From ae3dde966d05b22563fa92afd24742b695d7fccd Mon Sep 17 00:00:00 2001
From: Roman Tkachenko
Date: Wed, 11 May 2022 11:45:16 -0700
Subject: [PATCH] feat(helm): add priorityClassName and extraLabels to kube-agent (#12559) (#12568)
* feat(helm): add priorityClassName and extraLabels to kube-agent
Signed-off-by: Roman Tkachenko
Co-authored-by: daquinoaldo
Co-authored-by: daquinoaldo
---
.../helm/reference/teleport-kube-agent.mdx | 282 ++++++++++++++++++
.../.lint/extra-labels.yaml | 31 ++
.../.lint/priority-class-name.yaml | 4 +
.../templates/clusterrole.yaml | 4 +
.../templates/clusterrolebinding.yaml | 4 +
.../teleport-kube-agent/templates/config.yaml | 4 +
.../templates/deployment.yaml | 9 +
.../teleport-kube-agent/templates/pdb.yaml | 3 +
.../teleport-kube-agent/templates/psp.yaml | 4 +
.../teleport-kube-agent/templates/secret.yaml | 4 +
.../templates/serviceaccount.yaml | 6 +-
.../templates/statefulset.yaml | 9 +
.../teleport-kube-agent/values.schema.json | 66 +++-
.../chart/teleport-kube-agent/values.yaml | 25 ++
14 files changed, 452 insertions(+), 3 deletions(-)
create mode 100644 examples/chart/teleport-kube-agent/.lint/extra-labels.yaml
create mode 100644 examples/chart/teleport-kube-agent/.lint/priority-class-name.yaml
diff --git a/docs/pages/kubernetes-access/helm/reference/teleport-kube-agent.mdx b/docs/pages/kubernetes-access/helm/reference/teleport-kube-agent.mdx
index bc0bc9e3811e7..c83ce6ff0c2dd 100644
--- a/docs/pages/kubernetes-access/helm/reference/teleport-kube-agent.mdx
+++ b/docs/pages/kubernetes-access/helm/reference/teleport-kube-agent.mdx
@@ -768,6 +768,27 @@ Ensures that this number of replicas is available during voluntary disruptions, +## `priorityClassName` + +| Type | Default value | +| - | - | +| `string` | `nil` | + +`priorityClassName` allows to specify a priority class for the `teleport-kube-agent` deployment/statefulset. + + + + ```yaml + priorityClassName: "teleport-kube-agent" + ``` + + + ```code + $ --set priorityClassName=teleport-kube-agent + ``` + + + ## `serviceAccountName` 
@@ -1000,6 +1021,267 @@ Kubernetes affinity to set for pod assignments. +## `extraLabels.clusterRole` + +| Type | Default value | +| - | - | +| `object` | `{}` | + +[Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) + +Kubernetes labels which should be applied to the `ClusterRole` created by the chart. + + + + ```yaml + extraLabels: + clusterRole: + app.kubernetes.io/name: teleport-kube-agent + ``` + + + ```code + $ --set extraLabels.clusterRole."app\.kubernetes\.io\/name"=teleport-kube-agent + ``` + + You must escape values entered on the command line correctly for Helm's CLI to understand them. We recommend + using a `values.yaml` file instead to avoid confusion and errors. + + + + +## `extraLabels.clusterRoleBinding` + +| Type | Default value | +| - | - | +| `object` | `{}` | + +[Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) + +Kubernetes labels which should be applied to the `ClusterRoleBinding` created by the chart. + + + + ```yaml + extraLabels: + clusterRoleBinding: + app.kubernetes.io/name: teleport-kube-agent + ``` + + + ```code + $ --set extraLabels.clusterRoleBinding."app\.kubernetes\.io\/name"=teleport-kube-agent + ``` + + You must escape values entered on the command line correctly for Helm's CLI to understand them. We recommend + using a `values.yaml` file instead to avoid confusion and errors. + + + + +## `extraLabels.config` + +| Type | Default value | +| - | - | +| `object` | `{}` | + +[Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) + +Kubernetes labels which should be applied to the `ConfigMap` created by the chart. + + + + ```yaml + extraLabels: + config: + app.kubernetes.io/name: teleport-kube-agent + ``` + + + ```code + $ --set extraLabels.config."app\.kubernetes\.io\/name"=teleport-kube-agent + ``` + + You must escape values entered on the command line correctly for Helm's CLI to understand them. 
We recommend + using a `values.yaml` file instead to avoid confusion and errors. + + + + +## `extraLabels.deployment` + +| Type | Default value | +| - | - | +| `object` | `{}` | + +[Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) + +Kubernetes labels which should be applied to the `Deployment` or `StatefulSet` created by the chart. + + + + ```yaml + extraLabels: + deployment: + app.kubernetes.io/name: teleport-kube-agent + ``` + + + ```code + $ --set extraLabels.deployment."app\.kubernetes\.io\/name"=teleport-kube-agent + ``` + + You must escape values entered on the command line correctly for Helm's CLI to understand them. We recommend + using a `values.yaml` file instead to avoid confusion and errors. + + + + +## `extraLabels.pod` + +| Type | Default value | +| - | - | +| `object` | `{}` | + +[Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) + +Kubernetes labels which should be applied to every `Pod` in the `Deployment` or `StatefulSet` created by the chart. + + + + ```yaml + extraLabels: + pod: + app.kubernetes.io/name: teleport-kube-agent + ``` + + + ```code + $ --set extraLabels.pod."app\.kubernetes\.io\/name"=teleport-kube-agent + ``` + + You must escape values entered on the command line correctly for Helm's CLI to understand them. We recommend + using a `values.yaml` file instead to avoid confusion and errors. + + + + +## `extraLabels.podDisruptionBudget` + +| Type | Default value | +| - | - | +| `object` | `{}` | + +[Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) + +Kubernetes labels which should be applied to the `PodDisruptionBudget` created by the chart (if enabled). 
+ + + + ```yaml + extraLabels: + podDisruptionBudget: + app.kubernetes.io/name: teleport-kube-agent + ``` + + + ```code + $ --set extraLabels.podDisruptionBudget."app\.kubernetes\.io\/name"=teleport-kube-agent + ``` + + You must escape values entered on the command line correctly for Helm's CLI to understand them. We recommend + using a `values.yaml` file instead to avoid confusion and errors. + + + + +## `extraLabels.podSecurityPolicy` + +| Type | Default value | +| - | - | +| `object` | `{}` | + +[Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) + +Kubernetes labels which should be applied to the `PodSecurityPolicy` created by the chart (if enabled). + + + + ```yaml + extraLabels: + podSecurityPolicy: + app.kubernetes.io/name: teleport-kube-agent + ``` + + + ```code + $ --set extraLabels.podSecurityPolicy."app\.kubernetes\.io\/name"=teleport-kube-agent + ``` + + You must escape values entered on the command line correctly for Helm's CLI to understand them. We recommend + using a `values.yaml` file instead to avoid confusion and errors. + + + + +## `extraLabels.secret` + +| Type | Default value | +| - | - | +| `object` | `{}` | + +[Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) + +Kubernetes labels which should be applied to the `Secret` created by the chart (if enabled). + + + + ```yaml + extraLabels: + secret: + app.kubernetes.io/name: teleport-kube-agent + ``` + + + ```code + $ --set extraLabels.secret."app\.kubernetes\.io\/name"=teleport-kube-agent + ``` + + You must escape values entered on the command line correctly for Helm's CLI to understand them. We recommend + using a `values.yaml` file instead to avoid confusion and errors. 
+ + + + +## `extraLabels.serviceAccount` + +| Type | Default value | +| - | - | +| `object` | `{}` | + +[Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) + +Kubernetes labels which should be applied to the `ServiceAccount` created by the chart. + + + + ```yaml + extraLabels: + serviceAccount: + app.kubernetes.io/name: teleport-kube-agent + ``` + + + ```code + $ --set extraLabels.serviceAccount."app\.kubernetes\.io\/name"=teleport-kube-agent + ``` + + You must escape values entered on the command line correctly for Helm's CLI to understand them. We recommend + using a `values.yaml` file instead to avoid confusion and errors. + + + + ## `annotations.config` | Type | Default value | Can be used in `custom` mode? | `teleport.yaml` equivalent | diff --git a/examples/chart/teleport-kube-agent/.lint/extra-labels.yaml b/examples/chart/teleport-kube-agent/.lint/extra-labels.yaml new file mode 100644 index 0000000000000..29d6b946265c8 --- /dev/null +++ b/examples/chart/teleport-kube-agent/.lint/extra-labels.yaml 
@@ -0,0 +1,31 @@ +authToken: auth-token +proxyAddr: proxy.example.com:3080 +kubeClusterName: test-kube-cluster +extraLabels: + clusterRole: + app.kubernetes.io/name: "teleport-kube-agent" + resource: "clusterrole" + clusterRoleBinding: + app.kubernetes.io/name: "teleport-kube-agent" + resource: "clusterrolebinding" + config: + app.kubernetes.io/name: "teleport-kube-agent" + resource: "config" + deployment: + app.kubernetes.io/name: "teleport-kube-agent" + resource: "deployment" + pod: + app.kubernetes.io/name: "teleport-kube-agent" + resource: "pod" + podDisruptionBudget: + app.kubernetes.io/name: "teleport-kube-agent" + resource: "poddisruptionbudget" + podSecurityPolicy: + app.kubernetes.io/name: "teleport-kube-agent" + resource: "podsecuritypolicy" + secret: + app.kubernetes.io/name: "teleport-kube-agent" + resource: "secret" + serviceAccount: + app.kubernetes.io/name: "teleport-kube-agent" + resource: "serviceaccount" diff --git a/examples/chart/teleport-kube-agent/.lint/priority-class-name.yaml b/examples/chart/teleport-kube-agent/.lint/priority-class-name.yaml new file mode 100644 index 0000000000000..1f0baeb9262f6 --- /dev/null +++ b/examples/chart/teleport-kube-agent/.lint/priority-class-name.yaml @@ -0,0 +1,4 @@ +authToken: auth-token +proxyAddr: proxy.example.com:3080 +kubeClusterName: test-kube-cluster +priorityClassName: teleport-kube-agent diff --git a/examples/chart/teleport-kube-agent/templates/clusterrole.yaml b/examples/chart/teleport-kube-agent/templates/clusterrole.yaml index af039269c7e72..7cb5f60d54a3f 100644 --- a/examples/chart/teleport-kube-agent/templates/clusterrole.yaml +++ b/examples/chart/teleport-kube-agent/templates/clusterrole.yaml @@ -2,6 +2,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: {{ .Values.clusterRoleName | default .Release.Name }} +{{- if .Values.extraLabels.clusterRole }} + labels: + {{- toYaml .Values.extraLabels.clusterRole | nindent 4 }} +{{- end }} rules: - apiGroups: - "" 
diff --git a/examples/chart/teleport-kube-agent/templates/clusterrolebinding.yaml b/examples/chart/teleport-kube-agent/templates/clusterrolebinding.yaml index 57200e4aee90b..6298169bd6659 100644 --- a/examples/chart/teleport-kube-agent/templates/clusterrolebinding.yaml +++ b/examples/chart/teleport-kube-agent/templates/clusterrolebinding.yaml @@ -2,6 +2,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: {{ .Values.clusterRoleBindingName | default .Release.Name }} +{{- if .Values.extraLabels.clusterRoleBinding }} + labels: + {{- toYaml .Values.extraLabels.clusterRoleBinding | nindent 4 }} +{{- end }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole diff --git a/examples/chart/teleport-kube-agent/templates/config.yaml b/examples/chart/teleport-kube-agent/templates/config.yaml index 83fa3f9fc161b..41a93e1bdab5d 100644 --- a/examples/chart/teleport-kube-agent/templates/config.yaml +++ b/examples/chart/teleport-kube-agent/templates/config.yaml @@ -4,6 +4,10 @@ kind: ConfigMap metadata: name: {{ .Release.Name }} namespace: {{ .Release.Namespace }} +{{- if .Values.extraLabels.config }} + labels: + {{- toYaml .Values.extraLabels.config | nindent 4 }} +{{- end }} {{- if .Values.annotations.config }} annotations: {{- toYaml .Values.annotations.config | nindent 4 }} diff --git a/examples/chart/teleport-kube-agent/templates/deployment.yaml b/examples/chart/teleport-kube-agent/templates/deployment.yaml index d268ed4ec2b30..3d998b9f89796 100644 --- a/examples/chart/teleport-kube-agent/templates/deployment.yaml +++ b/examples/chart/teleport-kube-agent/templates/deployment.yaml @@ -20,6 +20,9 @@ metadata: namespace: {{ .Release.Namespace }} labels: app: {{ .Release.Name }} + {{- if .Values.extraLabels.deployment }} + {{- toYaml .Values.extraLabels.deployment | nindent 4 }} + {{- end }} {{- if .Values.annotations.deployment }} annotations: {{- toYaml .Values.annotations.deployment | nindent 4 }} 
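Review bot: The `toYaml .Values.extraLabels.deployment` block in deployment.yaml is emitted directly under the fixed `app: {{ .Release.Name }}` entry, so a values file that sets `extraLabels.deployment.app` renders two `app` keys in one mapping, and which one survives depends on the YAML decoder. The same pattern is added to the pod-template labels in deployment.yaml and statefulset.yaml and to pdb.yaml, where `app` is presumably the label the selectors match on (the selector bodies are outside these hunks). Dropping the reserved key before rendering keeps the chart's own label authoritative, e.g. `{{- toYaml (omit .Values.extraLabels.deployment "app") | nindent 4 }}`; alternatively the template could `fail` when the key is present.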
@@ -39,6 +42,9 @@ spec: {{- end }} labels: app: {{ .Release.Name }} +{{- if .Values.extraLabels.pod }} + {{- toYaml .Values.extraLabels.pod | nindent 8 }} +{{- end }} spec: {{- if or .Values.affinity (gt (int .replicaCount) 1) }} affinity: @@ -186,6 +192,9 @@ spec: {{- end }} {{- if .Values.extraVolumes }} {{- toYaml .Values.extraVolumes | nindent 6 }} +{{- end }} +{{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} {{- end }} serviceAccountName: {{ .Values.serviceAccountName | default .Release.Name }} {{- end }} diff --git a/examples/chart/teleport-kube-agent/templates/pdb.yaml b/examples/chart/teleport-kube-agent/templates/pdb.yaml index 6e3f5c3f117a4..6b6e17ae09e10 100644 --- a/examples/chart/teleport-kube-agent/templates/pdb.yaml +++ b/examples/chart/teleport-kube-agent/templates/pdb.yaml @@ -10,6 +10,9 @@ metadata: namespace: {{ .Release.Namespace }} labels: app: {{ .Release.Name }} +{{- if .Values.extraLabels.podDisruptionBudget }} + {{- toYaml .Values.extraLabels.podDisruptionBudget | nindent 4 }} +{{- end }} spec: minAvailable: {{ .Values.highAvailability.podDisruptionBudget.minAvailable }} selector: diff --git a/examples/chart/teleport-kube-agent/templates/psp.yaml b/examples/chart/teleport-kube-agent/templates/psp.yaml index 57cfb11a1b27d..20cab01bd1c6b 100644 --- a/examples/chart/teleport-kube-agent/templates/psp.yaml +++ b/examples/chart/teleport-kube-agent/templates/psp.yaml @@ -3,6 +3,10 @@ apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: {{ .Release.Name }} +{{- if .Values.extraLabels.podSecurityPolicy }} + labels: + {{- toYaml .Values.extraLabels.podSecurityPolicy | nindent 4 }} +{{- end }} annotations: seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' 
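Review bot: `priorityClassName: {{ .Values.priorityClassName }}` in deployment.yaml is rendered unquoted, so a class name that YAML reads as another type (a name such as `true`, or an all-digit name) reaches the API server as a boolean or number and the manifest is rejected. `priorityClassName: {{ .Values.priorityClassName | quote }}` keeps it a string regardless of the value. The same line is added to statefulset.yaml and needs the same change; the enclosing pod spec starts and ends outside the hunk.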
diff --git a/examples/chart/teleport-kube-agent/templates/secret.yaml b/examples/chart/teleport-kube-agent/templates/secret.yaml index aa8ad47bd0b32..ae26024097ff9 100644 --- a/examples/chart/teleport-kube-agent/templates/secret.yaml +++ b/examples/chart/teleport-kube-agent/templates/secret.yaml @@ -4,6 +4,10 @@ kind: Secret metadata: name: {{ .Values.secretName }} namespace: {{ .Release.Namespace }} +{{- if .Values.extraLabels.secret }} + labels: + {{- toYaml .Values.extraLabels.secret | nindent 4 }} +{{- end }} type: Opaque stringData: auth-token: | diff --git a/examples/chart/teleport-kube-agent/templates/serviceaccount.yaml b/examples/chart/teleport-kube-agent/templates/serviceaccount.yaml index 26d79e5eb9fe1..e3eb068278401 100644 --- a/examples/chart/teleport-kube-agent/templates/serviceaccount.yaml +++ b/examples/chart/teleport-kube-agent/templates/serviceaccount.yaml @@ -3,7 +3,11 @@ kind: ServiceAccount metadata: name: {{ .Values.serviceAccountName | default .Release.Name }} namespace: {{ .Release.Namespace }} +{{- if .Values.extraLabels.serviceAccount }} + labels: + {{- toYaml .Values.extraLabels.serviceAccount | nindent 4 }} +{{- end }} {{- if .Values.annotations.serviceAccount }} annotations: {{- toYaml .Values.annotations.serviceAccount | nindent 4 }} -{{- end -}} \ No newline at end of file +{{- end -}} diff --git a/examples/chart/teleport-kube-agent/templates/statefulset.yaml b/examples/chart/teleport-kube-agent/templates/statefulset.yaml index c80c8b7a0a53c..203a0c13a2640 100644 --- a/examples/chart/teleport-kube-agent/templates/statefulset.yaml +++ b/examples/chart/teleport-kube-agent/templates/statefulset.yaml @@ -20,6 +20,9 @@ metadata: namespace: {{ .Release.Namespace }} labels: app: {{ .Release.Name }} + {{- if .Values.extraLabels.deployment }} + {{- toYaml .Values.extraLabels.deployment | nindent 4 }} + {{- end }} spec: serviceName: {{ .Release.Name }} replicas: {{ .replicaCount }} 
@@ -36,6 +39,9 @@ spec: {{- end }} labels: app: {{ .Release.Name }} +{{- if .Values.extraLabels.pod }} + {{- toYaml .Values.extraLabels.pod | nindent 8 }} +{{- end }} spec: securityContext: fsGroup: 9807 @@ -101,6 +107,9 @@ spec: {{- if .Values.extraVolumeMounts }} {{- toYaml .Values.extraVolumeMounts | nindent 8 }} {{- end }} +{{- end }} +{{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} {{- end }} serviceAccountName: {{ .Values.serviceAccountName | default .Release.Name }} {{- if .Values.nodeSelector }} diff --git a/examples/chart/teleport-kube-agent/values.schema.json b/examples/chart/teleport-kube-agent/values.schema.json index 4f3604bb23f96..8f9f4170a16cf 100644 --- a/examples/chart/teleport-kube-agent/values.schema.json +++ b/examples/chart/teleport-kube-agent/values.schema.json @@ -206,6 +206,11 @@ } } }, + "priorityClassName": { + "$id": "#/properties/priorityClassName", + "type": "string", + "default": "" + }, "serviceAccountName": { "$id": "#/properties/serviceAccountName", "type": "string", @@ -228,7 +233,13 @@ "level": { "$id": "#/properties/log/properties/level", "type": "string", - "enum": ["DEBUG", "INFO", "WARN", "WARNING", "ERROR"], + "enum": [ + "DEBUG", + "INFO", + "WARN", + "WARNING", + "ERROR" + ], "default": "INFO" }, "deployment": { 
@@ -253,6 +264,57 @@ "type": "object", "default": {} }, + "extraLabels": { + "$id": "#/properties/extraLabels", + "type": "object", + "properties": { + "clusterRole": { + "$id": "#/properties/extraLabels/properties/clusterRole", + "type": "object", + "default": {} + }, + "clusterRoleBinding": { + "$id": "#/properties/extraLabels/properties/clusterRoleBinding", + "type": "object", + "default": {} + }, + "config": { + "$id": "#/properties/extraLabels/properties/config", + "type": "object", + "default": {} + }, + "deployment": { + "$id": "#/properties/extraLabels/properties/deployment", + "type": "object", + "default": {} + }, + "pod": { + "$id": "#/properties/extraLabels/properties/pod", + "type": "object", + "default": {} + }, + "podDisruptionBudget": { + "$id": "#/properties/extraLabels/properties/podDisruptionBudget", + "type": "object", + "default": {} + }, + "podSecurityPolicy": { + "$id": "#/properties/extraLabels/properties/podSecurityPolicy", + "type": "object", + "default": {} + }, + "secret": { + "$id": "#/properties/extraLabels/properties/secret", + "type": "object", + "default": {} + }, + "serviceAccount": { + "$id": "#/properties/extraLabels/properties/serviceAccount", + "type": "object", + "default": {} + } + } + }, "annotations": { "$id": "#/properties/annotations", "type": "object", @@ -336,4 +398,4 @@ "default": 1 } } -} +} \ No newline at end of file diff --git a/examples/chart/teleport-kube-agent/values.yaml b/examples/chart/teleport-kube-agent/values.yaml index 91ab950525518..f7173bbf04338 100644 --- a/examples/chart/teleport-kube-agent/values.yaml +++ b/examples/chart/teleport-kube-agent/values.yaml 
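Review bot: Each `extraLabels.*` entry in values.schema.json is declared only as `"type": "object"`, so the schema accepts non-string label values and ignores a misspelled resource key (for instance a constructed `extraLabels.pods`). Kubernetes label values must be strings, so such input passes schema validation and either fails later at the API server or leaves a label missing that selectors or policies may rely on. Adding `"additionalProperties": {"type": "string"}` to each resource entry and `"additionalProperties": false` on `extraLabels` itself would surface both mistakes at lint/install time.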
@@ -167,6 +167,28 @@ affinity: {} # https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ nodeSelector: {} +# Kubernetes labels to apply +# https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ +extraLabels: + # Labels for the Cluster Role + clusterRole: {} + # Labels for the Cluster Role Binding + clusterRoleBinding: {} + # Labels for the ConfigMap + config: {} + # Labels for the Deployment/StatefulSet + deployment: {} + # Labels for each Pod in the Deployment/StatefulSet + pod: {} + # Labels for the Pod Disruption Budget (ignored when disabled) + podDisruptionBudget: {} + # Labels for the Pod Security Policy (ignored when disabled) + podSecurityPolicy: {} + # Labels for the Secret (ignored when disabled) + secret: {} + # Labels for the ServiceAccount object + serviceAccount: {} + # Kubernetes annotations to apply # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ annotations: @@ -214,6 +236,9 @@ resources: {} # cpu: "1" # memory: "2Gi" +# Priority class name to add to the deployment +priorityClassName: "" + # Tolerations for pod assignment # https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ tolerations: []
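Review bot: The comment `# Priority class name to add to the deployment` in values.yaml understates where the value lands, since the same commit also renders it into the StatefulSet pod spec. Suggest `# Priority class name for the agent pods (Deployment or StatefulSet); the PriorityClass must already exist in the cluster`, as none of the templates shown here create one. The reference page in this commit documents the default as `nil` while this file and values.schema.json use `""`; those should be aligned.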