fix(runner-config): fix proxyCA field (#21)

* fix(runner-config): fix proxyCA field

* add grafana-agent proxyca volumes examples and disable grafana annoymous stats reporting

* cleanup, comments, and disable annoymous telemetry from grafana-agent to grafana HQ

* update task resource defaults and version bump

* version bump

---------

Co-authored-by: Shea Stewart <[email protected]>

charts/runwhen-local/Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: runwhen-local
 description: A Helm chart RunWhen Local - A community powered troubleshooting cheat sheet
 type: application
-version: 0.1.13
-appVersion: "0.5.12"
+version: 0.1.14
+appVersion: "0.5.14"
 icon: https://storage.googleapis.com/runwhen-nonprod-shared-images/icons/runwhen_icon.png
 dependencies:
   - name: grafana-agent

charts/runwhen-local/templates/local-deployment.yaml

@@ -42,14 +42,14 @@ spec:
             value: "{{ .Values.runwhenLocal.autoRun.uploadEnabled }}"
           - name: RW_LOCAL_UPLOAD_MERGE_MODE
             value: "{{ .Values.runwhenLocal.autoRun.uploadMergeMode }}"
-          {{ if .Values.runwhenLocal.debugLogs }}
+          {{- if .Values.runwhenLocal.debugLogs }}
           - name: DEBUG_LOGGING
             value: "true"
-          {{ end }}
-          {{ if .Values.runwhenLocal.discoveryKubeconfig.inClusterAuth.createKubeconfigSecret }}
+          {{- end }}
+          {{- if .Values.runwhenLocal.discoveryKubeconfig.inClusterAuth.createKubeconfigSecret }}
           - name: RW_CREATE_KUBECONFIG_SECRET
             value: "true"
-          {{ end }}
+          {{- end }}
           - name: KUBERNETES_CLUSTER_NAME
             value: {{ .Values.runwhenLocal.clusterName }}
           {{- if .Values.proxy.enabled }}
@@ -65,6 +65,17 @@ spec:
           - name: NO_PROXY
             value: {{ . }}
           {{- end }}
+          {{- if or .Values.proxyCA .Values.runwhenLocal.proxyCA }}
+          - name: SLI_CERT_FILE
+            value: "/etc/ssl/certs/ca-certificates.crt"
+          - name: REQUESTS_CA_BUNDLE
+            value: "/etc/ssl/certs/ca-certificates.crt"
+          - name: NODE_EXTRA_CA_CERTS
+            value: "/etc/ssl/certs/ca-certificates.crt"
+          {{- end }}
+          {{- end }}
+          {{- with .Values.runwhenLocal.extraEnv }}
+          {{- toYaml . | nindent 8 }}
           {{- end }}
           ports:
             - name: mkdocs
@@ -96,6 +107,13 @@ spec:
           {{- with .Values.runwhenLocal.volumeMounts }}
             {{- toYaml . | nindent 10 }}
           {{- end }}
+          {{- if or .Values.proxy.enabled .Values.runwhenLocal.proxy }}
+          {{- if or .Values.proxyCA .Values.runwhenLocal.proxyCA }}
+          - name: proxy-ca
+            mountPath: /etc/ssl/certs/ca-certificates.crt
+            subPath: ca-certificates.crt
+          {{- end }}
+          {{- end }}
           - name: shared-volume
             mountPath: "/shared"
           {{- if .Values.runwhenLocal.discoveryKubeconfig.secretProvided.enabled }}
@@ -112,9 +130,25 @@ spec:
             subPath: "uploadInfo.yaml"
           {{- end }}
       volumes:
-      {{ with .Values.runwhenLocal.volumes }}
+      {{- with .Values.runwhenLocal.volumes }}
       {{- toYaml . | nindent 6 }}
       {{- end }}
+      {{- if or .Values.proxy.enabled .Values.runwhenLocal.proxy }}
+      {{- with or .Values.proxyCA .Values.runwhenLocal.proxyCA }}
+      - name: proxy-ca
+        {{- if .secretName }}
+        secret:
+          secretName: {{ .secretName }}
+        {{- else if .configMapName }}
+        configMap:
+          name: {{.configMapName }}
+        {{- end }}
+          items:
+          - key: {{ .key | default "ca.crt" }}
+            path: ca-certificates.crt
+          defaultMode: 420
+      {{- end }}
+      {{- end }}
       - name: shared-volume
         emptyDir: {}
       {{- if .Values.runwhenLocal.discoveryKubeconfig.secretProvided.enabled }}

