refactor and cleanup cilium helm chart #16752
Conversation
maintainer-s-little-helper
bot
added
the
dont-merge/needs-release-note-label
aanm
added
the
release-note/minor
maintainer-s-little-helper
bot
removed
the
dont-merge/needs-release-note-label
|
test-me-please |
aanm
added
the
dont-merge/needs-rebase
|
This is amazing work, and I think I agree with all improvements listed in the PR description. Thank you very much! However, due to the large size of the PR and the fact that we have little static safety checks on Helm, this will take a while to be reviewed. I therefore a have a request: Could you split you this PR into a few smaller commits? For example have one commit per newly added folder (i.e. one commit for all |
| {{- /* Workaround so that we can set the minimal k8s version that we support */ -}} | ||
| {{- $k8sVersion := .Capabilities.KubeVersion.Version -}} | ||
| {{- $k8sMajor := .Capabilities.KubeVersion.Major -}} | ||
| {{- $k8sMinor := .Capabilities.KubeVersion.Minor -}} | ||
|
|
||
| {{- if .Values.Capabilities -}} | ||
| {{- if .Values.Capabilities.KubeVersion -}} | ||
| {{- if .Values.Capabilities.KubeVersion.Version -}} | ||
| {{- $k8sVersion = .Values.Capabilities.KubeVersion.Version -}} | ||
| {{- if .Values.Capabilities.KubeVersion.Major -}} | ||
| {{- $k8sMajor = toString (.Values.Capabilities.KubeVersion.Major) -}} | ||
| {{- if .Values.Capabilities.KubeVersion.Minor -}} | ||
| {{- $k8sMinor = toString (.Values.Capabilities.KubeVersion.Minor) -}} | ||
| {{- end -}} | ||
| {{- end -}} | ||
| {{- end -}} | ||
| {{- end -}} | ||
| {{- end -}} |
There was a problem hiding this comment.
I haven't a real review yet, but this caught my eye - please do not remove these. They are here on purpose.
All .Capabilities.KubeVersion checks must be overwritable via .Values.Capabilities.KubeVersion, see #14778
There was a problem hiding this comment.
Hello @gandro
.Values.Capabilities.KubeVersion was used to generate quick-install.yaml, but since cilium 1.10 MIN_K8S_VERSION is not using in install/kubernetes/Makefile anymore.
Furthermore, since 3.6, helm template support set Kubernetes version used for Capabilities.KubeVersion by using --kube-version string. Do you think it's safe to remove this workaround?
/cc @aanm
There was a problem hiding this comment.
That's a fair point. I think we have a few users using helm template, so it's not just the quick-install.yaml - but I wasn't aware of the feature in Helm 3.6, that will be a good replacement going forward.
But I'll let @aanm chime in here as well. Removing Helm values is usually a breaking change, so we if we remove this, we want to communicate this clearly.
| {{- with .Values.extraArgs }} | ||
| {{- toYaml . | trim | nindent 8 }} | ||
| {{- end }} | ||
| {{- if semverCompare ">=1.20-0" .Capabilities.KubeVersion.Version }} |
There was a problem hiding this comment.
As mentioned above, we do want to use $k8sVersion here, not .Capabilities.KubeVersion.Version
* Restructure folder: move each component in it own folder * Remove deprecated & unused resources * Refactor tls logic: provided, helm and cronjob * cleanup code Signed-off-by: Đặng Minh Dũng <dungdm93@live.com>
@gandro Thanks for your suggestion. I going to close this one and split it into few smaller PR |
Ah! So I was actually suggesting to have a single PR with multiple commits. But multiple PRs also work, and might be even better. |
Signed-off-by: Đặng Minh Dũng dungdm93@live.com
Cilium helm charts is quite large (>70 files) with lots of components but all that file are in flatten structure. Some how, it make hard to organized and hard to add new feature. So this PR aim to refactor and cleanup cilium helm chart with following notable changes:
hubble-ca-configmap.yaml, it has bean marked as deprecated and will be removed in v1.11cilium-etcd-saService Account,etcd-operatorClusterRole/ClusterRoleBinding which are use in nowhere.Currently, this chart support 3 different kind of TLS: provided, helm-gen, cronjob-gen. But the logic between those 3 types is not the same, for example: helm-gen method always generate both CA and certs (ignore user provided), but cronjob-gen reuse and disable generate cert when user provide CA/cert (this mean no cert auto-rotate).
cilium/install/kubernetes/cilium/templates/_hubble-generate-certs-job-spec.tpl
Lines 47 to 53 in 703b38f
So I simplify and unify this logic as following:
not auto.enabled), bothcertandkeyare requirednodeinitprestop and startup scripts to external file (insidefiles/nodeinitfolder) aim to better highlight and easier to updatenindent(instead ofindent) for better look and easier to collapse/expand when using IDEinclude "cilium.image"named template for generate docker image namepriorityClassName.priorityClassNameis defined invalues.yamlbut used in nowhere. Now it's supported.