helm: add profiling support (#9338)

Signed-off-by: Khaled Emara <khaled.emara@nirmata.com>

charts/kyverno/Chart.yaml

@@ -33,6 +33,8 @@ annotations:
       url: https://kyverno.io/docs
   # valid kinds are: added, changed, deprecated, removed, fixed and security
   artifacthub.io/changes: |
+    - kind: added
+      description: Add profiling support
     - kind: added
       description: Add global nodeSelector
     - kind: added

charts/kyverno/README.md

@@ -413,6 +413,10 @@ The chart values are organised per component.
 | admissionController.metering.port | int | `8000` | Prometheus endpoint port |
 | admissionController.metering.collector | string | `""` | Otel collector endpoint |
 | admissionController.metering.creds | string | `""` | Otel collector credentials |
+| admissionController.profiling.enabled | bool | `false` | Enable profiling |
+| admissionController.profiling.port | int | `6060` | Profiling endpoint port |
+| admissionController.profiling.serviceType | string | `"ClusterIP"` | Service type. |
+| admissionController.profiling.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. |
 
 ### Background controller
 
@@ -481,6 +485,10 @@ The chart values are organised per component.
 | backgroundController.metering.port | int | `8000` | Prometheus endpoint port |
 | backgroundController.metering.collector | string | `""` | Otel collector endpoint |
 | backgroundController.metering.creds | string | `""` | Otel collector credentials |
+| backgroundController.profiling.enabled | bool | `false` | Enable profiling |
+| backgroundController.profiling.port | int | `6060` | Profiling endpoint port |
+| backgroundController.profiling.serviceType | string | `"ClusterIP"` | Service type. |
+| backgroundController.profiling.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. |
 
 ### Cleanup controller
 
@@ -556,6 +564,10 @@ The chart values are organised per component.
 | cleanupController.metering.port | int | `8000` | Prometheus endpoint port |
 | cleanupController.metering.collector | string | `""` | Otel collector endpoint |
 | cleanupController.metering.creds | string | `""` | Otel collector credentials |
+| cleanupController.profiling.enabled | bool | `false` | Enable profiling |
+| cleanupController.profiling.port | int | `6060` | Profiling endpoint port |
+| cleanupController.profiling.serviceType | string | `"ClusterIP"` | Service type. |
+| cleanupController.profiling.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. |
 
 ### Reports controller
 
@@ -627,6 +639,10 @@ The chart values are organised per component.
 | reportsController.metering.port | int | `8000` | Prometheus endpoint port |
 | reportsController.metering.collector | string | `nil` | Otel collector endpoint |
 | reportsController.metering.creds | string | `nil` | Otel collector credentials |
+| reportsController.profiling.enabled | bool | `false` | Enable profiling |
+| reportsController.profiling.port | int | `6060` | Profiling endpoint port |
+| reportsController.profiling.serviceType | string | `"ClusterIP"` | Service type. |
+| reportsController.profiling.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. |
 
 ### Grafana
 

charts/kyverno/templates/admission-controller/deployment.yaml

@@ -175,6 +175,10 @@ spec:
             - --{{ $key }}={{ $value }}
             {{- end }}
             {{- end }}
+            {{ if .Values.admissionController.profiling.enabled }}
+            - --profile=true
+            - --profilePort={{ .Values.admissionController.profiling.port }}
+            {{- end }}
           {{- with .Values.admissionController.container.resources }}
           resources:
             {{- tpl (toYaml .) $ | nindent 12 }}
@@ -190,6 +194,11 @@ spec:
           - containerPort: 8000
             name: metrics-port
             protocol: TCP
+          {{ if .Values.admissionController.profiling.enabled }}
+          - containerPort: {{ .Values.admissionController.profiling.port }}
+            name: profiling-port
+            protocol: TCP
+          {{- end }}
           env:
           - name: INIT_CONFIG
             value: {{ template "kyverno.config.configMapName" . }}

