refactor: Adjust values.yaml file to be closer to listener-operator

Author: Techassi

Tiltfile

@@ -35,7 +35,7 @@ helm_crds, helm_non_crds = filter_yaml(
       name=operator_name,
       namespace="stackable-operators",
       set=[
-         'secretOperator.image.repository=' + registry + '/' + operator_name,
+         'image.repository=' + registry + '/' + operator_name,
       ],
    ),
    api_version = "^apiextensions\\.k8s\\.io/.*$",

deploy/helm/secret-operator/templates/controller-deployment.yaml

@@ -2,7 +2,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ include "operator.fullname" . }}-controller
+  name: {{ include "operator.fullname" . }}
   labels:
     {{- include "operator.labels" . | nindent 4 }}
 spec:
@@ -12,29 +12,29 @@ spec:
   template:
     metadata:
       annotations:
-        internal.stackable.tech/image: "{{ .Values.secretOperator.image.repository }}:{{ .Values.secretOperator.image.tag | default .Chart.AppVersion }}"
-        {{- with .Values.podAnnotations }}
+        internal.stackable.tech/image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+        {{- with .Values.controllerService.podAnnotations }}
           {{- toYaml . | nindent 8 }}
         {{- end }}
       labels:
         {{- include "operator.selectorLabels" . | nindent 8 }}
     spec:
-      {{- with .Values.imagePullSecrets }}
+      {{- with .Values.image.pullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       # NOTE (@Techassi): Does it maybe make sense to have two different service accounts?
       serviceAccountName: {{ include "operator.fullname" . }}-serviceaccount
       securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+        {{- toYaml .Values.controllerService.podSecurityContext | nindent 8 }}
       containers:
-        - name: {{ include "operator.appname" . }}-controller
+        - name: {{ include "operator.appname" . }}
           securityContext:
-            {{- toYaml .Values.secretOperator.securityContext | nindent 12 }}
-          image: "{{ .Values.secretOperator.image.repository }}:{{ .Values.secretOperator.image.tag | default .Chart.AppVersion }}"
-          imagePullPolicy: {{ .Values.secretOperator.image.pullPolicy }}
+            {{- toYaml .Values.controllerService.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
           resources:
-            {{ .Values.secretOperator.resources | toYaml | nindent 12 }}
+            {{ .Values.controllerService.resources | toYaml | nindent 12 }}
           # The arguments passed to the command being run in the container. The final command will
           # look like `secret-operator run controller [OPTIONS]`. The controller needs to only run
           # once in a Kubernetes cluster and as such is deployed as a Deployment with a single
@@ -80,18 +80,18 @@ spec:
               value: {{ .Values.kubernetesClusterDomain | quote }}
             {{- end }}
             {{- include "telemetry.envVars" . | nindent 12 }}
-      {{- with .Values.nodeSelector }}
+      {{- with .Values.controllerService.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.affinity }}
+      {{- with .Values.controllerService.affinity }}
       affinity:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.tolerations }}
+      {{- with .Values.controllerService.tolerations }}
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.priorityClassName }}
+      {{- with .Values.controllerService.priorityClassName }}
       priorityClassName: {{ . }}
       {{- end }}

deploy/helm/secret-operator/templates/csi-server-daemonset.yaml renamed to deploy/helm/secret-operator/templates/csi-node-driver-daemonset.yaml

@@ -2,7 +2,7 @@
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
-  name: {{ include "operator.fullname" . }}-csi-server
+  name: {{ include "operator.fullname" . }}-csi-node-driver
   labels:
     {{- include "operator.labels" . | nindent 4 }}
 spec:
@@ -12,8 +12,8 @@ spec:
   template:
     metadata:
       annotations:
-        internal.stackable.tech/image: "{{ .Values.secretOperator.image.repository }}:{{ .Values.secretOperator.image.tag | default .Chart.AppVersion }}"
-        {{- with .Values.podAnnotations }}
+        internal.stackable.tech/image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+        {{- with .Values.csiNodeDriver.podAnnotations }}
           {{- toYaml . | nindent 8 }}
         {{- end }}
       labels:
@@ -26,21 +26,21 @@ spec:
       # NOTE (@Techassi): Does it maybe make sense to have two different service accounts?
       serviceAccountName: {{ include "operator.fullname" . }}-serviceaccount
       securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+        {{- toYaml .Values.csiNodeDriver.podSecurityContext | nindent 8 }}
       containers:
-        - name: {{ include "operator.appname" . }}-csi-server
+        - name: csi-node-service
           securityContext:
-            {{- toYaml .Values.secretOperator.securityContext | nindent 12 }}
-          image: "{{ .Values.secretOperator.image.repository }}:{{ .Values.secretOperator.image.tag | default .Chart.AppVersion }}"
-          imagePullPolicy: {{ .Values.secretOperator.image.pullPolicy }}
+            {{- toYaml .Values.csiNodeDriver.nodeService.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
           resources:
-            {{ .Values.secretOperator.resources | toYaml | nindent 12 }}
+            {{ .Values.csiNodeDriver.nodeService.resources | toYaml | nindent 12 }}
           # The arguments passed to the command being run in the container. The final command will
           # look like `secret-operator run csi-server [OPTIONS]`. The CSI server needs to run on
           # every Kubernetes cluster node and as such is deployed as a DaemonSet.
           args:
             - run
-            - csi-server
+            - csi-node-service
           env:
             # The following env vars are passed as clap (think CLI) arguments to the operator.
             # They are picked up by clap using the structs defied in the operator.
@@ -50,7 +50,7 @@ spec:
             - name: CSI_ENDPOINT
               value: /csi/csi.sock
             - name: PRIVILEGED
-              value: {{ .Values.secretOperator.securityContext.privileged | quote }}
+              value: {{ .Values.csiNodeDriver.nodeService.securityContext.privileged | quote }}
 
