fix(helm): add values for declaratively enabling PDBs (kyverno#8652)
* fix(helm): add values for declaratively enabling PDBs

Signed-off-by: Erik Godding Boye <[email protected]>

* update codegen docs

Signed-off-by: ShutingZhao <[email protected]>

---------

Signed-off-by: Erik Godding Boye <[email protected]>
Signed-off-by: ShutingZhao <[email protected]>
Co-authored-by: ShutingZhao <[email protected]>
erikgb and realshuting authored Oct 16, 2023
1 parent dbc55c1 commit 1be3e6d
Showing 6 changed files with 20 additions and 4 deletions.
4 changes: 4 additions & 0 deletions charts/kyverno/README.md
Expand Up @@ -352,6 +352,7 @@ The chart values are organised per component.
| admissionController.nodeAffinity | object | `{}` | Node affinity constraints. |
| admissionController.topologySpreadConstraints | list | `[]` | Topology spread constraints. |
| admissionController.podSecurityContext | object | `{}` | Security context for the pod |
| admissionController.podDisruptionBudget.enabled | bool | `false` | Enable PodDisruptionBudget. Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking. |
| admissionController.podDisruptionBudget.minAvailable | int | `1` | Configures the minimum available pods for disruptions. Cannot be used if `maxUnavailable` is set. |
| admissionController.podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for disruptions. Cannot be used if `minAvailable` is set. |
| admissionController.tufRootMountPath | string | `"/.sigstore"` | A writable volume to use for the TUF root initialization. |
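Review bot: the description in the new `admissionController.podDisruptionBudget.enabled` row says "Will always be enabled if replicas > 1", which can be read as the value itself being changed. State instead that a PodDisruptionBudget is rendered whenever replicas > 1 and that `false` is ignored in that case. The commit message marks these docs as generated ("update codegen docs"), so the wording belongs in the `values.yaml` comment and carries over to the other three component rows.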
Expand Down Expand Up @@ -443,6 +444,7 @@ The chart values are organised per component.
| backgroundController.topologySpreadConstraints | list | `[]` | Topology spread constraints. |
| backgroundController.podSecurityContext | object | `{}` | Security context for the pod |
| backgroundController.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers |
| backgroundController.podDisruptionBudget.enabled | bool | `false` | Enable PodDisruptionBudget. Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking. |
| backgroundController.podDisruptionBudget.minAvailable | int | `1` | Configures the minimum available pods for disruptions. Cannot be used if `maxUnavailable` is set. |
| backgroundController.podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for disruptions. Cannot be used if `minAvailable` is set. |
| backgroundController.metricsService.create | bool | `true` | Create service. |
Expand Down Expand Up @@ -510,6 +512,7 @@ The chart values are organised per component.
| cleanupController.topologySpreadConstraints | list | `[]` | Topology spread constraints. |
| cleanupController.podSecurityContext | object | `{}` | Security context for the pod |
| cleanupController.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers |
| cleanupController.podDisruptionBudget.enabled | bool | `false` | Enable PodDisruptionBudget. Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking. |
| cleanupController.podDisruptionBudget.minAvailable | int | `1` | Configures the minimum available pods for disruptions. Cannot be used if `maxUnavailable` is set. |
| cleanupController.podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for disruptions. Cannot be used if `minAvailable` is set. |
| cleanupController.service.port | int | `443` | Service port. |
Expand Down Expand Up @@ -579,6 +582,7 @@ The chart values are organised per component.
| reportsController.topologySpreadConstraints | list | `[]` | Topology spread constraints. |
| reportsController.podSecurityContext | object | `{}` | Security context for the pod |
| reportsController.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers |
| reportsController.podDisruptionBudget.enabled | bool | `false` | Enable PodDisruptionBudget. Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking. |
| reportsController.podDisruptionBudget.minAvailable | int | `1` | Configures the minimum available pods for disruptions. Cannot be used if `maxUnavailable` is set. |
| reportsController.podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for disruptions. Cannot be used if `minAvailable` is set. |
| reportsController.tufRootMountPath | string | `"/.sigstore"` | A writable volume to use for the TUF root initialization. |
@@ -1,4 +1,4 @@
{{- if (gt (int .Values.admissionController.replicas) 1) -}}
{{- if or .Values.admissionController.podDisruptionBudget.enabled (gt (int .Values.admissionController.replicas) 1) -}}
apiVersion: {{ template "kyverno.pdb.apiVersion" . }}
kind: PodDisruptionBudget
metadata:
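Review bot: the new `or` on the first line makes `podDisruptionBudget.enabled` a one-way switch: `true` adds the PDB at a single replica, while `false` is ignored once `replicas` exceeds 1. The six changed files shown are the README, four templates and `values.yaml`, with no rendering test among them; a test covering both combinations (`enabled: true` with `replicas: 1`, and `enabled: false` with `replicas` above 1) would pin the behaviour the docs describe.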
@@ -1,5 +1,5 @@
{{- if .Values.backgroundController.enabled -}}
{{- if (gt (int .Values.backgroundController.replicas) 1) -}}
{{- if or .Values.backgroundController.podDisruptionBudget.enabled (gt (int .Values.backgroundController.replicas) 1) -}}
apiVersion: {{ template "kyverno.pdb.apiVersion" . }}
kind: PodDisruptionBudget
metadata:
@@ -1,5 +1,5 @@
{{- if .Values.cleanupController.enabled -}}
{{- if (gt (int .Values.cleanupController.replicas) 1) -}}
{{- if or .Values.cleanupController.podDisruptionBudget.enabled (gt (int .Values.cleanupController.replicas) 1) -}}
apiVersion: {{ template "kyverno.pdb.apiVersion" . }}
kind: PodDisruptionBudget
metadata:
@@ -1,5 +1,5 @@
{{- if .Values.reportsController.enabled -}}
{{- if (gt (int .Values.reportsController.replicas) 1) -}}
{{- if or .Values.reportsController.podDisruptionBudget.enabled (gt (int .Values.reportsController.replicas) 1) -}}
apiVersion: {{ template "kyverno.pdb.apiVersion" . }}
kind: PodDisruptionBudget
metadata:
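Review bot: the changed `if` line here is the fourth copy of the same `or ... (gt (int ...replicas) 1)` condition, differing only in the component name. A named template alongside `kyverno.pdb.apiVersion` that takes the component's values and decides whether the PDB is rendered would keep the four templates from drifting if the replicas fallback is later removed.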
12 changes: 12 additions & 0 deletions charts/kyverno/values.yaml
Expand Up @@ -781,6 +781,9 @@ admissionController:
podSecurityContext: {}

podDisruptionBudget:
# -- Enable PodDisruptionBudget.
# Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking.
enabled: false
# -- Configures the minimum available pods for disruptions.
# Cannot be used if `maxUnavailable` is set.
minAvailable: 1
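Review bot: the comment on the new `enabled` key does not mention that the flag only changes rendering when `replicas` is 1 or less, and in that case the unchanged default `minAvailable: 1` directly below yields a budget that permits zero voluntary disruptions, so a node drain will block on that pod. Suggest extending the comment to say this and to point at `maxUnavailable` as the setting to use with a single replica. The same applies to the three other component blocks.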
Expand Down Expand Up @@ -1161,6 +1164,9 @@ backgroundController:
type: RuntimeDefault

podDisruptionBudget:
# -- Enable PodDisruptionBudget.
# Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking.
enabled: false
# -- Configures the minimum available pods for disruptions.
# Cannot be used if `maxUnavailable` is set.
minAvailable: 1
Expand Down Expand Up @@ -1426,6 +1432,9 @@ cleanupController:
type: RuntimeDefault

podDisruptionBudget:
# -- Enable PodDisruptionBudget.
# Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking.
enabled: false
# -- Configures the minimum available pods for disruptions.
# Cannot be used if `maxUnavailable` is set.
minAvailable: 1
Expand Down Expand Up @@ -1669,6 +1678,9 @@ reportsController:
type: RuntimeDefault

podDisruptionBudget:
# -- Enable PodDisruptionBudget.
# Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking.
enabled: false
# -- Configures the minimum available pods for disruptions.
# Cannot be used if `maxUnavailable` is set.
minAvailable: 1