rewrite

Author: rxbn

README.md

@@ -1,46 +1,69 @@
 # terrascaler
 
-Terrascaler is an external gRPC cloud provider for Kubernetes Cluster Autoscaler.
-Instead of creating machines directly, it updates a configured integer value in a
-Terraform/OpenTofu repository through the GitLab API. The resulting GitLab commit
-can then trigger the repository's CI pipeline to run Terraform/OpenTofu and add
-workers.
+Terrascaler is a small Kubernetes autoscaler for clusters whose worker count is
+managed by Terraform/OpenTofu in GitLab.
 
-The implementation follows the Cluster Autoscaler external gRPC provider service:
-`clusterautoscaler.cloudprovider.v1.externalgrpc.CloudProvider`.
+It does not implement a Kubernetes Cluster Autoscaler cloud provider. Instead,
+Terrascaler runs its own reduced autoscaling loop:
+
+1. Read the current Terraform worker count from GitLab.
+2. List Kubernetes nodes and pods.
+3. Find pending unscheduled pods.
+4. Estimate whether those pods fit on current worker capacity.
+5. If not, compute how many worker nodes are needed.
+6. Commit the updated Terraform worker count to GitLab.
+
+The GitLab commit is expected to trigger the repository's CI pipeline, which then
+runs Terraform/OpenTofu and adds workers.
 
 ## Scope
 
-Terrascaler currently supports scale-up only. `NodeGroupIncreaseSize` reads the
-configured Terraform attribute, adds the autoscaler delta, and commits the updated
-file to GitLab. Node deletion and target-size decreases intentionally return
-`Unimplemented`.
+Terrascaler intentionally supports a narrow feature set:
+
+- scale up only
+- one Terraform-managed worker group
+- CPU, memory, and pod-count bin packing
+- optional node label selector for Terraform-managed workers
+- no cloud provider integrations
+- no scale down
+- no expander strategies, priorities, balancing, or pricing logic
 
 ## Configuration
 
 All settings can be passed as flags or environment variables.
 
