From 5107f47cd946b0a0a101a5b98d45d586b5bdb308 Mon Sep 17 00:00:00 2001 From: Marino Borges Date: Mon, 26 May 2025 21:41:43 -0300 Subject: [PATCH 1/3] Allow disabling kruise-daemon-config namespace & move DaemonSet manifests to a separate file & make DaemonSet namespace name configurable Signed-off-by: Marino Borges --- versions/kruise/next/templates/daemonset.yaml | 149 ++++++++++++++++++ versions/kruise/next/templates/manager.yaml | 148 ----------------- versions/kruise/next/templates/rbac_role.yaml | 4 +- versions/kruise/next/values.yaml | 3 + 4 files changed, 154 insertions(+), 150 deletions(-) create mode 100644 versions/kruise/next/templates/daemonset.yaml diff --git a/versions/kruise/next/templates/daemonset.yaml b/versions/kruise/next/templates/daemonset.yaml new file mode 100644 index 0000000..dcbab9e --- /dev/null +++ b/versions/kruise/next/templates/daemonset.yaml 
@@ -0,0 +1,149 @@ +{{- if not (contains "KruiseDaemon=false" .Values.featureGates) }} +{{- if .Values.installation.daemonSet.createNamespace }} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ .Values.installation.daemonSet.namespace }} +{{- end }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kruise-daemon +{{- if .Values.serviceAccount.annotations }} + annotations: +{{ toYaml .Values.serviceAccount.annotations | indent 4 }} +{{- end }} + namespace: {{ .Values.installation.daemonSet.namespace }} +{{ ( include "serviceAccountDaemon" . ) }} +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: kruise-daemon + namespace: {{ .Values.installation.daemonSet.namespace }} + labels: + control-plane: daemon +spec: + selector: + matchLabels: + control-plane: daemon + minReadySeconds: 3 + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 10% + template: + metadata: + labels: + control-plane: daemon + spec: +{{- with .Values.imagePullSecrets }} + imagePullSecrets: +{{- toYaml . 
| nindent 8 }} +{{- end }} +{{- if .Values.daemon.affinity }} + affinity: +{{ toYaml .Values.daemon.affinity | indent 8 }} +{{- end }} +{{- if .Values.daemon.nodeSelector }} + nodeSelector: +{{ toYaml .Values.daemon.nodeSelector | indent 8 }} +{{- end }} + containers: + - command: + - /kruise-daemon + args: + - --logtostderr=true + - --v=4 + - --addr=:{{ .Values.daemon.port }} + - --feature-gates={{ .Values.featureGates }} + - --socket-file={{ .Values.daemon.socketFile }} +{{- if not .Values.daemon.enablePprof }} + - --enable-pprof=false +{{- else }} + - --enable-pprof=true + - --pprof-addr={{ .Values.daemon.pprofAddr }} +{{- end }} +{{- if .Values.daemon.credentialProvider.enable }} + - --plugin-config-file=/credential-provider-config/CredentialProviderPlugin.yaml + - --plugin-bin-dir=/credential-provider-plugin +{{- end }} + image: {{ .Values.manager.image.repository }}:{{ .Values.manager.image.tag }} + imagePullPolicy: Always + securityContext: + capabilities: + drop: + - all + add: [ 'NET_BIND_SERVICE' ] + allowPrivilegeEscalation: false + name: daemon + env: +{{- if .Values.enableKubeCacheMutationDetector }} + - name: KUBE_CACHE_MUTATION_DETECTOR + value: "true" +{{- end }} + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + {{- if .Values.daemon.extraEnvs }} + {{- toYaml .Values.daemon.extraEnvs | nindent 8 }} + {{- end }} + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: {{ .Values.daemon.port }} + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: + {{- toYaml .Values.daemon.resources | nindent 12 }} + volumeMounts: + - mountPath: /hostvarrun + name: runtime-socket + readOnly: true +{{- if .Values.daemon.credentialProvider.enable }} + - name: credential-provider-plugin-config + mountPath: /credential-provider-config + readOnly: true + - name: credential-provider-plugin + mountPath: /credential-provider-plugin + readOnly: true + {{- 
if ne .Values.daemon.credentialProvider.awsCredentialsDir "" }} + - name: aws-credentials-dir + mountPath: /root/.aws + readOnly: true + {{- end }} +{{- end }} + tolerations: + - operator: Exists + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + terminationGracePeriodSeconds: 10 + serviceAccountName: kruise-daemon + volumes: + - hostPath: + path: {{ .Values.daemon.socketLocation }} + type: "" + name: runtime-socket +{{- if .Values.daemon.credentialProvider.enable }} + - name: credential-provider-plugin-config + configMap: + name: {{ .Values.daemon.credentialProvider.configmap }} + - hostPath: + path: {{ .Values.daemon.credentialProvider.hostPath }} + type: "" + name: credential-provider-plugin + {{- if ne .Values.daemon.credentialProvider.awsCredentialsDir "" }} + - hostPath: + path: {{ .Values.daemon.credentialProvider.awsCredentialsDir }} + type: "" + name: aws-credentials-dir + {{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/versions/kruise/next/templates/manager.yaml b/versions/kruise/next/templates/manager.yaml index e942674..81009e5 100644 --- a/versions/kruise/next/templates/manager.yaml +++ b/versions/kruise/next/templates/manager.yaml @@ -8,11 +8,6 @@ metadata: {{- end }} --- apiVersion: v1 -kind: Namespace -metadata: - name: kruise-daemon-config ---- -apiVersion: v1 kind: Service metadata: name: kruise-webhook-service 
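Review bot: The Namespace document at the top of the new file sits inside the `{{- if not (contains "KruiseDaemon=false" .Values.featureGates) }}` guard, while the `kruise-daemon-config` Namespace it replaces (removed from manager.yaml in the next hunk) was unconditional; rbac_role.yaml still renders `kruise-daemon-secret-role` and its RoleBinding into `{{ .Values.installation.daemonSet.namespace }}`, so unless those are gated on the same feature flag elsewhere in that file, an install with the daemon disabled fails on a missing namespace. Moving the `{{- if .Values.installation.daemonSet.createNamespace }}` block, through its `{{- end }}`, above the feature-gate `if` keeps the Namespace available to the Role whenever the operator asks for it. A second, hedged point: values.yaml also has `installation.createNamespace`, so if that key renders a Namespace for `installation.namespace`, a user who points `installation.daemonSet.namespace` at the same name gets two Namespace objects with one name and an apply error; `{{- if and .Values.installation.daemonSet.createNamespace (ne .Values.installation.daemonSet.namespace .Values.installation.namespace) }}` avoids that. The file also ends without a trailing newline (`\ No newline at end of file`).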
@@ -160,146 +155,3 @@ metadata: {{- end }} namespace: {{ .Values.installation.namespace }} {{ ( include "serviceAccountManager" . ) }} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: kruise-daemon -{{- if .Values.serviceAccount.annotations }} - annotations: -{{ toYaml .Values.serviceAccount.annotations | indent 4 }} -{{- end }} - namespace: {{ .Values.installation.namespace }} -{{ ( include "serviceAccountDaemon" . ) }} ---- -{{ if contains "KruiseDaemon=false" .Values.featureGates }}{{ else }} -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: kruise-daemon - namespace: {{ .Values.installation.namespace }} - labels: - control-plane: daemon -spec: - selector: - matchLabels: - control-plane: daemon - minReadySeconds: 3 - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 10% - template: - metadata: - labels: - control-plane: daemon - spec: -{{- with .Values.imagePullSecrets }} - imagePullSecrets: -{{- toYaml . | nindent 8 }} -{{- end }} -{{- if .Values.daemon.affinity }} - affinity: -{{ toYaml .Values.daemon.affinity | indent 8 }} -{{- end }} -{{- if .Values.daemon.nodeSelector }} - nodeSelector: -{{ toYaml .Values.daemon.nodeSelector | indent 8 }} -{{- end }} - containers: - - command: - - /kruise-daemon - args: - - --logtostderr=true - - --v=4 - - --addr=:{{ .Values.daemon.port }} - - --feature-gates={{ .Values.featureGates }} - - --socket-file={{ .Values.daemon.socketFile }} -{{- if not .Values.daemon.enablePprof }} - - --enable-pprof=false -{{- else }} - - --enable-pprof=true - - --pprof-addr={{ .Values.daemon.pprofAddr }} -{{- end }} -{{- if .Values.daemon.credentialProvider.enable }} - - --plugin-config-file=/credential-provider-config/CredentialProviderPlugin.yaml - - --plugin-bin-dir=/credential-provider-plugin -{{- end }} - image: {{ .Values.manager.image.repository }}:{{ .Values.manager.image.tag }} - imagePullPolicy: Always - securityContext: - capabilities: - drop: - - all - add: [ 'NET_BIND_SERVICE' ] - 
allowPrivilegeEscalation: false - name: daemon - env: -{{- if .Values.enableKubeCacheMutationDetector }} - - name: KUBE_CACHE_MUTATION_DETECTOR - value: "true" -{{- end }} - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - {{- if .Values.daemon.extraEnvs }} - {{- toYaml .Values.daemon.extraEnvs | nindent 8 }} - {{- end }} - livenessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: {{ .Values.daemon.port }} - scheme: HTTP - initialDelaySeconds: 60 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - resources: - {{- toYaml .Values.daemon.resources | nindent 12 }} - volumeMounts: - - mountPath: /hostvarrun - name: runtime-socket - readOnly: true -{{- if .Values.daemon.credentialProvider.enable }} - - name: credential-provider-plugin-config - mountPath: /credential-provider-config - readOnly: true - - name: credential-provider-plugin - mountPath: /credential-provider-plugin - readOnly: true - {{- if ne .Values.daemon.credentialProvider.awsCredentialsDir "" }} - - name: aws-credentials-dir - mountPath: /root/.aws - readOnly: true - {{- end }} -{{- end }} - tolerations: - - operator: Exists - hostNetwork: true - dnsPolicy: ClusterFirstWithHostNet - terminationGracePeriodSeconds: 10 - serviceAccountName: kruise-daemon - volumes: - - hostPath: - path: {{ .Values.daemon.socketLocation }} - type: "" - name: runtime-socket -{{- if .Values.daemon.credentialProvider.enable }} - - name: credential-provider-plugin-config - configMap: - name: {{ .Values.daemon.credentialProvider.configmap }} - - hostPath: - path: {{ .Values.daemon.credentialProvider.hostPath }} - type: "" - name: credential-provider-plugin - {{- if ne .Values.daemon.credentialProvider.awsCredentialsDir "" }} - - hostPath: - path: {{ .Values.daemon.credentialProvider.awsCredentialsDir }} - type: "" - name: aws-credentials-dir - {{- end }} -{{- end }} -{{- end }} 
diff --git a/versions/kruise/next/templates/rbac_role.yaml b/versions/kruise/next/templates/rbac_role.yaml index 695de73..c6f34f7 100644 --- a/versions/kruise/next/templates/rbac_role.yaml +++ b/versions/kruise/next/templates/rbac_role.yaml @@ -927,7 +927,7 @@ kind: Role metadata: creationTimestamp: null name: kruise-daemon-secret-role - namespace: kruise-daemon-config + namespace: {{ .Values.installation.daemonSet.namespace }} rules: - apiGroups: - "" @@ -942,7 +942,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: kruise-daemon-secret-rolebinding - namespace: kruise-daemon-config + namespace: {{ .Values.installation.daemonSet.namespace }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role diff --git a/versions/kruise/next/values.yaml b/versions/kruise/next/values.yaml index 3e34287..f33a8bb 100644 --- a/versions/kruise/next/values.yaml +++ b/versions/kruise/next/values.yaml @@ -7,6 +7,9 @@ crds: installation: namespace: kruise-system createNamespace: true + daemonSet: + namespace: kruise-daemon-config + createNamespace: true roleListGroups: - '*' From 4f56107886d5fea355e7e0cfc94c1b98b1517092 Mon Sep 17 00:00:00 2001 From: Marino Borges Date: Mon, 26 May 2025 21:45:13 -0300 Subject: [PATCH 2/3] Bump up chart version Signed-off-by: Marino Borges --- versions/kruise/next/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/versions/kruise/next/Chart.yaml b/versions/kruise/next/Chart.yaml index 4e9e20b..0c07b08 100644 --- a/versions/kruise/next/Chart.yaml +++ b/versions/kruise/next/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: kruise description: Helm chart for kruise components -version: 1.8.1 +version: 1.8.2 appVersion: 1.8.0 kubeVersion: ">= 1.18.0-0" icon: https://openkruise.io/img/openkruise-logo-bg.jpg From cf96f2c0b2b0b2f001bac8bbfa926f60295e0a1f Mon Sep 17 00:00:00 2001 From: Marino Borges Date: Mon, 26 May 2025 23:11:23 -0300 Subject: [PATCH 3/3] Fix DS & SA namespaces 
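Review bot: The Role and RoleBinding at `@@ -927` and `@@ -942` now live in `{{ .Values.installation.daemonSet.namespace }}`, but the RoleBinding's `subjects` list is outside the hunk, and patch 3/3 renders the `kruise-daemon` ServiceAccount in `installation.namespace`; the subject's `namespace:` must therefore keep referencing `installation.namespace`, not the new key. A mismatch there is not caught at install time — the binding is accepted and the daemon simply receives an RBAC denial when it reads from the config namespace — so it is worth confirming the subject reads `namespace: {{ .Values.installation.namespace }}`.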
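Review bot: The new `daemonSet.createNamespace` key carries no comment, and the decision it controls has a consequence a reader needs spelled out: a Namespace rendered by the chart is owned by the release and is deleted, together with everything an operator placed in it, on `helm uninstall`. Suggest `# Set to false when the namespace is managed outside the chart; a chart-owned Namespace is removed with its contents on uninstall.` above `createNamespace: true` in the `daemonSet:` block.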
Signed-off-by: Marino Borges --- versions/kruise/next/templates/daemonset.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/versions/kruise/next/templates/daemonset.yaml b/versions/kruise/next/templates/daemonset.yaml index dcbab9e..85fce69 100644 --- a/versions/kruise/next/templates/daemonset.yaml +++ b/versions/kruise/next/templates/daemonset.yaml @@ -14,14 +14,14 @@ metadata: annotations: {{ toYaml .Values.serviceAccount.annotations | indent 4 }} {{- end }} - namespace: {{ .Values.installation.daemonSet.namespace }} + namespace: {{ .Values.installation.namespace }} {{ ( include "serviceAccountDaemon" . ) }} --- apiVersion: apps/v1 kind: DaemonSet metadata: name: kruise-daemon - namespace: {{ .Values.installation.daemonSet.namespace }} + namespace: {{ .Values.installation.namespace }} labels: control-plane: daemon spec:
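Review bot: After this change `installation.daemonSet.namespace` no longer contains the DaemonSet or its ServiceAccount — only the `kruise-daemon-secret-role` Role/RoleBinding from rbac_role.yaml — so the key name and the Namespace document at the top of daemonset.yaml (outside this hunk, still emitted from this template) now mislead, and the values.yaml hunk in patch 1/3 introduces the key without explanation. Since renaming the key would break users who already set it, a comment on the Namespace document such as `# Holds only the kruise-daemon-secret-role Role/RoleBinding; the daemon workload itself runs in .Values.installation.namespace.` is the minimum, and the same sentence belongs above `daemonSet:` in values.yaml. The reason for moving the workload back (presumably so the RoleBinding subject and other chart resources that reference the ServiceAccount keep resolving) is worth stating in that comment, since the commit subject does not.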