update common labels and add PDB

Signed-off-by: Dan Bryant <daniel.bryant@linux.com>

deploy/charts/trust-manager/README.md

@@ -39,6 +39,7 @@ Kubernetes: `>= 1.22.0-0`
 | app.webhook.port | int | `6443` | Port that the webhook listens on. |
 | app.webhook.service | object | `{"type":"ClusterIP"}` | Type of Kubernetes Service used by the Webhook |
 | app.webhook.timeoutSeconds | int | `5` | Timeout of webhook HTTP request. |
+| commonLabels | object | `{}` | Labels to apply to all resources |
 | crds.enabled | bool | `true` | Whether or not to install the crds. |
 | defaultPackage.enabled | bool | `true` | Whether to load the default trust package during pod initialization and include it in main container args. This container enables the 'useDefaultCAs' source on Bundles. |
 | defaultPackageImage.pullPolicy | string | `"IfNotPresent"` | imagePullPolicy for the default package image |
@@ -49,8 +50,10 @@ Kubernetes: `>= 1.22.0-0`
 | image.tag | string | `"v0.5.0"` | Target image version tag. |
 | imagePullSecrets | list | `[]` | For Private docker registries, authentication is needed. Registry secrets are applied to the service account |
 | nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Configure the nodeSelector; defaults to any Linux node (trust-manager doesn't support Windows nodes) |
+| podDisruptionBudget.enabled | bool | `false` | Adds a PodDisruptionBudget for the trust-manager deployment |
+| podDisruptionBudget.minAvailable | int/pcnt | `1` | Configures the minimum available pods for voluntary disruptions. Cannot used if `maxUnavailable` is set. |
+| podDisruptionBudget.maxUnavailable | int/pcnt | `null` | Configures the maximum unavailable pods for voluntary disruptions. Cannot used if `minAvailable` is set. |
 | replicaCount | int | `1` | Number of replicas of trust to run. |
 | resources | object | `{}` |  |
 | tolerations | list | `[]` | List of Kubernetes Tolerations; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core |
 | topologySpreadConstraints | list | `[]` | List of Kubernetes TopologySpreadConstraints; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core |
-

deploy/charts/trust-manager/templates/_helpers.tpl

@@ -24,4 +24,7 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- if .Values.commonLabels}}
+{{ toYaml .Values.commonLabels }}
+{{- end }}
 {{- end -}}

deploy/charts/trust-manager/templates/deployment.yaml

@@ -14,6 +14,7 @@ spec:
     metadata:
       labels:
         app: {{ include "trust-manager.name" . }}
+{{ include "trust-manager.labels" . | indent 8 }}
     spec:
       serviceAccountName: {{ include "trust-manager.name" . }}
       {{- if .Values.defaultPackage.enabled }}

deploy/charts/trust-manager/templates/poddisruptionbudget.yaml

@@ -0,0 +1,20 @@
+{{- if .Values.podDisruptionBudget.enabled }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "trust-manager.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ include "trust-manager.name" . }}
+{{ include "trust-manager.labels" . | indent 4 }}
+spec:
+  selector:
+    matchLabels:
+      app: {{ include "trust-manager.name" . }}
+  {{- with .Values.podDisruptionBudget.minAvailable }}
+  minAvailable: {{ . }}
+  {{- end }}
+  {{- with .Values.podDisruptionBudget.maxUnavailable }}
+  maxUnavailable: {{ . }}
+  {{- end }}
+{{- end }}

deploy/charts/trust-manager/values.yaml

@@ -125,3 +125,11 @@ topologySpreadConstraints: []
 crds:
   # -- Whether or not to install the crds.
   enabled: true
+
+podDisruptionBudget:
+  enabled: false
+  minAvailable: 1
+  #  maxUnavailable: 1
+
+# Labels to apply to all resources
+commonLabels: {}