From f439e18fcf15dcc0ca88252705cc089ede4e03e5 Mon Sep 17 00:00:00 2001 From: Daniel Budziwojski Date: Wed, 16 Oct 2024 18:27:00 -0700 Subject: [PATCH 1/4] Add pod labels, labels, dnsConfig, and priorityClassName --- .../k8s-agents-operator/templates/deployment.yaml | 13 ++++++++++--- charts/k8s-agents-operator/values.yaml | 11 +++++++++++ 2 files changed, 21 insertions(+), 3 deletions(-) diff --git a/charts/k8s-agents-operator/templates/deployment.yaml b/charts/k8s-agents-operator/templates/deployment.yaml index 2048383f..e45be175 100644 --- a/charts/k8s-agents-operator/templates/deployment.yaml +++ b/charts/k8s-agents-operator/templates/deployment.yaml @@ -24,8 +24,17 @@ spec: metadata: labels: control-plane: controller-manager - {{- include "newrelic.common.labels" . | nindent 8 }} + {{- include "newrelic.common.labels.podLabels" . | nindent 8 }} spec: + serviceAccountName: {{ include "newrelic.common.serviceAccount.name" . }} + {{- with include "newrelic.common.priorityClassName" . }} + priorityClassName: {{ . }} + {{- end }} + {{- with include "newrelic.common.dnsConfig" . }} + dnsConfig: + {{- . | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: 10 containers: - args: - --metrics-addr=127.0.0.1:8080 @@ -82,8 +91,6 @@ spec: name: https protocol: TCP resources: {{- toYaml .Values.controllerManager.kubeRbacProxy.resources | nindent 10 }} - serviceAccountName: {{ include "newrelic.common.serviceAccount.name" . }} - terminationGracePeriodSeconds: 10 {{- if or .Values.admissionWebhooks.create (include "k8s-agents-operator.certificateSecret.name" . ) }} volumes: - name: cert diff --git a/charts/k8s-agents-operator/values.yaml b/charts/k8s-agents-operator/values.yaml index f2897977..f8f52ecf 100644 --- a/charts/k8s-agents-operator/values.yaml +++ b/charts/k8s-agents-operator/values.yaml 
@@ -5,6 +5,17 @@ # -- This set this license key to use. Can be configured also with `global.licenseKey` licenseKey: "" +# -- Additional labels for chart pods +podLabels: {} +# -- Additional labels for chart objects +labels: {} + +# -- Sets pod's priorityClassName. Can be configured also with `global.priorityClassName` +priorityClassName: "" + +# -- Sets pod's dnsConfig. Can be configured also with `global.dnsConfig` +dnsConfig: {} + controllerManager: replicas: 1 From 3e3032a0d6d2691ee41b6cbb94717564b2a3cf19 Mon Sep 17 00:00:00 2001 
From: Daniel Budziwojski Date: Thu, 17 Oct 2024 18:41:21 -0700 Subject: [PATCH 2/4] Add security context for both pods and containers. Add pod annotations, nodeSelector, tolerations, affinities. Add tests for all common library resources. --- .../templates/_security_context.tpl | 21 ++ .../templates/deployment.yaml | 52 +++-- .../templates/service-account.yaml | 11 + .../tests/affinity_test.yaml | 107 ++++++++++ .../tests/annotations_test.yaml | 29 +++ .../tests/images_test.yaml | 40 ++++ .../tests/node_selector_test.yaml | 51 +++++ .../tests/resources_test.yaml | 28 +++ .../tests/security_context_test.yaml | 191 ++++++++++++++++++ .../tests/service_account_test.yaml | 83 ++++++++ .../tests/tolerations_test.yaml | 65 ++++++ charts/k8s-agents-operator/values.yaml | 70 ++++--- 12 files changed, 709 insertions(+), 39 deletions(-) create mode 100644 charts/k8s-agents-operator/templates/_security_context.tpl create mode 100644 charts/k8s-agents-operator/templates/service-account.yaml create mode 100644 charts/k8s-agents-operator/tests/affinity_test.yaml create mode 100644 charts/k8s-agents-operator/tests/annotations_test.yaml create mode 100644 charts/k8s-agents-operator/tests/images_test.yaml create mode 100644 charts/k8s-agents-operator/tests/node_selector_test.yaml create mode 100644 charts/k8s-agents-operator/tests/resources_test.yaml create mode 100644 charts/k8s-agents-operator/tests/security_context_test.yaml create mode 100644 charts/k8s-agents-operator/tests/service_account_test.yaml create mode 100644 charts/k8s-agents-operator/tests/tolerations_test.yaml diff --git a/charts/k8s-agents-operator/templates/_security_context.tpl b/charts/k8s-agents-operator/templates/_security_context.tpl new file mode 100644 index 00000000..a3b07971 --- /dev/null +++ b/charts/k8s-agents-operator/templates/_security_context.tpl 
@@ -0,0 +1,21 @@ +{{- /* +A helper to return the container security context to apply to kubeRbacProxy. +*/ -}} +{{- define "k8s-agents-operator.kubeRbacProxy.securityContext.container" -}} +{{- if .Values.controllerManager.kubeRbacProxy.containerSecurityContext -}} + {{- toYaml .Values.controllerManager.kubeRbacProxy.containerSecurityContext -}} +{{- else if include "newrelic.common.securityContext.container" . -}} + {{- include "newrelic.common.securityContext.container" . -}} +{{- end -}} +{{- end -}} + +{{- /* +A helper to return the container security context to apply to the manager. +*/ -}} +{{- define "k8s-agents-operator.manager.securityContext.container" -}} +{{- if .Values.controllerManager.manager.containerSecurityContext -}} + {{- toYaml .Values.controllerManager.manager.containerSecurityContext -}} +{{- else if include "newrelic.common.securityContext.container" . -}} + {{- include "newrelic.common.securityContext.container" . -}} +{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/charts/k8s-agents-operator/templates/deployment.yaml b/charts/k8s-agents-operator/templates/deployment.yaml index e45be175..e46fa6cc 100644 --- a/charts/k8s-agents-operator/templates/deployment.yaml +++ b/charts/k8s-agents-operator/templates/deployment.yaml @@ -1,11 +1,3 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "newrelic.common.serviceAccount.name" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "newrelic.common.labels" . | nindent 4 }} ---- apiVersion: apps/v1 kind: Deployment metadata: 
@@ -25,8 +17,16 @@ spec: labels: control-plane: controller-manager {{- include "newrelic.common.labels.podLabels" . | nindent 8 }} + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} spec: serviceAccountName: {{ include "newrelic.common.serviceAccount.name" . }} + {{- with include "newrelic.common.securityContext.pod" . }} + securityContext: + {{- . | nindent 8 }} + {{- end }} {{- with include "newrelic.common.priorityClassName" . }} priorityClassName: {{ . }} {{- end }} @@ -36,7 +36,12 @@ spec: {{- end }} terminationGracePeriodSeconds: 10 containers: - - args: + - name: manager + {{- with include "k8s-agents-operator.manager.securityContext.container" . }} + securityContext: + {{- . | nindent 10 }} + {{- end }} + args: - --metrics-addr=127.0.0.1:8080 {{- if .Values.controllerManager.manager.leaderElection.enabled }} - --enable-leader-election @@ -60,7 +65,6 @@ spec: port: 8081 initialDelaySeconds: 15 periodSeconds: 20 - name: manager ports: - containerPort: 9443 name: webhook-server @@ -71,12 +75,18 @@ spec: port: 8081 initialDelaySeconds: 5 periodSeconds: 10 - resources: {{- toYaml .Values.controllerManager.manager.resources | nindent 10 }} + resources: + {{- toYaml .Values.controllerManager.manager.resources | nindent 10 }} volumeMounts: - mountPath: /tmp/k8s-webhook-server/serving-certs name: cert readOnly: true - - args: + - name: kube-rbac-proxy + {{- with include "k8s-agents-operator.kubeRbacProxy.securityContext.container" . }} + securityContext: + {{- . | nindent 10 }} + {{- end }} + args: - --secure-listen-address=0.0.0.0:8443 - --upstream=http://127.0.0.1:8080/ - --logtostderr=true 
@@ -85,12 +95,12 @@ spec: - name: KUBERNETES_CLUSTER_DOMAIN value: {{ quote .Values.kubernetesClusterDomain }} image: {{ .Values.controllerManager.kubeRbacProxy.image.repository }}:{{ .Values.controllerManager.kubeRbacProxy.image.tag | default .Chart.AppVersion }} - name: kube-rbac-proxy ports: - containerPort: 8443 name: https protocol: TCP - resources: {{- toYaml .Values.controllerManager.kubeRbacProxy.resources | nindent 10 }} + resources: + {{- toYaml .Values.controllerManager.kubeRbacProxy.resources | nindent 10 }} {{- if or .Values.admissionWebhooks.create (include "k8s-agents-operator.certificateSecret.name" . ) }} volumes: - name: cert @@ -98,5 +108,15 @@ spec: defaultMode: 420 secretName: {{ include "k8s-agents-operator.certificateSecret.name" . }} {{- end }} - securityContext: - {{- toYaml .Values.securityContext | nindent 8 }} + {{- with include "newrelic.common.nodeSelector" . }} + nodeSelector: + {{- . | nindent 8 }} + {{- end }} + {{- with include "newrelic.common.affinity" . }} + affinity: + {{- . | nindent 8 }} + {{- end }} + {{- with include "newrelic.common.tolerations" . }} + tolerations: + {{- . | nindent 8 }} + {{- end }} diff --git a/charts/k8s-agents-operator/templates/service-account.yaml b/charts/k8s-agents-operator/templates/service-account.yaml new file mode 100644 index 00000000..552e9e1c --- /dev/null +++ b/charts/k8s-agents-operator/templates/service-account.yaml @@ -0,0 +1,11 @@ +{{- if include "newrelic.common.serviceAccount.create" . }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "newrelic.common.serviceAccount.name" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "newrelic.common.labels" . | nindent 4 }} + annotations: + {{- include "newrelic.common.serviceAccount.annotations" . | nindent 4 }} +{{- end -}} diff --git a/charts/k8s-agents-operator/tests/affinity_test.yaml b/charts/k8s-agents-operator/tests/affinity_test.yaml new file mode 100644 index 00000000..7f12318d --- /dev/null 
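Review bot: The removed `securityContext: {{- toYaml .Values.securityContext | nindent 8 }}` was the last reader of the old top-level `securityContext` values key, and Helm does not complain about values nothing reads, so an existing user who had hardened that key (or had set the now-dropped `controllerManager.manager.serviceAccount.create: false` to bind a pre-existing, tightly scoped ServiceAccount) will upgrade cleanly and silently fall back to the chart defaults, including a freshly created ServiceAccount. A guard near the top of this template makes the rename fail fast instead: `{{- if .Values.securityContext }}{{- fail "securityContext was renamed to podSecurityContext" }}{{- end }}`, with a matching check on `.Values.controllerManager.manager.serviceAccount`. Whichever route is taken, the two renamed keys should be called out in the chart's upgrade notes.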
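Review bot: In the new `service-account.yaml` the `annotations:` key is emitted unconditionally, so if `newrelic.common.serviceAccount.annotations` renders nothing when no annotations are configured (the helper itself is not shown here) the object carries `annotations: null`; the API server tolerates that, but it diverges from the omitted form and can trip strict schema validation in CI. Guarding it the way `deployment.yaml` already guards `dnsConfig` and `nodeSelector` keeps the rendered output clean: `{{- with include "newrelic.common.serviceAccount.annotations" . }}` followed by `annotations:` / `{{- . | nindent 4 }}` / `{{- end }}`.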
+++ b/charts/k8s-agents-operator/tests/affinity_test.yaml 
@@ -0,0 +1,107 @@ +suite: affinity +templates: + - templates/deployment.yaml +release: + name: my-release + namespace: my-namespace +tests: + - it: sets affinity to default when no values provided + set: + licenseKey: us-whatever + asserts: + - notExists: + path: spec.template.spec.affinity + template: templates/deployment.yaml + - it: sets affinity from global by common-library + set: + licenseKey: us-whatever + global: + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: globalKey + operator: In + values: + - S1 + topologyKey: failure-domain.beta.kubernetes.io/zone + asserts: + - equal: + path: spec.template.spec.affinity + value: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: globalKey + operator: In + values: + - S1 + topologyKey: failure-domain.beta.kubernetes.io/zone + template: templates/deployment.yaml + - it: sets affinity from values by common-library + set: + licenseKey: us-whatever + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: topLevelKey + operator: In + values: + - S1 + topologyKey: failure-domain.beta.kubernetes.io/zone + asserts: + - equal: + path: spec.template.spec.affinity + value: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: topLevelKey + operator: In + values: + - S1 + topologyKey: failure-domain.beta.kubernetes.io/zone + template: templates/deployment.yaml + - it: sets affinity from values by common-library overriding global values + set: + licenseKey: us-whatever + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: topLevelKey + operator: In + values: + - S1 + topologyKey: failure-domain.beta.kubernetes.io/zone + global: + affinity: + podAffinity: + 
requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: globalKey + operator: In + values: + - S1 + topologyKey: failure-domain.beta.kubernetes.io/zone + asserts: + - equal: + path: spec.template.spec.affinity + value: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: topLevelKey + operator: In + values: + - S1 + topologyKey: failure-domain.beta.kubernetes.io/zone + template: templates/deployment.yaml \ No newline at end of file diff --git a/charts/k8s-agents-operator/tests/annotations_test.yaml b/charts/k8s-agents-operator/tests/annotations_test.yaml new file mode 100644 index 00000000..f84dcce3 --- /dev/null +++ b/charts/k8s-agents-operator/tests/annotations_test.yaml @@ -0,0 +1,29 @@ +suite: annotations +templates: + - templates/deployment.yaml +release: + name: my-release + namespace: my-namespace +tests: + - it: sets pod annotations to default when no values provided + set: + licenseKey: us-whatever + asserts: + - notExists: + path: spec.template.metadata.annotations + template: templates/deployment.yaml + - it: sets pod annotations from values + set: + licenseKey: us-whatever + podAnnotations: + deploymentKey1: "deploymentValue1" + deploymentKey2: "deploymentValue2" + asserts: + - equal: + path: spec.template.metadata.annotations.deploymentKey1 + value: deploymentValue1 + template: templates/deployment.yaml + - equal: + path: spec.template.metadata.annotations.deploymentKey2 + value: deploymentValue2 + template: templates/deployment.yaml diff --git a/charts/k8s-agents-operator/tests/images_test.yaml b/charts/k8s-agents-operator/tests/images_test.yaml new file mode 100644 index 00000000..bde3afa0 --- /dev/null +++ b/charts/k8s-agents-operator/tests/images_test.yaml 
@@ -0,0 +1,40 @@ +suite: images +templates: + - templates/deployment.yaml +release: + name: my-release + namespace: my-namespace +tests: + - it: has a default image tag + set: + licenseKey: us-whatever + asserts: + - notMatchRegex: + path: spec.template.spec.containers[0].image + pattern: ".*nil.*" + template: templates/deployment.yaml + - notMatchRegex: + path: spec.template.spec.containers[1].image + pattern: ".*nil.*" + template: templates/deployment.yaml + - it: loads image and version + set: + licenseKey: us-whatever + controllerManager: + manager: + image: + repository: nr/test-1 + tag: "1.1.1" + kubeRbacProxy: + image: + repository: nr/test-2 + tag: "1.1.2" + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: nr/test-1:1.1.1 + template: templates/deployment.yaml + - equal: + path: spec.template.spec.containers[1].image + value: nr/test-2:1.1.2 + template: templates/deployment.yaml \ No newline at end of file diff --git a/charts/k8s-agents-operator/tests/node_selector_test.yaml b/charts/k8s-agents-operator/tests/node_selector_test.yaml new file mode 100644 index 00000000..690fd76f --- /dev/null +++ b/charts/k8s-agents-operator/tests/node_selector_test.yaml 
@@ -0,0 +1,51 @@ +suite: nodeSelector +templates: + - templates/deployment.yaml +release: + name: my-release + namespace: my-namespace +tests: + - it: sets nodeSelector to default when no values provided + set: + licenseKey: us-whatever + asserts: + - notExists: + path: spec.template.spec.nodeSelector + template: templates/deployment.yaml + - it: sets nodeSelector from global by common-library + set: + licenseKey: us-whatever + global: + nodeSelector: + globalKey: globalValue + asserts: + - equal: + path: spec.template.spec.nodeSelector + value: + globalKey: globalValue + template: templates/deployment.yaml + - it: sets nodeSelector from values by common-library + set: + licenseKey: us-whatever + nodeSelector: + topLevelKey: topLevelValue + asserts: + - equal: + path: spec.template.spec.nodeSelector + value: + topLevelKey: topLevelValue + template: templates/deployment.yaml + - it: sets nodeSelector from values by common-library overriding global values + set: + licenseKey: us-whatever + nodeSelector: + topLevelKey: topLevelValue + global: + nodeSelector: + globalKey: globalValue + asserts: + - equal: + path: spec.template.spec.nodeSelector + value: + topLevelKey: topLevelValue + template: templates/deployment.yaml \ No newline at end of file diff --git a/charts/k8s-agents-operator/tests/resources_test.yaml b/charts/k8s-agents-operator/tests/resources_test.yaml new file mode 100644 index 00000000..021c8b5a --- /dev/null +++ b/charts/k8s-agents-operator/tests/resources_test.yaml 
@@ -0,0 +1,28 @@ +suite: resources +templates: + - templates/deployment.yaml +release: + name: my-release + namespace: my-namespace +tests: + - it: sets pod resources to default when no values provided + set: + licenseKey: us-whatever + asserts: + - equal: + path: spec.template.spec.containers[0].resources + value: + requests: + cpu: 100m + memory: 64Mi + template: templates/deployment.yaml + - equal: + path: spec.template.spec.containers[1].resources + value: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 5m + memory: 64Mi + template: templates/deployment.yaml \ No newline at end of file diff --git a/charts/k8s-agents-operator/tests/security_context_test.yaml b/charts/k8s-agents-operator/tests/security_context_test.yaml new file mode 100644 index 00000000..aa34c65f --- /dev/null +++ b/charts/k8s-agents-operator/tests/security_context_test.yaml 
@@ -0,0 +1,191 @@ +suite: securityContext +templates: + - templates/deployment.yaml +release: + name: my-release + namespace: my-namespace +tests: + - it: sets pod securityContext set to defaults when no values provided + set: + licenseKey: us-whatever + asserts: + - equal: + path: spec.template.spec.securityContext + value: + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + fsGroup: 65532 + template: templates/deployment.yaml + - it: ignores pod securityContext from global by common-library + set: + licenseKey: us-whatever + global: + podSecurityContext: + globalKey: globalValue + asserts: + - equal: + path: spec.template.spec.securityContext + value: + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + fsGroup: 65532 + template: templates/deployment.yaml + - it: appends pod securityContext from values by common-library + set: + licenseKey: us-whatever + podSecurityContext: + topLevelKey: topLevelValue + asserts: + - equal: + path: spec.template.spec.securityContext + value: + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + fsGroup: 65532 + topLevelKey: topLevelValue + template: templates/deployment.yaml + - it: sets pod securityContext from values by common-library overriding global values + set: + licenseKey: us-whatever + podSecurityContext: + topLevelKey: topLevelValue + global: + podSecurityContext: + globalKey: globalValue + asserts: + - equal: + path: spec.template.spec.securityContext + value: + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + fsGroup: 65532 + topLevelKey: topLevelValue + template: templates/deployment.yaml + - it: sets container securityContext set to defaults when no values provided + set: + licenseKey: us-whatever + asserts: + - notExists: + path: spec.template.spec.containers[0].securityContext + template: templates/deployment.yaml + - notExists: + path: spec.template.spec.containers[1].securityContext + template: templates/deployment.yaml + - it: sets container securityContext from global by 
common-library + set: + licenseKey: us-whatever + global: + containerSecurityContext: + globalKey: globalValue + asserts: + - equal: + path: spec.template.spec.containers[0].securityContext + value: + globalKey: globalValue + template: templates/deployment.yaml + - equal: + path: spec.template.spec.containers[1].securityContext + value: + globalKey: globalValue + template: templates/deployment.yaml + - it: sets container securityContext from values by common-library + set: + licenseKey: us-whatever + containerSecurityContext: + topLevelKey: topLevelValue + asserts: + - equal: + path: spec.template.spec.containers[0].securityContext + value: + topLevelKey: topLevelValue + template: templates/deployment.yaml + - equal: + path: spec.template.spec.containers[1].securityContext + value: + topLevelKey: topLevelValue + template: templates/deployment.yaml + - it: sets container securityContext from values by common-library overriding global values + set: + licenseKey: us-whatever + containerSecurityContext: + topLevelKey: topLevelValue + global: + containerSecurityContext: + globalKey: globalValue + asserts: + - equal: + path: spec.template.spec.containers[0].securityContext + value: + topLevelKey: topLevelValue + template: templates/deployment.yaml + - equal: + path: spec.template.spec.containers[1].securityContext + value: + topLevelKey: topLevelValue + template: templates/deployment.yaml + - it: sets container securityContext from manager values + set: + licenseKey: us-whatever + controllerManager: + manager: + containerSecurityContext: + managerKey: managerValue + asserts: + - equal: + path: spec.template.spec.containers[0].securityContext + value: + managerKey: managerValue + template: templates/deployment.yaml + - it: sets container securityContext from kubeRbacProxy values + set: + licenseKey: us-whatever + controllerManager: + kubeRbacProxy: + containerSecurityContext: + kubeRbacProxyKey: kubeRbacProxyValue + asserts: + - equal: + path: 
spec.template.spec.containers[1].securityContext + value: + kubeRbacProxyKey: kubeRbacProxyValue + template: templates/deployment.yaml + - it: sets container securityContext from manager values overriding top level and global values + set: + licenseKey: us-whatever + containerSecurityContext: + topLevelKey: topLevelValue + global: + containerSecurityContext: + globalKey: globalValue + controllerManager: + manager: + containerSecurityContext: + managerKey: managerValue + asserts: + - equal: + path: spec.template.spec.containers[0].securityContext + value: + managerKey: managerValue + template: templates/deployment.yaml + - it: sets container securityContext from kubeRbacProxy values overriding top level and global values + set: + licenseKey: us-whatever + containerSecurityContext: + topLevelKey: topLevelValue + global: + containerSecurityContext: + globalKey: globalValue + controllerManager: + kubeRbacProxy: + containerSecurityContext: + kubeRbacProxyKey: kubeRbacProxyValue + asserts: + - equal: + path: spec.template.spec.containers[1].securityContext + value: + kubeRbacProxyKey: kubeRbacProxyValue + template: templates/deployment.yaml \ No newline at end of file diff --git a/charts/k8s-agents-operator/tests/service_account_test.yaml b/charts/k8s-agents-operator/tests/service_account_test.yaml new file mode 100644 index 00000000..2d48ab22 --- /dev/null +++ b/charts/k8s-agents-operator/tests/service_account_test.yaml 
@@ -0,0 +1,83 @@ +suite: serviceAccount +templates: + - templates/service-account.yaml +release: + name: my-release + namespace: my-namespace +tests: + - it: by default creates a service account + set: + licenseKey: test + asserts: + - hasDocuments: + count: 1 + + - it: creates a service account if there are no global values + set: + licenseKey: test + global: null + asserts: + - hasDocuments: + count: 1 + + - it: creates a global a service account + set: + licenseKey: test + global: + serviceAccount: + create: true + asserts: + - hasDocuments: + count: 1 + + - it: create a local service account + set: + licenseKey: test + serviceAccount: + create: true + asserts: + - hasDocuments: + count: 1 + + - it: disables a global a service account + set: + licenseKey: test + global: + serviceAccount: + create: false + asserts: + - hasDocuments: + count: 0 + + - it: disables a local a service account + set: + licenseKey: test + serviceAccount: + create: false + asserts: + - hasDocuments: + count: 0 + + - it: allows overriding the global enabling of a service account + set: + licenseKey: test + global: + serviceAccount: + create: true + serviceAccount: + create: false + asserts: + - hasDocuments: + count: 0 + + - it: allows overriding the global disabling of a service account + set: + licenseKey: test + global: + serviceAccount: + create: false + serviceAccount: + create: true + asserts: + - hasDocuments: + count: 1 diff --git a/charts/k8s-agents-operator/tests/tolerations_test.yaml b/charts/k8s-agents-operator/tests/tolerations_test.yaml new file mode 100644 index 00000000..71e21e04 --- /dev/null +++ b/charts/k8s-agents-operator/tests/tolerations_test.yaml 
@@ -0,0 +1,65 @@ +suite: tolerations +templates: + - templates/deployment.yaml +release: + name: my-release + namespace: my-namespace +tests: + - it: sets tolerations to default when no values provided + set: + licenseKey: us-whatever + asserts: + - notExists: + path: spec.template.spec.tolerations + template: templates/deployment.yaml + - it: sets tolerations from global by common-library + set: + licenseKey: us-whatever + global: + tolerations: + - key: "globalKey" + operator: "Exists" + effect: "NoSchedule" + asserts: + - equal: + path: spec.template.spec.tolerations + value: + - key: "globalKey" + operator: "Exists" + effect: "NoSchedule" + template: templates/deployment.yaml + - it: sets tolerations from values by common-library + set: + licenseKey: us-whatever + tolerations: + - key: "topLevelKey" + operator: "Exists" + effect: "NoSchedule" + asserts: + - equal: + path: spec.template.spec.tolerations + value: + - key: "topLevelKey" + operator: "Exists" + effect: "NoSchedule" + template: templates/deployment.yaml + - it: sets tolerations from values by common-library overriding global values + set: + licenseKey: us-whatever + tolerations: + - key: "topLevelKey" + operator: "Exists" + effect: "NoSchedule" + global: + tolerations: + - key: "globalKey" + operator: "Exists" + effect: "NoSchedule" + asserts: + - equal: + path: spec.template.spec.tolerations + value: + - key: "topLevelKey" + operator: "Exists" + effect: "NoSchedule" + template: templates/deployment.yaml \ No newline at end of file diff --git a/charts/k8s-agents-operator/values.yaml b/charts/k8s-agents-operator/values.yaml index f8f52ecf..6f912a79 100644 --- a/charts/k8s-agents-operator/values.yaml +++ b/charts/k8s-agents-operator/values.yaml 
@@ -9,6 +9,8 @@ licenseKey: "" podLabels: {} # -- Additional labels for chart objects labels: {} +# -- Annotations to be added to the deployment. +podAnnotations: {} # -- Sets pod's priorityClassName. Can be configured also with `global.priorityClassName` priorityClassName: "" @@ -16,21 +18,28 @@ priorityClassName: "" # -- Sets pod's dnsConfig. Can be configured also with `global.dnsConfig` dnsConfig: {} +# -- Sets all pods' node selector. Can be configured also with `global.nodeSelector` +nodeSelector: {} +# -- Sets all pods' tolerations to node taints. Can be configured also with `global.tolerations` +tolerations: [] +# -- Sets all pods' affinities. Can be configured also with `global.affinity` +affinity: {} +# -- Sets all security contexts (at pod level). +# -- Source: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +# -- SecurityContext holds pod-level security attributes and common container settings +podSecurityContext: + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + fsGroup: 65532 +# -- Sets all security context (at container level). Can be configured also with `global.securityContext.container` +containerSecurityContext: {} + +kubernetesClusterDomain: cluster.local + controllerManager: replicas: 1 - kubeRbacProxy: - image: - repository: gcr.io/kubebuilder/kube-rbac-proxy - tag: v0.14.0 - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - manager: image: repository: newrelic/k8s-agents-operator 
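Review bot: The comment `# -- Annotations to be added to the deployment.` does not match where the value lands: `deployment.yaml` renders `podAnnotations` under `spec.template.metadata`, and the new annotations_test asserts on `spec.template.metadata.annotations`, so these go on the operator pods, not on the Deployment object. Because this comment is what generates the README row, the mismatch is user-visible; suggest `# -- Annotations to be added to the operator pods (the Deployment's pod template).`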
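Review bot: `containerSecurityContext: {}` leaves both the manager and kube-rbac-proxy containers with no container-level securityContext by default (the new security_context_test pins this with `notExists` assertions), so the pod-level `runAsNonRoot`/`runAsUser: 65532` defaults are the only hardening and the operator pod will not satisfy the `restricted` Pod Security Standard, which additionally requires `allowPrivilegeEscalation: false`, dropping all capabilities and a seccomp profile. Neither container visibly needs anything those settings take away (the manager's only mount is a read-only cert volume and kube-rbac-proxy just forwards to 127.0.0.1:8080), so shipping the restricted baseline as the default looks low-risk; `readOnlyRootFilesystem: true` is a further candidate but needs confirmation that the manager does not write to its root filesystem. The `notExists` assertions in security_context_test.yaml would then become `equal` checks against these defaults.
```yaml
# -- Sets all security context (at container level). Can be configured also with `global.securityContext.container`
containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  seccompProfile:
    type: RuntimeDefault
```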
@@ -40,14 +49,37 @@ controllerManager: requests: cpu: 100m memory: 64Mi - serviceAccount: - create: true + # -- Sets security context (at container level) for the manager. Overrides `containerSecurityContext` and `global.containerSecurityContext` + containerSecurityContext: { } # -- Source: https://docs.openshift.com/container-platform/4.10/operators/operator_sdk/osdk-leader-election.html # -- Enable leader election mechanism for protecting against split brain if multiple operator pods/replicas are started leaderElection: enabled: true -kubernetesClusterDomain: cluster.local + kubeRbacProxy: + image: + repository: gcr.io/kubebuilder/kube-rbac-proxy + tag: v0.14.0 + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 5m + memory: 64Mi + # -- Sets security context (at container level) for kubeRbacProxy. Overrides `containerSecurityContext` and `global.containerSecurityContext` + containerSecurityContext: {} + +# -- Settings controlling ServiceAccount creation +# @default -- See `values.yaml` +serviceAccount: + # serviceAccount.create -- (bool) Specifies whether a ServiceAccount should be created + # @default -- `true` + create: + # If not set and create is true, a name is generated using the fullname template + name: "" + # Specify any annotations to add to the ServiceAccount + annotations: metricsService: ports: @@ -64,14 +96,6 @@ webhookService: targetPort: 9443 type: ClusterIP -# -- Source: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ -# -- SecurityContext holds pod-level security attributes and common container settings -securityContext: - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - fsGroup: 65532 - # -- Admission webhooks make sure only requests with correctly formatted rules will get into the Operator admissionWebhooks: create: true From 6f38b36c18d5d6c59a59faf213d4b7254c6679bd Mon Sep 17 00:00:00 2001 
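Review bot: `create:` is left without a value, which YAML reads as null, yet the comment directly above it says the default is `true`; the new service_account_test shows the null is deliberate — it lets `global.serviceAccount.create: false` take effect, while an explicit local `true` or `false` overrides the global setting. A reader tightening RBAC who "fixes" this to `create: true` to match the documented default would silently disable the global kill-switch, so the tri-state should be spelled out: `# serviceAccount.create -- (bool) Specifies whether a ServiceAccount should be created. Deliberately unset (null): defers to global.serviceAccount.create, which defaults to true; an explicit true/false here overrides the global value.` The bare `annotations:` below it should likewise be `annotations: {}` (or carry the same note) so it is not mistaken for a missing value.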
From: Daniel Budziwojski Date: Thu, 17 Oct 2024 18:49:10 -0700 Subject: [PATCH 3/4] Fix lint errors --- charts/k8s-agents-operator/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/k8s-agents-operator/values.yaml b/charts/k8s-agents-operator/values.yaml index 6f912a79..8516a740 100644 --- a/charts/k8s-agents-operator/values.yaml +++ b/charts/k8s-agents-operator/values.yaml @@ -50,7 +50,7 @@ controllerManager: cpu: 100m memory: 64Mi # -- Sets security context (at container level) for the manager. Overrides `containerSecurityContext` and `global.containerSecurityContext` - containerSecurityContext: { } + containerSecurityContext: {} # -- Source: https://docs.openshift.com/container-platform/4.10/operators/operator_sdk/osdk-leader-election.html # -- Enable leader election mechanism for protecting against split brain if multiple operator pods/replicas are started leaderElection: From d885b2ce9bdf84662205dd7d270e42b4894befe0 Mon Sep 17 00:00:00 2001 From: Daniel Budziwojski Date: Thu, 17 Oct 2024 18:59:04 -0700 Subject: [PATCH 4/4] Update README.md --- charts/k8s-agents-operator/README.md | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/charts/k8s-agents-operator/README.md b/charts/k8s-agents-operator/README.md index 046f18d7..cef8bc21 100644 --- a/charts/k8s-agents-operator/README.md +++ b/charts/k8s-agents-operator/README.md 
@@ -239,28 +239,40 @@ If you want to see a list of all available charts and releases, check [index.yam | admissionWebhooks.certFile | string | `""` | Path to your own PEM-encoded certificate. | | admissionWebhooks.certManager.enabled | bool | `false` | If true and autoGenerateCert.enabled is false, cert-manager will create a self-signed cert and secret for you. | | admissionWebhooks.keyFile | string | `""` | Path to your own PEM-encoded private key. | +| affinity | object | `{}` | Sets all pods' affinities. Can be configured also with `global.affinity` | +| containerSecurityContext | object | `{}` | Sets all security context (at container level). Can be configured also with `global.securityContext.container` | +| controllerManager.kubeRbacProxy.containerSecurityContext | object | `{}` | Sets security context (at container level) for kubeRbacProxy. Overrides `containerSecurityContext` and `global.containerSecurityContext` | | controllerManager.kubeRbacProxy.image.repository | string | `"gcr.io/kubebuilder/kube-rbac-proxy"` | | | controllerManager.kubeRbacProxy.image.tag | string | `"v0.14.0"` | | | controllerManager.kubeRbacProxy.resources.limits.cpu | string | `"500m"` | | | controllerManager.kubeRbacProxy.resources.limits.memory | string | `"128Mi"` | | | controllerManager.kubeRbacProxy.resources.requests.cpu | string | `"5m"` | | | controllerManager.kubeRbacProxy.resources.requests.memory | string | `"64Mi"` | | +| controllerManager.manager.containerSecurityContext | object | `{}` | Sets security context (at container level) for the manager. 
Overrides `containerSecurityContext` and `global.containerSecurityContext` | | controllerManager.manager.image.pullPolicy | string | `nil` | | | controllerManager.manager.image.repository | string | `"newrelic/k8s-agents-operator"` | | | controllerManager.manager.image.tag | string | `nil` | | | controllerManager.manager.leaderElection | object | `{"enabled":true}` | Enable leader election mechanism for protecting against split brain if multiple operator pods/replicas are started | | controllerManager.manager.resources.requests.cpu | string | `"100m"` | | | controllerManager.manager.resources.requests.memory | string | `"64Mi"` | | -| controllerManager.manager.serviceAccount.create | bool | `true` | | | controllerManager.replicas | int | `1` | | +| dnsConfig | object | `{}` | Sets pod's dnsConfig. Can be configured also with `global.dnsConfig` | | kubernetesClusterDomain | string | `"cluster.local"` | | +| labels | object | `{}` | Additional labels for chart objects | | licenseKey | string | `""` | This set this license key to use. Can be configured also with `global.licenseKey` | | metricsService.ports[0].name | string | `"https"` | | | metricsService.ports[0].port | int | `8443` | | | metricsService.ports[0].protocol | string | `"TCP"` | | | metricsService.ports[0].targetPort | string | `"https"` | | | metricsService.type | string | `"ClusterIP"` | | -| securityContext | object | `{"fsGroup":65532,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532}` | SecurityContext holds pod-level security attributes and common container settings | +| nodeSelector | object | `{}` | Sets all pods' node selector. Can be configured also with `global.nodeSelector` | +| podAnnotations | object | `{}` | Annotations to be added to the deployment. 
| +| podLabels | object | `{}` | Additional labels for chart pods | +| podSecurityContext | object | `{"fsGroup":65532,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532}` | SecurityContext holds pod-level security attributes and common container settings | +| priorityClassName | string | `""` | Sets pod's priorityClassName. Can be configured also with `global.priorityClassName` | +| serviceAccount | object | See `values.yaml` | Settings controlling ServiceAccount creation | +| serviceAccount.create | bool | `true` | Specifies whether a ServiceAccount should be created | +| tolerations | list | `[]` | Sets all pods' tolerations to node taints. Can be configured also with `global.tolerations` | | webhookService.ports[0].port | int | `443` | | | webhookService.ports[0].protocol | string | `"TCP"` | | | webhookService.ports[0].targetPort | int | `9443` | |