             # Sometimes products need to know the operator image, e.g. the opa-bundle-builder OPA
             # sidecar uses the operator image.
@@ -88,32 +88,34 @@ spec:
             - name: csi
               mountPath: /csi
             - name: mountpoint
-              mountPath: {{ .Values.kubeletDir }}/pods
-              {{- if .Values.secretOperator.securityContext.privileged }}
+              mountPath: {{ .Values.csiNodeDriver.kubeletDir }}/pods
+              {{- if .Values.csiNodeDriver.nodeService.securityContext.privileged }}
               mountPropagation: Bidirectional
               {{- end }}
             - name: tmp
               mountPath: /tmp
+
         - name: external-provisioner
-          image: "{{ .Values.externalProvisioner.image.repository }}:{{ .Values.externalProvisioner.image.tag }}"
-          imagePullPolicy: {{ .Values.externalProvisioner.image.pullPolicy }}
+          image: "{{ .Values.csiNodeDriver.externalProvisioner.image.repository }}:{{ .Values.csiNodeDriver.externalProvisioner.image.tag }}"
+          imagePullPolicy: {{ .Values.csiNodeDriver.externalProvisioner.image.pullPolicy }}
           resources:
-            {{ .Values.externalProvisioner.resources | toYaml | nindent 12 }}
+            {{ .Values.csiNodeDriver.externalProvisioner.resources | toYaml | nindent 12 }}
           args:
             - --csi-address=/csi/csi.sock
             - --feature-gates=Topology=true
             - --extra-create-metadata
           volumeMounts:
             - name: csi
               mountPath: /csi
+
         - name: node-driver-registrar
-          image: "{{ .Values.nodeDriverRegistrar.image.repository }}:{{ .Values.nodeDriverRegistrar.image.tag }}"
-          imagePullPolicy: {{ .Values.nodeDriverRegistrar.image.pullPolicy }}
+          image: "{{ .Values.csiNodeDriver.nodeDriverRegistrar.image.repository }}:{{ .Values.csiNodeDriver.nodeDriverRegistrar.image.tag }}"
+          imagePullPolicy: {{ .Values.csiNodeDriver.nodeDriverRegistrar.image.pullPolicy }}
           resources:
-            {{ .Values.nodeDriverRegistrar.resources | toYaml | nindent 12 }}
+            {{ .Values.csiNodeDriver.nodeDriverRegistrar.resources | toYaml | nindent 12 }}
           args:
             - --csi-address=/csi/csi.sock
-            - --kubelet-registration-path={{ .Values.kubeletDir }}/plugins/secrets.stackable.tech/csi.sock
+            - --kubelet-registration-path={{ .Values.csiNodeDriver.kubeletDir }}/plugins/secrets.stackable.tech/csi.sock
           volumeMounts:
             - name: registration-sock
               mountPath: /registration
@@ -124,27 +126,27 @@ spec:
           hostPath:
             # node-driver-registrar appends a driver-unique filename to this path to avoid conflicts
             # see https://github.com/stackabletech/secret-operator/issues/229 for why this path should not be too long
-            path: {{ .Values.kubeletDir }}/plugins_registry
+            path: {{ .Values.csiNodeDriver.kubeletDir }}/plugins_registry
         - name: csi
           hostPath:
-            path: {{ .Values.kubeletDir }}/plugins/secrets.stackable.tech/
+            path: {{ .Values.csiNodeDriver.kubeletDir }}/plugins/secrets.stackable.tech/
         - name: mountpoint
           hostPath:
-            path: {{ .Values.kubeletDir }}/pods/
+            path: {{ .Values.csiNodeDriver.kubeletDir }}/pods/
         - name: tmp
           emptyDir: {}
-      {{- with .Values.nodeSelector }}
+      {{- with .Values.csiNodeDriver.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.affinity }}
+      {{- with .Values.csiNodeDriver.affinity }}
       affinity:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.tolerations }}
+      {{- with .Values.csiNodeDriver.tolerations }}
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.priorityClassName }}
+      {{- with .Values.csiNodeDriver.priorityClassName }}
       priorityClassName: {{ . }}
       {{- end }}

deploy/helm/secret-operator/values.yaml

@@ -1,39 +1,20 @@
 # Default values for secret-operator.
 ---
+# Used by both the Controller Service and Node Service containers
 image:
+  repository: oci.stackable.tech/sdp/listener-operator
+  # tag: 0.0.0-dev
+  pullPolicy: IfNotPresent
   pullSecrets: []
 
-externalProvisioner:
-  image:
-    repository: oci.stackable.tech/sdp/sig-storage/csi-provisioner
-    tag: v5.3.0
-    pullPolicy: IfNotPresent
-  resources:
-    requests:
-      cpu: 100m
-      memory: 128Mi
-    limits:
-      cpu: 100m
-      memory: 128Mi
-nodeDriverRegistrar:
-  image:
-    repository: oci.stackable.tech/sdp/sig-storage/csi-node-driver-registrar
-    tag: v2.15.0
-    pullPolicy: IfNotPresent
-  resources:
-    requests:
-      cpu: 100m
-      memory: 128Mi
-    limits:
-      cpu: 100m
-      memory: 128Mi
+controllerService:
+  podAnnotations: {}
+  podSecurityContext: {}
+    # fsGroup: 2000
+  nodeSelector: {}
+  tolerations: []
+  affinity: {}
 
-secretOperator:
-  image:
-    repository: oci.stackable.tech/sdp/secret-operator
-    # tag: 0.0.0-dev
-    pullPolicy: IfNotPresent
-  # Resources of the secret-operator container itself
   resources:
     limits:
       cpu: 100m
@@ -45,17 +26,76 @@ secretOperator:
   securityContext:
     # secret-operator requires root permissions
     runAsUser: 0
-    # It is strongly recommended to run secret-operator as a privileged container, since
-    # it enables additional protections for the secret contents.
-    # Unprivileged mode is EXPERIMENTAL and requires manual migration for an existing cluster.
-    privileged: true
     # capabilities:
     #   drop:
     #   - ALL
     # readOnlyRootFilesystem: true
     # runAsNonRoot: true
     # runAsUser: 1000
 
+csiNodeDriver:
+  # Kubelet dir may vary in environments such as microk8s.
+  # See https://github.com/stackabletech/secret-operator/issues/229
+  kubeletDir: /var/lib/kubelet
+
+  podAnnotations: {}
+  podSecurityContext: {}
+    # fsGroup: 2000
+  nodeSelector: {}
+  tolerations: []
+  affinity: {}
+
+  nodeService:
+    resources:
+      limits:
+        cpu: 100m
+        memory: 128Mi
+      requests:
+        cpu: 100m
+        memory: 128Mi
+
+    securityContext:
+      # secret-operator requires root permissions
+      runAsUser: 0
+      # It is strongly recommended to run secret-operator as a privileged container, since
+      # it enables additional protections for the secret contents.
+      # Unprivileged mode is EXPERIMENTAL and requires manual migration for an existing cluster.
+      privileged: true
+      # capabilities:
+      #   drop:
+      #   - ALL
+      # readOnlyRootFilesystem: true
+      # runAsNonRoot: true
+      # runAsUser: 1000
+
+  externalProvisioner:
+    image:
+      repository: oci.stackable.tech/sdp/sig-storage/csi-provisioner
+      tag: v5.3.0
+      pullPolicy: IfNotPresent
+      # NOTE (@Techassi): Support setting pullSecrets
+    resources:
+      requests:
+        cpu: 100m
+        memory: 128Mi
+      limits:
+        cpu: 100m
+        memory: 128Mi
+
+  nodeDriverRegistrar:
+    image:
+      repository: oci.stackable.tech/sdp/sig-storage/csi-node-driver-registrar
+      tag: v2.15.0
+      pullPolicy: IfNotPresent
+      # NOTE (@Techassi): Support setting pullSecrets
+    resources:
+      requests:
+        cpu: 100m
+        memory: 128Mi
+      limits:
+        cpu: 100m
+        memory: 128Mi
+
 nameOverride: ""
 fullnameOverride: ""
 
@@ -68,30 +108,11 @@ serviceAccount:
   # If not set and create is true, a name is generated using the fullname template
   name: ""
 
-podAnnotations: {}
-
 # Provide additional labels which get attached to all deployed resources
 labels:
   stackable.tech/vendor: Stackable
 
-podSecurityContext: {}
-  # fsGroup: 2000
-
-nodeSelector: {}
-
-tolerations: []
-
-affinity: {}
-
-# priorityClassName: ...
-
-# When running on a non-default Kubernetes cluster domain, the cluster domain can be configured here.
-# See the https://docs.stackable.tech/home/stable/guides/kubernetes-cluster-domain guide for details.
-# kubernetesClusterDomain: my-cluster.local
-
-# Kubelet dir may vary in environments such as microk8s, see https://github.com/stackabletech/secret-operator/issues/229
-kubeletDir: /var/lib/kubelet
-
+# Customize default custom resources deployed by the operator
 secretClasses:
   tls:
     # The namespace that the TLS Certificate Authority is installed into.