feat: Improve common library support #106

Open · wants to merge 7 commits into base: main
16 changes: 14 additions & 2 deletions charts/k8s-agents-operator/README.md
@@ -239,28 +239,40 @@ If you want to see a list of all available charts and releases, check [index.yam
| admissionWebhooks.certFile | string | `""` | Path to your own PEM-encoded certificate. |
| admissionWebhooks.certManager.enabled | bool | `false` | If true and autoGenerateCert.enabled is false, cert-manager will create a self-signed cert and secret for you. |
| admissionWebhooks.keyFile | string | `""` | Path to your own PEM-encoded private key. |
| affinity | object | `{}` | Sets all pods' affinities. Can be configured also with `global.affinity` |
| containerSecurityContext | object | `{}` | Sets all security context (at container level). Can be configured also with `global.securityContext.container` |
| controllerManager.kubeRbacProxy.containerSecurityContext | object | `{}` | Sets security context (at container level) for kubeRbacProxy. Overrides `containerSecurityContext` and `global.containerSecurityContext` |
| controllerManager.kubeRbacProxy.image.repository | string | `"gcr.io/kubebuilder/kube-rbac-proxy"` | |
| controllerManager.kubeRbacProxy.image.tag | string | `"v0.14.0"` | |
| controllerManager.kubeRbacProxy.resources.limits.cpu | string | `"500m"` | |
| controllerManager.kubeRbacProxy.resources.limits.memory | string | `"128Mi"` | |
| controllerManager.kubeRbacProxy.resources.requests.cpu | string | `"5m"` | |
| controllerManager.kubeRbacProxy.resources.requests.memory | string | `"64Mi"` | |
| controllerManager.manager.containerSecurityContext | object | `{}` | Sets security context (at container level) for the manager. Overrides `containerSecurityContext` and `global.containerSecurityContext` |
| controllerManager.manager.image.pullPolicy | string | `nil` | |
| controllerManager.manager.image.repository | string | `"newrelic/k8s-agents-operator"` | |
| controllerManager.manager.image.tag | string | `nil` | |
| controllerManager.manager.leaderElection | object | `{"enabled":true}` | Enable leader election mechanism for protecting against split brain if multiple operator pods/replicas are started |
| controllerManager.manager.resources.requests.cpu | string | `"100m"` | |
| controllerManager.manager.resources.requests.memory | string | `"64Mi"` | |
| controllerManager.manager.serviceAccount.create | bool | `true` | |
| controllerManager.replicas | int | `1` | |
| dnsConfig | object | `{}` | Sets pod's dnsConfig. Can be configured also with `global.dnsConfig` |
| kubernetesClusterDomain | string | `"cluster.local"` | |
| labels | object | `{}` | Additional labels for chart objects |
| licenseKey | string | `""` | This set this license key to use. Can be configured also with `global.licenseKey` |
| metricsService.ports[0].name | string | `"https"` | |
| metricsService.ports[0].port | int | `8443` | |
| metricsService.ports[0].protocol | string | `"TCP"` | |
| metricsService.ports[0].targetPort | string | `"https"` | |
| metricsService.type | string | `"ClusterIP"` | |
| securityContext | object | `{"fsGroup":65532,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532}` | SecurityContext holds pod-level security attributes and common container settings |
| nodeSelector | object | `{}` | Sets all pods' node selector. Can be configured also with `global.nodeSelector` |
| podAnnotations | object | `{}` | Annotations to be added to the deployment. |
| podLabels | object | `{}` | Additional labels for chart pods |
| podSecurityContext | object | `{"fsGroup":65532,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532}` | SecurityContext holds pod-level security attributes and common container settings |
| priorityClassName | string | `""` | Sets pod's priorityClassName. Can be configured also with `global.priorityClassName` |
| serviceAccount | object | See `values.yaml` | Settings controlling ServiceAccount creation |
| serviceAccount.create | bool | `true` | Specifies whether a ServiceAccount should be created |
| tolerations | list | `[]` | Sets all pods' tolerations to node taints. Can be configured also with `global.tolerations` |
| webhookService.ports[0].port | int | `443` | |
| webhookService.ports[0].protocol | string | `"TCP"` | |
| webhookService.ports[0].targetPort | int | `9443` | |
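Review bot: the descriptions in this table disagree on the name of the global container-level key: the `containerSecurityContext` row says it can also be set via `global.securityContext.container`, while the `controllerManager.kubeRbacProxy.containerSecurityContext` and `controllerManager.manager.containerSecurityContext` rows say they override `global.containerSecurityContext`. The helpers in `_security_context.tpl` fall back to the common-library helper `newrelic.common.securityContext.container`, whose name matches the first form, so please align the two per-container rows with it. Two smaller points: the `licenseKey` row reads "This set this license key to use" (should be "Sets the license key to use"), and the table carries both a `securityContext` row and a `podSecurityContext` row with identical defaults and descriptions; since deployment.yaml no longer reads `.Values.securityContext`, the `securityContext` row should be dropped so nobody sets a key that has no effect.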
21 changes: 21 additions & 0 deletions charts/k8s-agents-operator/templates/_security_context.tpl
@@ -0,0 +1,21 @@
{{- /*
A helper to return the container security context to apply to kubeRbacProxy.
*/ -}}
{{- define "k8s-agents-operator.kubeRbacProxy.securityContext.container" -}}
{{- if .Values.controllerManager.kubeRbacProxy.containerSecurityContext -}}
{{- toYaml .Values.controllerManager.kubeRbacProxy.containerSecurityContext -}}
{{- else if include "newrelic.common.securityContext.container" . -}}
{{- include "newrelic.common.securityContext.container" . -}}
{{- end -}}
{{- end -}}

{{- /*
A helper to return the container security context to apply to the manager.
*/ -}}
{{- define "k8s-agents-operator.manager.securityContext.container" -}}
{{- if .Values.controllerManager.manager.containerSecurityContext -}}
{{- toYaml .Values.controllerManager.manager.containerSecurityContext -}}
{{- else if include "newrelic.common.securityContext.container" . -}}
{{- include "newrelic.common.securityContext.container" . -}}
{{- end -}}
{{- end -}}
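Review bot: neither helper is covered by the test suites added in this PR (affinity, annotations, images), so the precedence they implement (container-specific value first, then the common-library container context) is untested; a `security_context_test.yaml` with three cases (nothing set, only the global container context set, both set with the container-specific value winning) would lock it in and could mirror the structure of affinity_test.yaml. Also, the two helpers are identical apart from the values path they read; if the chart grows more containers, a single helper that receives the container-specific context through a `dict` parameter would avoid a third copy.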
65 changes: 46 additions & 19 deletions charts/k8s-agents-operator/templates/deployment.yaml
@@ -1,11 +1,3 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "newrelic.common.serviceAccount.name" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "newrelic.common.labels" . | nindent 4 }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
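Review bot: moving the ServiceAccount out of deployment.yaml into its own template is fine, but the Deployment still resolves `serviceAccountName` through `newrelic.common.serviceAccount.name`, so when `serviceAccount.create` is `false` that name must point at an account that already exists in the release namespace. The README row for `serviceAccount` only says "See `values.yaml`"; a row for the name key and one sentence stating that the account must pre-exist when `create` is `false` would save users a pod stuck in `CreateContainerConfigError`/forbidden on first install.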
@@ -24,10 +16,32 @@ spec:
metadata:
labels:
control-plane: controller-manager
{{- include "newrelic.common.labels" . | nindent 8 }}
{{- include "newrelic.common.labels.podLabels" . | nindent 8 }}
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
serviceAccountName: {{ include "newrelic.common.serviceAccount.name" . }}
{{- with include "newrelic.common.securityContext.pod" . }}
securityContext:
{{- . | nindent 8 }}
{{- end }}
{{- with include "newrelic.common.priorityClassName" . }}
priorityClassName: {{ . }}
{{- end }}
{{- with include "newrelic.common.dnsConfig" . }}
dnsConfig:
{{- . | nindent 8 }}
{{- end }}
terminationGracePeriodSeconds: 10
containers:
- args:
- name: manager
{{- with include "k8s-agents-operator.manager.securityContext.container" . }}
securityContext:
{{- . | nindent 10 }}
{{- end }}
args:
- --metrics-addr=127.0.0.1:8080
{{- if .Values.controllerManager.manager.leaderElection.enabled }}
- --enable-leader-election
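Review bot: the pod template's labels switch from `newrelic.common.labels` to `newrelic.common.labels.podLabels`; the Deployment's `spec.selector` is outside this hunk, so please confirm it matches only on `control-plane: controller-manager` or on labels that `podLabels` still emits. A selector that no longer matches the template is rejected at install time and, because the selector is immutable, would also block upgrades of existing releases. Separately, the pod-level `securityContext` is now wrapped in `with`, so if the common-library helper returns nothing the whole block is omitted; the `podSecurityContext` default documented in the README (`runAsNonRoot: true`, uid/gid 65532) is what keeps the operator non-root, so a test asserting that this default actually renders would guard against a future values.yaml edit silently dropping it.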
@@ -51,7 +65,6 @@ spec:
port: 8081
initialDelaySeconds: 15
periodSeconds: 20
name: manager
ports:
- containerPort: 9443
name: webhook-server
@@ -62,12 +75,18 @@ spec:
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
resources: {{- toYaml .Values.controllerManager.manager.resources | nindent 10 }}
resources:
{{- toYaml .Values.controllerManager.manager.resources | nindent 10 }}
volumeMounts:
- mountPath: /tmp/k8s-webhook-server/serving-certs
name: cert
readOnly: true
- args:
- name: kube-rbac-proxy
{{- with include "k8s-agents-operator.kubeRbacProxy.securityContext.container" . }}
securityContext:
{{- . | nindent 10 }}
{{- end }}
args:
- --secure-listen-address=0.0.0.0:8443
- --upstream=http://127.0.0.1:8080/
- --logtostderr=true
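Review bot: the manager and kube-rbac-proxy containers now only get a container-level `securityContext` when `controllerManager.<container>.containerSecurityContext` or the common-library global value is set, and the README defaults for both per-container keys are `{}`, so unless the common library ships a default of its own a plain install renders no container-level context at all (no `allowPrivilegeEscalation: false`, no `capabilities.drop: [ALL]`, no `readOnlyRootFilesystem`). Consider shipping a hardened default for both containers in values.yaml so the pod satisfies the restricted Pod Security Standard without extra configuration, and add a rendering test for it.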
@@ -76,20 +95,28 @@ spec:
- name: KUBERNETES_CLUSTER_DOMAIN
value: {{ quote .Values.kubernetesClusterDomain }}
image: {{ .Values.controllerManager.kubeRbacProxy.image.repository }}:{{ .Values.controllerManager.kubeRbacProxy.image.tag | default .Chart.AppVersion }}
name: kube-rbac-proxy
ports:
- containerPort: 8443
name: https
protocol: TCP
resources: {{- toYaml .Values.controllerManager.kubeRbacProxy.resources | nindent 10 }}
serviceAccountName: {{ include "newrelic.common.serviceAccount.name" . }}
terminationGracePeriodSeconds: 10
resources:
{{- toYaml .Values.controllerManager.kubeRbacProxy.resources | nindent 10 }}
{{- if or .Values.admissionWebhooks.create (include "k8s-agents-operator.certificateSecret.name" . ) }}
volumes:
- name: cert
secret:
defaultMode: 420
secretName: {{ include "k8s-agents-operator.certificateSecret.name" . }}
{{- end }}
securityContext:
{{- toYaml .Values.securityContext | nindent 8 }}
{{- with include "newrelic.common.nodeSelector" . }}
nodeSelector:
{{- . | nindent 8 }}
{{- end }}
{{- with include "newrelic.common.affinity" . }}
affinity:
{{- . | nindent 8 }}
{{- end }}
{{- with include "newrelic.common.tolerations" . }}
tolerations:
{{- . | nindent 8 }}
{{- end }}
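Review bot: dropping `securityContext: {{- toYaml .Values.securityContext | nindent 8 }}` means a user who set `securityContext` in their values to harden the pod will have it silently ignored after upgrading, with the pod falling back to whatever `podSecurityContext` contains. Please call this out in the chart's changelog/README as a renamed key, or add a `fail` in the template when `.Values.securityContext` is non-empty so the regression is loud rather than silent. One more thing visible in the surrounding context: the `cert` volumeMount on the manager container is unconditional while the `volumes` block is guarded by `admissionWebhooks.create` or a certificate secret name, so with neither set the pod spec references a volume that does not exist and pod creation is rejected by API validation.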
11 changes: 11 additions & 0 deletions charts/k8s-agents-operator/templates/service-account.yaml
@@ -0,0 +1,11 @@
{{- if include "newrelic.common.serviceAccount.create" . }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "newrelic.common.serviceAccount.name" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "newrelic.common.labels" . | nindent 4 }}
annotations:
{{- include "newrelic.common.serviceAccount.annotations" . | nindent 4 }}
{{- end -}}
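Review bot: `annotations:` is emitted unconditionally while its value comes from `newrelic.common.serviceAccount.annotations`, which can render nothing, leaving `annotations:` with an empty value in the manifest; the API server accepts that, but it is inconsistent with the `with` pattern used throughout deployment.yaml. Wrapping it as `{{- with include "newrelic.common.serviceAccount.annotations" . }}` / `annotations:` / `{{- . | nindent 4 }}` / `{{- end }}` keeps the output clean.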
107 changes: 107 additions & 0 deletions charts/k8s-agents-operator/tests/affinity_test.yaml
@@ -0,0 +1,107 @@
suite: affinity
templates:
- templates/deployment.yaml
release:
name: my-release
namespace: my-namespace
tests:
- it: sets affinity to default when no values provided
set:
licenseKey: us-whatever
asserts:
- notExists:
path: spec.template.spec.affinity
template: templates/deployment.yaml
- it: sets affinity from global by common-library
set:
licenseKey: us-whatever
global:
affinity:
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: globalKey
operator: In
values:
- S1
topologyKey: failure-domain.beta.kubernetes.io/zone
asserts:
- equal:
path: spec.template.spec.affinity
value:
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: globalKey
operator: In
values:
- S1
topologyKey: failure-domain.beta.kubernetes.io/zone
template: templates/deployment.yaml
- it: sets affinity from values by common-library
set:
licenseKey: us-whatever
affinity:
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: topLevelKey
operator: In
values:
- S1
topologyKey: failure-domain.beta.kubernetes.io/zone
asserts:
- equal:
path: spec.template.spec.affinity
value:
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: topLevelKey
operator: In
values:
- S1
topologyKey: failure-domain.beta.kubernetes.io/zone
template: templates/deployment.yaml
- it: sets affinity from values by common-library overriding global values
set:
licenseKey: us-whatever
affinity:
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: topLevelKey
operator: In
values:
- S1
topologyKey: failure-domain.beta.kubernetes.io/zone
global:
affinity:
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: globalKey
operator: In
values:
- S1
topologyKey: failure-domain.beta.kubernetes.io/zone
asserts:
- equal:
path: spec.template.spec.affinity
value:
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: topLevelKey
operator: In
values:
- S1
topologyKey: failure-domain.beta.kubernetes.io/zone
template: templates/deployment.yaml
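Review bot: the fixtures use `failure-domain.beta.kubernetes.io/zone` as the topology key, which has been deprecated in favour of `topology.kubernetes.io/zone` since Kubernetes 1.17. It does not affect the assertions, but test fixtures tend to be copied as examples, so the current label would be preferable.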
29 changes: 29 additions & 0 deletions charts/k8s-agents-operator/tests/annotations_test.yaml
@@ -0,0 +1,29 @@
suite: annotations
templates:
- templates/deployment.yaml
release:
name: my-release
namespace: my-namespace
tests:
- it: sets pod annotations to default when no values provided
set:
licenseKey: us-whatever
asserts:
- notExists:
path: spec.template.metadata.annotations
template: templates/deployment.yaml
- it: sets pod annotations from values
set:
licenseKey: us-whatever
podAnnotations:
deploymentKey1: "deploymentValue1"
deploymentKey2: "deploymentValue2"
asserts:
- equal:
path: spec.template.metadata.annotations.deploymentKey1
value: deploymentValue1
template: templates/deployment.yaml
- equal:
path: spec.template.metadata.annotations.deploymentKey2
value: deploymentValue2
template: templates/deployment.yaml
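Review bot: the "sets pod annotations from values" case asserts the two keys individually; an `equal` on the whole `spec.template.metadata.annotations` map would additionally catch any unexpected annotation being injected into the pod template, which is the kind of regression that otherwise goes unnoticed.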
40 changes: 40 additions & 0 deletions charts/k8s-agents-operator/tests/images_test.yaml
@@ -0,0 +1,40 @@
suite: images
templates:
- templates/deployment.yaml
release:
name: my-release
namespace: my-namespace
tests:
- it: has a default image tag
set:
licenseKey: us-whatever
asserts:
- notMatchRegex:
path: spec.template.spec.containers[0].image
pattern: ".*nil.*"
template: templates/deployment.yaml
- notMatchRegex:
path: spec.template.spec.containers[1].image
pattern: ".*nil.*"
template: templates/deployment.yaml
- it: loads image and version
set:
licenseKey: us-whatever
controllerManager:
manager:
image:
repository: nr/test-1
tag: "1.1.1"
kubeRbacProxy:
image:
repository: nr/test-2
tag: "1.1.2"
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: nr/test-1:1.1.1
template: templates/deployment.yaml
- equal:
path: spec.template.spec.containers[1].image
value: nr/test-2:1.1.2
template: templates/deployment.yaml
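Review bot: the "has a default image tag" case only asserts that the rendered image does not contain `nil`, so it would still pass if the fallback produced any non-nil but wrong tag; asserting the exact expected image strings (the manager's fallback, since its README default is `nil`, and `gcr.io/kubebuilder/kube-rbac-proxy:v0.14.0`) pins the behaviour. Note also that in deployment.yaml the kube-rbac-proxy image falls back to `.Chart.AppVersion` when its tag is empty, which is the operator's version and not a kube-rbac-proxy release; an explicit assertion on the kube-rbac-proxy image would surface that if someone clears the tag.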