From 3b9af3b085a4e2394e969bb14a752e507c618bc4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?=
Date: Fri, 3 Mar 2023 15:38:33 +0100
Subject: [PATCH] refactor: helm admission controller config (#6473)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* refactor: helm admission controller config

Signed-off-by: Charles-Edouard Brétéché

* fix

Signed-off-by: Charles-Edouard Brétéché

* tuf stuff

Signed-off-by: Charles-Edouard Brétéché

* refactor: helm admission controller config

Signed-off-by: Charles-Edouard Brétéché

* fix

Signed-off-by: Charles-Edouard Brétéché

---------

Signed-off-by: Charles-Edouard Brétéché
---
 Makefile                                    | 12 ++---
 charts/kyverno/README.md                    | 14 +++---
 charts/kyverno/README.md.gotmpl             |  2 +
 charts/kyverno/ci/imageRegistry-values.yaml |  8 ++--
 charts/kyverno/templates/NOTES.txt          |  2 +-
 .../admission-controller/deployment.yaml    |  9 ++--
 charts/kyverno/values.yaml                  | 46 ++++++++++---------
 7 files changed, 51 insertions(+), 42 deletions(-)

diff --git a/Makefile b/Makefile
index 48667c8fec..dfc2c27b32 100644
--- a/Makefile
+++ b/Makefile
@@ -522,7 +522,7 @@ codegen-manifest-install: $(HELM) ## Create install manifest
 		--set templating.enabled=true \
 		--set templating.version=latest \
 		--set image.tag=latest \
-		--set initImage.tag=latest \
+		--set admissionController.initContainer.image.tag=latest \
 		--set cleanupController.image.tag=latest \
 		--set reportsController.image.tag=latest \
 		--set backgroundController.image.tag=latest \
@@ -538,7 +538,7 @@ codegen-manifest-debug: $(HELM) ## Create debug manifest
 		--set templating.version=latest \
 		--set templating.debug=true \
 		--set image.tag=latest \
-		--set initImage.tag=latest \
+		--set admissionController.initContainer.image.tag=latest \
 		--set cleanupController.image.tag=latest \
 		--set reportsController.image.tag=latest \
 		| $(SED) -e '/^#.*/d' \
@@ -553,7 +553,7 @@ codegen-manifest-release: $(HELM) ## Create release manifest
 		--set templating.enabled=true \
 		--set templating.version=$(GIT_VERSION) \
 		--set image.tag=$(GIT_VERSION) \
-		--set initImage.tag=$(GIT_VERSION) \
+		--set admissionController.initContainer.image.tag=$(GIT_VERSION) \
 		--set cleanupController.image.tag=$(GIT_VERSION) \
 		--set reportsController.image.tag=$(GIT_VERSION) \
 		| $(SED) -e '/^#.*/d' \
@@ -819,9 +819,9 @@ kind-install-kyverno: $(HELM) ## Install kyverno helm chart
 		--set image.registry=$(LOCAL_REGISTRY) \
 		--set image.repository=$(LOCAL_KYVERNO_REPO) \
 		--set image.tag=$(IMAGE_TAG_DEV) \
-		--set initImage.registry=$(LOCAL_REGISTRY) \
-		--set initImage.repository=$(LOCAL_KYVERNOPRE_REPO) \
-		--set initImage.tag=$(IMAGE_TAG_DEV) \
+		--set admissionController.initContainer.image.registry=$(LOCAL_REGISTRY) \
+		--set admissionController.initContainer.image.repository=$(LOCAL_KYVERNOPRE_REPO) \
+		--set admissionController.initContainer.image.tag=$(IMAGE_TAG_DEV) \
 		--set cleanupController.image.registry=$(LOCAL_REGISTRY) \
 		--set cleanupController.image.repository=$(LOCAL_CLEANUP_REPO) \
 		--set cleanupController.image.tag=$(IMAGE_TAG_DEV) \
diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md
index a2cc5b5377..28b93b994a 100644
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@@ -143,6 +143,8 @@ In `v3` chart values changed significantly, please read the instructions below t
 - `podSecurityContext` has been replaced with `admissionController.podSecurityContext`
 - `tufRootMountPath` has been replaced with `admissionController.tufRootMountPath`
 - `sigstoreVolume` has been replaced with `admissionController.sigstoreVolume`
+- `initImage` has been replaced with `admissionController.initContainer.image`
+- `initResources` has been replaced with `admissionController.initContainer.resources`
 - Labels and selectors have been reworked and due to immutability, upgrading from `v2` to `v3` is going to be rejected.
 
 The easiest solution is to uninstall `v2` and reinstall `v3` once values have been adapted to the changes described above.
@@ -204,10 +206,6 @@ The command removes all the Kubernetes components associated with the chart and
 | image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted |
 | image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
 | image.pullSecrets | list | `[]` | Image pull secrets |
-| initImage.registry | string | `"ghcr.io"` | Image registry |
-| initImage.repository | string | `"kyverno/kyvernopre"` | Image repository |
-| initImage.tag | string | `nil` | Image tag If initImage.tag is missing, defaults to image.tag |
-| initImage.pullPolicy | string | `nil` | Image pull policy If initImage.pullPolicy is missing, defaults to image.pullPolicy |
 | initContainer.extraArgs | list | `["--loggingFormat=text"]` | Extra arguments to give to the kyvernopre binary. |
 | podLabels | object | `{}` | Additional labels to add to each pod |
 | podAnnotations | object | `{}` | Additional annotations to add to each pod |
@@ -219,8 +217,6 @@ The command removes all the Kubernetes components associated with the chart and
 | extraContainers | list | `[]` | Array of extra containers to run alongside kyverno |
 | resources.limits | object | `{"memory":"384Mi"}` | Pod resource limits |
 | resources.requests | object | `{"cpu":"100m","memory":"128Mi"}` | Pod resource requests |
-| initResources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits |
-| initResources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests |
 | generatecontrollerExtraResources | list | `[]` | Additional resources to be added to controller RBAC permissions. |
 | excludeKyvernoNamespace | bool | `true` | Exclude Kyverno namespace Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters |
 | resourceFiltersExcludeNamespaces | list | `[]` | resourceFilter namespace exclude Namespaces to exclude from the default resourceFilters |
@@ -269,6 +265,12 @@ The command removes all the Kubernetes components associated with the chart and
 | admissionController.serviceMonitor.tlsConfig | object | `{}` | TLS Configuration for endpoint |
 | admissionController.tufRootMountPath | string | `"/.sigstore"` | A writable volume to use for the TUF root initialization. |
 | admissionController.sigstoreVolume | object | `{"emptyDir":{}}` | Volume to be mounted in pods for TUF/cosign work. |
+| admissionController.initContainer.image.registry | string | `"ghcr.io"` | Image registry |
+| admissionController.initContainer.image.repository | string | `"kyverno/kyvernopre"` | Image repository |
+| admissionController.initContainer.image.tag | string | `nil` | Image tag If missing, defaults to image.tag |
+| admissionController.initContainer.image.pullPolicy | string | `nil` | Image pull policy If missing, defaults to image.pullPolicy |
+| admissionController.initContainer.resources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits |
+| admissionController.initContainer.resources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests |
 | cleanupController.enabled | bool | `true` | Enable cleanup controller. |
 | cleanupController.rbac.create | bool | `true` | Create RBAC resources |
 | cleanupController.rbac.serviceAccount.name | string | `nil` | Service account name |
diff --git a/charts/kyverno/README.md.gotmpl b/charts/kyverno/README.md.gotmpl
index 0a6c1ab4b4..fe0b47150b 100644
--- a/charts/kyverno/README.md.gotmpl
+++ b/charts/kyverno/README.md.gotmpl
@@ -143,6 +143,8 @@ In `v3` chart values changed significantly, please read the instructions below t
 - `podSecurityContext` has been replaced with `admissionController.podSecurityContext`
 - `tufRootMountPath` has been replaced with `admissionController.tufRootMountPath`
 - `sigstoreVolume` has been replaced with `admissionController.sigstoreVolume`
+- `initImage` has been replaced with `admissionController.initContainer.image`
+- `initResources` has been replaced with `admissionController.initContainer.resources`
 - Labels and selectors have been reworked and due to immutability, upgrading from `v2` to `v3` is going to be rejected.
 
 The easiest solution is to uninstall `v2` and reinstall `v3` once values have been adapted to the changes described above.
diff --git a/charts/kyverno/ci/imageRegistry-values.yaml b/charts/kyverno/ci/imageRegistry-values.yaml
index 87a9b5f727..4cd66a5f14 100644
--- a/charts/kyverno/ci/imageRegistry-values.yaml
+++ b/charts/kyverno/ci/imageRegistry-values.yaml
@@ -7,6 +7,8 @@ image:
   registry: ko.local
   repository: github.com/kyverno/kyverno/cmd/kyverno
 
-initImage:
-  registry: ko.local
-  repository: github.com/kyverno/kyverno/cmd/initcontainer
+admissionController:
+  initContainer:
+    image:
+      registry: ko.local
+      repository: github.com/kyverno/kyverno/cmd/initcontainer
diff --git a/charts/kyverno/templates/NOTES.txt b/charts/kyverno/templates/NOTES.txt
index bbeb139d8e..4596f3322e 100644
--- a/charts/kyverno/templates/NOTES.txt
+++ b/charts/kyverno/templates/NOTES.txt
@@ -1,5 +1,5 @@
 Chart version: {{ .Chart.Version }}
-Kyverno version: {{ default .Chart.AppVersion (default .Values.image.tag .Values.initImage.tag) }}
+Kyverno version: {{ default .Chart.AppVersion (default .Values.image.tag .Values.admissionController.initContainer.image.tag) }}
 
 Thank you for installing {{ .Chart.Name }}! Your release is named {{ .Release.Name }}.
 
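Review bot: The new `Kyverno version:` line in NOTES.txt reports the init container's tag rather than the admission controller's, because `default .Values.image.tag .Values.admissionController.initContainer.image.tag` yields the init container value whenever it is set; that is the reverse of the precedence in the `deployment.yaml` hunk, where the init image falls back to `image.tag`, so when the two tags differ the note prints the `kyvernopre` tag as the Kyverno version. `Kyverno version: {{ default .Chart.AppVersion .Values.image.tag }}` would report the controller's own tag. The removed line had the same inversion with `initImage.tag`, so this is carried over rather than introduced here, but the rename is a natural place to fix it.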
diff --git a/charts/kyverno/templates/admission-controller/deployment.yaml b/charts/kyverno/templates/admission-controller/deployment.yaml
index f75c8753d9..107338b3e7 100644
--- a/charts/kyverno/templates/admission-controller/deployment.yaml
+++ b/charts/kyverno/templates/admission-controller/deployment.yaml
@@ -78,14 +78,15 @@ spec:
           {{- toYaml .Values.extraInitContainers | nindent 8 }}
         {{- end }}
         - name: kyverno-pre
-          image: {{ include "kyverno.image" (dict "image" .Values.initImage "defaultTag" (default .Chart.AppVersion .Values.image.tag)) | quote }}
-          imagePullPolicy: {{ default .Values.image.pullPolicy .Values.initImage.pullPolicy }}
+          image: {{ include "kyverno.image" (dict "image" .Values.admissionController.initContainer.image "defaultTag" (default .Chart.AppVersion .Values.image.tag)) | quote }}
+          imagePullPolicy: {{ default .Values.image.pullPolicy .Values.admissionController.initContainer.image.pullPolicy }}
           {{- if .Values.initContainer.extraArgs }}
           args:
             {{- tpl (toYaml .Values.initContainer.extraArgs) . | nindent 12 }}
           {{- end }}
-          {{- with .Values.initResources }}
-          resources: {{ tpl (toYaml .) $ | nindent 12 }}
+          {{- with .Values.admissionController.initContainer.resources }}
+          resources:
+            {{- tpl (toYaml .) $ | nindent 12 }}
           {{- end }}
           {{- with .Values.securityContext }}
           securityContext:
diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml
index 8465c159e7..ed96d12e78 100644
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@@ -217,18 +217,6 @@ image:
   pullSecrets: []
   # - secretName
 
-initImage:
-  # -- Image registry
-  registry: ghcr.io
-  # -- Image repository
-  repository: kyverno/kyvernopre
-  # -- (string) Image tag
-  # If initImage.tag is missing, defaults to image.tag
-  tag: ~
-  # -- (string) Image pull policy
-  # If initImage.pullPolicy is missing, defaults to image.pullPolicy
-  pullPolicy: ~
-
 initContainer:
   # -- Extra arguments to give to the kyvernopre binary.
   extraArgs:
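Review bot: Values still supplied under the old `initImage` / `initResources` keys are silently ignored by the rewritten `image:`, `imagePullPolicy:` and `resources:` lines, because Helm does not reject unknown values keys; an operator who had pinned `initImage.registry` to a private mirror would, after this change, have `kyverno-pre` pulled from the default `ghcr.io` registry at the `image.tag`/`appVersion` fallback with no error at render or install time. A guard near the top of the template such as `{{- if .Values.initImage }}{{ fail "initImage has been replaced with admissionController.initContainer.image" }}{{- end }}` (and the same for `initResources`) turns that into a render-time failure; nothing in this diff adds one, though a check may exist in a file outside the patch. Separately, `.Values.initContainer.extraArgs` on the `{{- if … }}` line stays under the top-level `initContainer` key while image and resources moved to `admissionController.initContainer`, so the chart now carries two differently-scoped `initContainer` keys (the same split is visible in the `values.yaml` hunk at `-217,18`); moving `extraArgs` alongside them, or a comment in `values.yaml` saying why it stays, would avoid the confusion. The enclosing `spec:` block starts and ends outside the hunk.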
@@ -287,16 +275,6 @@ resources:
     cpu: 100m
     memory: 128Mi
 
-initResources:
-  # -- Pod resource limits
-  limits:
-    cpu: 100m
-    memory: 256Mi
-  # -- Pod resource requests
-  requests:
-    cpu: 10m
-    memory: 64Mi
-
 # -- Additional resources to be added to controller RBAC permissions.
 generatecontrollerExtraResources: []
 # - ResourceA
@@ -505,6 +483,30 @@ admissionController:
   sigstoreVolume:
     emptyDir: {}
 
+  initContainer:
+
+    image:
+      # -- Image registry
+      registry: ghcr.io
+      # -- Image repository
+      repository: kyverno/kyvernopre
+      # -- (string) Image tag
+      # If missing, defaults to image.tag
+      tag: ~
+      # -- (string) Image pull policy
+      # If missing, defaults to image.pullPolicy
+      pullPolicy: ~
+
+    resources:
+      # -- Pod resource limits
+      limits:
+        cpu: 100m
+        memory: 256Mi
+      # -- Pod resource requests
+      requests:
+        cpu: 10m
+        memory: 64Mi
+
 # Cleanup controller configuration
 cleanupController: