Use generic fog provider for external blobstore

cloudfoundry-incubator · Nov 3, 2020 · 9166918 · 9166918
1 parent 5bf018c
commit 9166918
Show file tree

Hide file tree

Showing 14 changed files with 247 additions and 182 deletions.
diff --git a/chart/assets/operations/instance_groups/singleton-blobstore.yaml b/chart/assets/operations/instance_groups/singleton-blobstore.yaml
@@ -13,7 +13,7 @@
 
 - type: replace
   path: /instance_groups/name=singleton-blobstore/jobs/name=blobstore/properties/blobstore/internal_access_rules?
-  value: [ "allow 10.0.0.0/8;","allow 172.16.0.0/12;", "allow 192.168.0.0/16;" , "allow 100.64.0.0/10;"]
+  value: [ "allow 10.0.0.0/8;","allow 172.16.0.0/12;", "allow 192.168.0.0/16;", "allow 100.64.0.0/10;"]
 - type: replace
   path: /instance_groups/name=singleton-blobstore/jobs/name=blobstore/properties/quarks?
   value:
@@ -50,4 +50,37 @@
 {{- range $bytes := .Files.Glob "assets/operations/pre_render_scripts/singleton-blobstore_*" }}
 {{ $bytes | toString }}
 {{- end }}
+
+{{- else }}
+- type: remove
+  path: /instance_groups/name=singleton-blobstore
+
+# remove unnecessary variables for internal blobstore
+- type: remove
+  path: /variables/name=blobstore_admin_users_password
+
+- type: remove
+  path: /variables/name=blobstore_secure_link_secret
+
+- type: remove
+  path: /variables/name=blobstore_tls
+
+{{- $buckets := dict }}
+{{- $_ := set $buckets "buildpacks" "buildpack" }}
+{{- $_ := set $buckets "droplets" "droplet" }}
+{{- $_ := set $buckets "packages" "app_package" }}
+{{- $_ := set $buckets "resource_pool" "resource" }}
+
+{{- range $bucket, $index := $buckets }}
+{{- include "_capi.setProperty" (list $bucket) }}
+
+{{- $path := printf "%s.fog_connection" $bucket }}
+{{- /* XXX Value should be "((fog_connection))" because it contains secrets */}}
+{{- include "_capi.setProperty" (list $path $.Values.features.blobstore.fog.connection) }}
+
+{{- $key := printf "%s_directory_key" $index }}
+{{- $path = printf "%s.%s" $bucket $key }}
+{{- include "_capi.setProperty" (list $path (index $.Values.features.blobstore.fog $key)) }}
+{{- end }}
+
 {{- end }}
diff --git a/chart/templates/_capi.tpl b/chart/templates/_capi.tpl
@@ -12,20 +12,28 @@
 ==========================================================================================
 */}}
 {{- define "_capi.setProperty" }}
-  {{- $property := index . 0 }}
-  {{- $value := index . 1 }}
+  {{- $params := . }}
+  {{- $property := index $params 0 }}
 
   {{- $ig := dict }}
   {{- $_ := set $ig "cloud_controller_ng"     "api"       }}
   {{- $_ := set $ig "cloud_controller_worker" "cc-worker" }}
   {{- $_ := set $ig "cloud_controller_clock"  "scheduler" }}
-  {{- $_ := set $ig "cc_deployment_updater"   "scheduler" }}
-  {{- /* XXX cc_route_syncer is not in cf-deployment; see CF-K8s-Networking */}}
-  {{- /* $_ := set $ig "cc_route_syncer" "???" */}}
+
+  {{- /* The buildpacks properties are only defined for the CC jobs */}}
+  {{- if not (hasPrefix "buildpacks" $property) }}
+    {{- $_ := set $ig "cc_deployment_updater"   "scheduler" }}
+    {{- /* XXX cc_route_syncer is not in cf-deployment; see CF-K8s-Networking */}}
+    {{- /* $_ := set $ig "cc_route_syncer" "???" */}}
+  {{- end }}
 
