refactor and cleanup cilium helm chart #16752
test-me-please
This is amazing work, and I think I agree with all improvements listed in the PR description. Thank you very much! However, due to the large size of the PR and the fact that we have few static safety checks on Helm, this will take a while to be reviewed. I therefore have a request: Could you split this PR into a few smaller commits? For example have one commit per newly added folder (i.e. one commit for all
{{- /* Workaround so that we can set the minimal k8s version that we support */ -}} | ||
{{- $k8sVersion := .Capabilities.KubeVersion.Version -}} | ||
{{- $k8sMajor := .Capabilities.KubeVersion.Major -}} | ||
{{- $k8sMinor := .Capabilities.KubeVersion.Minor -}} | ||
|
||
{{- if .Values.Capabilities -}} | ||
{{- if .Values.Capabilities.KubeVersion -}} | ||
{{- if .Values.Capabilities.KubeVersion.Version -}} | ||
{{- $k8sVersion = .Values.Capabilities.KubeVersion.Version -}} | ||
{{- if .Values.Capabilities.KubeVersion.Major -}} | ||
{{- $k8sMajor = toString (.Values.Capabilities.KubeVersion.Major) -}} | ||
{{- if .Values.Capabilities.KubeVersion.Minor -}} | ||
{{- $k8sMinor = toString (.Values.Capabilities.KubeVersion.Minor) -}} | ||
{{- end -}} | ||
{{- end -}} | ||
{{- end -}} | ||
{{- end -}} | ||
{{- end -}} |
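Review bot: the Major and Minor overrides in this block are nested inside the .Values.Capabilities.KubeVersion.Version check (and Minor inside Major), so a values file that sets only Major or Minor is silently ignored and $k8sMajor/$k8sMinor keep the values reported by .Capabilities. If each field is meant to be overridable on its own, close the Version if before testing Major and Minor; if the coupling is intended, state it in the comment at the top of the block so users know Version must always be supplied.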
I haven't done a real review yet, but this caught my eye - please do not remove these. They are here on purpose.
All .Capabilities.KubeVersion checks must be overwritable via .Values.Capabilities.KubeVersion, see #14778
Hello @gandro
.Values.Capabilities.KubeVersion was used to generate quick-install.yaml, but since cilium 1.10 MIN_K8S_VERSION is not used in install/kubernetes/Makefile anymore.
Furthermore, since 3.6, helm template supports setting the Kubernetes version used for Capabilities.KubeVersion by using --kube-version string. Do you think it's safe to remove this workaround?
/cc @aanm
That's a fair point. I think we have a few users using helm template, so it's not just the quick-install.yaml - but I wasn't aware of the feature in Helm 3.6, that will be a good replacement going forward.
But I'll let @aanm chime in here as well. Removing Helm values is usually a breaking change, so if we remove this, we want to communicate this clearly.
{{- with .Values.extraArgs }} | ||
{{- toYaml . | trim | nindent 8 }} | ||
{{- end }} | ||
{{- if semverCompare ">=1.20-0" .Capabilities.KubeVersion.Version }} |
As mentioned above, we do want to use $k8sVersion here, not .Capabilities.KubeVersion.Version
* Restructure folder: move each component in its own folder
* Remove deprecated & unused resources
* Refactor tls logic: provided, helm and cronjob
* cleanup code

Signed-off-by: Đặng Minh Dũng <dungdm93@live.com>
@gandro Thanks for your suggestion. I am going to close this one and split it into a few smaller PRs
Ah! So I was actually suggesting to have a single PR with multiple commits. But multiple PRs also work, and might be even better.
Signed-off-by: Đặng Minh Dũng dungdm93@live.com
The Cilium helm chart is quite large (>70 files) with lots of components, but all those files are in a flat structure. Somehow, this makes it hard to organize and hard to add new features. So this PR aims to refactor and clean up the cilium helm chart with the following notable changes:
hubble-ca-configmap.yaml, it has been marked as deprecated and will be removed in v1.11
cilium-etcd-sa Service Account, etcd-operator ClusterRole/ClusterRoleBinding which are used nowhere.
Currently, this chart supports 3 different kinds of TLS: provided, helm-gen, cronjob-gen. But the logic between those 3 types is not the same, for example: the helm-gen method always generates both CA and certs (ignoring user provided), but cronjob-gen reuses and disables cert generation when the user provides CA/cert (this means no cert auto-rotate).
cilium/install/kubernetes/cilium/templates/_hubble-generate-certs-job-spec.tpl
Lines 47 to 53 in 703b38f
So I simplify and unify this logic as follows:
not auto.enabled), both cert and key are required
nodeinit prestop and startup scripts to external file (inside files/nodeinit folder) aim to better highlight and easier to update
nindent (instead of indent) for better look and easier to collapse/expand when using IDE
include "cilium.image" named template for generating the docker image name
priorityClassName. priorityClassName is defined in values.yaml but used nowhere. Now it's supported.