespace - Use correct label selector for Caddy ingress controller pods Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 08:22:07 +00:00
print("Caddy ingress controller is ready")
Support non-tls ingress for kind (#748) Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/748 Co-authored-by: David Boreham <david@bozemanpass.com> Co-committed-by: David Boreham <david@bozemanpass.com>
2024-02-17 01:54:30 +00:00
return
Fix helpers.py to use Caddy ingress instead of nginx The helm-charts-with-caddy branch had the Caddy manifest file but was still using nginx in the code. This change: - Switch install_ingress_for_kind() to use ingress-caddy-kind-deploy.yaml - Update wait_for_ingress_in_kind() to watch caddy-system namespace - Use correct label selector for Caddy ingress controller pods Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 08:22:07 +00:00
print("Waiting for Caddy ingress controller to become ready...")
Support non-tls ingress for kind (#748) Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/748 Co-authored-by: David Boreham <david@bozemanpass.com> Co-committed-by: David Boreham <david@bozemanpass.com>
2024-02-17 01:54:30 +00:00
warned_waiting = True
Fix helpers.py to use Caddy ingress instead of nginx The helm-charts-with-caddy branch had the Caddy manifest file but was still using nginx in the code. This change: - Switch install_ingress_for_kind() to use ingress-caddy-kind-deploy.yaml - Update wait_for_ingress_in_kind() to watch caddy-system namespace - Use correct label selector for Caddy ingress controller pods Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 08:22:07 +00:00
error_exit("ERROR: Timed out waiting for Caddy ingress to become ready")
Support non-tls ingress for kind (#748) Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/748 Co-authored-by: David Boreham <david@bozemanpass.com> Co-committed-by: David Boreham <david@bozemanpass.com>
2024-02-17 01:54:30 +00:00
def install_ingress_for_kind():
api_client = client.ApiClient()
Add unlimited-memlock support for Kind clusters Add spec.yml option `security.unlimited-memlock` that configures RLIMIT_MEMLOCK to unlimited for Kind cluster pods. This is needed for workloads like Solana validators that require large amounts of locked memory for memory-mapped files during snapshot decompression. When enabled, generates a cri-base.json file with rlimits and mounts it into the Kind node to override the default containerd runtime spec. Also includes flake8 line-length fixes for affected files. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 01:20:19 +00:00
ingress_install = os.path.abspath(
get_k8s_dir().joinpath(
Fix helpers.py to use Caddy ingress instead of nginx The helm-charts-with-caddy branch had the Caddy manifest file but was still using nginx in the code. This change: - Switch install_ingress_for_kind() to use ingress-caddy-kind-deploy.yaml - Update wait_for_ingress_in_kind() to watch caddy-system namespace - Use correct label selector for Caddy ingress controller pods Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 08:22:07 +00:00
"components", "ingress", "ingress-caddy-kind-deploy.yaml"
Add unlimited-memlock support for Kind clusters Add spec.yml option `security.unlimited-memlock` that configures RLIMIT_MEMLOCK to unlimited for Kind cluster pods. This is needed for workloads like Solana validators that require large amounts of locked memory for memory-mapped files during snapshot decompression. When enabled, generates a cri-base.json file with rlimits and mounts it into the Kind node to override the default containerd runtime spec. Also includes flake8 line-length fixes for affected files. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 01:20:19 +00:00
)
)
Support non-tls ingress for kind (#748) Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/748 Co-authored-by: David Boreham <david@bozemanpass.com> Co-committed-by: David Boreham <david@bozemanpass.com>
2024-02-17 01:54:30 +00:00
if opts.o.debug:
Fix helpers.py to use Caddy ingress instead of nginx The helm-charts-with-caddy branch had the Caddy manifest file but was still using nginx in the code. This change: - Switch install_ingress_for_kind() to use ingress-caddy-kind-deploy.yaml - Update wait_for_ingress_in_kind() to watch caddy-system namespace - Use correct label selector for Caddy ingress controller pods Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 08:22:07 +00:00
print("Installing Caddy ingress controller in kind cluster")
Support non-tls ingress for kind (#748) Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/748 Co-authored-by: David Boreham <david@bozemanpass.com> Co-committed-by: David Boreham <david@bozemanpass.com>
2024-02-17 01:54:30 +00:00
utils.create_from_yaml(api_client, yaml_file=ingress_install)
k8s deploy (#614)
2023-10-27 16:19:44 +00:00
def load_images_into_kind(kind_cluster_name: str, image_set: Set[str]):
for image in image_set:
Add unlimited-memlock support for Kind clusters Add spec.yml option `security.unlimited-memlock` that configures RLIMIT_MEMLOCK to unlimited for Kind cluster pods. This is needed for workloads like Solana validators that require large amounts of locked memory for memory-mapped files during snapshot decompression. When enabled, generates a cri-base.json file with rlimits and mounts it into the Kind node to override the default containerd runtime spec. Also includes flake8 line-length fixes for affected files. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 01:20:19 +00:00
result = _run_command(
f"kind load docker-image {image} --name {kind_cluster_name}"
)
Fix kind mode and add k8s deployment test (#704) * Fix kind mode and add k8s deployment test * Fix lint errors
2024-01-16 22:55:58 +00:00
if result.returncode != 0:
Fix misleading error message in load_images_into_kind
2026-01-22 00:32:53 +00:00
raise DeployerException(f"kind load docker-image failed: {result}")
k8s deploy (#614)
2023-10-27 16:19:44 +00:00
def pods_in_deployment(core_api: client.CoreV1Api, deployment_name: str):
pods = []
Add unlimited-memlock support for Kind clusters Add spec.yml option `security.unlimited-memlock` that configures RLIMIT_MEMLOCK to unlimited for Kind cluster pods. This is needed for workloads like Solana validators that require large amounts of locked memory for memory-mapped files during snapshot decompression. When enabled, generates a cri-base.json file with rlimits and mounts it into the Kind node to override the default containerd runtime spec. Also includes flake8 line-length fixes for affected files. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 01:20:19 +00:00
pod_response = core_api.list_namespaced_pod(
namespace="default", label_selector=f"app={deployment_name}"
)
k8s deploy (#614)
2023-10-27 16:19:44 +00:00
if opts.o.debug:
print(f"pod_response: {pod_response}")
for pod_info in pod_response.items:
pod_name = pod_info.metadata.name
pods.append(pod_name)
return pods
Fix pyright type errors across codebase - Add pyrightconfig.json for pyright 1.1.408 TOML parsing workaround - Add NoReturn annotations to fatal() functions for proper type narrowing - Add None checks and assertions after require=True get_record() calls - Fix AttrDict class with __getattr__ for dynamic attribute access - Add type annotations and casts for Kubernetes client objects - Store compose config as DockerDeployer instance attributes - Filter None values from dotenv and environment mappings - Use hasattr/getattr patterns for optional container attributes Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 06:10:36 +00:00
def containers_in_pod(core_api: client.CoreV1Api, pod_name: str) -> List[str]:
containers: List[str] = []
pod_response = cast(
client.V1Pod, core_api.read_namespaced_pod(pod_name, namespace="default")
)
Test Database Stack (#737) Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/737
2024-02-15 05:26:29 +00:00
if opts.o.debug:
print(f"pod_response: {pod_response}")
Fix pyright type errors across codebase - Add pyrightconfig.json for pyright 1.1.408 TOML parsing workaround - Add NoReturn annotations to fatal() functions for proper type narrowing - Add None checks and assertions after require=True get_record() calls - Fix AttrDict class with __getattr__ for dynamic attribute access - Add type annotations and casts for Kubernetes client objects - Store compose config as DockerDeployer instance attributes - Filter None values from dotenv and environment mappings - Use hasattr/getattr patterns for optional container attributes Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 06:10:36 +00:00