   {{- range $job, $instance_group := $ig }}
-- type: replace
-  path: /instance_groups/name={{ $instance_group }}/jobs/name={{ $job }}?/properties/cc/{{ $property | replace "." "/" }}
-  value: {{ $value | toJson }}
+- path: /instance_groups/name={{ $instance_group }}/jobs/name={{ $job }}?/properties/cc/{{ $property | replace "." "/" }}
+    {{- if eq (len $params) 1 }}
+  type: remove
+    {{- else }}
+  type: replace
+  value: {{ index $params 1 | toJson }}
+    {{- end }}
   {{- end }}
 {{- end }}
diff --git a/chart/templates/_features.tpl b/chart/templates/_features.tpl
@@ -8,10 +8,10 @@
 */}}
 {{- define "_features.update" }}
   {{- /* Translate blobstore.provider feature into a proper boolean we can query in the conditions */}}
-  {{- if eq $.Values.features.blobstore.provider "s3" }}
-    {{- $_ := merge $.Values (dict "features" (dict "external_blobstore" (dict "enabled" true))) }}
-  {{- else }}
+  {{- if eq $.Values.features.blobstore.provider "singleton" }}
     {{- $_ := merge $.Values (dict "features" (dict "external_blobstore" (dict "enabled" false))) }}
+  {{- else }}
+    {{- $_ := merge $.Values (dict "features" (dict "external_blobstore" (dict "enabled" true))) }}
   {{- end}}
   {{- /* Fix routing_api to proper (per-scheduler) default when not overriden by user */}}
   {{- if kindIs "invalid" $.Values.features.routing_api.enabled }}

diff --git a/chart/templates/bosh_deployment.yaml b/chart/templates/bosh_deployment.yaml
@@ -38,18 +38,6 @@ spec:
     type: configmap
 {{- end }}
 
-{{- if eq .Values.features.blobstore.provider "s3" }}
-# S3 blobstore operations
-  - name: {{ include "kubecf.ops-name" (dict "Path" "assets/use-external-blobstore.yml") }}
-    type: configmap
-  - name: {{ include "kubecf.ops-name" (dict "Path" "assets/use-s3-blobstore.yml") }}
-    type: configmap
-{{- if .Values.features.eirini.enabled }}
-  - name: {{ include "kubecf.ops-name" (dict "Path" "assets/configure-bits-service-s3.yml") }}
-    type: configmap
-{{- end }}
-{{- end }}
-
 # Instance group operations
 {{- range $path, $bytes := .Files.Glob "assets/operations/instance_groups/*" }}
   - name: {{ include "kubecf.ops-name" (dict "Path" $path) }}

diff --git a/chart/templates/fog-blobstore.yaml b/chart/templates/fog-blobstore.yaml
@@ -0,0 +1,20 @@
+{{- include "_config.load" $ }}
+
+{{- if eq .Values.features.blobstore.provider "fog" }}
+apiVersion: "v1"
+kind: "Secret"
+type: Opaque
+metadata:
+  name: var-fog-connection
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    app.kubernetes.io/instance: {{ .Release.Name | quote }}
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    app.kubernetes.io/name: {{ include "kubecf.fullname" . }}
+    app.kubernetes.io/version: {{ default .Chart.Version .Chart.AppVersion | quote }}
+    helm.sh/chart: {{ include "kubecf.chart" . }}
+  annotations:
+    quarks.cloudfoundry.org/json-value: "true"
+stringData:
+  value: {{ .Values.features.blobstore.fog.connection | toJson | quote }}
+{{- end }}
diff --git a/chart/templates/ops.yaml b/chart/templates/ops.yaml
@@ -25,14 +25,6 @@ data:
 {{ include "kubecf.ops" (dict "Root" $root "Path" $path) }}
 {{- end }}
 
-{{- if eq .Values.features.blobstore.provider "s3" }}
-{{ include "kubecf.ops" (dict "Root" $root "Path" "assets/use-external-blobstore.yml") }}
-{{ include "kubecf.ops" (dict "Root" $root "Path" "assets/use-s3-blobstore.yml") }}
-{{- if .Values.features.eirini.enabled }}
-{{ include "kubecf.ops" (dict "Root" $root "Path" "assets/configure-bits-service-s3.yml") }}
-{{- end }}
-{{- end }}
-
 {{- range $path, $_ := .Files.Glob "assets/operations/instance_groups/*" }}
 {{ include "kubecf.ops" (dict "Root" $root "Path" $path) }}
 {{- end }}

