CASMPET-6915: use newer plugin image and change it to daemonset (#107)
bo-quan authored Apr 5, 2024
1 parent ee4f3a9 commit de797ff
Showing 5 changed files with 18 additions and 52 deletions.
8 changes: 4 additions & 4 deletions kubernetes/cray-opa/Chart.yaml
@@ -1,7 +1,7 @@
#
# MIT License
#
# (C) Copyright 2022-2023 Hewlett Packard Enterprise Development LP
# (C) Copyright 2022-2024 Hewlett Packard Enterprise Development LP
#
# Permission is hereby granted, free of charge, to any person obtaining a
# copy of this software and associated documentation files (the "Software"),
Expand All @@ -23,7 +23,7 @@
#
apiVersion: v2
name: cray-opa
version: 1.32.9
version: 1.32.10
description: Cray Open Policy Agent
keywords:
- opa
Expand All @@ -33,9 +33,9 @@ sources:
maintainers:
- name: bo-quan
- name: ndavidson-hpe
appVersion: 0.52.0
appVersion: 0.62.0
annotations:
artifacthub.io/images: |-
- name: cray-opa
image: artifactory.algol60.net/csm-docker/stable/docker.io/openpolicyagent/opa:0.52.0-envoy-rootless
image: artifactory.algol60.net/csm-docker/stable/docker.io/openpolicyagent/opa:0.62.0-envoy-rootless
artifacthub.io/license: MIT
@@ -1,7 +1,7 @@
{{/*
MIT License

(C) Copyright 2021-2022 Hewlett Packard Enterprise Development LP
(C) Copyright 2021-2024 Hewlett Packard Enterprise Development LP

Permission is hereby granted, free of charge, to any person obtaining a
copy of this software and associated documentation files (the "Software"),
Expand All @@ -22,29 +22,28 @@ ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
OTHER DEALINGS IN THE SOFTWARE.
*/}}
{{- range $name, $options:= .Values.ingresses }}
{{ $uuid := uuidv4 }}
---
apiVersion: apps/v1
kind: Deployment
kind: DaemonSet
metadata:
name: cray-opa-{{ $name }}
namespace: {{ $.Release.Namespace }}
spec:
replicas: {{ $.Values.opa.replicas }}
strategy:
updateStrategy:
{{- $.Values.opa.strategy | toYaml | nindent 4}}
selector:
matchLabels:
daemonset: cray-opa-{{ $name }}
app.kubernetes.io/name: cray-opa-{{ $name }}
app.kubernetes.io/instance: {{ $.Release.Name }}
app.kubernetes.io/managed-by: {{ $.Release.Service }}
template:
metadata:
labels:
daemonset: cray-opa-{{ $name }}
app.kubernetes.io/name: cray-opa-{{ $name }}
app.kubernetes.io/instance: {{ $.Release.Name }}
app.kubernetes.io/managed-by: {{ $.Release.Service }}
deployment/uuid: {{ $uuid }}
spec:
containers:
- image: {{ $.Values.image.repository }}:{{ $.Values.image.tag }}
Expand Down Expand Up @@ -151,34 +150,6 @@ spec:
- configMap:
name: cray-configmap-ca-public-key
name: fetch-jwt-certs-ca-vol
affinity:
{{- if eq $.Values.affinity.default "preferred" }}
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- cray-opa-{{ $name }}
topologyKey: kubernetes.io/hostname
{{- end }}
{{- if eq $.Values.affinity.default "required" }}
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: deployment/uuid
operator: In
values:
- {{ $uuid }}
topologyKey: kubernetes.io/hostname
{{- end }}
{{ if $options.affinity }}
{{ toYaml $options.affinity | indent 8 }}
{{- end }}
nodeSelector:
{{ toYaml $.Values.nodeSelector | indent 8 }}
tolerations:
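Review bot: The per-ingress hook `{{ if $options.affinity }}{{ toYaml $options.affinity | indent 8 }}{{- end }}` is deleted together with the default anti-affinity rules, so any `affinity` key an entry under `ingresses` still carries in values.yaml is now silently ignored instead of rendered into the pod spec. Dropping the default `podAntiAffinity` blocks is reasonable once the workload is a DaemonSet (one pod per matching node), but the per-ingress override was independent of that and its removal is not mentioned in the commit title. If it is intentionally unsupported from now on, make the drop loud rather than silent, e.g. `{{- if $options.affinity }}{{ fail "ingresses[*].affinity is no longer supported" }}{{- end }}`, or say so in a comment next to `ingresses` in values.yaml. Note that as a DaemonSet the pods also pick up the controller-added tolerations (unschedulable/not-ready nodes), so `nodeSelector` is now the only placement constraint left; the enclosing `spec` continues outside the hunk.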
3 changes: 2 additions & 1 deletion kubernetes/cray-opa/templates/service.yaml
@@ -1,7 +1,7 @@
{{/*
MIT License

(C) Copyright 2021-2022 Hewlett Packard Enterprise Development LP
(C) Copyright 2021-2024 Hewlett Packard Enterprise Development LP

Permission is hereby granted, free of charge, to any person obtaining a
copy of this software and associated documentation files (the "Software"),
Expand Down Expand Up @@ -33,6 +33,7 @@ metadata:
app.kubernetes.io/instance: {{ $.Release.Name }}
app.kubernetes.io/managed-by: {{ $.Release.Service }}
spec:
internalTrafficPolicy: {{ $.Values.opa.internalTrafficPolicy }}
ports:
- name: http
port: {{ $.Values.opa.port }}
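Review bot: `internalTrafficPolicy: {{ $.Values.opa.internalTrafficPolicy }}` renders the value unquoted and with no guard, so a values override that unsets the key produces `internalTrafficPolicy:` (null) and the API server quietly defaults it to `Cluster`, the opposite of the node-local routing this change appears to rely on. Consider `internalTrafficPolicy: {{ required "opa.internalTrafficPolicy must be set" $.Values.opa.internalTrafficPolicy | quote }}` so a missing value fails at render time. With `Local`, a caller on a node that has no ready OPA pod gets no endpoint at all rather than being forwarded to another node; together with a DaemonSet rollout at `maxUnavailable: 1` that implies a short per-node window in which the ext_authz check cannot reach OPA, so the filter's failure mode (fail-closed vs fail-open) is worth confirming and documenting. The enclosing Service `spec` continues outside the hunk.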
4 changes: 2 additions & 2 deletions kubernetes/cray-opa/tests/opa/Dockerfile
@@ -1,7 +1,7 @@
#
# MIT License
#
# (C) Copyright 2021-2022 Hewlett Packard Enterprise Development LP
# (C) Copyright 2021-2024 Hewlett Packard Enterprise Development LP
#
# Permission is hereby granted, free of charge, to any person obtaining a
# copy of this software and associated documentation files (the "Software"),
Expand Down Expand Up @@ -37,7 +37,7 @@ RUN cd src/run_tests && go mod download
RUN cd src/run_tests && go build .
RUN ls src/run_tests

FROM artifactory.algol60.net/csm-docker/stable/docker.io/openpolicyagent/opa:0.52.0-envoy-rootless
FROM artifactory.algol60.net/csm-docker/stable/docker.io/openpolicyagent/opa:0.62.0-envoy-rootless
WORKDIR /tmp
COPY --from=builder --chown=1000:1000 /go/src/run_tests/run_tests .
COPY --chown=1000:1000 tests/opa/certificate_authority.crt /jwtValidationFetchTls/certificate_authority.crt
16 changes: 5 additions & 11 deletions kubernetes/cray-opa/values.yaml
@@ -1,7 +1,7 @@
#
# MIT License
#
# (C) Copyright 2021-2022 Hewlett Packard Enterprise Development LP
# (C) Copyright 2021-2024 Hewlett Packard Enterprise Development LP
#
# Permission is hereby granted, free of charge, to any person obtaining a
# copy of this software and associated documentation files (the "Software"),
Expand All @@ -24,7 +24,7 @@
---
image:
repository: artifactory.algol60.net/csm-docker/stable/docker.io/openpolicyagent/opa
tag: 0.52.0-envoy-rootless # When changing this, also update tests/opa//Dockerfile.
tag: 0.62.0-envoy-rootless # When changing this, also update tests/opa/Dockerfile and precache image.
pullPolicy: IfNotPresent

priorityClassName: csm-high-priority-service
Expand Down Expand Up @@ -89,7 +89,7 @@ ingresses:
issuers: []

opa:
replicas: 3
internalTrafficPolicy: Local
port: 9191
containerPort: 9191
loglevel: info
Expand All @@ -99,15 +99,14 @@ opa:
secret: ""
strategy:
rollingUpdate:
maxSurge: 100%
maxUnavailable: 25%
maxUnavailable: 1
type: RollingUpdate
resources:
requests:
memory: "128Mi"
cpu: "250m"
limits:
memory: "10Gi"
memory: "800Mi"
# Timeout defaults to 200ms if not specified. Setting it to 20s, an
# arbitrary long timeout, provides sufficient overhead to resolve
# CASMPET-1804/2570 "deadline exceeded" gRPC errors for the ext_authz filter.
Expand All @@ -126,11 +125,6 @@ opa:
heartbeat: false
tpmProvisioner: false

affinity:
# set default to 'preferred' for default preferred anti affinity rule
# set default to 'required' for default required anti affinity rule
default: required

jwtValidation:
keycloak:
jwksUri: "https://istio-ingressgateway.istio-system.svc.cluster.local./keycloak/realms/shasta/protocol/openid-connect/certs"
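Review bot: `internalTrafficPolicy: Local` is added without a comment, while the neighbouring `strategy` and timeout settings are explained, and it is the one value here whose effect is not obvious from the key. Suggest placing `# Local: Service traffic is routed only to the OPA pod on the caller's node (no cross-node fallback); the DaemonSet must therefore cover every node that hosts callers.` above it. The memory limit cut from `10Gi` to `800Mi` is likewise uncommented; whether that headroom suits the policy bundles loaded cannot be judged from this diff, so a one-line note on how the figure was chosen would help whoever next sees an OOMKilled pod. The `opa` mapping continues outside the hunk.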