if not pod_response.spec or not pod_response.spec.containers:
return containers
for pod_container in pod_response.spec.containers:
if pod_container.name:
containers.append(pod_container.name)
Test Database Stack (#737) Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/737
2024-02-15 05:26:29 +00:00
return containers
k8s deploy (#614)
2023-10-27 16:19:44 +00:00
def log_stream_from_string(s: str):
# Note response has to be UTF-8 encoded because the caller expects to decode it
yield ("ignore", s.encode())
Basic volume support (#622)
2023-11-03 23:02:13 +00:00
def named_volumes_from_pod_files(parsed_pod_files):
# Parse the compose files looking for named volumes
named_volumes = []
for pod in parsed_pod_files:
parsed_pod_file = parsed_pod_files[pod]
if "volumes" in parsed_pod_file:
volumes = parsed_pod_file["volumes"]
Add ConfigMap support for k8s. (#714) * Minor fixes for deploying with k8s and podman. * ConfigMap support
2024-01-31 05:09:48 +00:00
for volume, value in volumes.items():
Basic volume support (#622)
2023-11-03 23:02:13 +00:00
# Volume definition looks like:
# 'laconicd-data': None
named_volumes.append(volume)
return named_volumes
For k8s, use provisioner-managed volumes when an absolute host path is not specified. (#741) In kind, when we bind-mount a host directory it is first mounted into the kind container at /mnt, then into the pod at the desired location. We accidentally picked this up for full-blown k8s, and were creating volumes at /mnt. This changes the behavior for both kind and regular k8s so that bind mounts are only allowed if a fully-qualified path is specified. If no path is specified at all, a default storageClass is assumed to be present, and the volume managed by a provisioner. Eg, for kind, the default provisioner is: https://github.com/rancher/local-path-provisioner ``` stack: test deploy-to: k8s-kind config: test-variable-1: test-value-1 network: ports: test: - '80' volumes: # this will be bind-mounted to a host-path test-data-bind: /srv/data # this will be managed by the k8s node test-data-auto: configmaps: test-config: ./configmap/test-config ``` Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/741 Co-authored-by: Thomas E Lackey <telackey@bozemanpass.com> Co-committed-by: Thomas E Lackey <telackey@bozemanpass.com>
2024-02-14 21:45:01 +00:00
def get_kind_pv_bind_mount_path(volume_name: str):
kind test stack (#629)
2023-11-08 08:11:00 +00:00
return f"/mnt/{volume_name}"
Basic volume support (#622)
2023-11-03 23:02:13 +00:00
def volume_mounts_for_service(parsed_pod_files, service):
result = []
# Find the service
for pod in parsed_pod_files:
parsed_pod_file = parsed_pod_files[pod]
if "services" in parsed_pod_file:
services = parsed_pod_file["services"]
for service_name in services:
if service_name == service:
service_obj = services[service_name]
if "volumes" in service_obj:
volumes = service_obj["volumes"]
for mount_string in volumes:
Add unlimited-memlock support for Kind clusters Add spec.yml option `security.unlimited-memlock` that configures RLIMIT_MEMLOCK to unlimited for Kind cluster pods. This is needed for workloads like Solana validators that require large amounts of locked memory for memory-mapped files during snapshot decompression. When enabled, generates a cri-base.json file with rlimits and mounts it into the Kind node to override the default containerd runtime spec. Also includes flake8 line-length fixes for affected files. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 01:20:19 +00:00
# Looks like: test-data:/data
# or test-data:/data:ro or test-data:/data:rw
Volume processing fixes (#729)
2024-02-06 19:32:10 +00:00
if opts.o.debug:
print(f"mount_string: {mount_string}")
mount_split = mount_string.split(":")
volume_name = mount_split[0]
mount_path = mount_split[1]
Add unlimited-memlock support for Kind clusters Add spec.yml option `security.unlimited-memlock` that configures RLIMIT_MEMLOCK to unlimited for Kind cluster pods. This is needed for workloads like Solana validators that require large amounts of locked memory for memory-mapped files during snapshot decompression. When enabled, generates a cri-base.json file with rlimits and mounts it into the Kind node to override the default containerd runtime spec. Also includes flake8 line-length fixes for affected files. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 01:20:19 +00:00
mount_options = (
mount_split[2] if len(mount_split) == 3 else None
)
Volume processing fixes (#729)
2024-02-06 19:32:10 +00:00
if opts.o.debug:
For k8s, use provisioner-managed volumes when an absolute host path is not specified. (#741) In kind, when we bind-mount a host directory it is first mounted into the kind container at /mnt, then into the pod at the desired location. We accidentally picked this up for full-blown k8s, and were creating volumes at /mnt. This changes the behavior for both kind and regular k8s so that bind mounts are only allowed if a fully-qualified path is specified. If no path is specified at all, a default storageClass is assumed to be present, and the volume managed by a provisioner. Eg, for kind, the default provisioner is: https://github.com/rancher/local-path-provisioner ``` stack: test deploy-to: k8s-kind config: test-variable-1: test-value-1 network: ports: test: - '80' volumes: # this will be bind-mounted to a host-path test-data-bind: /srv/data # this will be managed by the k8s node test-data-auto: configmaps: test-config: ./configmap/test-config ``` Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/741 Co-authored-by: Thomas E Lackey <telackey@bozemanpass.com> Co-committed-by: Thomas E Lackey <telackey@bozemanpass.com>
2024-02-14 21:45:01 +00:00
print(f"volume_name: {volume_name}")
Volume processing fixes (#729)
2024-02-06 19:32:10 +00:00
print(f"mount path: {mount_path}")
print(f"mount options: {mount_options}")
Add ConfigMap support for k8s. (#714) * Minor fixes for deploying with k8s and podman. * ConfigMap support
2024-01-31 05:09:48 +00:00
volume_device = client.V1VolumeMount(
For k8s, use provisioner-managed volumes when an absolute host path is not specified. (#741) In kind, when we bind-mount a host directory it is first mounted into the kind container at /mnt, then into the pod at the desired location. We accidentally picked this up for full-blown k8s, and were creating volumes at /mnt. This changes the behavior for both kind and regular k8s so that bind mounts are only allowed if a fully-qualified path is specified. If no path is specified at all, a default storageClass is assumed to be present, and the volume managed by a provisioner. Eg, for kind, the default provisioner is: https://github.com/rancher/local-path-provisioner ``` stack: test deploy-to: k8s-kind config: test-variable-1: test-value-1 network: ports: test: - '80' volumes: # this will be bind-mounted to a host-path test-data-bind: /srv/data # this will be managed by the k8s node test-data-auto: configmaps: test-config: ./configmap/test-config ``` Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/741 Co-authored-by: Thomas E Lackey <telackey@bozemanpass.com> Co-committed-by: Thomas E Lackey <telackey@bozemanpass.com>
2024-02-14 21:45:01 +00:00
mount_path=mount_path,
name=volume_name,
Add unlimited-memlock support for Kind clusters Add spec.yml option `security.unlimited-memlock` that configures RLIMIT_MEMLOCK to unlimited for Kind cluster pods. This is needed for workloads like Solana validators that require large amounts of locked memory for memory-mapped files during snapshot decompression. When enabled, generates a cri-base.json file with rlimits and mounts it into the Kind node to override the default containerd runtime spec. Also includes flake8 line-length fixes for affected files. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 01:20:19 +00:00
read_only="ro" == mount_options,
