From 6ca56669bb383d8395304441b491396119dec42d Mon Sep 17 00:00:00 2001
From: Akash Gupta
Date: Wed, 20 Nov 2024 14:09:06 +0530
Subject: [PATCH 1/6] [tfy-agent] support extra vol in proxy + add docs for insecure mode
---
 charts/tfy-agent/Chart.yaml | 2 +-
 charts/tfy-agent/README.md | 28 +++++++++++++++++++
 .../templates/tfy-agent-proxy-deployment.yaml | 4 +++
 charts/tfy-agent/values.yaml | 7 +++++
 4 files changed, 40 insertions(+), 1 deletion(-)
diff --git a/charts/tfy-agent/Chart.yaml b/charts/tfy-agent/Chart.yaml
index 09629475..0bbd5eba 100644
--- a/charts/tfy-agent/Chart.yaml
+++ b/charts/tfy-agent/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.39
+version: 0.2.40
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/charts/tfy-agent/README.md b/charts/tfy-agent/README.md
index 567189d2..16b069b6 100644
--- a/charts/tfy-agent/README.md
+++ b/charts/tfy-agent/README.md
@@ -33,6 +33,34 @@ This application has two parts.
 * If the list of allowed namespaces is empty. We set up [cluster-wide access](https://github.com/truefoundry/infra-charts/blob/main/charts/tfy-agent/templates/tfy-agent-proxy-clusterrolebinding-ns.yaml) for these namespaced resources.
+## Trobleshoot
+
+### Using self-signed certificate in control plane URL
+If your control plane URL is using self-signed CA certificate, follow these steps:
+1. Update CA bundle in the container by mounting your CA bundle. This can be done in two ways
+ a. using volume mounts
+ - create a config map using your `ca-certificate.crt` file
+ `kubectl create configmap tfy-ca-cert -n tfy-agent --from-file=ca-certificate.crt`
+ - add following volume and volume mounts in both tfyAgent and tfyAgentProxy
+ ```
+ tfyAgent:
+ ...
+ extraVolumes:
+ - name
+ extraVolumeMounts:
+ - name
+ ```
+ b. using jspolicy - [link](https://artifacthub.io/packages/helm/truefoundry/tfy-jspolicy-config)
+
+2. Add extraEnv in tfyAgent to allow insecure connection
+ ```
+ tfyAgent:
+ extraEnvVars:
+ - name: NODE_TLS_REJECT_UNAUTHORIZED
+ value: '0'
+ ```
+
+
 ## Parameters
 ### Configuration parameters
diff --git a/charts/tfy-agent/templates/tfy-agent-proxy-deployment.yaml b/charts/tfy-agent/templates/tfy-agent-proxy-deployment.yaml
index db42b4d1..568bf1ee 100644
--- a/charts/tfy-agent/templates/tfy-agent-proxy-deployment.yaml
+++ b/charts/tfy-agent/templates/tfy-agent-proxy-deployment.yaml
@@ -51,6 +51,8 @@ spec:
 imagePullPolicy: {{ .Values.tfyAgentProxy.image.pullPolicy }}
 resources:
 {{- toYaml .Values.tfyAgentProxy.resources | nindent 12 }}
+ volumeMounts:
+ {{- toYaml .Values.tfyAgentProxy.extraVolumeMounts | nindent 12 }}
 {{- with .Values.tfyAgentProxy.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
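Review bot: `volumeMounts:` and the `toYaml .Values.tfyAgentProxy.extraVolumeMounts` line are rendered unconditionally, unlike the `{{- with .Values.tfyAgentProxy.nodeSelector }}` guard three lines below in the same hunk. With the default `extraVolumeMounts: []` this emits `volumeMounts:` followed by `[]`, and with the key unset it emits `volumeMounts: null`; both should be tolerated by the API server, but the rendered manifest carries an empty field and the template is inconsistent with its siblings. Wrapping the two lines in `{{- with .Values.tfyAgentProxy.extraVolumeMounts }}` … `{{- end }}` and changing the inner line to `{{- toYaml . | nindent 12 }}` keeps the output clean. The same applies to the `volumes:` lines in the `@@ -66,4 +68,6 @@` hunk of this file.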
@@ -66,4 +68,6 @@ spec:
 {{- with .Values.tfyAgentProxy.priorityClassName }}
 priorityClassName: {{ . | quote }}
 {{- end }}
+ volumes:
+ {{- toYaml .Values.tfyAgentProxy.extraVolumes | nindent 8 }}
 {{- end }}
diff --git a/charts/tfy-agent/values.yaml b/charts/tfy-agent/values.yaml
index 1de75514..6cac6ff9 100644
--- a/charts/tfy-agent/values.yaml
+++ b/charts/tfy-agent/values.yaml
@@ -420,6 +420,13 @@ tfyAgentProxy:
 ## @param tfyAgentProxy.serviceAccount.name Name of the serviceAccount to use. If not set and create is true, a name is generated using the fullname template
 ##
 name: ""
+
+ ## @param tfyAgentProxy.extraVolumes Extra volume for tfyAgent container
+ ##
+ extraVolumes: []
+ ## @param tfyAgentProxy.extraVolumeMounts Extra volume mount for tfyAgent container
+ ##
+ extraVolumeMounts: []
 clusterRole:
 ## @param tfyAgentProxy.clusterRole.enable Create cluster role.
From 8dbcb663e1539a73afed629c0a16df47a735e38c Mon Sep 17 00:00:00 2001
From: akashg3627
Date: Wed, 20 Nov 2024 08:39:35 +0000
Subject: [PATCH 2/6] Update README.md with readme-generator-for-helm
Signed-off-by: akashg3627
---
 charts/tfy-agent/README.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/charts/tfy-agent/README.md b/charts/tfy-agent/README.md
index 16b069b6..2aa87cde 100644
--- a/charts/tfy-agent/README.md
+++ b/charts/tfy-agent/README.md
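Review bot: The `@param` descriptions for `extraVolumes` and `extraVolumeMounts` say "Extra volume ... for tfyAgent container" although the keys sit under `tfyAgentProxy` and, per the deployment template in this same commit, are rendered verbatim into the proxy Deployment's `volumes` and `volumeMounts` lists; the later "fix comments" patch in this series corrects the container name but still describes a list as a single volume. A description that states the shape and the intended use, e.g. `## @param tfyAgentProxy.extraVolumes List of extra volumes to add to the tfyAgentProxy pod (e.g. a custom CA bundle, see README)`, would make the README's CA-bundle procedure discoverable from values.yaml. That procedure is also the option that keeps TLS verification enabled, unlike the `NODE_TLS_REJECT_UNAUTHORIZED` environment variable that step 2 of the same README section adds, so pointing readers to it from here is worth the extra words.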
@@ -161,6 +161,8 @@ If your control plane URL is using self-signed CA certificate, follow these step
 | `tfyAgentProxy.serviceAccount.create` | Bool to enable serviceAccount creation | `true` |
 | `tfyAgentProxy.serviceAccount.annotations` | Annotations to add to the serviceAccount | `{}` |
 | `tfyAgentProxy.serviceAccount.name` | Name of the serviceAccount to use. If not set and create is true, a name is generated using the fullname template | `""` |
+| `tfyAgentProxy.extraVolumes` | Extra volume for tfyAgent container | `[]` |
+| `tfyAgentProxy.extraVolumeMounts` | Extra volume mount for tfyAgent container | `[]` |
 | `tfyAgentProxy.clusterRole.enable` | Create cluster role. | `true` |
 | `tfyAgentProxy.clusterRole.strictMode` | Only add required authz rules. | `false` |
 | `tfyAgentProxy.clusterRole.clusterScopedAdditionalClusterRoleRules` | Additional rules to add to the cluster role for cluster-scoped resources. | `[]` |
From 908f2c84bdf4e55f11fc067c54e573e4457fa0c1 Mon Sep 17 00:00:00 2001
From: Akash Gupta
Date: Wed, 20 Nov 2024 14:14:51 +0530
Subject: [PATCH 3/6] update
---
 charts/tfy-agent/README.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/charts/tfy-agent/README.md b/charts/tfy-agent/README.md
index 2aa87cde..1a3d5b08 100644
--- a/charts/tfy-agent/README.md
+++ b/charts/tfy-agent/README.md
@@ -37,8 +37,8 @@ This application has two parts.
 ### Using self-signed certificate in control plane URL
 If your control plane URL is using self-signed CA certificate, follow these steps:
-1. Update CA bundle in the container by mounting your CA bundle. This can be done in two ways
- a. using volume mounts
+1. Update CA bundle in the container by mounting your CA bundle. This can be done in two ways:
+ 1. using volume mounts
 - create a config map using your `ca-certificate.crt` file
 `kubectl create configmap tfy-ca-cert -n tfy-agent --from-file=ca-certificate.crt`
 - add following volume and volume mounts in both tfyAgent and tfyAgentProxy
@@ -50,7 +50,7 @@ If your control plane URL is using self-signed CA certificate, follow these step
 extraVolumeMounts:
 - name
 ```
- b. using jspolicy - [link](https://artifacthub.io/packages/helm/truefoundry/tfy-jspolicy-config)
+ 2. using jspolicy - [link](https://artifacthub.io/packages/helm/truefoundry/tfy-jspolicy-config)
 2. Add extraEnv in tfyAgent to allow insecure connection
 ```
From 5ba7947f9b012a86865bde3d080f95445a1a7279 Mon Sep 17 00:00:00 2001
From: Akash Gupta
Date: Wed, 20 Nov 2024 14:19:20 +0530
Subject: [PATCH 4/6] update
---
 charts/tfy-agent/README.md | 28 +++++++++++++++++++++++++---
 1 file changed, 25 insertions(+), 3 deletions(-)
diff --git a/charts/tfy-agent/README.md b/charts/tfy-agent/README.md
index 1a3d5b08..811846db 100644
--- a/charts/tfy-agent/README.md
+++ b/charts/tfy-agent/README.md
@@ -40,15 +40,37 @@ If your control plane URL is using self-signed CA certificate, follow these step
 1. Update CA bundle in the container by mounting your CA bundle. This can be done in two ways:
 1. using volume mounts
 - create a config map using your `ca-certificate.crt` file
+
 `kubectl create configmap tfy-ca-cert -n tfy-agent --from-file=ca-certificate.crt`
+
 - add following volume and volume mounts in both tfyAgent and tfyAgentProxy
 ```
 tfyAgent:
- ...
 extraVolumes:
- - name
+ - name: ca-certificates-volume
+ configMap:
+ name: tfy-ca-cert
+ items:
+ - key: ca-certificates.crt
+ path: ca-certificates.crt
+ extraVolumeMounts:
+ - name: ca-certificates-volume
+ mountPath: /etc/ssl/certs/ca-certificates.crt
+ subPath: ca-certificates.crt
+ readOnly: true
+ tfyAgentProxy:
+ extraVolumes:
+ - name: ca-certificates-volume
+ configMap:
+ name: tfy-ca-cert
+ items:
+ - key: ca-certificates.crt
+ path: ca-certificates.crt
 extraVolumeMounts:
+ - name: ca-certificates-volume
+ mountPath: /etc/ssl/certs/ca-certificates.crt
+ subPath: ca-certificates.crt
+ readOnly: true
 ```
 2. using jspolicy - [link](https://artifacthub.io/packages/helm/truefoundry/tfy-jspolicy-config)
From 5fa9e3d868146c65dfc9ed2c25b398482ca5b8c4 Mon Sep 17 00:00:00 2001
From: Akash Gupta
Date: Wed, 20 Nov 2024 14:20:12 +0530
Subject: [PATCH 5/6] fix comments
---
 charts/tfy-agent/values.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/tfy-agent/values.yaml b/charts/tfy-agent/values.yaml
index 6cac6ff9..09fb9007 100644
--- a/charts/tfy-agent/values.yaml
+++ b/charts/tfy-agent/values.yaml
@@ -421,10 +421,10 @@ tfyAgentProxy:
 ##
 name: ""
- ## @param tfyAgentProxy.extraVolumes Extra volume for tfyAgent container
+ ## @param tfyAgentProxy.extraVolumes Extra volume for tfyAgentProxy container
 ##
 extraVolumes: []
- ## @param tfyAgentProxy.extraVolumeMounts Extra volume mount for tfyAgent container
+ ## @param tfyAgentProxy.extraVolumeMounts Extra volume mount for tfyAgentProxy container
 ##
 extraVolumeMounts: []
From cd4e557ef8c1636d5881546d8b84b6c92a579249 Mon Sep 17 00:00:00 2001
From: akashg3627
Date: Wed, 20 Nov 2024 08:50:38 +0000
Subject: [PATCH 6/6] Update README.md with readme-generator-for-helm
Signed-off-by: akashg3627
---
 charts/tfy-agent/README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/tfy-agent/README.md b/charts/tfy-agent/README.md
index 811846db..0534edb3 100644
--- a/charts/tfy-agent/README.md
+++ b/charts/tfy-agent/README.md
@@ -183,8 +183,8 @@ If your control plane URL is using self-signed CA certificate, follow these step
 | `tfyAgentProxy.serviceAccount.create` | Bool to enable serviceAccount creation | `true` |
 | `tfyAgentProxy.serviceAccount.annotations` | Annotations to add to the serviceAccount | `{}` |
 | `tfyAgentProxy.serviceAccount.name` | Name of the serviceAccount to use. If not set and create is true, a name is generated using the fullname template | `""` |
-| `tfyAgentProxy.extraVolumes` | Extra volume for tfyAgent container | `[]` |
-| `tfyAgentProxy.extraVolumeMounts` | Extra volume mount for tfyAgent container | `[]` |
+| `tfyAgentProxy.extraVolumes` | Extra volume for tfyAgentProxy container | `[]` |
+| `tfyAgentProxy.extraVolumeMounts` | Extra volume mount for tfyAgentProxy container | `[]` |
 | `tfyAgentProxy.clusterRole.enable` | Create cluster role. | `true` |
 | `tfyAgentProxy.clusterRole.strictMode` | Only add required authz rules. | `false` |
 | `tfyAgentProxy.clusterRole.clusterScopedAdditionalClusterRoleRules` | Additional rules to add to the cluster role for cluster-scoped resources. | `[]` |