chore(charts): begin adding a distinct chart for Nx Agents

As we narrow down our recommended deployment strategy for on-premise agents,
we are finding that the separate cluster is the more appropriate method
for reliability. This starts to break out the controller deployment and other
required elements from the core nx-cloud chart.

Once complete, we can publish a third nx-cloud-full chart that will contain
both other charts for the less optimal single-cluster solution.

charts/nx-agents/Chart.yaml

@@ -0,0 +1,9 @@
+apiVersion: v2
+name: nx-agents
+description: Nx Cloud Agents Helm Chart
+type: application
+version: 0.1.0
+maintainers:
+  - name: nx
+    url: "https://nx.app/"
+appVersion: "v1.alpha"

charts/nx-agents/templates/_helpers.tpl

@@ -0,0 +1,30 @@
+{{- define "nxCloud.app.name" }}
+{{- default .Chart.Name .Values.naming.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "nxCloud.app.chartName" }}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "nxCloud.app.selectorLabels" }}
+app.kubernetes.io/name: {{ include "nxCloud.app.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{/*
+Common labels
+*/}}
+{{- define "nxCloud.app.labels" }}
+helm.sh/chart: {{ include "nxCloud.app.chartName" . }}
+{{- include "nxCloud.app.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}

charts/nx-agents/templates/_images.yml

@@ -0,0 +1,35 @@
+{{/*
+Return the proper image name
+Helper copied from bitnami/common: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_images.tpl
+and modified to support global imageTag
+{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" .Values.global "image" .Values.image ) }}
+*/}}
+{{- define "nxCloud.images.common" }}
+{{- $registryName := .imageRoot.registry }}
+{{- $repositoryName := default .imageRoot.repository .global.imageRepository }}
+{{- $imageName := .imageRoot.imageName }}
+{{- $separator := ":" }}
+{{- $termination := default .global.imageTag .imageRoot.tag | toString }}
+{{- if .global }}
+    {{- if .global.imageRegistry }}
+     {{- $registryName = .global.imageRegistry }}
+    {{- end }}
+{{- end }}
+{{- if .imageRoot.digest }}
+    {{- $separator = "@" }}
+    {{- $termination = .imageRoot.digest | toString }}
+{{- end }}
+{{- if $registryName }}
+    {{- printf "%s/%s/%s%s%s" $registryName $repositoryName $imageName $separator $termination }}
+{{- else }}
+    {{- printf "%s/%s%s%s"  $repositoryName $imageName $separator $termination }}
+{{- end }}
+{{- end }}
+
+
+{{/*
+Return proper nx-cloud-workflow-controller image name
+*/}}
+{{- define "nxCloud.images.workflowController.image" }}
+{{- include "nxCloud.images.common" (dict "imageRoot" .Values.controller.image "global" .Values.global) }}
+{{- end }}

charts/nx-agents/templates/daemonset.yaml

@@ -0,0 +1,43 @@
+{{- if .Values.daemonset.enabled }}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: nx-cloud-workflows-daemon
+  namespace: {{ .Values.global.namespace }}
+  labels:
+    k8s-app: nx-cloud-workflows-daemon
+spec:
+  selector:
+    matchLabels:
+      name: nx-cloud-workflows-daemon
+  template:
+    metadata:
+      labels:
+        name: nx-cloud-workflows-daemon
+    spec:
+      containers:
+      - name: nx-cloud-workflows-daemon
+        image: ubuntu:22.04
+        command: ["/bin/sh","-c"]
+        args: ["/script/daemon.sh; while true; do echo Sleeping && sleep 3600; done"]
+        volumeMounts:
+          - name: nx-cloud-workflows-daemon-script
+            mountPath: /script
+        securityContext:
+          allowPrivilegeEscalation: true
+          privileged: true
+      volumes:
+        - name: nx-cloud-workflows-daemon-script
+          configMap:
+            name: nx-cloud-workflows-daemon-script
+            defaultMode: 0755
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nx-cloud-workflows-daemon-script
+  namespace: {{ .Values.global.namespace }}
+data:
+  daemon.sh: |
+  {{- .Values.daemonset.script | nindent 4 }}
+{{- end }}

