Skip to content

Commit

Permalink
Implements general chart improvements (#13)
Browse files Browse the repository at this point in the history
* Avoid unnecessary restarts at new helm version: The ConfigMap where the config is stored, contains labels. The labels contains the version of the helm chart. If there is a new helm chart version, the pod gets restarted, too. It doesnt matter, if its necessary or not. To solve this, I moved the config to a named templated which can be sourced from the config map and the hash annotation. I contribute this pattern to many helm charts: ([promtail] Avoid unnecessary pod restart on each helm chart version grafana/helm-charts#2833, [bitnami/kubernetes-event-exporter] Avoid unnecessary pod restart on each helm chart version bitnami/charts#21489, [prometheus-blackbox-exporter] Avoid unnecessary pod restart on each helm chart version prometheus-community/helm-charts#4077, helm: Avoid unnecessary pod restart on each helm chart version kubernetes-sigs/external-dns#4103)
* Added securityContexts to container and pod. They contains the current best-practice. The settings are required to run kubelint together with PSA restricted.
* Added automountServiceAccountToken to the Deployment and ServiceAccount. A lot of security tools hightlight automountServiceAccountToken=true on a ServiceAccount as insecure. The best-practice is to set automountServiceAccountToken=false on a ServiceAccount and do automountServiceAccountToken=true on the Deployment. Ref: https://securecloud.blog/2021/08/17/azure-aks-reviewing-recommendations-from-security-center-disabling-automounting-api-credentials
* Added nodeSelector, affinity, tolerations, priorityClassName
Pass .Values.config, .Values.ingress.hosts.hosts through helm tpl function: If kubelint is part of a bigger umbrella helm chart, values from .Values.global can be re-used. It's also useful for the namespace option
* Adds configurable readinessProbe to deployment
* Bumps chart version number
  • Loading branch information
jkroepke authored Mar 1, 2024
1 parent 60d518b commit e00efaa
Show file tree
Hide file tree
Showing 8 changed files with 100 additions and 12 deletions.
2 changes: 1 addition & 1 deletion charts/kubetail/Chart.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ keywords:
- private
- realtime
type: application
version: 0.2.8
version: 0.3.0
appVersion: "0.1.9"
home: https://github.com/kubetail-org/kubetail
maintainers:
Expand Down
11 changes: 11 additions & 0 deletions charts/kubetail/templates/_helpers.tpl
Original file line number Diff line number Diff line change
Expand Up @@ -88,3 +88,14 @@ ServiceAccount name
{{- define "kubetail.serviceAccountName" -}}
{{ if .Values.serviceAccount.name }}{{ .Values.serviceAccount.name }}{{ else }}{{ include "kubetail.fullname" . }}{{ end }}
{{- end }}

