Chart version 0.6.0: anycable-go 1.6.3; more configurable options for the chart

Author: dragonsmith

README.md

@@ -9,7 +9,6 @@ To install anycable-go to your kubernetes cluster simply run:
 ```shell
 helm repo add anycable https://helm.anycable.io/
 
-# With Helm 3
 helm upgrade -i anycable-go anycable/anycable-go
 ```
 
@@ -23,14 +22,11 @@ AnyCable uses the same protocol as ActionCable, so you can use its JavaScript cl
 
 ## Prerequisites
 
-* Kubernetes 1.4+ with Beta APIs enabled
-
 ## Installing chart
 
 ```shell
 helm repo add anycable https://helm.anycable.io/
 
-# With Helm 3
 helm upgrade -i anycable-go anycable/anycable-go
 ```
 
@@ -53,7 +49,7 @@ Specify each parameter using the `--set key=value[,key=value]` argument to helm
 ```shell
 helm upgrade -i anycable-go \
   --namespace anycable-go \
-  --set image.tag=1.0.1 \
+  --set image.tag=1.6.3 \
   anycable/anycable-go
 ```
 
@@ -68,7 +64,7 @@ These are the values used to configure anycable-go itself:
 |Value|Description|Default|
 |-----|-----------|-------|
 |**image.repository**|Choose between `anycable/anycable-go` and `ghcr.io/anycable/anycable-go-pro`|`anycable/anycable-go`|
-|**image.tag**|Version of docker image to use|`1.4.7`|
+|**image.tag**|Version of docker image to use|`1.6.3`|
 |**image.pullSecrets.enabled**|Enable creating secret for pulling image from AnyCable Pro private registry|`false`|
 |**image.pullSecrets.registry**|URL of a private registry you want to authorize to|`ghcr.io`|
 |**image.pullSecrets.username**|Github username|``|
@@ -162,14 +158,36 @@ These are the values used to configure anycable-go itself:
 |Value|Description|Default|
 |-----|-----------|-------|
 |**replicas**|Number of replicas for `anycable-go` deployment (ignored when HPA is enabled)|`1`|
+
+|**containerSecurityContext.enabled**|Enables container's Security Context|`false`|
+|**containerSecurityContext.runAsUser**|Sets webhook containers' Security Context runAsUser|`1001`|
+|**containerSecurityContext.runAsGroup**|Sets webhook containers' Security Context runAsGroup|`1001`|
+|**containerSecurityContext.runAsNonRoot**|Sets webhook containers' Security Context runAsNonRoot|`true`|
+|**containerSecurityContext.privileged**|Sets webhook container's Security Context privileged|`false`|
+|**containerSecurityContext.allowPrivilegeEscalation**|Sets webhook container's Security Context allowPrivilegeEscalation|`false`|
+|**containerSecurityContext.capabilities.drop**|Sets webhook container's Security Context capabilities.drop|`["ALL"]`|
+|**containerSecurityContext.seccompProfile.type**|Sets webhook container's Security Context seccompProfile.type|`"RuntimeDefault"`|
+|**containerSecurityContext.readOnlyRootFilesystem**|Sets webhook container's Security Context readOnlyRootFilesystem|`true`|
 |**hpa.enabled**|Enable HorizontalPodAutoscaler|`false`|
 |**hpa.minReplicas**|Minimum replicas for HPA|`1`|
 |**hpa.maxReplicas**|Maximum replicas for HPA|`3`|
 |**hpa.targetCPUUtilizationPercentage**|Target CPU utilization for HPA|`50`|
 |**pod.annotations**|User-specified Pod annotations|`{}`|
 |**pod.extraLabels**|User-specified Pod Labels|`{}`|
+|**pod.priorityClassName**|Controller pod priority class name|`""`|
+|**pod.runtimeClassName**|Name of the runtime class to be used by pod(s)|`""`|
+|**pod.schedulerName**|Name of the k8s scheduler (other than default)|`""`|
+|**pod.securityContext.enabled**|Enables Controller pods' Security Context|`false`|
+|**pod.securityContext.fsGroupChangePolicy**|Set filesystem group change policy|`"Always"`|
+|**pod.securityContext.sysctls**|Set kernel settings using the sysctl interface|`[]`|
+|**pod.securityContext.supplementalGroups**|Set filesystem extra groups|`[]`|
+|**pod.securityContext.fsGroup**|Set Controller pod's Security Context fsGroupo|`1001`|
+|**pod.serviceAccountName**|User-specified ServiceAccount for Pod identity|`""`|
 |**pod.tolerations**|User-specified Pod tolerations|`[]`|
-|**pod.serviceAccountName**|User-specified ServiceAccount for Pod identity||
+|**pod.topologySpreadConstraints**|Topology Spread Constraints for pod assignment|`[]`|
+|**pod.disruptionBudget.enabled**|Enables podDisruptionBudget configuration|`true`|
+|**pod.disruptionBudget.minUnavailable**|podDisruptionBudget minimum number unavailable pods|`"50%"`|
+|**pod.disruptionBudget.maxUnavailable**|podDisruptionBudget maximum number of unavailable pods|`""`|
 |**service.annotations**|User-specified Service annotations|`{}`|
 
 ### Monitoring

anycable-go/Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v1
 description: A Helm chart for anycable-go websocket server.
 name: anycable-go
-version: 0.5.12
-appVersion: 1.5.6
+version: 0.6.0
+appVersion: 1.6.3
 home: https://anycable.io/
 icon: https://docs.anycable.io/assets/images/logo.svg
 keywords:
@@ -15,7 +15,3 @@ maintainers:
     email: [email protected]
   - name: palkan
     email: [email protected]
-  - name: envek
-    email: [email protected]
-  - name: nepalez
-    email: [email protected]

anycable-go/templates/deployment.yml

@@ -47,12 +47,29 @@ spec:
         {{- end }}
       name: {{ $.Release.Name | quote }}
     spec:
-      {{- if (.pod | default dict).serviceAccountName }}
-      serviceAccountName: {{ .pod.serviceAccountName }}
+      {{- if .image.pullSecrets.enabled }}
+      imagePullSecrets:
+        - name: "{{ $.Release.Name }}-docker-registry-secret"
+      {{- end }}
+      {{- if .pod.securityContext.enabled }}
+      securityContext: {{- omit .pod.securityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
+      {{- with .pod.schedulerName }}
+      schedulerName: {{ . | quote }}
+      {{- end }}
+      {{- with .pod.topologySpreadConstraints }}
+      topologySpreadConstraints: {{- . | toYaml 8 | nindent 8 }}
+      {{- end }}
+      {{- with .pod.priorityClassName }}
+      priorityClassName: {{ . | quote }}
       {{- end }}
-      {{- if .nodeSelector }}
-      nodeSelector: {{ toYaml .nodeSelector | nindent 8 }}
+      {{- with .pod.runtimeClassName }}
+      runtimeClassName: {{ . | quote }}
       {{- end }}
+
+      {{- if .affinity }}
+      affinity: {{- .affinity | toYaml | nindent 8 }}
+      {{- else }}
       affinity:
         podAntiAffinity:
           preferredDuringSchedulingIgnoredDuringExecution:
@@ -63,12 +80,15 @@ spec:
                     app: {{ template "anycableGo.name" $ }}
                     release: {{ $.Release.Name | quote }}
               weight: 100
-      {{- if (.pod | default dict).tolerations }}
-      tolerations: {{- .pod.tolerations | toYaml | nindent 8 }}
       {{- end }}
-      {{- if .image.pullSecrets.enabled }}
-      imagePullSecrets:
-        - name: "{{ $.Release.Name }}-docker-registry-secret"
+      {{- with .nodeSelector }}
+      nodeSelector: {{- . | toYaml | nindent 8 }}
+      {{- end }}
+      {{- with .pod.tolerations }}
+      tolerations: {{- . | toYaml | nindent 8 }}
+      {{- end }}
+      {{- with .pod.serviceAccountName }}
+      serviceAccountName: {{ . | quote }}
       {{- end }}
       containers:
         - name: anycable-go
@@ -133,6 +153,9 @@ spec:
           {{- if .resources }}
           resources: {{ toYaml .resources | nindent 12 }}
           {{- end }}
+          {{- if .containerSecurityContext.enabled }}
+          securityContext: {{- .containerSecurityContext | toYaml | nindent 12 }}
+          {{- end }}
           terminationMessagePath: /dev/termination-log
           terminationMessagePolicy: File
           {{- if .tls }}
@@ -144,10 +167,10 @@ spec:
       dnsPolicy: ClusterFirst
       restartPolicy: Always
       terminationGracePeriodSeconds: 30
-      {{- if .tls }}
+      {{- with .tls }}
       volumes:
         - name: ssl
           secret:
-            secretName: {{ .tls.secretName | quote }}
+            secretName: {{ .secretName | quote }}
       {{- end }}
 {{- end }}

