From 8b5ce1071894be07e9d4b85969dcafe4c8b86452 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?And=C5=BEej=20Maciusovi=C4=8D?= Date: Wed, 29 Jan 2025 10:24:35 +0200 Subject: [PATCH] Add support for reading Cluster ID from a secret (#458) --- charts/kvisor/templates/agent.yaml | 40 +++++++++++++++++-------- charts/kvisor/templates/controller.yaml | 18 ++++++++++- charts/kvisor/values.yaml | 23 ++++++++------ 3 files changed, 59 insertions(+), 22 deletions(-) diff --git a/charts/kvisor/templates/agent.yaml b/charts/kvisor/templates/agent.yaml index 6152e8a4..e04f4901 100644 --- a/charts/kvisor/templates/agent.yaml +++ b/charts/kvisor/templates/agent.yaml @@ -81,12 +81,12 @@ spec: {{- end }} envFrom: {{- if .Values.castai.enabled }} - - secretRef: - name: {{ include "kvisor.castaiSecretName" . }} + - secretRef: + name: {{ include "kvisor.castaiSecretName" . }} {{- end }} {{- if.Values.clickhouse.enabled }} - - secretRef: - name: {{ include "kvisor.clickhouse.fullname" . }} + - secretRef: + name: {{ include "kvisor.clickhouse.fullname" . }} {{- end }} env: - name: NODE_NAME @@ -107,8 +107,24 @@ spec: {{- else -}} {{ .Values.castai.grpcAddr | quote }} {{- end }} + {{- if .Values.castai.clusterIdSecretKeyRef.name }} + {{- if ne .Values.castai.clusterID "" }} + {{- fail "clusterID and clusterIdSecretKeyRef are mutually exclusive" }} + {{- end }} + - name: CASTAI_CLUSTER_ID + valueFrom: + secretKeyRef: + name: {{ required "clusterID or clusterIdSecretKeyRef must be provided" .Values.castai.clusterIdSecretKeyRef.name }} + key: {{ .Values.castai.clusterIdSecretKeyRef.key }} + {{- else }} + {{- if not .Values.castai.clusterID }} + {{- fail "either clusterID or clusterIdSecretKeyRef must be provided" }} + {{- end }} + {{- if .Values.castai.clusterID }} - name: CASTAI_CLUSTER_ID value: {{ .Values.castai.clusterID | quote }} + {{- end }} + {{- end }} {{- if .Values.agent.debug.ebpf }} - name: KVISOR_EBPF_DEBUG value: "1" 
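Review bot: In the new `secretKeyRef` block of the `@@ -107,8 +107,24 @@` hunk, `name` and `key` are rendered unquoted and `key` is never validated, so an override such as `key: ""` renders a null key and a numeric- or boolean-looking value is retyped by the YAML parser. I would write `name: {{ .Values.castai.clusterIdSecretKeyRef.name | quote }}` and `key: {{ required "clusterIdSecretKeyRef.key must be set" .Values.castai.clusterIdSecretKeyRef.key | quote }}`; the existing `required` on `name` can never fire because it sits inside `if .Values.castai.clusterIdSecretKeyRef.name`. The `else` branch now calls `fail` when `clusterID` is empty, which is the default in values.yaml; if this env list is not under the `castai.enabled` guard (the enclosing block starts outside the hunk), installs that leave CAST AI disabled would stop rendering, so that is worth confirming. The same block is added in the controller.yaml hunk and the same points apply there.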
@@ -247,14 +263,14 @@ subjects: apiVersion: v1 kind: ResourceQuota metadata: - name: {{ include "kvisor.agent.fullname" . }}-critical-pods - namespace: {{ .Release.Namespace }} + name: {{ include "kvisor.agent.fullname" . }}-critical-pods + namespace: {{ .Release.Namespace }} spec: - scopeSelector: - matchExpressions: - - operator: In - scopeName: PriorityClass - values: - - {{ .Values.agent.priorityClass }} + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - {{ .Values.agent.priorityClass }} {{- end }} {{- end }} diff --git a/charts/kvisor/templates/controller.yaml b/charts/kvisor/templates/controller.yaml index 0d2544ba..0fa8d315 100644 --- a/charts/kvisor/templates/controller.yaml +++ b/charts/kvisor/templates/controller.yaml @@ -80,8 +80,24 @@ spec: {{- else -}} {{ .Values.castai.grpcAddr | quote }} {{- end }} + {{- if .Values.castai.clusterIdSecretKeyRef.name }} + {{- if ne .Values.castai.clusterID "" }} + {{- fail "clusterID and clusterIdSecretKeyRef are mutually exclusive" }} + {{- end }} + - name: CASTAI_CLUSTER_ID + valueFrom: + secretKeyRef: + name: {{ required "clusterID or clusterIdSecretKeyRef must be provided" .Values.castai.clusterIdSecretKeyRef.name }} + key: {{ .Values.castai.clusterIdSecretKeyRef.key }} + {{- else }} + {{- if not .Values.castai.clusterID }} + {{- fail "either clusterID or clusterIdSecretKeyRef must be provided" }} + {{- end }} + {{- if .Values.castai.clusterID }} - name: CASTAI_CLUSTER_ID - value: {{ .Values.castai.clusterID | quote }} + value: {{ .Values.castai.clusterID | quote }} + {{- end }} + {{- end }} {{- range $key, $value := .Values.controller.extraEnv }} - name: {{ $key }} value: {{ $value }} diff --git a/charts/kvisor/values.yaml b/charts/kvisor/values.yaml index 9e319435..ec34b65a 100644 --- a/charts/kvisor/values.yaml +++ b/charts/kvisor/values.yaml 
@@ -16,8 +16,13 @@ castai: # CASTAI grpc public api address. grpcAddr: "kvisor.prod-master.cast.ai:443" - # CASTAI Cluster unique identifier. + # clusterID and clusterIdSecretKeyRef are mutually exclusive clusterID: "" + # clusterIdSecretKeyRef -- Name and Key of secret with ClusterID + # The referenced secret must provide the ClusterID in .data[<<.Values.castai.clusterIdSecretKeyRef.key>>] + clusterIdSecretKeyRef: + name: "" + key: "CLUSTER_ID" imagePullSecrets: [] nameOverride: "" @@ -96,7 +101,7 @@ agent: # limits: # cpu: 100m # memory: 128Mi - # requests: + # requests: # cpu: 100m # memory: 128Mi @@ -156,17 +161,17 @@ controller: securityContext: fsGroup: 1001 runAsNonRoot: true -# fsGroup: 10001 -# runAsGroup: 10001 -# runAsUser: 10001 -# seccompProfile: -# type: RuntimeDefault + # fsGroup: 10001 + # runAsGroup: 10001 + # runAsUser: 10001 + # seccompProfile: + # type: RuntimeDefault containerSecurityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true -# capabilities: -# drop: [ ALL ] + # capabilities: + # drop: [ ALL ] resources: requests:
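Review bot: In the `@@ -16,8 +16,13 @@` hunk the comment above `clusterID` now only states the mutual exclusion and no longer says what the value is, and the `clusterIdSecretKeyRef` comment does not say where the Secret has to live. The templates render a plain `secretKeyRef` without `optional`, so the Secret must already exist in the release namespace, otherwise the agent and controller containers will not start. I would restore the description as `# clusterID -- CASTAI Cluster unique identifier. Mutually exclusive with clusterIdSecretKeyRef.` and add `# The Secret must exist in the release namespace and contain the cluster ID under the configured key.`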