Commit

Adding modifiable priority class to controller-manager and audit deployment

Signed-off-by: Botond Borbely <botond.borbely@nokia.com>
Botond Borbely committed Dec 7, 2020
1 parent f46bfb2 commit df1f593
Showing 6 changed files with 50 additions and 29 deletions.
2 changes: 1 addition & 1 deletion Makefile
Expand Up @@ -6,7 +6,7 @@ IMG := $(REPOSITORY):latest
DEV_TAG ?= dev
USE_LOCAL_IMG ?= false

VERSION := v3.3.0-beta.2
VERSION := v3.3.0-beta.3

KIND_VERSION ?= 0.8.1
# note: k8s version pinned since KIND image availability lags k8s releases
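Review bot: the release bump from v3.3.0-beta.2 to v3.3.0-beta.3 is unrelated to the priority-class feature and is better kept in its own commit, so the feature can be reverted or cherry-picked without dragging the version change along; if it must stay here, the commit message should mention it.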
6 changes: 4 additions & 2 deletions cmd/build/helmify/kustomize-for-helm.yaml
Expand Up @@ -55,6 +55,7 @@ spec:
metadata:
annotations: HELMSUBST_ANNOTATIONS
spec:
priorityClassName: HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_CONTAINER_PRIORITYCLASS
containers:
- name: manager
args:
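Review bot: `HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_CONTAINER_PRIORITYCLASS` has no entry in the replacements.go hunk of this commit, which instead emits `priorityClassName` from inside the `HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_POD_SCHEDULING` block. Unless the key is defined somewhere not shown here, the placeholder will be copied verbatim into the generated Deployment; and if it is defined, the pod spec ends up with two `priorityClassName` keys, one here and one from the scheduling block. Keep a single injection point: since the scheduling block already emits the field conditionally, drop this line.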
Expand All @@ -67,7 +68,7 @@ spec:
imagePullPolicy: "{{ .Values.image.pullPolicy }}"
image: "{{ .Values.image.repository }}:{{ .Values.image.release }}"
resources: HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_CONTAINER_RESOURCES
nodeSelector: HELMSUBST_DEPLOYMENT_POD_SCHEDULING
nodeSelector: HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_POD_SCHEDULING
---
apiVersion: apps/v1
kind: Deployment
Expand All @@ -79,6 +80,7 @@ spec:
metadata:
annotations: HELMSUBST_ANNOTATIONS
spec:
priorityClassName: HELMSUBST_DEPLOYMENT_AUDIT__CONTAINER_PRIORITYCLASS
containers:
- name: manager
args:
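Review bot: `HELMSUBST_DEPLOYMENT_AUDIT__CONTAINER_PRIORITYCLASS` has a doubled underscore, unlike `HELMSUBST_DEPLOYMENT_AUDIT_CONTAINER_RESOURCES` in the next hunk. The same concern as for the controller-manager applies: no replacement for this key is added in this commit, and `priorityClassName` is already emitted from `HELMSUBST_DEPLOYMENT_AUDIT_POD_SCHEDULING`, so this line is either left unreplaced or duplicates the key. Remove it, or fix the name and add a matching entry in replacements.go while removing the field from the scheduling block.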
Expand All @@ -94,7 +96,7 @@ spec:
imagePullPolicy: "{{ .Values.image.pullPolicy }}"
image: "{{ .Values.image.repository }}:{{ .Values.image.release }}"
resources: HELMSUBST_DEPLOYMENT_AUDIT_CONTAINER_RESOURCES
nodeSelector: HELMSUBST_DEPLOYMENT_POD_SCHEDULING
nodeSelector: HELMSUBST_DEPLOYMENT_AUDIT_POD_SCHEDULING
---
apiVersion: v1
kind: Secret
19 changes: 17 additions & 2 deletions cmd/build/helmify/replacements.go
Expand Up @@ -7,14 +7,29 @@ var replacements = map[string]string{
"HELMSUBST_DEPLOYMENT_AUDIT_CONTAINER_RESOURCES": `
{{ toYaml .Values.audit.resources | indent 10 }}`,

"HELMSUBST_DEPLOYMENT_POD_SCHEDULING": `
"HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_POD_SCHEDULING": `
{{ toYaml .Values.nodeSelector | indent 8 }}
affinity:
{{ toYaml .Values.affinity | indent 8 }}
tolerations:
{{ toYaml .Values.tolerations | indent 8 }}
imagePullSecrets:
{{ toYaml .Values.image.pullSecrets | indent 8 }}`,
{{ toYaml .Values.image.pullSecrets | indent 8 }}
{{- if .Values.controllerManager.priorityClassName }}
priorityClassName: {{ .Values.controllerManager.priorityClassName }}
{{- end }}`,

"HELMSUBST_DEPLOYMENT_AUDIT_POD_SCHEDULING": `
{{ toYaml .Values.nodeSelector | indent 8 }}
affinity:
{{ toYaml .Values.affinity | indent 8 }}
tolerations:
{{ toYaml .Values.tolerations | indent 8 }}
imagePullSecrets:
{{ toYaml .Values.image.pullSecrets | indent 8 }}
{{- if .Values.audit.priorityClassName }}
priorityClassName: {{ .Values.audit.priorityClassName }}
{{- end }}`,

"HELMSUBST_DEPLOYMENT_REPLICAS": `{{ .Values.replicas }}`,

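Review bot: the two scheduling blocks are byte-for-byte identical apart from `.Values.controllerManager` versus `.Values.audit`; a single template string with the values path substituted (for example via `fmt.Sprintf`) would keep the two deployments from drifting as more per-component fields are added. Also, `{{- if ... }}` trims the preceding newline, so the indentation of `priorityClassName:` decides whether it lands at pod-spec level alongside `affinity:` and `tolerations:` or under `imagePullSecrets:`; the rendered diff loses leading whitespace, so please confirm the placement in `helm template` output. Emitting the field only when the value is non-empty is the right call, since it lets users opt out with `priorityClassName: ""`.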
4 changes: 2 additions & 2 deletions cmd/build/helmify/static/Chart.yaml
Expand Up @@ -3,8 +3,8 @@ description: A Helm chart for Gatekeeper
name: gatekeeper
keywords:
- open policy agent
version: 3.3.0-beta.2
version: 3.3.0-beta.3
home: https://github.com/open-policy-agent/gatekeeper
sources:
- https://github.com/open-policy-agent/gatekeeper.git
appVersion: v3.3.0-beta.2
appVersion: v3.3.0-beta.3
46 changes: 24 additions & 22 deletions cmd/build/helmify/static/README.md
Expand Up @@ -2,28 +2,30 @@

## Parameters

| Parameter | Description | Default |
| :------------------------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------ |
| auditInterval | The frequency with which audit is run | `60` |
| constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` |
| auditFromCache | Take the roster of resources to audit from the OPA cache | `false` |
| auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `0` |
| disableValidatingWebhook | Disable ValidatingWebhook | `false` |
| emitAdmissionEvents | Emit K8s events in gatekeeper namespace for admission violations (alpha feature) | `false` |
| emitAuditEvents | Emit K8s events in gatekeeper namespace for audit violations (alpha feature) | `false` |
| logLevel | Minimum log level | `INFO` |
| image.pullPolicy | The image pull policy | `IfNotPresent` |
| image.repository | Image repository | `openpolicyagent/gatekeeper` |
| image.release | The image release tag to use | Current release version: `v3.3.0-beta.2` |
| image.pullSecrets | Specify an array of imagePullSecrets | `[]` |
| resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi |
| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` |
| affinity | The node affinity to use for pod scheduling | `{}` |
| tolerations | The tolerations to use for pod scheduling | `[]` |
| replicas | The number of Gatekeeper replicas to deploy for the webhook | `1` |
| podAnnotations | The annotations to add to the Gatekeeper pods | `container.seccomp.security.alpha.kubernetes.io/manager: runtime/default` |
| secretAnnotations | The annotations to add to the Gatekeeper secrets | `{}` |
| customResourceDefinitions.create | Whether the release should install CRDs. Regardless of this value, Helm v3+ will install the CRDs if those are not present already. Use --skip-crds with helm install if you want to skip CRD creation | `true` |
| Parameter | Description | Default |
| :------------------------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------ |
| auditInterval | The frequency with which audit is run | `60` |
| constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` |
| auditFromCache | Take the roster of resources to audit from the OPA cache | `false` |
| auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `0` |
| disableValidatingWebhook | Disable ValidatingWebhook | `false` |
| emitAdmissionEvents | Emit K8s events in gatekeeper namespace for admission violations (alpha feature) | `false` |
| emitAuditEvents | Emit K8s events in gatekeeper namespace for audit violations (alpha feature) | `false` |
| logLevel | Minimum log level | `INFO` |
| image.pullPolicy | The image pull policy | `IfNotPresent` |
| image.repository | Image repository | `openpolicyagent/gatekeeper` |
| image.release | The image release tag to use | Current release version: `v3.3.0-beta.2` |
| image.pullSecrets | Specify an array of imagePullSecrets | `[]` |
| resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi |
| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` |
| affinity | The node affinity to use for pod scheduling | `{}` |
| tolerations | The tolerations to use for pod scheduling | `[]` |
| controllerManager.priorityClassName | Priority class name for controller manager | `system-cluster-critical` |
| audit.priorityClassName | Priority class name for audit controller | `system-cluster-critical` |
| replicas | The number of Gatekeeper replicas to deploy for the webhook | `1` |
| podAnnotations | The annotations to add to the Gatekeeper pods | `container.seccomp.security.alpha.kubernetes.io/manager: runtime/default` |
| secretAnnotations | The annotations to add to the Gatekeeper secrets | `{}` |
| customResourceDefinitions.create | Whether the release should install CRDs. Regardless of this value, Helm v3+ will install the CRDs if those are not present already. Use --skip-crds with helm install if you want to skip CRD creation | `true` |

## Contributing Changes

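Review bot: the `image.release` row still reads `v3.3.0-beta.2` while Chart.yaml and the Makefile in this same commit move to `v3.3.0-beta.3`; update the default to match. The two new rows are also padded narrower than the header separator, so the source table no longer aligns with the surrounding rows. Since the template emits the field only when the value is set, the descriptions could say that an empty value omits `priorityClassName` from the pod spec.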
2 changes: 2 additions & 0 deletions cmd/build/helmify/static/values.yaml
Expand Up @@ -19,6 +19,7 @@ podAnnotations:
{ container.seccomp.security.alpha.kubernetes.io/manager: runtime/default }
secretAnnotations: {}
controllerManager:
priorityClassName: system-cluster-critical
resources:
limits:
cpu: 1000m
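Review bot: defaulting a user-installed chart to `system-cluster-critical` is a strong choice: it is the priority the cluster's own control-plane add-ons run at, so Gatekeeper pods will preempt ordinary workloads under pressure, and clusters that still admit the system-* classes only in `kube-system` would reject the install outright. Please confirm the chart's minimum supported Kubernetes version admits this class in other namespaces, or default the value to empty and document `system-cluster-critical` as the recommended setting for the admission webhook.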
Expand All @@ -27,6 +28,7 @@ controllerManager:
cpu: 100m
memory: 256Mi
audit:
priorityClassName: system-cluster-critical
resources:
limits:
cpu: 1000m