For k8s, use provisioner-managed volumes when an absolute host path is not specified. (#741) In kind, when we bind-mount a host directory it is first mounted into the kind container at /mnt, then into the pod at the desired location. We accidentally picked this up for full-blown k8s, and were creating volumes at /mnt. This changes the behavior for both kind and regular k8s so that bind mounts are only allowed if a fully-qualified path is specified. If no path is specified at all, a default storageClass is assumed to be present, and the volume managed by a provisioner. Eg, for kind, the default provisioner is: https://github.com/rancher/local-path-provisioner ``` stack: test deploy-to: k8s-kind config: test-variable-1: test-value-1 network: ports: test: - '80' volumes: # this will be bind-mounted to a host-path test-data-bind: /srv/data # this will be managed by the k8s node test-data-auto: configmaps: test-config: ./configmap/test-config ``` Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/741 Co-authored-by: Thomas E Lackey <telackey@bozemanpass.com> Co-committed-by: Thomas E Lackey <telackey@bozemanpass.com>
2024-02-14 21:45:01 +00:00
)
Basic volume support (#622)
2023-11-03 23:02:13 +00:00
result.append(volume_device)
return result
Basic webapp deployer stack. (#722)
2024-02-03 02:05:15 +00:00
def volumes_for_pod_files(parsed_pod_files, spec, app_name):
Basic volume support (#622)
2023-11-03 23:02:13 +00:00
result = []
for pod in parsed_pod_files:
parsed_pod_file = parsed_pod_files[pod]
if "volumes" in parsed_pod_file:
volumes = parsed_pod_file["volumes"]
for volume_name in volumes.keys():
Add ConfigMap support for k8s. (#714) * Minor fixes for deploying with k8s and podman. * ConfigMap support
2024-01-31 05:09:48 +00:00
if volume_name in spec.get_configmaps():
Add Caddy ingress and k8s cluster management features - Add Caddy ingress controller manifest for kind deployments - Add k8s cluster list command for kind cluster management - Add k8s_command import and registration in deploy.py - Fix network section merge to preserve http-proxy settings - Increase default container resources (4 CPUs, 8GB memory) - Add UDP protocol support for K8s port definitions - Add command/entrypoint support for K8s deployments - Implement docker-compose variable expansion for K8s - Set ConfigMap defaultMode to 0755 for executable scripts Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-21 04:14:22 +00:00
# Set defaultMode=0o755 to make scripts executable
Add unlimited-memlock support for Kind clusters Add spec.yml option `security.unlimited-memlock` that configures RLIMIT_MEMLOCK to unlimited for Kind cluster pods. This is needed for workloads like Solana validators that require large amounts of locked memory for memory-mapped files during snapshot decompression. When enabled, generates a cri-base.json file with rlimits and mounts it into the Kind node to override the default containerd runtime spec. Also includes flake8 line-length fixes for affected files. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 01:20:19 +00:00
config_map = client.V1ConfigMapVolumeSource(
name=f"{app_name}-{volume_name}", default_mode=0o755
)
Add ConfigMap support for k8s. (#714) * Minor fixes for deploying with k8s and podman. * ConfigMap support
2024-01-31 05:09:48 +00:00
volume = client.V1Volume(name=volume_name, config_map=config_map)
result.append(volume)
else:
Add unlimited-memlock support for Kind clusters Add spec.yml option `security.unlimited-memlock` that configures RLIMIT_MEMLOCK to unlimited for Kind cluster pods. This is needed for workloads like Solana validators that require large amounts of locked memory for memory-mapped files during snapshot decompression. When enabled, generates a cri-base.json file with rlimits and mounts it into the Kind node to override the default containerd runtime spec. Also includes flake8 line-length fixes for affected files. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 01:20:19 +00:00
claim = client.V1PersistentVolumeClaimVolumeSource(
claim_name=f"{app_name}-{volume_name}"
)
volume = client.V1Volume(
name=volume_name, persistent_volume_claim=claim
)
Add ConfigMap support for k8s. (#714) * Minor fixes for deploying with k8s and podman. * ConfigMap support
2024-01-31 05:09:48 +00:00
result.append(volume)
Basic volume support (#622)
2023-11-03 23:02:13 +00:00
return result
Add generated kind config (#623)
2023-11-06 06:21:53 +00:00
For k8s, use provisioner-managed volumes when an absolute host path is not specified. (#741) In kind, when we bind-mount a host directory it is first mounted into the kind container at /mnt, then into the pod at the desired location. We accidentally picked this up for full-blown k8s, and were creating volumes at /mnt. This changes the behavior for both kind and regular k8s so that bind mounts are only allowed if a fully-qualified path is specified. If no path is specified at all, a default storageClass is assumed to be present, and the volume managed by a provisioner. Eg, for kind, the default provisioner is: https://github.com/rancher/local-path-provisioner ``` stack: test deploy-to: k8s-kind config: test-variable-1: test-value-1 network: ports: test: - '80' volumes: # this will be bind-mounted to a host-path test-data-bind: /srv/data # this will be managed by the k8s node test-data-auto: configmaps: test-config: ./configmap/test-config ``` Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/741 Co-authored-by: Thomas E Lackey <telackey@bozemanpass.com> Co-committed-by: Thomas E Lackey <telackey@bozemanpass.com>
2024-02-14 21:45:01 +00:00
def _get_host_paths_for_volumes(deployment_context):
return deployment_context.spec.get_volumes()
Add generated kind config (#623)
2023-11-06 06:21:53 +00:00
kind test stack (#629)
2023-11-08 08:11:00 +00:00
def _make_absolute_host_path(data_mount_path: Path, deployment_dir: Path) -> Path:
if os.path.isabs(data_mount_path):
return data_mount_path
else:
# Python Path voodo that looks pretty odd:
For k8s, use provisioner-managed volumes when an absolute host path is not specified. (#741) In kind, when we bind-mount a host directory it is first mounted into the kind container at /mnt, then into the pod at the desired location. We accidentally picked this up for full-blown k8s, and were creating volumes at /mnt. This changes the behavior for both kind and regular k8s so that bind mounts are only allowed if a fully-qualified path is specified. If no path is specified at all, a default storageClass is assumed to be present, and the volume managed by a provisioner. Eg, for kind, the default provisioner is: https://github.com/rancher/local-path-provisioner ``` stack: test deploy-to: k8s-kind config: test-variable-1: test-value-1 network: ports: test: - '80' volumes: # this will be bind-mounted to a host-path test-data-bind: /srv/data # this will be managed by the k8s node test-data-auto: configmaps: test-config: ./configmap/test-config ``` Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/741 Co-authored-by: Thomas E Lackey <telackey@bozemanpass.com> Co-committed-by: Thomas E Lackey <telackey@bozemanpass.com>
2024-02-14 21:45:01 +00:00
return Path.cwd().joinpath(deployment_dir.joinpath(data_mount_path)).resolve()
kind test stack (#629)
2023-11-08 08:11:00 +00:00
Add ConfigMap test. (#726) * Add ConfigMap test. * eof * Minor tweak * Trigger test --------- Co-authored-by: David Boreham <david@bozemanpass.com>
2024-02-05 20:15:11 +00:00
def _generate_kind_mounts(parsed_pod_files, deployment_dir, deployment_context):
Add generated kind config (#623)
2023-11-06 06:21:53 +00:00
volume_definitions = []
For k8s, use provisioner-managed volumes when an absolute host path is not specified. (#741) In kind, when we bind-mount a host directory it is first mounted into the kind container at /mnt, then into the pod at the desired location. We accidentally picked this up for full-blown k8s, and were creating volumes at /mnt. This changes the behavior for both kind and regular k8s so that bind mounts are only allowed if a fully-qualified path is specified. If no path is specified at all, a default storageClass is assumed to be present, and the volume managed by a provisioner. Eg, for kind, the default provisioner is: https://github.com/rancher/local-path-provisioner ``` stack: test deploy-to: k8s-kind config: test-variable-1: test-value-1 network: ports: test: - '80' volumes: # this will be bind-mounted to a host-path test-data-bind: /srv/data # this will be managed by the k8s node test-data-auto: configmaps: test-config: ./configmap/test-config ``` Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/741 Co-authored-by: Thomas E Lackey <telackey@bozemanpass.com> Co-committed-by: Thomas E Lackey <telackey@bozemanpass.com>
2024-02-14 21:45:01 +00:00
volume_host_path_map = _get_host_paths_for_volumes(deployment_context)
kind test stack (#629)
