studio/wfe
2
0
Fork 0
Code Issues Pull Requests Actions Packages Releases 10 Activity
Files
e00db9e58dae66ed1f8997b31da3a5ea8c16e0e9
wfe/wfe-kubernetes/src/manifests.rs

423 lines
13 KiB
Rust
Raw Normal View History

feat(wfe-kubernetes): Job manifest builder and output parsing
2026-04-06 16:41:55 +01:00
use std::collections::{BTreeMap, HashMap};
use k8s_openapi::api::batch::v1::{Job, JobSpec};
use k8s_openapi::api::core::v1::{
Container, EnvVar, LocalObjectReference, PodSpec, PodTemplateSpec, ResourceRequirements,
};
use k8s_openapi::apimachinery::pkg::api::resource::Quantity;
use kube::api::ObjectMeta;
use crate::config::{ClusterConfig, KubernetesStepConfig};
const LABEL_STEP_NAME: &str = "wfe.sunbeam.pt/step-name";
const LABEL_MANAGED_BY: &str = "wfe.sunbeam.pt/managed-by";
/// Build a Kubernetes Job manifest from step configuration.
pub fn build_job(
config: &KubernetesStepConfig,
step_name: &str,
namespace: &str,
env_overrides: &HashMap<String, String>,
cluster: &ClusterConfig,
) -> Job {
let job_name = sanitize_name(step_name);
// Build container command.
let (command, args) = resolve_command(config);
// Merge environment variables: overrides first, then config (config wins).
let env_vars = build_env_vars(env_overrides, &config.env);
// Resource limits.
let resources = build_resources(&config.memory, &config.cpu);
// Image pull policy.
let pull_policy = config
.pull_policy
.clone()
.unwrap_or_else(|| "IfNotPresent".to_string());
let mut labels = BTreeMap::new();
labels.insert(LABEL_STEP_NAME.into(), step_name.to_string());
labels.insert(LABEL_MANAGED_BY.into(), "wfe-kubernetes".into());
let container = Container {
name: "step".into(),
image: Some(config.image.clone()),
command,
args,
env: Some(env_vars),
working_dir: config.working_dir.clone(),
resources: Some(resources),
image_pull_policy: Some(pull_policy),
..Default::default()
};
let image_pull_secrets = if cluster.image_pull_secrets.is_empty() {
None
} else {
Some(
cluster
.image_pull_secrets
.iter()
.map(|s| LocalObjectReference {
name: s.clone(),
})
.collect(),
)
};
let node_selector = if cluster.node_selector.is_empty() {
None
} else {
Some(cluster.node_selector.iter().map(|(k, v)| (k.clone(), v.clone())).collect::<BTreeMap<_, _>>())
};
Job {
metadata: ObjectMeta {
name: Some(job_name),
namespace: Some(namespace.to_string()),
labels: Some(labels.clone()),
..Default::default()
},
spec: Some(JobSpec {
backoff_limit: Some(0),
ttl_seconds_after_finished: Some(300),
template: PodTemplateSpec {
metadata: Some(ObjectMeta {
labels: Some(labels),
..Default::default()
}),
spec: Some(PodSpec {
containers: vec![container],
restart_policy: Some("Never".into()),
service_account_name: cluster.service_account.clone(),
image_pull_secrets,
node_selector,
..Default::default()
}),
},
..Default::default()
}),
..Default::default()
}
}
/// Resolve command and args from config.
fn resolve_command(config: &KubernetesStepConfig) -> (Option<Vec<String>>, Option<Vec<String>>) {
if let Some(ref cmd) = config.command {
(Some(cmd.clone()), None)
} else if let Some(ref run) = config.run {
(
Some(vec!["/bin/sh".into(), "-c".into()]),
Some(vec![run.clone()]),
)
} else {
(None, None)
}
}
/// Build environment variables, merging overrides and config.
fn build_env_vars(
overrides: &HashMap<String, String>,
config_env: &HashMap<String, String>,
) -> Vec<EnvVar> {
let mut merged: HashMap<String, String> = overrides.clone();
// Config env wins over overrides.
for (k, v) in config_env {
merged.insert(k.clone(), v.clone());
}
let mut vars: Vec<EnvVar> = merged
.into_iter()
.map(|(name, value)| EnvVar {
name,
value: Some(value),
..Default::default()
})
.collect();
vars.sort_by(|a, b| a.name.cmp(&b.name));
vars
}
/// Build resource requirements from memory and CPU strings.
