missing safe-to-evict podAnnotation

giantswarm · Jan 22, 2025 · d4cdf9c · d4cdf9c
1 parent f2bc88a
commit d4cdf9c
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 31 deletions.
diff --git a/helm/cert-manager/values.yaml b/helm/cert-manager/values.yaml
@@ -343,7 +343,8 @@ volumeMounts: []
 
 # Optional additional annotations to add to the controller Pods.
 # +docs:property
-# podAnnotations: {}
+podAnnotations:
+  cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
 
 # Optional additional labels to add to the controller Pods.
 podLabels: {}

diff --git a/sync/patches/values/000-values.patch b/sync/patches/values/000-values.patch
@@ -1,5 +1,5 @@
 diff --git a/vendor/cert-manager/values.yaml b/helm/cert-manager/values.yaml
-index 7a1c295..97a2971 100644
+index 7a1c295..489b0ef 100644
 --- a/vendor/cert-manager/values.yaml
 +++ b/helm/cert-manager/values.yaml
 @@ -34,6 +34,9 @@ global:
@@ -65,7 +65,17 @@ index 7a1c295..97a2971 100644
  # Additional volumes to add to the cert-manager controller pod.
  volumes: []
 
-@@ -447,7 +458,12 @@ affinity: {}
+@@ -332,7 +343,8 @@ volumeMounts: []
+
+ # Optional additional annotations to add to the controller Pods.
+ # +docs:property
+-# podAnnotations: {}
++podAnnotations:
++  cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
+
+ # Optional additional labels to add to the controller Pods.
+ podLabels: {}
+@@ -447,7 +459,12 @@ affinity: {}
  #     operator: Equal
  #     value: master
  #     effect: NoSchedule
@@ -79,7 +89,7 @@ index 7a1c295..97a2971 100644
 
  # A list of Kubernetes TopologySpreadConstraints, if required. For more information, see [Topology spread constraint v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core
  #
-@@ -471,7 +487,7 @@ topologySpreadConstraints: []
+@@ -471,7 +488,7 @@ topologySpreadConstraints: []
  # [Kubernetes GitHub repository](https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245)
  # +docs:property
  livenessProbe:
@@ -88,7 +98,7 @@ index 7a1c295..97a2971 100644
    initialDelaySeconds: 10
    periodSeconds: 10
    timeoutSeconds: 15
-@@ -498,7 +514,7 @@ prometheus:
+@@ -498,7 +515,7 @@ prometheus:
 
    servicemonitor:
      # Create a ServiceMonitor to add cert-manager to Prometheus.
@@ -97,7 +107,7 @@ index 7a1c295..97a2971 100644
 
      # The namespace that the service monitor should live in, defaults
      # to the cert-manager namespace.
-@@ -544,8 +560,24 @@ prometheus:
+@@ -544,8 +561,24 @@ prometheus:
      #     targetLabel: instance
      #
      # +docs:property
@@ -124,7 +134,7 @@ index 7a1c295..97a2971 100644
    # Note that you can not enable both PodMonitor and ServiceMonitor as they are mutually exclusive. Enabling both will result in an error.
    podmonitor:
      # Create a PodMonitor to add cert-manager to Prometheus.
-@@ -611,7 +643,7 @@ webhook:
+@@ -611,7 +644,7 @@ webhook:
    # availability.
    #
    # If `replicas > 1`, consider setting `webhook.podDisruptionBudget.enabled=true`.
@@ -133,7 +143,7 @@ index 7a1c295..97a2971 100644
 
    # The number of seconds the API server should wait for the webhook to respond before treating the call as a failure.
    # The value must be between 1 and 30 seconds. For more information, see
-@@ -675,6 +707,8 @@ webhook:
+@@ -675,6 +708,8 @@ webhook:
      runAsNonRoot: true
      seccompProfile:
        type: RuntimeDefault
@@ -142,15 +152,15 @@ index 7a1c295..97a2971 100644
 
