Merge branch 'main' into workflow_implementation

Author: tanishagoyal2

.github/workflows/integration-gcp.yml

@@ -0,0 +1,163 @@
+# Copyright (c) 2025, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Integration Tests - GCP
+
+on:
+  workflow_dispatch: {}  # allow manual runs for testing
+  schedule:
+    - cron: '30 14 * * *' # daily at 14:30 UTC, runs on default branch only
+  push:
+    branches:
+      - main
+      - feature/oidc-gcp
+
+permissions:
+  contents: read
+  actions: read
+  id-token: write
+
+jobs:
+  integration-test-gcp:
+    runs-on: ubuntu-latest
+    timeout-minutes: 60
+    env:
+      CSP: "gcp"
+      PREFIX: "nvs"
+      PROJECT_ID: "nv-dgxck8s-20250306"
+      IDENTITY_PROVIDER: "projects/1015254933832/locations/global/workloadIdentityPools/github-pool/providers/github-provider"
+      SERVICE_ACCOUNT: "github-actions-user"
+      # Terraform Vars
+      TF_VAR_deployment_id: "d${{ github.run_id }}"
+      TF_VAR_project_id: "nv-dgxck8s-20250306"
+      TF_VAR_region: "europe-west4"
+      TF_VAR_zone: "europe-west4-b"
+      TF_VAR_system_node_type: "e2-standard-4"
+      TF_VAR_system_node_count: "3"
+      TF_VAR_gpu_node_pool_name: "gpu-pool"
+      TF_VAR_gpu_machine_type: "a3-megagpu-8g"
+      TF_VAR_gpu_node_count: "1"
+      TF_VAR_gpu_reservation_project: "nv-dgxcloudprodgsc-20240206"
+      TF_VAR_gpu_reservation_name: "gsc-a3-megagpu-8g-shared-res-2"
+      TF_VAR_gpu_driver_version: "INSTALLATION_DISABLED"
+      TF_VAR_resource_labels: '{"environment":"test","team":"nvsentinel","managed_by":"terraform"}'
+      # Debug
+      SKIP_DELETE: "false"  # skip cluster deletion
+      TEST_TAG: "main-33c1d03"
+      
+    steps:
+      # Checkout
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
+
+      # Terraform
+      - name: Terraform
+        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd  # v3.1.2
+        with:
+          terraform_version: "1.13.5"
+
+      # Auth
+      - name: Get AuthN Token
+        id: auth
+        uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093  # v3
+        with:
+          token_format: access_token
+          workload_identity_provider: ${{ env.IDENTITY_PROVIDER }}
+          service_account: "${{ env.SERVICE_ACCOUNT }}@${{ env.PROJECT_ID }}.iam.gserviceaccount.com"
+
+      # Gcloud
+      - name: Setup gcloud CLI
+        uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db  # v3.0.1
+
+      # Cluster
+      - name: Create Cluster
+        id: cluster
+        shell: bash
+        continue-on-error: true 
+        run: |
+          set -euo pipefail
+          cd tests/uat/gcp/cluster
+          terraform init
+          terraform apply -auto-approve
+
+      # Connect
+      - name: Connect to Cluster
+        id: client
+        if: steps.cluster.outcome == 'success'
+        shell: bash
+        run: |
+          set -euo pipefail
+          echo "Installing GKE auth plugin..."
+          gcloud components install gke-gcloud-auth-plugin --quiet --project ${{ env.TF_VAR_project_id }}
+          echo "Getting cluster credentials..."
+          gcloud container clusters get-credentials "${{ env.PREFIX }}-${{ env.TF_VAR_deployment_id }}" \
+            --zone ${{ env.TF_VAR_zone }} --project ${{ env.TF_VAR_project_id }}
+
+      # Image Tag
+      - name: Compute ref name with short SHA
+        id: ref-name
+        run: |
+          if [[ "${{ github.ref_type }}" == "tag" ]]; then
+            SAFE_REF="${{ github.ref_name }}"
+          elif [[ "${{ github.ref_name }}" == "main" ]]; then
+            SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7)
+            SAFE_REF="${{ github.ref_name }}-${SHORT_SHA}"
+          else
+            SAFE_REF="${{ env.TEST_TAG }}"
+          fi
+          # Sanitize ref name: replace slashes with hyphens for Docker tag compatibility
+          SAFE_REF=$(echo "$SAFE_REF" | sed 's/\//-/g')
+          echo "value=$SAFE_REF" >> $GITHUB_OUTPUT
+
+      # Apps
+      - name: Install NVS
+        id: apps
+        if: steps.client.outcome == 'success'
+        shell: bash
+        env:
+          GCP_PROJECT_ID: "${{ env.PROJECT_ID }}"
+          GCP_ZONE: "${{ env.TF_VAR_zone }}"
+          GCP_SERVICE_ACCOUNT: "${{ env.SERVICE_ACCOUNT }}"
+          NVSENTINEL_VERSION: "${{ steps.ref-name.outputs.value }}"
+        run: |
+          set -euxo pipefail
+          tests/uat/install-apps.sh
+
+      # Test
+      - name: Run UAT Tests
+        id: tests
+        if: steps.apps.outcome == 'success'
+        shell: bash
+        run: |
+          set -euxo pipefail
+          tests/uat/tests.sh
+
+      # Teardown
+      - name: Destroy Cluster
+        if: always() && steps.cluster.outcome != 'skipped' && env.SKIP_DELETE != 'true'
+        shell: bash
+        run: |
+          set -euxo pipefail
+          cd tests/uat/gcp/cluster
+          terraform destroy -auto-approve
+
+      # Summary
+      - name: Test Summary
+        if: always()
+        run: |
+          echo "## Test Results" >> $GITHUB_STEP_SUMMARY
+          echo "- Cluster: ${{ steps.cluster.outcome }}" >> $GITHUB_STEP_SUMMARY
+          echo "- Connection: ${{ steps.client.outcome }}" >> $GITHUB_STEP_SUMMARY
+          echo "- Apps: ${{ steps.apps.outcome }}" >> $GITHUB_STEP_SUMMARY
+          echo "- Tests: ${{ steps.tests.outcome }}" >> $GITHUB_STEP_SUMMARY

