From 15fed09323c9b3350f10d47cdc79ff6795017373 Mon Sep 17 00:00:00 2001 From: Alex Shearn Date: Tue, 7 May 2024 14:18:12 +0100 Subject: [PATCH] Expose the deployment strategy values for the policy controller Prior to this change, the policy controller webhook was not able to have its deployment strategy modified. If you only deployed a single replica, it could not perform a rolling update due to the default `maxSurge: 25%` being rounded down to 0. This change exposes those values, so that the `maxSurge` can be updated and a single instance can be rolled. Fixes #748. Signed-off-by: Alex Shearn --- charts/policy-controller/README.md | 54 +++++++++++++++++++ .../templates/webhook/deployment_webhook.yaml | 7 +++ charts/policy-controller/values.yaml | 7 +++ 3 files changed, 68 insertions(+) diff --git a/charts/policy-controller/README.md b/charts/policy-controller/README.md index ff4b691a..3d55c6b8 100644 --- a/charts/policy-controller/README.md +++ b/charts/policy-controller/README.md @@ -12,6 +12,60 @@ The Helm chart for Policy Controller * +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| commonAnnotations | object | `{}` | | +| commonNodeSelector | object | `{}` | | +| commonTolerations | list | `[]` | | +| cosign.cosignPub | string | `""` | | +| cosign.webhookName | string | `"policy.sigstore.dev"` | | +| imagePullSecrets | list | `[]` | | +| installCRDs | bool | `true` | | +| leasescleanup.image.pullPolicy | string | `"IfNotPresent"` | | +| leasescleanup.image.repository | string | `"cgr.dev/chainguard/kubectl"` | | +| leasescleanup.image.version | string | `"latest-dev"` | | +| loglevel | string | `"info"` | | +| serviceMonitor.enabled | bool | `false` | | +| webhook.configData | object | `{}` | | +| webhook.customLabels | object | `{}` | | +| webhook.env | object | `{}` | | +| webhook.extraArgs | object | `{}` | | +| webhook.failurePolicy | string | `"Fail"` | | +| webhook.image.pullPolicy | string | `"IfNotPresent"` | | +| webhook.image.repository | string | `"ghcr.io/sigstore/policy-controller/policy-controller"` | | +| webhook.image.version | string | `"sha256:f291fce5b9c1a69ba54990eda7e0fe4114043b1afefb0f4ee3e6f84ec9ef1605"` | | +| webhook.name | string | `"webhook"` | | +| webhook.namespaceSelector.matchExpressions[0].key | string | `"policy.sigstore.dev/include"` | | +| webhook.namespaceSelector.matchExpressions[0].operator | string | `"In"` | | +| webhook.namespaceSelector.matchExpressions[0].values[0] | string | `"true"` | | +| webhook.podDisruptionBudget.enabled | bool | `true` | | +| webhook.podDisruptionBudget.minAvailable | int | `1` | | +| webhook.podSecurityContext.allowPrivilegeEscalation | bool | `false` | | +| webhook.podSecurityContext.capabilities.drop[0] | string | `"ALL"` | | +| webhook.podSecurityContext.enabled | bool | `true` | | +| webhook.podSecurityContext.readOnlyRootFilesystem | bool | `true` | | +| webhook.podSecurityContext.runAsUser | int | `1000` | | +| webhook.registryCaBundle | object | `{}` | | +| webhook.replicaCount | int | `1` | | +| webhook.resources.limits.cpu | string | `"200m"` | | +| webhook.resources.limits.memory | string | `"512Mi"` | | +| webhook.resources.requests.cpu | string | `"100m"` | | +| webhook.resources.requests.memory | string | `"128Mi"` | | +| webhook.securityContext.enabled | bool | `false` | | +| webhook.securityContext.runAsUser | int | `65532` | | +| webhook.service.annotations | object | `{}` | | +| webhook.service.port | int | `443` | | +| webhook.service.type | string | `"ClusterIP"` | | +| webhook.serviceAccount.annotations | object | `{}` | | +| webhook.serviceAccount.create | bool | `true` | | +| webhook.serviceAccount.name | string | `""` | | +| webhook.volumeMounts | list | `[]` | | +| webhook.volumes | list | `[]` | | +| webhook.webhookNames.defaulting | string | `"defaulting.clusterimagepolicy.sigstore.dev"` | | +| webhook.webhookNames.validating | string | `"validating.clusterimagepolicy.sigstore.dev"` | | + ### Deploy `policy-controller` Helm Chart Install `policy-controller` using Helm: diff --git a/charts/policy-controller/templates/webhook/deployment_webhook.yaml b/charts/policy-controller/templates/webhook/deployment_webhook.yaml index 174ffd6d..48bc06ab 100644 --- a/charts/policy-controller/templates/webhook/deployment_webhook.yaml +++ b/charts/policy-controller/templates/webhook/deployment_webhook.yaml @@ -12,6 +12,13 @@ spec: matchLabels: {{- include "policy-controller.selectorLabels" . | nindent 6 }} control-plane: {{ template "policy-controller.fullname" . }}-webhook + +{{- if .Values.deployment.strategy }} + strategy: +{{ toYaml .Values.deployment.strategy | trim | indent 4 }} + {{ if eq .Values.deployment.strategy.type "Recreate" }}rollingUpdate: null{{ end }} +{{- end }} + template: metadata: {{- with .Values.webhook.podAnnotations }} diff --git a/charts/policy-controller/values.yaml b/charts/policy-controller/values.yaml index 6ee8023a..b510fe90 100644 --- a/charts/policy-controller/values.yaml +++ b/charts/policy-controller/values.yaml @@ -9,6 +9,13 @@ imagePullSecrets: [] loglevel: info +deployment: + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + maxSurge: 1 + webhook: customLabels: {} configData: {}