initial commit

elasticroentgen · elasticroentgen · commit 0899a2f9e7d1 · 2025-05-22T14:31:10.000+02:00
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -0,0 +1,19 @@
+name: Build and Deploy Vue.js App
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main  # Set to the branch name you use for releases
+    tags: ['v*.*.*']
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  call-docker-build:
+    uses: ethdevops/workflows/.github/workflows/basic-docker-build.yaml@main
+    secrets:
+      docker_registry_user: ${{ secrets.DOCKER_REGISTRY_USER }}
+      docker_registry_password: ${{ secrets.DOCKER_REGISTRY_SECRET }}
+ 
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,11 @@
+FROM python:3.11-slim
+
+WORKDIR /app
+
+COPY requirements.txt .
+RUN pip install --no-cache-dir -r requirements.txt
+
+COPY service_monitor.py .
+RUN chmod +x service_monitor.py
+
+CMD ["./service_monitor.py"]
diff --git a/README.md b/README.md
@@ -0,0 +1,103 @@
+# Kubernetes LoadBalancer Service Monitor
+
+This tool monitors Kubernetes LoadBalancer services for changes and triggers GitHub Actions workflows in response to those changes.
+
+## Overview
+
+The service monitor watches for any changes (creation, modification, or deletion) to LoadBalancer services across all namespaces in your Kubernetes cluster. When a change is detected, it triggers the `ansible.yaml` workflow in the `ethdevops/internal-stack-iac` repository with specific parameters.
+
+## Prerequisites
+
+- Kubernetes cluster access
+- GitHub Personal Access Token with workflow permissions
+- Docker (for building the container image)
+- kubectl configured with cluster access
+
+## Configuration
+
+### 1. Build the Docker Image
+
+```bash
+docker build -t your-registry/service-monitor:latest .
+docker push your-registry/service-monitor:latest
+```
+
+### 2. Create GitHub Token Secret
+
+Create a GitHub Personal Access Token with workflow permissions and create the secret:
+
+```bash
+# Replace YOUR_GITHUB_TOKEN with your actual token
+kubectl create namespace monitoring
+echo -n 'YOUR_GITHUB_TOKEN' | base64 | kubectl create secret generic github-token \
+    --namespace monitoring \
+    --from-file=GITHUB_TOKEN=/dev/stdin
+```
+
+### 3. Update Deployment Image
+
+Edit `k8s/deployment.yaml` and update the image field with your registry path:
+
+```yaml
+image: your-registry/service-monitor:latest
+```
+
+### 4. Deploy to Kubernetes
+
+```bash
+kubectl apply -f k8s/rbac.yaml
+kubectl apply -f k8s/deployment.yaml
+```
+
+## Verification
+
+Check if the pod is running:
+
+```bash
+kubectl get pods -n monitoring
+```
+
+View the logs:
+
+```bash
+kubectl logs -n monitoring -l app=service-monitor -f
+```
+
+## How It Works
+
+1. The service monitor uses the Kubernetes API to watch for changes in LoadBalancer services
+2. When a change is detected, it triggers the GitHub Actions workflow with:
+   - Tenant: ethquokkaops
+   - Project: colo-loadbalancers
+
+## Troubleshooting
+
+### Check Pod Status
+```bash
+kubectl describe pod -n monitoring -l app=service-monitor
+```
+
+### Check Logs
+```bash
+kubectl logs -n monitoring -l app=service-monitor -f
+```
+
+### Common Issues
+
+1. **Pod can't pull image**: Check your image registry credentials and image path
+2. **Permission denied**: Verify RBAC permissions are correctly configured
+3. **GitHub workflow not triggering**: Check the GitHub token permissions and validity
+
+## Security Considerations
+
+- The service runs with minimal permissions using RBAC
+- The container runs as a non-root user
+- The filesystem is read-only
+- The container has resource limits defined
+
+## Maintenance
+
+- Regularly update the dependencies in `requirements.txt`
+- Monitor the pod's resource usage and adjust limits as needed
+- Rotate the GitHub token periodically
+- Keep the Docker base image updated for security patches
diff --git a/k8s/deployment.yaml b/k8s/deployment.yaml
@@ -0,0 +1,40 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: service-monitor
+  namespace: monitoring
+  labels:
+    app: service-monitor
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: service-monitor
+  template:
+    metadata:
+      labels:
+        app: service-monitor
+    spec:
+      serviceAccountName: service-monitor
+      containers:
+      - name: service-monitor
+        image: service-monitor:latest  # Update this with your registry/image:tag
+        imagePullPolicy: Always
+        env:
+        - name: GITHUB_TOKEN
+          valueFrom:
+            secretKeyRef:
+              name: github-token
+              key: GITHUB_TOKEN
+        resources:
+          requests:
+            cpu: "100m"
+            memory: "128Mi"