charts/runwhen-local/templates/runner-configmap.yaml

@@ -45,8 +45,21 @@ data:
           enabled: {{ or .Values.runner.runEnvironment.proxy.enabled .Values.proxy.enabled }}
           httpProxy: "{{ or .Values.runner.runEnvironment.proxy.httpProxy .Values.proxy.httpProxy }}"
           httpsProxy: "{{ or .Values.runner.runEnvironment.proxy.httpsProxy .Values.proxy.httpProxy }}"
-          noProxy: "{{ or .Values.runner.runEnvironment.proxy.httpsProxy .Values.proxy.httpProxy }}"
-          proxyCA: "{{ or .Values.runner.runEnvironment.proxy.proxyCA .Values.proxy.httpProxy }}"
+          noProxy: "{{ or .Values.runner.runEnvironment.proxy.noProxy .Values.proxy.noProxy }}"
+          proxyCA: "{{ or .Values.runner.runEnvironment.proxy.proxyCA .Values.proxy.proxyCA }}"
+        {{- if or .Values.proxy.enabled .Values.runner.proxy }}
+        {{- with or .Values.proxyCA .Values.runner.proxyCA }}
+        proxyCA:
+          {{- if .secretName }}
+          secret:
+            name: {{ .secretName }}
+          {{- else if .configMapName }}
+          configMap:
+            name: {{.configMapName }}
+          {{- end }}
+            key: {{ .key }}
+        {{- end }}
+        {{- end }}
         deployment:
           {{- with .Values.runner.runEnvironment.deployment.annotations }}
           annotations:

charts/runwhen-local/templates/runner-deployment.yaml

@@ -27,7 +27,7 @@ spec:
     spec:
       containers:
       - image: {{ .Values.runner.image | default "us-docker.pkg.dev/runwhen-nonprod-shared/public-images/runner:stable" }}
-        imagePullPolicy: {{ .Values.runner.imagePullPolicy | default "IfNotPresent" }}
+        imagePullPolicy: {{ .Values.runner.imagePullPolicy | default "Always" }}
         name: runner
         ports:
         - containerPort: 9090
@@ -45,6 +45,13 @@ spec:
         - name: runner-config-volume
           mountPath: "/etc/runwhen/runner/config.yaml"
           subPath: "config.yaml"
+        {{- if or .Values.proxy.enabled .Values.runner.proxy }}
+        {{- if or .Values.proxyCA .Values.runner.proxyCA }}
+        - name: proxy-ca
+          mountPath: /etc/ssl/certs/proxy-ca.pem
+          subPath: proxy-ca.pem
+        {{- end }}
+        {{- end }}
         {{- with .Values.runner.volumeMounts }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
@@ -103,7 +110,23 @@ spec:
       - name: runner-config-volume
         configMap:
           name: {{ .Values.runner.configMap.name }}
-      {{ with .Values.runner.volumes }}
-      {{- toYaml . | nindent 6 }}
+      {{- if or .Values.proxy.enabled .Values.runner.proxy }}
+      {{- with or .Values.proxyCA .Values.runner.proxyCA }}
+      - name: proxy-ca
+        {{- if .secretName }}
+        secret:
+          secretName: {{ .secretName }}
+        {{- else if .configMapName }}
+        configMap:
+          name: {{.configMapName }}
+        {{- end }}
+          items:
+          - key: {{ .key }}
+            path: proxy-ca.pem
+          defaultMode: 420
+      {{- end }}
+      {{- end }}
+      {{ with .Values.volumes }}
+        {{- toYaml . | nindent 8 }}
       {{- end }}
 {{- end }}

charts/runwhen-local/templates/runner-grafana-agent-configmap.yaml

@@ -33,10 +33,14 @@ data:
             {{- end }}
             {{- end }}
             tls_config {
-            ca_file = "/tls/ca.crt"
-            cert_file = "/tls/tls.crt"
-            key_file =  "/tls/tls.key"
-            insecure_skip_verify    = true
+                {{- if .Values.proxyCA }}
+                ca_file = "/etc/ssl/certs/proxy-ca.crt"
+                {{- else }}
+                ca_file = "/tls/ca.crt"
+                {{- end }}
+                cert_file = "/tls/tls.crt"
+                key_file =  "/tls/tls.key"
+                insecure_skip_verify    = true
             }
         }
         external_labels = {

charts/runwhen-local/values.yaml

@@ -33,13 +33,24 @@ tolerations: []
 
 affinity: {}
 
-# Set proxy details for the runner & runwhenLocal deployments
+# Set proxy env for RunWhen Local and Runner Deployments and any supporting infrastructure such as the grafana-agent
 proxy:
   enabled: false
+  # HTTP_PROXY environment variable
   httpProxy: ""
+  # HTTPS_PROXY environment variable
   httpsProxy: ""
-  noProxy: ""
-  proxyCA: ""
+  # NO_PROXY environment variable
+  noProxy: "127.0.0.1,localhost,$($KUBERNETES_SERVICE_HOST),pushgateway"
+
+# Set the proxy CA details, if the runner is being deployed be sure to set
+# the grafana-agent mounts and volumes to match the proxyCA configuration
+# -- Those are not set by default as the secretName or ConfigMapName and Key
+#    are not directly templatable from this chart.
+proxyCA: {}
+  # secretNname: ""
+  # configMapName: "" # not fully templated yet
+  # key: ""
 