.github/workflows/publish.yml

@@ -106,6 +106,9 @@ jobs:
           - component: syslog-health-monitor
             make_command: 'make -C health-monitors/syslog-health-monitor docker-publish'
             container_name: 'nvsentinel/syslog-health-monitor'
+          - component: kubernetes-object-monitor
+            make_command: 'make -C health-monitors/kubernetes-object-monitor docker-publish'
+            container_name: 'nvsentinel/kubernetes-object-monitor'
           - component: metadata-collector
             make_command: 'make -C metadata-collector docker-publish'
             container_name: 'nvsentinel/metadata-collector'

.gitignore

@@ -446,6 +446,7 @@ fault-quarantine/fault-quarantine
 fault-remediation/fault-remediation
 health-events-analyzer/health-events-analyzer
 health-monitors/syslog-health-monitor/syslog-health-monitor
+health-monitors/kubernetes-object-monitor/kubernetes-object-monitor
 labeler/labeler
 metadata-collector/metadata-collector
 node-drainer/node-drainer

distros/kubernetes/nvsentinel/Chart.yaml

@@ -55,3 +55,6 @@ dependencies:
   - name: metadata-collector
     version: "0.1.0"
     condition: global.metadataCollector.enabled
+  - name: kubernetes-object-monitor
+    version: "0.1.0"
+    condition: global.kubernetesObjectMonitor.enabled

distros/kubernetes/nvsentinel/charts/kubernetes-object-monitor/Chart.yaml

@@ -0,0 +1,21 @@
+# Copyright (c) 2025, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v2
+name: kubernetes-object-monitor
+description: Monitors Kubernetes objects and publishes health events based on CEL policy predicates
+type: application
+version: 0.1.0
+appVersion: "1.16.0"
+

distros/kubernetes/nvsentinel/charts/kubernetes-object-monitor/templates/_helpers.tpl

@@ -0,0 +1,41 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "kubernetes-object-monitor.name" -}}
+{{- .Chart.Name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+*/}}
+{{- define "kubernetes-object-monitor.fullname" -}}
+{{- "kubernetes-object-monitor" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "kubernetes-object-monitor.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "kubernetes-object-monitor.labels" -}}
+helm.sh/chart: {{ include "kubernetes-object-monitor.chart" . }}
+{{ include "kubernetes-object-monitor.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "kubernetes-object-monitor.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "kubernetes-object-monitor.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+

distros/kubernetes/nvsentinel/charts/kubernetes-object-monitor/templates/clusterrole.yaml

@@ -0,0 +1,57 @@
+# Copyright (c) 2025, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- $resourcesByGroup := dict }}
+{{- range .Values.policies }}
+  {{- $group := .resource.group | default "" }}
+  {{- $kind := .resource.kind | lower }}
+  {{- $resource := printf "%ss" $kind }}
+  {{- $existing := index $resourcesByGroup $group | default list }}
+  {{- if not (has $resource $existing) }}
+    {{- $updated := append $existing $resource }}
+    {{- $_ := set $resourcesByGroup $group $updated }}
+  {{- end }}
+{{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "kubernetes-object-monitor.fullname" . }}
+  labels:
+    {{- include "kubernetes-object-monitor.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+    verbs:
+      - get
+      - list
+      - watch
+      - patch
+      - update
+  {{- range $group, $resources := $resourcesByGroup }}
+  {{- if ne $group "" }}
+  - apiGroups:
+      - {{ $group | quote }}
+    resources:
+      {{- range $resources }}
+      - {{ . }}
+      {{- end }}
+    verbs:
+      - get
+      - list
+      - watch
+  {{- end }}
+  {{- end }}

distros/kubernetes/nvsentinel/charts/kubernetes-object-monitor/templates/clusterrolebinding.yaml

@@ -0,0 +1,29 @@
+# Copyright (c) 2025, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "kubernetes-object-monitor.fullname" . }}
+  labels:
+    {{- include "kubernetes-object-monitor.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "kubernetes-object-monitor.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ include "kubernetes-object-monitor.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
+

distros/kubernetes/nvsentinel/charts/kubernetes-object-monitor/templates/configmap.yaml

@@ -0,0 +1,53 @@
+# Copyright (c) 2025, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "kubernetes-object-monitor.fullname" . }}
+  labels:
+    {{- include "kubernetes-object-monitor.labels" . | nindent 4 }}
+data:
+  config.toml: |
+    {{- range .Values.policies }}
+    [[policies]]
+      name = {{ .name | quote }}
+      enabled = {{ .enabled }}
+      
+      [policies.resource]
+        group = {{ .resource.group | quote }}
+        version = {{ .resource.version | quote }}
+        kind = {{ .resource.kind | quote }}
+      
+      [policies.predicate]
+        expression = {{ if contains "\n" .predicate.expression }}'''
+{{ .predicate.expression | trim | nindent 10 }}
+        '''{{ else }}{{ .predicate.expression | quote }}{{ end }}
+      
+      {{- if .nodeAssociation }}
+      [policies.nodeAssociation]
+        expression = {{ .nodeAssociation.expression | quote }}
+      {{- end }}
+      
+      [policies.healthEvent]
+        componentClass = {{ .healthEvent.componentClass | quote }}
+        isFatal = {{ .healthEvent.isFatal }}
+        message = {{ .healthEvent.message | quote }}
+        recommendedAction = {{ .healthEvent.recommendedAction | quote }}
+        {{- if .healthEvent.errorCode }}
+        errorCode = [{{- range $index, $code := .healthEvent.errorCode }}{{- if $index }}, {{ end }}{{ $code | quote }}{{- end }}]
+        {{- end }}
+    
+    {{- end }}
+