Skip to content

Commit

Permalink
exclude openshift namespaces via regex
Browse files Browse the repository at this point in the history 
Signed-off-by: Zahar Pecherichny <[email protected]>
  • Loading branch information
@zfrhv
zfrhv committed Jun 10, 2024
1 parent a0351d2 commit 8815241
Show file tree
Hide file tree
Showing 4 changed files with 223 additions and 210 deletions.
211 changes: 107 additions & 104 deletions charts/hnc/templates/hnc-controller-manager-ha.yaml
View file
Original file line number Diff line number Diff line change
@@ -1,104 +1,107 @@
{{- if .Values.ha.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
control-plane: controller-manager
name: {{ include "hnc.fullname" . }}-controller-manager-ha
namespace: {{ include "hnc.namespace" . }}
spec:
replicas: 3
selector:
matchLabels:
control-plane: controller-manager-ha
template:
metadata:
annotations:
prometheus.io/scrape: "true"
labels:
control-plane: controller-manager-ha
spec:
containers:
- args:
{{- if .Values.hrq.enabled }}
- --enable-hrq
{{- end }}
{{- range $hncExcludeNamespace := .Values.hncExcludeNamespaces}}
- --excluded-namespace={{ $hncExcludeNamespace }}
{{- end }}
- --webhook-server-port=9443
- --metrics-addr=:8080
- --max-reconciles=10
- --apiserver-qps-throttle=50
- --nopropagation-label=cattle.io/creator=norman
- --webhooks-only
command:
- /manager
image: {{ .Values.image.repository }}:{{ .Values.image.tag | default "hnc-manager:latest" }}
livenessProbe:
failureThreshold: 1
httpGet:
path: /healthz
port: 8081
periodSeconds: 10
name: manager
ports:
- containerPort: 9443
name: webhook-server
protocol: TCP
- containerPort: 8080
name: metrics
protocol: TCP
- containerPort: 8081
name: healthz
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
port: 8081
periodSeconds: 5
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
startupProbe:
failureThreshold: 100
httpGet:
path: /readyz
port: 8081
periodSeconds: 5
volumeMounts:
- mountPath: /tmp/k8s-webhook-server/serving-certs
name: cert
readOnly: true
{{- with .Values.imagePullPolicy }}
imagePullPolicy: {{ .Values.image.imagePullPolicy }}
{{- end }}
{{- with .Values.ha.manager.resources }}
resources: {{- toYaml . | nindent 12}}
{{- end }}
securityContext:
fsGroup: 2000
runAsNonRoot: true
runAsUser: 1000
terminationGracePeriodSeconds: 10
volumes:
- name: cert
secret:
defaultMode: 420
secretName: {{ include "hnc.fullname" . }}-webhook-server-cert
{{- with .Values.ha.manager.nodeSelector }}
nodeSelector: {{- toYaml . | nindent 8}}
{{- end }}
{{- with .Values.ha.manager.affinity }}
affinity: {{- toYaml . | nindent 8}}
{{- end }}
{{- with .Values.ha.manager.tolerations }}
tolerations: {{- toYaml . | nindent 8}}
{{- end }}
{{- end }}
{{- if .Values.ha.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
control-plane: controller-manager
name: {{ include "hnc.fullname" . }}-controller-manager-ha
namespace: {{ include "hnc.namespace" . }}
spec:
replicas: 3
selector:
matchLabels:
control-plane: controller-manager-ha
template:
metadata:
annotations:
prometheus.io/scrape: "true"
labels:
control-plane: controller-manager-ha
spec:
containers:
- args:
{{- if .Values.hrq.enabled }}
- --enable-hrq
{{- end }}
{{- if $hncIncludeNamespacesRegex}}
- --included-namespace-regex={{ $hncIncludeNamespacesRegex }}
{{- end }}
{{- range $hncExcludeNamespace := .Values.hncExcludeNamespaces}}
- --excluded-namespace={{ $hncExcludeNamespace }}
{{- end }}
- --webhook-server-port=9443
- --metrics-addr=:8080
- --max-reconciles=10
- --apiserver-qps-throttle=50
- --nopropagation-label=cattle.io/creator=norman
- --webhooks-only
command:
- /manager
image: {{ .Values.image.repository }}:{{ .Values.image.tag | default "hnc-manager:latest" }}
livenessProbe:
failureThreshold: 1
httpGet:
path: /healthz
port: 8081
periodSeconds: 10
name: manager
ports:
- containerPort: 9443
name: webhook-server
protocol: TCP
- containerPort: 8080
name: metrics
protocol: TCP
- containerPort: 8081
name: healthz
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
port: 8081
periodSeconds: 5
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
startupProbe:
failureThreshold: 100
httpGet:
path: /readyz
port: 8081
periodSeconds: 5
volumeMounts:
- mountPath: /tmp/k8s-webhook-server/serving-certs
name: cert
readOnly: true
{{- with .Values.imagePullPolicy }}
imagePullPolicy: {{ .Values.image.imagePullPolicy }}
{{- end }}
{{- with .Values.ha.manager.resources }}
resources: {{- toYaml . | nindent 12}}
{{- end }}
securityContext:
fsGroup: 2000
runAsNonRoot: true
runAsUser: 1000
terminationGracePeriodSeconds: 10
volumes:
- name: cert
secret:
defaultMode: 420
secretName: {{ include "hnc.fullname" . }}-webhook-server-cert
{{- with .Values.ha.manager.nodeSelector }}
nodeSelector: {{- toYaml . | nindent 8}}
{{- end }}
{{- with .Values.ha.manager.affinity }}
affinity: {{- toYaml . | nindent 8}}
{{- end }}
{{- with .Values.ha.manager.tolerations }}
tolerations: {{- toYaml . | nindent 8}}
{{- end }}
{{- end }}
Loading

0 comments on commit 8815241

Please sign in to comment.