charts/kyverno/templates/admission-controller/service.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: v1
 kind: Service
 metadata:
@@ -20,8 +21,8 @@ spec:
   selector:
     {{- include "kyverno.admission-controller.matchLabels" . | nindent 4 }}
   type: {{ .Values.admissionController.service.type }}
----
 {{- if .Values.admissionController.metricsService.create }}
+---
 apiVersion: v1
 kind: Service
 metadata:
@@ -45,3 +46,25 @@ spec:
     {{- include "kyverno.admission-controller.matchLabels" . | nindent 4 }}
   type: {{ .Values.admissionController.metricsService.type }}
 {{- end -}}
+{{- if .Values.admissionController.profiling.enabled }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "kyverno.admission-controller.serviceName" . }}-profiling
+  namespace: {{ template "kyverno.namespace" . }}
+  labels:
+    {{- include "kyverno.admission-controller.labels" . | nindent 4 }}
+spec:
+  ports:
+  - port: {{ .Values.admissionController.profiling.port }}
+    targetPort: {{ .Values.admissionController.profiling.port }}
+    protocol: TCP
+    name: profiling-port
+    {{- if and (eq .Values.admissionController.profiling.serviceType "NodePort") (not (empty .Values.admissionController.profiling.nodePort)) }}
+    nodePort: {{ .Values.admissionController.profiling.nodePort }}
+    {{- end }}
+  selector:
+    {{- include "kyverno.admission-controller.matchLabels" . | nindent 4 }}
+  type: {{ .Values.admissionController.profiling.serviceType }}
+{{- end -}}

charts/kyverno/templates/background-controller/deployment.yaml

@@ -29,7 +29,7 @@ spec:
       {{- end }}
     spec:
       {{- with .Values.backgroundController.imagePullSecrets }}
-      imagePullSecrets: 
+      imagePullSecrets:
         {{- tpl (toYaml .) $ | nindent 8 }}
       {{- end }}
       {{- with .Values.backgroundController.podSecurityContext }}
@@ -86,6 +86,11 @@ spec:
           - containerPort: 8000
             name: metrics
             protocol: TCP
+          {{ if .Values.backgroundController.profiling.enabled }}
+          - containerPort: {{ .Values.backgroundController.profiling.port }}
+            name: profiling-port
+            protocol: TCP
+          {{- end }}
           args:
             {{- if .Values.backgroundController.tracing.enabled }}
             - --enableTracing
@@ -121,6 +126,10 @@ spec:
             - --{{ $key }}={{ $value }}
             {{- end }}
             {{- end }}
+            {{ if .Values.backgroundController.profiling.enabled }}
+            - --profile=true
+            - --profilePort={{ .Values.backgroundController.profiling.port }}
+            {{- end }}
           env:
           - name: KYVERNO_SERVICEACCOUNT_NAME
             value: {{ template "kyverno.background-controller.serviceAccountName" . }}

charts/kyverno/templates/background-controller/service.yaml

@@ -1,5 +1,6 @@
 {{- if .Values.backgroundController.enabled -}}
 {{- if .Values.backgroundController.metricsService.create -}}
+---
 apiVersion: v1
 kind: Service
 metadata:
@@ -25,3 +26,25 @@ spec:
   type: {{ .Values.backgroundController.metricsService.type }}
 {{- end -}}
 {{- end -}}
+{{- if .Values.backgroundController.profiling.enabled }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "kyverno.background-controller.name" . }}-profiling
+  namespace: {{ template "kyverno.namespace" . }}
+  labels:
+    {{- include "kyverno.background-controller.labels" . | nindent 4 }}
+spec:
+  ports:
+  - port: {{ .Values.backgroundController.profiling.port }}
+    targetPort: {{ .Values.backgroundController.profiling.port }}
+    protocol: TCP
+    name: profiling-port
+    {{- if and (eq .Values.backgroundController.profiling.serviceType "NodePort") (not (empty .Values.backgroundController.profiling.nodePort)) }}
+    nodePort: {{ .Values.backgroundController.profiling.nodePort }}
+    {{- end }}
+  selector:
+    {{- include "kyverno.background-controller.matchLabels" . | nindent 4 }}
+  type: {{ .Values.backgroundController.profiling.serviceType }}
+{{- end -}}

