Adjustments for charts and code to deploy extension by gardener-opera…

…tor (#901) * Adjustments for charts and code to deploy extension by gardener-operator * address review feedback from provider-aws
gardener · Nov 30, 2024 · 36135bf · 36135bf
1 parent 2f15fb8
commit 36135bf
Show file tree

Hide file tree

Showing 28 changed files with 260 additions and 144 deletions.
diff --git a/.ci/pipeline_definitions b/.ci/pipeline_definitions
@@ -16,18 +16,18 @@ gardener-extension-provider-openstack:
       registry: europe-docker.pkg.dev/gardener-project/snapshots/charts/gardener/extensions
       mappings:
       - ref: ocm-resource:gardener-extension-admission-openstack.repository
-        attribute: global.image.repository
+        attribute: image.repository
       - ref: ocm-resource:gardener-extension-admission-openstack.tag
-        attribute: global.image.tag
+        attribute: image.tag
     - &admission-openstack-runtime
       name: admission-openstack-runtime
       dir: charts/gardener-extension-admission-openstack/charts/runtime
       registry: europe-docker.pkg.dev/gardener-project/snapshots/charts/gardener/extensions
       mappings:
       - ref: ocm-resource:gardener-extension-admission-openstack.repository
-        attribute: global.image.repository
+        attribute: image.repository
       - ref: ocm-resource:gardener-extension-admission-openstack.tag
-        attribute: global.image.tag
+        attribute: image.tag
 
   base_definition:
     traits:

diff --git a/charts/gardener-extension-admission-openstack/Chart.yaml b/charts/gardener-extension-admission-openstack/Chart.yaml
diff --git a/...extension-admission-openstack/.helmignore → ...-openstack/charts/application/.helmignore b/...extension-admission-openstack/.helmignore → ...-openstack/charts/application/.helmignore
diff --git a/charts/gardener-extension-admission-openstack/charts/application/Chart.yaml b/charts/gardener-extension-admission-openstack/charts/application/Chart.yaml
@@ -1,4 +1,4 @@
 apiVersion: v1
 description: A Helm chart to deploy the gardener-extension-admission-openstack application related resources
-name: application
+name: admission-openstack-application
 version: 0.1.0
diff --git a/charts/gardener-extension-admission-openstack/charts/application/templates/_helpers.tpl b/charts/gardener-extension-admission-openstack/charts/application/templates/_helpers.tpl
diff --git a/charts/gardener-extension-admission-openstack/charts/application/templates/_helpers.tpl b/charts/gardener-extension-admission-openstack/charts/application/templates/_helpers.tpl
@@ -0,0 +1,15 @@
+{{- define "name" -}}
+gardener-extension-admission-openstack
+{{- end -}}
+
+{{- define "labels.app.key" -}}
+app.kubernetes.io/name
+{{- end -}}
+{{- define "labels.app.value" -}}
+{{ include "name" . }}
+{{- end -}}
+
+{{- define "labels" -}}
+{{ include "labels.app.key" . }}: {{ include "labels.app.value" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
diff --git a/charts/gardener-extension-admission-openstack/charts/application/templates/rbac.yaml b/charts/gardener-extension-admission-openstack/charts/application/templates/rbac.yaml
@@ -62,10 +62,10 @@ roleRef:
   kind: ClusterRole
   name: {{ include "name" . }}
 subjects:
-{{- if and .Values.global.virtualGarden.enabled .Values.global.virtualGarden.user.name }}
-- apiGroup: rbac.authorization.k8s.io
-  kind: User
-  name: {{ .Values.global.virtualGarden.user.name  }}
+{{- if .Values.gardener.virtualCluster.serviceAccount.name }}
+- kind: ServiceAccount
+  name: {{ required ".Values.gardener.virtualCluster.serviceAccount.name is required" .Values.gardener.virtualCluster.serviceAccount.name }}
+  namespace: {{ required ".Values.gardener.virtualCluster.serviceAccount.namespace is required" .Values.gardener.virtualCluster.serviceAccount.namespace }}
 {{- else }}
 - kind: ServiceAccount
   name: {{ include "name" . }}

diff --git a/...s/gardener-extension-admission-openstack/charts/application/templates/serviceaccount.yaml b/...s/gardener-extension-admission-openstack/charts/application/templates/serviceaccount.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.global.virtualGarden.enabled ( not .Values.global.virtualGarden.user.name ) }}
+{{- if not .Values.gardener.virtualCluster.serviceAccount.name }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:

diff --git a/charts/gardener-extension-admission-openstack/charts/application/values.yaml b/charts/gardener-extension-admission-openstack/charts/application/values.yaml
diff --git a/charts/gardener-extension-admission-openstack/charts/application/values.yaml b/charts/gardener-extension-admission-openstack/charts/application/values.yaml
@@ -0,0 +1,5 @@
+gardener:
+  virtualCluster:
+    serviceAccount: {}
+#     name: extension-admission-provider-openstack
+#     namespace: kube-system
diff --git a/charts/gardener-extension-admission-openstack/charts/runtime/.helmignore b/charts/gardener-extension-admission-openstack/charts/runtime/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/charts/gardener-extension-admission-openstack/charts/runtime/Chart.yaml b/charts/gardener-extension-admission-openstack/charts/runtime/Chart.yaml
@@ -1,4 +1,4 @@
 apiVersion: v1
 description: A Helm chart to deploy the gardener-extension-admission-openstack runtime related resources
-name: runtime
+name:  admission-openstack-runtime
 version: 0.1.0
diff --git a/charts/gardener-extension-admission-openstack/charts/runtime/templates/_helpers.tpl b/charts/gardener-extension-admission-openstack/charts/runtime/templates/_helpers.tpl
diff --git a/charts/gardener-extension-admission-openstack/charts/runtime/templates/_helpers.tpl b/charts/gardener-extension-admission-openstack/charts/runtime/templates/_helpers.tpl
@@ -0,0 +1,27 @@
+{{- define "name" -}}
+gardener-extension-admission-openstack
+{{- end -}}
+
+{{- define "labels.app.key" -}}
+app.kubernetes.io/name
+{{- end -}}
+{{- define "labels.app.value" -}}
+{{ include "name" . }}
+{{- end -}}
+
+{{- define "labels" -}}
+{{ include "labels.app.key" . }}: {{ include "labels.app.value" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{-  define "image" -}}
+  {{- if hasPrefix "sha256:" .tag }}
+  {{- printf "%s@%s" .repository .tag }}
+  {{- else }}
+  {{- printf "%s:%s" .repository .tag }}
+  {{- end }}
+{{- end }}
+
+{{- define "leaderelectionid" -}}
+gardener-extension-admission-openstack
+{{- end -}}
diff --git a/charts/gardener-extension-admission-openstack/charts/runtime/templates/deployment.yaml b/charts/gardener-extension-admission-openstack/charts/runtime/templates/deployment.yaml
@@ -8,14 +8,14 @@ metadata:
     high-availability-config.resources.gardener.cloud/type: server
 spec:
   revisionHistoryLimit: 1
-  replicas: {{ .Values.global.replicaCount }}
+  replicas: {{ .Values.replicaCount }}
   selector:
     matchLabels:
 {{ include "labels" . | indent 6 }}
   template:
     metadata:
       annotations:
-        {{- if .Values.global.kubeconfig }}
+        {{- if .Values.kubeconfig }}
         checksum/gardener-extension-admission-openstack-kubeconfig: {{ include (print $.Template.BasePath "/secret-kubeconfig.yaml") . | sha256sum }}
         {{- end }}
       labels:
@@ -24,104 +24,85 @@ spec:
         networking.resources.gardener.cloud/to-virtual-garden-kube-apiserver-tcp-443: allowed
 {{ include "labels" . | indent 8 }}
     spec:
-      {{- if .Values.global.priorityClassName }}
-      priorityClassName: {{ .Values.global.priorityClassName }}
+      {{- if .Values.gardener.runtimeCluster.priorityClassName }}
+      priorityClassName: {{ .Values.gardener.runtimeCluster.priorityClassName }}
       {{- end }}
       serviceAccountName: {{ include "name" . }}
-      {{- if .Values.global.kubeconfig }}
+      {{- if .Values.kubeconfig }}
       automountServiceAccountToken: false
       {{- end }}
       containers:
       - name: {{ include "name" . }}
-        image: {{ include "image" .Values.global.image }}
-        imagePullPolicy: {{ .Values.global.image.pullPolicy }}
+        image: {{ include "image" .Values.image }}
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
         command:
         - /gardener-extension-admission-openstack
-        - --webhook-config-server-port={{ .Values.global.webhookConfig.serverPort }}
-        {{- if .Values.global.virtualGarden.enabled }}
+        - --webhook-config-server-port={{ .Values.webhookConfig.serverPort }}
         - --webhook-config-mode=url
         - --webhook-config-url={{ printf "%s.%s" (include "name" .) (.Release.Namespace) }}
-        {{- else }}
-        - --webhook-config-mode=service
-        {{- end }}
         - --webhook-config-namespace={{ .Release.Namespace }}
-        {{- if .Values.global.kubeconfig }}
+        {{- if .Values.gardener.virtualCluster.namespace }}
+        - --webhook-config-owner-namespace={{ .Values.gardener.virtualCluster.namespace }}
+        {{- end }}
+        {{- if .Values.kubeconfig }}
         - --kubeconfig=/etc/gardener-extension-admission-openstack/kubeconfig/kubeconfig
         {{- end }}
-        {{- if .Values.global.projectedKubeconfig }}
-        - --kubeconfig={{ required ".Values.global.projectedKubeconfig.baseMountPath is required" .Values.global.projectedKubeconfig.baseMountPath }}/kubeconfig
+        {{- if .Values.projectedKubeconfig }}
+        - --kubeconfig={{ required ".Values.projectedKubeconfig.baseMountPath is required" .Values.projectedKubeconfig.baseMountPath }}/kubeconfig
         {{- end }}
-        {{- if .Values.global.metricsPort }}
-        - --metrics-bind-address=:{{ .Values.global.metricsPort }}
+        {{- if .Values.metricsPort }}
+        - --metrics-bind-address=:{{ .Values.metricsPort }}
         {{- end }}
-        - --health-bind-address=:{{ .Values.global.healthPort }}
+        - --health-bind-address=:{{ .Values.healthPort }}
         - --leader-election-id={{ include "leaderelectionid" . }}
-        - --enable-overlay-as-default-for-calico={{ .Values.global.enableOverlayAsDefaultForCalico }}
-        - --enable-overlay-as-default-for-cilium={{ .Values.global.enableOverlayAsDefaultForCilium }}
+        - --enable-overlay-as-default-for-calico={{ .Values.enableOverlayAsDefaultForCalico }}
+        - --enable-overlay-as-default-for-cilium={{ .Values.enableOverlayAsDefaultForCilium }}
         livenessProbe:
           httpGet:
             path: /healthz
-            port: {{ .Values.global.healthPort }}
+            port: {{ .Values.healthPort }}
             scheme: HTTP
           initialDelaySeconds: 10
         readinessProbe:
           httpGet:
             path: /readyz
-            port: {{ .Values.global.healthPort }}
+            port: {{ .Values.healthPort }}
             scheme: HTTP
           initialDelaySeconds: 5
         env:
         - name: LEADER_ELECTION_NAMESPACE
