Merge pull request #61 from devops-ia/feat/60-topologySpreadConstraints

feat: enable topologySpreadConstraints

charts/opencti/README.md

@@ -144,9 +144,10 @@ helm show values opencti/opencti
 | terminationGracePeriodSeconds | int | `30` | Configure Pod termination grace period </br> Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination |
 | testConnection | bool | `false` | Enable or disable test connection |
 | tolerations | list | `[]` | Tolerations for pod assignment </br> Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
+| topologySpreadConstraints | list | `[]` | Control how Pods are spread across your cluster </br> Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/#example-multiple-topologyspreadconstraints |
 | volumeMounts | list | `[]` | Additional volumeMounts on the output Deployment definition |
 | volumes | list | `[]` | Additional volumes on the output Deployment definition |
-| worker | object | `{"affinity":{},"autoscaling":{"enabled":false,"maxReplicas":100,"minReplicas":1,"targetCPUUtilizationPercentage":80},"enabled":true,"env":{"WORKER_LOG_LEVEL":"info","WORKER_TELEMETRY_ENABLED":true},"envFromSecrets":{},"image":{"pullPolicy":"IfNotPresent","repository":"opencti/worker","tag":""},"lifecycle":{},"networkPolicy":{"egress":[],"enabled":false,"ingress":[],"policyTypes":[]},"nodeSelector":{},"podDisruptionBudget":{"enabled":false,"maxUnavailable":1,"minAvailable":null},"readyChecker":{"enabled":true,"retries":30,"timeout":5},"replicaCount":1,"resources":{},"serviceMonitor":{"enabled":false,"interval":"30s","metricRelabelings":[],"relabelings":[],"scrapeTimeout":"10s"},"terminationGracePeriodSeconds":30,"tolerations":[],"volumeMounts":[],"volumes":[]}` | OpenCTI worker deployment configuration </br> Ref: https://docs.opencti.io/latest/deployment/overview/#workers |
+| worker | object | `{"affinity":{},"autoscaling":{"enabled":false,"maxReplicas":100,"minReplicas":1,"targetCPUUtilizationPercentage":80},"enabled":true,"env":{"WORKER_LOG_LEVEL":"info","WORKER_TELEMETRY_ENABLED":true},"envFromSecrets":{},"image":{"pullPolicy":"IfNotPresent","repository":"opencti/worker","tag":""},"lifecycle":{},"networkPolicy":{"egress":[],"enabled":false,"ingress":[],"policyTypes":[]},"nodeSelector":{},"podDisruptionBudget":{"enabled":false,"maxUnavailable":1,"minAvailable":null},"readyChecker":{"enabled":true,"retries":30,"timeout":5},"replicaCount":1,"resources":{},"serviceMonitor":{"enabled":false,"interval":"30s","metricRelabelings":[],"relabelings":[],"scrapeTimeout":"10s"},"terminationGracePeriodSeconds":30,"tolerations":[],"topologySpreadConstraints":[],"volumeMounts":[],"volumes":[]}` | OpenCTI worker deployment configuration </br> Ref: https://docs.opencti.io/latest/deployment/overview/#workers |
 | worker.affinity | object | `{}` | Affinity for pod assignment </br> Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity |
 | worker.autoscaling | object | `{"enabled":false,"maxReplicas":100,"minReplicas":1,"targetCPUUtilizationPercentage":80}` | Autoscaling with CPU or memory utilization percentage </br> Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ |
 | worker.enabled | bool | `true` | Enable or disable worker |
@@ -172,5 +173,6 @@ helm show values opencti/opencti
 | worker.serviceMonitor.enabled | bool | `false` | Enable or disable |
 | worker.terminationGracePeriodSeconds | int | `30` | Configure Pod termination grace period </br> Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination |
 | worker.tolerations | list | `[]` | Tolerations for pod assignment </br> Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
+| worker.topologySpreadConstraints | list | `[]` | Control how Pods are spread across your cluster </br> Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/#example-multiple-topologyspreadconstraints |
 | worker.volumeMounts | list | `[]` | Additional volumeMounts on the output Deployment definition |
 | worker.volumes | list | `[]` | Additional volumes on the output Deployment definition |

charts/opencti/ci/ci-common-values.yaml

@@ -53,6 +53,14 @@ envFromSecrets:
     name: opencti-ci-credentials
     key: RABBITMQ__PASSWORD
 
+topologySpreadConstraints:
+  - maxSkew: 1
+    topologyKey: zone
+    whenUnsatisfiable: DoNotSchedule
+  - maxSkew: 1
+    topologyKey: test-ci
+    whenUnsatisfiable: DoNotSchedule
+
 worker:
   enabled: true
 