+          limits:
+            cpu: "200m"
+            memory: "256Mi"
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsNonRoot: true
+          runAsUser: 1000
+          readOnlyRootFilesystem: true
diff --git a/k8s/rbac.yaml b/k8s/rbac.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: service-monitor
+  namespace: monitoring
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: service-monitor
+rules:
+- apiGroups: [""]
+  resources: ["services"]
+  verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: service-monitor
+subjects:
+- kind: ServiceAccount
+  name: service-monitor
+  namespace: monitoring
+roleRef:
+  kind: ClusterRole
+  name: service-monitor
+  apiGroup: rbac.authorization.k8s.io
diff --git a/k8s/secret.yaml b/k8s/secret.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: github-token
+  namespace: monitoring
+type: Opaque
+data:
+  # Replace this with your base64 encoded GitHub token
+  # Example: echo -n "your-token" | base64
+  GITHUB_TOKEN: "YOUR_BASE64_ENCODED_TOKEN"
diff --git a/requirements.txt b/requirements.txt
@@ -0,0 +1,2 @@
+kubernetes==29.0.0
+PyGithub==2.2.0
diff --git a/service_monitor.py b/service_monitor.py
@@ -0,0 +1,110 @@
+#!/usr/bin/env python3
+
+import os
+import logging
+from kubernetes import client, config, watch
+from github import Github
+
+# Configure logging
+logging.basicConfig(
+    level=logging.INFO,
+    format='%(asctime)s - %(name)s - %(levelname)s - %(message)s'
+)
+logger = logging.getLogger(__name__)
+
+# GitHub configuration
+GITHUB_TOKEN = os.environ.get('GITHUB_TOKEN')
+GITHUB_REPO = "ethdevops/internal-stack-iac"
+WORKFLOW_FILE = "ansible.yaml"
+TENANT = "ethquokkaops"
+PROJECT = "colo-loadbalancers"
+
+def trigger_github_workflow(gh_token, event_type):
+    """
+    Trigger GitHub Actions workflow with the specified parameters
+    """
+    try:
+        g = Github(gh_token)
+        repo = g.get_repo(GITHUB_REPO)
+        
+        # Get the workflow by filename
+        workflow = None
+        for wf in repo.get_workflows():
+            if wf.path.endswith(WORKFLOW_FILE):
+                workflow = wf
+                break
+        
+        if workflow is None:
+            logger.error(f"Workflow {WORKFLOW_FILE} not found")
+            return False
+
+        # Create workflow dispatch event with inputs
+        workflow.create_dispatch(
+            ref="main",  # You might want to make this configurable
+            inputs={
+                "tenant": TENANT,
+                "project": PROJECT
+            }
+        )
+        
+        logger.info(f"Successfully triggered workflow for event: {event_type}")
+        return True
+    
+    except Exception as e:
+        logger.error(f"Failed to trigger workflow: {str(e)}")
+        return False
+
+def watch_services():
+    """
+    Watch for changes in LoadBalancer services
+    """
+    try:
+        # Try to load in-cluster config first
+        try:
+            config.load_incluster_config()
+        except config.ConfigException:
+            config.load_kube_config()
+
+        v1 = client.CoreV1Api()
+        w = watch.Watch()
+        
+        logger.info("Starting to watch LoadBalancer services...")
+        
+        for event in w.stream(v1.list_service_for_all_namespaces):
+            service = event['object']
+            
+            # Only process LoadBalancer services
+            if service.spec.type == 'LoadBalancer':
+                event_type = event['type']
+                logger.info(f"LoadBalancer service event: {event_type} - {service.metadata.namespace}/{service.metadata.name}")
+                
+                # Trigger workflow for relevant events
+                if event_type in ['ADDED', 'MODIFIED', 'DELETED']:
+                    if GITHUB_TOKEN:
+                        trigger_github_workflow(GITHUB_TOKEN, event_type)
+                    else:
+                        logger.error("GITHUB_TOKEN environment variable not set")
+
+    except Exception as e:
+        logger.error(f"Error watching services: {str(e)}")
+        raise
+
+def main():
+    """
+    Main function to start the service monitor
+    """
+    if not GITHUB_TOKEN:
+        logger.error("GITHUB_TOKEN environment variable must be set")
+        exit(1)
+
+    while True:
+        try:
+            watch_services()
+        except Exception as e:
+            logger.error(f"Error in main loop: {str(e)}")
+            # Wait a bit before retrying
+            import time
+            time.sleep(5)
+
+if __name__ == "__main__":
+    main()

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+kubernetes==29.0.0`
	`2`	`+PyGithub==2.2.0`