Add GitHub integration and OpenShift deployment automation

- Adds GitHub Actions workflow for CI/CD
- Creates openshift-deploy.sh script for simplified deployment
- Adds OpenShift template with configurable parameters
- Includes complete deployment documentation (DEPLOY.md)
- Configures integration with the Quay.io registry
- Makes it easier to deploy directly from the GitHub repository
2025-09-25 14:28:34 -03:00
parent 4d60c0e039
commit c79ceac31d
4 changed files with 779 additions and 0 deletions

.github/workflows/openshift-deploy.yml vendored Normal file

@@ -0,0 +1,101 @@
name: Deploy to OpenShift
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
workflow_dispatch:
env:
IMAGE_NAME: resource-governance
REGISTRY: quay.io/andersonid
NAMESPACE: resource-governance
jobs:
build-and-deploy:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: '3.11'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -r requirements.txt
- name: Run tests
run: |
python -c "import app.main; print('✅ App imports successfully')"
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to Quay.io
uses: docker/login-action@v3
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD }}
- name: Extract metadata
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=ref,event=branch
type=ref,event=pr
type=sha,prefix={{branch}}-
type=raw,value=latest,enable={{is_default_branch}}
- name: Build and push Docker image
uses: docker/build-push-action@v5
with:
context: .
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Install OpenShift CLI
run: |
curl -L https://mirror.openshift.com/pub/openshift-v4/clients/oc/latest/linux/oc.tar.gz | tar -xz -C /usr/local/bin/
chmod +x /usr/local/bin/oc
- name: Deploy to OpenShift
if: github.ref == 'refs/heads/main'
run: |
# Login to OpenShift
echo "${{ secrets.OPENSHIFT_TOKEN }}" | oc login ${{ secrets.OPENSHIFT_SERVER }} --token-stdin
# Update image in DaemonSet
oc set image daemonset/${{ env.IMAGE_NAME }} ${{ env.IMAGE_NAME }}=${{ steps.meta.outputs.tags }} -n ${{ env.NAMESPACE }} || true
# Apply manifests
oc apply -f k8s/namespace.yaml
oc apply -f k8s/rbac.yaml
oc apply -f k8s/configmap.yaml
oc apply -f k8s/daemonset.yaml
oc apply -f k8s/service.yaml
oc apply -f k8s/route.yaml
# Wait for rollout
oc rollout status daemonset/${{ env.IMAGE_NAME }} -n ${{ env.NAMESPACE }} --timeout=300s
# Get route URL
ROUTE_URL=$(oc get route ${{ env.IMAGE_NAME }}-route -n ${{ env.NAMESPACE }} -o jsonpath='{.spec.host}' 2>/dev/null || echo "")
if [ -n "$ROUTE_URL" ]; then
echo "🚀 Application deployed successfully!"
echo "🌐 URL: https://$ROUTE_URL"
fi
env:
OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }}
OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }}
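
Review bot: in the "Deploy to OpenShift" step, `oc set image ... ${{ env.IMAGE_NAME }}=${{ steps.meta.outputs.tags }}` interpolates the full tag list generated by the `tags:` rules in "Extract metadata" rather than one image reference, and the trailing `|| true` hides the resulting failure. The `oc apply -f k8s/daemonset.yaml` that follows then reapplies whatever image the manifest names, so the image built in this run is not reliably the one rolled out. Suggest applying the manifests first, then setting the image to a single immutable reference (the sha tag, or the digest output of the build step) without `|| true`. Also worth changing in the same file: the workflow triggers on `pull_request` yet "Login to Quay.io" and `push: true` are unconditional, so PR builds push to the registry; the script inlines `${{ secrets.OPENSHIFT_TOKEN }}` and `${{ secrets.OPENSHIFT_SERVER }}` even though the step's `env:` already exports both, so use `"$OPENSHIFT_TOKEN"` and `"$OPENSHIFT_SERVER"`; and "Install OpenShift CLI" pipes `.../oc/latest/linux/oc.tar.gz` straight into `tar` with no pinned version or checksum check.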

DEPLOY.md Normal file

@@ -0,0 +1,289 @@
# 🚀 Deploy no OpenShift
Este documento explica como fazer deploy da OpenShift Resource Governance Tool no seu cluster OpenShift.
## 📋 Pré-requisitos
- Cluster OpenShift 4.x
- OpenShift CLI (oc) instalado e configurado
- Acesso ao cluster com permissões para criar recursos
- Container Registry (Quay.io, Docker Hub, etc.)
## 🎯 Opções de Deploy
### 1. Deploy Rápido (Recomendado)
```bash
# Clone o repositório
git clone https://github.com/andersonid/openshift-resource-governance.git
cd openshift-resource-governance
# Execute o script de deploy
./openshift-deploy.sh
```
### 2. Deploy via Template OpenShift
```bash
# Processar template com parâmetros
oc process -f openshift-git-deploy.yaml \
-p GITHUB_REPO="https://github.com/andersonid/openshift-resource-governance.git" \
-p IMAGE_TAG="latest" \
-p REGISTRY="quay.io/seu-usuario" \
-p NAMESPACE="resource-governance" | oc apply -f -
```
### 3. Deploy Manual
```bash
# 1. Criar namespace
oc apply -f k8s/namespace.yaml
# 2. Aplicar RBAC
oc apply -f k8s/rbac.yaml
# 3. Aplicar ConfigMap
oc apply -f k8s/configmap.yaml
# 4. Atualizar imagem no DaemonSet
oc set image daemonset/resource-governance resource-governance=quay.io/seu-usuario/resource-governance:latest -n resource-governance
# 5. Aplicar recursos
oc apply -f k8s/daemonset.yaml
oc apply -f k8s/service.yaml
oc apply -f k8s/route.yaml
```
## 🔧 Configuração
### Variáveis de Ambiente
A aplicação pode ser configurada através do ConfigMap:
```yaml
data:
CPU_LIMIT_RATIO: "3.0" # Ratio padrão limit:request para CPU
MEMORY_LIMIT_RATIO: "3.0" # Ratio padrão limit:request para memória
MIN_CPU_REQUEST: "10m" # Mínimo de CPU request
MIN_MEMORY_REQUEST: "32Mi" # Mínimo de memória request
CRITICAL_NAMESPACES: | # Namespaces críticos para VPA
openshift-monitoring
openshift-ingress
openshift-apiserver
PROMETHEUS_URL: "http://prometheus.openshift-monitoring.svc.cluster.local:9090"
```
### Personalizar Configurações
```bash
# Editar ConfigMap
oc edit configmap resource-governance-config -n resource-governance
# Reiniciar pods para aplicar mudanças
oc rollout restart daemonset/resource-governance -n resource-governance
```
## 🌐 Acesso à Aplicação
### Obter URL da Rota
```bash
# Obter URL da rota
oc get route resource-governance-route -n resource-governance -o jsonpath='{.spec.host}'
# Acessar via browser
# https://resource-governance-route-resource-governance.apps.openshift.local
```
### Testar Aplicação
```bash
# Health check
curl https://resource-governance-route-resource-governance.apps.openshift.local/health
# API status
curl https://resource-governance-route-resource-governance.apps.openshift.local/api/v1/cluster/status
```
## 📊 Monitoramento
### Ver Logs
```bash
# Logs do DaemonSet
oc logs -f daemonset/resource-governance -n resource-governance
# Logs de um pod específico
oc logs -f <pod-name> -n resource-governance
```
### Ver Status
```bash
# Status dos recursos
oc get all -n resource-governance
# Status detalhado do DaemonSet
oc describe daemonset/resource-governance -n resource-governance
# Status dos pods
oc get pods -n resource-governance -o wide
```
### Verificar RBAC
```bash
# Verificar permissões do ServiceAccount
oc auth can-i get pods --as=system:serviceaccount:resource-governance:resource-governance-sa
# Verificar ClusterRole
oc describe clusterrole resource-governance-role
```
## 🔄 Atualizações
### Atualizar Imagem
```bash
# Atualizar para nova tag
oc set image daemonset/resource-governance resource-governance=quay.io/seu-usuario/resource-governance:v1.1.0 -n resource-governance
# Aguardar rollout
oc rollout status daemonset/resource-governance -n resource-governance
```
### Atualizar do GitHub
```bash
# Pull das mudanças
git pull origin main
# Deploy com nova tag
./openshift-deploy.sh v1.1.0
```
## 🗑️ Remoção
### Remover Aplicação
```bash
# Usar script de undeploy
./scripts/undeploy.sh
# Ou remover manualmente
oc delete -f k8s/route.yaml
oc delete -f k8s/service.yaml
oc delete -f k8s/daemonset.yaml
oc delete -f k8s/configmap.yaml
oc delete -f k8s/rbac.yaml
oc delete -f k8s/namespace.yaml
```
## 🐛 Troubleshooting
### Problemas Comuns
#### 1. Pod não inicia
```bash
# Verificar eventos
oc get events -n resource-governance --sort-by='.lastTimestamp'
# Verificar logs
oc logs <pod-name> -n resource-governance
```
#### 2. Erro de permissão
```bash
# Verificar RBAC
oc auth can-i get pods --as=system:serviceaccount:resource-governance:resource-governance-sa
# Verificar ServiceAccount
oc get serviceaccount resource-governance-sa -n resource-governance -o yaml
```
#### 3. Erro de conectividade com Prometheus
```bash
# Verificar se Prometheus está acessível
oc exec -it <pod-name> -n resource-governance -- curl http://prometheus.openshift-monitoring.svc.cluster.local:9090/api/v1/query?query=up
```
#### 4. Rota não acessível
```bash
# Verificar rota
oc get route resource-governance-route -n resource-governance -o yaml
# Verificar ingress controller
oc get pods -n openshift-ingress
```
### Logs de Debug
```bash
# Ativar logs debug (se necessário)
oc set env daemonset/resource-governance LOG_LEVEL=DEBUG -n resource-governance
# Ver logs em tempo real
oc logs -f daemonset/resource-governance -n resource-governance --tail=100
```
## 📈 Escalabilidade
### Ajustar Recursos
```bash
# Aumentar recursos do DaemonSet
oc patch daemonset resource-governance -n resource-governance -p '{
"spec": {
"template": {
"spec": {
"containers": [{
"name": "resource-governance",
"resources": {
"requests": {"cpu": "200m", "memory": "256Mi"},
"limits": {"cpu": "1000m", "memory": "1Gi"}
}
}]
}
}
}
}'
```
### Ajustar ResourceQuota
```bash
# Aumentar quota do namespace
oc patch resourcequota resource-governance-quota -n resource-governance -p '{
"spec": {
"hard": {
"requests.cpu": "4",
"requests.memory": "8Gi",
"limits.cpu": "8",
"limits.memory": "16Gi"
}
}
}'
```
## 🔐 Segurança
### Verificar SecurityContext
```bash
# Verificar se está rodando como usuário não-root
oc get pod <pod-name> -n resource-governance -o jsonpath='{.spec.securityContext}'
```
### Verificar NetworkPolicies
```bash
# Se usando NetworkPolicies, verificar se permite tráfego
oc get networkpolicy -n resource-governance
```
## 📞 Suporte
Para suporte e dúvidas:
- Abra uma issue no [GitHub](https://github.com/andersonid/openshift-resource-governance/issues)
- Consulte a documentação do [OpenShift](https://docs.openshift.com/)
- Verifique os logs da aplicação
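
Review bot: in "3. Deploy Manual", step 4 runs `oc set image daemonset/resource-governance ...` before step 5 creates the DaemonSet with `oc apply -f k8s/daemonset.yaml`, so on a fresh cluster step 4 fails, and on an existing one step 5 reapplies the manifest's image; the image update should come after the apply. The example URLs use `resource-governance-route-resource-governance.apps.openshift.local`, while the template added in this commit sets `host: resource-governance.apps.openshift.local`, so one of the two needs correcting. The "Segurança" section only shows how to read `securityContext` and list NetworkPolicies; it should state that the ClusterRole grants cluster-wide `patch`, `update` and `create`, since the documented check `oc auth can-i get pods` exercises only a read verb.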

openshift-deploy.sh Executable file

@@ -0,0 +1,95 @@
#!/bin/bash
# Script de deploy para OpenShift usando GitHub
set -e
# Cores para output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color
# Configurações
REPO_URL="https://github.com/andersonid/openshift-resource-governance.git"
IMAGE_NAME="resource-governance"
REGISTRY="quay.io/andersonid"
TAG="${1:-latest}"
NAMESPACE="resource-governance"
echo -e "${BLUE}🚀 Deploying OpenShift Resource Governance Tool from GitHub${NC}"
echo -e "${BLUE}Repository: ${REPO_URL}${NC}"
echo -e "${BLUE}Image: ${REGISTRY}/${IMAGE_NAME}:${TAG}${NC}"
# Verificar se oc está instalado
if ! command -v oc &> /dev/null; then
echo -e "${RED}❌ OpenShift CLI (oc) não está instalado.${NC}"
echo -e "${YELLOW}Instale o oc CLI: https://docs.openshift.com/container-platform/latest/cli_reference/openshift_cli/getting-started-cli.html${NC}"
exit 1
fi
# Verificar se está logado no OpenShift
if ! oc whoami &> /dev/null; then
echo -e "${RED}❌ Não está logado no OpenShift.${NC}"
echo -e "${YELLOW}Faça login com: oc login <cluster-url>${NC}"
exit 1
fi
echo -e "${GREEN}✅ Logado como: $(oc whoami)${NC}"
# Criar namespace se não existir
echo -e "${YELLOW}📁 Creating namespace...${NC}"
oc apply -f k8s/namespace.yaml
# Aplicar RBAC
echo -e "${YELLOW}🔐 Applying RBAC...${NC}"
oc apply -f k8s/rbac.yaml
# Aplicar ConfigMap
echo -e "${YELLOW}⚙️ Applying ConfigMap...${NC}"
oc apply -f k8s/configmap.yaml
# Atualizar imagem no DaemonSet
echo -e "${YELLOW}🔄 Updating image in DaemonSet...${NC}"
oc set image daemonset/${IMAGE_NAME} ${IMAGE_NAME}="${REGISTRY}/${IMAGE_NAME}:${TAG}" -n "${NAMESPACE}" || true
# Aplicar DaemonSet
echo -e "${YELLOW}📦 Applying DaemonSet...${NC}"
oc apply -f k8s/daemonset.yaml
# Aplicar Service
echo -e "${YELLOW}🌐 Applying Service...${NC}"
oc apply -f k8s/service.yaml
# Aplicar Route
echo -e "${YELLOW}🛣️ Applying Route...${NC}"
oc apply -f k8s/route.yaml
# Aguardar pods ficarem prontos
echo -e "${YELLOW}⏳ Waiting for pods to be ready...${NC}"
oc wait --for=condition=ready pod -l app.kubernetes.io/name=${IMAGE_NAME} -n "${NAMESPACE}" --timeout=300s
# Obter URL da rota
ROUTE_URL=$(oc get route ${IMAGE_NAME}-route -n "${NAMESPACE}" -o jsonpath='{.spec.host}')
if [ -n "${ROUTE_URL}" ]; then
echo -e "${GREEN}🎉 Deploy completed successfully!${NC}"
echo -e "${BLUE}🌐 Application URL: https://${ROUTE_URL}${NC}"
echo -e "${BLUE}📊 GitHub Repository: ${REPO_URL}${NC}"
else
echo -e "${YELLOW}⚠️ Deploy completed, but route URL not found.${NC}"
echo -e "${BLUE}Check with: oc get routes -n ${NAMESPACE}${NC}"
fi
# Mostrar status
echo -e "${BLUE}📊 Deployment status:${NC}"
oc get all -n "${NAMESPACE}"
echo -e "${BLUE}🔍 To check logs:${NC}"
echo -e " oc logs -f daemonset/${IMAGE_NAME} -n ${NAMESPACE}"
echo -e "${BLUE}🧪 To test health:${NC}"
echo -e " curl https://${ROUTE_URL}/health"
echo -e "${BLUE}📝 To update from GitHub:${NC}"
echo -e " git pull origin main"
echo -e " ./openshift-deploy.sh <new-tag>"
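
Review bot: `oc set image daemonset/${IMAGE_NAME} ... || true` runs before `oc apply -f k8s/daemonset.yaml`, so the `TAG` argument is not reliably what ends up deployed: on a first run the DaemonSet does not exist yet and the error is swallowed, and on later runs the apply reapplies the image written in the manifest. Suggest applying the manifest first, then running `oc set image` without `|| true` so a bad tag stops the script under `set -e`. The `k8s/*.yaml` paths are relative to the caller's working directory, so the script should change to its own directory (or fail early if `k8s/` is missing), and `set -euo pipefail` would catch unset variables. The closing hint prints `curl https://${ROUTE_URL}/health` even in the branch where `ROUTE_URL` was found empty.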

openshift-git-deploy.yaml Normal file

@@ -0,0 +1,294 @@
apiVersion: v1
kind: Template
metadata:
name: resource-governance-git-deploy
annotations:
description: "Deploy OpenShift Resource Governance Tool from GitHub repository"
tags: "governance,resources,openshift,github"
parameters:
- name: GITHUB_REPO
displayName: "GitHub Repository URL"
description: "URL do repositório GitHub"
value: "https://github.com/andersonid/openshift-resource-governance.git"
- name: IMAGE_TAG
displayName: "Image Tag"
description: "Tag da imagem Docker"
value: "latest"
- name: REGISTRY
displayName: "Container Registry"
description: "Registry da imagem Docker"
value: "quay.io/andersonid"
- name: NAMESPACE
displayName: "Namespace"
description: "Namespace para deploy"
value: "resource-governance"
objects:
- apiVersion: v1
kind: Namespace
metadata:
name: ${NAMESPACE}
labels:
name: ${NAMESPACE}
app.kubernetes.io/name: resource-governance
app.kubernetes.io/component: governance
app.kubernetes.io/part-of: openshift-governance
- apiVersion: v1
kind: ResourceQuota
metadata:
name: resource-governance-quota
namespace: ${NAMESPACE}
spec:
hard:
requests.cpu: "2"
requests.memory: 4Gi
limits.cpu: "4"
limits.memory: 8Gi
pods: "10"
- apiVersion: v1
kind: LimitRange
metadata:
name: resource-governance-limits
namespace: ${NAMESPACE}
spec:
limits:
- default:
cpu: "500m"
memory: "512Mi"
defaultRequest:
cpu: "100m"
memory: "128Mi"
type: Container
- apiVersion: v1
kind: ServiceAccount
metadata:
name: resource-governance-sa
namespace: ${NAMESPACE}
labels:
app.kubernetes.io/name: resource-governance
app.kubernetes.io/component: governance
- apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: resource-governance-role
labels:
app.kubernetes.io/name: resource-governance
app.kubernetes.io/component: governance
rules:
- apiGroups: [""]
resources: ["pods", "namespaces", "nodes", "events"]
verbs: ["get", "list", "watch", "patch", "update", "create"]
- apiGroups: ["autoscaling.k8s.io"]
resources: ["verticalpodautoscalers"]
verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
resources: ["deployments", "replicasets"]
verbs: ["get", "list", "watch", "patch", "update"]
- apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: resource-governance-binding
labels:
app.kubernetes.io/name: resource-governance
app.kubernetes.io/component: governance
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: resource-governance-role
subjects:
- kind: ServiceAccount
name: resource-governance-sa
namespace: ${NAMESPACE}
- apiVersion: v1
kind: ConfigMap
metadata:
name: resource-governance-config
namespace: ${NAMESPACE}
labels:
app.kubernetes.io/name: resource-governance
app.kubernetes.io/component: governance
data:
CPU_LIMIT_RATIO: "3.0"
MEMORY_LIMIT_RATIO: "3.0"
MIN_CPU_REQUEST: "10m"
MIN_MEMORY_REQUEST: "32Mi"
CRITICAL_NAMESPACES: |
openshift-monitoring
openshift-ingress
openshift-apiserver
openshift-controller-manager
openshift-sdn
PROMETHEUS_URL: "http://prometheus.openshift-monitoring.svc.cluster.local:9090"
REPORT_EXPORT_PATH: "/tmp/reports"
ENABLE_RBAC: "true"
SERVICE_ACCOUNT_NAME: "resource-governance-sa"
GITHUB_REPO: "${GITHUB_REPO}"
- apiVersion: apps/v1
kind: DaemonSet
metadata:
name: resource-governance
namespace: ${NAMESPACE}
labels:
app.kubernetes.io/name: resource-governance
app.kubernetes.io/component: governance
spec:
selector:
matchLabels:
app.kubernetes.io/name: resource-governance
app.kubernetes.io/component: governance
template:
metadata:
labels:
app.kubernetes.io/name: resource-governance
app.kubernetes.io/component: governance
annotations:
github.com/repo: "${GITHUB_REPO}"
spec:
serviceAccountName: resource-governance-sa
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroup: 1000
containers:
- name: resource-governance
image: ${REGISTRY}/resource-governance:${IMAGE_TAG}
imagePullPolicy: Always
ports:
- containerPort: 8080
name: http
protocol: TCP
env:
- name: KUBECONFIG
value: "/var/run/secrets/kubernetes.io/serviceaccount/token"
- name: CPU_LIMIT_RATIO
valueFrom:
configMapKeyRef:
name: resource-governance-config
key: CPU_LIMIT_RATIO
- name: MEMORY_LIMIT_RATIO
valueFrom:
configMapKeyRef:
name: resource-governance-config
key: MEMORY_LIMIT_RATIO
- name: MIN_CPU_REQUEST
valueFrom:
configMapKeyRef:
name: resource-governance-config
key: MIN_CPU_REQUEST
- name: MIN_MEMORY_REQUEST
valueFrom:
configMapKeyRef:
name: resource-governance-config
key: MIN_MEMORY_REQUEST
- name: CRITICAL_NAMESPACES
valueFrom:
configMapKeyRef:
name: resource-governance-config
key: CRITICAL_NAMESPACES
- name: PROMETHEUS_URL
valueFrom:
configMapKeyRef:
name: resource-governance-config
key: PROMETHEUS_URL
- name: REPORT_EXPORT_PATH
valueFrom:
configMapKeyRef:
name: resource-governance-config
key: REPORT_EXPORT_PATH
- name: ENABLE_RBAC
valueFrom:
configMapKeyRef:
name: resource-governance-config
key: ENABLE_RBAC
- name: SERVICE_ACCOUNT_NAME
valueFrom:
configMapKeyRef:
name: resource-governance-config
key: SERVICE_ACCOUNT_NAME
- name: GITHUB_REPO
valueFrom:
configMapKeyRef:
name: resource-governance-config
key: GITHUB_REPO
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 500m
memory: 512Mi
livenessProbe:
httpGet:
path: /health
port: 8080
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 3
readinessProbe:
httpGet:
path: /health
port: 8080
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 3
failureThreshold: 3
volumeMounts:
- name: reports-volume
mountPath: /tmp/reports
- name: tmp-volume
mountPath: /tmp
volumes:
- name: reports-volume
emptyDir: {}
- name: tmp-volume
emptyDir: {}
nodeSelector:
kubernetes.io/os: linux
tolerations:
- key: node-role.kubernetes.io/master
operator: Exists
effect: NoSchedule
- key: node-role.kubernetes.io/control-plane
operator: Exists
effect: NoSchedule
- apiVersion: v1
kind: Service
metadata:
name: resource-governance-service
namespace: ${NAMESPACE}
labels:
app.kubernetes.io/name: resource-governance
app.kubernetes.io/component: governance
spec:
type: ClusterIP
ports:
- port: 8080
targetPort: 8080
protocol: TCP
name: http
selector:
app.kubernetes.io/name: resource-governance
app.kubernetes.io/component: governance
- apiVersion: route.openshift.io/v1
kind: Route
metadata:
name: resource-governance-route
namespace: ${NAMESPACE}
labels:
app.kubernetes.io/name: resource-governance
app.kubernetes.io/component: governance
annotations:
haproxy.router.openshift.io/timeout: "300s"
haproxy.router.openshift.io/rate-limit: "100"
spec:
host: resource-governance.apps.openshift.local
to:
kind: Service
name: resource-governance-service
weight: 100
port:
targetPort: http
tls:
termination: edge
insecureEdgeTerminationPolicy: Redirect
wildcardPolicy: None
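
Review bot: the `resource-governance-role` ClusterRole grants `patch`, `update` and `create` on `pods`, `namespaces`, `nodes` and `events`, plus `patch` and `update` on `deployments` and `replicasets`, and the ClusterRoleBinding gives that cluster-wide to a ServiceAccount whose pod is scheduled on every node, control-plane included (the two tolerations), and is published through the Route. Suggest limiting the role to `get`, `list`, `watch` and adding a write verb only on the specific resource that needs it, with the reason documented next to the rule. In the DaemonSet, `KUBECONFIG` is set to `/var/run/secrets/kubernetes.io/serviceaccount/token`, which is a bearer-token file and not a kubeconfig, so that variable should be dropped; the container has no `securityContext` of its own (for example `allowPrivilegeEscalation: false`); and `IMAGE_TAG` defaults to `latest` with `imagePullPolicy: Always`, which lets nodes run different builds of the same tag. The Route `host: resource-governance.apps.openshift.local` is hard-coded and would be better as a template parameter.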