anycable-go/templates/pdb.yml

@@ -0,0 +1,26 @@
+{{- with .Values.pod.disruptionBudget -}}
+{{- if .enabled }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ template "anycableGo.fullname" $ }}
+  labels:
+    app: {{ template "anycableGo.name" $ }}
+    component: anycable-go
+    chart: "{{ $.Chart.Name }}-{{ $.Chart.Version | replace "+" "_" }}"
+    release: {{ $.Release.Name | quote }}
+    heritage: {{ $.Release.Service | quote }}
+spec:
+  {{- if .minAvailable }}
+  minAvailable: {{ .minAvailable }}
+  {{- end }}
+  {{- if .maxUnavailable }}
+  maxUnavailable: {{ .maxUnavailable }}
+  {{- end }}
+  selector:
+    matchLabels:
+      app: {{ template "anycableGo.name" $ }}
+      component: anycable-go
+      release: {{ $.Release.Name | quote }}
+{{- end -}}
+{{- end }}

anycable-go/values.yaml

@@ -2,23 +2,25 @@ nodeSelector: {}
 
 replicas: 1
 
-hpa:
-  enabled: false
-  minReplicas: 1
-  maxReplicas: 3
-  # ATTENTION: This argument will be renamed in the future.
-  targetCPUUtilizationPercentage: 50
-
 image:
   repository: anycable/anycable-go
-  tag: 1.5.6
+  tag: 1.6.3
   pullPolicy: IfNotPresent
   pullSecrets:
     enabled: false
     registry: "ghcr.io"
     username: ""
     password: ""
 
+affinity: {}
+
+hpa:
+  enabled: false
+  minReplicas: 1
+  maxReplicas: 3
+  # ATTENTION: This argument will be renamed in the future.
+  targetCPUUtilizationPercentage: 50
+
 ingress:
   enable: false
   className: ""
@@ -62,6 +64,15 @@ resources:
 pod:
   annotations: {}
   extraLabels: {}
+  priorityClassName: ""
+  runtimeClassName: ""
+  schedulerName: ""
+  securityContext:
+    enabled: false
+    fsGroupChangePolicy: Always
+    sysctls: []
+    supplementalGroups: []
+    fsGroup: 65534
   # Use a different ServiceAccount
   # (leave blank for default)
   serviceAccountName: ""
@@ -72,6 +83,23 @@ pod:
     #   value: value1
     #   effect: NoExecute
     #   tolerationSeconds: 3600
+  topologySpreadConstraints: []
+  disruptionBudget:
+    enabled: true
+    minAvailable: 50%
+
+containerSecurityContext:
+  enabled: false
+  runAsUser: 65534
+  runAsGroup: 65534
+  runAsNonRoot: true
+  privileged: false
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop: ["ALL"]
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: true
 
 service:
   annotations: {}
@@ -124,6 +152,7 @@ serviceMonitor:
   #   release: prometheus-operator
   labels: {}
 
+
 tls: {}
   # secretName: "anycable-go-tls-secret"
   # Keep empty to use existing secret