    # Container Security Context to be set on the webhook component container.
    # For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
-@@ -685,6 +719,7 @@ webhook:
+@@ -685,6 +720,7 @@ webhook:
        drop:
        - ALL
      readOnlyRootFilesystem: true
 +    runAsNonRoot: true
 
    podDisruptionBudget:
      # Enable or disable the PodDisruptionBudget resource.
-@@ -693,7 +728,7 @@ webhook:
+@@ -693,7 +729,7 @@ webhook:
      # For example, the PodDisruptionBudget will block `kubectl drain`
      # if it is used on the Node where the only remaining cert-manager
      # Pod is currently running.
@@ -159,7 +169,7 @@ index 7a1c295..97a2971 100644
 
      # This property configures the minimum available pods for disruptions. Can either be set to
      # an integer (e.g. 1) or a percentage value (e.g. 25%).
-@@ -702,6 +737,8 @@ webhook:
+@@ -702,6 +738,8 @@ webhook:
      # +docs:type=unknown
      # minAvailable: 1
 
@@ -168,7 +178,7 @@ index 7a1c295..97a2971 100644
      # This property configures the maximum unavailable pods for disruptions. Can either be set to
      # an integer (e.g. 1) or a percentage value (e.g. 25%).
      # It cannot be used if `minAvailable` is set.
-@@ -777,7 +814,13 @@ webhook:
+@@ -777,7 +815,13 @@ webhook:
    #    memory: 32Mi
    #
    # For more information, see [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
@@ -183,7 +193,7 @@ index 7a1c295..97a2971 100644
 
    # Liveness probe values.
    # For more information, see [Container probes](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes).
-@@ -823,8 +866,22 @@ webhook:
+@@ -823,8 +867,22 @@ webhook:
    #            operator: In
    #            values:
    #            - master
@@ -208,7 +218,7 @@ index 7a1c295..97a2971 100644
    # A list of Kubernetes Tolerations, if required. For more information, see [Toleration v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core).
    #
    # For example:
-@@ -833,7 +890,12 @@ webhook:
+@@ -833,7 +891,12 @@ webhook:
    #     operator: Equal
    #     value: master
    #     effect: NoSchedule
@@ -222,7 +232,7 @@ index 7a1c295..97a2971 100644
 
    # A list of Kubernetes TopologySpreadConstraints, if required. For more information, see [Topology spread constraint v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core).
    #
-@@ -849,7 +911,8 @@ webhook:
+@@ -849,7 +912,8 @@ webhook:
    topologySpreadConstraints: []
 
    # Optional additional labels to add to the Webhook Pods.
@@ -232,7 +242,7 @@ index 7a1c295..97a2971 100644
 
    # Optional additional labels to add to the Webhook Service.
    serviceLabels: {}
-@@ -867,7 +930,8 @@ webhook:
+@@ -867,7 +931,8 @@ webhook:
 
      # The container image for the cert-manager webhook
      # +docs:property
@@ -242,7 +252,7 @@ index 7a1c295..97a2971 100644
 
      # Override the image tag to deploy by setting this variable.
      # If no value is set, the chart's appVersion will be used.
-@@ -940,7 +1004,7 @@ webhook:
+@@ -940,7 +1005,7 @@ webhook:
    # Enables default network policies for webhooks.
    networkPolicy:
      # Create network policies for the webhooks.
@@ -251,7 +261,7 @@ index 7a1c295..97a2971 100644
 
      # Ingress rule for the webhook network policy. By default, it allows all
      # inbound traffic.
-@@ -1042,6 +1106,8 @@ cainjector:
+@@ -1042,6 +1107,8 @@ cainjector:
      runAsNonRoot: true
      seccompProfile:
        type: RuntimeDefault
@@ -260,23 +270,23 @@ index 7a1c295..97a2971 100644
 
    # Container Security Context to be set on the cainjector component container
    # For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
-@@ -1052,6 +1118,7 @@ cainjector:
+@@ -1052,6 +1119,7 @@ cainjector:
        drop:
        - ALL
      readOnlyRootFilesystem: true
 +    runAsNonRoot: true
 
    podDisruptionBudget:
      # Enable or disable the PodDisruptionBudget resource.
-@@ -1068,6 +1135,7 @@ cainjector:
+@@ -1068,6 +1136,7 @@ cainjector:
      # +docs:property
      # +docs:type=unknown
      # minAvailable: 1
 +    minAvailable: "50%"
 
      # `maxUnavailable` configures the maximum unavailable pods for disruptions. It can either be set to
      # an integer (e.g. 1) or a percentage value (e.g. 25%).
-@@ -1083,7 +1151,8 @@ cainjector:
+@@ -1083,7 +1152,8 @@ cainjector:
    # Optional additional annotations to add to the cainjector Pods.
    # +docs:property
    # podAnnotations: {}
@@ -286,7 +296,7 @@ index 7a1c295..97a2971 100644
    # Optional additional annotations to add to the cainjector metrics Service.
    # +docs:property
    # serviceAnnotations: {}
-@@ -1100,6 +1169,23 @@ cainjector:
+@@ -1100,6 +1170,23 @@ cainjector:
    #  - name: SOME_VAR
    #    value: 'some value'
    extraEnv: []
@@ -310,7 +320,7 @@ index 7a1c295..97a2971 100644
 
    # Comma separated list of feature gates that should be enabled on the
    # cainjector pod.
-@@ -1113,7 +1199,13 @@ cainjector:
+@@ -1113,7 +1200,13 @@ cainjector:
    #    memory: 32Mi
    #
    # For more information, see [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
@@ -325,7 +335,7 @@ index 7a1c295..97a2971 100644
 
 
    # The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with
-@@ -1176,7 +1268,8 @@ cainjector:
+@@ -1176,7 +1269,8 @@ cainjector:
 
      # The container image for the cert-manager cainjector
      # +docs:property
@@ -335,7 +345,7 @@ index 7a1c295..97a2971 100644
 
      # Override the image tag to deploy by setting this variable.
      # If no value is set, the chart's appVersion will be used.
-@@ -1235,7 +1328,8 @@ acmesolver:
+@@ -1235,7 +1329,8 @@ acmesolver:
 
      # The container image for the cert-manager acmesolver.
      # +docs:property
@@ -345,7 +355,7 @@ index 7a1c295..97a2971 100644
 
      # Override the image tag to deploy by setting this variable.
      # If no value is set, the chart's appVersion is used.
-@@ -1260,7 +1354,7 @@ acmesolver:
+@@ -1260,7 +1355,7 @@ acmesolver:
 
  startupapicheck:
    # Enables the startup api check.
@@ -354,7 +364,7 @@ index 7a1c295..97a2971 100644
 
    # Pod Security Context to be set on the startupapicheck component Pod.
    # For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
-@@ -1279,7 +1373,7 @@ startupapicheck:
+@@ -1279,7 +1374,7 @@ startupapicheck:
        drop:
        - ALL
      readOnlyRootFilesystem: true
@@ -363,7 +373,7 @@ index 7a1c295..97a2971 100644
    # Timeout for 'kubectl check api' command.
    timeout: 1m
 
-@@ -1322,7 +1416,10 @@ startupapicheck:
+@@ -1322,7 +1417,10 @@ startupapicheck:
    #    memory: 32Mi
    #
    # For more information, see [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
@@ -375,7 +385,7 @@ index 7a1c295..97a2971 100644
 
 
    # The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with
-@@ -1356,7 +1453,11 @@ startupapicheck:
+@@ -1356,7 +1454,11 @@ startupapicheck:
    #     operator: Equal
    #     value: master
    #     effect: NoSchedule
@@ -388,7 +398,7 @@ index 7a1c295..97a2971 100644
 
    # Optional additional labels to add to the startupapicheck Pods.
    podLabels: {}
-@@ -1368,7 +1469,8 @@ startupapicheck:
+@@ -1368,7 +1470,8 @@ startupapicheck:
 
      # The container image for the cert-manager startupapicheck.
      # +docs:property
@@ -398,7 +408,7 @@ index 7a1c295..97a2971 100644
 
      # Override the image tag to deploy by setting this variable.
      # If no value is set, the chart's appVersion is used.
-@@ -1453,3 +1555,11 @@ creator: "helm"
+@@ -1453,3 +1556,11 @@ creator: "helm"
  # for more info.
  # +docs:hidden
  enabled: true