SCALRCORE-35910 rework agent-job template; update documentation

Author: mermoldy

charts/agent-docker/README.md

@@ -80,4 +80,4 @@ the same Kubernetes cluster to increase overall capacity.
 | tolerations | list | `[]` | Tolerations for the Scalr Agent pods, allowing them to run on tainted nodes |
 
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
+Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)

charts/agent-job/Chart.yaml

@@ -2,12 +2,14 @@ apiVersion: v2
 name: agent-job
 description: |
   A Helm chart for deploying the Scalr Agent on a Kubernetes cluster.
-  Uses a controller/worker model. Each run stage is isolated
-  in Kubernetes containers with specified resource limits.
+  It uses a job-based model, where each Scalr Run is isolated
+  in its own Kubernetes Job.
 type: application
+icon: https://raw.githubusercontent.com/Scalr/agent-helm/master/charts/agent-job/assets/icon.ico
 version: 0.5.62
 appVersion: 0.55.2
 home: https://github.com/Scalr/agent-helm/tree/master/charts/agent-job
 maintainers:
   - name: scalr
     email: [email protected]
+sources: ["https://github.com/Scalr/agent-helm/tree/master/charts/agent-job"]

charts/agent-job/README.md

@@ -60,3 +60,53 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{/*
+Generate a stable, release-scoped name for chart sub-components.
+*/}}
+{{- define "agent-job.componentName" -}}
+{{- printf "%s-%s" (include "agent-job.fullname" .context) .component | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Resolve the data PVC name, falling back to the chart-managed default.
+*/}}
+{{- define "agent-job.dataPVCName" -}}
+{{- if .Values.persistence.data.persistentVolumeClaim.claimName }}
+{{- .Values.persistence.data.persistentVolumeClaim.claimName -}}
+{{- else }}
+{{- printf "%s-data" (include "agent-job.fullname" .) -}}
+{{- end }}
+{{- end }}
+
+{{/*
+Resolve the cache PVC name, falling back to the chart-managed default.
+*/}}
+{{- define "agent-job.cachePVCName" -}}
+{{- if .Values.persistence.cache.persistentVolumeClaim.claimName }}
+{{- .Values.persistence.cache.persistentVolumeClaim.claimName -}}
+{{- else }}
+{{- printf "%s-cache" (include "agent-job.fullname" .) -}}
+{{- end }}
+{{- end }}
+
+{{/*
+Convert Kubernetes quantity to megabytes
+Supports: Gi, Mi, G, M
+*/}}
+{{- define "agent-job.sizeToMB" -}}
+{{- $size := . -}}
+{{- if hasSuffix "Gi" $size -}}
+  {{- $val := trimSuffix "Gi" $size | float64 -}}
+  {{- $val | mul 1024 | int -}}
+{{- else if hasSuffix "Mi" $size -}}
+  {{- trimSuffix "Mi" $size | int -}}
+{{- else if hasSuffix "G" $size -}}
+  {{- $val := trimSuffix "G" $size | float64 -}}
+  {{- $val | mul 1000 | int -}}
+{{- else if hasSuffix "M" $size -}}
+  {{- trimSuffix "M" $size | int -}}
+{{- else -}}
+  {{- fail (printf "Unsupported size format: %s. Use Gi, Mi, G, or M" $size) -}}
+{{- end -}}
+{{- end -}}

charts/agent-job/README.md.gotmpl

@@ -0,0 +1,141 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: scalr-agent
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "agent-job.labels" . | nindent 4 }}
+    app.kubernetes.io/component: agent
+spec:
+  replicas: {{ .Values.agent.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "agent-job.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: agent
+  template:
+    metadata:
+      annotations:
+      {{- with (merge (deepCopy .Values.global.podAnnotations) .Values.agent.podAnnotations) }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- if not .Values.agent.tokenExistingSecret.name }}
+        checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
+      {{- end }}
+      labels:
+        {{- with .Values.global.podLabels }}
+        {{- toYaml . | nindent 12 }}
+        {{- end }}
+        {{- with .Values.agent.podLabels }}
+        {{- toYaml . | nindent 12 }}
+        {{- end }}
+        {{- include "agent-job.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/component: agent
+    spec:
+      {{- with .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "agent-job.serviceAccountName" . }}
+      automountServiceAccountToken: {{ .Values.serviceAccount.automountToken }}
+      {{- $controllerPodSecurityContext := merge (deepCopy (default (dict) .Values.global.podSecurityContext)) (default (dict) .Values.agent.podSecurityContext) }}
+      {{- if not (empty $controllerPodSecurityContext) }}
+      securityContext:
+        {{- toYaml $controllerPodSecurityContext | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: controller
+          {{- $registry := .Values.global.imageRegistry }}
+          {{- $image := .Values.agent.image }}
+          {{- if $registry }}
+          image: "{{ $registry }}/{{ $image.repository }}:{{ $image.tag | default .Chart.AppVersion }}"
+          {{- else }}
+          image: "{{ $image.repository }}:{{ $image.tag | default .Chart.AppVersion }}"
+          {{- end }}
+          imagePullPolicy: {{ $image.pullPolicy }}
+          command: ["python", "-m", "tacoagent.cmd"]
+          {{- with .Values.agent.controller.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          env:
+            - name: SCALR_URL
+              value: {{ .Values.agent.url | quote }}
+            - name: SCALR_AGENT_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.agent.tokenExistingSecret.name | default (include "agent-job.fullname" .) }}
+                  key: {{ .Values.agent.tokenExistingSecret.key }}
+                  optional: false
+            - name: SCALR_AGENT_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: SCALR_AGENT_DEBUG
+              value: {{ .Values.agent.debug | quote }}
+            - name: SCALR_AGENT_LOG_FORMAT
+              value: {{ .Values.agent.logFormat | quote }}
+            - name: SCALR_AGENT_DATA_DIR
+              value: {{ .Values.agent.dataDir | quote }}
+            - name: SCALR_AGENT_CACHE_DIR
+              value: {{ .Values.agent.cacheDir | quote }}
+            - name: SCALR_AGENT_DRIVER
+              value: "kubernetes-job"
+            - name: SCALR_AGENT_KUBERNETES_JOB_TEMPLATE
+              value: "scalr-agent-task"
+            {{- $telemetry := .Values.otel -}}
+            {{- if and $telemetry.enabled $telemetry.endpoint }}
+            - name: SCALR_AGENT_OTLP_ENDPOINT
+              value: {{ $telemetry.endpoint | quote }}
+            {{- if $telemetry.metricsEnabled }}
+            - name: SCALR_AGENT_OTLP_METRICS_ENABLED
+              value: "true"
+            {{- end }}
+            {{- if $telemetry.tracesEnabled }}
+            - name: SCALR_AGENT_OTLP_TRACES_ENABLED
+              value: "true"
+            {{- end }}
+            {{- end }}
+            {{- range $key, $value := .Values.agent.extraEnv }}
+            - name: {{ $key }}
+              value: {{ $value | quote }}
+            {{- end }}
+            {{- with .Values.agent.controller.extraEnv }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+          {{- with .Values.agent.controller.extraEnvFrom }}
+          envFrom:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          resources:
+            {{- toYaml .Values.agent.resources | nindent 12 }}
+          volumeMounts:
+            - name: data-dir
+              mountPath: {{ .Values.agent.dataDir | quote }}
+            - name: cache-dir
+              mountPath: {{ .Values.agent.cacheDir | quote }}
+            - name: tmp-dir
+              mountPath: /tmp
+      {{- with .Values.agent.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.agent.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.agent.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      volumes:
+        # Note: Controllers have ephemeral data/cache volumes. They are not intended for real use, as agents
+        # in controller mode do not perform actual workloads.
+        - name: data-dir
+          emptyDir: {}
+        - name: cache-dir
+          emptyDir: {}
+        # Note: Default pod's /tmp may not be writable depending on securityContext settings.
+        # It is more robust to mount a dedicated volume.
+        - name: tmp-dir
+          emptyDir: {}
+      terminationGracePeriodSeconds: {{ .Values.agent.terminationGracePeriodSeconds }}

charts/agent-job/assets/icon.ico

@@ -1,13 +1,17 @@
-{{- if .Values.restrictMetadataService }}
+{{- if not .Values.task.allowMetadataService }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: agent-job-network-policy
+  name: {{ include "agent-job.fullname" . }}-task-network-policy
   namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "agent-job.labels" . | nindent 4 }}
+    app.kubernetes.io/component: task
 spec:
   podSelector:
     matchLabels:
       {{- include "agent-job.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: task
   policyTypes:
     - Egress
   egress:
@@ -16,6 +20,6 @@ spec:
           # Allow all egress traffic by default
           cidr: 0.0.0.0/0
           except:
-            # Deny access to IMDS
+            # Deny access to VM metadata service (IMDS)
             - 169.254.169.254/32
 {{- end }}

charts/agent-job/templates/_helpers.tpl

@@ -0,0 +1,21 @@
+{{- if and (gt (int .Values.agent.replicaCount) 1) .Values.agent.podDisruptionBudget.enabled }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "agent-job.fullname" . }}-agent
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "agent-job.labels" . | nindent 4 }}
+    app.kubernetes.io/component: agent
+spec:
+  {{- if .Values.agent.podDisruptionBudget.minAvailable }}
+  minAvailable: {{ .Values.agent.podDisruptionBudget.minAvailable }}
+  {{- end }}
+  {{- if .Values.agent.podDisruptionBudget.maxUnavailable }}
+  maxUnavailable: {{ .Values.agent.podDisruptionBudget.maxUnavailable }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "agent-job.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: agent
+{{- end }}