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        {{- if .Values.global.virtualGarden.enabled }}
         - name: SOURCE_CLUSTER
           value: enabled
-        {{- end }}
         ports:
         - name: webhook-server
-          containerPort: {{ .Values.global.webhookConfig.serverPort }}
+          containerPort: {{ .Values.webhookConfig.serverPort }}
           protocol: TCP
-{{- if .Values.global.resources }}
+{{- if .Values.resources }}
         resources:
-{{ toYaml .Values.global.resources | nindent 10 }}
+{{ toYaml .Values.resources | nindent 10 }}
 {{- end }}
         volumeMounts:
-        {{- if .Values.global.kubeconfig }}
+        {{- if .Values.kubeconfig }}
         - name: gardener-extension-admission-openstack-kubeconfig
           mountPath: /etc/gardener-extension-admission-openstack/kubeconfig
           readOnly: true
         {{- end }}
-        {{- if .Values.global.serviceAccountTokenVolumeProjection.enabled }}
-        - name: service-account-token
-          mountPath: /var/run/secrets/projected/serviceaccount
-          readOnly: true
-        {{- end }}
-        {{- if .Values.global.projectedKubeconfig }}
+        {{- if .Values.projectedKubeconfig }}
         - name: kubeconfig
-          mountPath: {{ required ".Values.global.projectedKubeconfig.baseMountPath is required" .Values.global.projectedKubeconfig.baseMountPath }}
+          mountPath: {{ required ".Values.projectedKubeconfig.baseMountPath is required" .Values.projectedKubeconfig.baseMountPath }}
           readOnly: true
         {{- end }}
       volumes:
-      {{- if .Values.global.kubeconfig }}
+      {{- if .Values.kubeconfig }}
       - name: gardener-extension-admission-openstack-kubeconfig
         secret:
           secretName: gardener-extension-admission-openstack-kubeconfig
           defaultMode: 420
       {{- end }}
-      {{- if .Values.global.serviceAccountTokenVolumeProjection.enabled }}
-      - name: service-account-token
-        projected:
-          sources:
-          - serviceAccountToken:
-              path: token
-              expirationSeconds: {{ .Values.global.serviceAccountTokenVolumeProjection.expirationSeconds }}
-              {{- if .Values.global.serviceAccountTokenVolumeProjection.audience }}
-              audience: {{ .Values.global.serviceAccountTokenVolumeProjection.audience }}
-              {{- end }}
-      {{- end }}
-      {{- if .Values.global.projectedKubeconfig }}
+      {{- if .Values.projectedKubeconfig }}
       - name: kubeconfig
         projected:
           defaultMode: 420
@@ -130,12 +111,12 @@ spec:
               items:
               - key: kubeconfig
                 path: kubeconfig
-              name: {{ required ".Values.global.projectedKubeconfig.genericKubeconfigSecretName is required" .Values.global.projectedKubeconfig.genericKubeconfigSecretName }}
+              name: {{ required ".Values.projectedKubeconfig.genericKubeconfigSecretName is required" .Values.projectedKubeconfig.genericKubeconfigSecretName }}
               optional: false
           - secret:
               items:
               - key: token
                 path: token
-              name: {{ required ".Values.global.projectedKubeconfig.tokenSecretName is required" .Values.global.projectedKubeconfig.tokenSecretName }}
+              name: {{ required ".Values.projectedKubeconfig.tokenSecretName is required" .Values.projectedKubeconfig.tokenSecretName }}
               optional: false
       {{- end }}
diff --git a/...ts/gardener-extension-admission-openstack/charts/runtime/templates/secret-kubeconfig.yaml b/...ts/gardener-extension-admission-openstack/charts/runtime/templates/secret-kubeconfig.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.global.kubeconfig }}
