feat(appliance): nodeexporter service definition (#64399)

<!-- PR description tips:
https://www.notion.so/sourcegraph/Write-a-good-pull-request-description-610a7fd3e613496eb76f450db5a49b6e
-->

Relates to
https://linear.app/sourcegraph/issue/REL-80/service-definition-node-exporter

## Test plan

Golden tests included.

<!-- REQUIRED; info at
https://docs-legacy.sourcegraph.com/dev/background-information/testing_principles
-->

## Changelog

<!-- OPTIONAL; info at
https://www.notion.so/sourcegraph/Writing-a-changelog-entry-dd997f411d524caabf0d8d38a24a878c
-->

Author: jdpleiness

internal/appliance/config/spec.go

@@ -88,6 +88,10 @@ type IndexedSearchSpec struct {
 	Replicas int32 `json:"replicas,omitempty"`
 }
 
+type NodeExporterSpec struct {
+	StandardConfig
+}
+
 type OtelAgentSpec struct {
 	StandardConfig
 }
@@ -230,8 +234,12 @@ type SourcegraphSpec struct {
 	// IndexedSearch defines the desired state of the Indexed Search service.
 	IndexedSearch IndexedSearchSpec `json:"indexedSearch,omitempty"`
 
+	// Jaeger defines the desired state of the Jaeger service.
 	Jaeger JaegerSpec `json:"jaeger,omitempty"`
 
+	// NodeExporter defines the desired state of the NodeExporter service.
+	NodeExporter NodeExporterSpec `json:"nodeExporter,omitempty"`
+
 	OtelAgent     OtelAgentSpec     `json:"openTelemetryAgent,omitempty"`
 	OtelCollector OtelCollectorSpec `json:"openTelemetryCollector,omitempty"`
 
@@ -272,24 +280,25 @@ type SourcegraphSpec struct {
 // SourcegraphServicesToReconcile is a list of all Sourcegraph services that will be reconciled by appliance.
 var SourcegraphServicesToReconcile = []string{
 	"blobstore",
-	"repo-updater",
-	"symbols",
-	"gitserver",
-	"redis",
-	"pgsql",
-	"syntect",
-	"precise-code-intel",
+	"cadvisor",
 	"code-insights-db",
 	"code-intel-db",
-	"prometheus",
-	"cadvisor",
-	"worker",
 	"frontend",
-	"searcher",
-	"indexed-searcher",
+	"gitserver",
 	"grafana",
+	"indexed-searcher",
 	"jaeger",
+	"nodeexporter",
 	"otel",
+	"pgsql",
+	"precise-code-intel",
+	"prometheus",
+	"redis",
+	"repo-updater",
+	"searcher",
+	"symbols",
+	"syntect",
+	"worker",
 }
 
 // SourcegraphStatus defines the observed state of Sourcegraph

internal/appliance/reconciler/BUILD.bazel

@@ -14,6 +14,7 @@ go_library(
         "indexed_search.go",
         "jaeger.go",
         "kubernetes.go",
+        "nodeexporter.go",
         "otel_agent.go",
         "pgsql.go",
         "precise_code_intel.go",
@@ -87,6 +88,7 @@ go_test(
         "helpers_test.go",
         "indexed_search_test.go",
         "jaeger_test.go",
+        "nodeexporter_test.go",
         "otel_agent_test.go",
         "pgsql_test.go",
         "precise_code_intel_test.go",

internal/appliance/reconciler/nodeexporter.go

@@ -0,0 +1,163 @@
+package reconciler
+
+import (
+	"context"
+
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/util/intstr"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/sourcegraph/sourcegraph/internal/appliance/config"
+	"github.com/sourcegraph/sourcegraph/internal/k8s/resource/container"
+	"github.com/sourcegraph/sourcegraph/internal/k8s/resource/daemonset"
+	"github.com/sourcegraph/sourcegraph/internal/k8s/resource/pod"
+	"github.com/sourcegraph/sourcegraph/internal/k8s/resource/role"
+	"github.com/sourcegraph/sourcegraph/internal/k8s/resource/rolebinding"
+	"github.com/sourcegraph/sourcegraph/internal/k8s/resource/service"
+	"github.com/sourcegraph/sourcegraph/lib/pointers"
+)
+
+func (r *Reconciler) reconcileNodeExporter(ctx context.Context, sg *config.Sourcegraph, owner client.Object) error {
+	if err := r.reconcileNodeExporterRole(ctx, sg, owner); err != nil {
+		return err
+	}
+	if err := r.reconcileNodeExporterRoleBinding(ctx, sg, owner); err != nil {
+		return err
+	}
+	if err := r.reconcileNodeExporterService(ctx, sg, owner); err != nil {
+		return err
+	}
+	if err := r.reconcileNodeExporterDaemonSet(ctx, sg, owner); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (r *Reconciler) reconcileNodeExporterDaemonSet(ctx context.Context, sg *config.Sourcegraph, owner client.Object) error {
+	name := "node-exporter"
+	cfg := sg.Spec.NodeExporter
+
+	ctr := container.NewContainer(name, cfg, config.ContainerConfig{
+		Image: config.GetDefaultImage(sg, name),
+		Resources: &corev1.ResourceRequirements{
+			Requests: corev1.ResourceList{
+				corev1.ResourceCPU:    resource.MustParse("200m"),
+				corev1.ResourceMemory: resource.MustParse("100Mi"),
+			},
+			Limits: corev1.ResourceList{
+				corev1.ResourceCPU:    resource.MustParse("1"),
+				corev1.ResourceMemory: resource.MustParse("1Gi"),
+			},
+		},
+	})
+	ctr.Args = []string{
+		"--web.listen-address=:9100",
+		"--path.sysfs=/host/sys",
+		"--path.rootfs=/host/root",
+		"--path.procfs=/host/proc",
+		"--no-collector.wifi",
+		"--no-collector.hwmon",
+		"--collector.filesystem.ignored-mount-points=^/(dev|proc|sys|var/lib/docker/.+|var/lib/kubelet/pods/.+)($|/)",
+		"--collector.netclass.ignored-devices=^(veth.*)$",
+		"--collector.netdev.device-exclude=^(veth.*)$",
+	}
+	ctr.SecurityContext = &corev1.SecurityContext{
+		RunAsUser:                pointers.Ptr[int64](65534),
+		RunAsGroup:               pointers.Ptr[int64](65534),
+		AllowPrivilegeEscalation: pointers.Ptr(false),
+		ReadOnlyRootFilesystem:   pointers.Ptr(true),
+	}
+	ctr.Ports = []corev1.ContainerPort{
+		{Name: "metrics", ContainerPort: 9100, Protocol: corev1.ProtocolTCP},
+	}
+	ctr.VolumeMounts = []corev1.VolumeMount{
+		{Name: "rootfs", MountPath: "/host/root", MountPropagation: pointers.Ptr(corev1.MountPropagationHostToContainer), ReadOnly: true},
+		{Name: "sys", MountPath: "/host/sys", MountPropagation: pointers.Ptr(corev1.MountPropagationHostToContainer), ReadOnly: true},
+		{Name: "proc", MountPath: "/host/proc", MountPropagation: pointers.Ptr(corev1.MountPropagationHostToContainer), ReadOnly: true},
+	}
+
+	probe := &corev1.Probe{
+		ProbeHandler: corev1.ProbeHandler{
+			HTTPGet: &corev1.HTTPGetAction{
+				Port:   intstr.FromString("metrics"),
+				Scheme: corev1.URISchemeHTTP},
+		},
+		InitialDelaySeconds: 0,
+		PeriodSeconds:       10,
+		SuccessThreshold:    1,
+		TimeoutSeconds:      1,
+		FailureThreshold:    3,
+	}
+	ctr.ReadinessProbe = probe
+	ctr.LivenessProbe = probe
+
+	template := pod.NewPodTemplate(name, cfg)
+	template.Template.Spec.Containers = []corev1.Container{ctr}
+	template.Template.Spec.SecurityContext = &corev1.PodSecurityContext{
+		RunAsUser:    pointers.Ptr[int64](65534),
+		RunAsGroup:   pointers.Ptr[int64](65534),
+		FSGroup:      pointers.Ptr[int64](65534),
+		RunAsNonRoot: pointers.Ptr(true),
+	}
+
+	template.Template.Spec.Volumes = []corev1.Volume{
+		pod.NewVolumeHostPath("rootfs", "/"),
+		pod.NewVolumeHostPath("sys", "/sys"),
+		pod.NewVolumeHostPath("proc", "/proc"),
+	}
+
+	ds := daemonset.New(name, sg.Namespace, sg.Spec.RequestedVersion)
+	ds.Spec.Template = template.Template
+
+	return reconcileObject(ctx, r, sg.Spec.NodeExporter, &ds, &appsv1.DaemonSet{}, sg, owner)
+}
+
+func (r *Reconciler) reconcileNodeExporterService(ctx context.Context, sg *config.Sourcegraph, owner client.Object) error {
+	svc := service.NewService("node-exporter", sg.Namespace, sg.Spec.NodeExporter)
+	svc.Spec.Ports = []corev1.ServicePort{
+		{Name: "metrics", TargetPort: intstr.FromString("metrics"), Port: 9100},
+	}
+	svc.Spec.Selector = map[string]string{"app": "node-exporter"}
+
+	return reconcileObject(ctx, r, sg.Spec.NodeExporter, &svc, &corev1.Service{}, sg, owner)
+}
+
+func (r *Reconciler) reconcileNodeExporterRole(ctx context.Context, sg *config.Sourcegraph, owner client.Object) error {
+	name := "node-exporter"
+	cfg := sg.Spec.NodeExporter
+
+	role := role.NewRole(name, sg.Namespace)
+
+	readVerbs := []string{"use"}
+	role.Rules = []rbacv1.PolicyRule{
+		{
+			APIGroups:     []string{"policy"},
+			Resources:     []string{"podsecuritypolicies"},
+			Verbs:         readVerbs,
+			ResourceNames: []string{name},
+		},
+	}
+
+	return reconcileObject(ctx, r, cfg, &role, &rbacv1.Role{}, sg, owner)
+}
+
+func (r *Reconciler) reconcileNodeExporterRoleBinding(ctx context.Context, sg *config.Sourcegraph, owner client.Object) error {
+	name := "node-exporter"
+	binding := rolebinding.NewRoleBinding(name, sg.Namespace)
+	binding.RoleRef = rbacv1.RoleRef{
+		Kind: "ClusterRole",
+		Name: name,
+	}
+	binding.Subjects = []rbacv1.Subject{
+		{
+			Kind:      "ServiceAccount",
+			Name:      name,
+			Namespace: sg.Namespace,
+		},
+	}
+	return reconcileObject(ctx, r, sg.Spec.NodeExporter, &binding, &rbacv1.RoleBinding{}, sg, owner)
+}