{{/*
config
*/}}
{{- define "kubetail.config" -}}
addr: :{{ .Values.deployment.containerPort }}
auth-mode: {{ .Values.authMode }}
{{- with .Values.config }}
{{- tpl (toYaml .) $ | nindent 0 }}
{{- end }}
{{- end }}
7 changes: 2 additions & 5 deletions charts/kubetail/templates/config-map.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -7,8 +7,5 @@ metadata:
{{- include "kubetail.labels" $ | nindent 4 }}
data:
config.yaml: |
addr: :{{ .Values.deployment.containerPort }}
auth-mode: {{ .Values.authMode }}
{{- with .Values.config }}
{{ toYaml . | indent 4 }}
{{- end }}
{{- include "kubetail.config" $ | nindent 4 }}
35 changes: 33 additions & 2 deletions charts/kubetail/templates/deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -16,14 +16,22 @@ spec:
labels:
{{- include "kubetail.labels" $ | nindent 8 }}
annotations:
checksum/config: {{ include (print $.Template.BasePath "/config-map.yaml") . | sha256sum }}
checksum/config: {{ include "kubetail.config" . | sha256sum }}
{{- with .Values.deployment.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
automountServiceAccountToken: {{ .Values.deployment.automountServiceAccountToken }}
{{- if eq .Values.authMode "cluster" }}
serviceAccountName: {{ include "kubetail.serviceAccountName" . }}
{{- end }}
securityContext:
{{- toYaml .Values.deployment.podSecurityContext | nindent 8 }}
containers:
- name: kubetail
image: {{ .Values.image.registry }}:{{ default .Chart.AppVersion .Values.image.tag }}
securityContext:
{{- toYaml .Values.deployment.securityContext | nindent 10 }}
{{- if .Values.image.pullPolicy }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- end }}
Expand All @@ -35,9 +43,17 @@ spec:
{{- range .Values.deployment.args }}
- {{ . }}
{{- end }}
{{- if .Values.deployment.livenessProbe.enabled }}
{{- with .Values.deployment.livenessProbe }}
livenessProbe:
{{- toYaml . | nindent 10 }}
{{- toYaml (omit . "enabled") | nindent 10 }}
{{- end }}
{{- end }}
{{- if .Values.deployment.readinessProbe.enabled }}
{{- with .Values.deployment.readinessProbe }}
readinessProbe:
{{- toYaml (omit . "enabled") | nindent 10 }}
{{- end }}
{{- end }}
{{- with .Values.deployment.resources }}
resources:
Expand All @@ -47,6 +63,21 @@ spec:
- name: config
mountPath: /etc/kubetail
readOnly: true
{{- with .Values.deployment.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.deployment.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.deployment.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.deployment.priorityClassName }}
priorityClassName: {{ . }}
{{- end }}
volumes:
- name: config
configMap:
Expand Down
6 changes: 3 additions & 3 deletions charts/kubetail/templates/ingress.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ metadata:
spec:
rules:
{{- range $ing.hosts }}
- host: {{ .host }}
- host: {{ tpl .host $ }}
http:
paths:
{{- range .paths }}
Expand All @@ -29,9 +29,9 @@ spec:
{{- range . }}
- hosts:
{{- range .hosts }}
- {{ . }}
- {{ tpl . $ }}
{{- end }}
secretName: {{ if $ing.secretName }}{{ $ing.secretName }}{{ else }}{{ include "kubetail.fullname" $ }}{{ end }}
secretName: {{ if $ing.secretName }}{{ tpl $ing.secretName $ }}{{ else }}{{ include "kubetail.fullname" $ }}{{ end }}
{{- end }}
{{- end }}
{{- end }}
7 changes: 7 additions & 0 deletions charts/kubetail/templates/service-account.yaml
Original file line number Diff line number Diff line change
@@ -1,7 +1,14 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
metadata:
{{- if .Values.serviceAccount.annotations }}
annotations:
{{- toYaml .Values.serviceAccount.annotations | nindent 4 }}
{{- end }}
{{- include "kubetail.metadataNamespace" $ | nindent 2 }}
name: {{ include "kubetail.serviceAccountName" . }}
labels:
{{- include "kubetail.labels" $ | nindent 4 }}
{{- end }}
6 changes: 6 additions & 0 deletions charts/kubetail/templates/service.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -5,10 +5,16 @@ metadata:
name: {{ if .Values.service.name }}{{ .Values.service.name }}{{ else }}{{ include "kubetail.fullname" . }}{{ end }}
labels:
{{- include "kubetail.labels" $ | nindent 4 }}
{{- if .Values.service.annotations }}
annotations:
{{- toYaml .Values.service.annotations | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.service.type }}
selector:
{{- include "kubetail.selectorLabels" $ | nindent 4 }}
ports:
- port: {{ .Values.service.port }}
name: kubetail
targetPort: kubetail
appProtocol: http
38 changes: 37 additions & 1 deletion charts/kubetail/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,17 @@ deployment:
args:
- --config=/etc/kubetail/config.yaml
livenessProbe:
enabled: true
httpGet:
scheme: HTTP
path: /healthz
port: 4000
initialDelaySeconds: 30
timeoutSeconds: 30
periodSeconds: 10
failureThreshold: 3
readinessProbe:
enabled: true
httpGet:
scheme: HTTP
path: /healthz
Expand All @@ -77,16 +88,41 @@ deployment:
requests:
cpu: 100m
memory: 100Mi
automountServiceAccountToken: true
podAnnotations: {}
podSecurityContext:
runAsUser: 10001
runAsGroup: 10001
fsGroup: 10001
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault

securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
affinity: {}
nodeSelector:
kubernetes.io/os: linux
tolerations: {}
priorityClassName: ""

# service options
service:
annotations: {}
name:
type: ClusterIP
port: 4000

# service-account options
serviceAccount:
name:
create: true
annotations: {}
name: ""
automountServiceAccountToken: false

# ingress options
ingress:
Expand Down

0 comments on commit e00efaa

Please sign in to comment.