Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for HelmLockerPolicy resources to allow admin to specify changes that are allowed #101

Open
aiyengar2 opened this issue May 8, 2022 · 0 comments
Open

Add support for HelmLockerPolicy resources to allow admin to specify changes that are allowed #101

aiyengar2 opened this issue May 8, 2022 · 0 comments
Labels
enhancement New feature or request package/helm-locker team/observability&backup

Comments

@aiyengar2
Copy link

If you have a Helm release deployed but you don't want Helm Locker to reconcile changes to certain resources (identified by GVK), certain subsets of the spec of those resources (e.g. .spec.containers to allow something like Istio to inject a sidecar), or you want certain patches to be applied (e.g. adding nodeSelectors and tolerations to all Workloads deployed by the Helm chart), you need the ability to specify these configurations and persist them to the cluster for Helm Locker to use.

HelmLockerPolicy is a proposed resource that would select a list of HelmReleases (by label selector) and modify the apply call made to the ObjectSet on behalf of the HelmRelease to add an apply.Patcher to it that does custom sanitization based on the reconcile action provided.

The example manifest deploying a HelmLockerPolicy would look something like this:

kind: HelmLockerPolicy
apiVersion: helm.cattle.io/v1alpha1
metadata:
  name: allow-partial-mutation-on-configmaps
  namespace: cattle-helm-system
spec:
  releaseSelector: # required, identifies which HelmRelease objects are selected by metav1.labelSelector. If not provided, this policy is a noop. This HelmLockerPolicy will only apply to HelmRelease CRs in the same namespace as itself.
    matchLabels:
      helm.cattle.io/configmaps: partially-mutable # example label to use
  policies:
  - apiVersion: v1 # required
    kind: ConfigMap # required
    name: my-config-map # optional, mutually exclusive with  .spec.policies[i].selector. If both are provided, this will be chosen.
    selector: # optional, mutually exclusive with .spec.policies[i].name
      matchLabels:
        myworkload: true
    apply: # optional, the map provided here will override the values provided in the manifest for all targeted resources before they are parsed into an ObjectSet. It will not be validated that these patches are valid on the targeted resource, but if they are invalid the HelmRelease that selects this will be marked with the status FailedToApplyPolicy. If multiple selected patchers try to modify the same field, the HelmRelease will also be marked FailedToApplyPolicy. If you need to modify a list, provide _i (e.g. _1, _2, etc.) as the key to the map to indicate changes to resources in that index.
      data:
        config: "hello: world"
    ignorePaths: # paths that should be ignored on reconciling changes
    - '.data.config' # marks a path on which changes made are ignored. Providing `.` here will mark all paths as ignored and will allow changes to occur, although the resource will still be watched and recreated on deletion
@aiyengar2 aiyengar2 added the enhancement New feature or request label May 8, 2022
@aiyengar2 aiyengar2 self-assigned this May 8, 2022
@mallardduck mallardduck transferred this issue from rancher/helm-locker Sep 25, 2024
@mallardduck mallardduck transferred this issue from rancher/helm-project-operator Oct 17, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request package/helm-locker team/observability&backup
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@mallardduck @aiyengar2 @MKlimuszka @jbiers