cerc-io
/
stack-orchestrator
mirror of https://github.com/cerc-io/stack-orchestrator
1
0
Fork 0
Code Issues Actions Packages Projects Releases Wiki Activity
stack-orchestrator/stack_orchestrator/deploy/spec.py

214 lines
6.9 KiB
Python
Raw Normal View History

k8s refactor (#595)
2023-10-24 20:44:48 +00:00
# Copyright © 2022, 2023 Vulcanize
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http:#www.gnu.org/licenses/>.
import typing
Switch to Docker-style limits
2024-02-08 06:43:41 +00:00
from pathlib import Path
fix: add pre-commit hooks and fix all lint/type/format errors Process bug fix: no pre-commit existed for this repo's Python code. Added pyproject.toml with unified dependencies (ruff, mypy, ansible-lint), .pre-commit-config.yaml with repo-based hooks (ruff) and local uv-run hooks (mypy, ansible-lint). Fixed 249 ruff errors (B023, B904, B006, B007, UP008, UP031, C408), ~13 mypy type errors, 11 ansible-lint violations, and ruff-format across all Python files including stack-orchestrator subtree. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-10 14:56:22 +00:00
import humanfriendly
Support for k8s ingress and tls (#659)
2023-11-21 23:04:36 +00:00
from stack_orchestrator import constants
fix: add pre-commit hooks and fix all lint/type/format errors Process bug fix: no pre-commit existed for this repo's Python code. Added pyproject.toml with unified dependencies (ruff, mypy, ansible-lint), .pre-commit-config.yaml with repo-based hooks (ruff) and local uv-run hooks (mypy, ansible-lint). Fixed 249 ruff errors (B023, B904, B006, B007, UP008, UP031, C408), ~13 mypy type errors, 11 ansible-lint violations, and ruff-format across all Python files including stack-orchestrator subtree. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-10 14:56:22 +00:00
from stack_orchestrator.util import get_yaml
k8s refactor (#595)
2023-10-24 20:44:48 +00:00
Switch to Docker-style limits
2024-02-08 06:43:41 +00:00
class ResourceLimits:
fix: add pre-commit hooks and fix all lint/type/format errors Process bug fix: no pre-commit existed for this repo's Python code. Added pyproject.toml with unified dependencies (ruff, mypy, ansible-lint), .pre-commit-config.yaml with repo-based hooks (ruff) and local uv-run hooks (mypy, ansible-lint). Fixed 249 ruff errors (B023, B904, B006, B007, UP008, UP031, C408), ~13 mypy type errors, 11 ansible-lint violations, and ruff-format across all Python files including stack-orchestrator subtree. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-10 14:56:22 +00:00
cpus: float | None = None
memory: int | None = None
storage: int | None = None
Switch to Docker-style limits
2024-02-08 06:43:41 +00:00
Auto-detect which certificate to use (including wildcards). (#779) Rather than always requesting a certificate, attempt to re-use an existing certificate if it already exists in the k8s cluster. This includes matching to a wildcard certificate. Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/779 Co-authored-by: Thomas E Lackey <telackey@bozemanpass.com> Co-committed-by: Thomas E Lackey <telackey@bozemanpass.com>
2024-03-07 17:38:36 +00:00
def __init__(self, obj=None):
if obj is None:
obj = {}
Switch to Docker-style limits
2024-02-08 06:43:41 +00:00
if "cpus" in obj:
self.cpus = float(obj["cpus"])
if "memory" in obj:
self.memory = humanfriendly.parse_size(obj["memory"])
if "storage" in obj:
self.storage = humanfriendly.parse_size(obj["storage"])
def __len__(self):
return len(self.__dict__)
def __iter__(self):
for k in self.__dict__:
yield k, self.__dict__[k]
def __repr__(self):
return str(self.__dict__)
class Resources:
fix: add pre-commit hooks and fix all lint/type/format errors Process bug fix: no pre-commit existed for this repo's Python code. Added pyproject.toml with unified dependencies (ruff, mypy, ansible-lint), .pre-commit-config.yaml with repo-based hooks (ruff) and local uv-run hooks (mypy, ansible-lint). Fixed 249 ruff errors (B023, B904, B006, B007, UP008, UP031, C408), ~13 mypy type errors, 11 ansible-lint violations, and ruff-format across all Python files including stack-orchestrator subtree. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-10 14:56:22 +00:00
limits: ResourceLimits | None = None
reservations: ResourceLimits | None = None
Switch to Docker-style limits
2024-02-08 06:43:41 +00:00
Auto-detect which certificate to use (including wildcards). (#779) Rather than always requesting a certificate, attempt to re-use an existing certificate if it already exists in the k8s cluster. This includes matching to a wildcard certificate. Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/779 Co-authored-by: Thomas E Lackey <telackey@bozemanpass.com> Co-committed-by: Thomas E Lackey <telackey@bozemanpass.com>
2024-03-07 17:38:36 +00:00
def __init__(self, obj=None):
if obj is None:
obj = {}
Switch to Docker-style limits
2024-02-08 06:43:41 +00:00
if "reservations" in obj:
self.reservations = ResourceLimits(obj["reservations"])
if "limits" in obj:
self.limits = ResourceLimits(obj["limits"])
def __len__(self):
return len(self.__dict__)
def __iter__(self):
for k in self.__dict__:
yield k, self.__dict__[k]
def __repr__(self):
return str(self.__dict__)
k8s refactor (#595)
2023-10-24 20:44:48 +00:00
class Spec:
obj: typing.Any
fix: add pre-commit hooks and fix all lint/type/format errors Process bug fix: no pre-commit existed for this repo's Python code. Added pyproject.toml with unified dependencies (ruff, mypy, ansible-lint), .pre-commit-config.yaml with repo-based hooks (ruff) and local uv-run hooks (mypy, ansible-lint). Fixed 249 ruff errors (B023, B904, B006, B007, UP008, UP031, C408), ~13 mypy type errors, 11 ansible-lint violations, and ruff-format across all Python files including stack-orchestrator subtree. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-10 14:56:22 +00:00
file_path: Path | None
k8s refactor (#595)
2023-10-24 20:44:48 +00:00
fix: add pre-commit hooks and fix all lint/type/format errors Process bug fix: no pre-commit existed for this repo's Python code. Added pyproject.toml with unified dependencies (ruff, mypy, ansible-lint), .pre-commit-config.yaml with repo-based hooks (ruff) and local uv-run hooks (mypy, ansible-lint). Fixed 249 ruff errors (B023, B904, B006, B007, UP008, UP031, C408), ~13 mypy type errors, 11 ansible-lint violations, and ruff-format across all Python files including stack-orchestrator subtree. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-10 14:56:22 +00:00
def __init__(self, file_path: Path | None = None, obj=None) -> None:
Auto-detect which certificate to use (including wildcards). (#779) Rather than always requesting a certificate, attempt to re-use an existing certificate if it already exists in the k8s cluster. This includes matching to a wildcard certificate. Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/779 Co-authored-by: Thomas E Lackey <telackey@bozemanpass.com> Co-committed-by: Thomas E Lackey <telackey@bozemanpass.com>
2024-03-07 17:38:36 +00:00
if obj is None:
obj = {}
For k8s, use provisioner-managed volumes when an absolute host path is not specified. (#741) In kind, when we bind-mount a host directory it is first mounted into the kind container at /mnt, then into the pod at the desired location. We accidentally picked this up for full-blown k8s, and were creating volumes at /mnt. This changes the behavior for both kind and regular k8s so that bind mounts are only allowed if a fully-qualified path is specified. If no path is specified at all, a default storageClass is assumed to be present, and the volume managed by a provisioner. Eg, for kind, the default provisioner is: https://github.com/rancher/local-path-provisioner ``` stack: test deploy-to: k8s-kind config: test-variable-1: test-value-1 network: ports: test: - '80' volumes: # this will be bind-mounted to a host-path test-data-bind: /srv/data # this will be managed by the k8s node test-data-auto: configmaps: test-config: ./configmap/test-config ``` Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/741 Co-authored-by: Thomas E Lackey <telackey@bozemanpass.com> Co-committed-by: Thomas E Lackey <telackey@bozemanpass.com>
2024-02-14 21:45:01 +00:00
self.file_path = file_path
self.obj = obj
def __getitem__(self, item):
return self.obj[item]
def __contains__(self, item):
return item in self.obj
def get(self, item, default=None):
return self.obj.get(item, default)
k8s refactor (#595)
2023-10-24 20:44:48 +00:00
def init_from_file(self, file_path: Path):
fix: add pre-commit hooks and fix all lint/type/format errors Process bug fix: no pre-commit existed for this repo's Python code. Added pyproject.toml with unified dependencies (ruff, mypy, ansible-lint), .pre-commit-config.yaml with repo-based hooks (ruff) and local uv-run hooks (mypy, ansible-lint). Fixed 249 ruff errors (B023, B904, B006, B007, UP008, UP031, C408), ~13 mypy type errors, 11 ansible-lint violations, and ruff-format across all Python files including stack-orchestrator subtree. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-10 14:56:22 +00:00
self.obj = get_yaml().load(open(file_path))
Path is not a context manager in python 3.13 (#971) Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/971 Reviewed-by: rachmaninovquar <rachmaninovquar@noreply.git.vdb.to>
2025-10-16 17:55:44 +00:00
self.file_path = file_path
Support for k8s ingress and tls (#659)
2023-11-21 23:04:36 +00:00
def get_image_registry(self):
Auto-detect which certificate to use (including wildcards). (#779) Rather than always requesting a certificate, attempt to re-use an existing certificate if it already exists in the k8s cluster. This includes matching to a wildcard certificate. Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/779 Co-authored-by: Thomas E Lackey <telackey@bozemanpass.com> Co-committed-by: Thomas E Lackey <telackey@bozemanpass.com>
2024-03-07 17:38:36 +00:00
return self.obj.get(constants.image_registry_key)
Support for k8s ingress and tls (#659)
2023-11-21 23:04:36 +00:00
fix: add pre-commit hooks and fix all lint/type/format errors Process bug fix: no pre-commit existed for this repo's Python code. Added pyproject.toml with unified dependencies (ruff, mypy, ansible-lint), .pre-commit-config.yaml with repo-based hooks (ruff) and local uv-run hooks (mypy, ansible-lint). Fixed 249 ruff errors (B023, B904, B006, B007, UP008, UP031, C408), ~13 mypy type errors, 11 ansible-lint violations, and ruff-format across all Python files including stack-orchestrator subtree. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-10 14:56:22 +00:00
def get_image_registry_config(self) -> dict | None:
Add private registry authentication support Add ability to configure private container registry credentials in spec.yml for deployments using images from registries like GHCR. - Add get_image_registry_config() to spec.py for parsing image-registry config - Add create_registry_secret() to create K8s docker-registry secrets - Update cluster_info.py to use dynamic {deployment}-registry secret names - Update deploy_k8s.py to create registry secret before deployment - Document feature in deployment_patterns.md The token-env pattern keeps credentials out of git - the spec references an environment variable name, and the actual token is passed at runtime. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-03 17:25:33 +00:00
"""Returns registry auth config: {server, username, token-env}.