-| Flag                   | Environment                      | Required | Default    | Description                                                   |
-| ---------------------- | -------------------------------- | -------- | ---------- | ------------------------------------------------------------- |
-| `--listen`             | `TERRASCALER_LISTEN`             | no       | `:8080`    | gRPC listen address                                           |
-| `--tls-cert-file`      | `TERRASCALER_TLS_CERT_FILE`      | no       |            | Server TLS certificate file                                   |
-| `--tls-key-file`       | `TERRASCALER_TLS_KEY_FILE`       | no       |            | Server TLS key file                                           |
-| `--tls-client-ca-file` | `TERRASCALER_TLS_CLIENT_CA_FILE` | no       |            | Client CA file; enables mTLS when set                         |
-| `--gitlab-base-url`    | `GITLAB_BASE_URL`                | no       | GitLab.com | GitLab URL, for example `https://gitlab.example.com`          |
-| `--gitlab-token`       | `GITLAB_TOKEN`                   | yes      |            | GitLab API token with repository write access                 |
-| `--gitlab-project`     | `GITLAB_PROJECT`                 | yes      |            | GitLab project ID or path, for example `group/platform/infra` |
-| `--gitlab-branch`      | `GITLAB_BRANCH`                  | no       | `main`     | Branch to update                                              |
-| `--file`               | `TERRASCALER_FILE`               | yes      |            | Terraform file path in the repository                         |
-| `--block-type`         | `TERRASCALER_BLOCK_TYPE`         | no       | `module`   | Terraform block type containing the field                     |
-| `--block-labels`       | `TERRASCALER_BLOCK_LABELS`       | no       |            | Comma-separated block labels                                  |
-| `--attribute`          | `TERRASCALER_ATTRIBUTE`          | yes      |            | Integer Terraform attribute to update                         |
-| `--node-group-id`      | `TERRASCALER_NODE_GROUP_ID`      | no       | `default`  | Node group ID exposed to Cluster Autoscaler                   |
-| `--min-size`           | `TERRASCALER_MIN_SIZE`           | no       | `0`        | Node group minimum                                            |
-| `--max-size`           | `TERRASCALER_MAX_SIZE`           | no       | `100`      | Node group maximum                                            |
-| `--template-cpu`       | `TERRASCALER_TEMPLATE_CPU`       | no       | `2`        | Template node CPU capacity for scale-up simulation            |
-| `--template-memory`    | `TERRASCALER_TEMPLATE_MEMORY`    | no       | `8Gi`      | Template node memory capacity                                 |
-| `--template-pods`      | `TERRASCALER_TEMPLATE_PODS`      | no       | `110`      | Template node pod capacity                                    |
-| `--template-labels`    | `TERRASCALER_TEMPLATE_LABELS`    | no       |            | Comma-separated labels for the template node, `key=value`     |
+| Flag                    | Environment                       | Required | Default           | Description                                                                     |
+| ----------------------- | --------------------------------- | -------- | ----------------- | ------------------------------------------------------------------------------- |
+| `--kubeconfig`          | `KUBECONFIG`                      | no       | in-cluster config | Path to kubeconfig                                                              |
+| `--check-interval`      | `TERRASCALER_CHECK_INTERVAL`      | no       | `1m`              | Autoscaling check interval                                                      |
+| `--scale-up-cooldown`   | `TERRASCALER_SCALE_UP_COOLDOWN`   | no       | `5m`              | Minimum time between scale-up commits                                           |
+| `--pending-pod-min-age` | `TERRASCALER_PENDING_POD_MIN_AGE` | no       | `30s`             | Minimum age for pending pods without an Unschedulable condition                 |
+| `--metrics-address`     | `TERRASCALER_METRICS_ADDRESS`     | no       | `:8080`           | Prometheus metrics listen address; empty disables metrics                       |
+| `--once`                | `TERRASCALER_ONCE`                | no       | `false`           | Run one autoscaling check and exit                                              |
+| `--dry-run`             | `TERRASCALER_DRY_RUN`             | no       | `false`           | Log intended scaling actions without updating GitLab                            |
+| `--gitlab-base-url`     | `GITLAB_BASE_URL`                 | no       | GitLab.com        | GitLab URL, for example `https://gitlab.example.com`                            |
+| `--gitlab-token`        | `GITLAB_TOKEN`                    | yes      |                   | GitLab API token with repository write access                                   |
+| `--gitlab-project`      | `GITLAB_PROJECT`                  | yes      |                   | GitLab project ID or path, for example `group/platform/infra`                   |
+| `--gitlab-branch`       | `GITLAB_BRANCH`                   | no       | `main`            | Branch to update                                                                |
+| `--gitlab-merge-request` | `TERRASCALER_GITLAB_MERGE_REQUEST` | no | `false` | Create or update a GitLab merge request instead of committing directly |
+| `--gitlab-mr-branch-prefix` | `TERRASCALER_GITLAB_MR_BRANCH_PREFIX` | no | `terrascaler/scale` | Branch prefix for merge request mode |
+| `--gitlab-mr-title` | `TERRASCALER_GITLAB_MR_TITLE` | no | `terrascaler: scale worker count` | Merge request title |
+| `--gitlab-mr-description` | `TERRASCALER_GITLAB_MR_DESCRIPTION` | no | automated proposal text | Merge request description prefix |
+| `--gitlab-mr-labels` | `TERRASCALER_GITLAB_MR_LABELS` | no | `terrascaler` | Comma-separated merge request labels |
+| `--gitlab-mr-assignee-ids` | `TERRASCALER_GITLAB_MR_ASSIGNEE_IDS` | no | | Comma-separated GitLab user IDs to assign |
+| `--gitlab-mr-reviewer-ids` | `TERRASCALER_GITLAB_MR_REVIEWER_IDS` | no | | Comma-separated GitLab user IDs to request review from |
+| `--gitlab-mr-remove-source-branch` | `TERRASCALER_GITLAB_MR_REMOVE_SOURCE_BRANCH` | no | `true` | Remove MR source branch after merge |
+| `--file`                | `TERRASCALER_FILE`                | yes      |                   | Terraform file path in the repository                                           |
+| `--block-type`          | `TERRASCALER_BLOCK_TYPE`          | no       | `module`          | Terraform block type containing the field                                       |
+| `--block-labels`        | `TERRASCALER_BLOCK_LABELS`        | no       |                   | Comma-separated Terraform block labels                                          |
+| `--attribute`           | `TERRASCALER_ATTRIBUTE`           | yes      |                   | Integer Terraform attribute to update                                           |
+| `--min-size`            | `TERRASCALER_MIN_SIZE`            | no       | `0`               | Minimum target size                                                             |
+| `--max-size`            | `TERRASCALER_MAX_SIZE`            | no       | `100`             | Maximum target size                                                             |
+| `--node-selector`       | `TERRASCALER_NODE_SELECTOR`       | no       |                   | Comma-separated node labels, `key=value`, identifying Terraform-managed workers |
+| `--template-cpu`        | `TERRASCALER_TEMPLATE_CPU`        | no       | `2`               | New worker CPU capacity                                                         |
+| `--template-memory`     | `TERRASCALER_TEMPLATE_MEMORY`     | no       | `8Gi`             | New worker memory capacity                                                      |
+| `--template-pods`       | `TERRASCALER_TEMPLATE_PODS`       | no       | `110`             | New worker pod capacity                                                         |
+| `--template-labels`     | `TERRASCALER_TEMPLATE_LABELS`     | no       |                   | Reserved metadata for new worker labels                                         |
 