2023-11-08 08:11:00 +00:00
# Note these paths are relative to the location of the pod files (at present)
# So we need to fix up to make them correct and absolute because kind assumes
# relative to the cwd.
Add generated kind config (#623)
2023-11-06 06:21:53 +00:00
for pod in parsed_pod_files:
parsed_pod_file = parsed_pod_files[pod]
if "services" in parsed_pod_file:
services = parsed_pod_file["services"]
for service_name in services:
service_obj = services[service_name]
if "volumes" in service_obj:
volumes = service_obj["volumes"]
for mount_string in volumes:
Add unlimited-memlock support for Kind clusters Add spec.yml option `security.unlimited-memlock` that configures RLIMIT_MEMLOCK to unlimited for Kind cluster pods. This is needed for workloads like Solana validators that require large amounts of locked memory for memory-mapped files during snapshot decompression. When enabled, generates a cri-base.json file with rlimits and mounts it into the Kind node to override the default containerd runtime spec. Also includes flake8 line-length fixes for affected files. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 01:20:19 +00:00
# Looks like: test-data:/data
# or test-data:/data:ro or test-data:/data:rw
Volume processing fixes (#729)
2024-02-06 19:32:10 +00:00
if opts.o.debug:
print(f"mount_string: {mount_string}")
mount_split = mount_string.split(":")
volume_name = mount_split[0]
mount_path = mount_split[1]
if opts.o.debug:
For k8s, use provisioner-managed volumes when an absolute host path is not specified. (#741) In kind, when we bind-mount a host directory it is first mounted into the kind container at /mnt, then into the pod at the desired location. We accidentally picked this up for full-blown k8s, and were creating volumes at /mnt. This changes the behavior for both kind and regular k8s so that bind mounts are only allowed if a fully-qualified path is specified. If no path is specified at all, a default storageClass is assumed to be present, and the volume managed by a provisioner. Eg, for kind, the default provisioner is: https://github.com/rancher/local-path-provisioner ``` stack: test deploy-to: k8s-kind config: test-variable-1: test-value-1 network: ports: test: - '80' volumes: # this will be bind-mounted to a host-path test-data-bind: /srv/data # this will be managed by the k8s node test-data-auto: configmaps: test-config: ./configmap/test-config ``` Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/741 Co-authored-by: Thomas E Lackey <telackey@bozemanpass.com> Co-committed-by: Thomas E Lackey <telackey@bozemanpass.com>
2024-02-14 21:45:01 +00:00
print(f"volume_name: {volume_name}")
Volume processing fixes (#729)
2024-02-06 19:32:10 +00:00
print(f"map: {volume_host_path_map}")
print(f"mount path: {mount_path}")
Add ConfigMap test. (#726) * Add ConfigMap test. * eof * Minor tweak * Trigger test --------- Co-authored-by: David Boreham <david@bozemanpass.com>
2024-02-05 20:15:11 +00:00
if volume_name not in deployment_context.spec.get_configmaps():
For k8s, use provisioner-managed volumes when an absolute host path is not specified. (#741) In kind, when we bind-mount a host directory it is first mounted into the kind container at /mnt, then into the pod at the desired location. We accidentally picked this up for full-blown k8s, and were creating volumes at /mnt. This changes the behavior for both kind and regular k8s so that bind mounts are only allowed if a fully-qualified path is specified. If no path is specified at all, a default storageClass is assumed to be present, and the volume managed by a provisioner. Eg, for kind, the default provisioner is: https://github.com/rancher/local-path-provisioner ``` stack: test deploy-to: k8s-kind config: test-variable-1: test-value-1 network: ports: test: - '80' volumes: # this will be bind-mounted to a host-path test-data-bind: /srv/data # this will be managed by the k8s node test-data-auto: configmaps: test-config: ./configmap/test-config ``` Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/741 Co-authored-by: Thomas E Lackey <telackey@bozemanpass.com> Co-committed-by: Thomas E Lackey <telackey@bozemanpass.com>
2024-02-14 21:45:01 +00:00
if volume_host_path_map[volume_name]:
Add unlimited-memlock support for Kind clusters Add spec.yml option `security.unlimited-memlock` that configures RLIMIT_MEMLOCK to unlimited for Kind cluster pods. This is needed for workloads like Solana validators that require large amounts of locked memory for memory-mapped files during snapshot decompression. When enabled, generates a cri-base.json file with rlimits and mounts it into the Kind node to override the default containerd runtime spec. Also includes flake8 line-length fixes for affected files. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 01:20:19 +00:00
host_path = _make_absolute_host_path(
volume_host_path_map[volume_name],
deployment_dir,
)
container_path = get_kind_pv_bind_mount_path(
volume_name
)
For k8s, use provisioner-managed volumes when an absolute host path is not specified. (#741) In kind, when we bind-mount a host directory it is first mounted into the kind container at /mnt, then into the pod at the desired location. We accidentally picked this up for full-blown k8s, and were creating volumes at /mnt. This changes the behavior for both kind and regular k8s so that bind mounts are only allowed if a fully-qualified path is specified. If no path is specified at all, a default storageClass is assumed to be present, and the volume managed by a provisioner. Eg, for kind, the default provisioner is: https://github.com/rancher/local-path-provisioner ``` stack: test deploy-to: k8s-kind config: test-variable-1: test-value-1 network: ports: test: - '80' volumes: # this will be bind-mounted to a host-path test-data-bind: /srv/data # this will be managed by the k8s node test-data-auto: configmaps: test-config: ./configmap/test-config ``` Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/741 Co-authored-by: Thomas E Lackey <telackey@bozemanpass.com> Co-committed-by: Thomas E Lackey <telackey@bozemanpass.com>
2024-02-14 21:45:01 +00:00
volume_definitions.append(
Add unlimited-memlock support for Kind clusters Add spec.yml option `security.unlimited-memlock` that configures RLIMIT_MEMLOCK to unlimited for Kind cluster pods. This is needed for workloads like Solana validators that require large amounts of locked memory for memory-mapped files during snapshot decompression. When enabled, generates a cri-base.json file with rlimits and mounts it into the Kind node to override the default containerd runtime spec. Also includes flake8 line-length fixes for affected files. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 01:20:19 +00:00
f" - hostPath: {host_path}\n"
f" containerPath: {container_path}\n"
For k8s, use provisioner-managed volumes when an absolute host path is not specified. (#741) In kind, when we bind-mount a host directory it is first mounted into the kind container at /mnt, then into the pod at the desired location. We accidentally picked this up for full-blown k8s, and were creating volumes at /mnt. This changes the behavior for both kind and regular k8s so that bind mounts are only allowed if a fully-qualified path is specified. If no path is specified at all, a default storageClass is assumed to be present, and the volume managed by a provisioner. Eg, for kind, the default provisioner is: https://github.com/rancher/local-path-provisioner ``` stack: test deploy-to: k8s-kind config: test-variable-1: test-value-1 network: ports: test: - '80' volumes: # this will be bind-mounted to a host-path test-data-bind: /srv/data # this will be managed by the k8s node test-data-auto: configmaps: test-config: ./configmap/test-config ``` Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/741 Co-authored-by: Thomas E Lackey <telackey@bozemanpass.com> Co-committed-by: Thomas E Lackey <telackey@bozemanpass.com>
2024-02-14 21:45:01 +00:00
)
Add generated kind config (#623)
2023-11-06 06:21:53 +00:00
return (
Add unlimited-memlock support for Kind clusters Add spec.yml option `security.unlimited-memlock` that configures RLIMIT_MEMLOCK to unlimited for Kind cluster pods. This is needed for workloads like Solana validators that require large amounts of locked memory for memory-mapped files during snapshot decompression. When enabled, generates a cri-base.json file with rlimits and mounts it into the Kind node to override the default containerd runtime spec. Also includes flake8 line-length fixes for affected files. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 01:20:19 +00:00
""
if len(volume_definitions) == 0
else (" extraMounts:\n" f"{''.join(volume_definitions)}")
Add generated kind config (#623)
2023-11-06 06:21:53 +00:00
)
Support non-tls ingress for kind (#748) Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/748 Co-authored-by: David Boreham <david@bozemanpass.com> Co-committed-by: David Boreham <david@bozemanpass.com>
2024-02-17 01:54:30 +00:00
# TODO: decide if we need this functionality
def _generate_kind_port_mappings_from_services(parsed_pod_files):
