feat: add scheduling values (#396)

* chore(makefile): improve helm-testing makes

Signed-off-by: Oliver Bähler <[email protected]>

* feat(helm): add scheduling values

Signed-off-by: Oliver Bähler <[email protected]>

---------

Signed-off-by: Oliver Bähler <[email protected]>

Author: oliverbaehler

Makefile

@@ -103,17 +103,18 @@ helm-docs: docker
 helm-lint: docker
 	@docker run -v "$(SRC_ROOT):/workdir" --entrypoint /bin/sh quay.io/helmpack/chart-testing:v3.3.1 -c "cd /workdir; ct lint --config .github/configs/ct.yaml --lint-conf .github/configs/lintconf.yaml --all --debug"
 
-helm-test: helm-controller-version kind ct ko-build-all
-	@kind create cluster --wait=60s --name capsule-charts
-	@kind load docker-image --name capsule-charts $(CAPSULE_PROXY_IMG):$(VERSION)
-	@kubectl create ns capsule-system
-	@make helm-install
+helm-test: helm-controller-version kind ct ko-build-all helm-create helm-install helm-destroy
 
 helm-install:
 	@kubectl apply --server-side=true -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.2/cert-manager.yaml
 	@make install-capsule
 	@kubectl apply --server-side=true -f https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.58.0/bundle.yaml
-	@ct install --config $(SRC_ROOT)/.github/configs/ct.yaml --namespace=capsule-system --all --debug
+	@$(CT) install --config $(SRC_ROOT)/.github/configs/ct.yaml --namespace=capsule-system --all --debug
+
+helm-create:
+	@kind create cluster --wait=60s --name capsule-charts
+	@kind load docker-image --name capsule-charts $(CAPSULE_PROXY_IMG):$(VERSION)
+	@kubectl create ns capsule-system
 
 helm-destroy:
 	@kind delete cluster --name capsule-charts

charts/capsule-proxy/README.md

@@ -62,6 +62,7 @@ If you only need to make minor customizations, you can specify them on the comma
 |-----|------|---------|-------------|
 | affinity | object | `{}` | Set affinity rules for the capsule-proxy pod. |
 | certManager.certificate.dnsNames | list | `[]` | Additional DNS Names to include in certificate |
+| certManager.certificate.includeInternalServiceNames | bool | `true` | Include internal service names in certificate (disable if you create a public cert) |
 | certManager.certificate.ipAddresses | list | `[]` | Additional IP Addresses to include in certificate |
 | certManager.certificate.uris | list | `[]` | Additional URIs to include in certificate |
 | certManager.externalCA.enabled | bool | `false` | Set if want cert manager to sign certificates with an external CA |
@@ -71,18 +72,25 @@ If you only need to make minor customizations, you can specify them on the comma
 | certManager.issuer.name | string | `""` | Set the name of the ClusterIssuer if issuer kind is ClusterIssuer and if cert manager will generate CA signed SSL certificates |
 | daemonset.hostNetwork | bool | `false` | Use the host network namespace for capsule-proxy pod. |
 | daemonset.hostPort | bool | `false` | Binding the capsule-proxy listening port to the host port. |
+| hostNetwork | bool | `false` | When deployed as DaemonSet use |
 | image.pullPolicy | string | `"IfNotPresent"` | Set the image pull policy. |
 | image.registry | string | `"ghcr.io"` | Set the image registry for capsule-proxy |
 | image.repository | string | `"projectcapsule/capsule-proxy"` | Set the image repository for capsule-proxy. |
 | image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. |
 | imagePullSecrets | list | `[]` | Configuration for `imagePullSecrets` so that you can use a private images registry. |
+| jobs.affinity | object | `{}` | Set affinity rules |
 | jobs.annotations | object | `{}` | Annotations to add to the certgen job. |
 | jobs.certs.pullPolicy | string | `"IfNotPresent"` | Set the image pull policy of the post install certgen job |
 | jobs.certs.registry | string | `"docker.io"` | Set the image repository of the post install certgen job |
 | jobs.certs.repository | string | `"jettech/kube-webhook-certgen"` | Set the image repository of the post install certgen job |
 | jobs.certs.tag | string | `"v1.3.0"` | Set the image tag of the post install certgen job |
+| jobs.nodeSelector | object | `{}` | Set the node selector |
 | jobs.podSecurityContext | object | `{"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the job pods. |
+| jobs.priorityClassName | string | `""` | Set a pod priorityClassName |
+| jobs.restartPolicy | string | `"Never"` | Set the restartPolicy |
 | jobs.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":1002,"runAsNonRoot":true,"runAsUser":1002}` | Security context for the job containers. |
+| jobs.tolerations | list | `[]` | Set list of tolerations |
+| jobs.topologySpreadConstraints | list | `[]` | Set Topology Spread Constraints |
 | jobs.ttlSecondsAfterFinished | int | `60` | Sets the ttl in seconds after a finished certgen job is deleted. Set to -1 to never delete. |
 | kind | string | `"Deployment"` | Set the deployment mode of the capsule-proxy as `Deployment` or `DaemonSet`. |
 | nodeSelector | object | `{}` | Set the node selector for the capsule-proxy pod. |

