fix: add tolerations and affinity to the post-upgrate hook (#9156) (#9164)

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

charts/kyverno/Chart.yaml

@@ -77,6 +77,8 @@ annotations:
       description: added TUF flags for custom sigstore deployments
     - kind: fixed
       description: Fix Helm chart to not error when replicas defined
+    - kind: added
+      description: allow tolerations and affinity settings for reportsCleanup
 dependencies:
   - name: grafana
     version: "0.0.0"

charts/kyverno/README.md

@@ -722,6 +722,10 @@ The chart values are organised per component.
 | policyReportsCleanup.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted |
 | policyReportsCleanup.podSecurityContext | object | `{}` | Security context for the pod |
 | policyReportsCleanup.nodeSelector | object | `{}` | Node labels for pod assignment |
+| policyReportsCleanup.tolerations | list | `[]` | List of node taints to tolerate |
+| policyReportsCleanup.podAntiAffinity | object | `{}` | Pod anti affinity constraints. |
+| policyReportsCleanup.podAffinity | object | `{}` | Pod affinity constraints. |
+| policyReportsCleanup.nodeAffinity | object | `{}` | Node affinity constraints. |
 | policyReportsCleanup.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the hook containers |
 
 ## TLS Configuration

charts/kyverno/templates/hooks/post-upgrade.yaml

@@ -54,9 +54,28 @@ spec:
           securityContext:
             {{- toYaml . | nindent 12 }}
           {{- end }}
+      {{- with .Values.policyReportsCleanup.tolerations }}
+      tolerations:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
       {{- with .Values.policyReportsCleanup.nodeSelector }}
       nodeSelector:
         {{- tpl (toYaml .) $ | nindent 8 }}
       {{- end }}
+      {{- if or .Values.policyReportsCleanup.podAntiAffinity .Values.policyReportsCleanup.podAffinity .Values.policyReportsCleanup.nodeAffinity }}
+      affinity:
+        {{- with .Values.policyReportsCleanup.podAntiAffinity }}
+        podAntiAffinity:
+          {{- tpl (toYaml .) $ | nindent 10 }}
+        {{- end }}
+        {{- with .Values.policyReportsCleanup.podAffinity }}
+        podAffinity:
+          {{- tpl (toYaml .) $ | nindent 10 }}
+        {{- end }}
+        {{- with .Values.policyReportsCleanup.nodeAffinity }}
+        nodeAffinity:
+          {{- tpl (toYaml .) $ | nindent 10 }}
+        {{- end }}
+      {{- end }}
   {{- end -}}
 {{- end -}}

charts/kyverno/values.yaml

@@ -397,6 +397,18 @@ policyReportsCleanup:
   # -- Node labels for pod assignment
   nodeSelector: {}
 
+  # -- List of node taints to tolerate
+  tolerations: []
+
+  # -- Pod anti affinity constraints.
+  podAntiAffinity: {}
+
+  # -- Pod affinity constraints.
+  podAffinity: {}
+
+  # -- Node affinity constraints.
+  nodeAffinity: {}
+
   # -- Security context for the hook containers
   securityContext:
     runAsUser: 65534