add option to disable liveness and readiness probes #1218

Merged
merged 3 commits into from
Dec 5, 2023
3 changes: 2 additions & 1 deletion Tiltfile
Expand Up @@ -53,7 +53,8 @@ k8s_resource(
'kargo-api:configmap',
'kargo-api:secret',
'kargo-api:serviceaccount'
]
],
resource_deps=['dex-server']
)

k8s_resource(
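Review bot: `resource_deps=['dex-server']`, added to the resource that lists `kargo-api:configmap`, has no comment explaining it, and this same PR turns off the Dex probes in `values.dev.yaml`. With no readiness probe on the Dex pod, Kubernetes reports it ready as soon as its container is running, so the dependency only orders startup and does not guarantee Dex is serving when the API server comes up. A one-line comment above it stating the intent would help; if the API server really needs a live Dex at startup, the dependency and the disabled probe work against each other in the dev setup.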
2 changes: 2 additions & 0 deletions charts/kargo/README.md
Expand Up @@ -44,6 +44,7 @@ In the average case, these settings should be left alone.
| `api.resources` | Resources limits and requests for the api containers. | `{}` |
| `api.nodeSelector` | Node selector for api pods. | `{}` |
| `api.tolerations` | Tolerations for api pods. | `[]` |
| `api.probes.enabled` | Whether liveness and readiness probes should be included in the API server deployment. It is sometimes advantageous to disable these during local development. | `true` |
| `api.tls.enabled` | Whether to enable TLS directly on the API server. This is helpful if you do not intend to use an ingress controller or if you require TLS end-to-end. All other settings in this section will be ignored when this is set to `false`. | `true` |
| `api.tls.selfSignedCert` | Whether to generate a self-signed certificate for use by the API server. If `true`, `cert-manager` CRDs **must** be present in the cluster. Kargo will create and use its own namespaced issuer. If `false`, a cert secret named `kargo-api-cert` **must** be provided in the same namespace as Kargo. | `true` |
| `api.ingress.enabled` | Whether to enable ingress. By default, this is disabled. Enabling ingress is advanced usage. | `false` |
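Review bot: the new `api.probes.enabled` row says only that disabling is "sometimes advantageous" during local development and does not say what is given up. With the flag set to `false` the Deployment has neither probe, so Kubernetes will not restart a hung API container and will route traffic to a pod as soon as its container starts. Suggest adding a sentence to that effect and stating that the value should stay `true` outside local development; the same wording is reused for `api.oidc.dex.probes.enabled` and in the `@param` comments in `values.yaml`, so it should be updated in all of those places.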
Expand All @@ -67,6 +68,7 @@ In the average case, these settings should be left alone.
| `api.oidc.dex.image.repository` | Image repository of Dex | `ghcr.io/dexidp/dex` |
| `api.oidc.dex.image.tag` | Image tag for Dex. | `v2.37.0` |
| `api.oidc.dex.image.pullPolicy` | Image pull policy for Dex. | `IfNotPresent` |
| `api.oidc.dex.probes.enabled` | Whether liveness and readiness probes should be included in the Dex server deployment. It is sometimes advantageous to disable these during local development. | `true` |
| `api.oidc.dex.tls.selfSignedCert` | Whether to generate a self-signed certificate for use with Dex. If `true`, `cert-manager` CRDs **must** be present in the cluster. Kargo will create and use its own namespaced issuer. If `false`, a cert secret named `kargo-dex-server-cert` **must** be provided in the same namespace as Kargo. There is no provision for running Dex without TLS. | `true` |
| `api.oidc.dex.skipApprovalScreen` | Whether to skip Dex's own approval screen. Since upstream identity providers will already request user consent, this second approval screen from Dex can be both superfluous and confusing. | `true` |
| `api.oidc.dex.connectors` | Configure [Dex connectors](https://dexidp.io/docs/connectors/) to one or more upstream identity providers. | `[]` |
4 changes: 3 additions & 1 deletion charts/kargo/templates/api/deployment.yaml
Expand Up @@ -39,6 +39,7 @@ spec:
- name: h2c
containerPort: 8080
protocol: TCP
{{- if .Values.api.probes.enabled }}
livenessProbe:
exec:
command:
Expand All @@ -47,7 +48,7 @@ spec:
{{- if .Values.api.tls.enabled }}
- -tls
- -tls-no-verify
{{- end }}
{{- end }}
initialDelaySeconds: 10
readinessProbe:
exec:
Expand All @@ -59,6 +60,7 @@ spec:
- -tls-no-verify
{{- end }}
initialDelaySeconds: 5
{{- end }}
{{- if or .Values.kubeconfigSecrets.kargo (and .Values.api.oidc.enabled .Values.api.oidc.dex.enabled) .Values.api.tls.enabled }}
volumeMounts:
- mountPath: /etc/kargo
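Review bot: the `{{- end }}` added after the readiness probe's `initialDelaySeconds: 5` closes the `{{- if .Values.api.probes.enabled }}` opened about twenty lines earlier, with two nested `{{- if .Values.api.tls.enabled }}` blocks in between that close with an identical `{{- end }}`. A template comment on the outer one, for example `{{- end }} {{- /* api.probes.enabled */}}`, would make the pairing obvious to the next editor. It is also worth rendering the chart once with `helm template` and `--set api.probes.enabled=false` to confirm the container spec is still valid YAML when the whole block is dropped.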
2 changes: 2 additions & 0 deletions charts/kargo/templates/dex-server/deployment.yaml
Expand Up @@ -34,6 +34,7 @@ spec:
readOnly: true
resources:
{{- toYaml .Values.api.oidc.dex.resources | nindent 10 }}
{{- if .Values.api.oidc.dex.probes.enabled }}
livenessProbe:
httpGet:
path: /healthz/live
Expand All @@ -52,6 +53,7 @@ spec:
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 300
{{- end }}
volumes:
- name: config
projected:
6 changes: 6 additions & 0 deletions charts/kargo/values.yaml
Expand Up @@ -58,6 +58,9 @@ api:
nodeSelector: {}
## @param api.tolerations Tolerations for api pods.
tolerations: []
probes:
## @param api.probes.enabled Whether liveness and readiness probes should be included in the API server deployment. It is sometimes advantageous to disable these during local development.
enabled: true

tls:
## @param api.tls.enabled Whether to enable TLS directly on the API server. This is helpful if you do not intend to use an ingress controller or if you require TLS end-to-end. All other settings in this section will be ignored when this is set to `false`.
Expand Down Expand Up @@ -127,6 +130,9 @@ api:
tag: v2.37.0
## @param api.oidc.dex.image.pullPolicy Image pull policy for Dex.
pullPolicy: IfNotPresent
probes:
## @param api.oidc.dex.probes.enabled Whether liveness and readiness probes should be included in the Dex server deployment. It is sometimes advantageous to disable these during local development.
enabled: true

tls:
## @param api.oidc.dex.tls.selfSignedCert Whether to generate a self-signed certificate for use with Dex. If `true`, `cert-manager` CRDs **must** be present in the cluster. Kargo will create and use its own namespaced issuer. If `false`, a cert secret named `kargo-dex-server-cert` **must** be provided in the same namespace as Kargo. There is no provision for running Dex without TLS.
4 changes: 4 additions & 0 deletions values.dev.yaml
@@ -1,6 +1,8 @@
api:
logLevel: DEBUG
host: localhost:30081
probes:
enabled: false
adminAccount:
password: admin
tokenSigningKey: iwishtowashmyirishwristwatch
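Review bot: this file now turns off the API server probes in addition to carrying a fixed `adminAccount.password` and `tokenSigningKey`, and the hunk starts at line 1 with `api:`, so nothing in the file says what it is for. Suggest a leading comment marking `values.dev.yaml` as local-development only, so that these settings are not copied into a real install.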
Expand All @@ -12,5 +14,7 @@ api:
- id: mock
name: Example
type: mockCallback
probes:
enabled: false
controller:
logLevel: DEBUG