From 1f04bf090e6b5b321d5f7f98ca120f6050bdcc20 Mon Sep 17 00:00:00 2001 From: "mark.lynch" Date: Fri, 14 Mar 2025 10:31:07 +1000 Subject: [PATCH 1/8] charts from https://github.com/afreyermuth98/kubernetes-node-specific-sizing/tree/evol/helm-chart --- charts/node-specific-sizing/.helmignore | 23 ++++++ charts/node-specific-sizing/Chart.yaml | 6 ++ .../templates/_helpers.tpl | 81 +++++++++++++++++++ .../node-specific-sizing/templates/_pod.tpl | 24 ++++++ .../templates/clusterrole.yaml | 24 ++++++ .../templates/clusterrolebinding.yaml | 24 ++++++ .../templates/deployment.yaml | 21 +++++ .../templates/mutatingadmissionwebhook.yaml | 27 +++++++ .../templates/service.yaml | 37 +++++++++ .../templates/serviceaccount.yaml | 16 ++++ .../templates/tests/test-connection.yaml | 15 ++++ charts/node-specific-sizing/values.yaml | 27 +++++++ 12 files changed, 325 insertions(+) create mode 100644 charts/node-specific-sizing/.helmignore create mode 100644 charts/node-specific-sizing/Chart.yaml create mode 100644 charts/node-specific-sizing/templates/_helpers.tpl create mode 100644 charts/node-specific-sizing/templates/_pod.tpl create mode 100644 charts/node-specific-sizing/templates/clusterrole.yaml create mode 100644 charts/node-specific-sizing/templates/clusterrolebinding.yaml create mode 100644 charts/node-specific-sizing/templates/deployment.yaml create mode 100644 charts/node-specific-sizing/templates/mutatingadmissionwebhook.yaml create mode 100644 charts/node-specific-sizing/templates/service.yaml create mode 100644 charts/node-specific-sizing/templates/serviceaccount.yaml create mode 100644 charts/node-specific-sizing/templates/tests/test-connection.yaml create mode 100644 charts/node-specific-sizing/values.yaml diff --git a/charts/node-specific-sizing/.helmignore b/charts/node-specific-sizing/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null +++ b/charts/node-specific-sizing/.helmignore 
@@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/node-specific-sizing/Chart.yaml b/charts/node-specific-sizing/Chart.yaml new file mode 100644 index 0000000..2b86a10 --- /dev/null +++ b/charts/node-specific-sizing/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v2 +name: node-specific-sizing +description: A Helm chart for Kubernetes +type: application +version: 0.1.0 +appVersion: "1.16.0" diff --git a/charts/node-specific-sizing/templates/_helpers.tpl b/charts/node-specific-sizing/templates/_helpers.tpl new file mode 100644 index 0000000..eec0d81 --- /dev/null +++ b/charts/node-specific-sizing/templates/_helpers.tpl 
@@ -0,0 +1,81 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "node-specific-sizing.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "node-specific-sizing.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "node-specific-sizing.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "node-specific-sizing.labels" -}} +helm.sh/chart: {{ include "node-specific-sizing.chart" . }} +{{ include "node-specific-sizing.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "node-specific-sizing.selectorLabels" -}} +app.kubernetes.io/name: {{ include "node-specific-sizing.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "node-specific-sizing.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "node-specific-sizing.fullname" .) 
.Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Allow the release namespace to be overridden for multi-namespace deployments in combined charts
+*/}}
+{{- define "node-specific-sizing.namespace" -}}
+{{- if .Values.namespaceOverride }}
+{{- .Values.namespaceOverride }}
+{{- else }}
+{{- .Release.Namespace }}
+{{- end }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "node-specific-sizing.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "node-specific-sizing.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/node-specific-sizing/templates/_pod.tpl b/charts/node-specific-sizing/templates/_pod.tpl
new file mode 100644
index 0000000..5a3be07
--- /dev/null
+++ b/charts/node-specific-sizing/templates/_pod.tpl
@@ -0,0 +1,24 @@
+{{- define "node-specific-sizing.pod" -}}
+serviceAccountName: {{ include "node-specific-sizing.serviceAccountName" . }}
+terminationGracePeriodSeconds: 10
+containers:
+ - name: {{ .Chart.Name }}
+ image: {{ .Values.image.registry }}/{{ .Values.image.tag }}@sha256:{{ .Values.image.sha256 }}
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ volumeMounts:
+ - mountPath: /tmp/k8s-webhook-server/serving-certs
+ name: cert
+ readOnly: true
+ securityContext:
+ runAsNonRoot: true
+ volumes:
+ - name: cert
+ secret:
+ defaultMode: 420
+ secretName: node-specific-sizing-cert
+{{- end }}
\ No newline at end of file
diff --git a/charts/node-specific-sizing/templates/clusterrole.yaml b/charts/node-specific-sizing/templates/clusterrole.yaml
new file mode 100644
index 0000000..dd1790c
--- /dev/null
+++ b/charts/node-specific-sizing/templates/clusterrole.yaml
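Review bot: The container `securityContext` in `_pod.tpl` stops at `runAsNonRoot: true`, so the webhook pod can still gain privileges, write its root filesystem and keep every default capability; for a cluster-wide mutating admission controller this should be the restricted baseline (the only path it visibly needs is the read-only cert mount, so `readOnlyRootFilesystem: true` should be safe unless the binary writes elsewhere — worth confirming). The image reference is assembled from `.Values.image.registry`, `.Values.image.tag` and `.Values.image.sha256`, but the values.yaml added in this same patch only defines `image.sha`, so the rendered reference ends in a bare `@sha256:` and will not pull. `secretName: node-specific-sizing-cert` is also hard-coded and will not follow a renamed release.
```yaml
    securityContext:
      runAsNonRoot: true
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
      seccompProfile:
        type: RuntimeDefault
```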
@@ -0,0 +1,24 @@
+{{- if and .Values.rbac.create (or (not .Values.rbac.namespaced) .Values.rbac.extraClusterRoleRules) (not .Values.rbac.useExistingClusterRole) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ {{ - include "node-specific-sizing.labels" . | nindent 4 }}
+ {{- with .Values.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ name: {{ include "node-specific-sizing.fullname" . }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+ - list
+ - watch
+ {{- with .Values.rbac.extraClusterRoleRules }}
+ {{- toYaml . | nindent 2 }}
+ {{- end}}
+{{- end }}
\ No newline at end of file
diff --git a/charts/node-specific-sizing/templates/clusterrolebinding.yaml b/charts/node-specific-sizing/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000..5388d55
--- /dev/null
+++ b/charts/node-specific-sizing/templates/clusterrolebinding.yaml
@@ -0,0 +1,24 @@
+{{- if and .Values.rbac.create (or (not .Values.rbac.namespaced) .Values.rbac.extraClusterRoleRules) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "node-specific-sizing.fullname" . }}
+ labels:
+ {{ - include "node-specific-sizing.labels" . | nindent 4 }}
+ {{- with .Values.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ {{- if .Values.rbac.useExistingClusterRole }}
+ name: {{ .Values.rbac.useExistingClusterRole }}
+ {{- else }}
+ name: {{ include "node-specific-sizing.fullname" . }}
+ {{- end }}
+subjects:
+- kind: ServiceAccount
+ name: {{ include "node-specific-sizing.serviceAccountName" . }}
+ namespace: {{ include "node-specific-sizing.namespace" . }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/node-specific-sizing/templates/deployment.yaml b/charts/node-specific-sizing/templates/deployment.yaml
new file mode 100644
index 0000000..4f6ab03
--- /dev/null
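Review bot: `{{ - include "node-specific-sizing.labels" . | nindent 4 }}` under `labels:` is not the trim marker `{{-`; with the space in between, Go's template lexer reads the detached `-` as the start of a number and the file should fail to parse, so neither this ClusterRole nor the clusterrolebinding.yaml that repeats the same line will render. Change it to `{{- include "node-specific-sizing.labels" . | nindent 4 }}`. The `rbac.extraClusterRoleRules` passthrough is appended verbatim into a cluster-scoped role, which is acceptable for an operator-owned values file but deserves a comment in values.yaml stating that anything listed there becomes a cluster-wide grant to the webhook's service account.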
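Review bot: The binding's subject is `node-specific-sizing.serviceAccountName`, which falls back to the literal `default` service account whenever `.Values.serviceAccount.create` is false or unset — and the values.yaml in this patch never sets it. With `rbac.create: true` the binding then grants `nodes` get/list/watch to every pod in the release namespace that runs under the `default` account, not just the controller. Either set `serviceAccount.create: true` in values.yaml or wrap the binding in `{{- if .Values.serviceAccount.create }}` so the ClusterRole is only ever bound to the chart-owned account.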
+++ b/charts/node-specific-sizing/templates/deployment.yaml
@@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "node-specific-sizing.fullname" . }}
+ labels:
+ {{- include "node-specific-sizing.labels" . | nindent 4 }}
+ {{- if .Values.deployment.annotations }}
+ annotations:
+ {{- toYaml .Values.deployment.annotations | nindent 4 }}
+spec:
+ replicas: {{ .Values.deployment.replicas }}
+ selector:
+ matchLabels:
+ app: {{- include "node-specific-sizing.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ labels:
+ {{- include "node-specific-sizing.labels" . | nindent 4 }}
+ spec:
+ {{- include "node-specific-sizing.pod" . | nindent 6 }}
+
\ No newline at end of file
diff --git a/charts/node-specific-sizing/templates/mutatingadmissionwebhook.yaml b/charts/node-specific-sizing/templates/mutatingadmissionwebhook.yaml
new file mode 100644
index 0000000..c62e98e
--- /dev/null
+++ b/charts/node-specific-sizing/templates/mutatingadmissionwebhook.yaml
@@ -0,0 +1,27 @@
+kind: MutatingWebhookConfiguration
+apiVersion: admissionregistration.k8s.io/v1
+metadata:
+ name: {{ include "node-specific-sizing.fullname" . }}
+ annotations:
+ cert-manager.io/inject-ca-from: kube-system/{{ include "node-specific-sizing.fullname" . }}
+webhooks:
+ - name: {{ include "node-specific-sizing.fullname" . }}.svc.cluster.local
+ objectSelector:
+ matchLabels:
+ node-specific-sizing.manomano.tech/enabled: "true"
+ admissionReviewVersions: [ "v1" ]
+ sideEffects: None
+ failurePolicy: Ignore
+ timeoutSeconds: 1
+ clientConfig:
+ service:
+ namespace: kube-system
+ name: {{ include "node-specific-sizing.fullname" . }}
+ path: /mutate
+ rules:
+ - apiGroups: [""]
+ apiVersions: ["v1"]
+ resources: ["pods"]
+ operations: ["CREATE"]
+ scope: Namespaced
+
diff --git a/charts/node-specific-sizing/templates/service.yaml b/charts/node-specific-sizing/templates/service.yaml
new file mode 100644
index 0000000..95c72b6
--- /dev/null
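Review bot: `{{- if .Values.deployment.annotations }}` has no matching `{{- end }}`, so the Deployment template cannot parse, and `.Values.deployment` is not declared in values.yaml at all. Below it, `app: {{- include "node-specific-sizing.selectorLabels" . | nindent 6 }}` nests the selector labels under a spurious `app` key and the pod template labels use `nindent 4` where the `labels:` mapping sits at 6, so even once the parse error is fixed the selector will not match its own pods. Replace the selector body with `matchLabels:` followed directly by `{{- include "node-specific-sizing.selectorLabels" . | nindent 6 }}`, and indent the template labels with `nindent 8`.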
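Review bot: `failurePolicy: Ignore` together with `timeoutSeconds: 1` makes this mutating webhook fail open: any TLS, CA-injection or latency problem on the server results in pods being admitted unmutated with nothing visible to the caller, which for a resource-sizing webhook means DaemonSet pods silently land with the wrong requests and limits. If fail-open is the intended availability trade-off, record it in a comment next to the field and raise the timeout; otherwise `failurePolicy: Fail` is safe here because `objectSelector` limits the webhook to pods that explicitly opt in with the `node-specific-sizing.manomano.tech/enabled` label. `clientConfig.service.namespace` and `inject-ca-from` are both hard-coded to `kube-system` and point at a Certificate this chart does not create, so the chart only works when installed there; use `{{ include "node-specific-sizing.namespace" . }}` for both.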
+++ b/charts/node-specific-sizing/templates/service.yaml
@@ -0,0 +1,37 @@
+{{- if .Values.service.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "node-specific-sizing.fullname" . }}
+ namespace: {{ include "node-specific-sizing.namespace" . }}
+ labels:
+ {{- include "node-specific-sizing.labels" . | nindent 4 }}
+spec:
+ {{- if (or (eq .Values.service.type "ClusterIP") (empty .Values.service.type)) }}
+ type: ClusterIP
+ {{- with .Values.service.clusterIP }}
+ clusterIP: {{ . }}
+ {{- end }}
+ {{- else if eq .Values.service.type "LoadBalancer" }}
+ type: LoadBalancer
+ {{- with .Values.service.loadBalancerIP }}
+ loadBalancerIP: {{ . }}
+ {{- end }}
+ {{- with .Values.service.loadBalancerClass }}
+ loadBalancerClass: {{ . }}
+ {{- end }}
+ {{- with .Values.service.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- else }}
+ type: {{ .Values.service.type }}
+ {{- end }}
+ ports:
+ - port: {{ .Values.service.port }}
+ targetPort: {{ .Values.service.targetPort }}
+ protocol: TCP
+ name: {{ .Values.service.portName }}
+ selector:
+ {{- include "node-specific-sizing.selectorLabels" . | nindent 4 }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/node-specific-sizing/templates/serviceaccount.yaml b/charts/node-specific-sizing/templates/serviceaccount.yaml
new file mode 100644
index 0000000..9956817
--- /dev/null
+++ b/charts/node-specific-sizing/templates/serviceaccount.yaml
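Review bot: This Service fronts an admission webhook that only the API server should ever reach, yet the template accepts `service.type: LoadBalancer` (with `loadBalancerIP`, `loadBalancerClass` and source ranges) and, via the final `else`, any other type such as `NodePort`, exposing `/mutate` outside the cluster for no operational gain. Keep it a plain ClusterIP Service and drop the other branches, or document in values.yaml why an admission endpoint would ever need external exposure. None of `service.enabled`, `service.type`, `service.port`, `service.targetPort` or `service.portName` exist in the values.yaml added in this patch, so by default the file renders nothing, and a user who sets only `service.enabled` gets a Service with empty port fields.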
@@ -0,0 +1,16 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.serviceAccount.autoMount }}
+metadata:
+ name: {{ include "node-specific-sizing.serviceAccountName" . }}
+ labels:
+ {{- include "node-specific-sizing.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/node-specific-sizing/templates/tests/test-connection.yaml b/charts/node-specific-sizing/templates/tests/test-connection.yaml
new file mode 100644
index 0000000..4a8d485
--- /dev/null
+++ b/charts/node-specific-sizing/templates/tests/test-connection.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{ include "node-specific-sizing.fullname" . }}-test-connection"
+ labels:
+ {{- include "knss.labels" . | nindent 4 }}
+ annotations:
+ "helm.sh/hook": test
+spec:
+ containers:
+ - name: wget
+ image: busybox
+ command: ['wget']
+ args: ['{{ include "knss.fullname" . }}:{{ .Values.service.port }}']
+ restartPolicy: Never
diff --git a/charts/node-specific-sizing/values.yaml b/charts/node-specific-sizing/values.yaml
new file mode 100644
index 0000000..7f18ede
--- /dev/null
+++ b/charts/node-specific-sizing/values.yaml
@@ -0,0 +1,27 @@
+
+global:
+ imageRegistry: docker.io
+
+image:
+ sha: ""
+
+annotations: {}
+
+rbac:
+ create: true
+ ## Use an existing ClusterRole/Role (depending on rbac.namespaced false/true)
+ # useExistingRole: name-of-some-role
+ # useExistingClusterRole: name-of-some-clusterRole
+ extraClusterRoleRules: []
+ # - apiGroups: []
+ # resources: []
+ # verbs: []
+
+## Override the deployment namespace
+##
+namespaceOverride: ""
+
+serviceAccount:
+ autoMount: true
+ labels: {}
+ annotations: {}
\ No newline at end of file
From ab855cdecea9112dac85e7d397f3cc129b6e5fec Mon Sep 17 00:00:00 2001
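Review bot: The test pod includes `knss.labels` and `knss.fullname`, neither of which is defined in `_helpers.tpl` (every helper there is `node-specific-sizing.*`), so `helm test` fails at render time. It also runs `image: busybox` with no tag or digest, i.e. a floating `latest` from Docker Hub — pin it to a tag or, better, a digest. The probe is a plain `wget` of `{{ include "knss.fullname" . }}:{{ .Values.service.port }}`, which, given the serving-cert mount in `_pod.tpl`, appears to be a TLS-only endpoint and so can only ever fail; either probe over HTTPS with an expectation that matches the server or drop the test rather than ship one that is always red.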
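Review bot: values.yaml does not match the templates that consume it: `_pod.tpl` reads `image.registry`, `image.tag`, `image.sha256` and `image.pullPolicy` while only `image.sha` is defined here, and `deployment.replicas`, `deployment.annotations`, `service.*` and `serviceAccount.create` are not declared at all, so the chart cannot render with its own defaults. Because `serviceAccount.create` is unset, `node-specific-sizing.serviceAccountName` resolves to `default` and the ClusterRoleBinding hands node read access to the namespace's default account. Add the missing keys with `serviceAccount.create: true` and a digest-pinned image, and consider a `values.schema.json` so an empty digest fails `helm install` instead of rendering a bare `@sha256:`.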
From: "mark.lynch" Date: Fri, 14 Mar 2025 16:36:23 +1000 Subject: [PATCH 2/8] helm chart stuff --- .gitignore | 1 + charts/node-specific-sizing/Chart.yaml | 11 ++- .../templates/_helpers.tpl | 33 ++++---- .../node-specific-sizing/templates/_pod.tpl | 24 ------ .../templates/clusterrole.yaml | 18 ++--- .../templates/clusterrolebinding.yaml | 23 ++---- .../templates/deployment.yaml | 42 +++++++--- .../templates/mutatingadmissionwebhook.yaml | 14 ++-- .../templates/selfsigned-issuer.yaml | 16 ++++ .../templates/service.yaml | 38 +++------ .../templates/serviceaccount.yaml | 16 ++-- .../templates/serving-cert.yaml | 22 +++++ charts/node-specific-sizing/values.yaml | 42 +++++----- deploy/certmanager.yaml | 49 +++++------ deploy/clusterrolebinding.yaml | 2 +- deploy/deployment.yaml | 9 ++- deploy/kustomization.yaml | 7 +- deploy/mutatingadmissionwebhook.yaml | 4 +- sleep-daemonset.yaml | 81 +++++++++++++++++++ 19 files changed, 265 insertions(+), 187 deletions(-) delete mode 100644 charts/node-specific-sizing/templates/_pod.tpl create mode 100644 charts/node-specific-sizing/templates/selfsigned-issuer.yaml create mode 100644 charts/node-specific-sizing/templates/serving-cert.yaml create mode 100644 sleep-daemonset.yaml diff --git a/.gitignore b/.gitignore index 2e8160e..21f2d31 100644 --- a/.gitignore +++ b/.gitignore @@ -20,3 +20,4 @@ build/_output bin/kustomize bin/node-specific-sizing deploy.yaml +build.yaml diff --git a/charts/node-specific-sizing/Chart.yaml b/charts/node-specific-sizing/Chart.yaml index 2b86a10..a291a0d 100644 --- a/charts/node-specific-sizing/Chart.yaml +++ b/charts/node-specific-sizing/Chart.yaml 
@@ -1,6 +1,13 @@ apiVersion: v2 name: node-specific-sizing -description: A Helm chart for Kubernetes +description: A Kubernetes controller that helps resize pods created by a DaemonSet depending on the amount of allocatable resources present on the node. type: application version: 0.1.0 -appVersion: "1.16.0" +appVersion: "0.1.0" + +dependencies: + - name: cert-manager + repository: https://charts.jetstack.io + condition: certmanager.enabled + alias: certmanager + version: "v1.15.3" diff --git a/charts/node-specific-sizing/templates/_helpers.tpl b/charts/node-specific-sizing/templates/_helpers.tpl index eec0d81..b84cf39 100644 --- a/charts/node-specific-sizing/templates/_helpers.tpl +++ b/charts/node-specific-sizing/templates/_helpers.tpl @@ -1,7 +1,7 @@ {{/* Expand the name of the chart. */}} -{{- define "node-specific-sizing.name" -}} +{{- define "chart.name" -}} {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} {{- end }} @@ -10,7 +10,7 @@ Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). If release name contains chart name it will be used as a full name. */}} -{{- define "node-specific-sizing.fullname" -}} +{{- define "chart.fullname" -}} {{- if .Values.fullnameOverride }} {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} {{- else }} 
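Review bot: The helpers are renamed to the generic `chart.name`, `chart.fullname`, `chart.labels` and friends; Helm named templates share one global namespace across a chart and all of its subcharts, so any subchart (cert-manager is added as a dependency in this same patch) or parent chart that defines a template with the same generic name silently overrides, or is overridden by, these, with whichever is loaded last winning. Prefixing the defines with the chart name, as the originals did, avoids that collision; a comment above the first define recording that choice would keep the next rename from reintroducing it.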
@@ -23,19 +23,21 @@ If release name contains chart name it will be used as a full name. {{- end }} {{- end }} + {{/* Create chart name and version as used by the chart label. */}} -{{- define "node-specific-sizing.chart" -}} +{{- define "chart.chart" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} {{- end }} + {{/* Common labels */}} -{{- define "node-specific-sizing.labels" -}} -helm.sh/chart: {{ include "node-specific-sizing.chart" . }} -{{ include "node-specific-sizing.selectorLabels" . }} +{{- define "chart.labels" -}} +helm.sh/chart: {{ include "chart.chart" . }} +{{ include "chart.selectorLabels" . }} {{- if .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} @@ -45,17 +47,18 @@ app.kubernetes.io/managed-by: {{ .Release.Service }} {{/* Selector labels */}} -{{- define "node-specific-sizing.selectorLabels" -}} -app.kubernetes.io/name: {{ include "node-specific-sizing.name" . }} +{{- define "chart.selectorLabels" -}} +app.kubernetes.io/name: {{ include "chart.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/part-of: "node-specific-sizing" {{- end }} {{/* Create the name of the service account to use */}} -{{- define "node-specific-sizing.serviceAccountName" -}} +{{- define "chart.serviceAccountName" -}} {{- if .Values.serviceAccount.create }} -{{- default (include "node-specific-sizing.fullname" .) .Values.serviceAccount.name }} +{{- default (include "chart.fullname" .) .Values.serviceAccount.name }} {{- else }} {{- default "default" .Values.serviceAccount.name }} {{- end }} 
@@ -64,18 +67,10 @@ Create the name of the service account to use {{/* Allow the release namespace to be overridden for multi-namespace deployments in combined charts */}} -{{- define "node-specific-sizing.namespace" -}} +{{- define "chart.namespace" -}} {{- if .Values.namespaceOverride }} {{- .Values.namespaceOverride }} {{- else }} {{- .Release.Namespace }} {{- end }} {{- end }} - -{{/* -Selector labels -*/}} -{{- define "node-specific-sizing.selectorLabels" -}} -app.kubernetes.io/name: {{ include "node-specific-sizing.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} \ No newline at end of file diff --git a/charts/node-specific-sizing/templates/_pod.tpl b/charts/node-specific-sizing/templates/_pod.tpl deleted file mode 100644 index 5a3be07..0000000 --- a/charts/node-specific-sizing/templates/_pod.tpl +++ /dev/null @@ -1,24 +0,0 @@ -{{- define "node-specific-sizing.pod" -}} -serviceAccountName: {{ include "node-specific-sizing.serviceAccountName" . }} -terminationGracePeriodSeconds: 10 -containers: - - name: {{ .Chart.Name }} - image: {{ .Values.image.registry }}/{{ .Values.image.tag }}@sha256:{{ .Values.image.sha256 }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - securityContext: - runAsNonRoot: true - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: node-specific-sizing-cert -{{- end }} \ No newline at end of file diff --git a/charts/node-specific-sizing/templates/clusterrole.yaml b/charts/node-specific-sizing/templates/clusterrole.yaml index dd1790c..30e9137 100644 --- a/charts/node-specific-sizing/templates/clusterrole.yaml +++ b/charts/node-specific-sizing/templates/clusterrole.yaml 
@@ -1,14 +1,10 @@ -{{- if and .Values.rbac.create (or (not .Values.rbac.namespaced) .Values.rbac.extraClusterRoleRules) (not .Values.rbac.useExistingClusterRole) }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - labels: - {{ - include "node-specific-sizing.labels" . | nindent 4 }} - {{- with .Values.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} - name: {{ include "node-specific-sizing.fullname" . }} + name: {{ include "chart.fullname" . }}-role + labels: + app.kubernetes.io/component: rbac + {{- include "chart.labels" . | nindent 4 }} rules: - apiGroups: - "" @@ -17,8 +13,4 @@ rules: verbs: - get - list - - watch - {{- with .Values.rbac.extraClusterRoleRules }} - {{- toYaml . | nindent 2 }} - {{- end}} -{{- end }} \ No newline at end of file + - watch \ No newline at end of file diff --git a/charts/node-specific-sizing/templates/clusterrolebinding.yaml b/charts/node-specific-sizing/templates/clusterrolebinding.yaml index 5388d55..1c0d357 100644 --- a/charts/node-specific-sizing/templates/clusterrolebinding.yaml +++ b/charts/node-specific-sizing/templates/clusterrolebinding.yaml 
@@ -1,24 +1,15 @@ -{{- if and .Values.rbac.create (or (not .Values.rbac.namespaced) .Values.rbac.extraClusterRoleRules) }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: {{ include "node-specific-sizing.fullname" . }} - labels: - {{ - include "node-specific-sizing.labels" . | nindent 4 }} - {{- with .Values.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} + name: {{ include "chart.fullname" . }}-rolebinding + labels: + app.kubernetes.io/component: rbac + {{- include "chart.labels" . | nindent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - {{- if .Values.rbac.useExistingClusterRole }} - name: {{ .Values.rbac.useExistingClusterRole }} - {{- else }} - name: {{ include "node-specific-sizing.fullname" . }} - {{- end }} + name: {{ include "chart.name" . }}-role subjects: - kind: ServiceAccount - name: {{ include "node-specific-sizing.serviceAccountName" . }} - namespace: {{ include "node-specific-sizing.namespace" . }} -{{- end }} \ No newline at end of file + name: {{ include "chart.name" . }} + namespace: {{ include "chart.namespace" . }} \ No newline at end of file diff --git a/charts/node-specific-sizing/templates/deployment.yaml b/charts/node-specific-sizing/templates/deployment.yaml index 4f6ab03..e75aac6 100644 --- a/charts/node-specific-sizing/templates/deployment.yaml +++ b/charts/node-specific-sizing/templates/deployment.yaml 
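Review bot: The binding no longer points at what the chart creates: `roleRef.name` is `{{ include "chart.name" . }}-role` while clusterrole.yaml names the ClusterRole `{{ include "chart.fullname" . }}-role`, and the subject is `{{ include "chart.name" . }}` while serviceaccount.yaml creates `{{ include "chart.fullname" . }}` and the Deployment runs as `chart.serviceAccountName`. Unless the release name happens to equal the chart name this is a dangling binding: the controller gets no node permissions, and a cluster-wide grant sits waiting for whoever later creates a ClusterRole and ServiceAccount with those names in this namespace. Use `name: {{ include "chart.fullname" . }}-role` for the roleRef and `name: {{ include "chart.serviceAccountName" . }}` for the subject so the three files stay in step.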
@@ -1,21 +1,43 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: {{ include "node-specific-sizing.fullname" . }} + name: {{ include "chart.fullname" . }} + namespace: {{ .Release.Namespace }} labels: - {{- include "node-specific-sizing.labels" . | nindent 4 }} - {{- if .Values.deployment.annotations }} - annotations: - {{- toYaml .Values.deployment.annotations | nindent 4 }} + app.kubernetes.io/component: controller + {{- include "chart.labels" . | nindent 4 }} spec: - replicas: {{ .Values.deployment.replicas }} + replicas: {{ .Values.replicas }} selector: matchLabels: - app: {{- include "node-specific-sizing.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: controller + {{- include "chart.selectorLabels" . | nindent 6 }} template: metadata: labels: - {{- include "node-specific-sizing.labels" . | nindent 4 }} + app.kubernetes.io/component: controller + {{- include "chart.selectorLabels" . | nindent 8 }} spec: - {{- include "node-specific-sizing.pod" . | nindent 6 }} - \ No newline at end of file + serviceAccountName: {{ include "chart.serviceAccountName" . }} + terminationGracePeriodSeconds: 10 + containers: + - name: {{ .Chart.Name }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + resources: {{- toYaml .Values.resources | nindent 10 }} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: node-specific-sizing-serving-cert + readOnly: true + securityContext: + runAsNonRoot: true + volumes: + - name: serving-certs + secret: + defaultMode: 420 + secretName: {{ include "chart.fullname" . }}-server-cert diff --git a/charts/node-specific-sizing/templates/mutatingadmissionwebhook.yaml b/charts/node-specific-sizing/templates/mutatingadmissionwebhook.yaml index c62e98e..0b7d11d 100644 
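Review bot: The pod spec does not validate as written: the container mounts `name: node-specific-sizing-serving-cert` but the only volume is `name: serving-certs`, and `imagePullPolicy: {{ .Values.image.pullPolicy }}` renders empty because values.yaml puts `imagePullPolicy` at the top level. `serviceAccountName` uses `chart.serviceAccountName`, which with no `serviceAccount.create` in values.yaml resolves to `default`, so the controller will not run under the account the chart creates and binds. The image is pinned by the mutable tag `sha-28e2a98` rather than a digest, and `securityContext` still only sets `runAsNonRoot`; a restricted profile for a cluster-wide mutating webhook, with the mount name fixed, is below (`readOnlyRootFilesystem` assumes the binary writes nothing outside the cert mount — confirm).
```yaml
        volumeMounts:
          - mountPath: /tmp/k8s-webhook-server/serving-certs
            name: serving-certs
            readOnly: true
        securityContext:
          runAsNonRoot: true
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]
          seccompProfile:
            type: RuntimeDefault
      # … unchanged: volumes (name serving-certs, secret {{ include "chart.fullname" . }}-server-cert) …
```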
--- a/charts/node-specific-sizing/templates/mutatingadmissionwebhook.yaml +++ b/charts/node-specific-sizing/templates/mutatingadmissionwebhook.yaml @@ -1,11 +1,13 @@ -kind: MutatingWebhookConfiguration apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration metadata: - name: {{ include "node-specific-sizing.fullname" . }} + name: {{ include "chart.fullname" . }}-mutating-webhook-configuration annotations: - cert-manager.io/inject-ca-from: kube-system/{{ include "node-specific-sizing.fullname" . }} + cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/{{ include "chart.fullname" . }}-serving-cert' + labels: + {{- include "chart.labels" . | nindent 4 }} webhooks: - - name: {{ include "node-specific-sizing.fullname" . }}.svc.cluster.local + - name: {{ include "chart.fullname" . }}.svc.cluster.local objectSelector: matchLabels: node-specific-sizing.manomano.tech/enabled: "true" @@ -15,8 +17,8 @@ webhooks: timeoutSeconds: 1 clientConfig: service: - namespace: kube-system - name: {{ include "node-specific-sizing.fullname" . }} + namespace: node-specific-sizing + name: {{ include "chart.fullname" . }} path: /mutate rules: - apiGroups: [""] diff --git a/charts/node-specific-sizing/templates/selfsigned-issuer.yaml b/charts/node-specific-sizing/templates/selfsigned-issuer.yaml new file mode 100644 index 0000000..242c51f --- /dev/null +++ b/charts/node-specific-sizing/templates/selfsigned-issuer.yaml @@ -0,0 +1,16 @@ +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: {{ include "chart.fullname" . }}-selfsigned-issuer + namespace: {{ .Release.Namespace }} + annotations: + {{- if .Values.certmanager.enabled }} + helm.sh/hook: post-install,post-upgrade + {{- else }} + helm.sh/hook: pre-install,pre-upgrade + {{- end }} + helm.sh/hook-weight: "1" + labels: + {{- include "chart.labels" . | nindent 4 }} +spec: + selfSigned: {} 
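Review bot: `clientConfig.service` now points at namespace `node-specific-sizing` and name `{{ include "chart.fullname" . }}`, but service.yaml in this same patch creates the Service in `{{ .Release.Namespace }}` as `{{ include "chart.fullname" . }}-webhook-service`, and serving-cert.yaml issues the certificate for `{{ include "chart.fullname" . }}.<namespace>.svc`. Unless the release is installed in a namespace literally called `node-specific-sizing` the API server cannot reach the backend, and because `failurePolicy: Ignore` is retained the symptom is pods silently created without mutation rather than an error. Set `namespace: {{ .Release.Namespace }}` here and make the Service name and the certificate `dnsNames` agree on one name — either drop the `-webhook-service` suffix in service.yaml or add it to both this file and the Certificate.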
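Review bot: Rendering the Issuer as a Helm hook takes it out of the release manifest: with no `helm.sh/hook-delete-policy` Helm 3 applies `before-hook-creation`, so the Issuer is deleted and recreated on every install and upgrade, and `helm uninstall` leaves it behind. The `certmanager.enabled` branch suggests the hook exists to order this resource after the cert-manager subchart's CRDs; say so in a comment above the annotation (e.g. `# hook so the Issuer is applied after the cert-manager subchart installs its CRDs`), and consider whether the non-subchart case needs a hook at all rather than an ordinary templated resource.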
diff --git a/charts/node-specific-sizing/templates/service.yaml b/charts/node-specific-sizing/templates/service.yaml index 95c72b6..68279f9 100644 --- a/charts/node-specific-sizing/templates/service.yaml +++ b/charts/node-specific-sizing/templates/service.yaml @@ -1,37 +1,17 @@ -{{- if .Values.service.enabled }} apiVersion: v1 kind: Service metadata: - name: {{ include "node-specific-sizing.fullname" . }} - namespace: {{ include "node-specific-sizing.namespace" . }} + name: {{ include "chart.fullname" . }}-webhook-service + namespace: {{ .Release.Namespace }} labels: - {{- include "node-specific-sizing.labels" . | nindent 4 }} + app.kubernetes.io/component: webhook + {{- include "chart.labels" . | nindent 4 }} spec: - {{- if (or (eq .Values.service.type "ClusterIP") (empty .Values.service.type)) }} type: ClusterIP - {{- with .Values.service.clusterIP }} - clusterIP: {{ . }} - {{- end }} - {{- else if eq .Values.service.type "LoadBalancer" }} - type: LoadBalancer - {{- with .Values.service.loadBalancerIP }} - loadBalancerIP: {{ . }} - {{- end }} - {{- with .Values.service.loadBalancerClass }} - loadBalancerClass: {{ . }} - {{- end }} - {{- with .Values.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: - {{- toYaml . | nindent 4 }} - {{- end }} - {{- else }} - type: {{ .Values.service.type }} - {{- end }} + selector: + {{- include "chart.selectorLabels" . | nindent 4 }} ports: - - port: {{ .Values.service.port }} - targetPort: {{ .Values.service.targetPort }} + - port: {{ default "443" .Values.service.port }} + targetPort: {{ default "8443" .Values.service.targetPort }} protocol: TCP - name: {{ .Values.service.portName }} - selector: - {{- include "node-specific-sizing.selectorLabels" . | nindent 4 }} -{{- end }} \ No newline at end of file + name: {{default (include "chart.fullname" .) .Values.service.portName }} 
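Review bot: `.Values.service` is not declared in the values.yaml of this patch, and `{{ default "443" .Values.service.port }}` does not help when the parent map is missing — Helm fails rendering with a nil-pointer error on `.port` rather than falling through to the default. Declare `service:` with `port: 443`, `targetPort: 8443` and `portName: https` in values.yaml (after which the `default` calls can go). The `-webhook-service` suffix introduced here is not reflected in the MutatingWebhookConfiguration's `clientConfig.service.name` or in the Certificate's `dnsNames`, so the API server will not find or trust this Service under its new name.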
diff --git a/charts/node-specific-sizing/templates/serviceaccount.yaml b/charts/node-specific-sizing/templates/serviceaccount.yaml index 9956817..c3c8ac2 100644 --- a/charts/node-specific-sizing/templates/serviceaccount.yaml +++ b/charts/node-specific-sizing/templates/serviceaccount.yaml @@ -1,16 +1,10 @@ -{{- if .Values.serviceAccount.create -}} apiVersion: v1 kind: ServiceAccount -automountServiceAccountToken: {{ .Values.serviceAccount.autoMount }} metadata: - name: {{ include "node-specific-sizing.serviceAccountName" . }} + name: {{ include "chart.fullname" . }} + namespace: {{ .Release.Namespace }} labels: - {{- include "node-specific-sizing.labels" . | nindent 4 }} - {{- with .Values.serviceAccount.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.serviceAccount.annotations }} + app.kubernetes.io/component: rbac + {{- include "chart.labels" . | nindent 4 }} annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -{{- end }} + {{- toYaml .Values.serviceAccount.annotations | nindent 4 }} diff --git a/charts/node-specific-sizing/templates/serving-cert.yaml b/charts/node-specific-sizing/templates/serving-cert.yaml new file mode 100644 index 0000000..8e048af --- /dev/null +++ b/charts/node-specific-sizing/templates/serving-cert.yaml 
@@ -0,0 +1,22 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ include "chart.fullname" . }}-serving-cert + namespace: {{ .Release.Namespace }} + annotations: + {{- if .Values.certmanager.enabled }} + helm.sh/hook: post-install,post-upgrade + {{- else }} + helm.sh/hook: pre-install,pre-upgrade + {{- end }} + helm.sh/hook-weight: "2" + labels: + {{- include "chart.labels" . | nindent 4 }} +spec: + dnsNames: + - '{{ include "chart.fullname" . }}.{{ .Release.Namespace }}.svc' + - '{{ include "chart.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.kubernetesClusterDomain }}' + issuerRef: + kind: Issuer + name: {{ include "chart.fullname" . }}-selfsigned-issuer + secretName: {{ include "chart.fullname" . }}-server-cert diff --git a/charts/node-specific-sizing/values.yaml b/charts/node-specific-sizing/values.yaml index 7f18ede..1a786e8 100644 --- a/charts/node-specific-sizing/values.yaml +++ b/charts/node-specific-sizing/values.yaml @@ -1,27 +1,27 @@ -global: - imageRegistry: docker.io - image: - sha: "" - -annotations: {} + repository: "ghcr.io/manomanotech/kubernetes-node-specific-sizing" + tag: "sha-28e2a98" -rbac: - create: true - ## Use an existing ClusterRole/Role (depending on rbac.namespaced false/true) - # useExistingRole: name-of-some-role - # useExistingClusterRole: name-of-some-clusterRole - extraClusterRoleRules: [] - # - apiGroups: [] - # resources: [] - # verbs: [] +replicas: 3 -## Override the deployment namespace -## -namespaceOverride: "" +imagePullPolicy: IfNotPresent serviceAccount: - autoMount: true - labels: {} - annotations: {} \ No newline at end of file + annotations: {} + +resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 10m + memory: 64Mi + + +# Certmanager specific values +certmanager: + enabled: false + crds: + enabled: true + keep: true \ No newline at end of file diff --git a/deploy/certmanager.yaml b/deploy/certmanager.yaml index 4bf0bae..2e6f91d 100644 --- a/deploy/certmanager.yaml 
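Review bot: `{{ .Values.kubernetesClusterDomain }}` has no default in the values.yaml hunk of this patch, so the second dnsNames entry renders as `<fullname>.<namespace>.svc.` with a trailing dot, which cert-manager will reject or issue as a SAN nothing connects to. Give it a fallback, e.g. `- '{{ include "chart.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.kubernetesClusterDomain | default "cluster.local" }}'`, or add `kubernetesClusterDomain: cluster.local` to values.yaml. Two further things to check: the Certificate is rendered as a Helm hook, and hook resources are not removed by `helm uninstall`, so the Certificate and its `-server-cert` Secret will outlive the release unless a `helm.sh/hook-delete-policy` annotation is added; and `issuerRef` names a `<fullname>-selfsigned-issuer` that no hunk visible here defines, so the chart presumably relies on it being templated elsewhere.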
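Review bot: `imagePullPolicy: IfNotPresent` is a top-level key, but the deployment template reads `.Values.image.pullPolicy` (visible on the old side of the PATCH 6 deployment.yaml hunk later on this page), so this setting is silently ignored and the template renders an empty `imagePullPolicy:`, leaving the kubelet default in charge; move it under `image:` as `pullPolicy: IfNotPresent`. `tag: "sha-28e2a98"` pins a mutable tag rather than a content digest; for a cluster-wide mutating webhook a `digest:` value (rendered as `repository@sha256:<digest-placeholder>`) would make what was reviewed and what runs the same artifact. The file also ends without a trailing newline.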
+++ b/deploy/certmanager.yaml @@ -1,59 +1,52 @@ kind: Issuer apiVersion: cert-manager.io/v1 metadata: - name: ca-bootstrap - namespace: kube-system + name: node-specific-sizing-ca-bootstrap + namespace: node-specific-sizing spec: selfSigned: {} --- kind: Certificate apiVersion: cert-manager.io/v1 metadata: - name: ca-root - namespace: kube-system + name: node-specific-sizing-ca-root + namespace: node-specific-sizing spec: - secretName: ca-root + secretName: node-specific-sizing-ca-root isCA: true - commonName: ca-root + commonName: node-specific-sizing-ca-root subject: - countries: [ "FR" ] - organizations: [ "ManoMano Internal" ] + countries: [ "AU" ] + organizations: [ "Entain Internal" ] privateKey: algorithm: RSA size: 2048 issuerRef: kind: Issuer - name: ca-bootstrap + name: node-specific-sizing-ca-bootstrap --- kind: Issuer apiVersion: cert-manager.io/v1 metadata: - name: ca-root - namespace: kube-system + name: node-specific-sizing-ca-root + namespace: node-specific-sizing spec: ca: - secretName: ca-root + secretName: node-specific-sizing-ca-root --- apiVersion: cert-manager.io/v1 kind: Certificate metadata: - labels: - app.kubernetes.io/component: certificate - app.kubernetes.io/created-by: kubernetes-node-specific-sizing - app.kubernetes.io/instance: serving-cert - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/name: certificate - app.kubernetes.io/part-of: kubernetes-node-specific-sizing name: node-specific-sizing-serving-cert - namespace: kube-system + namespace: node-specific-sizing spec: dnsNames: - - node-specific-sizing.kube-system.svc - - node-specific-sizing.kube-system.svc.cluster.local + - node-specific-sizing.node-specific-sizing.svc + - node-specific-sizing.node-specific-sizing.svc.cluster.local issuerRef: - name: ca-root + name: node-specific-sizing-ca-root kind: Issuer - secretName: node-specific-sizing-cert + secretName: node-specific-sizing-serving-cert isCA: false privateKey: algorithm: RSA 
@@ -65,13 +58,13 @@ kind: Certificate apiVersion: cert-manager.io/v1 metadata: name: node-specific-sizing-client-cert - namespace: kube-system + namespace: node-specific-sizing spec: issuerRef: - name: ca-root + name: node-specific-sizing-ca-root kind: Issuer - commonName: api-server-client-cert-for-node-specific-sizing.manomano.tech - secretName: client-cert + commonName: api-server-client-cert-for-node-specific-sizing + secretName: node-specific-sizing-client-cert duration: 2160h renewBefore: 360h isCA: false diff --git a/deploy/clusterrolebinding.yaml b/deploy/clusterrolebinding.yaml index 0c6c0e4..02b1f80 100644 --- a/deploy/clusterrolebinding.yaml +++ b/deploy/clusterrolebinding.yaml @@ -11,4 +11,4 @@ roleRef: subjects: - kind: ServiceAccount name: node-specific-sizing - namespace: kube-system + namespace: node-specific-sizing diff --git a/deploy/deployment.yaml b/deploy/deployment.yaml index 276e9c8..76343d6 100644 --- a/deploy/deployment.yaml +++ b/deploy/deployment.yaml @@ -2,6 +2,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: node-specific-sizing + namespace: node-specific-sizing labels: app: node-specific-sizing spec: @@ -18,7 +19,7 @@ spec: terminationGracePeriodSeconds: 10 containers: - name: node-specific-sizing - image: node-specific-sizing:latest + image: ghcr.io/manomanotech/kubernetes-node-specific-sizing:sha-28e2a98 imagePullPolicy: IfNotPresent env: - name: POD_NAMESPACE @@ -27,12 +28,12 @@ spec: fieldPath: metadata.namespace volumeMounts: - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert + name: node-specific-sizing-serving-cert readOnly: true securityContext: runAsNonRoot: true volumes: - - name: cert + - name: node-specific-sizing-serving-cert secret: defaultMode: 420 - secretName: node-specific-sizing-cert + secretName: node-specific-sizing-serving-cert diff --git a/deploy/kustomization.yaml b/deploy/kustomization.yaml index 181dae6..5a4094e 100644 --- a/deploy/kustomization.yaml +++ b/deploy/kustomization.yaml 
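Review bot: Changing the image to the fully-qualified `ghcr.io/manomanotech/kubernetes-node-specific-sizing:sha-28e2a98` breaks the container workflow's `kustomize edit set image node-specific-sizing=$image_tag` step (visible in the container.yml hunks further down this page), because kustomize matches the image transformer on the image name and `node-specific-sizing` no longer appears in deployment.yaml, so the generated deploy.yaml keeps this hard-coded tag. If that step is still intended, either keep the short name here and let the `images:` transformer in kustomization.yaml supply the registry, or change the CI step to `kustomize edit set image ghcr.io/manomanotech/kubernetes-node-specific-sizing=$image_tag`. `sha-28e2a98` is also a mutable tag; pinning by digest would make the deployed manifest reproducible.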
@@ -1,6 +1,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: kube-system +namespace: node-specific-sizing resources: - certmanager.yaml @@ -10,3 +10,8 @@ resources: - serviceaccount.yaml - mutatingadmissionwebhook.yaml - service.yaml + +labels: + - pairs: + app: node-specific-sizing + user: mark-lynch \ No newline at end of file diff --git a/deploy/mutatingadmissionwebhook.yaml b/deploy/mutatingadmissionwebhook.yaml index 44d5528..b1301b0 100644 --- a/deploy/mutatingadmissionwebhook.yaml +++ b/deploy/mutatingadmissionwebhook.yaml @@ -3,7 +3,7 @@ apiVersion: admissionregistration.k8s.io/v1 metadata: name: node-specific-sizing annotations: - cert-manager.io/inject-ca-from: kube-system/node-specific-sizing-client-cert + cert-manager.io/inject-ca-from: node-specific-sizing/node-specific-sizing-client-cert webhooks: - name: node-specific-sizing.svc.cluster.local objectSelector: @@ -15,7 +15,7 @@ webhooks: timeoutSeconds: 2 clientConfig: service: - namespace: kube-system + namespace: node-specific-sizing name: node-specific-sizing path: /mutate rules: diff --git a/sleep-daemonset.yaml b/sleep-daemonset.yaml new file mode 100644 index 0000000..716ec36 --- /dev/null +++ b/sleep-daemonset.yaml 
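Review bot: `user: mark-lynch` in the new `labels:` block stamps a personal identifier onto every resource the base emits, and it will travel into the published deploy.yaml artifact that the container workflow uploads. A developer marker belongs in a local overlay rather than the committed base; if a provenance label is wanted, a conventional key such as `app.kubernetes.io/managed-by` carries the same information without naming a person. The file also ends without a trailing newline, which some tooling flags.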
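Review bot: `cert-manager.io/inject-ca-from: node-specific-sizing/node-specific-sizing-client-cert` points the caBundle at the client Certificate, yet the caBundle is what the API server uses to verify the webhook's serving certificate; it only works because both Certificates in deploy/certmanager.yaml are issued by the same `node-specific-sizing-ca-root` Issuer. Referencing `node-specific-sizing/node-specific-sizing-serving-cert` instead makes the dependency explicit and survives a future change that gives the two certificates different issuers. Unrelated to this hunk's change, `timeoutSeconds: 2` is tight for a webhook that looks up node allocatable resources on each admission; worth confirming the `failurePolicy` (not in the hunk) was chosen deliberately.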
@@ -0,0 +1,81 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: sleep-daemonset + namespace: node-specific-sizing + labels: + app: sleep +spec: + selector: + matchLabels: + app: sleep + template: + metadata: + labels: + app: sleep + node-specific-sizing.manomano.tech/enabled: "true" + annotations: + cluster-autoscaler.kubernetes.io/safe-to-evict: "true" + node-specific-sizing.manomano.tech/request-cpu-fraction: "0.1" + node-specific-sizing.manomano.tech/maximum-cpu: "1" + # node-specific-sizing.manomano.tech/limit-cpu-fraction: "0.1" + # node-specific-sizing.manomano.tech/request-memory-fraction: "0.8" + # node-specific-sizing.manomano.tech/limit-memory-fraction: "0.1" + node-specific-sizing.manomano.tech/minimum-memory: 200Mi + node-specific-sizing.manomano.tech/maximum-memory: 500Mi + spec: + terminationGracePeriodSeconds: 0 + priorityClassName: system-node-critical + nodeSelector: + kubernetes.io/os: linux + tolerations: + - effect: NoSchedule + operator: Exists + - effect: NoExecute + operator: Exists + # - effect: NoSchedule + # key: node.kubernetes.io/role + # operator: Exists + # - effect: NoSchedule + # key: node.kubernetes.io/arch + # operator: Exists + initContainers: + - name: fetch-instance-data + image: curlimages/curl:7.85.0 + command: + - "sh" + - "-c" + - | + echo "Fetching instance metadata..." + echo "Instance Type: $(curl -s http://169.254.169.254/latest/meta-data/instance-type)" + echo "CPU Details: $(grep -c ^processor /proc/cpuinfo) CPUs" + echo "Memory Details: $(grep MemTotal /proc/meminfo | awk '{print $2}') KiB" + resources: + requests: + cpu: 100m + memory: 100Mi + containers: + - name: sleep-a + image: alpine + command: + - "sleep" + - "infinity" + resources: + requests: + cpu: 100m + memory: 200Mi + # limits: + # cpu: 30m + # memory: 200Mi + - name: sleep-b + image: alpine + command: + - "sleep" + - "infinity" + resources: + requests: + cpu: 100m + memory: 600Mi + # limits: + # cpu: 270m + # memory: 1800Mi 
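Review bot: `priorityClassName: system-node-critical` combined with blanket `operator: Exists` tolerations for `NoSchedule` and `NoExecute` puts this sleep workload on every node, control plane included, and lets it preempt genuinely node-critical pods; a sizing demo should use a low or no priority class and tolerate only the taints it actually needs. The `fetch-instance-data` init container queries `http://169.254.169.254/latest/meta-data/instance-type` with plain `curl -s`: on clusters where IMDS is blocked for pods or IMDSv2 is enforced (the recommended posture) it silently prints an empty string, and without `--max-time` it may delay pod start on a non-AWS node until the connect times out; `curl -s --fail --max-time 2` and treating an empty result as informational keeps the init container harmless. `image: alpine` with no tag resolves to `latest`; pin it the way the curl image is.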
From c0a6bcc11e19be9adc5894da92166182b2d26904 Mon Sep 17 00:00:00 2001 From: "mark.lynch" Date: Fri, 14 Mar 2025 16:39:13 +1000 Subject: [PATCH 3/8] publish helm charts --- .github/workflows/release.yaml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 .github/workflows/release.yaml diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml new file mode 100644 index 0000000..72b1d1b --- /dev/null +++ b/.github/workflows/release.yaml @@ -0,0 +1,23 @@ +name: Publish Helm charts + +permissions: {} + +on: + push: + tags: + - 'v*' + +jobs: + release: + runs-on: ubuntu-latest + permissions: + contents: write + id-token: write + packages: write + pull-requests: write + steps: + - name: Publish Helm charts + uses: stefanprodan/helm-gh-pages@master + with: + charts_dir: chart + token: ${{ secrets.GITHUB_TOKEN }} From 12217e66a735143843f21fde74c4df6b372649a4 Mon Sep 17 00:00:00 2001 From: "mark.lynch" Date: Mon, 17 Mar 2025 08:23:54 +1000 Subject: [PATCH 4/8] release helm chart on push --- .github/workflows/ci.yml | 78 +++++++-------- .github/workflows/container.yml | 164 ++++++++++++++++---------------- .github/workflows/release.yaml | 2 - sleep-daemonset.yaml | 3 +- 4 files changed, 123 insertions(+), 124 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c6ee3e4..4fe20d7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
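Review bot: `uses: stefanprodan/helm-gh-pages@master` runs whatever the action's default branch contains at the moment of the run, with a `GITHUB_TOKEN` that this job grants `contents: write`, `packages: write`, `pull-requests: write` and `id-token: write`; pin the action to a release tag or, better, a full commit SHA, and trim the job permissions to what publishing to gh-pages needs (`contents: write`). `charts_dir: chart` does not match the repository layout, where the chart lives under `charts/node-specific-sizing`, so the publish step finds nothing; and no `actions/checkout` step precedes it, so there is no working tree to scan at all. A workflow-level `concurrency` group would also stop two quick tag pushes racing on the gh-pages branch.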
@@ -1,39 +1,39 @@ -name: CI -on: [pull_request] -jobs: - lint: - name: Lint - runs-on: ubuntu-latest - container: docker.io/library/golang:latest - steps: - - name: Checkout - uses: actions/checkout@v4 - - name: Verify go.mod - run: go mod tidy -# - name: Run lint -# run: make lint - build: - name: Build - runs-on: ubuntu-latest - container: docker.io/library/golang:latest - steps: - - name: Checkout - uses: actions/checkout@v4 - with: - fetch-depth: 0 - fetch-tags: true - - name: Setup Go environment - uses: actions/setup-go@v5.0.2 - with: - go-version-file: 'go.mod' - - name: Go Build - run: make build - tests: - name: Tests - runs-on: ubuntu-latest - container: docker.io/library/golang:latest - steps: - - name: Checkout - uses: actions/checkout@v4 - - name: Tests - run: make test \ No newline at end of file +# name: CI +# on: [pull_request] +# jobs: +# lint: +# name: Lint +# runs-on: ubuntu-latest +# container: docker.io/library/golang:latest +# steps: +# - name: Checkout +# uses: actions/checkout@v4 +# - name: Verify go.mod +# run: go mod tidy +# # - name: Run lint +# # run: make lint +# build: +# name: Build +# runs-on: ubuntu-latest +# container: docker.io/library/golang:latest +# steps: +# - name: Checkout +# uses: actions/checkout@v4 +# with: +# fetch-depth: 0 +# fetch-tags: true +# - name: Setup Go environment +# uses: actions/setup-go@v5.0.2 +# with: +# go-version-file: 'go.mod' +# - name: Go Build +# run: make build +# tests: +# name: Tests +# runs-on: ubuntu-latest +# container: docker.io/library/golang:latest +# steps: +# - name: Checkout +# uses: actions/checkout@v4 +# - name: Tests +# run: make test \ No newline at end of file diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml index c2d3773..ca0c8cd 100644 --- a/.github/workflows/container.yml +++ b/.github/workflows/container.yml 
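Review bot: Commenting out every line leaves `.github/workflows/ci.yml` with no `on:` or `jobs:` key, which GitHub is likely to report as an invalid workflow on each push rather than treat as disabled; the container.yml hunk that follows has the same problem. If the intent is to pause CI, either delete the files or keep a valid skeleton with a manual-only trigger (`on: workflow_dispatch`). Note that lint, build and tests are switched off in the same patch that makes the release workflow publish on every push, so charts go out with nothing having run against them.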
@@ -1,94 +1,94 @@ ---- -name: "Build & Publish Container" +# --- +# name: "Build & Publish Container" -on: - push: - branches: - - main - pull_request: - release: - types: - - published +# on: +# push: +# branches: +# - main +# pull_request: +# release: +# types: +# - published -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true +# concurrency: +# group: ${{ github.workflow }}-${{ github.ref }} +# cancel-in-progress: true -jobs: - docker-publish: - # This action doesn't need to wait on any other task, it's easy to re-tag if something failed and we're validating - # the tag here also - name: Push container image to ghcr.io - runs-on: ubuntu-latest - environment: - name: release - permissions: - # For the docker push and the git clone - packages: write - contents: read - steps: - - uses: actions/checkout@v4 +# jobs: +# docker-publish: +# # This action doesn't need to wait on any other task, it's easy to re-tag if something failed and we're validating +# # the tag here also +# name: Push container image to ghcr.io +# runs-on: ubuntu-latest +# environment: +# name: release +# permissions: +# # For the docker push and the git clone +# packages: write +# contents: read +# steps: +# - uses: actions/checkout@v4 - - name: Set up QEMU - uses: docker/setup-qemu-action@v2 +# - name: Set up QEMU +# uses: docker/setup-qemu-action@v2 - - uses: docker/setup-buildx-action@v3 +# - uses: docker/setup-buildx-action@v3 - - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} +# - uses: docker/login-action@v3 +# with: +# registry: ghcr.io +# username: ${{ github.repository_owner }} +# password: ${{ secrets.GITHUB_TOKEN }} - - name: Extract metadata (tags, labels) for Docker - id: meta - uses: docker/metadata-action@v5 - with: - images: ghcr.io/${{ github.repository}} - tags: | - type=semver,pattern={{version}} - type=semver,pattern={{major}}.{{minor}} - # 
disabled if major zero - type=semver,pattern={{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }} - type=sha,priority=650 - type=ref,event=branch - type=ref,event=pr +# - name: Extract metadata (tags, labels) for Docker +# id: meta +# uses: docker/metadata-action@v5 +# with: +# images: ghcr.io/${{ github.repository}} +# tags: | +# type=semver,pattern={{version}} +# type=semver,pattern={{major}}.{{minor}} +# # disabled if major zero +# type=semver,pattern={{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }} +# type=sha,priority=650 +# type=ref,event=branch +# type=ref,event=pr - - name: "Build and push Docker image" - uses: docker/build-push-action@v6 - with: - context: . - platforms: linux/amd64,linux/arm64,linux/arm/v7 - # Reuse the builder - cache-from: type=gha - cache-to: type=gha,mode=max - push: true - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} +# - name: "Build and push Docker image" +# uses: docker/build-push-action@v6 +# with: +# context: . +# platforms: linux/amd64,linux/arm64,linux/arm/v7 +# # Reuse the builder +# cache-from: type=gha +# cache-to: type=gha,mode=max +# push: true +# tags: ${{ steps.meta.outputs.tags }} +# labels: ${{ steps.meta.outputs.labels }} - - name: "Update Deployment Image Tag" # [3] - working-directory: "deploy" - run: | - # Get any tags that were pushed - # XXX: Get sha or tag one - # Hint: tags are actually full image names with tags here - image_tag=$(echo ${{ steps.meta.outputs.tags }} | cut -d',' -f1) - - kustomize edit set image node-specific-sizing=$image_tag - - kustomize build . 
> deploy.yaml +# - name: "Update Deployment Image Tag" # [3] +# working-directory: "deploy" +# run: | +# # Get any tags that were pushed +# # XXX: Get sha or tag one +# # Hint: tags are actually full image names with tags here +# image_tag=$(echo ${{ steps.meta.outputs.tags }} | cut -d',' -f1) - - name: "Upload Deployment YAML" # [4] - uses: actions/upload-artifact@v4 - with: - path: deploy/deploy.yaml - name: deploy.yaml +# kustomize edit set image node-specific-sizing=$image_tag - - uses: xresloader/upload-to-github-release@v1 - if: github.event_name == 'release' && github.event.action == 'published' - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - file: deploy.yaml - release_id: ${{ github.event.release.id }} \ No newline at end of file +# kustomize build . > deploy.yaml + +# - name: "Upload Deployment YAML" # [4] +# uses: actions/upload-artifact@v4 +# with: +# path: deploy/deploy.yaml +# name: deploy.yaml + +# - uses: xresloader/upload-to-github-release@v1 +# if: github.event_name == 'release' && github.event.action == 'published' +# env: +# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} +# with: +# file: deploy.yaml +# release_id: ${{ github.event.release.id }} \ No newline at end of file diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 72b1d1b..16d8e30 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -4,8 +4,6 @@ permissions: {} on: push: - tags: - - 'v*' jobs: release: diff --git a/sleep-daemonset.yaml b/sleep-daemonset.yaml index 716ec36..889ab2a 100644 --- a/sleep-daemonset.yaml +++ b/sleep-daemonset.yaml 
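Review bot: Removing the `tags:` filter leaves a bare `on: push:`, which fires for every push to every branch, so each feature-branch push republishes charts to gh-pages with a `contents: write` token and the published index reflects whatever was pushed last rather than a tagged version. If the aim is release-on-push, restrict it with `branches: [main]`; if it is to publish tags, restore `tags: ['v*']`. A workflow-level `concurrency` group would additionally stop two pushes racing on the gh-pages branch.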
@@ -21,7 +21,8 @@ spec: # node-specific-sizing.manomano.tech/limit-cpu-fraction: "0.1" # node-specific-sizing.manomano.tech/request-memory-fraction: "0.8" # node-specific-sizing.manomano.tech/limit-memory-fraction: "0.1" - node-specific-sizing.manomano.tech/minimum-memory: 200Mi + # node-specific-sizing.manomano.tech/minimum-memory: 200Mi + node-specific-sizing.manomano.tech/request-memory-fraction: "0.1" node-specific-sizing.manomano.tech/maximum-memory: 500Mi spec: terminationGracePeriodSeconds: 0 From 3d95a4679c29d5b9fe2711a7e5ab3721f3af9b57 Mon Sep 17 00:00:00 2001 From: "mark.lynch" Date: Mon, 17 Mar 2025 08:34:31 +1000 Subject: [PATCH 5/8] Don't forget to checkout --- .github/workflows/ci.yml | 78 ++++----- .github/workflows/container.yml | 160 +++++++++--------- .github/workflows/release.yaml | 3 +- README.md | 28 ++- .../templates/deployment.yaml | 2 +- .../templates/service.yaml | 8 +- .../templates/tests/test-connection.yaml | 15 -- 7 files changed, 149 insertions(+), 145 deletions(-) delete mode 100644 charts/node-specific-sizing/templates/tests/test-connection.yaml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4fe20d7..c6ee3e4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -1,39 +1,39 @@ -# name: CI -# on: [pull_request] -# jobs: -# lint: -# name: Lint -# runs-on: ubuntu-latest -# container: docker.io/library/golang:latest -# steps: -# - name: Checkout -# uses: actions/checkout@v4 -# - name: Verify go.mod -# run: go mod tidy -# # - name: Run lint -# # run: make lint -# build: -# name: Build -# runs-on: ubuntu-latest -# container: docker.io/library/golang:latest -# steps: -# - name: Checkout -# uses: actions/checkout@v4 -# with: -# fetch-depth: 0 -# fetch-tags: true -# - name: Setup Go environment -# uses: actions/setup-go@v5.0.2 -# with: -# go-version-file: 'go.mod' -# - name: Go Build -# run: make build -# tests: -# name: Tests -# runs-on: ubuntu-latest -# container: docker.io/library/golang:latest -# steps: -# - name: Checkout -# uses: actions/checkout@v4 -# - name: Tests -# run: make test \ No newline at end of file +name: CI +on: [pull_request] +jobs: + lint: + name: Lint + runs-on: ubuntu-latest + container: docker.io/library/golang:latest + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Verify go.mod + run: go mod tidy +# - name: Run lint +# run: make lint + build: + name: Build + runs-on: ubuntu-latest + container: docker.io/library/golang:latest + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + fetch-tags: true + - name: Setup Go environment + uses: actions/setup-go@v5.0.2 + with: + go-version-file: 'go.mod' + - name: Go Build + run: make build + tests: + name: Tests + runs-on: ubuntu-latest + container: docker.io/library/golang:latest + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Tests + run: make test \ No newline at end of file diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml index ca0c8cd..b358e7a 100644 --- a/.github/workflows/container.yml +++ b/.github/workflows/container.yml 
@@ -1,94 +1,94 @@ -# --- -# name: "Build & Publish Container" +--- +name: "Build & Publish Container" -# on: -# push: -# branches: -# - main -# pull_request: -# release: -# types: -# - published +on: + push: + branches: + - main + pull_request: + release: + types: + - published -# concurrency: -# group: ${{ github.workflow }}-${{ github.ref }} -# cancel-in-progress: true +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true -# jobs: -# docker-publish: -# # This action doesn't need to wait on any other task, it's easy to re-tag if something failed and we're validating -# # the tag here also -# name: Push container image to ghcr.io -# runs-on: ubuntu-latest -# environment: -# name: release -# permissions: -# # For the docker push and the git clone -# packages: write -# contents: read -# steps: -# - uses: actions/checkout@v4 +jobs: + docker-publish: + # This action doesn't need to wait on any other task, it's easy to re-tag if something failed and we're validating + # the tag here also + name: Push container image to ghcr.io + runs-on: ubuntu-latest + environment: + name: release + permissions: + # For the docker push and the git clone + packages: write + contents: read + steps: + - uses: actions/checkout@v4 -# - name: Set up QEMU -# uses: docker/setup-qemu-action@v2 + - name: Set up QEMU + uses: docker/setup-qemu-action@v2 -# - uses: docker/setup-buildx-action@v3 + - uses: docker/setup-buildx-action@v3 -# - uses: docker/login-action@v3 -# with: -# registry: ghcr.io -# username: ${{ github.repository_owner }} -# password: ${{ secrets.GITHUB_TOKEN }} + - uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} -# - name: Extract metadata (tags, labels) for Docker -# id: meta -# uses: docker/metadata-action@v5 -# with: -# images: ghcr.io/${{ github.repository}} -# tags: | -# type=semver,pattern={{version}} -# type=semver,pattern={{major}}.{{minor}} -# 
# disabled if major zero -# type=semver,pattern={{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }} -# type=sha,priority=650 -# type=ref,event=branch -# type=ref,event=pr + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@v5 + with: + images: ghcr.io/${{ github.repository}} + tags: | + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + # disabled if major zero + type=semver,pattern={{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }} + type=sha,priority=650 + type=ref,event=branch + type=ref,event=pr -# - name: "Build and push Docker image" -# uses: docker/build-push-action@v6 -# with: -# context: . -# platforms: linux/amd64,linux/arm64,linux/arm/v7 -# # Reuse the builder -# cache-from: type=gha -# cache-to: type=gha,mode=max -# push: true -# tags: ${{ steps.meta.outputs.tags }} -# labels: ${{ steps.meta.outputs.labels }} + - name: "Build and push Docker image" + uses: docker/build-push-action@v6 + with: + context: . + platforms: linux/amd64,linux/arm64,linux/arm/v7 + # Reuse the builder + cache-from: type=gha + cache-to: type=gha,mode=max + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} -# - name: "Update Deployment Image Tag" # [3] -# working-directory: "deploy" -# run: | -# # Get any tags that were pushed -# # XXX: Get sha or tag one -# # Hint: tags are actually full image names with tags here -# image_tag=$(echo ${{ steps.meta.outputs.tags }} | cut -d',' -f1) + - name: "Update Deployment Image Tag" # [3] + working-directory: "deploy" + run: | + # Get any tags that were pushed + # XXX: Get sha or tag one + # Hint: tags are actually full image names with tags here + image_tag=$(echo ${{ steps.meta.outputs.tags }} | cut -d',' -f1) -# kustomize edit set image node-specific-sizing=$image_tag + kustomize edit set image node-specific-sizing=$image_tag -# kustomize build . > deploy.yaml + kustomize build . 
> deploy.yaml -# - name: "Upload Deployment YAML" # [4] -# uses: actions/upload-artifact@v4 -# with: -# path: deploy/deploy.yaml -# name: deploy.yaml + - name: "Upload Deployment YAML" # [4] + uses: actions/upload-artifact@v4 + with: + path: deploy/deploy.yaml + name: deploy.yaml -# - uses: xresloader/upload-to-github-release@v1 -# if: github.event_name == 'release' && github.event.action == 'published' -# env: -# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} -# with: -# file: deploy.yaml -# release_id: ${{ github.event.release.id }} \ No newline at end of file + - uses: xresloader/upload-to-github-release@v1 + if: github.event_name == 'release' && github.event.action == 'published' + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + file: deploy.yaml + release_id: ${{ github.event.release.id }} \ No newline at end of file diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 16d8e30..2363452 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -14,8 +14,9 @@ jobs: packages: write pull-requests: write steps: + - name: Checkout + uses: actions/checkout@v4 - name: Publish Helm charts uses: stefanprodan/helm-gh-pages@master with: - charts_dir: chart token: ${{ secrets.GITHUB_TOKEN }} diff --git a/README.md b/README.md index a16a924..5f807df 100644 --- a/README.md +++ b/README.md 
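Review bot: `image_tag=$(echo ${{ steps.meta.outputs.tags }} | cut -d',' -f1)` splices an action output straight into the shell script; the value is derived from branch, PR and tag names, and although docker/metadata-action sanitises them to tag-safe characters, the robust pattern is to pass it via `env:` (`IMAGE_TAGS: ${{ steps.meta.outputs.tags }}` on the step, then `image_tag=$(echo "$IMAGE_TAGS" | cut -d',' -f1)`) so a future change to the tag template cannot become shell injection. The job also runs on `pull_request` with `packages: write` and logs in to ghcr.io, so same-repo PRs push images while fork PRs fail at push with a read-only token; gating the login and push steps on `github.event_name != 'pull_request'` avoids both. The third-party actions are pinned to floating major tags (`docker/setup-qemu-action@v2`, `xresloader/upload-to-github-release@v1`); SHA pins would match the `environment: release` gate. This hunk restores the file verbatim, so these points predate it.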
@@ -2,6 +2,24 @@ Helps you resize pods created by a DaemonSet depending on the amount of allocatable resources present on the node. +## Helm + +### Install + +```bash +helm repo add node-specific-sizing https://mlladb.github.io/kubernetes-node-specific-sizing/ +helm repo update +helm repo list +helm install node-specific-sizing node-specific-sizing/node-specific-sizing --namespace node-specific-sizing --create-namespace +helm list --namespace node-specific-sizing +``` + +### Uninstall + +```bash +helm uninstall node-specific-sizing --namespace node-specific-sizing +``` + ## How to use 1. Add the `node-specific-sizing.manomano.tech/enabled: "true"` label any pod you'd like to size depending on the node. @@ -19,7 +37,7 @@ Helps you resize pods created by a DaemonSet depending on the amount of allocata - `node-specific-sizing.manomano.tech/maximum-cpu: 4` - `node-specific-sizing.manomano.tech/minimum-memory: 50M` - `node-specific-sizing.manomano.tech/maximum-memory: 4G` - - NOTE: Minimums and maximums are applied to both resource and limits. + - NOTE: Minimums and maximums are applied to both resource and limits. We don't see the need to add different minimums for requests in limits in practice. You may challenge that choice by opening an issue. - NOTE: Minimums and maximums are to be understood per-pod and not per-container. See resource-sizing algorithm for details. 
@@ -29,7 +47,7 @@ Helps you resize pods created by a DaemonSet depending on the amount of allocata 5. Take care of the following - In some instances, if limit ends up being below request it will be adjusted to be equal to the request. - - WARNING: We have not tested all cases of partial configuration or weird mish-mashes. + - WARNING: We have not tested all cases of partial configuration or weird mish-mashes. - You're safer defining both requests and limits, or just requests if the underlying DaemonSet does not have limits. - Having some containers define a request or limit while others do not is unsupported. @@ -42,7 +60,7 @@ To achieve this, the updated container requests and limits (from here on out, "t follows: - For each container in the pod, and for each tunable, compute the tunable's relative value per container. - For any given container, `relative_tunable = container_tunable / (sum(container_tunables) - sum(excluded_container_tunables))` + For any given container, `relative_tunable = container_tunable / (sum(container_tunables) - sum(excluded_container_tunables))` - Derive a `pod_tunable_budget = allocatable_tunable_on_node * configured_pod_proportion - sum(excluded_container_tunables)`. This represents the resources that will be given to the pod. - Clamp `pod_tunable_budget` if minimums and/or maximums are set for that tunable. - Finally, `new_absolute_tunable = pod_tunable_budget * relative_tunable` spreads the budget between containers. 
@@ -82,7 +100,7 @@ PC3| .50 .55 .50 .55 // Output: relative_tunables 1. `make build` and `make docker-build` 2. `make deploy` to setup manifests in current context 3. `bin/playground.sh` to setup a K3D playground cluster with a toy daemonset with annotations set -4. `bin/dev_toggle.sh` to reconfigure the K3D playground cluster so that it can reach the webhook server on your workstation, +4. `bin/dev_toggle.sh` to reconfigure the K3D playground cluster so that it can reach the webhook server on your workstation, as well as extracting certs from the cluster. This allows you to use the IDE of your choice and try things directly. -### +### diff --git a/charts/node-specific-sizing/templates/deployment.yaml b/charts/node-specific-sizing/templates/deployment.yaml index e75aac6..4d9ffda 100644 --- a/charts/node-specific-sizing/templates/deployment.yaml +++ b/charts/node-specific-sizing/templates/deployment.yaml @@ -32,7 +32,7 @@ spec: fieldPath: metadata.namespace volumeMounts: - mountPath: /tmp/k8s-webhook-server/serving-certs - name: node-specific-sizing-serving-cert + name: serving-certs readOnly: true securityContext: runAsNonRoot: true diff --git a/charts/node-specific-sizing/templates/service.yaml b/charts/node-specific-sizing/templates/service.yaml index 68279f9..4bf4045 100644 --- a/charts/node-specific-sizing/templates/service.yaml +++ b/charts/node-specific-sizing/templates/service.yaml @@ -11,7 +11,7 @@ spec: selector: {{- include "chart.selectorLabels" . | nindent 4 }} ports: - - port: {{ default "443" .Values.service.port }} - targetPort: {{ default "8443" .Values.service.targetPort }} - protocol: TCP - name: {{default (include "chart.fullname" .) .Values.service.portName }} + - name: "https" + port: 443 + targetPort: 8443 + protocol: TCP diff --git a/charts/node-specific-sizing/templates/tests/test-connection.yaml b/charts/node-specific-sizing/templates/tests/test-connection.yaml deleted file mode 100644 index 4a8d485..0000000 
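Review bot: The volumeMounts entry in the chart's deployment.yaml is renamed to `name: serving-certs`, but the `volumes[].name` it must match lies outside this hunk, and if that entry still carries the old `node-specific-sizing-serving-cert` name the pod is rejected at creation because the mount references a volume that does not exist. The same rename in deploy/deployment.yaml in a later patch updates both sides, so the chart template presumably needs the matching `- name: serving-certs` under `volumes:`, with its `secretName:` pointing at the Secret the chart's Certificate writes. The enclosing container spec starts before the hunk and the `volumes:` block is not visible here.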
--- a/charts/node-specific-sizing/templates/tests/test-connection.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: "{{ include "node-specific-sizing.fullname" . }}-test-connection" - labels: - {{- include "knss.labels" . | nindent 4 }} - annotations: - "helm.sh/hook": test -spec: - containers: - - name: wget - image: busybox - command: ['wget'] - args: ['{{ include "knss.fullname" . }}:{{ .Values.service.port }}'] - restartPolicy: Never From c1c5bf44acf9c18a9fbcbe88bc3d187afa45a21b Mon Sep 17 00:00:00 2001 From: "mark.lynch" Date: Mon, 17 Mar 2025 11:09:36 +1000 Subject: [PATCH 6/8] fix indentation issue --- charts/node-specific-sizing/templates/deployment.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/node-specific-sizing/templates/deployment.yaml b/charts/node-specific-sizing/templates/deployment.yaml index 4d9ffda..677e818 100644 --- a/charts/node-specific-sizing/templates/deployment.yaml +++ b/charts/node-specific-sizing/templates/deployment.yaml @@ -23,8 +23,8 @@ spec: containers: - name: {{ .Chart.Name }} image: {{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - resources: {{- toYaml .Values.resources | nindent 10 }} + resources: {{- toYaml .Values.resources | nindent 12 }} + imagePullPolicy: {{ default "IfNotPresent" .Values.image.pullPolicy }} env: - name: POD_NAMESPACE valueFrom: From ccad92b83de061fbc78097a824b13d0c82d03957 Mon Sep 17 00:00:00 2001 From: "mark.lynch" Date: Mon, 17 Mar 2025 11:43:26 +1000 Subject: [PATCH 7/8] fix service name --- .github/workflows/release.yaml | 2 ++ charts/node-specific-sizing/templates/service.yaml | 2 +- charts/node-specific-sizing/values.yaml | 1 + sleep-daemonset.yaml | 2 +- 4 files changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 2363452..0336665 100644 --- a/.github/workflows/release.yaml 
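Review bot: `imagePullPolicy: {{ default "IfNotPresent" .Values.image.pullPolicy }}` reads `.Values.image.pullPolicy`, while the chart's values.yaml carries a top-level `imagePullPolicy: IfNotPresent` key (visible in the values.yaml hunk of the following patch), so that value is never consumed and the `default` silently masks the mismatch; only part of values.yaml is visible, so an `image.pullPolicy` key elsewhere in it cannot be ruled out. Either move the key under `image:` in values.yaml or read `.Values.imagePullPolicy` here, and mark whichever key is kept with a comment such as `# consumed by templates/deployment.yaml (imagePullPolicy)` so the two stay aligned. The `resources:` line moved in the same hunk relies on `nindent 12` matching the container's indent, which the collapsed hunk does not let me confirm.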
+++ b/.github/workflows/release.yaml @@ -4,6 +4,8 @@ permissions: {} on: push: + tags: + - 'v*' jobs: release: diff --git a/charts/node-specific-sizing/templates/service.yaml b/charts/node-specific-sizing/templates/service.yaml index 4bf4045..016f7c5 100644 --- a/charts/node-specific-sizing/templates/service.yaml +++ b/charts/node-specific-sizing/templates/service.yaml @@ -1,7 +1,7 @@ apiVersion: v1 kind: Service metadata: - name: {{ include "chart.fullname" . }}-webhook-service + name: {{ include "chart.fullname" . }} namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/component: webhook diff --git a/charts/node-specific-sizing/values.yaml b/charts/node-specific-sizing/values.yaml index 1a786e8..351683f 100644 --- a/charts/node-specific-sizing/values.yaml +++ b/charts/node-specific-sizing/values.yaml @@ -8,6 +8,7 @@ replicas: 3 imagePullPolicy: IfNotPresent serviceAccount: + create: true annotations: {} resources: diff --git a/sleep-daemonset.yaml b/sleep-daemonset.yaml index 889ab2a..8f42764 100644 --- a/sleep-daemonset.yaml +++ b/sleep-daemonset.yaml @@ -23,7 +23,7 @@ spec: # node-specific-sizing.manomano.tech/limit-memory-fraction: "0.1" # node-specific-sizing.manomano.tech/minimum-memory: 200Mi node-specific-sizing.manomano.tech/request-memory-fraction: "0.1" - node-specific-sizing.manomano.tech/maximum-memory: 500Mi + node-specific-sizing.manomano.tech/maximum-memory: 800Mi spec: terminationGracePeriodSeconds: 0 priorityClassName: system-node-critical From 447afded65a572fa208361419133ef7d7238dc68 Mon Sep 17 00:00:00 2001 
From: "mark.lynch" Date: Mon, 17 Mar 2025 14:42:32 +1000 Subject: [PATCH 8/8] Update readme to refenrece upstream --- .../{release.yaml => publish_charts.yaml} | 0 .gitignore | 1 - README.md | 2 +- .../templates/mutatingadmissionwebhook.yaml | 2 +- deploy/certmanager.yaml | 49 ++++++----- deploy/clusterrolebinding.yaml | 2 +- deploy/deployment.yaml | 9 +- deploy/kustomization.yaml | 7 +- deploy/mutatingadmissionwebhook.yaml | 4 +- sleep-daemonset.yaml | 82 ------------------- 10 files changed, 38 insertions(+), 120 deletions(-) rename .github/workflows/{release.yaml => publish_charts.yaml} (100%) delete mode 100644 sleep-daemonset.yaml diff --git a/.github/workflows/release.yaml b/.github/workflows/publish_charts.yaml similarity index 100% rename from .github/workflows/release.yaml rename to .github/workflows/publish_charts.yaml diff --git a/.gitignore b/.gitignore index 21f2d31..2e8160e 100644 --- a/.gitignore +++ b/.gitignore @@ -20,4 +20,3 @@ build/_output bin/kustomize bin/node-specific-sizing deploy.yaml -build.yaml diff --git a/README.md b/README.md index 5f807df..1bdff3e 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,7 @@ Helps you resize pods created by a DaemonSet depending on the amount of allocata ### Install ```bash -helm repo add node-specific-sizing https://mlladb.github.io/kubernetes-node-specific-sizing/ +helm repo add node-specific-sizing https://manomanotech.github.io/kubernetes-node-specific-sizing/ helm repo update helm repo list helm install node-specific-sizing node-specific-sizing/node-specific-sizing --namespace node-specific-sizing --create-namespace diff --git a/charts/node-specific-sizing/templates/mutatingadmissionwebhook.yaml b/charts/node-specific-sizing/templates/mutatingadmissionwebhook.yaml index 0b7d11d..0dcb5fe 100644 --- a/charts/node-specific-sizing/templates/mutatingadmissionwebhook.yaml +++ b/charts/node-specific-sizing/templates/mutatingadmissionwebhook.yaml 
@@ -1,7 +1,7 @@ apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: - name: {{ include "chart.fullname" . }}-mutating-webhook-configuration + name: {{ include "chart.fullname" . }}-webhook annotations: cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/{{ include "chart.fullname" . }}-serving-cert' labels: diff --git a/deploy/certmanager.yaml b/deploy/certmanager.yaml index 2e6f91d..4bf0bae 100644 --- a/deploy/certmanager.yaml +++ b/deploy/certmanager.yaml 
@@ -1,52 +1,59 @@
kind: Issuer
apiVersion: cert-manager.io/v1
metadata:
- name: node-specific-sizing-ca-bootstrap
- namespace: node-specific-sizing
+ name: ca-bootstrap
+ namespace: kube-system
spec:
selfSigned: {}
---
kind: Certificate
apiVersion: cert-manager.io/v1
metadata:
- name: node-specific-sizing-ca-root
- namespace: node-specific-sizing
+ name: ca-root
+ namespace: kube-system
spec:
- secretName: node-specific-sizing-ca-root
+ secretName: ca-root
isCA: true
- commonName: node-specific-sizing-ca-root
+ commonName: ca-root
subject:
- countries: [ "AU" ]
- organizations: [ "Entain Internal" ]
+ countries: [ "FR" ]
+ organizations: [ "ManoMano Internal" ]
privateKey:
algorithm: RSA
size: 2048
issuerRef:
kind: Issuer
- name: node-specific-sizing-ca-bootstrap
+ name: ca-bootstrap
---
kind: Issuer
apiVersion: cert-manager.io/v1
metadata:
- name: node-specific-sizing-ca-root
- namespace: node-specific-sizing
+ name: ca-root
+ namespace: kube-system
spec:
ca:
- secretName: node-specific-sizing-ca-root
+ secretName: ca-root
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
+ labels:
+ app.kubernetes.io/component: certificate
+ app.kubernetes.io/created-by: kubernetes-node-specific-sizing
+ app.kubernetes.io/instance: serving-cert
+ app.kubernetes.io/managed-by: kustomize
+ app.kubernetes.io/name: certificate
+ app.kubernetes.io/part-of: kubernetes-node-specific-sizing
name: node-specific-sizing-serving-cert
- namespace: node-specific-sizing
+ namespace: kube-system
spec:
dnsNames:
- - node-specific-sizing.node-specific-sizing.svc
- - node-specific-sizing.node-specific-sizing.svc.cluster.local
+ - node-specific-sizing.kube-system.svc
+ - node-specific-sizing.kube-system.svc.cluster.local
issuerRef:
- name: node-specific-sizing-ca-root
+ name: ca-root
kind: Issuer
- secretName: node-specific-sizing-serving-cert
+ secretName: node-specific-sizing-cert
isCA: false
privateKey:
algorithm: RSA
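Review bot: The bootstrap Issuer, the CA Certificate and the CA Secret are renamed to bare `ca-bootstrap` / `ca-root` (and the client Secret to `client-cert` in the next hunk) at the same time as everything moves into the shared `kube-system` namespace; unprefixed names for a CA private-key Secret in the namespace every cluster add-on uses invite collisions with other components' Issuers and Secrets of the same kind, and the object name no longer says which component owns that key. Keep the component prefix the serving Certificate still carries, e.g. `name: node-specific-sizing-ca-root` and `secretName: node-specific-sizing-ca-root` (likewise for `ca-bootstrap` and `client-cert`), or at least record the decision with a comment above the first Issuer such as `# Issuer/CA names are intentionally unprefixed; they are shared within kube-system`. The `app.kubernetes.io/*` labels added to the serving Certificate would be worth adding to the CA objects as well so all four are attributable. Whether kube-system is the intended final home or a development convenience is not clear from the hunk.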
@@ -58,13 +65,13 @@ kind: Certificate
apiVersion: cert-manager.io/v1
metadata:
name: node-specific-sizing-client-cert
- namespace: node-specific-sizing
+ namespace: kube-system
spec:
issuerRef:
- name: node-specific-sizing-ca-root
+ name: ca-root
kind: Issuer
- commonName: api-server-client-cert-for-node-specific-sizing
- secretName: node-specific-sizing-client-cert
+ commonName: api-server-client-cert-for-node-specific-sizing.manomano.tech
+ secretName: client-cert
duration: 2160h
renewBefore: 360h
isCA: false
diff --git a/deploy/clusterrolebinding.yaml b/deploy/clusterrolebinding.yaml
index 02b1f80..0c6c0e4 100644
--- a/deploy/clusterrolebinding.yaml
+++ b/deploy/clusterrolebinding.yaml
@@ -11,4 +11,4 @@ roleRef:
subjects:
- kind: ServiceAccount
name: node-specific-sizing
- namespace: node-specific-sizing
+ namespace: kube-system
diff --git a/deploy/deployment.yaml b/deploy/deployment.yaml
index 76343d6..276e9c8 100644
--- a/deploy/deployment.yaml
+++ b/deploy/deployment.yaml
@@ -2,7 +2,6 @@ apiVersion: apps/v1
kind: Deployment
metadata:
name: node-specific-sizing
- namespace: node-specific-sizing
labels:
app: node-specific-sizing
spec:
@@ -19,7 +18,7 @@ spec:
terminationGracePeriodSeconds: 10
containers:
- name: node-specific-sizing
- image: ghcr.io/manomanotech/kubernetes-node-specific-sizing:sha-28e2a98
+ image: node-specific-sizing:latest
imagePullPolicy: IfNotPresent
env:
- name: POD_NAMESPACE
@@ -28,12 +27,12 @@ spec:
fieldPath: metadata.namespace
volumeMounts:
- mountPath: /tmp/k8s-webhook-server/serving-certs
- name: node-specific-sizing-serving-cert
+ name: cert
readOnly: true
securityContext:
runAsNonRoot: true
volumes:
- - name: node-specific-sizing-serving-cert
+ - name: cert
secret:
defaultMode: 420
- secretName: node-specific-sizing-serving-cert
+ secretName: node-specific-sizing-cert
diff --git a/deploy/kustomization.yaml b/deploy/kustomization.yaml
index 5a4094e..181dae6 100644
--- a/deploy/kustomization.yaml
+++ b/deploy/kustomization.yaml
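Review bot: `image: node-specific-sizing:latest` in deploy/deployment.yaml replaces the pinned `ghcr.io/manomanotech/kubernetes-node-specific-sizing:sha-28e2a98`, and together with the unchanged `imagePullPolicy: IfNotPresent` a mutable, registry-less tag means the manifest is no longer reproducible and a node keeps running whatever `latest` it already holds — for a webhook that mutates pods cluster-wide that is a supply-chain and rollback problem. If `deploy/` is now only for the local K3D playground the README describes, say so above the line, e.g. `# dev-only: make deploy / kustomize substitutes the locally built image here`; otherwise pin a registry-qualified immutable tag or digest, `image: ghcr.io/manomanotech/kubernetes-node-specific-sizing:<pinned-tag-or-digest>`. The enclosing container spec continues past the hunk.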
@@ -1,6 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
-namespace: node-specific-sizing
+namespace: kube-system
resources:
- certmanager.yaml
@@ -10,8 +10,3 @@ resources:
- serviceaccount.yaml
- mutatingadmissionwebhook.yaml
- service.yaml
-
-labels:
- - pairs:
- app: node-specific-sizing
- user: mark-lynch
\ No newline at end of file
diff --git a/deploy/mutatingadmissionwebhook.yaml b/deploy/mutatingadmissionwebhook.yaml
index b1301b0..44d5528 100644
--- a/deploy/mutatingadmissionwebhook.yaml
+++ b/deploy/mutatingadmissionwebhook.yaml
@@ -3,7 +3,7 @@ apiVersion: admissionregistration.k8s.io/v1
metadata:
name: node-specific-sizing
annotations:
- cert-manager.io/inject-ca-from: node-specific-sizing/node-specific-sizing-client-cert
+ cert-manager.io/inject-ca-from: kube-system/node-specific-sizing-client-cert
webhooks:
- name: node-specific-sizing.svc.cluster.local
objectSelector:
@@ -15,7 +15,7 @@ webhooks:
timeoutSeconds: 2
clientConfig:
service:
- namespace: node-specific-sizing
+ namespace: kube-system
name: node-specific-sizing
path: /mutate
rules:
diff --git a/sleep-daemonset.yaml b/sleep-daemonset.yaml
deleted file mode 100644
index 8f42764..0000000
--- a/sleep-daemonset.yaml
+++ /dev/null
@@ -1,82 +0,0 @@ -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: sleep-daemonset - namespace: node-specific-sizing - labels: - app: sleep -spec: - selector: - matchLabels: - app: sleep - template: - metadata: - labels: - app: sleep - node-specific-sizing.manomano.tech/enabled: "true" - annotations: - cluster-autoscaler.kubernetes.io/safe-to-evict: "true" - node-specific-sizing.manomano.tech/request-cpu-fraction: "0.1" - node-specific-sizing.manomano.tech/maximum-cpu: "1" - # node-specific-sizing.manomano.tech/limit-cpu-fraction: "0.1" - # node-specific-sizing.manomano.tech/request-memory-fraction: "0.8" - # node-specific-sizing.manomano.tech/limit-memory-fraction: "0.1" - # node-specific-sizing.manomano.tech/minimum-memory: 200Mi - node-specific-sizing.manomano.tech/request-memory-fraction: "0.1" - node-specific-sizing.manomano.tech/maximum-memory: 800Mi - spec: - terminationGracePeriodSeconds: 0 - priorityClassName: system-node-critical - nodeSelector: - kubernetes.io/os: linux - tolerations: - - effect: NoSchedule - operator: Exists - - effect: NoExecute - operator: Exists - # - effect: NoSchedule - # key: node.kubernetes.io/role - # operator: Exists - # - effect: NoSchedule - # key: node.kubernetes.io/arch - # operator: Exists - initContainers: - - name: fetch-instance-data - image: curlimages/curl:7.85.0 - command: - - "sh" - - "-c" - - | - echo "Fetching instance metadata..." 
- echo "Instance Type: $(curl -s http://169.254.169.254/latest/meta-data/instance-type)" - echo "CPU Details: $(grep -c ^processor /proc/cpuinfo) CPUs" - echo "Memory Details: $(grep MemTotal /proc/meminfo | awk '{print $2}') KiB" - resources: - requests: - cpu: 100m - memory: 100Mi - containers: - - name: sleep-a - image: alpine - command: - - "sleep" - - "infinity" - resources: - requests: - cpu: 100m - memory: 200Mi - # limits: - # cpu: 30m - # memory: 200Mi - - name: sleep-b - image: alpine - command: - - "sleep" - - "infinity" - resources: - requests: - cpu: 100m - memory: 600Mi - # limits: - # cpu: 270m - # memory: 1800Mi