Add generated kind config (#623)
2023-11-06 06:21:53 +00:00
port_definitions = []
for pod in parsed_pod_files:
parsed_pod_file = parsed_pod_files[pod]
if "services" in parsed_pod_file:
services = parsed_pod_file["services"]
for service_name in services:
service_obj = services[service_name]
if "ports" in service_obj:
ports = service_obj["ports"]
for port_string in ports:
# TODO handle the complex cases
# Looks like: 80 or something more complicated
Add unlimited-memlock support for Kind clusters Add spec.yml option `security.unlimited-memlock` that configures RLIMIT_MEMLOCK to unlimited for Kind cluster pods. This is needed for workloads like Solana validators that require large amounts of locked memory for memory-mapped files during snapshot decompression. When enabled, generates a cri-base.json file with rlimits and mounts it into the Kind node to override the default containerd runtime spec. Also includes flake8 line-length fixes for affected files. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 01:20:19 +00:00
port_definitions.append(
f" - containerPort: {port_string}\n"
f" hostPort: {port_string}\n"
)
Add generated kind config (#623)
2023-11-06 06:21:53 +00:00
return (
Add unlimited-memlock support for Kind clusters Add spec.yml option `security.unlimited-memlock` that configures RLIMIT_MEMLOCK to unlimited for Kind cluster pods. This is needed for workloads like Solana validators that require large amounts of locked memory for memory-mapped files during snapshot decompression. When enabled, generates a cri-base.json file with rlimits and mounts it into the Kind node to override the default containerd runtime spec. Also includes flake8 line-length fixes for affected files. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 01:20:19 +00:00
""
if len(port_definitions) == 0
else (" extraPortMappings:\n" f"{''.join(port_definitions)}")
Add generated kind config (#623)
2023-11-06 06:21:53 +00:00
)
Support non-tls ingress for kind (#748) Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/748 Co-authored-by: David Boreham <david@bozemanpass.com> Co-committed-by: David Boreham <david@bozemanpass.com>
2024-02-17 01:54:30 +00:00
def _generate_kind_port_mappings(parsed_pod_files):
port_definitions = []
# For now we just map port 80 for the nginx ingress controller we install in kind
port_string = "80"
Add unlimited-memlock support for Kind clusters Add spec.yml option `security.unlimited-memlock` that configures RLIMIT_MEMLOCK to unlimited for Kind cluster pods. This is needed for workloads like Solana validators that require large amounts of locked memory for memory-mapped files during snapshot decompression. When enabled, generates a cri-base.json file with rlimits and mounts it into the Kind node to override the default containerd runtime spec. Also includes flake8 line-length fixes for affected files. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 01:20:19 +00:00
port_definitions.append(
f" - containerPort: {port_string}\n hostPort: {port_string}\n"
)
Support non-tls ingress for kind (#748) Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/748 Co-authored-by: David Boreham <david@bozemanpass.com> Co-committed-by: David Boreham <david@bozemanpass.com>
2024-02-17 01:54:30 +00:00
return (
Add unlimited-memlock support for Kind clusters Add spec.yml option `security.unlimited-memlock` that configures RLIMIT_MEMLOCK to unlimited for Kind cluster pods. This is needed for workloads like Solana validators that require large amounts of locked memory for memory-mapped files during snapshot decompression. When enabled, generates a cri-base.json file with rlimits and mounts it into the Kind node to override the default containerd runtime spec. Also includes flake8 line-length fixes for affected files. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 01:20:19 +00:00
""
if len(port_definitions) == 0
else (" extraPortMappings:\n" f"{''.join(port_definitions)}")
)
Add RuntimeClass support for unlimited RLIMIT_MEMLOCK The previous approach of mounting cri-base.json into kind nodes failed because we didn't tell containerd to use it via containerdConfigPatches. RuntimeClass allows different stacks to have different rlimit profiles, which is essential since kind only supports one cluster per host and multiple stacks share the same cluster. Changes: - Add containerdConfigPatches to kind-config.yml to define runtime handlers - Create RuntimeClass resources after cluster creation - Add runtimeClassName to pod specs based on stack's security settings - Rename cri-base.json to high-memlock-spec.json for clarity - Add get_runtime_class() method to Spec that auto-derives from unlimited-memlock setting Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 06:58:38 +00:00
def _generate_high_memlock_spec_mount(deployment_dir: Path):
"""Generate the extraMount entry for high-memlock-spec.json.
The spec file must be mounted at the same path inside the kind node
as it appears on the host, because containerd's base_runtime_spec
references an absolute path.
"""
spec_path = deployment_dir.joinpath(constants.high_memlock_spec_filename).resolve()
return f" - hostPath: {spec_path}\n" f" containerPath: {spec_path}\n"
Support non-tls ingress for kind (#748) Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/748 Co-authored-by: David Boreham <david@bozemanpass.com> Co-committed-by: David Boreham <david@bozemanpass.com>
2024-02-17 01:54:30 +00:00
Add RuntimeClass support for unlimited RLIMIT_MEMLOCK The previous approach of mounting cri-base.json into kind nodes failed because we didn't tell containerd to use it via containerdConfigPatches. RuntimeClass allows different stacks to have different rlimit profiles, which is essential since kind only supports one cluster per host and multiple stacks share the same cluster. Changes: - Add containerdConfigPatches to kind-config.yml to define runtime handlers - Create RuntimeClass resources after cluster creation - Add runtimeClassName to pod specs based on stack's security settings - Rename cri-base.json to high-memlock-spec.json for clarity - Add get_runtime_class() method to Spec that auto-derives from unlimited-memlock setting Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 06:58:38 +00:00
def generate_high_memlock_spec_json():
"""Generate OCI spec JSON with unlimited RLIMIT_MEMLOCK.
Add unlimited-memlock support for Kind clusters Add spec.yml option `security.unlimited-memlock` that configures RLIMIT_MEMLOCK to unlimited for Kind cluster pods. This is needed for workloads like Solana validators that require large amounts of locked memory for memory-mapped files during snapshot decompression. When enabled, generates a cri-base.json file with rlimits and mounts it into the Kind node to override the default containerd runtime spec. Also includes flake8 line-length fixes for affected files. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 01:20:19 +00:00
This is needed for workloads like Solana validators that require large
amounts of locked memory for memory-mapped files during snapshot decompression.
The IPC_LOCK capability alone doesn't raise the RLIMIT_MEMLOCK limit - it only
allows mlock() calls. We need to set the rlimit in the OCI runtime spec.
Fix high-memlock spec to include complete OCI runtime config The base_runtime_spec for containerd requires a complete OCI spec, not just the rlimits section. The minimal spec was causing runc to fail with "open /proc/self/fd: no such file or directory" because essential mounts and namespaces were missing. This commit uses kind's default cri-base.json as the base and adds the rlimits configuration on top. The spec includes all necessary mounts, namespaces, capabilities, and kind-specific hooks. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 07:12:11 +00:00
IMPORTANT: This must be a complete OCI runtime spec, not just the rlimits
section. The spec is based on kind's default cri-base.json with rlimits added.
Add unlimited-memlock support for Kind clusters Add spec.yml option `security.unlimited-memlock` that configures RLIMIT_MEMLOCK to unlimited for Kind cluster pods. This is needed for workloads like Solana validators that require large amounts of locked memory for memory-mapped files during snapshot decompression. When enabled, generates a cri-base.json file with rlimits and mounts it into the Kind node to override the default containerd runtime spec. Also includes flake8 line-length fixes for affected files. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 01:20:19 +00:00
"""
import json
# Use maximum 64-bit signed integer value for unlimited
max_rlimit = 9223372036854775807
Fix high-memlock spec to include complete OCI runtime config The base_runtime_spec for containerd requires a complete OCI spec, not just the rlimits section. The minimal spec was causing runc to fail with "open /proc/self/fd: no such file or directory" because essential mounts and namespaces were missing. This commit uses kind's default cri-base.json as the base and adds the rlimits configuration on top. The spec includes all necessary mounts, namespaces, capabilities, and kind-specific hooks. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 07:12:11 +00:00
# Based on kind's /etc/containerd/cri-base.json with rlimits added
Add RuntimeClass support for unlimited RLIMIT_MEMLOCK The previous approach of mounting cri-base.json into kind nodes failed because we didn't tell containerd to use it via containerdConfigPatches. RuntimeClass allows different stacks to have different rlimit profiles, which is essential since kind only supports one cluster per host and multiple stacks share the same cluster. Changes: - Add containerdConfigPatches to kind-config.yml to define runtime handlers - Create RuntimeClass resources after cluster creation - Add runtimeClassName to pod specs based on stack's security settings - Rename cri-base.json to high-memlock-spec.json for clarity - Add get_runtime_class() method to Spec that auto-derives from unlimited-memlock setting Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 06:58:38 +00:00
spec = {
Fix high-memlock spec to include complete OCI runtime config The base_runtime_spec for containerd requires a complete OCI spec, not just the rlimits section. The minimal spec was causing runc to fail with "open /proc/self/fd: no such file or directory" because essential mounts and namespaces were missing. This commit uses kind's default cri-base.json as the base and adds the rlimits configuration on top. The spec includes all necessary mounts, namespaces, capabilities, and kind-specific hooks. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 07:12:11 +00:00
"ociVersion": "1.1.0-rc.1",
Add unlimited-memlock support for Kind clusters Add spec.yml option `security.unlimited-memlock` that configures RLIMIT_MEMLOCK to unlimited for Kind cluster pods. This is needed for workloads like Solana validators that require large amounts of locked memory for memory-mapped files during snapshot decompression. When enabled, generates a cri-base.json file with rlimits and mounts it into the Kind node to override the default containerd runtime spec. Also includes flake8 line-length fixes for affected files. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 01:20:19 +00:00
"process": {
Fix high-memlock spec to include complete OCI runtime config The base_runtime_spec for containerd requires a complete OCI spec, not just the rlimits section. The minimal spec was causing runc to fail with "open /proc/self/fd: no such file or directory" because essential mounts and namespaces were missing. This commit uses kind's default cri-base.json as the base and adds the rlimits configuration on top. The spec includes all necessary mounts, namespaces, capabilities, and kind-specific hooks. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 07:12:11 +00:00
"user": {"uid": 0, "gid": 0},
"cwd": "/",
"capabilities": {
"bounding": [
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE",
],
"effective": [
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE",
],
"permitted": [
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE",
],
},
Add unlimited-memlock support for Kind clusters Add spec.yml option `security.unlimited-memlock` that configures RLIMIT_MEMLOCK to unlimited for Kind cluster pods. This is needed for workloads like Solana validators that require large amounts of locked memory for memory-mapped files during snapshot decompression. When enabled, generates a cri-base.json file with rlimits and mounts it into the Kind node to override the default containerd runtime spec. Also includes flake8 line-length fixes for affected files. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 01:20:19 +00:00
"rlimits": [
{"type": "RLIMIT_MEMLOCK", "hard": max_rlimit, "soft": max_rlimit},
{"type": "RLIMIT_NOFILE", "hard": 1048576, "soft": 1048576},
Fix high-memlock spec to include complete OCI runtime config The base_runtime_spec for containerd requires a complete OCI spec, not just the rlimits section. The minimal spec was causing runc to fail with "open /proc/self/fd: no such file or directory" because essential mounts and namespaces were missing. This commit uses kind's default cri-base.json as the base and adds the rlimits configuration on top. The spec includes all necessary mounts, namespaces, capabilities, and kind-specific hooks. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 07:12:11 +00:00
],
"noNewPrivileges": True,
},
"root": {"path": "rootfs"},
"mounts": [
{
"destination": "/proc",
"type": "proc",
"source": "proc",
"options": ["nosuid", "noexec", "nodev"],
},
{
"destination": "/dev",
"type": "tmpfs",
"source": "tmpfs",
"options": ["nosuid", "strictatime", "mode=755", "size=65536k"],
},
{
"destination": "/dev/pts",
"type": "devpts",
"source": "devpts",
"options": [
"nosuid",
"noexec",
"newinstance",
"ptmxmode=0666",
"mode=0620",
"gid=5",
],
},
{
"destination": "/dev/shm",
"type": "tmpfs",
"source": "shm",
"options": ["nosuid", "noexec", "nodev", "mode=1777", "size=65536k"],
},
{
"destination": "/dev/mqueue",
"type": "mqueue",
"source": "mqueue",
"options": ["nosuid", "noexec", "nodev"],
},
{
"destination": "/sys",
"type": "sysfs",
"source": "sysfs",
"options": ["nosuid", "noexec", "nodev", "ro"],
},
{
"destination": "/run",
"type": "tmpfs",
"source": "tmpfs",
"options": ["nosuid", "strictatime", "mode=755", "size=65536k"],
},
],
"linux": {
"resources": {"devices": [{"allow": False, "access": "rwm"}]},
"cgroupsPath": "/default",
"namespaces": [
{"type": "pid"},
{"type": "ipc"},
{"type": "uts"},
{"type": "mount"},
{"type": "network"},
],
"maskedPaths": [
"/proc/acpi",
"/proc/asound",
"/proc/kcore",
"/proc/keys",
"/proc/latency_stats",
"/proc/timer_list",
"/proc/timer_stats",
"/proc/sched_debug",
"/sys/firmware",
"/proc/scsi",
],
"readonlyPaths": [
"/proc/bus",
"/proc/fs",
"/proc/irq",
"/proc/sys",
"/proc/sysrq-trigger",
],
Add unlimited-memlock support for Kind clusters Add spec.yml option `security.unlimited-memlock` that configures RLIMIT_MEMLOCK to unlimited for Kind cluster pods. This is needed for workloads like Solana validators that require large amounts of locked memory for memory-mapped files during snapshot decompression. When enabled, generates a cri-base.json file with rlimits and mounts it into the Kind node to override the default containerd runtime spec. Also includes flake8 line-length fixes for affected files. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 01:20:19 +00:00
},
Fix high-memlock spec to include complete OCI runtime config The base_runtime_spec for containerd requires a complete OCI spec, not just the rlimits section. The minimal spec was causing runc to fail with "open /proc/self/fd: no such file or directory" because essential mounts and namespaces were missing. This commit uses kind's default cri-base.json as the base and adds the rlimits configuration on top. The spec includes all necessary mounts, namespaces, capabilities, and kind-specific hooks. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 07:12:11 +00:00
"hooks": {"createContainer": [{"path": "/kind/bin/mount-product-files.sh"}]},
Add unlimited-memlock support for Kind clusters Add spec.yml option `security.unlimited-memlock` that configures RLIMIT_MEMLOCK to unlimited for Kind cluster pods. This is needed for workloads like Solana validators that require large amounts of locked memory for memory-mapped files during snapshot decompression. When enabled, generates a cri-base.json file with rlimits and mounts it into the Kind node to override the default containerd runtime spec. Also includes flake8 line-length fixes for affected files. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 01:20:19 +00:00
}
Add RuntimeClass support for unlimited RLIMIT_MEMLOCK The previous approach of mounting cri-base.json into kind nodes failed because we didn't tell containerd to use it via containerdConfigPatches. RuntimeClass allows different stacks to have different rlimit profiles, which is essential since kind only supports one cluster per host and multiple stacks share the same cluster. Changes: - Add containerdConfigPatches to kind-config.yml to define runtime handlers - Create RuntimeClass resources after cluster creation - Add runtimeClassName to pod specs based on stack's security settings - Rename cri-base.json to high-memlock-spec.json for clarity - Add get_runtime_class() method to Spec that auto-derives from unlimited-memlock setting Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 06:58:38 +00:00
return json.dumps(spec, indent=2)
# Keep old name as alias for backward compatibility
def generate_cri_base_json():
"""Deprecated: Use generate_high_memlock_spec_json() instead."""
return generate_high_memlock_spec_json()
def _generate_containerd_config_patches(
deployment_dir: Path, has_high_memlock: bool
) -> str:
"""Generate containerdConfigPatches YAML for custom runtime handlers.
This configures containerd to have a runtime handler named 'high-memlock'
that uses a custom OCI base spec with unlimited RLIMIT_MEMLOCK.
