From b7a87ef08f8944a220551d9160183d6f73cdbffb Mon Sep 17 00:00:00 2001 From: Patrick von Steht Date: Fri, 23 Feb 2024 16:07:53 +0100 Subject: [PATCH] feat: add option to add additional custom pod labels Signed-off-by: Patrick von Steht --- api/unversioned/config/config.go | 1 + api/unversioned/eraserconfig_types.go | 19 ++++++++++--------- api/unversioned/zz_generated.deepcopy.go | 7 +++++++ api/v1alpha1/config/config.go | 1 + api/v1alpha1/eraserconfig_types.go | 19 ++++++++++--------- api/v1alpha1/zz_generated.conversion.go | 2 ++ api/v1alpha1/zz_generated.deepcopy.go | 7 +++++++ api/v1alpha2/config/config.go | 1 + api/v1alpha2/eraserconfig_types.go | 19 ++++++++++--------- api/v1alpha2/zz_generated.conversion.go | 2 ++ api/v1alpha2/zz_generated.deepcopy.go | 7 +++++++ api/v1alpha3/config/config.go | 1 + api/v1alpha3/eraserconfig_types.go | 19 ++++++++++--------- api/v1alpha3/zz_generated.conversion.go | 2 ++ api/v1alpha3/zz_generated.deepcopy.go | 7 +++++++ config/manager/controller_manager_config.yaml | 1 + controllers/imagejob/imagejob_controller.go | 6 ++++-- docs/docs/customization.md | 2 ++ .../helmify/kustomize-for-helm.yaml | 3 +++ .../gatekeeper/helmify/replacements.go | 1 + .../gatekeeper/helmify/static/README.md | 2 ++ .../gatekeeper/helmify/static/values.yaml | 2 ++ 22 files changed, 93 insertions(+), 38 deletions(-) diff --git a/api/unversioned/config/config.go b/api/unversioned/config/config.go index 4184354a75..f9e04eac94 100644 --- a/api/unversioned/config/config.go +++ b/api/unversioned/config/config.go @@ -106,6 +106,7 @@ func Default() *unversioned.EraserConfig { "eraser.sh/cleanup.filter", }, }, + AdditionalPodLabels: map[string]string{}, }, Components: unversioned.Components{ Collector: unversioned.OptionalContainerConfig{ diff --git a/api/unversioned/eraserconfig_types.go b/api/unversioned/eraserconfig_types.go index 0705ccf881..6f0bc5db80 100644 --- a/api/unversioned/eraserconfig_types.go +++ b/api/unversioned/eraserconfig_types.go 
@@ -156,15 +156,16 @@ type ContainerConfig struct { } type ManagerConfig struct { - Runtime RuntimeSpec `json:"runtime,omitempty"` - OTLPEndpoint string `json:"otlpEndpoint,omitempty"` - LogLevel string `json:"logLevel,omitempty"` - Scheduling ScheduleConfig `json:"scheduling,omitempty"` - Profile ProfileConfig `json:"profile,omitempty"` - ImageJob ImageJobConfig `json:"imageJob,omitempty"` - PullSecrets []string `json:"pullSecrets,omitempty"` - NodeFilter NodeFilterConfig `json:"nodeFilter,omitempty"` - PriorityClassName string `json:"priorityClassName,omitempty"` + Runtime RuntimeSpec `json:"runtime,omitempty"` + OTLPEndpoint string `json:"otlpEndpoint,omitempty"` + LogLevel string `json:"logLevel,omitempty"` + Scheduling ScheduleConfig `json:"scheduling,omitempty"` + Profile ProfileConfig `json:"profile,omitempty"` + ImageJob ImageJobConfig `json:"imageJob,omitempty"` + PullSecrets []string `json:"pullSecrets,omitempty"` + NodeFilter NodeFilterConfig `json:"nodeFilter,omitempty"` + PriorityClassName string `json:"priorityClassName,omitempty"` + AdditionalPodLabels map[string]string `json:"additionalPodLabels,omitempty"` } type ScheduleConfig struct { diff --git a/api/unversioned/zz_generated.deepcopy.go b/api/unversioned/zz_generated.deepcopy.go index b06cf3dd58..1e4a4f2d1c 100644 --- a/api/unversioned/zz_generated.deepcopy.go +++ b/api/unversioned/zz_generated.deepcopy.go @@ -303,6 +303,13 @@ func (in *ManagerConfig) DeepCopyInto(out *ManagerConfig) { copy(*out, *in) } in.NodeFilter.DeepCopyInto(&out.NodeFilter) + if in.AdditionalPodLabels != nil { + in, out := &in.AdditionalPodLabels, &out.AdditionalPodLabels + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ManagerConfig. diff --git a/api/v1alpha1/config/config.go b/api/v1alpha1/config/config.go index cb64795f0c..0b57512a52 100644 --- a/api/v1alpha1/config/config.go 
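Review bot: The new `AdditionalPodLabels` field in ManagerConfig carries no doc comment, and the same applies to the parallel additions in api/v1alpha1, api/v1alpha2 and api/v1alpha3 eraserconfig_types.go. Because these labels are stamped onto every collector/remover pod the controller creates, and the controller writes its own job-type label after them (see the imagejob_controller.go hunk in this commit), the precedence rule is worth stating at the type: `// AdditionalPodLabels are added to every pod the controller creates; keys that eraser manages itself (e.g. the image job type label) take precedence over user-supplied values.` The struct otherwise has no field comments, so this may be a deliberate convention, but a field with user-controlled keys is the one most worth documenting.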
+++ b/api/v1alpha1/config/config.go @@ -61,6 +61,7 @@ func Default() *v1alpha1.EraserConfig { "eraser.sh/cleanup.filter", }, }, + AdditionalPodLabels: map[string]string{}, }, Components: v1alpha1.Components{ Collector: v1alpha1.OptionalContainerConfig{ diff --git a/api/v1alpha1/eraserconfig_types.go b/api/v1alpha1/eraserconfig_types.go index c27bde1fb0..a2c8f55778 100644 --- a/api/v1alpha1/eraserconfig_types.go +++ b/api/v1alpha1/eraserconfig_types.go @@ -91,15 +91,16 @@ type ContainerConfig struct { } type ManagerConfig struct { - Runtime Runtime `json:"runtime,omitempty"` - OTLPEndpoint string `json:"otlpEndpoint,omitempty"` - LogLevel string `json:"logLevel,omitempty"` - Scheduling ScheduleConfig `json:"scheduling,omitempty"` - Profile ProfileConfig `json:"profile,omitempty"` - ImageJob ImageJobConfig `json:"imageJob,omitempty"` - PullSecrets []string `json:"pullSecrets,omitempty"` - NodeFilter NodeFilterConfig `json:"nodeFilter,omitempty"` - PriorityClassName string `json:"priorityClassName,omitempty"` + Runtime Runtime `json:"runtime,omitempty"` + OTLPEndpoint string `json:"otlpEndpoint,omitempty"` + LogLevel string `json:"logLevel,omitempty"` + Scheduling ScheduleConfig `json:"scheduling,omitempty"` + Profile ProfileConfig `json:"profile,omitempty"` + ImageJob ImageJobConfig `json:"imageJob,omitempty"` + PullSecrets []string `json:"pullSecrets,omitempty"` + NodeFilter NodeFilterConfig `json:"nodeFilter,omitempty"` + PriorityClassName string `json:"priorityClassName,omitempty"` + AdditionalPodLabels map[string]string `json:"additionalPodLabels,omitempty"` } type ScheduleConfig struct { diff --git a/api/v1alpha1/zz_generated.conversion.go b/api/v1alpha1/zz_generated.conversion.go index 18dc66b827..f771cd7dfb 100644 --- a/api/v1alpha1/zz_generated.conversion.go +++ b/api/v1alpha1/zz_generated.conversion.go 
@@ -609,6 +609,7 @@ func autoConvert_v1alpha1_ManagerConfig_To_unversioned_ManagerConfig(in *Manager return err } out.PriorityClassName = in.PriorityClassName + out.AdditionalPodLabels = *(*map[string]string)(unsafe.Pointer(&in.AdditionalPodLabels)) return nil } @@ -632,6 +633,7 @@ func autoConvert_unversioned_ManagerConfig_To_v1alpha1_ManagerConfig(in *unversi return err } out.PriorityClassName = in.PriorityClassName + out.AdditionalPodLabels = *(*map[string]string)(unsafe.Pointer(&in.AdditionalPodLabels)) return nil } diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 31a79f5fa1..f46a620db2 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -334,6 +334,13 @@ func (in *ManagerConfig) DeepCopyInto(out *ManagerConfig) { copy(*out, *in) } in.NodeFilter.DeepCopyInto(&out.NodeFilter) + if in.AdditionalPodLabels != nil { + in, out := &in.AdditionalPodLabels, &out.AdditionalPodLabels + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ManagerConfig. diff --git a/api/v1alpha2/config/config.go b/api/v1alpha2/config/config.go index bdd7bcf675..39b6e1ca3e 100644 --- a/api/v1alpha2/config/config.go +++ b/api/v1alpha2/config/config.go @@ -61,6 +61,7 @@ func Default() *v1alpha2.EraserConfig { "eraser.sh/cleanup.filter", }, }, + AdditionalPodLabels: map[string]string{}, }, Components: v1alpha2.Components{ Collector: v1alpha2.OptionalContainerConfig{ diff --git a/api/v1alpha2/eraserconfig_types.go b/api/v1alpha2/eraserconfig_types.go index f6f8ee8e39..8d24e27606 100644 --- a/api/v1alpha2/eraserconfig_types.go +++ b/api/v1alpha2/eraserconfig_types.go 
@@ -89,15 +89,16 @@ type ContainerConfig struct { } type ManagerConfig struct { - Runtime Runtime `json:"runtime,omitempty"` - OTLPEndpoint string `json:"otlpEndpoint,omitempty"` - LogLevel string `json:"logLevel,omitempty"` - Scheduling ScheduleConfig `json:"scheduling,omitempty"` - Profile ProfileConfig `json:"profile,omitempty"` - ImageJob ImageJobConfig `json:"imageJob,omitempty"` - PullSecrets []string `json:"pullSecrets,omitempty"` - NodeFilter NodeFilterConfig `json:"nodeFilter,omitempty"` - PriorityClassName string `json:"priorityClassName,omitempty"` + Runtime Runtime `json:"runtime,omitempty"` + OTLPEndpoint string `json:"otlpEndpoint,omitempty"` + LogLevel string `json:"logLevel,omitempty"` + Scheduling ScheduleConfig `json:"scheduling,omitempty"` + Profile ProfileConfig `json:"profile,omitempty"` + ImageJob ImageJobConfig `json:"imageJob,omitempty"` + PullSecrets []string `json:"pullSecrets,omitempty"` + NodeFilter NodeFilterConfig `json:"nodeFilter,omitempty"` + PriorityClassName string `json:"priorityClassName,omitempty"` + AdditionalPodLabels map[string]string `json:"additionalPodLabels,omitempty"` } type ScheduleConfig struct { diff --git a/api/v1alpha2/zz_generated.conversion.go b/api/v1alpha2/zz_generated.conversion.go index 0a0440450d..adeba64b78 100644 --- a/api/v1alpha2/zz_generated.conversion.go +++ b/api/v1alpha2/zz_generated.conversion.go @@ -340,6 +340,7 @@ func autoConvert_v1alpha2_ManagerConfig_To_unversioned_ManagerConfig(in *Manager return err } out.PriorityClassName = in.PriorityClassName + out.AdditionalPodLabels = *(*map[string]string)(unsafe.Pointer(&in.AdditionalPodLabels)) return nil } @@ -363,6 +364,7 @@ func autoConvert_unversioned_ManagerConfig_To_v1alpha2_ManagerConfig(in *unversi return err } out.PriorityClassName = in.PriorityClassName + out.AdditionalPodLabels = *(*map[string]string)(unsafe.Pointer(&in.AdditionalPodLabels)) return nil } 
diff --git a/api/v1alpha2/zz_generated.deepcopy.go b/api/v1alpha2/zz_generated.deepcopy.go index 54c04dcef7..1963c1034b 100644 --- a/api/v1alpha2/zz_generated.deepcopy.go +++ b/api/v1alpha2/zz_generated.deepcopy.go @@ -134,6 +134,13 @@ func (in *ManagerConfig) DeepCopyInto(out *ManagerConfig) { copy(*out, *in) } in.NodeFilter.DeepCopyInto(&out.NodeFilter) + if in.AdditionalPodLabels != nil { + in, out := &in.AdditionalPodLabels, &out.AdditionalPodLabels + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ManagerConfig. diff --git a/api/v1alpha3/config/config.go b/api/v1alpha3/config/config.go index 1ca8f536c0..ae9ea6ce07 100644 --- a/api/v1alpha3/config/config.go +++ b/api/v1alpha3/config/config.go @@ -64,6 +64,7 @@ func Default() *v1alpha3.EraserConfig { "eraser.sh/cleanup.filter", }, }, + AdditionalPodLabels: map[string]string{}, }, Components: v1alpha3.Components{ Collector: v1alpha3.OptionalContainerConfig{ diff --git a/api/v1alpha3/eraserconfig_types.go b/api/v1alpha3/eraserconfig_types.go index a88aaa0ae0..6f7ef2e434 100644 --- a/api/v1alpha3/eraserconfig_types.go +++ b/api/v1alpha3/eraserconfig_types.go 
@@ -156,15 +156,16 @@ type ContainerConfig struct { } type ManagerConfig struct { - Runtime RuntimeSpec `json:"runtime,omitempty"` - OTLPEndpoint string `json:"otlpEndpoint,omitempty"` - LogLevel string `json:"logLevel,omitempty"` - Scheduling ScheduleConfig `json:"scheduling,omitempty"` - Profile ProfileConfig `json:"profile,omitempty"` - ImageJob ImageJobConfig `json:"imageJob,omitempty"` - PullSecrets []string `json:"pullSecrets,omitempty"` - NodeFilter NodeFilterConfig `json:"nodeFilter,omitempty"` - PriorityClassName string `json:"priorityClassName,omitempty"` + Runtime RuntimeSpec `json:"runtime,omitempty"` + OTLPEndpoint string `json:"otlpEndpoint,omitempty"` + LogLevel string `json:"logLevel,omitempty"` + Scheduling ScheduleConfig `json:"scheduling,omitempty"` + Profile ProfileConfig `json:"profile,omitempty"` + ImageJob ImageJobConfig `json:"imageJob,omitempty"` + PullSecrets []string `json:"pullSecrets,omitempty"` + NodeFilter NodeFilterConfig `json:"nodeFilter,omitempty"` + PriorityClassName string `json:"priorityClassName,omitempty"` + AdditionalPodLabels map[string]string `json:"additionalPodLabels,omitempty"` } type ScheduleConfig struct { diff --git a/api/v1alpha3/zz_generated.conversion.go b/api/v1alpha3/zz_generated.conversion.go index b5655e6d7e..b40453f670 100644 --- a/api/v1alpha3/zz_generated.conversion.go +++ b/api/v1alpha3/zz_generated.conversion.go @@ -340,6 +340,7 @@ func autoConvert_v1alpha3_ManagerConfig_To_unversioned_ManagerConfig(in *Manager return err } out.PriorityClassName = in.PriorityClassName + out.AdditionalPodLabels = *(*map[string]string)(unsafe.Pointer(&in.AdditionalPodLabels)) return nil } @@ -368,6 +369,7 @@ func autoConvert_unversioned_ManagerConfig_To_v1alpha3_ManagerConfig(in *unversi return err } out.PriorityClassName = in.PriorityClassName + out.AdditionalPodLabels = *(*map[string]string)(unsafe.Pointer(&in.AdditionalPodLabels)) return nil } 
diff --git a/api/v1alpha3/zz_generated.deepcopy.go b/api/v1alpha3/zz_generated.deepcopy.go index 0916bca337..689915b1dd 100644 --- a/api/v1alpha3/zz_generated.deepcopy.go +++ b/api/v1alpha3/zz_generated.deepcopy.go @@ -135,6 +135,13 @@ func (in *ManagerConfig) DeepCopyInto(out *ManagerConfig) { copy(*out, *in) } in.NodeFilter.DeepCopyInto(&out.NodeFilter) + if in.AdditionalPodLabels != nil { + in, out := &in.AdditionalPodLabels, &out.AdditionalPodLabels + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ManagerConfig. diff --git a/config/manager/controller_manager_config.yaml b/config/manager/controller_manager_config.yaml index 25b6e9b797..031d764b7d 100644 --- a/config/manager/controller_manager_config.yaml +++ b/config/manager/controller_manager_config.yaml @@ -19,6 +19,7 @@ manager: delayOnFailure: 24h pullSecrets: [] # image pull secrets for collector/scanner/eraser priorityClassName: "" # priority class name for collector/scanner/eraser + additionalPodLabels: {} nodeFilter: type: exclude # must be either exclude|include selectors: diff --git a/controllers/imagejob/imagejob_controller.go b/controllers/imagejob/imagejob_controller.go index b4e3555e43..2bde9cdec1 100644 --- a/controllers/imagejob/imagejob_controller.go +++ b/controllers/imagejob/imagejob_controller.go @@ -409,10 +409,12 @@ func (r *Reconciler) handleNewJob(ctx context.Context, imageJob *eraserv1.ImageJ }, } + pod.Labels = eraserConfig.Manager.AdditionalPodLabels + if containerName == removerContainer { - pod.Labels = map[string]string{imageJobTypeLabelKey: manualJobType} + pod.Labels[imageJobTypeLabelKey] = manualJobType } else { - pod.Labels = map[string]string{imageJobTypeLabelKey: collectorJobType} + pod.Labels[imageJobTypeLabelKey] = collectorJobType } fitness := checkNodeFitness(pod, &nodeList[i]) 
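Review bot: `pod.Labels = eraserConfig.Manager.AdditionalPodLabels` aliases the config's map, so the following `pod.Labels[imageJobTypeLabelKey] = manualJobType` / `collectorJobType` writes mutate the shared EraserConfig rather than this pod's own labels, and the job-type key leaks back into the configuration for every later pod. The map may also be nil when the config was decoded without `additionalPodLabels` (Default() initialises it to `map[string]string{}`, but an explicitly loaded config with the field omitted presumably does not), in which case the first write panics inside the reconciler. Allocate a fresh per-pod map and copy the configured labels into it before setting the job-type label; that also keeps the eraser-managed key authoritative over a user-supplied key of the same name. handleNewJob begins and continues outside this hunk.
```go
	// Fresh per-pod map: never mutate the shared config map, and it may be nil.
	pod.Labels = make(map[string]string, len(eraserConfig.Manager.AdditionalPodLabels)+1)
	for k, v := range eraserConfig.Manager.AdditionalPodLabels {
		pod.Labels[k] = v
	}
	// … unchanged: job-type label assignment by containerName …
```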
diff --git a/docs/docs/customization.md b/docs/docs/customization.md index a05a4cf353..408e840244 100644 --- a/docs/docs/customization.md +++ b/docs/docs/customization.md @@ -102,6 +102,7 @@ manager: delayOnFailure: 24h pullSecrets: [] # image pull secrets for collector/scanner/remover priorityClassName: "" # priority class name for collector/scanner/remover + additionalPodLabels: {} nodeFilter: type: exclude # must be either exclude|include selectors: @@ -207,6 +208,7 @@ timeout: | manager.imageJob.cleanup.delayOnFailure | The amount of time to wait after a failed image job before performing cleanup. | 24h | | manager.pullSecrets | The image pull secrets to use for collector, scanner, and remover containers. | [] | | manager.priorityClassName | The priority class to use for collector, scanner, and remover containers. | "" | +| manager.additionalPodLabels | Additional labels for all pods that the controller creates at runtime. | `{}` | | manager.nodeFilter.type | The type of node filter to use. Must be either "exclude" or "include". | exclude | | manager.nodeFilter.selectors | A list of selectors used to filter nodes. | [] | | components.collector.enabled | Whether to enable the collector component. | true | diff --git a/third_party/open-policy-agent/gatekeeper/helmify/kustomize-for-helm.yaml b/third_party/open-policy-agent/gatekeeper/helmify/kustomize-for-helm.yaml index 13f71eb1cc..09dc28da90 100644 --- a/third_party/open-policy-agent/gatekeeper/helmify/kustomize-for-helm.yaml +++ b/third_party/open-policy-agent/gatekeeper/helmify/kustomize-for-helm.yaml @@ -5,6 +5,9 @@ metadata: namespace: eraser-system spec: template: + metadata: + labels: + HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_ADDITIONALPODLABELS: "" spec: HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_PULL_SECRETS: "" volumes: diff --git a/third_party/open-policy-agent/gatekeeper/helmify/replacements.go b/third_party/open-policy-agent/gatekeeper/helmify/replacements.go index 9a69c06a83..e2b74cc2be 100644 
--- a/third_party/open-policy-agent/gatekeeper/helmify/replacements.go +++ b/third_party/open-policy-agent/gatekeeper/helmify/replacements.go @@ -7,6 +7,7 @@ var replacements = map[string]string{ `HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_AFFINITY: ""`: `{{- toYaml .Values.deploy.affinity | nindent 8 }}`, `- HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_ADDITIONAL_ARGS`: `{{- if .Values.deploy.additionalArgs }}{{- range .Values.deploy.additionalArgs }}{{ nindent 8 "- " }}{{ . }}{{- end -}}{{ end }}`, `HELMSUBST_CONTROLLER_MANAGER_CONFIG_YAML`: `{{- toYaml .Values.runtimeConfig | nindent 4 }}`, + `HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_ADDITIONALPODLABELS: ""`: `{{- if .Values.deploy.additionalPodLabels }}{{- toYaml .Values.deploy.additionalPodLabels | nindent 8 }}{{end}}`, `HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_PULL_SECRETS: ""`: `{{- if .Values.runtimeConfig.manager.pullSecrets }} imagePullSecrets: diff --git a/third_party/open-policy-agent/gatekeeper/helmify/static/README.md b/third_party/open-policy-agent/gatekeeper/helmify/static/README.md index a2ad3ced96..b64563f1fd 100644 --- a/third_party/open-policy-agent/gatekeeper/helmify/static/README.md +++ b/third_party/open-policy-agent/gatekeeper/helmify/static/README.md 
@@ -45,6 +45,7 @@ _See [helm install](https://helm.sh/docs/helm/helm_install/) for command documen | runtimeConfig.manager.imageJob.cleanup | Settings for image job cleanup. | `{}` | | runtimeConfig.manager.pullSecrets | Image pull secrets for collector/scanner/eraser. | `[]` | | runtimeConfig.manager.priorityClassName | Priority class name for collector/scanner/eraser. | `""` | +| runtimeConfig.manager.additionalPodLabels | Additional labels for all pods that the controller creates at runtime. | `{}` | | runtimeConfig.manager.nodeFilter | Filter for nodes. | `{}` | | runtimeConfig.components.collector | Settings for the collector component. | `{ enabled: false }` | | runtimeConfig.components.scanner | Settings for the scanner component. | `{ enabled: false }` | @@ -54,6 +55,7 @@ _See [helm install](https://helm.sh/docs/helm/helm_install/) for command documen | deploy.image.tag | Overrides the default image tag. | `""` | | deploy.additionalArgs | Additional arguments to pass to the command. | `[]` | | deploy.priorityClassName | Priority class name. | `""` | +| deploy.additionalPodLabels | Additional labels for the controller pod. | `{}` | | deploy.securityContext.allowPrivilegeEscalation | Whether to allow privilege escalation. | `false` | | deploy.resources.limits.memory | Memory limit for the resources. | `30Mi` | | deploy.resources.requests.cpu | CPU request for the resources. | `100m` | diff --git a/third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml b/third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml index 484d3ca3c2..3c09f3da34 100644 --- a/third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml +++ b/third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml 
@@ -29,6 +29,7 @@ runtimeConfig: # delayOnFailure: "" pullSecrets: [] # image pull secrets for collector/scanner/eraser priorityClassName: "" # priority class name for collector/scanner/eraser + additionalPodLabels: {} nodeFilter: type: exclude # must be either exclude|include selectors: @@ -97,6 +98,7 @@ deploy: tag: "v1.4.0-beta.0" additionalArgs: [] priorityClassName: "" + additionalPodLabels: {} securityContext: allowPrivilegeEscalation: false