feat: quality of life optional values to leases-cleanup job and webhook deployment (#894)

* feat: add optional resources requests and limits to cleanup job

Signed-off-by: falcorocks <[email protected]>

* feat: add optional podSecurity context to cleanup job

Signed-off-by: falcorocks <[email protected]>

* feat: add optional priorityClass to cleanup job

Signed-off-by: falcorocks <[email protected]>

* feat: add optional priorityClass to webhook

Signed-off-by: falcorocks <[email protected]>

* feat: add optional envFrom to webhook

Signed-off-by: falcorocks <[email protected]>

* feat: add optional automountServiceAccountToken to cleanup job

Signed-off-by: falcorocks <[email protected]>

* feat: add optional automountServiceAccountToken to webhook

Signed-off-by: falcorocks <[email protected]>

* chore: bump version

Signed-off-by: falcorocks <[email protected]>

---------

Signed-off-by: falcorocks <[email protected]>

Author: falcorocks

charts/policy-controller/Chart.yaml

@@ -8,7 +8,7 @@ sources:
 type: application
 
 name: policy-controller
-version: 0.9.1
+version: 0.10.0
 appVersion: 0.12.0
 
 maintainers:

charts/policy-controller/README.md

@@ -2,7 +2,7 @@
 
 <!-- This README.md is generated. Please edit README.md.gotmpl -->
 
-![Version: 0.9.1](https://img.shields.io/badge/Version-0.9.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.12.0](https://img.shields.io/badge/AppVersion-0.12.0-informational?style=flat-square)
+![Version: 0.10.0](https://img.shields.io/badge/Version-0.10.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.12.0](https://img.shields.io/badge/AppVersion-0.12.0-informational?style=flat-square)
 
 The Helm chart for Policy  Controller
 
@@ -157,15 +157,24 @@ helm uninstall [RELEASE_NAME]
 | cosign.webhookTimeoutSeconds | object | `{}` |  |
 | imagePullSecrets | list | `[]` |  |
 | installCRDs | bool | `true` |  |
+| leasescleanup.automountServiceAccountToken | bool | `true` |  |
 | leasescleanup.image.pullPolicy | string | `"IfNotPresent"` |  |
 | leasescleanup.image.repository | string | `"cgr.dev/chainguard/kubectl"` |  |
 | leasescleanup.image.version | string | `"latest-dev"` |  |
+| leasescleanup.podSecurityContext.enabled | bool | `false` |  |
+| leasescleanup.priorityClass | string | `""` |  |
+| leasescleanup.resources.limits.cpu | string | `""` |  |
+| leasescleanup.resources.limits.memory | string | `""` |  |
+| leasescleanup.resources.requests.cpu | string | `""` |  |
+| leasescleanup.resources.requests.memory | string | `""` |  |
 | loglevel | string | `"info"` |  |
 | serviceMonitor.enabled | bool | `false` |  |
 | webhook.affinity | object | `{}` |  |
+| webhook.automountServiceAccountToken | bool | `true` |  |
 | webhook.configData | object | `{}` |  |
 | webhook.customLabels | object | `{}` |  |
 | webhook.env | object | `{}` |  |
+| webhook.envFrom | object | `{}` |  |
 | webhook.extraArgs | object | `{}` |  |
 | webhook.failurePolicy | string | `"Fail"` |  |
 | webhook.image.pullPolicy | string | `"IfNotPresent"` |  |
@@ -183,6 +192,7 @@ helm uninstall [RELEASE_NAME]
 | webhook.podSecurityContext.enabled | bool | `true` |  |
 | webhook.podSecurityContext.readOnlyRootFilesystem | bool | `true` |  |
 | webhook.podSecurityContext.runAsUser | int | `1000` |  |
+| webhook.priorityClass | string | `""` |  |
 | webhook.registryCaBundle | object | `{}` |  |
 | webhook.replicaCount | int | `1` |  |
 | webhook.resources.limits.cpu | string | `"200m"` |  |