fn build_resources(memory: &Option<String>, cpu: &Option<String>) -> ResourceRequirements {
let mut limits = BTreeMap::new();
let mut requests = BTreeMap::new();
if let Some(mem) = memory {
limits.insert("memory".into(), Quantity(mem.clone()));
requests.insert("memory".into(), Quantity(mem.clone()));
}
if let Some(cpu_val) = cpu {
limits.insert("cpu".into(), Quantity(cpu_val.clone()));
requests.insert("cpu".into(), Quantity(cpu_val.clone()));
}
ResourceRequirements {
limits: if limits.is_empty() {
None
} else {
Some(limits)
},
requests: if requests.is_empty() {
None
} else {
Some(requests)
},
..Default::default()
}
}
/// Sanitize a step name for use as a K8s resource name.
/// Must be lowercase alphanumeric + hyphens, max 63 chars.
pub fn sanitize_name(name: &str) -> String {
let sanitized: String = name
.to_lowercase()
.chars()
.map(|c| if c.is_ascii_alphanumeric() || c == '-' { c } else { '-' })
.take(63)
.collect();
sanitized.trim_end_matches('-').to_string()
}
#[cfg(test)]
mod tests {
use super::*;
use pretty_assertions::assert_eq;
fn default_cluster() -> ClusterConfig {
ClusterConfig::default()
}
#[test]
fn build_job_minimal() {
let config = KubernetesStepConfig {
image: "alpine:3.18".into(),
command: None,
run: None,
env: HashMap::new(),
working_dir: None,
memory: None,
cpu: None,
timeout_ms: None,
pull_policy: None,
namespace: None,
};
let job = build_job(&config, "test-step", "wfe-abc", &HashMap::new(), &default_cluster());
assert_eq!(job.metadata.name, Some("test-step".into()));
assert_eq!(job.metadata.namespace, Some("wfe-abc".into()));
let spec = job.spec.as_ref().unwrap();
assert_eq!(spec.backoff_limit, Some(0));
assert_eq!(spec.ttl_seconds_after_finished, Some(300));
let pod_spec = spec.template.spec.as_ref().unwrap();
assert_eq!(pod_spec.restart_policy, Some("Never".into()));
assert_eq!(pod_spec.containers.len(), 1);
let container = &pod_spec.containers[0];
assert_eq!(container.image, Some("alpine:3.18".into()));
assert_eq!(container.image_pull_policy, Some("IfNotPresent".into()));
assert!(container.command.is_none());
assert!(container.args.is_none());
}
#[test]
fn build_job_with_run_command() {
let config = KubernetesStepConfig {
image: "node:20".into(),
command: None,
run: Some("npm test".into()),
env: HashMap::new(),
working_dir: Some("/app".into()),
memory: None,
cpu: None,
timeout_ms: None,
pull_policy: None,
namespace: None,
};
let job = build_job(&config, "test", "ns", &HashMap::new(), &default_cluster());
let container = &job.spec.unwrap().template.spec.unwrap().containers[0];
assert_eq!(
container.command,
Some(vec!["/bin/sh".into(), "-c".into()])
);
assert_eq!(container.args, Some(vec!["npm test".into()]));
assert_eq!(container.working_dir, Some("/app".into()));
}
#[test]
fn build_job_with_explicit_command() {
let config = KubernetesStepConfig {
image: "gcc:latest".into(),
command: Some(vec!["make".into(), "build".into()]),
run: None,
env: HashMap::new(),
working_dir: None,
memory: None,
cpu: None,
timeout_ms: None,
pull_policy: None,
namespace: None,
};
let job = build_job(&config, "build", "ns", &HashMap::new(), &default_cluster());
let container = &job.spec.unwrap().template.spec.unwrap().containers[0];
assert_eq!(
container.command,
Some(vec!["make".into(), "build".into()])
);
assert!(container.args.is_none());
}
#[test]
fn build_job_merges_env_vars() {
let config = KubernetesStepConfig {
image: "alpine".into(),
command: None,
run: None,
env: [("APP_ENV".into(), "production".into())].into(),
working_dir: None,
memory: None,
cpu: None,
timeout_ms: None,
pull_policy: None,
namespace: None,
};
let overrides: HashMap<String, String> =
[("WORKFLOW_ID".into(), "wf-123".into()), ("APP_ENV".into(), "staging".into())].into();
let job = build_job(&config, "step", "ns", &overrides, &default_cluster());
let container = &job.spec.unwrap().template.spec.unwrap().containers[0];
let env = container.env.as_ref().unwrap();
// Config env wins over overrides.
