feat(KFLUXVNGD-332): deploy smee-sidecar in production

components/smee-client/base/deployment.yaml

@@ -13,15 +13,27 @@ spec:
       labels:
         app: gosmee-client
     spec:
+      volumes:
+        - name: shared-health
+          emptyDir: {}
       containers:
-        - image: "ghcr.io/chmouel/gosmee:v0.20.2"
+        - image: "ghcr.io/chmouel/gosmee:v0.26.1"
           imagePullPolicy: Always
           name: gosmee
           args:
             - "client"
             - TBA
-            - "http://pipelines-as-code-controller.openshift-pipelines:8080"
+            - "http://localhost:8080"
+          volumeMounts:
+            - name: shared-health
+              mountPath: /shared
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - "ALL"
+            seccompProfile:
+              type: RuntimeDefault
             readOnlyRootFilesystem: true
             runAsNonRoot: true
           resources:
@@ -31,3 +43,53 @@ spec:
             requests:
               cpu: 1
               memory: 750Mi
+          livenessProbe:
+            exec:
+              command:
+                - /shared/check-smee-health.sh
+            initialDelaySeconds: 30
+            periodSeconds: 30
+            timeoutSeconds: 25
+            failureThreshold: 4
+        - name: health-check-sidecar
+          image: quay.io/konflux-ci/smee-sidecar:to-be-replaced
+          imagePullPolicy: Always
+          ports:
+            - name: http
+              containerPort: 8080
+            - name: metrics
+              containerPort: 9100
+          volumeMounts:
+            - name: shared-health
+              mountPath: /shared
+          env:
+          - name: DOWNSTREAM_SERVICE_URL
+            value: "http://pipelines-as-code-controller.openshift-pipelines:8080"
+          - name: SMEE_CHANNEL_URL
+            value: "TBA"
+          - name: HEALTH_CHECK_TIMEOUT_SECONDS
+            value: "20"
+          livenessProbe:
+            exec:
+              command:
+                - /shared/check-sidecar-health.sh
+            initialDelaySeconds: 30
+            periodSeconds: 30
+            timeoutSeconds: 25
+            failureThreshold: 3
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - "ALL"
+            seccompProfile:
+              type: RuntimeDefault
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+          resources:
+            limits:
+              cpu: 100m
+              memory: 128Mi
+            requests:
+              cpu: 100m
+              memory: 128Mi

components/smee-client/production/base/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../base
+
+images:
+- name: quay.io/konflux-ci/smee-sidecar
+  newName: quay.io/konflux-ci/smee-sidecar
+  newTag: 5015d8c0daa445a106b3c1124d0f4e145fff7a16 

components/smee-client/production/kflux-ocp-p01/kustomization.yaml

@@ -1,7 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ../../base
+  - ../base
 patches:
   - path: sever-url-patch.yaml
     target:

components/smee-client/production/kflux-ocp-p01/sever-url-patch.yaml

@@ -2,3 +2,6 @@
 - op: replace
   path: /spec/template/spec/containers/0/args/1
   value: https://smee-smee.apps.stone-prd-host1.wdlc.p1.openshiftapps.com/redhathook14
+- op: replace
+  path: /spec/template/spec/containers/1/env/1/value
+  value: https://smee-smee.apps.stone-prd-host1.wdlc.p1.openshiftapps.com/redhathook14

components/smee-client/production/kflux-rhel-p01/kustomization.yaml

@@ -1,7 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ../../base
+  - ../base
 patches:
   - path: sever-url-patch.yaml
     target:

components/smee-client/production/kflux-rhel-p01/sever-url-patch.yaml

@@ -2,3 +2,6 @@
 - op: replace
   path: /spec/template/spec/containers/0/args/1
   value: "https://smee-smee.apps.stone-prd-host1.wdlc.p1.openshiftapps.com/redhathook15"
+- op: replace
+  path: /spec/template/spec/containers/1/env/1/value
+  value: "https://smee-smee.apps.stone-prd-host1.wdlc.p1.openshiftapps.com/redhathook15"

components/smee-client/production/stone-prod-p01/kustomization.yaml

@@ -1,7 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ../../base
+  - ../base
 patches:
   - path: sever-url-patch.yaml
     target:

components/smee-client/production/stone-prod-p01/sever-url-patch.yaml

@@ -2,3 +2,6 @@
 - op: replace
   path: /spec/template/spec/containers/0/args/1
   value: https://smee-smee.apps.stone-prd-host1.wdlc.p1.openshiftapps.com/redhathook12
+- op: replace
+  path: /spec/template/spec/containers/1/env/1/value
+  value: https://smee-smee.apps.stone-prd-host1.wdlc.p1.openshiftapps.com/redhathook12

components/smee-client/production/stone-prod-p02/kustomization.yaml

@@ -1,7 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ../../base
+  - ../base
 patches:
   - path: sever-url-patch.yaml
     target:

components/smee-client/production/stone-prod-p02/sever-url-patch.yaml

@@ -2,3 +2,6 @@
 - op: replace
   path: /spec/template/spec/containers/0/args/1
   value: https://smee-smee.apps.stone-prd-host1.wdlc.p1.openshiftapps.com/redhathook13
+- op: replace
+  path: /spec/template/spec/containers/1/env/1/value
+  value: https://smee-smee.apps.stone-prd-host1.wdlc.p1.openshiftapps.com/redhathook13

components/smee-client/staging/kustomization.yaml

@@ -1,8 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  # TODO: change to point to ../base when deploying sidecar to production
-  - deployment.yaml
+  - ../base
 
 images:
 - name: quay.io/konflux-ci/smee-sidecar

components/smee/base/deployment.yaml

@@ -15,22 +15,29 @@ spec:
       labels:
         app: gosmee
     spec:
+      volumes:
+        - name: shared-health
+          emptyDir: {}
       containers:
-        - image: "ghcr.io/chmouel/gosmee:v0.20.2"
+        - image: "ghcr.io/chmouel/gosmee:v0.26.1"
           imagePullPolicy: Always
           name: gosmee
           args: ["server", "--address", "0.0.0.0"]
           ports:
             - name: "gosmee-http"
               containerPort: 3333
               protocol: TCP
+          volumeMounts:
+            - name: shared-health
+              mountPath: /shared
           livenessProbe:
-            tcpSocket:
-              port: 3333
-          initialDelaySeconds: 30
-          periodSeconds: 5
-          timeoutSeconds: 2
-          failureThreshold: 3
+            exec:
+              command:
+                - /shared/check-smee-health.sh
+            initialDelaySeconds: 30
+            periodSeconds: 30
+            timeoutSeconds: 25
+            failureThreshold: 12 # High-enough not to fail if other container crashlooping
           securityContext:
             readOnlyRootFilesystem: true
             runAsNonRoot: true
@@ -41,3 +48,79 @@ spec:
             requests:
               cpu: 1
               memory: 256Mi
+        - image: "ghcr.io/chmouel/gosmee:v0.26.1"
+          imagePullPolicy: Always
+          name: gosmee-liveness-probe-client
+          args:
+            - "client"
+            - "http://localhost:3333/smeesvrmonit"
+            - "http://localhost:8080"
+          volumeMounts:
+            - name: shared-health
+              mountPath: /shared
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - "ALL"
+            seccompProfile:
+              type: RuntimeDefault
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+          resources:
+            limits:
+              cpu: 100m
+              memory: 64Mi
+            requests:
+              cpu: 100m
+              memory: 64Mi
+          livenessProbe:
+            exec:
+              command:
+                - /shared/check-smee-health.sh
+            initialDelaySeconds: 30
+            periodSeconds: 30
+            timeoutSeconds: 25
+            failureThreshold: 12 # High-enough not to fail if other container crashlooping
+        - name: health-check-sidecar
+          image: quay.io/konflux-ci/smee-sidecar:to-be-replaced
+          imagePullPolicy: Always
+          ports:
+            - name: http
+              containerPort: 8080
+            - name: metrics
+              containerPort: 9100
+          volumeMounts:
+            - name: shared-health
+              mountPath: /shared
+          env:
+            - name: DOWNSTREAM_SERVICE_URL
+              value: "http://no.smee.svc.cluster.local:8080"
+            - name: SMEE_CHANNEL_URL
+              value: "http://localhost:3333/smeesvrmonit"
+            - name: HEALTH_CHECK_TIMEOUT_SECONDS
+              value: "20"
+          livenessProbe:
+            exec:
+              command:
+                - /shared/check-sidecar-health.sh
+            initialDelaySeconds: 30
+            periodSeconds: 30
+            timeoutSeconds: 25
+            failureThreshold: 3
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - "ALL"
+            seccompProfile:
+              type: RuntimeDefault
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+          resources:
+            limits:
+              cpu: 100m
+              memory: 128Mi
+            requests:
+              cpu: 100m
+              memory: 128Mi

components/smee/production/kustomization.yaml

@@ -3,6 +3,12 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../base
+
+images:
+- name: quay.io/konflux-ci/smee-sidecar
+  newName: quay.io/konflux-ci/smee-sidecar
+  newTag: 5015d8c0daa445a106b3c1124d0f4e145fff7a16
+
 patches:
   - path: ip-allow-list.yaml
     target: