feat: separate podlabels in controller-manager and audit deployment

Signed-off-by: Robert Bublik <[email protected]>
open-policy-agent · May 9, 2024 · 3b6e6b1 · 3b6e6b1
1 parent f0bb6b6
commit 3b6e6b1
Show file tree

Hide file tree

Showing 17 changed files with 40 additions and 26 deletions.
diff --git a/cmd/build/helmify/main.go b/cmd/build/helmify/main.go
@@ -132,19 +132,17 @@ func (ks *kindSet) Write() error {
  }
 
  if name == "gatekeeper-controller-manager" && kind == DeploymentKind {
+ obj = strings.Replace(obj, " labels:", " labels:\n {{- include \"controllerManager.podLabels\" . | nindent 8 }}\n {{- include \"gatekeeper.commonLabels\" . | nindent 8 }}", 1)
  obj = strings.Replace(obj, " priorityClassName: system-cluster-critical", " {{- if .Values.controllerManager.priorityClassName }}\n priorityClassName: {{ .Values.controllerManager.priorityClassName }}\n {{- end }}", 1)
  }
 
  if name == "gatekeeper-audit" && kind == DeploymentKind {
  obj = "{{- if not .Values.disableAudit }}\n" + obj + "{{- end }}\n"
+ obj = strings.Replace(obj, " labels:", " labels:\n {{- include \"audit.podLabels\" . | nindent 8 }}\n {{- include \"gatekeeper.commonLabels\" . | nindent 8 }}", 1)
  obj = strings.Replace(obj, " priorityClassName: system-cluster-critical", " {{- if .Values.audit.priorityClassName }}\n priorityClassName: {{ .Values.audit.priorityClassName }}\n {{- end }}", 1)
  obj = strings.Replace(obj, " - emptyDir: {}", " {{- if .Values.audit.writeToRAMDisk }}\n - emptyDir:\n medium: Memory\n {{ else }}\n - emptyDir: {}\n {{- end }}", 1)
  }
 
- if kind == DeploymentKind {
- obj = strings.Replace(obj, " labels:", " labels:\n {{- include \"gatekeeper.podLabels\" . | nindent 8 }}\n {{- include \"gatekeeper.commonLabels\" . | nindent 8 }}", 1)
- }
-
  if name == "gatekeeper-manager-role" && kind == "Role" {
  obj += "{{- with .Values.controllerManager.extraRules }}\n {{- toYaml . | nindent 0 }}\n{{- end }}\n"
  }

diff --git a/cmd/build/helmify/static/README.md b/cmd/build/helmify/static/README.md
@@ -177,6 +177,7 @@ information._
 | image.pullSecrets | Specify an array of imagePullSecrets | `[]` |
 | resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi |
 | nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` |
+| controllerManager.podLabels | The labels to add to the controller manager pod | `{}` |
 | controllerManager.affinity | The node affinity to use for controller manager pod scheduling | `{}` |
 | controllerManager.topologySpreadConstraints | The topology spread constraints to use for controller manager pod scheduling | `[]` |
 | controllerManager.tolerations | The tolerations to use for controller manager pod scheduling | `[]` |
@@ -198,6 +199,7 @@ information._
 | controllerManager.networkPolicy.enabled | Should a network policy for the controller manager be created | `false` |
 | controllerManager.networkPolicy.ingress | Additional ingress rules to be added to the controller manager network policy | `{}` |
 | controllerManager.strategyType | The strategy type to use for Controller Manager deployment | `RollingUpdate` |
+| audit.podLabels | The labels to add to the audit pod | `{}` |
 | audit.affinity | The node affinity to use for audit pod scheduling | `{}` |
 | audit.topologySpreadConstraints | The topology spread constraints to use for audit pod scheduling | `[]` |
 | audit.tolerations | The tolerations to use for audit pod scheduling | `[]` |
@@ -213,7 +215,6 @@ information._
 | audit.logLevel | The minimum log level for audit, takes precedence over `logLevel` when specified | `null` |
 | replicas | The number of Gatekeeper replicas to deploy for the webhook | `3` |
 | podAnnotations | The annotations to add to the Gatekeeper pods | `container.seccomp.security.alpha.kubernetes.io/manager: runtime/default` |
-| podLabels | The labels to add to the Gatekeeper pods | `{}` |
 | podCountLimit | The maximum number of Gatekeeper pods to run | `100` |
 | secretAnnotations | The annotations to add to the Gatekeeper secrets | `{}` |
 | pdb.controllerManager.minAvailable | The number of controller manager pods that must still be available after an eviction | `1` |

diff --git a/cmd/build/helmify/static/templates/_helpers.tpl b/cmd/build/helmify/static/templates/_helpers.tpl
@@ -32,14 +32,24 @@ Create chart name and version as used by the chart label.
 {{- end -}}
 
 {{/*
-Adds additional pod labels to the common ones
+Adds additional controller-manager pod labels to the common ones
 */}}
-{{- define "gatekeeper.podLabels" -}}
-{{- if .Values.podLabels }}
-{{- toYaml .Values.podLabels }}
+{{- define "controllerManager.podLabels" -}}
+{{- if .Values.controllerManager.podLabels }}
+{{- toYaml .Values.controllerManager.podLabels }}
 {{- end }}
 {{- end -}}
 
+{{/*
+Adds additional audit pod labels to the common ones
+*/}}
+{{- define "audit.podLabels" -}}
+{{- if .Values.audit.podLabels }}
+{{- toYaml .Values.audit.podLabels }}
+{{- end }}
+{{- end -}}
+
+
 {{/*
 Mandatory labels
 */}}

diff --git a/cmd/build/helmify/static/templates/namespace-post-install.yaml b/cmd/build/helmify/static/templates/namespace-post-install.yaml
@@ -20,7 +20,6 @@ spec:
  annotations:
  {{- toYaml .Values.podAnnotations | trim | nindent 8 }}
  labels:
- {{- include "gatekeeper.podLabels" . | nindent 8 }}
  {{- include "gatekeeper.mandatoryLabels" . | nindent 8 }}
  {{- include "gatekeeper.commonLabels" . | nindent 8 }}
  spec:

diff --git a/cmd/build/helmify/static/templates/namespace-post-upgrade.yaml b/cmd/build/helmify/static/templates/namespace-post-upgrade.yaml
@@ -18,7 +18,6 @@ spec:
  template:
  metadata:
  labels:
- {{- include "gatekeeper.podLabels" . | nindent 8 }}
  {{- include "gatekeeper.mandatoryLabels" . | nindent 8 }}
  {{- include "gatekeeper.commonLabels" . | nindent 8 }}
  spec:

diff --git a/cmd/build/helmify/static/templates/upgrade-crds-hook.yaml b/cmd/build/helmify/static/templates/upgrade-crds-hook.yaml
@@ -78,7 +78,6 @@ spec:
  annotations:
  {{- toYaml .Values.podAnnotations | trim | nindent 8 }}
  labels:
- {{- include "gatekeeper.podLabels" . | nindent 8 }}
  {{- include "gatekeeper.mandatoryLabels" . | nindent 8 }}
  {{- include "gatekeeper.commonLabels" . | nindent 8 }}
  spec:

diff --git a/cmd/build/helmify/static/templates/webhook-configs-pre-delete.yaml b/cmd/build/helmify/static/templates/webhook-configs-pre-delete.yaml
@@ -17,7 +17,6 @@ spec:
  annotations:
  {{- toYaml .Values.podAnnotations | trim | nindent 8 }}
  labels:
- {{- include "gatekeeper.podLabels" . | nindent 8 }}
  {{- include "gatekeeper.mandatoryLabels" . | nindent 8 }}
  {{- include "gatekeeper.commonLabels" . | nindent 8 }}
  spec:

diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml
@@ -153,7 +153,6 @@ preUninstall:
  runAsUser: 1000
 podAnnotations: {}
 auditPodAnnotations: {}
-podLabels: {}
 podCountLimit: "100"
 secretAnnotations: {}
 enableRuntimeDefaultSeccompProfile: true
@@ -172,6 +171,7 @@ controllerManager:
  tlsMinVersion: 1.3
  clientCertName: ""
  strategyType: RollingUpdate
+ podLabels: {}
  affinity:
  podAntiAffinity:
  preferredDuringSchedulingIgnoredDuringExecution:
@@ -225,6 +225,7 @@ audit:
  livenessTimeout: 1
  priorityClassName: system-cluster-critical
  disableCertRotation: false
+ podLabels: {}
  affinity: {}
  tolerations: []
  nodeSelector: {kubernetes.io/os: linux}