Merge branch 'master' into fix-context-cancel-leak

.github/workflows/ci.yml

@@ -88,8 +88,8 @@ jobs:
         run: |
           if [[ "$job" == "verify" ]]; then
             make check
-            echo "Please make check before creating a PR"
-            git diff --quiet -- . || (git diff | cat && false)
+            echo "Please run [make check] before creating a PR"
+            git diff --quiet
           elif [[ "$job" == "build" ]]; then
             make image
           elif [[ "$job" == "test" ]]; then

CHANGELOG.md

@@ -10,6 +10,7 @@ For more information and how-to, see [RFC: Keep A Changelog](https://github.com/
 
 ### Added
 
+- Allow if condition for creating chaos-controller-manager ServiceAccount and allow setting securityContext for chaos-daemon pods [#4390](https://github.com/chaos-mesh/chaos-mesh/pull/4390)
 - Allow annotations on chaos-controller-manager and chaos-daemon ServiceAccount [#4106](https://github.com/chaos-mesh/chaos-mesh/pull/4106)
 - Support for deploying chaos-dashboard under the subpath [#4093](https://github.com/chaos-mesh/chaos-mesh/pull/4093)
 - Support more rate units for networkchaos [#4129](https://github.com/chaos-mesh/chaos-mesh/pull/4129)
@@ -23,6 +24,8 @@ For more information and how-to, see [RFC: Keep A Changelog](https://github.com/
 - Support for setting `loadBalancerSourceRanges` in chaos-dashboard service in helm chart [#4172](https://github.com/chaos-mesh/chaos-mesh/pull/4172)
 - Helm: allow templating of dashboard rootUrl [#4370](https://github.com/chaos-mesh/chaos-mesh/pull/4370)
 - Support for reading database connection string from secret [#4363](https://github.com/chaos-mesh/chaos-mesh/pull/4363)
+- Allow if condition for creating chaos-controller-manager ServiceAccount and allow setting securityContext for chaos-daemon pods [#4390](https://github.com/chaos-mesh/chaos-mesh/pull/4390)
+- Integrate helm-values-schema-json to generate schema for values.yaml [#4435](https://github.com/chaos-mesh/chaos-mesh/pull/4435)
 
 ### Changed
 

Makefile

@@ -132,7 +132,7 @@ swagger_spec: images/dev-env/.dockerbuilt ## Generate OpenAPI/Swagger spec for f
 
 ##@ Linters, formatters and others
 
-check: generate manifests/crd.yaml vet boilerplate lint tidy install.sh fmt ## Run prerequisite checks for PR
+check: generate manifests/crd.yaml vet boilerplate lint fmt tidy install.sh helm-values-schema ## Run prerequisite checks for PR
 
 SKYWALKING_EYES_HEADER = /go/bin/license-eye header -c ./.github/.licenserc.yaml
 boilerplate: SHELL:=$(RUN_IN_DEV_SHELL)
@@ -172,6 +172,10 @@ vet: SHELL:=$(RUN_IN_DEV_SHELL)
 vet: images/dev-env/.dockerbuilt ## Lint go files with go vet
 	$(CGOENV) go vet ./...
 
+helm-values-schema: SHELL:=$(RUN_IN_DEV_SHELL)
+helm-values-schema: images/dev-env/.dockerbuilt
+	helm schema -input helm/chaos-mesh/values.yaml -output helm/chaos-mesh/values.schema.json
+
 ##@ Common used building targets
 
 all: manifests/crd.yaml image ## Build all CRD yaml manifests and components container images
@@ -287,7 +291,6 @@ pkg/time/fakeclock/fake_gettimeofday.o: pkg/time/fakeclock/fake_gettimeofday.c i
 	[[ "$$TARGET_PLATFORM" == "arm64" ]] && CFLAGS="-mcmodel=tiny" ;\
 	cc -c ./pkg/time/fakeclock/fake_gettimeofday.c -fPIE -O2 -o pkg/time/fakeclock/fake_gettimeofday.o $$CFLAGS
 
-
 CLEAN_TARGETS += e2e-test/image/e2e/manifests e2e-test/image/e2e/chaos-mesh
 
 e2e-test/image/e2e/manifests: manifests ## Copy CRD manifests to e2e image build directory

build/get_env_shell.py

@@ -78,6 +78,7 @@ def main():
 
     cwd = os.getcwd()
     cmd += ["--volume", f"{cwd}:{cwd}"]
+    # HACK: if you have permission issues when using Docker Desktop for Mac, you can try removing this line to see if it works.
     cmd += ["--user", f"{os.getuid()}:{os.getgid()}"]
 
     target_platform = utils.get_target_platform()

cmd/generate-makefile/doc.go

@@ -13,5 +13,6 @@
 // limitations under the License.
 //
 
-// This command line tool would generate Makefile like binary.generated.mk, contains targets for building executable binaries.
+// This command line tool is used to generate partial Makefiles, such as binary.generated.mk,
+// containing targets for building executable binaries.
 package main

cmd/generate-makefile/funcmaps.go

@@ -16,8 +16,4 @@ package main
 
 import "strings"
 
