From e04844cbb34bc9a5d86f4eb2de33bce7d8e7e14f Mon Sep 17 00:00:00 2001 From: Arik Alon Date: Mon, 2 Jun 2025 20:20:23 +0300 Subject: [PATCH 1/2] Fix helm upgrade procedure Add helm values for mutation mode and threshold Fix readme --- enforcer/README.md | 38 +++++++++++++------ enforcer/env_vars.py | 2 +- helm/krr-enforcer/Chart.yaml | 4 +- .../templates/enforcer-cert-job.yaml | 9 ----- helm/krr-enforcer/templates/enforcer.yaml | 5 +++ helm/krr-enforcer/values.yaml | 6 ++- 6 files changed, 39 insertions(+), 25 deletions(-) diff --git a/enforcer/README.md b/enforcer/README.md index e6e717ac..1aa5ab5c 100644 --- a/enforcer/README.md +++ b/enforcer/README.md 
@@ -59,27 +59,41 @@ The webhook uses `failurePolicy: Ignore` by default, meaning if the webhook fail helm repo add robusta https://robusta-charts.storage.googleapis.com && helm repo update ``` -2. **Add cluster configuration**: +2. **Configure Robusta Account Connection**: -If the enforcer is installed in the same namespace as Robusta, it will automatically detect the Robusta account settings. +The `Enforcer` needs access to your Robusta account to fetch KRR recommendations. Choose the appropriate configuration based on your setup: -If your Robusta UI sink token, is pulled from a secret (as described [here](https://docs.robusta.dev/master/setup-robusta/configuration-secrets.html#pulling-values-from-kubernetes-secrets)), you should add the same environement variable to the `Enforcer` pod as well. +#### Option A: Same Namespace as Robusta (Easiest) +If the enforcer is installed in the **same namespace as Robusta**, it will automatically detect Robusta account settings from the existing configuration. 
-If the `Enforcer` is installed on a different namespace, you can provide your Robusta account credentials using env variables: +**⚠️ Caveat**: If your Robusta UI token is pulled from a secret (as described [here](https://docs.robusta.dev/master/setup-robusta/configuration-secrets.html#pulling-values-from-kubernetes-secrets)), you must add the same environment variables to the enforcer pod: -Add your robusta credentials and cluster name: (`enforcer-values.yaml`) +```yaml +# enforcer-values.yaml +additionalEnvVars: + - name: TOKEN_ENV_VAR_NAME + valueFrom: + secretKeyRef: + name: robusta-secrets + key: robustaSinkToken +``` + +#### Option B: Different Namespace +If the enforcer is installed in a **different namespace than Robusta**, provide the Robusta credentials explicitly: ```yaml +# enforcer-values.yaml additionalEnvVars: - name: CLUSTER_NAME - value: my-cluster-name # should be the same as the robusta installation on this cluster + value: my-cluster-name # should match your Robusta cluster name - name: ROBUSTA_UI_TOKEN - value: "MY ROBUSTA UI TOKEN" -# - name: ROBUSTA_UI_TOKEN # or pulled from a secret -# valueFrom: -# secretKeyRef: -# name: robusta-secrets -# key: robustaSinkToken + value: "MY_ROBUSTA_UI_TOKEN" + # OR pull from a secret: + # - name: ROBUSTA_UI_TOKEN + # valueFrom: + # secretKeyRef: + # name: robusta-secrets + # key: robustaSinkToken ``` 2. **Install with default settings**: diff --git a/enforcer/env_vars.py b/enforcer/env_vars.py index d6ae6232..8c015052 100644 --- a/enforcer/env_vars.py +++ b/enforcer/env_vars.py 
@@ -15,7 +15,7 @@ UPDATE_THRESHOLD = float(os.environ.get("UPDATE_THRESHOLD", 20.0)) SCAN_RELOAD_INTERVAL = int(os.environ.get("SCAN_RELOAD_INTERVAL", 3600)) -KRR_MUTATION_MODE_DEFAULT = os.environ.get("KRR_MUTATION_MODE_DEFAULT", "enforce") +KRR_MUTATION_MODE_DEFAULT = os.environ.get("KRR_MUTATION_MODE_DEFAULT", "ignore") REPLICA_SET_CLEANUP_INTERVAL = int(os.environ.get("REPLICA_SET_CLEANUP_INTERVAL", 600)) REPLICA_SET_DELETION_WAIT = int(os.environ.get("REPLICA_SET_DELETION_WAIT", 600)) SCAN_AGE_HOURS_THRESHOLD = int(os.environ.get("SCAN_AGE_HOURS_THRESHOLD", 360)) # 15 days diff --git a/helm/krr-enforcer/Chart.yaml b/helm/krr-enforcer/Chart.yaml index ae6da9de..88598344 100644 --- a/helm/krr-enforcer/Chart.yaml +++ b/helm/krr-enforcer/Chart.yaml @@ -3,5 +3,5 @@ name: krr-enforcer description: KRR enforcer - auto apply KRR recommendations type: application -version: 0.3.1 -appVersion: 0.3.1 +version: 0.3.2 +appVersion: 0.3.2 diff --git a/helm/krr-enforcer/templates/enforcer-cert-job.yaml b/helm/krr-enforcer/templates/enforcer-cert-job.yaml index 6d61c307..c725fe00 100644 --- a/helm/krr-enforcer/templates/enforcer-cert-job.yaml +++ b/helm/krr-enforcer/templates/enforcer-cert-job.yaml @@ -139,15 +139,6 @@ spec: values: ["kube-system"] EOF - # Restart the enforcer deployment to pick up new certificates (only if it exists) - echo "Checking if enforcer deployment exists..." - if kubectl get deployment ${SERVICE_NAME} -n ${NAMESPACE} >/dev/null 2>&1; then - echo "Restarting enforcer deployment..." - kubectl rollout restart deployment ${SERVICE_NAME} -n ${NAMESPACE} - else - echo "Deployment ${SERVICE_NAME} does not exist yet, skipping restart" - fi - echo "Job completed successfully!" --- apiVersion: v1 diff --git a/helm/krr-enforcer/templates/enforcer.yaml b/helm/krr-enforcer/templates/enforcer.yaml index df59018e..135d4c78 100644 --- a/helm/krr-enforcer/templates/enforcer.yaml +++ b/helm/krr-enforcer/templates/enforcer.yaml 
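Review bot: The new `"ignore"` fallback is read with `os.environ.get` and never checked against the two documented modes (`values.yaml` in this same patch lists `enforce or ignore`), so a misspelled value such as `Enforce` or `disabled` is accepted at import time and its effect depends on how the consumers compare it, which is outside this hunk. Failing at startup keeps a typo from silently landing in whichever branch the comparison treats as the default: `if KRR_MUTATION_MODE_DEFAULT not in ("enforce", "ignore"):` followed by `raise ValueError(f"KRR_MUTATION_MODE_DEFAULT must be 'enforce' or 'ignore', got {KRR_MUTATION_MODE_DEFAULT!r}")`. Since the Helm template in this patch now always sets the variable from `.Values.mutationMode`, the Python default only applies to runs outside the chart, and a comment saying so, e.g. `# fallback for non-Helm runs; the chart always sets this from .Values.mutationMode`, would spare the next reader from reconciling the two defaults.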
@@ -24,6 +24,7 @@ spec: app.kubernetes.io/component: krr-enforcer annotations: admission.robusta.dev/krr-mutation-mode: ignore + checksum/cert: {{ .Release.Revision | toString | sha256sum }} {{- with .Values.annotations }} {{- toYaml . | nindent 8 }} {{- end }} @@ -118,6 +119,10 @@ spec: value: "/etc/webhook/certs/tls.crt" - name: LOG_LEVEL value: {{ .Values.logLevel | quote }} + - name: KRR_MUTATION_MODE_DEFAULT + value: {{ .Values.mutationMode | quote }} + - name: UPDATE_THRESHOLD + value: {{ .Values.updateThreshold | quote }} {{- if .Values.certificate }} - name: CERTIFICATE value: {{ .Values.certificate | quote }} diff --git a/helm/krr-enforcer/values.yaml b/helm/krr-enforcer/values.yaml index b8031713..520d7c13 100644 --- a/helm/krr-enforcer/values.yaml +++ b/helm/krr-enforcer/values.yaml @@ -1,12 +1,16 @@ certificate: "" # base64 encoded logLevel: INFO +# Enforcer configuration +mutationMode: ignore # enforce or ignore - default global enforcement mode +updateThreshold: 20.0 # percentage threshold for applying resource updates + # fullImage: ~ # full image path can be used to override image.repository/image.name:image.tag image: repository: us-central1-docker.pkg.dev/genuine-flight-317411/devel name: krr-enforcer - tag: 0.3.1 + tag: 0.3.2 imagePullPolicy: IfNotPresent resources: requests: From ebf48a59a5a26e7b3f2bcc0134118cd085ddf1fd Mon Sep 17 00:00:00 2001 From: Arik Alon Date: Mon, 2 Jun 2025 21:11:37 +0300 Subject: [PATCH 2/2] Fix readme --- enforcer/README.md | 15 +++------------ 1 file changed, 3 insertions(+), 12 deletions(-) diff --git a/enforcer/README.md b/enforcer/README.md index 1aa5ab5c..6a7da1e8 100644 --- a/enforcer/README.md +++ b/enforcer/README.md 
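Review bot: The annotation added to the pod template is named `checksum/cert` but hashes `.Release.Revision`, so it changes on every `helm upgrade` whether or not the certificate changed and does not change when only the certificate does; the name promises content tracking that the value does not deliver. Because this patch also removes the `kubectl rollout restart` from `enforcer-cert-job.yaml`, picking up a regenerated certificate now relies on the Deployment rolling after the job has written the new secret; the removed `only if it exists` guard suggests the job can run before the Deployment exists (a pre-install/pre-upgrade hook), in which case the ordering holds, but that assumption is not visible here and belongs in a comment next to the annotation. If the ordering were ever reversed, new pods would serve the old certificate against the CA registered in the webhook configuration, and with the `failurePolicy: Ignore` default described in the README that shows up as mutations silently not happening rather than as an error. A name such as `rollme/release-revision`, or `{{ .Values.certificate | sha256sum }}` when the certificate is user-supplied, would make the intent explicit, e.g. `# roll pods on every upgrade so they reload the certificate written by the cert job (runs as a pre-upgrade hook)`.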
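Review bot: `.Values.mutationMode` is passed straight into `KRR_MUTATION_MODE_DEFAULT` without validation, so a value outside the `enforce`/`ignore` pair documented in `values.yaml` renders cleanly and only surfaces inside the pod, if at all. Rejecting it at template time is two lines placed before the env list: `{{- if not (has .Values.mutationMode (list "enforce" "ignore")) }}` and `{{- fail "mutationMode must be 'enforce' or 'ignore'" }}{{- end }}`. `updateThreshold` deserves the same treatment at least for an empty value, since an empty string bypasses the `20.0` fallback in `env_vars.py` and `float("")` raises at startup; the enclosing container spec starts and ends outside this hunk.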
@@ -64,19 +64,10 @@ helm repo add robusta https://robusta-charts.storage.googleapis.com && helm repo The `Enforcer` needs access to your Robusta account to fetch KRR recommendations. Choose the appropriate configuration based on your setup: #### Option A: Same Namespace as Robusta (Easiest) -If the enforcer is installed in the **same namespace as Robusta**, it will automatically detect Robusta account settings from the existing configuration. +If the enforcer is installed in the **same namespace as Robusta**, it can automatically detect Robusta account settings and there is no need for explicit configuration. -**⚠️ Caveat**: If your Robusta UI token is pulled from a secret (as described [here](https://docs.robusta.dev/master/setup-robusta/configuration-secrets.html#pulling-values-from-kubernetes-secrets)), you must add the same environment variables to the enforcer pod: +**⚠️ Caveat**: If your Robusta UI token is pulled from a secret (as described [here](https://docs.robusta.dev/master/setup-robusta/configuration-secrets.html#pulling-values-from-kubernetes-secrets)), this method won’t work and you should use Option B (described below) instead. -```yaml -# enforcer-values.yaml -additionalEnvVars: - - name: TOKEN_ENV_VAR_NAME - valueFrom: - secretKeyRef: - name: robusta-secrets - key: robustaSinkToken -``` #### Option B: Different Namespace If the enforcer is installed in a **different namespace than Robusta**, provide the Robusta credentials explicitly: @@ -96,7 +87,7 @@ additionalEnvVars: # key: robustaSinkToken ``` -2. **Install with default settings**: +3. **Install with default settings**: ```bash helm install krr-enforcer robusta/krr-enforcer -f enforcer-values.yaml ```