 Example for:
 
@@ -59,30 +82,53 @@ terrascaler \
   --block-type module \
   --block-labels hostedcluster \
   --attribute worker_count \
-  --node-group-id hostedcluster-workers \
   --min-size 3 \
-  --max-size 20
+  --max-size 20 \
+  --node-selector node-role.kubernetes.io/worker= \
+  --template-cpu 4 \
+  --template-memory 16Gi \
+  --template-pods 110
 ```
 
-Cluster Autoscaler should use `--cloud-provider=externalgrpc` and a cloud config
-that points at this service address, as documented by upstream Kubernetes
-Autoscaler.
+## Autoscaling Behavior
 
-```yaml
-address: terrascaler.default.svc.cluster.local:8080
-grpc_timeout: 30s
-```
+Terrascaler considers a pod eligible for scale-up when it is pending, not bound to
+a node, and either:
+
+- has `PodScheduled=False` with reason `Unschedulable`, or
+- is older than `--pending-pod-min-age`.
 
-For TLS or mTLS, provide `--tls-cert-file` and `--tls-key-file` to Terrascaler.
-Providing `--tls-client-ca-file` enables client certificate verification, matching
-the upstream external gRPC provider recommendation.
+It subtracts scheduled pod requests from matching ready schedulable nodes, then
+tries to pack eligible pending pods into the remaining capacity. Any pods that do
+not fit are packed onto synthetic nodes using `--template-cpu`,
+`--template-memory`, and `--template-pods`. The number of synthetic nodes needed
+is added to the current Terraform target, capped at `--max-size`.
 
-## Notes
+## Monitoring
 
-The target Terraform value must currently be a literal integer. Values such as
+Terrascaler exposes Prometheus metrics on `/metrics` at `--metrics-address`.
+
+Important metrics:
+
+- `terrascaler_scale_down_potential_nodes`: approximate number of nodes that may
+  be removable. Terrascaler only reports this and does not scale down.
+- `terrascaler_current_target_nodes`: current Terraform target node count.
+- `terrascaler_desired_target_nodes`: desired target node count from the latest
+  plan.
+- `terrascaler_new_nodes_required`: new nodes needed by the latest plan.
+- `terrascaler_last_check_success`: `1` when the last check succeeded.
+
+The target Terraform value must be a literal integer. Values such as
 `worker_count = var.worker_count` are rejected because Terrascaler cannot safely
 evaluate them from a single file.
 
+## Merge Request Mode
+
+By default Terrascaler commits directly to `--gitlab-branch`. With
+`--gitlab-merge-request`, Terrascaler creates a branch from the target branch,
+commits the Terraform change there, and opens a GitLab merge request. Optional
+assignee and reviewer settings use GitLab numeric user IDs.
+
 ## Development
 
 Common targets follow the other Containeroo Go tools:

cmd/terrascaler/main.go

@@ -1,21 +1,23 @@
 package main
 
 import (
-	"crypto/tls"
-	"crypto/x509"
+	"context"
 	"errors"
 	"log"
 	"log/slog"
-	"net"
+	"net/http"
 	"os"
+	"os/signal"
+	"syscall"
 
-	"google.golang.org/grpc"
-	"google.golang.org/grpc/credentials"
+	"github.com/prometheus/client_golang/prometheus/promhttp"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/clientcmd"
 
+	"github.com/containeroo/terrascaler/internal/autoscaler"
 	"github.com/containeroo/terrascaler/internal/config"
-	"github.com/containeroo/terrascaler/internal/externalgrpc"
 	"github.com/containeroo/terrascaler/internal/gitlab"
-	"github.com/containeroo/terrascaler/internal/provider"
 	"github.com/containeroo/terrascaler/internal/terraform"
 )
 
@@ -32,12 +34,31 @@ func main() {
 		log.Fatalf("load config: %v", err)
 	}
 
+	kubeConfig, err := loadKubeConfig(cfg.Kubeconfig)
+	if err != nil {
+		log.Fatalf("load Kubernetes config: %v", err)
+	}
+	kubeClient, err := kubernetes.NewForConfig(kubeConfig)
+	if err != nil {
+		log.Fatalf("create Kubernetes client: %v", err)
+	}
+
 	gitlabClient, err := gitlab.New(gitlab.Config{
 		BaseURL: cfg.GitLabBaseURL,
 		Token:   cfg.GitLabToken,
 		Project: cfg.GitLabProject,
 		Branch:  cfg.GitLabBranch,
-		File:    cfg.FilePath,
+		MR: gitlab.MergeRequestConfig{
+			Enabled:            cfg.GitLabMR.Enabled,
+			BranchPrefix:       cfg.GitLabMR.BranchPrefix,
+			Title:              cfg.GitLabMR.Title,
+			Description:        cfg.GitLabMR.Description,
+			Labels:             cfg.GitLabMR.Labels,
+			AssigneeIDs:        cfg.GitLabMR.AssigneeIDs,
+			ReviewerIDs:        cfg.GitLabMR.ReviewerIDs,
