diff --git a/chart/templates/_helpers.tpl b/chart/templates/_helpers.tpl
index 11efbce8..0bf04794 100644
--- a/chart/templates/_helpers.tpl
+++ b/chart/templates/_helpers.tpl
@@ -334,3 +334,17 @@ vaultAuthGlobalRef generates the default VaultAuth spec.vaultAuthGlobalRef.
 {{- $ret | toYaml | nindent 4 -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+topologySpreadConstraints appends the "vso.chart.selectorLabels" to .Values.controller.topologySpreadConstraints if no labelSelector was specified
+*/}}
+{{- define "vso.topologySpreadConstraints" -}}
+{{- $defaultLabelSelector := dict "labelSelector" (dict "matchLabels" (include "vso.chart.selectorLabels" . | fromYaml)) -}}
+{{- range $topologySpreadConstraint := .Values.controller.topologySpreadConstraints -}}
+{{- if hasKey $topologySpreadConstraint "labelSelector" -}}
+{{- $topologySpreadConstraint | list | toYaml -}}
+{{- else -}}
+{{- merge $topologySpreadConstraint $defaultLabelSelector | list | toYaml -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml
index 3489ea49..d33e6a76 100644
--- a/chart/templates/deployment.yaml
+++ b/chart/templates/deployment.yaml
@@ -132,6 +132,9 @@ spec:
 volumeMounts:
 - mountPath: /var/run/podinfo
 name: podinfo
+ {{- if .Values.controller.priorityClassName }}
+ priorityClassName: {{ .Values.controller.priorityClassName }}
+ {{- end }}
 securityContext:
 {{- toYaml .Values.controller.podSecurityContext | nindent 8 }}
 serviceAccountName: {{ include "vso.chart.fullname" . }}-controller-manager
@@ -152,6 +155,10 @@ spec:
 affinity:
 {{- toYaml .Values.controller.affinity | nindent 8 }}
 {{- end }}
+ {{- if .Values.controller.topologySpreadConstraints }}
+ topologySpreadConstraints:
+ {{- include "vso.topologySpreadConstraints" . | nindent 8 }}
+ {{- end }}
 volumes:
 - downwardAPI:
 items:
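Review bot: With two or more entries in .Values.controller.topologySpreadConstraints the helper serializes each item separately (`$topologySpreadConstraint | list | toYaml` and the `merge ... | list | toYaml` branch), and because every action is whitespace-trimmed with `{{- ... -}}` and Helm's toYaml strips the trailing newline, the second item's leading `- ` lands on the last line of the first item (something like `whenUnsatisfiable: DoNotSchedule- labelSelector:`), which is no longer valid YAML once deployment.yaml applies `nindent 8`. Building one list of the (possibly defaulted) constraints and calling toYaml once avoids the per-item join. `merge` also mutates the user-supplied map in place and `$defaultLabelSelector` is shared by reference across iterations; that is harmless for rendering but deserves a comment. The header comment could additionally state what the default selector is, e.g. `The default labelSelector is vso.chart.selectorLabels, so the constraint spreads only this operator's pods.`
```gotemplate
{{- define "vso.topologySpreadConstraints" -}}
{{- $defaultLabelSelector := dict "labelSelector" (dict "matchLabels" (include "vso.chart.selectorLabels" . | fromYaml)) -}}
{{- $constraints := list -}}
{{- range $topologySpreadConstraint := .Values.controller.topologySpreadConstraints -}}
{{- if hasKey $topologySpreadConstraint "labelSelector" -}}
{{- $constraints = append $constraints $topologySpreadConstraint -}}
{{- else -}}
{{- $constraints = append $constraints (merge $topologySpreadConstraint $defaultLabelSelector) -}}
{{- end -}}
{{- end -}}
{{- toYaml $constraints -}}
{{- end -}}
```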
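Review bot: `priorityClassName: {{ .Values.controller.priorityClassName }}` interpolates the value unquoted, so a class name that YAML reads as a non-string (for example `on`, or a purely numeric name) changes type before it reaches the API server; `priorityClassName: {{ .Values.controller.priorityClassName | quote }}` keeps it a string. The same pattern appears in the deployment.yaml @@ -211 hunk and in the hook-upgrade-crds.yaml hunk. Indentation is not preserved in this view, so I cannot confirm the new lines sit at pod-spec level next to `securityContext:` (the one fed by podSecurityContext) rather than inside the last container's `volumeMounts` block; worth checking the rendered manifest. The values.yaml comment for this field could also note that the PriorityClass must already exist in the cluster, since Kubernetes rejects pods that reference a missing class.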
@@ -211,6 +218,9 @@ spec:
 securityContext:
 {{- toYaml .| nindent 10 }}
 {{- end}}
+ {{- if .Values.controller.priorityClassName }}
+ priorityClassName: {{ .Values.controller.priorityClassName }}
+ {{- end }}
 restartPolicy: Never
 {{- with .Values.controller.nodeSelector }}
 nodeSelector:
diff --git a/chart/templates/hook-upgrade-crds.yaml b/chart/templates/hook-upgrade-crds.yaml
index 3f5b3b13..699806e7 100644
--- a/chart/templates/hook-upgrade-crds.yaml
+++ b/chart/templates/hook-upgrade-crds.yaml
@@ -106,6 +106,9 @@ spec:
 securityContext:
 {{- toYaml .| nindent 10 }}
 {{- end}}
+ {{- if .Values.controller.priorityClassName }}
+ priorityClassName: {{ .Values.controller.priorityClassName }}
+ {{- end }}
 restartPolicy: Never
 {{- with .Values.controller.nodeSelector }}
 nodeSelector:
diff --git a/chart/templates/poddisruptionbudget.yaml b/chart/templates/poddisruptionbudget.yaml
new file mode 100644
index 00000000..1fe8b8b7
--- /dev/null
+++ b/chart/templates/poddisruptionbudget.yaml
@@ -0,0 +1,26 @@
+{{/*
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+*/}}
+
+{{- if and (gt (int .Values.controller.replicas) 1) .Values.controller.podDisruptionBudget.enabled }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: {{ include "vso.chart.fullname" . }}
+ labels:
+ app.kubernetes.io/component: controller-manager
+ control-plane: controller-manager
+ {{- include "vso.chart.labels" . | nindent 4 }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ {{- if (gt (int .Values.controller.podDisruptionBudget.maxUnavailable) 0) }}
+ maxUnavailable: {{ .Values.controller.podDisruptionBudget.maxUnavailable }}
+ {{- end }}
+ {{- if (gt (int .Values.controller.podDisruptionBudget.minAvailable) 0) }}
+ minAvailable: {{ .Values.controller.podDisruptionBudget.minAvailable }}
+ {{- end }}
+ selector:
+ matchLabels:
+ {{- include "vso.chart.selectorLabels" . | nindent 6 }}
+{{- end }}
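Review bot: Both `maxUnavailable` and `minAvailable` are emitted whenever each is greater than 0, but the PodDisruptionBudget API rejects a spec that sets both, and since minAvailable defaults to 1 a user who only sets maxUnavailable gets an install-time validation error instead of a clear message. A guard before `spec:` makes the conflict explicit: `{{- if and (gt (int .Values.controller.podDisruptionBudget.maxUnavailable) 0) (gt (int .Values.controller.podDisruptionBudget.minAvailable) 0) }}` / `{{- fail "controller.podDisruptionBudget: set only one of maxUnavailable or minAvailable" }}` / `{{- end }}`. The `int` coercion also means a percentage such as `"50%"`, which the API accepts for both fields, presumably evaluates to 0 and is silently dropped, leaving a budget with neither field; if percentages are intentionally unsupported the values.yaml comments should say so. The header comment could record why the resource is gated on `replicas > 1`: a budget with minAvailable 1 over a single replica would block voluntary evictions such as node drains.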
diff --git a/chart/values.yaml b/chart/values.yaml
index 7623176e..42e4301b 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -8,6 +8,10 @@ controller:
 # @type: integer
 replicas: 1
+ # Set the priority class for the operator.
+ # @type: string
+ priorityClassName: ""
+
 # Configure update strategy for multi-replica deployments.
 # Kubernetes supports types Recreate, and RollingUpdate
 # ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
@@ -66,6 +70,34 @@ controller:
 # - antarctica-west1
 affinity: {}
+ # TopologySpreadConstraints settings for vault-secrets-operator pod.
+ # The value is an array of PodSpec TopologySpreadConstraint maps.
+ # A labelSelector for the pods will be added automatically to the template in case it is not set.
+ # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/
+ # Example:
+ # topologySpreadConstraints:
+ # - maxSkew: 1
+ # topologyKey: zone
+ # whenUnsatisfiable: DoNotSchedule
+ topologySpreadConstraints: []
+
+ # Configure the PodDisruptionBudget for the controller deployment.
+ podDisruptionBudget:
+
+ # toggles the deployment of the PodDisruptionBudget for the controller.
+ # @type: boolean
+ enabled: false
+
+ # Sets the maximum number of pods that can be unavailable during the eviction.
+ # This field cannot be set if minAvailable is set.
+ # @type: integer
+ maxUnavailable: 0
+
+ # Sets the numer of pods that must be available during the eviction.
+ # This field cannot be set if maxUnavailable is set.
+ # @type: integer
+ minAvailable: 1
+
 rbac:
 # clusterRoleAggregation defines the roles included in the aggregated ClusterRole.
 clusterRoleAggregation:
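Review bot: The comment `# Sets the numer of pods that must be available during the eviction.` has a typo (`number`), and the mutual-exclusion comments on maxUnavailable and minAvailable do not tell the reader that minAvailable defaults to 1, so enabling maxUnavailable also requires `minAvailable: 0`; I'd add `# Set minAvailable to 0 when using this field.` under maxUnavailable. Given the template coerces both values with `int`, the `# @type: integer` annotations are accurate, but it is worth stating explicitly that percentage values are not supported. The topologySpreadConstraints comment could name which selector is injected, e.g. `# The default labelSelector is the chart's selectorLabels (the operator pods).`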