Helm chart update (#695)
<!--Thanks for your contribution. See [CONTRIBUTING](CONTRIBUTING.md)
    for Pulumi's contribution guidelines.

    Help us merge your changes more quickly by adding more details such
    as labels, milestones, and reviewers.-->

### Proposed changes

<!--Give us a brief description of what you've done and what it solves.
-->

Updates the Helm chart to install PKOv2, as similarly as possible to
`operator/config/default`.

Details:
- adds an aggregation role (view/edit) for the Pulumi API groups
- tweaks the controller's resources such that limits equal requests, in order
to have "Guaranteed" QoS
- exposes the metrics port and the fileserver port
- supports two rbac modes for the controller - ClusterRole and Role

To install:
```
helm upgrade --install pulumi-kubernetes-operator ./deploy/helm/pulumi-operator
```

### Related issues (optional)

Closes #684 

<!--Refer to related PRs or issues: #1234, or 'Fixes #1234' or 'Closes
#1234'.
Or link to full URLs to issues or pull requests in other GitHub
repositories. -->
EronWright authored Sep 27, 2024
1 parent 3c0c7a9 commit 388a7ee
Showing 17 changed files with 546 additions and 154 deletions.
4 changes: 2 additions & 2 deletions deploy/helm/pulumi-operator/Chart.yaml
Expand Up @@ -9,8 +9,8 @@ icon: https://www.pulumi.com/logos/brand/avatar-on-white.svg

type: application

version: 0.9.0
appVersion: 1.14.0
version: 2.0.0
appVersion: "v2.0-devel"

keywords:
- pulumi
196 changes: 185 additions & 11 deletions deploy/helm/pulumi-operator/templates/clusterrole.yaml
@@ -1,19 +1,193 @@
{{- if .Values.createClusterRole }}
{{- if and .Values.rbac.create .Values.rbac.createClusterRole }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "pulumi-kubernetes-operator.fullname" . }}
name: {{ include "pulumi-kubernetes-operator.fullname" . }}-controller-manager
labels:
{{- include "pulumi-kubernetes-operator.labels" . | nindent 4 }}
rules:
{{- if .Values.clusterRoleRules.enabled }}
{{- toYaml .Values.clusterRoleRules.rules | nindent 2 }}
{{- else }}
- apiGroups:
- '*'
resources:
- '*'
verbs:
- '*'
{{- if .Values.rbac.extraRules }}
{{- toYaml .Values.rbac.extraRules | nindent 2 }}
{{- end }}
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- update
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- get
- list
- watch
- apiGroups:
- apps
resources:
- statefulsets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- auto.pulumi.com
resources:
- updates
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- auto.pulumi.com
resources:
- updates/finalizers
verbs:
- update
- apiGroups:
- auto.pulumi.com
resources:
- updates/status
verbs:
- get
- patch
- update
- apiGroups:
- auto.pulumi.com
resources:
- workspaces
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- auto.pulumi.com
resources:
- workspaces/finalizers
verbs:
- update
- apiGroups:
- auto.pulumi.com
resources:
- workspaces/status
verbs:
- get
- patch
- update
- apiGroups:
- ""
resources:
- pods
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- services
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- pulumi.com
resources:
- programs
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- pulumi.com
resources:
- programs/finalizers
verbs:
- update
- apiGroups:
- pulumi.com
resources:
- programs/status
verbs:
- get
- patch
- update
- apiGroups:
- pulumi.com
resources:
- stacks
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- pulumi.com
resources:
- stacks/finalizers
verbs:
- update
- apiGroups:
- pulumi.com
resources:
- stacks/status
verbs:
- get
- patch
- update
- apiGroups:
- source.toolkit.fluxcd.io
resources:
- buckets
verbs:
- get
- list
- watch
- apiGroups:
- source.toolkit.fluxcd.io
resources:
- gitrepositories
verbs:
- get
- list
- watch
- apiGroups:
- source.toolkit.fluxcd.io
resources:
- ocirepositories
verbs:
- get
- list
- watch
{{- end }}
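Review bot: The previous chart's `createClusterRole` and `clusterRoleRules` values are no longer read anywhere in this template, so a release that had narrowed the controller's permissions through `clusterRoleRules.rules` will, on `helm upgrade`, silently receive the full default rule set below — including cluster-wide `get`/`list`/`watch` on Secrets and `create`/`delete` on Pods and Services — instead of an error. The bump to chart 2.0.0 signals an intended break, but a change that widens privileges should fail loudly rather than fall through. Adding `{{- if or (hasKey .Values "createClusterRole") (hasKey .Values "clusterRoleRules") }}` / `{{- fail "createClusterRole and clusterRoleRules were replaced by rbac.createClusterRole and rbac.extraRules in chart 2.0" }}` / `{{- end }}` at the top of the file does that; clusterrolebinding.yaml drops the same `createClusterRole` gate and would take the same guard.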
13 changes: 6 additions & 7 deletions deploy/helm/pulumi-operator/templates/clusterrolebinding.yaml
@@ -1,17 +1,16 @@
{{- if .Values.createClusterRole }}
{{- if and .Values.rbac.create .Values.rbac.createClusterRole }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "pulumi-kubernetes-operator.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "pulumi-kubernetes-operator.labels" . | nindent 4 }}
{{- include "pulumi-kubernetes-operator.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "pulumi-kubernetes-operator.fullname" . }}-controller-manager
subjects:
- kind: ServiceAccount
name: {{ include "pulumi-kubernetes-operator.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
roleRef:
kind: ClusterRole
name: {{ include "pulumi-kubernetes-operator.fullname" . }}
apiGroup: rbac.authorization.k8s.io
{{- end }}
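Review bot: The binding appears to keep `name: {{ include "pulumi-kubernetes-operator.fullname" . }}` while the ClusterRole it now references (and the Deployment) gained the `-controller-manager` suffix, so the two halves of the controller's RBAC no longer line up by name when listed with kubectl. If that metadata line is indeed unchanged on the new side, `name: {{ include "pulumi-kubernetes-operator.fullname" . }}-controller-manager` keeps the role, binding and workload consistently named; the markers are lost in this rendering, so confirm against the raw diff.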
75 changes: 40 additions & 35 deletions deploy/helm/pulumi-operator/templates/deployment.yaml
Expand Up @@ -5,28 +5,24 @@ metadata:
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "pulumi-kubernetes-operator.fullname" . }}
name: {{ include "pulumi-kubernetes-operator.fullname" . }}-controller-manager
labels:
{{- include "pulumi-kubernetes-operator.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.replicaCount }}
strategy:
type: {{ .Values.deploymentStrategy }}
type: {{ default "RollingUpdate" .Values.deploymentStrategy }}
selector:
matchLabels:
{{- include "pulumi-kubernetes-operator.selectorLabels" . | nindent 6 }}
app: {{ template "pulumi-kubernetes-operator.name" . }}
release: {{ .Release.Name }}
template:
metadata:
{{- with .Values.podAnnotations }}
annotations:
kubectl.kubernetes.io/default-container: manager
{{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
name: {{ template "pulumi-kubernetes-operator.name" . }}
app: {{ template "pulumi-kubernetes-operator.name" . }}
release: {{ .Release.Name }}
{{- include "pulumi-kubernetes-operator.selectorLabels" . | nindent 8 }}
{{- if .Values.podLabels }}
{{ toYaml .Values.podLabels | indent 8 }}
Expand All @@ -36,35 +32,36 @@ spec:
{{- if .Values.extraSidecars }}
{{- toYaml .Values.extraSidecars | nindent 8 }}
{{- end}}
- args:
{{- with .Values.controller.args }}
{{- toYaml . | nindent 10 }}
{{- end }}
- name: manager
command:
- /manager
args:
- --leader-elect
- --health-probe-bind-address=:8081
- --metrics-bind-address=:8383
- --program-fs-adv-addr=pulumi-kubernetes-operator.$(POD_NAMESPACE).svc.cluster.local
- --zap-log-level={{ .Values.controller.logLevel }}
- --zap-time-encoding=iso8601
env:
{{- if .Values.extraEnv }}
{{- toYaml .Values.extraEnv | nindent 8 }}
{{- end }}
- name: WATCH_NAMESPACE
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: OPERATOR_NAME
value: {{ include "pulumi-kubernetes-operator.name" . }}
- name: GRACEFUL_SHUTDOWN_TIMEOUT_DURATION
value: {{ .Values.controller.gracefulShutdownTimeoutDuration }}
- name: MAX_CONCURRENT_RECONCILES
value: {{ .Values.controller.maxConcurrentReconciles | quote }}
- name: PULUMI_INFER_NAMESPACE
value: {{ .Values.controller.pulumiInferNamespace | quote }}
- name: KUBERNETES_CLUSTER_DOMAIN
value: {{ .Values.controller.kubernetesClusterDomain }}
image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:v{{ .Values.image.tag | default .Chart.AppVersion }}"
ports:
- containerPort: 8383
name: http-metrics
protocol: TCP
- containerPort: 9090
name: http-fileserver
protocol: TCP
{{- if .Values.extraPorts }}
{{- toYaml .Values.extraPorts | nindent 8 }}
{{- end }}
image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
name: {{ .Chart.Name }}
{{- if .Values.securityContext }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
Expand All @@ -73,12 +70,22 @@ spec:
resources:
{{- toYaml .Values.resources | nindent 12 }}
{{- end }}
volumeMounts:
{{- with .Values.extraVolumeMounts }}
volumeMounts:
{{- toYaml . | nindent 8 }}
{{- end }}
- mountPath: /tmp
name: tmp-dir
livenessProbe:
httpGet:
path: /healthz
port: 8081
initialDelaySeconds: 15
periodSeconds: 20
readinessProbe:
httpGet:
path: /readyz
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
Expand Down Expand Up @@ -109,9 +116,7 @@ spec:
{{- toYaml . | nindent 6 }}
{{- end }}
{{- end }}
volumes:
{{- with .Values.extraVolumes }}
volumes:
{{- toYaml . | nindent 6 }}
{{- end }}
- emptyDir: {}
name: tmp-dir
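Review bot: `--program-fs-adv-addr=pulumi-kubernetes-operator.$(POD_NAMESPACE).svc.cluster.local` hard-codes both the Service name and the `cluster.local` suffix, so a release whose fullname is not `pulumi-kubernetes-operator`, or a cluster whose domain is set through `controller.kubernetesClusterDomain` (which the same container already exports as `KUBERNETES_CLUSTER_DOMAIN`), advertises a fileserver address that does not resolve — presumably leaving workspace pods unable to fetch programs. Assuming the chart's Service is named by the fullname helper, `- --program-fs-adv-addr={{ include "pulumi-kubernetes-operator.fullname" . }}.$(POD_NAMESPACE).svc.{{ .Values.controller.kubernetesClusterDomain }}` keeps the flag in step with the values the chart already takes. Separately, the `GRACEFUL_SHUTDOWN_TIMEOUT_DURATION` and `KUBERNETES_CLUSTER_DOMAIN` entries render their values unquoted while the neighbouring `MAX_CONCURRENT_RECONCILES` and `PULUMI_INFER_NAMESPACE` use `| quote`; a numeric-looking value would render as a YAML number and fail the EnvVar `value` string schema, so if those lines are on the new side they should use `| quote` as well. The Deployment spec continues outside the visible hunks.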
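--- /dev/null
+++ b/deploy/helm/pulumi-operator/templates/edit_clusterrole.yaml
@@ -0,0 +1,22 @@
+{{- if and .Values.rbac.create .Values.rbac.createClusterAggregationRoles }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+name: {{ include "pulumi-kubernetes-operator.fullname" . }}-edit
+labels:
+{{- include "pulumi-kubernetes-operator.labels" . | nindent 4 }}
+rbac.authorization.k8s.io/aggregate-to-admin: "true"
+rbac.authorization.k8s.io/aggregate-to-edit: "true"
+rules:
+- apiGroups:
+- pulumi.com
+- auto.pulumi.com
+resources:
+- '*'
+verbs:
+- create
+- delete
+- deletecollection
+- patch
+- update
+{{- end }}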
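Review bot: `resources: ['*']` in an RBAC rule also matches every subresource, so this aggregated role hands every `edit`/`admin` user `patch`/`update` on `stacks/status`, `programs/status`, `updates/status` and `workspaces/status` — the fields the controller itself writes — letting a namespace editor forge reconciliation results, whereas the kubebuilder-style editor roles this PR says it mirrors grant status only `get`. Enumerating the four top-level resources the controller ClusterRole manages (`stacks` and `programs` under `pulumi.com`, `updates` and `workspaces` under `auto.pulumi.com`) in place of `- '*'` keeps the write verbs off the status and finalizer subresources. Read verbs are absent here, so `edit`/`admin` users only see these objects if the companion view role also carries `rbac.authorization.k8s.io/aggregate-to-edit: "true"` (the built-in `edit` ClusterRole aggregates on that label alone); that file is not in this view, so worth confirming.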