Helm do not generate empty resource blocks #7559
Conversation
|
|
There was a problem hiding this comment.
thanks for the PR. I think it makes sense to merge this.
We have some rego policies which keep all manifests in line. I think this change is a good candidate for having a rego policy to make sure the manifests don't drift away and that any new deployments/StatefulSets will follow this convention. I had a go at writing one along with a unit test for it, but it's not doing what I expect it to.
diff --git a/operations/policies/deployment_rollingupdate.rego b/operations/policies/deployment_rollingupdate.rego
index 46e144f8f..629eaed3c 100644
--- a/operations/policies/deployment_rollingupdate.rego
+++ b/operations/policies/deployment_rollingupdate.rego
@@ -47,3 +47,13 @@ deny_deployment_rollingupdate[msg] {
is_ignored_deployment(obj) {
obj.metadata.name in ignored_deployments
}
+
+deny_deployment_empty_nodeselector[msg] {
+ obj := input[i].contents
+ nodeSelector := obj.spec.template.spec.nodeSelector
+ msg = sprintf("%s %v empty nodeSelector", [object_display_name[i], nodeSelector])
+
+ obj.kind == "Deployment"
+ not is_ignored_deployment(obj)
+ count(nodeSelector) == 0
+}
diff --git a/operations/policies/topology_spread_constraints_test.rego b/operations/policies/topology_spread_constraints_test.rego
index 255ad602e..892eb30f2 100644
--- a/operations/policies/topology_spread_constraints_test.rego
+++ b/operations/policies/topology_spread_constraints_test.rego
@@ -18,3 +18,9 @@ test_topology_spread_constraints_use_wrong_labels if {
contains(reason, "TopologySpreadConstraints use labels not present on pods")
}
+
+test_empty_node_selector if {
+ deny[reason] with input as [object.union(passing_deployment, {"contents": {"spec": {"template": {"spec": {"nodeSelector": {}}}}}})]
+
+ contains(reason, "empty nodeSelector")
+}Do you want to give this a try in this PR? It's also ok if you don't have time for it
|
I will give it a try! |
|
I added a policy for each of the blocks which should not be rendered if empty. I hope I implemented it the right way as I'm not that familiar with rego! |
|
@dimitarvdimitrov Could you take a look on the rego policies? |
What this PR does
This PR removes all empty
initContainers,nodeSelector,affinityandtolerationsblocks from the helm output.Which issue(s) this PR fixes or relates to
When using additional tools like ArgoCD and also have mutation hooks, even ignoring differences in eg. ArgoCD might not work as expected! As we do not see this behaviour in deployment or statefulset templates where these blocks were omited when empty, we wanted to make this the default in the mimir-distributed helm chart.
Checklist
CHANGELOG.mdupdated - the order of entries should be[CHANGE],[FEATURE],[ENHANCEMENT],[BUGFIX].about-versioning.mdupdated with experimental features.