+			RemoveSourceBranch: cfg.GitLabMR.RemoveSourceBranch,
+		},
+		File: cfg.FilePath,
 		Target: terraform.Target{
 			BlockType: cfg.BlockType,
 			Labels:    cfg.Labels,
@@ -48,68 +69,89 @@ func main() {
 		log.Fatalf("create GitLab client: %v", err)
 	}
 
-	listener, err := net.Listen("tcp", cfg.ListenAddress)
-	if err != nil {
-		log.Fatalf("listen on %s: %v", cfg.ListenAddress, err)
-	}
-
-	serverOptions, err := grpcServerOptions(cfg)
+	runner, err := autoscaler.NewRunner(cfg, kubeClient, gitlabClient, logger.With("component", "autoscaler"))
 	if err != nil {
-		log.Fatalf("configure gRPC server: %v", err)
+		log.Fatalf("create autoscaler: %v", err)
 	}
+	runner.SetMetrics(autoscaler.NewMetrics(nil))
 
-	grpcServer := grpc.NewServer(serverOptions...)
-	providerServer := provider.New(cfg, gitlabClient, logger.With("component", "provider"))
-	externalgrpc.RegisterCloudProviderServer(grpcServer, providerServer)
+	ctx, stop := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
+	defer stop()
 
 	logger.Info("starting terrascaler",
 		"version", Version,
-		"listen_address", cfg.ListenAddress,
-		"node_group", cfg.NodeGroupID,
+		"check_interval", cfg.CheckInterval.String(),
+		"scale_up_cooldown", cfg.ScaleUpCooldown.String(),
+		"pending_pod_min_age", cfg.PendingPodMinAge.String(),
+		"metrics_address", cfg.MetricsAddress,
 		"min_size", cfg.MinSize,
 		"max_size", cfg.MaxSize,
+		"dry_run", cfg.DryRun,
+		"once", cfg.Once,
 		"gitlab_base_url", cfg.GitLabBaseURL,
 		"gitlab_project", cfg.GitLabProject,
 		"gitlab_branch", cfg.GitLabBranch,
+		"gitlab_merge_request", cfg.GitLabMR.Enabled,
+		"gitlab_mr_branch_prefix", cfg.GitLabMR.BranchPrefix,
 		"terraform_file", cfg.FilePath,
 		"terraform_block_type", cfg.BlockType,
 		"terraform_block_labels", cfg.Labels,
 		"terraform_attribute", cfg.Attribute,
-		"tls_enabled", cfg.TLSCertFile != "",
-		"mtls_enabled", cfg.TLSClientCA != "",
+		"node_selector", cfg.NodeSelector,
+		"template_cpu", cfg.TemplateCPU,
+		"template_memory", cfg.TemplateMemory,
+		"template_pods", cfg.TemplatePods,
 	)
-	if err := grpcServer.Serve(listener); err != nil {
-		log.Fatalf("serve gRPC: %v", err)
+
+	metricsServer := startMetricsServer(cfg.MetricsAddress, logger)
+	if metricsServer != nil {
+		defer func() {
+			if err := metricsServer.Shutdown(context.Background()); err != nil {
+				logger.Error("shutdown metrics server", "error", err)
+			}
+		}()
+	}
+
+	if err := runner.Run(ctx); err != nil && !errors.Is(err, context.Canceled) {
+		log.Fatalf("run autoscaler: %v", err)
 	}
 }
 
-func grpcServerOptions(cfg config.Config) ([]grpc.ServerOption, error) {
-	if cfg.TLSCertFile == "" {
-		return nil, nil
+func startMetricsServer(address string, logger *slog.Logger) *http.Server {
+	if address == "" {
+		logger.Info("metrics server disabled")
+		return nil
 	}
 
-	cert, err := tls.LoadX509KeyPair(cfg.TLSCertFile, cfg.TLSKeyFile)
-	if err != nil {
-		return nil, err
+	mux := http.NewServeMux()
+	mux.Handle("/metrics", promhttp.Handler())
+	server := &http.Server{
+		Addr:    address,
+		Handler: mux,
 	}
+	go func() {
+		logger.Info("starting metrics server", "address", address)
+		if err := server.ListenAndServe(); err != nil && !errors.Is(err, http.ErrServerClosed) {
+			logger.Error("metrics server failed", "error", err)
+		}
+	}()
+	return server
+}
 
-	tlsConfig := &tls.Config{
-		MinVersion:   tls.VersionTLS12,
-		Certificates: []tls.Certificate{cert},
+func loadKubeConfig(path string) (*rest.Config, error) {
+	if path != "" {
+		return clientcmd.BuildConfigFromFlags("", path)
 	}
 
-	if cfg.TLSClientCA != "" {
-		caPEM, err := os.ReadFile(cfg.TLSClientCA)
-		if err != nil {
-			return nil, err
-		}
-		pool := x509.NewCertPool()
-		if !pool.AppendCertsFromPEM(caPEM) {
-			return nil, errors.New("failed to parse client CA")
-		}
-		tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
-		tlsConfig.ClientCAs = pool
+	config, err := rest.InClusterConfig()
+	if err == nil {
+		return config, nil
 	}
 
-	return []grpc.ServerOption{grpc.Creds(credentials.NewTLS(tlsConfig))}, nil
+	loadingRules := clientcmd.NewDefaultClientConfigLoadingRules()
+	clientConfig := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(
+		loadingRules,
+		&clientcmd.ConfigOverrides{},
+	)
+	return clientConfig.ClientConfig()
 }