diff --git a/chart/templates/s3-blobstore.yaml b/chart/templates/s3-blobstore.yaml
diff --git a/chart/values.schema.yaml b/chart/values.schema.yaml
@@ -251,8 +251,59 @@ properties:
   features:
     type: object
     properties:
-      # "blobstore" doesn't have an "enabled" property
-      blobstore: {}
+      # Note: "blobstore" doesn't have an "enabled" property
+      blobstore:
+        type: object
+        oneOf:
+        - properties:
+            provider: {enum: [singleton]}
+          required: [provider]
+          additionalProperties: false
+        - properties:
+            provider: {enum: [fog]}
+            fog:
+              type: object
+              properties:
+                app_package_directory_key: {type: string}
+                buildpack_directory_key: {type: string}
+                droplet_directory_key: {type: string}
+                resource_directory_key: {type: string}
+                connection:
+                  type: object
+                  oneOf:
+                  - properties:
+                      provider: {enum: [AWS]}
+                      aws_access_key_id: {type: string}
+                      aws_secret_access_key: {type: string}
+                      aws_signature_version: {type: string}
+                      endpoint: {type: string}
+                      # path_style is not supported by bits_service
+                      path_style: {type: boolean}
+                      region: {type: string}
+                    required: [provider, aws_access_key_id, aws_secret_access_key]
+                    additionalProperties: false
+                  - properties:
+                      provider: {enum: [Google]}
+                      google_storage_access_key_id: {type: string}
+                      google_storage_secret_access_key: {type: string}
+                    required: [provider, google_storage_access_key_id, google_storage_secret_access_key]
+                    additionalProperties: false
+                  - properties:
+                      provider: {enum: [AzureRM]}
+                      azure_storage_access_key: {type: string}
+                      azure_storage_account_name: {type: string}
+                      environment: {type: string}
+                    required: [provider, environment, azure_storage_account_name, azure_storage_access_key]
+                    additionalProperties: false
+              required:
+              - app_package_directory_key
+              - buildpack_directory_key
+              - droplet_directory_key
+              - resource_directory_key
+              - connection
+              additionalProperties: false
+          required: [provider, fog]
+          additionalProperties: false
 
       memory_limits:
         # should "null" be allowed too?

diff --git a/chart/values.yaml b/chart/values.yaml
@@ -360,18 +360,44 @@ features:
     # Number of seconds to wait for the database to be ready, per iteration of the waiter loop
     connect_timeout: 3
   blobstore:
-    # Possible values for provider: singleton and s3.
+    # Possible values for provider: fog or singleton.
     provider: singleton
-    s3:
-      aws_region: ~
-      blobstore_access_key_id: ~
-      blobstore_secret_access_key: ~
-      blobstore_admin_users_password: ~
-      # The following values are used as S3 bucket names.
-      app_package_directory_key: ~
-      buildpack_directory_key: ~
-      droplet_directory_key: ~
-      resource_directory_key: ~
+    # fog:
+    #   app_package_directory_key: YOUR-APP-PACKAGE-BUCKET
+    #   buildpack_directory_key: YOUR-BUILDPACK-BUCKET
+    #   droplet_directory_key: YOUR-DROPLET-BUCKET
+    #   resource_directory_key: YOUR-RESOURCE-BUCKET
+    #
+    #   Example config for S3
+    #   ---------------------
+    #   connection:
+    #     provider: AWS
+    #     aws_access_key_id: S3-ACCESS-KEY
+    #     aws_secret_access_key: S3-SECRET-ACCESS-KEY
+    #     region: "''"
+    #
+    #   Additional settings for e.g. MinIO
+    #   ----------------------------------
+    #     aws_signature_version: '2'
+    #     endpoint: S3-ENDPOINT
+    #     # path_style is only supported by Diego, but not by Eirini (bits-service).
+    #     # MinIO can be configured to use vhost addressing using MINIO_DOMAIN and a wildcard cert.
+    #     path_style: true
+    #
+    #   Example config for Google Cloud Storage
+    #   ---------------------------------------
+    #   connection:
+    #     provider: Google
+    #     google_storage_access_key_id: GCS-ACCESS-KEY
+    #     google_storage_secret_access_key: GCS-SECRET-ACCESS-KEY
+    #
+    #   Example config for Azure Cloud Storage
+    #   --------------------------------------
+    #   connection:
+    #     provider: AzureRM
+    #     environment: AzureCloud
+    #     azure_storage_account_name: YOUR-AZURE-STORAGE-ACCOUNT-NAME
+    #     azure_storage_access_key: YOUR-AZURE-STORAGE-ACCESS-KEY
 
   # Configuration for the external database; see also features.embedded_database.  Please refer to
   # https://kubecf.io/docs/deployment/kubernetes-deploy/#external-database for details.