let app_env = env.iter().find(|e| e.name == "APP_ENV").unwrap();
assert_eq!(app_env.value, Some("production".into()));
// Override still present.
let wf_id = env.iter().find(|e| e.name == "WORKFLOW_ID").unwrap();
assert_eq!(wf_id.value, Some("wf-123".into()));
}
#[test]
fn build_job_with_resources() {
let config = KubernetesStepConfig {
image: "alpine".into(),
command: None,
run: None,
env: HashMap::new(),
working_dir: None,
memory: Some("512Mi".into()),
cpu: Some("500m".into()),
timeout_ms: None,
pull_policy: None,
namespace: None,
};
let job = build_job(&config, "step", "ns", &HashMap::new(), &default_cluster());
let container = &job.spec.unwrap().template.spec.unwrap().containers[0];
let resources = container.resources.as_ref().unwrap();
let limits = resources.limits.as_ref().unwrap();
assert_eq!(limits.get("memory"), Some(&Quantity("512Mi".into())));
assert_eq!(limits.get("cpu"), Some(&Quantity("500m".into())));
let requests = resources.requests.as_ref().unwrap();
assert_eq!(requests.get("memory"), Some(&Quantity("512Mi".into())));
}
#[test]
fn build_job_with_cluster_config() {
let cluster = ClusterConfig {
service_account: Some("wfe-runner".into()),
image_pull_secrets: vec!["ghcr-secret".into()],
node_selector: [("tier".into(), "compute".into())].into(),
..Default::default()
};
let config = KubernetesStepConfig {
image: "alpine".into(),
command: None,
run: None,
env: HashMap::new(),
working_dir: None,
memory: None,
cpu: None,
timeout_ms: None,
pull_policy: Some("Always".into()),
namespace: None,
};
let job = build_job(&config, "step", "ns", &HashMap::new(), &cluster);
let pod_spec = job.spec.unwrap().template.spec.unwrap();
assert_eq!(pod_spec.service_account_name, Some("wfe-runner".into()));
assert_eq!(pod_spec.image_pull_secrets.unwrap().len(), 1);
assert_eq!(
pod_spec.node_selector.unwrap().get("tier"),
Some(&"compute".to_string())
);
let container = &pod_spec.containers[0];
assert_eq!(container.image_pull_policy, Some("Always".into()));
}
#[test]
fn build_job_labels() {
let config = KubernetesStepConfig {
image: "alpine".into(),
command: None,
run: None,
env: HashMap::new(),
working_dir: None,
memory: None,
cpu: None,
timeout_ms: None,
pull_policy: None,
namespace: None,
};
let job = build_job(&config, "my-step", "ns", &HashMap::new(), &default_cluster());
let labels = job.metadata.labels.as_ref().unwrap();
assert_eq!(labels.get(LABEL_STEP_NAME), Some(&"my-step".to_string()));
assert_eq!(
labels.get(LABEL_MANAGED_BY),
Some(&"wfe-kubernetes".to_string())
);
}
#[test]
fn sanitize_name_basic() {
assert_eq!(sanitize_name("my-step"), "my-step");
}
#[test]
fn sanitize_name_special_chars() {
assert_eq!(sanitize_name("my_step.v1"), "my-step-v1");
}
#[test]
fn sanitize_name_uppercase() {
assert_eq!(sanitize_name("MyStep"), "mystep");
}
#[test]
fn sanitize_name_truncates() {
let long = "a".repeat(100);
assert!(sanitize_name(&long).len() <= 63);
}
#[test]
fn sanitize_name_trims_trailing_hyphens() {
assert_eq!(sanitize_name("step---"), "step");
}
#[test]
fn env_vars_sorted_by_name() {
let overrides: HashMap<String, String> =
[("ZZZ".into(), "1".into()), ("AAA".into(), "2".into())].into();
let vars = build_env_vars(&overrides, &HashMap::new());
assert_eq!(vars[0].name, "AAA");
assert_eq!(vars[1].name, "ZZZ");
}
}
Reference in New Issue Copy Permalink