From 388a7ee0ca9075775db11169b9c22d3b13264265 Mon Sep 17 00:00:00 2001 
From: Eron Wright Date: Fri, 27 Sep 2024 10:50:56 -0700 Subject: [PATCH] Helm chart update (#695) ### Proposed changes Updates the Helm chart to install PKOv2, as similarly as possible to `operator/config/default`. Details: - adds an aggregation role (view/edit) for the Pulumi API groups - tweaks the controller's resources such that limits equals resources to have "guaranteed" qos - exposes the metrics port and the fileserver port - supports two rbac modes for the controller - ClusterRole and Role To install: ``` helm upgrade --install pulumi-kubernetes-operator ./deploy/helm/pulumi-operator ``` ### Related issues (optional) Closes #684 --- deploy/helm/pulumi-operator/Chart.yaml | 4 +- .../templates/clusterrole.yaml | 196 +++++++++++++++++- .../templates/clusterrolebinding.yaml | 13 +- .../pulumi-operator/templates/deployment.yaml | 75 +++---- .../templates/edit_clusterrole.yaml | 22 ++ .../templates/leader_election_role.yaml | 38 ++++ .../leader_election_role_binding.yaml | 14 ++ .../helm/pulumi-operator/templates/role.yaml | 146 ++++++++++--- .../templates/rolebinding.yaml | 6 +- .../pulumi-operator/templates/service.yaml | 27 ++- .../{sa.yaml => service_account.yaml} | 0 .../templates/servicemonitor.yaml | 3 +- .../templates/view_clusterrole.yaml | 21 ++ deploy/helm/pulumi-operator/values.yaml | 86 ++++---- operator/config/manager/manager.yaml | 32 ++- operator/examples/random-yaml/program.yaml | 15 ++ .../controller/pulumi/program_controller.go | 2 +- 17 files changed, 546 insertions(+), 154 deletions(-) create mode 100644 deploy/helm/pulumi-operator/templates/edit_clusterrole.yaml create mode 100644 deploy/helm/pulumi-operator/templates/leader_election_role.yaml create mode 100644 deploy/helm/pulumi-operator/templates/leader_election_role_binding.yaml rename deploy/helm/pulumi-operator/templates/{sa.yaml => service_account.yaml} (100%) create mode 100644 deploy/helm/pulumi-operator/templates/view_clusterrole.yaml create mode 100644 
operator/examples/random-yaml/program.yaml
diff --git a/deploy/helm/pulumi-operator/Chart.yaml b/deploy/helm/pulumi-operator/Chart.yaml
index df722101..d7d97547 100755
--- a/deploy/helm/pulumi-operator/Chart.yaml
+++ b/deploy/helm/pulumi-operator/Chart.yaml
@@ -9,8 +9,8 @@ icon: https://www.pulumi.com/logos/brand/avatar-on-white.svg
 type: application
-version: 0.9.0
-appVersion: 1.14.0
+version: 2.0.0
+appVersion: "v2.0-devel"
 keywords:
 - pulumi
diff --git a/deploy/helm/pulumi-operator/templates/clusterrole.yaml b/deploy/helm/pulumi-operator/templates/clusterrole.yaml
index bf49c800..46b46840 100644
--- a/deploy/helm/pulumi-operator/templates/clusterrole.yaml
+++ b/deploy/helm/pulumi-operator/templates/clusterrole.yaml
@@ -1,19 +1,193 @@ -{{- if .Values.createClusterRole }} +{{- if and .Values.rbac.create .Values.rbac.createClusterRole }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: {{ include "pulumi-kubernetes-operator.fullname" . }} + name: {{ include "pulumi-kubernetes-operator.fullname" . }}-controller-manager labels: {{- include "pulumi-kubernetes-operator.labels" . | nindent 4 }} rules: - {{- if .Values.clusterRoleRules.enabled }} - {{- toYaml .Values.clusterRoleRules.rules | nindent 2 }} - {{- else }} - - apiGroups: - - '*' - resources: - - '*' - verbs: - - '*' + {{- if .Values.rbac.extraRules }} + {{- toYaml .Values.rbac.extraRules | nindent 2 }} {{- end }} +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - update +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - get + - list + - watch +- apiGroups: + - apps + resources: + - statefulsets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - auto.pulumi.com + resources: + - updates + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - auto.pulumi.com + resources: + - updates/finalizers + verbs: + - update +- apiGroups: + - auto.pulumi.com + resources: + - updates/status + verbs: + - get + - patch + - update +- apiGroups: + - auto.pulumi.com + resources: + - workspaces + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - auto.pulumi.com + resources: + - workspaces/finalizers + verbs: + - update +- apiGroups: + - auto.pulumi.com + resources: + - workspaces/status + verbs: + - get + - patch + - update +- apiGroups: + - "" + resources: + - pods + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - pulumi.com + resources: + - programs + verbs: + - create 
+ - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - pulumi.com + resources: + - programs/finalizers + verbs: + - update +- apiGroups: + - pulumi.com + resources: + - programs/status + verbs: + - get + - patch + - update +- apiGroups: + - pulumi.com + resources: + - stacks + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - pulumi.com + resources: + - stacks/finalizers + verbs: + - update +- apiGroups: + - pulumi.com + resources: + - stacks/status + verbs: + - get + - patch + - update +- apiGroups: + - source.toolkit.fluxcd.io + resources: + - buckets + verbs: + - get + - list + - watch +- apiGroups: + - source.toolkit.fluxcd.io + resources: + - gitrepositories + verbs: + - get + - list + - watch +- apiGroups: + - source.toolkit.fluxcd.io + resources: + - ocirepositories + verbs: + - get + - list + - watch {{- end }} diff --git a/deploy/helm/pulumi-operator/templates/clusterrolebinding.yaml b/deploy/helm/pulumi-operator/templates/clusterrolebinding.yaml index 9764fc37..a47e2bd3 100644 --- a/deploy/helm/pulumi-operator/templates/clusterrolebinding.yaml +++ b/deploy/helm/pulumi-operator/templates/clusterrolebinding.yaml 
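Review bot: When `rbac.extraRules` is non-empty, `toYaml .Values.rbac.extraRules | nindent 2` renders its entries two spaces deep while the static rules that follow appear to start at column 0 (`+- apiGroups:` in this hunk), so the `rules:` sequence changes indentation mid-list and the rendered ClusterRole is not valid YAML; the first role.yaml hunk uses the same construct and has the same problem. Render the extra rules at the level the static rules use, `{{- toYaml .Values.rbac.extraRules | nindent 0 }}`, in both templates, or indent the static entries to match. A `helm template` run with one extra rule set would catch this in CI.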
@@ -1,17 +1,16 @@ -{{- if .Values.createClusterRole }} +{{- if and .Values.rbac.create .Values.rbac.createClusterRole }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: {{ include "pulumi-kubernetes-operator.fullname" . }} - namespace: {{ .Release.Namespace | quote }} labels: - {{- include "pulumi-kubernetes-operator.labels" . | nindent 4 }} + {{- include "pulumi-kubernetes-operator.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "pulumi-kubernetes-operator.fullname" . }}-controller-manager subjects: - kind: ServiceAccount name: {{ include "pulumi-kubernetes-operator.serviceAccountName" . }} namespace: {{ .Release.Namespace | quote }} -roleRef: - kind: ClusterRole - name: {{ include "pulumi-kubernetes-operator.fullname" . }} - apiGroup: rbac.authorization.k8s.io {{- end }} diff --git a/deploy/helm/pulumi-operator/templates/deployment.yaml b/deploy/helm/pulumi-operator/templates/deployment.yaml index 4a9bd9f4..e01e5be7 100644 --- a/deploy/helm/pulumi-operator/templates/deployment.yaml +++ b/deploy/helm/pulumi-operator/templates/deployment.yaml 
@@ -5,28 +5,24 @@ metadata: annotations: {{- toYaml . | nindent 4 }} {{- end }} - name: {{ include "pulumi-kubernetes-operator.fullname" . }} + name: {{ include "pulumi-kubernetes-operator.fullname" . }}-controller-manager labels: {{- include "pulumi-kubernetes-operator.labels" . | nindent 4 }} spec: replicas: {{ .Values.replicaCount }} strategy: - type: {{ .Values.deploymentStrategy }} + type: {{ default "RollingUpdate" .Values.deploymentStrategy }} selector: matchLabels: {{- include "pulumi-kubernetes-operator.selectorLabels" . | nindent 6 }} - app: {{ template "pulumi-kubernetes-operator.name" . }} - release: {{ .Release.Name }} template: metadata: - {{- with .Values.podAnnotations }} annotations: + kubectl.kubernetes.io/default-container: manager + {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} labels: - name: {{ template "pulumi-kubernetes-operator.name" . }} - app: {{ template "pulumi-kubernetes-operator.name" . }} - release: {{ .Release.Name }} {{- include "pulumi-kubernetes-operator.selectorLabels" . | nindent 8 }} {{- if .Values.podLabels }} {{ toYaml .Values.podLabels | indent 8 }} 
@@ -36,35 +32,36 @@ spec: {{- if .Values.extraSidecars }} {{- toYaml .Values.extraSidecars | nindent 8 }} {{- end}} - - args: - {{- with .Values.controller.args }} - {{- toYaml . | nindent 10 }} - {{- end }} + - name: manager + command: + - /manager + args: + - --leader-elect + - --health-probe-bind-address=:8081 + - --metrics-bind-address=:8383 + - --program-fs-adv-addr=pulumi-kubernetes-operator.$(POD_NAMESPACE).svc.cluster.local + - --zap-log-level={{ .Values.controller.logLevel }} + - --zap-time-encoding=iso8601 env: {{- if .Values.extraEnv }} {{- toYaml .Values.extraEnv | nindent 8 }} {{- end }} - - name: WATCH_NAMESPACE + - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: OPERATOR_NAME - value: {{ include "pulumi-kubernetes-operator.name" . }} - - name: GRACEFUL_SHUTDOWN_TIMEOUT_DURATION - value: {{ .Values.controller.gracefulShutdownTimeoutDuration }} - - name: MAX_CONCURRENT_RECONCILES - value: {{ .Values.controller.maxConcurrentReconciles | quote }} - - name: PULUMI_INFER_NAMESPACE - value: {{ .Values.controller.pulumiInferNamespace | quote }} - - name: KUBERNETES_CLUSTER_DOMAIN - value: {{ .Values.controller.kubernetesClusterDomain }} - image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:v{{ .Values.image.tag | default .Chart.AppVersion }}" + ports: + - containerPort: 8383 + name: http-metrics + protocol: TCP + - containerPort: 9090 + name: http-fileserver + protocol: TCP + {{- if .Values.extraPorts }} + {{- toYaml .Values.extraPorts | nindent 8 }} + {{- end }} + image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} - name: {{ .Chart.Name }} {{- if .Values.securityContext }} securityContext: {{- toYaml .Values.securityContext | nindent 12 }} 
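Review bot: `--program-fs-adv-addr` hard-codes the host `pulumi-kubernetes-operator`, but the Service rendered by the service.yaml hunk is named `{{ include "pulumi-kubernetes-operator.fullname" . }}`, so a release whose fullname differs (another release name, or `nameOverride` from values.yaml) advertises a DNS name that does not exist and workspace pods cannot reach the Program file server. Build the flag from the same helper: `- --program-fs-adv-addr={{ include "pulumi-kubernetes-operator.fullname" . }}.$(POD_NAMESPACE).svc.cluster.local`. The cluster domain is likewise fixed to `cluster.local` while the values.yaml hunk removes `controller.kubernetesClusterDomain`, so clusters with a custom domain lose a knob they had before; a defaulted value would keep them working. The container definition continues outside the hunk.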
@@ -73,12 +70,22 @@ spec: resources: {{- toYaml .Values.resources | nindent 12 }} {{- end }} - volumeMounts: {{- with .Values.extraVolumeMounts }} + volumeMounts: {{- toYaml . | nindent 8 }} {{- end }} - - mountPath: /tmp - name: tmp-dir + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} @@ -109,9 +116,7 @@ spec: {{- toYaml . | nindent 6 }} {{- end }} {{- end }} - volumes: {{- with .Values.extraVolumes }} + volumes: {{- toYaml . | nindent 6 }} {{- end }} - - emptyDir: {} - name: tmp-dir diff --git a/deploy/helm/pulumi-operator/templates/edit_clusterrole.yaml b/deploy/helm/pulumi-operator/templates/edit_clusterrole.yaml new file mode 100644 index 00000000..1df05183 --- /dev/null +++ b/deploy/helm/pulumi-operator/templates/edit_clusterrole.yaml @@ -0,0 +1,22 @@ +{{- if and .Values.rbac.create .Values.rbac.createClusterAggregationRoles }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "pulumi-kubernetes-operator.fullname" . }}-edit + labels: + {{- include "pulumi-kubernetes-operator.labels" . | nindent 4 }} + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: +- apiGroups: + - pulumi.com + - auto.pulumi.com + resources: + - '*' + verbs: + - create + - delete + - deletecollection + - patch + - update +{{- end }} diff --git a/deploy/helm/pulumi-operator/templates/leader_election_role.yaml b/deploy/helm/pulumi-operator/templates/leader_election_role.yaml new file mode 100644 index 00000000..eccdadd0 --- /dev/null +++ b/deploy/helm/pulumi-operator/templates/leader_election_role.yaml 
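Review bot: The aggregated edit role grants `create`, `delete`, `deletecollection`, `patch` and `update` on `'*'` resources in `pulumi.com` and `auto.pulumi.com`, and an RBAC resource wildcard also matches subresources, so any subject holding the built-in `edit` or `admin` role can rewrite `stacks/status`, `updates/status` and the `*/finalizers` subresources that the clusterrole.yaml hunk otherwise reserves for the controller. The built-in edit role does not extend to status subresources; list the top-level resources explicitly (`programs`, `stacks`, `workspaces`, `updates`) instead of `'*'` so status and finalizers stay controller-owned. view_clusterrole.yaml uses the same wildcard, where read-only access to status is harmless.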
@@ -0,0 +1,38 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "pulumi-kubernetes-operator.fullname" . }}-leader-election-role + labels: + {{- include "pulumi-kubernetes-operator.labels" . | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch \ No newline at end of file diff --git a/deploy/helm/pulumi-operator/templates/leader_election_role_binding.yaml b/deploy/helm/pulumi-operator/templates/leader_election_role_binding.yaml new file mode 100644 index 00000000..3e4beeac --- /dev/null +++ b/deploy/helm/pulumi-operator/templates/leader_election_role_binding.yaml @@ -0,0 +1,14 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "pulumi-kubernetes-operator.fullname" . }}-leader-election-rolebinding + labels: + {{- include "pulumi-kubernetes-operator.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "pulumi-kubernetes-operator.fullname" . }}-leader-election-role +subjects: +- kind: ServiceAccount + name: {{ include "pulumi-kubernetes-operator.serviceAccountName" . }} + namespace: {{ .Release.Namespace | quote }} \ No newline at end of file diff --git a/deploy/helm/pulumi-operator/templates/role.yaml b/deploy/helm/pulumi-operator/templates/role.yaml index 1b01afc6..828f9efc 100644 --- a/deploy/helm/pulumi-operator/templates/role.yaml +++ b/deploy/helm/pulumi-operator/templates/role.yaml 
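Review bot: Neither leader_election_role.yaml nor leader_election_role_binding.yaml is gated by `.Values.rbac.create`, unlike every other RBAC template in this change, so a user who sets `rbac.create: false` to manage RBAC themselves still gets a Role and RoleBinding from the chart. Wrap both templates in `{{- if .Values.rbac.create }}` … `{{- end }}` to match clusterrole.yaml and role.yaml. The Role also grants full CRUD on `configmaps` in the release namespace; if the manager only uses the `leases` resource lock, that rule can be dropped to keep the grant minimal.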
@@ -1,23 +1,37 @@ +{{- if and .Values.rbac.create .Values.rbac.createRole }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: {{ include "pulumi-kubernetes-operator.fullname" . }} + name: {{ include "pulumi-kubernetes-operator.fullname" . }}-controller-manager labels: {{- include "pulumi-kubernetes-operator.labels" . | nindent 4 }} rules: + {{- if .Values.rbac.extraRules }} + {{- toYaml .Values.rbac.extraRules | nindent 2 }} + {{- end }} - apiGroups: - "" resources: - - pods - - services - - services/finalizers - - endpoints - - persistentvolumeclaims - events - - configmaps + verbs: + - create + - patch + - update +- apiGroups: + - "" + resources: - secrets verbs: - create + - get + - list + - watch +- apiGroups: + - apps + resources: + - statefulsets + verbs: + - create - delete - get - list @@ -25,12 +39,9 @@ rules: - update - watch - apiGroups: - - apps + - auto.pulumi.com resources: - - deployments - - daemonsets - - replicasets - - statefulsets + - updates verbs: - create - delete 
@@ -40,37 +51,73 @@ rules: - update - watch - apiGroups: - - monitoring.coreos.com + - auto.pulumi.com + resources: + - updates/finalizers + verbs: + - update +- apiGroups: + - auto.pulumi.com resources: - - servicemonitors + - updates/status verbs: - get + - patch + - update +- apiGroups: + - auto.pulumi.com + resources: + - workspaces + verbs: - create + - delete + - get + - list + - patch + - update + - watch - apiGroups: - - apps - resourceNames: - - pulumi-kubernetes-operator + - auto.pulumi.com resources: - - deployments/finalizers + - workspaces/finalizers verbs: - update +- apiGroups: + - auto.pulumi.com + resources: + - workspaces/status + verbs: + - get + - patch + - update - apiGroups: - "" resources: - pods verbs: + - create + - delete - get + - list + - patch + - update + - watch - apiGroups: - - apps + - "" resources: - - replicasets - - deployments + - services verbs: + - create + - delete - get + - list + - patch + - update + - watch - apiGroups: - pulumi.com resources: - - '*' + - programs verbs: - create - delete @@ -80,20 +127,67 @@ rules: - update - watch - apiGroups: - - coordination.k8s.io + - pulumi.com + resources: + - programs/finalizers + verbs: + - update +- apiGroups: + - pulumi.com resources: - - leases + - programs/status + verbs: + - get + - patch + - update +- apiGroups: + - pulumi.com + resources: + - stacks verbs: - create + - delete - get - list + - patch - update + - watch +- apiGroups: + - pulumi.com + resources: + - stacks/finalizers + verbs: + - update +- apiGroups: + - pulumi.com + resources: + - stacks/status + verbs: + - get + - patch + - update +- apiGroups: + - source.toolkit.fluxcd.io + resources: + - buckets + verbs: + - get + - list + - watch +- apiGroups: + - source.toolkit.fluxcd.io + resources: + - gitrepositories + verbs: + - get + - list + - watch - apiGroups: - source.toolkit.fluxcd.io resources: - - '*' + - ocirepositories verbs: - get - list - watch - +{{- end }} 
diff --git a/deploy/helm/pulumi-operator/templates/rolebinding.yaml b/deploy/helm/pulumi-operator/templates/rolebinding.yaml index 71f584ed..ccc61d4e 100644 --- a/deploy/helm/pulumi-operator/templates/rolebinding.yaml +++ b/deploy/helm/pulumi-operator/templates/rolebinding.yaml @@ -1,3 +1,4 @@ +{{- if and .Values.rbac.create .Values.rbac.createRole }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -7,8 +8,9 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: {{ include "pulumi-kubernetes-operator.fullname" . }} + name: {{ include "pulumi-kubernetes-operator.fullname" . }}-controller-manager subjects: - kind: ServiceAccount name: {{ include "pulumi-kubernetes-operator.serviceAccountName" . }} - namespace: '{{ .Release.Namespace }}' + namespace: {{ .Release.Namespace | quote }} +{{ end }} \ No newline at end of file diff --git a/deploy/helm/pulumi-operator/templates/service.yaml b/deploy/helm/pulumi-operator/templates/service.yaml index 06c92e08..ca43e91d 100644 --- a/deploy/helm/pulumi-operator/templates/service.yaml +++ b/deploy/helm/pulumi-operator/templates/service.yaml 
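Review bot: The closing `{{ end }}` in rolebinding.yaml is the only closing action in these templates written without the whitespace-trimming dash, and the file has no trailing newline, so the rendered RoleBinding ends with a stray blank line. Use `{{- end }}` as clusterrole.yaml and role.yaml do.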
@@ -1,24 +1,23 @@ -{{- if $.Values.serviceMonitor.enabled }} apiVersion: v1 kind: Service metadata: - name: {{ print (include "pulumi-kubernetes-operator.fullname" .) "-metrics" }} + name: {{ include "pulumi-kubernetes-operator.fullname" . }} labels: - app: {{ template "pulumi-kubernetes-operator.name" . }} + {{- include "pulumi-kubernetes-operator.labels" . | nindent 4 }} + {{- with .Values.serviceAnnotations }} annotations: -{{ toYaml .Values.serviceMonitor.service.annotations | indent 4 }} + {{- toYaml . | nindent 4 }} + {{- end }} spec: - type: {{ .Values.serviceMonitor.service.type }} + type: ClusterIP ports: - - port: 8383 - targetPort: metrics + - name: http-fileserver + port: 80 protocol: TCP - name: http-metrics - - port: 8686 - targetPort: http + targetPort: http-fileserver + - name: http-metrics + port: 8383 + targetPort: http-metrics protocol: TCP - name: cr-metrics selector: - app: {{ template "pulumi-kubernetes-operator.name" . }} - release: {{ .Release.Name }} - {{- end }} + {{- include "pulumi-kubernetes-operator.selectorLabels" . | nindent 4 }} diff --git a/deploy/helm/pulumi-operator/templates/sa.yaml b/deploy/helm/pulumi-operator/templates/service_account.yaml similarity index 100% rename from deploy/helm/pulumi-operator/templates/sa.yaml rename to deploy/helm/pulumi-operator/templates/service_account.yaml diff --git a/deploy/helm/pulumi-operator/templates/servicemonitor.yaml b/deploy/helm/pulumi-operator/templates/servicemonitor.yaml index 6d8b9858..591176ae 100644 --- a/deploy/helm/pulumi-operator/templates/servicemonitor.yaml +++ b/deploy/helm/pulumi-operator/templates/servicemonitor.yaml @@ -33,8 +33,7 @@ spec: - {{ .Release.Namespace }} selector: matchLabels: - app: {{ template "pulumi-kubernetes-operator.name" . }} - release: {{ .Release.Name }} +{{- include "pulumi-kubernetes-operator.selectorLabels" . | nindent 6 }} {{- if .Values.serviceMonitor.targetLabels }} targetLabels: {{- range .Values.serviceMonitor.targetLabels }} 
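Review bot: The Service is now rendered unconditionally and publishes both the Program file server (port 80) and the metrics endpoint (port 8383) to every pod in the cluster, whereas the old template only existed when `serviceMonitor.enabled` was true. If the metrics handler is served over plain HTTP without authentication (not visible here), any workload with in-cluster network access can scrape controller internals; consider keeping the `http-metrics` port behind `serviceMonitor.enabled`, or document in values.yaml that it should be restricted, e.g. `# -- The metrics port is exposed on the Service; restrict it with a NetworkPolicy if needed`. The file-server port must stay, since the manager.yaml hunk notes that workspace pods fetch Program objects through it.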
diff --git a/deploy/helm/pulumi-operator/templates/view_clusterrole.yaml b/deploy/helm/pulumi-operator/templates/view_clusterrole.yaml new file mode 100644 index 00000000..859330f0 --- /dev/null +++ b/deploy/helm/pulumi-operator/templates/view_clusterrole.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.rbac.create .Values.rbac.createClusterAggregationRoles }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "pulumi-kubernetes-operator.fullname" . }}-view + labels: + {{- include "pulumi-kubernetes-operator.labels" . | nindent 4 }} + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-view: "true" +rules: +- apiGroups: + - pulumi.com + - auto.pulumi.com + resources: + - '*' + verbs: + - get + - list + - watch +{{- end }} diff --git a/deploy/helm/pulumi-operator/values.yaml b/deploy/helm/pulumi-operator/values.yaml index 42ad80d1..298de84c 100644 --- a/deploy/helm/pulumi-operator/values.yaml +++ b/deploy/helm/pulumi-operator/values.yaml 
@@ -17,36 +17,28 @@ image: # -- The image tag to pull, default: `Chart.appVersion` tag: "" +# -- The image pull secrets +imagePullSecrets: "" + controller: - # -- Graceful shutdown timeout duration, default: `5m` - gracefulShutdownTimeoutDuration: 5m - # -- Max concurrent reconciles, default: `10` - maxConcurrentReconciles: "10" - # -- Pulumi infer namespace, default: `1` - pulumiInferNamespace: "1" - # -- Kubernetes Cluster Domain, default: `cluster.local` - kubernetesClusterDomain: cluster.local - - # -- List of arguments to pass to the operator - args: - - --zap-level=error - - --zap-time-encoding=iso8601 + # -- Log Level ('debug', 'info', 'error', or any integer value > 0 which corresponds to custom debug levels of increasing verbosity) + logLevel: error # -- Extra Environments to be passed to the operator extraEnv: [] -# -- Create a ClusterRole resource for the node-red pod. default: false -createClusterRole: false - -## -- Enable this and set the rules: to whatever custom rules you want for the Cluster Role resource. -clusterRoleRules: - # -- Enable custom rules for the application controller's ClusterRole resource default: false - enabled: false - # -- List of custom rules for the application controller's ClusterRole resource default: [] - rules: [] - -# -- The image pull secrets -imagePullSecrets: "" +# RBAC settings +rbac: + # -- Specifies whether RBAC resources should be created + create: true + # -- Specifies whether cluster roles and bindings should be created + createClusterRole: true + # -- Specifies whether namespaced roles and bindings should be created + createRole: false + # -- Specifies whether aggregation roles should be created to extend the built-in view and edit roles + createClusterAggregationRoles: true + # -- Specifies extra rules for the manager role, e.g. for a 3rd party Flux source + extraRules: [] # -- Provide a name in place of pulumi-kubernetes-operator nameOverride: "" 
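Review bot: The new `rbac` comments do not say what each mode grants: with the default `createClusterRole: true` the controller can get, list and watch Secrets and create or delete Pods in every namespace (clusterrole.yaml hunk), while `createRole: true` confines the same verbs to the release namespace, and `extraRules` is injected into both roles. Nothing stops both flags being true, which binds both roles; a comment such as `# -- Choose createClusterRole for cluster-wide permissions or createRole to limit the grant to the release namespace` would make the choice explicit. `imagePullSecrets` is also declared as the string `""` while deployment.yaml feeds it to `toYaml`, so a user who follows the declared type renders an invalid field; `imagePullSecrets: []` with a `- name:` example in the comment matches what the template expects.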
@@ -71,30 +63,28 @@ podAnnotations: {} # -- Deployment annotations deploymentAnnotations: {} +# -- Service annotations +serviceAnnotations: {} + # -- Pod Security Context see [values.yaml](values.yaml) podSecurityContext: - # -- pulumi-kubernetes-operator group is 1000 - fsGroup: 1000 - # -- pulumi-kubernetes-operator user is 1000 - runAsUser: 1000 + runAsNonRoot: true + # -- pulumi-kubernetes-operator user is 65532 + runAsUser: 65532 + # -- pulumi-kubernetes-operator group is 65532 + runAsGroup: 65532 + # fsGroup: 65532 # -- Security Context see [values.yaml](values.yaml) securityContext: - privileged: false - runAsNonRoot: true allowPrivilegeEscalation: false # readOnlyRootFilesystem: true - runAsGroup: 10003 - # runAsUser: 10003 - seccompProfile: - type: RuntimeDefault + # seccompProfile: + # type: RuntimeDefault capabilities: drop: - ALL -# -- containers which are run before the app containers are started -initContainers: [] - # -- CPU/Memory resource requests/limits resources: # We usually recommend not to specify default resources and to leave this as a conscious @@ -102,10 +92,10 @@ resources: # resources, such as Minikube. If you do want to specify resources, uncomment the following # lines, adjust them as necessary, and remove the curly braces after 'resources:'. limits: - cpu: 500m - memory: 5123Mi + cpu: 200m + memory: 128Mi requests: - cpu: 100m + cpu: 200m memory: 128Mi # -- Node selector 
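Review bot: `seccompProfile: type: RuntimeDefault` was active in the container `securityContext` and this hunk comments it out, so the pod no longer meets the Pod Security Standards `restricted` profile, which requires a RuntimeDefault or Localhost seccomp profile; dropping `privileged: false` is harmless, but the seccomp loss is a hardening regression. Restore the two lines `seccompProfile:` / `  type: RuntimeDefault` under `securityContext`, or place them in `podSecurityContext` next to the new `runAsNonRoot: true`. `readOnlyRootFilesystem: true` stays commented out; with the `/tmp` emptyDir removed in the deployment.yaml hunk, enabling it later will need a writable volume if the manager writes to disk.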
@@ -131,10 +121,18 @@ extraVolumeMounts: # - name: test # mountPath: /test +extraPorts: +# - containerPort: 9091 +# name: http-extra +# protocol: TCP + # -- Labels to add to the pulumi-kubernetes-operator pod. default: {} podLabels: {} -# -- You can configure extra sidecars containers to run alongside the pulumi-kubernetes-operator pod. default: [] +# -- You can configure extra init containers to run within the pulumi-kubernetes-operator pod. default: [] +initContainers: [] + +# -- You can configure extra sidecar containers to run within the pulumi-kubernetes-operator pod. default: [] extraSidecars: [] # - name: sidecar-example # image: busybox @@ -143,11 +141,9 @@ extraSidecars: [] serviceMonitor: # -- When set true then use a ServiceMonitor to configure scraping enabled: false - # Set the namespace the ServiceMonitor should be deployed - # namespace: monitoring # Set how frequently Prometheus should scrape # interval: 30s - # Set path to minecraft-exporter telemtery-path + # Set telemetry path # telemetryPath: /metrics # Set labels for the ServiceMonitor, use this to define your scrape label for Prometheus Operator # labels: diff --git a/operator/config/manager/manager.yaml b/operator/config/manager/manager.yaml index 70b144f3..02a416c1 100644 --- a/operator/config/manager/manager.yaml +++ b/operator/config/manager/manager.yaml 
@@ -28,22 +28,32 @@ spec: labels: control-plane: controller-manager spec: + securityContext: + runAsNonRoot: true + runAsUser: 65532 + runAsGroup: 65532 containers: - command: - /manager env: - - name: RUNTIME_NAMESPACE + - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace args: - --leader-elect - --health-probe-bind-address=:8081 - - --program-fs-adv-addr=pulumi-kubernetes-operator.$(RUNTIME_NAMESPACE).svc.cluster.local + - --metrics-bind-address=:8383 + - --program-fs-adv-addr=pulumi-kubernetes-operator.$(POD_NAMESPACE).svc.cluster.local + - --zap-log-level=error + - --zap-time-encoding=iso8601 ports: - - containerPort: 9090 - name: http-fileserver - protocol: TCP + - containerPort: 8383 + name: http-metrics + protocol: TCP + - containerPort: 9090 + name: http-fileserver + protocol: TCP image: controller:latest imagePullPolicy: IfNotPresent name: manager @@ -66,13 +76,13 @@ spec: periodSeconds: 10 resources: limits: - cpu: 500m + cpu: 200m memory: 128Mi requests: - cpu: 10m - memory: 64Mi + cpu: 200m + memory: 128Mi serviceAccountName: controller-manager - terminationGracePeriodSeconds: 60 + terminationGracePeriodSeconds: 600 --- # Service is required to expose the file server for workspace pods to fetch Program objects. apiVersion: v1 @@ -90,3 +100,7 @@ spec: port: 80 protocol: TCP targetPort: http-fileserver + - name: http-metrics + port: 8383 + targetPort: http-metrics + protocol: TCP \ No newline at end of file diff --git a/operator/examples/random-yaml/program.yaml b/operator/examples/random-yaml/program.yaml new file mode 100644 index 00000000..ba4cf4bb --- /dev/null +++ b/operator/examples/random-yaml/program.yaml @@ -0,0 +1,15 @@ +apiVersion: pulumi.com/v1 +kind: Program +metadata: + name: random-yaml +program: + resources: + randomPassword: + type: random:RandomPassword + properties: + length: 16 + special: true + overrideSpecial: "_%@" + + outputs: + password: ${randomPassword.result} \ No newline at end of file 
diff --git a/operator/internal/controller/pulumi/program_controller.go b/operator/internal/controller/pulumi/program_controller.go
index 48cb9f0e..f3188cc9 100644
--- a/operator/internal/controller/pulumi/program_controller.go
+++ b/operator/internal/controller/pulumi/program_controller.go
@@ -252,7 +252,7 @@ func (r *ProgramReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ct
 // Update the status of the Program object.
 log.Info("Updating Program status")
 if err := r.Status().Update(ctx, program, client.FieldOwner(FieldManager)); err != nil {
- log.Error(err, "unable to update Program status", req.NamespacedName.MarshalLog())
+ log.Error(err, "unable to update Program status")
 return ctrl.Result{}, err
 }
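Review bot: Dropping `req.NamespacedName.MarshalLog()` removes the dangling single value from the key/value list, but the error line now carries no object identity unless `log` was derived from a context that already holds the request key, which this hunk does not show; if it was not, pass it as a pair, `log.Error(err, "unable to update Program status", "program", req.NamespacedName)`. Reconcile starts and ends outside the hunk.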