"""
if not has_high_memlock:
return ""
spec_path = deployment_dir.joinpath(constants.high_memlock_spec_filename).resolve()
runtime_name = constants.high_memlock_runtime
plugin_path = 'plugins."io.containerd.grpc.v1.cri".containerd.runtimes'
return (
"containerdConfigPatches:\n"
" - |-\n"
f" [{plugin_path}.{runtime_name}]\n"
' runtime_type = "io.containerd.runc.v2"\n'
f' base_runtime_spec = "{spec_path}"\n'
)
Add unlimited-memlock support for Kind clusters Add spec.yml option `security.unlimited-memlock` that configures RLIMIT_MEMLOCK to unlimited for Kind cluster pods. This is needed for workloads like Solana validators that require large amounts of locked memory for memory-mapped files during snapshot decompression. When enabled, generates a cri-base.json file with rlimits and mounts it into the Kind node to override the default containerd runtime spec. Also includes flake8 line-length fixes for affected files. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 01:20:19 +00:00
Process environment variables defined in compose files (#736) Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/736 Co-authored-by: David Boreham <david@bozemanpass.com> Co-committed-by: David Boreham <david@bozemanpass.com>
2024-02-08 19:41:57 +00:00
# Note: this makes any duplicate definition in b overwrite a
def merge_envs(a: Mapping[str, str], b: Mapping[str, str]) -> Mapping[str, str]:
result = {**a, **b}
return result
Fix pyright type errors across codebase - Add pyrightconfig.json for pyright 1.1.408 TOML parsing workaround - Add NoReturn annotations to fatal() functions for proper type narrowing - Add None checks and assertions after require=True get_record() calls - Fix AttrDict class with __getattr__ for dynamic attribute access - Add type annotations and casts for Kubernetes client objects - Store compose config as DockerDeployer instance attributes - Filter None values from dotenv and environment mappings - Use hasattr/getattr patterns for optional container attributes Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 06:10:36 +00:00
def _expand_shell_vars(
raw_val: str, env_map: Optional[Mapping[str, str]] = None
) -> str:
Add Caddy ingress and k8s cluster management features - Add Caddy ingress controller manifest for kind deployments - Add k8s cluster list command for kind cluster management - Add k8s_command import and registration in deploy.py - Fix network section merge to preserve http-proxy settings - Increase default container resources (4 CPUs, 8GB memory) - Add UDP protocol support for K8s port definitions - Add command/entrypoint support for K8s deployments - Implement docker-compose variable expansion for K8s - Set ConfigMap defaultMode to 0755 for executable scripts Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-21 04:14:22 +00:00
# Expand docker-compose style variable substitution:
# ${VAR} - use VAR value or empty string
# ${VAR:-default} - use VAR value or default if unset/empty
# ${VAR-default} - use VAR value or default if unset
if env_map is None:
env_map = {}
if raw_val is None:
return ""
match = re.search(r"^\$\{([^}]+)\}$", raw_val)
Process environment variables defined in compose files (#736) Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/736 Co-authored-by: David Boreham <david@bozemanpass.com> Co-committed-by: David Boreham <david@bozemanpass.com>
2024-02-08 19:41:57 +00:00
if match:
Add Caddy ingress and k8s cluster management features - Add Caddy ingress controller manifest for kind deployments - Add k8s cluster list command for kind cluster management - Add k8s_command import and registration in deploy.py - Fix network section merge to preserve http-proxy settings - Increase default container resources (4 CPUs, 8GB memory) - Add UDP protocol support for K8s port definitions - Add command/entrypoint support for K8s deployments - Implement docker-compose variable expansion for K8s - Set ConfigMap defaultMode to 0755 for executable scripts Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-21 04:14:22 +00:00
inner = match.group(1)
# Check for default value syntax
if ":-" in inner:
var_name, default_val = inner.split(":-", 1)
return env_map.get(var_name, "") or default_val
elif "-" in inner:
var_name, default_val = inner.split("-", 1)
return env_map.get(var_name, default_val)
else:
return env_map.get(inner, "")
return raw_val
Add unlimited-memlock support for Kind clusters Add spec.yml option `security.unlimited-memlock` that configures RLIMIT_MEMLOCK to unlimited for Kind cluster pods. This is needed for workloads like Solana validators that require large amounts of locked memory for memory-mapped files during snapshot decompression. When enabled, generates a cri-base.json file with rlimits and mounts it into the Kind node to override the default containerd runtime spec. Also includes flake8 line-length fixes for affected files. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 01:20:19 +00:00
def envs_from_compose_file(
Fix pyright type errors across codebase - Add pyrightconfig.json for pyright 1.1.408 TOML parsing workaround - Add NoReturn annotations to fatal() functions for proper type narrowing - Add None checks and assertions after require=True get_record() calls - Fix AttrDict class with __getattr__ for dynamic attribute access - Add type annotations and casts for Kubernetes client objects - Store compose config as DockerDeployer instance attributes - Filter None values from dotenv and environment mappings - Use hasattr/getattr patterns for optional container attributes Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 06:10:36 +00:00
compose_file_envs: Mapping[str, str], env_map: Optional[Mapping[str, str]] = None
Add unlimited-memlock support for Kind clusters Add spec.yml option `security.unlimited-memlock` that configures RLIMIT_MEMLOCK to unlimited for Kind cluster pods. This is needed for workloads like Solana validators that require large amounts of locked memory for memory-mapped files during snapshot decompression. When enabled, generates a cri-base.json file with rlimits and mounts it into the Kind node to override the default containerd runtime spec. Also includes flake8 line-length fixes for affected files. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 01:20:19 +00:00
) -> Mapping[str, str]:
Process environment variables defined in compose files (#736) Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/736 Co-authored-by: David Boreham <david@bozemanpass.com> Co-committed-by: David Boreham <david@bozemanpass.com>
2024-02-08 19:41:57 +00:00
result = {}
for env_var, env_val in compose_file_envs.items():
Add Caddy ingress and k8s cluster management features - Add Caddy ingress controller manifest for kind deployments - Add k8s cluster list command for kind cluster management - Add k8s_command import and registration in deploy.py - Fix network section merge to preserve http-proxy settings - Increase default container resources (4 CPUs, 8GB memory) - Add UDP protocol support for K8s port definitions - Add command/entrypoint support for K8s deployments - Implement docker-compose variable expansion for K8s - Set ConfigMap defaultMode to 0755 for executable scripts Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-21 04:14:22 +00:00
expanded_env_val = _expand_shell_vars(env_val, env_map)
Process environment variables defined in compose files (#736) Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/736 Co-authored-by: David Boreham <david@bozemanpass.com> Co-committed-by: David Boreham <david@bozemanpass.com>
2024-02-08 19:41:57 +00:00
result.update({env_var: expanded_env_val})
return result
Add unlimited-memlock support for Kind clusters Add spec.yml option `security.unlimited-memlock` that configures RLIMIT_MEMLOCK to unlimited for Kind cluster pods. This is needed for workloads like Solana validators that require large amounts of locked memory for memory-mapped files during snapshot decompression. When enabled, generates a cri-base.json file with rlimits and mounts it into the Kind node to override the default containerd runtime spec. Also includes flake8 line-length fixes for affected files. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 01:20:19 +00:00
def envs_from_environment_variables_map(
map: Mapping[str, str]
) -> List[client.V1EnvVar]:
Add env var support for k8s (#634)
2023-11-09 00:53:46 +00:00
result = []
for env_var, env_val in map.items():
result.append(client.V1EnvVar(env_var, env_val))
return result
Add generated kind config (#623)
2023-11-06 06:21:53 +00:00
# This needs to know:
# The service ports for the cluster
# The bind mounted volumes for the cluster
#
# Make ports like this:
# extraPortMappings:
# - containerPort: 80
# hostPort: 80
# # optional: set the bind address on the host
# # 0.0.0.0 is the current default
# listenAddress: "127.0.0.1"
# # optional: set the protocol to one of TCP, UDP, SCTP.
# # TCP is the default
# protocol: TCP
# Make bind mounts like this:
# extraMounts:
# - hostPath: /path/to/my/files
# containerPath: /files
Add ConfigMap test. (#726) * Add ConfigMap test. * eof * Minor tweak * Trigger test --------- Co-authored-by: David Boreham <david@bozemanpass.com>
2024-02-05 20:15:11 +00:00
def generate_kind_config(deployment_dir: Path, deployment_context):
Add generated kind config (#623)
2023-11-06 06:21:53 +00:00
compose_file_dir = deployment_dir.joinpath("compose")
# TODO: this should come from the stack file, not this way
pod_files = [p for p in compose_file_dir.iterdir() if p.is_file()]
parsed_pod_files_map = parsed_pod_files_map_from_file_names(pod_files)
port_mappings_yml = _generate_kind_port_mappings(parsed_pod_files_map)
Add unlimited-memlock support for Kind clusters Add spec.yml option `security.unlimited-memlock` that configures RLIMIT_MEMLOCK to unlimited for Kind cluster pods. This is needed for workloads like Solana validators that require large amounts of locked memory for memory-mapped files during snapshot decompression. When enabled, generates a cri-base.json file with rlimits and mounts it into the Kind node to override the default containerd runtime spec. Also includes flake8 line-length fixes for affected files. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 01:20:19 +00:00
mounts_yml = _generate_kind_mounts(
parsed_pod_files_map, deployment_dir, deployment_context
)
Add RuntimeClass support for unlimited RLIMIT_MEMLOCK The previous approach of mounting cri-base.json into kind nodes failed because we didn't tell containerd to use it via containerdConfigPatches. RuntimeClass allows different stacks to have different rlimit profiles, which is essential since kind only supports one cluster per host and multiple stacks share the same cluster. Changes: - Add containerdConfigPatches to kind-config.yml to define runtime handlers - Create RuntimeClass resources after cluster creation - Add runtimeClassName to pod specs based on stack's security settings - Rename cri-base.json to high-memlock-spec.json for clarity - Add get_runtime_class() method to Spec that auto-derives from unlimited-memlock setting Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 06:58:38 +00:00
# Check if unlimited_memlock is enabled
Add unlimited-memlock support for Kind clusters Add spec.yml option `security.unlimited-memlock` that configures RLIMIT_MEMLOCK to unlimited for Kind cluster pods. This is needed for workloads like Solana validators that require large amounts of locked memory for memory-mapped files during snapshot decompression. When enabled, generates a cri-base.json file with rlimits and mounts it into the Kind node to override the default containerd runtime spec. Also includes flake8 line-length fixes for affected files. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 01:20:19 +00:00
unlimited_memlock = deployment_context.spec.get_unlimited_memlock()
Add RuntimeClass support for unlimited RLIMIT_MEMLOCK The previous approach of mounting cri-base.json into kind nodes failed because we didn't tell containerd to use it via containerdConfigPatches. RuntimeClass allows different stacks to have different rlimit profiles, which is essential since kind only supports one cluster per host and multiple stacks share the same cluster. Changes: - Add containerdConfigPatches to kind-config.yml to define runtime handlers - Create RuntimeClass resources after cluster creation - Add runtimeClassName to pod specs based on stack's security settings - Rename cri-base.json to high-memlock-spec.json for clarity - Add get_runtime_class() method to Spec that auto-derives from unlimited-memlock setting Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 06:58:38 +00:00
# Generate containerdConfigPatches for RuntimeClass support
containerd_patches_yml = _generate_containerd_config_patches(
deployment_dir, unlimited_memlock
)
# Add high-memlock spec file mount if needed
Add unlimited-memlock support for Kind clusters Add spec.yml option `security.unlimited-memlock` that configures RLIMIT_MEMLOCK to unlimited for Kind cluster pods. This is needed for workloads like Solana validators that require large amounts of locked memory for memory-mapped files during snapshot decompression. When enabled, generates a cri-base.json file with rlimits and mounts it into the Kind node to override the default containerd runtime spec. Also includes flake8 line-length fixes for affected files. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 01:20:19 +00:00
if unlimited_memlock:
Add RuntimeClass support for unlimited RLIMIT_MEMLOCK The previous approach of mounting cri-base.json into kind nodes failed because we didn't tell containerd to use it via containerdConfigPatches. RuntimeClass allows different stacks to have different rlimit profiles, which is essential since kind only supports one cluster per host and multiple stacks share the same cluster. Changes: - Add containerdConfigPatches to kind-config.yml to define runtime handlers - Create RuntimeClass resources after cluster creation - Add runtimeClassName to pod specs based on stack's security settings - Rename cri-base.json to high-memlock-spec.json for clarity - Add get_runtime_class() method to Spec that auto-derives from unlimited-memlock setting Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 06:58:38 +00:00
spec_mount = _generate_high_memlock_spec_mount(deployment_dir)
Add unlimited-memlock support for Kind clusters Add spec.yml option `security.unlimited-memlock` that configures RLIMIT_MEMLOCK to unlimited for Kind cluster pods. This is needed for workloads like Solana validators that require large amounts of locked memory for memory-mapped files during snapshot decompression. When enabled, generates a cri-base.json file with rlimits and mounts it into the Kind node to override the default containerd runtime spec. Also includes flake8 line-length fixes for affected files. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 01:20:19 +00:00
if mounts_yml:
# Append to existing mounts
Add RuntimeClass support for unlimited RLIMIT_MEMLOCK The previous approach of mounting cri-base.json into kind nodes failed because we didn't tell containerd to use it via containerdConfigPatches. RuntimeClass allows different stacks to have different rlimit profiles, which is essential since kind only supports one cluster per host and multiple stacks share the same cluster. Changes: - Add containerdConfigPatches to kind-config.yml to define runtime handlers - Create RuntimeClass resources after cluster creation - Add runtimeClassName to pod specs based on stack's security settings - Rename cri-base.json to high-memlock-spec.json for clarity - Add get_runtime_class() method to Spec that auto-derives from unlimited-memlock setting Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 06:58:38 +00:00
mounts_yml = mounts_yml.rstrip() + "\n" + spec_mount
Add unlimited-memlock support for Kind clusters Add spec.yml option `security.unlimited-memlock` that configures RLIMIT_MEMLOCK to unlimited for Kind cluster pods. This is needed for workloads like Solana validators that require large amounts of locked memory for memory-mapped files during snapshot decompression. When enabled, generates a cri-base.json file with rlimits and mounts it into the Kind node to override the default containerd runtime spec. Also includes flake8 line-length fixes for affected files. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 01:20:19 +00:00
else:
Add RuntimeClass support for unlimited RLIMIT_MEMLOCK The previous approach of mounting cri-base.json into kind nodes failed because we didn't tell containerd to use it via containerdConfigPatches. RuntimeClass allows different stacks to have different rlimit profiles, which is essential since kind only supports one cluster per host and multiple stacks share the same cluster. Changes: - Add containerdConfigPatches to kind-config.yml to define runtime handlers - Create RuntimeClass resources after cluster creation - Add runtimeClassName to pod specs based on stack's security settings - Rename cri-base.json to high-memlock-spec.json for clarity - Add get_runtime_class() method to Spec that auto-derives from unlimited-memlock setting Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 06:58:38 +00:00
mounts_yml = f" extraMounts:\n{spec_mount}"
Add unlimited-memlock support for Kind clusters Add spec.yml option `security.unlimited-memlock` that configures RLIMIT_MEMLOCK to unlimited for Kind cluster pods. This is needed for workloads like Solana validators that require large amounts of locked memory for memory-mapped files during snapshot decompression. When enabled, generates a cri-base.json file with rlimits and mounts it into the Kind node to override the default containerd runtime spec. Also includes flake8 line-length fixes for affected files. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 01:20:19 +00:00
Add RuntimeClass support for unlimited RLIMIT_MEMLOCK The previous approach of mounting cri-base.json into kind nodes failed because we didn't tell containerd to use it via containerdConfigPatches. RuntimeClass allows different stacks to have different rlimit profiles, which is essential since kind only supports one cluster per host and multiple stacks share the same cluster. Changes: - Add containerdConfigPatches to kind-config.yml to define runtime handlers - Create RuntimeClass resources after cluster creation - Add runtimeClassName to pod specs based on stack's security settings - Rename cri-base.json to high-memlock-spec.json for clarity - Add get_runtime_class() method to Spec that auto-derives from unlimited-memlock setting Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 06:58:38 +00:00
# Build the config - containerdConfigPatches must be at cluster level (before nodes)
config = "kind: Cluster\n" "apiVersion: kind.x-k8s.io/v1alpha4\n"
if containerd_patches_yml:
config += containerd_patches_yml
config += (
Add generated kind config (#623)
2023-11-06 06:21:53 +00:00
"nodes:\n"
"- role: control-plane\n"
Support non-tls ingress for kind (#748) Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/748 Co-authored-by: David Boreham <david@bozemanpass.com> Co-committed-by: David Boreham <david@bozemanpass.com>
2024-02-17 01:54:30 +00:00
" kubeadmConfigPatches:\n"
" - |\n"
" kind: InitConfiguration\n"
" nodeRegistration:\n"
" kubeletExtraArgs:\n"
Add unlimited-memlock support for Kind clusters Add spec.yml option `security.unlimited-memlock` that configures RLIMIT_MEMLOCK to unlimited for Kind cluster pods. This is needed for workloads like Solana validators that require large amounts of locked memory for memory-mapped files during snapshot decompression. When enabled, generates a cri-base.json file with rlimits and mounts it into the Kind node to override the default containerd runtime spec. Also includes flake8 line-length fixes for affected files. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 01:20:19 +00:00
' node-labels: "ingress-ready=true"\n'
Add generated kind config (#623)
2023-11-06 06:21:53 +00:00
f"{port_mappings_yml}\n"
f"{mounts_yml}\n"
)
Add RuntimeClass support for unlimited RLIMIT_MEMLOCK The previous approach of mounting cri-base.json into kind nodes failed because we didn't tell containerd to use it via containerdConfigPatches. RuntimeClass allows different stacks to have different rlimit profiles, which is essential since kind only supports one cluster per host and multiple stacks share the same cluster. Changes: - Add containerdConfigPatches to kind-config.yml to define runtime handlers - Create RuntimeClass resources after cluster creation - Add runtimeClassName to pod specs based on stack's security settings - Rename cri-base.json to high-memlock-spec.json for clarity - Add get_runtime_class() method to Spec that auto-derives from unlimited-memlock setting Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 06:58:38 +00:00
return config