fix: add tolerations and affinity to the post-upgrate hook (#9156) (#9164)

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2024-12-14 11:57:48 +00:00 · 2023-12-15 16:00:51 +02:00 · 2023-12-15 16:00:51 +02:00 · c073f7c2ba
commit c073f7c2ba
parent d3d0eb354f
4 changed files with 37 additions and 0 deletions
--- a/charts/kyverno/Chart.yaml
+++ b/charts/kyverno/Chart.yaml
@ -77,6 +77,8 @@ annotations:
      description: added TUF flags for custom sigstore deployments
    - kind: fixed
      description: Fix Helm chart to not error when replicas defined
+    - kind: added
+      description: allow tolerations and affinity settings for reportsCleanup
 dependencies:
  - name: grafana
    version: "0.0.0"
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@ -722,6 +722,10 @@ The chart values are organised per component.
 | policyReportsCleanup.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted |
 | policyReportsCleanup.podSecurityContext | object | `{}` | Security context for the pod |
 | policyReportsCleanup.nodeSelector | object | `{}` | Node labels for pod assignment |
+| policyReportsCleanup.tolerations | list | `[]` | List of node taints to tolerate |
+| policyReportsCleanup.podAntiAffinity | object | `{}` | Pod anti affinity constraints. |
+| policyReportsCleanup.podAffinity | object | `{}` | Pod affinity constraints. |
+| policyReportsCleanup.nodeAffinity | object | `{}` | Node affinity constraints. |
 | policyReportsCleanup.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the hook containers |

 ## TLS Configuration
--- a/charts/kyverno/templates/hooks/post-upgrade.yaml
+++ b/charts/kyverno/templates/hooks/post-upgrade.yaml
@ -54,9 +54,28 @@ spec:
          securityContext:
            {{- toYaml . | nindent 12 }}
          {{- end }}
+      {{- with .Values.policyReportsCleanup.tolerations }}
+      tolerations:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
      {{- with .Values.policyReportsCleanup.nodeSelector }}
      nodeSelector:
        {{- tpl (toYaml .) $ | nindent 8 }}
      {{- end }}
+      {{- if or .Values.policyReportsCleanup.podAntiAffinity .Values.policyReportsCleanup.podAffinity .Values.policyReportsCleanup.nodeAffinity }}
+      affinity:
+        {{- with .Values.policyReportsCleanup.podAntiAffinity }}
+        podAntiAffinity:
+          {{- tpl (toYaml .) $ | nindent 10 }}
+        {{- end }}
+        {{- with .Values.policyReportsCleanup.podAffinity }}
+        podAffinity:
+          {{- tpl (toYaml .) $ | nindent 10 }}
+        {{- end }}
+        {{- with .Values.policyReportsCleanup.nodeAffinity }}
+        nodeAffinity:
+          {{- tpl (toYaml .) $ | nindent 10 }}
+        {{- end }}
+      {{- end }}
  {{- end -}}
 {{- end -}}
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@ -397,6 +397,18 @@ policyReportsCleanup:
  # -- Node labels for pod assignment
  nodeSelector: {}

+  # -- List of node taints to tolerate
+  tolerations: []
+
+  # -- Pod anti affinity constraints.
+  podAntiAffinity: {}
+
+  # -- Pod affinity constraints.
+  podAffinity: {}
+
+  # -- Node affinity constraints.
+  nodeAffinity: {}
+
  # -- Security context for the hook containers
  securityContext:
    runAsUser: 65534