From 65d05d488b5b11162815a2374d4fbe6949666003 Mon Sep 17 00:00:00 2001 From: Sergey Petrov Date: Mon, 30 Mar 2026 14:41:17 +0700 Subject: [PATCH 1/4] Add templates for Cloud Provider components: CSI, CCM, CAPI and Cloud Data Discoverer Signed-off-by: Sergey Petrov --- .../templates/_capi_controller_manager.tpl | 178 +++++ .../templates/_cloud-data-discoverer.tpl | 265 +++++++ .../templates/_cloud_controller_manager.tpl | 238 ++++++ charts/helm_lib/templates/_csi_controller.tpl | 18 +- charts/helm_lib/templates/_csi_node.tpl | 20 +- ...elm_lib_capi_controller_manager_value.yaml | 1 + ...lm_lib_cloud_controller_manager_value.yaml | 1 + ..._lib_cloud_data_discoverer_monitoring.yaml | 1 + .../helm_lib_cloud_data_discoverer_value.yaml | 1 + ...helm_lib_capi_controller_manager_test.yaml | 703 ++++++++++++++++++ ...elm_lib_cloud_controller_manager_test.yaml | 591 +++++++++++++++ ...cloud_data_discoverer_monitoring_test.yaml | 166 +++++ .../helm_lib_cloud_data_discoverer_test.yaml | 643 ++++++++++++++++ 13 files changed, 2813 insertions(+), 13 deletions(-) create mode 100644 charts/helm_lib/templates/_capi_controller_manager.tpl create mode 100644 charts/helm_lib/templates/_cloud-data-discoverer.tpl create mode 100644 charts/helm_lib/templates/_cloud_controller_manager.tpl create mode 100644 tests/templates/helm_lib_capi_controller_manager_value.yaml create mode 100644 tests/templates/helm_lib_cloud_controller_manager_value.yaml create mode 100644 tests/templates/helm_lib_cloud_data_discoverer_monitoring.yaml create mode 100644 tests/templates/helm_lib_cloud_data_discoverer_value.yaml create mode 100644 tests/tests/helm_lib_capi_controller_manager_test.yaml create mode 100644 tests/tests/helm_lib_cloud_controller_manager_test.yaml create mode 100644 tests/tests/helm_lib_cloud_data_discoverer_monitoring_test.yaml create mode 100644 tests/tests/helm_lib_cloud_data_discoverer_test.yaml 
diff --git a/charts/helm_lib/templates/_capi_controller_manager.tpl b/charts/helm_lib/templates/_capi_controller_manager.tpl
new file mode 100644
index 0000000..0a9113a
--- /dev/null
+++ b/charts/helm_lib/templates/_capi_controller_manager.tpl
@@ -0,0 +1,178 @@ +{{- define "capi_controller_manager_resources" -}} +cpu: 25m +memory: 50Mi +{{- end -}} + +{{- define "capi_controller_manager_max_allowed_resources" -}} +cpu: 50m +memory: 50Mi +{{- end -}} + +{{- /* Usage: {{ include "helm_lib_capi_controller_manager_manifests" (list . $config) }} */ -}} +{{- define "helm_lib_capi_controller_manager_manifests" -}} + {{- $context := index . 0 -}} + {{- $config := index . 1 -}} + + {{- $fullname := required "helm_lib_capi_controller_manager_manifests: fullname is required" $config.fullname -}} + {{- $image := required "helm_lib_capi_controller_manager_manifests: image is required" $config.image -}} + {{- $capiProviderName := required "helm_lib_capi_controller_manager_manifests: $capiProviderName is required" $config.capiProviderName -}} + {{- $resources := dig "resources" (include "capi_controller_manager_resources" $context | fromYaml) $config -}} + {{- $priorityClassName := dig "priorityClassName" "system-cluster-critical" $config -}} + {{- $serviceAccountName := dig "serviceAccountName" $fullname $config -}} + {{- $automountServiceAccountToken := dig "automountServiceAccountToken" true $config -}} + {{- $revisionHistoryLimit := dig "revisionHistoryLimit" 2 $config -}} + {{- $terminationGracePeriodSeconds := dig "terminationGracePeriodSeconds" 10 $config -}} + {{- $hostNetwork := dig "hostNetwork" false $config -}} + {{- $dnsPolicy := dig "dnsPolicy" nil $config -}} + {{- $nodeSelectorStrategy := dig "nodeSelectorStrategy" "master" $config -}} + {{- $tolerationsStrategies := dig "tolerationsStrategies" (list "any-node" "uninitialized") $config -}} + {{- $livenessProbePort := dig "livenessProbePort" 8081 $config }} + {{- $readinessProbePort := dig "readinessProbePort" 8081 $config }} + + {{- $additionalArgs := dig "additionalArgs" (list) $config -}} + {{- $additionalEnv := dig "additionalEnv" (list) $config -}} + {{- $additionalPorts := dig "additionalPorts" (list) $config -}} + {{- $additionalInitContainers := 
dig "additionalInitContainers" (list) $config -}} + {{- $additionalVolumeMounts := dig "additionalVolumeMounts" (list) $config -}} + {{- $additionalVolumes := dig "additionalVolumes" (list) $config -}} + {{- $additionalPodLabels := dig "additionalPodLabels" (dict) $config -}} + {{- $additionalPodAnnotations := dig "additionalPodAnnotations" (dict) $config -}} + + {{- $pdbEnabled := dig "pdbEnabled" true $config -}} + {{- $pdbMaxUnavailable := dig "pdbMaxUnavailable" 1 $config -}} + + {{- $vpaEnabled := dig "vpaEnabled" false $config -}} + {{- $vpaUpdateMode := dig "vpaUpdateMode" "InPlaceOrRecreate" $config -}} + {{- $vpaMaxAllowed := dig "vpaMaxAllowed" (include "capi_controller_manager_max_allowed_resources" $context | fromYaml) $config -}} + +{{- if and $vpaEnabled ($context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} +--- +apiVersion: autoscaling.k8s.io/v1 +kind: VerticalPodAutoscaler +metadata: + name: {{ $fullname }} + namespace: d8-{{ $context.Chart.Name }} + {{- include "helm_lib_module_labels" (list $context (dict "app" $fullname)) | nindent 2 }} +spec: + targetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ $fullname }} + updatePolicy: + updateMode: {{ $vpaUpdateMode | quote }} + resourcePolicy: + containerPolicies: + - containerName: {{ $fullname | quote }} + minAllowed: + {{- toYaml $resources | nindent 10 }} + maxAllowed: + {{- toYaml $vpaMaxAllowed | nindent 10 }} +{{- end }} + +{{- if $pdbEnabled }} +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ $fullname }} + namespace: d8-{{ $context.Chart.Name }} + {{- include "helm_lib_module_labels" (list $context (dict "app" $fullname)) | nindent 2 }} +spec: + maxUnavailable: {{ $pdbMaxUnavailable }} + selector: + matchLabels: + app: {{ $fullname }} +{{- end }} + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ $fullname }} + namespace: d8-{{ $context.Chart.Name }} + {{- include "helm_lib_module_labels" (list $context (dict "app" 
$fullname)) | nindent 2 }} +spec: + {{- include "helm_lib_deployment_on_master_strategy_and_replicas_for_ha" $context | nindent 2 }} + revisionHistoryLimit: {{ $revisionHistoryLimit }} + selector: + matchLabels: + app: {{ $fullname }} + cluster.x-k8s.io/provider: {{ $capiProviderName }} + control-plane: controller-manager + template: + metadata: + labels: + app: {{ $fullname }} + cluster.x-k8s.io/provider: {{ $capiProviderName }} + control-plane: controller-manager + {{- with $additionalPodLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with $additionalPodAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + imagePullSecrets: + - name: deckhouse-registry + {{- include "helm_lib_pod_anti_affinity_for_ha" (list $context (dict "app" $fullname)) | nindent 6 }} + {{- include "helm_lib_priority_class" (tuple $context $priorityClassName) | nindent 6 }} + {{- include "helm_lib_node_selector" (tuple $context $nodeSelectorStrategy) | nindent 6 }} + {{- include "helm_lib_tolerations" (concat (list $context) $tolerationsStrategies) | nindent 6 }} + {{- include "helm_lib_module_pod_security_context_run_as_user_deckhouse" $context | nindent 6 }} + automountServiceAccountToken: {{ $automountServiceAccountToken }} + serviceAccountName: {{ $serviceAccountName }} + terminationGracePeriodSeconds: {{ $terminationGracePeriodSeconds }} + hostNetwork: {{ $hostNetwork }} + {{- with $dnsPolicy }} + dnsPolicy: {{ . }} + {{- end }} + {{- with $additionalInitContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: {{ $fullname }} + {{- include "helm_lib_module_container_security_context_pss_restricted_flexible" dict | nindent 8 }} + image: {{ $image }} + imagePullPolicy: IfNotPresent + args: + - --leader-elect + {{- with $additionalArgs }} + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with $additionalEnv }} + env: + {{- toYaml . 
| nindent 10 }} + {{- end }} + {{- with $additionalPorts }} + ports: + {{- toYaml . | nindent 10 }} + {{- end }} + livenessProbe: + httpGet: + path: /healthz + port: {{ $livenessProbePort }} + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: {{ $readinessProbePort }} + initialDelaySeconds: 5 + periodSeconds: 10 + {{- with $additionalVolumeMounts }} + volumeMounts: + {{- toYaml . | nindent 10 }} + {{- end }} + resources: + requests: + {{- include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 | nindent 12 }} + {{- if not (and $vpaEnabled ($context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd")) }} + {{- toYaml $resources | nindent 12 }} + {{- end }} + {{- with $additionalVolumes }} + volumes: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end -}} \ No newline at end of file diff --git a/charts/helm_lib/templates/_cloud-data-discoverer.tpl b/charts/helm_lib/templates/_cloud-data-discoverer.tpl new file mode 100644 index 0000000..debb3fc --- /dev/null +++ b/charts/helm_lib/templates/_cloud-data-discoverer.tpl 
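Review bot: `hostNetwork` is exposed as a knob (default false) but `dnsPolicy` stays unset unless the caller also passes it, so a consumer that turns on `hostNetwork: true` inherits the implicit ClusterFirst policy and loses in-cluster name resolution — the sibling `_cloud-data-discoverer.tpl` in this series derives its policy from a helper and `_cloud_controller_manager.tpl` hard-codes `Default`, so this template is the odd one out. Deriving the default from the knob keeps the two options coherent: `{{- $dnsPolicy := dig "dnsPolicy" (ternary "ClusterFirstWithHostNet" "" $hostNetwork) $config -}}` (an empty string still falls through the existing `with`). Separately, the `required` message for the provider name reads `$capiProviderName is required` while its siblings omit the `$`; drop it for consistency. The new file also ends without a trailing newline.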
@@ -0,0 +1,265 @@ +{{- define "cloud_data_discoverer_resources" -}} +cpu: 25m +memory: 50Mi +{{- end -}} + +{{- define "cloud_data_discoverer_max_allowed_resources" -}} +cpu: 50m +memory: 50Mi +{{- end -}} + +{{- /* Usage: {{ include "helm_lib_cloud_data_discoverer_manifests" (list . $config) }} */ -}} +{{- define "helm_lib_cloud_data_discoverer_manifests" -}} + {{- $context := index . 0 -}} + {{- $config := index . 1 -}} + + {{- $fullname := dig "fullname" "cloud-data-discoverer" $config -}} + {{- $image := required "helm_lib_cloud_data_discoverer_manifests: image is required" $config.image -}} + {{- $resources := dig "resources" (include "cloud_data_discoverer_resources" $context | fromYaml) $config -}} + {{- $replicas := dig "replicas" 1 $config -}} + {{- $revisionHistoryLimit := dig "revisionHistoryLimit" 2 $config -}} + {{- $serviceAccountName := dig "serviceAccountName" "cloud-data-discoverer" $config -}} + {{- $automountServiceAccountToken := dig "automountServiceAccountToken" true $config -}} + {{- $priorityClassName := dig "priorityClassName" "cluster-low" $config -}} + {{- $nodeSelectorStrategy := dig "nodeSelectorStrategy" "master" $config -}} + {{- $tolerationsStrategies := dig "tolerationsStrategies" (list "any-node" "with-uninitialized") $config -}} + {{- $additionalArgs := dig "additionalArgs" (list) $config -}} + {{- $additionalEnv := dig "additionalEnv" (list) $config -}} + {{- $additionalPodLabels := dig "additionalPodLabels" (dict) $config }} + {{- $additionalPodAnnotations := dig "additionalPodAnnotations" (dict) $config }} + {{- $additionalInitContainers := dig "additionalInitContainers" (list) $config -}} + {{- $additionalVolumes := dig "additionalVolumes" (list) $config -}} + {{- $additionalVolumeMounts := dig "additionalVolumeMounts" (list) $config -}} + + {{- $pdbEnabled := dig "pdbEnabled" true $config -}} + {{- $pdbMaxUnavailable := dig "pdbMaxUnavailable" 1 $config -}} + + {{- $vpaEnabled := dig "vpaEnabled" true $config -}} + {{- 
$vpaUpdateMode := dig "vpaUpdateMode" "Initial" $config -}} + {{- $vpaMaxAllowed := dig "vpaMaxAllowed" (include "cloud_data_discoverer_max_allowed_resources" $context | fromYaml) $config -}} + +{{- if and $vpaEnabled ($context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} +--- +apiVersion: autoscaling.k8s.io/v1 +kind: VerticalPodAutoscaler +metadata: + name: {{ $fullname }} + namespace: d8-{{ $context.Chart.Name }} + {{- include "helm_lib_module_labels" (list $context (dict "app" $fullname)) | nindent 2 }} +spec: + targetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ $fullname }} + updatePolicy: + updateMode: {{ $vpaUpdateMode | quote }} + resourcePolicy: + containerPolicies: + - containerName: {{ $fullname | quote }} + minAllowed: + {{- toYaml $resources | nindent 8 }} + maxAllowed: + {{- toYaml $vpaMaxAllowed | nindent 8 }} + {{- include "helm_lib_vpa_kube_rbac_proxy_resources" $context | nindent 4 }} +{{- end }} + +{{- if $pdbEnabled }} +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ $fullname }} + namespace: d8-{{ $context.Chart.Name }} + {{- include "helm_lib_module_labels" (list $context (dict "app" $fullname)) | nindent 2 }} +spec: + maxUnavailable: {{ $pdbMaxUnavailable }} + selector: + matchLabels: + app: {{ $fullname }} +{{- end }} + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ $fullname }} + namespace: d8-{{ $context.Chart.Name }} + {{- include "helm_lib_module_labels" (list $context (dict "app" $fullname)) | nindent 2 }} +spec: + replicas: {{ $replicas }} + revisionHistoryLimit: {{ $revisionHistoryLimit }} + strategy: + type: Recreate + selector: + matchLabels: + app: {{ $fullname }} + template: + metadata: + labels: + app: {{ $fullname }} + {{- with $additionalPodLabels }} + {{- toYaml . 
| nindent 8 }} + {{- end }} + annotations: + kubectl.kubernetes.io/default-exec-container: {{ $fullname }} + kubectl.kubernetes.io/default-logs-container: {{ $fullname }} + {{- with $additionalPodAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + imagePullSecrets: + - name: deckhouse-registry + {{- include "helm_lib_priority_class" (tuple $context $priorityClassName) | nindent 6 }} + {{- include "helm_lib_node_selector" (tuple $context $nodeSelectorStrategy) | nindent 6 }} + {{- include "helm_lib_tolerations" (concat (list $context) $tolerationsStrategies) | nindent 6 }} + {{- include "helm_lib_module_pod_security_context_run_as_user_deckhouse" $context | nindent 6 }} + dnsPolicy: {{ include "helm_lib_dns_policy_bootstraping_state" (list $context "Default" "ClusterFirstWithHostNet") }} + automountServiceAccountToken: {{ $automountServiceAccountToken }} + serviceAccountName: {{ $serviceAccountName }} + {{- with $additionalInitContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: {{ $fullname }} + {{- include "helm_lib_module_container_security_context_pss_restricted_flexible" dict | nindent 8 }} + image: {{ $image }} + args: + - --discovery-period=1h + - --listen-address=127.0.0.1:8081 + {{- with $additionalArgs }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with $additionalEnv }} + env: + {{- toYaml . | nindent 10 }} + {{- end }} + livenessProbe: + httpGet: + path: /healthz + port: 8080 + scheme: HTTPS + readinessProbe: + httpGet: + path: /healthz + port: 8080 + scheme: HTTPS + {{- with $additionalVolumeMounts }} + volumeMounts: + {{- toYaml . 
| nindent 10 }} + {{- end }} + resources: + requests: + {{- include "helm_lib_module_ephemeral_storage_only_logs" $context | nindent 12 }} + {{- if not (and $vpaEnabled ($context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd")) }} + {{- toYaml $resources | nindent 12 }} + {{- end }} + - name: kube-rbac-proxy + {{- include "helm_lib_module_container_security_context_pss_restricted_flexible" dict | nindent 8 }} + image: {{ include "helm_lib_module_common_image" (list $context "kubeRbacProxy") }} + args: + - "--secure-listen-address=$(KUBE_RBAC_PROXY_LISTEN_ADDRESS):8080" + - "--v=2" + - "--logtostderr=true" + - "--stale-cache-interval=1h30m" + - "--livez-path=/livez" + ports: + - containerPort: 8080 + name: https-metrics + env: + - name: KUBE_RBAC_PROXY_LISTEN_ADDRESS + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: KUBE_RBAC_PROXY_CONFIG + value: | + excludePaths: + - /healthz + upstreams: + - upstream: http://127.0.0.1:8081/ + path: / + authorization: + resourceAttributes: + namespace: d8-{{ $context.Chart.Name }} + apiGroup: apps + apiVersion: v1 + resource: deployments + subresource: prometheus-metrics + name: {{ $fullname }} + livenessProbe: + httpGet: + path: /livez + port: 8080 + scheme: HTTPS + readinessProbe: + httpGet: + path: /livez + port: 8080 + scheme: HTTPS + resources: + requests: + {{- include "helm_lib_module_ephemeral_storage_only_logs" $context | nindent 12 }} + {{- if not (and $vpaEnabled ($context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd")) }} + {{- include "helm_lib_container_kube_rbac_proxy_resources" $context | nindent 12 }} + {{- end }} + {{- with $additionalVolumes }} + volumes: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} + + +{{- /* Usage: {{ include "helm_lib_cloud_data_discoverer_pod_monitor" (list . $config) }} */ -}} +{{- define "helm_lib_cloud_data_discoverer_pod_monitor" -}} + {{- $context := index . 0 -}} + {{- $config := index . 
1 -}} + + {{- $fullname := dig "fullname" "cloud-data-discoverer" $config -}} + {{- $targetNamespace := required "helm_lib_cloud_data_discoverer_pod_monitor: targetNamespace is required" $config.targetNamespace -}} + {{- $additionalRelabelings := dig "additionalRelabelings" (list) $config -}} + +{{- if ($context.Values.global.enabledModules | has "operator-prometheus-crd") -}} +--- +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: {{ $fullname }}-metrics + namespace: d8-monitoring + {{- include "helm_lib_module_labels" (list $context (dict "prometheus" "main" "app" $fullname)) | nindent 2 }} +spec: + jobLabel: app + podMetricsEndpoints: + - port: https-metrics + path: /metrics + scheme: https + bearerTokenSecret: + name: prometheus-token + key: token + tlsConfig: + insecureSkipVerify: true + honorLabels: true + scrapeTimeout: {{ include "helm_lib_prometheus_target_scrape_timeout_seconds" (list $context 25) }} + relabelings: + - regex: "endpoint|pod|container" + action: labeldrop + - targetLabel: job + replacement: {{ $fullname }} + - sourceLabels: [__meta_kubernetes_pod_node_name] + targetLabel: node + - targetLabel: tier + replacement: cluster + - sourceLabels: [__meta_kubernetes_pod_ready] + regex: "true" + action: keep + {{- with $additionalRelabelings }} + {{- toYaml . | nindent 6 }} + {{- end }} + selector: + matchLabels: + app: {{ $fullname }} + namespaceSelector: + matchNames: + - {{ $targetNamespace }} + + {{- end -}} +{{- end -}} \ No newline at end of file diff --git a/charts/helm_lib/templates/_cloud_controller_manager.tpl b/charts/helm_lib/templates/_cloud_controller_manager.tpl new file mode 100644 index 0000000..bf6d6b2 --- /dev/null +++ b/charts/helm_lib/templates/_cloud_controller_manager.tpl 
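Review bot: `additionalArgs` is rendered with `nindent 8` while the hard-coded `--discovery-period`/`--listen-address` items and the `env` block directly below use `nindent 10`, so a caller-supplied argument lands at the level of the `args:` key rather than inside its list — presumably a YAML parse error at render time, or silently dropped arguments, depending on the surrounding indent the collapsed diff hides. The CAPI template in this same series renders the equivalent list with `nindent 10`; use the same here: `{{- toYaml . | nindent 10 }}`. In the PodMonitor, `bearerTokenSecret` is combined with `insecureSkipVerify: true`; that looks like the house pattern for kube-rbac-proxy's self-signed listener (no `--tls-cert-file` is passed), but since the Prometheus token is sent to an unverified endpoint a one-line comment such as `# TLS verification is skipped because kube-rbac-proxy serves a self-signed certificate — confirm` would help the next auditor. The new file also lacks a trailing newline.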
@@ -0,0 +1,238 @@ +{{- define "cloud_controller_manager_resources" }} +cpu: 25m +memory: 50Mi +{{- end }} + +{{- define "cloud_controller_manager_max_allowed_resources" }} +cpu: 50m +memory: 50Mi +{{- end }} + +{{- /* Usage: {{ include "helm_lib_cloud_controller_manager_manifests" (list . $config) }} */ -}} +{{- define "helm_lib_cloud_controller_manager_manifests" }} + {{- $context := index . 0 }} + {{- $config := index . 1 }} + + {{- $fullname := dig "fullname" "cloud-controller-manager" $config }} + {{- $image := $config.image | required "image is required" }} + {{- $resources := dig "resources" (include "cloud_controller_manager_resources" $context | fromYaml) $config }} + {{- $priorityClassName := dig "priorityClassName" "system-cluster-critical" $config }} + {{- $nodeSelectorStrategy := dig "nodeSelectorStrategy" "master" $config -}} + {{- $tolerationsStrategies := dig "tolerationsStrategies" (list "wildcard") $config -}} + {{- $hostNetwork := dig "hostNetwork" true $config }} + {{- $dnsPolicy := dig "dnsPolicy" "Default" $config }} + {{- $automountServiceAccountToken := dig "automountServiceAccountToken" true $config }} + {{- $serviceAccountName := dig "serviceAccountName" $fullname $config }} + {{- $revisionHistoryLimit := dig "revisionHistoryLimit" 2 $config }} + {{- $additionalEnvs := dig "additionalEnvs" (list) $config }} + {{- $additionalArgs := dig "additionalArgs" nil $config }} + {{- $additionalVolumeMounts := dig "additionalVolumeMounts" (list) $config }} + {{- $additionalVolumes := dig "additionalVolumes" (list) $config }} + {{- $additionalPodLabels := dig "additionalPodLabels" (dict) $config }} + {{- $additionalPodAnnotations := dig "additionalPodAnnotations" (dict) $config }} + + {{- $pdbEnabled := dig "pdbEnabled" true $config }} + {{- $pdbMaxUnavailable := dig "pdbMaxUnavailable" 1 $config }} + {{- $additionalPDBAnnotations := dig "additionalPDBAnnotations" (dict) $config }} + + {{- $vpaEnabled := dig "vpaEnabled" true $config }} + {{- 
$vpaUpdateMode := dig "vpaUpdateMode" "InPlaceOrRecreate" $config }} + {{- $vpaMaxAllowed := dig "vpaMaxAllowed" (include "cloud_controller_manager_max_allowed_resources" $context | fromYaml) $config }} + + {{- $securityPolicyExceptionEnabled := dig "securityPolicyExceptionEnabled" false $config }} + +{{- if and $vpaEnabled ($context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} +--- +apiVersion: autoscaling.k8s.io/v1 +kind: VerticalPodAutoscaler +metadata: + name: {{ $fullname }} + namespace: d8-{{ $context.Chart.Name }} + {{- include "helm_lib_module_labels" (list $context (dict "app" $fullname)) | nindent 2 }} +spec: + targetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ $fullname }} + updatePolicy: + updateMode: {{ $vpaUpdateMode }} + resourcePolicy: + containerPolicies: + - containerName: {{ $fullname | quote }} + minAllowed: + {{- toYaml $resources | nindent 10 }} + maxAllowed: + {{- toYaml $vpaMaxAllowed | nindent 10 }} +{{- end }} + +{{- if $pdbEnabled }} +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ $fullname }} + namespace: d8-{{ $context.Chart.Name }} + {{- include "helm_lib_module_labels" (list $context (dict "app" $fullname)) | nindent 2 }} + {{- with $additionalPDBAnnotations }} + annotations: + {{- toYaml . 
| nindent 4 }} + {{- end }} +spec: + maxUnavailable: {{ $pdbMaxUnavailable }} + selector: + matchLabels: + app: {{ $fullname }} +{{- end }} + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ $fullname }} + namespace: d8-{{ $context.Chart.Name }} + {{- include "helm_lib_module_labels" (list $context (dict "app" $fullname)) | nindent 2 }} +spec: + {{- include "helm_lib_deployment_on_master_strategy_and_replicas_for_ha" $context | nindent 2 }} + revisionHistoryLimit: {{ $revisionHistoryLimit }} + selector: + matchLabels: + app: {{ $fullname }} + template: + metadata: + labels: + app: {{ $fullname }} + {{- if and $securityPolicyExceptionEnabled ($context.Values.global.enabledModules | has "admission-policy-engine-crd") }} + security.deckhouse.io/security-policy-exception: {{ $fullname }} + {{- end }} + {{- with $additionalPodLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with $additionalPodAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + imagePullSecrets: + - name: deckhouse-registry + {{- include "helm_lib_pod_anti_affinity_for_ha" (list $context (dict "app" $fullname)) | nindent 6 }} + {{- include "helm_lib_priority_class" (tuple $context $priorityClassName) | nindent 6 }} + {{- include "helm_lib_node_selector" (tuple $context $nodeSelectorStrategy) | nindent 6 }} + {{- include "helm_lib_tolerations" (concat (list $context) $tolerationsStrategies) | nindent 6 }} + {{- include "helm_lib_module_pod_security_context_run_as_user_deckhouse" $context | nindent 6 }} + automountServiceAccountToken: {{ $automountServiceAccountToken }} + hostNetwork: {{ $hostNetwork }} + dnsPolicy: {{ $dnsPolicy }} + serviceAccountName: {{ $serviceAccountName }} + containers: + - name: {{ $fullname }} + {{- include "helm_lib_module_container_security_context_pss_restricted_flexible" dict | nindent 10 }} + image: {{ $image }} + args: + - --leader-elect=true + - --bind-address=127.0.0.1 + - --secure-port=10471 + {{- with 
$additionalArgs }} + {{- toYaml . | nindent 12 }} + {{- end }} + env: + {{- if not $context.Values.global.clusterIsBootstrapped }} + - name: KUBERNETES_SERVICE_HOST + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.hostIP + - name: KUBERNETES_SERVICE_PORT + value: "6443" + {{- end }} + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + {{- with $additionalEnvs }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- include "helm_lib_envs_for_proxy" $context | nindent 12 }} + livenessProbe: + httpGet: + path: /healthz + port: 10471 + host: 127.0.0.1 + scheme: HTTPS + readinessProbe: + httpGet: + path: /healthz + port: 10471 + host: 127.0.0.1 + scheme: HTTPS + {{- with $additionalVolumeMounts }} + volumeMounts: + {{- toYaml . | nindent 12 }} + {{- end }} + resources: + requests: + {{- include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 | nindent 14 }} + {{- if not (and $vpaEnabled ($context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd")) }} + {{- toYaml $resources | nindent 14 }} + {{- end }} + {{- with $additionalVolumes }} + volumes: + {{- toYaml . | nindent 8 }} + {{- end }} + +{{- if and $securityPolicyExceptionEnabled ($context.Values.global.enabledModules | has "admission-policy-engine-crd") }} +--- +apiVersion: deckhouse.io/v1alpha1 +kind: SecurityPolicyException +metadata: + name: {{ $fullname }} + namespace: d8-{{ $context.Chart.Name }} +spec: + {{- if $hostNetwork }} + network: + hostNetwork: + allowedValue: true + metadata: + description: | + Allow host network access for Cloud Controller Manager. + The Cloud Controller Manager requires host network access to communicate with the API for managing infrastructure resources, including load balancer configuration, node lifecycle management, and routing operations. 
+ {{- end }} + + {{- $hasHostPathVolumes := false }} + {{- if $additionalVolumes }} + {{- range $volume := $additionalVolumes }} + {{- if $volume.hostPath }} + {{- $hasHostPathVolumes = true }} + {{- end }} + {{- end }} + {{- end }} + {{- if $hasHostPathVolumes }} + volumes: + types: + allowedValues: + - hostPath + metadata: + description: | + Allow hostPath volume type for CSI Controller. + The CSI Controller requires hostPath volumes for accessing host-level resources needed for storage management operations specific to the cloud provider implementation. + hostPath: + allowedValues: + {{- range $volume := $additionalVolumes }} + {{- if $volume.hostPath }} + {{- $readOnly := false }} + {{- range $volumeMount := $additionalVolumeMounts }} + {{- if eq $volumeMount.name $volume.name }} + {{- $readOnly = (default false $volumeMount.readOnly) }} + {{- end }} + {{- end }} + - path: {{ $volume.hostPath.path }} + readOnly: {{ $readOnly }} + metadata: + description: | + Allow access to additional hostPath volume at {{ $volume.hostPath.path }}. + This additional hostPath volume is required by the CSI Node Driver for extended storage operations specific to the cloud provider implementation. + {{- end }} + {{- end }} + {{- end }} +{{- end }} + +{{- end }} diff --git a/charts/helm_lib/templates/_csi_controller.tpl b/charts/helm_lib/templates/_csi_controller.tpl index 9d643fb..2531211 100644 --- a/charts/helm_lib/templates/_csi_controller.tpl +++ b/charts/helm_lib/templates/_csi_controller.tpl 
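Review bot: `hostNetwork` is configurable (default true), but `--bind-address=127.0.0.1` and the probes' `host: 127.0.0.1` are unconditional; with `hostNetwork: false` the kubelet would probe the node's loopback rather than the pod, so the container never becomes ready, and the CCM itself would be bound to an address nothing outside the pod can reach. Either the probe host and bind address should follow the knob (rewritten below; readinessProbe mirrors the liveness change), or the knob should be dropped so the loopback-only exposure of the secure port is not defeated by accident. Also, the SecurityPolicyException descriptions were copied from the CSI templates and still say `Allow hostPath volume type for CSI Controller` and `required by the CSI Node Driver`; these strings are what a policy auditor reads, so reword them to name the Cloud Controller Manager.

```yaml
          args:
            - --leader-elect=true
            {{- if $hostNetwork }}
            - --bind-address=127.0.0.1
            {{- end }}
            - --secure-port=10471
            # … unchanged: additionalArgs, env block …
          livenessProbe:
            httpGet:
              path: /healthz
              port: 10471
              {{- if $hostNetwork }}
              host: 127.0.0.1
              {{- end }}
              scheme: HTTPS
          # … unchanged: readinessProbe, with the same conditional host …
```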
@@ -641,16 +641,22 @@ spec: The CSI Controller requires hostPath volumes for accessing host-level resources needed for storage management operations specific to the cloud provider implementation. hostPath: allowedValues: - {{- range $vol := $additionalControllerVolumes }} - {{- if $vol.hostPath }} - - path: {{ $vol.hostPath.path }} - readOnly: false + {{- range $volume := $additionalControllerVolumes }} + {{- if $volume.hostPath }} + {{- $readOnly := false }} + {{- range $volumeMount := $additionalControllerVolumeMounts }} + {{- if eq $volumeMount.name $volume.name }} + {{- $readOnly = (default false $volumeMount.readOnly) }} + {{- end }} + {{- end }} + - path: {{ $volume.hostPath.path }} + readOnly: {{ $readOnly }} metadata: description: | - Allow access to additional hostPath volume at {{ $vol.hostPath.path }}. + Allow access to additional hostPath volume at {{ $volume.hostPath.path }}. This hostPath volume is required by the CSI Controller for storage management operations specific to the cloud provider implementation. - {{- end }} {{- end }} + {{- end }} {{- end }} {{- end }} {{- end }} diff --git a/charts/helm_lib/templates/_csi_node.tpl b/charts/helm_lib/templates/_csi_node.tpl index fa374f2..6e677c9 100644 --- a/charts/helm_lib/templates/_csi_node.tpl +++ b/charts/helm_lib/templates/_csi_node.tpl 
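Review bot: The new loop assigns `$readOnly` from every matching mount in turn, so the last listed mount wins: a hostPath mounted read-write in one container and read-only in a later-listed one is declared `readOnly: true` in the exception, stricter than the pod the exception is meant to admit, while the opposite ordering correctly yields `false`. Since the exception must be exactly as permissive as the most permissive mount, start from `{{- $readOnly := true }}` and clear it when any matching mount is writable: `{{- if not (default false $volumeMount.readOnly) }}{{- $readOnly = false }}{{- end }}`. This also makes a volume that no mount references default to read-only instead of read-write. The enclosing define and the declaration of `$additionalControllerVolumeMounts` are outside the hunk; please confirm that variable is declared before this point, since an undeclared template variable fails at render time.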
@@ -364,18 +364,24 @@ spec: description: | Allow access to host device directory. CSI Node Driver requires access to /dev to manage block devices and perform disk operations for persistent volumes. - {{- if $additionalNodeVolumes }} - {{- range $vol := $additionalNodeVolumes }} - {{- if $vol.hostPath }} - - path: {{ $vol.hostPath.path }} - readOnly: false + {{- if $additionalNodeVolumes }} + {{- range $volume := $additionalNodeVolumes }} + {{- if $volume.hostPath }} + {{- $readOnly := false }} + {{- range $volumeMount := $additionalNodeVolumeMounts }} + {{- if eq $volumeMount.name $volume.name }} + {{- $readOnly = (default false $volumeMount.readOnly) }} + {{- end }} + {{- end }} + - path: {{ $volume.hostPath.path }} + readOnly: {{ $readOnly }} metadata: description: | - Allow access to additional hostPath volume at {{ $vol.hostPath.path }}. + Allow access to additional hostPath volume at {{ $volume.hostPath.path }}. This additional hostPath volume is required by the CSI Node Driver for extended storage operations specific to the cloud provider implementation. - {{- end }} {{- end }} {{- end }} + {{- end }} {{- end }} {{- end }} {{- end }} diff --git a/tests/templates/helm_lib_capi_controller_manager_value.yaml b/tests/templates/helm_lib_capi_controller_manager_value.yaml new file mode 100644 index 0000000..f450f0a --- /dev/null +++ b/tests/templates/helm_lib_capi_controller_manager_value.yaml @@ -0,0 +1 @@ +{{ include "helm_lib_capi_controller_manager_manifests" (list . .Values._testvalues) }} \ No newline at end of file diff --git a/tests/templates/helm_lib_cloud_controller_manager_value.yaml b/tests/templates/helm_lib_cloud_controller_manager_value.yaml new file mode 100644 index 0000000..55b4833 --- /dev/null +++ b/tests/templates/helm_lib_cloud_controller_manager_value.yaml @@ -0,0 +1 @@ +{{ include "helm_lib_cloud_controller_manager_manifests" (list . .Values._testvalues) }} \ No newline at end of file 
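Review bot: This readOnly-derivation loop is now duplicated nearly verbatim in `_cloud_controller_manager.tpl`, `_csi_controller.tpl` and here, differing only in variable names, and all three carry the same last-matching-mount-wins semantics. A small named template, e.g. `helm_lib_host_path_read_only` taking `(list $volume.name $additionalNodeVolumeMounts)` and emitting a truthy value only when every matching mount is read-only, would keep the three exceptions in sync and fix the ordering question once. `$additionalNodeVolumeMounts` is referenced here as a new name and the enclosing define starts outside this hunk, so it must already be declared there.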
diff --git a/tests/templates/helm_lib_cloud_data_discoverer_monitoring.yaml b/tests/templates/helm_lib_cloud_data_discoverer_monitoring.yaml
new file mode 100644
index 0000000..5c9c715
--- /dev/null
+++ b/tests/templates/helm_lib_cloud_data_discoverer_monitoring.yaml
@@ -0,0 +1 @@
+{{ include "helm_lib_cloud_data_discoverer_pod_monitor" (list . .Values._testvalues) }}
\ No newline at end of file
diff --git a/tests/templates/helm_lib_cloud_data_discoverer_value.yaml b/tests/templates/helm_lib_cloud_data_discoverer_value.yaml
new file mode 100644
index 0000000..b7c0004
--- /dev/null
+++ b/tests/templates/helm_lib_cloud_data_discoverer_value.yaml
@@ -0,0 +1 @@
+{{ include "helm_lib_cloud_data_discoverer_manifests" (list . .Values._testvalues) }}
\ No newline at end of file
diff --git a/tests/tests/helm_lib_capi_controller_manager_test.yaml b/tests/tests/helm_lib_capi_controller_manager_test.yaml
new file mode 100644
index 0000000..e888fa6
--- /dev/null
+++ b/tests/tests/helm_lib_capi_controller_manager_test.yaml
@@ -0,0 +1,703 @@ +suite: helm_lib_capi_controller_manager_value definition +templates: + - helm_lib_capi_controller_manager_value.yaml + +tests: + - it: renders basic CAPI controller manager deployment with defaults + set: + global: + modules: + placement: {} + enabledModules: [] + discovery: + d8SpecificNodeCountByRole: {} + _testvalues: + fullname: capz-controller-manager + image: controllerImage + capiProviderName: infrastructure-zvirt + documentSelector: + path: kind + value: Deployment + asserts: + - hasDocuments: + count: 2 + - containsDocument: + kind: Deployment + apiVersion: apps/v1 + name: capz-controller-manager + namespace: d8-test-module + - equal: + path: metadata.name + value: capz-controller-manager + - equal: + path: spec.revisionHistoryLimit + value: 2 + - equal: + path: spec.selector.matchLabels.app + value: capz-controller-manager + - equal: + path: spec.selector.matchLabels["cluster.x-k8s.io/provider"] + value: infrastructure-zvirt + - equal: + path: spec.selector.matchLabels["control-plane"] + value: controller-manager + - equal: + path: spec.template.metadata.labels.app + value: capz-controller-manager + - equal: + path: spec.template.metadata.labels["cluster.x-k8s.io/provider"] + value: infrastructure-zvirt + - equal: + path: spec.template.metadata.labels["control-plane"] + value: controller-manager + - notExists: + path: spec.template.metadata.annotations + - equal: + path: spec.template.spec.automountServiceAccountToken + value: true + - equal: + path: spec.template.spec.serviceAccountName + value: capz-controller-manager + - equal: + path: spec.template.spec.terminationGracePeriodSeconds + value: 10 + - equal: + path: spec.template.spec.hostNetwork + value: false + - notExists: + path: spec.template.spec.dnsPolicy + - equal: + path: spec.template.spec.imagePullSecrets[0].name + value: deckhouse-registry + - exists: + path: spec.template.spec.tolerations + - exists: + path: spec.template.spec.securityContext + - equal: + path: 
spec.template.spec.containers[0].name + value: capz-controller-manager + - equal: + path: spec.template.spec.containers[0].image + value: controllerImage + - equal: + path: spec.template.spec.containers[0].imagePullPolicy + value: IfNotPresent + - equal: + path: spec.template.spec.containers[0].args[0] + value: --leader-elect + - equal: + path: spec.template.spec.containers[0].livenessProbe.httpGet.path + value: /healthz + - equal: + path: spec.template.spec.containers[0].livenessProbe.httpGet.port + value: 8081 + - equal: + path: spec.template.spec.containers[0].livenessProbe.initialDelaySeconds + value: 15 + - equal: + path: spec.template.spec.containers[0].livenessProbe.periodSeconds + value: 20 + - equal: + path: spec.template.spec.containers[0].readinessProbe.httpGet.path + value: /readyz + - equal: + path: spec.template.spec.containers[0].readinessProbe.httpGet.port + value: 8081 + - equal: + path: spec.template.spec.containers[0].readinessProbe.initialDelaySeconds + value: 5 + - equal: + path: spec.template.spec.containers[0].readinessProbe.periodSeconds + value: 10 + - equal: + path: spec.template.spec.containers[0].resources.requests.cpu + value: 25m + - equal: + path: spec.template.spec.containers[0].resources.requests.memory + value: 50Mi + + - it: renders basic CAPI controller manager PodDisruptionBudget + set: + global: + modules: + placement: {} + enabledModules: [] + discovery: + d8SpecificNodeCountByRole: {} + _testvalues: + fullname: capz-controller-manager + image: controllerImage + capiProviderName: infrastructure-zvirt + documentSelector: + path: kind + value: PodDisruptionBudget + asserts: + - hasDocuments: + count: 2 + - containsDocument: + kind: PodDisruptionBudget + apiVersion: policy/v1 + name: capz-controller-manager + namespace: d8-test-module + - equal: + path: metadata.name + value: capz-controller-manager + - equal: + path: spec.maxUnavailable + value: 1 + - equal: + path: spec.selector.matchLabels.app + value: capz-controller-manager 
+ + - it: does not render PodDisruptionBudget when disabled + set: + global: + modules: + placement: {} + enabledModules: [] + discovery: + d8SpecificNodeCountByRole: {} + _testvalues: + fullname: capz-controller-manager + image: controllerImage + capiProviderName: infrastructure-zvirt + pdbEnabled: false + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: Deployment + apiVersion: apps/v1 + name: capz-controller-manager + namespace: d8-test-module + + - it: renders custom PDB maxUnavailable + set: + global: + modules: + placement: {} + enabledModules: [] + discovery: + d8SpecificNodeCountByRole: {} + _testvalues: + fullname: capz-controller-manager + image: controllerImage + capiProviderName: infrastructure-zvirt + pdbMaxUnavailable: 2 + documentSelector: + path: kind + value: PodDisruptionBudget + asserts: + - equal: + path: spec.maxUnavailable + value: 2 + + - it: renders custom serviceAccountName and custom resources + set: + global: + modules: + placement: {} + enabledModules: [] + discovery: + d8SpecificNodeCountByRole: {} + _testvalues: + fullname: caps-controller-manager + image: controllerImage + capiProviderName: infrastructure-static + serviceAccountName: custom-sa + resources: + cpu: 100m + memory: 128Mi + additionalArgs: + - --sync-period=1m + documentSelector: + path: kind + value: Deployment + asserts: + - equal: + path: spec.template.spec.serviceAccountName + value: custom-sa + - contains: + path: spec.template.spec.containers[0].args + content: --sync-period=1m + - equal: + path: spec.template.spec.containers[0].resources.requests.cpu + value: 100m + - equal: + path: spec.template.spec.containers[0].resources.requests.memory + value: 128Mi + + - it: renders custom automountServiceAccountToken when disabled + set: + global: + modules: + placement: {} + enabledModules: [] + discovery: + d8SpecificNodeCountByRole: {} + _testvalues: + fullname: capz-controller-manager + image: controllerImage + capiProviderName: infrastructure-zvirt + 
automountServiceAccountToken: false + documentSelector: + path: kind + value: Deployment + asserts: + - equal: + path: spec.template.spec.automountServiceAccountToken + value: false + + - it: renders custom revisionHistoryLimit and terminationGracePeriodSeconds + set: + global: + modules: + placement: {} + enabledModules: [] + discovery: + d8SpecificNodeCountByRole: {} + _testvalues: + fullname: capz-controller-manager + image: controllerImage + capiProviderName: infrastructure-zvirt + revisionHistoryLimit: 5 + terminationGracePeriodSeconds: 30 + documentSelector: + path: kind + value: Deployment + asserts: + - equal: + path: spec.revisionHistoryLimit + value: 5 + - equal: + path: spec.template.spec.terminationGracePeriodSeconds + value: 30 + + - it: renders custom dnsPolicy when provided + set: + global: + modules: + placement: {} + enabledModules: [] + discovery: + d8SpecificNodeCountByRole: {} + _testvalues: + fullname: caphc-controller-manager + image: controllerImage + capiProviderName: infrastructure-huaweicloud + dnsPolicy: ClusterFirstWithHostNet + documentSelector: + path: kind + value: Deployment + asserts: + - equal: + path: spec.template.spec.dnsPolicy + value: ClusterFirstWithHostNet + + - it: renders custom deployment options for capcd style controller + set: + global: + modules: + placement: {} + enabledModules: [] + discovery: + d8SpecificNodeCountByRole: {} + _testvalues: + fullname: capcd-controller-manager + image: controllerImage + capiProviderName: infrastructure-static + serviceAccountName: capcd-controller-manager + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + tolerationsStrategies: + - wildcard + livenessProbePort: 9445 + readinessProbePort: 9445 + additionalArgs: + - --diagnostics-address=127.0.0.1:9446 + - --insecure-diagnostics + - --health-probe-bind-address=:9445 + - --zap-encoder=json + additionalEnv: + - name: CAPVCD_SKIP_RDE + value: "true" + - name: USE_K8S_ENV_AS_CONTROL_PLANE_IP + value: "true" + additionalPorts: + - 
containerPort: 4201 + name: webhook-server + protocol: TCP + additionalVolumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + additionalVolumes: + - name: cert + secret: + defaultMode: 420 + secretName: capcd-controller-manager-webhook-tls + additionalPodAnnotations: + checksum/config: deadbeef + documentSelector: + path: kind + value: Deployment + asserts: + - equal: + path: metadata.name + value: capcd-controller-manager + - equal: + path: spec.selector.matchLabels["cluster.x-k8s.io/provider"] + value: infrastructure-static + - equal: + path: spec.template.spec.hostNetwork + value: true + - equal: + path: spec.template.spec.dnsPolicy + value: ClusterFirstWithHostNet + - equal: + path: spec.template.spec.serviceAccountName + value: capcd-controller-manager + - equal: + path: spec.template.metadata.annotations["checksum/config"] + value: deadbeef + - contains: + path: spec.template.spec.containers[0].args + content: --leader-elect + - contains: + path: spec.template.spec.containers[0].args + content: --diagnostics-address=127.0.0.1:9446 + - contains: + path: spec.template.spec.containers[0].args + content: --insecure-diagnostics + - contains: + path: spec.template.spec.containers[0].args + content: --health-probe-bind-address=:9445 + - contains: + path: spec.template.spec.containers[0].args + content: --zap-encoder=json + - contains: + path: spec.template.spec.containers[0].env + content: + name: CAPVCD_SKIP_RDE + value: "true" + - contains: + path: spec.template.spec.containers[0].env + content: + name: USE_K8S_ENV_AS_CONTROL_PLANE_IP + value: "true" + - contains: + path: spec.template.spec.containers[0].ports + content: + containerPort: 4201 + name: webhook-server + protocol: TCP + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + - contains: + path: spec.template.spec.volumes + content: + name: cert + secret: + 
defaultMode: 420 + secretName: capcd-controller-manager-webhook-tls + - equal: + path: spec.template.spec.containers[0].livenessProbe.httpGet.port + value: 9445 + - equal: + path: spec.template.spec.containers[0].readinessProbe.httpGet.port + value: 9445 + + - it: renders additional initContainers when provided + set: + global: + modules: + placement: {} + enabledModules: [] + discovery: + d8SpecificNodeCountByRole: {} + _testvalues: + fullname: caps-controller-manager + image: controllerImage + capiProviderName: infrastructure-static + additionalInitContainers: + - name: init-test + image: busybox + command: + - sh + - -c + - echo init + documentSelector: + path: kind + value: Deployment + asserts: + - contains: + path: spec.template.spec.initContainers + content: + name: init-test + image: busybox + command: + - sh + - -c + - echo init + + - it: renders additional env entries + set: + global: + modules: + placement: {} + enabledModules: [] + discovery: + d8SpecificNodeCountByRole: {} + _testvalues: + fullname: capd-controller-manager + image: controllerImage + capiProviderName: infrastructure-dynamix + additionalEnv: + - name: DYNAMIX_APP_ID + valueFrom: + secretKeyRef: + name: dynamix-credentials + key: appId + - name: DYNAMIX_CONTROLLER_URL + valueFrom: + secretKeyRef: + name: dynamix-credentials + key: controllerUrl + documentSelector: + path: kind + value: Deployment + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: DYNAMIX_APP_ID + valueFrom: + secretKeyRef: + name: dynamix-credentials + key: appId + - contains: + path: spec.template.spec.containers[0].env + content: + name: DYNAMIX_CONTROLLER_URL + valueFrom: + secretKeyRef: + name: dynamix-credentials + key: controllerUrl + + - it: renders additional ports + set: + global: + modules: + placement: {} + enabledModules: [] + discovery: + d8SpecificNodeCountByRole: {} + _testvalues: + fullname: caps-controller-manager + image: controllerImage + capiProviderName: 
infrastructure-static + additionalPorts: + - containerPort: 9443 + name: webhook-server + protocol: TCP + documentSelector: + path: kind + value: Deployment + asserts: + - contains: + path: spec.template.spec.containers[0].ports + content: + containerPort: 9443 + name: webhook-server + protocol: TCP + + - it: renders additional volume mounts and volumes + set: + global: + modules: + placement: {} + enabledModules: [] + discovery: + d8SpecificNodeCountByRole: {} + _testvalues: + fullname: caps-controller-manager + image: controllerImage + capiProviderName: infrastructure-static + additionalVolumeMounts: + - mountPath: /tmp + name: tmp + additionalVolumes: + - name: tmp + emptyDir: {} + documentSelector: + path: kind + value: Deployment + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /tmp + name: tmp + - contains: + path: spec.template.spec.volumes + content: + name: tmp + emptyDir: {} + + - it: renders custom liveness and readiness probe ports + set: + global: + modules: + placement: {} + enabledModules: [] + discovery: + d8SpecificNodeCountByRole: {} + _testvalues: + fullname: caphc-controller-manager + image: controllerImage + capiProviderName: infrastructure-huaweicloud + livenessProbePort: 8082 + readinessProbePort: 9555 + documentSelector: + path: kind + value: Deployment + asserts: + - equal: + path: spec.template.spec.containers[0].livenessProbe.httpGet.port + value: 8082 + - equal: + path: spec.template.spec.containers[0].readinessProbe.httpGet.port + value: 9555 + + - it: renders custom priorityClassName + set: + global: + modules: + placement: {} + enabledModules: [] + discovery: + d8SpecificNodeCountByRole: {} + _testvalues: + fullname: capz-controller-manager + image: controllerImage + capiProviderName: infrastructure-zvirt + priorityClassName: cluster-low + documentSelector: + path: kind + value: Deployment + asserts: + - equal: + path: spec.template.spec.priorityClassName + value: cluster-low + + - 
it: renders VPA when enabled and vertical-pod-autoscaler-crd module is present + set: + global: + modules: + placement: {} + enabledModules: + - vertical-pod-autoscaler-crd + discovery: + d8SpecificNodeCountByRole: {} + _testvalues: + fullname: capd-controller-manager + image: controllerImage + capiProviderName: infrastructure-dynamix + vpaEnabled: true + documentSelector: + path: kind + value: VerticalPodAutoscaler + asserts: + - hasDocuments: + count: 3 + - containsDocument: + kind: VerticalPodAutoscaler + apiVersion: autoscaling.k8s.io/v1 + name: capd-controller-manager + namespace: d8-test-module + - equal: + path: spec.targetRef.apiVersion + value: apps/v1 + - equal: + path: spec.targetRef.kind + value: Deployment + - equal: + path: spec.targetRef.name + value: capd-controller-manager + - equal: + path: spec.updatePolicy.updateMode + value: InPlaceOrRecreate + - equal: + path: spec.resourcePolicy.containerPolicies[0].containerName + value: capd-controller-manager + - equal: + path: spec.resourcePolicy.containerPolicies[0].minAllowed.cpu + value: 25m + - equal: + path: spec.resourcePolicy.containerPolicies[0].minAllowed.memory + value: 50Mi + - equal: + path: spec.resourcePolicy.containerPolicies[0].maxAllowed.cpu + value: 50m + - equal: + path: spec.resourcePolicy.containerPolicies[0].maxAllowed.memory + value: 50Mi + + - it: renders custom VPA update mode and maxAllowed + set: + global: + modules: + placement: {} + enabledModules: + - vertical-pod-autoscaler-crd + discovery: + d8SpecificNodeCountByRole: {} + _testvalues: + fullname: capdvp-controller-manager + image: controllerImage + capiProviderName: infrastructure-dvp + vpaEnabled: true + vpaUpdateMode: Initial + vpaMaxAllowed: + cpu: 200m + memory: 256Mi + documentSelector: + path: kind + value: VerticalPodAutoscaler + asserts: + - equal: + path: spec.updatePolicy.updateMode + value: Initial + - equal: + path: spec.resourcePolicy.containerPolicies[0].maxAllowed.cpu + value: 200m + - equal: + path: 
spec.resourcePolicy.containerPolicies[0].maxAllowed.memory + value: 256Mi + + - it: does not render cpu and memory requests when VPA is enabled + set: + global: + modules: + placement: {} + enabledModules: + - vertical-pod-autoscaler-crd + discovery: + d8SpecificNodeCountByRole: {} + _testvalues: + fullname: capdvp-controller-manager + image: controllerImage + capiProviderName: infrastructure-dvp + vpaEnabled: true + documentSelector: + path: kind + value: Deployment + asserts: + - notExists: + path: spec.template.spec.containers[0].resources.requests.cpu + - notExists: + path: spec.template.spec.containers[0].resources.requests.memory \ No newline at end of file diff --git a/tests/tests/helm_lib_cloud_controller_manager_test.yaml b/tests/tests/helm_lib_cloud_controller_manager_test.yaml new file mode 100644 index 0000000..7773894 --- /dev/null +++ b/tests/tests/helm_lib_cloud_controller_manager_test.yaml 
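Review bot: The default-rendering case checks the pod-level `securityContext` (and `tolerations`) only with `exists`, so none of the cases in this suite would catch a regression in what that context contains or in any container-level hardening the template may emit. If `helm_lib_capi_controller_manager_manifests` sets fields such as `runAsNonRoot` or `readOnlyRootFilesystem` (not visible here), pin them with `equal` assertions the way the probes and resources are pinned; the same gap applies to `helm_lib_cloud_controller_manager_test.yaml`, whose default case asserts `hostNetwork: true` but nothing about `securityContext` at all. Separately, the identical `global:` stanza is repeated in every case's `set:`; if the project's helm-unittest version supports a suite-level `set`, hoisting it there would leave each case with only its `_testvalues`.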
@@ -0,0 +1,591 @@ +suite: helm_lib_cloud_controller_manager_manifests definition +templates: + - helm_lib_cloud_controller_manager_value.yaml + +tests: + - it: renders basic cloud-controller-manager deployment with defaults + set: + global: + modules: + placement: {} + enabledModules: [] + clusterIsBootstrapped: true + discovery: + d8SpecificNodeCountByRole: {} + _testvalues: + image: controllerImage + documentSelector: + path: kind + value: Deployment + asserts: + - hasDocuments: + count: 2 + - containsDocument: + kind: Deployment + apiVersion: apps/v1 + name: cloud-controller-manager + namespace: d8-test-module + - equal: + path: metadata.name + value: cloud-controller-manager + - equal: + path: spec.revisionHistoryLimit + value: 2 + - equal: + path: spec.selector.matchLabels.app + value: cloud-controller-manager + - equal: + path: spec.template.metadata.labels.app + value: cloud-controller-manager + - equal: + path: spec.template.spec.priorityClassName + value: system-cluster-critical + - equal: + path: spec.template.spec.automountServiceAccountToken + value: true + - equal: + path: spec.template.spec.hostNetwork + value: true + - equal: + path: spec.template.spec.dnsPolicy + value: Default + - equal: + path: spec.template.spec.serviceAccountName + value: cloud-controller-manager + - equal: + path: spec.template.spec.imagePullSecrets[0].name + value: deckhouse-registry + - equal: + path: spec.template.spec.containers[0].name + value: cloud-controller-manager + - equal: + path: spec.template.spec.containers[0].image + value: controllerImage + - equal: + path: spec.template.spec.containers[0].args[0] + value: --leader-elect=true + - equal: + path: spec.template.spec.containers[0].args[1] + value: --bind-address=127.0.0.1 + - equal: + path: spec.template.spec.containers[0].args[2] + value: --secure-port=10471 + - equal: + path: spec.template.spec.containers[0].env[0].name + value: HOST_IP + - equal: + path: 
spec.template.spec.containers[0].livenessProbe.httpGet.path + value: /healthz + - equal: + path: spec.template.spec.containers[0].livenessProbe.httpGet.port + value: 10471 + - equal: + path: spec.template.spec.containers[0].livenessProbe.httpGet.host + value: 127.0.0.1 + - equal: + path: spec.template.spec.containers[0].livenessProbe.httpGet.scheme + value: HTTPS + - equal: + path: spec.template.spec.containers[0].readinessProbe.httpGet.path + value: /healthz + - equal: + path: spec.template.spec.containers[0].readinessProbe.httpGet.port + value: 10471 + - equal: + path: spec.template.spec.containers[0].readinessProbe.httpGet.host + value: 127.0.0.1 + - equal: + path: spec.template.spec.containers[0].readinessProbe.httpGet.scheme + value: HTTPS + - equal: + path: spec.template.spec.containers[0].resources.requests.cpu + value: 25m + - equal: + path: spec.template.spec.containers[0].resources.requests.memory + value: 50Mi + + - it: renders basic cloud-controller-manager PodDisruptionBudget + set: + global: + modules: + placement: {} + enabledModules: [] + clusterIsBootstrapped: true + discovery: + d8SpecificNodeCountByRole: {} + _testvalues: + image: controllerImage + documentSelector: + path: kind + value: PodDisruptionBudget + asserts: + - hasDocuments: + count: 2 + - containsDocument: + kind: PodDisruptionBudget + apiVersion: policy/v1 + name: cloud-controller-manager + namespace: d8-test-module + - equal: + path: metadata.name + value: cloud-controller-manager + - equal: + path: spec.maxUnavailable + value: 1 + - equal: + path: spec.selector.matchLabels.app + value: cloud-controller-manager + + - it: does not render PodDisruptionBudget when disabled + set: + global: + modules: + placement: {} + enabledModules: [] + clusterIsBootstrapped: true + discovery: + d8SpecificNodeCountByRole: {} + _testvalues: + image: controllerImage + pdbEnabled: false + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: Deployment + apiVersion: apps/v1 + name: 
cloud-controller-manager + namespace: d8-test-module + + - it: renders custom PDB maxUnavailable and annotations + set: + global: + modules: + placement: {} + enabledModules: [] + clusterIsBootstrapped: true + discovery: + d8SpecificNodeCountByRole: {} + _testvalues: + image: controllerImage + pdbMaxUnavailable: 2 + additionalPDBAnnotations: + checksum/config: deadbeef + test.annotation: ok + documentSelector: + path: kind + value: PodDisruptionBudget + asserts: + - equal: + path: spec.maxUnavailable + value: 2 + - equal: + path: metadata.annotations["checksum/config"] + value: deadbeef + - equal: + path: metadata.annotations["test.annotation"] + value: ok + + - it: renders bootstrap API envs when cluster is not bootstrapped + set: + global: + modules: + placement: {} + enabledModules: [] + clusterIsBootstrapped: false + discovery: + d8SpecificNodeCountByRole: {} + _testvalues: + image: controllerImage + documentSelector: + path: kind + value: Deployment + asserts: + - equal: + path: spec.template.spec.containers[0].env[0].name + value: KUBERNETES_SERVICE_HOST + - equal: + path: spec.template.spec.containers[0].env[1].name + value: KUBERNETES_SERVICE_PORT + - equal: + path: spec.template.spec.containers[0].env[1].value + value: "6443" + - equal: + path: spec.template.spec.containers[0].env[2].name + value: HOST_IP + + - it: renders custom fullname service account and resources + set: + global: + modules: + placement: {} + enabledModules: [] + clusterIsBootstrapped: true + discovery: + d8SpecificNodeCountByRole: {} + _testvalues: + fullname: ccm-custom + image: controllerImage + serviceAccountName: custom-sa + resources: + cpu: 100m + memory: 128Mi + documentSelector: + path: kind + value: Deployment + asserts: + - equal: + path: metadata.name + value: ccm-custom + - equal: + path: spec.selector.matchLabels.app + value: ccm-custom + - equal: + path: spec.template.metadata.labels.app + value: ccm-custom + - equal: + path: spec.template.spec.serviceAccountName + 
value: custom-sa + - equal: + path: spec.template.spec.containers[0].name + value: ccm-custom + - equal: + path: spec.template.spec.containers[0].resources.requests.cpu + value: 100m + - equal: + path: spec.template.spec.containers[0].resources.requests.memory + value: 128Mi + + - it: renders custom deployment options and pod annotations + set: + global: + modules: + placement: {} + enabledModules: [] + clusterIsBootstrapped: true + discovery: + d8SpecificNodeCountByRole: {} + _testvalues: + image: controllerImage + priorityClassName: cluster-low + nodeSelectorStrategy: master + tolerationsStrategies: + - wildcard + hostNetwork: false + dnsPolicy: ClusterFirst + automountServiceAccountToken: false + revisionHistoryLimit: 5 + additionalArgs: + - --cloud-provider=test + - --v=4 + additionalEnvs: + - name: TEST_ENV + value: "true" + - name: TEST_ENV_FROM + valueFrom: + secretKeyRef: + name: test-secret + key: token + additionalPodAnnotations: + checksum/config: deadbeef + custom.annotation/test: ok + documentSelector: + path: kind + value: Deployment + asserts: + - equal: + path: spec.revisionHistoryLimit + value: 5 + - equal: + path: spec.template.spec.priorityClassName + value: cluster-low + - equal: + path: spec.template.spec.hostNetwork + value: false + - equal: + path: spec.template.spec.dnsPolicy + value: ClusterFirst + - equal: + path: spec.template.spec.automountServiceAccountToken + value: false + - contains: + path: spec.template.spec.containers[0].args + content: --cloud-provider=test + - contains: + path: spec.template.spec.containers[0].args + content: --v=4 + - contains: + path: spec.template.spec.containers[0].env + content: + name: TEST_ENV + value: "true" + - contains: + path: spec.template.spec.containers[0].env + content: + name: TEST_ENV_FROM + valueFrom: + secretKeyRef: + name: test-secret + key: token + - equal: + path: spec.template.metadata.annotations["checksum/config"] + value: deadbeef + - equal: + path: 
spec.template.metadata.annotations["custom.annotation/test"] + value: ok + + - it: renders additional volume mounts and volumes + set: + global: + modules: + placement: {} + enabledModules: [] + clusterIsBootstrapped: true + discovery: + d8SpecificNodeCountByRole: {} + _testvalues: + image: controllerImage + additionalVolumeMounts: + - mountPath: /etc/config + name: config + readOnly: true + additionalVolumes: + - name: config + secret: + secretName: cloud-controller-manager + documentSelector: + path: kind + value: Deployment + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /etc/config + name: config + readOnly: true + - contains: + path: spec.template.spec.volumes + content: + name: config + secret: + secretName: cloud-controller-manager + + - it: renders VPA when enabled and vertical-pod-autoscaler-crd module is present + set: + global: + modules: + placement: {} + enabledModules: + - vertical-pod-autoscaler-crd + clusterIsBootstrapped: true + discovery: + d8SpecificNodeCountByRole: {} + _testvalues: + image: controllerImage + vpaEnabled: true + documentSelector: + path: kind + value: VerticalPodAutoscaler + asserts: + - hasDocuments: + count: 3 + - containsDocument: + kind: VerticalPodAutoscaler + apiVersion: autoscaling.k8s.io/v1 + name: cloud-controller-manager + namespace: d8-test-module + - equal: + path: spec.targetRef.apiVersion + value: apps/v1 + - equal: + path: spec.targetRef.kind + value: Deployment + - equal: + path: spec.targetRef.name + value: cloud-controller-manager + - equal: + path: spec.updatePolicy.updateMode + value: InPlaceOrRecreate + - equal: + path: spec.resourcePolicy.containerPolicies[0].containerName + value: cloud-controller-manager + - equal: + path: spec.resourcePolicy.containerPolicies[0].minAllowed.cpu + value: 25m + - equal: + path: spec.resourcePolicy.containerPolicies[0].minAllowed.memory + value: 50Mi + - equal: + path: 
spec.resourcePolicy.containerPolicies[0].maxAllowed.cpu + value: 50m + - equal: + path: spec.resourcePolicy.containerPolicies[0].maxAllowed.memory + value: 50Mi + + - it: renders custom VPA update mode and maxAllowed + set: + global: + modules: + placement: {} + enabledModules: + - vertical-pod-autoscaler-crd + clusterIsBootstrapped: true + discovery: + d8SpecificNodeCountByRole: {} + _testvalues: + image: controllerImage + vpaEnabled: true + vpaUpdateMode: Initial + vpaMaxAllowed: + cpu: 200m + memory: 256Mi + documentSelector: + path: kind + value: VerticalPodAutoscaler + asserts: + - equal: + path: spec.updatePolicy.updateMode + value: Initial + - equal: + path: spec.resourcePolicy.containerPolicies[0].maxAllowed.cpu + value: 200m + - equal: + path: spec.resourcePolicy.containerPolicies[0].maxAllowed.memory + value: 256Mi + + - it: does not render cpu and memory requests when VPA is enabled + set: + global: + modules: + placement: {} + enabledModules: + - vertical-pod-autoscaler-crd + clusterIsBootstrapped: true + discovery: + d8SpecificNodeCountByRole: {} + _testvalues: + image: controllerImage + vpaEnabled: true + documentSelector: + path: kind + value: Deployment + asserts: + - notExists: + path: spec.template.spec.containers[0].resources.requests.cpu + - notExists: + path: spec.template.spec.containers[0].resources.requests.memory + + - it: does not render VPA when disabled even if module is enabled + set: + global: + modules: + placement: {} + enabledModules: + - vertical-pod-autoscaler-crd + clusterIsBootstrapped: true + discovery: + d8SpecificNodeCountByRole: {} + _testvalues: + image: controllerImage + vpaEnabled: false + asserts: + - hasDocuments: + count: 2 + + - it: renders security policy exception and pod metadata marker when enabled + set: + global: + modules: + placement: {} + enabledModules: + - admission-policy-engine-crd + clusterIsBootstrapped: true + discovery: + d8SpecificNodeCountByRole: {} + _testvalues: + image: controllerImage + 
securityPolicyExceptionEnabled: true + additionalVolumeMounts: + - mountPath: /etc/kubernetes/pki + name: k8s-certs + readOnly: true + additionalVolumes: + - name: k8s-certs + hostPath: + path: /etc/kubernetes/pki + type: DirectoryOrCreate + documentSelector: + path: kind + value: Deployment + asserts: + - hasDocuments: + count: 3 + - equal: + path: spec.template.metadata.labels["security.deckhouse.io/security-policy-exception"] + value: cloud-controller-manager + + - it: renders SecurityPolicyException with hostNetwork and hostPath details + set: + global: + modules: + placement: {} + enabledModules: + - admission-policy-engine-crd + clusterIsBootstrapped: true + discovery: + d8SpecificNodeCountByRole: {} + _testvalues: + image: controllerImage + securityPolicyExceptionEnabled: true + hostNetwork: true + additionalVolumeMounts: + - mountPath: /etc/kubernetes/pki + name: k8s-certs + readOnly: true + additionalVolumes: + - name: k8s-certs + hostPath: + path: /etc/kubernetes/pki + type: DirectoryOrCreate + documentSelector: + path: kind + value: SecurityPolicyException + asserts: + - containsDocument: + kind: SecurityPolicyException + apiVersion: deckhouse.io/v1alpha1 + name: cloud-controller-manager + namespace: d8-test-module + - equal: + path: spec.network.hostNetwork.allowedValue + value: true + - equal: + path: spec.volumes.types.allowedValues[0] + value: hostPath + - equal: + path: spec.volumes.hostPath.allowedValues[0].path + value: /etc/kubernetes/pki + - equal: + path: spec.volumes.hostPath.allowedValues[0].readOnly + value: true + + - it: does not render SecurityPolicyException when admission policy module is disabled + set: + global: + modules: + placement: {} + enabledModules: [] + clusterIsBootstrapped: true + discovery: + d8SpecificNodeCountByRole: {} + _testvalues: + image: controllerImage + securityPolicyExceptionEnabled: true + additionalVolumes: + - name: k8s-certs + hostPath: + path: /etc/kubernetes/pki + type: DirectoryOrCreate + asserts: + - 
hasDocuments: + count: 2 \ No newline at end of file diff --git a/tests/tests/helm_lib_cloud_data_discoverer_monitoring_test.yaml b/tests/tests/helm_lib_cloud_data_discoverer_monitoring_test.yaml new file mode 100644 index 0000000..0bc0283 --- /dev/null +++ b/tests/tests/helm_lib_cloud_data_discoverer_monitoring_test.yaml 
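Review bot: Both `securityPolicyExceptionEnabled` cases supply a mount with `readOnly: true`, so the permissive branch of the exception — a hostPath volume whose mount omits `readOnly`, or that has no matching mount at all — is never rendered by the suite, and a regression that emitted `readOnly: true` for a read-write mount (blocking the pod) or dropped the field would go unnoticed. Add a case that declares the `k8s-certs` volume with a mount lacking `readOnly` and asserts the exact value rendered at `spec.volumes.hostPath.allowedValues[0].readOnly`, and one with no matching mount. The "does not render SecurityPolicyException when admission policy module is disabled" case only counts documents; if the template is meant to drop the marker label together with the exception, also assert `notExists: path: spec.template.metadata.labels["security.deckhouse.io/security-policy-exception"]` against the Deployment, otherwise the pod would carry a label pointing at an object that is not rendered.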
@@ -0,0 +1,166 @@
+suite: helm_lib_cloud_data_discoverer_pod_monitor definition
+templates:
+ - helm_lib_cloud_data_discoverer_monitoring.yaml
+
+tests:
+ - it: renders basic PodMonitor when operator-prometheus-crd module is enabled
+ set:
+ global:
+ discovery:
+ prometheusScrapeInterval: 30
+ enabledModules:
+ - operator-prometheus-crd
+ _testvalues:
+ targetNamespace: d8-test-module
+ asserts:
+ - hasDocuments:
+ count: 1
+ - containsDocument:
+ kind: PodMonitor
+ apiVersion: monitoring.coreos.com/v1
+ name: cloud-data-discoverer-metrics
+ namespace: d8-monitoring
+
+ - it: renders PodMonitor default fields
+ set:
+ global:
+ discovery:
+ prometheusScrapeInterval: 30
+ enabledModules:
+ - operator-prometheus-crd
+ _testvalues:
+ targetNamespace: d8-test-module
+ documentSelector:
+ path: kind
+ value: PodMonitor
+ asserts:
+ - equal:
+ path: metadata.name
+ value: cloud-data-discoverer-metrics
+ - equal:
+ path: metadata.namespace
+ value: d8-monitoring
+ - equal:
+ path: spec.jobLabel
+ value: app
+ - equal:
+ path: spec.selector.matchLabels.app
+ value: cloud-data-discoverer
+ - equal:
+ path: spec.namespaceSelector.matchNames[0]
+ value: d8-test-module
+ - equal:
+ path: spec.podMetricsEndpoints[0].port
+ value: https-metrics
+ - equal:
+ path: spec.podMetricsEndpoints[0].path
+ value: /metrics
+ - equal:
+ path: spec.podMetricsEndpoints[0].scheme
+ value: https
+ - equal:
+ path: spec.podMetricsEndpoints[0].bearerTokenSecret.name
+ value: prometheus-token
+ - equal:
+ path: spec.podMetricsEndpoints[0].bearerTokenSecret.key
+ value: token
+ - equal:
+ path: spec.podMetricsEndpoints[0].tlsConfig.insecureSkipVerify
+ value: true
+ - equal:
+ path: spec.podMetricsEndpoints[0].honorLabels
+ value: true
+ - equal:
+ path: spec.podMetricsEndpoints[0].relabelings[0].regex
+ value: endpoint|pod|container
+ - equal:
+ path: spec.podMetricsEndpoints[0].relabelings[0].action
+ value: labeldrop
+ - equal:
+ path: spec.podMetricsEndpoints[0].relabelings[1].targetLabel
+ value: job
+ - equal:
+ path: spec.podMetricsEndpoints[0].relabelings[1].replacement
+ value: cloud-data-discoverer
+ - equal:
+ path: spec.podMetricsEndpoints[0].relabelings[2].targetLabel
+ value: node
+ - equal:
+ path: spec.podMetricsEndpoints[0].relabelings[3].targetLabel
+ value: tier
+ - equal:
+ path: spec.podMetricsEndpoints[0].relabelings[3].replacement
+ value: cluster
+ - equal:
+ path: spec.podMetricsEndpoints[0].relabelings[4].regex
+ value: "true"
+
+ - it: renders custom fullname in PodMonitor
+ set:
+ global:
+ discovery:
+ prometheusScrapeInterval: 30
+ enabledModules:
+ - operator-prometheus-crd
+ _testvalues:
+ fullname: cdd-custom
+ targetNamespace: d8-cloud-provider-openstack
+ documentSelector:
+ path: kind
+ value: PodMonitor
+ asserts:
+ - equal:
+ path: metadata.name
+ value: cdd-custom-metrics
+ - equal:
+ path: spec.selector.matchLabels.app
+ value: cdd-custom
+ - equal:
+ path: spec.podMetricsEndpoints[0].relabelings[1].replacement
+ value: cdd-custom
+ - equal:
+ path: spec.namespaceSelector.matchNames[0]
+ value: d8-cloud-provider-openstack
+
+ - it: renders additional relabelings
+ set:
+ global:
+ discovery:
+ prometheusScrapeInterval: 30
+ enabledModules:
+ - operator-prometheus-crd
+ _testvalues:
+ targetNamespace: d8-test-module
+ additionalRelabelings:
+ - targetLabel: custom
+ replacement: value
+ - sourceLabels:
+ - __meta_kubernetes_namespace
+ targetLabel: namespace
+ documentSelector:
+ path: kind
+ value: PodMonitor
+ asserts:
+ - contains:
+ path: spec.podMetricsEndpoints[0].relabelings
+ content:
+ targetLabel: custom
+ replacement: value
+ - contains:
+ path: spec.podMetricsEndpoints[0].relabelings
+ content:
+ sourceLabels:
+ - __meta_kubernetes_namespace
+ targetLabel: namespace
+
+ - it: does not render PodMonitor when operator-prometheus-crd module is disabled
+ set:
+ global:
+ discovery:
+ prometheusScrapeInterval: 30
+ enabledModules: []
+ _testvalues:
+ targetNamespace: d8-test-module
+ asserts:
+ - hasDocuments:
+ count: 0
\ No newline at end of file
diff --git a/tests/tests/helm_lib_cloud_data_discoverer_test.yaml b/tests/tests/helm_lib_cloud_data_discoverer_test.yaml
new file mode 100644
index 0000000..a95103f
--- /dev/null
+++ b/tests/tests/helm_lib_cloud_data_discoverer_test.yaml
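Review bot: The `renders additional relabelings` case checks only with `contains`, so it would still pass if `additionalRelabelings` replaced the default relabelings rather than being appended after them; pin a default in the same case, e.g. `- equal:` / `path: spec.podMetricsEndpoints[0].relabelings[0].action` / `value: labeldrop`, or assert the list length. Every case sets `global.discovery.prometheusScrapeInterval: 30`, but no assert reads an interval back from the PodMonitor, so if the template maps it to `spec.podMetricsEndpoints[0].interval` (not visible here) that mapping is untested. The default-fields case pins `tlsConfig.insecureSkipVerify: true` alongside the bearer token secret as expected output; a one-line comment on that assert explaining why verification is skipped (presumably the kube-rbac-proxy serving certificate is not CA-signed) would keep a later reader from treating it as a test bug.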
@@ -0,0 +1,643 @@
+suite: helm_lib_cloud_data_discoverer_manifests definition
+templates:
+ - helm_lib_cloud_data_discoverer_value.yaml
+
+tests:
+ - it: renders basic cloud-data-discoverer deployment with defaults
+ set:
+ global:
+ modules:
+ placement: {}
+ enabledModules: []
+ clusterIsBootstrapped: true
+ discovery:
+ d8SpecificNodeCountByRole: {}
+ modulesImages:
+ registry:
+ base: deckhouse.io/deckhouse/ce
+ digests:
+ common:
+ kubeRbacProxy: kubeRbacProxyDigest
+ _testvalues:
+ image: controllerImage
+ documentSelector:
+ path: kind
+ value: Deployment
+ asserts:
+ - hasDocuments:
+ count: 2
+ - containsDocument:
+ kind: Deployment
+ apiVersion: apps/v1
+ name: cloud-data-discoverer
+ namespace: d8-test-module
+ - equal:
+ path: metadata.name
+ value: cloud-data-discoverer
+ - equal:
+ path: spec.replicas
+ value: 1
+ - equal:
+ path: spec.revisionHistoryLimit
+ value: 2
+ - equal:
+ path: spec.strategy.type
+ value: Recreate
+ - equal:
+ path: spec.selector.matchLabels.app
+ value: cloud-data-discoverer
+ - equal:
+ path: spec.template.metadata.labels.app
+ value: cloud-data-discoverer
+ - equal:
+ path: spec.template.metadata.annotations["kubectl.kubernetes.io/default-exec-container"]
+ value: cloud-data-discoverer
+ - equal:
+ path: spec.template.metadata.annotations["kubectl.kubernetes.io/default-logs-container"]
+ value: cloud-data-discoverer
+ - equal:
+ path: spec.template.spec.imagePullSecrets[0].name
+ value: deckhouse-registry
+ - equal:
+ path: spec.template.spec.priorityClassName
+ value: cluster-low
+ - equal:
+ path: spec.template.spec.dnsPolicy
+ value: ClusterFirstWithHostNet
+ - equal:
+ path: spec.template.spec.automountServiceAccountToken
+ value: true
+ - equal:
+ path: spec.template.spec.serviceAccountName
+ value: cloud-data-discoverer
+ - notExists:
+ path: spec.template.spec.initContainers
+ - equal:
+ path: spec.template.spec.containers[0].name
+ value: cloud-data-discoverer
+ - equal:
+ path: spec.template.spec.containers[0].image
+ value: controllerImage
+ - equal:
+ path: spec.template.spec.containers[0].args[0]
+ value: --discovery-period=1h
+ - equal:
+ path: spec.template.spec.containers[0].args[1]
+ value: --listen-address=127.0.0.1:8081
+ - equal:
+ path: spec.template.spec.containers[0].livenessProbe.httpGet.path
+ value: /healthz
+ - equal:
+ path: spec.template.spec.containers[0].livenessProbe.httpGet.port
+ value: 8080
+ - equal:
+ path: spec.template.spec.containers[0].livenessProbe.httpGet.scheme
+ value: HTTPS
+ - equal:
+ path: spec.template.spec.containers[0].readinessProbe.httpGet.path
+ value: /healthz
+ - equal:
+ path: spec.template.spec.containers[0].readinessProbe.httpGet.port
+ value: 8080
+ - equal:
+ path: spec.template.spec.containers[0].readinessProbe.httpGet.scheme
+ value: HTTPS
+ - equal:
+ path: spec.template.spec.containers[0].resources.requests.cpu
+ value: 25m
+ - equal:
+ path: spec.template.spec.containers[0].resources.requests.memory
+ value: 50Mi
+ - equal:
+ path: spec.template.spec.containers[1].name
+ value: kube-rbac-proxy
+ - equal:
+ path: spec.template.spec.containers[1].image
+ value: deckhouse.io/deckhouse/ce@kubeRbacProxyDigest
+ - equal:
+ path: spec.template.spec.containers[1].ports[0].name
+ value: https-metrics
+ - equal:
+ path: spec.template.spec.containers[1].ports[0].containerPort
+ value: 8080
+ - equal:
+ path: spec.template.spec.containers[1].env[0].name
+ value: KUBE_RBAC_PROXY_LISTEN_ADDRESS
+ - equal:
+ path: spec.template.spec.containers[1].livenessProbe.httpGet.path
+ value: /livez
+ - equal:
+ path: spec.template.spec.containers[1].readinessProbe.httpGet.path
+ value: /livez
+ - notExists:
+ path: spec.template.spec.volumes
+
+ - it: renders basic cloud-data-discoverer PodDisruptionBudget
+ set:
+ global:
+ modules:
+ placement: {}
+ enabledModules: []
+ clusterIsBootstrapped: true
+ discovery:
+ d8SpecificNodeCountByRole: {}
+ modulesImages:
+ registry:
+ base: deckhouse.io/deckhouse/ce
+ digests:
+ common:
+ kubeRbacProxy: kubeRbacProxyDigest
+ _testvalues:
+ image: controllerImage
+ documentSelector:
+ path: kind
+ value: PodDisruptionBudget
+ asserts:
+ - hasDocuments:
+ count: 2
+ - containsDocument:
+ kind: PodDisruptionBudget
+ apiVersion: policy/v1
+ name: cloud-data-discoverer
+ namespace: d8-test-module
+ - equal:
+ path: metadata.name
+ value: cloud-data-discoverer
+ - equal:
+ path: spec.maxUnavailable
+ value: 1
+ - equal:
+ path: spec.selector.matchLabels.app
+ value: cloud-data-discoverer
+
+ - it: does not render PodDisruptionBudget when disabled
+ set:
+ global:
+ modules:
+ placement: {}
+ enabledModules: []
+ clusterIsBootstrapped: true
+ discovery:
+ d8SpecificNodeCountByRole: {}
+ modulesImages:
+ registry:
+ base: deckhouse.io/deckhouse/ce
+ digests:
+ common:
+ kubeRbacProxy: kubeRbacProxyDigest
+ _testvalues:
+ image: controllerImage
+ pdbEnabled: false
+ asserts:
+ - hasDocuments:
+ count: 1
+ - containsDocument:
+ kind: Deployment
+ apiVersion: apps/v1
+ name: cloud-data-discoverer
+ namespace: d8-test-module
+
+ - it: renders custom PDB maxUnavailable
+ set:
+ global:
+ modules:
+ placement: {}
+ enabledModules: []
+ clusterIsBootstrapped: true
+ discovery:
+ d8SpecificNodeCountByRole: {}
+ modulesImages:
+ registry:
+ base: deckhouse.io/deckhouse/ce
+ digests:
+ common:
+ kubeRbacProxy: kubeRbacProxyDigest
+ _testvalues:
+ image: controllerImage
+ pdbMaxUnavailable: 2
+ documentSelector:
+ path: kind
+ value: PodDisruptionBudget
+ asserts:
+ - equal:
+ path: spec.maxUnavailable
+ value: 2
+
+ - it: renders VPA when enabled and vertical-pod-autoscaler-crd module is present
+ set:
+ global:
+ modules:
+ placement: {}
+ enabledModules:
+ - vertical-pod-autoscaler-crd
+ clusterIsBootstrapped: true
+ discovery:
+ d8SpecificNodeCountByRole: {}
+ modulesImages:
+ registry:
+ base: deckhouse.io/deckhouse/ce
+ digests:
+ common:
+ kubeRbacProxy: kubeRbacProxyDigest
+ _testvalues:
+ image: controllerImage
+ vpaEnabled: true
+ documentSelector:
+ path: kind
+ value: VerticalPodAutoscaler
+ asserts:
+ - hasDocuments:
+ count: 3
+ - containsDocument:
+ kind: VerticalPodAutoscaler
+ apiVersion: autoscaling.k8s.io/v1
+ name: cloud-data-discoverer
+ namespace: d8-test-module
+ - equal:
+ path: spec.targetRef.apiVersion
+ value: apps/v1
+ - equal:
+ path: spec.targetRef.kind
+ value: Deployment
+ - equal:
+ path: spec.targetRef.name
+ value: cloud-data-discoverer
+ - equal:
+ path: spec.updatePolicy.updateMode
+ value: Initial
+ - equal:
+ path: spec.resourcePolicy.containerPolicies[0].containerName
+ value: cloud-data-discoverer
+ - equal:
+ path: spec.resourcePolicy.containerPolicies[0].minAllowed.cpu
+ value: 25m
+ - equal:
+ path: spec.resourcePolicy.containerPolicies[0].minAllowed.memory
+ value: 50Mi
+ - equal:
+ path: spec.resourcePolicy.containerPolicies[0].maxAllowed.cpu
+ value: 50m
+ - equal:
+ path: spec.resourcePolicy.containerPolicies[0].maxAllowed.memory
+ value: 50Mi
+
+ - it: renders custom VPA update mode and maxAllowed
+ set:
+ global:
+ modules:
+ placement: {}
+ enabledModules:
+ - vertical-pod-autoscaler-crd
+ clusterIsBootstrapped: true
+ discovery:
+ d8SpecificNodeCountByRole: {}
+ modulesImages:
+ registry:
+ base: deckhouse.io/deckhouse/ce
+ digests:
+ common:
+ kubeRbacProxy: kubeRbacProxyDigest
+ _testvalues:
+ image: controllerImage
+ vpaEnabled: true
+ vpaUpdateMode: InPlaceOrRecreate
+ vpaMaxAllowed:
+ cpu: 200m
+ memory: 256Mi
+ documentSelector:
+ path: kind
+ value: VerticalPodAutoscaler
+ asserts:
+ - equal:
+ path: spec.updatePolicy.updateMode
+ value: InPlaceOrRecreate
+ - equal:
+ path: spec.resourcePolicy.containerPolicies[0].maxAllowed.cpu
+ value: 200m
+ - equal:
+ path: spec.resourcePolicy.containerPolicies[0].maxAllowed.memory
+ value: 256Mi
+
+ - it: does not render main container cpu and memory requests when VPA is enabled
+ set:
+ global:
+ modules:
+ placement: {}
+ enabledModules:
+ - vertical-pod-autoscaler-crd
+ clusterIsBootstrapped: true
+ discovery:
+ d8SpecificNodeCountByRole: {}
+ modulesImages:
+ registry:
+ base: deckhouse.io/deckhouse/ce
+ digests:
+ common:
+ kubeRbacProxy: kubeRbacProxyDigest
+ _testvalues:
+ image: controllerImage
+ vpaEnabled: true
+ documentSelector:
+ path: kind
+ value: Deployment
+ asserts:
+ - notExists:
+ path: spec.template.spec.containers[0].resources.requests.cpu
+ - notExists:
+ path: spec.template.spec.containers[0].resources.requests.memory
+
+ - it: renders custom fullname replicas revision history and service account
+ set:
+ global:
+ modules:
+ placement: {}
+ enabledModules: []
+ clusterIsBootstrapped: true
+ discovery:
+ d8SpecificNodeCountByRole: {}
+ modulesImages:
+ registry:
+ base: deckhouse.io/deckhouse/ce
+ digests:
+ common:
+ kubeRbacProxy: kubeRbacProxyDigest
+ _testvalues:
+ fullname: cdd-custom
+ image: controllerImage
+ replicas: 3
+ revisionHistoryLimit: 5
+ serviceAccountName: custom-sa
+ documentSelector:
+ path: kind
+ value: Deployment
+ asserts:
+ - equal:
+ path: metadata.name
+ value: cdd-custom
+ - equal:
+ path: spec.replicas
+ value: 3
+ - equal:
+ path: spec.revisionHistoryLimit
+ value: 5
+ - equal:
+ path: spec.selector.matchLabels.app
+ value: cdd-custom
+ - equal:
+ path: spec.template.spec.serviceAccountName
+ value: custom-sa
+ - equal:
+ path: spec.template.metadata.annotations["kubectl.kubernetes.io/default-exec-container"]
+ value: cdd-custom
+ - equal:
+ path: spec.template.metadata.annotations["kubectl.kubernetes.io/default-logs-container"]
+ value: cdd-custom
+ - equal:
+ path: spec.template.spec.containers[0].name
+ value: cdd-custom
+ - equal:
+ path: spec.template.spec.containers[1].env[1].value
+ value: |
+ excludePaths:
+ - /healthz
+ upstreams:
+ - upstream: http://127.0.0.1:8081/
+ path: /
+ authorization:
+ resourceAttributes:
+ namespace: d8-test-module
+ apiGroup: apps
+ apiVersion: v1
+ resource: deployments
+ subresource: prometheus-metrics
+ name: cdd-custom
+
+ - it: renders custom service account automount priority class and resources
+ set:
+ global:
+ modules:
+ placement: {}
+ enabledModules: []
+ clusterIsBootstrapped: true
+ discovery:
+ d8SpecificNodeCountByRole: {}
+ modulesImages:
+ registry:
+ base: deckhouse.io/deckhouse/ce
+ digests:
+ common:
+ kubeRbacProxy: kubeRbacProxyDigest
+ _testvalues:
+ image: controllerImage
+ automountServiceAccountToken: false
+ priorityClassName: system-cluster-critical
+ resources:
+ cpu: 100m
+ memory: 128Mi
+ documentSelector:
+ path: kind
+ value: Deployment
+ asserts:
+ - equal:
+ path: spec.template.spec.automountServiceAccountToken
+ value: false
+ - equal:
+ path: spec.template.spec.priorityClassName
+ value: system-cluster-critical
+ - equal:
+ path: spec.template.spec.containers[0].resources.requests.cpu
+ value: 100m
+ - equal:
+ path: spec.template.spec.containers[0].resources.requests.memory
+ value: 128Mi
+
+ - it: renders additional args and env
+ set:
+ global:
+ modules:
+ placement: {}
+ enabledModules: []
+ clusterIsBootstrapped: true
+ discovery:
+ d8SpecificNodeCountByRole: {}
+ modulesImages:
+ registry:
+ base: deckhouse.io/deckhouse/ce
+ digests:
+ common:
+ kubeRbacProxy: kubeRbacProxyDigest
+ _testvalues:
+ image: controllerImage
+ additionalArgs:
+ - --credentials-file=/etc/config/credentials.json
+ - --project=test-project
+ additionalEnv:
+ - name: TEST_ENV
+ value: test
+ - name: TEST_ENV_FROM
+ valueFrom:
+ secretKeyRef:
+ name: test-secret
+ key: token
+ documentSelector:
+ path: kind
+ value: Deployment
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].args
+ content: --credentials-file=/etc/config/credentials.json
+ - contains:
+ path: spec.template.spec.containers[0].args
+ content: --project=test-project
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: TEST_ENV
+ value: test
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: TEST_ENV_FROM
+ valueFrom:
+ secretKeyRef:
+ name: test-secret
+ key: token
+
+ - it: renders additional pod annotations
+ set:
+ global:
+ modules:
+ placement: {}
+ enabledModules: []
+ clusterIsBootstrapped: true
+ discovery:
+ d8SpecificNodeCountByRole: {}
+ modulesImages:
+ registry:
+ base: deckhouse.io/deckhouse/ce
+ digests:
+ common:
+ kubeRbacProxy: kubeRbacProxyDigest
+ _testvalues:
+ image: controllerImage
+ additionalPodAnnotations:
+ checksum/config: deadbeef
+ custom.annotation/test: ok
+ documentSelector:
+ path: kind
+ value: Deployment
+ asserts:
+ - equal:
+ path: spec.template.metadata.annotations["checksum/config"]
+ value: deadbeef
+ - equal:
+ path: spec.template.metadata.annotations["custom.annotation/test"]
+ value: ok
+ - equal:
+ path: spec.template.metadata.annotations["kubectl.kubernetes.io/default-exec-container"]
+ value: cloud-data-discoverer
+
+ - it: renders additional init containers
+ set:
+ global:
+ modules:
+ placement: {}
+ enabledModules: []
+ clusterIsBootstrapped: true
+ discovery:
+ d8SpecificNodeCountByRole: {}
+ modulesImages:
+ registry:
+ base: deckhouse.io/deckhouse/ce
+ digests:
+ common:
+ kubeRbacProxy: kubeRbacProxyDigest
+ _testvalues:
+ image: controllerImage
+ additionalInitContainers:
+ - name: migrator
+ image: busybox
+ command:
+ - sh
+ - -c
+ - echo migrate
+ documentSelector:
+ path: kind
+ value: Deployment
+ asserts:
+ - contains:
+ path: spec.template.spec.initContainers
+ content:
+ name: migrator
+ image: busybox
+ command:
+ - sh
+ - -c
+ - echo migrate
+
+ - it: renders additional volumes and volume mounts
+ set:
+ global:
+ modules:
+ placement: {}
+ enabledModules: []
+ clusterIsBootstrapped: true
+ discovery:
+ d8SpecificNodeCountByRole: {}
+ modulesImages:
+ registry:
+ base: deckhouse.io/deckhouse/ce
+ digests:
+ common:
+ kubeRbacProxy: kubeRbacProxyDigest
+ _testvalues:
+ image: controllerImage
+ additionalVolumeMounts:
+ - mountPath: /etc/config
+ name: config
+ readOnly: true
+ additionalVolumes:
+ - name: config
+ secret:
+ secretName: cloud-data-discoverer
+ documentSelector:
+ path: kind
+ value: Deployment
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ mountPath: /etc/config
+ name: config
+ readOnly: true
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: config
+ secret:
+ secretName: cloud-data-discoverer
+
+ - it: renders bootstrapping dnsPolicy variant when cluster is not bootstrapped
+ set:
+ global:
+ modules:
+ placement: {}
+ enabledModules: []
+ clusterIsBootstrapped: false
+ discovery:
+ d8SpecificNodeCountByRole: {}
+ modulesImages:
+ registry:
+ base: deckhouse.io/deckhouse/ce
+ digests:
+ common:
+ kubeRbacProxy: kubeRbacProxyDigest
+ _testvalues:
+ image: controllerImage
+ documentSelector:
+ path: kind
+ value: Deployment
+ asserts:
+ - equal:
+ path: spec.template.spec.dnsPolicy
+ value: Default
\ No newline at end of file
From 0f0475493a340fdf6405878495f1fba937747051 Mon Sep 17 00:00:00 2001
From: Sergey Petrov
Date: Mon, 30 Mar 2026 22:02:40 +0700
Subject: [PATCH 2/4] Add probe templates; Add documentation
Signed-off-by: Sergey Petrov
---
 charts/helm_lib/README.md | 138 ++++++++++++++++++
 .../templates/_capi_controller_manager.tpl | 74 +++++++--
 .../templates/_cloud_controller_manager.tpl | 74 +++++++--
 ...coverer.tpl => _cloud_data_discoverer.tpl} | 69 +++++++-
 ...helm_lib_capi_controller_manager_test.yaml | 50 +++++--
 ...elm_lib_cloud_controller_manager_test.yaml | 50 +++++++
 .../helm_lib_cloud_data_discoverer_test.yaml | 50 +++++++
 7 files changed, 446 insertions(+), 59 deletions(-)
 rename charts/helm_lib/templates/{_cloud-data-discoverer.tpl => _cloud_data_discoverer.tpl} (70%)
diff --git a/charts/helm_lib/README.md b/charts/helm_lib/README.md
index a05333f..a20855a 100644
--- a/charts/helm_lib/README.md
+++ b/charts/helm_lib/README.md
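Review bot: The defaults case pins `spec.template.spec.dnsPolicy` to `ClusterFirstWithHostNet` but never asserts `spec.template.spec.hostNetwork`, so the suite cannot distinguish a pod that really runs on the host network from one that only carries the host-network DNS policy; add an explicit assert next to it, `- equal:` / `path: spec.template.spec.hostNetwork` with the intended value (or `notExists` if the template omits the field). The bootstrapping case at the end of the hunk has the same gap, pinning `dnsPolicy: Default` only. Neither container's `securityContext` is asserted anywhere in the suite; if the template sets one (likely through a helm_lib security-context helper, not visible here), pinning at least `containers[0].securityContext` would catch a silent privilege regression in a library template that every cloud-provider module consumes. The `renders additional args and env` case uses `contains` only, so it would not notice the default `--discovery-period=1h` and `--listen-address=127.0.0.1:8081` args being dropped when extras are supplied.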
@@ -32,6 +32,12 @@
 | [helm_lib_application_container_security_context_capabilities_drop_all_and_add](#helm_lib_application_container_security_context_capabilities_drop_all_and_add) |
 | [helm_lib_application_container_security_context_capabilities_drop_all_and_run_as_user_custom](#helm_lib_application_container_security_context_capabilities_drop_all_and_run_as_user_custom) |
 | [helm_lib_application_container_security_context_read_only_root_filesystem_capabilities_drop_all_pss_restricted](#helm_lib_application_container_security_context_read_only_root_filesystem_capabilities_drop_all_pss_restricted) |
+| **Capi Controller Manager** |
+| [helm_lib_capi_controller_manager_manifests](#helm_lib_capi_controller_manager_manifests) |
+| **Cloud Controller Manager** |
+| [helm_lib_cloud_controller_manager_manifests](#helm_lib_cloud_controller_manager_manifests) |
+| **Cloud Data Discoverer** |
+| [helm_lib_cloud_data_discoverer_manifests](#helm_lib_cloud_data_discoverer_manifests) |
 | **Csi Controller** |
 | [helm_lib_csi_image_with_common_fallback](#helm_lib_csi_image_with_common_fallback) |
 | **Dns Policy** |
@@ -475,6 +481,138 @@ list: - Template context with .Values, .Chart, etc +## Capi Controller Manager + +### helm_lib_capi_controller_manager_manifests + + Renders common manifests for provider-specific CAPI Controller Managers. + Includes Deployment, VerticalPodAutoscaler (optional) and PodDisruptionBudget (optional). + Supported configuration parameters: + + fullname (required) — resource base name used for Deployment, PDB, VPA, and by default for the main container name. + + image (required) — image for the main container. + + capiProviderName (required) — value for the cluster.x-k8s.io/provider label in selectors and pod labels. + + resources (optional, default: `{cpu: 25m, memory: 50Mi}`) — main container resource requests used when VPA is disabled. + + priorityClassName (optional, default: `"system-cluster-critical"`) — Pod priority class name. + + serviceAccountName (optional, default: `$config.fullname`) — ServiceAccount name used by the Pod. + + automountServiceAccountToken (optional, default: `true`) — controls whether the service account token is mounted into the Pod. + + revisionHistoryLimit (optional, default: `2`) — number of old ReplicaSets retained by the Deployment. + + terminationGracePeriodSeconds (optional, default: `10`) — Pod termination grace period. + + hostNetwork (optional, default: `false`) — enables host networking for the Pod. + + dnsPolicy (optional, default: `nil`) — Pod DNS policy; if not set, the field is omitted. + + nodeSelectorStrategy (optional, default: `"master"`) — strategy passed to helm_lib_node_selector. + + tolerationsStrategies (optional, default: `["any-node", "uninitialized"]`) — arguments passed to helm_lib_tolerations. + + livenessProbe (optional, default: `{httpGet: {path: /healthz, port: 8081}, initialDelaySeconds: 15, periodSeconds: 20}`) — liveness probe configuration for the main container. 
+ + readinessProbe (optional, default: `{httpGet: {path: /readyz, port: 8081}, initialDelaySeconds: 5, periodSeconds: 10}`) — readiness probe configuration for the main container. + + additionalArgs (optional, default: `[]`) — extra args for the main container. + + additionalEnv (optional, default: `[]`) — extra environment variables for the main container. + + additionalPorts (optional, default: `[]`) — extra container ports for the main container. + + additionalInitContainers (optional, default: `[]`) — extra initContainers for the Pod. + + additionalVolumeMounts (optional, default: `[]`) — extra volumeMounts for the main container. + + additionalVolumes (optional, default: `[]`) — extra Pod volumes. + + additionalPodLabels (optional, default: `{}`) — extra labels added to the pod template metadata. + + additionalPodAnnotations (optional, default: `{}`) — extra annotations added to the pod template metadata. + + pdbEnabled (optional, default: `true`) — enables PodDisruptionBudget rendering. + + pdbMaxUnavailable (optional, default: `1`) — maxUnavailable value for PodDisruptionBudget. + + vpaEnabled (optional, default: `false`) — enables VerticalPodAutoscaler rendering. + + vpaUpdateMode (optional, default: `"InPlaceOrRecreate"`) — VPA update mode. + + vpaMaxAllowed (optional, default: `{cpu: 50m, memory: 50Mi}`) — maximum resource values used in VPA policy. + +#### Usage + +`{{ include "helm_lib_capi_controller_manager_manifests" (list . $config) }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc. +- Configuration dict for the CAPI Controller Manager. + +## Cloud Controller Manager + +### helm_lib_cloud_controller_manager_manifests + + Renders common manifests for provider-specific Cloud Controller Managers. + Includes Deployment, VerticalPodAutoscaler (optional), PodDisruptionBudget (optional), and SecurityPolicyException (optional). 
+ Supported configuration parameters: + + fullname (optional, default: `"cloud-controller-manager"`) — resource base name used for Deployment, PDB, VPA, SecurityPolicyException, and the main container name by default. + + image (required) — image for the main container. + + resources (optional, default: `{cpu: 25m, memory: 50Mi}`) — main container resource requests used when VPA is disabled. + + priorityClassName (optional, default: `"system-cluster-critical"`) — Pod priority class name. + + nodeSelectorStrategy (optional, default: `"master"`) — strategy passed to helm_lib_node_selector. + + tolerationsStrategies (optional, default: ["wildcard"]) — strategies passed to helm_lib_tolerations. + + hostNetwork (optional, default: `true`) — enables host networking for the Pod and SecurityPolicyException network rule generation. + + dnsPolicy (optional, default: `"Default"`) — Pod DNS policy. + + automountServiceAccountToken (optional, default: `true`) — controls whether the service account token is mounted into the Pod. + + serviceAccountName (optional, default: `$config.fullname`) — ServiceAccount name used by the Pod. + + revisionHistoryLimit (optional, default: `2`) — number of old ReplicaSets retained by the Deployment. + + livenessProbe (optional, default: `{httpGet: {path: /healthz, port: 10471, host: 127.0.0.1, scheme: HTTPS}}`) — liveness probe configuration for the main container. + + readinessProbe (optional, default: `{httpGet: {path: /healthz, port: 10471, host: 127.0.0.1, scheme: HTTPS}}`) — readiness probe configuration for the main container. + + additionalEnvs (optional, default: `[]`) — extra environment variables for the main container. + + additionalArgs (optional, default: `nil`) — extra args for the main container. + + additionalVolumeMounts (optional, default: `[]`) — extra volumeMounts for the main container. 
+ + additionalVolumes (optional, default: `[]`) — extra Pod volumes; hostPath volumes are also used to build SecurityPolicyException rules when enabled. + + additionalPodLabels (optional, default: `{}`) — extra labels added to the pod template metadata. + + additionalPodAnnotations (optional, default: `{}`) — extra annotations added to the pod template metadata. + + pdbEnabled (optional, default: `true`) — enables PodDisruptionBudget rendering. + + pdbMaxUnavailable (optional, default: `1`) — maxUnavailable value for PodDisruptionBudget. + + additionalPDBAnnotations (optional, default: `{}`) — extra annotations added to PodDisruptionBudget metadata. + + vpaEnabled (optional, default: `true`) — enables VerticalPodAutoscaler rendering. + + vpaUpdateMode (optional, default: `"InPlaceOrRecreate"`) — VPA update mode. + + vpaMaxAllowed (optional, default: `{cpu: 50m, memory: 50Mi}`) — maximum resource values used in VPA policy. + + securityPolicyExceptionEnabled (optional, default: `false`) — enables SecurityPolicyException rendering and adds the related pod label. + +#### Usage + +`{{ include "helm_lib_cloud_controller_manager_manifests" (list . $config) }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc. +- Configuration dict for the Cloud Controller Manager. + +## Cloud Data Discoverer + +### helm_lib_cloud_data_discoverer_manifests + + Renders common manifests for provider-specific Cloud Data Discoverers. + Includes Deployment, VerticalPodAutoscaler (optional) and PodDisruptionBudget (optional). + Supported configuration parameters: + + fullname (optional, default: `"cloud-data-discoverer"`) — resource base name used for Deployment, PDB, VPA, and the main container name by default. + + image (required) — image for the main container. + + resources (optional, default: `{cpu: 25m, memory: 50Mi}`) — main container resource requests used when VPA is disabled. + + replicas (optional, default: `1`) — number of Deployment replicas. 
+ + revisionHistoryLimit (optional, default: `2`) — number of old ReplicaSets retained by the Deployment. + + serviceAccountName (optional, default: `$config.fullname`) — ServiceAccount name used by the Pod. + + automountServiceAccountToken (optional, default: `true`) — controls whether the service account token is mounted into the Pod. + + priorityClassName (optional, default: `"cluster-low"`) — Pod priority class name. + + nodeSelectorStrategy (optional, default: `"master"`) — strategy passed to helm_lib_node_selector. + + tolerationsStrategies (optional, default: `["any-node", "with-uninitialized"]`) — strategies passed to helm_lib_tolerations. + + livenessProbe (optional, default: `{httpGet: {path: /healthz, port: 8080, scheme: HTTPS}}`) — liveness probe configuration for the main container. + + readinessProbe (optional, default: `{httpGet: {path: /healthz, port: 8080, scheme: HTTPS}}`) — readiness probe configuration for the main container. + + additionalArgs (optional, default: `[]`) — extra args for the main container. + + additionalEnv (optional, default: `[]`) — extra environment variables for the main container. + + additionalPodLabels (optional, default: `{}`) — extra labels added to the pod template metadata. + + additionalPodAnnotations (optional, default: `{}`) — extra annotations added to the pod template metadata. + + additionalInitContainers (optional, default: `[]`) — extra initContainers for the Pod. + + additionalVolumes (optional, default: `[]`) — extra Pod volumes. + + additionalVolumeMounts (optional, default: `[]`) — extra volumeMounts for the main container. + + pdbEnabled (optional, default: `true`) — enables PodDisruptionBudget rendering. + + pdbMaxUnavailable (optional, default: `1`) — maxUnavailable value for PodDisruptionBudget. + + vpaEnabled (optional, default: `true`) — enables VerticalPodAutoscaler rendering. + + vpaUpdateMode (optional, default: `"Initial"`) — VPA update mode. 
+ + vpaMaxAllowed (optional, default: `{cpu: 50m, memory: 50Mi}`) — maximum resource values used in VPA policy. + +#### Usage + +`{{ include "helm_lib_cloud_data_discoverer_manifests" (list . $config) }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc. +- Configuration dict for the Cloud Data Discoverer. + ## Csi Controller ### helm_lib_csi_image_with_common_fallback diff --git a/charts/helm_lib/templates/_capi_controller_manager.tpl b/charts/helm_lib/templates/_capi_controller_manager.tpl index 0a9113a..69fe7ee 100644 --- a/charts/helm_lib/templates/_capi_controller_manager.tpl +++ b/charts/helm_lib/templates/_capi_controller_manager.tpl 
@@ -8,10 +8,57 @@ cpu: 50m memory: 50Mi {{- end -}} +{{- define "capi_controller_manager_liveness_probe" -}} +httpGet: + path: /healthz + port: 8081 +initialDelaySeconds: 15 +periodSeconds: 20 +{{- end -}} + +{{- define "capi_controller_manager_readiness_probe" -}} +httpGet: + path: /readyz + port: 8081 +initialDelaySeconds: 5 +periodSeconds: 10 +{{- end -}} + {{- /* Usage: {{ include "helm_lib_capi_controller_manager_manifests" (list . $config) }} */ -}} +{{- /* Renders common manifests for provider-specific CAPI Controller Managers. */ -}} +{{- /* Includes Deployment, VerticalPodAutoscaler (optional) and PodDisruptionBudget (optional). */ -}} +{{- /* Supported configuration parameters: */ -}} +{{- /* + fullname (required) — resource base name used for Deployment, PDB, VPA, and by default for the main container name. */ -}} +{{- /* + image (required) — image for the main container. */ -}} +{{- /* + capiProviderName (required) — value for the cluster.x-k8s.io/provider label in selectors and pod labels. */ -}} +{{- /* + resources (optional, default: `{cpu: 25m, memory: 50Mi}`) — main container resource requests used when VPA is disabled. */ -}} +{{- /* + priorityClassName (optional, default: `"system-cluster-critical"`) — Pod priority class name. */ -}} +{{- /* + serviceAccountName (optional, default: `$config.fullname`) — ServiceAccount name used by the Pod. */ -}} +{{- /* + automountServiceAccountToken (optional, default: `true`) — controls whether the service account token is mounted into the Pod. */ -}} +{{- /* + revisionHistoryLimit (optional, default: `2`) — number of old ReplicaSets retained by the Deployment. */ -}} +{{- /* + terminationGracePeriodSeconds (optional, default: `10`) — Pod termination grace period. */ -}} +{{- /* + hostNetwork (optional, default: `false`) — enables host networking for the Pod. */ -}} +{{- /* + dnsPolicy (optional, default: `nil`) — Pod DNS policy; if not set, the field is omitted. 
*/ -}} +{{- /* + nodeSelectorStrategy (optional, default: `"master"`) — strategy passed to helm_lib_node_selector. */ -}} +{{- /* + tolerationsStrategies (optional, default: `["any-node", "uninitialized"]`) — arguments passed to helm_lib_tolerations. */ -}} +{{- /* + livenessProbe (optional, default: `{httpGet: {path: /healthz, port: 8081}, initialDelaySeconds: 15, periodSeconds: 20}`) — liveness probe configuration for the main container. */ -}} +{{- /* + readinessProbe (optional, default: `{httpGet: {path: /readyz, port: 8081}, initialDelaySeconds: 5, periodSeconds: 10}`) — readiness probe configuration for the main container. */ -}} +{{- /* + additionalArgs (optional, default: `[]`) — extra args for the main container. */ -}} +{{- /* + additionalEnv (optional, default: `[]`) — extra environment variables for the main container. */ -}} +{{- /* + additionalPorts (optional, default: `[]`) — extra container ports for the main container. */ -}} +{{- /* + additionalInitContainers (optional, default: `[]`) — extra initContainers for the Pod. */ -}} +{{- /* + additionalVolumeMounts (optional, default: `[]`) — extra volumeMounts for the main container. */ -}} +{{- /* + additionalVolumes (optional, default: `[]`) — extra Pod volumes. */ -}} +{{- /* + additionalPodLabels (optional, default: `{}`) — extra labels added to the pod template metadata. */ -}} +{{- /* + additionalPodAnnotations (optional, default: `{}`) — extra annotations added to the pod template metadata. */ -}} +{{- /* + pdbEnabled (optional, default: `true`) — enables PodDisruptionBudget rendering. */ -}} +{{- /* + pdbMaxUnavailable (optional, default: `1`) — maxUnavailable value for PodDisruptionBudget. */ -}} +{{- /* + vpaEnabled (optional, default: `false`) — enables VerticalPodAutoscaler rendering. */ -}} +{{- /* + vpaUpdateMode (optional, default: `"InPlaceOrRecreate"`) — VPA update mode. 
*/ -}} +{{- /* + vpaMaxAllowed (optional, default: `{cpu: 50m, memory: 50Mi}`) — maximum resource values used in VPA policy. */ -}} {{- define "helm_lib_capi_controller_manager_manifests" -}} - {{- $context := index . 0 -}} - {{- $config := index . 1 -}} + {{- $context := index . 0 -}} {{- /* Template context with .Values, .Chart, etc. */ -}} + {{- $config := index . 1 -}} {{- /* Configuration dict for the CAPI Controller Manager. */ -}} {{- $fullname := required "helm_lib_capi_controller_manager_manifests: fullname is required" $config.fullname -}} {{- $image := required "helm_lib_capi_controller_manager_manifests: image is required" $config.image -}} @@ -26,9 +73,8 @@ memory: 50Mi {{- $dnsPolicy := dig "dnsPolicy" nil $config -}} {{- $nodeSelectorStrategy := dig "nodeSelectorStrategy" "master" $config -}} {{- $tolerationsStrategies := dig "tolerationsStrategies" (list "any-node" "uninitialized") $config -}} - {{- $livenessProbePort := dig "livenessProbePort" 8081 $config }} - {{- $readinessProbePort := dig "readinessProbePort" 8081 $config }} - + {{- $livenessProbe := dig "livenessProbe" (include "capi_controller_manager_liveness_probe" $context | fromYaml) $config }} + {{- $readinessProbe := dig "readinessProbe" (include "capi_controller_manager_readiness_probe" $context | fromYaml) $config }} {{- $additionalArgs := dig "additionalArgs" (list) $config -}} {{- $additionalEnv := dig "additionalEnv" (list) $config -}} {{- $additionalPorts := dig "additionalPorts" (list) $config -}} 
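Review bot: The parameter comments for `livenessProbe` and `readinessProbe` do not say that a configured value replaces the default wholesale: `dig` hands back the caller's mapping as-is, so a value containing only `httpGet` loses the default `initialDelaySeconds`/`periodSeconds`, and an empty mapping appears to make the `with` block render nothing under `livenessProbe:`, which the API server treats as no probe at all. I would extend both comments along the lines of `livenessProbe (optional, default: ...) — liveness probe configuration for the main container; replaces the default entirely (no merge), an empty mapping disables the probe.` The equivalent comments in the cloud controller manager hunk `@@ -8,11 +8,56 @@` and the cloud data discoverer hunk `@@ -8,21 +8,64 @@` need the same wording. The `dig` assignments this describes are in the next hunk of this file.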
@@ -37,10 +83,8 @@ memory: 50Mi {{- $additionalVolumes := dig "additionalVolumes" (list) $config -}} {{- $additionalPodLabels := dig "additionalPodLabels" (dict) $config -}} {{- $additionalPodAnnotations := dig "additionalPodAnnotations" (dict) $config -}} - {{- $pdbEnabled := dig "pdbEnabled" true $config -}} {{- $pdbMaxUnavailable := dig "pdbMaxUnavailable" 1 $config -}} - {{- $vpaEnabled := dig "vpaEnabled" false $config -}} {{- $vpaUpdateMode := dig "vpaUpdateMode" "InPlaceOrRecreate" $config -}} {{- $vpaMaxAllowed := dig "vpaMaxAllowed" (include "capi_controller_manager_max_allowed_resources" $context | fromYaml) $config -}} @@ -150,17 +194,13 @@ spec: {{- toYaml . | nindent 10 }} {{- end }} livenessProbe: - httpGet: - path: /healthz - port: {{ $livenessProbePort }} - initialDelaySeconds: 15 - periodSeconds: 20 + {{- with $livenessProbe }} + {{- toYaml . | nindent 10 }} + {{- end }} readinessProbe: - httpGet: - path: /readyz - port: {{ $readinessProbePort }} - initialDelaySeconds: 5 - periodSeconds: 10 + {{- with $readinessProbe }} + {{- toYaml . | nindent 10 }} + {{- end }} {{- with $additionalVolumeMounts }} volumeMounts: {{- toYaml . | nindent 10 }} diff --git a/charts/helm_lib/templates/_cloud_controller_manager.tpl b/charts/helm_lib/templates/_cloud_controller_manager.tpl index bf6d6b2..d0d1060 100644 --- a/charts/helm_lib/templates/_cloud_controller_manager.tpl +++ b/charts/helm_lib/templates/_cloud_controller_manager.tpl 
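Review bot: The two new `$livenessProbe`/`$readinessProbe` assignments close with `}}` while every neighbouring `dig` line in this template closes with `-}}`. It does not change the output, because the following line starts with `{{-` and trims the newline, but the mixed trim markers read as accidental; I would write `{{- $livenessProbe := dig "livenessProbe" (include "capi_controller_manager_liveness_probe" $context | fromYaml) $config -}}` and the same for the readiness line. The same pair in the cloud data discoverer hunk `@@ -8,21 +8,64 @@` has the same inconsistency.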
@@ -8,11 +8,56 @@ cpu: 50m memory: 50Mi {{- end }} +{{- define "cloud_controller_manager_liveness_probe" -}} +httpGet: + path: /healthz + port: 10471 + host: 127.0.0.1 + scheme: HTTPS +{{- end -}} + +{{- define "cloud_controller_manager_readiness_probe" -}} +httpGet: + path: /healthz + port: 10471 + host: 127.0.0.1 + scheme: HTTPS +{{- end -}} + {{- /* Usage: {{ include "helm_lib_cloud_controller_manager_manifests" (list . $config) }} */ -}} +{{- /* Renders common manifests for provider-specific Cloud Controller Managers. */ -}} +{{- /* Includes Deployment, VerticalPodAutoscaler (optional), PodDisruptionBudget (optional), and SecurityPolicyException (optional). */ -}} +{{- /* Supported configuration parameters: */ -}} +{{- /* + fullname (optional, default: `"cloud-controller-manager"`) — resource base name used for Deployment, PDB, VPA, SecurityPolicyException, and the main container name by default. */ -}} +{{- /* + image (required) — image for the main container. */ -}} +{{- /* + resources (optional, default: `{cpu: 25m, memory: 50Mi}`) — main container resource requests used when VPA is disabled. */ -}} +{{- /* + priorityClassName (optional, default: `"system-cluster-critical"`) — Pod priority class name. */ -}} +{{- /* + nodeSelectorStrategy (optional, default: `"master"`) — strategy passed to helm_lib_node_selector. */ -}} +{{- /* + tolerationsStrategies (optional, default: ["wildcard"]) — strategies passed to helm_lib_tolerations. */ -}} +{{- /* + hostNetwork (optional, default: `true`) — enables host networking for the Pod and SecurityPolicyException network rule generation. */ -}} +{{- /* + dnsPolicy (optional, default: `"Default"`) — Pod DNS policy. */ -}} +{{- /* + automountServiceAccountToken (optional, default: `true`) — controls whether the service account token is mounted into the Pod. */ -}} +{{- /* + serviceAccountName (optional, default: `$config.fullname`) — ServiceAccount name used by the Pod. 
*/ -}} +{{- /* + revisionHistoryLimit (optional, default: `2`) — number of old ReplicaSets retained by the Deployment. */ -}} +{{- /* + livenessProbe (optional, default: `{httpGet: {path: /healthz, port: 10471, host: 127.0.0.1, scheme: HTTPS}}`) — liveness probe configuration for the main container. */ -}} +{{- /* + readinessProbe (optional, default: `{httpGet: {path: /healthz, port: 10471, host: 127.0.0.1, scheme: HTTPS}}`) — readiness probe configuration for the main container. */ -}} +{{- /* + additionalEnvs (optional, default: `[]`) — extra environment variables for the main container. */ -}} +{{- /* + additionalArgs (optional, default: `nil`) — extra args for the main container. */ -}} +{{- /* + additionalVolumeMounts (optional, default: `[]`) — extra volumeMounts for the main container. */ -}} +{{- /* + additionalVolumes (optional, default: `[]`) — extra Pod volumes; hostPath volumes are also used to build SecurityPolicyException rules when enabled. */ -}} +{{- /* + additionalPodLabels (optional, default: `{}`) — extra labels added to the pod template metadata. */ -}} +{{- /* + additionalPodAnnotations (optional, default: `{}`) — extra annotations added to the pod template metadata. */ -}} +{{- /* + pdbEnabled (optional, default: `true`) — enables PodDisruptionBudget rendering. */ -}} +{{- /* + pdbMaxUnavailable (optional, default: `1`) — maxUnavailable value for PodDisruptionBudget. */ -}} +{{- /* + additionalPDBAnnotations (optional, default: `{}`) — extra annotations added to PodDisruptionBudget metadata. */ -}} +{{- /* + vpaEnabled (optional, default: `true`) — enables VerticalPodAutoscaler rendering. */ -}} +{{- /* + vpaUpdateMode (optional, default: `"InPlaceOrRecreate"`) — VPA update mode. */ -}} +{{- /* + vpaMaxAllowed (optional, default: `{cpu: 50m, memory: 50Mi}`) — maximum resource values used in VPA policy. 
*/ -}} +{{- /* + securityPolicyExceptionEnabled (optional, default: `false`) — enables SecurityPolicyException rendering and adds the related pod label. */ -}} {{- define "helm_lib_cloud_controller_manager_manifests" }} - {{- $context := index . 0 }} - {{- $config := index . 1 }} - + {{- $context := index . 0 -}} {{- /* Template context with .Values, .Chart, etc. */ -}} + {{- $config := index . 1 -}} {{- /* Configuration dict for the Cloud Controller Manager. */ -}} + {{- $fullname := dig "fullname" "cloud-controller-manager" $config }} {{- $image := $config.image | required "image is required" }} {{- $resources := dig "resources" (include "cloud_controller_manager_resources" $context | fromYaml) $config }} 
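Review bot: The default probes now defined in `cloud_controller_manager_liveness_probe`/`cloud_controller_manager_readiness_probe` target `host: 127.0.0.1`, which only reaches the container while the pod runs with `hostNetwork: true` (the documented default); the kubelet issues httpGet probes from the node, so a consumer that sets `hostNetwork: false` and keeps the default probes would have the check go to the node loopback instead of the pod, and the container would be restarted on every liveness failure. I would state this coupling in the parameter comments, e.g. `hostNetwork (optional, default: true) — enables host networking for the Pod and SecurityPolicyException network rule generation; the default probes use host 127.0.0.1 and must be overridden when this is false.` Separately, the `tolerationsStrategies` default is the only one in this block not wrapped in backticks; wrapping `["wildcard"]` like the other defaults keeps the list uniform.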
@@ -24,23 +69,22 @@ memory: 50Mi {{- $automountServiceAccountToken := dig "automountServiceAccountToken" true $config }} {{- $serviceAccountName := dig "serviceAccountName" $fullname $config }} {{- $revisionHistoryLimit := dig "revisionHistoryLimit" 2 $config }} + {{- $livenessProbe := dig "livenessProbe" (include "cloud_controller_manager_liveness_probe" $context | fromYaml) $config }} + {{- $readinessProbe := dig "readinessProbe" (include "cloud_controller_manager_readiness_probe" $context | fromYaml) $config }} {{- $additionalEnvs := dig "additionalEnvs" (list) $config }} {{- $additionalArgs := dig "additionalArgs" nil $config }} {{- $additionalVolumeMounts := dig "additionalVolumeMounts" (list) $config }} {{- $additionalVolumes := dig "additionalVolumes" (list) $config }} {{- $additionalPodLabels := dig "additionalPodLabels" (dict) $config }} {{- $additionalPodAnnotations := dig "additionalPodAnnotations" (dict) $config }} - {{- $pdbEnabled := dig "pdbEnabled" true $config }} {{- $pdbMaxUnavailable := dig "pdbMaxUnavailable" 1 $config }} {{- $additionalPDBAnnotations := dig "additionalPDBAnnotations" (dict) $config }} - {{- $vpaEnabled := dig "vpaEnabled" true $config }} {{- $vpaUpdateMode := dig "vpaUpdateMode" "InPlaceOrRecreate" $config }} {{- $vpaMaxAllowed := dig "vpaMaxAllowed" (include "cloud_controller_manager_max_allowed_resources" $context | fromYaml) $config }} - {{- $securityPolicyExceptionEnabled := dig "securityPolicyExceptionEnabled" false $config }} - + {{- if and $vpaEnabled ($context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} --- apiVersion: autoscaling.k8s.io/v1 
@@ -153,17 +197,13 @@ spec: {{- end }} {{- include "helm_lib_envs_for_proxy" $context | nindent 12 }} livenessProbe: - httpGet: - path: /healthz - port: 10471 - host: 127.0.0.1 - scheme: HTTPS + {{- with $livenessProbe }} + {{- toYaml . | nindent 12 }} + {{- end }} readinessProbe: - httpGet: - path: /healthz - port: 10471 - host: 127.0.0.1 - scheme: HTTPS + {{- with $readinessProbe }} + {{- toYaml . | nindent 12 }} + {{- end }} {{- with $additionalVolumeMounts }} volumeMounts: {{- toYaml . | nindent 12 }} diff --git a/charts/helm_lib/templates/_cloud-data-discoverer.tpl b/charts/helm_lib/templates/_cloud_data_discoverer.tpl similarity index 70% rename from charts/helm_lib/templates/_cloud-data-discoverer.tpl rename to charts/helm_lib/templates/_cloud_data_discoverer.tpl index debb3fc..31c7fdd 100644 --- a/charts/helm_lib/templates/_cloud-data-discoverer.tpl +++ b/charts/helm_lib/templates/_cloud_data_discoverer.tpl 
@@ -8,21 +8,64 @@ cpu: 50m memory: 50Mi {{- end -}} +{{- define "cloud_data_discoverer_liveness_probe" -}} +httpGet: + path: /healthz + port: 8080 + scheme: HTTPS +{{- end -}} + +{{- define "cloud_data_discoverer_readiness_probe" -}} +httpGet: + path: /healthz + port: 8080 + scheme: HTTPS +{{- end -}} + {{- /* Usage: {{ include "helm_lib_cloud_data_discoverer_manifests" (list . $config) }} */ -}} +{{- /* Renders common manifests for provider-specific Cloud Data Discoverers. */ -}} +{{- /* Includes Deployment, VerticalPodAutoscaler (optional) and PodDisruptionBudget (optional). */ -}} +{{- /* Supported configuration parameters: */ -}} +{{- /* + fullname (optional, default: `"cloud-data-discoverer"`) — resource base name used for Deployment, PDB, VPA, and the main container name by default. */ -}} +{{- /* + image (required) — image for the main container. */ -}} +{{- /* + resources (optional, default: `{cpu: 25m, memory: 50Mi}`) — main container resource requests used when VPA is disabled. */ -}} +{{- /* + replicas (optional, default: `1`) — number of Deployment replicas. */ -}} +{{- /* + revisionHistoryLimit (optional, default: `2`) — number of old ReplicaSets retained by the Deployment. */ -}} +{{- /* + serviceAccountName (optional, default: `$config.fullname`) — ServiceAccount name used by the Pod. */ -}} +{{- /* + automountServiceAccountToken (optional, default: `true`) — controls whether the service account token is mounted into the Pod. */ -}} +{{- /* + priorityClassName (optional, default: `"cluster-low"`) — Pod priority class name. */ -}} +{{- /* + nodeSelectorStrategy (optional, default: `"master"`) — strategy passed to helm_lib_node_selector. */ -}} +{{- /* + tolerationsStrategies (optional, default: `["any-node", "with-uninitialized"]`) — strategies passed to helm_lib_tolerations. */ -}} +{{- /* + livenessProbe (optional, default: `{httpGet: {path: /healthz, port: 8080, scheme: HTTPS}}`) — liveness probe configuration for the main container. 
*/ -}} +{{- /* + readinessProbe (optional, default: `{httpGet: {path: /healthz, port: 8080, scheme: HTTPS}}`) — readiness probe configuration for the main container. */ -}} +{{- /* + additionalArgs (optional, default: `[]`) — extra args for the main container. */ -}} +{{- /* + additionalEnv (optional, default: `[]`) — extra environment variables for the main container. */ -}} +{{- /* + additionalPodLabels (optional, default: `{}`) — extra labels added to the pod template metadata. */ -}} +{{- /* + additionalPodAnnotations (optional, default: `{}`) — extra annotations added to the pod template metadata. */ -}} +{{- /* + additionalInitContainers (optional, default: `[]`) — extra initContainers for the Pod. */ -}} +{{- /* + additionalVolumes (optional, default: `[]`) — extra Pod volumes. */ -}} +{{- /* + additionalVolumeMounts (optional, default: `[]`) — extra volumeMounts for the main container. */ -}} +{{- /* + pdbEnabled (optional, default: `true`) — enables PodDisruptionBudget rendering. */ -}} +{{- /* + pdbMaxUnavailable (optional, default: `1`) — maxUnavailable value for PodDisruptionBudget. */ -}} +{{- /* + vpaEnabled (optional, default: `true`) — enables VerticalPodAutoscaler rendering. */ -}} +{{- /* + vpaUpdateMode (optional, default: `"Initial"`) — VPA update mode. */ -}} +{{- /* + vpaMaxAllowed (optional, default: `{cpu: 50m, memory: 50Mi}`) — maximum resource values used in VPA policy. */ -}} {{- define "helm_lib_cloud_data_discoverer_manifests" -}} - {{- $context := index . 0 -}} - {{- $config := index . 1 -}} - + {{- $context := index . 0 -}} {{- /* Template context with .Values, .Chart, etc. */ -}} + {{- $config := index . 1 -}} {{- /* Configuration dict for the Cloud Data Discoverer. 
*/ -}} + {{- $fullname := dig "fullname" "cloud-data-discoverer" $config -}} {{- $image := required "helm_lib_cloud_data_discoverer_manifests: image is required" $config.image -}} {{- $resources := dig "resources" (include "cloud_data_discoverer_resources" $context | fromYaml) $config -}} {{- $replicas := dig "replicas" 1 $config -}} {{- $revisionHistoryLimit := dig "revisionHistoryLimit" 2 $config -}} - {{- $serviceAccountName := dig "serviceAccountName" "cloud-data-discoverer" $config -}} + {{- $serviceAccountName := dig "serviceAccountName" $fullname $config -}} {{- $automountServiceAccountToken := dig "automountServiceAccountToken" true $config -}} {{- $priorityClassName := dig "priorityClassName" "cluster-low" $config -}} {{- $nodeSelectorStrategy := dig "nodeSelectorStrategy" "master" $config -}} {{- $tolerationsStrategies := dig "tolerationsStrategies" (list "any-node" "with-uninitialized") $config -}} + {{- $livenessProbe := dig "livenessProbe" (include "cloud_data_discoverer_liveness_probe" $context | fromYaml) $config }} + {{- $readinessProbe := dig "readinessProbe" (include "cloud_data_discoverer_readiness_probe" $context | fromYaml) $config }} {{- $additionalArgs := dig "additionalArgs" (list) $config -}} {{- $additionalEnv := dig "additionalEnv" (list) $config -}} {{- $additionalPodLabels := dig "additionalPodLabels" (dict) $config }} 
@@ -30,14 +73,12 @@ memory: 50Mi {{- $additionalInitContainers := dig "additionalInitContainers" (list) $config -}} {{- $additionalVolumes := dig "additionalVolumes" (list) $config -}} {{- $additionalVolumeMounts := dig "additionalVolumeMounts" (list) $config -}} - {{- $pdbEnabled := dig "pdbEnabled" true $config -}} {{- $pdbMaxUnavailable := dig "pdbMaxUnavailable" 1 $config -}} - {{- $vpaEnabled := dig "vpaEnabled" true $config -}} {{- $vpaUpdateMode := dig "vpaUpdateMode" "Initial" $config -}} {{- $vpaMaxAllowed := dig "vpaMaxAllowed" (include "cloud_data_discoverer_max_allowed_resources" $context | fromYaml) $config -}} - + {{- if and $vpaEnabled ($context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} --- apiVersion: autoscaling.k8s.io/v1 @@ -135,15 +176,13 @@ spec: {{- toYaml . | nindent 10 }} {{- end }} livenessProbe: - httpGet: - path: /healthz - port: 8080 - scheme: HTTPS + {{- with $livenessProbe }} + {{- toYaml . | nindent 10 }} + {{- end }} readinessProbe: - httpGet: - path: /healthz - port: 8080 - scheme: HTTPS + {{- with $readinessProbe }} + {{- toYaml . | nindent 10 }} + {{- end }} {{- with $additionalVolumeMounts }} volumeMounts: {{- toYaml . | nindent 10 }} diff --git a/tests/tests/helm_lib_capi_controller_manager_test.yaml b/tests/tests/helm_lib_capi_controller_manager_test.yaml index e888fa6..549ead6 100644 --- a/tests/tests/helm_lib_capi_controller_manager_test.yaml +++ b/tests/tests/helm_lib_capi_controller_manager_test.yaml @@ -311,8 +311,18 @@ tests: dnsPolicy: ClusterFirstWithHostNet tolerationsStrategies: - wildcard - livenessProbePort: 9445 - readinessProbePort: 9445 + livenessProbe: + httpGet: + path: /healthz + port: 9445 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 9445 + initialDelaySeconds: 5 + periodSeconds: 10 additionalArgs: - --diagnostics-address=127.0.0.1:9446 - --insecure-diagnostics 
@@ -548,7 +558,7 @@ tests: name: tmp emptyDir: {} - - it: renders custom liveness and readiness probe ports + - it: renders custom liveness and readiness probes set: global: modules: @@ -560,18 +570,38 @@ tests: fullname: caphc-controller-manager image: controllerImage capiProviderName: infrastructure-huaweicloud - livenessProbePort: 8082 - readinessProbePort: 9555 + livenessProbe: + httpGet: + path: /api/v1/health/live + port: 8080 + initialDelaySeconds: 10 + periodSeconds: 30 + readinessProbe: + httpGet: + path: /api/v1/health/ready + port: 8080 + initialDelaySeconds: 10 + periodSeconds: 30 documentSelector: path: kind value: Deployment asserts: - equal: - path: spec.template.spec.containers[0].livenessProbe.httpGet.port - value: 8082 - - equal: - path: spec.template.spec.containers[0].readinessProbe.httpGet.port - value: 9555 + path: spec.template.spec.containers[0].livenessProbe + value: + httpGet: + path: /api/v1/health/live + port: 8080 + initialDelaySeconds: 10 + periodSeconds: 30 + - equal: + path: spec.template.spec.containers[0].readinessProbe + value: + httpGet: + path: /api/v1/health/ready + port: 8080 + initialDelaySeconds: 10 + periodSeconds: 30 - it: renders custom priorityClassName set: diff --git a/tests/tests/helm_lib_cloud_controller_manager_test.yaml b/tests/tests/helm_lib_cloud_controller_manager_test.yaml index 7773894..acaf0f1 100644 --- a/tests/tests/helm_lib_cloud_controller_manager_test.yaml +++ b/tests/tests/helm_lib_cloud_controller_manager_test.yaml 
@@ -104,6 +104,56 @@ tests: path: spec.template.spec.containers[0].resources.requests.memory value: 50Mi + - it: renders custom liveness and readiness probes + set: + global: + modules: + placement: {} + enabledModules: [] + clusterIsBootstrapped: true + discovery: + d8SpecificNodeCountByRole: {} + modulesImages: + registry: + base: deckhouse.io/deckhouse/ce + digests: + common: + kubeRbacProxy: kubeRbacProxyDigest + _testvalues: + image: controllerImage + livenessProbe: + httpGet: + path: /api/v1/health/live + port: 8080 + initialDelaySeconds: 10 + periodSeconds: 30 + readinessProbe: + httpGet: + path: /api/v1/health/ready + port: 8080 + initialDelaySeconds: 10 + periodSeconds: 30 + documentSelector: + path: kind + value: Deployment + asserts: + - equal: + path: spec.template.spec.containers[0].livenessProbe + value: + httpGet: + path: /api/v1/health/live + port: 8080 + initialDelaySeconds: 10 + periodSeconds: 30 + - equal: + path: spec.template.spec.containers[0].readinessProbe + value: + httpGet: + path: /api/v1/health/ready + port: 8080 + initialDelaySeconds: 10 + periodSeconds: 30 + - it: renders basic cloud-controller-manager PodDisruptionBudget set: global: diff --git a/tests/tests/helm_lib_cloud_data_discoverer_test.yaml b/tests/tests/helm_lib_cloud_data_discoverer_test.yaml index a95103f..7fc83be 100644 --- a/tests/tests/helm_lib_cloud_data_discoverer_test.yaml +++ b/tests/tests/helm_lib_cloud_data_discoverer_test.yaml 
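Review bot: The new case only covers the override path; nothing in this hunk, nor in the cloud data discoverer hunk `@@ -132,6 +132,56 @@` or the capi hunk `@@ -560,18 +570,38 @@`, asserts the default probe object now that it is produced by `include ... | fromYaml` instead of literal lines. Helm's `fromYaml` does not abort the render on a parse error; it returns a mapping with an `Error` key, so a future edit that breaks the probe define would render a probe carrying `Error:` rather than failing the suite. Unless an existing case already does this, I would add an `equal` assertion on `spec.template.spec.containers[0].livenessProbe` (and the readiness counterpart) with no `livenessProbe` in `_testvalues`, expecting `httpGet: {path: /healthz, port: 10471, host: 127.0.0.1, scheme: HTTPS}`.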
@@ -132,6 +132,56 @@ tests: - notExists: path: spec.template.spec.volumes + - it: renders custom liveness and readiness probes + set: + global: + modules: + placement: {} + enabledModules: [] + clusterIsBootstrapped: true + discovery: + d8SpecificNodeCountByRole: {} + modulesImages: + registry: + base: deckhouse.io/deckhouse/ce + digests: + common: + kubeRbacProxy: kubeRbacProxyDigest + _testvalues: + image: controllerImage + livenessProbe: + httpGet: + path: /api/v1/health/live + port: 8080 + initialDelaySeconds: 10 + periodSeconds: 30 + readinessProbe: + httpGet: + path: /api/v1/health/ready + port: 8080 + initialDelaySeconds: 10 + periodSeconds: 30 + documentSelector: + path: kind + value: Deployment + asserts: + - equal: + path: spec.template.spec.containers[0].livenessProbe + value: + httpGet: + path: /api/v1/health/live + port: 8080 + initialDelaySeconds: 10 + periodSeconds: 30 + - equal: + path: spec.template.spec.containers[0].readinessProbe + value: + httpGet: + path: /api/v1/health/ready + port: 8080 + initialDelaySeconds: 10 + periodSeconds: 30 + - it: renders basic cloud-data-discoverer PodDisruptionBudget set: global: From 145cc02fc50b5c926e91b48a84b715dc988bc765 Mon Sep 17 00:00:00 2001 From: Sergey Petrov Date: Tue, 31 Mar 2026 16:18:34 +0700 Subject: [PATCH 3/4] Fix SecurityPolicyException desciptions Signed-off-by: Sergey Petrov --- .../helm_lib/templates/_cloud_controller_manager.tpl | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/charts/helm_lib/templates/_cloud_controller_manager.tpl b/charts/helm_lib/templates/_cloud_controller_manager.tpl index d0d1060..dfaa91f 100644 --- a/charts/helm_lib/templates/_cloud_controller_manager.tpl +++ b/charts/helm_lib/templates/_cloud_controller_manager.tpl 
@@ -57,7 +57,7 @@ httpGet: {{- define "helm_lib_cloud_controller_manager_manifests" }} {{- $context := index . 0 -}} {{- /* Template context with .Values, .Chart, etc. */ -}} {{- $config := index . 1 -}} {{- /* Configuration dict for the Cloud Controller Manager. */ -}} - + {{- $fullname := dig "fullname" "cloud-controller-manager" $config }} {{- $image := $config.image | required "image is required" }} {{- $resources := dig "resources" (include "cloud_controller_manager_resources" $context | fromYaml) $config }} @@ -84,7 +84,7 @@ httpGet: {{- $vpaUpdateMode := dig "vpaUpdateMode" "InPlaceOrRecreate" $config }} {{- $vpaMaxAllowed := dig "vpaMaxAllowed" (include "cloud_controller_manager_max_allowed_resources" $context | fromYaml) $config }} {{- $securityPolicyExceptionEnabled := dig "securityPolicyExceptionEnabled" false $config }} - + {{- if and $vpaEnabled ($context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} --- apiVersion: autoscaling.k8s.io/v1 @@ -252,8 +252,8 @@ spec: - hostPath metadata: description: | - Allow hostPath volume type for CSI Controller. - The CSI Controller requires hostPath volumes for accessing host-level resources needed for storage management operations specific to the cloud provider implementation. + Allow hostPath volume type for Cloud Controller Manager. + The Cloud Controller Manager requires hostPath volumes for accessing host-level resources needed for cloud provider integration and infrastructure management operations. hostPath: allowedValues: {{- range $volume := $additionalVolumes }} 
@@ -269,7 +269,7 @@ spec: metadata: description: | Allow access to additional hostPath volume at {{ $volume.hostPath.path }}. - This additional hostPath volume is required by the CSI Node Driver for extended storage operations specific to the cloud provider implementation. + This additional hostPath volume is required by the Cloud Controller Manager for provider-specific infrastructure management operations. {{- end }} {{- end }} {{- end }} From 84dc63eb9bc3da9cf7bee42efff919473ec63687 Mon Sep 17 00:00:00 2001 From: Sergey Petrov Date: Tue, 31 Mar 2026 16:26:01 +0700 Subject: [PATCH 4/4] Bump chart version Signed-off-by: Sergey Petrov --- charts/helm_lib/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/helm_lib/Chart.yaml b/charts/helm_lib/Chart.yaml index 65cfcfe..c2713a8 100644 --- a/charts/helm_lib/Chart.yaml +++ b/charts/helm_lib/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 type: library name: deckhouse_lib_helm -version: 1.71.5 +version: 1.71.6 description: "Helm utils template definitions for Deckhouse modules."