Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[scalar-manager] Create the Helm chart for Scalar Manager #254

Merged
merged 12 commits into from
Jun 12, 2024
Merged

[scalar-manager] Create the Helm chart for Scalar Manager #254

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
7ef77d4
Remove the previous Helm chart for scalar-manager
supl Feb 26, 2024
f853e93
Create new Helm chart for Scalar Manager
supl Feb 27, 2024
3182519
Separate role rules by API group
supl May 1, 2024
d9991a4
Don't create service account if it's specified
supl May 6, 2024
1e1f690
Correct the service account name in role binding
supl May 6, 2024
aeb8ee4
Revise the chart template according to the feedback
supl May 10, 2024
819baf3
Add label to ConfigMap
kota2and3kan May 20, 2024
590d911
Update default value description of application.properties
kota2and3kan May 20, 2024
5502ca0
Remove the runAsUser context
supl May 20, 2024
b497bb1
Update Chart.yaml
kota2and3kan May 21, 2024
b870b5a
Update README to fix CI error
kota2and3kan May 21, 2024
b8864eb
Make the snapshot version to 3.0.0
supl Jun 5, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 10 additions & 6 deletions charts/scalar-manager/Chart.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,16 +2,20 @@ apiVersion: v2
name: scalar-manager
description: Scalar Manager
type: application
version: 2.0.0-SNAPSHOT
appVersion: 2.0.0-SNAPSHOT
version: 3.0.0-SNAPSHOT
appVersion: 3.0.0-SNAPSHOT
deprecated: false
icon: https://scalar-labs.com/wp-content/themes/scalar/assets/img/logo_scalar.svg
keywords:
- scalardb
- scalardl
- scalar-manager
- scalar-manager
- scalardb-cluster
- scalardl-ledger
- scalardl-auditor
- scalar-admin-for-kubernetes
home: https://scalar-labs.com/
sources:
- https://github.com/scalar-labs/scalar-manager
- https://github.com/scalar-labs/scalar-manager-api
- https://github.com/scalar-labs/scalar-manager-web
maintainers:
- name: Takanori Yokoyama
email: [email protected]
Expand Down
44 changes: 27 additions & 17 deletions charts/scalar-manager/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,28 +1,38 @@
# scalar-manager

![Version: 2.0.0-SNAPSHOT](https://img.shields.io/badge/Version-2.0.0--SNAPSHOT-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.0.0-SNAPSHOT](https://img.shields.io/badge/AppVersion-2.0.0--SNAPSHOT-informational?style=flat-square)
![Version: 3.0.0-SNAPSHOT](https://img.shields.io/badge/Version-3.0.0--SNAPSHOT-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 3.0.0-SNAPSHOT](https://img.shields.io/badge/AppVersion-3.0.0--SNAPSHOT-informational?style=flat-square)

Scalar Manager
Current chart version is `2.0.0-SNAPSHOT`
Current chart version is `3.0.0-SNAPSHOT`

**Homepage:** <https://scalar-labs.com/>

## Values

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| fullnameOverride | string | `""` | Override the fully qualified app name |
| image.pullPolicy | string | `"IfNotPresent"` | Specify a imagePullPolicy |
| image.repository | string | `"ghcr.io/scalar-labs/scalar-manager"` | Docker image |
| image.tag | string | `""` | Override the image tag whose default is the chart appVersion |
| imagePullSecrets | list | `[{"name":"reg-docker-secrets"}]` | Optionally specify an array of imagePullSecrets. Secrets must be manually created in the namespace |
| nameOverride | string | `""` | Override the Chart name |
| replicaCount | int | `1` | number of replicas to deploy |
| scalarManager.grafanaUrl | string | `""` | |
| scalarManager.port | int | `5000` | The port that Scalar Manager container exposes |
| scalarManager.refreshInterval | int | `30` | |
| scalarManager.targets | list | `[]` | |
| service.port | int | `8000` | The port that service exposes |
| service.type | string | `"ClusterIP"` | The service type |
| serviceAccount.automountServiceAccountToken | bool | `true` | Specify to mount a service account token or not |
| serviceAccount.serviceAccountName | string | `""` | Name of the existing service account resource |
| api.applicationProperties | string | The minimum template of application.properties is set by default. | The application.properties for Scalar Manager. If you want to customize application.properties, you can override this value with your application.properties. |
| api.image.pullPolicy | string | `"IfNotPresent"` | |
| api.image.repository | string | `"ghcr.io/scalar-labs/scalar-manager-api"` | |
| api.image.tag | string | `""` | |
| api.resources | object | `{}` | |
| fullnameOverride | string | `""` | |
| imagePullSecrets[0].name | string | `"reg-docker-secrets"` | |
| nameOverride | string | `""` | |
| nodeSelector | object | `{}` | |
| podAnnotations | object | `{}` | |
| podLabels | object | `{}` | |
| podSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
| replicaCount | int | `1` | |
| securityContext.allowPrivilegeEscalation | bool | `false` | |
| securityContext.capabilities.drop[0] | string | `"ALL"` | |
| securityContext.runAsNonRoot | bool | `true` | |
| service.port | int | `80` | |
| service.type | string | `"ClusterIP"` | |
| serviceAccount.automountServiceAccountToken | bool | `true` | |
| serviceAccount.serviceAccountName | string | `""` | |
| tolerations | list | `[]` | |
| web.image.pullPolicy | string | `"IfNotPresent"` | |
| web.image.repository | string | `"ghcr.io/scalar-labs/scalar-manager-web"` | |
| web.image.tag | string | `""` | |
| web.resources | object | `{}` | |
1 change: 1 addition & 0 deletions charts/scalar-manager/templates/_helpers.tpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,7 @@ Selector labels
{{- define "scalar-manager.selectorLabels" -}}
app.kubernetes.io/name: {{ include "scalar-manager.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/app: scalar-manager
{{- end }}

{{/*
Expand Down
58 changes: 0 additions & 58 deletions charts/scalar-manager/templates/deployment.yaml
View file
Open in desktop

This file was deleted.

9 changes: 0 additions & 9 deletions charts/scalar-manager/templates/role.yaml
View file
Open in desktop

This file was deleted.

13 changes: 0 additions & 13 deletions charts/scalar-manager/templates/rolebinding.yaml
View file
Open in desktop

This file was deleted.

19 changes: 19 additions & 0 deletions charts/scalar-manager/templates/scalar-manager/clusterrole.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a question. What is the reason why we use ClusterRole instead of Role?

In other words, does Scalar Manager access the following resources that need the ClusterRole?
https://kubernetes.io/docs/reference/access-authn-authz/rbac/#clusterrole-example

  • cluster-scoped resources (like nodes)
  • non-resource endpoints (like /healthz)
  • namespaced resources (like Pods), across all namespaces

metadata:
name: {{ include "scalar-manager.fullname" . }}
labels:
{{- include "scalar-manager.labels" . | nindent 4 }}
rules:
- apiGroups: [""]
resources: ["pods", "services", "namespaces", "configmaps", "secrets", "serviceaccounts"]
verbs: ["get", "list", "create", "patch", "delete", "update"]
- apiGroups: ["batch"]
resources: ["cronjobs", "jobs"]
verbs: ["get", "list", "create", "delete"]
- apiGroups: ["apps"]
resources: ["deployments"]
verbs: ["get", "list"]
- apiGroups: ["rbac.authorization.k8s.io"]
resources: ["roles", "rolebindings"]
verbs: ["get", "list", "create", "delete"]
15 changes: 15 additions & 0 deletions charts/scalar-manager/templates/scalar-manager/clusterrolebinding.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "scalar-manager.fullname" . }}
labels:
{{- include "scalar-manager.labels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: {{ include "scalar-manager.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
apiGroup: ""
roleRef:
kind: ClusterRole
name: {{ include "scalar-manager.fullname" . }}
apiGroup: rbac.authorization.k8s.io
10 changes: 10 additions & 0 deletions charts/scalar-manager/templates/scalar-manager/configmap.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
apiVersion: v1
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a question. I think this ConfigMap is used for storing cluster and pause information. And, it seems that this chart adds create permission for ConfigMap resources.

Do we need to create this ConfigMap on the helm chart side?

I want to confirm whether Scalar Manager API can create ConfigMap on the Scalar Manager side or not.

(If Scalar Manager can create ConfigMap, I want to know the reason why we need to create this ConfigMap on the helm chart side.)

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As we discussed, we will update Scalar Manager API to create ConfigMap by itself and remove this ConfigMap from the helm chart side in the future release.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As we discussed, we noticed that this ConfigMap overwrites some stored metadata (e.g., managed cluster or pause duration info) when we run the helm upgrade command. So, it would be better to remove this ConfigMap from the helm chart side and create it on the Scalar Manager API side.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We address this issue on the Scalar Manager API side.
https://github.com/scalar-labs/scalar-manager-api/pull/90

kind: ConfigMap
metadata:
name: {{ include "scalar-manager.fullname" . }}-api-application-properties
namespace: {{ .Release.Namespace }}
labels:
{{- include "scalar-manager.labels" . | nindent 4 }}
data:
scalar-manager-api-application.properties:
{{- toYaml .Values.api.applicationProperties | nindent 4 }}
73 changes: 73 additions & 0 deletions charts/scalar-manager/templates/scalar-manager/deployment.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,73 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "scalar-manager.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "scalar-manager.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
{{- include "scalar-manager.selectorLabels" . | nindent 6 }}
template:
metadata:
annotations:
checksum/config: {{ include (print $.Template.BasePath "/scalar-manager/configmap.yaml") . | sha256sum }}
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
checksum/config: {{ include (print $.Template.BasePath "/scalar-manager/configmap.yaml") . | sha256sum }}

I think this ConfigMap (/scalar-manager/configmap.yaml) is used for storing cluster or pause information. And, we don't update this ConfigMap by using the helm upgrade command directly (it will be updated by Scalar Manager API).

