helm: add profiling support (#9338)

Signed-off-by: Khaled Emara <khaled.emara@nirmata.com>
2025-03-29 19:05:27 +00:00 · 2024-01-22 04:08:43 +02:00 · 2024-01-22 04:08:43 +02:00 · 566db3abfd
commit 566db3abfd
parent ea748276bb
12 changed files with 202 additions and 4 deletions
--- a/charts/kyverno/Chart.yaml
+++ b/charts/kyverno/Chart.yaml
@ -33,6 +33,8 @@ annotations:
      url: https://kyverno.io/docs
  # valid kinds are: added, changed, deprecated, removed, fixed and security
  artifacthub.io/changes: |
+    - kind: added
+      description: Add profiling support
    - kind: added
      description: Add global nodeSelector
    - kind: added
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@ -413,6 +413,10 @@ The chart values are organised per component.
 | admissionController.metering.port | int | `8000` | Prometheus endpoint port |
 | admissionController.metering.collector | string | `""` | Otel collector endpoint |
 | admissionController.metering.creds | string | `""` | Otel collector credentials |
+| admissionController.profiling.enabled | bool | `false` | Enable profiling |
+| admissionController.profiling.port | int | `6060` | Profiling endpoint port |
+| admissionController.profiling.serviceType | string | `"ClusterIP"` | Service type. |
+| admissionController.profiling.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. |

 ### Background controller

@ -481,6 +485,10 @@ The chart values are organised per component.
 | backgroundController.metering.port | int | `8000` | Prometheus endpoint port |
 | backgroundController.metering.collector | string | `""` | Otel collector endpoint |
 | backgroundController.metering.creds | string | `""` | Otel collector credentials |
+| backgroundController.profiling.enabled | bool | `false` | Enable profiling |
+| backgroundController.profiling.port | int | `6060` | Profiling endpoint port |
+| backgroundController.profiling.serviceType | string | `"ClusterIP"` | Service type. |
+| backgroundController.profiling.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. |

 ### Cleanup controller

@ -556,6 +564,10 @@ The chart values are organised per component.
 | cleanupController.metering.port | int | `8000` | Prometheus endpoint port |
 | cleanupController.metering.collector | string | `""` | Otel collector endpoint |
 | cleanupController.metering.creds | string | `""` | Otel collector credentials |
+| cleanupController.profiling.enabled | bool | `false` | Enable profiling |
+| cleanupController.profiling.port | int | `6060` | Profiling endpoint port |
+| cleanupController.profiling.serviceType | string | `"ClusterIP"` | Service type. |
+| cleanupController.profiling.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. |

 ### Reports controller

@ -627,6 +639,10 @@ The chart values are organised per component.
 | reportsController.metering.port | int | `8000` | Prometheus endpoint port |
 | reportsController.metering.collector | string | `nil` | Otel collector endpoint |
 | reportsController.metering.creds | string | `nil` | Otel collector credentials |
+| reportsController.profiling.enabled | bool | `false` | Enable profiling |
+| reportsController.profiling.port | int | `6060` | Profiling endpoint port |
+| reportsController.profiling.serviceType | string | `"ClusterIP"` | Service type. |
+| reportsController.profiling.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. |

