From fec0a838361b3993f3bcedfb65318d91b2cbdbb5 Mon Sep 17 00:00:00 2001
From: Yevgeniy Valeyev
Date: Sat, 2 Nov 2024 21:44:35 +0100
Subject: [PATCH] Helm chart refactoring (#963)
Co-authored-by: mazay
---
 charts/s3sync-service/.helmignore | 2 +
 charts/s3sync-service/ci/no-rbac.yaml | 1 +
 charts/s3sync-service/ci/secret-custom.yaml | 4 ++
 charts/s3sync-service/ci/secret.yaml | 3 ++
 charts/s3sync-service/templates/_helpers.tpl | 29 +++++++++++++
 .../s3sync-service/templates/configmap.yaml | 6 +--
 .../s3sync-service/templates/deployment.yaml | 35 ++++++----------
 charts/s3sync-service/templates/rbac.yaml | 42 +++++++++++++++++++
 charts/s3sync-service/templates/role.yaml | 18 --------
 .../s3sync-service/templates/rolebinding.yaml | 15 -------
 charts/s3sync-service/templates/secret.yaml | 8 ++--
 .../templates/serviceaccount.yaml | 7 ----
 charts/s3sync-service/values.yaml | 5 +++
 docs/helm-charts.md | 2 +
 14 files changed, 109 insertions(+), 68 deletions(-)
 create mode 100644 charts/s3sync-service/ci/no-rbac.yaml
 create mode 100644 charts/s3sync-service/ci/secret-custom.yaml
 create mode 100644 charts/s3sync-service/ci/secret.yaml
 create mode 100644 charts/s3sync-service/templates/_helpers.tpl
 create mode 100644 charts/s3sync-service/templates/rbac.yaml
 delete mode 100644 charts/s3sync-service/templates/role.yaml
 delete mode 100644 charts/s3sync-service/templates/rolebinding.yaml
 delete mode 100644 charts/s3sync-service/templates/serviceaccount.yaml
diff --git a/charts/s3sync-service/.helmignore b/charts/s3sync-service/.helmignore
index 3d55dc91..12d1f407 100644
--- a/charts/s3sync-service/.helmignore
+++ b/charts/s3sync-service/.helmignore
@@ -22,3 +22,5 @@ docs-template.md
 .idea/
 *.tmproj
 .vscode/
+# CI values
+ci/*
diff --git a/charts/s3sync-service/ci/no-rbac.yaml b/charts/s3sync-service/ci/no-rbac.yaml
new file mode 100644
index 00000000..5c5e9998
--- /dev/null
+++ b/charts/s3sync-service/ci/no-rbac.yaml
@@ -0,0 +1 @@
+createRbac: false
diff --git a/charts/s3sync-service/ci/secret-custom.yaml b/charts/s3sync-service/ci/secret-custom.yaml
new file mode 100644
index 00000000..52546b7d
--- /dev/null
+++ b/charts/s3sync-service/ci/secret-custom.yaml
@@ -0,0 +1,4 @@
+secret:
+ name: s3sync-credentials
+ AWS_ACCESS_KEY_ID: AKIAI44QH8DHBEXAMPLE
+ AWS_SECRET_ACCESS_KEY: je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
diff --git a/charts/s3sync-service/ci/secret.yaml b/charts/s3sync-service/ci/secret.yaml
new file mode 100644
index 00000000..16c3073f
--- /dev/null
+++ b/charts/s3sync-service/ci/secret.yaml
@@ -0,0 +1,3 @@
+secret:
+ AWS_ACCESS_KEY_ID: AKIAI44QH8DHBEXAMPLE
+ AWS_SECRET_ACCESS_KEY: je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
diff --git a/charts/s3sync-service/templates/_helpers.tpl b/charts/s3sync-service/templates/_helpers.tpl
new file mode 100644
index 00000000..81814a2c
--- /dev/null
+++ b/charts/s3sync-service/templates/_helpers.tpl
@@ -0,0 +1,29 @@
+{{- define "s3sync.fullname"}}
+{{- .Values.fullnameOverride | default .Release.Name -}}
+{{- end -}}
+
+{{- define "s3sync.configmapName" -}}
+{{- .Values.configmap.name | default (include "s3sync.fullname" .) -}}
+{{- end -}}
+
+{{- define "s3sync.serviceAccountName" -}}
+{{- .Values.serviceAccountName | default (include "s3sync.fullname" .) -}}
+{{- end -}}
+
+{{- define "s3sync.labels" -}}
+app: {{ include "s3sync.fullname" . | quote }}
+{{- if .Values.labels -}}
+{{ toYaml .Values.labels }}
+{{- end -}}
+{{- end -}}
+
+{{- define "s3sync.podAnnotations" -}}
+{{- if .Values.podAnnotations -}}
+{{ toYaml .Values.podAnnotations }}
+{{- end -}}
+{{- if .Values.prometheusExporter.enable -}}
+prometheus.io/path: {{ .Values.prometheusExporter.path | quote }}
+prometheus.io/port: {{ .Values.prometheusExporter.port | quote }}
+prometheus.io/scrape: "true"
+{{- end -}}
+{{- end -}}
diff --git a/charts/s3sync-service/templates/configmap.yaml b/charts/s3sync-service/templates/configmap.yaml
index 642f5f16..ab4a61a8 100644
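Review bot: In `s3sync.labels` the `-}}` on `{{- if .Values.labels -}}` strips the newline in front of the `toYaml` output, so with a non-empty `labels` value the helper renders the `app:` entry and the first extra label on one line and the manifests stop parsing. `s3sync.podAnnotations` has the same problem between its two blocks: when `podAnnotations` is set and `prometheusExporter.enable` is true, the last annotation and `prometheus.io/path` are joined. Dropping the right-hand trim on the two openers, `{{- if .Values.labels }}` and `{{- if .Values.prometheusExporter.enable }}`, keeps the separating newline. The three CI values files added here set neither `labels` nor `podAnnotations`, so a `ci/` case covering both would catch this.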
--- a/charts/s3sync-service/templates/configmap.yaml
+++ b/charts/s3sync-service/templates/configmap.yaml
@@ -1,10 +1,10 @@
+---
 apiVersion: v1
 kind: ConfigMap
 metadata:
+ name: {{ include "s3sync.fullname" . }}
 labels:
- app: {{ .Release.Name }}
- name: {{ .Release.Name }}
- namespace: {{ .Release.Namespace }}
+ {{- include "s3sync.labels" . | nindent 4 }}
 data:
 config.yml: |-
 {{- if .Values.config.access_key }}
diff --git a/charts/s3sync-service/templates/deployment.yaml b/charts/s3sync-service/templates/deployment.yaml
index fbe4939c..2136baf6 100644
--- a/charts/s3sync-service/templates/deployment.yaml
+++ b/charts/s3sync-service/templates/deployment.yaml
@@ -1,34 +1,25 @@
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
- name: {{ .Release.Name }}
- namespace: {{ .Release.Namespace }}
+ name: {{ include "s3sync.fullname" . }}
+ labels:
+ {{- include "s3sync.labels" . | nindent 4 }}
 spec:
 replicas: 1
 selector:
 matchLabels:
- app: s3sync-service
+ {{- include "s3sync.labels" . | nindent 6 }}
 template:
 metadata:
 labels:
- app: s3sync-service
+ {{- include "s3sync.labels" . | nindent 8 }}
 {{- if or .Values.podAnnotations .Values.prometheusExporter.enable }}
 annotations:
- {{- if .Values.prometheusExporter.enable }}
- prometheus.io/path: {{ .Values.prometheusExporter.path | quote }}
- prometheus.io/port: {{ .Values.prometheusExporter.port | quote }}
- prometheus.io/scrape: "true"
- {{- end }}
- {{- range $key, $value := .Values.podAnnotations }}
- {{ $key }}: {{ $value | quote }}
- {{- end }}
+ {{- include "s3sync.podAnnotations" . | nindent 8 }}
 {{- end }}
 spec:
- {{- if .Values.createRbac }}
- serviceAccountName: {{ .Release.Name }}
- {{- else if .Values.serviceAccountName }}
- serviceAccountName: {{ .Values.serviceAccountName }}
- {{- end }}
+ serviceAccountName: {{ include "s3sync.serviceAccountName" . }}
 {{- if .Values.imagePullSecrets }}
 imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}
 {{- end }}
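Review bot: `serviceAccountName` is now rendered unconditionally, and the `s3sync.serviceAccountName` helper falls back to the release full name even when `createRbac` is false, which is the case `ci/no-rbac.yaml` sets up: the pod then names a ServiceAccount that this chart does not create. In the opposite case, `createRbac: true` together with a custom `serviceAccountName`, the pod runs as the custom account while the RoleBinding subject in `rbac.yaml` is the full name, so the ConfigMap permissions are bound to an account the pod does not use; the removed block gave `createRbac` precedence. Keeping a guard around the line, `{{- if or .Values.createRbac .Values.serviceAccountName }}` … `{{- end }}`, and letting `rbac.yaml` take the account name from the same helper would keep the two in step. Separately, `matchLabels` now carries every entry of `.Values.labels` and replaces the fixed `app: s3sync-service`; a Deployment selector is immutable, so an upgrade from the previous chart or a later label change is likely to be rejected. The Deployment spec continues past this hunk.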
@@ -46,13 +37,13 @@ spec:
 affinity: {{ toYaml .Values.affinity | nindent 8 }}
 {{- end }}
 containers:
- - name: {{ .Release.Name }}
+ - name: "s3sync"
 image: {{ .Values.image.repository }}:{{- if .Values.image.tag }}{{ .Values.image.tag }}{{- else }}{{ .Chart.AppVersion }}{{- end }}
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 command:
 - "./s3sync-service"
 {{- if .Values.configmap.watch }}
- - "-configmap={{ .Release.Namespace }}/{{ .Release.Name }}"
+ - "-configmap={{ .Release.Namespace }}/{{ include "s3sync.configmapName" . }}"
 {{- else }}
 - "-config=/opt/s3sync-service/config.yml"
 {{- end }}
@@ -68,8 +59,8 @@ spec:
 {{- if or (and .Values.secret.AWS_ACCESS_KEY_ID .Values.secret.AWS_SECRET_ACCESS_KEY) .Values.secret.name }}
 envFrom:
 - secretRef:
- {{- if and .Values.secret.AWS_ACCESS_KEY_ID .Values.secret.AWS_SECRET_ACCESS_KEY }}
- name: {{ .Release.Name }}
+ {{- if and (and .Values.secret.AWS_ACCESS_KEY_ID .Values.secret.AWS_SECRET_ACCESS_KEY) (eq .Values.secret.name "") }}
+ name: {{ include "s3sync.fullname" . }}
 {{- else }}
 name: {{ .Values.secret.name }}
 {{- end }}
@@ -116,6 +107,6 @@ spec:
 - name: config-volume
 configMap:
 defaultMode: 420
- name: {{ if .Values.configmap.name }}{{ .Values.configmap.name }}{{ else }}{{ .Release.Namespace }}/{{ .Release.Name }}{{ end }}
+ name: {{ include "s3sync.configmapName" . }}
 {{- end }}
 {{- end }}
diff --git a/charts/s3sync-service/templates/rbac.yaml b/charts/s3sync-service/templates/rbac.yaml
new file mode 100644
index 00000000..8511df95
--- /dev/null
+++ b/charts/s3sync-service/templates/rbac.yaml
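Review bot: The new condition at `secretRef` makes `secret.name` win over inline keys, and `templates/secret.yaml` uses the same test, so when both are supplied (as in `ci/secret-custom.yaml`) no Secret is rendered and `envFrom` points at `s3sync-credentials`, which has to exist already. The inline `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` values are then dropped without any message. If that precedence is intended, a `fail` in the template or a line in the values documentation should say so; if the intent is a chart-managed Secret with a custom name, `secret.yaml` needs to render under `.Values.secret.name`. The test `(eq .Values.secret.name "")` also depends on `name` always being a string, whereas `(not .Values.secret.name)` treats an unset or null value the same as an empty one.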
@@ -0,0 +1,42 @@
+{{- if .Values.createRbac }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "s3sync.fullname" . }}
+ labels:
+ {{- include "s3sync.labels" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ resourceNames:
+ - "{{ include "s3sync.fullname" . }}"
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "s3sync.fullname" . }}
+ labels:
+ {{- include "s3sync.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "s3sync.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "s3sync.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "s3sync.fullname" . }}
+ labels:
+ {{- include "s3sync.labels" . | nindent 4 }}
+{{- end }}
diff --git a/charts/s3sync-service/templates/role.yaml b/charts/s3sync-service/templates/role.yaml
deleted file mode 100644
index cc042d47..00000000
--- a/charts/s3sync-service/templates/role.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{- if .Values.createRbac }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: {{ .Release.Name }}
- namespace: {{ .Release.Namespace }}
-rules:
- - apiGroups:
- - ""
- resources:
- - configmaps
- resourceNames:
- - "{{ .Release.Name }}"
- verbs:
- - get
- - list
- - watch
-{{- end }}
diff --git a/charts/s3sync-service/templates/rolebinding.yaml b/charts/s3sync-service/templates/rolebinding.yaml
deleted file mode 100644
index 496895a1..00000000
--- a/charts/s3sync-service/templates/rolebinding.yaml
+++ /dev/null
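Review bot: The Role's `resourceNames` entry is built from `s3sync.fullname`, but the deployment passes `-configmap={{ .Release.Namespace }}/{{ include "s3sync.configmapName" . }}` to the service, so once `configmap.name` is set the granted ConfigMap and the watched one differ and the watch is presumably denied. Using the same helper here, `- {{ include "s3sync.configmapName" . | quote }}`, keeps the grant scoped to the object the pod actually reads. A short comment above `rules:` would also help, for example `# read-only access to the single ConfigMap used by configmap.watch`. Because `list` and `watch` are restricted by `resourceNames`, they are only authorized for requests that select that name with a `metadata.name` field selector; whether the service does this is not visible in the diff.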
@@ -1,15 +0,0 @@
-{{- if .Values.createRbac }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: {{ .Release.Name }}
- namespace: {{ .Release.Namespace }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: {{ .Release.Name }}
-subjects:
- - kind: ServiceAccount
- name: {{ .Release.Name }}
- namespace: {{ .Release.Namespace }}
-{{- end }}
diff --git a/charts/s3sync-service/templates/secret.yaml b/charts/s3sync-service/templates/secret.yaml
index 66e8621f..8c1a6abe 100644
--- a/charts/s3sync-service/templates/secret.yaml
+++ b/charts/s3sync-service/templates/secret.yaml
@@ -1,9 +1,11 @@
-{{- if and .Values.secret.AWS_ACCESS_KEY_ID .Values.secret.AWS_SECRET_ACCESS_KEY }}
+{{- if and (and .Values.secret.AWS_ACCESS_KEY_ID .Values.secret.AWS_SECRET_ACCESS_KEY) (eq .Values.secret.name "") }}
+---
 apiVersion: v1
 kind: Secret
 metadata:
- name: {{ .Release.Name }}
- namespace: {{ .Release.Namespace }}
+ name: {{ include "s3sync.fullname" . }}
+ labels:
+ {{- include "s3sync.labels" . | nindent 4 }}
 type: Opaque
 data:
 AWS_ACCESS_KEY_ID: {{ b64enc .Values.secret.AWS_ACCESS_KEY_ID }}
diff --git a/charts/s3sync-service/templates/serviceaccount.yaml b/charts/s3sync-service/templates/serviceaccount.yaml
deleted file mode 100644
index 58b3068c..00000000
--- a/charts/s3sync-service/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-{{- if .Values.createRbac }}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ .Release.Name }}
- namespace: {{ .Release.Namespace }}
-{{- end }}
diff --git a/charts/s3sync-service/values.yaml b/charts/s3sync-service/values.yaml
index f583800d..8e66e5d0 100644
--- a/charts/s3sync-service/values.yaml
+++ b/charts/s3sync-service/values.yaml
@@ -18,6 +18,9 @@ serviceAccountName: ""
 # -- might be useful when using private registry
 imagePullSecrets: []
+# -- extra labels
+labels: {}
+
 # -- extra pod annotations
 podAnnotations: {}
@@ -68,6 +71,8 @@ prometheusExporter:
 path: /metrics
 configmap:
+ # -- configmap.name overrides the default configmap name
+ name: ""
 # -- enable the [configmap watch](k8s-integration.md) feature
 watch: true
diff --git a/docs/helm-charts.md b/docs/helm-charts.md
index e232cbdf..1d0338f1 100644
--- a/docs/helm-charts.md
+++ b/docs/helm-charts.md
@@ -46,6 +46,7 @@ Kubernetes: `>=1.13.10-0`
 | config.upload_queue_buffer | int | `0` | the upload queue buffer, check the [documentation](configuration.md#global-configuration-options) for details |
 | config.upload_workers | int | `10` | number of the upload workers |
 | config.watch_interval | string | `"1s"` | [global](configuration.md#global-configuration-options) watch interval settings |
+| configmap.name | string | `""` | configmap.name overrides the default configmap name |
 | configmap.watch | bool | `true` | enable the [configmap watch](k8s-integration.md) feature |
 | createRbac | bool | `true` | set to false if you not planning on using configmap watch functionality or want to create RBAC objects manually |
 | httpServer.enable | bool | `true` | enable the s3sync-service [http service](http-server.md) |
@@ -54,6 +55,7 @@ Kubernetes: `>=1.13.10-0`
 | image.repository | string | `"ghcr.io/mazay/s3sync-service"` | docker repository, uses `quay.io` mirror by default |
 | image.tag | string | `""` | overrides the image tag whose default is the chart appVersion |
 | imagePullSecrets | list | `[]` | might be useful when using private registry |
+| labels | object | `{}` | extra labels |
 | nodeSelector | object | `{}` | [nodeSelector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) for the pod |
 | podAnnotations | object | `{}` | extra pod annotations |
 | podSecurityContext | object | `{"runAsNonRoot":true,"runAsUser":8888}` | the [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |