From e0509e3be2363831663f83610345feed1413e596 Mon Sep 17 00:00:00 2001 From: Patrick von Steht Date: Fri, 23 Feb 2024 16:07:53 +0100 Subject: [PATCH 1/5] feat: add option to add additional custom pod labels Signed-off-by: Patrick von Steht --- api/unversioned/config/config.go | 1 + api/unversioned/eraserconfig_types.go | 19 ++++++++++--------- api/unversioned/zz_generated.deepcopy.go | 7 +++++++ api/v1alpha1/config/config.go | 1 + api/v1alpha1/eraserconfig_types.go | 19 ++++++++++--------- api/v1alpha1/zz_generated.conversion.go | 2 ++ api/v1alpha1/zz_generated.deepcopy.go | 7 +++++++ api/v1alpha2/config/config.go | 1 + api/v1alpha2/eraserconfig_types.go | 19 ++++++++++--------- api/v1alpha2/zz_generated.conversion.go | 2 ++ api/v1alpha2/zz_generated.deepcopy.go | 7 +++++++ api/v1alpha3/config/config.go | 1 + api/v1alpha3/eraserconfig_types.go | 19 ++++++++++--------- api/v1alpha3/zz_generated.conversion.go | 2 ++ api/v1alpha3/zz_generated.deepcopy.go | 7 +++++++ config/manager/controller_manager_config.yaml | 1 + controllers/imagejob/imagejob_controller.go | 6 ++++-- docs/docs/customization.md | 2 ++ .../helmify/kustomize-for-helm.yaml | 3 +++ .../gatekeeper/helmify/replacements.go | 1 + .../gatekeeper/helmify/static/README.md | 2 ++ .../gatekeeper/helmify/static/values.yaml | 2 ++ 22 files changed, 93 insertions(+), 38 deletions(-) diff --git a/api/unversioned/config/config.go b/api/unversioned/config/config.go index 4184354a75..f9e04eac94 100644 --- a/api/unversioned/config/config.go +++ b/api/unversioned/config/config.go @@ -106,6 +106,7 @@ func Default() *unversioned.EraserConfig { "eraser.sh/cleanup.filter", }, }, + AdditionalPodLabels: map[string]string{}, }, Components: unversioned.Components{ Collector: unversioned.OptionalContainerConfig{ diff --git a/api/unversioned/eraserconfig_types.go b/api/unversioned/eraserconfig_types.go index 0705ccf881..6f0bc5db80 100644 --- a/api/unversioned/eraserconfig_types.go +++ b/api/unversioned/eraserconfig_types.go 
@@ -156,15 +156,16 @@ type ContainerConfig struct { } type ManagerConfig struct { - Runtime RuntimeSpec `json:"runtime,omitempty"` - OTLPEndpoint string `json:"otlpEndpoint,omitempty"` - LogLevel string `json:"logLevel,omitempty"` - Scheduling ScheduleConfig `json:"scheduling,omitempty"` - Profile ProfileConfig `json:"profile,omitempty"` - ImageJob ImageJobConfig `json:"imageJob,omitempty"` - PullSecrets []string `json:"pullSecrets,omitempty"` - NodeFilter NodeFilterConfig `json:"nodeFilter,omitempty"` - PriorityClassName string `json:"priorityClassName,omitempty"` + Runtime RuntimeSpec `json:"runtime,omitempty"` + OTLPEndpoint string `json:"otlpEndpoint,omitempty"` + LogLevel string `json:"logLevel,omitempty"` + Scheduling ScheduleConfig `json:"scheduling,omitempty"` + Profile ProfileConfig `json:"profile,omitempty"` + ImageJob ImageJobConfig `json:"imageJob,omitempty"` + PullSecrets []string `json:"pullSecrets,omitempty"` + NodeFilter NodeFilterConfig `json:"nodeFilter,omitempty"` + PriorityClassName string `json:"priorityClassName,omitempty"` + AdditionalPodLabels map[string]string `json:"additionalPodLabels,omitempty"` } type ScheduleConfig struct { diff --git a/api/unversioned/zz_generated.deepcopy.go b/api/unversioned/zz_generated.deepcopy.go index b06cf3dd58..1e4a4f2d1c 100644 --- a/api/unversioned/zz_generated.deepcopy.go +++ b/api/unversioned/zz_generated.deepcopy.go @@ -303,6 +303,13 @@ func (in *ManagerConfig) DeepCopyInto(out *ManagerConfig) { copy(*out, *in) } in.NodeFilter.DeepCopyInto(&out.NodeFilter) + if in.AdditionalPodLabels != nil { + in, out := &in.AdditionalPodLabels, &out.AdditionalPodLabels + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ManagerConfig. diff --git a/api/v1alpha1/config/config.go b/api/v1alpha1/config/config.go index cb64795f0c..0b57512a52 100644 --- a/api/v1alpha1/config/config.go 
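Review bot: The new `AdditionalPodLabels` field on `ManagerConfig` has no doc comment and nothing at the type level constrains its keys or values, so its contract is stated only in the markdown tables. A comment such as `// AdditionalPodLabels are copied onto every pod the controller creates at runtime; keys and values must be valid Kubernetes label keys and values.` would put that contract next to the field. The same field is added without a comment in api/v1alpha3/eraserconfig_types.go. None of the neighbouring fields visible in this hunk are documented either, so this may be a file-wide convention rather than an omission specific to this change.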
+++ b/api/v1alpha1/config/config.go @@ -61,6 +61,7 @@ func Default() *v1alpha1.EraserConfig { "eraser.sh/cleanup.filter", }, }, + AdditionalPodLabels: map[string]string{}, }, Components: v1alpha1.Components{ Collector: v1alpha1.OptionalContainerConfig{ diff --git a/api/v1alpha1/eraserconfig_types.go b/api/v1alpha1/eraserconfig_types.go index c27bde1fb0..a2c8f55778 100644 --- a/api/v1alpha1/eraserconfig_types.go +++ b/api/v1alpha1/eraserconfig_types.go @@ -91,15 +91,16 @@ type ContainerConfig struct { } type ManagerConfig struct { - Runtime Runtime `json:"runtime,omitempty"` - OTLPEndpoint string `json:"otlpEndpoint,omitempty"` - LogLevel string `json:"logLevel,omitempty"` - Scheduling ScheduleConfig `json:"scheduling,omitempty"` - Profile ProfileConfig `json:"profile,omitempty"` - ImageJob ImageJobConfig `json:"imageJob,omitempty"` - PullSecrets []string `json:"pullSecrets,omitempty"` - NodeFilter NodeFilterConfig `json:"nodeFilter,omitempty"` - PriorityClassName string `json:"priorityClassName,omitempty"` + Runtime Runtime `json:"runtime,omitempty"` + OTLPEndpoint string `json:"otlpEndpoint,omitempty"` + LogLevel string `json:"logLevel,omitempty"` + Scheduling ScheduleConfig `json:"scheduling,omitempty"` + Profile ProfileConfig `json:"profile,omitempty"` + ImageJob ImageJobConfig `json:"imageJob,omitempty"` + PullSecrets []string `json:"pullSecrets,omitempty"` + NodeFilter NodeFilterConfig `json:"nodeFilter,omitempty"` + PriorityClassName string `json:"priorityClassName,omitempty"` + AdditionalPodLabels map[string]string `json:"additionalPodLabels,omitempty"` } type ScheduleConfig struct { diff --git a/api/v1alpha1/zz_generated.conversion.go b/api/v1alpha1/zz_generated.conversion.go index 18dc66b827..f771cd7dfb 100644 --- a/api/v1alpha1/zz_generated.conversion.go +++ b/api/v1alpha1/zz_generated.conversion.go 
@@ -609,6 +609,7 @@ func autoConvert_v1alpha1_ManagerConfig_To_unversioned_ManagerConfig(in *Manager return err } out.PriorityClassName = in.PriorityClassName + out.AdditionalPodLabels = *(*map[string]string)(unsafe.Pointer(&in.AdditionalPodLabels)) return nil } @@ -632,6 +633,7 @@ func autoConvert_unversioned_ManagerConfig_To_v1alpha1_ManagerConfig(in *unversi return err } out.PriorityClassName = in.PriorityClassName + out.AdditionalPodLabels = *(*map[string]string)(unsafe.Pointer(&in.AdditionalPodLabels)) return nil } diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 31a79f5fa1..f46a620db2 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -334,6 +334,13 @@ func (in *ManagerConfig) DeepCopyInto(out *ManagerConfig) { copy(*out, *in) } in.NodeFilter.DeepCopyInto(&out.NodeFilter) + if in.AdditionalPodLabels != nil { + in, out := &in.AdditionalPodLabels, &out.AdditionalPodLabels + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ManagerConfig. diff --git a/api/v1alpha2/config/config.go b/api/v1alpha2/config/config.go index bdd7bcf675..39b6e1ca3e 100644 --- a/api/v1alpha2/config/config.go +++ b/api/v1alpha2/config/config.go @@ -61,6 +61,7 @@ func Default() *v1alpha2.EraserConfig { "eraser.sh/cleanup.filter", }, }, + AdditionalPodLabels: map[string]string{}, }, Components: v1alpha2.Components{ Collector: v1alpha2.OptionalContainerConfig{ diff --git a/api/v1alpha2/eraserconfig_types.go b/api/v1alpha2/eraserconfig_types.go index f6f8ee8e39..8d24e27606 100644 --- a/api/v1alpha2/eraserconfig_types.go +++ b/api/v1alpha2/eraserconfig_types.go 
@@ -89,15 +89,16 @@ type ContainerConfig struct { } type ManagerConfig struct { - Runtime Runtime `json:"runtime,omitempty"` - OTLPEndpoint string `json:"otlpEndpoint,omitempty"` - LogLevel string `json:"logLevel,omitempty"` - Scheduling ScheduleConfig `json:"scheduling,omitempty"` - Profile ProfileConfig `json:"profile,omitempty"` - ImageJob ImageJobConfig `json:"imageJob,omitempty"` - PullSecrets []string `json:"pullSecrets,omitempty"` - NodeFilter NodeFilterConfig `json:"nodeFilter,omitempty"` - PriorityClassName string `json:"priorityClassName,omitempty"` + Runtime Runtime `json:"runtime,omitempty"` + OTLPEndpoint string `json:"otlpEndpoint,omitempty"` + LogLevel string `json:"logLevel,omitempty"` + Scheduling ScheduleConfig `json:"scheduling,omitempty"` + Profile ProfileConfig `json:"profile,omitempty"` + ImageJob ImageJobConfig `json:"imageJob,omitempty"` + PullSecrets []string `json:"pullSecrets,omitempty"` + NodeFilter NodeFilterConfig `json:"nodeFilter,omitempty"` + PriorityClassName string `json:"priorityClassName,omitempty"` + AdditionalPodLabels map[string]string `json:"additionalPodLabels,omitempty"` } type ScheduleConfig struct { diff --git a/api/v1alpha2/zz_generated.conversion.go b/api/v1alpha2/zz_generated.conversion.go index 0a0440450d..adeba64b78 100644 --- a/api/v1alpha2/zz_generated.conversion.go +++ b/api/v1alpha2/zz_generated.conversion.go @@ -340,6 +340,7 @@ func autoConvert_v1alpha2_ManagerConfig_To_unversioned_ManagerConfig(in *Manager return err } out.PriorityClassName = in.PriorityClassName + out.AdditionalPodLabels = *(*map[string]string)(unsafe.Pointer(&in.AdditionalPodLabels)) return nil } @@ -363,6 +364,7 @@ func autoConvert_unversioned_ManagerConfig_To_v1alpha2_ManagerConfig(in *unversi return err } out.PriorityClassName = in.PriorityClassName + out.AdditionalPodLabels = *(*map[string]string)(unsafe.Pointer(&in.AdditionalPodLabels)) return nil } 
diff --git a/api/v1alpha2/zz_generated.deepcopy.go b/api/v1alpha2/zz_generated.deepcopy.go index 54c04dcef7..1963c1034b 100644 --- a/api/v1alpha2/zz_generated.deepcopy.go +++ b/api/v1alpha2/zz_generated.deepcopy.go @@ -134,6 +134,13 @@ func (in *ManagerConfig) DeepCopyInto(out *ManagerConfig) { copy(*out, *in) } in.NodeFilter.DeepCopyInto(&out.NodeFilter) + if in.AdditionalPodLabels != nil { + in, out := &in.AdditionalPodLabels, &out.AdditionalPodLabels + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ManagerConfig. diff --git a/api/v1alpha3/config/config.go b/api/v1alpha3/config/config.go index 1ca8f536c0..ae9ea6ce07 100644 --- a/api/v1alpha3/config/config.go +++ b/api/v1alpha3/config/config.go @@ -64,6 +64,7 @@ func Default() *v1alpha3.EraserConfig { "eraser.sh/cleanup.filter", }, }, + AdditionalPodLabels: map[string]string{}, }, Components: v1alpha3.Components{ Collector: v1alpha3.OptionalContainerConfig{ diff --git a/api/v1alpha3/eraserconfig_types.go b/api/v1alpha3/eraserconfig_types.go index a88aaa0ae0..6f7ef2e434 100644 --- a/api/v1alpha3/eraserconfig_types.go +++ b/api/v1alpha3/eraserconfig_types.go 
@@ -156,15 +156,16 @@ type ContainerConfig struct { } type ManagerConfig struct { - Runtime RuntimeSpec `json:"runtime,omitempty"` - OTLPEndpoint string `json:"otlpEndpoint,omitempty"` - LogLevel string `json:"logLevel,omitempty"` - Scheduling ScheduleConfig `json:"scheduling,omitempty"` - Profile ProfileConfig `json:"profile,omitempty"` - ImageJob ImageJobConfig `json:"imageJob,omitempty"` - PullSecrets []string `json:"pullSecrets,omitempty"` - NodeFilter NodeFilterConfig `json:"nodeFilter,omitempty"` - PriorityClassName string `json:"priorityClassName,omitempty"` + Runtime RuntimeSpec `json:"runtime,omitempty"` + OTLPEndpoint string `json:"otlpEndpoint,omitempty"` + LogLevel string `json:"logLevel,omitempty"` + Scheduling ScheduleConfig `json:"scheduling,omitempty"` + Profile ProfileConfig `json:"profile,omitempty"` + ImageJob ImageJobConfig `json:"imageJob,omitempty"` + PullSecrets []string `json:"pullSecrets,omitempty"` + NodeFilter NodeFilterConfig `json:"nodeFilter,omitempty"` + PriorityClassName string `json:"priorityClassName,omitempty"` + AdditionalPodLabels map[string]string `json:"additionalPodLabels,omitempty"` } type ScheduleConfig struct { diff --git a/api/v1alpha3/zz_generated.conversion.go b/api/v1alpha3/zz_generated.conversion.go index b5655e6d7e..b40453f670 100644 --- a/api/v1alpha3/zz_generated.conversion.go +++ b/api/v1alpha3/zz_generated.conversion.go @@ -340,6 +340,7 @@ func autoConvert_v1alpha3_ManagerConfig_To_unversioned_ManagerConfig(in *Manager return err } out.PriorityClassName = in.PriorityClassName + out.AdditionalPodLabels = *(*map[string]string)(unsafe.Pointer(&in.AdditionalPodLabels)) return nil } @@ -368,6 +369,7 @@ func autoConvert_unversioned_ManagerConfig_To_v1alpha3_ManagerConfig(in *unversi return err } out.PriorityClassName = in.PriorityClassName + out.AdditionalPodLabels = *(*map[string]string)(unsafe.Pointer(&in.AdditionalPodLabels)) return nil } 
diff --git a/api/v1alpha3/zz_generated.deepcopy.go b/api/v1alpha3/zz_generated.deepcopy.go index 0916bca337..689915b1dd 100644 --- a/api/v1alpha3/zz_generated.deepcopy.go +++ b/api/v1alpha3/zz_generated.deepcopy.go @@ -135,6 +135,13 @@ func (in *ManagerConfig) DeepCopyInto(out *ManagerConfig) { copy(*out, *in) } in.NodeFilter.DeepCopyInto(&out.NodeFilter) + if in.AdditionalPodLabels != nil { + in, out := &in.AdditionalPodLabels, &out.AdditionalPodLabels + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ManagerConfig. diff --git a/config/manager/controller_manager_config.yaml b/config/manager/controller_manager_config.yaml index 25b6e9b797..031d764b7d 100644 --- a/config/manager/controller_manager_config.yaml +++ b/config/manager/controller_manager_config.yaml @@ -19,6 +19,7 @@ manager: delayOnFailure: 24h pullSecrets: [] # image pull secrets for collector/scanner/eraser priorityClassName: "" # priority class name for collector/scanner/eraser + additionalPodLabels: {} nodeFilter: type: exclude # must be either exclude|include selectors: diff --git a/controllers/imagejob/imagejob_controller.go b/controllers/imagejob/imagejob_controller.go index b4e3555e43..2bde9cdec1 100644 --- a/controllers/imagejob/imagejob_controller.go +++ b/controllers/imagejob/imagejob_controller.go @@ -409,10 +409,12 @@ func (r *Reconciler) handleNewJob(ctx context.Context, imageJob *eraserv1.ImageJ }, } + pod.Labels = eraserConfig.Manager.AdditionalPodLabels + if containerName == removerContainer { - pod.Labels = map[string]string{imageJobTypeLabelKey: manualJobType} + pod.Labels[imageJobTypeLabelKey] = manualJobType } else { - pod.Labels = map[string]string{imageJobTypeLabelKey: collectorJobType} + pod.Labels[imageJobTypeLabelKey] = collectorJobType } fitness := checkNodeFitness(pod, &nodeList[i]) 
diff --git a/docs/docs/customization.md b/docs/docs/customization.md index a05a4cf353..408e840244 100644 --- a/docs/docs/customization.md +++ b/docs/docs/customization.md @@ -102,6 +102,7 @@ manager: delayOnFailure: 24h pullSecrets: [] # image pull secrets for collector/scanner/remover priorityClassName: "" # priority class name for collector/scanner/remover + additionalPodLabels: {} nodeFilter: type: exclude # must be either exclude|include selectors: @@ -207,6 +208,7 @@ timeout: | manager.imageJob.cleanup.delayOnFailure | The amount of time to wait after a failed image job before performing cleanup. | 24h | | manager.pullSecrets | The image pull secrets to use for collector, scanner, and remover containers. | [] | | manager.priorityClassName | The priority class to use for collector, scanner, and remover containers. | "" | +| manager.additionalPodLabels | Additional labels for all pods that the controller creates at runtime. | `{}` | | manager.nodeFilter.type | The type of node filter to use. Must be either "exclude" or "include". | exclude | | manager.nodeFilter.selectors | A list of selectors used to filter nodes. | [] | | components.collector.enabled | Whether to enable the collector component. | true | diff --git a/third_party/open-policy-agent/gatekeeper/helmify/kustomize-for-helm.yaml b/third_party/open-policy-agent/gatekeeper/helmify/kustomize-for-helm.yaml index 13f71eb1cc..09dc28da90 100644 --- a/third_party/open-policy-agent/gatekeeper/helmify/kustomize-for-helm.yaml +++ b/third_party/open-policy-agent/gatekeeper/helmify/kustomize-for-helm.yaml @@ -5,6 +5,9 @@ metadata: namespace: eraser-system spec: template: + metadata: + labels: + HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_ADDITIONALPODLABELS: "" spec: HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_PULL_SECRETS: "" volumes: diff --git a/third_party/open-policy-agent/gatekeeper/helmify/replacements.go b/third_party/open-policy-agent/gatekeeper/helmify/replacements.go index 9a69c06a83..e2b74cc2be 100644 
--- a/third_party/open-policy-agent/gatekeeper/helmify/replacements.go +++ b/third_party/open-policy-agent/gatekeeper/helmify/replacements.go @@ -7,6 +7,7 @@ var replacements = map[string]string{ `HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_AFFINITY: ""`: `{{- toYaml .Values.deploy.affinity | nindent 8 }}`, `- HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_ADDITIONAL_ARGS`: `{{- if .Values.deploy.additionalArgs }}{{- range .Values.deploy.additionalArgs }}{{ nindent 8 "- " }}{{ . }}{{- end -}}{{ end }}`, `HELMSUBST_CONTROLLER_MANAGER_CONFIG_YAML`: `{{- toYaml .Values.runtimeConfig | nindent 4 }}`, + `HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_ADDITIONALPODLABELS: ""`: `{{- if .Values.deploy.additionalPodLabels }}{{- toYaml .Values.deploy.additionalPodLabels | nindent 8 }}{{end}}`, `HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_PULL_SECRETS: ""`: `{{- if .Values.runtimeConfig.manager.pullSecrets }} imagePullSecrets: diff --git a/third_party/open-policy-agent/gatekeeper/helmify/static/README.md b/third_party/open-policy-agent/gatekeeper/helmify/static/README.md index a2ad3ced96..b64563f1fd 100644 --- a/third_party/open-policy-agent/gatekeeper/helmify/static/README.md +++ b/third_party/open-policy-agent/gatekeeper/helmify/static/README.md 
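Review bot: The replacement for `HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_ADDITIONALPODLABELS` renders `.Values.deploy.additionalPodLabels` verbatim into the same `labels:` mapping that already holds the chart-managed labels, so a user key that repeats one of them produces a duplicate mapping key in the rendered Deployment. How a duplicate resolves depends on the YAML parser. If a chart-managed label that also appears in the Deployment selector (not visible here) is overridden, the pod template would presumably stop matching it. At minimum the README row should state the restriction, for example `Additional labels for the controller pod; keys must not repeat labels the chart already sets.`, and the template could drop colliding keys before `toYaml`. The closing `{{end}}` also lacks the whitespace trimming used by the other actions in this map.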
@@ -45,6 +45,7 @@ _See [helm install](https://helm.sh/docs/helm/helm_install/) for command documen | runtimeConfig.manager.imageJob.cleanup | Settings for image job cleanup. | `{}` | | runtimeConfig.manager.pullSecrets | Image pull secrets for collector/scanner/eraser. | `[]` | | runtimeConfig.manager.priorityClassName | Priority class name for collector/scanner/eraser. | `""` | +| runtimeConfig.manager.additionalPodLabels | Additional labels for all pods that the controller creates at runtime. | `{}` | | runtimeConfig.manager.nodeFilter | Filter for nodes. | `{}` | | runtimeConfig.components.collector | Settings for the collector component. | `{ enabled: false }` | | runtimeConfig.components.scanner | Settings for the scanner component. | `{ enabled: false }` | @@ -54,6 +55,7 @@ _See [helm install](https://helm.sh/docs/helm/helm_install/) for command documen | deploy.image.tag | Overrides the default image tag. | `""` | | deploy.additionalArgs | Additional arguments to pass to the command. | `[]` | | deploy.priorityClassName | Priority class name. | `""` | +| deploy.additionalPodLabels | Additional labels for the controller pod. | `{}` | | deploy.securityContext.allowPrivilegeEscalation | Whether to allow privilege escalation. | `false` | | deploy.resources.limits.memory | Memory limit for the resources. | `30Mi` | | deploy.resources.requests.cpu | CPU request for the resources. | `100m` | diff --git a/third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml b/third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml index 484d3ca3c2..3c09f3da34 100644 --- a/third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml +++ b/third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml 
@@ -29,6 +29,7 @@ runtimeConfig: # delayOnFailure: "" pullSecrets: [] # image pull secrets for collector/scanner/eraser priorityClassName: "" # priority class name for collector/scanner/eraser + additionalPodLabels: {} nodeFilter: type: exclude # must be either exclude|include selectors: @@ -97,6 +98,7 @@ deploy: tag: "v1.4.0-beta.0" additionalArgs: [] priorityClassName: "" + additionalPodLabels: {} securityContext: allowPrivilegeEscalation: false From 8932e8dfbcff3c519b02db5d3b585cb5b683cae5 Mon Sep 17 00:00:00 2001 From: Patrick von Steht Date: Mon, 26 Feb 2024 17:11:17 +0100 Subject: [PATCH 2/5] Remove changes from api/v1alpha1 and api/v1alpha2 and add changes to manifest_staging directory Signed-off-by: Patrick von Steht --- api/v1alpha1/config/config.go | 1 - api/v1alpha1/eraserconfig_types.go | 19 +++++++++---------- api/v1alpha1/zz_generated.conversion.go | 3 +-- api/v1alpha1/zz_generated.deepcopy.go | 7 ------- api/v1alpha2/config/config.go | 1 - api/v1alpha2/eraserconfig_types.go | 19 +++++++++---------- api/v1alpha2/zz_generated.conversion.go | 3 +-- api/v1alpha2/zz_generated.deepcopy.go | 7 ------- manifest_staging/charts/eraser/README.md | 2 ++ .../eraser-controller-manager-deployment.yaml | 1 + manifest_staging/charts/eraser/values.yaml | 2 ++ manifest_staging/deploy/eraser.yaml | 1 + 12 files changed, 26 insertions(+), 40 deletions(-) diff --git a/api/v1alpha1/config/config.go b/api/v1alpha1/config/config.go index 0b57512a52..cb64795f0c 100644 --- a/api/v1alpha1/config/config.go +++ b/api/v1alpha1/config/config.go @@ -61,7 +61,6 @@ func Default() *v1alpha1.EraserConfig { "eraser.sh/cleanup.filter", }, }, - AdditionalPodLabels: map[string]string{}, }, Components: v1alpha1.Components{ Collector: v1alpha1.OptionalContainerConfig{ diff --git a/api/v1alpha1/eraserconfig_types.go b/api/v1alpha1/eraserconfig_types.go index a2c8f55778..c27bde1fb0 100644 --- a/api/v1alpha1/eraserconfig_types.go +++ b/api/v1alpha1/eraserconfig_types.go 
@@ -91,16 +91,15 @@ type ContainerConfig struct { } type ManagerConfig struct { - Runtime Runtime `json:"runtime,omitempty"` - OTLPEndpoint string `json:"otlpEndpoint,omitempty"` - LogLevel string `json:"logLevel,omitempty"` - Scheduling ScheduleConfig `json:"scheduling,omitempty"` - Profile ProfileConfig `json:"profile,omitempty"` - ImageJob ImageJobConfig `json:"imageJob,omitempty"` - PullSecrets []string `json:"pullSecrets,omitempty"` - NodeFilter NodeFilterConfig `json:"nodeFilter,omitempty"` - PriorityClassName string `json:"priorityClassName,omitempty"` - AdditionalPodLabels map[string]string `json:"additionalPodLabels,omitempty"` + Runtime Runtime `json:"runtime,omitempty"` + OTLPEndpoint string `json:"otlpEndpoint,omitempty"` + LogLevel string `json:"logLevel,omitempty"` + Scheduling ScheduleConfig `json:"scheduling,omitempty"` + Profile ProfileConfig `json:"profile,omitempty"` + ImageJob ImageJobConfig `json:"imageJob,omitempty"` + PullSecrets []string `json:"pullSecrets,omitempty"` + NodeFilter NodeFilterConfig `json:"nodeFilter,omitempty"` + PriorityClassName string `json:"priorityClassName,omitempty"` } type ScheduleConfig struct { diff --git a/api/v1alpha1/zz_generated.conversion.go b/api/v1alpha1/zz_generated.conversion.go index f771cd7dfb..98f62f724c 100644 --- a/api/v1alpha1/zz_generated.conversion.go +++ b/api/v1alpha1/zz_generated.conversion.go @@ -609,7 +609,6 @@ func autoConvert_v1alpha1_ManagerConfig_To_unversioned_ManagerConfig(in *Manager return err } out.PriorityClassName = in.PriorityClassName - out.AdditionalPodLabels = *(*map[string]string)(unsafe.Pointer(&in.AdditionalPodLabels)) return nil } 
@@ -633,7 +632,7 @@ func autoConvert_unversioned_ManagerConfig_To_v1alpha1_ManagerConfig(in *unversi return err } out.PriorityClassName = in.PriorityClassName - out.AdditionalPodLabels = *(*map[string]string)(unsafe.Pointer(&in.AdditionalPodLabels)) + // WARNING: in.AdditionalPodLabels requires manual conversion: does not exist in peer-type return nil } diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index f46a620db2..31a79f5fa1 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -334,13 +334,6 @@ func (in *ManagerConfig) DeepCopyInto(out *ManagerConfig) { copy(*out, *in) } in.NodeFilter.DeepCopyInto(&out.NodeFilter) - if in.AdditionalPodLabels != nil { - in, out := &in.AdditionalPodLabels, &out.AdditionalPodLabels - *out = make(map[string]string, len(*in)) - for key, val := range *in { - (*out)[key] = val - } - } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ManagerConfig. diff --git a/api/v1alpha2/config/config.go b/api/v1alpha2/config/config.go index 39b6e1ca3e..bdd7bcf675 100644 --- a/api/v1alpha2/config/config.go +++ b/api/v1alpha2/config/config.go @@ -61,7 +61,6 @@ func Default() *v1alpha2.EraserConfig { "eraser.sh/cleanup.filter", }, }, - AdditionalPodLabels: map[string]string{}, }, Components: v1alpha2.Components{ Collector: v1alpha2.OptionalContainerConfig{ diff --git a/api/v1alpha2/eraserconfig_types.go b/api/v1alpha2/eraserconfig_types.go index 8d24e27606..f6f8ee8e39 100644 --- a/api/v1alpha2/eraserconfig_types.go +++ b/api/v1alpha2/eraserconfig_types.go 
@@ -89,16 +89,15 @@ type ContainerConfig struct { } type ManagerConfig struct { - Runtime Runtime `json:"runtime,omitempty"` - OTLPEndpoint string `json:"otlpEndpoint,omitempty"` - LogLevel string `json:"logLevel,omitempty"` - Scheduling ScheduleConfig `json:"scheduling,omitempty"` - Profile ProfileConfig `json:"profile,omitempty"` - ImageJob ImageJobConfig `json:"imageJob,omitempty"` - PullSecrets []string `json:"pullSecrets,omitempty"` - NodeFilter NodeFilterConfig `json:"nodeFilter,omitempty"` - PriorityClassName string `json:"priorityClassName,omitempty"` - AdditionalPodLabels map[string]string `json:"additionalPodLabels,omitempty"` + Runtime Runtime `json:"runtime,omitempty"` + OTLPEndpoint string `json:"otlpEndpoint,omitempty"` + LogLevel string `json:"logLevel,omitempty"` + Scheduling ScheduleConfig `json:"scheduling,omitempty"` + Profile ProfileConfig `json:"profile,omitempty"` + ImageJob ImageJobConfig `json:"imageJob,omitempty"` + PullSecrets []string `json:"pullSecrets,omitempty"` + NodeFilter NodeFilterConfig `json:"nodeFilter,omitempty"` + PriorityClassName string `json:"priorityClassName,omitempty"` } type ScheduleConfig struct { diff --git a/api/v1alpha2/zz_generated.conversion.go b/api/v1alpha2/zz_generated.conversion.go index adeba64b78..b7e282cf68 100644 --- a/api/v1alpha2/zz_generated.conversion.go +++ b/api/v1alpha2/zz_generated.conversion.go @@ -340,7 +340,6 @@ func autoConvert_v1alpha2_ManagerConfig_To_unversioned_ManagerConfig(in *Manager return err } out.PriorityClassName = in.PriorityClassName - out.AdditionalPodLabels = *(*map[string]string)(unsafe.Pointer(&in.AdditionalPodLabels)) return nil } 
@@ -364,7 +363,7 @@ func autoConvert_unversioned_ManagerConfig_To_v1alpha2_ManagerConfig(in *unversi return err } out.PriorityClassName = in.PriorityClassName - out.AdditionalPodLabels = *(*map[string]string)(unsafe.Pointer(&in.AdditionalPodLabels)) + // WARNING: in.AdditionalPodLabels requires manual conversion: does not exist in peer-type return nil } diff --git a/api/v1alpha2/zz_generated.deepcopy.go b/api/v1alpha2/zz_generated.deepcopy.go index 1963c1034b..54c04dcef7 100644 --- a/api/v1alpha2/zz_generated.deepcopy.go +++ b/api/v1alpha2/zz_generated.deepcopy.go @@ -134,13 +134,6 @@ func (in *ManagerConfig) DeepCopyInto(out *ManagerConfig) { copy(*out, *in) } in.NodeFilter.DeepCopyInto(&out.NodeFilter) - if in.AdditionalPodLabels != nil { - in, out := &in.AdditionalPodLabels, &out.AdditionalPodLabels - *out = make(map[string]string, len(*in)) - for key, val := range *in { - (*out)[key] = val - } - } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ManagerConfig. diff --git a/manifest_staging/charts/eraser/README.md b/manifest_staging/charts/eraser/README.md index a2ad3ced96..b64563f1fd 100644 --- a/manifest_staging/charts/eraser/README.md +++ b/manifest_staging/charts/eraser/README.md 
@@ -45,6 +45,7 @@ _See [helm install](https://helm.sh/docs/helm/helm_install/) for command documen | runtimeConfig.manager.imageJob.cleanup | Settings for image job cleanup. | `{}` | | runtimeConfig.manager.pullSecrets | Image pull secrets for collector/scanner/eraser. | `[]` | | runtimeConfig.manager.priorityClassName | Priority class name for collector/scanner/eraser. | `""` | +| runtimeConfig.manager.additionalPodLabels | Additional labels for all pods that the controller creates at runtime. | `{}` | | runtimeConfig.manager.nodeFilter | Filter for nodes. | `{}` | | runtimeConfig.components.collector | Settings for the collector component. | `{ enabled: false }` | | runtimeConfig.components.scanner | Settings for the scanner component. | `{ enabled: false }` | @@ -54,6 +55,7 @@ _See [helm install](https://helm.sh/docs/helm/helm_install/) for command documen | deploy.image.tag | Overrides the default image tag. | `""` | | deploy.additionalArgs | Additional arguments to pass to the command. | `[]` | | deploy.priorityClassName | Priority class name. | `""` | +| deploy.additionalPodLabels | Additional labels for the controller pod. | `{}` | | deploy.securityContext.allowPrivilegeEscalation | Whether to allow privilege escalation. | `false` | | deploy.resources.limits.memory | Memory limit for the resources. | `30Mi` | | deploy.resources.requests.cpu | CPU request for the resources. | `100m` | diff --git a/manifest_staging/charts/eraser/templates/eraser-controller-manager-deployment.yaml b/manifest_staging/charts/eraser/templates/eraser-controller-manager-deployment.yaml index 05d2ffe028..b132e439c2 100644 --- a/manifest_staging/charts/eraser/templates/eraser-controller-manager-deployment.yaml +++ b/manifest_staging/charts/eraser/templates/eraser-controller-manager-deployment.yaml 
@@ -21,6 +21,7 @@ spec: template: metadata: labels: + {{- if .Values.deploy.additionalPodLabels }}{{- toYaml .Values.deploy.additionalPodLabels | nindent 8 }}{{end}} app.kubernetes.io/instance: '{{ .Release.Name }}' app.kubernetes.io/managed-by: '{{ .Release.Service }}' app.kubernetes.io/name: '{{ template "eraser.name" . }}' diff --git a/manifest_staging/charts/eraser/values.yaml b/manifest_staging/charts/eraser/values.yaml index 484d3ca3c2..3c09f3da34 100644 --- a/manifest_staging/charts/eraser/values.yaml +++ b/manifest_staging/charts/eraser/values.yaml @@ -29,6 +29,7 @@ runtimeConfig: # delayOnFailure: "" pullSecrets: [] # image pull secrets for collector/scanner/eraser priorityClassName: "" # priority class name for collector/scanner/eraser + additionalPodLabels: {} nodeFilter: type: exclude # must be either exclude|include selectors: @@ -97,6 +98,7 @@ deploy: tag: "v1.4.0-beta.0" additionalArgs: [] priorityClassName: "" + additionalPodLabels: {} securityContext: allowPrivilegeEscalation: false diff --git a/manifest_staging/deploy/eraser.yaml b/manifest_staging/deploy/eraser.yaml index 314d8210d9..1b1cf2ab2b 100644 --- a/manifest_staging/deploy/eraser.yaml +++ b/manifest_staging/deploy/eraser.yaml @@ -432,6 +432,7 @@ data: delayOnFailure: 24h pullSecrets: [] # image pull secrets for collector/scanner/eraser priorityClassName: "" # priority class name for collector/scanner/eraser + additionalPodLabels: {} nodeFilter: type: exclude # must be either exclude|include selectors: From 7a54d6cbc4d95e911d65ad770a1d1523b8a8a131 Mon Sep 17 00:00:00 2001 From: Patrick von Steht Date: Mon, 26 Feb 2024 23:07:02 +0100 Subject: [PATCH 3/5] Correctly handle case that additionalPodLabels parameter is not present at all in manager config Signed-off-by: Patrick von Steht --- controllers/imagejob/imagejob_controller.go | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
diff --git a/controllers/imagejob/imagejob_controller.go b/controllers/imagejob/imagejob_controller.go index 2bde9cdec1..a7a27a5117 100644 --- a/controllers/imagejob/imagejob_controller.go +++ b/controllers/imagejob/imagejob_controller.go @@ -409,7 +409,11 @@ func (r *Reconciler) handleNewJob(ctx context.Context, imageJob *eraserv1.ImageJ }, } - pod.Labels = eraserConfig.Manager.AdditionalPodLabels + pod.Labels = map[string]string{} + + for k, v := range eraserConfig.Manager.AdditionalPodLabels { + pod.Labels[k] = v + } if containerName == removerContainer { pod.Labels[imageJobTypeLabelKey] = manualJobType From f5eddc90c0b3db53cc4c5579c2facff47480f7e7 Mon Sep 17 00:00:00 2001 From: Patrick von Steht Date: Mon, 25 Mar 2024 14:53:50 +0100 Subject: [PATCH 4/5] Add labels to ImageJob PodTemplateSpec Signed-off-by: Patrick von Steht --- controllers/imagecollector/imagecollector_controller.go | 8 ++++++++ controllers/imagelist/imagelist_controller.go | 8 ++++++++ 2 files changed, 16 insertions(+) diff --git a/controllers/imagecollector/imagecollector_controller.go b/controllers/imagecollector/imagecollector_controller.go index 400ba36f46..5567288a25 100644 --- a/controllers/imagecollector/imagecollector_controller.go +++ b/controllers/imagecollector/imagecollector_controller.go @@ -323,7 +323,15 @@ func (r *Reconciler) createImageJob(ctx context.Context) (ctrl.Result, error) { pullSecrets = append(pullSecrets, corev1.LocalObjectReference{Name: secret}) } + labels := map[string]string{} + for k, v := range mgrCfg.AdditionalPodLabels { + labels[k] = v + } + jobTemplate := corev1.PodTemplateSpec{ + ObjectMeta: metav1.ObjectMeta{ + Labels: labels, + }, Spec: corev1.PodSpec{ Volumes: []corev1.Volume{ { diff --git a/controllers/imagelist/imagelist_controller.go b/controllers/imagelist/imagelist_controller.go index 940d8efc79..59dd2935ea 100644 --- a/controllers/imagelist/imagelist_controller.go +++ b/controllers/imagelist/imagelist_controller.go 
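Review bot: The keys and values copied from `eraserConfig.Manager.AdditionalPodLabels` into `pod.Labels` are never checked against Kubernetes label syntax, so a malformed entry in the manager config only surfaces when the API server rejects the pod, presumably once per node given the `nodeList[i]` indexing in the earlier hunk of this function. Validating once where the config is loaded, with `validation.IsQualifiedName(k)` and `validation.IsValidLabelValue(v)` from k8s.io/apimachinery/pkg/util/validation, would turn that into a single clear configuration error. Writing `imageJobTypeLabelKey` after the loop silently overwrites a user entry with the same key, which is the safe order but deserves a comment such as `// set last: the controller-owned job-type label must win over additionalPodLabels`. Because pod labels are what NetworkPolicy and admission selectors match on, the documentation should also note that anyone able to edit the manager config can change which label-selected policies apply to these pods. handleNewJob begins and continues outside this hunk.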
@@ -291,7 +291,15 @@ func (r *Reconciler) handleImageListEvent(ctx context.Context, imageList *eraser pullSecrets = append(pullSecrets, corev1.LocalObjectReference{Name: secret}) } + labels := map[string]string{} + for k, v := range eraserConfig.Manager.AdditionalPodLabels { + labels[k] = v + } + jobTemplate := corev1.PodTemplateSpec{ + ObjectMeta: metav1.ObjectMeta{ + Labels: labels, + }, Spec: corev1.PodSpec{ Volumes: []corev1.Volume{ { From 5208553c6946e960551e57cb5053f22855a8a278 Mon Sep 17 00:00:00 2001 From: Patrick von Steht Date: Wed, 27 Mar 2024 09:08:24 +0100 Subject: [PATCH 5/5] Remove labels from ImageJob PodTemplateSpec Signed-off-by: Patrick von Steht --- controllers/imagecollector/imagecollector_controller.go | 8 -------- controllers/imagelist/imagelist_controller.go | 8 -------- 2 files changed, 16 deletions(-) diff --git a/controllers/imagecollector/imagecollector_controller.go b/controllers/imagecollector/imagecollector_controller.go index 5567288a25..400ba36f46 100644 --- a/controllers/imagecollector/imagecollector_controller.go +++ b/controllers/imagecollector/imagecollector_controller.go @@ -323,15 +323,7 @@ func (r *Reconciler) createImageJob(ctx context.Context) (ctrl.Result, error) { pullSecrets = append(pullSecrets, corev1.LocalObjectReference{Name: secret}) } - labels := map[string]string{} - for k, v := range mgrCfg.AdditionalPodLabels { - labels[k] = v - } - jobTemplate := corev1.PodTemplateSpec{ - ObjectMeta: metav1.ObjectMeta{ - Labels: labels, - }, Spec: corev1.PodSpec{ Volumes: []corev1.Volume{ { diff --git a/controllers/imagelist/imagelist_controller.go b/controllers/imagelist/imagelist_controller.go index 59dd2935ea..940d8efc79 100644 --- a/controllers/imagelist/imagelist_controller.go +++ b/controllers/imagelist/imagelist_controller.go 
@@ -291,15 +291,7 @@ func (r *Reconciler) handleImageListEvent(ctx context.Context, imageList *eraser pullSecrets = append(pullSecrets, corev1.LocalObjectReference{Name: secret}) } - labels := map[string]string{} - for k, v := range eraserConfig.Manager.AdditionalPodLabels { - labels[k] = v - } - jobTemplate := corev1.PodTemplateSpec{ - ObjectMeta: metav1.ObjectMeta{ - Labels: labels, - }, Spec: corev1.PodSpec{ Volumes: []corev1.Volume{ {