feat: make podDisruptionBudget minAvailable/maxUnavailable configurable
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
aramase committed Apr 6, 2023
1 parent 59b83f2 commit 5e85eeb
Showing 7 changed files with 88 additions and 49 deletions.
50 changes: 26 additions & 24 deletions manifest_staging/charts/workload-identity-webhook/README.md
Expand Up @@ -29,30 +29,32 @@ helm upgrade -n azure-workload-identity-system [RELEASE_NAME] azure-workload-ide

## Parameters

| Parameter | Description | Default |
| :------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------ |
| replicaCount | The number of azure-workload-identity replicas to deploy for the webhook | `2` |
| image.repository | Image repository | `mcr.microsoft.com/oss/azure/workload-identity/webhook` |
| image.pullPolicy | Image pullPolicy | `IfNotPresent` |
| image.release | The image release tag to use | Current release version: `v1.0.0` |
| imagePullSecrets | Image pull secrets to use for retrieving images from private registries | `[]` |
| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` |
| resources | The resource request/limits for the container image | limits: 100m CPU, 30Mi, requests: 100m CPU, 20Mi |
| affinity | The node affinity to use for pod scheduling | `{}` |
| tolerations | The tolerations to use for pod scheduling | `[]` |
| service.type | Service type | `ClusterIP` |
| service.port | Service port | `443` |
| service.targetPort | Service target port | `9443` |
| azureTenantID | [**REQUIRED**] Azure tenant ID | `` |
| azureEnvironment | Azure Environment | `AzurePublicCloud` |
| logLevel | The log level to use for the webhook manager. In order of increasing verbosity: unset (empty string), info, debug, trace and all. | `info` |
| metricsAddr | The address to bind the metrics server to | `:8095` |
| metricsBackend | The metrics backend to use (`prometheus`) | `prometheus` |
| priorityClassName | The priority class name for webhook manager | `system-cluster-critical` |
| mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | `{}` |
| podLabels | The labels to add to the azure-workload-identity webhook pods | `{}` |
| podAnnotations | The annotations to add to the azure-workload-identity webhook pods | `{}` |
| mutatingWebhookNamespaceSelector | The namespace selector to further refine which namespaces will be selected by the webhook. | `{}` |
| Parameter | Description | Default |
| :--------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------ |
| replicaCount | The number of azure-workload-identity replicas to deploy for the webhook | `2` |
| image.repository | Image repository | `mcr.microsoft.com/oss/azure/workload-identity/webhook` |
| image.pullPolicy | Image pullPolicy | `IfNotPresent` |
| image.release | The image release tag to use | Current release version: `v1.0.0` |
| imagePullSecrets | Image pull secrets to use for retrieving images from private registries | `[]` |
| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` |
| resources | The resource request/limits for the container image | limits: 100m CPU, 30Mi, requests: 100m CPU, 20Mi |
| affinity | The node affinity to use for pod scheduling | `{}` |
| tolerations | The tolerations to use for pod scheduling | `[]` |
| service.type | Service type | `ClusterIP` |
| service.port | Service port | `443` |
| service.targetPort | Service target port | `9443` |
| azureTenantID | [**REQUIRED**] Azure tenant ID | `` |
| azureEnvironment | Azure Environment | `AzurePublicCloud` |
| logLevel | The log level to use for the webhook manager. In order of increasing verbosity: unset (empty string), info, debug, trace and all. | `info` |
| metricsAddr | The address to bind the metrics server to | `:8095` |
| metricsBackend | The metrics backend to use (`prometheus`) | `prometheus` |
| priorityClassName | The priority class name for webhook manager | `system-cluster-critical` |
| mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | `{}` |
| podLabels | The labels to add to the azure-workload-identity webhook pods | `{}` |
| podAnnotations | The annotations to add to the azure-workload-identity webhook pods | `{}` |
| mutatingWebhookNamespaceSelector | The namespace selector to further refine which namespaces will be selected by the webhook. | `{}` |
| podDisruptionBudget.minAvailable | The minimum number of pods that must be available for the webhook to be considered available | `1` |
| podDisruptionBudget.maxUnavailable | The maximum number of pods that may be unavailable for the webhook to be considered available | `nil` |

## Contributing Changes

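Review bot: the two new rows at the end of the table do not say that the settings are mutually exclusive, and the `podDisruptionBudget.maxUnavailable` description reuses the minAvailable wording ("for the webhook to be considered available"), which does not describe what the field limits. Suggest describing both in eviction terms, for example "maximum number of webhook pods that may be unavailable during a voluntary disruption", and adding that `podDisruptionBudget.minAvailable` defaults to `1` and has to be overridden to null before `maxUnavailable` is used.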
Expand Up @@ -9,7 +9,12 @@ metadata:
name: azure-wi-webhook-controller-manager
namespace: '{{ .Release.Namespace }}'
spec:
minAvailable: 1
{{- if .Values.podDisruptionBudget.maxUnavailable }}
maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
{{- end }}
{{- if .Values.podDisruptionBudget.minAvailable }}
minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
{{- end }}
selector:
matchLabels:
app: '{{ template "workload-identity-webhook.name" . }}'
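Review bot: both `{{- if .Values.podDisruptionBudget.… }}` guards under `spec:` test truthiness, so an integer `0` is treated as unset and the field is silently omitted; `maxUnavailable: 0` would render a PodDisruptionBudget with no `maxUnavailable` line at all. Test for presence instead, e.g. `{{- if not (kindIs "invalid" .Values.podDisruptionBudget.maxUnavailable) }}`. Nothing here stops both values from being set either: when both are non-empty the template emits `maxUnavailable` and `minAvailable` together, and the API server rejects a PodDisruptionBudget that specifies both. A `fail` call when both are non-null would surface that at template time rather than at install.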
4 changes: 4 additions & 0 deletions manifest_staging/charts/workload-identity-webhook/values.yaml
Expand Up @@ -34,3 +34,7 @@ mutatingWebhookAnnotations: {}
podLabels: {}
podAnnotations: {}
mutatingWebhookNamespaceSelector: {}
# minAvailable and maxUnavailable are mutually exclusive
podDisruptionBudget:
minAvailable: 1
# maxUnavailable: 0
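Review bot: the comment above `podDisruptionBudget:` says the two fields are mutually exclusive but not how to switch between them; because `minAvailable: 1` is the chart default, uncommenting `# maxUnavailable: 0` on its own leaves both keys set. Suggest extending the comment to say that `minAvailable` must be set to `null` when `maxUnavailable` is used, and reconsidering `0` as the commented example, since a zero value is falsy in a Helm `if` and would not reach the rendered spec.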
Expand Up @@ -99,3 +99,17 @@ metadata:
name: azure-wi-webhook-admin
namespace: azure-workload-identity-system
HELMSUBST_SERVICEACCOUNT_IMAGE_PULL_SECRETS: ""
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
labels:
azure-workload-identity.io/system: "true"
name: azure-wi-webhook-controller-manager
namespace: azure-workload-identity-system
spec:
minAvailable: HELMSUBST_PODDISRUPTIONBUDGET_MINAVAILABLE
HELMSUBST_PODDISRUPTIONBUDGET_MAXUNAVAILABLE: ""
selector:
matchLabels:
azure-workload-identity.io/system: "true"
Expand Up @@ -33,4 +33,12 @@ imagePullSecrets:
`HELMSUBST_MUTATING_WEBHOOK_NAMESPACE_SELECTOR`: `{{- toYaml .Values.mutatingWebhookNamespaceSelector | nindent 4 }}`,

`HELMSUBST_POD_ANNOTATIONS: ""`: `{{- toYaml .Values.podAnnotations | trim | nindent 8 }}`,

`minAvailable: HELMSUBST_PODDISRUPTIONBUDGET_MINAVAILABLE`: `{{- if .Values.podDisruptionBudget.minAvailable }}
minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
{{- end }}`,

`HELMSUBST_PODDISRUPTIONBUDGET_MAXUNAVAILABLE: ""`: `{{- if .Values.podDisruptionBudget.maxUnavailable }}
maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
{{- end }}`,
}
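Review bot: the two new map entries use different placeholder shapes without explanation: minAvailable is matched as the whole line `minAvailable: HELMSUBST_PODDISRUPTIONBUDGET_MINAVAILABLE`, while maxUnavailable is matched as the key `HELMSUBST_PODDISRUPTIONBUDGET_MAXUNAVAILABLE: ""`. Both keys have to match the staging manifest byte for byte, so a short comment saying why the shapes differ (or, if nothing requires the difference, using the `KEY: ""` form for both) would make a later edit to the manifest less likely to break the substitution silently.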
