Fix Helm templating of the mutating/validating webhooks and namespaces #91

Open
wants to merge 3 commits into
base: master
6 changes: 3 additions & 3 deletions .github/configs/ct-install.yaml
Expand Up @@ -6,12 +6,12 @@ chart-dirs:
- charts
chart-repos:
- openkruise=https://openkruise.github.io/charts
- minio=https://helm.min.io/
- minio=https://operator.min.io
- stable=https://charts.helm.sh/stable
- incubator=https://charts.helm.sh/incubator
helm-extra-args: "--timeout 600s"
helm-extra-args: "--timeout 600s"
validate-chart-schema: false
validate-maintainers: true
validate-maintainers: false
validate-yaml: true
exclude-deprecated: true
excluded-charts: []
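Review bot: `validate-maintainers` is flipped from `true` to `false` at the end of this hunk, which switches off a CI check instead of fixing whatever it flagged, and nothing in the PR title about webhook and namespace templating explains it. If the check fails because the new `Chart.yaml` carries no `maintainers` entry, add one there and keep the validation on. The `minio` repo URL change (`https://helm.min.io/` to `https://operator.min.io`) is also outside the stated fix; justify both in the description or move them to a separate PR. The `helm-extra-args` pair shows no visible difference, so it looks like a whitespace-only edit that can be dropped.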
6 changes: 3 additions & 3 deletions .github/configs/ct-lint.yaml
Expand Up @@ -6,12 +6,12 @@ chart-dirs:
- charts
chart-repos:
- openkruise=https://openkruise.github.io/charts
- minio=https://helm.min.io/
- minio=https://operator.min.io
- stable=https://charts.helm.sh/stable
- incubator=https://charts.helm.sh/incubator
helm-extra-args: "--timeout 600s"
helm-extra-args: "--timeout 600s"
validate-chart-schema: false
validate-maintainers: true
validate-maintainers: false
validate-yaml: true
exclude-deprecated: true
excluded-charts: []
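Review bot: with `validate-maintainers: false` in the lint config, maintainers are no longer checked for any chart under the `charts` directory, not only for the version added in this PR. Keep it `true` here and fix the chart metadata instead, and revert the `helm-extra-args` line, which has no visible change.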
2 changes: 1 addition & 1 deletion charts/kruise
21 changes: 21 additions & 0 deletions versions/kruise/1.6.0/.helmignore
@@ -0,0 +1,21 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
43 changes: 43 additions & 0 deletions versions/kruise/1.6.0/Chart.yaml
@@ -0,0 +1,43 @@
apiVersion: v1
name: kruise
description: Helm chart for kruise components
version: 1.6.0
appVersion: 1.5.2
kubeVersion: ">= 1.16.0-0"
icon: https://openkruise.io/img/openkruise-logo-bg.jpg
keywords:
- openkruise
- kubernetes
- kruise
- workload
- statefulset
- sidecar
- job
- deployment
- cloneset
home: https://openkruise.io
sources:
- https://github.com/openkruise/kruise
annotations:
artifacthub.io/changes: |
- kind: fixed
description: `MutatingWebhookConfiguration` and `ValidatingWebhookConfiguration` will exclude the Pod webhook on the explicitly disabled `PodWebhook` feature gate.
links:
- name: Github Issue
url: https://github.com/openkruise/charts/issues/90
- kind: fixed
description: `MutatingWebhookConfiguration` and `ValidatingWebhookConfiguration` will use proper `failurePolicy` for the Pod webhook according to the `webhookConfiguration.failurePolicy.pods` setting.
links:
- name: Github Issue
url: https://github.com/openkruise/charts/issues/90
- kind: changed
description: The `webhookConfiguration.failurePolicy.pods` setting had always been `Ignore` by default but, in fact, hardcoded to `Fail` - now the default `Ignore` setting is applied correctly.
links:
- name: Github Issue
url: https://github.com/openkruise/charts/issues/90
- kind: fixed
description: `MutatingWebhookConfiguration` and `ValidatingWebhookConfiguration` will use proper `namespace` according to the `installation.namespace` setting.
- kind: fixed
description: `MutatingWebhookConfiguration` and `ValidatingWebhookConfiguration` will use proper `timeoutSeconds` according to the `webhookConfiguration.timeoutSeconds` setting.
- kind: fixed
description: The `statefulsets.apps.kruise.io` CRD will use proper `namespace` according to the `installation.namespace` setting.
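Review bot: the `kind: changed` entry records that the effective `failurePolicy` of the Pod webhook moves from a hardcoded `Fail` to `Ignore`, which is a fail-open change for existing installs and needs more than a changelog line. With `Ignore`, Pod creation proceeds when the webhook cannot be reached, so anyone relying on the old effective behaviour has to set `webhookConfiguration.failurePolicy.pods=Fail` explicitly on upgrade; state that in the README. Separately, four `description:` values inside `artifacthub.io/changes` begin with a backtick, which YAML reserves and does not allow at the start of a plain scalar, so wrap those values in quotes.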
93 changes: 93 additions & 0 deletions versions/kruise/1.6.0/README.md
@@ -0,0 +1,93 @@
# Kruise v1.6.0

## Configuration

The following table lists the configurable parameters of the kruise chart and their default values.

| Parameter | Description | Default |
| ----------------------------------------- | ------------------------------------------------------------ | ----------------------------- |
| `featureGates` | Feature gates for Kruise, empty string means all enabled | ` ` |
| `installation.namespace` | namespace for kruise installation | `kruise-system` |
| `installation.createNamespace` | Whether to create the installation.namespace | `true` |
| `manager.log.level` | Log level that kruise-manager printed | `4` |
| `manager.replicas` | Replicas of kruise-controller-manager deployment | `2` |
| `manager.image.repository` | Repository for kruise-manager image | `openkruise/kruise-manager` |
| `manager.image.tag` | Tag for kruise-manager image | `v1.5.2` |
| `manager.resources.limits.cpu` | CPU resource limit of kruise-manager container | `200m` |
| `manager.resources.limits.memory` | Memory resource limit of kruise-manager container | `512Mi` |
| `manager.resources.requests.cpu` | CPU resource request of kruise-manager container | `100m` |
| `manager.resources.requests.memory` | Memory resource request of kruise-manager container | `256Mi` |
| `manager.metrics.port` | Port of metrics served | `8080` |
| `manager.webhook.port` | Port of webhook served | `9443` |
| `manager.pprofAddr` | Address of pprof served | `localhost:8090` |
| `manager.nodeAffinity` | Node affinity policy for kruise-manager pod | `{}` |
| `manager.nodeSelector` | Node labels for kruise-manager pod | `{}` |
| `manager.tolerations` | Tolerations for kruise-manager pod | `[]` |
| `daemon.extraEnvs` | Extra environment variables that will be pass onto pods | `[]` |
| `daemon.log.level` | Log level that kruise-daemon printed | `4` |
| `daemon.port` | Port of metrics and healthz that kruise-daemon served | `10221` |
| `daemon.pprofAddr` | Address of pprof served | `localhost:10222` |
| `daemon.resources.limits.cpu` | CPU resource limit of kruise-daemon container | `50m` |
| `daemon.resources.limits.memory` | Memory resource limit of kruise-daemon container | `128Mi` |
| `daemon.resources.requests.cpu` | CPU resource request of kruise-daemon container | `0` |
| `daemon.resources.requests.memory` | Memory resource request of kruise-daemon container | `0` |
| `daemon.affinity` | Affinity policy for kruise-daemon pod | `{}` |
| `daemon.socketLocation` | Location of the container manager control socket | `/var/run` |
| `daemon.socketFile` | Specify the socket file name in `socketLocation` (if you are not using containerd/docker/pouch/cri-o) | ` ` |
| `webhookConfiguration.failurePolicy.pods` | The failurePolicy for pods in mutating webhook configuration | `Ignore` |
| `webhookConfiguration.timeoutSeconds` | The timeoutSeconds for all webhook configuration | `30` |
| `crds.managed` | Kruise will not install CRDs with chart if this is false | `true` |
| `manager.resyncPeriod` | Resync period of informer kruise-manager, defaults no resync | `0` |
| `manager.hostNetwork` | Whether kruise-manager pod should run with hostnetwork | `false` |
| `imagePullSecrets` | The list of image pull secrets for kruise image | `false` |
| `enableKubeCacheMutationDetector` | Whether to enable KUBE_CACHE_MUTATION_DETECTOR | `false` |

Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,

### Optional: feature-gate

Feature-gate controls some influential features in Kruise:

| Name | Description | Default | Effect (if closed) |
|---------------------------------------------|-----------------------------------------------------------------------------------------------------------------------| ------- |-------------------------------------------------------------------------------------------------------------------|
| `PodWebhook` | Whether to open a webhook for Pod **create** | `true` | SidecarSet/KruisePodReadinessGate disabled |
| `KruiseDaemon` | Whether to deploy `kruise-daemon` DaemonSet | `true` | ImagePulling/ContainerRecreateRequest disabled |
| `DaemonWatchingPod` | Should each `kruise-daemon` watch pods on the same node | `true` | For in-place update with same imageID or env from labels/annotations |
| `CloneSetShortHash` | Enables CloneSet controller only set revision hash name to pod label | `false` | CloneSet name can not be longer than 54 characters |
| `KruisePodReadinessGate` | Enables Kruise webhook to inject 'KruisePodReady' readiness-gate to all Pods during creation | `false` | The readiness-gate will only be injected to Pods created by Kruise workloads |
| `PreDownloadImageForInPlaceUpdate` | Enables CloneSet controller to create ImagePullJobs to pre-download images for in-place update | `true` | No image pre-download for in-place update |
| `CloneSetPartitionRollback` | Enables CloneSet controller to rollback Pods to currentRevision when number of updateRevision pods is bigger than (replicas - partition) | `false` | CloneSet will only update Pods to updateRevision |
| `ResourcesDeletionProtection` | Enables protection for resources deletion | `true` | No protection for resources deletion |
| `TemplateNoDefaults` | Whether to disable defaults injection for pod/pvc template in workloads | `false` | Should not close this feature if it has open |
| `PodUnavailableBudgetDeleteGate` | Enables PodUnavailableBudget for pod deletion, eviction | `true` | No protection for pod deletion, eviction |
| `PodUnavailableBudgetUpdateGate` | Enables PodUnavailableBudget for pod.Spec update | `false` | No protection for in-place update |
| `WorkloadSpread` | Enables WorkloadSpread to manage multi-domain and elastic deploy | `true` | WorkloadSpread disabled |
| `InPlaceUpdateEnvFromMetadata` | Enables Kruise to in-place update a container in Pod when its env from labels/annotations changed and pod is in-place updating | `true` | Only container image can be in-place update |
| `StatefulSetAutoDeletePVC` | Enables policies controlling deletion of PVCs created by a StatefulSet | `true` | No deletion of PVCs by StatefulSet |
| `PreDownloadImageForDaemonSetUpdate` | Enables DaemonSet controller to create ImagePullJobs to pre-download images for in-place update | `false` | No image pre-download for in-place update |
| `PodProbeMarkerGate` | Whether to turn on PodProbeMarker ability | `true` | PodProbeMarker disabled |
| `SidecarSetPatchPodMetadataDefaultsAllowed` | Allow SidecarSet patch any annotations to Pod Object | `false` | Annotations are not allowed to patch randomly and need to be configured via SidecarSet_PatchPodMetadata_WhiteList |
| `SidecarTerminator` | SidecarTerminator enables SidecarTerminator to stop sidecar containers when all main containers exited | `false` | SidecarTerminator disabled |
| `CloneSetEventHandlerOptimization` | CloneSetEventHandlerOptimization enable optimization for cloneset-controller to reduce the queuing frequency cased by pod update | `false` | optimization for cloneset-controller to reduce the queuing frequency cased by pod update disabled |
| `PreparingUpdateAsUpdate` | PreparingUpdateAsUpdate enable CloneSet/Advanced StatefulSet controller to regard preparing-update Pod as updated when calculating update/current revision during scaling. | `false` | Pods at preparing update state will be regarded as current revision instead of update revision |
| `ImagePullJobGate` | ImagePullJobGate enable imagepulljob-controller execute ImagePullJob | `false` | ImagePullJob and PreDownloadImageForInPlaceUpdate are disabled |
| `ResourceDistributionGate` | ResourceDistributionGate enable resourcedistribution-controller execute ResourceDistribution. | `false` | ResourceDistribution disabled |
| `DeletionProtectionForCRDCascadingGate` | DeletionProtectionForCRDCascadingGate enable deletionProtection for crd Cascading | `false` | CustomResourceDefinition deletion protection disabled |

If you want to configure the feature-gate, just set the parameter when install or upgrade. Such as:

```bash
$ helm install kruise https://... --set featureGates="ResourcesDeletionProtection=true\,PreDownloadImageForInPlaceUpdate=true"
...
```

If you want to enable all feature-gates, set the parameter as `featureGates=AllAlpha=true`.

### Optional: the local image for China

If you are in China and have problem to pull image from official DockerHub, you can use the registry hosted on Alibaba Cloud:

```bash
$ helm install kruise https://... --set manager.image.repository=openkruise-registry.cn-hangzhou.cr.aliyuncs.com/openkruise/kruise-manager
...
```
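Review bot: the `webhookConfiguration.failurePolicy.pods` row still describes the setting as applying to the mutating webhook configuration only, while the changelog in `Chart.yaml` says both `MutatingWebhookConfiguration` and `ValidatingWebhookConfiguration` now honour it; update the description and note that `Ignore` is now the effective default. The sentence ending in "For example," just before the feature-gate section has no example after it, `imagePullSecrets` is described as a list but shows a default of `false`, and the heading `Kruise v1.6.0` is the chart version while `manager.image.tag` defaults to `v1.5.2`, so the heading should say which version it means.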
1 change: 1 addition & 0 deletions versions/kruise/1.6.0/ci/default-values.yaml
@@ -0,0 +1 @@
# Test with default values
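Review bot: only the default values are exercised here, so none of the paths this PR fixes are covered by the chart-testing install run. Add further `ci/*-values.yaml` files that set `featureGates` with `PodWebhook=false`, a non-default `installation.namespace`, and `webhookConfiguration.failurePolicy.pods: Fail`, so a regression in the webhook templating fails CI.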
96 changes: 96 additions & 0 deletions versions/kruise/1.6.0/templates/_helpers.tpl
@@ -0,0 +1,96 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "kruise.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}

{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "kruise.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "kruise.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}

{{/*
Lookup existing immutatble resources
*/}}
{{- define "webhookServiceSpec" -}}
{{- $service := lookup "v1" "Service" .Values.installation.namespace "kruise-webhook-service" -}}
{{- if $service -}}
{{ if $service.spec.clusterIP -}}
clusterIP: {{ $service.spec.clusterIP }}
{{- end }}
{{ if $service.spec.clusterIPs -}}
clusterIPs:
{{ $service.spec.clusterIPs }}
{{- end }}
{{ if $service.spec.ipFamilyPolicy -}}
ipFamilyPolicy: {{ $service.spec.ipFamilyPolicy }}
{{- end }}
{{ if $service.spec.ipFamilies -}}
ipFamilies:
{{ $service.spec.ipFamilies }}
{{- end }}
{{ if $service.spec.type -}}
type: {{ $service.spec.type }}
{{- end }}
{{ if $service.spec.ipFamily -}}
ipFamily: {{ $service.spec.ipFamily }}
{{- end }}
{{- end -}}
ports:
- port: 443
targetPort: {{ .Values.manager.webhook.port }}
selector:
control-plane: controller-manager
{{- end -}}

{{- define "webhookSecretData" -}}
{{- $secret := lookup "v1" "Secret" .Values.installation.namespace "kruise-webhook-certs" -}}
{{- if $secret -}}
data:
{{- range $k, $v := $secret.data }}
{{ $k }}: {{ $v }}
{{- end }}
{{- end }}
{{- end -}}

{{- define "serviceAccountManager" -}}
{{- $sa := lookup "v1" "ServiceAccount" .Values.installation.namespace "kruise-manager" -}}
{{- if $sa -}}
secrets:
{{- range $v := $sa.secrets }}
- name: {{ $v.name }}
{{- end }}
{{- end }}
{{- end -}}

{{- define "serviceAccountDaemon" -}}
{{- $sa := lookup "v1" "ServiceAccount" .Values.installation.namespace "kruise-daemon" -}}
{{- if $sa -}}
secrets:
{{- range $v := $sa.secrets }}
- name: {{ $v.name }}
{{- end }}
{{- end }}
{{- end -}}
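Review bot: in `webhookSecretData`, `{{ $k }}: {{ $v }}` copies every key of the live `kruise-webhook-certs` Secret into the rendered manifest, so the webhook certificate material is stored in the Helm release record as well as in the Secret itself. If the goal is only to keep existing certificates across upgrades, prefer leaving the Secret's data out of the rendered output, and at minimum quote the values. All four helpers depend on `lookup`, which returns an empty result under `helm template`, so the `installation.namespace` handling in them is not exercised by lint. `clusterIPs` and `ipFamilies` are printed as raw Go lists; pipe them through `toYaml`. The comment above `webhookServiceSpec` has a typo: "immutatble".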