From 01b3a82ee23ba803782d0d93a35dae5e1db1afaa Mon Sep 17 00:00:00 2001 From: Timofei Larkin Date: Tue, 1 Apr 2025 20:47:18 +0400 Subject: [PATCH] [linstor] Introduce Reloader to automatically reload certificates (#715) * Add stakater/Reloader to the storage-enabled bundles. * Add annotations to Linstor components to reload when secrets change. Closes #456 ## Summary by CodeRabbit - **New Features** - Introduced a new reloader component that triggers automatic rolling updates when configuration or secret changes are detected. - Delivered a fully customizable Helm chart and configuration schema, including a reload strategy based on annotations for enhanced deployment control. - **Tests** - Added test cases to validate container security settings and environment variable propagation, ensuring robust high-availability configurations. 
Signed-off-by: Timofei Larkin --- .../core/platform/bundles/distro-full.yaml | 5 + packages/core/platform/bundles/paas-full.yaml | 5 + .../system/linstor/templates/cluster.yaml | 11 + .../templates/plunger/configmap-scripts.yaml | 6 +- .../templates/satellites-reloader.yaml | 18 + packages/system/reloader/Chart.yaml | 3 + packages/system/reloader/Makefile | 10 + .../reloader/charts/reloader/.helmignore | 2 + .../reloader/charts/reloader/Chart.yaml | 19 + .../charts/reloader/templates/NOTES.txt | 7 + .../charts/reloader/templates/_helpers.tpl | 65 ++++ .../reloader/templates/clusterrole.yaml | 112 ++++++ .../templates/clusterrolebinding.yaml | 28 ++ .../charts/reloader/templates/deployment.yaml | 300 +++++++++++++++ .../reloader/templates/networkpolicy.yaml | 39 ++ .../templates/poddisruptionbudget.yaml | 17 + .../charts/reloader/templates/podmonitor.yaml | 60 +++ .../charts/reloader/templates/role.yaml | 103 ++++++ .../reloader/templates/rolebinding.yaml | 29 ++ .../charts/reloader/templates/secret.yaml | 21 ++ .../charts/reloader/templates/service.yaml | 30 ++ .../reloader/templates/serviceaccount.yaml | 26 ++ .../reloader/templates/servicemonitor.yaml | 60 +++ .../templates/verticalpodautoscaler.yaml | 40 ++ .../reloader/tests/deployment_test.yaml | 63 ++++ .../charts/reloader/values.schema.json | 19 + .../reloader/charts/reloader/values.yaml | 342 ++++++++++++++++++ packages/system/reloader/values.yaml | 3 + 28 files changed, 1438 insertions(+), 5 deletions(-) create mode 100644 packages/system/linstor/templates/satellites-reloader.yaml create mode 100644 packages/system/reloader/Chart.yaml create mode 100644 packages/system/reloader/Makefile create mode 100644 packages/system/reloader/charts/reloader/.helmignore create mode 100644 packages/system/reloader/charts/reloader/Chart.yaml create mode 100644 packages/system/reloader/charts/reloader/templates/NOTES.txt create mode 100644 packages/system/reloader/charts/reloader/templates/_helpers.tpl create mode 100644 
packages/system/reloader/charts/reloader/templates/clusterrole.yaml create mode 100644 packages/system/reloader/charts/reloader/templates/clusterrolebinding.yaml create mode 100644 packages/system/reloader/charts/reloader/templates/deployment.yaml create mode 100644 packages/system/reloader/charts/reloader/templates/networkpolicy.yaml create mode 100644 packages/system/reloader/charts/reloader/templates/poddisruptionbudget.yaml create mode 100644 packages/system/reloader/charts/reloader/templates/podmonitor.yaml create mode 100644 packages/system/reloader/charts/reloader/templates/role.yaml create mode 100644 packages/system/reloader/charts/reloader/templates/rolebinding.yaml create mode 100644 packages/system/reloader/charts/reloader/templates/secret.yaml create mode 100644 packages/system/reloader/charts/reloader/templates/service.yaml create mode 100644 packages/system/reloader/charts/reloader/templates/serviceaccount.yaml create mode 100644 packages/system/reloader/charts/reloader/templates/servicemonitor.yaml create mode 100644 packages/system/reloader/charts/reloader/templates/verticalpodautoscaler.yaml create mode 100644 packages/system/reloader/charts/reloader/tests/deployment_test.yaml create mode 100644 packages/system/reloader/charts/reloader/values.schema.json create mode 100644 packages/system/reloader/charts/reloader/values.yaml create mode 100644 packages/system/reloader/values.yaml diff --git a/packages/core/platform/bundles/distro-full.yaml b/packages/core/platform/bundles/distro-full.yaml index d44eb3df..05a23963 100644 --- a/packages/core/platform/bundles/distro-full.yaml +++ b/packages/core/platform/bundles/distro-full.yaml @@ -218,3 +218,8 @@ releases: privileged: true optional: true dependsOn: [cilium] + +- name: reloader + releaseName: reloader + chart: cozy-reloader + namespace: cozy-reloader diff --git a/packages/core/platform/bundles/paas-full.yaml b/packages/core/platform/bundles/paas-full.yaml index 7bf3c977..42133a73 100644 
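Review bot: The new `reloader` release entry installs the vendored chart with its default RBAC, and clusterrole.yaml in this same patch grants list/get/watch on every Secret and ConfigMap cluster-wide whenever `watchGlobally` is set, so this bundle line effectively adds a cluster-wide secret reader even though the only consumer introduced here is cozy-linstor. The package's own values.yaml is at the end of this patch and not in view, so I cannot tell whether `namespaceSelector` or `ignoreNamespaces` narrows that scope; if it does not, either scope it or state the intended scope next to the entry, e.g. `# Reloader watches Secrets/ConfigMaps cluster-wide (ClusterRole); cozy-linstor relies on it to roll pods on cert rotation`. The same entry is added to paas-full.yaml in the next hunk and the same note applies there. No `dependsOn` is needed, since the Linstor annotations are inert until Reloader is running, but that is worth saying in the comment too.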
--- a/packages/core/platform/bundles/paas-full.yaml +++ b/packages/core/platform/bundles/paas-full.yaml @@ -380,3 +380,8 @@ releases: namespace: cozy-vertical-pod-autoscaler privileged: true dependsOn: [monitoring-agents] + +- name: reloader + releaseName: reloader + chart: cozy-reloader + namespace: cozy-reloader diff --git a/packages/system/linstor/templates/cluster.yaml b/packages/system/linstor/templates/cluster.yaml index fffb170d..4db670f5 100644 --- a/packages/system/linstor/templates/cluster.yaml +++ b/packages/system/linstor/templates/cluster.yaml @@ -43,3 +43,14 @@ spec: configMap: name: linstor-plunger defaultMode: 0755 + patches: + - target: + group: apps + version: v1 + kind: Deployment + patch: | + apiVersion: apps/v1 + kind: Deployment + metadata: + annotations: + secret.reloader.stakater.com/auto: "true" diff --git a/packages/system/linstor/templates/plunger/configmap-scripts.yaml b/packages/system/linstor/templates/plunger/configmap-scripts.yaml index 9b5754ba..7dc72ef5 100644 --- a/packages/system/linstor/templates/plunger/configmap-scripts.yaml +++ b/packages/system/linstor/templates/plunger/configmap-scripts.yaml @@ -6,8 +6,4 @@ kind: ConfigMap metadata: name: linstor-plunger namespace: cozy-linstor -data: -{{- range $path, $file := $files }} - {{ $path | base }}: | - {{- $file | toString | nindent 4 }} -{{- end -}} +data: {{- $files.AsConfig | nindent 2 }} diff --git a/packages/system/linstor/templates/satellites-reloader.yaml b/packages/system/linstor/templates/satellites-reloader.yaml new file mode 100644 index 00000000..98ee5429 --- /dev/null +++ b/packages/system/linstor/templates/satellites-reloader.yaml 
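Review bot: The patch appended to the LinstorCluster has no `name` in its target, so the `secret.reloader.stakater.com/auto` annotation is applied to every Deployment the operator manages, and Reloader will then roll each of them whenever any Secret they reference changes, not only on certificate rotation; that reads as intended but deserves a comment, e.g. `# no target name on purpose: annotate every operator-managed Deployment so Reloader rolls it when a referenced Secret (TLS certs included) changes`. The sibling satellites-reloader.yaml names its target explicitly, so the difference should be stated rather than left for the reader to infer. The enclosing `spec:` of the LinstorCluster starts outside the hunk.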
@@ -0,0 +1,18 @@ +apiVersion: piraeus.io/v1 +kind: LinstorSatelliteConfiguration +metadata: + name: cozystack-reloader +spec: + patches: + - target: + group: apps + version: v1 + kind: DaemonSet + name: linstor-satellite + patch: | + apiVersion: apps/v1 + kind: DaemonSet + metadata: + name: linstor-satellite + annotations: + secret.reloader.stakater.com/auto: "true" diff --git a/packages/system/reloader/Chart.yaml b/packages/system/reloader/Chart.yaml new file mode 100644 index 00000000..9c7e9afb --- /dev/null +++ b/packages/system/reloader/Chart.yaml @@ -0,0 +1,3 @@ +apiVersion: v2 +name: cozy-reloader +version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process diff --git a/packages/system/reloader/Makefile b/packages/system/reloader/Makefile new file mode 100644 index 00000000..378dc23c --- /dev/null +++ b/packages/system/reloader/Makefile @@ -0,0 +1,10 @@ +export NAME=reloader +export NAMESPACE=cozy-$(NAME) + +include ../../../scripts/package.mk + +update: + rm -rf charts + helm repo add stakater https://stakater.github.io/stakater-charts + helm repo update + helm pull stakater/reloader --untar --untardir charts diff --git a/packages/system/reloader/charts/reloader/.helmignore b/packages/system/reloader/charts/reloader/.helmignore new file mode 100644 index 00000000..9e169088 --- /dev/null +++ b/packages/system/reloader/charts/reloader/.helmignore @@ -0,0 +1,2 @@ +# OWNERS file for Kubernetes +OWNERS diff --git a/packages/system/reloader/charts/reloader/Chart.yaml b/packages/system/reloader/charts/reloader/Chart.yaml new file mode 100644 index 00000000..84ea57f6 --- /dev/null +++ b/packages/system/reloader/charts/reloader/Chart.yaml 
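Review bot: `secret.reloader.stakater.com/auto: "true"` on the linstor-satellite DaemonSet makes Reloader roll the satellite on every node whenever any Secret the satellite pods mount changes, which includes but is not limited to the TLS certificates this commit is about, and the rollout pace is governed by the DaemonSet's updateStrategy, which is not visible here. A short comment on the resource would save the next reader from reconstructing that, e.g. `# Roll linstor-satellite whenever a Secret it mounts (e.g. the satellite TLS cert) changes; pace follows the DaemonSet updateStrategy`. The file lives under templates/ but contains no Helm expressions, which is fine but worth a word if the project expects plain manifests elsewhere.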
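Review bot: `helm pull stakater/reloader --untar --untardir charts` in the `update` target pins no chart version, so every `make update` vendors whatever the stakater repository currently publishes, while the vendored Chart.yaml in this patch records version 2.0.0; pin it so re-running the target is reproducible and a bump shows up as an explicit diff, `helm pull stakater/reloader --version 2.0.0 --untar --untardir charts`. The chart is an upstream artifact that receives cluster-wide RBAC, so knowing exactly which version is vendored matters for review.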
@@ -0,0 +1,19 @@ +apiVersion: v1 +appVersion: v1.3.0 +description: Reloader chart that runs on kubernetes +home: https://github.com/stakater/Reloader +icon: https://raw.githubusercontent.com/stakater/Reloader/master/assets/web/reloader-round-100px.png +keywords: +- Reloader +- kubernetes +maintainers: +- email: hello@stakater.com + name: Stakater +- email: rasheed@stakater.com + name: rasheedamir +- email: faizan@stakater.com + name: faizanahmad055 +name: reloader +sources: +- https://github.com/stakater/Reloader +version: 2.0.0 diff --git a/packages/system/reloader/charts/reloader/templates/NOTES.txt b/packages/system/reloader/charts/reloader/templates/NOTES.txt new file mode 100644 index 00000000..d437a4f2 --- /dev/null +++ b/packages/system/reloader/charts/reloader/templates/NOTES.txt @@ -0,0 +1,7 @@ +- For a `Deployment` called `foo` have a `ConfigMap` called `foo-configmap`. Then add this annotation to main metadata of your `Deployment` + {{ .Values.reloader.custom_annotations.configmap | default "configmap.reloader.stakater.com/reload" }}: "foo-configmap" + +- For a `Deployment` called `foo` have a `Secret` called `foo-secret`. Then add this annotation to main metadata of your `Deployment` + {{ .Values.reloader.custom_annotations.secret | default "secret.reloader.stakater.com/reload" }}: "foo-secret" + +- After successful installation, your pods will get rolling updates when a change in data of configmap or secret will happen. diff --git a/packages/system/reloader/charts/reloader/templates/_helpers.tpl b/packages/system/reloader/charts/reloader/templates/_helpers.tpl new file mode 100644 index 00000000..04b3ee4d --- /dev/null +++ b/packages/system/reloader/charts/reloader/templates/_helpers.tpl 
@@ -0,0 +1,65 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} + +{{- define "reloader-name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" | lower -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "reloader-fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{- define "reloader-labels.chart" -}} +app: {{ template "reloader-fullname" . }} +chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" +release: {{ .Release.Name | quote }} +heritage: {{ .Release.Service | quote }} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end -}} + +{{/* +Create pod anti affinity labels +*/}} +{{- define "reloader-podAntiAffinity" -}} +podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - {{ template "reloader-fullname" . }} + topologyKey: "kubernetes.io/hostname" +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "reloader-serviceAccountName" -}} +{{- if .Values.reloader.serviceAccount.create -}} + {{ default (include "reloader-fullname" .) .Values.reloader.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.reloader.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the annotations to support helm3 +*/}} +{{- define "reloader-helm3.annotations" -}} +meta.helm.sh/release-namespace: {{ .Release.Namespace | quote }} +meta.helm.sh/release-name: {{ .Release.Name | quote }} +{{- end -}} 
diff --git a/packages/system/reloader/charts/reloader/templates/clusterrole.yaml b/packages/system/reloader/charts/reloader/templates/clusterrole.yaml new file mode 100644 index 00000000..5b2ad549 --- /dev/null +++ b/packages/system/reloader/charts/reloader/templates/clusterrole.yaml 
@@ -0,0 +1,112 @@ +{{- if and .Values.reloader.watchGlobally (.Values.reloader.rbac.enabled) }} +{{- if (.Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1") }} +apiVersion: rbac.authorization.k8s.io/v1 +{{ else }} +apiVersion: rbac.authorization.k8s.io/v1beta1 +{{- end }} +kind: ClusterRole +metadata: + annotations: +{{ include "reloader-helm3.annotations" . | indent 4 }} + labels: +{{ include "reloader-labels.chart" . | indent 4 }} +{{- if .Values.reloader.rbac.labels }} +{{ toYaml .Values.reloader.rbac.labels | indent 4 }} +{{- end }} +{{- if .Values.reloader.matchLabels }} +{{ toYaml .Values.reloader.matchLabels | indent 4 }} +{{- end }} + name: {{ template "reloader-fullname" . }}-role +rules: + - apiGroups: + - "" + resources: +{{- if .Values.reloader.ignoreSecrets }}{{- else }} + - secrets +{{- end }} +{{- if .Values.reloader.ignoreConfigMaps }}{{- else }} + - configmaps +{{- end }} + verbs: + - list + - get + - watch +{{- if .Values.reloader.namespaceSelector }} + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +{{- end }} +{{- if and (.Capabilities.APIVersions.Has "apps.openshift.io/v1") (.Values.reloader.isOpenshift) }} + - apiGroups: + - "apps.openshift.io" + - "" + resources: + - deploymentconfigs + verbs: + - list + - get + - update + - patch +{{- end }} +{{- if and (.Capabilities.APIVersions.Has "argoproj.io/v1alpha1") (.Values.reloader.isArgoRollouts) }} + - apiGroups: + - "argoproj.io" + - "" + resources: + - rollouts + verbs: + - list + - get + - update + - patch +{{- end }} + - apiGroups: + - "apps" + resources: + - deployments + - daemonsets + - statefulsets + verbs: + - list + - get + - update + - patch + - apiGroups: + - "batch" + resources: + - cronjobs + verbs: + - list + - get + - apiGroups: + - "batch" + resources: + - jobs + verbs: + - create + - delete + - list + - get +{{- if .Values.reloader.enableHA }} + - apiGroups: + - "coordination.k8s.io" + resources: + - leases + verbs: + - create + - 
get + - update +{{- end}} + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +{{- end }} diff --git a/packages/system/reloader/charts/reloader/templates/clusterrolebinding.yaml b/packages/system/reloader/charts/reloader/templates/clusterrolebinding.yaml new file mode 100644 index 00000000..0730dba9 --- /dev/null +++ b/packages/system/reloader/charts/reloader/templates/clusterrolebinding.yaml @@ -0,0 +1,28 @@ +{{- if and .Values.reloader.watchGlobally (.Values.reloader.rbac.enabled) }} +{{- if (.Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1") }} +apiVersion: rbac.authorization.k8s.io/v1 +{{ else }} +apiVersion: rbac.authorization.k8s.io/v1beta1 +{{- end }} +kind: ClusterRoleBinding +metadata: + annotations: +{{ include "reloader-helm3.annotations" . | indent 4 }} + labels: +{{ include "reloader-labels.chart" . | indent 4 }} +{{- if .Values.reloader.rbac.labels }} +{{ toYaml .Values.reloader.rbac.labels | indent 4 }} +{{- end }} +{{- if .Values.reloader.matchLabels }} +{{ toYaml .Values.reloader.matchLabels | indent 4 }} +{{- end }} + name: {{ template "reloader-fullname" . }}-role-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "reloader-fullname" . }}-role +subjects: + - kind: ServiceAccount + name: {{ template "reloader-serviceAccountName" . }} + namespace: {{ .Values.namespace | default .Release.Namespace }} +{{- end }} diff --git a/packages/system/reloader/charts/reloader/templates/deployment.yaml b/packages/system/reloader/charts/reloader/templates/deployment.yaml new file mode 100644 index 00000000..851230e8 --- /dev/null +++ b/packages/system/reloader/charts/reloader/templates/deployment.yaml 
@@ -0,0 +1,300 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: +{{ include "reloader-helm3.annotations" . | indent 4 }} +{{- if .Values.reloader.deployment.annotations }} +{{ toYaml .Values.reloader.deployment.annotations | indent 4 }} +{{- end }} + labels: +{{ include "reloader-labels.chart" . | indent 4 }} +{{- if .Values.reloader.deployment.labels }} +{{ toYaml .Values.reloader.deployment.labels | indent 4 }} +{{- end }} +{{- if .Values.reloader.matchLabels }} +{{ toYaml .Values.reloader.matchLabels | indent 4 }} +{{- end }} + name: {{ template "reloader-fullname" . }} + namespace: {{ .Values.namespace | default .Release.Namespace }} +spec: +{{- if not (.Values.reloader.enableHA) }} + replicas: {{ min .Values.reloader.deployment.replicas 1 }} +{{- else }} + replicas: {{ .Values.reloader.deployment.replicas }} +{{- end}} + revisionHistoryLimit: {{ .Values.reloader.deployment.revisionHistoryLimit }} + selector: + matchLabels: + app: {{ template "reloader-fullname" . }} + release: {{ .Release.Name | quote }} +{{- if .Values.reloader.matchLabels }} +{{ toYaml .Values.reloader.matchLabels | indent 6 }} +{{- end }} + template: + metadata: +{{- if .Values.reloader.deployment.pod.annotations }} + annotations: +{{ toYaml .Values.reloader.deployment.pod.annotations | indent 8 }} +{{- end }} + labels: +{{ include "reloader-labels.chart" . | indent 8 }} +{{- if .Values.reloader.deployment.labels }} +{{ toYaml .Values.reloader.deployment.labels | indent 8 }} +{{- end }} +{{- if .Values.reloader.matchLabels }} +{{ toYaml .Values.reloader.matchLabels | indent 8 }} +{{- end }} + spec: + {{- with .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . 
| nindent 8 }} + {{- end }} + {{- if .Values.reloader.deployment.nodeSelector }} + nodeSelector: +{{ toYaml .Values.reloader.deployment.nodeSelector | indent 8 }} + {{- end }} + {{- if or (.Values.reloader.deployment.affinity) (.Values.reloader.enableHA) }} + affinity: + {{- if .Values.reloader.deployment.affinity }} +{{ toYaml .Values.reloader.deployment.affinity | indent 8 }} + {{- else }} +{{ include "reloader-podAntiAffinity" . | indent 8 }} + {{- end }} + {{- end }} + {{- if .Values.reloader.deployment.tolerations }} + tolerations: +{{ toYaml .Values.reloader.deployment.tolerations | indent 8 }} + {{- end }} + {{- if .Values.reloader.deployment.topologySpreadConstraints }} + topologySpreadConstraints: +{{ toYaml .Values.reloader.deployment.topologySpreadConstraints | indent 8 }} + {{- end }} + {{- if .Values.reloader.deployment.priorityClassName }} + priorityClassName: {{ .Values.reloader.deployment.priorityClassName }} + {{- end }} + containers: + {{- if .Values.global.imageRegistry }} + - image: "{{ .Values.global.imageRegistry }}/{{ .Values.image.name }}:{{ .Values.image.tag }}" + {{- else }} + {{- if .Values.image.digest }} + - image: "{{ .Values.image.repository }}@{{ .Values.image.digest }}" + {{- else }} + - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + {{- end }} + {{- end }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + name: {{ template "reloader-fullname" . 
}} + env: + - name: GOMAXPROCS + {{- if .Values.reloader.deployment.gomaxprocsOverride }} + value: {{ .Values.reloader.deployment.gomaxprocsOverride | quote }} + {{- else }} + valueFrom: + resourceFieldRef: + resource: limits.cpu + divisor: '1' + {{- end }} + - name: GOMEMLIMIT + {{- if .Values.reloader.deployment.gomemlimitOverride }} + value: {{ .Values.reloader.deployment.gomemlimitOverride | quote }} + {{- else }} + valueFrom: + resourceFieldRef: + resource: limits.memory + divisor: '1' + {{- end }} + {{- range $name, $value := .Values.reloader.deployment.env.open }} + {{- if not (empty $value) }} + - name: {{ $name | quote }} + value: {{ $value | quote }} + {{- end }} + {{- end }} + {{- $secret_name := include "reloader-fullname" . }} + {{- range $name, $value := .Values.reloader.deployment.env.secret }} + {{- if not ( empty $value) }} + - name: {{ $name | quote }} + valueFrom: + secretKeyRef: + name: {{ $secret_name }} + key: {{ $name | quote }} + {{- end }} + {{- end }} + {{- range $secret, $values := .Values.reloader.deployment.env.existing }} + {{- range $name, $key := $values }} + {{- if not ( empty $name) }} + - name: {{ $name | quote }} + valueFrom: + secretKeyRef: + name: {{ $secret | quote }} + key: {{ $key | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- range $name, $value := .Values.reloader.deployment.env.field }} + {{- if not ( empty $value) }} + - name: {{ $name | quote }} + valueFrom: + fieldRef: + fieldPath: {{ $value | quote}} + {{- end }} + {{- end }} + {{- if eq .Values.reloader.watchGlobally false }} + - name: KUBERNETES_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- end }} + {{- if .Values.reloader.enableHA }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- end }} + {{- if .Values.reloader.enableMetricsByNamespace }} + - name: METRICS_COUNT_BY_NAMESPACE + value: enabled + {{- end }} + ports: + - 
name: http + containerPort: 9090 + livenessProbe: + httpGet: + path: /live + port: http + timeoutSeconds: {{ .Values.reloader.deployment.livenessProbe.timeoutSeconds | default "5" }} + failureThreshold: {{ .Values.reloader.deployment.livenessProbe.failureThreshold | default "5" }} + periodSeconds: {{ .Values.reloader.deployment.livenessProbe.periodSeconds | default "10" }} + successThreshold: {{ .Values.reloader.deployment.livenessProbe.successThreshold | default "1" }} + initialDelaySeconds: {{ .Values.reloader.deployment.livenessProbe.initialDelaySeconds | default "10" }} + readinessProbe: + httpGet: + path: /metrics + port: http + timeoutSeconds: {{ .Values.reloader.deployment.readinessProbe.timeoutSeconds | default "5" }} + failureThreshold: {{ .Values.reloader.deployment.readinessProbe.failureThreshold | default "5" }} + periodSeconds: {{ .Values.reloader.deployment.readinessProbe.periodSeconds | default "10" }} + successThreshold: {{ .Values.reloader.deployment.readinessProbe.successThreshold | default "1" }} + initialDelaySeconds: {{ .Values.reloader.deployment.readinessProbe.initialDelaySeconds | default "10" }} + + {{- $containerSecurityContext := .Values.reloader.deployment.containerSecurityContext | default dict }} + {{- if .Values.reloader.readOnlyRootFileSystem }} + {{- $_ := set $containerSecurityContext "readOnlyRootFilesystem" true }} + {{- end }} + + securityContext: + {{- toYaml $containerSecurityContext | nindent 10 }} + + {{- if (or (.Values.reloader.deployment.volumeMounts) (eq .Values.reloader.readOnlyRootFileSystem true)) }} + volumeMounts: + {{- if eq .Values.reloader.readOnlyRootFileSystem true }} + - mountPath: /tmp/ + name: tmp-volume + {{- end }} + {{- with .Values.reloader.deployment.volumeMounts }} + {{- . 
| toYaml | nindent 10 }} + {{- end }} + {{- end }} + {{- if or (.Values.reloader.logFormat) (.Values.reloader.logLevel) (.Values.reloader.ignoreSecrets) (.Values.reloader.ignoreNamespaces) (.Values.reloader.namespaceSelector) (.Values.reloader.resourceLabelSelector) (.Values.reloader.ignoreConfigMaps) (.Values.reloader.custom_annotations) (eq .Values.reloader.isArgoRollouts true) (eq .Values.reloader.reloadOnCreate true) (eq .Values.reloader.reloadOnDelete true) (ne .Values.reloader.reloadStrategy "default") (.Values.reloader.enableHA) (.Values.reloader.autoReloadAll)}} + args: + {{- if .Values.reloader.logFormat }} + - "--log-format={{ .Values.reloader.logFormat }}" + {{- end }} + {{- if .Values.reloader.logLevel }} + - "--log-level={{ .Values.reloader.logLevel }}" + {{- end }} + {{- if .Values.reloader.ignoreSecrets }} + - "--resources-to-ignore=secrets" + {{- end }} + {{- if .Values.reloader.ignoreConfigMaps }} + - "--resources-to-ignore=configMaps" + {{- end }} + {{- if .Values.reloader.ignoreNamespaces }} + - "--namespaces-to-ignore={{ .Values.reloader.ignoreNamespaces }}" + {{- end }} + {{- if .Values.reloader.namespaceSelector }} + - "--namespace-selector={{ .Values.reloader.namespaceSelector }}" + {{- end }} + {{- if .Values.reloader.resourceLabelSelector }} + - "--resource-label-selector={{ .Values.reloader.resourceLabelSelector }}" + {{- end }} + {{- if .Values.reloader.custom_annotations }} + {{- if .Values.reloader.custom_annotations.configmap }} + - "--configmap-annotation" + - "{{ .Values.reloader.custom_annotations.configmap }}" + {{- end }} + {{- if .Values.reloader.custom_annotations.secret }} + - "--secret-annotation" + - "{{ .Values.reloader.custom_annotations.secret }}" + {{- end }} + {{- if .Values.reloader.custom_annotations.auto }} + - "--auto-annotation" + - "{{ .Values.reloader.custom_annotations.auto }}" + {{- end }} + {{- if .Values.reloader.custom_annotations.secret_auto }} + - "--secret-auto-annotation" + - "{{ 
.Values.reloader.custom_annotations.secret_auto }}" + {{- end }} + {{- if .Values.reloader.custom_annotations.configmap_auto }} + - "--configmap-auto-annotation" + - "{{ .Values.reloader.custom_annotations.configmap_auto }}" + {{- end }} + {{- if .Values.reloader.custom_annotations.search }} + - "--auto-search-annotation" + - "{{ .Values.reloader.custom_annotations.search }}" + {{- end }} + {{- if .Values.reloader.custom_annotations.match }} + - "--search-match-annotation" + - "{{ .Values.reloader.custom_annotations.match }}" + {{- end }} + {{- if .Values.reloader.webhookUrl }} + - "--webhook-url" + - "{{ .Values.reloader.webhookUrl }}" + {{- end }} + {{- end }} + {{- if eq .Values.reloader.isArgoRollouts true }} + - "--is-Argo-Rollouts={{ .Values.reloader.isArgoRollouts }}" + {{- end }} + {{- if eq .Values.reloader.reloadOnCreate true }} + - "--reload-on-create={{ .Values.reloader.reloadOnCreate }}" + {{- end }} + {{- if eq .Values.reloader.reloadOnDelete true }} + - "--reload-on-delete={{ .Values.reloader.reloadOnDelete }}" + {{- end }} + {{- if eq .Values.reloader.syncAfterRestart true }} + - "--sync-after-restart={{ .Values.reloader.syncAfterRestart }}" + {{- end }} + {{- if ne .Values.reloader.reloadStrategy "default" }} + - "--reload-strategy={{ .Values.reloader.reloadStrategy }}" + {{- end }} + {{- if or (gt (int .Values.reloader.deployment.replicas) 1) (.Values.reloader.enableHA) }} + - "--enable-ha=true" + {{- end}} + {{- if eq .Values.reloader.autoReloadAll true }} + - "--auto-reload-all=true" + {{- end -}} + {{- end }} + {{- if .Values.reloader.deployment.resources }} + resources: +{{ toYaml .Values.reloader.deployment.resources | indent 10 }} + {{- end }} +{{- if .Values.reloader.deployment.securityContext }} + securityContext: {{ toYaml .Values.reloader.deployment.securityContext | nindent 8 }} +{{- end }} + serviceAccountName: {{ template "reloader-serviceAccountName" . 
}} +{{- if hasKey .Values.reloader.deployment "automountServiceAccountToken" }} + automountServiceAccountToken: {{ .Values.reloader.deployment.automountServiceAccountToken }} +{{- end }} + {{- if (or (.Values.reloader.deployment.volumes) (eq .Values.reloader.readOnlyRootFileSystem true)) }} + volumes: + {{- if eq .Values.reloader.readOnlyRootFileSystem true }} + - emptyDir: {} + name: tmp-volume + {{- end }} + {{- with .Values.reloader.deployment.volumes }} + {{- . | toYaml | nindent 8 }} + {{- end }} + {{- end }} diff --git a/packages/system/reloader/charts/reloader/templates/networkpolicy.yaml b/packages/system/reloader/charts/reloader/templates/networkpolicy.yaml new file mode 100644 index 00000000..ca5f2248 --- /dev/null +++ b/packages/system/reloader/charts/reloader/templates/networkpolicy.yaml @@ -0,0 +1,39 @@ +{{- if and ( .Values.reloader.netpol.enabled ) }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + annotations: +{{ include "reloader-helm3.annotations" . | indent 4 }} + labels: +{{ include "reloader-labels.chart" . | indent 4 }} +{{- if .Values.reloader.matchLabels }} +{{ toYaml .Values.reloader.matchLabels | indent 4 }} +{{- end }} + name: {{ template "reloader-fullname" . }} + namespace: {{ .Values.namespace | default .Release.Namespace }} +spec: + podSelector: + matchLabels: + app: {{ template "reloader-fullname" . }} + release: {{ .Release.Name | quote }} +{{- if .Values.reloader.matchLabels }} +{{ toYaml .Values.reloader.matchLabels | indent 6 }} +{{- end }} + policyTypes: + - Ingress + - Egress + ingress: + - ports: + - port: http + {{- with .Values.reloader.netpol.from}} + from: + {{- toYaml .| nindent 8 }} + {{- end }} + egress: + - ports: + - port: 443 + {{- with .Values.reloader.netpol.to}} + to: + {{- toYaml .| nindent 8 }} + {{- end }} +{{- end }} 
diff --git a/packages/system/reloader/charts/reloader/templates/poddisruptionbudget.yaml b/packages/system/reloader/charts/reloader/templates/poddisruptionbudget.yaml new file mode 100644 index 00000000..e13c4783 --- /dev/null +++ b/packages/system/reloader/charts/reloader/templates/poddisruptionbudget.yaml @@ -0,0 +1,17 @@ +{{- if .Values.reloader.podDisruptionBudget.enabled }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ template "reloader-fullname" . }} + namespace: {{ .Values.namespace | default .Release.Namespace }} +spec: +{{- if .Values.reloader.podDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.reloader.podDisruptionBudget.maxUnavailable }} +{{- end }} +{{- if and .Values.reloader.podDisruptionBudget.minAvailable (not .Values.reloader.podDisruptionBudget.maxUnavailable)}} + minAvailable: {{ .Values.reloader.podDisruptionBudget.minAvailable }} +{{- end }} + selector: + matchLabels: + app: {{ template "reloader-fullname" . }} +{{- end }} diff --git a/packages/system/reloader/charts/reloader/templates/podmonitor.yaml b/packages/system/reloader/charts/reloader/templates/podmonitor.yaml new file mode 100644 index 00000000..7afeba3b --- /dev/null +++ b/packages/system/reloader/charts/reloader/templates/podmonitor.yaml 
@@ -0,0 +1,60 @@ +{{- if ( .Values.reloader.podMonitor.enabled ) }} +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: +{{- if .Values.reloader.podMonitor.annotations }} + annotations: +{{ tpl (toYaml .Values.reloader.podMonitor.annotations) . | indent 4 }} +{{- end }} + labels: +{{ include "reloader-labels.chart" . | indent 4 }} +{{- if .Values.reloader.podMonitor.labels }} +{{ tpl (toYaml .Values.reloader.podMonitor.labels) . | indent 4 }} +{{- end }} + name: {{ template "reloader-fullname" . }} +{{- if .Values.reloader.podMonitor.namespace }} + namespace: {{ tpl .Values.reloader.podMonitor.namespace . }} +{{- else }} + namespace: {{ .Values.namespace | default .Release.Namespace }} +{{- end }} +spec: + podMetricsEndpoints: + - port: http + path: "/metrics" + {{- with .Values.reloader.podMonitor.interval }} + interval: {{ . }} + {{- end }} + {{- with .Values.reloader.podMonitor.scheme }} + scheme: {{ . }} + {{- end }} + {{- with .Values.reloader.podMonitor.bearerTokenSecret }} + bearerTokenSecret: {{ . }} + {{- end }} + {{- with .Values.reloader.podMonitor.tlsConfig }} + tlsConfig: + {{- toYaml .| nindent 6 }} + {{- end }} + {{- with .Values.reloader.podMonitor.timeout }} + scrapeTimeout: {{ . }} + {{- end }} + honorLabels: {{ .Values.reloader.podMonitor.honorLabels }} + {{- with .Values.reloader.podMonitor.metricRelabelings }} + metricRelabelings: + {{- tpl (toYaml . | nindent 6) $ }} + {{- end }} + {{- with .Values.reloader.podMonitor.relabelings }} + relabelings: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.reloader.podMonitor.podTargetLabels }} + podTargetLabels: + {{- toYaml . | nindent 4 }} + {{- end }} + jobLabel: {{ template "reloader-fullname" . }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + selector: + matchLabels: + {{ include "reloader-labels.chart" . | nindent 6 }} +{{- end }} 
diff --git a/packages/system/reloader/charts/reloader/templates/role.yaml b/packages/system/reloader/charts/reloader/templates/role.yaml new file mode 100644 index 00000000..13ac4bb2 --- /dev/null +++ b/packages/system/reloader/charts/reloader/templates/role.yaml 
@@ -0,0 +1,103 @@
+{{- if and (not (.Values.reloader.watchGlobally)) (.Values.reloader.rbac.enabled) }}
+{{- if (.Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1") }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{ else }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+{{- end }}
+kind: Role
+metadata:
+ annotations:
+{{ include "reloader-helm3.annotations" . | indent 4 }}
+ labels:
+{{ include "reloader-labels.chart" . | indent 4 }}
+{{- if .Values.reloader.rbac.labels }}
+{{ toYaml .Values.reloader.rbac.labels | indent 4 }}
+{{- end }}
+{{- if .Values.reloader.matchLabels }}
+{{ toYaml .Values.reloader.matchLabels | indent 4 }}
+{{- end }}
+ name: {{ template "reloader-fullname" . }}-role
+ namespace: {{ .Values.namespace | default .Release.Namespace }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+{{- if .Values.reloader.ignoreSecrets }}{{- else }}
+ - secrets
+{{- end }}
+{{- if .Values.reloader.ignoreConfigMaps }}{{- else }}
+ - configmaps
+{{- end }}
+ verbs:
+ - list
+ - get
+ - watch
+{{- if and (.Capabilities.APIVersions.Has "apps.openshift.io/v1") (.Values.reloader.isOpenshift) }}
+ - apiGroups:
+ - "apps.openshift.io"
+ - ""
+ resources:
+ - deploymentconfigs
+ verbs:
+ - list
+ - get
+ - update
+ - patch
+{{- end }}
+{{- if and (.Capabilities.APIVersions.Has "argoproj.io/v1alpha1") (.Values.reloader.isArgoRollouts) }}
+ - apiGroups:
+ - "argoproj.io"
+ - ""
+ resources:
+ - rollouts
+ verbs:
+ - list
+ - get
+ - update
+ - patch
+{{- end }}
+ - apiGroups:
+ - "apps"
+ resources:
+ - deployments
+ - daemonsets
+ - statefulsets
+ verbs:
+ - list
+ - get
+ - update
+ - patch
+ - apiGroups:
+ - "batch"
+ resources:
+ - cronjobs
+ verbs:
+ - list
+ - get
+ - apiGroups:
+ - "batch"
+ resources:
+ - jobs
+ verbs:
+ - create
+ - delete
+ - list
+ - get
+{{- if .Values.reloader.enableHA }}
+ - apiGroups:
+ - "coordination.k8s.io"
+ resources:
+ - leases
+ verbs:
+ - create
+ - get
+ - update
+{{- end}}
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+{{- end }}
diff --git a/packages/system/reloader/charts/reloader/templates/rolebinding.yaml b/packages/system/reloader/charts/reloader/templates/rolebinding.yaml
new file mode 100644
index 00000000..abeb721d
--- /dev/null
+++ b/packages/system/reloader/charts/reloader/templates/rolebinding.yaml
@@ -0,0 +1,29 @@
+{{- if and (not (.Values.reloader.watchGlobally)) (.Values.reloader.rbac.enabled) }}
+{{- if (.Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1") }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{ else }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+{{- end }}
+kind: RoleBinding
+metadata:
+ annotations:
+{{ include "reloader-helm3.annotations" . | indent 4 }}
+ labels:
+{{ include "reloader-labels.chart" . | indent 4 }}
+{{- if .Values.reloader.rbac.labels }}
+{{ toYaml .Values.reloader.rbac.labels | indent 4 }}
+{{- end }}
+{{- if .Values.reloader.matchLabels }}
+{{ toYaml .Values.reloader.matchLabels | indent 4 }}
+{{- end }}
+ name: {{ template "reloader-fullname" . }}-role-binding
+ namespace: {{ .Values.namespace | default .Release.Namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "reloader-fullname" . }}-role
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "reloader-serviceAccountName" . }}
+ namespace: {{ .Values.namespace | default .Release.Namespace }}
+{{- end }}
diff --git a/packages/system/reloader/charts/reloader/templates/secret.yaml b/packages/system/reloader/charts/reloader/templates/secret.yaml
new file mode 100644
index 00000000..21723092
--- /dev/null
+++ b/packages/system/reloader/charts/reloader/templates/secret.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.reloader.deployment.env.secret -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "reloader-fullname" . }}
+ namespace: {{ .Values.namespace | default .Release.Namespace }}
+type: Opaque
+data:
+ {{ if .Values.reloader.deployment.env.secret.ALERT_ON_RELOAD -}}
+ ALERT_ON_RELOAD: {{ .Values.reloader.deployment.env.secret.ALERT_ON_RELOAD | b64enc | quote }}
+ {{ end }}
+ {{- if .Values.reloader.deployment.env.secret.ALERT_SINK -}}
+ ALERT_SINK: {{ .Values.reloader.deployment.env.secret.ALERT_SINK | b64enc | quote }}
+ {{ end }}
+ {{- if .Values.reloader.deployment.env.secret.ALERT_WEBHOOK_URL -}}
+ ALERT_WEBHOOK_URL: {{ .Values.reloader.deployment.env.secret.ALERT_WEBHOOK_URL | b64enc | quote }}
+ {{ end }}
+ {{- if .Values.reloader.deployment.env.secret.ALERT_ADDITIONAL_INFO -}}
+ ALERT_ADDITIONAL_INFO: {{ .Values.reloader.deployment.env.secret.ALERT_ADDITIONAL_INFO | b64enc | quote }}
+ {{ end }}
+{{ end }}
diff --git a/packages/system/reloader/charts/reloader/templates/service.yaml b/packages/system/reloader/charts/reloader/templates/service.yaml
new file mode 100644
index 00000000..95a8150d
--- /dev/null
+++ b/packages/system/reloader/charts/reloader/templates/service.yaml
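Review bot: This Secret takes `ALERT_WEBHOOK_URL` and the other `ALERT_*` entries straight from `.Values.reloader.deployment.env.secret` and base64-encodes them into a chart-managed Secret, so in a repository where values files are committed, enabling alerting this way would put the webhook URL into the repo and into the Helm release record. The chart's values.yaml documents an `env.existing` option that references a pre-created Secret, which is the path to use if alerting is ever wired up for this deployment; a one-line comment above the override values, `# alert settings belong in an existing Secret (reloader.deployment.env.existing), not in committed values`, would steer the next maintainer. Unlike every other resource in this commit, the Secret also renders neither the `reloader-labels.chart` labels nor the `reloader-helm3.annotations` block, so it is the one release object that label-based selection misses.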
@@ -0,0 +1,30 @@
+{{- if .Values.reloader.service }}
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+{{ include "reloader-helm3.annotations" . | indent 4 }}
+{{- if .Values.reloader.service.annotations }}
+{{ toYaml .Values.reloader.service.annotations | indent 4 }}
+{{- end }}
+ labels:
+{{ include "reloader-labels.chart" . | indent 4 }}
+{{- if .Values.reloader.service.labels }}
+{{ toYaml .Values.reloader.service.labels | indent 4 }}
+{{- end }}
+ name: {{ template "reloader-fullname" . }}
+ namespace: {{ .Values.namespace | default .Release.Namespace }}
+spec:
+ selector:
+{{- if .Values.reloader.deployment.labels }}
+{{ toYaml .Values.reloader.deployment.labels | indent 4 }}
+{{- end }}
+{{- if .Values.reloader.matchLabels }}
+{{ toYaml .Values.reloader.matchLabels | indent 4 }}
+{{- end }}
+ ports:
+ - port: {{ .Values.reloader.service.port }}
+ name: http
+ protocol: TCP
+ targetPort: http
+{{- end }}
diff --git a/packages/system/reloader/charts/reloader/templates/serviceaccount.yaml b/packages/system/reloader/charts/reloader/templates/serviceaccount.yaml
new file mode 100644
index 00000000..27909edc
--- /dev/null
+++ b/packages/system/reloader/charts/reloader/templates/serviceaccount.yaml
@@ -0,0 +1,26 @@
+{{- if .Values.reloader.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets | nindent 2 }}
+{{- end }}
+{{- if hasKey .Values.reloader.serviceAccount "automountServiceAccountToken" }}
+automountServiceAccountToken: {{ .Values.reloader.serviceAccount.automountServiceAccountToken }}
+{{- end }}
+metadata:
+ annotations:
+{{ include "reloader-helm3.annotations" . | indent 4 }}
+{{- if .Values.reloader.serviceAccount.annotations }}
+{{ toYaml .Values.reloader.serviceAccount.annotations | indent 4 }}
+{{- end }}
+ labels:
+{{ include "reloader-labels.chart" . | indent 4 }}
+{{- if .Values.reloader.serviceAccount.labels }}
+{{ toYaml .Values.reloader.serviceAccount.labels | indent 4 }}
+{{- end }}
+{{- if .Values.reloader.matchLabels }}
+{{ toYaml .Values.reloader.matchLabels | indent 4 }}
+{{- end }}
+ name: {{ template "reloader-serviceAccountName" . }}
+ namespace: {{ .Values.namespace | default .Release.Namespace }}
+{{- end }}
diff --git a/packages/system/reloader/charts/reloader/templates/servicemonitor.yaml b/packages/system/reloader/charts/reloader/templates/servicemonitor.yaml
new file mode 100644
index 00000000..c4685fdb
--- /dev/null
+++ b/packages/system/reloader/charts/reloader/templates/servicemonitor.yaml
@@ -0,0 +1,60 @@
+{{- if and ( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" ) ( .Values.reloader.serviceMonitor.enabled ) }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+{{- if .Values.reloader.serviceMonitor.annotations }}
+ annotations:
+{{ tpl (toYaml .Values.reloader.serviceMonitor.annotations) . | indent 4 }}
+{{- end }}
+ labels:
+{{ include "reloader-labels.chart" . | indent 4 }}
+{{- if .Values.reloader.serviceMonitor.labels }}
+{{ tpl (toYaml .Values.reloader.serviceMonitor.labels) . | indent 4 }}
+{{- end }}
+ name: {{ template "reloader-fullname" . }}
+{{- if .Values.reloader.serviceMonitor.namespace }}
+ namespace: {{ tpl .Values.reloader.serviceMonitor.namespace . }}
+{{- else }}
+ namespace: {{ .Values.namespace | default .Release.Namespace }}
+{{- end }}
+spec:
+ endpoints:
+ - targetPort: http
+ path: "/metrics"
+ {{- with .Values.reloader.serviceMonitor.interval }}
+ interval: {{ . }}
+ {{- end }}
+ {{- with .Values.reloader.serviceMonitor.scheme }}
+ scheme: {{ . }}
+ {{- end }}
+ {{- with .Values.reloader.serviceMonitor.bearerTokenFile }}
+ bearerTokenFile: {{ . }}
+ {{- end }}
+ {{- with .Values.reloader.serviceMonitor.tlsConfig }}
+ tlsConfig:
+ {{- toYaml .| nindent 6 }}
+ {{- end }}
+ {{- with .Values.reloader.serviceMonitor.timeout }}
+ scrapeTimeout: {{ . }}
+ {{- end }}
+ honorLabels: {{ .Values.reloader.serviceMonitor.honorLabels }}
+ {{- with .Values.reloader.serviceMonitor.metricRelabelings }}
+ metricRelabelings:
+ {{- tpl (toYaml . | nindent 6) $ }}
+ {{- end }}
+ {{- with .Values.reloader.serviceMonitor.relabelings }}
+ relabelings:
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+ {{- with .Values.reloader.serviceMonitor.targetLabels }}
+ targetLabels:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ jobLabel: {{ template "reloader-fullname" . }}
+ namespaceSelector:
+ matchNames:
+ - {{ .Release.Namespace }}
+ selector:
+ matchLabels:
+ {{ include "reloader-labels.chart" . | nindent 6 }}
+{{- end }}
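Review bot: The endpoint's `bearerTokenFile` is, as far as I know, the deprecated field in the Prometheus Operator ServiceMonitor API (the `authorization` block is the documented replacement), so an operator upgrade could start ignoring it without a render-time error; a comment next to the knob in values.yaml, `# bearerTokenFile is deprecated upstream; prefer endpoints[].authorization`, would at least flag it to whoever enables the monitor. The values.yaml in this commit already marks the whole ServiceMonitor as deprecated in favour of the PodMonitor, which argues for leaving it disabled here. The `namespaceSelector` uses `.Release.Namespace` where the rest of the template uses `.Values.namespace | default .Release.Namespace`, the same mismatch noted on podmonitor.yaml.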
diff --git a/packages/system/reloader/charts/reloader/templates/verticalpodautoscaler.yaml b/packages/system/reloader/charts/reloader/templates/verticalpodautoscaler.yaml
new file mode 100644
index 00000000..9ec2c463
--- /dev/null
+++ b/packages/system/reloader/charts/reloader/templates/verticalpodautoscaler.yaml
@@ -0,0 +1,40 @@
+{{- if and (.Capabilities.APIVersions.Has "autoscaling.k8s.io/v1") (.Values.reloader.verticalPodAutoscaler.enabled) }}
+apiVersion: autoscaling.k8s.io/v1
+kind: VerticalPodAutoscaler
+metadata:
+ name: {{ template "reloader-fullname" . }}
+ namespace: {{ .Values.namespace | default .Release.Namespace }}
+ labels:
+ {{- include "reloader-labels.chart" . | nindent 4 }}
+spec:
+ {{- with .Values.reloader.verticalPodAutoscaler.recommenders }}
+ recommenders:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ resourcePolicy:
+ containerPolicies:
+ - containerName: {{ template "reloader-fullname" . }}
+ {{- with .Values.reloader.verticalPodAutoscaler.controlledResources }}
+ controlledResources:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if .Values.reloader.verticalPodAutoscaler.controlledValues }}
+ controlledValues: {{ .Values.reloader.verticalPodAutoscaler.controlledValues }}
+ {{- end }}
+ {{- if .Values.reloader.verticalPodAutoscaler.maxAllowed }}
+ maxAllowed:
+ {{ toYaml .Values.reloader.verticalPodAutoscaler.maxAllowed | nindent 8 }}
+ {{- end }}
+ {{- if .Values.reloader.verticalPodAutoscaler.minAllowed }}
+ minAllowed:
+ {{ toYaml .Values.reloader.verticalPodAutoscaler.minAllowed | nindent 8 }}
+ {{- end }}
+ targetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ template "reloader-fullname" . }}
+ {{- with .Values.reloader.verticalPodAutoscaler.updatePolicy }}
+ updatePolicy:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/packages/system/reloader/charts/reloader/tests/deployment_test.yaml b/packages/system/reloader/charts/reloader/tests/deployment_test.yaml
new file mode 100644
index 00000000..aee0f9fb
--- /dev/null
+++ b/packages/system/reloader/charts/reloader/tests/deployment_test.yaml
@@ -0,0 +1,63 @@
+suite: Deployment
+
+templates:
+ - deployment.yaml
+
+tests:
+ - it: sets readOnlyRootFilesystem in container securityContext when reloader.readOnlyRootFileSystem is true
+ set:
+ reloader:
+ readOnlyRootFileSystem: true
+ deployment:
+ containerSecurityContext:
+ readOnlyRootFilesystem: false
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem
+ value: true
+
+ - it: sets readOnlyRootFilesystem in container securityContext even if reloader.deployment.containerSecurityContext is null
+ set:
+ reloader:
+ readOnlyRootFileSystem: true
+ deployment:
+ containerSecurityContext: null
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem
+ value: true
+
+ - it: does not override readOnlyRootFilesystem in container securityContext based on reloader.readOnlyRootFileSystem
+ set:
+ reloader:
+ readOnlyRootFileSystem: false
+ deployment:
+ containerSecurityContext:
+ readOnlyRootFilesystem: true
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem
+ value: true
+
+ - it: template is still valid with no defined containerSecurityContext
+ set:
+ reloader:
+ readOnlyRootFileSystem: false
+ deployment:
+ containerSecurityContext: null
+ asserts:
+ - isEmpty:
+ path: spec.template.spec.containers[0].securityContext
+
+ - it: template still sets POD_NAME and POD_NAMESPACE environment variables when enableHA is true
+ set:
+ reloader:
+ enableHA: true
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
diff --git a/packages/system/reloader/charts/reloader/values.schema.json b/packages/system/reloader/charts/reloader/values.schema.json
new file mode 100644
index 00000000..56eb678a
--- /dev/null
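Review bot: The last test case is titled "sets POD_NAME and POD_NAMESPACE ... when enableHA is true" but its `asserts` only checks the POD_NAME entry, so a regression that drops POD_NAMESPACE (presumably needed for the leader-election lease in HA mode — not visible from this chunk) would still pass. A second `contains` assertion on the same `env` path pins the missing variable; the rewritten `asserts` block is below. The fourth case (`isEmpty` on `securityContext`) is a useful guard, but none of the cases covers `allowPrivilegeEscalation` or `capabilities.drop`, so a template change that silently discards `containerSecurityContext` fields other than `readOnlyRootFilesystem` would also go unnoticed.

```yaml
    asserts:
      - contains:
          path: spec.template.spec.containers[0].env
          content:
            name: POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
      - contains:
          path: spec.template.spec.containers[0].env
          content:
            name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
```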
+++ b/packages/system/reloader/charts/reloader/values.schema.json
@@ -0,0 +1,19 @@
+{
+ "$schema": "http://json-schema.org/schema#",
+ "type": "object",
+ "properties": {
+ "reloader": {
+ "type": "object",
+ "properties": {
+ "reloadStrategy": {
+ "type": "string",
+ "enum": [
+ "default",
+ "env-vars",
+ "annotations"
+ ]
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/packages/system/reloader/charts/reloader/values.yaml b/packages/system/reloader/charts/reloader/values.yaml
new file mode 100644
index 00000000..d7f9bf74
--- /dev/null
+++ b/packages/system/reloader/charts/reloader/values.yaml
@@ -0,0 +1,342 @@ +# Generated from deployments/kubernetes/templates/chart/values.yaml.tmpl +global: + ## Reference to one or more secrets to be used when pulling images + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + imageRegistry: "" + imagePullSecrets: [] + #imagePullSecrets: + # - name: my-pull-secret + +kubernetes: + host: https://kubernetes.default + +nameOverride: "" +fullnameOverride: "" + +image: + name: stakater/reloader + repository: ghcr.io/stakater/reloader + tag: v1.3.0 + # digest: sha256:1234567 + pullPolicy: IfNotPresent + +reloader: + autoReloadAll: false + isArgoRollouts: false + isOpenshift: false + ignoreSecrets: false + ignoreConfigMaps: false + reloadOnCreate: false + reloadOnDelete: false + syncAfterRestart: false + reloadStrategy: default # Set to default, env-vars or annotations + ignoreNamespaces: "" # Comma separated list of namespaces to ignore + namespaceSelector: "" # Comma separated list of k8s label selectors for namespaces selection + resourceLabelSelector: "" # Comma separated list of k8s label selectors for configmap/secret selection + logFormat: "" # json + logLevel: info # Log level to use (trace, debug, info, warning, error, fatal and panic) + watchGlobally: true + # Set to true to enable leadership election allowing you to run multiple replicas + enableHA: false + # Set to true if you have a pod security policy that enforces readOnlyRootFilesystem + readOnlyRootFileSystem: false + legacy: + rbac: false + matchLabels: {} + # Set to true to expose a prometheus counter of reloads by namespace (this metric may have high cardinality in clusters with many namespaces) + enableMetricsByNamespace: false + deployment: + # If you wish to run multiple replicas set reloader.enableHA = true + replicas: 1 + + revisionHistoryLimit: 2 + + nodeSelector: + # cloud.google.com/gke-nodepool: default-pool + + # An affinity stanza to be applied to the Deployment. 
+ # Example: + # affinity: + # nodeAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: "node-role.kubernetes.io/infra-worker" + # operator: "Exists" + affinity: {} + + securityContext: + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault + + containerSecurityContext: + {} + # capabilities: + # drop: + # - ALL + # allowPrivilegeEscalation: false + # readOnlyRootFilesystem: true + + # A list of tolerations to be applied to the Deployment. + # Example: + # tolerations: + # - key: "node-role.kubernetes.io/infra-worker" + # operator: "Exists" + # effect: "NoSchedule" + tolerations: [] + + # Topology spread constraints for pod assignment + # Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + # Example: + # topologySpreadConstraints: + # - maxSkew: 1 + # topologyKey: zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: my-app + topologySpreadConstraints: [] + + annotations: {} + labels: + provider: stakater + group: com.stakater.platform + version: v1.3.0 + # Support for extra environment variables. + env: + # Open supports Key value pair as environment variables. + open: + # secret supports Key value pair as environment variables. It gets the values based on keys from default reloader secret if any. + secret: + # ALERT_ON_RELOAD: <"true"|"false"> + # ALERT_SINK: <"slack"> # By default it will be a raw text based webhook + # ALERT_WEBHOOK_URL: <"webhook_url"> + # ALERT_ADDITIONAL_INFO: <"Additional Info like Cluster Name if needed"> + # field supports Key value pair as environment variables. It gets the values from other fields of pod. 
+ field: + # existing secret, you can specify multiple existing secrets, for each + # specify the env var name followed by the key in existing secret that + # will be used to populate the env var + existing: + # existing_secret_name: + # ALERT_ON_RELOAD: alert_on_reload_key + # ALERT_SINK: alert_sink_key + # ALERT_WEBHOOK_URL: alert_webhook_key + # ALERT_ADDITIONAL_INFO: alert_additional_info_key + + # Liveness and readiness probe timeout values. + livenessProbe: {} + # timeoutSeconds: 5 + # failureThreshold: 5 + # periodSeconds: 10 + # successThreshold: 1 + readinessProbe: {} + # timeoutSeconds: 15 + # failureThreshold: 5 + # periodSeconds: 10 + # successThreshold: 1 + + # Specify resource requests/limits for the deployment. + # Example: + # resources: + # limits: + # cpu: "100m" + # memory: "512Mi" + # requests: + # cpu: "10m" + # memory: "128Mi" + resources: {} + pod: + annotations: {} + priorityClassName: "" + # imagePullSecrets: + # - name: myregistrykey + + # Put "0" in either to have go runtime ignore the set value. + # Otherwise, see https://pkg.go.dev/runtime#hdr-Environment_Variables for GOMAXPROCS and GOMEMLIMIT + gomaxprocsOverride: "" + gomemlimitOverride: "" + + service: + {} + + # labels: {} + # annotations: {} + # port: 9090 + + rbac: + enabled: true + labels: {} + # Service account config for the agent pods + serviceAccount: + # Specifies whether a ServiceAccount should be created + create: true + labels: {} + annotations: {} + # The name of the ServiceAccount to use. 
+ # If not set and create is true, a name is generated using the fullname template + name: + # Optional flags to pass to the Reloader entrypoint + # Example: + # custom_annotations: + # configmap: "my.company.com/configmap" + # secret: "my.company.com/secret" + custom_annotations: {} + + serviceMonitor: + # Deprecated: Service monitor will be removed in future releases of reloader in favour of Pod monitor + # Enabling this requires service to be enabled as well, or no endpoints will be found + enabled: false + # Set the namespace the ServiceMonitor should be deployed + # namespace: monitoring + + # Fallback to the prometheus default unless specified + # interval: 10s + + ## scheme: HTTP scheme to use for scraping. Can be used with `tlsConfig` for example if using istio mTLS. + # scheme: "" + + ## tlsConfig: TLS configuration to use when scraping the endpoint. For example if using istio mTLS. + ## Of type: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#tlsconfig + # tlsConfig: {} + + # bearerTokenFile: + # Fallback to the prometheus default unless specified + # timeout: 30s + + ## Used to pass Labels that are used by the Prometheus installed in your cluster to select Service Monitors to work with + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec + labels: {} + + ## Used to pass annotations that are used by the Prometheus installed in your cluster to select Service Monitors to work with + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec + annotations: {} + + # Retain the job and instance labels of the metrics pushed to the Pushgateway + # [Scraping Pushgateway](https://github.com/prometheus/pushgateway#configure-the-pushgateway-as-a-target-to-scrape) + honorLabels: true + + ## Metric relabel configs to apply to samples before ingestion. 
+ ## [Metric Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs) + metricRelabelings: [] + # - action: keep + # regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+' + # sourceLabels: [__name__] + + ## Relabel configs to apply to samples before ingestion. + ## [Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config) + relabelings: [] + # - sourceLabels: [__meta_kubernetes_pod_node_name] + # separator: ; + # regex: ^(.*)$ + # targetLabel: nodename + # replacement: $1 + # action: replace + + targetLabels: [] + + podMonitor: + enabled: false + # Set the namespace the podMonitor should be deployed + # namespace: monitoring + + # Fallback to the prometheus default unless specified + # interval: 10s + + ## scheme: HTTP scheme to use for scraping. Can be used with `tlsConfig` for example if using istio mTLS. + # scheme: "" + + ## tlsConfig: TLS configuration to use when scraping the endpoint. For example if using istio mTLS. 
+ ## Of type: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#tlsconfig + # tlsConfig: {} + + # bearerTokenSecret: + # Fallback to the prometheus default unless specified + # timeout: 30s + + ## Used to pass Labels that are used by the Prometheus installed in your cluster to select Service Monitors to work with + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec + labels: {} + + ## Used to pass annotations that are used by the Prometheus installed in your cluster to select Service Monitors to work with + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec + annotations: {} + + # Retain the job and instance labels of the metrics pushed to the Pushgateway + # [Scraping Pushgateway](https://github.com/prometheus/pushgateway#configure-the-pushgateway-as-a-target-to-scrape) + honorLabels: true + + ## Metric relabel configs to apply to samples before ingestion. + ## [Metric Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs) + metricRelabelings: [] + # - action: keep + # regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+' + # sourceLabels: [__name__] + + ## Relabel configs to apply to samples before ingestion. 
+ ## [Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config) + relabelings: [] + # - sourceLabels: [__meta_kubernetes_pod_node_name] + # separator: ; + # regex: ^(.*)$ + # targetLabel: nodename + # replacement: $1 + # action: replace + + podTargetLabels: [] + + podDisruptionBudget: + enabled: false + # Set the minimum available replicas + # minAvailable: 1 + # OR Set the maximum unavailable replicas + # maxUnavailable: 1 + # If both defined only maxUnavailable will be used + + netpol: + enabled: false + from: [] + # - podSelector: + # matchLabels: + # app.kubernetes.io/name: prometheus + to: [] + + # Enable vertical pod autoscaler + verticalPodAutoscaler: + enabled: false + + # Recommender responsible for generating recommendation for the object. + # List should be empty (then the default recommender will generate the recommendation) + # or contain exactly one recommender. + # recommenders: + # - name: custom-recommender-performance + + # List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory + controlledResources: [] + # Specifies which resource values should be controlled: RequestsOnly or RequestsAndLimits. + # controlledValues: RequestsAndLimits + + # Define the max allowed resources for the pod + maxAllowed: {} + # cpu: 200m + # memory: 100Mi + # Define the min allowed resources for the pod + minAllowed: {} + # cpu: 200m + # memory: 100Mi + + updatePolicy: + # Specifies minimal number of replicas which need to be alive for VPA Updater to attempt pod eviction + # minReplicas: 1 + # Specifies whether recommended updates are applied when a Pod is started and whether recommended updates + # are applied during the life of a Pod. Possible values are "Off", "Initial", "Recreate", and "Auto". + updateMode: Auto + + volumeMounts: [] + + volumes: [] + + webhookUrl: "" 
diff --git a/packages/system/reloader/values.yaml b/packages/system/reloader/values.yaml
new file mode 100644
index 00000000..cbfae7ca
--- /dev/null
+++ b/packages/system/reloader/values.yaml
@@ -0,0 +1,3 @@
+reloader:
+ reloader:
+ reloadStrategy: annotations
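Review bot: The override sets only `reloadStrategy: annotations` and leaves the container hardening at the vendored chart's defaults, which in this commit's values.yaml are `containerSecurityContext: {}` and `readOnlyRootFileSystem: false`, so the reloader container runs without `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]` or a read-only root filesystem even though the chart exposes all three (its commented example under `containerSecurityContext` lists exactly these keys, and deployment_test.yaml covers the `readOnlyRootFileSystem` toggle). Given that this service account is granted `get`/`list`/`watch` on Secrets (role.yaml in this commit, and presumably the cluster-scoped variant from clusterrole.yaml, which is not in this chunk), it is the container worth hardening, and this override file is the place to do it without patching the vendored chart. With the chart defaults `watchGlobally: true` and `rbac.enabled: true`, the namespaced Role in role.yaml is skipped and the cluster-wide binding applies; if Reloader is only needed for the LINSTOR components, `watchGlobally: false` or `namespaceSelector` would narrow what it can read, though I cannot tell from this chunk whether other bundles depend on it.

```yaml
reloader:
  reloader:
    reloadStrategy: annotations
    readOnlyRootFileSystem: true
    deployment:
      containerSecurityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
```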