@@ -77,6 +85,14 @@ worker:
   autoscaling:
     enabled: true
 
+  topologySpreadConstraints:
+    - maxSkew: 1
+      topologyKey: zone
+      whenUnsatisfiable: DoNotSchedule
+    - maxSkew: 1
+      topologyKey: test-ci
+      whenUnsatisfiable: DoNotSchedule
+
 connectors:
 - name: opencti
   enabled: true
@@ -109,6 +125,10 @@ connectors:
     OPENCTI_TOKEN:
       name: opencti-ci-credentials
       key: APP__ADMIN__TOKEN
+  topologySpreadConstraints:
+    - maxSkew: 1
+      topologyKey: zone
+      whenUnsatisfiable: DoNotSchedule
 
 elasticsearch:
   fullnameOverride: opencti-ci-elasticsearch

charts/opencti/templates/_helpers.tpl

@@ -60,3 +60,109 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{/*
+#######################
+SERVER SECTION
+#######################
+*/}}
+
+{{/*
+Default server component
+*/}}
+{{- define "opencti.serverComponentLabel" -}}
+opencti.component: server
+{{- end -}}
+
+{{/*
+Generate labels for server component
+*/}}
+{{- define "opencti.serverLabels" -}}
+{{- toYaml (merge ((include "opencti.labels" .) | fromYaml) ((include "opencti.serverComponentLabel" .) | fromYaml)) }}
+{{- end }}
+
+{{/*
+Generate selectorLabels for server component
+*/}}
+{{- define "opencti.selectorServerLabels" -}}
+{{- toYaml (merge ((include "opencti.selectorLabels" .) | fromYaml) ((include "opencti.serverComponentLabel" .) | fromYaml)) }}
+{{- end }}
+
+{{/*
+Ref: https://github.com/aws/karpenter-provider-aws/blob/main/charts/karpenter/templates/_helpers.tpl
+Patch the label selector on an object
+This template will add a labelSelector using matchLabels to the object referenced at _target if there is no labelSelector specified.
+The matchLabels are created with the selectorLabels template.
+This works because Helm treats dictionaries as mutable objects and allows passing them by reference.
+*/}}
+{{- define "opencti.patchSelectorServerLabels" -}}
+{{- if not (hasKey ._target "labelSelector") }}
+{{- $selectorLabels := (include "opencti.selectorServerLabels" .) | fromYaml }}
+{{- $_ := set ._target "labelSelector" (dict "matchLabels" $selectorLabels) }}
+{{- end }}
+{{- end }}
+
+{{/*
+Ref: https://github.com/aws/karpenter-provider-aws/blob/main/charts/karpenter/templates/_helpers.tpl
+Patch topology spread constraints
+This template uses the opencti.selectorLabels template to add a labelSelector to topologySpreadConstraints if one isn't specified.
+This works because Helm treats dictionaries as mutable objects and allows passing them by reference.
+*/}}
+{{- define "opencti.patchTopologySpreadConstraintsServer" -}}
+{{- range $constraint := .Values.topologySpreadConstraints }}
+{{- include "opencti.patchSelectorServerLabels" (merge (dict "_target" $constraint (include "opencti.selectorServerLabels" $)) $) }}
+{{- end }}
+{{- end }}
+
+{{/*
+#######################
+WORKER SECTION
+#######################
+*/}}
+
+{{/*
+Default worker component
+*/}}
+{{- define "opencti.workerComponentLabel" -}}
+opencti.component: worker
+{{- end -}}
+
+{{/*
+Generate labels for worker component
+*/}}
+{{- define "opencti.workerLabels" -}}
+{{- toYaml (merge ((include "opencti.labels" .) | fromYaml) ((include "opencti.workerComponentLabel" .) | fromYaml)) }}
+{{- end }}
+
+{{/*
+Generate selectorLabels for worker component
+*/}}
+{{- define "opencti.selectorWorkerLabels" -}}
+{{- toYaml (merge ((include "opencti.selectorLabels" .) | fromYaml) ((include "opencti.workerComponentLabel" .) | fromYaml)) }}
+{{- end }}
+
+{{/*
+Ref: https://github.com/aws/karpenter-provider-aws/blob/main/charts/karpenter/templates/_helpers.tpl
+Patch the label selector on an object
+This template will add a labelSelector using matchLabels to the object referenced at _target if there is no labelSelector specified.
+The matchLabels are created with the selectorLabels template.
+This works because Helm treats dictionaries as mutable objects and allows passing them by reference.
+*/}}
+{{- define "opencti.patchSelectorWorkerLabels" -}}
+{{- if not (hasKey ._target "labelSelector") }}
+{{- $selectorLabels := (include "opencti.selectorWorkerLabels" .) | fromYaml }}
+{{- $_ := set ._target "labelSelector" (dict "matchLabels" $selectorLabels) }}
+{{- end }}
+{{- end }}
+
+{{/*
+Ref: https://github.com/aws/karpenter-provider-aws/blob/main/charts/karpenter/templates/_helpers.tpl
+Patch topology spread constraints
+This template uses the opencti.selectorLabels template to add a labelSelector to topologySpreadConstraints if one isn't specified.
+This works because Helm treats dictionaries as mutable objects and allows passing them by reference.
+*/}}
+{{- define "opencti.patchTopologySpreadConstraintsWorker" -}}
+{{- range $constraint := .Values.worker.topologySpreadConstraints }}
+{{- include "opencti.patchSelectorWorkerLabels" (merge (dict "_target" $constraint (include "opencti.selectorWorkerLabels" $)) $) }}
+{{- end }}
+{{- end }}

