WIP: windows workers

bin/init

@@ -88,7 +88,7 @@ gcloud compute routers nats create nat-config \
     --nat-all-subnet-ip-ranges \
     --auto-allocate-nat-external-ips \
     --min-ports-per-vm=4095 \
-    --tcp-established-idle-timeout=60 
+    --tcp-established-idle-timeout=60
 
 # setup firewall to connect from gke to internal instance vms
 # https://cloud.google.com/kubernetes-engine/docs/troubleshooting#autofirewall
@@ -113,3 +113,26 @@ gcloud projects add-iam-policy-binding ${PROJECT_ID} \
 gcloud iam service-accounts add-iam-policy-binding ${CNRM_SA}@${PROJECT_ID}.iam.gserviceaccount.com \
   --member="serviceAccount:${PROJECT_ID}.svc.id.goog[${CNRM_SA}/cnrm-controller-manager]" \
   --role="roles/iam.workloadIdentityUser"
+
+
+
+export PROJECT_ID=$(gcloud config get-value core/project 2>/dev/null)
+export CONCOURSE_SA=concourse
+export CNRM_SA=cnrm-system
+export CLUSTER_NAME=concourse
+export PROJECT_REGION=europe-west4-a
+gcloud container node-pools create concourse-windows-workers \
+  --cluster=$CLUSTER_NAME \
+  --location-policy
+  --machine-type=n1-standard-4 \
+  --image-type=WINDOWS_LTSC_CONTAINERD \
+  --enable-autoscaling \
+  --enable-autoupgrade \
+  --num-nodes=1 \
+  --min-nodes=1 \
+  --max-nodes=2 \
+  --local-ssd-count 1 \
+  --region "$PROJECT_REGION" \
+  --tags=workers \
+  --node-taints=workers=true:NoSchedule \
+  --service-account=${CONCOURSE_SA}@${PROJECT_ID}.iam.gserviceaccount.com

build/concourse/_vendir/templates/_helpers-windows.tpl

@@ -0,0 +1,8 @@
+{{- define "concourse.windows_worker.fullname" -}}
+{{- $name := default "windows-worker" .Values.windows_worker.nameOverride -}}
+{{- if .Values.fullnameOverride -}}
+{{- printf "%s-%s" .Values.fullnameOverride $name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}

build/concourse/_vendir/templates/_helpers.tpl

@@ -32,6 +32,8 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- end -}}
 {{- end -}}
 
+
+
 {{/*
 Create a default fully qualified postgresql name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).

build/concourse/_vendir/templates/windows-values.yaml

@@ -0,0 +1,2 @@
+windows_image: foundationalinfrastructure/concourse-windows
+windows_imageTag: "latest"

build/concourse/_vendir/templates/windows-worker-deployment.yaml

@@ -0,0 +1,163 @@
+{{- if .Values.windows_worker.enabled -}}
+{{- if eq .Values.windows_worker.kind "Deployment" }}
+apiVersion: {{ template "concourse.deployment.apiVersion" . }}
+kind: Deployment
+metadata:
+  name: {{ template "concourse.windows_worker.fullname" . }}
+  labels:
+    app: {{ template "concourse.windows_worker.fullname" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+spec:
+  {{- if not .Values.concourse.worker.autoscaling.maxReplicas }}
+  replicas: {{ .Values.windows_worker.replicas }}
+  {{- end }}
+  selector:
+    matchLabels:
+      app: {{ template "concourse.windows_worker.fullname" . }}
+      release: "{{ .Release.Name }}"
+  template:
+    metadata:
+      labels:
+        app: {{ template "concourse.windows_worker.fullname" . }}
+        release: "{{ .Release.Name }}"
+        {{- with .Values.windows_worker.labels }}
+{{ toYaml . | trim | indent 8 }}
+        {{- end }}
+      {{- if .Values.windows_worker.annotations }}
+      annotations:
+{{ toYaml .Values.windows_worker.annotations | indent 8 }}
+      {{- end }}
+    spec:
+    {{- if .Values.windows_worker.nodeSelector }}
+      nodeSelector:
+{{ toYaml .Values.windows_worker.nodeSelector | indent 8 }}
+    {{- end }}
+      serviceAccountName: {{ if .Values.rbac.create }}{{ template "concourse.windows_worker.fullname" . }}{{ else }}{{ .Values.rbac.workerServiceAccountName }}{{ end }}
+      {{- if .Values.windows_worker.tolerations }}
+      tolerations:
+{{ toYaml .Values.windows_worker.tolerations | indent 8 }}
+      {{- end }}
+      {{- if .Values.imagePullSecrets }}
+      imagePullSecrets:
+      {{- range .Values.imagePullSecrets }}
+        - name: {{ . }}
+      {{- end }}
+      {{- end }}
+      {{- if .Values.windows_worker.priorityClassName }}
+      priorityClassName: {{ .Values.windows_worker.priorityClassName }}
+      {{- end }}
+      {{- if .Values.windows_worker.terminationGracePeriodSeconds }}
+      terminationGracePeriodSeconds: {{ .Values.windows_worker.terminationGracePeriodSeconds }}
+      {{- end }}
+      initContainers:
+      {{- if .Values.windows_worker.extraInitContainers }}
+      {{- toYaml .Values.windows_worker.extraInitContainers | nindent 8 }}
+      {{- end }}
+      containers:
+      {{- if .Values.windows_worker.sidecarContainers }}
+      {{- toYaml .Values.windows_worker.sidecarContainers | nindent 8 }}
+      {{- end }}
+        - name: {{ template "concourse.windows_worker.fullname" . }}
+          {{- if .Values.windows_imageDigest }}
+          image: "{{ .Values.windows_image }}@{{ .Values.windows_imageDigest }}"
+          {{- else }}
+          image: "{{ .Values.windows_image }}:{{ .Values.windows_imageTag }}"
+          {{- end }}
+          imagePullPolicy: {{ .Values.imagePullPolicy | quote }}
+          args:
+            - worker
+{{- if .Values.windows_worker.livenessProbe }}
+          livenessProbe:
+{{ toYaml .Values.windows_worker.livenessProbe | indent 12 }}
+{{- end }}
+{{- if .Values.windows_worker.readinessProbe }}
+          readinessProbe:
+{{ toYaml .Values.windows_worker.readinessProbe | indent 12 }}
+{{- end }}
+          env:
+{{- include "concourse.worker.env" . | indent 12 }}
+{{- if .Values.windows_worker.env }}
+{{ toYaml .Values.windows_worker.env | indent 12 }}
+{{- end }}
+          ports:
+            - name: worker-hc
+              containerPort: {{ .Values.concourse.worker.healthcheckBindPort }}
+{{- if .Values.windows_worker.resources }}
+          resources:
+{{ toYaml .Values.windows_worker.resources | indent 12 }}
+{{- end }}
+          securityContext:
+            privileged: true
+          volumeMounts:
+            - name: concourse-keys
+              mountPath: {{ .Values.windows_worker.keySecretsPath | quote }}
+              readOnly: true
+            {{- if and (not (kindIs "invalid" .Values.secrets.workerAdditionalCerts)) (.Values.secrets.workerAdditionalCerts | toString) }}
+            - name: worker-additional-certs
+              mountPath: "{{ .Values.windows_worker.certsPath }}/worker-additional-certs.pem"
+              subPath: worker-additional-certs.pem
+              readOnly: true
+            {{- end }}
+
+{{- if .Values.windows_worker.additionalVolumeMounts }}
+{{ toYaml .Values.windows_worker.additionalVolumeMounts | indent 12 }}
+{{- end }}
+      affinity:
+{{- if .Values.windows_worker.additionalAffinities }}
+{{ toYaml .Values.windows_worker.additionalAffinities | indent 8 }}
+{{- end }}
+        podAntiAffinity:
+          {{- if .Values.windows_worker.hardAntiAffinity }}
+          requiredDuringSchedulingIgnoredDuringExecution:
+          - labelSelector:
+              matchLabels:
+{{- if .Values.windows_worker.hardAntiAffinityLabels }}
+{{ toYaml .Values.windows_worker.hardAntiAffinityLabels | indent 16 }}
+{{- else }}
+                app: {{ template "concourse.windows_worker.fullname" . }}
+                release: {{ .Release.Name | quote }}
+{{- end }}
+            topologyKey: kubernetes.io/hostname
+          {{- else }}
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - weight: 100
+            podAffinityTerm:
+              topologyKey: kubernetes.io/hostname
+              labelSelector:
+                matchLabels:
+                  app: {{ template "concourse.windows_worker.fullname" . }}
+                  release: {{ .Release.Name | quote }}
+          {{- end }}
+      volumes:
+{{- if .Values.windows_worker.additionalVolumes }}
+{{ toYaml .Values.windows_worker.additionalVolumes | indent 8 }}
+{{- end }}
+        - name: pre-stop-hook
+          configMap:
+            name: {{ template "concourse.worker.fullname" . }}
+        - name: concourse-keys
+          secret:
+            secretName: {{ template "concourse.worker.fullname" . }}
+            defaultMode: 0400
+            items:
+              - key: host-key-pub
+                path: host_key.pub
+              - key: worker-key
+                path: worker_key
+        {{- if and (not (kindIs "invalid" .Values.secrets.workerAdditionalCerts)) (.Values.secrets.workerAdditionalCerts | toString) }}
+        - name: worker-additional-certs
+          secret:
+            secretName: {{ template "concourse.worker.fullname" . }}
+            optional: true
+            items:
+              - key: worker-additional-certs
+                path: worker-additional-certs.pem
+        {{- end }}
+      {{- if semverCompare "^1.7-0" .Capabilities.KubeVersion.GitVersion }}
+  strategy:
+{{ toYaml .Values.windows_worker.updateStrategy | indent 4 }}
+      {{- end }}
+{{- end }}
+{{- end }}