Add ability to execute scripts via Kubernetes Jobs #690
Conversation
APErebus
force-pushed
the
ap/k8s-jobs-script-execution
branch
from
562aea6 to
58762ac
Compare
APErebus
force-pushed
the
ap/k8s-jobs-script-execution
branch
from
b6234e2 to
5069e7a
Compare
| { | ||
| public KubernetesClientConfiguration Get() | ||
| { | ||
| return KubernetesClientConfiguration.InClusterConfig(); |
There was a problem hiding this comment.
When we are running in a cluster, this will just use the ambient service account auth
| { | ||
| var versionInfo = await Client.Version.GetCodeAsync(); | ||
|
|
||
| return new ClusterVersion(int.Parse(versionInfo.Major), int.Parse(versionInfo.Minor)); |
There was a problem hiding this comment.
the patch number of a k8s cluster is not provided by the cluster itself (and isn't important for what we need it for)
| } | ||
| } | ||
|
|
||
| public async Task Watch(ScriptTicket scriptTicket, Func<V1Job, bool> onChange, Action<Exception> onError, CancellationToken cancellationToken) |
There was a problem hiding this comment.
Rather than polling the TryGet endpoint continually, this creates an IAsyncEnumerable which yields when there is a change
|
|
||
| format() { | ||
| now=$(date -u +"%Y-%m-%dT%H:%M:%S.%N%z") | ||
| echo "$now|$2" | tee -a "$1" |
There was a problem hiding this comment.
we use tee so the logs are written to the job/pod logs as well as the log files
| # This ungodly hack is to stop the pod from being killed before the last log has been flushed | ||
| sleep 0.250 #250ms |
There was a problem hiding this comment.
It seems like the pod is destroyed before the file logs are flushed. This little hack just gives the pod time to flush the last redirected output to the files
|
This pull request has been linked to Shortcut Story #59580: Add ability for Tentacle to schedule new k8s jobs when running scripts/deployments. |
| { | ||
| public static class KubernetesConfig | ||
| { | ||
| public static string Namespace => Environment.GetEnvironmentVariable("OCTOPUS__K8STENTACLE__NAMESPACE") |
There was a problem hiding this comment.
Minor suggestion, might be a little cleaner with a local helper function since there are a bunch of environment variable lookups with this pattern.
Given its only 3 its borderline that its needed
There was a problem hiding this comment.
I chose to pull out a common method in a2a48b7
| timeoutSeconds: 1800, //same as the TTL of the job itself | ||
| cancellationToken: cancellationToken); | ||
|
|
||
| await foreach (var (type, job) in response.WatchAsync<V1Job, V1JobList>(onError, cancellationToken: cancellationToken)) |
| using var writer = ScriptLog.CreateWriter(); | ||
| try | ||
| { | ||
| using (ScriptIsolationMutex.Acquire(workspace.IsolationLevel, |
There was a problem hiding this comment.
This presumably works because when running one instance, the mutex is accessable by that one Tentacle process.
If/when we allow multiple instances to run within a cluster we may need to answer if this isolationlevel check is still relevant.
There was a problem hiding this comment.
Correct. When/if we get to HA, then we'll need a different approach to how to do the script isolation mutex or, as you say, if it's still relevant
| }, | ||
| ServiceAccountName = KubernetesConfig.JobServiceAccountName, | ||
| RestartPolicy = "Never", | ||
| Volumes = volumes |
There was a problem hiding this comment.
Nice to see that worked :)
| }, | ||
| Env = new List<V1EnvVar> | ||
| { | ||
| new(EnvironmentVariables.TentacleHome, $"/data/tentacle-home/{instanceName}"), |
There was a problem hiding this comment.
Some of those other environment variables sound like they could be relevant for Calamari. TentacleJournal or TentacleInstanceName?
There was a problem hiding this comment.
hrm, good call. I'll investigate. I added these ones because they were needed for the health-check
There was a problem hiding this comment.
Yep, I missed TentacleJournal and TentacleInstanceName. Added in a2a48b7
| new(1, 28, 2), | ||
| }; | ||
|
|
||
| async Task<string> GetDefaultContainer() |
There was a problem hiding this comment.
Minor, consider pulling some parts of this class such as this worker tool container resolution into its own class that can be tested seperately. ALso makes this class easier to grok.
There was a problem hiding this comment.
Done. Created a new KubernetesJobContainerResolver in a2a48b7
| } | ||
|
|
||
| public IScriptExecutor GetExecutor() | ||
| { | ||
| return shellScriptExecutor.Value; | ||
| return KubernetesConfig.UseJobs switch |
There was a problem hiding this comment.
Would it be simpler to push as much of the "if k8s do this" into being container registration concern?
There was a problem hiding this comment.
yeah, fair call. I'll move this into the module and only register the appropriate executor based on the env var
There was a problem hiding this comment.
Done in a2a48b7
There is no longer a factory and the script executors are now conditionaly registered in the Autofac container
|
@zentron I've updated the PR with the changes suggested. I did end up removing the I also pulled the container stuff into a new class, |
Background
This is the big one 😱
This adds support for executing scripts supplied to
ScriptServiceV3Alphaby Kubernetes Jobs.Results
Adds a new
KubernetesJobScriptExecutorthat is used when the environment variableOCTOPUS__TENTACLE__K8SUSEJOBSis set toTrueAt a high level, the new
RunningKubernetesJobScriptcreates a new k8s Job and executes theBootstrapscript sent from server in theoctopuslabs/k8-workertoolscontainer image. It then starts two background processes, one to monitor the status of the job itself (so it knows when it's finished) and another to read the streamed log files (stdout.logandstderr.log) and write them into theOutput.log. For more info on this process, see belowThe tag of the worker tools image used is linked to the version of k8s the tentacle is running in, which we query via the API.
It's implied that there is also a volume called
tentacle-homethat has access to the tentacle's work directory so it can execute the script. This is supplied as raw yaml in theOCTOPUS__TENTACLE__K8SJOBVOLUMEYAMLenvironment variable.Script Logs
As Tentacle needs to write the
Output.login a thread-safe manner (so logs don't get munged), we execute the bootstrap script using abootstrapRunner.shscript which redirects thestdoutandstderrstreams from theBootstrapscript into two files in the work directory,stdout.logandstderr.log. Then there is a process in theKubernetesJobOutputStreamWriterclass that periodically (every 250ms) tail observes those files for new log entries. When there are, they are then written to the tentacle'sOutput.logunder the same locking mechanism as the rest of the code.Once the job is finished, we perform one last read of those files just in case there was final log items flushed.
Testing
Currently there is no automated tests for this code. I'm still working on refining it so manual testing will suffice for now until the codebase stabilises.
I was able to successfully run a health check for the the
Kubernetes Tentaclein my local server.Shortcut story: [sc-59580]
After
How to review this PR
Quality ✔️
Pre-requisites