charts/opencti/templates/connector/deployment.yaml

@@ -135,6 +135,16 @@ spec:
       affinity:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- range $constraint := . }}
+        - labelSelector:
+            matchLabels:
+              opencti.connector: {{ $connectorName }}
+              {{- include "opencti.selectorLabels" $ | nindent 14 }}
+          {{- toYaml $constraint | nindent 10 }}
+        {{- end }}
+      {{- end }}
 
 {{- end }}
 {{- end }}

charts/opencti/templates/server/deployment.yaml

@@ -3,25 +3,22 @@ kind: Deployment
 metadata:
   name: {{ include "opencti.fullname" . }}-server
   labels:
-    opencti.component: server
-    {{- include "opencti.labels" . | nindent 4 }}
+    {{- include "opencti.serverLabels" . | nindent 4 }}
 spec:
   {{- if not .Values.autoscaling.enabled }}
   replicas: {{ .Values.replicaCount }}
   {{- end }}
   selector:
     matchLabels:
-      opencti.component: server
-      {{- include "opencti.selectorLabels" . | nindent 6 }}
+      {{- include "opencti.selectorServerLabels" . | nindent 6 }}
   template:
     metadata:
       {{- with .Values.podAnnotations }}
       annotations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       labels:
-        opencti.component: server
-        {{- include "opencti.selectorLabels" . | nindent 8 }}
+        {{- include "opencti.selectorServerLabels" . | nindent 8 }}
         {{- with .Values.podLabels }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
@@ -184,3 +181,8 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.topologySpreadConstraints }}
+      {{- $_ := include "opencti.patchTopologySpreadConstraintsServer" $ }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

charts/opencti/templates/server/hpa.yaml

@@ -4,8 +4,7 @@ kind: HorizontalPodAutoscaler
 metadata:
   name: {{ include "opencti.fullname" . }}-server
   labels:
-    opencti.component: server
-    {{- include "opencti.labels" . | nindent 4 }}
+    {{- include "opencti.serverLabels" . | nindent 4 }}
 spec:
   scaleTargetRef:
     apiVersion: apps/v1

charts/opencti/templates/server/ingress.yaml

@@ -17,8 +17,7 @@ kind: Ingress
 metadata:
   name: {{ $fullName }}
   labels:
-    opencti.component: server
-    {{- include "opencti.labels" . | nindent 4 }}
+    {{- include "opencti.serverLabels" . | nindent 4 }}
   {{- with .Values.ingress.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}

charts/opencti/templates/server/networkpolicy.yaml

@@ -4,16 +4,14 @@ kind: NetworkPolicy
 metadata:
   name: {{ include "opencti.fullname" . }}-server
   labels:
-    opencti.component: server
-    {{- include "opencti.labels" . | nindent 4 }}
+    {{- include "opencti.serverLabels" . | nindent 4 }}
 spec:
   {{- if and (not .Values.networkPolicy.policyTypes) (not .Values.networkPolicy.ingress) (not .Values.networkPolicy.egress) }}
   podSelector: {}
   {{- else }}
   podSelector:
     matchLabels:
-      opencti.component: server
-      {{- include "opencti.selectorLabels" . | nindent 6 }}
+      {{- include "opencti.selectorServerLabels" . | nindent 6 }}
   {{- end }}
 