charts/capsule-proxy/ci/ds-values.yaml

@@ -45,6 +45,16 @@ tolerations:
     operator: Exists
   - effect: NoSchedule
     key: node-role.kubernetes.io/master
+affinity:
+  nodeAffinity:
+    preferredDuringSchedulingIgnoredDuringExecution:
+    - weight: 1
+      preference:
+        matchExpressions:
+        - key: another-node-label-key
+          operator: In
+          values:
+          - another-node-label-value
 # Ingress
 ingress:
   enabled: true
@@ -59,3 +69,29 @@ ingress:
 # ServiceMonitor
 serviceMonitor:
   enabled: true
+jobs:
+  affinity:
+    nodeAffinity:
+      preferredDuringSchedulingIgnoredDuringExecution:
+      - weight: 1
+        preference:
+          matchExpressions:
+          - key: another-node-label-key
+            operator: In
+            values:
+            - another-node-label-value
+  topologySpreadConstraints:
+    - maxSkew: 1
+      topologyKey: kubernetes.io/hostname
+      whenUnsatisfiable: ScheduleAnyway
+      labelSelector:
+        matchLabels:
+          app.kubernetes.io/name: capsule-proxy
+  priorityClassName: "system-node-critical"
+  nodeSelector:
+    node-role.kubernetes.io/master: ""
+  tolerations:
+    - key: CriticalAddonsOnly
+      operator: Exists
+    - effect: NoSchedule
+      key: node-role.kubernetes.io/master

charts/capsule-proxy/templates/certgen-job.yaml

@@ -19,11 +19,30 @@ spec:
       labels:
         {{- include "capsule-proxy.selectorLabels" . | nindent 8 }}
     spec:
-      restartPolicy: Never
+      restartPolicy: {{ $.Values.jobs.restartPolicy }}
       {{- with $.Values.jobs.podSecurityContext }}
       securityContext:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.jobs.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.jobs.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.jobs.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.jobs.topologySpreadConstraints }}
+      topologySpreadConstraints: 
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.jobs.priorityClassName }}
+      priorityClassName: {{ . }}
+      {{- end }}
       containers:
       - name: post-install-job
         image: {{ include "capsule.jobs.certsFullyQualifiedDockerImage" $ }}

charts/capsule-proxy/templates/certmanager.yaml

@@ -48,8 +48,10 @@ spec:
   {{- range $dns := .Values.certManager.certificate.dnsNames }}
   - {{ $dns }}
   {{- end }}
+  {{- if $.Values.certManager.certificate.includeInternalServiceNames }}
   - {{ include "capsule-proxy.fullname" . }}
   - {{ include "capsule-proxy.fullname" . }}.{{ .Release.Namespace }}.svc
+  {{- end }}
   {{- with .Values.certManager.certificate.ipAddresses }}
   ipAddresses:
     {{- range $ip := . }}