internal/appliance/reconciler/nodeexporter_test.go

@@ -0,0 +1,14 @@
+package reconciler
+
+func (suite *ApplianceTestSuite) TestDeployNodeExporter() {
+	for _, tc := range []struct {
+		name string
+	}{
+		{name: "nodeexporter/default"},
+	} {
+		suite.Run(tc.name, func() {
+			namespace := suite.createConfigMapAndAwaitReconciliation(tc.name)
+			suite.makeGoldenAssertions(namespace, tc.name)
+		})
+	}
+}

internal/appliance/reconciler/otel_agent.go

@@ -70,7 +70,7 @@ func (r *Reconciler) reconcileOtelAgentDaemonset(ctx context.Context, sg *config
 
 	probe := &corev1.Probe{
 		ProbeHandler: corev1.ProbeHandler{
-			HTTPGet: &corev1.HTTPGetAction{Path: "/", Port: intstr.FromInt(13133)},
+			HTTPGet: &corev1.HTTPGetAction{Path: "/", Port: intstr.FromInt32(13133)},
 		},
 	}
 	ctr.ReadinessProbe = probe

internal/appliance/reconciler/reconcile.go

@@ -142,6 +142,9 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
 	if err := r.reconcileOtel(ctx, &sourcegraph, &applianceSpec); err != nil {
 		return ctrl.Result{}, errors.Newf("failed to reconcile OpenTelemetry Collector: %w", err)
 	}
+	if err := r.reconcileNodeExporter(ctx, &sourcegraph, &applianceSpec); err != nil {
+		return ctrl.Result{}, errors.Newf("failed to reconcile NodeExporter: %w", err)
+	}
 
 	// Set the current version annotation in case migration logic depends on it.
 	applianceSpec.Annotations[config.AnnotationKeyCurrentVersion] = sourcegraph.Spec.RequestedVersion

internal/appliance/reconciler/testdata/golden-fixtures/blobstore/default.yaml

@@ -114,6 +114,9 @@ resources:
           indexedSearch:
             disabled: true
 
+          nodeExporter:
+            disabled: true
+
           openTelemetryCollector:
             disabled: true
 

internal/appliance/reconciler/testdata/golden-fixtures/cadvisor/default.yaml

@@ -151,6 +151,9 @@ resources:
           indexedSearch:
             disabled: true
 
+          nodeExporter:
+            disabled: true
+
           openTelemetryCollector:
             disabled: true
 

internal/appliance/reconciler/testdata/golden-fixtures/codeinsights/default.yaml

@@ -303,6 +303,9 @@ resources:
           indexedSearch:
             disabled: true
 
+          nodeExporter:
+            disabled: true
+
           openTelemetryCollector:
             disabled: true
 

internal/appliance/reconciler/testdata/golden-fixtures/codeintel/default.yaml

@@ -323,6 +323,9 @@ resources:
           indexedSearch:
             disabled: true
 
+          nodeExporter:
+            disabled: true
+
           openTelemetryCollector:
             disabled: true