From 2f5cfc139f69364400d57f6a2ee9f6f5c384e077 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?B=E1=B4=87=CA=80=C9=B4=E1=B4=85=20S=E1=B4=84=CA=9C?= =?UTF-8?q?=E1=B4=8F=CA=80=C9=A2=E1=B4=87=CA=80s?=
Date: Thu, 27 Jul 2023 19:10:21 +0200
Subject: [PATCH] feat(k8s-ycl): Add Helm chart (#165)
---
 .ci/repo-config.yaml | 18 +----
 .github/renovate.json5 | 1 -
 .github/workflows/pr-metadata.yaml | 3 +-
 .github/workflows/pr-validate.yaml | 4 +-
 charts/apps/.gitkeep | 0
 charts/apps/k8s-ycl/.helmignore | 30 +++++++++
 charts/apps/k8s-ycl/Chart.yaml | 30 +++++++++
 charts/apps/k8s-ycl/templates/_helpers.tpl | 23 +++++++
 .../templates/admissionregistration.yaml | 39 +++++++++++
 charts/apps/k8s-ycl/templates/common.yaml | 66 ++++++++++++++++++
 charts/apps/k8s-ycl/templates/pki.yaml | 67 +++++++++++++++++++
 charts/apps/k8s-ycl/values.yaml | 10 +++
 12 files changed, 270 insertions(+), 21 deletions(-)
 delete mode 100644 charts/apps/.gitkeep
 create mode 100644 charts/apps/k8s-ycl/.helmignore
 create mode 100644 charts/apps/k8s-ycl/Chart.yaml
 create mode 100644 charts/apps/k8s-ycl/templates/_helpers.tpl
 create mode 100644 charts/apps/k8s-ycl/templates/admissionregistration.yaml
 create mode 100644 charts/apps/k8s-ycl/templates/common.yaml
 create mode 100644 charts/apps/k8s-ycl/templates/pki.yaml
 create mode 100644 charts/apps/k8s-ycl/values.yaml
diff --git a/.ci/repo-config.yaml b/.ci/repo-config.yaml
index 7dc44462..eb6cfdb5 100644
--- a/.ci/repo-config.yaml
+++ b/.ci/repo-config.yaml
@@ -1,21 +1,5 @@
 excluded-charts-lint: []
 excluded-charts-install:
- - apps/alertmanager-bot
- - apps/alertmanager-discord
- - apps/amcrest2mqtt
- - apps/facebox
- - apps/factorio
- - apps/foundryvtt
- - apps/heimdall
- - apps/multus
- - apps/pod-gateway
- - apps/promcord
- - apps/reg
- - apps/ser2sock
- - apps/satisfactory
- - apps/zalando-postgres-cluster
- - apps/zigbee2mqtt
- - apps/wireguard
- - incubator/sdtd
+ - apps/k8s-ycl
 - library/common 
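Review bot: Adding `apps/k8s-ycl` to `excluded-charts-install` means the new chart only gets lint coverage in CI, so the cert-manager Issuer/Certificate objects and the MutatingWebhookConfiguration introduced in this commit are never applied to a test cluster. Presumably the exclusion exists because the chart needs the cert-manager CRDs, which the chart-testing cluster does not provide; the list carries no explanation, so record it inline, e.g. `  - apps/k8s-ycl  # needs cert-manager CRDs, not installable by ct`. A follow-up that installs cert-manager into the test cluster before `ct install` would let the webhook wiring be exercised rather than trusted.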
diff --git a/.github/renovate.json5 b/.github/renovate.json5
index 001b9e79..7517fc83 100644
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@@ -6,5 +6,4 @@
 platform: "github",
 username: "bjw-s-bot[bot]",
 gitAuthor: "bjw-s-bot <87358111+bjw-s-bot[bot]@users.noreply.github.com>",
- repositories: ["bjw-s/helm-charts"],
 }
diff --git a/.github/workflows/pr-metadata.yaml b/.github/workflows/pr-metadata.yaml
index a426b7b9..4fc56b55 100644
--- a/.github/workflows/pr-metadata.yaml
+++ b/.github/workflows/pr-metadata.yaml
@@ -23,7 +23,7 @@ on:
 chartsToInstall:
 value: ${{ jobs.pr-changes.outputs.chartsToInstall }}
 commonLibraryUpdated:
- value: ${{ contains(fromJSON(jobs.pr-changes.outputs.addedOrModifiedCharts), 'library/common') }}
+ value: ${{ jobs.pr-changes.outputs.commonLibraryUpdated }}
 jobs:
 pr-metadata:
@@ -61,6 +61,7 @@ jobs:
 addedOrModifiedApplicationCharts: ${{ steps.changed-charts.outputs.chartsApplication }}
 chartsToLint: ${{ steps.changed-charts.outputs.chartsToLint }}
 chartsToInstall: ${{ steps.changed-charts.outputs.chartsToInstall }}
+ commonLibraryUpdated: ${{ contains(fromJSON(steps.changed-charts.outputs.charts), 'library/common') }}
 steps:
 - name: Checkout
 uses: actions/checkout@v3
diff --git a/.github/workflows/pr-validate.yaml b/.github/workflows/pr-validate.yaml
index b3c03493..9305a7e8 100644
--- a/.github/workflows/pr-validate.yaml
+++ b/.github/workflows/pr-validate.yaml
@@ -52,14 +52,14 @@ jobs:
 chartsToTest: |-
 ${{
 (
- needs.pr-metadata.outputs.commonLibraryUpdated &&
+ (needs.pr-metadata.outputs.commonLibraryUpdated=='true') &&
 '["other/app-template"]'
 ) || needs.pr-metadata.outputs.chartsToInstall
 }}
 overrideDeps: |-
 ${{
 (
- needs.pr-metadata.outputs.commonLibraryUpdated &&
+ (needs.pr-metadata.outputs.commonLibraryUpdated=='true') &&
 '[{"name": "common", "repository": "file://../../library/common", "version": "*"}]'
 ) || '[]'
 }} 
diff --git a/charts/apps/.gitkeep b/charts/apps/.gitkeep
deleted file mode 100644
index e69de29b..00000000
diff --git a/charts/apps/k8s-ycl/.helmignore b/charts/apps/k8s-ycl/.helmignore
new file mode 100644
index 00000000..ab04375e
--- /dev/null
+++ b/charts/apps/k8s-ycl/.helmignore
@@ -0,0 +1,30 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+# OWNERS file for Kubernetes
+OWNERS
+
+# helm-docs templates
+*.gotmpl
+
+# helm unit tests
+tests/
diff --git a/charts/apps/k8s-ycl/Chart.yaml b/charts/apps/k8s-ycl/Chart.yaml
new file mode 100644
index 00000000..548ebfc5
--- /dev/null
+++ b/charts/apps/k8s-ycl/Chart.yaml
@@ -0,0 +1,30 @@
+---
+apiVersion: v2
+description: Kubernetes admission controller to remove CPU limits from Pods.
+name: k8s-ycl
+version: 0.1.0
+appVersion: 0.1.0
+kubeVersion: ">=1.22.0-0"
+sources:
+ - https://github.com/bjw-s/k8s-ycl
+keywords:
+ - cpu
+ - resources
+ - limits
+ - admission
+ - controller
+maintainers:
+ - name: bjw-s
+ email: me@bjw-s.dev
+dependencies:
+ - name: common
+ repository: https://bjw-s.github.io/helm-charts
+ version: 1.5.1
+annotations:
+ artifacthub.io/changes: |-
+ - kind: changed
+ description: |
+ Initial version
+ artifacthub.io/links: |
+ - name: "source"
+ url: "https://github.com/bjw-s/k8s-ycl"
diff --git a/charts/apps/k8s-ycl/templates/_helpers.tpl b/charts/apps/k8s-ycl/templates/_helpers.tpl
new file mode 100644
index 00000000..aec821a4
--- /dev/null
+++ b/charts/apps/k8s-ycl/templates/_helpers.tpl 
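Review bot: Chart.yaml records the `common` library dependency but nothing about the cert-manager requirement, even though templates/pki.yaml in this commit creates `cert-manager.io/v1` Issuer and Certificate objects and the webhook's CA bundle relies on the `cert-manager.io/inject-ca-from` annotation. Helm cannot express a CRD or operator prerequisite as a dependency, so an installer with no cert-manager gets an install failure (or a webhook with no CA bundle) and no hint why. Say it where users read it: extend `description` to `Kubernetes admission controller to remove CPU limits from Pods. Requires cert-manager to be installed in the cluster.` and repeat it in the chart README if one is added.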
@@ -0,0 +1,23 @@
+{{- define "k8s-ycl.webhookPort" -}}
+9443
+{{- end -}}
+
+{{- define "k8s-ycl.webhookPath" -}}
+/mutate--v1-pod
+{{- end -}}
+
+{{- define "k8s-ycl.selfSignedIssuer" -}}
+{{ printf "%s-webhook-selfsign" (include "bjw-s.common.lib.chart.names.fullname" .) }}
+{{- end -}}
+
+{{- define "k8s-ycl.rootCAIssuer" -}}
+{{ printf "%s-webhook-ca" (include "bjw-s.common.lib.chart.names.fullname" .) }}
+{{- end -}}
+
+{{- define "k8s-ycl.rootCACertificate" -}}
+{{ printf "%s-webhook-ca" (include "bjw-s.common.lib.chart.names.fullname" .) }}
+{{- end -}}
+
+{{- define "k8s-ycl.servingCertificate" -}}
+{{ printf "%s-webhook-tls" (include "bjw-s.common.lib.chart.names.fullname" .) }}
+{{- end -}}
diff --git a/charts/apps/k8s-ycl/templates/admissionregistration.yaml b/charts/apps/k8s-ycl/templates/admissionregistration.yaml
new file mode 100644
index 00000000..a07c3c65
--- /dev/null
+++ b/charts/apps/k8s-ycl/templates/admissionregistration.yaml 
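Review bot: `k8s-ycl.webhookPort` fixes the port at `9443`, but templates/common.yaml in this same commit writes the Service port as a separate literal `port: 9443` in its `hardcodedValues` block, so the MutatingWebhookConfiguration (which uses the helper) and the Service (which uses the literal) are two sources of truth that can drift apart with a single-file edit. Have common.yaml reference the helper instead: `port: {{ include "k8s-ycl.webhookPort" . }}`. The same applies to `k8s-ycl.webhookPath` versus the `webhook.path` key in values.yaml, which no template in this commit reads.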
@@ -0,0 +1,39 @@
+{{- include "bjw-s.common.loader.init" . -}}
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: {{ include "bjw-s.common.lib.chart.names.fullname" . | quote }}
+ {{- with (include "bjw-s.common.lib.metadata.allLabels" $ | fromYaml) }}
+ labels: {{- toYaml . | nindent 4 }}
+ {{- end }}
+ annotations:
+ cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ include "k8s-ycl.servingCertificate" . }}"
+webhooks:
+ - name: "{{ include "bjw-s.common.lib.chart.names.fullname" . }}.svc.cluster.local"
+ namespaceSelector:
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: NotIn
+ values:
+ - {{ .Release.Namespace | quote }}
+ clientConfig:
+ service:
+ namespace: {{ .Release.Namespace | quote }}
+ name: {{ include "bjw-s.common.lib.chart.names.fullname" . }}-webhook
+ path: {{ include "k8s-ycl.webhookPath" . }}
+ port: {{ include "k8s-ycl.webhookPort" . }}
+ failurePolicy: Fail
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ rules:
+ - apiGroups:
+ - ""
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - pods
diff --git a/charts/apps/k8s-ycl/templates/common.yaml b/charts/apps/k8s-ycl/templates/common.yaml
new file mode 100644
index 00000000..bbcc37c6
--- /dev/null
+++ b/charts/apps/k8s-ycl/templates/common.yaml 
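Review bot: The `namespaceSelector` excludes only the release namespace, so with `failurePolicy: Fail` every Pod CREATE and UPDATE in `kube-system` also depends on this webhook answering within `timeoutSeconds: 5`; values.yaml in this commit defaults to `controller.replicas: 1`, so a node drain or a CNI/DNS restart can leave the cluster unable to recreate its own system pods until the single webhook replica is back. Add the control-plane namespace to the exclusion, `        - kube-system` as a second entry under `values:`, or better, expose the excluded-namespace list as a chart value so operators can extend it for other cluster-critical namespaces. The `kubernetes.io/metadata.name` label the selector relies on is only guaranteed on the `kubeVersion` floor the chart declares, which is worth a one-line comment above the selector.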
@@ -0,0 +1,66 @@
+---
+{{/* Make sure all variables are set properly */}}
+{{- include "bjw-s.common.loader.init" . }}
+
+{{/* Append the hardcoded settings */}}
+{{- define "k8s-ycl.hardcodedValues" -}}
+service:
+ main:
+ enabled: true
+ nameOverride: webhook
+ ports:
+ http:
+ enabled: true
+ port: 9443
+ probe:
+ enabled: true
+ port: 8081
+
+serviceAccount:
+ create: true
+
+persistence:
+ certs:
+ enabled: true
+ type: secret
+ name: {{ include "k8s-ycl.servingCertificate" . }}
+ mountPath: /tls
+
+probes:
+ liveness:
+ enabled: true
+ custom: true
+ spec:
+ httpGet:
+ path: /healthz
+ port: probe
+ initialDelaySeconds: 0
+ periodSeconds: 10
+ timeoutSeconds: 1
+ failureThreshold: 3
+ readiness:
+ enabled: true
+ custom: true
+ spec:
+ httpGet:
+ path: /readyz
+ port: probe
+ initialDelaySeconds: 0
+ periodSeconds: 10
+ timeoutSeconds: 1
+ failureThreshold: 3
+ startup:
+ enabled: true
+ custom: true
+ spec:
+ httpGet:
+ path: /healthz
+ port: probe
+ failureThreshold: 30
+ periodSeconds: 10
+{{- end -}}
+
+{{/* Render the templates */}}
+{{- $ctx := deepCopy . -}}
+{{- $_ := include "k8s-ycl.hardcodedValues" . | fromYaml | merge $ctx.Values -}}
+{{- include "bjw-s.common.loader.all" $ctx }}
diff --git a/charts/apps/k8s-ycl/templates/pki.yaml b/charts/apps/k8s-ycl/templates/pki.yaml
new file mode 100644
index 00000000..3d497fb6
--- /dev/null
+++ b/charts/apps/k8s-ycl/templates/pki.yaml 
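Review bot: The "hardcoded" values are not actually hard-coded: `include "k8s-ycl.hardcodedValues" . | fromYaml | merge $ctx.Values` is Sprig `merge $ctx.Values <hardcoded>`, and `merge` gives precedence to its first (destination) argument, so any user-supplied key in `.Values` silently wins over this block. That matters for the keys that must agree with other templates in this commit: a user who sets `service.main.ports.http.port` or `service.main.nameOverride` gets a Service that no longer matches the `name`/`port` the MutatingWebhookConfiguration points at, and an override of `persistence.certs.name` detaches the pod from the cert-manager serving secret. If this is meant to be the bjw-s library convention of letting users override everything, say so in the `{{/* Append the hardcoded settings */}}` comment; if these really must be fixed, use `{{- $_ := include "k8s-ycl.hardcodedValues" . | fromYaml | mergeOverwrite $ctx.Values -}}` so the block overwrites `.Values`.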
@@ -0,0 +1,67 @@
+{{- include "bjw-s.common.loader.init" . -}}
+---
+# Create a selfsigned Issuer, in order to create a root CA certificate for
+# signing webhook serving certificates
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: {{ include "k8s-ycl.selfSignedIssuer" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ {{- include "bjw-s.common.lib.metadata.allLabels" . | nindent 4 }}
+spec:
+ selfSigned: {}
+
+---
+
+# Generate a CA Certificate used to sign certificates for the webhook
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ include "k8s-ycl.rootCACertificate" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ {{- include "bjw-s.common.lib.metadata.allLabels" . | nindent 4 }}
+spec:
+ secretName: {{ include "k8s-ycl.rootCACertificate" . }}
+ duration: 43800h # 5y
+ issuerRef:
+ name: {{ include "k8s-ycl.selfSignedIssuer" . }}
+ kind: Issuer
+ commonName: "ca.k8s-ycl.cert-manager"
+ isCA: true
+
+---
+
+# Create an Issuer that uses the above generated CA certificate to issue certs
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: {{ include "k8s-ycl.rootCAIssuer" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ {{- include "bjw-s.common.lib.metadata.allLabels" . | nindent 4 }}
+spec:
+ ca:
+ secretName: {{ include "k8s-ycl.rootCACertificate" . }}
+
+---
+
+# Finally, generate a serving certificate for the webhook to use
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ include "k8s-ycl.servingCertificate" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ {{- include "bjw-s.common.lib.metadata.allLabels" . | nindent 4 }}
+spec:
+ secretName: {{ include "k8s-ycl.servingCertificate" . }}
+ duration: 8760h # 1y
+ issuerRef:
+ name: {{ include "k8s-ycl.rootCAIssuer" . }}
+ kind: Issuer
+ dnsNames:
+ - {{ include "bjw-s.common.lib.chart.names.fullname" . }}-webhook
+ - {{ include "bjw-s.common.lib.chart.names.fullname" . 
}}-webhook.{{ .Release.Namespace }}
+ - {{ include "bjw-s.common.lib.chart.names.fullname" . }}-webhook.{{ .Release.Namespace }}.svc
diff --git a/charts/apps/k8s-ycl/values.yaml b/charts/apps/k8s-ycl/values.yaml
new file mode 100644
index 00000000..fbd7b3ed
--- /dev/null
+++ b/charts/apps/k8s-ycl/values.yaml
@@ -0,0 +1,10 @@
+---
+controller:
+ replicas: 1
+
+image:
+ repository: ghcr.io/bjw-s/k8s-ycl
+ pullPolicy: Always
+
+webhook:
+ path: /mutate--v1-pod
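Review bot: Neither Certificate sets `spec.privateKey.rotationPolicy`, and cert-manager releases of this era default it to `Never`, so the 1y serving certificate and the 5y CA are renewed with the same private key for their whole lifetime; a key that leaks once stays valid until someone deletes the Secret by hand. Add `  privateKey:` / `    rotationPolicy: Always` to both Certificate specs so every renewal produces a fresh key pair (cert-manager then rolls the webhook's mounted `/tls` secret, which the pod must pick up). The CA `Certificate` and the CA `Issuer` both render as `<fullname>-webhook-ca` via two helpers with identical bodies; that works because the kinds differ, but a comment on the `ca:` Issuer saying its name intentionally matches the Certificate/Secret would save the next reader a trip to _helpers.tpl.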
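Review bot: `webhook.path` in values.yaml is dead configuration: the MutatingWebhookConfiguration in this commit takes its path from the `k8s-ycl.webhookPath` helper, which hard-codes `/mutate--v1-pod`, so changing this value has no effect and a user who edits it will get a webhook that silently points elsewhere than they expect. Either drop the key or make the helper the single source, `{{- define "k8s-ycl.webhookPath" -}}{{ .Values.webhook.path }}{{- end -}}`, and document the value with a comment such as `# Must match the path the k8s-ycl binary serves its mutating handler on`. `pullPolicy: Always` with no `tag` key leaves the running image floating on whatever tag the common library derives; if reproducible deploys matter here, consider pinning a digest once the image publishes one.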