feat(chart): align crd lifecycle (#542)
Signed-off-by: Oliver Bähler <[email protected]>
oliverbaehler authored Oct 10, 2024
1 parent 206d40f commit aa75cee
Showing 17 changed files with 493 additions and 94 deletions.
2 changes: 1 addition & 1 deletion Makefile
@@ -232,7 +232,7 @@ rbac-fix:

.PHONY: manifests
manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
$(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=charts/capsule-proxy/crd
$(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=charts/capsule-proxy/crds

.PHONY: generate
generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
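Review bot: the generator output now lands in `charts/capsule-proxy/crds`, but nothing in this hunk removes the files previously generated into `charts/capsule-proxy/crd`; delete that directory (and update any `.helmignore` entry or template that referenced `crd/`) so the chart does not ship two copies of the CustomResourceDefinitions, one of which would go stale on the next `make manifests`.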
12 changes: 8 additions & 4 deletions charts/capsule-proxy/Chart.yaml
@@ -16,7 +16,7 @@ keywords:
- namespace
- proxy
sources:
- https://capsule.clastix.io/docs/general/proxy
- https://projectcapsule.dev/integrations/addons/capsule-proxy/
maintainers:
- name: capsule-maintainers
email: [email protected]
@@ -31,7 +31,11 @@ annotations:
email: [email protected]
artifacthub.io/links: |
- name: Documentation
url: https://capsule.clastix.io/
url: https://projectcapsule.dev/
artifacthub.io/changes: |
- kind: added
description: crd lifecycle
- kind: refactor
description: crd lifecycle (aligned with main project)
- kind: refactor
description: job values (global key)
- kind: fix
description: cert-manager values corrected (should no longer trigger job)
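Review bot: `refactor` and `fix` are not among the kinds Artifact Hub documents for `artifacthub.io/changes` (those are `added`, `changed`, `deprecated`, `removed`, `fixed` and `security`), so these entries may be dropped or rejected when the changelog is rendered; use `changed` for the two refactor entries and `fixed` for the cert-manager one. The `added: crd lifecycle` entry also overlaps with `refactor: crd lifecycle (aligned with main project)`; one entry describing the new CRD handling is enough.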
77 changes: 53 additions & 24 deletions charts/capsule-proxy/README.md
@@ -82,20 +82,45 @@ If you only need to make minor customizations, you can specify them on the comma
| crds.install | bool | `false` | Install the CustomResourceDefinitions (This also manages the lifecycle of the CRDs for update operations) |
| crds.keep | bool | `true` | Keep the CustomResourceDefinitions (when the chart is deleted) |

### Global Parameters

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| global.jobs.certs.affinity | object | `{}` | Set affinity rules |
| global.jobs.certs.annotations | object | `{}` | Annotations to add to the certgen job. |
| global.jobs.certs.image.pullPolicy | string | `"IfNotPresent"` | Set the image pull policy of the post install certgen job |
| global.jobs.certs.image.registry | string | `"docker.io"` | Set the image repository of the post install certgen job |
| global.jobs.certs.image.repository | string | `"jettech/kube-webhook-certgen"` | Set the image repository of the post install certgen job |
| global.jobs.certs.image.tag | string | `"v1.3.0"` | Set the image tag of the post install certgen job |
| global.jobs.certs.nodeSelector | object | `{}` | Set the node selector |
| global.jobs.certs.podSecurityContext | object | `{"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the job pods. |
| global.jobs.certs.priorityClassName | string | `""` | Set a pod priorityClassName |
| global.jobs.certs.restartPolicy | string | `"Never"` | Set the restartPolicy |
| global.jobs.certs.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":1002,"runAsNonRoot":true,"runAsUser":1002}` | Security context for the job containers. |
| global.jobs.certs.tolerations | list | `[]` | Set list of tolerations |
| global.jobs.certs.topologySpreadConstraints | list | `[]` | Set Topology Spread Constraints |
| global.jobs.certs.ttlSecondsAfterFinished | int | `60` | Sets the ttl in seconds after a finished certgen job is deleted. Set to -1 to never delete. |
| global.jobs.kubectl.affinity | object | `{}` | Set affinity rules |
| global.jobs.kubectl.annotations | object | `{"helm.sh/hook-delete-policy":"before-hook-creation,hook-succeeded"}` | Annotations to add to the certgen job. |
| global.jobs.kubectl.image.pullPolicy | string | `"IfNotPresent"` | Set the image pull policy of the helm chart job |
| global.jobs.kubectl.image.registry | string | `"docker.io"` | Set the image repository of the helm chart job |
| global.jobs.kubectl.image.repository | string | `"clastix/kubectl"` | Set the image repository of the helm chart job |
| global.jobs.kubectl.image.tag | string | `""` | Set the image tag of the helm chart job |
| global.jobs.kubectl.nodeSelector | object | `{}` | Set the node selector |
| global.jobs.kubectl.podSecurityContext | object | `{"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the job pods. |
| global.jobs.kubectl.priorityClassName | string | `""` | Set a pod priorityClassName |
| global.jobs.kubectl.resources | object | `{}` | Job resources |
| global.jobs.kubectl.restartPolicy | string | `"Never"` | Set the restartPolicy |
| global.jobs.kubectl.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":1002,"runAsNonRoot":true,"runAsUser":1002}` | Security context for the job containers. |
| global.jobs.kubectl.tolerations | list | `[]` | Set list of tolerations |
| global.jobs.kubectl.topologySpreadConstraints | list | `[]` | Set Topology Spread Constraints |
| global.jobs.kubectl.ttlSecondsAfterFinished | int | `60` | Sets the ttl in seconds after a finished certgen job is deleted. Set to -1 to never delete. |

### General Parameters

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| affinity | object | `{}` | Set affinity rules for the capsule-proxy pod. |
| certManager.certificate.dnsNames | list | `[]` | Additional DNS Names to include in certificate |
| certManager.certificate.includeInternalServiceNames | bool | `true` | Include internal service names in certificate (disable if you create a public cert) |
| certManager.certificate.ipAddresses | list | `[]` | Additional IP Addresses to include in certificate |
| certManager.certificate.uris | list | `[]` | Additional URIs to include in certificate |
| certManager.externalCA.enabled | bool | `false` | Set if want cert manager to sign certificates with an external CA |
| certManager.externalCA.secretName | string | `""` | |
| certManager.generateCertificates | bool | `false` | Set if the cert manager will generate SSL certificates (self-signed or CA-signed) |
| certManager.issuer.kind | string | `"Issuer"` | Set if the cert manager will generate either self-signed or CA signed SSL certificates. Its value will be either Issuer or ClusterIssuer |
| certManager.issuer.name | string | `""` | Set the name of the ClusterIssuer if issuer kind is ClusterIssuer and if cert manager will generate CA signed SSL certificates |
| crds.install | bool | `false` | Install the CustomResourceDefinitions (This also manages the lifecycle of the CRDs for update operations) |
| crds.keep | bool | `true` | Keep the CustomResourceDefinitions (when the chart is deleted) |
| daemonset.hostNetwork | bool | `false` | Use the host network namespace for capsule-proxy pod. |
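Review bot: the new default `global.jobs.certs.image.tag` is `"v1.3.0"`, while the `jobs.certs.tag` default it replaces (removed in the next hunk of this file) was `"v1.5.2"`, so this change silently downgrades the `jettech/kube-webhook-certgen` image that generates the webhook serving certificate; keep `v1.5.2` (or a newer pinned tag) unless the downgrade is intentional, and say so in the changelog. Several `global.jobs.kubectl.*` descriptions were copy-pasted from the certs job (`annotations`: "Annotations to add to the certgen job.", `ttlSecondsAfterFinished`: "after a finished certgen job is deleted"); since README.md is generated from the gotmpl, fix the comments in values.yaml rather than here.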
@@ -107,20 +132,7 @@ If you only need to make minor customizations, you can specify them on the comma
| image.repository | string | `"projectcapsule/capsule-proxy"` | Set the image repository for capsule-proxy. |
| image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. |
| imagePullSecrets | list | `[]` | Configuration for `imagePullSecrets` so that you can use a private images registry. |
| jobs.affinity | object | `{}` | Set affinity rules |
| jobs.annotations | object | `{}` | Annotations to add to the certgen job. |
| jobs.certs.pullPolicy | string | `"IfNotPresent"` | Set the image pull policy of the post install certgen job |
| jobs.certs.registry | string | `"docker.io"` | Set the image repository of the post install certgen job |
| jobs.certs.repository | string | `"jettech/kube-webhook-certgen"` | Set the image repository of the post install certgen job |
| jobs.certs.tag | string | `"v1.5.2"` | Set the image tag of the post install certgen job |
| jobs.nodeSelector | object | `{}` | Set the node selector |
| jobs.podSecurityContext | object | `{"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the job pods. |
| jobs.priorityClassName | string | `""` | Set a pod priorityClassName |
| jobs.restartPolicy | string | `"Never"` | Set the restartPolicy |
| jobs.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":1002,"runAsNonRoot":true,"runAsUser":1002}` | Security context for the job containers. |
| jobs.tolerations | list | `[]` | Set list of tolerations |
| jobs.topologySpreadConstraints | list | `[]` | Set Topology Spread Constraints |
| jobs.ttlSecondsAfterFinished | int | `60` | Sets the ttl in seconds after a finished certgen job is deleted. Set to -1 to never delete. |
| jobs | object | `{"certs":{}}` | Deprecated: Use `global.jobs.certs` instead |
| kind | string | `"Deployment"` | Set the deployment mode of the capsule-proxy as `Deployment` or `DaemonSet`. |
| livenessProbe | object | `{"enabled":true,"httpGet":{"path":"/healthz/","port":"probe","scheme":"HTTP"},"initialDelaySeconds":20}` | Proxy Liveness-Probe |
| nodeSelector | object | `{}` | Set the node selector for the capsule-proxy pod. |
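Review bot: the `jobs` row marks the whole key as deprecated with default `{"certs":{}}`, but does not say which legacy sub-keys are still honored (the certgen template and the CI compatibility values still read `jobs.certs.registry`, `repository`, `pullPolicy` and `tag`, and the rest of `jobs.*` is merged as a fallback) or in which release they will be removed; spell that out in the values.yaml comment so users migrating to `global.jobs.certs` know what still works and for how long.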
@@ -140,7 +152,7 @@ If you only need to make minor customizations, you can specify them on the comma
| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":1002,"runAsNonRoot":true,"runAsUser":1002}` | Security context for the capsule-proxy container. |
| serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
| serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
| serviceAccount.name | string | `capsule-proxy`` | The name of the service account to use. If not set and `serviceAccount.create=true`, a name is generated using the fullname template |
| serviceAccount.name | string | `capsule-proxy` | The name of the service account to use. If not set and `serviceAccount.create=true`, a name is generated using the fullname template |
| tolerations | list | `[]` | Set list of tolerations for the capsule-proxy pod. |
| topologySpreadConstraints | list | `[]` | Topology Spread Constraints for the capsule-proxy pod. |
| volumeMounts | list | `[]` | Additional volume mounts |
@@ -169,6 +181,23 @@ If you only need to make minor customizations, you can specify them on the comma
| options.oidcUsernameClaim | string | `"preferred_username"` | Specify if capsule-proxy will use SSL |
| options.rolebindingsResyncPeriod | string | `"10h"` | Set the role bindings reflector resync period, a local cache to store mappings between users and their namespaces. [Use a lower value in case of flaky etcd server connections.](https://github.com/projectcapsule/capsule-proxy/issues/174) |

### Cert-Manager Parameters

You can manage the certificate with the help of [cert-manager](https://cert-manager.io/docs/). By default the chart will create a self-signed certificate.

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| certManager.certificate.dnsNames | list | `[]` | Additional DNS Names to include in certificate |
| certManager.certificate.fields | object | `{"privateKey":{"rotationPolicy":"Always"}}` | Additional fields to include in certificate |
| certManager.certificate.includeInternalServiceNames | bool | `true` | Include internal service names in certificate (disable if you create a public cert) |
| certManager.certificate.ipAddresses | list | `[]` | Additional IP Addresses to include in certificate |
| certManager.certificate.uris | list | `[]` | Additional URIs to include in certificate |
| certManager.externalCA.enabled | bool | `false` | Set if want cert manager to sign certificates with an external CA |
| certManager.externalCA.secretName | string | `""` | |
| certManager.generateCertificates | bool | `false` | Set if the cert manager will generate SSL certificates (self-signed or CA-signed) |
| certManager.issuer.kind | string | `"Issuer"` | Set if the cert manager will generate either self-signed or CA signed SSL certificates. Its value will be either Issuer or ClusterIssuer |
| certManager.issuer.name | string | `""` | Set the name of the ClusterIssuer if issuer kind is ClusterIssuer and if cert manager will generate CA signed SSL certificates |

### Service Parameters

| Key | Type | Default | Description |
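Review bot: the `certManager.externalCA.secretName` row still has an empty description, and the new `certManager.certificate.fields` description ("Additional fields to include in certificate") should say where the map ends up (the CI values file places `renewBefore` under it, which suggests it is merged into the `Certificate` spec); that context is what makes the `rotationPolicy: Always` default meaningful, since it regenerates the private key on every renewal instead of reusing the one in the secret. The unchanged `options.oidcUsernameClaim` context line above also carries the wrong description ("Specify if capsule-proxy will use SSL"); worth fixing in values.yaml in the same pass.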
24 changes: 23 additions & 1 deletion charts/capsule-proxy/README.md.gotmpl
@@ -85,13 +85,23 @@ If you only need to make minor customizations, you can specify them on the comma
{{- end }}
{{- end }}

### Global Parameters

| Key | Type | Default | Description |
|-----|------|---------|-------------|
{{- range .Values }}
{{- if (hasPrefix "global" .Key) }}
| {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} |
{{- end }}
{{- end }}


### General Parameters

| Key | Type | Default | Description |
|-----|------|---------|-------------|
{{- range .Values }}
{{- if not (or (hasPrefix "options" .Key) (hasPrefix "service." .Key) (hasPrefix "ingress" .Key) (hasPrefix "autoscaling" .Key) (hasPrefix "serviceMonitor" .Key) ) }}
{{- if not (or (hasPrefix "certManager" .Key) (hasPrefix "global" .Key) (hasPrefix "options" .Key) (hasPrefix "service." .Key) (hasPrefix "ingress" .Key) (hasPrefix "autoscaling" .Key) (hasPrefix "serviceMonitor" .Key) ) }}
| {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} |
{{- end }}
{{- end }}
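Review bot: the Global section filter uses `hasPrefix "global" .Key` while the service filter uses `hasPrefix "service."`; without the trailing dot any future key that merely starts with `global` would be pulled into this section and excluded from General Parameters, so use `"global."` (and `"certManager."`) in both the include and the exclude lists. The two consecutive blank lines before `### General Parameters` also add an extra gap in the generated README.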
@@ -107,6 +117,18 @@ If you only need to make minor customizations, you can specify them on the comma
{{- end }}
{{- end }}

### Cert-Manager Parameters

You can manage the certificate with the help of [cert-manager](https://cert-manager.io/docs/). By default the chart will create a self-signed certificate.

| Key | Type | Default | Description |
|-----|------|---------|-------------|
{{- range .Values }}
{{- if hasPrefix "certManager" .Key }}
| {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} |
{{- end }}
{{- end }}


### Service Parameters

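Review bot: the sentence "By default the chart will create a self-signed certificate" sits under the Cert-Manager heading, but `certManager.generateCertificates` defaults to `false`, so by default it is the certgen job, not cert-manager, that produces the self-signed certificate; reword to something like "cert-manager is only used when `certManager.generateCertificates` is `true`; otherwise the chart's certgen job creates a self-signed certificate" so readers do not assume cert-manager is required. `hasPrefix "certManager" .Key` is also the only filter not wrapped in parentheses; harmless, but inconsistent with the sections above.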
8 changes: 8 additions & 0 deletions charts/capsule-proxy/ci/cert-manager-values.yaml
@@ -1,3 +1,7 @@
global:
jobs:
kubectl:
ttlSecondsAfterFinished: 120
crds:
install: true
keep: false
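Review bot: `crds.keep: false` together with `crds.install: true` is fine for a throwaway CI cluster, but deserves a comment: with that pair the CRDs, and every object of those kinds, are deleted together with the release, so nobody should copy this file as a production example.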
@@ -13,3 +17,7 @@ certManager:
- "127.0.0.1"
uris:
- "spiffe://cluster.local/ns/sandbox/sa/example"
fields:
privateKey:
rotationPolicy: 'Always'
renewBefore: '24h'
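Review bot: `renewBefore: '24h'` must stay below the certificate `duration` or cert-manager rejects the `Certificate`; no `duration` is set here, so the cert-manager default (2160h) applies and the pair is valid, but setting `duration` explicitly keeps it valid if someone later shortens the lifetime. `rotationPolicy: 'Always'` is the right choice, since the private key is regenerated on each renewal rather than reused from the existing secret.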
14 changes: 14 additions & 0 deletions charts/capsule-proxy/ci/compatbility.yaml
@@ -0,0 +1,14 @@
crds:
install: true
keep: false
global:
jobs:
certs:
nodeSelector:
global-field: "global-value"
jobs:
certs:
registry: custom-registry
repository: jettech/kube-webhook-certgen
pullPolicy: IfNotPresent
tag: "v1.5.2"
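Review bot: the file name is misspelled (`compatbility.yaml`, should be `compatibility.yaml`); rename it before this lands, since CI value files are typically picked up by glob and the name shows up in job output. Mixing `global.jobs.certs.nodeSelector` with the legacy `jobs.certs.*` keys is a good test of the `default`/`mergeOverwrite` fallback, but `registry: custom-registry` produces an image reference that cannot be pulled, so this file only exercises `helm template`/lint, not an actual install; say so in a comment at the top.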
7 changes: 0 additions & 7 deletions charts/capsule-proxy/templates/_helpers.tpl
@@ -68,13 +68,6 @@ Create the fully-qualified Docker image to use
{{- printf "%s/%s:%s" .Values.image.registry .Values.image.repository ( .Values.image.tag | default (printf "v%s" .Chart.AppVersion) ) -}}
{{- end }}

{{/*
Create the certs jobs fully-qualified Docker image to use
*/}}
{{- define "capsule.jobs.certsFullyQualifiedDockerImage" -}}
{{- printf "%s/%s:%s" .Values.jobs.certs.registry .Values.jobs.certs.repository .Values.jobs.certs.tag -}}
{{- end -}}

{{/*
Create CA secret name for the capsule proxy
*/}}
28 changes: 28 additions & 0 deletions charts/capsule-proxy/templates/_jobs.tpl
@@ -0,0 +1,28 @@
{{/*
Determine the Kubernetes version to use for jobsFullyQualifiedDockerImage tag
*/}}
{{- define "capsule-proxy.jobsTagKubeVersion" -}}
{{- if contains "-eks-" .Capabilities.KubeVersion.GitVersion }}
{{- print "v" .Capabilities.KubeVersion.Major "." (.Capabilities.KubeVersion.Minor | replace "+" "") -}}
{{- else }}
{{- print "v" .Capabilities.KubeVersion.Major "." .Capabilities.KubeVersion.Minor -}}
{{- end }}
{{- end }}

{{/*
Create the jobs fully-qualified Docker image to use
*/}}
{{- define "capsule-proxy.kubectlFullyQualifiedDockerImage" -}}
{{- if .Values.global.jobs.kubectl.image.tag }}
{{- printf "%s/%s:%s" .Values.global.jobs.kubectl.image.registry .Values.global.jobs.kubectl.image.repository .Values.global.jobs.kubectl.image.tag -}}
{{- else }}
{{- printf "%s/%s:%s" .Values.global.jobs.kubectl.image.registry .Values.global.jobs.kubectl.image.repository (include "capsule-proxy.jobsTagKubeVersion" .) -}}
{{- end }}
{{- end }}

{{/*
Create the certs jobs fully-qualified Docker image to use
*/}}
{{- define "capsule.jobs.certsFullyQualifiedDockerImage" -}}
{{- printf "%s/%s:%s" (default $.Values.global.jobs.certs.image.registry $.Values.jobs.certs.registry) (default $.Values.global.jobs.certs.image.repository $.Values.jobs.certs.repository) (default $.Values.global.jobs.certs.image.tag $.Values.jobs.certs.tag) -}}
{{- end -}}
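Review bot: `jobsTagKubeVersion` strips the trailing `+` from `.Capabilities.KubeVersion.Minor` only when the version string contains `-eks-`, but any distribution built from a non-release commit reports Minor with a `+` suffix; strip it unconditionally (`.Capabilities.KubeVersion.Minor | replace "+" ""`) and drop the EKS branch. `.Capabilities.KubeVersion.GitVersion` is deprecated in Helm 3 in favour of `.Capabilities.KubeVersion.Version`. The helper names also mix prefixes (`capsule-proxy.kubectlFullyQualifiedDockerImage` vs `capsule.jobs.certsFullyQualifiedDockerImage`). Finally, deriving the kubectl tag from the cluster version means the image floats with the cluster; document that `global.jobs.kubectl.image.tag` should be pinned (ideally by digest) for reproducible installs.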
29 changes: 16 additions & 13 deletions charts/capsule-proxy/templates/certgen-job.yaml
@@ -1,52 +1,55 @@
{{- if and .Values.options.enableSSL .Values.options.generateCertificates -}}
{{/* Backwards compatibility */}}
{{- $Values := mergeOverwrite $.Values.global.jobs.certs $.Values.jobs -}}

{{- if and .Values.options.enableSSL .Values.options.generateCertificates (not .Values.certManager.generateCertificates) -}}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "capsule-proxy.fullname" . }}-certgen
labels:
{{- include "capsule-proxy.labels" . | nindent 4 }}
{{- with .Values.jobs.annotations }}
{{- with .Values.global.jobs.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if ge .Values.jobs.ttlSecondsAfterFinished 0.0 }}
ttlSecondsAfterFinished: {{ .Values.jobs.ttlSecondsAfterFinished }}
{{- if ge $Values.ttlSecondsAfterFinished 0.0 }}
ttlSecondsAfterFinished: {{ $Values.ttlSecondsAfterFinished }}
{{- end }}
template:
metadata:
name: {{ include "capsule-proxy.fullname" . }}-certgen
labels:
{{- include "capsule-proxy.selectorLabels" . | nindent 8 }}
spec:
restartPolicy: {{ $.Values.jobs.restartPolicy }}
{{- with $.Values.jobs.podSecurityContext }}
restartPolicy: {{ $Values.restartPolicy }}
{{- with $Values.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.jobs.nodeSelector }}
{{- with $Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.jobs.affinity }}
{{- with $Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.jobs.tolerations }}
{{- with $Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.jobs.topologySpreadConstraints }}
{{- with $Values.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.jobs.priorityClassName }}
{{- with $Values.priorityClassName }}
priorityClassName: {{ . }}
{{- end }}
containers:
- name: post-install-job
image: {{ include "capsule.jobs.certsFullyQualifiedDockerImage" $ }}
imagePullPolicy: {{ .Values.jobs.certs.pullPolicy }}
imagePullPolicy: {{ default $.Values.global.jobs.certs.image.pullPolicy $.Values.jobs.certs.pullPolicy }}
args:
- create
- --host={{ include "capsule-proxy.certJob.SAN" . }}
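Review bot: `{{- with .Values.global.jobs.annotations }}` on the metadata block reads a key that does not exist in the new values layout (the README documents `global.jobs.certs.annotations`, and the legacy key was `jobs.annotations`), so job annotations are silently never rendered; it should be `{{- with $Values.annotations }}` like the other fields in this template. Also, Sprig's `mergeOverwrite` mutates its first argument, so the `$Values := mergeOverwrite $.Values.global.jobs.certs $.Values.jobs` assignment writes the legacy `.Values.jobs` map (including the nested `certs` key) into `.Values.global.jobs.certs` for every template rendered after this one; use `mergeOverwrite (deepCopy $.Values.global.jobs.certs) $.Values.jobs` to keep the fallback local to this file.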
@@ -59,7 +62,7 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- with $.Values.jobs.securityContext }}
{{- with $Values.securityContext }}
securityContext:
{{- toYaml . | nindent 10 }}
{{- end }}