Cherry-pick #4106, #4390, #4435 (#4436)

* feat: allow annotations on controller manager and daemon ServiceAccount (#4106) Signed-off-by: Philipp Tanlak <philipp.tanlak@form3.tech> * chore: add service account creation as optional and allow podSecurity (#4390) Co-authored-by: Yue Yang <g1enyy0ung@gmail.com> Co-authored-by: Abby Watterson <Abby.Watterson@fmr.com> * chore: integrate helm-values-schema-json to generate schema for values.yaml (#4435) Signed-off-by: Yue Yang <g1enyy0ung@gmail.com> --------- Signed-off-by: Philipp Tanlak <philipp.tanlak@form3.tech> Signed-off-by: Yue Yang <g1enyy0ung@gmail.com> Co-authored-by: Philipp Tanlak <93513276+philipptanlak-form3@users.noreply.github.com> Co-authored-by: Abby Watterson <47790508+awatterson22@users.noreply.github.com> Co-authored-by: Abby Watterson <Abby.Watterson@fmr.com>
chaos-mesh · Jun 19, 2024 · 2431797 · 2431797
1 parent 5f8e217
commit 2431797
Show file tree

Hide file tree

Showing 13 changed files with 69 additions and 15 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -88,8 +88,8 @@ jobs:
         run: |
           if [[ "$job" == "verify" ]]; then
             make check
-            echo "Please make check before creating a PR"
-            git diff --quiet -- . || (git diff | cat && false)
+            echo "Please run [make check] before creating a PR"
+            git diff --quiet
           elif [[ "$job" == "build" ]]; then
             make image
           elif [[ "$job" == "test" ]]; then

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -11,6 +11,9 @@ For more information and how-to, see [RFC: Keep A Changelog](https://github.com/
 ### Added
 
 - Helm: allow templating of dashboard rootUrl [#4370](https://github.com/chaos-mesh/chaos-mesh/pull/4370)
+- Allow annotations on chaos-controller-manager and chaos-daemon ServiceAccount [#4106](https://github.com/chaos-mesh/chaos-mesh/pull/4106)
+- Allow if condition for creating chaos-controller-manager ServiceAccount and allow setting securityContext for chaos-daemon pods [#4390](https://github.com/chaos-mesh/chaos-mesh/pull/4390)
+- Integrate helm-values-schema-json to generate schema for values.yaml [#4435](https://github.com/chaos-mesh/chaos-mesh/pull/4435)
 
 ### Changed
 

diff --git a/Makefile b/Makefile
@@ -132,7 +132,7 @@ swagger_spec: images/dev-env/.dockerbuilt ## Generate OpenAPI/Swagger spec for f
 
 ##@ Linters, formatters and others
 
-check: generate manifests/crd.yaml vet boilerplate lint tidy install.sh fmt ## Run prerequisite checks for PR
+check: generate manifests/crd.yaml vet boilerplate lint fmt tidy install.sh helm-values-schema ## Run prerequisite checks for PR
 
 SKYWALKING_EYES_HEADER = /go/bin/license-eye header -c ./.github/.licenserc.yaml
 boilerplate: SHELL:=$(RUN_IN_DEV_SHELL)
@@ -173,6 +173,10 @@ vet: SHELL:=$(RUN_IN_DEV_SHELL)
 vet: images/dev-env/.dockerbuilt ## Lint go files with go vet
 	$(CGOENV) go vet ./...
 
+helm-values-schema: SHELL:=$(RUN_IN_DEV_SHELL)
+helm-values-schema: images/dev-env/.dockerbuilt
+	helm schema -input helm/chaos-mesh/values.yaml -output helm/chaos-mesh/values.schema.json
+
 ##@ Common used building targets
 
 all: manifests/crd.yaml image ## Build all CRD yaml manifests and components container images
@@ -276,7 +280,6 @@ pkg/time/fakeclock/fake_gettimeofday.o: pkg/time/fakeclock/fake_gettimeofday.c i
 	[[ "$$TARGET_PLATFORM" == "arm64" ]] && CFLAGS="-mcmodel=tiny" ;\
 	cc -c ./pkg/time/fakeclock/fake_gettimeofday.c -fPIE -O2 -o pkg/time/fakeclock/fake_gettimeofday.o $$CFLAGS
 
-
 CLEAN_TARGETS += e2e-test/image/e2e/manifests e2e-test/image/e2e/chaos-mesh
 
 e2e-test/image/e2e/manifests: manifests ## Copy CRD manifests to e2e image build directory

diff --git a/build/get_env_shell.py b/build/get_env_shell.py
@@ -78,6 +78,7 @@ def main():
 
     cwd = os.getcwd()
     cmd += ["--volume", f"{cwd}:{cwd}"]
+    # HACK: if you have permission issues when using Docker Desktop for Mac, you can try removing this line to see if it works.
     cmd += ["--user", f"{os.getuid()}:{os.getgid()}"]
 
     target_platform = utils.get_target_platform()

diff --git a/helm/chaos-mesh/README.md b/helm/chaos-mesh/README.md
@@ -31,6 +31,8 @@ The following tables list the configurable parameters of the Chaos Mesh chart an
 | `controllerManager.hostNetwork` | Running chaos-controller-manager on host network | `false` |
 | `controllerManager.allowHostNetworkTesting`   | Allow testing on `hostNetwork` pods | `false` |
 | `controllerManager.serviceAccount` | The serviceAccount for chaos-controller-manager | `chaos-controller-manager` |
+| `controllerManager.serviceAccountAnnotations` | ServiceAccount annotations for chaos-controller-manager | `{}` |
+| `controllerManager.serviceAccountCreate` | Create the serviceAccount for chaos-controller-manager | `true` |
 | `controllerManager.priorityClassName` | Custom priorityClassName for using pod priorities | `` |
 | `controllerManager.replicaCount` | Replicas for chaos-controller-manager | `3` |
 | `controllerManager.image.registry` | Override global registry, empty value means using the global images.registry | `` |
@@ -59,12 +61,14 @@ The following tables list the configurable parameters of the Chaos Mesh chart an
 | `chaosDaemon.grpcPort` | The port which grpc server listens on | `31767` |
 | `chaosDaemon.httpPort` | The port which http server listens on | `31766` |
 | `chaosDaemon.env` | Extra chaosDaemon envs | `{}` |
+| `chaosDaemon.securityContext` | Pod securityContext if needed | `{}`|
 | `chaosDaemon.hostNetwork` | Running chaosDaemon on host network | `false` |
 | `chaosDaemon.mtls.enabled` | Enable mtls on the grpc connection between chaos-controller-manager and chaos-daemon | `true` |
 | `chaosDaemon.privileged` | Run chaos-daemon container in privileged mode. If it is set to false, chaos-daemon will be run in some specified capabilities. capabilities: SYS_PTRACE, NET_ADMIN, MKNOD, SYS_CHROOT, SYS_ADMIN, KILL, IPC_LOCK | `true` |
 | `chaosDaemon.priorityClassName` | Custom priorityClassName for using pod priorities | `` |
 | `chaosDaemon.podAnnotations` | Pod annotations of chaos-daemon | `{}` |
 | `chaosDaemon.serviceAccount`| ServiceAccount name for chaos-daemon | `chaos-daemon` |
+| `chaosDaemon.serviceAccountAnnotations` | ServiceAccount annotations for chaos-daemon | `{}` |
 | `chaosDaemon.podSecurityPolicy` | Specify PodSecurityPolicy(psp) on chaos-daemon pods | `false`|
 | `chaosDaemon.runtime` | Runtime specifies which container runtime to use. Currently we only supports docker, containerd and CRI-O. | `docker` |
 | `chaosDaemon.socketPath` | Specifiesthe path of container runtime socket on the host. | `/var/run/docker.sock` |

diff --git a/helm/chaos-mesh/templates/chaos-daemon-daemonset.yaml b/helm/chaos-mesh/templates/chaos-daemon-daemonset.yaml
@@ -57,6 +57,9 @@ spec:
       {{- if .Values.imagePullSecrets }}
       imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}
       {{- end }}
+      {{- if .Values.chaosDaemon.securityContext }}
+      securityContext: {{ toYaml .Values.chaosDaemon.securityContext | nindent 8 }}
+      {{- end }}
       containers:
         - name: chaos-daemon
           image: {{template "chaos-daemon.image" . }}
@@ -176,7 +179,7 @@ spec:
         {{- end }}
       volumes:
         - name: socket-path
-          hostPath: 
+          hostPath:
             path: {{template "chaos-daemon.socket-path" . }}
         - name: sys-path
           hostPath:

diff --git a/helm/chaos-mesh/templates/chaos-daemon-rbac.yaml b/helm/chaos-mesh/templates/chaos-daemon-rbac.yaml
@@ -19,6 +19,10 @@ apiVersion: v1
 metadata:
   namespace: {{ .Release.Namespace | quote }}
   name: {{ .Values.chaosDaemon.serviceAccount }}
+  {{- with .Values.chaosDaemon.serviceAccountAnnotations }}
+  annotations:
+{{ toYaml . | indent 4 }}
+  {{- end }}
   labels:
     {{- include "chaos-mesh.labels" . | nindent 4 }}
     app.kubernetes.io/component: chaos-daemon

diff --git a/helm/chaos-mesh/templates/controller-manager-deployment.yaml b/helm/chaos-mesh/templates/controller-manager-deployment.yaml
@@ -48,7 +48,7 @@ spec:
       {{- if .Values.controllerManager.hostNetwork }}
       hostNetwork: true
       {{- end }}
-      {{- if .Values.controllerManager.serviceAccount }}
+      {{- if .Values.controllerManager.serviceAccountCreate }}
       serviceAccountName: {{ .Values.controllerManager.serviceAccount }}
       {{- end }}
       {{- if  .Values.controllerManager.priorityClassName }}

diff --git a/helm/chaos-mesh/templates/controller-manager-rbac.yaml b/helm/chaos-mesh/templates/controller-manager-rbac.yaml
@@ -13,15 +13,20 @@
 # limitations under the License.
 #
 {{- if .Values.rbac.create }}
+{{- if .Values.controllerManager.serviceAccountCreate }}
 kind: ServiceAccount
 apiVersion: v1
 metadata:
   namespace: {{ .Release.Namespace | quote }}
   name: {{ .Values.controllerManager.serviceAccount }}
+  {{- with .Values.controllerManager.serviceAccountAnnotations }}
+  annotations:
+{{ toYaml . | indent 4 }}
+  {{- end }}
   labels:
     {{- include "chaos-mesh.labels" . | nindent 4 }}
     app.kubernetes.io/component: controller-manager
-
+{{- end }}
 ---
 # roles
 kind: ClusterRole

diff --git a/helm/chaos-mesh/values.schema.json b/helm/chaos-mesh/values.schema.json
@@ -112,9 +112,17 @@
                 "runtime": {
                     "type": "string"
                 },
+                "securityContext": {
+                    "properties": {},
+                    "type": "object"
+                },
                 "serviceAccount": {
                     "type": "string"
                 },
+                "serviceAccountAnnotations": {
+                    "properties": {},
+                    "type": "object"
+                },
                 "socketPath": {
                     "type": "string"
                 },
@@ -317,6 +325,13 @@
                 "serviceAccount": {
                     "type": "string"
                 },
+                "serviceAccountAnnotations": {
+                    "properties": {},
+                    "type": "object"
+                },
+                "serviceAccountCreate": {
+                    "type": "boolean"
+                },
                 "targetNamespace": {
                     "type": "string"
                 },
@@ -762,4 +777,4 @@
         }
     },
     "type": "object"
-}
+}
diff --git a/helm/chaos-mesh/values.yaml b/helm/chaos-mesh/values.yaml
@@ -64,6 +64,10 @@ controllerManager:
   allowHostNetworkTesting: false
   # The serviceAccount for chaos-controller-manager
   serviceAccount: chaos-controller-manager
+  # ServiceAccount annotations for chaos-controller-manager
+  serviceAccountAnnotations: {}
+  # Create the serviceAccount for chaos-controller-manager
+  serviceAccountCreate: true
   # Custom priorityClassName for using pod priorities
   priorityClassName: ""
   # Replicas for chaos-controller-manager
@@ -164,6 +168,8 @@ chaosDaemon:
   httpPort: 31766
   # extra chaosDaemon envs
   env: {}
+  # securityContext if needed
+  securityContext: {}
   # running chaosDaemon on host network
   hostNetwork: false
   # configurations about mtls.
@@ -194,6 +200,8 @@ chaosDaemon:
   podAnnotations: {}
   # ServiceAccount name for chaos-daemon
   serviceAccount: chaos-daemon
+  # ServiceAccount annotations for chaos-daemon
+  serviceAccountAnnotations: {}
   # Specify PodSecurityPolicy(psp) on chaos-daemon pods
   podSecurityPolicy: false
   # runtime specifies which container runtime to use. Currently
@@ -216,7 +224,8 @@ chaosDaemon:
   # If you set socketPath and socketDir at the same time, only socketPath will work.
 
   # CPU/Memory resource requests/limits for chaosDaemon container
-  resources: {}
+  resources:
+    {}
     # We usually recommend not to specify default resources and to leave this as a conscious
     # choice for the user. This also increases chances charts run on environments with little
     # resources, such as Minikube. If you do want to specify resources, uncomment the following
@@ -235,7 +244,8 @@ chaosDaemon:
   affinity: {}
 
   # Specify DaemonSetUpdateStrategy for chaos-daemon
-  updateStrategy: {}
+  updateStrategy:
+    {}
     # Example update strategy:
     # type: RollingUpdate
     # rollingUpdate:

diff --git a/images/dev-env/Dockerfile b/images/dev-env/Dockerfile
@@ -54,7 +54,7 @@ RUN case "$TARGET_PLATFORM" in \
     curl -L https://github.com/protocolbuffers/protobuf/releases/download/v3.12.2/protoc-3.12.2-linux-$PROTOC_ARCH.zip > /protoc.zip && \
     unzip /protoc.zip -d /usr/local && \
     rm /protoc.zip
-RUN chmod +xr -R /usr/local/include
+RUN chmod +rx -R /usr/local/include
 RUN chmod +x /usr/local/bin/protoc
 
 RUN mkdir -p /go/bin
@@ -71,9 +71,15 @@ RUN curl -L https://github.com/kubernetes-sigs/kustomize/releases/download/kusto
 
 RUN curl -L https://storage.googleapis.com/kubebuilder-tools/kubebuilder-tools-1.19.2-$(go env GOOS)-$(go env GOARCH).tar.gz | tar -xz -C /usr/local/
 
-RUN curl -L https://get.helm.sh/helm-v3.6.3-$(go env GOOS)-$(go env GOARCH).tar.gz | tar -xz -C /usr/local/bin && \
-    mv /usr/local/bin/$(go env GOOS)-$(go env GOARCH)/helm /usr/local/bin/helm && \
-    rm -rf /usr/local/bin/$(go env GOOS)-$(go env GOARCH)
+RUN curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 && \
+    chmod 700 get_helm.sh && \
+    ./get_helm.sh && \
+    rm get_helm.sh
+
+# Create and grant permissions to plugins directory.
+RUN mkdir -p /opt/helm/plugins && chmod a+rwx /opt/helm
+ENV HELM_PLUGINS=/opt/helm/plugins
+RUN helm plugin install https://github.com/losisin/helm-values-schema-json.git
 
 RUN mkdir /.cache
 RUN chmod -R 777 /.cache

diff --git a/install.sh b/install.sh
@@ -1650,7 +1650,7 @@ spec:
               containerPort: 31766
       volumes:
         - name: socket-path
-          hostPath: 
+          hostPath:
             path: ${socketDir}
         - name: sys-path
           hostPath: