feat: add controller-manager and audit specific podLabels

Signed-off-by: Robert Bublik <[email protected]>
open-policy-agent · May 13, 2024 · 367d0b0 · 367d0b0
1 parent f0bb6b6
commit 367d0b0
Show file tree

Hide file tree

Showing 9 changed files with 54 additions and 5 deletions.
diff --git a/cmd/build/helmify/main.go b/cmd/build/helmify/main.go
@@ -132,19 +132,17 @@ func (ks *kindSet) Write() error {
  }
 
  if name == "gatekeeper-controller-manager" && kind == DeploymentKind {
+ obj = strings.Replace(obj, " labels:", " labels:\n {{- include \"gatekeeper.podLabels\" . | nindent 8 }}\n {{- include \"controllerManager.podLabels\" . | nindent 8 }}\n {{- include \"gatekeeper.commonLabels\" . | nindent 8 }}", 1)
  obj = strings.Replace(obj, " priorityClassName: system-cluster-critical", " {{- if .Values.controllerManager.priorityClassName }}\n priorityClassName: {{ .Values.controllerManager.priorityClassName }}\n {{- end }}", 1)
  }
 
  if name == "gatekeeper-audit" && kind == DeploymentKind {
  obj = "{{- if not .Values.disableAudit }}\n" + obj + "{{- end }}\n"
+ obj = strings.Replace(obj, " labels:", " labels:\n {{- include \"gatekeeper.podLabels\" . | nindent 8 }}\n {{- include \"audit.podLabels\" . | nindent 8 }}\n {{- include \"gatekeeper.commonLabels\" . | nindent 8 }}", 1)
  obj = strings.Replace(obj, " priorityClassName: system-cluster-critical", " {{- if .Values.audit.priorityClassName }}\n priorityClassName: {{ .Values.audit.priorityClassName }}\n {{- end }}", 1)
  obj = strings.Replace(obj, " - emptyDir: {}", " {{- if .Values.audit.writeToRAMDisk }}\n - emptyDir:\n medium: Memory\n {{ else }}\n - emptyDir: {}\n {{- end }}", 1)
  }
 
- if kind == DeploymentKind {
- obj = strings.Replace(obj, " labels:", " labels:\n {{- include \"gatekeeper.podLabels\" . | nindent 8 }}\n {{- include \"gatekeeper.commonLabels\" . | nindent 8 }}", 1)
- }
-
  if name == "gatekeeper-manager-role" && kind == "Role" {
  obj += "{{- with .Values.controllerManager.extraRules }}\n {{- toYaml . | nindent 0 }}\n{{- end }}\n"
  }

diff --git a/cmd/build/helmify/static/README.md b/cmd/build/helmify/static/README.md
@@ -177,6 +177,7 @@ information._
 | image.pullSecrets | Specify an array of imagePullSecrets | `[]` |
 | resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi |
 | nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` |
+| controllerManager.podLabels | The labels to add to the controller manager pod | `{}` |
 | controllerManager.affinity | The node affinity to use for controller manager pod scheduling | `{}` |
 | controllerManager.topologySpreadConstraints | The topology spread constraints to use for controller manager pod scheduling | `[]` |
 | controllerManager.tolerations | The tolerations to use for controller manager pod scheduling | `[]` |
@@ -198,6 +199,7 @@ information._
 | controllerManager.networkPolicy.enabled | Should a network policy for the controller manager be created | `false` |
 | controllerManager.networkPolicy.ingress | Additional ingress rules to be added to the controller manager network policy | `{}` |
 | controllerManager.strategyType | The strategy type to use for Controller Manager deployment | `RollingUpdate` |
+| audit.podLabels | The labels to add to the audit pod | `{}` |
 | audit.affinity | The node affinity to use for audit pod scheduling | `{}` |
 | audit.topologySpreadConstraints | The topology spread constraints to use for audit pod scheduling | `[]` |
 | audit.tolerations | The tolerations to use for audit pod scheduling | `[]` |

diff --git a/cmd/build/helmify/static/templates/_helpers.tpl b/cmd/build/helmify/static/templates/_helpers.tpl
@@ -40,6 +40,25 @@ Adds additional pod labels to the common ones
 {{- end }}
 {{- end -}}
 
+{{/*
+Adds additional controller-manager pod labels to the common ones
+*/}}
+{{- define "controllerManager.podLabels" -}}
+{{- if .Values.controllerManager.podLabels }}
+{{- toYaml .Values.controllerManager.podLabels }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Adds additional audit pod labels to the common ones
+*/}}
+{{- define "audit.podLabels" -}}
+{{- if .Values.audit.podLabels }}
+{{- toYaml .Values.audit.podLabels }}
+{{- end }}
+{{- end -}}
+
+
 {{/*
 Mandatory labels
 */}}

diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml
@@ -172,6 +172,7 @@ controllerManager:
  tlsMinVersion: 1.3
  clientCertName: ""
  strategyType: RollingUpdate
+ podLabels: {}
  affinity:
  podAntiAffinity:
  preferredDuringSchedulingIgnoredDuringExecution:
@@ -225,6 +226,7 @@ audit:
  livenessTimeout: 1
  priorityClassName: system-cluster-critical
  disableCertRotation: false
+ podLabels: {}
  affinity: {}
  tolerations: []
  nodeSelector: {kubernetes.io/os: linux}

diff --git a/manifest_staging/charts/gatekeeper/README.md b/manifest_staging/charts/gatekeeper/README.md
@@ -177,6 +177,7 @@ information._
 | image.pullSecrets | Specify an array of imagePullSecrets | `[]` |
 | resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi |
 | nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` |
+| controllerManager.podLabels | The labels to add to the controller manager pod | `{}` |
 | controllerManager.affinity | The node affinity to use for controller manager pod scheduling | `{}` |
 | controllerManager.topologySpreadConstraints | The topology spread constraints to use for controller manager pod scheduling | `[]` |
 | controllerManager.tolerations | The tolerations to use for controller manager pod scheduling | `[]` |
@@ -198,6 +199,7 @@ information._
 | controllerManager.networkPolicy.enabled | Should a network policy for the controller manager be created | `false` |
 | controllerManager.networkPolicy.ingress | Additional ingress rules to be added to the controller manager network policy | `{}` |
 | controllerManager.strategyType | The strategy type to use for Controller Manager deployment | `RollingUpdate` |
+| audit.podLabels | The labels to add to the audit pod | `{}` |
 | audit.affinity | The node affinity to use for audit pod scheduling | `{}` |
 | audit.topologySpreadConstraints | The topology spread constraints to use for audit pod scheduling | `[]` |
 | audit.tolerations | The tolerations to use for audit pod scheduling | `[]` |

diff --git a/manifest_staging/charts/gatekeeper/templates/_helpers.tpl b/manifest_staging/charts/gatekeeper/templates/_helpers.tpl
@@ -40,6 +40,25 @@ Adds additional pod labels to the common ones
 {{- end }}
 {{- end -}}
 
+{{/*
+Adds additional controller-manager pod labels to the common ones
+*/}}
+{{- define "controllerManager.podLabels" -}}
+{{- if .Values.controllerManager.podLabels }}
+{{- toYaml .Values.controllerManager.podLabels }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Adds additional audit pod labels to the common ones
+*/}}
+{{- define "audit.podLabels" -}}
+{{- if .Values.audit.podLabels }}
+{{- toYaml .Values.audit.podLabels }}
+{{- end }}
+{{- end -}}
+
+
 {{/*
 Mandatory labels
 */}}

diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml
@@ -35,6 +35,7 @@ spec:
  {{- end }}
  labels:
  {{- include "gatekeeper.podLabels" . | nindent 8 }}
+ {{- include "audit.podLabels" . | nindent 8 }}
  {{- include "gatekeeper.commonLabels" . | nindent 8 }}
  app: '{{ template "gatekeeper.name" . }}'
  chart: '{{ template "gatekeeper.name" . }}'

diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml
@@ -33,6 +33,7 @@ spec:
  {{- end }}
  labels:
  {{- include "gatekeeper.podLabels" . | nindent 8 }}
+ {{- include "controllerManager.podLabels" . | nindent 8 }}
  {{- include "gatekeeper.commonLabels" . | nindent 8 }}
  app: '{{ template "gatekeeper.name" . }}'
  chart: '{{ template "gatekeeper.name" . }}'

diff --git a/manifest_staging/charts/gatekeeper/values.yaml b/manifest_staging/charts/gatekeeper/values.yaml
@@ -153,7 +153,8 @@ preUninstall:
  runAsUser: 1000
 podAnnotations: {}
 auditPodAnnotations: {}
-podLabels: {}
+podLabels:
+ added-to-all: true
 podCountLimit: "100"
 secretAnnotations: {}
 enableRuntimeDefaultSeccompProfile: true
@@ -172,6 +173,8 @@ controllerManager:
  tlsMinVersion: 1.3
  clientCertName: ""
  strategyType: RollingUpdate
+ podLabels:
+ example.com: controller-manager
  affinity:
  podAntiAffinity:
  preferredDuringSchedulingIgnoredDuringExecution:
@@ -225,6 +228,8 @@ audit:
  livenessTimeout: 1
  priorityClassName: system-cluster-critical
  disableCertRotation: false
+ podLabels:
+ example.com: controller-manager
  affinity: {}
  tolerations: []
  nodeSelector: {kubernetes.io/os: linux}