diff --git a/k8s/helm/templates/_helpers.tpl b/k8s/helm/templates/_helpers.tpl index 763db267..8baf5c9d 100644 --- a/k8s/helm/templates/_helpers.tpl +++ b/k8s/helm/templates/_helpers.tpl @@ -31,6 +31,13 @@ Create chart name and version as used by the chart label. {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +Set the image tag to use. +*/}} +{{- define "warp.imageVersion" -}} +{{- default .Chart.AppVersion .Values.image.version -}} +{{- end -}} + {{/* Common labels */}} diff --git a/k8s/helm/templates/job.yaml b/k8s/helm/templates/job.yaml index 0efcb8e1..fa98818d 100644 --- a/k8s/helm/templates/job.yaml +++ b/k8s/helm/templates/job.yaml @@ -10,11 +10,11 @@ spec: restartPolicy: Never containers: - name: {{ include "warp.fullname" . }} - image: "{{ .Values.image.repository }}:{{ .Chart.AppVersion }}" + image: "{{ .Values.image.repository }}:{{ include "warp.imageVersion" . }}" imagePullPolicy: {{ .Values.image.pullPolicy }} args: - "{{ .Values.warpConfiguration.operationToBenchmark }}" - - "--warp-client=warp-{0...{{ sub .Values.replicaCount 1 }}}.warp.{{ .Release.Namespace }}" + - "--warp-client={{ include "warp.fullname" . }}-{0...{{ sub .Values.replicaCount 1 }}}.{{ include "warp.fullname" . }}.{{ .Release.Namespace }}" {{- range $k, $v := .Values.warpJobArgs }} - --{{ $k }}={{ $v }} {{- end }} 
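Review bot: The new `--warp-client` host pattern in job.yaml resolves only if the StatefulSet's `metadata.name` and its headless Service are both named exactly `warp.fullname`, and neither name is visible in this diff. The statefulset.yaml hunk shows the container still named with `.Chart.Name`, so it is worth confirming the object names were switched as well; otherwise a release name or `fullnameOverride` that changes the prefix leaves the job pointing at hosts that do not exist. A comment above the argument such as `# must match the StatefulSet name and serviceName in statefulset.yaml` would keep the three in step. The container spec continues beyond this hunk.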
@@ -28,10 +28,34 @@ spec: - name: WARP_REGION value: {{ .Values.warpConfiguration.s3ServerRegion | quote }} - name: WARP_ACCESS_KEY - value: {{ .Values.warpConfiguration.s3AccessKey | quote }} + valueFrom: + secretKeyRef: + name: {{ include "warp.fullname" . }}-credentials + key: access_key - name: WARP_SECRET_KEY - value: {{ .Values.warpConfiguration.s3SecretKey | quote }} + valueFrom: + secretKeyRef: + name: {{ include "warp.fullname" . }}-credentials + key: secret_key + {{- if .Values.serverResources }} + resources: {{- toYaml .Values.serverResources | nindent 12 }} + {{- end }} + {{- if .Values.securityContext }} + securityContext: {{- toYaml .Values.securityContext | nindent 12 }} + {{- end }} + {{- if .Values.serviceAccount.create }} + serviceAccountName: {{ include "warp.serviceAccountName" . }} + {{- end }} + {{- if .Values.podSecurityContext }} + securityContext: {{- .Values.podSecurityContext | toYaml | nindent 8 }} + {{- end }} + {{- if .Values.affinity }} + affinity: {{- .Values.affinity | toYaml | nindent 8 }} + {{- end }} {{- if .Values.nodeSelector }} nodeSelector: {{- .Values.nodeSelector | toYaml | nindent 8 }} {{- end }} + {{- if .Values.tolerations }} + tolerations: {{- .Values.tolerations | toYaml | nindent 8 }} + {{- end }} backoffLimit: 4 diff --git a/k8s/helm/templates/secret.yaml b/k8s/helm/templates/secret.yaml new file mode 100644 index 00000000..db9dedbb --- /dev/null +++ b/k8s/helm/templates/secret.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "warp.fullname" . }}-credentials + labels: + {{- include "warp.labels" . | nindent 4 }} +data: + access_key: {{ .Values.warpConfiguration.s3AccessKey | b64enc }} + secret_key: {{ .Values.warpConfiguration.s3SecretKey | b64enc }} diff --git a/k8s/helm/templates/statefulset.yaml b/k8s/helm/templates/statefulset.yaml index ce3636a4..20754457 100644 --- a/k8s/helm/templates/statefulset.yaml +++ b/k8s/helm/templates/statefulset.yaml 
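Review bot: `serviceAccountName` is gated on `.Values.serviceAccount.create`, so a release that sets `serviceAccount.create: false` together with an existing `serviceAccount.name` silently runs the job under the namespace's default service account. Assuming `warp.serviceAccountName` follows the usual chart helper and already falls back to `default` (its definition is not in this diff), the `if` can be dropped and `serviceAccountName: {{ include "warp.serviceAccountName" . }}` emitted unconditionally. The same guard appears in the statefulset.yaml hunk. Since nothing visible here needs the Kubernetes API, `automountServiceAccountToken: false` on the pod spec is also worth considering.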
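Review bot: The Secret in secret.yaml is still rendered from `warpConfiguration.s3AccessKey` and `s3SecretKey` in chart values, so the keys stay in whatever values file or `--set` invocation supplied them and in the stored release record; only the pod spec stops showing them. The `data:` entries also pipe the raw value straight into `b64enc`, which expects a string, so an unset key or an all-digit key parsed as a number is likely to fail with a type error rather than a clear message, and the output is unquoted. Something like `access_key: {{ required "warpConfiguration.s3AccessKey is required" .Values.warpConfiguration.s3AccessKey | toString | b64enc | quote }}` (and the same for `secret_key`) makes the failure explicit. Letting the chart reference a pre-existing Secret instead of always creating one would allow operators to keep the credentials out of values entirely.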
@@ -19,16 +19,31 @@ spec: spec: containers: - name: {{ .Chart.Name }} - image: "{{ .Values.image.repository }}:{{ .Chart.AppVersion }}" + image: "{{ .Values.image.repository }}:{{ include "warp.imageVersion" . }}" imagePullPolicy: {{ .Values.image.pullPolicy }} args: - client ports: - name: http - containerPort: 7761 + containerPort: {{ .Values.service.port }} + {{- if .Values.clientResources }} + resources: {{- toYaml .Values.clientResources | nindent 12 }} + {{- end }} + {{- if .Values.securityContext }} + securityContext: {{- toYaml .Values.securityContext | nindent 12 }} + {{- end }} + {{- if .Values.serviceAccount.create }} + serviceAccountName: {{ include "warp.serviceAccountName" . }} + {{- end }} + {{- if .Values.podSecurityContext }} + securityContext: {{- .Values.podSecurityContext | toYaml | nindent 8 }} + {{- end }} {{- if .Values.affinity }} affinity: {{- .Values.affinity | toYaml | nindent 8 }} {{- end }} {{- if .Values.nodeSelector }} nodeSelector: {{- .Values.nodeSelector | toYaml | nindent 8 }} {{- end }} + {{- if .Values.tolerations }} + tolerations: {{- .Values.tolerations | toYaml | nindent 8 }} + {{- end }} diff --git a/k8s/helm/values.yaml b/k8s/helm/values.yaml index 31068f62..64585986 100644 --- a/k8s/helm/values.yaml +++ b/k8s/helm/values.yaml @@ -8,6 +8,8 @@ replicaCount: 4 image: repository: minio/warp pullPolicy: IfNotPresent + # Set version to use a specific release of Warp + # version: latest imagePullSecrets: [] nameOverride: "" 
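Review bot: `containerPort` in statefulset.yaml now follows `.Values.service.port`, but the container is still started with only `client` in `args`, so as far as this hunk shows the process keeps listening on its built-in port, and the `--warp-client` hosts in job.yaml carry no port either. Changing `service.port` would then advertise a port that nothing listens on. If warp's client accepts a listen address, pass it through with an extra arg such as `- ":{{ .Values.service.port }}"` and add the matching port to the job's client hosts; otherwise keep `containerPort` fixed and document that `service.port` only affects the Service.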
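Review bot: The commented example `# version: latest` in values.yaml points users at a mutable tag while `pullPolicy` stays `IfNotPresent`, so nodes that already cached an older `latest` keep running it and two installs of the same release may run different binaries. A concrete release tag as the example, with the default spelled out, would be safer, e.g. `# version: "<release tag>"  # defaults to .Chart.AppVersion`. Quoting the value also avoids YAML turning a numeric-looking tag into a float.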
@@ -52,30 +54,31 @@ serviceAccount: create: true # The name of the service account to use. # If not set and create is true, a name is generated using the fullname template - name: + # name: -podSecurityContext: {} - # fsGroup: 2000 +securityContext: + readOnlyRootFilesystem: true -securityContext: {} - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 1000 +podSecurityContext: + runAsNonRoot: true + runAsUser: 1001 + fsGroup: 1001 service: port: 7761 -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. +serverResources: {} # limits: + # cpu: 500m + # memory: 512Mi + # requests: # cpu: 100m # memory: 128Mi + +clientResources: {} + # limits: + # cpu: 4 + # memory: 512Mi # requests: # cpu: 100m # memory: 128Mi
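Review bot: The new default `securityContext` sets only `readOnlyRootFilesystem: true`, while the example block this hunk deletes also listed `capabilities.drop: [ALL]`, so the containers keep the runtime's default capability set and privilege escalation is not explicitly disabled. Adding `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}` under `securityContext` would complete the hardening that `runAsNonRoot` and `runAsUser: 1001` start. Two compatibility points also deserve a comment in the file: a read-only root filesystem will break the job if warp writes its result file into the working directory and no writable volume is mounted (none is visible in the job.yaml hunks), and existing values files that set `resources:` are silently ignored after the rename to `serverResources`/`clientResources`.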