Commit
chore: add ability to choose deployment strategy for controller-manager (#2777)

Signed-off-by: Hy3n4 <hy3nk4@gmail.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: sozercan <sozercan@users.noreply.github.com>
Co-authored-by: Sertaç Özercan <852750+sozercan@users.noreply.github.com>
4 people committed Jul 7, 2023
1 parent 1878de1 commit 3adf472
Showing 7 changed files with 36 additions and 10 deletions.
2 changes: 2 additions & 0 deletions cmd/build/helmify/kustomize-for-helm.yaml
@@ -62,6 +62,8 @@ metadata:
namespace: gatekeeper-system
spec:
replicas: HELMSUBST_DEPLOYMENT_REPLICAS
strategy:
type: HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_STRATEGY_TYPE
template:
metadata:
annotations:
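Review bot: making `strategy.type` user-selectable on the controller-manager deployment has an availability consequence that nothing in this hunk or the README documents. The controller-manager backs the admission webhooks, and `Recreate` terminates every old pod before any new pod starts, so the webhook has no endpoints for the whole rollout: with a `Fail` failure policy every admission request in a non-exempt namespace is rejected for that window, and with `Ignore` those requests are admitted without policy evaluation. Add a comment next to the placeholder (or in the values file) stating that `Recreate` is only appropriate where that gap is acceptable, so operators of multi-replica production installs keep `RollingUpdate`.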
2 changes: 2 additions & 0 deletions cmd/build/helmify/replacements.go
@@ -55,6 +55,8 @@ var replacements = map[string]string{

`HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_AFFINITY: ""`: `{{- toYaml .Values.controllerManager.affinity | nindent 8 }}`,

"HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_STRATEGY_TYPE": `{{ .Values.controllerManager.strategyType }}`,

`HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_SECURITY_CONTEXT: ""`: `{{- if .Values.enableRuntimeDefaultSeccompProfile }}
seccompProfile:
type: RuntimeDefault
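Review bot: the new entry interpolates `.Values.controllerManager.strategyType` as a bare, unquoted scalar with no check, so an empty value renders as `type:` (null), which the API server silently defaults to `RollingUpdate`, and a misspelt value is only rejected at apply time, mid-upgrade. Since the chart template is generated from this map, the guard belongs here; `{{ required "controllerManager.strategyType must be set" .Values.controllerManager.strategyType }}` catches the empty case at render time, and an enum in `values.schema.json` would catch typos at `helm lint`/`helm install`.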
19 changes: 14 additions & 5 deletions cmd/build/helmify/static/README.md
@@ -27,7 +27,8 @@ _See [helm install](https://helm.sh/docs/helm/helm_install/) for command documen
## Upgrade Chart

**Upgrading from < v3.4.0**
Chart 3.4.0 deprecates support for Helm 2 and also removes the creation of the `gatekeeper-system` Namespace from within the chart. This follows Helm 3 Best Practices.
Chart 3.4.0 deprecates support for Helm 2 and also removes the creation of the `gatekeeper-system` Namespace from within
the chart. This follows Helm 3 Best Practices.

Option 1:
A simple way to upgrade is to uninstall first and re-install with 3.4.0 or greater.
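Review bot: this hunk, together with the `-39`, `-56` and `-214` hunks below, only re-wraps existing paragraphs onto shorter lines; the text is unchanged. Those whitespace-only reflows are unrelated to the strategy feature and make `git blame` for the upgrade and namespace-exemption paragraphs point at this commit. Consider keeping the reflow in its own commit so this one carries just the `controllerManager.strategyType` row.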
@@ -39,7 +40,9 @@ $ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --creat
```

Option 2:
Run the `helm_migrate.sh` script before installing the 3.4.0 or greater chart. This will remove the Helm secret for the original release, while keeping all of the resources. It then updates the annotations of the resources so that the new chart can import and manage them.
Run the `helm_migrate.sh` script before installing the 3.4.0 or greater chart. This will remove the Helm secret for the
original release, while keeping all of the resources. It then updates the annotations of the resources so that the new
chart can import and manage them.

```console
$ helm_migrate.sh
@@ -56,9 +59,12 @@ _See [helm 2 to 3](https://helm.sh/docs/topics/v2_v3_migration/) for Helm 2 migr

## Exempting Namespace

The Helm chart automatically sets the Gatekeeper flag `--exempt-namespace={{ .Release.Namespace }}` in order to exempt the namespace where the chart is installed, and adds the `admission.gatekeeper.sh/ignore` label to the namespace during a post-install hook.
The Helm chart automatically sets the Gatekeeper flag `--exempt-namespace={{ .Release.Namespace }}` in order to exempt
the namespace where the chart is installed, and adds the `admission.gatekeeper.sh/ignore` label to the namespace during
a post-install hook.

_See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/website/docs/exempt-namespaces) for more information._
_See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/website/docs/exempt-namespaces) for more
information._

## Parameters

@@ -186,6 +192,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
| controllerManager.extraRules | Extra rules for the gatekeeper-manager-role Role | `[]` |
| controllerManager.networkPolicy.enabled | Should a network policy for the controller manager be created | `false` |
| controllerManager.networkPolicy.ingress | Additional ingress rules to be added to the controller manager network policy | `{}` |
| controllerManager.strategyType | The strategy type to use for Controller Manager deployment | `RollingUpdate` |
| audit.affinity | The node affinity to use for audit pod scheduling | `{}` |
| audit.topologySpreadConstraints | The topology spread constraints to use for audit pod scheduling | `[]` |
| audit.tolerations | The tolerations to use for audit pod scheduling | `[]` |
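Review bot: the new `controllerManager.strategyType` row states the default but not the accepted values. Kubernetes accepts only `RollingUpdate` and `Recreate` for `.spec.strategy.type`, so say so in the description, e.g. `The strategy type (RollingUpdate or Recreate) to use for Controller Manager deployment`. It is also worth stating that only the type is exposed: `rollingUpdate.maxSurge` and `rollingUpdate.maxUnavailable` stay at the Kubernetes defaults and cannot be tuned through this chart.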
@@ -214,4 +221,6 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi

## Contributing Changes

Please refer to [Contributing to Helm Chart](https://open-policy-agent.github.io/gatekeeper/website/docs/help#contributing-to-helm-chart) for modifying the Helm chart.
Please refer
to [Contributing to Helm Chart](https://open-policy-agent.github.io/gatekeeper/website/docs/help#contributing-to-helm-chart)
for modifying the Helm chart.
1 change: 1 addition & 0 deletions cmd/build/helmify/static/values.yaml
@@ -164,6 +164,7 @@ controllerManager:
disableCertRotation: false
tlsMinVersion: 1.3
clientCertName: ""
strategyType: RollingUpdate
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
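Review bot: `strategyType: RollingUpdate` lands without a comment, and nothing in this commit validates the value. Add a comment listing the accepted values (`RollingUpdate` or `Recreate`) beside the key, and add the matching enum to `values.schema.json` so an invalid value fails at `helm lint`/`helm install` time rather than being rejected by the API server partway through an upgrade.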
19 changes: 14 additions & 5 deletions manifest_staging/charts/gatekeeper/README.md
@@ -27,7 +27,8 @@ _See [helm install](https://helm.sh/docs/helm/helm_install/) for command documen
## Upgrade Chart

**Upgrading from < v3.4.0**
Chart 3.4.0 deprecates support for Helm 2 and also removes the creation of the `gatekeeper-system` Namespace from within the chart. This follows Helm 3 Best Practices.
Chart 3.4.0 deprecates support for Helm 2 and also removes the creation of the `gatekeeper-system` Namespace from within
the chart. This follows Helm 3 Best Practices.

Option 1:
A simple way to upgrade is to uninstall first and re-install with 3.4.0 or greater.
@@ -39,7 +40,9 @@ $ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --creat
```

Option 2:
Run the `helm_migrate.sh` script before installing the 3.4.0 or greater chart. This will remove the Helm secret for the original release, while keeping all of the resources. It then updates the annotations of the resources so that the new chart can import and manage them.
Run the `helm_migrate.sh` script before installing the 3.4.0 or greater chart. This will remove the Helm secret for the
original release, while keeping all of the resources. It then updates the annotations of the resources so that the new
chart can import and manage them.

```console
$ helm_migrate.sh
@@ -56,9 +59,12 @@ _See [helm 2 to 3](https://helm.sh/docs/topics/v2_v3_migration/) for Helm 2 migr

## Exempting Namespace

The Helm chart automatically sets the Gatekeeper flag `--exempt-namespace={{ .Release.Namespace }}` in order to exempt the namespace where the chart is installed, and adds the `admission.gatekeeper.sh/ignore` label to the namespace during a post-install hook.
The Helm chart automatically sets the Gatekeeper flag `--exempt-namespace={{ .Release.Namespace }}` in order to exempt
the namespace where the chart is installed, and adds the `admission.gatekeeper.sh/ignore` label to the namespace during
a post-install hook.

_See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/website/docs/exempt-namespaces) for more information._
_See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/website/docs/exempt-namespaces) for more
information._

## Parameters

@@ -186,6 +192,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
| controllerManager.extraRules | Extra rules for the gatekeeper-manager-role Role | `[]` |
| controllerManager.networkPolicy.enabled | Should a network policy for the controller manager be created | `false` |
| controllerManager.networkPolicy.ingress | Additional ingress rules to be added to the controller manager network policy | `{}` |
| controllerManager.strategyType | The strategy type to use for Controller Manager deployment | `RollingUpdate` |
| audit.affinity | The node affinity to use for audit pod scheduling | `{}` |
| audit.topologySpreadConstraints | The topology spread constraints to use for audit pod scheduling | `[]` |
| audit.tolerations | The tolerations to use for audit pod scheduling | `[]` |
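Review bot: this file mirrors `cmd/build/helmify/static/README.md` hunk for hunk, including the same paragraph reflow and the same new table row, so it reads as generated output of the static copy. The comments on the static README (document the accepted values, keep the reflow out of this commit) apply here too and should be fixed at the source and regenerated rather than edited in this file.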
@@ -214,4 +221,6 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi

## Contributing Changes

Please refer to [Contributing to Helm Chart](https://open-policy-agent.github.io/gatekeeper/website/docs/help#contributing-to-helm-chart) for modifying the Helm chart.
Please refer
to [Contributing to Helm Chart](https://open-policy-agent.github.io/gatekeeper/website/docs/help#contributing-to-helm-chart)
for modifying the Helm chart.
Original file line number Diff line number Diff line change
@@ -22,6 +22,8 @@ spec:
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
strategy:
type: {{ .Values.controllerManager.strategyType }}
template:
metadata:
annotations:
1 change: 1 addition & 0 deletions manifest_staging/charts/gatekeeper/values.yaml
@@ -164,6 +164,7 @@ controllerManager:
disableCertRotation: false
tlsMinVersion: 1.3
clientCertName: ""
strategyType: RollingUpdate
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution: