feat(helm): new value to set HostPath type for DaemonSet volumes

Still defaults to Directory
enix · Sep 6, 2023 · 290094a · 290094a
1 parent 1d089c6
commit 290094a
Show file tree

Hide file tree

Showing 4 changed files with 100 additions and 3 deletions.
diff --git a/deploy/charts/x509-certificate-exporter/README.md b/deploy/charts/x509-certificate-exporter/README.md
@@ -302,6 +302,48 @@ Because all client certificates reside in the `pki` directory, the exporter will
 `kubelet-client-current.pem` and it's target properly. Even though the Operating System cannot resolve the link itself
 in the container namespace.
 
+### HostPath types
+
+When file or directory paths are provided for running DaemonSet exporters, Pods will use HostPath volumes with type
+`Directory` by default. This is a safety so that misconfigurations are easily caught at deployment, and also to prevent
+the creation of paths that don't exist already.
+
+However some Kubernetes distributions may not allow the kubelet to probe for volume paths existence or type, raising
+errors such as:
+```
+MountVolume.SetUp failed for volume "file-f9f012b96b66ef1f9f2c759856d9e752a1691104" :
+  hostPath type check failed: /opt/rke/etc/kubernetes/ssl is not a directory
+```
+
+In this case the use of value `hostPathVolumeType` will let Kubernetes use the default HostPath type and disable checks.  
+Just like other settings it can be set at the `hostPathsExporter` level:
+```yaml
+hostPathsExporter:
+  hostPathVolumeType: null
+  daemonSets:
+    node:
+      [...]
+      watchFiles:
+      - /etc/kubernetes/pki/*.pem
+      - /etc/kubernetes/pki/*.crt
+```
+Or it can be set at the DaemonSet level:
+```yaml
+hostPathsExporter:
+  daemonSets:
+    node:
+      [...]
+      watchFiles:
+      - /etc/kubernetes/pki/*.pem
+      - /etc/kubernetes/pki/*.crt
+    oldnode:
+      hostPathVolumeType: null
+      [...]
+      watchFiles:
+      - /etc/kubernetes/pki/*.pem
+      - /etc/kubernetes/pki/*.crt
+```
+
 ## Values
 
 | Key | Type | Default | Description |
@@ -361,6 +403,7 @@ in the container namespace.
 | hostPathsExporter.securityContext | object | check `values.yaml` | SecurityContext for containers of hostPath exporters (default for all hostPathsExporter.daemonSets) |
 | hostPathsExporter.extraVolumes | list | `[]` | Additionnal volumes added to Pods of hostPath exporters (default for all hostPathsExporter.daemonSets ; combined with global `extraVolumes`) |
 | hostPathsExporter.extraVolumeMounts | list | `[]` | Additionnal volume mounts added to Pod containers of hostPath exporters (default for all hostPathsExporter.daemonSets ; combined with global `extraVolumes`) |
+| hostPathsExporter.hostPathVolumeType | string | `"Directory"` | Type for HostPath volumes used with watched paths. Can be set to `""` or null to use Kubernetes defaults. |
 | hostPathsExporter.watchDirectories | list | `[]` | [SEE README] List of directory paths of the host to scan for PEM encoded certificate files to be watched and exported as metrics (one level deep) |
 | hostPathsExporter.watchFiles | list | `[]` | [SEE README] List of file paths of the host for PEM encoded certificates to be watched and exported as metrics (one level deep) |
 | hostPathsExporter.watchKubeconfFiles | list | `[]` | [SEE README] List of Kubeconf file paths of the host to scan for embedded certificates to export metrics about |

diff --git a/deploy/charts/x509-certificate-exporter/README.md.gotmpl b/deploy/charts/x509-certificate-exporter/README.md.gotmpl
@@ -302,6 +302,48 @@ Because all client certificates reside in the `pki` directory, the exporter will
 `kubelet-client-current.pem` and it's target properly. Even though the Operating System cannot resolve the link itself
 in the container namespace.
 
