Leverage Helm values in templates (#251)

* Leverage Helm values in templates - A number of variables exist in values.yaml that are not leveraged at all in the deployment templates, such as: - Resources - Service Account - Affinity - Tolerations - Security Context - Updated the templates to leverage values that were already possible, as well as adding support for image.version * Leverage the svc name pattern for client lookup as well * Use a Secret to store S3 keys in K8S deployment - Passing the access and secret keys directly as environment variables can inadvertently leak them in a multitenant system, as anyone with the `view` ClusterRole or higher on the namespace will have the ability to read the spec of the `Job`. - Instead, create a secret with the keys and mount them as environment variables from there. --------- Co-authored-by: Harshavardhana <harsha@minio.io>
minio · Oct 19, 2023 · 9449191 · 9449191
1 parent 4855f46
commit 9449191
Show file tree

Hide file tree

Showing 5 changed files with 79 additions and 21 deletions.
diff --git a/k8s/helm/templates/_helpers.tpl b/k8s/helm/templates/_helpers.tpl
@@ -31,6 +31,13 @@ Create chart name and version as used by the chart label.
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
+{{/*
+Set the image tag to use.
+*/}}
+{{- define "warp.imageVersion" -}}
+{{- default .Chart.AppVersion .Values.image.version -}}
+{{- end -}}
+
 {{/*
 Common labels
 */}}

diff --git a/k8s/helm/templates/job.yaml b/k8s/helm/templates/job.yaml
@@ -10,11 +10,11 @@ spec:
       restartPolicy: Never
       containers:
       - name: {{ include "warp.fullname" . }}
-        image: "{{ .Values.image.repository }}:{{ .Chart.AppVersion }}"
+        image: "{{ .Values.image.repository }}:{{ include "warp.imageVersion" . }}"
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         args:
           - "{{ .Values.warpConfiguration.operationToBenchmark }}"
-          - "--warp-client=warp-{0...{{ sub .Values.replicaCount 1 }}}.warp.{{ .Release.Namespace }}"
+          - "--warp-client={{ include "warp.fullname" . }}-{0...{{ sub .Values.replicaCount 1 }}}.{{ include "warp.fullname" . }}.{{ .Release.Namespace }}"
         {{- range $k, $v := .Values.warpJobArgs }}
           - --{{ $k }}={{ $v }}
         {{- end }}
@@ -28,10 +28,34 @@ spec:
           - name: WARP_REGION
             value: {{ .Values.warpConfiguration.s3ServerRegion | quote }}
           - name: WARP_ACCESS_KEY
-            value: {{ .Values.warpConfiguration.s3AccessKey | quote }}
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "warp.fullname" . }}-credentials
+                key: access_key
           - name: WARP_SECRET_KEY
-            value: {{ .Values.warpConfiguration.s3SecretKey | quote }}
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "warp.fullname" . }}-credentials
+                key: secret_key
+      {{- if .Values.serverResources }}
+        resources: {{- toYaml .Values.serverResources | nindent 12 }}
+      {{- end }}
+      {{- if .Values.securityContext }}
+        securityContext: {{- toYaml .Values.securityContext | nindent 12 }}
+      {{- end }}
+    {{- if .Values.serviceAccount.create }}
+      serviceAccountName: {{ include "warp.serviceAccountName" . }}
+    {{- end }}
+    {{- if .Values.podSecurityContext }}
+      securityContext: {{- .Values.podSecurityContext | toYaml | nindent 8 }}
+    {{- end }}
+    {{- if .Values.affinity }}
+      affinity: {{- .Values.affinity | toYaml | nindent 8 }}
+    {{- end }}
     {{- if .Values.nodeSelector }}
       nodeSelector: {{- .Values.nodeSelector | toYaml | nindent 8 }}
     {{- end }}
+    {{- if .Values.tolerations }}
+      tolerations: {{- .Values.tolerations | toYaml | nindent 8 }}
+    {{- end }}
   backoffLimit: 4
diff --git a/k8s/helm/templates/secret.yaml b/k8s/helm/templates/secret.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "warp.fullname" . }}-credentials
+  labels:
+    {{- include "warp.labels" . | nindent 4 }}
+data:
+  access_key: {{ .Values.warpConfiguration.s3AccessKey | b64enc }}
+  secret_key: {{ .Values.warpConfiguration.s3SecretKey | b64enc }}
diff --git a/k8s/helm/templates/statefulset.yaml b/k8s/helm/templates/statefulset.yaml
@@ -19,16 +19,31 @@ spec:
     spec:
       containers:
         - name: {{ .Chart.Name }}
-          image: "{{ .Values.image.repository }}:{{ .Chart.AppVersion }}"
+          image: "{{ .Values.image.repository }}:{{ include "warp.imageVersion" . }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           args:
             - client	  
           ports:
             - name: http
-              containerPort: 7761
+              containerPort: {{ .Values.service.port }}
+          {{- if .Values.clientResources }}
+          resources: {{- toYaml .Values.clientResources | nindent 12 }}
+          {{- end }}
+          {{- if .Values.securityContext }}
+          securityContext: {{- toYaml .Values.securityContext | nindent 12 }}
+          {{- end }}
+    {{- if .Values.serviceAccount.create }}
+      serviceAccountName: {{ include "warp.serviceAccountName" . }}
+    {{- end }}
+    {{- if .Values.podSecurityContext }}
+      securityContext: {{- .Values.podSecurityContext | toYaml | nindent 8 }}
+    {{- end }}
     {{- if .Values.affinity }}
       affinity: {{- .Values.affinity | toYaml | nindent 8 }}
     {{- end }}
     {{- if .Values.nodeSelector }}
       nodeSelector: {{- .Values.nodeSelector | toYaml | nindent 8 }}
     {{- end }}
+    {{- if .Values.tolerations }}
+      tolerations: {{- .Values.tolerations | toYaml | nindent 8 }}
+    {{- end }}
diff --git a/k8s/helm/values.yaml b/k8s/helm/values.yaml
@@ -8,6 +8,8 @@ replicaCount: 4
 image:
   repository: minio/warp
   pullPolicy: IfNotPresent
+  # Set version to use a specific release of Warp
+  # version: latest
 
 imagePullSecrets: []
 nameOverride: ""
@@ -52,30 +54,31 @@ serviceAccount:
   create: true
   # The name of the service account to use.
   # If not set and create is true, a name is generated using the fullname template
-  name:
+  # name:
 
-podSecurityContext: {}
-  # fsGroup: 2000
+securityContext:
+  readOnlyRootFilesystem: true
 
-securityContext: {}
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
-  # runAsUser: 1000
+podSecurityContext:
+  runAsNonRoot: true
+  runAsUser: 1001
+  fsGroup: 1001
 
 service:
   port: 7761
 
-resources: {}
-  # We usually recommend not to specify default resources and to leave this as a conscious
-  # choice for the user. This also increases chances charts run on environments with little
-  # resources, such as Minikube. If you do want to specify resources, uncomment the following
-  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+serverResources: {}
   # limits:
+  #   cpu: 500m
+  #   memory: 512Mi
+  # requests:
   #   cpu: 100m
   #   memory: 128Mi
+
+clientResources: {}
+  # limits:
+  #   cpu: 4
+  #   memory: 512Mi
   # requests:
   #   cpu: 100m
   #   memory: 128Mi