feat: separate podlabels in controller-manager and audit deployment (#…

…3378)

Signed-off-by: Robert Bublik <mail@robertbublik.de>

cmd/build/helmify/main.go

@@ -133,19 +133,17 @@ func (ks *kindSet) Write() error {
  }
 
  if name == "gatekeeper-controller-manager" && kind == DeploymentKind {
+ obj = strings.Replace(obj, " labels:", " labels:\n {{- include \"gatekeeper.podLabels\" . | nindent 8 }}\n {{- include \"controllerManager.podLabels\" . | nindent 8 }}\n {{- include \"gatekeeper.commonLabels\" . | nindent 8 }}", 1)
  obj = strings.Replace(obj, " priorityClassName: system-cluster-critical", " {{- if .Values.controllerManager.priorityClassName }}\n priorityClassName: {{ .Values.controllerManager.priorityClassName }}\n {{- end }}", 1)
  }
 
  if name == "gatekeeper-audit" && kind == DeploymentKind {
  obj = "{{- if not .Values.disableAudit }}\n" + obj + "{{- end }}\n"
+ obj = strings.Replace(obj, " labels:", " labels:\n {{- include \"gatekeeper.podLabels\" . | nindent 8 }}\n {{- include \"audit.podLabels\" . | nindent 8 }}\n {{- include \"gatekeeper.commonLabels\" . | nindent 8 }}", 1)
  obj = strings.Replace(obj, " priorityClassName: system-cluster-critical", " {{- if .Values.audit.priorityClassName }}\n priorityClassName: {{ .Values.audit.priorityClassName }}\n {{- end }}", 1)
  obj = strings.Replace(obj, " - emptyDir: {}", " {{- if .Values.audit.writeToRAMDisk }}\n - emptyDir:\n medium: Memory\n {{ else }}\n - emptyDir: {}\n {{- end }}", 1)
  }
 
- if kind == DeploymentKind {
- obj = strings.Replace(obj, " labels:", " labels:\n {{- include \"gatekeeper.podLabels\" . | nindent 8 }}\n {{- include \"gatekeeper.commonLabels\" . | nindent 8 }}", 1)
- }
-
  if name == "gatekeeper-manager-role" && kind == "Role" {
  obj += "{{- with .Values.controllerManager.extraRules }}\n {{- toYaml . | nindent 0 }}\n{{- end }}\n"
  }

cmd/build/helmify/static/README.md

@@ -179,6 +179,7 @@ information._
 | image.pullSecrets | Specify an array of imagePullSecrets | `[]` |
 | resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi |
 | nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` |
+| controllerManager.podLabels | The labels to add to the controller manager pod | `{}` |
 | controllerManager.affinity | The node affinity to use for controller manager pod scheduling | `{}` |
 | controllerManager.topologySpreadConstraints | The topology spread constraints to use for controller manager pod scheduling | `[]` |
 | controllerManager.tolerations | The tolerations to use for controller manager pod scheduling | `[]` |
@@ -201,6 +202,7 @@ information._
 | controllerManager.networkPolicy.ingress | Additional ingress rules to be added to the controller manager network policy | `{}` |
 | controllerManager.strategyType | The strategy type to use for Controller Manager deployment | `RollingUpdate` |
 | controllerManager.strategyRollingUpdate | [RollingUpdate](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment) configuration for Controller Manager deployment | `{}` |
+| audit.podLabels | The labels to add to the audit pod | `{}` |
 | audit.affinity | The node affinity to use for audit pod scheduling | `{}` |
 | audit.topologySpreadConstraints | The topology spread constraints to use for audit pod scheduling | `[]` |
 | audit.tolerations | The tolerations to use for audit pod scheduling | `[]` |

cmd/build/helmify/static/templates/_helpers.tpl

@@ -40,6 +40,25 @@ Adds additional pod labels to the common ones
 {{- end }}
 {{- end -}}
 
+{{/*
+Adds additional controller-manager pod labels to the common ones
+*/}}
+{{- define "controllerManager.podLabels" -}}
+{{- if .Values.controllerManager.podLabels }}
+{{- toYaml .Values.controllerManager.podLabels }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Adds additional audit pod labels to the common ones
+*/}}
+{{- define "audit.podLabels" -}}
+{{- if .Values.audit.podLabels }}
+{{- toYaml .Values.audit.podLabels }}
+{{- end }}
+{{- end -}}
+
+
 {{/*
 Mandatory labels
 */}}

cmd/build/helmify/static/values.yaml

@@ -186,6 +186,7 @@ controllerManager:
  clientCertName: ""
  strategyType: RollingUpdate
  strategyRollingUpdate: {}
+ podLabels: {}
  affinity:
  podAntiAffinity:
  preferredDuringSchedulingIgnoredDuringExecution:
@@ -241,6 +242,7 @@ audit:
  livenessTimeout: 1
  priorityClassName: system-cluster-critical
  disableCertRotation: false
+ podLabels: {}
  affinity: {}
  tolerations: []
  nodeSelector: {kubernetes.io/os: linux}

manifest_staging/charts/gatekeeper/README.md

@@ -179,6 +179,7 @@ information._
 | image.pullSecrets | Specify an array of imagePullSecrets | `[]` |
 | resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi |
 | nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` |
+| controllerManager.podLabels | The labels to add to the controller manager pod | `{}` |
 | controllerManager.affinity | The node affinity to use for controller manager pod scheduling | `{}` |
 | controllerManager.topologySpreadConstraints | The topology spread constraints to use for controller manager pod scheduling | `[]` |
 | controllerManager.tolerations | The tolerations to use for controller manager pod scheduling | `[]` |
@@ -201,6 +202,7 @@ information._
 | controllerManager.networkPolicy.ingress | Additional ingress rules to be added to the controller manager network policy | `{}` |
 | controllerManager.strategyType | The strategy type to use for Controller Manager deployment | `RollingUpdate` |
 | controllerManager.strategyRollingUpdate | [RollingUpdate](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment) configuration for Controller Manager deployment | `{}` |
+| audit.podLabels | The labels to add to the audit pod | `{}` |
 | audit.affinity | The node affinity to use for audit pod scheduling | `{}` |
 | audit.topologySpreadConstraints | The topology spread constraints to use for audit pod scheduling | `[]` |
 | audit.tolerations | The tolerations to use for audit pod scheduling | `[]` |

manifest_staging/charts/gatekeeper/templates/_helpers.tpl

@@ -40,6 +40,25 @@ Adds additional pod labels to the common ones
 {{- end }}
 {{- end -}}
 
+{{/*
+Adds additional controller-manager pod labels to the common ones
+*/}}
+{{- define "controllerManager.podLabels" -}}
+{{- if .Values.controllerManager.podLabels }}
+{{- toYaml .Values.controllerManager.podLabels }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Adds additional audit pod labels to the common ones
+*/}}
+{{- define "audit.podLabels" -}}
+{{- if .Values.audit.podLabels }}
+{{- toYaml .Values.audit.podLabels }}
+{{- end }}
+{{- end -}}
+
+
 {{/*
 Mandatory labels
 */}}

manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml

@@ -35,6 +35,7 @@ spec:
  {{- end }}
  labels:
  {{- include "gatekeeper.podLabels" . | nindent 8 }}
+ {{- include "audit.podLabels" . | nindent 8 }}
  {{- include "gatekeeper.commonLabels" . | nindent 8 }}
  app: '{{ template "gatekeeper.name" . }}'
  chart: '{{ template "gatekeeper.name" . }}'

manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml

@@ -37,6 +37,7 @@ spec:
  {{- end }}
  labels:
  {{- include "gatekeeper.podLabels" . | nindent 8 }}
+ {{- include "controllerManager.podLabels" . | nindent 8 }}
  {{- include "gatekeeper.commonLabels" . | nindent 8 }}
  app: '{{ template "gatekeeper.name" . }}'
  chart: '{{ template "gatekeeper.name" . }}'

manifest_staging/charts/gatekeeper/values.yaml

@@ -186,6 +186,7 @@ controllerManager:
  clientCertName: ""
  strategyType: RollingUpdate
  strategyRollingUpdate: {}
+ podLabels: {}
  affinity:
  podAntiAffinity:
  preferredDuringSchedulingIgnoredDuringExecution:
@@ -241,6 +242,7 @@ audit:
  livenessTimeout: 1
  priorityClassName: system-cluster-critical
  disableCertRotation: false
+ podLabels: {}
  affinity: {}
  tolerations: []
  nodeSelector: {kubernetes.io/os: linux}