-var defaultFuncMap = map[string]interface{}{"StringsJoin": StringsJoin}
-
-func StringsJoin(s []string, sep string) string {
-	return strings.Join(s, sep)
-}
+var defaultFuncMap = map[string]interface{}{"StringsJoin": strings.Join}

helm/chaos-mesh/README.md

@@ -29,9 +29,10 @@ The following tables list the configurable parameters of the Chaos Mesh chart an
 | `imagePullSecrets` | Global Docker registry secret names as an array | [] (does not add image pull secrets to deployed pods) |
 | `controllerManager.securityContext` | Pod securityContext if needed | `{}` |
 | `controllerManager.hostNetwork` | Running chaos-controller-manager on host network | `false` |
-| `controllerManager.allowHostNetworkTesting` | Allow testing on `hostNetwork` pods | `false` |
+| `controllerManager.allowHostNetworkTesting`   | Allow testing on `hostNetwork` pods | `false` |
 | `controllerManager.serviceAccount` | The serviceAccount for chaos-controller-manager | `chaos-controller-manager` |
 | `controllerManager.serviceAccountAnnotations` | ServiceAccount annotations for chaos-controller-manager | `{}` |
+| `controllerManager.serviceAccountCreate` | Create the serviceAccount for chaos-controller-manager | `true` |
 | `controllerManager.priorityClassName` | Custom priorityClassName for using pod priorities | `` |
 | `controllerManager.replicaCount` | Replicas for chaos-controller-manager | `3` |
 | `controllerManager.image.registry` | Override global registry, empty value means using the global images.registry | `` |
@@ -60,14 +61,15 @@ The following tables list the configurable parameters of the Chaos Mesh chart an
 | `chaosDaemon.grpcPort` | The port which grpc server listens on | `31767` |
 | `chaosDaemon.httpPort` | The port which http server listens on | `31766` |
 | `chaosDaemon.env` | Extra chaosDaemon envs | `{}` |
+| `chaosDaemon.securityContext` | Pod securityContext if needed | `{}`|
 | `chaosDaemon.hostNetwork` | Running chaosDaemon on host network | `false` |
 | `chaosDaemon.mtls.enabled` | Enable mtls on the grpc connection between chaos-controller-manager and chaos-daemon | `true` |
 | `chaosDaemon.privileged` | Run chaos-daemon container in privileged mode. If it is set to false, chaos-daemon will be run in some specified capabilities. capabilities: SYS_PTRACE, NET_ADMIN, MKNOD, SYS_CHROOT, SYS_ADMIN, KILL, IPC_LOCK | `true` |
 | `chaosDaemon.priorityClassName` | Custom priorityClassName for using pod priorities | `` |
 | `chaosDaemon.podAnnotations` | Pod annotations of chaos-daemon | `{}` |
 | `chaosDaemon.serviceAccount` | ServiceAccount name for chaos-daemon | `chaos-daemon` |
 | `chaosDaemon.serviceAccountAnnotations` | ServiceAccount annotations for chaos-daemon | `{}` |
-| `chaosDaemon.podSecurityPolicy` | Specify PodSecurityPolicy(psp) on chaos-daemon pods | `false` |
+| `chaosDaemon.podSecurityPolicy` | Specify PodSecurityPolicy(psp) on chaos-daemon pods | `false`|
 | `chaosDaemon.runtime` | Runtime specifies which container runtime to use. Currently we only supports docker, containerd and CRI-O. | `docker` |
 | `chaosDaemon.socketPath` | Specifiesthe path of container runtime socket on the host. | `/var/run/docker.sock` |
 | `chaosDaemon.resources` | CPU/Memory resource requests/limits for chaosDaemon container | `{}` |

helm/chaos-mesh/templates/chaos-daemon-daemonset.yaml

@@ -57,6 +57,9 @@ spec:
       {{- if .Values.imagePullSecrets }}
       imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}
       {{- end }}
+      {{- if .Values.chaosDaemon.securityContext }}
+      securityContext: {{ toYaml .Values.chaosDaemon.securityContext | nindent 8 }}
+      {{- end }}
       containers:
         - name: chaos-daemon
           image: {{template "chaos-daemon.image" . }}
@@ -176,7 +179,7 @@ spec:
         {{- end }}
       volumes:
         - name: socket-path
-          hostPath: 
+          hostPath:
             path: {{template "chaos-daemon.socket-path" . }}
         - name: sys-path
           hostPath:

helm/chaos-mesh/templates/controller-manager-deployment.yaml

@@ -48,7 +48,7 @@ spec:
       {{- if .Values.controllerManager.hostNetwork }}
       hostNetwork: true
       {{- end }}
-      {{- if .Values.controllerManager.serviceAccount }}
+      {{- if .Values.controllerManager.serviceAccountCreate }}
       serviceAccountName: {{ .Values.controllerManager.serviceAccount }}
       {{- end }}
       {{- if  .Values.controllerManager.priorityClassName }}

helm/chaos-mesh/templates/controller-manager-rbac.yaml

@@ -13,6 +13,7 @@
 # limitations under the License.
 #
 {{- if .Values.rbac.create }}
+{{- if .Values.controllerManager.serviceAccountCreate }}
 kind: ServiceAccount
 apiVersion: v1
 metadata:
@@ -25,7 +26,7 @@ metadata:
   labels:
     {{- include "chaos-mesh.labels" . | nindent 4 }}
     app.kubernetes.io/component: controller-manager
-
+{{- end }}
 ---
 # roles
 kind: ClusterRole