From 32fa111965a3600237f86b1ad4a5b8413f7fc587 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?= Date: Fri, 17 Mar 2023 13:43:05 +0100 Subject: [PATCH] refactor: make extraArgs objects in helm chart (#6588) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Charles-Edouard Brétéché --- charts/kyverno/README.md | 9 +++++---- charts/kyverno/README.md.gotmpl | 1 + .../admission-controller/deployment.yaml | 18 ++++++++++-------- .../background-controller/deployment.yaml | 6 ++++-- .../cleanup-controller/deployment.yaml | 6 ++++-- charts/kyverno/values.yaml | 8 ++++---- scripts/config/dev/kyverno.yaml | 15 +++++++++------ scripts/config/standard/kyverno.yaml | 6 +++--- 8 files changed, 40 insertions(+), 29 deletions(-) diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md index a291092e79..d18b58a92f 100644 --- a/charts/kyverno/README.md +++ b/charts/kyverno/README.md @@ -164,6 +164,7 @@ In `v3` chart values changed significantly, please read the instructions below t - `rbac` has been replaced with `admissionController.rbac` - `generatecontrollerExtraResources` has been replaced with `admissionController.rbac.clusterRole.extraResources` - `networkPolicy` has been replaced with `admissionController.networkPolicy` +- all `extraArgs` now use objects instead of arrays - Labels and selectors have been reworked and due to immutability, upgrading from `v2` to `v3` is going to be rejected. The easiest solution is to uninstall `v2` and reinstall `v3` once values have been adapted to the changes described above. 
@@ -268,7 +269,7 @@ The command removes all the Kubernetes components associated with the chart and | admissionController.initContainer.resources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits | | admissionController.initContainer.resources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests | | admissionController.initContainer.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Container security context | -| admissionController.initContainer.extraArgs | list | `["--loggingFormat=text"]` | Additional container args. | +| admissionController.initContainer.extraArgs | object | `{"loggingFormat":"text"}` | Additional container args. | | admissionController.initContainer.extraEnvVars | list | `[]` | Additional container environment variables. | | admissionController.container.image.registry | string | `"ghcr.io"` | Image registry | | admissionController.container.image.repository | string | `"kyverno/kyverno"` | Image repository | 
@@ -277,7 +278,7 @@ The command removes all the Kubernetes components associated with the chart and | admissionController.container.resources.limits | object | `{"memory":"384Mi"}` | Pod resource limits | | admissionController.container.resources.requests | object | `{"cpu":"100m","memory":"128Mi"}` | Pod resource requests | | admissionController.container.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Container security context | -| admissionController.container.extraArgs | list | `["--loggingFormat=text"]` | Additional container args. | +| admissionController.container.extraArgs | object | `{"loggingFormat":"text"}` | Additional container args. | | admissionController.container.extraEnvVars | list | `[]` | Additional container environment variables. | | admissionController.extraInitContainers | list | `[]` | Array of extra init containers | | admissionController.extraContainers | list | `[]` | Array of extra containers to run alongside kyverno | 
@@ -308,7 +309,7 @@ The command removes all the Kubernetes components associated with the chart and | cleanupController.priorityClassName | string | `""` | Optional priority class | | cleanupController.hostNetwork | bool | `false` | Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the `dnsPolicy` accordingly as well to suit the host network mode. | | cleanupController.dnsPolicy | string | `"ClusterFirst"` | `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. | -| cleanupController.extraArgs | list | `[]` | Extra arguments passed to the container on the command line | +| cleanupController.extraArgs | object | `{}` | Extra arguments passed to the container on the command line | | cleanupController.resources.limits | object | `{"memory":"128Mi"}` | Pod resource limits | | cleanupController.resources.requests | object | `{"cpu":"100m","memory":"64Mi"}` | Pod resource requests | | cleanupController.startupProbe | object | See [values.yaml](values.yaml) | Startup probe. The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ | 
@@ -421,7 +422,7 @@ The command removes all the Kubernetes components associated with the chart and | backgroundController.priorityClassName | string | `""` | Optional priority class | | backgroundController.hostNetwork | bool | `false` | Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the `dnsPolicy` accordingly as well to suit the host network mode. | | backgroundController.dnsPolicy | string | `"ClusterFirst"` | `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. | -| backgroundController.extraArgs | list | `[]` | Extra arguments passed to the container on the command line | +| backgroundController.extraArgs | object | `{}` | Extra arguments passed to the container on the command line | | backgroundController.resources.limits | object | `{"memory":"128Mi"}` | Pod resource limits | | backgroundController.resources.requests | object | `{"cpu":"100m","memory":"64Mi"}` | Pod resource requests | | backgroundController.nodeSelector | object | `{}` | Node labels for pod assignment | diff --git a/charts/kyverno/README.md.gotmpl b/charts/kyverno/README.md.gotmpl index e3b663e843..f54c2756f4 100644 --- a/charts/kyverno/README.md.gotmpl +++ b/charts/kyverno/README.md.gotmpl 
@@ -164,6 +164,7 @@ In `v3` chart values changed significantly, please read the instructions below t - `rbac` has been replaced with `admissionController.rbac` - `generatecontrollerExtraResources` has been replaced with `admissionController.rbac.clusterRole.extraResources` - `networkPolicy` has been replaced with `admissionController.networkPolicy` +- all `extraArgs` now use objects instead of arrays - Labels and selectors have been reworked and due to immutability, upgrading from `v2` to `v3` is going to be rejected. The easiest solution is to uninstall `v2` and reinstall `v3` once values have been adapted to the changes described above. diff --git a/charts/kyverno/templates/admission-controller/deployment.yaml b/charts/kyverno/templates/admission-controller/deployment.yaml index 2a62b981b7..d58a7ec331 100644 --- a/charts/kyverno/templates/admission-controller/deployment.yaml +++ b/charts/kyverno/templates/admission-controller/deployment.yaml @@ -80,10 +80,12 @@ spec: - name: kyverno-pre image: {{ include "kyverno.image" (dict "image" .Values.admissionController.initContainer.image "defaultTag" (default .Chart.AppVersion .Values.admissionController.container.image.tag)) | quote }} imagePullPolicy: {{ default .Values.admissionController.container.image.pullPolicy .Values.admissionController.initContainer.image.pullPolicy }} - {{- with .Values.admissionController.initContainer.extraArgs }} args: - {{- tpl (toYaml .) $ | nindent 12 }} - {{- end }} + {{- range $key, $value := .Values.admissionController.initContainer.extraArgs }} + {{- if $value }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- end }} {{- with .Values.admissionController.initContainer.resources }} resources: {{- tpl (toYaml .) $ | nindent 12 }} 
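Review bot: The `{{- if $value }}` guard inside the new `range` over `admissionController.initContainer.extraArgs` drops every falsy value, not only unset ones, so an entry set to `false`, `0` or an empty string renders no argument and the binary's built-in default applies. For any flag that defaults to on, an operator who sets it to `false` in values gets no error and no change, and may believe a control is disabled when it is not. Skipping only null values keeps the "unset this key" escape hatch without that trap: `{{- if not (kindIs "invalid" $value) }}`. The same guard is repeated in the main container block and in the background-controller and cleanup-controller templates; the container spec continues outside this hunk.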
@@ -115,16 +117,16 @@ spec: - name: kyverno image: {{ include "kyverno.image" (dict "image" .Values.admissionController.container.image "defaultTag" .Chart.AppVersion) | quote }} imagePullPolicy: {{ .Values.admissionController.container.image.pullPolicy }} - {{- if or .Values.admissionController.container.extraArgs .Values.imagePullSecrets }} args: - --servicePort={{ .Values.admissionController.service.port }} - {{- if .Values.admissionController.container.extraArgs -}} - {{ tpl (toYaml .Values.admissionController.container.extraArgs) . | nindent 12 }} - {{- end }} {{- if or .Values.imagePullSecrets .Values.existingImagePullSecrets }} - --imagePullSecrets={{- join "," (concat (keys .Values.imagePullSecrets) .Values.existingImagePullSecrets) }} {{- end }} - {{- end }} + {{- range $key, $value := .Values.admissionController.container.extraArgs }} + {{- if $value }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- end }} {{- with .Values.admissionController.container.resources }} resources: {{ tpl (toYaml .) $ | nindent 12 }} {{- end }} diff --git a/charts/kyverno/templates/background-controller/deployment.yaml b/charts/kyverno/templates/background-controller/deployment.yaml index 3c8f9abc29..6756f21a31 100644 --- a/charts/kyverno/templates/background-controller/deployment.yaml +++ b/charts/kyverno/templates/background-controller/deployment.yaml @@ -99,8 +99,10 @@ spec: - --transportCreds={{ . }} {{- end }} {{- end }} - {{- range .Values.backgroundController.extraArgs }} - - {{ . }} + {{- range $key, $value := .Values.backgroundController.extraArgs }} + {{- if $value }} + - --{{ $key }}={{ $value }} + {{- end }} {{- end }} env: - name: METRICS_CONFIG diff --git a/charts/kyverno/templates/cleanup-controller/deployment.yaml b/charts/kyverno/templates/cleanup-controller/deployment.yaml index 305cec8230..4e74e515f9 100644 --- a/charts/kyverno/templates/cleanup-controller/deployment.yaml +++ b/charts/kyverno/templates/cleanup-controller/deployment.yaml 
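Review bot: The new `- --{{ $key }}={{ $value }}` line in the `kyverno` container args writes the value into the YAML unquoted and no longer passes it through `tpl`/`toYaml` as the removed block did. A value containing ` #` is cut off at the comment marker and one containing `: ` turns the list item into a mapping, so the flag the process receives can differ from what the values file says; values that relied on template expressions also stop being expanded. Emitting the item as a quoted string avoids both parsing surprises: `- {{ printf "--%s=%v" $key $value | quote }}`. The same line appears in the init container, background-controller and cleanup-controller hunks.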
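Review bot: The two-variable `range $key, $value` in the background-controller args does not reject the old list form of `extraArgs`: over a list `$key` is the index, so a v2-style entry renders as something like `--0=--someFlag=value` instead of failing at render time. The README lists this format change among the v3 migration items, so a template-time guard would surface a stale values file during `helm template` or upgrade; otherwise it likely only shows up when the container rejects the unknown flag. I would put `{{- if kindIs "slice" .Values.backgroundController.extraArgs }}{{ fail "extraArgs must be a map of flag name to value" }}{{- end }}` ahead of the loop, and likewise in the admission-controller and cleanup-controller templates. The args list starts outside this hunk.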
@@ -100,8 +100,10 @@ spec: - --transportCreds={{ . }} {{- end }} {{- end }} - {{- range .Values.cleanupController.extraArgs }} - - {{ . }} + {{- range $key, $value := .Values.cleanupController.extraArgs }} + {{- if $value }} + - --{{ $key }}={{ $value }} + {{- end }} {{- end }} env: - name: METRICS_CONFIG diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml index 72f593475c..e446384f12 100644 --- a/charts/kyverno/values.yaml +++ b/charts/kyverno/values.yaml @@ -444,7 +444,7 @@ admissionController: # -- Additional container args. extraArgs: - - --loggingFormat=text + loggingFormat: text # -- Additional container environment variables. extraEnvVars: [] @@ -485,7 +485,7 @@ admissionController: # -- Additional container args. extraArgs: - - --loggingFormat=text + loggingFormat: text # -- Additional container environment variables. extraEnvVars: [] @@ -606,7 +606,7 @@ cleanupController: dnsPolicy: ClusterFirst # -- Extra arguments passed to the container on the command line - extraArgs: [] + extraArgs: {} resources: # -- Pod resource limits @@ -1107,7 +1107,7 @@ backgroundController: dnsPolicy: ClusterFirst # -- Extra arguments passed to the container on the command line - extraArgs: [] + extraArgs: {} resources: # -- Pod resource limits diff --git a/scripts/config/dev/kyverno.yaml b/scripts/config/dev/kyverno.yaml index d9ac3ad13a..c85fa25069 100644 --- a/scripts/config/dev/kyverno.yaml +++ b/scripts/config/dev/kyverno.yaml @@ -7,15 +7,15 @@ admissionController: initContainer: extraArgs: - - --loggingFormat=json + loggingFormat: json container: extraArgs: - - --loggingFormat=json - - --enableTracing - - --tracingAddress=tempo.monitoring - - --tracingPort=4317 - - --enablePolicyException + loggingFormat: json + enableTracing: true + tracingAddress: tempo.monitoring + tracingPort: 4317 + enablePolicyException: true backgroundController: serviceMonitor: 
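Review bot: The `# -- Additional container args.` and `# -- Extra arguments passed to the container on the command line` comments in charts/kyverno/values.yaml still describe the old shape and do not say that keys are flag names without the leading dashes. With the new templates a key written as `--loggingFormat` would render as `----loggingFormat=text`. I would reword them, for example `# -- Additional container args, as a map of flag name (without the leading "--") to value.`, which presumably also flows into the generated README table.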
@@ -42,6 +42,9 @@ cleanupController: format: json reportsController: + extraArgs: + enablePolicyException: true + serviceMonitor: enabled: true diff --git a/scripts/config/standard/kyverno.yaml b/scripts/config/standard/kyverno.yaml index 3aee219cfe..7f1da34e55 100644 --- a/scripts/config/standard/kyverno.yaml +++ b/scripts/config/standard/kyverno.yaml @@ -2,12 +2,12 @@ admissionController: initContainer: extraArgs: - - --loggingFormat=json + loggingFormat: json container: extraArgs: - - --loggingFormat=json - - --enablePolicyException + loggingFormat: json + enablePolicyException: true backgroundController: rbac:
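Review bot: The `reportsController.extraArgs` map added in scripts/config/dev/kyverno.yaml has no matching template or values.yaml change in this patch; the diffstat only touches the admission, background and cleanup deployment templates. If a reports-controller template still ranges over `extraArgs` as a list, a map would be iterated by value and emit a bare `- true` argument, or the key may simply be ignored. It is worth confirming that the template exists and consumes the object form before relying on `enablePolicyException: true` here.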