From 9521057e6ebfa21acaf79882464aaecdd37425a5 Mon Sep 17 00:00:00 2001 From: Samuli Silvius Date: Thu, 3 Oct 2024 21:11:48 +0300 Subject: [PATCH 1/9] Add support autoscaling/v2 API to HorizontalPodAutoscaler Change also default apiVersion to autoscaling/v2 but support still autoscaling/v2beta1. Signed-off-by: Samuli Silvius --- README.md | 138 ++++++++++++++++++++++----------------------- templates/hpa.yaml | 14 ++++- 2 files changed, 82 insertions(+), 70 deletions(-) diff --git a/README.md b/README.md index bef2a14..adbb0df 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,7 @@ nxs-universal-chart is a Helm chart you can use to install any of your applicati ### Who can use this tool * Development -* DevOps engineers +* DevOps engineers Who deploy into Kubernetes/OpenShift on regular basis. 
@@ -156,20 +156,20 @@ the parameters that can be configured during installation. To check deployment e | `allocateLoadBalancerNodePorts` | Load Balancer NodePort allocation | `true` | | `externalTrafficPolicy` | Service external traffic policy | `"Cluster"` | | `healthCheckNodePort` | Health check node port (numeric port number) for the service | `` | -| `externalIPs` | Array of the external IPs that route to one or more cluster nodes | `[]` | -| `ports` | Array of the service [port](#service-ports-object-parameters) objects | `[]` | -| `extraSelectorLabels` | Extra selectorLabels for select workload | `{}` | -| `clusterIP` | Service clusterIP parameter value | `""` | +| `externalIPs` | Array of the external IPs that route to one or more cluster nodes | `[]` | +| `ports` | Array of the service [port](#service-ports-object-parameters) objects | `[]` | +| `extraSelectorLabels` | Extra selectorLabels for select workload | `{}` | +| `clusterIP` | Service clusterIP parameter value | `""` | #### Service `ports` object parameters: | Name | Description | Value | |--------------|------------------------------|---------| -| `name` | Name of the service port | `""` | -| `protocol` | Protocol of the service port | `"TCP"` | -| `port` | Service port number | `` | -| `targetPort` | Service target port number | `` | -| `nodePort` | Service NodePort number | `` | +| `name` | Name of the service port | `""` | +| `protocol` | Protocol of the service port | `"TCP"` | +| `port` | Service port number | `` | +| `targetPort` | Service target port number | `` | +| `nodePort` | Service NodePort number | `` | ### Deployments parameters 
@@ -304,14 +304,14 @@ the parameters that can be configured during installation. To check deployment e | Name | Description | Value | |------------------------------|-----------------------------------------------------------------------------------------|-----------| -| `labels` | Extra ServiceAccount, role and binding labels | `{}` | -| `annotations` | Extra ServiceAccount annotations | `{}` | -| `role` | Map of role parametres to create and bind | `{}` | -| `role.name` | Name of role to create/bind | `{}` | -| `role.rules` | List of rules for role | `{}` | -| `clusterRole` | Map of clusterRole parametres to create and bind | `{}` | -| `clusterRole.name` | Name of clusterRole to create/bind | `{}` | -| `clusterRole.rules` | List of rules for clusterRole | `{}` | +| `labels` | Extra ServiceAccount, role and binding labels | `{}` | +| `annotations` | Extra ServiceAccount annotations | `{}` | +| `role` | Map of role parametres to create and bind | `{}` | +| `role.name` | Name of role to create/bind | `{}` | +| `role.rules` | List of rules for role | `{}` | +| `clusterRole` | Map of clusterRole parametres to create and bind | `{}` | +| `clusterRole.name` | Name of clusterRole to create/bind | `{}` | +| `clusterRole.rules` | List of rules for clusterRole | `{}` | `role/clusterRole` is a map of parameters of role/clusterrole. If *rules* are not set then only binding to existing role/clusterrole will be created. If *rules* are set then corresponding role/clusterrole will be created and binded to service account. Service account can be created without corresponding roles and bindings. 
@@ -321,10 +321,10 @@ the parameters that can be configured during installation. To check deployment e | Name | Description | Value | |--------------------|----------------------------------------------|------------| -| `type` | Secret type | `"Opaque"` | -| `labels` | Extra secret labels | `{}` | -| `annotations` | Extra secret annotations | `{}` | -| `data` | Map of Secret data | `{}` | +| `type` | Secret type | `"Opaque"` | +| `labels` | Extra secret labels | `{}` | +| `annotations` | Extra secret annotations | `{}` | +| `data` | Map of Secret data | `{}` | Secret `data` object is a map where value can be a string, json or base64 encoded string with prefix `b64:`. @@ -334,9 +334,9 @@ Secret `data` object is a map where value can be a string, json or base64 encode | Name | Description | Value | |--------------------|-------------------------------------------------|-----------| -| `labels` | Extra ConfigMap labels | `{}` | -| `annotations` | Extra ConfigMap annotations | `{}` | -| `data` | Map of ConfigMap data | `{}` | +| `labels` | Extra ConfigMap labels | `{}` | +| `annotations` | Extra ConfigMap annotations | `{}` | +| `data` | Map of ConfigMap data | `{}` | ### PersistentVolumeClaims parameters 
@@ -344,13 +344,13 @@ Secret `data` object is a map where value can be a string, json or base64 encode | Name | Description | Value | |--------------------|------------------------------------------------------|----------------| -| `labels` | Extra Persistent Volume Claim labels | `{}` | -| `annotations` | Extra Persistent Volume Claim annotations | `{}` | -| `accessModes` | Persistent Volume access modes | `[]` | -| `volumeMode` | Persistent Volume volume mode | `"Filesystem"` | +| `labels` | Extra Persistent Volume Claim labels | `{}` | +| `annotations` | Extra Persistent Volume Claim annotations | `{}` | +| `accessModes` | Persistent Volume access modes | `[]` | +| `volumeMode` | Persistent Volume volume mode | `"Filesystem"` | | `volumeName` | Persistent Volume volume name (if already exists) | `` | -| `storageClassName` | Persistent Volume Storage Class name | `""` | -| `selector` | Labels selector to further filter the set of volumes | `{}` | +| `storageClassName` | Persistent Volume Storage Class name | `""` | +| `selector` | Labels selector to further filter the set of volumes | `{}` | ### typed Volumes parameters 
@@ -375,11 +375,11 @@ Secret `data` object is a map where value can be a string, json or base64 encode | `hooksGeneral.envConfigmaps` | Array of Configmaps names with extra envs | `[]` | | `hooksGeneral.envSecrets` | Array of Secrets names with extra envs | `[]` | | `hooksGeneral.envFrom` | Array of extra envFrom objects | `[]` | -| `hooksGeneral.parallelism` | How much Jobs can be run in parallel (ignored if defined on Hook level) | `1` | -| `hooksGeneral.completions` | How much Pods should finish to finish Job (ignored if defined on Hook level) | `1` | -| `hooksGeneral.activeDeadlineSeconds` | Duration of the Job (ignored if defined on Hook level) | `100` | -| `hooksGeneral.backoffLimit` | Number of retries before considering a Job as failed (ignored if defined on Hook level) | `6` | -| `hooksGeneral.ttlSecondsAfterFinished` | TTL for delete finished Hook Job (ignored if defined on Hook level) | `100` | +| `hooksGeneral.parallelism` | How much Jobs can be run in parallel (ignored if defined on Hook level) | `1` | +| `hooksGeneral.completions` | How much Pods should finish to finish Job (ignored if defined on Hook level) | `1` | +| `hooksGeneral.activeDeadlineSeconds` | Duration of the Job (ignored if defined on Hook level) | `100` | +| `hooksGeneral.backoffLimit` | Number of retries before considering a Job as failed (ignored if defined on Hook level) | `6` | +| `hooksGeneral.ttlSecondsAfterFinished` | TTL for delete finished Hook Job (ignored if defined on Hook level) | `100` | | `hooksGeneral.podLabels` | Extra pod labels for Hook Job (ignored if defined on Hook level) | `{}` | | `hooksGeneral.podAnnotations` | Extra pod annotations for Hook Job (ignored if defined on Hook level) | `{}` | | `hooksGeneral.serviceAccountName` | The name of the ServiceAccount to use by Hook Job (ignored if defined on Hook level) | `""` | 
@@ -394,16 +394,16 @@ Secret `data` object is a map where value can be a string, json or base64 encode | Name | Description | Value | |---------------------------|------------------------------------------------------------------------------------------|-----------------------------| -| `labels` | Extra Hook Job labels | `{}` | -| `annotations` | Extra Hook Job annotations | `{}` | -| `kind` | Kind of the Helm Hook | `"pre-install,pre-upgrade"` | -| `weight` | Weight of the Helm Hook | `"5"` | -| `deletePolicy` | Delete Policy of the Helm Hook | `"before-hook-creation"` | -| `parallelism` | How much pods of Jobs can be run in parallel | `1` | -| `completions` | How much pods should finish to finish Job | `1` | -| `activeDeadlineSeconds` | Duration of the Job | `100` | -| `backoffLimit` | Number of retries before considering a Job as failed | `6` | -| `ttlSecondsAfterFinished` | TTL for delete finished Hook Job | `100` | +| `labels` | Extra Hook Job labels | `{}` | +| `annotations` | Extra Hook Job annotations | `{}` | +| `kind` | Kind of the Helm Hook | `"pre-install,pre-upgrade"` | +| `weight` | Weight of the Helm Hook | `"5"` | +| `deletePolicy` | Delete Policy of the Helm Hook | `"before-hook-creation"` | +| `parallelism` | How much pods of Jobs can be run in parallel | `1` | +| `completions` | How much pods should finish to finish Job | `1` | +| `activeDeadlineSeconds` | Duration of the Job | `100` | +| `backoffLimit` | Number of retries before considering a Job as failed | `6` | +| `ttlSecondsAfterFinished` | TTL for delete finished Hook Job | `100` | | `podLabels` | Extra pod labels for Hook Job | `{}` | | `podAnnotations` | Extra pod annotations for Hook Job | `{}` | | `serviceAccountName` | The name of the ServiceAccount to use by Hook Job | `""` | 
@@ -458,18 +458,18 @@ Secret `data` object is a map where value can be a string, json or base64 encode | Name | Description | Value | |------------------------------|-----------------------------------------------------------------------------------------|-----------| -| `labels` | Extra CronJob labels | `{}` | -| `annotations` | Extra CronJob annotations | `{}` | +| `labels` | Extra CronJob labels | `{}` | +| `annotations` | Extra CronJob annotations | `{}` | | `singleOnly` | Forbid concurrency policy | `"false"` | | `schedule` | Cronjob scheduling | `` | -| `startingDeadlineSeconds` | Duration for starting CronJob | `` | -| `successfulJobsHistoryLimit` | Limitation of completed jobs should be kept | `3` | -| `failedJobsHistoryLimit` | Limitation of failed jobs should be kept | `1` | -| `parallelism` | How much pods of CronJob can be run in parallel | `1` | -| `completions` | How much pods should finish to finish Job | `1` | -| `activeDeadlineSeconds` | Duration of the Job | `100` | -| `backoffLimit` | Number of retries before considering a Job as failed | `6` | -| `ttlSecondsAfterFinished` | TTL for delete finished CronJob | `100` | +| `startingDeadlineSeconds` | Duration for starting CronJob | `` | +| `successfulJobsHistoryLimit` | Limitation of completed jobs should be kept | `3` | +| `failedJobsHistoryLimit` | Limitation of failed jobs should be kept | `1` | +| `parallelism` | How much pods of CronJob can be run in parallel | `1` | +| `completions` | How much pods should finish to finish Job | `1` | +| `activeDeadlineSeconds` | Duration of the Job | `100` | +| `backoffLimit` | Number of retries before considering a Job as failed | `6` | +| `ttlSecondsAfterFinished` | TTL for delete finished CronJob | `100` | | `podLabels` | Extra pod labels for CronJob | `{}` | | `podAnnotations` | Extra pod annotations for CronJob | `{}` | | `serviceAccountName` | The name of the ServiceAccount to use by CronJob | `""` | 
@@ -502,11 +502,11 @@ Secret `data` object is a map where value can be a string, json or base64 encode | `jobsGeneral.envConfigmaps` | Array of Configmaps names with extra envs | `[]` | | `jobsGeneral.envSecrets` | Array of Secrets names with extra envs | `[]` | | `jobsGeneral.envFrom` | Array of extra envFrom objects | `[]` | -| `jobsGeneral.parallelism` | How much Jobs can be run in parallel (ignored if defined on Job level) | `1` | -| `jobsGeneral.completions` | How much Pods should finish to finish Job (ignored if defined on Job level) | `1` | -| `jobsGeneral.activeDeadlineSeconds` | Duration of the Job (ignored if defined on Job level) | `100` | -| `jobsGeneral.backoffLimit` | Number of retries before considering a Job as failed (ignored if defined on Job level) | `6` | -| `jobsGeneral.ttlSecondsAfterFinished` | TTL for delete finished Job (ignored if defined on Job level) | `100` | +| `jobsGeneral.parallelism` | How much Jobs can be run in parallel (ignored if defined on Job level) | `1` | +| `jobsGeneral.completions` | How much Pods should finish to finish Job (ignored if defined on Job level) | `1` | +| `jobsGeneral.activeDeadlineSeconds` | Duration of the Job (ignored if defined on Job level) | `100` | +| `jobsGeneral.backoffLimit` | Number of retries before considering a Job as failed (ignored if defined on Job level) | `6` | +| `jobsGeneral.ttlSecondsAfterFinished` | TTL for delete finished Job (ignored if defined on Job level) | `100` | | `jobsGeneral.podLabels` | Extra pod labels for Job (ignored if defined on Job level) | `{}` | | `jobsGeneral.podAnnotations` | Extra pod annotations for Job (ignored if defined on Job level) | `{}` | | `jobsGeneral.serviceAccountName` | The name of the ServiceAccount to use by Job (ignored if defined on Job level) | `""` | 
@@ -521,13 +521,13 @@ Secret `data` object is a map where value can be a string, json or base64 encode | Name | Description | Value | |---------------------------|------------------------------------------------------------------------------------------|-----------| -| `labels` | Extra Job labels | `{}` | -| `annotations` | Extra Job annotations | `{}` | -| `parallelism` | How much pods of Job can be run in parallel | `1` | -| `completions` | How much pods should finish to finish Job | `1` | -| `activeDeadlineSeconds` | Duration of the Job | `100` | -| `backoffLimit` | Number of retries before considering a Job as failed | `6` | -| `ttlSecondsAfterFinished` | TTL for delete finished Hook Job | `100` | +| `labels` | Extra Job labels | `{}` | +| `annotations` | Extra Job annotations | `{}` | +| `parallelism` | How much pods of Job can be run in parallel | `1` | +| `completions` | How much pods should finish to finish Job | `1` | +| `activeDeadlineSeconds` | Duration of the Job | `100` | +| `backoffLimit` | Number of retries before considering a Job as failed | `6` | +| `ttlSecondsAfterFinished` | TTL for delete finished Hook Job | `100` | | `podLabels` | Extra pod labels for Hook Job | `{}` | | `podAnnotations` | Extra pod annotations for Hook Job | `{}` | | `serviceAccountName` | The name of the ServiceAccount to use by deployment | `""` | 
@@ -575,7 +575,7 @@ Secret `data` object is a map where value can be a string, json or base64 encode |------------------|-------------------------------------------------------------------------|-------------------------| | `labels` | Extra HPA labels | `{}` | | `annotations` | Extra HPA annotations | `{}` | -| `apiVersion` | apiVersion for HPA object | `"autoscaling/v2beta1"` | +| `apiVersion` | apiVersion for HPA object | `"autoscaling/v2"` | | `minReplicas` | minimum replicas for HPA | `2` | | `maxReplicas` | maximum replicas for HPA | `3` | | `scaleTargetRef` | Required [scaleTargetRef](#hpa-scaletargetref-object-parameters) object | | diff --git a/templates/hpa.yaml b/templates/hpa.yaml index abf7e87..505eeab 100644 --- a/templates/hpa.yaml +++ b/templates/hpa.yaml @@ -1,7 +1,7 @@ {{- range $name, $hpa := .Values.hpas }} --- kind: HorizontalPodAutoscaler -apiVersion: {{ .apiVersion | default "autoscaling/v2beta1" }} +apiVersion: {{ .apiVersion | default "autoscaling/v2" }} metadata: name: {{ include "helpers.app.fullname" (dict "name" $name "context" $) }} namespace: {{ $.Release.Namespace | quote }} @@ -24,13 +24,25 @@ spec: - type: Resource resource: name: cpu + {{- if eq (include "hpa.apiVersion" .) "autoscaling/v2beta1" }} targetAverageUtilization: {{ .targetCPU }} + {{- else }} + target: + type: Utilization + averageUtilization: {{ .targetCPU }} + {{- end }} {{- end }} {{- if not (empty .targetMemory) }} - type: Resource resource: name: memory + {{- if eq (include "hpa.apiVersion" .) "autoscaling/v2beta1" }} targetAverageUtilization: {{ .targetMemory }} + {{- else }} + target: + type: Utilization + averageUtilization: {{ .targetMemory }} + {{- end }} {{- end }} {{- if .metrics }} {{- toYaml .metrics | nindent 4 }} From 039bdf87e28b4163ba25f036d5ab8affa509ae1e Mon Sep 17 00:00:00 2001 
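Review bot: The condition added to both the cpu and memory metric blocks calls `include "hpa.apiVersion" .`, but no template by that name is defined anywhere in this series, so rendering any HPA with a CPU or memory target fails at this commit; patch 4/9 later replaces it with `eq .apiVersion "autoscaling/v2beta1"`. Squashing that fix into this commit would keep the series bisectable. The `else` branch emits the `target:` form for every apiVersion other than v2beta1, which is correct for autoscaling/v2 (and v2beta2), but that intent is worth stating above the first condition, e.g. `{{/* only autoscaling/v2beta1 uses the flat targetAverageUtilization form */}}`.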
From: Samuli Silvius Date: Thu, 3 Oct 2024 21:30:24 +0300 Subject: [PATCH 2/9] Add support of servicesGeneral for services. Added servicesGeneral.labels servicesGeneral.annotations Signed-off-by: Samuli Silvius --- README.md | 7 +++++++ templates/svc.yml | 3 +++ values.yaml | 27 ++++++++++++++------------- 3 files changed, 24 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index adbb0df..194d742 100644 --- a/README.md +++ b/README.md @@ -143,6 +143,13 @@ the parameters that can be configured during installation. To check deployment e ### Services parameters +`servicesGeneral` is a map of the Services parameters, which uses for all Services. + +| Name | Description | Value | +|---------------------------------------|------------------------------------------------------|-------------| +| `servicesGeneral.labels` | Labels to add to all services | `{}` | +| `servicesGeneral.annotations` | Annotations to add to all services | `{}` | + `services` is a map of the Service parameters, where key is a name of Service. | Name | Description | Value | diff --git a/templates/svc.yml b/templates/svc.yml index f7a22a1..10c0294 100644 --- a/templates/svc.yml +++ b/templates/svc.yml @@ -1,3 +1,4 @@ +{{- $general := $.Values.servicesGeneral -}} {{- range $name, $s := $.Values.services }} --- kind: Service 
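Review bot: `$general` is bound to `$.Values.servicesGeneral` with no fallback, so when a values file omits the key or sets it to null (values.yaml in this commit adds `servicesGeneral: {}`, but an override can remove it), the `$general.labels` and `$general.annotations` lookups in the second hunk of this file fail with a nil-pointer render error instead of rendering no extra labels. Defaulting at the binding keeps both `with` blocks safe: `{{- $general := default (dict) $.Values.servicesGeneral -}}`. Note also that general and per-service labels are emitted as separate YAML entries rather than merged, so a key set in both appears twice; this mirrors the existing `generic.annotations` handling, so it is a documentation point rather than a defect introduced here.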
@@ -7,9 +8,11 @@ metadata: namespace: {{ $.Release.Namespace | quote }} labels: {{- include "helpers.app.labels" $ | nindent 4 }} + {{- with $general.labels }}{{- include "helpers.tplvalues.render" (dict "value" . "context" $) | nindent 4 }}{{- end }} {{- with .labels }}{{- include "helpers.tplvalues.render" (dict "value" . "context" $) | nindent 4 }}{{- end }} annotations: {{- with $.Values.generic.annotations }}{{- include "helpers.tplvalues.render" (dict "value" . "context" $) | nindent 4 }}{{- end }} + {{- with $general.annotations }}{{- include "helpers.tplvalues.render" (dict "value" . "context" $) | nindent 4 }}{{- end }} {{- with .annotations }}{{- include "helpers.tplvalues.render" (dict "value" . "context" $) | nindent 4 }}{{- end }} spec: {{- if not (empty .clusterIP ) }} diff --git a/values.yaml b/values.yaml index b1b4b7b..46b77cc 100644 --- a/values.yaml +++ b/values.yaml @@ -113,6 +113,7 @@ ingresses: {} # secretName: "nixys-tls" +servicesGeneral: {} services: {} # nginx: # clusterIP: None @@ -362,8 +363,8 @@ extraDeploy: {} ingressroutes: {} - # test: - # entryPoints: + # test: + # entryPoints: # - test # routes: # Host(`prod-vault.ru`): @@ -373,7 +374,7 @@ ingressroutes: {} # port: 8200 # serversTransport: vault # responseForwardingflushInterval: 10ms - # stickyCookie: + # stickyCookie: # httpOnly: true # name: cookie # secure: true @@ -383,7 +384,7 @@ ingressroutes: {} # port: 8201 # serversTransport: vault # responseForwardingflushInterval: 10ms - # stickyCookie: + # stickyCookie: # httpOnly: false # name: cookie-2 # secure: false @@ -396,14 +397,14 @@ ingressroutes: {} # namespace: default # - name: test # tls: - # secretName: supersecret + # secretName: supersecret # store: # name: storetets # namespace: default # options: # name: opt # namespace: default - # certResolver: foo + # certResolver: foo # domains: # - main: example.net # sans: 
@@ -423,8 +424,8 @@ middlewares: {} # scheme: https ingressroutesUDP: {} - # test: - # entryPoints: + # test: + # entryPoints: # - test # routes: # vault-active: @@ -442,7 +443,7 @@ traefikservices: {} # - name: svc2 # port: 80 # percent: 20 - # - name: svc3 + # - name: svc3 # kind: TraefikService # percent: 15 # test2: @@ -484,11 +485,11 @@ TLSOptions: {} # sniStrict: true # alpnProtocols: # - foobar - + TLSStores: {} # teststore: # certificates: - # - foo + # - foo # - bar # defaultCertificate: secret # defaultGeneratedCert: @@ -501,9 +502,9 @@ TLSStores: {} ServersTransport: {} - # test: + # test: # serverName: foobar - # insecureSkipVerify: true + # insecureSkipVerify: true # rootCAsSecrets: # - foobar # - foobar From fa7e5958eecacfb91d9f3b1ff98fcf2a7881cdb5 Mon Sep 17 00:00:00 2001 From: Samuli Silvius Date: Sun, 6 Oct 2024 19:20:36 +0300 Subject: [PATCH 3/9] Fix serviceAccountName for the pod serviceAccountName in pod did not matched the given name in values as ServiceAccount resource in using helpers.app.fullname template ``` name: {{ include "helpers.app.fullname" (dict "name" $name "context" $) }} ``` So, use same template in pod to reference serviceAccount name to make them match. Signed-off-by: Samuli Silvius --- templates/helpers/_pod.tpl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/helpers/_pod.tpl b/templates/helpers/_pod.tpl index 2726c9d..519d992 100644 --- a/templates/helpers/_pod.tpl +++ b/templates/helpers/_pod.tpl 
@@ -7,9 +7,9 @@ {{- $name := .name -}} {{- with .value -}} {{- if .serviceAccountName }} -serviceAccountName: {{- include "helpers.tplvalues.render" (dict "value" .serviceAccountName "context" $) | nindent 2 }} +serviceAccountName: {{- include "helpers.app.fullname" (dict "name" .serviceAccountName "context" $) | nindent 2 }} {{- else if $.Values.generic.serviceAccountName }} -serviceAccountName: {{- include "helpers.tplvalues.render" (dict "value" $.Values.generic.serviceAccountName "context" $) | nindent 2 }} +serviceAccountName: {{- include "helpers.app.fullname" (dict "name" $.Values.generic.serviceAccountName "context" $) | nindent 2 }} {{- end }} {{- if .hostAliases }} hostAliases: {{- include "helpers.tplvalues.render" (dict "value" .hostAliases "context" $) | nindent 2 }} From d4c5008acbb624728ab96a06d742852032d92a51 Mon Sep 17 00:00:00 2001 From: Samuli Silvius Date: Sun, 6 Oct 2024 20:08:09 +0300 Subject: [PATCH 4/9] Fix previous HPA change Conditional part used template that did not existed. Signed-off-by: Samuli Silvius --- templates/hpa.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/hpa.yaml b/templates/hpa.yaml index 505eeab..61e53d3 100644 --- a/templates/hpa.yaml +++ b/templates/hpa.yaml @@ -24,7 +24,7 @@ spec: - type: Resource resource: name: cpu - {{- if eq (include "hpa.apiVersion" .) "autoscaling/v2beta1" }} + {{- if eq .apiVersion "autoscaling/v2beta1" }} targetAverageUtilization: {{ .targetCPU }} {{- else }} target: @@ -36,7 +36,7 @@ spec: - type: Resource resource: name: memory - {{- if eq (include "hpa.apiVersion" .) "autoscaling/v2beta1" }} + {{- if eq .apiVersion "autoscaling/v2beta1" }} targetAverageUtilization: {{ .targetMemory }} {{- else }} target: From 8b4913465a459d78696c7e7236716b86812b048f Mon Sep 17 00:00:00 2001 
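Review bot: Wrapping `serviceAccountName` in `helpers.app.fullname` changes which ServiceAccount every pod runs as: a value that named a pre-existing account outside this chart (`default`, or one provisioned by another chart or the platform) is now prefixed with the release name, so existing releases silently switch to a different, possibly nonexistent, identity on upgrade, and since the ServiceAccount is the pod's RBAC identity this deserves an explicit breaking-change note rather than a "fix" subject. The value also loses templating, because the removed path ran it through `helpers.tplvalues.render` while the new one hands the raw string to `fullname`. A backward-compatible option is to apply `fullname` only when the name matches a ServiceAccount this chart itself creates (the map `templates/serviceaccount.yml` ranges over) and otherwise render it as before; the `$.Values.generic.serviceAccountName` branch has the same issue. The enclosing define starts before this hunk.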
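Review bot: `eq .apiVersion "autoscaling/v2beta1"` compares the raw value, while the `apiVersion:` line earlier in this template applies `default "autoscaling/v2"`; when `.apiVersion` is unset the comparison is against nil, which evaluates to false on current Helm builds but, as far as I recall, raised an incompatible-comparison error in older Go text/template versions. Comparing the same defaulted value keeps the condition in lockstep with the emitted apiVersion: `{{- if eq (default "autoscaling/v2" .apiVersion) "autoscaling/v2beta1" }}`. The memory block in the second hunk of this file needs the identical change.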
From: Samuli Silvius Date: Tue, 8 Oct 2024 14:05:38 +0300 Subject: [PATCH 5/9] Aupport for generic lifecycle, startupProbe, readinessProbe and livenessProbe Container specific properties are merged with generic ones so that specific ones will override generic properties. Signed-off-by: Samuli Silvius --- README.md | 4 ++++ templates/helpers/_pod.tpl | 20 ++++++++++++-------- 2 files changed, 16 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 194d742..bd7b2eb 100644 --- a/README.md +++ b/README.md @@ -81,6 +81,10 @@ the parameters that can be configured during installation. To check deployment e | `generic.tolerations.operator` | Operator used to compare the key. Allowed values: `Exists` or `Equal` | `""` | | `generic.tolerations.value` | The value associated with the key, used when the operator is `Equal` | `""` | | `generic.tolerations.effect` | Effect of the toleration. Allowed values: `NoSchedule`, `PreferNoSchedule`, `NoExecute` | `""` | +| `generic.lifecycle` | lifecycle hooks to add all workloads by default. Properties overridden by the specific resource's | `{}` | +| `generic.startupProbe` | startupProbe to add to all workloads by default. Properties overridden by the specific resource's | `{}` | +| `generic.readinessProbe` | readinessProbe to add to all workloads by default. Properties overridden by the specific resource's | `{}` | +| `generic.livenessProbe` | livenessProbe to add to all workloads by default. Properties overridden by the specific resource's | `{}` | ### Common parameters diff --git a/templates/helpers/_pod.tpl b/templates/helpers/_pod.tpl index 519d992..49697d7 100644 --- a/templates/helpers/_pod.tpl +++ b/templates/helpers/_pod.tpl 
@@ -154,17 +154,21 @@ containers: {{- with .ports }} ports: {{- include "helpers.tplvalues.render" ( dict "value" . "context" $) | nindent 2 }} {{- end }} - {{- with .lifecycle }} - lifecycle: {{- include "helpers.tplvalues.render" ( dict "value" . "context" $) | nindent 4 }} + {{- $lifecycle := merge (default (dict) .lifecycle) (default (dict) $.Values.generic.lifecycle) -}} + {{- $startupProbe := merge (default (dict) .startupProbe) (default (dict) $.Values.generic.startupProbe) -}} + {{- $livenessProbe := merge (default (dict) .livenessProbe) (default (dict) $.Values.generic.livenessProbe) -}} + {{- $readinessProbe := merge (default (dict) .readinessProbe) (default (dict) $.Values.generic.readinessProbe) -}} + {{- with $lifecycle }} + lifecycle: {{- include "helpers.tplvalues.render" ( dict "value" $lifecycle "context" $) | nindent 4 }} {{- end }} - {{- with .startupProbe }} - startupProbe: {{- include "helpers.tplvalues.render" ( dict "value" . "context" $) | nindent 4 }} + {{- with $startupProbe }} + startupProbe: {{- include "helpers.tplvalues.render" ( dict "value" $startupProbe "context" $) | nindent 4 }} {{- end }} - {{- with .livenessProbe }} - livenessProbe: {{- include "helpers.tplvalues.render" ( dict "value" . "context" $) | nindent 4 }} + {{- with $livenessProbe }} + livenessProbe: {{- include "helpers.tplvalues.render" ( dict "value" $livenessProbe "context" $) | nindent 4 }} {{- end }} - {{- with .readinessProbe }} - readinessProbe: {{- include "helpers.tplvalues.render" ( dict "value" . "context" $) | nindent 4 }} + {{- with $readinessProbe }} + readinessProbe: {{- include "helpers.tplvalues.render" ( dict "value" $readinessProbe "context" $) | nindent 4 }} {{- end }} {{- with .resources }} resources: {{- include "helpers.tplvalues.render" ( dict "value" . "context" $) | nindent 4 }} From 01cae623464f4a24bcd30a27ff3b4581aa73af19 Mon Sep 17 00:00:00 2001 
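Review bot: `merge` combines the per-container probe with `generic.*Probe` key by key, so a container that defines `httpGet` while the generic default defines `exec` (or `tcpSocket`) ends up with two handlers in one probe, which the API server rejects; the same applies to `lifecycle` and to all three probes in this hunk. A container also cannot opt out, because an empty or null per-container value falls through `default (dict)` to the generic one. Consider treating a per-container probe that sets a handler as a full replacement, or at least stating in the README rows added by this commit that the merge is key-wise and cannot be disabled per container. Sprig's `merge` also mutates its first argument, here the container's own values map, which is harmless if each container is rendered once but deserves a `{{/* merge mutates its first argument */}}` comment. The enclosing `containers` loop starts before this hunk.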
From: Samuli Silvius Date: Tue, 15 Oct 2024 09:43:41 +0300 Subject: [PATCH 6/9] Add support for common parameters parentChart.name and parentChart.version When nxs-universal-chart used as library chart as dependency, parent chart name and version can be used to override following values in labels: app.kubernetes.io/name helm.sh/chart app.kubernetes.io/version instead of nxs chart values. `app.kubernetes.io/name` is important to be override as used as part of selectorLabels and this way parent chart's name is used in each resource in addition to release name. Without this override this label get release name as the value, i.e. value is same as for the other label `app.kubernetes.io/instance` in the selector. If both parentChart.name and parentChart.version is given `helm.sh/chart` will be using those values instead of Chart.Name and Chart.Version whihc are values of nxs chart. For `app.kubernetes.io/version` label the value from parentChart.version is used if given instead of Chart.Appversion or Chart.version. Signed-off-by: Samuli Silvius --- README.md | 2 ++ templates/helpers/_app.tpl | 48 ++++++++++++++++++++++++++++++++------ 2 files changed, 43 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index bd7b2eb..4523153 100644 --- a/README.md +++ b/README.md 
@@ -111,6 +111,8 @@ the parameters that can be configured during installation. To check deployment e | `diagnosticMode.command` | Command to override all containers in the deployment | `["sleep"]` | | `diagnosticMode.args` | Args to override all containers in the deployment | `["infinity"]` | | `releasePrefix` | Override prefix for all manifests names. Release name used by default. You should use `"-"` to make it empty. | `""` | +| `parentChart.name` | When nxs-universal-chart used as library chart as dependency, parent chart name can be used in label app.kubernetes.io/name and helm.sh/chart instead of xs-universal-char chart values. This is important to uniquely identify app's resources with selector labels. | `""` | +| `parentChart.version` | When nxs-universal-chart used as library chart as dependency, parent chart version can be used in label helm.sh/chart and app.kubernetes.io/version instead of xs-universal-char chart values | `""` | ### Ingresses parameters diff --git a/templates/helpers/_app.tpl b/templates/helpers/_app.tpl index c81900d..d26cad3 100644 --- a/templates/helpers/_app.tpl +++ b/templates/helpers/_app.tpl @@ -1,4 +1,15 @@ {{- define "helpers.app.name" -}} +{{- if and .Values.parentChart .Values.parentChart.name -}} + {{- .Values.parentChart.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} + {{- include "helpers.app.release.name" .context -}} +{{- end -}} +{{- end -}} + +{{/* +Chart release name +*/}} +{{- define "helpers.app.release.name" -}} {{- default .Release.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} {{- end -}} 
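Review bot: In the new `else` branch, `include "helpers.app.release.name" .context` passes `.context`, but `helpers.app.name` is invoked with the root context (`.` from selectorLabels, `.context` from fullname) and the `if` on the line above already reads `.Values` from `.` directly, so `.context` resolves to nil and `.Release.Name` inside `helpers.app.release.name` fails on every render where `parentChart.name` is unset. The line should read `{{- include "helpers.app.release.name" . -}}`. Separately, `app.kubernetes.io/name` feeds `spec.selector`, which is immutable on Deployments, so enabling `parentChart.name` on an existing release changes the selector and the upgrade is rejected; that caveat belongs in the README rows added in this commit.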
@@ -6,8 +17,27 @@ Create chart name and version as used by the chart label. */}} {{- define "helpers.app.chart" -}} +{{- if and .Values.parentChart .Values.parentChart.name .Values.parentChart.version -}} + {{- printf "%s-%s" .Values.parentChart.name .Values.parentChart.version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- else -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{- end -}} + +{{/* +Create chart version as used by the chart label. +*/}} +{{- define "helpers.app.chart.version" -}} +{{- if .Chart.AppVersion }} +{{ .Chart.AppVersion | quote }} +{{- else -}} +{{- if and .Values.parentChart .Values.parentChart.version -}} + {{ .Values.parentChart.version | quote }} +{{- else -}} + {{ .Chart.version | quote }} +{{- end -}} +{{- end -}} +{{- end -}} {{/* Create a default fully qualified app name. 
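Review bot: `helpers.app.chart.version` tests `.Chart.AppVersion` first and consults `parentChart.version` only when it is empty, the opposite of the precedence the commit message and README describe ("instead of Chart.AppVersion or Chart.version"). The `{{- if .Chart.AppVersion }}` line also lacks a trailing `-`, so the included value likely starts with a newline, and after `nindent` in the labels block the version lands on its own line under an empty `app.kubernetes.io/version:` key, which is not valid YAML; both `else` branches trim correctly. The final fallback reads `.Chart.version`, whereas the chart metadata exposes `.Chart.Version`. Testing the parent version first and closing the first condition with `-}}` addresses all three: `{{- if and .Values.parentChart .Values.parentChart.version -}}` / `{{- else if .Chart.AppVersion -}}` / `{{- else -}}` with `{{ .Chart.Version | quote }}` as the last fallback.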
@@ -19,31 +49,35 @@ If release name contains chart name it will be used as a full name.
 {{- if .context.Values.releasePrefix -}}
 {{- printf "%s-%s" .context.Values.releasePrefix .name | trunc 63 | trimAll "-" -}}
 {{- else -}}
-{{- printf "%s-%s" (include "helpers.app.name" .context) .name | trunc 63 | trimSuffix "-" -}}
+{{- printf "%s-%s" (include "helpers.app.release.name" .context) .name | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 {{- else -}}
 {{- include "helpers.app.name" .context -}}
 {{- end -}}
 {{- end -}}
+
 {{- define "helpers.app.labels" -}}
 {{ include "helpers.app.selectorLabels" . }}
 helm.sh/chart: {{ include "helpers.app.chart" . }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-{{- with .Values.generic.labels }}
-{{ include "helpers.tplvalues.render" (dict "value" . "context" $) }}
-{{- end }}
+app.kubernetes.io/version: {{ include "helpers.app.chart.version" . }}
+{{ include "helpers.app.genericLabels" $ }}
 {{- end }}
+
 {{- define "helpers.app.selectorLabels" -}}
 app.kubernetes.io/name: {{ include "helpers.app.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{ include "helpers.app.genericSelectorLabels" $ }}
 {{- end }}
+{{- define "helpers.app.genericLabels" -}}
+{{- with .Values.generic.labels }}
+{{ include "helpers.tplvalues.render" (dict "value" . "context" .) }}
+{{- end }}
+{{- end }}
+
 {{- define "helpers.app.genericSelectorLabels" -}}
 {{- with .Values.generic.extraSelectorLabels }}
 {{ include "helpers.tplvalues.render" (dict "value" . "context" .) }}
From 6d66a4577248cc3b570d46cb3f4a54ea037f8afd Mon Sep 17 00:00:00 2001
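Review bot: `helpers.app.genericLabels` passes `"context" .` to `helpers.tplvalues.render` from inside `with .Values.generic.labels`, where the dot is the labels map, while the removed lines passed `$` (the root context); if the renderer evaluates label values as templates against that context (its body is not in this patch), values that reference `.Values` or `.Release` will stop resolving. Restoring `{{ include "helpers.tplvalues.render" (dict "value" . "context" $) }}` keeps the previous behaviour; the pre-existing `helpers.app.genericSelectorLabels` below has the same `"context" .` form and likely deserves the same fix. The closing `{{- end }}` lines of that template lie beyond the visible part of the hunk.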
From: Samuli Silvius Date: Fri, 20 Dec 2024 21:34:21 +0200 Subject: [PATCH 7/9] Added support for serviceAccount to have multiple Roles and ClusterRoles Previously only a single Role and ClusterRole was possible per serviceAccount, because role/clusterrole was a map entry. Changing both to lists allows multiple roles/clusterroles. Rules under each role/clusterrole are the same as earlier. Signed-off-by: Samuli Silvius --- README.md | 29 ++++++++++++++++----------- templates/serviceaccount.yml | 39 ++++++++++++++++++------------------ 2 files changed, 37 insertions(+), 31 deletions(-) diff --git a/README.md b/README.md index f9f07a3..fbbd5ae 100644 --- a/README.md +++ b/README.md 
@@ -315,18 +315,23 @@ the parameters that can be configured during installation. To check deployment e `serviceAccount` is a map of the ServiceAccount parameters, where key is name of the service account. -| Name | Description | Value | -|------------------------------|-----------------------------------------------------------------------------------------|-----------| -| `labels` | Extra ServiceAccount, role and binding labels | `{}` | -| `annotations` | Extra ServiceAccount annotations | `{}` | -| `role` | Map of role parametres to create and bind | `{}` | -| `role.name` | Name of role to create/bind | `{}` | -| `role.rules` | List of rules for role | `{}` | -| `clusterRole` | Map of clusterRole parametres to create and bind | `{}` | -| `clusterRole.name` | Name of clusterRole to create/bind | `{}` | -| `clusterRole.rules` | List of rules for clusterRole | `{}` | - -`role/clusterRole` is a map of parameters of role/clusterrole. If *rules* are not set then only binding to existing role/clusterrole will be created. If *rules* are set then corresponding role/clusterrole will be created and binded to service account. Service account can be created without corresponding roles and bindings. +| Name | Description | Value | +|------------------------------|-------------------------------------------------------------------------------------------------------|-----------| +| `labels` | Extra ServiceAccount, role and binding labels | `{}` | +| `annotations` | Extra ServiceAccount annotations | `{}` | +| `roles` | List of [role](#role-or-clusterrole-rules-object-parameters) parameters to create and bind | `[]` | +| `clusterRoles` | List of [clusterRole](#role-or-clusterrole-rules-object-parameters) parameters to create and bind | `[]` | + +`roles/clusterRoles` are list of maps of parameters of role/clusterrole. Service account can be created without corresponding roles and bindings. 
+
+#### Role or ClusterRole rules object parameters
+
+| Name | Description | Value |
+|--------------------|----------------------------------------------|------------|
+| `name` | Name of role/clusterRole to create/bind | `""` |
+| `rules` | List of rules for Role/ClusterRole | `[]` |
+
+If *rules* is empty then only binding to existing role/clusterrole will be created. If any *rules* exist then corresponding role/clusterrole will be created and binded to service account.
 ### Secrets parameters
diff --git a/templates/serviceaccount.yml b/templates/serviceaccount.yml
index 56e4917..b00207a 100644
--- a/templates/serviceaccount.yml
+++ b/templates/serviceaccount.yml
@@ -22,13 +22,14 @@ metadata:
 {{- with $general.annotations }}{{- include "helpers.tplvalues.render" (dict "value" . "context" $) | nindent 4 }}{{- end }}
 {{- with .annotations }}{{- include "helpers.tplvalues.render" (dict "value" . "context" $) | nindent 4 }}{{- end }}
-{{- if .role }}
-{{- if .role.rules }}
+{{- if .roles }}
+{{- range $role := .roles }}
+{{- if $role.rules }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
- name: {{ include "helpers.app.fullname" (dict "name" $val.role.name "context" $) }}
+ name: {{ include "helpers.app.fullname" (dict "name" $role.name "context" $) }}
 namespace: {{ $.Release.Namespace | quote }}
 labels: {{- include "helpers.app.labels" $ | nindent 4 }}
@@ -39,12 +40,12 @@ metadata:
 {{- with $general.annotations }}{{- include "helpers.tplvalues.render" (dict "value" . "context" $) | nindent 4 }}{{- end }}
 {{- with .annotations }}{{- include "helpers.tplvalues.render" (dict "value" . "context" $) | nindent 4 }}{{- end }}
 rules:
-{{ include "helpers.tplvalues.render" ( dict "value" $val.role.rules "context" $ )}}
+{{ include "helpers.tplvalues.render" ( dict "value" $role.rules "context" $ )}}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
- name: {{ include "helpers.app.fullname" (dict "name" $val.role.name "context" $) }}
+ name: {{ include "helpers.app.fullname" (dict "name" $role.name "context" $) }}
 namespace: {{ $.Release.Namespace | quote }}
 labels: {{- include "helpers.app.labels" $ | nindent 4 }}
@@ -57,7 +58,7 @@ metadata:
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
- name: {{ include "helpers.app.fullname" (dict "name" $val.role.name "context" $) }}
+ name: {{ include "helpers.app.fullname" (dict "name" $role.name "context" $) }}
 subjects:
 - kind: ServiceAccount
 name: {{ include "helpers.app.fullname" (dict "name" $name "context" $) }}
@@ -67,7 +68,7 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
- name: {{ include "helpers.app.fullname" (dict "name" $val.role.name "context" $) }}
+ name: {{ include "helpers.app.fullname" (dict "name" $role.name "context" $) }}
 namespace: {{ $.Release.Namespace | quote }}
 labels: {{- include "helpers.app.labels" $ | nindent 4 }}
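Review bot: Inside `range $role := .roles` (opened in the previous hunk) the dot is the role entry, so the `{{- with .annotations }}` context line at the top of this hunk — and the matching metadata lines in the RoleBinding and ClusterRole/ClusterRoleBinding hunks that follow (`@@ -67`, `@@ -80`, `@@ -103`, `@@ -130`) — now reads the role's annotations rather than the service account's, which before this patch (plain `if .role`, dot unchanged) were the values rendered there; the README still describes `labels` as applying to role and binding objects, and if the non-visible label lines follow the same `.labels` pattern they are affected too. Unless the user repeats `labels`/`annotations` on every role entry, which is not a documented key, those labels silently disappear from the RBAC objects after upgrading — the selector-based tooling and policies that key on them would stop seeing these Roles and Bindings. The removed lines referenced the service-account entry through `$val` (presumably the loop variable of the enclosing `range` over `.Values.serviceAccount`, outside this hunk), so `{{- with $val.annotations }}` and `{{- with $val.labels }}` in the Role/RoleBinding/ClusterRole/ClusterRoleBinding metadata would restore the previous behaviour.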
@@ -80,20 +81,22 @@ metadata:
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
- name: {{ $val.role.name }}
+ name: {{ $role.name }}
 subjects:
 - kind: ServiceAccount
 name: {{ include "helpers.app.fullname" (dict "name" $name "context" $) }}
 namespace: {{ $.Release.Namespace | quote }}
 {{- end }}
 {{- end }}
-{{- if .clusterRole }}
-{{- if .clusterRole.rules }}
+{{- end }}
+{{- if .clusterRoles }}
+{{- range $clusterRole := .clusterRoles }}
+{{- if $clusterRole.rules }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- name: {{ include "helpers.app.fullname" (dict "name" $val.clusterRole.name "context" $) }}
+ name: {{ include "helpers.app.fullname" (dict "name" $clusterRole.name "context" $) }}
 labels: {{- include "helpers.app.labels" $ | nindent 4 }}
 {{- with $general.labels }}{{- include "helpers.tplvalues.render" (dict "value" . "context" $) | nindent 4 }}{{- end }}
@@ -103,12 +106,12 @@ metadata:
 {{- with $general.annotations }}{{- include "helpers.tplvalues.render" (dict "value" . "context" $) | nindent 4 }}{{- end }}
 {{- with .annotations }}{{- include "helpers.tplvalues.render" (dict "value" . "context" $) | nindent 4 }}{{- end }}
 rules:
-{{ include "helpers.tplvalues.render" ( dict "value" $val.clusterRole.rules "context" $ )}}
+{{ include "helpers.tplvalues.render" ( dict "value" $clusterRole.rules "context" $ )}}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
- name: {{ include "helpers.app.fullname" (dict "name" $val.clusterRole.name "context" $) }}
+ name: {{ include "helpers.app.fullname" (dict "name" $clusterRole.name "context" $) }}
 labels: {{- include "helpers.app.labels" $ | nindent 4 }}
 {{- with $general.labels }}{{- include "helpers.tplvalues.render" (dict "value" . "context" $) | nindent 4 }}{{- end }}
@@ -120,7 +123,7 @@ metadata:
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: {{ include "helpers.app.fullname" (dict "name" $val.clusterRole.name "context" $) }}
+ name: {{ include "helpers.app.fullname" (dict "name" $clusterRole.name "context" $) }}
 subjects:
 - kind: ServiceAccount
 name: {{ include "helpers.app.fullname" (dict "name" $name "context" $) }}
@@ -130,7 +133,7 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
- name: {{ include "helpers.app.fullname" (dict "name" $val.clusterRole.name "context" $) }}
+ name: {{ include "helpers.app.fullname" (dict "name" $clusterRole.name "context" $) }}
 labels: {{- include "helpers.app.labels" $ | nindent 4 }}
 {{- with $general.labels }}{{- include "helpers.tplvalues.render" (dict "value" . "context" $) | nindent 4 }}{{- end }}
@@ -142,7 +145,7 @@ metadata:
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: {{ $val.clusterRole.name }}
+ name: {{ $clusterRole.name }}
 subjects:
 - kind: ServiceAccount
 name: {{ include "helpers.app.fullname" (dict "name" $name "context" $) }}
@@ -151,6 +154,4 @@ subjects:
 {{- end }}
 {{- end }}
 {{- end }}
-
-
-
\ No newline at end of file
+{{- end }}
\ No newline at end of file
From 591dbcea5f2884707e2a8106fc9abf9abf26df03 Mon Sep 17 00:00:00 2001 From: Samuli Silvius Date: Sat, 21 Dec 2024 12:08:17 +0200 Subject: [PATCH 8/9] Add support for RoleBinding to bind also ClusterRole It's possible and normal valid use case to bind ClusterRole with RoleBinding to allow clusterlevel privileges to namespace level. Added new `clusterScope` boolean parameter for role object and if value is true ClusterRole is used in releRef, otherwice Role is used. Default value is false. Signed-off-by: Samuli Silvius --- README.md | 8 +++++--- templates/serviceaccount.yml | 2 +- 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index fbbd5ae..f9407ca 100644
--- a/README.md
+++ b/README.md
@@ -306,6 +306,7 @@ the parameters that can be configured during installation. To check deployment e | `volumeMounts` | Array of the [k8s Volume mounts](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#volumemount-v1-core) | `[]` | ### Service accounts parameters + `serviceAccountGeneral` is a map of the ServiceAccount parameters, which uses for all service accounts and its roles/clusterroles and corresponding bindings. | Name | Description | Value | @@ -329,9 +330,10 @@ the parameters that can be configured during installation. To check deployment e | Name | Description | Value | |--------------------|----------------------------------------------|------------| | `name` | Name of role/clusterRole to create/bind | `""` | +| `clusterScope` | If rules not present, for RoleBinding it's possible to bind either Role or ClusterRole (clusterScope=true). This parameter is ignored for clusterRoles and roles with rules. Default value is false | `false` | | `rules` | List of rules for Role/ClusterRole | `[]` | -If *rules* is empty then only binding to existing role/clusterrole will be created. If any *rules* exist then corresponding role/clusterrole will be created and binded to service account. +If *rules* is empty then only binding to existing role/clusterRole will be created. If any *rules* exist then corresponding role/clusterRole will be created and binded to service account. ### Secrets parameters @@ -352,8 +354,8 @@ Secret `data` object is a map where value can be a string, json or base64 encode | Name | Description | Value | |--------------------|----------------------------------------------|------------| -| `labels` | Extra SealedSecret labels | `{}` | -| `annotations` | Extra SealedSecret annotations | `{}` | +| `labels` | Extra SealedSecret labels | `{}` | +| `annotations` | Extra SealedSecret annotations | `{}` | | `encryptedData` | Map of SealedSecret encrypted data | `{}` | ### ConfigMaps parameters 
diff --git a/templates/serviceaccount.yml b/templates/serviceaccount.yml
index b00207a..81f5844 100644
--- a/templates/serviceaccount.yml
+++ b/templates/serviceaccount.yml
@@ -80,7 +80,7 @@ metadata:
 {{- with .annotations }}{{- include "helpers.tplvalues.render" (dict "value" . "context" $) | nindent 4 }}{{- end }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
- kind: Role
+ kind: {{ if $role.clusterScope }}ClusterRole{{ else }}Role{{ end }}
 name: {{ $role.name }}
 subjects:
 - kind: ServiceAccount
From 40426bdae714601522208c3fdc629c4248e8cf1a Mon Sep 17 00:00:00 2001 From: Samuli Silvius Date: Wed, 15 Jan 2025 14:29:41 +0200 Subject: [PATCH 9/9] Support for generic.podSecurityContext and generic.containerSecurityContext Generic new properties if defined will add securityContext by default to all workloads into pod level or container level respectively. User defined securityContext on those workload resources will override these generic definitions. But it's also possible to merge with generic definition by adding `securityContext.mergeWithGeneric` with value `true`. Signed-off-by: Samuli Silvius --- README.md | 52 ++++++++++--------- docs/samples/whoami/app-deployment.values.yml | 6 +++ templates/helpers/_pod.tpl | 45 +++++++++++++++- 3 files changed, 76 insertions(+), 27 deletions(-)
diff --git a/README.md b/README.md
index c9d0def..261deed 100644
--- a/README.md
+++ b/README.md
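Review bot: `clusterScope` is accepted but silently ignored when the same role entry also carries `rules` (the README row added in this patch says so), and an RBAC flag that is dropped without a word is easy to mistake for one that was applied; the `if $role.rules` branch, which sits outside this hunk in the same `range`, could refuse the combination with `{{- if and $role.rules $role.clusterScope }}{{ fail "clusterScope is only valid for roles without rules" }}{{- end }}`. A one-line template comment next to the changed `kind:` would also help anyone auditing rendered manifests: `{{/* clusterScope: bind an existing ClusterRole through this namespaced RoleBinding; the grant stays limited to .Release.Namespace */}}`. Note that `name: {{ $role.name }}` on the next line is used verbatim rather than through `helpers.app.fullname` as the created roles are, so the referenced ClusterRole must already exist in the cluster; the enclosing loop and its `if` begin outside the hunk.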
@@ -60,31 +60,33 @@ the parameters that can be configured during installation. To check deployment e ### Generic parameters -| Name | Description | Value | -|---------------------------------|-----------------------------------------------------------------------------------------------------|--------| -| `generic.labels` | Labels to add to all deployed objects | `{}` | -| `generic.annotations` | Annotations to add to all deployed objects | `{}` | -| `generic.extraSelectorLabels` | SelectorLabels to add to deployments and services | `{}` | -| `generic.podLabels` | Labels to add to all deployed pods | `{}` | -| `generic.podAnnotations` | Annotations to add to all deployed pods | `{}` | -| `generic.serviceAccountName` | The name of the ServiceAccount to use by workload | `[]` | -| `generic.hostAliases` | Pods host aliases to use by workload | `[]` | -| `generic.dnsPolicy` | DnsPolicy for workload pods | `[]` | -| `generic.priorityClassName` | priorityClassName for workload pods | `[]` | -| `generic.volumes` | Array of typed Volumes to add to all deployed workloads | `[]` | -| `generic.volumeMounts` | Array of k8s VolumeMounts to add to all deployed workloads | `[]` | -| `generic.extraVolumes` | Array of k8s Volumes to add to all deployed workloads | `[]` | -| `generic.extraImagePullSecrets` | Array of existing pull secrets to add to all deployed workloads | `[]` | -| `generic.usePredefinedAffinity` | Use Affinity presets in all workloads by default | `true` | -| `generic.tolerations` | Tolerations to add to all deployed workloads. It's overrided by the specific resource's tolerations | `[]` | -| `generic.tolerations.key` | The key that the toleration applies to | `""` | -| `generic.tolerations.operator` | Operator used to compare the key. Allowed values: `Exists` or `Equal` | `""` | -| `generic.tolerations.value` | The value associated with the key, used when the operator is `Equal` | `""` | -| `generic.tolerations.effect` | Effect of the toleration. 
Allowed values: `NoSchedule`, `PreferNoSchedule`, `NoExecute` | `""` | -| `generic.lifecycle` | lifecycle hooks to add all workloads by default. Properties overridden by the specific resource's | `{}` | -| `generic.startupProbe` | startupProbe to add to all workloads by default. Properties overridden by the specific resource's | `{}` | -| `generic.readinessProbe` | readinessProbe to add to all workloads by default. Properties overridden by the specific resource's | `{}` | -| `generic.livenessProbe` | livenessProbe to add to all workloads by default. Properties overridden by the specific resource's | `{}` | +| Name | Description | Value | +|---------------------------------------|-----------------------------------------------------------------------------------------------------|--------| +| `generic.labels` | Labels to add to all deployed objects | `{}` | +| `generic.annotations` | Annotations to add to all deployed objects | `{}` | +| `generic.extraSelectorLabels` | SelectorLabels to add to deployments and services | `{}` | +| `generic.podLabels` | Labels to add to all deployed pods | `{}` | +| `generic.podAnnotations` | Annotations to add to all deployed pods | `{}` | +| `generic.serviceAccountName` | The name of the ServiceAccount to use by workload | `[]` | +| `generic.hostAliases` | Pods host aliases to use by workload | `[]` | +| `generic.dnsPolicy` | DnsPolicy for workload pods | `[]` | +| `generic.priorityClassName` | priorityClassName for workload pods | `[]` | +| `generic.volumes` | Array of typed Volumes to add to all deployed workloads | `[]` | +| `generic.volumeMounts` | Array of k8s VolumeMounts to add to all deployed workloads | `[]` | +| `generic.extraVolumes` | Array of k8s Volumes to add to all deployed workloads | `[]` | +| `generic.extraImagePullSecrets` | Array of existing pull secrets to add to all deployed workloads | `[]` | +| `generic.usePredefinedAffinity` | Use Affinity presets in all workloads by default | `true` | +| 
`generic.tolerations` | Tolerations to add to all deployed workloads. It's overrided by the specific resource's tolerations | `[]` | +| `generic.tolerations.key` | The key that the toleration applies to | `""` | +| `generic.tolerations.operator` | Operator used to compare the key. Allowed values: `Exists` or `Equal` | `""` | +| `generic.tolerations.value` | The value associated with the key, used when the operator is `Equal` | `""` | +| `generic.tolerations.effect` | Effect of the toleration. Allowed values: `NoSchedule`, `PreferNoSchedule`, `NoExecute` | `""` | +| `generic.lifecycle` | lifecycle hooks to add all workloads by default. Properties overridden by the specific resource's | `{}` | +| `generic.startupProbe` | startupProbe to add to all workloads by default. Properties overridden by the specific resource's | `{}` | +| `generic.readinessProbe` | readinessProbe to add to all workloads by default. Properties overridden by the specific resource's | `{}` | +| `generic.livenessProbe` | livenessProbe to add to all workloads by default. Properties overridden by the specific resource's | `{}` | +| `generic.podSecurityContext` | podSecurityContext adds `securityContext` to pod level to all workloads by default. Specific resource's `securityContext` can override this or merge with it by defining `securityContext.mergeWithGeneric` with value `true`. | `{}` | +| `generic.containerSecurityContext` | containerSecurityContext adds `securityContext` to container level to all containers by default. Specific resource's `securityContext` can override this or merge with it by defining `securityContext.mergeWithGeneric` with value `true`. | `{}` | ### Common parameters diff --git a/docs/samples/whoami/app-deployment.values.yml b/docs/samples/whoami/app-deployment.values.yml index 2837e05..dc5f40d 100644 --- a/docs/samples/whoami/app-deployment.values.yml +++ b/docs/samples/whoami/app-deployment.values.yml 
@@ -1,3 +1,7 @@
+generic:
+ podSecurityContext:
+ runAsNonRoot: true
+
 services:
 app-web:
 type: ClusterIP
@@ -10,6 +14,8 @@ services:
 deployments:
 app:
 securityContext:
+ # mergeWithGeneric will merge generic.podSecurityContext.runAsNonRoot into here (and mergeWithGeneric itself will be removed).
+ mergeWithGeneric: true
 runAsUser: 1000
 runAsGroup: 3000
 fsGroup: 2000
diff --git a/templates/helpers/_pod.tpl b/templates/helpers/_pod.tpl
index 49697d7..3b6de88 100644
--- a/templates/helpers/_pod.tpl
+++ b/templates/helpers/_pod.tpl
@@ -55,9 +55,24 @@ tolerations:
 {{- toYaml $combined | nindent 2 }}
 {{- end }}
+{{- if and .securityContext .securityContext.mergeWithGeneric $.Values.generic.podSecurityContext }}
+{{- $podSecurityContext := merge (omit .securityContext "mergeWithGeneric") (omit $.Values.generic.podSecurityContext "mergeWithGeneric") -}}
+{{- with $podSecurityContext }}
+securityContext: {{- include "helpers.tplvalues.render" (dict "value" . "context" $) | nindent 2 }}
+{{- end }}
+{{- else }}
+{{- if .securityContext }}
 {{- with .securityContext }}
 securityContext: {{- include "helpers.tplvalues.render" (dict "value" . "context" $) | nindent 2 }}
 {{- end }}
+{{- else if $.Values.generic.podSecurityContext }}
+{{- with $.Values.generic.podSecurityContext }}
+securityContext: {{- include "helpers.tplvalues.render" (dict "value" . "context" $) | nindent 2 }}
+{{- end }}
+{{- end }}
+{{- end -}}
+
+
 {{ if or $.Values.imagePullSecrets $.Values.generic.extraImagePullSecrets .extraImagePullSecrets .imagePullSecrets }}
 imagePullSecrets:
 {{- range $sName, $v := $.Values.imagePullSecrets }}
@@ -82,9 +97,22 @@ initContainers:
 {{- $imageTag := $.Values.defaultImageTag }}{{ with .imageTag }}{{ $imageTag = include "helpers.tplvalues.render" ( dict "value" . "context" $) }}{{ end }}
 image: {{ $image }}:{{ $imageTag }}
 imagePullPolicy: {{ .imagePullPolicy | default $.Values.defaultImagePullPolicy }}
+ {{- if and .securityContext .securityContext.mergeWithGeneric $.Values.generic.containerSecurityContext }}
+ {{- $containerSecurityContext := merge (omit .securityContext "mergeWithGeneric") (omit $.Values.generic.containerSecurityContext "mergeWithGeneric") -}}
+ {{- with $containerSecurityContext }}
+ securityContext: {{- include "helpers.tplvalues.render" (dict "value" . "context" $) | nindent 4 }}
+ {{- end }}
+ {{- else }}
+ {{- if .securityContext }}
 {{- with .securityContext }}
- securityContext: {{- include "helpers.tplvalues.render" ( dict "value" . "context" $) | nindent 4 }}
+ securityContext: {{- include "helpers.tplvalues.render" (dict "value" . "context" $) | nindent 4 }}
+ {{- end }}
+ {{- else if $.Values.generic.containerSecurityContext }}
+ {{- with $.Values.generic.containerSecurityContext }}
+ securityContext: {{- include "helpers.tplvalues.render" (dict "value" . "context" $) | nindent 4 }}
+ {{- end }}
 {{- end }}
+ {{- end -}}
 {{- if $.Values.diagnosticMode.enabled }}
 args: {{- include "helpers.tplvalues.render" ( dict "value" $.Values.diagnosticMode.args "context" $) | nindent 2 }}
 {{- else if .args }}
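Review bot: With `mergeWithGeneric: true` set on a container but `$.Values.generic.containerSecurityContext` left empty, the `if and` condition is false and the fallback `{{- with .securityContext }}` renders the map as-is, so the chart-only key `mergeWithGeneric` lands inside the container's `securityContext`, where the API server either rejects it as an unknown field or prunes it with a warning depending on the field-validation mode in use. Stripping it in the fallback too, `{{- with (omit .securityContext "mergeWithGeneric") }}`, closes that gap. The pod-level block in the preceding hunk (`@@ -55`) and the `containers` block in the next one (`@@ -132`) have the same fallback and would take the same one-line change; since the three branches differ only in indentation, a shared named template taking the specific and generic maps would also remove the triplication. A short comment above the `merge` line, e.g. `{{/* sprig merge: keys in the first map win, so per-container values override the generic baseline */}}`, would make the precedence explicit, because a per-container `securityContext` without `mergeWithGeneric` replaces the generic baseline entirely rather than adding to it.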
@@ -132,9 +160,22 @@ containers:
 {{- $imageTag := $.Values.defaultImageTag }}{{ with .imageTag }}{{ $imageTag = include "helpers.tplvalues.render" ( dict "value" . "context" $) }}{{ end }}
 image: {{ $image }}:{{ $imageTag }}
 imagePullPolicy: {{ .imagePullPolicy | default $.Values.defaultImagePullPolicy }}
+ {{- if and .securityContext .securityContext.mergeWithGeneric $.Values.generic.containerSecurityContext }}
+ {{- $containerSecurityContext := merge (omit .securityContext "mergeWithGeneric") (omit $.Values.generic.containerSecurityContext "mergeWithGeneric") -}}
+ {{- with $containerSecurityContext }}
+ securityContext: {{- include "helpers.tplvalues.render" (dict "value" . "context" $) | nindent 4 }}
+ {{- end }}
+ {{- else }}
+ {{- if .securityContext }}
 {{- with .securityContext }}
- securityContext: {{- include "helpers.tplvalues.render" ( dict "value" . "context" $) | nindent 4 }}
+ securityContext: {{- include "helpers.tplvalues.render" (dict "value" . "context" $) | nindent 4 }}
+ {{- end }}
+ {{- else if $.Values.generic.containerSecurityContext }}
+ {{- with $.Values.generic.containerSecurityContext }}
+ securityContext: {{- include "helpers.tplvalues.render" (dict "value" . "context" $) | nindent 4 }}
+ {{- end }}
 {{- end }}
+ {{- end -}}
 {{- if $.Values.diagnosticMode.enabled }}
 args: {{- include "helpers.tplvalues.render" ( dict "value" $.Values.diagnosticMode.args "context" $) | nindent 2 }}
 {{- else if .args }}