Used for private container registries like GHCR. The token-env field
specifies an environment variable containing the API token/PAT.
Rename image-registry to registry-credentials to avoid collision The existing 'image-registry' key is used for pushing images to a remote registry (URL string). Rename the new auth config to 'registry-credentials' to avoid collision. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-03 17:30:35 +00:00
Note: Uses 'registry-credentials' key to avoid collision with
'image-registry' key which is for pushing images.
Add private registry authentication support Add ability to configure private container registry credentials in spec.yml for deployments using images from registries like GHCR. - Add get_image_registry_config() to spec.py for parsing image-registry config - Add create_registry_secret() to create K8s docker-registry secrets - Update cluster_info.py to use dynamic {deployment}-registry secret names - Update deploy_k8s.py to create registry secret before deployment - Document feature in deployment_patterns.md The token-env pattern keeps credentials out of git - the spec references an environment variable name, and the actual token is passed at runtime. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-03 17:25:33 +00:00
"""
fix: add pre-commit hooks and fix all lint/type/format errors Process bug fix: no pre-commit existed for this repo's Python code. Added pyproject.toml with unified dependencies (ruff, mypy, ansible-lint), .pre-commit-config.yaml with repo-based hooks (ruff) and local uv-run hooks (mypy, ansible-lint). Fixed 249 ruff errors (B023, B904, B006, B007, UP008, UP031, C408), ~13 mypy type errors, 11 ansible-lint violations, and ruff-format across all Python files including stack-orchestrator subtree. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-10 14:56:22 +00:00
result: dict[str, str] | None = self.obj.get("registry-credentials")
return result
Add private registry authentication support Add ability to configure private container registry credentials in spec.yml for deployments using images from registries like GHCR. - Add get_image_registry_config() to spec.py for parsing image-registry config - Add create_registry_secret() to create K8s docker-registry secrets - Update cluster_info.py to use dynamic {deployment}-registry secret names - Update deploy_k8s.py to create registry secret before deployment - Document feature in deployment_patterns.md The token-env pattern keeps credentials out of git - the spec references an environment variable name, and the actual token is passed at runtime. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-03 17:25:33 +00:00
Add ConfigMap support for k8s. (#714) * Minor fixes for deploying with k8s and podman. * ConfigMap support
2024-01-31 05:09:48 +00:00
def get_volumes(self):
Auto-detect which certificate to use (including wildcards). (#779) Rather than always requesting a certificate, attempt to re-use an existing certificate if it already exists in the k8s cluster. This includes matching to a wildcard certificate. Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/779 Co-authored-by: Thomas E Lackey <telackey@bozemanpass.com> Co-committed-by: Thomas E Lackey <telackey@bozemanpass.com>
2024-03-07 17:38:36 +00:00
return self.obj.get(constants.volumes_key, {})
Add ConfigMap support for k8s. (#714) * Minor fixes for deploying with k8s and podman. * ConfigMap support
2024-01-31 05:09:48 +00:00
def get_configmaps(self):
Auto-detect which certificate to use (including wildcards). (#779) Rather than always requesting a certificate, attempt to re-use an existing certificate if it already exists in the k8s cluster. This includes matching to a wildcard certificate. Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/779 Co-authored-by: Thomas E Lackey <telackey@bozemanpass.com> Co-committed-by: Thomas E Lackey <telackey@bozemanpass.com>
2024-03-07 17:38:36 +00:00
return self.obj.get(constants.configmaps_key, {})
Add ConfigMap support for k8s. (#714) * Minor fixes for deploying with k8s and podman. * ConfigMap support
2024-01-31 05:09:48 +00:00
Add resource limit options to spec.
2024-02-07 22:48:02 +00:00
def get_container_resources(self):
fix: add pre-commit hooks and fix all lint/type/format errors Process bug fix: no pre-commit existed for this repo's Python code. Added pyproject.toml with unified dependencies (ruff, mypy, ansible-lint), .pre-commit-config.yaml with repo-based hooks (ruff) and local uv-run hooks (mypy, ansible-lint). Fixed 249 ruff errors (B023, B904, B006, B007, UP008, UP031, C408), ~13 mypy type errors, 11 ansible-lint violations, and ruff-format across all Python files including stack-orchestrator subtree. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-10 14:56:22 +00:00
return Resources(self.obj.get(constants.resources_key, {}).get("containers", {}))
Add resource limit options to spec.
2024-02-07 22:48:02 +00:00
fix: add pre-commit hooks and fix all lint/type/format errors Process bug fix: no pre-commit existed for this repo's Python code. Added pyproject.toml with unified dependencies (ruff, mypy, ansible-lint), .pre-commit-config.yaml with repo-based hooks (ruff) and local uv-run hooks (mypy, ansible-lint). Fixed 249 ruff errors (B023, B904, B006, B007, UP008, UP031, C408), ~13 mypy type errors, 11 ansible-lint violations, and ruff-format across all Python files including stack-orchestrator subtree. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-10 14:56:22 +00:00
def get_container_resources_for(self, container_name: str) -> Resources | None:
feat(k8s): per-service resource layering in deployer Resolve container resources using layered priority: 1. spec.yml per-container override (resources.containers.<name>) 2. Compose file deploy.resources block 3. spec.yml global resources 4. DEFAULT_CONTAINER_RESOURCES fallback This prevents monitoring sidecars from inheriting the validator's resource requests (e.g., 256G memory). Each service gets appropriate resources from its compose definition unless explicitly overridden. Note: existing deployments with a global resources block in spec.yml can remove it once compose files declare per-service defaults. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-07 10:26:10 +00:00
"""Look up per-container resource overrides from spec.yml.
Checks resources.containers.<container_name> in the spec. Returns None
if no per-container override exists (caller falls back to other sources).
"""
fix: add pre-commit hooks and fix all lint/type/format errors Process bug fix: no pre-commit existed for this repo's Python code. Added pyproject.toml with unified dependencies (ruff, mypy, ansible-lint), .pre-commit-config.yaml with repo-based hooks (ruff) and local uv-run hooks (mypy, ansible-lint). Fixed 249 ruff errors (B023, B904, B006, B007, UP008, UP031, C408), ~13 mypy type errors, 11 ansible-lint violations, and ruff-format across all Python files including stack-orchestrator subtree. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-10 14:56:22 +00:00
containers_block = self.obj.get(constants.resources_key, {}).get("containers", {})
feat(k8s): per-service resource layering in deployer Resolve container resources using layered priority: 1. spec.yml per-container override (resources.containers.<name>) 2. Compose file deploy.resources block 3. spec.yml global resources 4. DEFAULT_CONTAINER_RESOURCES fallback This prevents monitoring sidecars from inheriting the validator's resource requests (e.g., 256G memory). Each service gets appropriate resources from its compose definition unless explicitly overridden. Note: existing deployments with a global resources block in spec.yml can remove it once compose files declare per-service defaults. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-07 10:26:10 +00:00
if container_name in containers_block:
entry = containers_block[container_name]
# Only treat it as a per-container override if it's a dict with
# reservations/limits nested inside (not a top-level global key)
fix: add pre-commit hooks and fix all lint/type/format errors Process bug fix: no pre-commit existed for this repo's Python code. Added pyproject.toml with unified dependencies (ruff, mypy, ansible-lint), .pre-commit-config.yaml with repo-based hooks (ruff) and local uv-run hooks (mypy, ansible-lint). Fixed 249 ruff errors (B023, B904, B006, B007, UP008, UP031, C408), ~13 mypy type errors, 11 ansible-lint violations, and ruff-format across all Python files including stack-orchestrator subtree. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-10 14:56:22 +00:00
if isinstance(entry, dict) and ("reservations" in entry or "limits" in entry):
feat(k8s): per-service resource layering in deployer Resolve container resources using layered priority: 1. spec.yml per-container override (resources.containers.<name>) 2. Compose file deploy.resources block 3. spec.yml global resources 4. DEFAULT_CONTAINER_RESOURCES fallback This prevents monitoring sidecars from inheriting the validator's resource requests (e.g., 256G memory). Each service gets appropriate resources from its compose definition unless explicitly overridden. Note: existing deployments with a global resources block in spec.yml can remove it once compose files declare per-service defaults. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-07 10:26:10 +00:00
return Resources(entry)
return None
Add resource limit options to spec.
2024-02-07 22:48:02 +00:00
def get_volume_resources(self):
fix: add pre-commit hooks and fix all lint/type/format errors Process bug fix: no pre-commit existed for this repo's Python code. Added pyproject.toml with unified dependencies (ruff, mypy, ansible-lint), .pre-commit-config.yaml with repo-based hooks (ruff) and local uv-run hooks (mypy, ansible-lint). Fixed 249 ruff errors (B023, B904, B006, B007, UP008, UP031, C408), ~13 mypy type errors, 11 ansible-lint violations, and ruff-format across all Python files including stack-orchestrator subtree. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-10 14:56:22 +00:00
return Resources(self.obj.get(constants.resources_key, {}).get(constants.volumes_key, {}))
Add resource limit options to spec.
2024-02-07 22:48:02 +00:00
Support for k8s ingress and tls (#659)
2023-11-21 23:04:36 +00:00
def get_http_proxy(self):
Auto-detect which certificate to use (including wildcards). (#779) Rather than always requesting a certificate, attempt to re-use an existing certificate if it already exists in the k8s cluster. This includes matching to a wildcard certificate. Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/779 Co-authored-by: Thomas E Lackey <telackey@bozemanpass.com> Co-committed-by: Thomas E Lackey <telackey@bozemanpass.com>
2024-03-07 17:38:36 +00:00
return self.obj.get(constants.network_key, {}).get(constants.http_proxy_key, [])
Add support for annotations and labels in spec. (#739) ``` stack: webapp-deployer-backend deploy-to: k8s annotations: foo.bar.annot/{name}: baz labels: a.b.c/{name}.blah: "value" ``` Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/739 Co-authored-by: Thomas E Lackey <telackey@bozemanpass.com> Co-committed-by: Thomas E Lackey <telackey@bozemanpass.com>
2024-02-09 00:11:07 +00:00
def get_annotations(self):
Auto-detect which certificate to use (including wildcards). (#779) Rather than always requesting a certificate, attempt to re-use an existing certificate if it already exists in the k8s cluster. This includes matching to a wildcard certificate. Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/779 Co-authored-by: Thomas E Lackey <telackey@bozemanpass.com> Co-committed-by: Thomas E Lackey <telackey@bozemanpass.com>
2024-03-07 17:38:36 +00:00
return self.obj.get(constants.annotations_key, {})
Add support for annotations and labels in spec. (#739) ``` stack: webapp-deployer-backend deploy-to: k8s annotations: foo.bar.annot/{name}: baz labels: a.b.c/{name}.blah: "value" ``` Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/739 Co-authored-by: Thomas E Lackey <telackey@bozemanpass.com> Co-committed-by: Thomas E Lackey <telackey@bozemanpass.com>
2024-02-09 00:11:07 +00:00
Support multiple NodePorts, static NodePort mapping, and add 'replicas' spec option (#913) NodePort example: ``` network: ports: caddy: - 1234 - 32020:2020 ``` Replicas example: ``` replicas: 2 ``` This also adds an optimization for k8s where if a directory matching the name of a configmap exists in beneath config/ in the stack, its contents will be copied into the corresponding configmap. For example: ``` # Config files in the stack ❯ ls stack-orchestrator/config/caddyconfig Caddyfile Caddyfile.one-req-per-upstream-example # ConfigMap in the spec ❯ cat foo.yml | grep config ... configmaps: caddyconfig: ./configmaps/caddyconfig # Create the deployment ❯ laconic-so --stack ~/cerc/caddy-ethcache/stack-orchestrator/stacks/caddy-ethcache deploy create --spec-file foo.yml # The files from beneath config/<config_map_name> have been copied to the ConfigMap directory from the spec. ❯ ls deployment-001/configmaps/caddyconfig Caddyfile Caddyfile.one-req-per-upstream-example ``` Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/913 Reviewed-by: David Boreham <dboreham@noreply.git.vdb.to> Co-authored-by: Thomas E Lackey <telackey@bozemanpass.com> Co-committed-by: Thomas E Lackey <telackey@bozemanpass.com>
2024-08-09 02:32:06 +00:00
def get_replicas(self):
return self.obj.get(constants.replicas_key, 1)
Add support for k8s pod to node affinity and taint toleration (#917) Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/917 Reviewed-by: Thomas E Lackey <telackey@noreply.git.vdb.to> Co-authored-by: David Boreham <david@bozemanpass.com> Co-committed-by: David Boreham <david@bozemanpass.com>
2024-08-15 20:32:58 +00:00
def get_node_affinities(self):
return self.obj.get(constants.node_affinities_key, [])
def get_node_tolerations(self):
return self.obj.get(constants.node_tolerations_key, [])
Add support for annotations and labels in spec. (#739) ``` stack: webapp-deployer-backend deploy-to: k8s annotations: foo.bar.annot/{name}: baz labels: a.b.c/{name}.blah: "value" ``` Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/739 Co-authored-by: Thomas E Lackey <telackey@bozemanpass.com> Co-committed-by: Thomas E Lackey <telackey@bozemanpass.com>
2024-02-09 00:11:07 +00:00
def get_labels(self):
Auto-detect which certificate to use (including wildcards). (#779) Rather than always requesting a certificate, attempt to re-use an existing certificate if it already exists in the k8s cluster. This includes matching to a wildcard certificate. Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/779 Co-authored-by: Thomas E Lackey <telackey@bozemanpass.com> Co-committed-by: Thomas E Lackey <telackey@bozemanpass.com>
2024-03-07 17:38:36 +00:00
return self.obj.get(constants.labels_key, {})
Add support for annotations and labels in spec. (#739) ``` stack: webapp-deployer-backend deploy-to: k8s annotations: foo.bar.annot/{name}: baz labels: a.b.c/{name}.blah: "value" ``` Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/739 Co-authored-by: Thomas E Lackey <telackey@bozemanpass.com> Co-committed-by: Thomas E Lackey <telackey@bozemanpass.com>