charts/nx-agents/templates/deployment.yaml

@@ -0,0 +1,78 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nx-cloud-workflow-controller
+  namespace: {{ .Values.global.namespace | quote }}
+  labels:
+    {{- include "nxCloud.app.labels" . | indent 4 }}
+spec:
+  selector:
+    matchLabels:
+      app: nx-cloud-workflow-controller
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: nx-cloud-workflow-controller
+    spec:
+      securityContext:
+        runAsNonRoot: true
+      containers:
+        - command:
+          - /nx-cloud-workflow-controller
+          - --namespace={{ .Values.global.namespace }}
+          - --in-cluster=true
+          {{- range $key, $value := .Values.executor.env }}
+          - --executor-env={{ $key }}={{ $value }}
+          {{- end }}
+          - --workflow-service-address=http://nx-cloud-workflow-controller-service:9000
+          image: {{ include "nxCloud.images.workflowController.image" . }}
+          imagePullPolicy: {{ .Values.controller.image.pullPolicy | quote }}
+          {{- if .Values.controller.resources }}
+          resources: {{- toYaml .Values.controller.resources | nindent 12 }}
+          {{- end }}
+          name: nx-cloud-workflow-controller
+          securityContext:
+            runAsUser: 1000
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - 'ALL'
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: {{ .Values.controller.deployment.port }}
+            initialDelaySeconds: 15
+            periodSeconds: 20
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: {{ .Values.controller.deployment.port }}
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          {{- if gt (len .Values.controller.env) 0 }}
+          env:
+          {{- range $key, $value := .Values.controller.env }}
+          - name: {{ $key | quote }}
+            value: {{ $value | quote }}
+          {{- end }}
+          {{- with .Values.secret }}
+          {{- if .awsS3AccessKeyId }}
+          {{- if .name }}
+          - name: AWS_S3_ACCESS_KEY_ID
+            valueFrom:
+              secretKeyRef:
+                name: {{ .name }}
+                key: {{ .awsS3AccessKeyId }}
+          - name: AWS_S3_SECRET_ACCESS_KEY
+            valueFrom:
+              secretKeyRef:
+                name: {{ .name }}
+                key: {{ .awsS3SecretAccessKey }}
+          {{- end }}
+          {{- end }}
+          {{- end }}
+          {{- end }}
+      serviceAccountName: nx-cloud-workflow-controller
+      terminationGracePeriodSeconds: 10

charts/nx-agents/templates/namespace.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ .Values.global.namespace }}
+  labels:
+    {{- include "nxCloud.app.labels" . | indent 4 }}

charts/nx-agents/templates/rolebinding.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    {{- include "nxCloud.app.labels" . | indent 4 }}
+  name: nx-cloud-workflow-controller-rolebinding
+  namespace: {{ .Values.global.namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: nx-cloud-workflow-controller-role
+subjects:
+  - kind: ServiceAccount
+    name: nx-cloud-workflow-controller
+    namespace: {{ .Values.global.namespace }}

charts/nx-agents/templates/roles.yaml

@@ -0,0 +1,62 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: nx-cloud-workflow-controller-role
+  namespace: {{ .Values.global.namespace }}
+rules:
+- apiGroups:
+    - ''
+  resources:
+    - services
+    - pods
+  verbs:
+    - create
+    - delete
+    - get
+    - list
+    - patch
+    - update
+    - watch
+- apiGroups:
+    - apps
+  resources:
+    - deployments
+  verbs:
+    - create
+    - delete
+    - get
+    - list
+    - patch
+    - update
+    - watch
+- apiGroups:
+    - ''
+  resources:
+    - secrets
+  verbs:
+    - create
+    - delete
+    - get
+    - list
+    - patch
+    - update
+    - watch
+- apiGroups:
+    - batch
+  resources:
+    - jobs
+  verbs:
+    - create
+    - delete
+    - get
+    - list
+    - patch
+    - update
+    - watch
+- apiGroups:
+    - batch
+  resources:
+    - jobs/status
+  verbs:
+    - get

charts/nx-agents/templates/serviceaccounts.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: nx-cloud-workflow-runner
+  namespace: {{ .Values.global.namespace }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    {{- include "nxCloud.app.labels" . | indent 4 }}
+  name: nx-cloud-workflow-controller
+  namespace: {{ .Values.global.namespace }}
+

charts/nx-agents/values.yaml

@@ -0,0 +1,49 @@
+global:
+  imageRegistry: ''
+  imageTag: ''
+  imageRepository: 'nxprivatecloud'
+  namespace: 'nx-cloud-workflows'
+
+naming:
+  nameOverride: ''
+  fullNameOverride: ''
+
+controller:
+  deployment:
+    port: 9000
+  env: {}
+  image:
+    registry: ''
+    imageName: nx-cloud-workflow-controller
+    repository: ''
+    tag: latest
+    pullPolicy: Always
+  resources:
+    limits: 
+      memory: '1Gi'
+      cpu: '1.0'
+    requests:
+      memory: '0.5Gi'
+      cpu: '0.5'
+
+executor:
+  env: {}
+
+daemonset:
+  enabled: true
+  script: |
+    #!/bin/bash
+    set -e
+
+    # change the file-watcher max-count on each node to 1048576
+
+    # insert the new value into the system config
+    sysctl -w fs.inotify.max_user_watches=1048576
+
+    # check that the new value was applied
+    cat /proc/sys/fs/inotify/max_user_watches
+
+secret:
+  name: ''
+  awsS3AccessKeyId: ''
+  awsS3SecretAccessKey: ''