   {{- if .Values.networkPolicy.policyTypes }}

charts/opencti/templates/server/pdb.yaml

@@ -4,13 +4,11 @@ kind: PodDisruptionBudget
 metadata:
   name: {{ include "opencti.fullname" . }}-server
   labels:
-    opencti.component: server
-    {{- include "opencti.labels" . | nindent 4 }}
+    {{- include "opencti.serverLabels" . | nindent 4 }}
 spec:
   selector:
     matchLabels:
-      opencti.component: server
-      {{- include "opencti.selectorLabels" . | nindent 6 }}
+      {{- include "opencti.selectorServerLabels" . | nindent 6 }}
   {{- if .Values.podDisruptionBudget.minAvailable }}
   minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
   {{- end }}

charts/opencti/templates/server/secret.yaml

@@ -5,8 +5,7 @@ type: Opaque
 metadata:
   name: {{ include "opencti.fullname" . }}-credentials
   labels:
-    opencti.component: server
-    {{- include "opencti.labels" . | nindent 4 }}
+    {{- include "opencti.serverLabels" . | nindent 4 }}
   annotations:
     helm.sh/hook: "pre-install,pre-upgrade"
 data:

charts/opencti/templates/server/service.yaml

@@ -3,8 +3,7 @@ kind: Service
 metadata:
   name: {{ include "opencti.fullname" . }}-server
   labels:
-    opencti.component: server
-    {{- include "opencti.labels" . | nindent 4 }}
+    {{- include "opencti.serverLabels" . | nindent 4 }}
 spec:
   type: {{ .Values.service.type }}
   ports:
@@ -28,5 +27,4 @@ spec:
       protocol: TCP
     {{- end }}
   selector:
-    opencti.component: server
-    {{- include "opencti.selectorLabels" . | nindent 4 }}
+    {{- include "opencti.selectorServerLabels" . | nindent 4 }}

charts/opencti/templates/server/serviceaccount.yaml

@@ -4,8 +4,7 @@ kind: ServiceAccount
 metadata:
   name: {{ include "opencti.serviceAccountName" . }}
   labels:
-    opencti.component: server
-    {{- include "opencti.labels" . | nindent 4 }}
+    {{- include "opencti.serverLabels" . | nindent 4 }}
   {{- with .Values.serviceAccount.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}

charts/opencti/templates/server/servicemonitor.yaml

@@ -4,13 +4,11 @@ kind: ServiceMonitor
 metadata:
   name: {{ include "opencti.fullname" . }}-server
   labels:
-    opencti.component: server
-    {{- include "opencti.labels" . | nindent 4 }}
+    {{- include "opencti.serverLabels" . | nindent 4 }}
 spec:
   selector:
     matchLabels:
-      opencti.component: server
-      {{- include "opencti.selectorLabels" . | nindent 8 }}
+      {{- include "opencti.selectorServerLabels" . | nindent 8 }}
   endpoints:
   - port: metrics
     interval: {{ .Values.serviceMonitor.interval | quote }}

charts/opencti/templates/worker/deployment.yaml

@@ -4,25 +4,22 @@ kind: Deployment
 metadata:
   name: {{ include "opencti.fullname" . }}-worker
   labels:
-    opencti.component: worker
-    {{- include "opencti.labels" . | nindent 4 }}
+    {{- include "opencti.workerLabels" . | nindent 4 }}
 spec:
   {{- if not .Values.worker.autoscaling.enabled }}
   replicas: {{ .Values.worker.replicaCount }}
   {{- end }}
   selector:
     matchLabels:
-      opencti.component: worker
-      {{- include "opencti.selectorLabels" . | nindent 6 }}
+      {{- include "opencti.selectorWorkerLabels" . | nindent 6 }}
   template:
     metadata:
       {{- with .Values.worker.podAnnotations }}
       annotations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       labels:
-        opencti.component: worker
-        {{- include "opencti.selectorLabels" . | nindent 8 }}
+        {{- include "opencti.selectorWorkerLabels" . | nindent 8 }}
         {{- with .Values.worker.podLabels }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
@@ -144,4 +141,9 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.worker.topologySpreadConstraints }}
+      {{- $_ := include "opencti.patchTopologySpreadConstraintsWorker" $ }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
 {{- end }}

charts/opencti/templates/worker/hpa.yaml

@@ -4,8 +4,7 @@ kind: HorizontalPodAutoscaler
 metadata:
   name: {{ include "opencti.fullname" . }}-worker
   labels:
-    opencti.component: worker
-    {{- include "opencti.labels" . | nindent 4 }}
+    {{- include "opencti.workerLabels" . | nindent 4 }}
 spec:
   scaleTargetRef:
     apiVersion: apps/v1