2024-02-09 00:11:07 +00:00
def get_privileged(self):
Add unlimited-memlock support for Kind clusters Add spec.yml option `security.unlimited-memlock` that configures RLIMIT_MEMLOCK to unlimited for Kind cluster pods. This is needed for workloads like Solana validators that require large amounts of locked memory for memory-mapped files during snapshot decompression. When enabled, generates a cri-base.json file with rlimits and mounts it into the Kind node to override the default containerd runtime spec. Also includes flake8 line-length fixes for affected files. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 01:20:19 +00:00
return (
"true"
fix: add pre-commit hooks and fix all lint/type/format errors Process bug fix: no pre-commit existed for this repo's Python code. Added pyproject.toml with unified dependencies (ruff, mypy, ansible-lint), .pre-commit-config.yaml with repo-based hooks (ruff) and local uv-run hooks (mypy, ansible-lint). Fixed 249 ruff errors (B023, B904, B006, B007, UP008, UP031, C408), ~13 mypy type errors, 11 ansible-lint violations, and ruff-format across all Python files including stack-orchestrator subtree. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-10 14:56:22 +00:00
== str(self.obj.get(constants.security_key, {}).get("privileged", "false")).lower()
Add unlimited-memlock support for Kind clusters Add spec.yml option `security.unlimited-memlock` that configures RLIMIT_MEMLOCK to unlimited for Kind cluster pods. This is needed for workloads like Solana validators that require large amounts of locked memory for memory-mapped files during snapshot decompression. When enabled, generates a cri-base.json file with rlimits and mounts it into the Kind node to override the default containerd runtime spec. Also includes flake8 line-length fixes for affected files. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 01:20:19 +00:00
)
Add support for annotations and labels in spec. (#739) ``` stack: webapp-deployer-backend deploy-to: k8s annotations: foo.bar.annot/{name}: baz labels: a.b.c/{name}.blah: "value" ``` Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/739 Co-authored-by: Thomas E Lackey <telackey@bozemanpass.com> Co-committed-by: Thomas E Lackey <telackey@bozemanpass.com>
2024-02-09 00:11:07 +00:00
def get_capabilities(self):
Auto-detect which certificate to use (including wildcards). (#779) Rather than always requesting a certificate, attempt to re-use an existing certificate if it already exists in the k8s cluster. This includes matching to a wildcard certificate. Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/779 Co-authored-by: Thomas E Lackey <telackey@bozemanpass.com> Co-committed-by: Thomas E Lackey <telackey@bozemanpass.com>
2024-03-07 17:38:36 +00:00
return self.obj.get(constants.security_key, {}).get("capabilities", [])
For k8s, use provisioner-managed volumes when an absolute host path is not specified. (#741) In kind, when we bind-mount a host directory it is first mounted into the kind container at /mnt, then into the pod at the desired location. We accidentally picked this up for full-blown k8s, and were creating volumes at /mnt. This changes the behavior for both kind and regular k8s so that bind mounts are only allowed if a fully-qualified path is specified. If no path is specified at all, a default storageClass is assumed to be present, and the volume managed by a provisioner. Eg, for kind, the default provisioner is: https://github.com/rancher/local-path-provisioner ``` stack: test deploy-to: k8s-kind config: test-variable-1: test-value-1 network: ports: test: - '80' volumes: # this will be bind-mounted to a host-path test-data-bind: /srv/data # this will be managed by the k8s node test-data-auto: configmaps: test-config: ./configmap/test-config ``` Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/741 Co-authored-by: Thomas E Lackey <telackey@bozemanpass.com> Co-committed-by: Thomas E Lackey <telackey@bozemanpass.com>
2024-02-14 21:45:01 +00:00
Add unlimited-memlock support for Kind clusters Add spec.yml option `security.unlimited-memlock` that configures RLIMIT_MEMLOCK to unlimited for Kind cluster pods. This is needed for workloads like Solana validators that require large amounts of locked memory for memory-mapped files during snapshot decompression. When enabled, generates a cri-base.json file with rlimits and mounts it into the Kind node to override the default containerd runtime spec. Also includes flake8 line-length fixes for affected files. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 01:20:19 +00:00
def get_unlimited_memlock(self):
return (
"true"
== str(
self.obj.get(constants.security_key, {}).get(
constants.unlimited_memlock_key, "false"
)
).lower()
)
Add RuntimeClass support for unlimited RLIMIT_MEMLOCK The previous approach of mounting cri-base.json into kind nodes failed because we didn't tell containerd to use it via containerdConfigPatches. RuntimeClass allows different stacks to have different rlimit profiles, which is essential since kind only supports one cluster per host and multiple stacks share the same cluster. Changes: - Add containerdConfigPatches to kind-config.yml to define runtime handlers - Create RuntimeClass resources after cluster creation - Add runtimeClassName to pod specs based on stack's security settings - Rename cri-base.json to high-memlock-spec.json for clarity - Add get_runtime_class() method to Spec that auto-derives from unlimited-memlock setting Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 06:58:38 +00:00
def get_runtime_class(self):
"""Get runtime class name from spec, or derive from security settings.
