From 294221e7a39f61a641e9a972c281b6d7a469465d Mon Sep 17 00:00:00 2001 From: Andreas Brehmer Date: Wed, 29 Nov 2023 09:57:20 +0100 Subject: [PATCH 1/3] Chart: Ensure atomic override of complex values Partial overrides of complex Helm chart parameters should be avoided because they imply the risk of inconsistent or unintented results in case the default values change with newer Helm chart releases. --- changelog.yaml | 24 +++++++++ charts/steward/Chart.yaml | 4 +- charts/steward/README.md | 27 +++++----- .../templates/deployment-run-controller.yaml | 49 +++++++++++++++---- .../templates/task-jenkinsfile-runner.yaml | 12 ++++- charts/steward/values.yaml | 33 +++---------- 6 files changed, 100 insertions(+), 49 deletions(-) diff --git a/changelog.yaml b/changelog.yaml index 310f2d07..43d46173 100644 --- a/changelog.yaml +++ b/changelog.yaml @@ -52,6 +52,30 @@ date: TBD changes: + - type: enhancement + impact: minor + title: "Helm chart: Ensure atomic override of complex values" + description: |- + The following complex values can no longer be overridden partially: + + - `runController.resources` + - `runController.podSecurityContext` + - `runController.securityContext` + - `runController.nodeSelector` (default was empty) + - `runController.affinity` (default was empty) + - `runController.tolerations` (default was empty) + - `pipelineRuns.resources` + + Partial overrides should be avoided because they imply the + risk of inconsistent or unintented results in case the default + values change with newer Helm chart releases. + upgradeNotes: |- + Ensure that overrides of the above-mentioned values are + complete, i.e. they override _all_ fields which where also set + in the respective chart default in v0.39.1. + If this is not the case, add the missing fields. + pullRequestNumber: 398 + - version: "0.39.1" date: 2023-11-29 changes: diff --git a/charts/steward/Chart.yaml b/charts/steward/Chart.yaml index c8767f71..8ffb942a 100644 --- a/charts/steward/Chart.yaml 
+++ b/charts/steward/Chart.yaml @@ -5,8 +5,8 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. -version: 0.39.2-dev +version: 0.40.0-dev # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. -appVersion: 0.39.2-dev +appVersion: 0.40.0-dev diff --git a/charts/steward/README.md b/charts/steward/README.md index 90c994e3..769ef6da 100644 --- a/charts/steward/README.md +++ b/charts/steward/README.md @@ -13,8 +13,13 @@ Install and configure [Steward][] on Kubernetes. - [Chart Configuration](#chart-configuration) - [Target Namespace](#target-namespace) - [Pipeline Run Controller](#pipeline-run-controller) + - [Custom Logging Details](#custom-logging-details) + - [Annotation provider](#annotation-provider) + - [Label provider](#label-provider) - [Monitoring](#monitoring) - [Pipeline Runs](#pipeline-runs) + - [Jenkinsfile Runner](#jenkinsfile-runner) + - [Logging](#logging) - [Feature Flags](#feature-flags) - [List of Defined Feature Flags](#list-of-defined-feature-flags) - [Misc](#misc) @@ -103,12 +108,12 @@ The tables in the following sections list the configurable parameters of the Ste | runController.image.repository
string | The container registry and repository of the Run Controller image. | `stewardci/stewardci-run-controller` | | runController.image.tag
string | The tag of the Run Controller image in the container registry. | A fixed image tag. | | runController.image.pullPolicy
string | The image pull policy for the Run Controller image. For possible values see field `imagePullPolicy` of the `container` spec in the Kubernetes API documentation. | `IfNotPresent` | -| runController.resources
object of [`RecourceRequirements`][k8s-resourcerequirements] | The resource requirements of the Run Controller container. When overriding, override the complete value, not just subvalues, because the default value might change in future versions and a partial override might not make sense anymore. | Limits and requests set (see `values.yaml`) | -| runController.podSecurityContext
object of [`PodSecurityContext`][k8s-podsecuritycontext] | The pod security context of the Run Controller pod. | `{}` | -| runController.securityContext
object of [`SecurityContext`][k8s-securitycontext] | The security context of the Run Controller container. | `{}` | -| runController.nodeSelector
object | The `nodeSelector` field of the Run Controller [pod spec][k8s-podspec]. | `{}` | -| runController.affinity
object of [`Affinity`][k8s-affinity] | The `affinity` field of the Run Controller [pod spec][k8s-podspec]. | `{}` | -| runController.tolerations
array of [`Toleration`][k8s-tolerations] | The `tolerations` field of the Run Controller [pod spec][k8s-podspec]. | `[]` | +| runController.resources
object of [`RecourceRequirements`][k8s-resourcerequirements] | The resource requirements of the Run Controller container. If not set or empty, the default value is used. | `{"limits": {"cpu":1, "memory":"256Mi"}, "requests": {"cpu":"100m", "memory":"256Mi"}}` | +| runController.podSecurityContext
object of [`PodSecurityContext`][k8s-podsecuritycontext] | The pod security context of the Run Controller pod. If not set or empty, the default value is used. | `{}` | +| runController.securityContext
object of [`SecurityContext`][k8s-securitycontext] | The security context of the Run Controller container. If not set or empty, the default value is used. | `{"privileged":false, "seccompProfile": {"type":"RuntimeDefault"}, "allowPrivilegeEscalation":false, "capabilities": {"drop": ["ALL"]}, "readOnlyRootFilesystem":true, "runAsNonRoot":true, "runAsUser":1000, "runAsGroup":"1000}"}` | +| runController.nodeSelector
object | The `nodeSelector` field of the Run Controller [pod spec][k8s-podspec]. If not set or empty, the default value is used. | `{}` | +| runController.affinity
object of [`Affinity`][k8s-affinity] | The `affinity` field of the Run Controller [pod spec][k8s-podspec]. If not set or empty, the default value is used. | `{}` | +| runController.tolerations
array of [`Toleration`][k8s-tolerations] | The `tolerations` field of the Run Controller [pod spec][k8s-podspec]. If not set or empty, the default value is used. | `[]` | | runController.args.qps
integer | The maximum queries per second (QPS) from the controller to the cluster. | 5 | | runController.args.burst
integer | The burst limit for throttle connections (maximum number of concurrent requests). | 10 | | runController.args.threadiness
integer | The maximum number of reconciliations performed in parallel. | 2 | @@ -120,7 +125,7 @@ The tables in the following sections list the configurable parameters of the Ste | runController.podSecurityPolicyName
string | The name of an _existing_ pod security policy that should be used by the run controller. If empty, a default pod security policy will be created. | empty | | runController.logging.customLoggingDetails
list | Define a list of log detail providers. See example below.| {} | -##### Custom Logging Details +#### Custom Logging Details The custom logging details can be defined at `runController.logging.customLoggingDetails`. The content is a list, where each entry defines a log detail provider. @@ -204,13 +209,13 @@ Common parameters: | Parameter | Description | Default | |---|---|---| -| pipelineRuns.podSecurityPolicyName
string | The name of an _existing_ pod security policy that should be used by pipeline run pods. If empty, a default pod security policy will be created. | empty | +| pipelineRuns.podSecurityPolicyName
string | The name of an _existing_ pod security policy that should be used by pipeline run pods. If empty, a default pod security policy will be created. | | | pipelineRuns.timeout
[duration][type-duration] | The maximum execution time of pipelines. | `60m` | | pipelineRuns.networkPolicy
string | Deprecated: Use pipelineRuns.networkPolicies instead. | | | pipelineRuns.defaultNetworkPolicyName | The name of the network policy which is used when no network profile is selected by a pipeline run spec. | `default` if pipelineRuns.networkPolicies is not set or empty. | | pipelineRuns.networkPolicies
map\[string]string | The network policies selectable as network profiles in pipeline run specs. The key can be any valid YAML key not starting with underscore (`_`). The value must be a string containing a complete `networkpolicy.networking.k8s.io` resource manifest in YAML format. The `.metadata` section of the manifest can be omitted, as it will be replaced anyway. See the [Kubernetes documentation of network policies][k8s-networkpolicies] for details about Kubernetes network policies.

Note that Steward ensures that all pods in pipeline run namespaces are _isolated_ in terms of network policies. The policy defined here _adds_ egress and/or ingress rules. | A single entry named `default` whose value is a network policy defining rules that allow ingress traffic from all pods in the same namespace and egress traffic to the internet, the cluster DNS resolver. | | pipelineRuns.limitRange
string | The limit range to be created in every pipeline run namespace. The value must be a string containing a complete `limitrange` resource manifest in YAML format. The `.metadata` section of the manifest can be omitted, as it will be replaced anyway. See the [Kubernetes documentation of limit ranges][k8s-limitranges] for details about Kubernetes limit ranges. | A limit range defining a default CPU request of 0.5 CPUs, a default CPU limit of 3 CPUs, a default memory request of 0.5 GiB and a default memory limit of 3 GiB.

This default limit range might change with newer releases of Steward. It is recommended to set an own limit range to avoid unexpected changes with Steward upgrades. | -| pipelineRuns.resourceQuota
string | The resource quota to be created in every pipeline run namespace. The value must be a string containing a complete `resourcequotas` resource manifest in YAML format. The `.metadata` section of the manifest can be omitted, as it will be replaced anyway. See the [Kubernetes documentation of resource quotas][k8s-resourcequotas] for details about Kubernetes resource quotas.| none | +| pipelineRuns.resourceQuota
string | The resource quota to be created in every pipeline run namespace. The value must be a string containing a complete `resourcequotas` resource manifest in YAML format. The `.metadata` section of the manifest can be omitted, as it will be replaced anyway. See the [Kubernetes documentation of resource quotas][k8s-resourcequotas] for details about Kubernetes resource quotas.| | #### Jenkinsfile Runner @@ -222,13 +227,13 @@ Common parameters: | pipelineRuns.jenkinsfileRunner.image
string | The Jenkinsfile Runner image. | `stewardci/stewardci-jenkinsfile-runner:` | | pipelineRuns.jenkinsfileRunner.imagePullPolicy
string | The image pull policy for the Jenkinsfile Runner image. For possible values see field `imagePullPolicy` of the `container` spec in the Kubernetes API documentation. | `IfNotPresent` | | pipelineRuns.jenkinsfileRunner.javaOpts
string | The JAVA_OPTS environment variable for the Jenkinsfile Runner process. | (see `values.yaml`) | -| pipelineRuns.jenkinsfileRunner.resources
object of [`RecourceRequirements`][k8s-resourcerequirements] | The resource requirements of Jenkinsfile Runner containers. When overriding, override the complete value, not just subvalues, because the default value might change in future versions and a partial override might not make sense anymore. | Limits and requests set (see `values.yaml`) | +| pipelineRuns.jenkinsfileRunner.resources
object of [`RecourceRequirements`][k8s-resourcerequirements] | The resource requirements of Jenkinsfile Runner containers. If not set or empty, the default value is used. | `{"limits": {"cpu":3, "memory":"2Gi"}, "requests": {"cpu":"500m", "memory":"2Gi"}}` | | pipelineRuns.jenkinsfileRunner.podSecurityContext.runAsUser
integer | The user ID (UID) of the container processes of the Jenkinsfile Runner pod. The value must be an integer in the range of \[1,65535]. Corresponds to field `runAsUser` of a [PodSecurityContext][k8s-podsecuritycontext]. | `1000` | | pipelineRuns.jenkinsfileRunner.podSecurityContext.runAsGroup
integer | The group ID (GID) of the container processes of the Jenkinsfile Runner pod. The value must be an integer in the range of \[1,65535]. Corresponds to field `runAsGroup` of a [PodSecurityContext][k8s-podsecuritycontext]. | `1000` | | pipelineRuns.jenkinsfileRunner.podSecurityContext.fsGroup
integer | A special supplemental group ID of the container processes of the Jenkinsfile Runner pod, that defines the ownership of some volume types. The value must be an integer in the range of \[1,65535]. Corresponds to field `fsGroup` of a [PodSecurityContext][k8s-podsecuritycontext]. | `1000` | | pipelineRuns.jenkinsfileRunner.pipelineCloneRetryIntervalSec
string | The retry interval for cloning the pipeline repository (in seconds). | The default value is defined in the Jenkinsfile Runner image. | | pipelineRuns.jenkinsfileRunner.pipelineCloneRetryTimeoutSec
string | The retry timeout for cloning the pipeline repository (in seconds). | The default value is defined in the Jenkinsfile Runner image. | -| pipelineRuns.jenkinsfileRunner.sidecars
list | A list of sidecar containers for the task, as specified by the [Tekton documentation](https://tekton.dev/vault/pipelines-main/tasks/#specifying-sidecars). | empty | +| pipelineRuns.jenkinsfileRunner.sidecars
list | A list of sidecar containers for the task, as specified by the [Tekton documentation](https://tekton.dev/vault/pipelines-main/tasks/#specifying-sidecars). | | #### Logging diff --git a/charts/steward/templates/deployment-run-controller.yaml b/charts/steward/templates/deployment-run-controller.yaml index 13c10479..e2cf5801 100644 --- a/charts/steward/templates/deployment-run-controller.yaml +++ b/charts/steward/templates/deployment-run-controller.yaml @@ -24,11 +24,26 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} securityContext: - {{- toYaml .Values.runController.podSecurityContext | nindent 8 }} + {{- with .Values.runController.podSecurityContext }} + {{- toYaml . | nindent 8 }} + {{- else }} + # chart default + {{- end }} containers: - name: controller securityContext: - {{- toYaml .Values.runController.securityContext | nindent 10 }} + {{- with .Values.runController.securityContext }} + {{- toYaml . | nindent 10 }} + {{- else }} + # chart default + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + {{- end }} {{- with .Values.runController.image }} image: {{ printf "%s:%s" .repository .tag | quote }} imagePullPolicy: {{ .pullPolicy | quote }} 
@@ -66,16 +81,32 @@ spec: containerPort: 9090 protocol: TCP resources: - {{- toYaml .Values.runController.resources | nindent 10 }} - {{- with .Values.runController.nodeSelector }} + {{- with .Values.runController.resources }} + {{- toYaml . | nindent 10 }} + {{- else }} + # chart default + limits: + cpu: 1 + memory: 256Mi + requests: + cpu: 100m + memory: 256Mi + {{- end }} nodeSelector: + {{- with .Values.runController.nodeSelector }} {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.runController.affinity }} + {{- else }} + # chart default + {{- end }} affinity: + {{- with .Values.runController.affinity }} {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.runController.tolerations }} + {{- else }} + # chart default + {{- end }} tolerations: + {{- with .Values.runController.tolerations }} {{- toYaml . | nindent 8 }} - {{- end }} + {{- else }} + # chart default + {{- end }} diff --git a/charts/steward/templates/task-jenkinsfile-runner.yaml b/charts/steward/templates/task-jenkinsfile-runner.yaml index b47dc029..c47eecb8 100644 --- a/charts/steward/templates/task-jenkinsfile-runner.yaml +++ b/charts/steward/templates/task-jenkinsfile-runner.yaml @@ -213,7 +213,17 @@ spec: - name: TERMINATION_LOG_PATH value: /tekton/results/jfr-termination-log resources: - {{- toYaml .Values.pipelineRuns.jenkinsfileRunner.resources | nindent 6 }} + {{- with .Values.pipelineRuns.jenkinsfileRunner.resources }} + {{- toYaml . | nindent 6 }} + {{- else }} + # chart default + limits: + cpu: 3 + memory: 2Gi + requests: + cpu: 500m + memory: 2Gi + {{- end }} terminationMessagePath: /tekton/results/jfr-termination-log results: - name: jfr-termination-log diff --git a/charts/steward/values.yaml b/charts/steward/values.yaml index 67a98ba7..5be98298 100644 --- a/charts/steward/values.yaml +++ b/charts/steward/values.yaml 
@@ -16,25 +16,12 @@ runController: repository: stewardci/stewardci-run-controller tag: "0.39.1" #Do not modify this line! RunController tag updated automatically pullPolicy: IfNotPresent - resources: - limits: - cpu: 1 - memory: 256Mi - requests: - cpu: 100m - memory: 256Mi - podSecurityContext: {} - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 1000 - nodeSelector: {} - affinity: {} - tolerations: [] + resources: {} # default is defined in template + podSecurityContext: {} # default is defined in template + securityContext: {} # default is defined in template + nodeSelector: {} # default is defined in template + affinity: {} # default is defined in template + tolerations: [] # default is defined in template podSecurityPolicyName: "" logging: customLoggingDetails: [] @@ -83,13 +70,7 @@ pipelineRuns: -Dhudson.slaves.NodeProvisioner.MARGIN0=0.8 -XX:+UseContainerSupport -XX:MaxRAMPercentage=75.0 - resources: - limits: - cpu: 3 - memory: 2Gi - requests: - cpu: 500m - memory: 2Gi + resources: {} # default is defined in template podSecurityContext: runAsUser: 1000 runAsGroup: 1000 From e3137a5b653ed0db7c80472f1436513ebcd52535 Mon Sep 17 00:00:00 2001 From: Andreas Brehmer Date: Wed, 29 Nov 2023 10:11:31 +0100 Subject: [PATCH 2/3] Chart: Allow pods to run with restricted security profile Change default security settings of run controller pod and CRD update hooks to be accepted by Pod Security profile `restricted`. --- changelog.yaml | 16 +++++++++ charts/steward/README.md | 33 +++++++++++++++++++ charts/steward/templates/_hooks.tpl | 24 ++++++++++++++ .../templates/deployment-run-controller.yaml | 4 +++ charts/steward/values.yaml | 3 ++ 5 files changed, 80 insertions(+) diff --git a/changelog.yaml b/changelog.yaml index 43d46173..1b4d25fd 100644 --- a/changelog.yaml +++ b/changelog.yaml 
@@ -76,6 +76,22 @@ If this is not the case, add the missing fields. pullRequestNumber: 398 + - type: enhancement + impact: minor + title: "Helm chart: Configure pods to run with Pod Security profile 'restricted'" + description: |- + Default security settings for the run controller and Helm hooks + have been changed to be accepted by Kubernetes Pod Security profile + `restricted`. + + The following additional parameters for CRD update hooks are now + available: + + - `hooks.crdUpdate.podSecurityContext` + - `hooks.crdUpdate.securityContext` + pullRequestNumber: 398 + jiraIssueNumber: 725 + - version: "0.39.1" date: 2023-11-29 changes: diff --git a/charts/steward/README.md b/charts/steward/README.md index 769ef6da..1eb9acee 100644 --- a/charts/steward/README.md +++ b/charts/steward/README.md @@ -20,6 +20,8 @@ Install and configure [Steward][] on Kubernetes. - [Pipeline Runs](#pipeline-runs) - [Jenkinsfile Runner](#jenkinsfile-runner) - [Logging](#logging) + - [Helm Hooks](#helm-hooks) + - [CRD Update Hooks](#crd-update-hooks) - [Feature Flags](#feature-flags) - [List of Defined Feature Flags](#list-of-defined-feature-flags) - [Misc](#misc) @@ -277,6 +279,37 @@ This plug-in supports two ways of sending log events: | pipelineRuns.logging.forwarder.maxBufferSize
integer | The maximum total size in bytes of all buffer chunks. Must be greater than `bufferChunkRetentionSize`. | | | pipelineRuns.logging.forwarder.emitTimeoutMillis
integer | The timeout in milliseconds for inserting a single log event into the local in-memory buffer and retrying in case of errors, e.g. when the buffer is full. | | +### Helm Hooks + +#### Images + +This section configures the images used by Helm hooks. + +| Parameter | Description | Default | +|---|---|---| +| hooks.images.<IMAGE_KEY>.repository
string | The container registry and repository of the image. | see `values.yaml` | +| hooks.images.<IMAGE_KEY>.tag
string | The tag of the Run Controller image in the container registry. | see `values.yaml` | +| hooks.images.<IMAGE_KEY>.pullPolicy
string | The image pull policy for the image. For possible values see field `imagePullPolicy` of the `container` spec in the Kubernetes API documentation. | see `values.yaml` | + +Image keys: + +- `kubectl`: An image with Bourne shell and the `kubectl` CLI. + +#### CRD Update Hooks + +The CRD Update hooks are Kubernetes Jobs to update the Steward CRDs. + +Lifecycle: + +- pre-install +- pre-upgrade +- pre-rollback + +| Parameter | Description | Default | +|---|---|---| +| hooks.crdUpdate.podSecurityContext
object of [`PodSecurityContext`][k8s-podsecuritycontext] | The pod security context of the hook pod. If not set or empty, the default value is used. | `{"runAsUser":1000, "runAsGroup":1000, "fsGroup":1000, "runAsNonRoot":true}` | +| hooks.crdUpdate.securityContext
object of [`SecurityContext`][k8s-securitycontext] | The security context of the hook container. If not set or empty, the default value is used. | `{"privileged":false, "seccompProfile": {"type":"RuntimeDefault"}, "allowPrivilegeEscalation":false, "capabilities": {"drop": ["ALL"]}, "readOnlyRootFilesystem":true}` | + ### Feature Flags | Parameter | Description | Default | diff --git a/charts/steward/templates/_hooks.tpl b/charts/steward/templates/_hooks.tpl index 64f97bff..9ddf6f17 100644 --- a/charts/steward/templates/_hooks.tpl +++ b/charts/steward/templates/_hooks.tpl @@ -71,8 +71,32 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} restartPolicy: Never + securityContext: + {{- with .Values.hooks.crdUpdate.podSecurityContext }} + {{- toYaml . | nindent 8 }} + {{- else }} + # chart default + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + runAsNonRoot: true + {{- end }} containers: - name: kubectl + securityContext: + {{- with .Values.hooks.crdUpdate.securityContext }} + {{- toYaml . | nindent 10 }} + {{- else }} + # chart default + privileged: false + seccompProfile: + type: RuntimeDefault + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + {{- end }} {{- with .Values.hooks.images.kubectl }} image: {{ printf "%s:%s" .repository .tag | quote }} imagePullPolicy: {{ .pullPolicy | quote }} diff --git a/charts/steward/templates/deployment-run-controller.yaml b/charts/steward/templates/deployment-run-controller.yaml index e2cf5801..1addb147 100644 --- a/charts/steward/templates/deployment-run-controller.yaml +++ b/charts/steward/templates/deployment-run-controller.yaml @@ -36,6 +36,10 @@ spec: {{- toYaml . | nindent 10 }} {{- else }} # chart default + privileged: false + seccompProfile: + type: RuntimeDefault + allowPrivilegeEscalation: false capabilities: drop: - ALL diff --git a/charts/steward/values.yaml b/charts/steward/values.yaml index 5be98298..94e8479d 100644 --- a/charts/steward/values.yaml 
+++ b/charts/steward/values.yaml @@ -87,6 +87,9 @@ pipelineRuns: podSecurityPolicyName: "" hooks: + crdUpdate: + podSecurityContext: {} # default is defined in template + securityContext: {} # default is defined in template images: kubectl: repository: docker.io/bitnami/kubectl From e52d68f67ef9e29e66d12715ae0bfe10bdec0ce8 Mon Sep 17 00:00:00 2001 From: Andreas Brehmer Date: Wed, 29 Nov 2023 10:13:57 +0100 Subject: [PATCH 3/3] Chart: Add parameters for crd-update hook pods --- changelog.yaml | 13 +++++++++++++ charts/steward/README.md | 4 ++++ charts/steward/templates/_hooks.tpl | 24 ++++++++++++++++++++++++ charts/steward/values.yaml | 4 ++++ 4 files changed, 45 insertions(+) diff --git a/changelog.yaml b/changelog.yaml index 1b4d25fd..adf1739d 100644 --- a/changelog.yaml +++ b/changelog.yaml @@ -92,6 +92,19 @@ pullRequestNumber: 398 jiraIssueNumber: 725 + - type: enhancement + impact: minor + title: "Helm chart: Add parameters for crd-update hook pods" + description: |- + The following additional parameters for CRD update hooks are now + available: + + - `hooks.crdUpdate.resources` + - `hooks.crdUpdate.nodeSelector` + - `hooks.crdUpdate.affinity` + - `hooks.crdUpdate.tolerations` + pullRequestNumber: 398 + - version: "0.39.1" date: 2023-11-29 changes: diff --git a/charts/steward/README.md b/charts/steward/README.md index 1eb9acee..73b1dee8 100644 --- a/charts/steward/README.md +++ b/charts/steward/README.md @@ -307,8 +307,12 @@ Lifecycle: | Parameter | Description | Default | |---|---|---| +| hooks.crdUpdate.resources
object of [`RecourceRequirements`][k8s-resourcerequirements] | The resource requirements of the hook container. If not set or empty, the default value is used. | `{}` | | hooks.crdUpdate.podSecurityContext
object of [`PodSecurityContext`][k8s-podsecuritycontext] | The pod security context of the hook pod. If not set or empty, the default value is used. | `{"runAsUser":1000, "runAsGroup":1000, "fsGroup":1000, "runAsNonRoot":true}` | | hooks.crdUpdate.securityContext
object of [`SecurityContext`][k8s-securitycontext] | The security context of the hook container. If not set or empty, the default value is used. | `{"privileged":false, "seccompProfile": {"type":"RuntimeDefault"}, "allowPrivilegeEscalation":false, "capabilities": {"drop": ["ALL"]}, "readOnlyRootFilesystem":true}` | +| hooks.crdUpdate.nodeSelector
object | The `nodeSelector` field of the hook [pod spec][k8s-podspec]. If not set or empty, the default value is used. | `{}` | +| hooks.crdUpdate.affinity
object of [`Affinity`][k8s-affinity] | The `affinity` field of the hook [pod spec][k8s-podspec]. If not set or empty, the default value is used. | `{}` | +| hooks.crdUpdate.tolerations
array of [`Toleration`][k8s-tolerations] | The `tolerations` field of the hook [pod spec][k8s-podspec]. If not set or empty, the default value is used. | `[]` | ### Feature Flags diff --git a/charts/steward/templates/_hooks.tpl b/charts/steward/templates/_hooks.tpl index 9ddf6f17..c64e8e40 100644 --- a/charts/steward/templates/_hooks.tpl +++ b/charts/steward/templates/_hooks.tpl @@ -113,6 +113,30 @@ spec: else echo "$CRD_SPEC" | kubectl create -f - fi + resources: + {{- with .Values.hooks.crdUpdate.resources }} + {{- toYaml . | nindent 10 }} + {{- else }} + # chart default + {{- end }} + nodeSelector: + {{- with .Values.hooks.crdUpdate.nodeSelector }} + {{- toYaml . | nindent 8 }} + {{- else }} + # chart default + {{- end }} + affinity: + {{- with .Values.hooks.crdUpdate.affinity }} + {{- toYaml . | nindent 8 }} + {{- else }} + # chart default + {{- end }} + tolerations: + {{- with .Values.hooks.crdUpdate.tolerations }} + {{- toYaml . | nindent 8 }} + {{- else }} + # chart default + {{- end }} {{- end -}} {{- end -}} diff --git a/charts/steward/values.yaml b/charts/steward/values.yaml index 94e8479d..0d53f60a 100644 --- a/charts/steward/values.yaml +++ b/charts/steward/values.yaml @@ -90,6 +90,10 @@ hooks: crdUpdate: podSecurityContext: {} # default is defined in template securityContext: {} # default is defined in template + resources: {} # default is defined in template + nodeSelector: {} # default is defined in template + affinity: {} # default is defined in template + tolerations: [] # default is defined in template images: kubectl: repository: docker.io/bitnami/kubectl
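Review bot: In the changelog hunk of PATCH 1/3 (`@@ -52,6 +52,30 @@`), the listed key `pipelineRuns.resources` does not exist in this chart; the value changed by this patch is `pipelineRuns.jenkinsfileRunner.resources` (see the values.yaml and task-jenkinsfile-runner.yaml hunks), and an operator grepping their overrides for the listed key will miss it. The same entry has two typos, `unintented` and `which where also set` (`unintended`, `which were also set`). Please also reconsider `impact: minor`: the upgradeNotes require users to amend existing overrides, and an unamended partial override of `runController.securityContext` now drops the chart's hardening fields without any error.

Review bot: In the README hunk of PATCH 1/3 (`@@ -103,12 +108,12 @@`), the default shown for `runController.securityContext` is malformed: `"runAsGroup":"1000}"` should read `"runAsGroup":1000}`. That row also lists `privileged`, `seccompProfile` and `allowPrivilegeEscalation`, which the template in this commit does not set (they are only added to `deployment-run-controller.yaml` in PATCH 2/3), so the README and template disagree at this commit; move those fields to the second patch or squash the two. The pre-existing typo `RecourceRequirements` is copied into the new rows (and again in PATCH 3/3); `ResourceRequirements` while touching them.

Review bot: In the second `deployment-run-controller.yaml` hunk of PATCH 1/3 (`@@ -66,16 +81,32 @@`), `nodeSelector:`, `affinity:` and `tolerations:` are now emitted unconditionally with an `{{- else }}` branch that holds only a comment, so an unset value renders `nodeSelector: null` (likewise `affinity` and `tolerations`) where the old template omitted the key. Only `resources` has a chart default and needs the else branch; keeping the previous `{{- with ... }}key:{{- end }}` shape for the three scheduling fields avoids null keys in the rendered spec and keeps rendered-manifest diffs quiet. The same shape is reused for the hook pod in the `_hooks.tpl` hunk of PATCH 3/3 (`@@ -113,6 +113,30 @@`).

Review bot: In the README hunk of PATCH 2/3 (`@@ -277,6 +279,37 @@`), the description of `hooks.images.<IMAGE_KEY>.tag` says "The tag of the Run Controller image"; it is copied from the run controller table and should say the hook image. Also, `<IMAGE_KEY>` inside a Markdown table cell is parsed as an HTML tag by most renderers and vanishes from the rendered page; escape it as `\<IMAGE_KEY>` (the table already escapes `\[1,65535]` the same way) or put the parameter name in backticks.

Review bot: In the `_hooks.tpl` hunk of PATCH 2/3 (`@@ -71,8 +71,32 @@`), the container default sets `readOnlyRootFilesystem: true` together with `runAsUser: 1000`, while the hook runs `kubectl create -f -` (see the context lines of the PATCH 3/3 hunk) and `kubectl` writes its discovery cache under `$HOME/.kube`. Please confirm with an actual `helm upgrade` against a cluster that the kubectl hook still completes under these settings, and mount an `emptyDir` for the cache directory if it does not: this hook is wired to pre-install, pre-upgrade and pre-rollback, so a failure here blocks every release operation rather than just one pod.

Review bot: In the README hunk of PATCH 3/3 (`@@ -307,8 +307,12 @@`), the `hooks.crdUpdate.resources` row says "If not set or empty, the default value is used", but the default column is `{}` and the template's else branch is empty, so there is no default and the hook container runs without requests or limits. In a namespace whose ResourceQuota constrains CPU or memory requests, a pod that does not specify them is rejected, and because of the pre-install/pre-upgrade/pre-rollback wiring that rejection blocks the whole release. Either ship a small default as the other `resources` values in this series do, or state plainly in the row that none is set.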