From b7f4995fe41bb5cd06098a3a86e4814831b79abb Mon Sep 17 00:00:00 2001
From: Thomas Eckert
Date: Tue, 18 Oct 2022 13:47:04 -0400
Subject: [PATCH] Add `tolerations` and `nodeSelector` to Server ACL init jobs and `nodeSelector` to Webhook cert manager (#1581)
* Add tolerations and nodeSelector to server-acl-[init|cleanup] jobs
* Add nodeSelector to webhook cert manager
* Add nodeSelector to webhook-cert-manager-deployment with BATS tests
* Add tolerations and nodeSelector to server-acl-init template with BATS
* Add tolerations and nodeSelector to server-acl-init-cleanup template with BATS
* Fix indent of nodeSelector and tolerations
* Remove job stanza, bringing nodeSelector and tolerations up by one indent level
* Apply suggestions from code review
Co-authored-by: Iryna Shustava
* Fix indent and files targeted by bats
* Change indent in cleanup job from 12 to 8
Co-authored-by: Iryna Shustava
---
 .../server-acl-init-cleanup-job.yaml | 8 ++++
 .../consul/templates/server-acl-init-job.yaml | 8 ++++
 .../webhook-cert-manager-deployment.yaml | 6 ++-
 .../unit/server-acl-init-cleanup-job.bats | 45 +++++++++++++++++++
 .../consul/test/unit/server-acl-init-job.bats | 45 +++++++++++++++++++
 .../unit/webhook-cert-manager-deployment.bats | 23 ++++++++++
 charts/consul/values.yaml | 30 +++++++++++++
 7 files changed, 164 insertions(+), 1 deletion(-)
diff --git a/charts/consul/templates/server-acl-init-cleanup-job.yaml b/charts/consul/templates/server-acl-init-cleanup-job.yaml
index 4db5e356e3..697427ab5f 100644
--- a/charts/consul/templates/server-acl-init-cleanup-job.yaml
+++ b/charts/consul/templates/server-acl-init-cleanup-job.yaml
@@ -62,6 +62,14 @@ spec:
 limits:
 memory: "50Mi"
 cpu: "50m"
+ {{- if .Values.global.acls.tolerations }}
+ tolerations:
+ {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }}
+ {{- end }}
+ {{- if .Values.global.acls.nodeSelector }}
+ nodeSelector:
+ {{ tpl .Values.global.acls.nodeSelector . | indent 8 | trim }}
+ {{- end }}
 {{- end }}
 {{- end }}
 {{- end }}
diff --git a/charts/consul/templates/server-acl-init-job.yaml b/charts/consul/templates/server-acl-init-job.yaml
index 7bb955161f..7046ac500f 100644
--- a/charts/consul/templates/server-acl-init-job.yaml
+++ b/charts/consul/templates/server-acl-init-job.yaml
@@ -336,6 +336,14 @@ spec:
 limits:
 memory: "50Mi"
 cpu: "50m"
+ {{- if .Values.global.acls.tolerations }}
+ tolerations:
+ {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }}
+ {{- end }}
+ {{- if .Values.global.acls.nodeSelector }}
+ nodeSelector:
+ {{ tpl .Values.global.acls.nodeSelector . | indent 8 | trim }}
+ {{- end }}
 {{- end }}
 {{- end }}
 {{- end }}
diff --git a/charts/consul/templates/webhook-cert-manager-deployment.yaml b/charts/consul/templates/webhook-cert-manager-deployment.yaml
index 609f3314b3..eef13e78b6 100644
--- a/charts/consul/templates/webhook-cert-manager-deployment.yaml
+++ b/charts/consul/templates/webhook-cert-manager-deployment.yaml
@@ -64,6 +64,10 @@ spec:
 {{- if .Values.webhookCertManager.tolerations }}
 tolerations:
 {{ tpl .Values.webhookCertManager.tolerations . | indent 8 | trim }}
- {{- end}}
+ {{- end }}
+ {{- if .Values.webhookCertManager.nodeSelector }}
+ nodeSelector:
+ {{ tpl .Values.webhookCertManager.nodeSelector . | indent 8 | trim }}
+ {{- end }}
 {{- end }}
diff --git a/charts/consul/test/unit/server-acl-init-cleanup-job.bats b/charts/consul/test/unit/server-acl-init-cleanup-job.bats
index 3cc17b2682..cb57374116 100644
--- a/charts/consul/test/unit/server-acl-init-cleanup-job.bats
+++ b/charts/consul/test/unit/server-acl-init-cleanup-job.bats
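Review bot: The new `tolerations:` and `nodeSelector:` blocks in server-acl-init-cleanup-job.yaml render the value through `tpl` with no check on its type or shape, so a values file that supplies a structured map or list instead of a multi-line string fails inside `tpl` with a generic type error, and a string of the wrong shape renders without complaint. A guard ahead of each block, e.g. `{{- if and .Values.global.acls.nodeSelector (not (kindIs "string" .Values.global.acls.nodeSelector)) }}{{ fail "global.acls.nodeSelector must be a multi-line string" }}{{- end }}`, would turn that into a clear message. `tpl` also evaluates any template expression embedded in the value with the full chart context, so these values need to come from a trusted values file. The same pattern is added in the server-acl-init-job.yaml and webhook-cert-manager-deployment.yaml hunks, and the enclosing `{{- if }}` blocks open outside each hunk.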
@@ -70,3 +70,48 @@ load _helpers
 yq 'length > 0' | tee /dev/stderr)
 [ "${actual}" = "true" ]
 }
+
+#--------------------------------------------------------------------
+# global.acls.tolerations and global.acls.nodeSelector
+
+@test "serverACLInitCleanup/Job: tolerations not set by default" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -s templates/server-acl-init-cleanup-job.yaml \
+ --set 'global.acls.manageSystemACLs=true' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.tolerations' | tee /dev/stderr)
+ [ "${actual}" = "null" ]
+}
+
+@test "serverACLInitCleanup/Job: tolerations can be set" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -s templates/server-acl-init-cleanup-job.yaml \
+ --set 'global.acls.manageSystemACLs=true' \
+ --set 'global.acls.tolerations=- key: value' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.tolerations[0].key' | tee /dev/stderr)
+ [ "${actual}" = "value" ]
+}
+
+@test "serverACLInitCleanup/Job: nodeSelector not set by default" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -s templates/server-acl-init-cleanup-job.yaml \
+ --set 'global.acls.manageSystemACLs=true' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.nodeSelector' | tee /dev/stderr)
+ [ "${actual}" = "null" ]
+}
+
+@test "serverACLInitCleanup/Job: nodeSelector can be set" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -s templates/server-acl-init-cleanup-job.yaml \
+ --set 'global.acls.manageSystemACLs=true' \
+ --set 'global.acls.nodeSelector=- key: value' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.nodeSelector[0].key' | tee /dev/stderr)
+ [ "${actual}" = "value" ]
+}
diff --git a/charts/consul/test/unit/server-acl-init-job.bats b/charts/consul/test/unit/server-acl-init-job.bats
index 973c06a429..d2d548664c 100644
--- a/charts/consul/test/unit/server-acl-init-job.bats
+++ b/charts/consul/test/unit/server-acl-init-job.bats
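Review bot: The "nodeSelector can be set" test passes a YAML list (`--set 'global.acls.nodeSelector=- key: value'`) and reads `.spec.template.spec.nodeSelector[0].key`, but a Pod's `nodeSelector` is a map of label keys to values, so the test goes green on a manifest the API server would reject. It should use a map-shaped value, `--set 'global.acls.nodeSelector=testing: value'`, and assert on `yq -r '.spec.template.spec.nodeSelector.testing'`. The nodeSelector tests added in server-acl-init-job.bats and webhook-cert-manager-deployment.bats have the same list-shaped input and need the same change.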
@@ -1555,6 +1555,51 @@ load _helpers
 [ "${actual}" = "true" ]
 }
+#--------------------------------------------------------------------
+# global.acls.tolerations and global.acls.nodeSelector
+
+@test "serverACLInit/Job: tolerations not set by default" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -s templates/server-acl-init-job.yaml \
+ --set 'global.acls.manageSystemACLs=true' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.tolerations' | tee /dev/stderr)
+ [ "${actual}" = "null" ]
+}
+
+@test "serverACLInit/Job: tolerations can be set" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -s templates/server-acl-init-job.yaml \
+ --set 'global.acls.manageSystemACLs=true' \
+ --set 'global.acls.tolerations=- key: value' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.tolerations[0].key' | tee /dev/stderr)
+ [ "${actual}" = "value" ]
+}
+
+@test "serverACLInit/Job: nodeSelector not set by default" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -s templates/server-acl-init-job.yaml \
+ --set 'global.acls.manageSystemACLs=true' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.nodeSelector' | tee /dev/stderr)
+ [ "${actual}" = "null" ]
+}
+
+@test "serverACLInit/Job: nodeSelector can be set" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -s templates/server-acl-init-job.yaml \
+ --set 'global.acls.manageSystemACLs=true' \
+ --set 'global.acls.nodeSelector=- key: value' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.nodeSelector[0].key' | tee /dev/stderr)
+ [ "${actual}" = "value" ]
+}
+
 #--------------------------------------------------------------------
 # externalServers.enabled
diff --git a/charts/consul/test/unit/webhook-cert-manager-deployment.bats b/charts/consul/test/unit/webhook-cert-manager-deployment.bats
index c1985c4396..d01d8da061 100644
--- a/charts/consul/test/unit/webhook-cert-manager-deployment.bats
+++ b/charts/consul/test/unit/webhook-cert-manager-deployment.bats
@@ -65,6 +65,29 @@ load _helpers
 [ "${actual}" = "value" ]
 }
+@test "webhookCertManager/Deployment: no nodeSelector by default" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -s templates/webhook-cert-manager-deployment.yaml \
+ --set 'controller.enabled=true' \
+ --set 'connectInject.enabled=true' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.nodeSelector' | tee /dev/stderr)
+ [ "${actual}" = "null" ]
+}
+
+@test "webhookCertManager/Deployment: nodeSelector can be set" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -s templates/webhook-cert-manager-deployment.yaml \
+ --set 'controller.enabled=true' \
+ --set 'connectInject.enabled=true' \
+ --set 'webhookCertManager.nodeSelector=- key: value' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.nodeSelector[0].key' | tee /dev/stderr)
+ [ "${actual}" = "value" ]
+}
+
 #--------------------------------------------------------------------
 # Vault
diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml
index 461c5580a3..7576714eb2 100644
--- a/charts/consul/values.yaml
+++ b/charts/consul/values.yaml
@@ -485,6 +485,23 @@ global:
 # @type: string
 secretKey: null
+ # tolerations configures the taints and tolerations for the server-acl-init
+ # and server-acl-init-cleanup jobs. This should be a multi-line string matching the
+ # Tolerations (https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec.
+ tolerations: ""
+
+ # This value defines `nodeSelector` (https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector)
+ # labels for the server-acl-init and server-acl-init-cleanup jobs pod assignment, formatted as a multi-line string.
+ #
+ # Example:
+ #
+ # ```yaml
+ # nodeSelector: |
+ # beta.kubernetes.io/arch: amd64
+ # ```
+ #
+ # @type: string
+ nodeSelector: null
 # [Enterprise Only] This value refers to a Kubernetes or Vault secret that you have created
 # that contains your enterprise license. It is required if you are using an
@@ -3072,6 +3089,19 @@ webhookCertManager:
 # @type: string
 tolerations: null
+ # This value defines `nodeSelector` (https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector)
+ # labels for the webhook-cert-manager pod assignment, formatted as a multi-line string.
+ #
+ # Example:
+ #
+ # ```yaml
+ # nodeSelector: |
+ # beta.kubernetes.io/arch: amd64
+ # ```
+ #
+ # @type: string
+ nodeSelector: null
+
 # Configures a demo Prometheus installation.
 prometheus:
 # When true, the Helm chart will install a demo Prometheus server instance
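Review bot: In the first values.yaml hunk, `global.acls.tolerations` defaults to `""` and has no `# @type: string` line, while `global.acls.nodeSelector` and both `webhookCertManager` values default to `null` with the annotation. Both defaults are falsy in the templates' `if`, so rendering is unaffected, but for consistency the entry should read `# @type: string` followed by `tolerations: null`. The example label in both hunks, `beta.kubernetes.io/arch: amd64`, is deprecated upstream; `kubernetes.io/arch: amd64` is the stable label to show. Since these settings decide which nodes run the ACL bootstrap jobs, the tolerations comment would also benefit from a short example of the expected string form, as the nodeSelector comment already has.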