The runtime class determines which containerd runtime handler to use,
allowing different pods to have different rlimit profiles (e.g., for
unlimited RLIMIT_MEMLOCK).
Returns:
Runtime class name string, or None to use default runtime.
"""
# Explicit runtime class takes precedence
fix: add pre-commit hooks and fix all lint/type/format errors Process bug fix: no pre-commit existed for this repo's Python code. Added pyproject.toml with unified dependencies (ruff, mypy, ansible-lint), .pre-commit-config.yaml with repo-based hooks (ruff) and local uv-run hooks (mypy, ansible-lint). Fixed 249 ruff errors (B023, B904, B006, B007, UP008, UP031, C408), ~13 mypy type errors, 11 ansible-lint violations, and ruff-format across all Python files including stack-orchestrator subtree. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-10 14:56:22 +00:00
explicit = self.obj.get(constants.security_key, {}).get(constants.runtime_class_key, None)
Add RuntimeClass support for unlimited RLIMIT_MEMLOCK The previous approach of mounting cri-base.json into kind nodes failed because we didn't tell containerd to use it via containerdConfigPatches. RuntimeClass allows different stacks to have different rlimit profiles, which is essential since kind only supports one cluster per host and multiple stacks share the same cluster. Changes: - Add containerdConfigPatches to kind-config.yml to define runtime handlers - Create RuntimeClass resources after cluster creation - Add runtimeClassName to pod specs based on stack's security settings - Rename cri-base.json to high-memlock-spec.json for clarity - Add get_runtime_class() method to Spec that auto-derives from unlimited-memlock setting Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 06:58:38 +00:00
if explicit:
return explicit
# Auto-derive from unlimited-memlock setting
if self.get_unlimited_memlock():
return constants.high_memlock_runtime
return None # Use default runtime
For k8s, use provisioner-managed volumes when an absolute host path is not specified. (#741) In kind, when we bind-mount a host directory it is first mounted into the kind container at /mnt, then into the pod at the desired location. We accidentally picked this up for full-blown k8s, and were creating volumes at /mnt. This changes the behavior for both kind and regular k8s so that bind mounts are only allowed if a fully-qualified path is specified. If no path is specified at all, a default storageClass is assumed to be present, and the volume managed by a provisioner. Eg, for kind, the default provisioner is: https://github.com/rancher/local-path-provisioner ``` stack: test deploy-to: k8s-kind config: test-variable-1: test-value-1 network: ports: test: - '80' volumes: # this will be bind-mounted to a host-path test-data-bind: /srv/data # this will be managed by the k8s node test-data-auto: configmaps: test-config: ./configmap/test-config ``` Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/741 Co-authored-by: Thomas E Lackey <telackey@bozemanpass.com> Co-committed-by: Thomas E Lackey <telackey@bozemanpass.com>
2024-02-14 21:45:01 +00:00
def get_deployment_type(self):
Auto-detect which certificate to use (including wildcards). (#779) Rather than always requesting a certificate, attempt to re-use an existing certificate if it already exists in the k8s cluster. This includes matching to a wildcard certificate. Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/779 Co-authored-by: Thomas E Lackey <telackey@bozemanpass.com> Co-committed-by: Thomas E Lackey <telackey@bozemanpass.com>
2024-03-07 17:38:36 +00:00
return self.obj.get(constants.deploy_to_key)
For k8s, use provisioner-managed volumes when an absolute host path is not specified. (#741) In kind, when we bind-mount a host directory it is first mounted into the kind container at /mnt, then into the pod at the desired location. We accidentally picked this up for full-blown k8s, and were creating volumes at /mnt. This changes the behavior for both kind and regular k8s so that bind mounts are only allowed if a fully-qualified path is specified. If no path is specified at all, a default storageClass is assumed to be present, and the volume managed by a provisioner. Eg, for kind, the default provisioner is: https://github.com/rancher/local-path-provisioner ``` stack: test deploy-to: k8s-kind config: test-variable-1: test-value-1 network: ports: test: - '80' volumes: # this will be bind-mounted to a host-path test-data-bind: /srv/data # this will be managed by the k8s node test-data-auto: configmaps: test-config: ./configmap/test-config ``` Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/741 Co-authored-by: Thomas E Lackey <telackey@bozemanpass.com> Co-committed-by: Thomas E Lackey <telackey@bozemanpass.com>
2024-02-14 21:45:01 +00:00
Fix Caddy ingress ACME email and RBAC issues - Add acme_email_key constant for spec.yml parsing - Add get_acme_email() method to Spec class - Modify install_ingress_for_kind() to patch ConfigMap with email - Pass acme-email from spec to ingress installation - Add 'delete' verb to leases RBAC for certificate lock cleanup The acme-email field in spec.yml was previously ignored, causing Let's Encrypt to fail with "unable to parse email address". The missing delete permission on leases caused lock cleanup failures. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-03 00:13:10 +00:00
def get_acme_email(self):
Fix restart command for GitOps deployments - Remove init_operation() from restart - don't regenerate spec from commands.py defaults, use existing git-tracked spec.yml instead - Add docs/deployment_patterns.md documenting GitOps workflow - Add pre-commit rule to CLAUDE.md - Fix line length issues in helpers.py Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-03 03:18:19 +00:00
return self.obj.get(constants.network_key, {}).get(constants.acme_email_key, "")
Fix Caddy ingress ACME email and RBAC issues - Add acme_email_key constant for spec.yml parsing - Add get_acme_email() method to Spec class - Modify install_ingress_for_kind() to patch ConfigMap with email - Pass acme-email from spec to ingress installation - Add 'delete' verb to leases RBAC for certificate lock cleanup The acme-email field in spec.yml was previously ignored, causing Let's Encrypt to fail with "unable to parse email address". The missing delete permission on leases caused lock cleanup failures. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-03 00:13:10 +00:00
For k8s, use provisioner-managed volumes when an absolute host path is not specified. (#741) In kind, when we bind-mount a host directory it is first mounted into the kind container at /mnt, then into the pod at the desired location. We accidentally picked this up for full-blown k8s, and were creating volumes at /mnt. This changes the behavior for both kind and regular k8s so that bind mounts are only allowed if a fully-qualified path is specified. If no path is specified at all, a default storageClass is assumed to be present, and the volume managed by a provisioner. Eg, for kind, the default provisioner is: https://github.com/rancher/local-path-provisioner ``` stack: test deploy-to: k8s-kind config: test-variable-1: test-value-1 network: ports: test: - '80' volumes: # this will be bind-mounted to a host-path test-data-bind: /srv/data # this will be managed by the k8s node test-data-auto: configmaps: test-config: ./configmap/test-config ``` Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/741 Co-authored-by: Thomas E Lackey <telackey@bozemanpass.com> Co-committed-by: Thomas E Lackey <telackey@bozemanpass.com>
2024-02-14 21:45:01 +00:00
def is_kubernetes_deployment(self):
Add unlimited-memlock support for Kind clusters Add spec.yml option `security.unlimited-memlock` that configures RLIMIT_MEMLOCK to unlimited for Kind cluster pods. This is needed for workloads like Solana validators that require large amounts of locked memory for memory-mapped files during snapshot decompression. When enabled, generates a cri-base.json file with rlimits and mounts it into the Kind node to override the default containerd runtime spec. Also includes flake8 line-length fixes for affected files. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 01:20:19 +00:00
return self.get_deployment_type() in [
constants.k8s_kind_deploy_type,
constants.k8s_deploy_type,
]
For k8s, use provisioner-managed volumes when an absolute host path is not specified. (#741) In kind, when we bind-mount a host directory it is first mounted into the kind container at /mnt, then into the pod at the desired location. We accidentally picked this up for full-blown k8s, and were creating volumes at /mnt. This changes the behavior for both kind and regular k8s so that bind mounts are only allowed if a fully-qualified path is specified. If no path is specified at all, a default storageClass is assumed to be present, and the volume managed by a provisioner. Eg, for kind, the default provisioner is: https://github.com/rancher/local-path-provisioner ``` stack: test deploy-to: k8s-kind config: test-variable-1: test-value-1 network: ports: test: - '80' volumes: # this will be bind-mounted to a host-path test-data-bind: /srv/data # this will be managed by the k8s node test-data-auto: configmaps: test-config: ./configmap/test-config ``` Reviewed-on: https://git.vdb.to/cerc-io/stack-orchestrator/pulls/741 Co-authored-by: Thomas E Lackey <telackey@bozemanpass.com> Co-committed-by: Thomas E Lackey <telackey@bozemanpass.com>
2024-02-14 21:45:01 +00:00
def is_kind_deployment(self):
return self.get_deployment_type() in [constants.k8s_kind_deploy_type]
def is_docker_deployment(self):
return self.get_deployment_type() in [constants.compose_deploy_type]