Allow rolling update maxSurge maxUnavailable to be configurable

sjanel · sjanel · commit 92fcad3e95c0 · 2023-02-10T22:02:58.000+01:00
diff --git a/.gitignore b/.gitignore
@@ -22,3 +22,6 @@ bin
 *.swp
 *.swo
 *~
+
+# executable
+egress-operator
diff --git a/README.md b/README.md
@@ -1,15 +1,17 @@
 # egress-operator
+
 An operator to produce egress gateway pods and control access to them with network policies, and a coredns plugin to route egress traffic to these pods.
 
 The idea is that instead of authorizing egress traffic with protocol inspection,
 you instead create a internal clusterIP for every external service you use, lock
 it down to only a few pods via a network policy, and then set up your dns server
 to resolve the external service to that clusterIP.
 
-Built with kubebuilder: https://book.kubebuilder.io/
+Built with kubebuilder: <https://book.kubebuilder.io/>
 
 The operator accepts ExternalService objects, which aren't namespaced, which define a dns name and ports for an external service.
 In the `egress-operator-system` namespace, it creates:
+
 - An envoy configmap for a TCP/UDP proxy to that service (UDP not working until the next envoy release that enables it)
 - A deployment for some envoy pods with that config
 - A horizontal pod autoscaler to keep the deployment correctly sized
@@ -31,24 +33,28 @@ In the `egress-operator-system` namespace, it creates:
 ```bash
 make run
 ```
+
 This creates an ExternalService object to see the controller-manager creating managed resources in the remote cluster.
 
 ### Setting up CoreDNS plugin
 
 The CoreDNS plugin rewrites responses for external service hostnames managed by egress-operator.
 
 Build a CoreDNS image which contains the plugin:
+
 ```bash
 cd coredns-plugin
 make docker-build docker-push IMG=yourrepo/egress-operator-coredns:latest
 ```
 
 You'll need to swap out the image of your coredns kubedns Deployment for `yourrepo/egress-operator-coredns:latest`:
+
 ```bash
 kubectl edit deploy coredns -n kube-system   # Your Deployment name may vary
 ```
 
 And edit the coredns Corefile in ConfigMap to put in `egressoperator egress-operator-system cluster.local`:
+
 ```bash
 kubectl edit configmap coredns-config -n kube-system   # Your ConfigMap name may vary
 ```
@@ -171,10 +177,12 @@ spec:
   ...
 ```
 
-| Variable name          | Default                           | Description                                        |
-| ---------------------- | --------------------------------- | -------------------------------------------------- |
-| ENVOY_IMAGE            | `envoyproxy/envoy-alpine:v1.16.5` | Name of the Envoy Proxy image to use               |
-| TAINT_TOLERATION_KEY   | Empty, no tolerations applied     | Toleration key to apply to gateway pods            |
-| TAINT_TOLERATION_VALUE | Empty, no tolerations applied     | Toleration value to apply to gateway pods          |
-| NODE_SELECTOR_KEY      | Empty, no node selector added     | Node selector label key to apply to gateway pods   |
-| NODE_SELECTOR_VALUE    | Empty, no node selector added     | Node selector label value to apply to gateway pods |
+| Variable name                  | Default                           | Description                                             |
+| ------------------------------ | --------------------------------- | ------------------------------------------------------- |
+| ENVOY_IMAGE                    | `envoyproxy/envoy-alpine:v1.16.5` | Name of the Envoy Proxy image to use                    |
+| TAINT_TOLERATION_KEY           | Empty, no tolerations applied     | Toleration key to apply to gateway pods                 |
+| TAINT_TOLERATION_VALUE         | Empty, no tolerations applied     | Toleration value to apply to gateway pods               |
+| NODE_SELECTOR_KEY              | Empty, no node selector added     | Node selector label key to apply to gateway pods        |
+| NODE_SELECTOR_VALUE            | Empty, no node selector added     | Node selector label value to apply to gateway pods      |
+| ROLLING_UPDATE_MAX_UNAVAILABLE | 25%                               | Rolling Update max unavailable to apply to gateway pods |
+| ROLLING_UPDATE_MAX_SURGE       | 25%                               | Rolling Update max surge to apply to gateway pods       |
diff --git a/controllers/deployment.go b/controllers/deployment.go
@@ -76,9 +76,9 @@ func deployment(es *egressv1.ExternalService, configHash string) *appsv1.Deploym
 	tv, vok := os.LookupEnv("TAINT_TOLERATION_VALUE")
 	if kok && vok {
 		tolerations = append(tolerations, corev1.Toleration{
-			Key:      tk,
-			Value: 		tv,
-			Effect:   corev1.TaintEffectNoSchedule,
+			Key:    tk,
+			Value:  tv,
+			Effect: corev1.TaintEffectNoSchedule,
 		})
 	}
 
@@ -91,6 +91,9 @@ func deployment(es *egressv1.ExternalService, configHash string) *appsv1.Deploym
 		}
 	}
 
+	maxUnavailableStr := lookupEnvOr("ROLLING_UPDATE_MAX_UNAVAILABLE", "25%")
+	maxSurgeStr := lookupEnvOr("ROLLING_UPDATE_MAX_SURGE", "25%")
+
 	var resources corev1.ResourceRequirements
 	if es.Spec.Resources != nil {
 		resources = *es.Spec.Resources
@@ -107,6 +110,9 @@ func deployment(es *egressv1.ExternalService, configHash string) *appsv1.Deploym
 		}
 	}
 
+	maxUnavailable := intstr.Parse(maxUnavailableStr)
+	maxSurge := intstr.Parse(maxSurgeStr)
+
 	return &appsv1.Deployment{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:        es.Name,
@@ -120,8 +126,8 @@ func deployment(es *egressv1.ExternalService, configHash string) *appsv1.Deploym
 			Strategy: appsv1.DeploymentStrategy{
 				Type: appsv1.RollingUpdateDeploymentStrategyType,
 				RollingUpdate: &appsv1.RollingUpdateDeployment{
-					MaxUnavailable: intstr.ValueOrDefault(nil, intstr.FromString("25%")),
-					MaxSurge:       intstr.ValueOrDefault(nil, intstr.FromString("25%")),
+					MaxUnavailable: &maxUnavailable,
+					MaxSurge:       &maxSurge,
 				},
 			},
 			Selector: metav1.SetAsLabelSelector(labelsToSelect(es)),
@@ -131,7 +137,7 @@ func deployment(es *egressv1.ExternalService, configHash string) *appsv1.Deploym
 					Annotations: a,
 				},
 				Spec: corev1.PodSpec{
-					Tolerations: tolerations,
+					Tolerations:  tolerations,
 					NodeSelector: nodeSelector,
 					Containers: []corev1.Container{
 						{
@@ -201,3 +207,11 @@ func deployment(es *egressv1.ExternalService, configHash string) *appsv1.Deploym
 		},
 	}
 }
+
+func lookupEnvOr(envKey, envDefaultValue string) string {
+	valueStr, isSet := os.LookupEnv(envKey)
+	if !isSet || len(valueStr) == 0 {
+		return envDefaultValue
+	}
+	return valueStr
+}