+{{- if .Values.kubeconfig }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -10,5 +10,5 @@ metadata:
     heritage: "{{ .Release.Service }}"
 type: Opaque
 data:
-  kubeconfig: {{ .Values.global.kubeconfig | b64enc }}
+  kubeconfig: {{ .Values.kubeconfig | b64enc }}
 {{- end }}
diff --git a/charts/gardener-extension-admission-openstack/charts/runtime/templates/service.yaml b/charts/gardener-extension-admission-openstack/charts/runtime/templates/service.yaml
@@ -4,8 +4,8 @@ metadata:
   name: {{ include "name" . }}
   namespace: {{ .Release.Namespace }}
   annotations:
-    networking.resources.gardener.cloud/from-all-webhook-targets-allowed-ports: '[{"protocol":"TCP","port":{{ .Values.global.webhookConfig.serverPort }}}]'
-    {{- if .Values.global.service.topologyAwareRouting.enabled }}
+    networking.resources.gardener.cloud/from-all-webhook-targets-allowed-ports: '[{"protocol":"TCP","port":{{ .Values.webhookConfig.serverPort }}}]'
+    {{- if .Values.service.topologyAwareRouting.enabled }}
     {{- if semverCompare ">= 1.27-0" .Capabilities.KubeVersion.Version }}
     service.kubernetes.io/topology-mode: "auto"
     {{- else }}
@@ -14,7 +14,7 @@ metadata:
     {{- end }}
   labels:
 {{ include "labels" . | indent 4 }}
-    {{- if .Values.global.service.topologyAwareRouting.enabled }}
+    {{- if .Values.service.topologyAwareRouting.enabled }}
     endpoint-slice-hints.resources.gardener.cloud/consider: "true"
     {{- end }}
 spec:
@@ -24,4 +24,4 @@ spec:
   ports:
   - port: 443
     protocol: TCP
-    targetPort: {{ .Values.global.webhookConfig.serverPort }}
+    targetPort: {{ .Values.webhookConfig.serverPort }}
diff --git a/charts/gardener-extension-admission-openstack/charts/runtime/templates/vpa.yaml b/charts/gardener-extension-admission-openstack/charts/runtime/templates/vpa.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.global.vpa.enabled}}
+{{- if .Values.vpa.enabled}}
 apiVersion: "autoscaling.k8s.io/v1"
 kind: VerticalPodAutoscaler
 metadata:
@@ -14,5 +14,5 @@ spec:
     kind: Deployment
     name: {{ include "name" . }}
   updatePolicy:
-    updateMode: {{ .Values.global.vpa.updatePolicy.updateMode }}
+    updateMode: {{ .Values.vpa.updatePolicy.updateMode }}
 {{- end }}
diff --git a/charts/gardener-extension-admission-openstack/charts/runtime/values.yaml b/charts/gardener-extension-admission-openstack/charts/runtime/values.yaml
diff --git a/charts/gardener-extension-admission-openstack/charts/runtime/values.yaml b/charts/gardener-extension-admission-openstack/charts/runtime/values.yaml
@@ -0,0 +1,37 @@
+image:
+  repository: europe-docker.pkg.dev/gardener-project/public/gardener/extensions/admission-openstack
+  tag: latest
+  pullPolicy: IfNotPresent
+
+replicaCount: 1
+resources: {}
+metricsPort: 8080
+healthPort: 8081
+vpa:
+  enabled: true
+  updatePolicy:
+    updateMode: "Auto"
+enableOverlayAsDefaultForCalico: true
+enableOverlayAsDefaultForCilium: true
+webhookConfig:
+  serverPort: 10250
+
+# Kubeconfig to the target cluster. In-cluster configuration will be used if not specified.
+kubeconfig:
+
+#projectedKubeconfig:
+#  baseMountPath: /var/run/secrets/gardener.cloud
+#  genericKubeconfigSecretName: generic-token-kubeconfig
+#  tokenSecretName: access-os-admission
+
+service:
+  topologyAwareRouting:
+    enabled: false
+
+gardener:
+  virtualCluster:
+    serviceAccount: {}
+  #     name: extension-admission-provider-openstack
+  #     namespace: kube-system
+  runtimeCluster: {}
+#   priorityClassName: gardener-garden-system-400