charts/policy-controller/templates/webhook/cleanup-leases.yaml

@@ -16,6 +16,11 @@ spec:
       name: leases-cleanup
     spec:
       serviceAccountName: {{ template "webhook.serviceAccountName" . }}-cleanup
+      {{- if .Values.leasescleanup.automountServiceAccountToken }}
+      automountServiceAccountToken: true
+      {{- else }}
+      automountServiceAccountToken: false
+      {{- end }}
       containers:
         - name: kubectl
           image: "{{ template "leases-cleanup.image" .Values.leasescleanup.image }}"
@@ -24,7 +29,37 @@ spec:
             - /bin/sh
             - -c
             - kubectl delete leases --all --ignore-not-found -n {{ .Release.Namespace }}
+          {{- if .Values.leasescleanup.resources }}
+          resources:
+            {{- if .Values.leasescleanup.resources.limits }}
+            limits:
+              {{- if .Values.leasescleanup.resources.limits.cpu }}
+              cpu: {{ .Values.leasescleanup.resources.limits.cpu }}
+              {{- end }}
+              {{- if .Values.leasescleanup.resources.limits.memory }}
+              memory: {{ .Values.leasescleanup.resources.limits.memory }}
+              {{- end }}
+            {{- end }}
+            {{- if .Values.leasescleanup.resources.requests }}
+            requests:
+              {{- if .Values.leasescleanup.resources.requests.cpu }}
+              cpu: {{ .Values.leasescleanup.resources.requests.cpu }}
+              {{- end }}
+              {{- if .Values.leasescleanup.resources.requests.memory }}
+              memory: {{ .Values.leasescleanup.resources.requests.memory }}
+              {{- end }}
+            {{- end }}
+          {{- end }}
+          {{- if .Values.leasescleanup.podSecurityContext.enabled }}
+          securityContext:
+            {{- with .Values.leasescleanup.podSecurityContext }}
+            {{- omit . "enabled" | toYaml | nindent 12 }}
+            {{- end }}
+          {{- end }}
       restartPolicy: OnFailure
+      {{- if .Values.leasescleanup.priorityClass }}
+      priorityClassName: {{ .Values.leasescleanup.priorityClass }}
+      {{- end }} 
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

charts/policy-controller/templates/webhook/deployment_webhook.yaml

@@ -31,6 +31,14 @@ spec:
       tolerations:
         {{- toYaml .Values.commonTolerations | nindent 8 }}
       serviceAccountName: {{ include "webhook.serviceAccountName" . }}
+      {{- if .Values.webhook.automountServiceAccountToken }}
+      automountServiceAccountToken: true
+      {{- else }}
+      automountServiceAccountToken: false
+      {{- end }}
+      {{- if .Values.webhook.priorityClass }}
+      priorityClassName: {{ .Values.webhook.priorityClass }}
+      {{- end }}
       # To avoid node becoming SPOF, spread our replicas to different nodes.
       affinity:
       {{- if .Values.webhook.affinity }}
@@ -73,6 +81,17 @@ spec:
         - name: "{{ $key }}"
           value: "{{ $value }}"
 {{- end }}
+{{- end }}
+{{- if .Values.webhook.envFrom }}
+        envFrom:
+{{- range $configMapName := .Values.webhook.envFrom.configmaps }}
+        - configMapRef:
+          name: "{{ $configMapName }}"
+{{- end }}
+{{- range $secretName := .Values.webhook.envFrom.secrets }}
+        - secretRef:
+          name: "{{ $secretName }}"
+{{- end }}
 {{- end }}
         {{- if or (semverCompare ">= 1.8-0" .Chart.AppVersion) .Values.webhook.extraArgs }}
         args:

charts/policy-controller/values.schema.json

@@ -69,6 +69,12 @@
     },
     "leasescleanup": {
       "properties": {
+        "automountServiceAccountToken": {
+          "default": true,
+          "required": [],
+          "title": "automountServiceAccountToken",
+          "type": "boolean"
+        },
         "image": {
           "properties": {
             "pullPolicy": {
@@ -93,6 +99,70 @@
           "required": [],
           "title": "image",
           "type": "object"
+        },
+        "podSecurityContext": {
+          "properties": {
+            "enabled": {
+              "default": false,
+              "required": [],
+              "title": "enabled",
+              "type": "boolean"
+            }
+          },
+          "required": [],
+          "title": "podSecurityContext",
+          "type": "object"
+        },
+        "priorityClass": {
+          "default": "",
+          "required": [],
+          "title": "priorityClass",
+          "type": "string"
+        },
+        "resources": {
+          "properties": {
+            "limits": {
+              "properties": {
+                "cpu": {
+                  "default": "",
+                  "required": [],
+                  "title": "cpu",
+                  "type": "string"
+                },
+                "memory": {
+                  "default": "",
+                  "required": [],
+                  "title": "memory",
+                  "type": "string"
+                }
+              },
+              "required": [],
+              "title": "limits",
+              "type": "object"
+            },
+            "requests": {
+              "properties": {
+                "cpu": {
+                  "default": "",
+                  "required": [],
+                  "title": "cpu",
+                  "type": "string"
+                },
+                "memory": {
+                  "default": "",
+                  "required": [],
+                  "title": "memory",
+                  "type": "string"
+                }
+              },
+              "required": [],
+              "title": "requests",
+              "type": "object"
+            }
+          },
+          "required": [],
+          "title": "resources",
+          "type": "object"
         }
       },
       "required": [],
@@ -127,6 +197,12 @@
           "title": "affinity",
           "type": "object"
         },
+        "automountServiceAccountToken": {
+          "default": true,
+          "required": [],
+          "title": "automountServiceAccountToken",
+          "type": "boolean"
+        },
         "configData": {
           "required": [],
           "title": "configData",
@@ -142,7 +218,13 @@
           "title": "env",
           "type": "object"
         },
+        "envFrom": {
+          "required": [],
+          "title": "envFrom",
+          "type": "object"
+        },
         "extraArgs": {
+          "description": "configmaps:\n  - mycm1\n  - mycm2\nsecrets:\n  - mys1\n  - mys2",
           "required": [],
           "title": "extraArgs",
           "type": "object"
@@ -310,6 +392,13 @@
           "title": "podSecurityContext",
           "type": "object"
         },
+        "priorityClass": {
+          "default": "",
+          "description": "defaulting: 10\nvalidating: 10",
+          "required": [],
+          "title": "priorityClass",
+          "type": "string"
+        },
         "registryCaBundle": {
           "required": [],
           "title": "registryCaBundle",

charts/policy-controller/values.yaml

@@ -23,6 +23,13 @@ webhook:
     version: sha256:6b51f336dec9e9adff29606855dbd2c7910c5eb80d6579795a29cb3844428efc
     pullPolicy: IfNotPresent
   env: {}
+  envFrom: {}
+    # configmaps:
+    #   - mycm1
+    #   - mycm2
+    # secrets:
+    #   - mys1
+    #   - mys2
   extraArgs: {}
   resources:
     limits:
@@ -76,12 +83,31 @@ webhook:
   webhookTimeoutSeconds: {}
     # defaulting: 10
     # validating: 10
+  priorityClass: ""
+  automountServiceAccountToken: true
 
 leasescleanup:
+  priorityClass: ""
   image:
     repository: cgr.dev/chainguard/kubectl
     version: latest-dev
     pullPolicy: IfNotPresent
+  resources:
+    limits:
+      cpu: ""
+      memory: ""
+    requests:
+      cpu: ""
+      memory: ""
+  podSecurityContext:
+    enabled: false
+    # allowPrivilegeEscalation: false
+    # readOnlyRootFilesystem: true
+    # runAsUser: 1000
+    # capabilities:
+    #   drop:
+    #     - ALL
+  automountServiceAccountToken: true
 
 ## common node selector for all the pods
 commonNodeSelector: {}