charts/kyverno/templates/cleanup-controller/deployment.yaml

@@ -29,7 +29,7 @@ spec:
       {{- end }}
     spec:
       {{- with .Values.cleanupController.imagePullSecrets }}
-      imagePullSecrets: 
+      imagePullSecrets:
         {{- tpl (toYaml .) $ | nindent 8 }}
       {{- end }}
       {{- with .Values.cleanupController.podSecurityContext }}
@@ -86,6 +86,11 @@ spec:
           - containerPort: 8000
             name: metrics
             protocol: TCP
+          {{ if .Values.cleanupController.profiling.enabled }}
+          - containerPort: {{ .Values.cleanupController.profiling.port }}
+            name: profiling-port
+            protocol: TCP
+          {{- end }}
           args:
             - --caSecretName={{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca
             - --tlsSecretName={{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair
@@ -122,6 +127,10 @@ spec:
             - --{{ $key }}={{ $value }}
             {{- end }}
             {{- end }}
+            {{ if .Values.cleanupController.profiling.enabled }}
+            - --profile=true
+            - --profilePort={{ .Values.cleanupController.profiling.port }}
+            {{- end }}
           env:
           - name: KYVERNO_DEPLOYMENT
             value: {{ template "kyverno.cleanup-controller.name" . }}

charts/kyverno/templates/cleanup-controller/service.yaml

@@ -1,4 +1,5 @@
 {{- if .Values.cleanupController.enabled -}}
+---
 apiVersion: v1
 kind: Service
 metadata:
@@ -48,4 +49,26 @@ spec:
     {{- include "kyverno.cleanup-controller.matchLabels" . | nindent 4 }}
   type: {{ .Values.cleanupController.metricsService.type }}
 {{- end -}}
+{{- if .Values.cleanupController.profiling.enabled }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "kyverno.cleanup-controller.name" . }}-profiling
+  namespace: {{ template "kyverno.namespace" . }}
+  labels:
+    {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }}
+spec:
+  ports:
+  - port: {{ .Values.cleanupController.profiling.port }}
+    targetPort: {{ .Values.cleanupController.profiling.port }}
+    protocol: TCP
+    name: profiling-port
+    {{- if and (eq .Values.cleanupController.profiling.serviceType "NodePort") (not (empty .Values.cleanupController.profiling.nodePort)) }}
+    nodePort: {{ .Values.cleanupController.profiling.nodePort }}
+    {{- end }}
+  selector:
+    {{- include "kyverno.cleanup-controller.matchLabels" . | nindent 4 }}
+  type: {{ .Values.cleanupController.profiling.serviceType }}
+{{- end -}}
 {{- end -}}

charts/kyverno/templates/reports-controller/deployment.yaml

@@ -29,7 +29,7 @@ spec:
       {{- end }}
     spec:
       {{- with .Values.reportsController.imagePullSecrets }}
-      imagePullSecrets: 
+      imagePullSecrets:
         {{- tpl (toYaml .) $ | nindent 8 }}
       {{- end }}
       {{- with .Values.reportsController.podSecurityContext }}
@@ -86,6 +86,11 @@ spec:
           - containerPort: 8000
             name: metrics
             protocol: TCP
+          {{ if .Values.reportsController.profiling.enabled }}
+          - containerPort: {{ .Values.reportsController.profiling.port }}
+            name: profiling-port
+            protocol: TCP
+          {{- end }}
           args:
             {{- if .Values.reportsController.tracing.enabled }}
             - --enableTracing
@@ -129,6 +134,10 @@ spec:
             - --{{ $key }}={{ $value }}
             {{- end }}
             {{- end }}
+            {{ if .Values.reportsController.profiling.enabled }}
+            - --profile=true
+            - --profilePort={{ .Values.reportsController.profiling.port }}
+            {{- end }}
           env:
           - name: KYVERNO_SERVICEACCOUNT_NAME
             value: {{ template "kyverno.reports-controller.serviceAccountName" . }}

charts/kyverno/templates/reports-controller/service.yaml

@@ -1,5 +1,6 @@
 {{- if .Values.reportsController.enabled -}}
 {{- if .Values.reportsController.metricsService.create -}}
+---
 apiVersion: v1
 kind: Service
 metadata:
@@ -25,3 +26,25 @@ spec:
   type: {{ .Values.reportsController.metricsService.type }}
 {{- end -}}
 {{- end -}}
+{{- if .Values.reportsController.profiling.enabled }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "kyverno.reports-controller.name" . }}-profiling
+  namespace: {{ template "kyverno.namespace" . }}
+  labels:
+    {{- include "kyverno.reports-controller.labels" . | nindent 4 }}
+spec:
+  ports:
+  - port: {{ .Values.reportsController.profiling.port }}
+    targetPort: {{ .Values.reportsController.profiling.port }}
+    protocol: TCP
+    name: profiling-port
+    {{- if and (eq .Values.reportsController.profiling.serviceType "NodePort") (not (empty .Values.reportsController.profiling.nodePort)) }}
+    nodePort: {{ .Values.reportsController.profiling.nodePort }}
+    {{- end }}
+  selector:
+    {{- include "kyverno.reports-controller.matchLabels" . | nindent 4 }}
+  type: {{ .Values.reportsController.profiling.serviceType }}
+{{- end -}}

charts/kyverno/values.yaml

@@ -1166,6 +1166,17 @@ admissionController:
     # -- Otel collector credentials
     creds: ''
 
+  profiling:
+    # -- Enable profiling
+    enabled: false
+    # -- Profiling endpoint port
+    port: 6060
+    # -- Service type.
+    serviceType: ClusterIP
+    # -- Service node port.
+    # Only used if `type` is `NodePort`.
+    nodePort:
+
 # Background controller configuration
 backgroundController:
 
@@ -1454,6 +1465,17 @@ backgroundController:
     # -- Otel collector credentials
     creds: ''
 
+  profiling:
+    # -- Enable profiling
+    enabled: false
+    # -- Profiling endpoint port
+    port: 6060
+    # -- Service type.
+    serviceType: ClusterIP
+    # -- Service node port.
+    # Only used if `type` is `NodePort`.
+    nodePort:
+
 # Cleanup controller configuration
 cleanupController:
 
@@ -1749,6 +1771,17 @@ cleanupController:
     # -- Otel collector credentials
     creds: ''
 
+  profiling:
+    # -- Enable profiling
+    enabled: false
+    # -- Profiling endpoint port
+    port: 6060
+    # -- Service type.
+    serviceType: ClusterIP
+    # -- Service node port.
+    # Only used if `type` is `NodePort`.
+    nodePort:
+
 # Reports controller configuration
 reportsController:
 
@@ -2010,3 +2043,14 @@ reportsController:
     collector: ~
     # -- (string) Otel collector credentials
     creds: ~
+
+  profiling:
+    # -- Enable profiling
+    enabled: false
+    # -- Profiling endpoint port
+    port: 6060
+    # -- Service type.
+    serviceType: ClusterIP
+    # -- Service node port.
+    # Only used if `type` is `NodePort`.
+    nodePort:

config/install-latest-testing.yaml

@@ -50323,6 +50323,7 @@ spec:
             - --protectManagedResources=false
             - --allowInsecureRegistry=false
             - --registryCredentialHelpers=default,google,amazon,azure,github
+            
           resources:
             limits:
               memory: 384Mi
@@ -50346,6 +50347,7 @@ spec:
           - containerPort: 8000
             name: metrics-port
             protocol: TCP
+          
           env:
           - name: INIT_CONFIG
             value: kyverno
@@ -50458,6 +50460,7 @@ spec:
           - containerPort: 8000
             name: metrics
             protocol: TCP
+          
           args:
             - --disableMetrics=false
             - --otelConfig=prometheus
@@ -50467,6 +50470,7 @@ spec:
             - --loggingFormat=text
             - --v=2
             - --enablePolicyException=true
+            
           env:
           - name: KYVERNO_SERVICEACCOUNT_NAME
             value: kyverno-background-controller
@@ -50557,6 +50561,7 @@ spec:
           - containerPort: 8000
             name: metrics
             protocol: TCP
+          
           args:
             - --caSecretName=kyverno-cleanup-controller.kyverno.svc.kyverno-tls-ca
             - --tlsSecretName=kyverno-cleanup-controller.kyverno.svc.kyverno-tls-pair
@@ -50571,6 +50576,7 @@ spec:
             - --loggingFormat=text
             - --v=2
             - --ttlReconciliationInterval=1m
+            
           env:
           - name: KYVERNO_DEPLOYMENT
             value: kyverno-cleanup-controller
@@ -50691,6 +50697,7 @@ spec:
           - containerPort: 8000
             name: metrics
             protocol: TCP
+          
           args:
             - --disableMetrics=false
             - --otelConfig=prometheus
@@ -50711,6 +50718,7 @@ spec:
             - --reportsChunkSize=1000
             - --allowInsecureRegistry=false
             - --registryCredentialHelpers=default,google,amazon,azure,github
+            
           env:
           - name: KYVERNO_SERVICEACCOUNT_NAME
             value: kyverno-reports-controller