 ### Grafana

--- a/charts/kyverno/templates/admission-controller/deployment.yaml
+++ b/charts/kyverno/templates/admission-controller/deployment.yaml
@ -175,6 +175,10 @@ spec:
            - --{{ $key }}={{ $value }}
            {{- end }}
            {{- end }}
+            {{ if .Values.admissionController.profiling.enabled }}
+            - --profile=true
+            - --profilePort={{ .Values.admissionController.profiling.port }}
+            {{- end }}
          {{- with .Values.admissionController.container.resources }}
          resources:
            {{- tpl (toYaml .) $ | nindent 12 }}
@ -190,6 +194,11 @@ spec:
          - containerPort: 8000
            name: metrics-port
            protocol: TCP
+          {{ if .Values.admissionController.profiling.enabled }}
+          - containerPort: {{ .Values.admissionController.profiling.port }}
+            name: profiling-port
+            protocol: TCP
+          {{- end }}
          env:
          - name: INIT_CONFIG
            value: {{ template "kyverno.config.configMapName" . }}
--- a/charts/kyverno/templates/admission-controller/service.yaml
+++ b/charts/kyverno/templates/admission-controller/service.yaml
@ -1,3 +1,4 @@
+---
 apiVersion: v1
 kind: Service
 metadata:
@ -20,8 +21,8 @@ spec:
  selector:
    {{- include "kyverno.admission-controller.matchLabels" . | nindent 4 }}
  type: {{ .Values.admissionController.service.type }}
---
 {{- if .Values.admissionController.metricsService.create }}
+---
 apiVersion: v1
 kind: Service
 metadata:
@ -45,3 +46,25 @@ spec:
    {{- include "kyverno.admission-controller.matchLabels" . | nindent 4 }}
  type: {{ .Values.admissionController.metricsService.type }}
 {{- end -}}
+{{- if .Values.admissionController.profiling.enabled }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "kyverno.admission-controller.serviceName" . }}-profiling
+  namespace: {{ template "kyverno.namespace" . }}
+  labels:
+    {{- include "kyverno.admission-controller.labels" . | nindent 4 }}
+spec:
+  ports:
+  - port: {{ .Values.admissionController.profiling.port }}
+    targetPort: {{ .Values.admissionController.profiling.port }}
+    protocol: TCP
+    name: profiling-port
+    {{- if and (eq .Values.admissionController.profiling.serviceType "NodePort") (not (empty .Values.admissionController.profiling.nodePort)) }}
+    nodePort: {{ .Values.admissionController.profiling.nodePort }}
+    {{- end }}
+  selector:
+    {{- include "kyverno.admission-controller.matchLabels" . | nindent 4 }}
+  type: {{ .Values.admissionController.profiling.serviceType }}
+{{- end -}}
--- a/charts/kyverno/templates/background-controller/deployment.yaml
+++ b/charts/kyverno/templates/background-controller/deployment.yaml
@ -29,7 +29,7 @@ spec:
      {{- end }}
    spec:
      {{- with .Values.backgroundController.imagePullSecrets }}
-      imagePullSecrets: 
+      imagePullSecrets:
        {{- tpl (toYaml .) $ | nindent 8 }}
      {{- end }}
      {{- with .Values.backgroundController.podSecurityContext }}
@ -86,6 +86,11 @@ spec:
          - containerPort: 8000
            name: metrics
            protocol: TCP
+          {{ if .Values.backgroundController.profiling.enabled }}
+          - containerPort: {{ .Values.backgroundController.profiling.port }}
+            name: profiling-port
+            protocol: TCP
+          {{- end }}
          args:
            {{- if .Values.backgroundController.tracing.enabled }}
            - --enableTracing
@ -121,6 +126,10 @@ spec:
            - --{{ $key }}={{ $value }}
            {{- end }}
            {{- end }}
+            {{ if .Values.backgroundController.profiling.enabled }}
+            - --profile=true
+            - --profilePort={{ .Values.backgroundController.profiling.port }}
+            {{- end }}
          env:
          - name: KYVERNO_SERVICEACCOUNT_NAME
            value: {{ template "kyverno.background-controller.serviceAccountName" . }}
--- a/charts/kyverno/templates/background-controller/service.yaml
+++ b/charts/kyverno/templates/background-controller/service.yaml
@ -1,5 +1,6 @@
 {{- if .Values.backgroundController.enabled -}}
 {{- if .Values.backgroundController.metricsService.create -}}
+---
 apiVersion: v1
 kind: Service
 metadata:
@ -25,3 +26,25 @@ spec:
  type: {{ .Values.backgroundController.metricsService.type }}
 {{- end -}}
 {{- end -}}
+{{- if .Values.backgroundController.profiling.enabled }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "kyverno.background-controller.name" . }}-profiling
+  namespace: {{ template "kyverno.namespace" . }}
+  labels:
+    {{- include "kyverno.background-controller.labels" . | nindent 4 }}
+spec:
+  ports:
+  - port: {{ .Values.backgroundController.profiling.port }}
+    targetPort: {{ .Values.backgroundController.profiling.port }}
+    protocol: TCP
+    name: profiling-port
+    {{- if and (eq .Values.backgroundController.profiling.serviceType "NodePort") (not (empty .Values.backgroundController.profiling.nodePort)) }}
+    nodePort: {{ .Values.backgroundController.profiling.nodePort }}
+    {{- end }}
+  selector:
+    {{- include "kyverno.background-controller.matchLabels" . | nindent 4 }}
+  type: {{ .Values.backgroundController.profiling.serviceType }}
+{{- end -}}
--- a/charts/kyverno/templates/cleanup-controller/deployment.yaml
+++ b/charts/kyverno/templates/cleanup-controller/deployment.yaml
@ -29,7 +29,7 @@ spec:
      {{- end }}
    spec:
      {{- with .Values.cleanupController.imagePullSecrets }}
-      imagePullSecrets: 
+      imagePullSecrets:
        {{- tpl (toYaml .) $ | nindent 8 }}
      {{- end }}
      {{- with .Values.cleanupController.podSecurityContext }}
@ -86,6 +86,11 @@ spec:
          - containerPort: 8000
            name: metrics
            protocol: TCP
+          {{ if .Values.cleanupController.profiling.enabled }}
+          - containerPort: {{ .Values.cleanupController.profiling.port }}
+            name: profiling-port
+            protocol: TCP
+          {{- end }}
          args:
            - --caSecretName={{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca
            - --tlsSecretName={{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair
@ -122,6 +127,10 @@ spec:
            - --{{ $key }}={{ $value }}
            {{- end }}
            {{- end }}
+            {{ if .Values.cleanupController.profiling.enabled }}
+            - --profile=true
+            - --profilePort={{ .Values.cleanupController.profiling.port }}
+            {{- end }}
          env:
          - name: KYVERNO_DEPLOYMENT
            value: {{ template "kyverno.cleanup-controller.name" . }}
--- a/charts/kyverno/templates/cleanup-controller/service.yaml
+++ b/charts/kyverno/templates/cleanup-controller/service.yaml
@ -1,4 +1,5 @@
 {{- if .Values.cleanupController.enabled -}}
+---
 apiVersion: v1
 kind: Service
 metadata:
@ -48,4 +49,26 @@ spec:
    {{- include "kyverno.cleanup-controller.matchLabels" . | nindent 4 }}
  type: {{ .Values.cleanupController.metricsService.type }}
 {{- end -}}
+{{- if .Values.cleanupController.profiling.enabled }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "kyverno.cleanup-controller.name" . }}-profiling
+  namespace: {{ template "kyverno.namespace" . }}
+  labels:
+    {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }}
+spec:
+  ports:
+  - port: {{ .Values.cleanupController.profiling.port }}
+    targetPort: {{ .Values.cleanupController.profiling.port }}
+    protocol: TCP
+    name: profiling-port
+    {{- if and (eq .Values.cleanupController.profiling.serviceType "NodePort") (not (empty .Values.cleanupController.profiling.nodePort)) }}
+    nodePort: {{ .Values.cleanupController.profiling.nodePort }}
+    {{- end }}
+  selector:
+    {{- include "kyverno.cleanup-controller.matchLabels" . | nindent 4 }}
+  type: {{ .Values.cleanupController.profiling.serviceType }}
+{{- end -}}
 {{- end -}}
--- a/charts/kyverno/templates/reports-controller/deployment.yaml
+++ b/charts/kyverno/templates/reports-controller/deployment.yaml
@ -29,7 +29,7 @@ spec:
      {{- end }}
    spec:
      {{- with .Values.reportsController.imagePullSecrets }}
-      imagePullSecrets: 
+      imagePullSecrets:
        {{- tpl (toYaml .) $ | nindent 8 }}
      {{- end }}
      {{- with .Values.reportsController.podSecurityContext }}
@ -86,6 +86,11 @@ spec:
          - containerPort: 8000
            name: metrics
            protocol: TCP
+          {{ if .Values.reportsController.profiling.enabled }}
+          - containerPort: {{ .Values.reportsController.profiling.port }}
+            name: profiling-port
+            protocol: TCP
+          {{- end }}
          args:
            {{- if .Values.reportsController.tracing.enabled }}
            - --enableTracing
@ -129,6 +134,10 @@ spec:
            - --{{ $key }}={{ $value }}
            {{- end }}
            {{- end }}
+            {{ if .Values.reportsController.profiling.enabled }}
+            - --profile=true
+            - --profilePort={{ .Values.reportsController.profiling.port }}
+            {{- end }}
          env:
          - name: KYVERNO_SERVICEACCOUNT_NAME
            value: {{ template "kyverno.reports-controller.serviceAccountName" . }}
--- a/charts/kyverno/templates/reports-controller/service.yaml
+++ b/charts/kyverno/templates/reports-controller/service.yaml
@ -1,5 +1,6 @@
 {{- if .Values.reportsController.enabled -}}
 {{- if .Values.reportsController.metricsService.create -}}
+---
 apiVersion: v1
 kind: Service
 metadata:
@ -25,3 +26,25 @@ spec:
  type: {{ .Values.reportsController.metricsService.type }}
 {{- end -}}
 {{- end -}}
+{{- if .Values.reportsController.profiling.enabled }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "kyverno.reports-controller.name" . }}-profiling
+  namespace: {{ template "kyverno.namespace" . }}
+  labels:
+    {{- include "kyverno.reports-controller.labels" . | nindent 4 }}
+spec:
+  ports:
+  - port: {{ .Values.reportsController.profiling.port }}
+    targetPort: {{ .Values.reportsController.profiling.port }}
+    protocol: TCP
+    name: profiling-port
+    {{- if and (eq .Values.reportsController.profiling.serviceType "NodePort") (not (empty .Values.reportsController.profiling.nodePort)) }}
+    nodePort: {{ .Values.reportsController.profiling.nodePort }}
+    {{- end }}
+  selector:
+    {{- include "kyverno.reports-controller.matchLabels" . | nindent 4 }}
+  type: {{ .Values.reportsController.profiling.serviceType }}
+{{- end -}}
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@ -1166,6 +1166,17 @@ admissionController:
    # -- Otel collector credentials
    creds: ''

+  profiling:
+    # -- Enable profiling
+    enabled: false
+    # -- Profiling endpoint port
+    port: 6060
+    # -- Service type.
+    serviceType: ClusterIP
+    # -- Service node port.
+    # Only used if `type` is `NodePort`.
+    nodePort:
+
 # Background controller configuration
 backgroundController:

@ -1454,6 +1465,17 @@ backgroundController:
    # -- Otel collector credentials
    creds: ''

+  profiling:
+    # -- Enable profiling
+    enabled: false
+    # -- Profiling endpoint port
+    port: 6060
+    # -- Service type.
+    serviceType: ClusterIP
+    # -- Service node port.
+    # Only used if `type` is `NodePort`.
+    nodePort:
+
 # Cleanup controller configuration
 cleanupController:

@ -1749,6 +1771,17 @@ cleanupController:
    # -- Otel collector credentials
    creds: ''

+  profiling:
+    # -- Enable profiling
+    enabled: false
+    # -- Profiling endpoint port
+    port: 6060
+    # -- Service type.
+    serviceType: ClusterIP
+    # -- Service node port.
+    # Only used if `type` is `NodePort`.
+    nodePort:
+
 # Reports controller configuration
 reportsController:

@ -2010,3 +2043,14 @@ reportsController:
    collector: ~
    # -- (string) Otel collector credentials
    creds: ~
+
+  profiling:
+    # -- Enable profiling
+    enabled: false
+    # -- Profiling endpoint port
+    port: 6060
+    # -- Service type.
+    serviceType: ClusterIP
+    # -- Service node port.
+    # Only used if `type` is `NodePort`.
+    nodePort:
--- a/config/install-latest-testing.yaml
+++ b/config/install-latest-testing.yaml
@ -50323,6 +50323,7 @@ spec:
            - --protectManagedResources=false
            - --allowInsecureRegistry=false
            - --registryCredentialHelpers=default,google,amazon,azure,github
+            
          resources:
            limits:
              memory: 384Mi
@ -50346,6 +50347,7 @@ spec:
          - containerPort: 8000
            name: metrics-port
            protocol: TCP
+          
          env:
          - name: INIT_CONFIG
            value: kyverno
@ -50458,6 +50460,7 @@ spec:
          - containerPort: 8000
            name: metrics
            protocol: TCP
+          
          args:
            - --disableMetrics=false
            - --otelConfig=prometheus
@ -50467,6 +50470,7 @@ spec:
            - --loggingFormat=text
            - --v=2
            - --enablePolicyException=true
+            
          env:
          - name: KYVERNO_SERVICEACCOUNT_NAME
            value: kyverno-background-controller
@ -50557,6 +50561,7 @@ spec:
          - containerPort: 8000
            name: metrics
            protocol: TCP
+          
          args:
            - --caSecretName=kyverno-cleanup-controller.kyverno.svc.kyverno-tls-ca
            - --tlsSecretName=kyverno-cleanup-controller.kyverno.svc.kyverno-tls-pair
@ -50571,6 +50576,7 @@ spec:
            - --loggingFormat=text
            - --v=2
            - --ttlReconciliationInterval=1m
+            
          env:
          - name: KYVERNO_DEPLOYMENT
            value: kyverno-cleanup-controller
@ -50691,6 +50697,7 @@ spec:
          - containerPort: 8000
            name: metrics
            protocol: TCP
+          
          args:
            - --disableMetrics=false
            - --otelConfig=prometheus
@ -50711,6 +50718,7 @@ spec:
            - --reportsChunkSize=1000
            - --allowInsecureRegistry=false
            - --registryCredentialHelpers=default,google,amazon,azure,github
+            
          env:
          - name: KYVERNO_SERVICEACCOUNT_NAME
            value: kyverno-reports-controller