Merge branch 'master' into dependabot/go_modules/chaoscenter/event-tr…

…acker/golang.org/x/net-0.23.0
litmuschaos · Apr 26, 2024 · e63340f · e63340f
2 parents e172430 + bcdb799
commit e63340f
Show file tree

Hide file tree

Showing 22 changed files with 6,548 additions and 869 deletions.
diff --git a/chaoscenter/README.md b/chaoscenter/README.md
@@ -1,6 +1,6 @@
-# [LitmusChaos 3.4.0](https://docs.litmuschaos.io/)
+# [LitmusChaos 3.6.0](https://docs.litmuschaos.io/)
 
-## Installation steps for Litmus 3.4.0
+## Installation steps for Litmus 3.6.0
 
 ### Mongo installation via Helm - Bitnami Mongo
 
@@ -45,5 +45,5 @@ helm install my-release bitnami/mongodb --values mongo-values.yml -n <NAMESPACE>
 Applying the manifest file will install all the required service account configuration and ChaosCenter in cluster scope.
 
 ```shell
-kubectl apply -f https://raw.githubusercontent.com/litmuschaos/litmus/master/mkdocs/docs/3.4.0/litmus-cluster-scope-3.4.0.yaml
+kubectl apply -f https://raw.githubusercontent.com/litmuschaos/litmus/master/mkdocs/docs/3.6.0/litmus-cluster-scope-3.6.0.yaml
 ```
diff --git a/chaoscenter/authentication/go.mod b/chaoscenter/authentication/go.mod
@@ -7,7 +7,7 @@ require (
 	github.com/gin-contrib/cors v1.3.1
 	github.com/gin-gonic/gin v1.9.1
 	github.com/golang-jwt/jwt v3.2.2+incompatible
-	github.com/golang/protobuf v1.5.3
+	github.com/golang/protobuf v1.5.4
 	github.com/google/uuid v1.6.0
 	github.com/kelseyhightower/envconfig v1.4.0
 	github.com/sirupsen/logrus v1.9.3

diff --git a/chaoscenter/authentication/go.sum b/chaoscenter/authentication/go.sum
@@ -47,8 +47,8 @@ github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5y
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
-github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
-github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/golang/snappy v0.0.1 h1:Qgr9rKW7uDUkrbSmQeiDsGa8SjGyCOGtuasMWwvp2P4=
 github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=

diff --git a/chaoscenter/graphql/server/manifests/cluster/1b_argo_rbac.yaml b/chaoscenter/graphql/server/manifests/cluster/1b_argo_rbac.yaml
@@ -2,54 +2,53 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: argo
+  name: argo-chaos
   namespace: #{INFRA_NAMESPACE}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: argo-cluster-role
+  name: chaos-cluster-role
 rules:
-  - apiGroups: [""]
-    resources: ["pods", "pods/exec"]
-    verbs: ["create", "get", "list", "watch", "update", "patch", "delete"]
-  - apiGroups: [""]
-    resources: ["configmaps"]
-    verbs: ["get", "watch", "list"]
-  - apiGroups: [""]
-    resources: ["persistentvolumeclaims"]
-    verbs: ["create", "delete"]
-  - apiGroups: ["argoproj.io"]
-    resources: ["workflows", "workflows/finalizers"]
-    verbs: ["get", "list", "watch", "update", "patch", "delete", "create"]
-  - apiGroups: ["argoproj.io"]
-    resources: ["workflowtemplates","workflowtemplates/finalizers","clusterworkflowtemplates","clusterworkflowtemplates/finalizers","workflowtasksets"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["argoproj.io"]
-    resources: ["workflowtaskresults"]
-    verbs: ["list", "watch", "deletecollection"]
-  - apiGroups: [""]
-    resources: ["serviceaccounts"]
-    verbs: ["get", "list"]
-  - apiGroups: ["argoproj.io"]
-    resources: ["cronworkflows", "cronworkflows/finalizers"]
-    verbs: ["get", "list", "watch", "update", "patch", "delete"]
-  - apiGroups: [""]
-    resources: ["events"]
-    verbs: ["create", "patch"]
-  - apiGroups: ["policy"]
-    resources: ["poddisruptionbudgets"]
-    verbs: ["create", "get", "delete"]
+  # for managing the pods created by workflow controller to implement individual steps in the workflow
+  - apiGroups: ['']
+    resources: ['pods', 'services']
+    verbs: ['create', 'get', 'watch', 'patch', 'delete', 'list']
+  - apiGroups: ['']
+    resources: ['namespaces']
+    verbs: ['get', 'watch', 'patch', 'list']
+
+  # for tracking & getting logs of the pods created by workflow controller to implement individual steps in the workflow
+  - apiGroups: ['']
+    resources: ['pods/log', 'pods/exec']
+    verbs: ['get', 'watch', 'create', 'delete', 'patch']
+  - apiGroups: ['']
+    resources: ['secrets', 'configmaps']
+    verbs: ['get', 'watch', 'create', 'patch']
+
+  # for creation & deletion of application in predefined workflows
+  - apiGroups: ['apps']
+    resources: ['deployments']
+    verbs: ['delete']
+  - apiGroups: ['apps']
+    resources: ['deployments', 'statefulsets']
+    verbs: ['get', 'watch', 'patch' , 'create']
+
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources:
+      ["chaosengines", "chaosexperiments", "chaosresults", "chaosschedules"]
+    verbs: ["create", "list", "get", "patch", "delete", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: argo-binding
+  name: chaos-cluster-role-binding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: argo-cluster-role
+  name: chaos-cluster-role
 subjects:
   - kind: ServiceAccount
-    name: argo
+    name: argo-chaos
     namespace: #{INFRA_NAMESPACE}
diff --git a/chaoscenter/graphql/server/manifests/cluster/1c_argo_deployment.yaml b/chaoscenter/graphql/server/manifests/cluster/1c_argo_deployment.yaml
@@ -67,4 +67,4 @@ spec:
               memory: "500Mi"
               cpu: "225m"
               ephemeral-storage: "1Gi"
-      serviceAccountName: argo
+      serviceAccountName: #{INFRA_SERVICE_ACCOUNT}
diff --git a/chaoscenter/graphql/server/manifests/cluster/2b_litmus_admin_rbac.yaml b/chaoscenter/graphql/server/manifests/cluster/2b_litmus_admin_rbac.yaml
@@ -0,0 +1,123 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: litmus-admin
+  namespace: #{INFRA_NAMESPACE}
+  labels:
+    name: litmus-admin
+---
+# Source: openebs/templates/clusterrole.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: litmus-admin
+  labels:
+    name: litmus-admin
+rules:
+  # ***************************************************************************************
+  # Permissions needed for preparing and monitor the chaos resources by chaos-runner
+  # ***************************************************************************************
+
+  # The chaos operator watches the chaosengine resource and orchestrates the chaos experiment..
+  ## .. by creating the chaos-runner
+
+  # for creating and monitoring the chaos-runner pods
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create","get","list","patch","update"]
+
+    # for fetching configmaps and secrets to inject into chaos-runner pod (if specified)
+  - apiGroups: [""]
+    resources: ["secrets", "configmaps"]
+    verbs: ["get", "list"]
+
+    # for tracking & getting logs of the pods created by chaos-runner to implement individual steps in the runner
+  - apiGroups: [""]
+    resources: ["pods/log"]
+    verbs: ["get", "list", "watch"]
+
+    # for configuring and monitor the experiment job by chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create", "list", "get", "delete", "deletecollection"]
+
+  # ********************************************************************
+  # Permissions needed for creation and discovery of chaos experiments
+  # ********************************************************************
+
+  # The helper pods are created by experiment to perform the actual chaos injection ...
+  # ... for a period of chaos duration
+
+  # for creating and managing to execute comands inside target container
+  - apiGroups: [""]
+    resources: ["pods/exec","pods/eviction","replicationcontrollers"]
+    verbs: ["get","list","create"]
+
+    # for tracking & getting logs of the pods created by experiment pod to implement individual steps in the experiment
+  - apiGroups: [""]
+    resources: ["pods/log"]
+    verbs: ["get", "list", "watch"]
+
+  # for creating and monitoring liveness services or monitoring target app services during chaos injection
+  - apiGroups: [""]
+    resources: ["services"]
+    verbs: ["create","get","list"]
+
+    # for checking the app parent resources as deployments or sts and are eligible chaos candidates
+  - apiGroups: ["apps"]
+    resources: ["deployments", "statefulsets"]
+    verbs: ["list", "get", "patch", "update"]
+
+    # for checking the app parent resources as replicasets and are eligible chaos candidates
+  - apiGroups: ["apps"]
+    resources: ["replicasets"]
+    verbs: ["list", "get"]
+
+  # for checking the app parent resources as deamonsets and are eligible chaos candidates
+  - apiGroups: ["apps"]
+    resources: ["daemonsets"]
+    verbs: ["list","get"]
+
+    # for checking (openshift) app parent resources if they are eligible chaos candidates
+  - apiGroups: ["apps.openshift.io"]
+    resources: ["deploymentconfigs"]
+    verbs: ["list", "get"]
+
+    # for checking (argo) app parent resources if they are eligible chaos candidates
+  - apiGroups: ["argoproj.io"]
+    resources: ["rollouts"]
+    verbs: ["list", "get"]
+
+  # performs CRUD operations on the network policies
+  - apiGroups: ["networking.k8s.io"]
+    resources: ["networkpolicies"]
+    verbs: ["create","delete","list","get"]
+
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
+
+    # for experiment to perform node status checks and other node level operations like taint, drain in the experiment.
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["patch", "get", "list", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: litmus-admin
+  labels:
+    name: litmus-admin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: litmus-admin
+subjects:
+  - kind: ServiceAccount
+    name: litmus-admin
+    namespace: #{INFRA_NAMESPACE}
diff --git a/chaoscenter/graphql/server/manifests/cluster/2b_litmus_rbac.yaml b/chaoscenter/graphql/server/manifests/cluster/2b_litmus_rbac.yaml
diff --git a/chaoscenter/graphql/server/manifests/cluster/2c_litmus_deployment.yaml b/chaoscenter/graphql/server/manifests/cluster/2c_litmus_deployment.yaml
@@ -30,7 +30,7 @@ spec:
         app.kubernetes.io/managed-by: kubectl
         name: chaos-operator
     spec:
-      serviceAccountName: litmus-cluster-scope
+      serviceAccountName: #{INFRA_SERVICE_ACCOUNT}
       #{TOLERATIONS}
       #{NODE_SELECTOR}
       containers:
@@ -114,7 +114,7 @@ spec:
               memory: "500Mi"
               cpu: "225m"
               ephemeral-storage: "1Gi"
-      serviceAccountName: litmus-cluster-scope
+      serviceAccountName: #{INFRA_SERVICE_ACCOUNT}
 ---
 apiVersion: v1
 kind: Service