+### HostPath types
+
+When file or directory paths are provided for running DaemonSet exporters, Pods will use HostPath volumes with type
+`Directory` by default. This is a safety so that misconfigurations are easily caught at deployment, and also to prevent
+the creation of paths that don't exist already.
+
+However some Kubernetes distributions may not allow the kubelet to probe for volume paths existence or type, raising
+errors such as:
+```
+MountVolume.SetUp failed for volume "file-f9f012b96b66ef1f9f2c759856d9e752a1691104" :
+  hostPath type check failed: /opt/rke/etc/kubernetes/ssl is not a directory
+```
+
+In this case the use of value `hostPathVolumeType` will let Kubernetes use the default HostPath type and disable checks.   
+Just like other settings it can be set at the `hostPathsExporter` level:
+```yaml
+hostPathsExporter:
+  hostPathVolumeType: null
+  daemonSets:
+    node:
+      [...]
+      watchFiles:
+      - /etc/kubernetes/pki/*.pem
+      - /etc/kubernetes/pki/*.crt
+```
+Or it can be set at the DaemonSet level:
+```yaml
+hostPathsExporter:
+  daemonSets:
+    node:
+      [...]
+      watchFiles:
+      - /etc/kubernetes/pki/*.pem
+      - /etc/kubernetes/pki/*.crt
+    oldnode:
+      hostPathVolumeType: null
+      [...]
+      watchFiles:
+      - /etc/kubernetes/pki/*.pem
+      - /etc/kubernetes/pki/*.crt
+```
+
 {{ template "chart.valuesSection" . }}
 
 ## ⚖️ License

diff --git a/deploy/charts/x509-certificate-exporter/templates/daemonset.yaml b/deploy/charts/x509-certificate-exporter/templates/daemonset.yaml
@@ -161,23 +161,33 @@ spec:
       {{- end }}
       hostNetwork: {{ $.Values.hostNetwork }}
       volumes:
+      {{- $hostPathType := $.Values.hostPathsExporter.hostPathVolumeType }}
+      {{- if hasKey $dsDef "hostPathVolumeType" }}
+        {{- $hostPathType = $dsDef.hostPathVolumeType }}
+      {{- end }}
       {{- range default $.Values.hostPathsExporter.watchDirectories $dsDef.watchDirectories }}
       - name: dir-{{ . | clean | sha1sum }}
         hostPath:
           path: {{ . | clean }}
-          type: Directory
+          {{- if $hostPathType }}
+          type: {{ $hostPathType | quote }}
+          {{- end }}
       {{- end }}
       {{- range default $.Values.hostPathsExporter.watchFiles $dsDef.watchFiles }}
       - name: file-{{ . | clean | sha1sum }}
         hostPath:
           path: {{ . | clean | dir }}
-          type: Directory
+          {{- if $hostPathType }}
+          type: {{ $hostPathType | quote }}
+          {{- end }}
       {{- end }}
       {{- range default $.Values.hostPathsExporter.watchKubeconfFiles $dsDef.watchKubeconfFiles }}
       - name: kube-{{ . | clean | sha1sum }}
         hostPath:
           path: {{ . | clean | dir }}
-          type: Directory
+          {{- if $hostPathType }}
+          type: {{ $hostPathType | quote }}
+          {{- end }}
       {{- end }}
       {{- if or $.Values.webConfiguration $.Values.webConfigurationExistingSecret }}
       - name: web-configuration

diff --git a/deploy/charts/x509-certificate-exporter/values.yaml b/deploy/charts/x509-certificate-exporter/values.yaml
@@ -168,6 +168,8 @@ hostPathsExporter:
   # -- Additionnal volume mounts added to Pod containers of hostPath exporters (default for all hostPathsExporter.daemonSets ; combined with global `extraVolumes`)
   extraVolumeMounts: []
 
+  # -- Type for HostPath volumes used with watched paths. Can be set to `""` or null to use Kubernetes defaults.
+  hostPathVolumeType: Directory
   # -- [SEE README] List of directory paths of the host to scan for PEM encoded certificate files to be watched and exported as metrics (one level deep)
   watchDirectories: []
   # -- [SEE README] List of file paths of the host for PEM encoded certificates to be watched and exported as metrics (one level deep)