chart: add config key to disable resource creation
Signed-off-by: Viet Nguyen Duc <[email protected]>
VietND96 committed Sep 21, 2024
1 parent a3b4b62 commit b960241
Showing 10 changed files with 47 additions and 21 deletions.
17 changes: 12 additions & 5 deletions charts/selenium-grid/CONFIGURATION.md
Expand Up @@ -47,6 +47,7 @@ A Helm chart for creating a Selenium Grid Server in Kubernetes
| global.seleniumGrid.affinity | object | `{}` | Specify affinity for all components, can be overridden individually |
| global.seleniumGrid.topologySpreadConstraints | list | `[]` | Specify topologySpreadConstraints for all components, can be overridden individually |
| global.seleniumGrid.nodeMaxSessions | int | `1` | Specify number of max sessions per node. Can be overridden by individual component (this is also set to scaler trigger parameter `nodeMaxSessions` if `autoscaling` is enabled) |
| tls.create | bool | `true` | Create a Secret resource for TLS certificate and key. If using an external secret set to false and provide its name in `nameOverride` below |
| tls.nameOverride | string | `nil` | Name of external secret containing the TLS certificate and key |
| tls.enabled | bool | `false` | Enable or disable TLS for the server components (and ingress proxy) |
| tls.ingress.enabled | bool | `false` | Enable or disable TLS for the ingress proxy only |
Expand All @@ -67,18 +68,23 @@ A Helm chart for creating a Selenium Grid Server in Kubernetes
| tls.disableHostnameVerification | bool | `true` | Disable verification the hostname included in the server's TLS/SSL certificates matches the hostnames provided |
| registrationSecret.enabled | bool | `false` | Enable feature node registration secret to make sure that the node is one you control and not a rouge node |
| registrationSecret.value | string | `"HappyTesting"` | The secret value to be used for node registration |
| basicAuth.create | bool | `true` | Create a secret resource for basic auth. If using an external secret, set to false and provide its name in `nameOverride` below |
| basicAuth.nameOverride | string | `""` | External secret containing the basic auth username and password for reference |
| basicAuth.enabled | bool | `false` | Enable or disable basic auth for the Hub/Router |
| basicAuth.username | string | `"admin"` | Username for basic auth |
| basicAuth.password | string | `"admin"` | Password for basic auth |
| basicAuth.embeddedUrl | bool | `false` | Embed the basic auth "username:password@" in few URLs e.g. SE_NODE_GRID_URL |
| basicAuth.annotations | object | `{}` | Annotations for basic auth secret resource |
| isolateComponents | bool | `false` | Deploy Router, Distributor, EventBus, SessionMap and Nodes separately |
| serviceAccount.create | bool | `true` | Create a service account for all components |
| serviceAccount.create | bool | `true` | Create a service account for all components. If using an external service account, set to false and provide its name in `nameOverride` below |
| serviceAccount.nameOverride | string | `nil` | Override to use an external service account |
| serviceAccount.annotations | object | `{}` | Annotations for the service account |
| rbacRole | object | `{"annotations":{},"nameOverride":null,"rules":[{"apiGroups":["keda.sh"],"resources":["scaledjobs"],"verbs":["get","list","patch","update","delete"]},{"apiGroups":["keda.sh"],"resources":["scaledobjects"],"verbs":["get","list","patch","update","delete"]},{"apiGroups":["autoscaling"],"resources":["horizontalpodautoscalers"],"verbs":["get","list","patch","update","delete"]}]}` | RBAC settings for patching finalizers KEDA scaled resources |
| rbacRoleBinding | object | `{"annotations":{},"nameOverride":null,"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"Role"}}` | RBAC role binding settings for patching finalizers KEDA scaled resources |
| rbacRole | object | `{"annotations":{},"create":true,"nameOverride":null,"rules":[{"apiGroups":["keda.sh"],"resources":["scaledjobs"],"verbs":["get","list","patch","update","delete"]},{"apiGroups":["keda.sh"],"resources":["scaledobjects"],"verbs":["get","list","patch","update","delete"]},{"apiGroups":["autoscaling"],"resources":["horizontalpodautoscalers"],"verbs":["get","list","patch","update","delete"]}]}` | RBAC settings for patching finalizers KEDA scaled resources |
| rbacRole.create | bool | `true` | Enable to create RBAC role to access few KEDA resources. If using an external role, set to false and provide its name in `nameOverride` below |
| rbacRole.nameOverride | string | `nil` | Override resource name or provide an external role name |
| rbacRoleBinding | object | `{"annotations":{},"create":true,"nameOverride":null,"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"Role"},"subjects":[{"kind":"ServiceAccount"}]}` | RBAC role binding settings for patching finalizers KEDA scaled resources |
| rbacRoleBinding.create | bool | `true` | Enable to create RBAC role binding to a service account. If using an external role binding, set to false and provide its name in `nameOverride` below |
| rbacRoleBinding.nameOverride | string | `nil` | Override resource name or provide an external role binding name |
| ingress.enabled | bool | `true` | Enable to create ingress resource |
| ingress.enableWithController | bool | `false` | Enable ingress resource with automatically installing Ingress NGINX Controller |
| ingress.className | string | `""` | Name of ingress class to select which controller will implement ingress resource |
Expand Down Expand Up @@ -154,7 +160,7 @@ A Helm chart for creating a Selenium Grid Server in Kubernetes
| serverConfigMap.nameOverride | string | `nil` | Override the name of the server configMap |
| serverConfigMap.env | object | `{"SE_JAVA_OPTS":"-Djdk.httpclient.keepalive.timeout=300 -Djdk.httpclient.maxstreams=10000 -XX:+UseZGC","SE_SUPERVISORD_LOG_LEVEL":"info"}` | Extra common environment variables for Server (https://www.selenium.dev/documentation/grid/configuration/cli_options/#server) to server configMap |
| serverConfigMap.annotations | object | `{}` | Custom annotations for configmap |
| secrets.create | bool | `true` | Create the default secret for all components |
| secrets.create | bool | `true` | Create the default secret for all components. If using an external secret, set to false and provide its name in `nameOverride` below |
| secrets.nameOverride | string | `nil` | Override to use an external secret |
| secrets.env | object | `{"SE_VNC_PASSWORD":"secret"}` | Extra environment variables set to the secret |
| secrets.annotations | object | `{}` | Custom annotations for secret |
Expand Down Expand Up @@ -310,6 +316,7 @@ A Helm chart for creating a Selenium Grid Server in Kubernetes
| autoscaling.patchObjectFinalizers.enabled | bool | `true` | Enable patching finalizers for KEDA scaled resources. Workaround for Hook post-upgrade selenium-grid/templates/x-node-hpa.yaml failed: object is being deleted: scaledobjects.keda.sh "x" already exists |
| autoscaling.patchObjectFinalizers.activeDeadlineSeconds | int | `120` | Deadline (in seconds) for patch job to complete |
| autoscaling.patchObjectFinalizers.annotations | object | `{"helm.sh/hook":"post-install,post-upgrade,post-rollback,pre-delete","helm.sh/hook-delete-policy":"hook-succeeded,before-hook-creation","helm.sh/hook-weight":"-1"}` | Annotations for patch job |
| autoscaling.patchObjectFinalizers.serviceAccount | string | `""` | Define an external service account name contains permissions to patch KEDA scaled resources |
| autoscaling.patchObjectFinalizers.imagePullSecret | string | `""` | Custom pull secret for container in patch job |
| autoscaling.patchObjectFinalizers.resources | object | `{"limits":{"cpu":"50m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}` | Define resources for container in patch job |
| autoscaling.scaledOptions | object | `{"maxReplicaCount":8,"minReplicaCount":0,"pollingInterval":10}` | Options for KEDA scaled resources (keep only common options used for both ScaledJob and ScaledObject) |
Expand Down Expand Up @@ -498,7 +505,7 @@ A Helm chart for creating a Selenium Grid Server in Kubernetes
| videoRecorder.lifecycle | object | `{}` | Define lifecycle events for video recorder |
| videoRecorder.extraVolumeMounts | list | `[]` | Custom video recorder back-end scripts (video.sh, video_ready.py, etc.) further by ConfigMap. NOTE: For the mount point with the name "video", or "video-scripts", it will override the default. For other names, it will be appended. |
| videoRecorder.extraVolumes | list | `[]` | Extra volumes for video recorder pod |
| videoRecorder.s3 | object | `{"args":[],"command":[],"extraEnvironmentVariables":null,"imageName":"bitnami/aws-cli","imagePullPolicy":"IfNotPresent","imageRegistry":"public.ecr.aws","imageTag":"latest","securityContext":{"runAsUser":0}}` | Container spec for the uploader if above it is defined as "uploader.name: s3" |
| videoRecorder.s3 | object | `{"args":[],"command":[],"extraEnvironmentVariables":null,"imageName":"aws-cli","imagePullPolicy":"IfNotPresent","imageRegistry":"bitnami","imageTag":"latest","securityContext":{"runAsUser":0}}` | Container spec for the uploader if above it is defined as "uploader.name: s3" |
| customLabels | object | `{}` | Custom labels for k8s resources |
| keda.image | object | `{"keda":{"registry":"selenium","repository":"keda","tag":"2.15.1-selenium-grid-20240907"},"metricsApiServer":{"registry":"selenium","repository":"keda-metrics-apiserver","tag":"2.15.1-selenium-grid-20240907"},"webhooks":{"registry":"selenium","repository":"keda-admission-webhooks","tag":"2.15.1-selenium-grid-20240907"}}` | Specify image for KEDA components |
| keda.additionalAnnotations | string | `nil` | Annotations for KEDA resources |
5 changes: 4 additions & 1 deletion charts/selenium-grid/README.md
Expand Up @@ -672,7 +672,7 @@ There are multiple ways to insert your certificate, private key, truststore to t
--from-file=server.pass=/path/to/your/server.pass
# Deploy chart with your external TLS Secret
helm upgrade -i $RELEASENAME -n $NAMESPACE docker-selenium/selenium-grid \
--set tls.enabled=true --set tls.nameOverride=my-external-tls-secret
--set tls.enabled=true --set tls.create=false --set tls.nameOverride=my-external-tls-secret
```

In case your external secret contains key file names are different with default, you can instruct server to use them via following values:
Expand Down Expand Up @@ -717,6 +717,7 @@ helm upgrade -i $RELEASENAME -n $NAMESPACE docker-selenium/selenium-grid \
--set isolateComponents=true \
--set components.router.serviceType=NodePort \
--set tls.enabled=true \
--set tls.create=false \
--set tls.nameOverride=my-external-tls-secret
```

Expand Down Expand Up @@ -770,6 +771,7 @@ helm upgrade -i $RELEASENAME -n $NAMESPACE docker-selenium/selenium-grid \
--set ingress.enabled=true \
--set ingress.hostname="selenium-grid.prod.domain.com" \
--set tls.ingress.enabled=true \
--set tls.create=false \
--set tls.nameOverride=my-external-tls-secret
```

Expand All @@ -795,6 +797,7 @@ For example (replace `$RELEASENAME` and `$NAMESPACE` with your values):
helm upgrade -i $RELEASENAME -n $NAMESPACE docker-selenium/selenium-grid \
--set global.K8S_PUBLIC_IP=$(hostname -i) \
--set tls.ingress.enableWithController=true \
--set tls.create=false \
--set tls.nameOverride=my-external-tls-secret \
--set ingress-nginx.controller.extraArgs.default-ssl-certificate=$NAMESPACE/my-external-tls-secret
```
2 changes: 1 addition & 1 deletion charts/selenium-grid/templates/basic-auth-secret.yaml
@@ -1,4 +1,4 @@
{{- if (not $.Values.basicAuth.nameOverride) }}
{{- if $.Values.basicAuth.create }}
apiVersion: v1
kind: Secret
metadata:
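Review bot: Switching the guard on line 1 from `not $.Values.basicAuth.nameOverride` to `$.Values.basicAuth.create` changes what an existing release does on upgrade, because `create` defaults to `true`: a values file that only sets `basicAuth.nameOverride` to an external Secret now renders this chart-managed Secret as well. The name template is outside the hunk, but if it resolves to `nameOverride`, Helm would presumably either stop on the ownership conflict or replace the external credentials with the chart's `basicAuth.username`/`basicAuth.password` values, whose documented defaults are `admin`/`admin`. Keeping the old test as a fallback avoids that: `{{- if and $.Values.basicAuth.create (not $.Values.basicAuth.nameOverride) }}`. The same applies to the `tls.create` guard in tls-cert-secret.yaml.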
Original file line number Diff line number Diff line change
Expand Up @@ -25,10 +25,10 @@ spec:
name: {{ template "seleniumGrid.keda.patchObjectsJob.fullname" $ }}
spec:
activeDeadlineSeconds: {{ $.Values.autoscaling.patchObjectFinalizers.activeDeadlineSeconds }}
serviceAccountName: {{ template "seleniumGrid.serviceAccount.fullname" $ }}
serviceAccount: {{ template "seleniumGrid.serviceAccount.fullname" $ }}
serviceAccountName: {{ default (include "seleniumGrid.serviceAccount.fullname" $) $.Values.autoscaling.patchObjectFinalizers.serviceAccount }}
serviceAccount: {{ default (include "seleniumGrid.serviceAccount.fullname" $) $.Values.autoscaling.patchObjectFinalizers.serviceAccount }}
containers:
- name: {{ template "seleniumGrid.keda.patchObjectsJob.fullname" $ }}
- name: kubectl
image: {{ $.Values.global.seleniumGrid.kubectlImage }}
command: ["/bin/sh", "-c"]
args:
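Review bot: When `autoscaling.patchObjectFinalizers.serviceAccount` is set, this Job runs kubectl under that account while the Role and RoleBinding templates in this commit are skipped, so the hook's permissions are whatever the external account already holds and nothing in the chart narrows them. The values comment should say so, for example `# -- Name of an existing service account, limited to the permissions listed in rbacRole.rules, used by the patch job`. The deprecated `serviceAccount` field repeats the same `default (include ...)` expression as `serviceAccountName`; dropping it, or assigning the resolved name to one template variable, keeps the two from drifting apart. The pod spec continues outside the hunk.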
2 changes: 1 addition & 1 deletion charts/selenium-grid/templates/patch-keda/rbac-role.yaml
@@ -1,4 +1,4 @@
{{- if and (eq (include "seleniumGrid.useKEDA" $) "true") $.Values.autoscaling.patchObjectFinalizers.enabled }}
{{- if and (eq (include "seleniumGrid.useKEDA" $) "true") $.Values.autoscaling.patchObjectFinalizers.enabled (not $.Values.autoscaling.patchObjectFinalizers.serviceAccount) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
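Review bot: The `rbacRole.create` and `rbacRoleBinding.create` keys this commit adds to values.yaml are not read by the guard on line 1 here, nor by the RoleBinding template's guard; both test only `patchObjectFinalizers.serviceAccount`. As far as these hunks show, an operator who sets `rbacRole.create=false` to keep the chart from creating RBAC objects still gets a Role with patch, update and delete on the KEDA scaled resources and HPAs. Add the flag to the condition, `{{- if and (eq (include "seleniumGrid.useKEDA" $) "true") $.Values.autoscaling.patchObjectFinalizers.enabled $.Values.rbacRole.create (not $.Values.autoscaling.patchObjectFinalizers.serviceAccount) }}`, and `$.Values.rbacRoleBinding.create` likewise in the RoleBinding template.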
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
{{- if and (eq (include "seleniumGrid.useKEDA" $) "true") $.Values.autoscaling.patchObjectFinalizers.enabled }}
{{- if and (eq (include "seleniumGrid.useKEDA" $) "true") $.Values.autoscaling.patchObjectFinalizers.enabled (not $.Values.autoscaling.patchObjectFinalizers.serviceAccount) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
Expand All @@ -9,17 +9,18 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
deploymentName: {{ template "seleniumGrid.rbac.roleBinding.fullname" $ }}
app: {{ template "seleniumGrid.rbac.roleBinding.fullname" $ }}
app.kubernetes.io/name: {{ template "seleniumGrid.rbac.roleBinding.fullname" $ }}
{{- include "seleniumGrid.commonLabels" $ | nindent 4 }}
{{- with $.Values.customLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
subjects:
- kind: ServiceAccount
name: {{ template "seleniumGrid.serviceAccount.fullname" $ }}
name: {{ default (include "seleniumGrid.serviceAccount.fullname" $) $.Values.autoscaling.patchObjectFinalizers.serviceAccount }}
{{ with $.Values.rbacRoleBinding.roleRef }}
{{- $roleRef := merge (dict "name" (include "seleniumGrid.rbac.role.fullname" $)) . -}}
roleRef:
{{ $roleRef | toYaml | nindent 2 }}
{{- $roleRef | toYaml | nindent 2 }}
{{- end }}
{{- end }}
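Review bot: The `default ... $.Values.autoscaling.patchObjectFinalizers.serviceAccount` on the subject `name` can never select the external account, because the guard on line 1 renders this document only when that value is empty. As written it always resolves to `seleniumGrid.serviceAccount.fullname`; either keep `{{ template "seleniumGrid.serviceAccount.fullname" $ }}`, or drop the `not ...serviceAccount` term from the guard if the chart is meant to bind its Role to the external account. The `subjects` list added under `rbacRoleBinding` in values.yaml is also not read in this hunk, so the subject stays hard-coded and the new key looks configurable when it is not.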
2 changes: 1 addition & 1 deletion charts/selenium-grid/templates/serviceaccount.yaml
@@ -1,4 +1,4 @@
{{- if .Values.serviceAccount.create }}
{{- if $.Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
2 changes: 1 addition & 1 deletion charts/selenium-grid/templates/tls-cert-secret.yaml
@@ -1,4 +1,4 @@
{{- if and (not $.Values.tls.nameOverride) (or (eq (include "seleniumGrid.ingress.secureConnection" $) "true") (eq (include "seleniumGrid.server.secureConnection" $) "true")) }}
{{- if and $.Values.tls.create (or (eq (include "seleniumGrid.ingress.secureConnection" $) "true") (eq (include "seleniumGrid.server.secureConnection" $) "true")) }}
apiVersion: v1
kind: Secret
metadata:
22 changes: 18 additions & 4 deletions charts/selenium-grid/values.yaml
Expand Up @@ -52,6 +52,8 @@ global:
nodeMaxSessions: 1

tls:
# -- Create a Secret resource for TLS certificate and key. If using an external secret set to false and provide its name in `nameOverride` below
create: true
# -- Name of external secret containing the TLS certificate and key
nameOverride:
# -- Enable or disable TLS for the server components (and ingress proxy)
Expand Down Expand Up @@ -105,6 +107,8 @@ registrationSecret:

# Basic auth settings for Selenium Grid
basicAuth:
# -- Create a secret resource for basic auth. If using an external secret, set to false and provide its name in `nameOverride` below
create: true
# -- External secret containing the basic auth username and password for reference
nameOverride: ""
# -- Enable or disable basic auth for the Hub/Router
Expand All @@ -123,7 +127,7 @@ isolateComponents: false

# Service Account for all components
serviceAccount:
# -- Create a service account for all components
# -- Create a service account for all components. If using an external service account, set to false and provide its name in `nameOverride` below
create: true
# -- Override to use an external service account
nameOverride:
Expand All @@ -133,6 +137,9 @@ serviceAccount:

# -- RBAC settings for patching finalizers KEDA scaled resources
rbacRole:
# -- Enable to create RBAC role to access few KEDA resources. If using an external role, set to false and provide its name in `nameOverride` below
create: true
# -- Override resource name or provide an external role name
nameOverride:
annotations: {}
rules:
Expand All @@ -154,8 +161,13 @@ rbacRole:

# -- RBAC role binding settings for patching finalizers KEDA scaled resources
rbacRoleBinding:
# -- Enable to create RBAC role binding to a service account. If using an external role binding, set to false and provide its name in `nameOverride` below
create: true
# -- Override resource name or provide an external role binding name
nameOverride:
annotations: {}
subjects:
- kind: ServiceAccount
roleRef:
kind: Role
apiGroup: rbac.authorization.k8s.io
Expand Down Expand Up @@ -347,7 +359,7 @@ serverConfigMap:

# Secrets for all components. Component environment variables contain sensitive data should be stored in secrets.
secrets:
# -- Create the default secret for all components
# -- Create the default secret for all components. If using an external secret, set to false and provide its name in `nameOverride` below
create: true
# -- Override to use an external secret
nameOverride:
Expand Down Expand Up @@ -807,6 +819,8 @@ autoscaling:
"helm.sh/hook": post-install,post-upgrade,post-rollback,pre-delete
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
"helm.sh/hook-weight": "-1"
# -- Define an external service account name contains permissions to patch KEDA scaled resources
serviceAccount: ""
# -- Custom pull secret for container in patch job
imagePullSecret: ""
# -- Define resources for container in patch job
Expand Down Expand Up @@ -1504,8 +1518,8 @@ videoRecorder:

# -- Container spec for the uploader if above it is defined as "uploader.name: s3"
s3:
imageRegistry: public.ecr.aws
imageName: bitnami/aws-cli
imageRegistry: bitnami
imageName: aws-cli
imageTag: latest
imagePullPolicy: IfNotPresent
securityContext:
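Review bot: The `videoRecorder.s3` default drops the explicit registry host: `imageRegistry: public.ecr.aws` with `imageName: bitnami/aws-cli` becomes `imageRegistry: bitnami` with `imageName: aws-cli`, so the reference now resolves against whatever default registry the node's container runtime is configured with. Together with the unchanged `imageTag: latest` and the `runAsUser: 0` documented for this container, the uploader, which presumably handles the S3 credentials, runs as root from a mutable tag. The change is unrelated to the commit title and deserves its own line in the description. The default should pin a version tag or digest, e.g. `imageTag: "<PINNED_VERSION>"`, with a values comment telling operators to do the same when they override the image.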
1 change: 1 addition & 0 deletions tests/charts/make/chart_test.sh
Expand Up @@ -238,6 +238,7 @@ fi

if [ "${SECURE_USE_EXTERNAL_CERT}" = "true" ] && [ "${RENDER_HELM_TEMPLATE_ONLY}" != "true" ]; then
HELM_COMMAND_SET_IMAGES="${HELM_COMMAND_SET_IMAGES} \
--set tls.create=false
--set tls.nameOverride=${EXTERNAL_TLS_SECRET_NAME} \
--set ingress.nginx.sslSecret="${SELENIUM_NAMESPACE}/${EXTERNAL_TLS_SECRET_NAME}" \
"
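Review bot: The added `--set tls.create=false` line has no trailing ` \`, unlike the `--set` lines after it, so `HELM_COMMAND_SET_IMAGES` now carries a literal newline at that point. Whether that matters depends on how the variable is expanded later, which is outside the hunk: unquoted word splitting tolerates it, but an `eval` or `sh -c` would end the helm command there and the external-TLS flags that follow would not be applied, so the test would no longer exercise the external-certificate path. Write it as `--set tls.create=false \`.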