If the above understanding is correct, this checksum/config annotation doesn't work. And, I think we don't need this annotation because we don't need to restart (re-create) pods when the ConfigMap updates.

So, I think we can remove this annotation.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As we discussed, we will remove this annotation.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As we discussed in another comment, we decided to use application.properties. So, we will keep this annotation to apply the updated application.properties properly when we run the helm upgrade command.

{{- if .Values.podAnnotations }}
{{- toYaml .Values.podAnnotations | nindent 8 }}
{{- end }}
labels:
{{- include "scalar-manager.selectorLabels" . | nindent 8 }}
{{- if .Values.podLabels }}
{{- toYaml .Values.podLabels | nindent 8 }}
{{- end }}
spec:
restartPolicy: Always
serviceAccountName: {{ include "scalar-manager.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
containers:
- name: {{ .Chart.Name }}-api
image: "{{ .Values.api.image.repository }}:{{ .Values.api.image.tag | default .Chart.AppVersion }}"
resources:
{{- toYaml .Values.api.resources | nindent 12 }}
ports:
- containerPort: 8080
imagePullPolicy: {{ .Values.api.image.pullPolicy }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
volumeMounts:
- name: api-application-properties-volume
mountPath: /app/application.properties
subPath: scalar-manager-api-application.properties
- name: {{ .Chart.Name }}-web
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If my remembering is correct, Scalar Manager works as follows.

+-[Kubernetes Cluster A]---+  +-[Kubernetes Cluster B]---+  +-[Kubernetes Cluster C]---+
|                          |  |                          |  |                          |
|  +--------------------+  |  |  +--------------------+  |  |  +--------------------+  |
|  | Scalar products    |  |  |  | Scalar products    |  |  |  | Scalar products    |  |
|  +--------------------+  |  |  +--------------------+  |  |  +--------------------+  |
|                          |  |                          |  |                          |
|  +--------------------+  |  |  +--------------------+  |  |  +--------------------+  |
|  | Scalar Manager API |  |  |  | Scalar Manager API |  |  |  | Scalar Manager API |  |
|  +--------------------+  |  |  +--------------------+  |  |  +--------------------+  |
|            |             |  |            |             |  |            |             |
+------------+-------------+  +------------+-------------+  +------------+-------------+
             |                             |                             |
             |                             |                             |
             |                             |                             |
             +-----------------------------+-----------------------------+
                                           |
                                           |
                                           |
                                 +---------+----------+
                                 | Scalar Manager Web |
                                 +--------------------+

So, we don't need to deploy Scalar Manager API and Scalar Manager Web in the same one pod.

Vice versa, it would be better to deploy Scalar Manager API and Scalar Manager Web separately.

Is my understanding correct? (Sorry, I might miss some Scalar Manager specifications...)

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As we discussed, at this time, we must deploy api and web containers in one pod. It's a specification of the current Scalar Manager.

image: "{{ .Values.web.image.repository }}:{{ .Values.web.image.tag | default .Chart.AppVersion }}"
resources:
{{- toYaml .Values.web.resources | nindent 12 }}
ports:
- containerPort: 3000
imagePullPolicy: {{ .Values.web.image.pullPolicy }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
volumes:
- name: api-application-properties-volume
configMap:
name: {{ include "scalar-manager.fullname" . }}-api-application-properties
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
10 changes: 5 additions & 5 deletions charts/scalar-manager/templates/service.yaml → ...ger/templates/scalar-manager/service.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,16 +1,16 @@
apiVersion: v1
kind: Service
metadata:
namespace: {{ .Release.Namespace }}
name: {{ include "scalar-manager.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "scalar-manager.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.port }}
targetPort: {{ .Values.scalarManager.port }}
protocol: TCP
name: http
- protocol: TCP
name: web
port: {{ .Values.service.port }}
targetPort: 3000
selector:
{{- include "scalar-manager.selectorLabels" . | nindent 4 }}
2 changes: 1 addition & 1 deletion ...lar-manager/templates/serviceaccount.yaml → ...plates/scalar-manager/serviceaccount.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,8 @@
apiVersion: v1
kind: ServiceAccount
metadata:
namespace: {{ .Release.Namespace }}
name: {{ include "scalar-manager.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "scalar-manager.labels" . | nindent 4 }}
{{- end }}
Loading
Loading