Add support for reading Cluster ID from a secret (#458)

castai · Jan 29, 2025 · 8b5ce10 · 8b5ce10
1 parent b309f77
commit 8b5ce10
Show file tree

Hide file tree

Showing 3 changed files with 59 additions and 22 deletions.
diff --git a/charts/kvisor/templates/agent.yaml b/charts/kvisor/templates/agent.yaml
@@ -81,12 +81,12 @@ spec:
         {{- end }}
           envFrom:
         {{- if .Values.castai.enabled }}
-          - secretRef:
-              name: {{ include "kvisor.castaiSecretName" . }}
+            - secretRef:
+                name: {{ include "kvisor.castaiSecretName" . }}
         {{- end }}
         {{- if.Values.clickhouse.enabled }}
-          - secretRef:
-              name:  {{ include "kvisor.clickhouse.fullname" . }}
+            - secretRef:
+                name:  {{ include "kvisor.clickhouse.fullname" . }}
         {{- end }}
           env:
             - name: NODE_NAME
@@ -107,8 +107,24 @@ spec:
                      {{- else -}}
                        {{ .Values.castai.grpcAddr | quote }}
                      {{- end }}
+          {{- if .Values.castai.clusterIdSecretKeyRef.name }}
+          {{- if ne .Values.castai.clusterID "" }}
+          {{- fail "clusterID and clusterIdSecretKeyRef are mutually exclusive" }}
+          {{- end }}
+            - name: CASTAI_CLUSTER_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ required "clusterID or clusterIdSecretKeyRef must be provided" .Values.castai.clusterIdSecretKeyRef.name }}
+                  key: {{ .Values.castai.clusterIdSecretKeyRef.key }}
+          {{- else }}
+          {{- if not .Values.castai.clusterID }}
+          {{- fail "either clusterID or clusterIdSecretKeyRef must be provided" }}
+          {{- end }}
+          {{- if .Values.castai.clusterID }}
             - name: CASTAI_CLUSTER_ID
               value: {{ .Values.castai.clusterID | quote }}
+          {{- end }}
+          {{- end }}
           {{- if .Values.agent.debug.ebpf }}
             - name: KVISOR_EBPF_DEBUG
               value: "1"
@@ -247,14 +263,14 @@ subjects:
 apiVersion: v1
 kind: ResourceQuota
 metadata:
-    name: {{ include "kvisor.agent.fullname" . }}-critical-pods
-    namespace: {{ .Release.Namespace }}
+  name: {{ include "kvisor.agent.fullname" . }}-critical-pods
+  namespace: {{ .Release.Namespace }}
 spec:
-    scopeSelector:
-        matchExpressions:
-            - operator: In
-              scopeName: PriorityClass
-              values:
-                - {{ .Values.agent.priorityClass }}
+  scopeSelector:
+    matchExpressions:
+      - operator: In
+        scopeName: PriorityClass
+        values:
+          - {{ .Values.agent.priorityClass }}
 {{- end }}
 {{- end }}
diff --git a/charts/kvisor/templates/controller.yaml b/charts/kvisor/templates/controller.yaml
@@ -80,8 +80,24 @@ spec:
                      {{- else -}}
                        {{ .Values.castai.grpcAddr | quote }}
                      {{- end }}
+        {{- if .Values.castai.clusterIdSecretKeyRef.name }}
+          {{- if ne .Values.castai.clusterID "" }}
+          {{- fail "clusterID and clusterIdSecretKeyRef are mutually exclusive" }}
+          {{- end }}
+            - name: CASTAI_CLUSTER_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ required "clusterID or clusterIdSecretKeyRef must be provided" .Values.castai.clusterIdSecretKeyRef.name }}
+                  key: {{ .Values.castai.clusterIdSecretKeyRef.key }}
+          {{- else }}
+          {{- if not .Values.castai.clusterID }}
+          {{- fail "either clusterID or clusterIdSecretKeyRef must be provided" }}
+          {{- end }}
+          {{- if .Values.castai.clusterID }}
             - name: CASTAI_CLUSTER_ID
-              value: {{  .Values.castai.clusterID | quote }}
+              value: {{ .Values.castai.clusterID | quote }}
+          {{- end }}
+          {{- end }}
         {{- range $key, $value := .Values.controller.extraEnv }}
             - name: {{ $key }}
               value: {{ $value }}

diff --git a/charts/kvisor/values.yaml b/charts/kvisor/values.yaml
@@ -16,8 +16,13 @@ castai:
   # CASTAI grpc public api address.
   grpcAddr: "kvisor.prod-master.cast.ai:443"
 
-  # CASTAI Cluster unique identifier.
+  # clusterID and clusterIdSecretKeyRef are mutually exclusive
   clusterID: ""
+  # clusterIdSecretKeyRef -- Name and Key of secret with ClusterID
+  # The referenced secret must provide the ClusterID in .data[<<.Values.castai.clusterIdSecretKeyRef.key>>]
+  clusterIdSecretKeyRef:
+    name: ""
+    key: "CLUSTER_ID"
 
 imagePullSecrets: []
 nameOverride: ""
@@ -96,7 +101,7 @@ agent:
     # limits:
     #   cpu: 100m
     #   memory: 128Mi
-    # requests:
+  # requests:
   #   cpu: 100m
   #   memory: 128Mi
 
@@ -156,17 +161,17 @@ controller:
   securityContext:
     fsGroup: 1001
     runAsNonRoot: true
-#    fsGroup: 10001
-#    runAsGroup: 10001
-#    runAsUser: 10001
-#    seccompProfile:
-#      type: RuntimeDefault
+  #    fsGroup: 10001
+  #    runAsGroup: 10001
+  #    runAsUser: 10001
+  #    seccompProfile:
+  #      type: RuntimeDefault
 
   containerSecurityContext:
     allowPrivilegeEscalation: false
     readOnlyRootFilesystem: true
-#    capabilities:
-#      drop: [ ALL ]
+  #    capabilities:
+  #      drop: [ ALL ]
 
   resources:
     requests: