diff --git a/charts/vcluster/Chart.yaml b/charts/vcluster/Chart.yaml
index 7aa293d1..0151e757 100644
--- a/charts/vcluster/Chart.yaml
+++ b/charts/vcluster/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: vcluster
 description: Virtual Kubernetes Cluster
 type: application
-version: 0.2.0
+version: 0.2.1
 appVersion: 0.1.0
 keywords:
 - vcluster
diff --git a/charts/vcluster/README.md b/charts/vcluster/README.md
index 851862f2..4686adeb 100644
--- a/charts/vcluster/README.md
+++ b/charts/vcluster/README.md
@@ -2,7 +2,7 @@ __This Chart is under active development! We try to improve documentation and values consistency over time__
-![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.2.1](https://img.shields.io/badge/Version-0.2.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 Virtual Kubernetes Cluster
@@ -152,35 +152,38 @@ We use a lifecycle Job/Cronjob to manage certain configurations within the vclus
 | lifecycle.cilium.enabled | bool | `true` | Install Cilium CNI |
 | lifecycle.cilium.on_install | bool | `true` | Install only on chart install (First install) |
 | lifecycle.cilium.version | string | `"1.9.18"` | Cilium version |
-| lifecycle.cleanup.enabled | bool | `true` | Enable/Disable Cleanup |
+| lifecycle.cleanup.annotations | object | `{"helm.sh/hook":"pre-delete","helm.sh/hook-delete-policy":"before-hook-creation"}` | Job Annotations |
+| lifecycle.cleanup.enabled | bool | `false` | Enable/Disable Cleanup |
+| lifecycle.cleanup.labels | object | `{}` | Job Labels |
+| lifecycle.current.cleanupScript | string | `nil` | Additional configuration script for the vcluster during cleanup (supports templating) |
 | lifecycle.current.extraManifests | object | See values.yaml | These manifests will be applied inside the cluster (supports templating) |
 | lifecycle.current.extraManifestsOnInstall | object | See values.yaml | These manifests will be applied inside the cluster, but only on $.Release.Install and wont be touched again (supports templating) |
-| lifecycle.current.script | string | `nil` | Additional configuration script for the current cluster (supports templating) |
-| lifecycle.job.affinity | object | `{}` | Affinity |
-| lifecycle.job.annotations | object | `{"helm.sh/hook":"post-install,post-upgrade","helm.sh/hook-delete-policy":"before-hook-creation"}` | Job Annotations |
-| lifecycle.job.extraVolumeMounts | list | `[]` | Additional Pod VolumeMounts |
-| lifecycle.job.extraVolumes | list | `[]` | Additional Pod Volumes |
-| lifecycle.job.failedJobsHistoryLimit | int | `3` | Cronjob failed jobs history limit |
-| lifecycle.job.image | object | `{"digest":"","pullPolicy":"Always","pullSecrets":[],"registry":"registry-group.mgmtbi.ch","repository":"sre/gitops/cluster_bootstrap","tag":"dev.clusterbuild"}` | Run Installer Jobs again (Only execute on Helm install) |
-| lifecycle.job.labels | object | `{}` | Job Labels |
-| lifecycle.job.nodeSelector | object | `{}` | Node Selector |
-| lifecycle.job.podAnnotations | object | `{}` | Pod Annotations |
-| lifecycle.job.podLabels | object | `{}` | Pod Labels |
-| lifecycle.job.podSecurityContext | object | `{"enabled":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Pod Security Context |
-| lifecycle.job.priorityClassName | string | `""` | Pod PriorityClassName |
-| lifecycle.job.reconciler | bool | `true` | Deploy as Cronjob to run periodically |
-| lifecycle.job.resources | object | `{}` | Resources configuration |
-| lifecycle.job.schedule | string | `"0 0 1 */6 *"` | Cronjob Schedule |
-| lifecycle.job.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"enabled":true,"privileged":false,"runAsGroup":20000,"runAsUser":20000}` | Container Security Context |
-| lifecycle.job.successfulJobsHistoryLimit | int | `3` | Cronjob successful jobs history limit |
-| lifecycle.job.tolerations | list | `[]` | Tolerations |
-| lifecycle.job.topologySpreadConstraints | list | `[]` | TopologySpreadConstraints |
+| lifecycle.current.setupScript | string | `nil` | Additional configuration script for the current cluster (supports templating) |
+| lifecycle.jobs.affinity | object | `{}` | Affinity |
+| lifecycle.jobs.extraVolumeMounts | list | `[]` | Additional Pod VolumeMounts |
+| lifecycle.jobs.extraVolumes | list | `[]` | Additional Pod Volumes |
+| lifecycle.jobs.nodeSelector | object | `{}` | Node Selector |
+| lifecycle.jobs.podAnnotations | object | `{}` | Pod Annotations |
+| lifecycle.jobs.podLabels | object | `{}` | Pod Labels |
+| lifecycle.jobs.podSecurityContext | object | `{"enabled":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Pod Security Context |
+| lifecycle.jobs.priorityClassName | string | `""` | Pod PriorityClassName |
+| lifecycle.jobs.resources | object | `{}` | Resources configuration |
+| lifecycle.jobs.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"enabled":true,"privileged":false,"runAsGroup":20000,"runAsUser":20000}` | Container Security Context |
+| lifecycle.jobs.tolerations | list | `[]` | Tolerations |
+| lifecycle.jobs.topologySpreadConstraints | list | `[]` | TopologySpreadConstraints |
 | lifecycle.serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
 | lifecycle.serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
 | lifecycle.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
+| lifecycle.setup.annotations | object | `{"helm.sh/hook":"post-install,post-upgrade","helm.sh/hook-delete-policy":"before-hook-creation"}` | Job Annotations |
+| lifecycle.setup.cronjob | bool | `true` | Deploy as Cronjob to run periodically |
+| lifecycle.setup.failedJobsHistoryLimit | int | `3` | Cronjob failed jobs history limit |
+| lifecycle.setup.labels | object | `{}` | Job Labels |
+| lifecycle.setup.schedule | string | `"0 0 1 */6 *"` | Cronjob Schedule |
+| lifecycle.setup.successfulJobsHistoryLimit | int | `3` | Cronjob successful jobs history limit |
+| lifecycle.vcluster.cleanupScript | string | `nil` | Additional configuration script for the vcluster during cleanup (supports templating) |
 | lifecycle.vcluster.extraManifests | object | See values.yaml | These manifests will be applied inside the vcluster (supports templating) |
 | lifecycle.vcluster.extraManifestsOnInstall | object | See values.yaml | These manifests will be applied inside the vcluster, but only on $.Release.Install and wont be touched again (supports templating) |
-| lifecycle.vcluster.script | string | `nil` | Additional configuration script for the vcluster (supports templating) |
+| lifecycle.vcluster.setupScript | string | `nil` | Additional configuration script for the vcluster during reconciler (supports templating) |
 ## Machine Values
diff --git a/charts/vcluster/ci/test-values.yaml b/charts/vcluster/ci/components-values.yaml
similarity index 100%
rename from charts/vcluster/ci/test-values.yaml
rename to charts/vcluster/ci/components-values.yaml
diff --git a/charts/vcluster/ci/konnectivity-default-values.yaml b/charts/vcluster/ci/konnectivity-default-values.yaml
new file mode 100644
index 00000000..6332638d
--- /dev/null
+++ b/charts/vcluster/ci/konnectivity-default-values.yaml
@@ -0,0 +1,14 @@
+kubernetes:
+ enabled: true
+ apiServer:
+ service:
+ type: LoadBalancer
+ controlPlane:
+ endpoint: 0.0.0.0
+ konnectivity:
+ server:
+ enabled: true
+ service:
+ type: LoadBalancer
+ agent:
+ enabled: true
\ No newline at end of file
diff --git a/charts/vcluster/manifests/kubernetes/konnectivity-agent.yaml b/charts/vcluster/manifests/kubernetes/konnectivity-agent.yaml
index 0d6337e3..a00ed7e4 100644
--- a/charts/vcluster/manifests/kubernetes/konnectivity-agent.yaml
+++ b/charts/vcluster/manifests/kubernetes/konnectivity-agent.yaml
@@ -1,5 +1,5 @@
+{{- $kubernetes := $.Values.kubernetes -}}
 {{- if and $kubernetes.konnectivity.enabled $kubernetes.konnectivity.agent.enabled }}
- {{- $kubernetes := $.Values.kubernetes -}}
 {{- $fullName := include "kubernetes.fullname" . -}}
 ---
 apiVersion: v1
@@ -115,23 +115,27 @@ spec:
 - --service-account-token-path=/var/run/secrets/tokens/konnectivity-agent-token
 {{- if not (hasKey $kubernetes.konnectivity.agent.args "proxy-server-host") }}
- {{- if and (eq $kubernetes.konnectivity.server.mode "HTTPConnect") $kubernetes.konnectivity.server.service.loadBalancerIP }}
+ {{- if and $kubernetes.konnectivity.server.sidecar (include "kubernetes.api.endpointIP" $) }}
+ - --proxy-server-host={{ include "kubernetes.api.endpointIP" $ }}
+ {{- else if and (eq $kubernetes.konnectivity.server.mode "HTTPConnect") $kubernetes.konnectivity.server.service.loadBalancerIP }}
 - --proxy-server-host={{ $kubernetes.konnectivity.server.service.loadBalancerIP }}
- {{- else if and (eq $kubernetes.konnectivity.server.mode "GRPC") $kubernetes.apiServer.service.loadBalancerIP }}
+ {{- else if and (eq $kubernetes.konnectivity.server.mode "GRPC") $kubernetes.apiServer.service.loadBalancerIP }}
 - --proxy-server-host={{ $kubernetes.apiServer.service.loadBalancerIP }}
- {{- else }}
- {{- fail "kubernetes.konnectivity.agent.args.proxy-server-host must be specified!" }}
- {{- end }}
+ {{- else }}
+ {{- fail "kubernetes.konnectivity.agent.args.proxy-server-host must be specified!" }}
+ {{- end }}
 {{- end }}
 {{- if not (hasKey $kubernetes.konnectivity.agent.args "proxy-server-port") }}
- {{- if eq $kubernetes.konnectivity.server.service.type "LoadBalancer" }}
+ {{- if and $kubernetes.konnectivity.server.sidecar (include "kubernetes.api.endpointPort" $) }}
+ - --proxy-server-port={{ include "kubernetes.api.endpointPort" $ }}
+ {{- else if eq $kubernetes.konnectivity.server.service.type "LoadBalancer" }}
 - --proxy-server-port={{ $kubernetes.konnectivity.server.service.ports.agent }}
- {{- else if $kubernetes.konnectivity.server.service.NodePort }}
+ {{- else if $kubernetes.konnectivity.server.service.NodePort }}
 - --proxy-server-port={{ $kubernetes.konnectivity.server.service.nodePorts.agent }}
- {{- else }}
- {{- fail "kubernetes.konnectivity.agent.args.proxy-server-port must be specified!" }}
- {{- end }}
+ {{- else }}
+ {{- fail "kubernetes.konnectivity.agent.args.proxy-server-port must be specified!" }}
+ {{- end }}
 {{- end }}
 - --admin-server-port={{ $kubernetes.konnectivity.agent.ports.admin }}
 - --health-server-port={{ $kubernetes.konnectivity.agent.ports.health }}
diff --git a/charts/vcluster/templates/components/kubernetes/apiserver/certs.yaml b/charts/vcluster/templates/components/kubernetes/apiserver/certs.yaml
index f9830cc2..e7b832f0 100644
--- a/charts/vcluster/templates/components/kubernetes/apiserver/certs.yaml
+++ b/charts/vcluster/templates/components/kubernetes/apiserver/certs.yaml
@@ -25,8 +25,7 @@ spec:
 - "cert sign"
 isCA: true
 issuerRef:
- name: "{{ $fullName }}-selfsigning-issuer"
- kind: Issuer
+ {{- include "pkg.components.certificates.issuer" $ | nindent 4 }}
 ---
 apiVersion: cert-manager.io/v1
 kind: Issuer
diff --git a/charts/vcluster/templates/components/kubernetes/etcd/certs.yaml b/charts/vcluster/templates/components/kubernetes/etcd/certs.yaml
index 022c2f37..14f69daa 100644
--- a/charts/vcluster/templates/components/kubernetes/etcd/certs.yaml
+++ b/charts/vcluster/templates/components/kubernetes/etcd/certs.yaml
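Review bot: The sidecar branches for `--proxy-server-host` and `--proxy-server-port` test `$kubernetes.konnectivity.server.sidecar` together with the two `include` results independently, so if only one of `kubernetes.api.endpointIP` / `kubernetes.api.endpointPort` renders non-empty the agent is handed a host from the API endpoint paired with a port from the LoadBalancer or NodePort branch. Evaluating the pairing once keeps host and port from the same source: `{{- $sidecarEndpoint := and $kubernetes.konnectivity.server.sidecar (include "kubernetes.api.endpointIP" $) (include "kubernetes.api.endpointPort" $) }}` before the first `hasKey` check, then `{{- if $sidecarEndpoint }}` in both places. Whether `kubernetes.api.endpointPort` is the port the sidecar konnectivity server listens on, rather than the API server's own port, cannot be told from this hunk and deserves a comment next to the branch. The re-added `{{- else if $kubernetes.konnectivity.server.service.NodePort }}` reads a field named `NodePort` while the line above compares `.service.type` to `"LoadBalancer"`; unless `service.NodePort` is a real values key this probably wants `eq $kubernetes.konnectivity.server.service.type "NodePort"`. The container definition this args list belongs to starts outside the hunk.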
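Review bot: The CA `Certificate` here (`isCA: true`, `"cert sign"`) now takes its `issuerRef` from `pkg.components.certificates.issuer`, which in this diff resolves from `global.components.exposure.certificates.issuer`, i.e. the issuer configured for external exposure. With `selfSigned: false` the API server CA would be requested from that external issuer, which ties the control plane's internal trust root to the ingress issuer setting (an ACME-backed issuer cannot honour a CA request at all); the etcd and konnectivity `certs.yaml` hunks make the same change. If the coupling is intended, record it above the include, e.g. `{{/* CA issuer is shared with the exposure certificates (global.components.exposure.certificates.issuer) */}}`; otherwise a dedicated values key for the internal CA issuer would keep the two trust domains separate. The `kind: Issuer` resource that follows the `---` appears to remain in the template; if nothing references `{{ $fullName }}-selfsigning-issuer` any more it can be dropped.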
@@ -25,8 +25,7 @@ spec:
 - "cert sign"
 isCA: true
 issuerRef:
- name: "{{ $fullName }}-selfsigning-issuer"
- kind: Issuer
+ {{- include "pkg.components.certificates.issuer" $ | nindent 4 }}
 ---
 apiVersion: cert-manager.io/v1
 kind: Issuer
diff --git a/charts/vcluster/templates/components/kubernetes/konnectivity/certs.yaml b/charts/vcluster/templates/components/kubernetes/konnectivity/certs.yaml
index 619697a2..954b7546 100644
--- a/charts/vcluster/templates/components/kubernetes/konnectivity/certs.yaml
+++ b/charts/vcluster/templates/components/kubernetes/konnectivity/certs.yaml
@@ -26,8 +26,7 @@ spec:
 - "cert sign"
 isCA: true
 issuerRef:
- name: "{{ $fullName }}-selfsigning-issuer"
- kind: Issuer
+ {{- include "pkg.components.certificates.issuer" $ | nindent 4 }}
 ---
 apiVersion: cert-manager.io/v1
 kind: Issuer
diff --git a/charts/vcluster/templates/components/kubernetes/konnectivity/manifests.yaml b/charts/vcluster/templates/components/kubernetes/konnectivity/manifests.yaml
index b2556b67..638b10de 100644
--- a/charts/vcluster/templates/components/kubernetes/konnectivity/manifests.yaml
+++ b/charts/vcluster/templates/components/kubernetes/konnectivity/manifests.yaml
@@ -1,6 +1,5 @@
-{{/* Always deploy manifests (required for removals */}}
+{{- $kubernetes := $.Values.kubernetes -}}
 {{- if (include "kubernetes.enabled" $) -}}
- {{- $kubernetes := $.Values.kubernetes -}}
 {{- $fullName := include "kubernetes.fullname" . -}}
 {{- $component_name := "konnectivity" -}}
 {{- if $kubernetes.konnectivity.enabled -}}
diff --git a/charts/vcluster/templates/components/kubernetes/kubernetes-certs.yaml b/charts/vcluster/templates/components/kubernetes/kubernetes-certs.yaml
index 4c653c82..766af53c 100644
--- a/charts/vcluster/templates/components/kubernetes/kubernetes-certs.yaml
+++ b/charts/vcluster/templates/components/kubernetes/kubernetes-certs.yaml
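Review bot: Dropping the `{{/* Always deploy manifests (required for removals */}}` comment in the konnectivity `manifests.yaml` hunk removes the only explanation of why this file is guarded by `kubernetes.enabled` rather than by `kubernetes.konnectivity.enabled`; the hoisted `$kubernetes` assignment does not conflict with keeping it. Restore it, with the missing parenthesis, directly after the new assignment: `{{/* Always deploy manifests (required for removals) */}}`. The `if` block opened here closes outside the hunk.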
@@ -59,7 +59,7 @@ spec:
 - "cert sign"
 isCA: true
 issuerRef:
- name: "{{ $fullName }}-selfsigning-issuer"
+ name: "{{ $fullName }}-issuer"
 kind: Issuer
 ---
 {{- $svcName1 := printf "%s-controller-manager" $fullName }}
diff --git a/charts/vcluster/templates/ingress/certificate.yaml b/charts/vcluster/templates/expose/certificate.yaml
similarity index 100%
rename from charts/vcluster/templates/ingress/certificate.yaml
rename to charts/vcluster/templates/expose/certificate.yaml
diff --git a/charts/vcluster/templates/ingress/issuer.yaml b/charts/vcluster/templates/expose/issuer.yaml
similarity index 79%
rename from charts/vcluster/templates/ingress/issuer.yaml
rename to charts/vcluster/templates/expose/issuer.yaml
index 93295b6c..2fcf2915 100644
--- a/charts/vcluster/templates/ingress/issuer.yaml
+++ b/charts/vcluster/templates/expose/issuer.yaml
@@ -3,7 +3,7 @@ apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
- name: {{ include "vcluster.fullname" $ }}-self-signed
+ name: {{ include "pkg.components.certificates.default_issuer" $ }}
 namespace: {{ .Release.Namespace }}
 labels:
 {{- include "vcluster.labels" $ | nindent 4 }}
diff --git a/charts/vcluster/templates/lifecycle/cronjob.yaml b/charts/vcluster/templates/lifecycle/cronjob.yaml
index 6794458c..1ceb33ab 100644
--- a/charts/vcluster/templates/lifecycle/cronjob.yaml
+++ b/charts/vcluster/templates/lifecycle/cronjob.yaml
@@ -30,5 +30,6 @@ spec:
 {{- end }}
 spec:
 template:
- {{- (include (print $.Template.BasePath "/lifecycle/job.yaml") . | fromYaml ).spec.template | toYaml | nindent 8 }}
+ {{- (include (print $.Template.BasePath "/lifecycle/setup.yaml") . | fromYaml ).spec.template | toYaml | nindent 8 }}
 {{- end -}}
+
diff --git a/charts/vcluster/templates/pkg/_components.tpl b/charts/vcluster/templates/pkg/_components.tpl
index 183e6aee..00e4178c 100644
--- a/charts/vcluster/templates/pkg/_components.tpl
+++ b/charts/vcluster/templates/pkg/_components.tpl
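Review bot: This `issuerRef` stays hard-coded (`name: "{{ $fullName }}-issuer"`, `kind: Issuer`) while the apiserver, etcd and konnectivity `certs.yaml` hunks in the same diff replace the identical construct with `{{- include "pkg.components.certificates.issuer" $ | nindent 4 }}`; either this CA should go through the helper as well, or a comment should record why it is pinned to a local Issuer. Whether an Issuer named `{{ $fullName }}-issuer` is defined anywhere is not visible from this hunk (the previous name was `{{ $fullName }}-selfsigning-issuer`), so please confirm the rename has a matching resource, since a Certificate pointing at a missing Issuer never becomes Ready and the dependent control-plane components will not start. The enclosing Certificate spec begins outside the hunk.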
@@ -208,17 +208,18 @@
 {{- end -}}
 {{- end -}}
+{{- define "pkg.components.certificates.default_issuer" -}}
+{{ include "pkg.cluster.name" $ }}-self-signed
+{{- end -}}
-$.Values.global.components.admission.expose
-
 {{- define "pkg.components.certificates.issuer" -}}
 {{- $components := $.Values.global.components -}}
 {{- with $components.exposure.certificates.issuer }}
 {{- if .selfSigned }}
 kind: Issuer
-name: {{ include "vcluster.fullname" $ }}-self-signed
+name: {{ include "pkg.components.certificates.default_issuer" $ }}
 {{- else }}
 kind: {{ .kind }}
 name: {{ default (include "vcluster.fullname" $) .name }}