feat: configure excluded propagate labels/annotations
erikgb committed Jun 30, 2024
1 parent 45087b2 commit 8829a67
Showing 8 changed files with 125 additions and 38 deletions.
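--- a/charts/accurate/README.md
+++ b/charts/accurate/README.md
@@ -53,21 +53,23 @@ $ helm install --create-namespace --namespace accurate accurate -f values.yaml a
 
 ## Values
 
-| Key | Type | Default | Description |
-| ---------------------------------------- | ------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| controller.additionalRBAC.rules | list | `[]` | Specify the RBAC rules to be added to the controller. ClusterRole and ClusterRoleBinding are created with the names `{{ release name }}-additional-resources`. The rules defined here will be used for the ClusterRole rules. |
-| controller.additionalRBAC.clusterRoles | list | `[]` | Specify additional ClusterRoles to be granted to the accurate controller. "admin" is recommended to allow the controller to manage common namespace-scoped resources. |
-| controller.config.annotationKeys | list | `[]` | Annotations to be propagated to sub-namespaces. It is also possible to specify a glob pattern that can be interpreted by Go's "path.Match" func. |
-| controller.config.labelKeys | list | `[]` | Labels to be propagated to sub-namespaces. It is also possible to specify a glob pattern that can be interpreted by Go's "path.Match" func. |
-| controller.config.watches | list | `[{"group":"rbac.authorization.k8s.io","kind":"Role","version":"v1"},{"group":"rbac.authorization.k8s.io","kind":"RoleBinding","version":"v1"},{"kind":"Secret","version":"v1"}]` | List of GVK for namespace-scoped resources that can be propagated. Any namespace-scoped resource is allowed. |
-| controller.extraArgs | list | `[]` | Optional additional arguments. |
-| controller.replicas | int | `2` | Specify the number of replicas of the controller Pod. |
-| controller.resources | object | `{"requests":{"cpu":"100m","memory":"20Mi"}}` | Specify resources. |
-| controller.terminationGracePeriodSeconds | int | `10` | Specify terminationGracePeriodSeconds. |
-| image.pullPolicy | string | `nil` | Accurate image pullPolicy. |
-| image.repository | string | `"ghcr.io/cybozu-go/accurate"` | Accurate image repository to use. |
-| image.tag | string | `{{ .Chart.AppVersion }}` | Accurate image tag to use. |
-| installCRDs | bool | `true` | Controls if CRDs are automatically installed and managed as part of your Helm release. |
+| Key | Type | Default | Description |
+|--------------------------------------------------|--------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| controller.additionalRBAC.rules | list | `[]` | Specify the RBAC rules to be added to the controller. ClusterRole and ClusterRoleBinding are created with the names `{{ release name }}-additional-resources`. The rules defined here will be used for the ClusterRole rules. |
+| controller.additionalRBAC.clusterRoles | list | `[]` | Specify additional ClusterRoles to be granted to the accurate controller. "admin" is recommended to allow the controller to manage common namespace-scoped resources. |
+| controller.config.annotationKeys | list | `[]` | Annotations to be propagated to sub-namespaces. It is also possible to specify a glob pattern that can be interpreted by Go's "path.Match" func. |
+| controller.config.labelKeys | list | `[]` | Labels to be propagated to sub-namespaces. It is also possible to specify a glob pattern that can be interpreted by Go's "path.Match" func. |
+| controller.config.watches | list | `[{"group":"rbac.authorization.k8s.io","kind":"Role","version":"v1"},{"group":"rbac.authorization.k8s.io","kind":"RoleBinding","version":"v1"},{"kind":"Secret","version":"v1"}]` | List of GVK for namespace-scoped resources that can be propagated. Any namespace-scoped resource is allowed. |
+| controller.config.propagateAnnotationKeyExcludes | list | `["*kubernetes.io/*"]` | Annotations to exclude when propagating resources. It is also possible to specify a glob pattern that can be interpreted by Go's "path.Match" func. |
+| controller.config.propagateLabelKeyExcludes | list | `["*kubernetes.io/*"]` | Labels to exclude when propagating resources. It is also possible to specify a glob pattern that can be interpreted by Go's "path.Match" func. |
+| controller.extraArgs | list | `[]` | Optional additional arguments. |
+| controller.replicas | int | `2` | Specify the number of replicas of the controller Pod. |
+| controller.resources | object | `{"requests":{"cpu":"100m","memory":"20Mi"}}` | Specify resources. |
+| controller.terminationGracePeriodSeconds | int | `10` | Specify terminationGracePeriodSeconds. |
+| image.pullPolicy | string | `nil` | Accurate image pullPolicy. |
+| image.repository | string | `"ghcr.io/cybozu-go/accurate"` | Accurate image repository to use. |
+| image.tag | string | `{{ .Chart.AppVersion }}` | Accurate image tag to use. |
+| installCRDs | bool | `true` | Controls if CRDs are automatically installed and managed as part of your Helm release. |
 
 ## Generate Manifests
 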
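--- a/charts/accurate/templates/configmap.yaml
+++ b/charts/accurate/templates/configmap.yaml
@@ -21,5 +21,11 @@ data:
 {{- end }}
 watches: {{ toYaml .Values.controller.config.watches | nindent 6 }}
 {{- with .Values.controller.config.namingPolicies }}
+{{- with .Values.controller.config.propagateLabelKeyExcludes }}
+propagateLabelKeyExcludes: {{ toYaml . | nindent 6 }}
+{{- end }}
+{{- with .Values.controller.config.propagateAnnotationKeyExcludes }}
+propagateAnnotationKeyExcludes: {{ toYaml . | nindent 6 }}
+{{- end }}
 namingPolicies: {{ toYaml . | nindent 6 }}
 {{- end }}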
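Review bot: As rendered here, the two new `with` blocks sit after the `{{- with .Values.controller.config.namingPolicies }}` line and before `namingPolicies:`, which places them inside that block. Inside a `with`, `.` is rebound to the namingPolicies value, so `.Values.controller.config.propagateLabelKeyExcludes` no longer resolves against the chart root, and when namingPolicies is empty the whole block, both exclude lists included, is skipped. If that ordering is what was committed, the exclude lists an operator sets would not reach the controller config. Move both blocks above the `{{- with .Values.controller.config.namingPolicies }}` line, or reference `$.Values.controller.config...` inside it. Indentation is lost in this view, so confirm the nesting against the file itself.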
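--- a/charts/accurate/values.yaml
+++ b/charts/accurate/values.yaml
@@ -68,6 +68,18 @@ controller:
 - version: v1
 kind: ResourceQuota
 
+# controller.config.propagateLabelKeyExcludes -- Labels to exclude when propagating resources.
+# It is also possible to specify a glob pattern that can be interpreted by Go's "path.Match" func.
+## https://pkg.go.dev/path#Match
+propagateLabelKeyExcludes:
+- '*kubernetes.io/*'
+
+# controller.config.propagateAnnotationKeyExcludes -- Annotations to exclude when propagating resources.
+# It is also possible to specify a glob pattern that can be interpreted by Go's "path.Match" func.
+## https://pkg.go.dev/path#Match
+propagateAnnotationKeyExcludes:
+- '*kubernetes.io/*'
+
 # controller.config.namingPolicies -- List of nameing policy for SubNamespaces.
 # root and match are both regular expressions.
 # When a SubNamespace is created in a tree starting from a root namespace and the root namespace's name matches the "root" regular expression, the SubNamespace name is validated with the "match" regular expression.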
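Review bot: The comments above `propagateLabelKeyExcludes` and `propagateAnnotationKeyExcludes` point at path.Match but do not say what the default pattern actually covers. In path.Match, `*` never matches `/`, so `'*kubernetes.io/*'` covers keys such as `app.kubernetes.io/name` but not keys under other prefixes, for example ones ending in `k8s.io/`. I would add a line such as `# "*" never matches "/"; the default only covers <prefix>kubernetes.io/<name> keys, add further patterns for other prefixes.` It would also help to state what an empty list does, since the `with` guard in configmap.yaml drops an empty list from the rendered config and the controller's fallback is not visible here.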
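--- a/cmd/accurate-controller/sub/run.go
+++ b/cmd/accurate-controller/sub/run.go
@@ -109,6 +109,10 @@ func subMain(ns, addr string, port int) error {
 })
 }
 
+cloner := controllers.ResourceCloner{
+LabelKeyExcludes: cfg.PropagateLabelKeyExcludes,
+AnnotationKeyExcludes: cfg.PropagateAnnotationKeyExcludes,
+}
 dec := admission.NewDecoder(scheme)
 
 // Namespace reconciler & webhook
@@ -117,6 +121,7 @@ func subMain(ns, addr string, port int) error {
 }
 if err := (&controllers.NamespaceReconciler{
 Client: mgr.GetClient(),
+ResourceCloner: cloner,
 LabelKeys: cfg.LabelKeys,
 AnnotationKeys: cfg.AnnotationKeys,
 SubNamespaceLabelKeys: cfg.SubNamespaceLabelKeys,
@@ -142,7 +147,7 @@ func subMain(ns, addr string, port int) error {
 if err := indexing.SetupIndexForResource(ctx, mgr, res); err != nil {
 return fmt.Errorf("failed to setup indexer for %s: %w", res.GroupVersionKind().String(), err)
 }
-if err := controllers.NewPropagateController(res).SetupWithManager(mgr); err != nil {
+if err := controllers.NewPropagateController(res, cloner).SetupWithManager(mgr); err != nil {
 return fmt.Errorf("unable to create %s controller: %w", res.GroupVersionKind().String(), err)
 }
 logger.Info("watching", "gvk", res.GroupVersionKind().String())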
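Review bot: The exclude patterns go from `cfg.PropagateLabelKeyExcludes` and `cfg.PropagateAnnotationKeyExcludes` straight into `controllers.ResourceCloner`, with no check visible in these hunks. path.Match reports a malformed pattern (`path.ErrBadPattern`) only when it is evaluated, so a typo in the config could surface at reconcile time, or be treated as "no match" and let a key through, depending on how the cloner handles the error (not shown here). If config validation elsewhere does not already cover it, reject bad patterns at startup by running `if _, err := path.Match(p, ""); err != nil { return fmt.Errorf("invalid exclude pattern %q: %w", p, err) }` over each pattern. subMain starts and ends outside these hunks.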
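--- a/controllers/namespace_controller.go
+++ b/controllers/namespace_controller.go
@@ -26,6 +26,7 @@ import (
 // NamespaceReconciler reconciles a Namespace object
 type NamespaceReconciler struct {
 client.Client
+ResourceCloner
 LabelKeys []string
 AnnotationKeys []string
 SubNamespaceLabelKeys []string
@@ -229,7 +230,7 @@ func (r *NamespaceReconciler) propagateCreate(ctx context.Context, res *unstruct
 return err
 }
 
-if err := r.Create(ctx, cloneResource(res, ns)); err != nil {
+if err := r.Create(ctx, r.cloneResource(res, ns)); err != nil {
 return utilerrors.Ignore(err, utilerrors.IsNamespaceTerminating)
 }
 
@@ -249,14 +250,14 @@ func (r *NamespaceReconciler) propagateUpdate(ctx context.Context, res *unstruct
 if !apierrors.IsNotFound(err) {
 return err
 }
-if err := r.Create(ctx, cloneResource(res, ns)); err != nil {
+if err := r.Create(ctx, r.cloneResource(res, ns)); err != nil {
 return utilerrors.Ignore(err, utilerrors.IsNamespaceTerminating)
 }
 logger.Info("created a resource", "namespace", ns, "name", res.GetName(), "gvk", gvk.String())
 return nil
 }
 
-c2 := cloneResource(res, ns)
+c2 := r.cloneResource(res, ns)
 
 // Ensure that managed fields are upgraded to SSA before the following SSA.
 // TODO(migration): This code could be removed after a couple of releases.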
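Review bot: The embedded `ResourceCloner` in `NamespaceReconciler` carries no comment, and embedding promotes its `LabelKeyExcludes` and `AnnotationKeyExcludes` fields right next to `LabelKeys` and `AnnotationKeys`, which by the chart docs govern what is propagated to sub-namespaces rather than what is stripped from propagated resources. A short comment would keep the two apart, e.g. `// ResourceCloner holds the label/annotation exclude patterns applied when cloning propagated resources.` A named field (`Cloner ResourceCloner`) would avoid the promoted names altogether, at the cost of writing `r.Cloner.cloneResource(...)` at the three call sites. The struct and both propagate functions continue outside the hunks.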