 # Is this a platform the requires special configuration?
 # Currently supports EKS_Fargate, kubernetes
@@ -326,7 +337,7 @@ runner:
     # Block the use of a specific secret being mounted to the SLI (CronCodeRun) Deployments and TaskSet (CodeRun) Pods
     # - "myvault@/dev/data/simple-test-secret"
 
-    # The configurations applied to the SLI (CronCodeRun) Deployments
+    #### The configurations applied to the SLI (CronCodeRun) Deployments ####
     deployment:
       annotations: {}
       podAnnotations: {}
@@ -340,7 +351,7 @@ runner:
             cpu: "50m"
             memory: "64Mi"
           limits:
-            cpu: "300m"
+            cpu: "500m"
             memory: "196Mi"
         EKS_Fargate:
           requests:
@@ -349,7 +360,7 @@ runner:
           limits:
             cpu: "300m"
             memory: "196Mi"
-    # The configurations applired to the TaskSet (CodeRun) Pods
+    #### The configurations applied to the TaskSet (CodeRun) Pods ####
     pod:
       annotations: {}
       affinity: {}
@@ -359,24 +370,31 @@ runner:
       resources:
         default:
           requests:
-            cpu: "50m"
+            cpu: "300m"
             memory: "128Mi"
           limits:
-            cpu: "300m"
-            memory: "256Mi"
+            cpu: "1"
+            memory: "512Mi"
         EKS_Fargate:
           requests:
             cpu: "300m"
-            memory: "64Mi"
+            memory: "256Mi"
           limits:
             cpu: "300m"
             memory: "256Mi"
-    proxy:
-      enabled: false
-      httpProxy: ""
-      httpsProxy: ""
-      noProxy: ""
-      proxyCA: ""
+    # The proxy configurations applied to the SLI (CronCodeRun) Deployments and TaskSet (CodeRun) Pods
+    # By default the global values for .Values.proxy and .Values.proxyCA are used.
+    proxy: {}
+      # enabled: false
+      # httpProxy: ""
+      # httpsProxy: ""
+      # noProxy: "127.0.0.1,$($KUBERNETES_SERVICE_HOST),pushgateway"
+    # The proxy CA details, if the runner is being deployed be sure to set
+    # the grafana-agent mounts and volumes to match the proxyCA configuration
+    proxyCA: {}
+      # secretNname: ""
+      # configMapName: ""
+      # key: ""
 
   # proxy configuration for the runner container, set runEnvironment.proxy.enabled to true to use this configuration
   # for the SLI (CronCodeRun) Deployments and TaskSet (CodeRun) Pods as well, or configure custom proxy settings in the runEnvironment.proxy fields
@@ -403,6 +421,7 @@ grafana-agent:
     # -- Whether to install CRDs for monitoring.
     create: false
   agent:
+    enableReporting: false
     mode: 'flow'
     configMap:
       create: false
@@ -413,13 +432,26 @@ grafana-agent:
         - name: tls-secret-volume
           mountPath: /tls
           readOnly: true
+        # Note: must be used when using .Values.ProxyCA
+        # - name: proxy-ca-volume
+        #   mountPath: /etc/ssl/certs/proxy-ca.crt
+        #   readOnly: true
+        #   subPath: proxy-ca.crt
   controller:
     type: deployment
     volumes:
       extra:
         - name: tls-secret-volume
           secret:
             secretName: runner-metrics-tls
+        # Note: must be configured when using .Values.ProxyCA -- can also be transitioned to
+        # a configMap if needed -- just match the values from .Values.ProxyCA.ConfigMapName and .Values.ProxyCA.Key
+        # - name: proxy-ca-volume # DO NOT CHANGE
+        #   secret:
+        #     secretName: # Value from .Values.proxyCA.secretName
+        #     items:
+        #       - key: ca.crt # Value from .Values.proxyCA.key
+        #         path: proxy-ca.crt # DO NOT CHANGE
   rbac:
     create: false
   serviceAccount: