This commit is contained in:
Kagaya 2025-07-21 21:27:23 +08:00 committed by GitHub
commit 64cead00ec
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
12 changed files with 272 additions and 15 deletions


@ -17,6 +17,7 @@ env:
KIND_VERSION: 'v0.18.0'
KIND_VERSION_FOR_HIGHER: 'v0.22.0'
KIND_CLUSTER_NAME: 'ci-testing'
CERT_MANAGER_VERSION: 'v1.18.2'
# todo: add kruise e2e here
jobs:
# 1.27-
@ -36,6 +37,10 @@ jobs:
cluster_name: ${{ env.KIND_CLUSTER_NAME }}
config: ./test/kind-conf.yaml
version: ${{ env.KIND_VERSION }}
- name: Install Cert-Manager
run: |
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/${{ env.CERT_MANAGER_VERSION }}/cert-manager.yaml
kubectl -n cert-manager rollout status deploy/cert-manager-webhook --timeout=180s
- name: Install Kruise
run: |
make install-kruise-from-local
@ -67,6 +72,10 @@ jobs:
cluster_name: ${{ env.KIND_CLUSTER_NAME }}
config: ./test/kind-conf-with-vpa.yaml
version: ${{ env.KIND_VERSION_FOR_HIGHER }}
- name: Install Cert-Manager
run: |
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/${{ env.CERT_MANAGER_VERSION }}/cert-manager.yaml
kubectl -n cert-manager rollout status deploy/cert-manager-webhook --timeout=180s
- name: Install Kruise
run: |
make install-kruise-from-local
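Review bot: The `kubectl apply -f https://github.com/cert-manager/.../${{ env.CERT_MANAGER_VERSION }}/cert-manager.yaml` step, here and in the hunk at `@ -36,6 +37,10`, applies a remote manifest with no integrity check, so the test cluster trusts whatever the release tag resolves to at run time. Fetching the file first and verifying a pinned digest keeps the CI input reproducible: `curl -sSLo cert-manager.yaml <same URL>`, `echo "<SHA256_OF_MANIFEST>  cert-manager.yaml" | sha256sum -c`, `kubectl apply -f cert-manager.yaml`. The rollout wait covers only `deploy/cert-manager-webhook`; the chart's webhook templates in this commit rely on `cert-manager.io/inject-ca-from` annotations, which presumably need `deploy/cert-manager-cainjector` (and `deploy/cert-manager`) to be ready as well before the Kruise install runs. The enclosing job definitions start outside the hunk.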


@ -9,3 +9,4 @@ sources:
annotations:
artifacthub.io/changes: |
- "[Changed]: https://github.com/openkruise/kruise-game/blob/master/CHANGELOG.md"
- "[Added]: Support for cert-manager with CA injection"


@ -31,10 +31,56 @@ The following table lists the configurable parameters of the kruise-game chart a
| `network.totalWaitTime` | Maximum time to wait for network ready, the unit is seconds | `60` |
| `network.probeIntervalTime` | Time interval for detecting network status, the unit is seconds | `5` |
| `cloudProvider.installCRD` | Whether to install CloudProvider CRD | `true` |
| `certificates.autoGenerated` | Whether to auto-generate webhook certificates | `true` |
| `certificates.secretName` | Name of the secret containing webhook certificates | `kruise-game-certs` |
| `certificates.mountPath` | Path to mount webhook certificates in container | `/tmp/webhook-certs/` |
| `certificates.certManager.enabled` | Whether to use cert-manager for certificate management | `false` |
| `certificates.certManager.duration` | Certificate validity duration | `8760h0m0s` |
| `certificates.certManager.renewBefore` | Time before expiry to renew certificate | `5840h0m0s` |
| `certificates.certManager.generateCA` | Whether to generate a Certificate Authority | `true` |
| `certificates.certManager.caSecretName` | Name of the secret containing the CA certificate | `kruise-game-ca` |
| `certificates.certManager.issuer.generate` | Whether to generate the issuer automatically | `true` |
| `certificates.certManager.issuer.name` | Name of the certificate issuer | `kruise-ca` |
| `certificates.certManager.issuer.kind` | Type of the certificate issuer | `ClusterIssuer` |
| `certificates.certManager.issuer.group` | API group of the certificate issuer | `cert-manager.io` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
### Certificate Management
> **Important**: Kruise Game webhook requires TLS certificates for secure communication. Regardless of which certificate management method you choose, you must ensure that the webhook certificate is signed by a trusted CA certificate, and that the CA certificate is properly configured in the Kubernetes cluster so that the API Server can verify the webhook's identity.
Kruise Game supports two methods for webhook certificate management:
#### Auto-generated Certificates (Default)
By default, kruise-game uses auto-generated certificates for webhook TLS:
```bash
$ helm install kruise-game https://... --set certificates.autoGenerated=true
```
#### cert-manager Integration
For production environments, you can use cert-manager to manage webhook certificates:
```bash
$ helm install kruise-game https://... \
--set certificates.autoGenerated=false \
--set certificates.certManager.enabled=true \
```
You can also use a custom issuer instead of generating one:
```bash
$ helm install kruise-game https://... \
--set certificates.certManager.enabled=true \
--set certificates.certManager.issuer.generate=false \
--set certificates.certManager.issuer.name=my-custom-issuer \
--set certificates.certManager.issuer.kind=Issuer
```
### Optional: the local image for China
If you are in China and have problem to pull image from official DockerHub, you can use the registry hosted on Alibaba Cloud:


@ -0,0 +1,10 @@
{{- if and .Values.certificates.certManager.enabled .Values.certificates.certManager.issuer.generate }}
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: {{ .Values.kruiseGame.fullname }}-issuer
namespace: {{ .Values.installation.namespace }}
spec:
ca:
secretName: {{ .Values.certificates.certManager.caSecretName }}
{{- end }}
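Review bot: This Issuer omits the `additionalAnnotations` block that the selfsigned Issuer template in this commit renders under `metadata`, so annotation-driven tooling would see only one of the two issuers. Adding the same `{{- with .Values.additionalAnnotations }}` / `annotations:` / `{{- toYaml . | nindent 4 }}` / `{{- end }}` stanza here keeps the two templates consistent. When `generateCA` is false the Secret named by `caSecretName` is not created by the chart, which a comment at the top of this file should state, e.g. `{{- /* caSecretName must hold a CA key pair (tls.crt/tls.key) when generateCA is false */ -}}`.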


@ -0,0 +1,39 @@
{{- if .Values.certificates.certManager.enabled }}
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ .Values.kruiseGame.fullname }}-cert
namespace: {{ .Values.installation.namespace }}
spec:
commonName: {{ .Values.kruiseGame.fullname }}
dnsNames:
- {{ .Values.kruiseGame.webhook.serviceName }}.{{ .Values.installation.namespace }}
- {{ .Values.kruiseGame.webhook.serviceName }}.{{ .Values.installation.namespace }}.svc
- {{ .Values.kruiseGame.webhook.serviceName }}.{{ .Values.installation.namespace }}.svc.{{ .Values.clusterDomain }}
secretName: {{ .Values.certificates.secretName }}
usages:
- server auth
- client auth
privateKey:
rotationPolicy: Always
algorithm: RSA
size: 2048
duration: {{ .Values.certificates.certManager.duration }}
renewBefore: {{ .Values.certificates.certManager.renewBefore }}
issuerRef:
{{- if .Values.certificates.certManager.issuer.generate }}
name: {{ .Values.kruiseGame.fullname }}-issuer
kind: Issuer
group: cert-manager.io
{{- else }}
{{- if .Values.certificates.certManager.issuer.name }}
name: {{ .Values.certificates.certManager.issuer.name }}
{{- end }}
{{- if .Values.certificates.certManager.issuer.kind }}
kind: {{ .Values.certificates.certManager.issuer.kind }}
{{- end }}
{{- if .Values.certificates.certManager.issuer.group }}
group: {{ .Values.certificates.certManager.issuer.group }}
{{- end }}
{{- end }}
{{- end }}
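Review bot: In the custom-issuer branch under `issuerRef` (`{{- else }}`), `name`, `kind` and `group` are each emitted only when set, so an unset `issuer.name` renders a Certificate with no `issuerRef.name`, which fails at cert-manager admission instead of at Helm render time; the values file in this commit says all three are required in that case. Using `required` fails fast with a readable message: `name: {{ required "certificates.certManager.issuer.name is required when issuer.generate is false" .Values.certificates.certManager.issuer.name }}`, and likewise for `kind`. `usages` grants `client auth` to a certificate that, as far as the `dnsNames` and the webhook Service it names show, is only ever presented as a server; dropping `- client auth` keeps the key usage minimal.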


@ -0,0 +1,21 @@
{{- if and .Values.certificates.certManager.enabled .Values.certificates.certManager.generateCA .Values.certificates.certManager.issuer.generate }}
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ .Values.kruiseGame.fullname }}-ca
namespace: {{ .Values.installation.namespace }}
spec:
isCA: true
commonName: {{ .Values.kruiseGame.fullname }}
secretName: {{ .Values.certificates.certManager.caSecretName }}
privateKey:
rotationPolicy: Always
algorithm: RSA
size: 2048
duration: 8760h0m0s # 1 year
renewBefore: 720h0m0s # 1 month
issuerRef:
name: {{ .Values.kruiseGame.fullname }}-selfsigned-issuer
kind: Issuer
group: cert-manager.io
{{- end }}
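Review bot: `commonName` here is the same value the leaf Certificate in this commit uses, so the CA and the server certificate it signs share a subject; giving the CA its own name, `commonName: {{ .Values.kruiseGame.fullname }}-ca`, keeps issuer and subject distinguishable when the chain is inspected or logged. `duration`/`renewBefore` are fixed at one year/one month while the leaf's are values-driven, and with `rotationPolicy: Always` the CA key is replaced at each renewal; presumably the leaf keeps serving under the previous CA until its own renewal re-issues it with the matching `ca.crt`, which is worth confirming and recording in a comment above `rotationPolicy`. Like the Issuer template in this commit, this file lacks the `additionalAnnotations` block that the selfsigned Issuer renders.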


@ -0,0 +1,13 @@
{{- if and .Values.certificates.certManager.enabled .Values.certificates.certManager.generateCA .Values.certificates.certManager.issuer.generate }}
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
{{- with .Values.additionalAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ .Values.kruiseGame.fullname }}-selfsigned-issuer
namespace: {{ .Values.installation.namespace }}
spec:
selfSigned: {}
{{- end }}


@ -59,10 +59,15 @@ spec:
- --provider-config=/etc/kruise-game/config.toml
- --api-server-qps={{ .Values.kruiseGame.apiServerQps }}
- --api-server-qps-burst={{ .Values.kruiseGame.apiServerQpsBurst }}
- --gameserver-workers={{ .Values.kruiseGame.gameserverWorkers }}
- --gameserverset-workers={{ .Values.kruiseGame.gameserversetWorkers }}
- --scale-server-bind-address=:{{ .Values.scale.service.targetPort }}
{{- if .Values.prometheus.enabled }}
- --metrics-bind-address=:{{ .Values.prometheus.monitorService.port }}
{{- end }}
{{- if not .Values.certificates.autoGenerated }}
- --enable-cert-generation={{ .Values.certificates.autoGenerated }}
{{- end }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
name: manager
@ -98,17 +103,10 @@ spec:
volumeMounts:
- mountPath: /etc/kruise-game
name: provider-config
topologySpreadConstraints:
- labelSelector:
matchLabels:
control-plane: {{ .Values.kruiseGame.fullname }}
{{- if and ( eq (int .Capabilities.KubeVersion.Major) 1) ( gt (int .Capabilities.KubeVersion.Minor) 26 ) }}
matchLabelKeys:
- pod-template-hash
{{- end }}
maxSkew: 1
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: ScheduleAnyway
{{- if not .Values.certificates.autoGenerated }}
- mountPath: {{ .Values.certificates.mountPath }}
name: certificates
{{- end }}
serviceAccountName: {{ .Values.kruiseGame.fullname }}
terminationGracePeriodSeconds: 10
volumes:
@ -119,3 +117,10 @@ spec:
path: config.toml
name: kruise-game-manager-config
name: provider-config
{{- if not .Values.certificates.autoGenerated }}
- name: certificates
secret:
defaultMode: 420
secretName: {{ .Values.certificates.secretName}}
optional: {{ and .Values.certificates.autoGenerated ( not .Values.certificates.certManager.enabled ) }}
{{- end }}
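Review bot: `optional: {{ and .Values.certificates.autoGenerated ( not .Values.certificates.certManager.enabled ) }}` sits inside `{{- if not .Values.certificates.autoGenerated }}`, so `autoGenerated` is always false there and the expression always renders `false`; writing `optional: false` states the fail-closed intent directly. The same redundancy is in the first hunk, where `--enable-cert-generation={{ .Values.certificates.autoGenerated }}` under the same guard always renders `--enable-cert-generation=false`. `defaultMode: 420` (0644) leaves the webhook private key readable by any uid in the container; if the pod's securityContext (outside this hunk) sets a non-root user or fsGroup, `defaultMode: 256` (0400) or `288` (0440) would be tighter — confirm against it. The second hunk also drops the `topologySpreadConstraints` block, which looks unrelated to certificate handling; if that is intentional the commit description should say so.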


@ -0,0 +1,44 @@
{{- if not .Values.certificates.autoGenerated }}
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
annotations:
{{- if .Values.certificates.certManager.enabled }}
{{- if and (not .Values.certificates.certManager.generateCA) .Values.certificates.certManager.issuer.generate }}
cert-manager.io/inject-ca-from-secret: {{ .Values.installation.namespace }}/{{ .Values.certificates.certManager.caSecretName }}
{{- else }}
cert-manager.io/inject-ca-from: {{ .Values.installation.namespace }}/{{ .Values.kruiseGame.fullname }}-cert
{{- end }}
{{- end }}
labels:
app.kubernetes.io/name: {{ .Values.kruiseGame.fullname }}
name: kruise-game-mutating-webhook
webhooks:
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: {{ .Values.kruiseGame.webhook.serviceName }}
namespace: {{ .Values.installation.namespace }}
path: /mutate-v1-pod
failurePolicy: {{ .Values.kruiseGame.webhook.failurePolicy }}
matchPolicy: Equivalent
name: mgameserverset.kb.io
rules:
- operations:
- CREATE
- UPDATE
- DELETE
apiGroups:
- ""
apiVersions:
- v1
resources:
- pods
objectSelector:
matchExpressions:
- key: game.kruise.io/owner-gss
operator: Exists
sideEffects: None
{{- end}}
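Review bot: The `cert-manager.io/inject-ca-from-secret` branch (taken when `generateCA` is false and `issuer.generate` is true) points cainjector at a user-supplied Secret, and cainjector only reads such a Secret when it carries the label `cert-manager.io/allow-direct-injection: "true"` and a `ca.crt` key; nothing in this commit documents that requirement, so a missing label presumably leaves `caBundle` empty and, with `failurePolicy: Fail`, blocks admission of the matched objects. A comment above the annotation, `{{- /* the CA Secret must be labelled cert-manager.io/allow-direct-injection: "true" and contain ca.crt */ }}`, plus the same note in values.yaml, would prevent that. The same branch appears in the ValidatingWebhookConfiguration template in this commit. `{{- end}}` on the last line is inconsistent with the `{{- end }}` spacing used elsewhere in the file.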


@ -2,7 +2,7 @@
apiVersion: v1
kind: Service
metadata:
name: kruise-game-webhook-service
name: {{ .Values.kruiseGame.webhook.serviceName }}
namespace: {{ .Values.installation.namespace }}
spec:
ports:


@ -0,0 +1,42 @@
{{- if not .Values.certificates.autoGenerated }}
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
annotations:
{{- if .Values.certificates.certManager.enabled }}
{{- if and (not .Values.certificates.certManager.generateCA) .Values.certificates.certManager.issuer.generate }}
cert-manager.io/inject-ca-from-secret: {{ .Values.installation.namespace }}/{{ .Values.certificates.certManager.caSecretName }}
{{- else }}
cert-manager.io/inject-ca-from: {{ .Values.installation.namespace }}/{{ .Values.kruiseGame.fullname }}-cert
{{- end }}
{{- end }}
labels:
app.kubernetes.io/name: {{ .Values.kruiseGame.fullname }}
name: kruise-game-validating-webhook
webhooks:
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: {{ .Values.kruiseGame.webhook.serviceName }}
namespace: {{ .Values.installation.namespace }}
path: /validate-v1alpha1-gss
failurePolicy: {{ .Values.kruiseGame.webhook.failurePolicy }}
matchPolicy: Equivalent
name: vgameserverset.kb.io
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- game.kruise.io
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- gameserversets
sideEffects: None
timeoutSeconds: 10
{{- end}}


@ -11,16 +11,20 @@ kruiseGame:
fullname: kruise-game-controller-manager
healthBindPort: "8082"
webhook:
serviceName: kruise-game-webhook-service
port: 443
targetPort: 9876
failurePolicy: Fail
apiServerQps: 5
apiServerQpsBurst: 10
gameserverWorkers: 10
gameserversetWorkers: 10
replicaCount: 1
image:
repository: openkruise/kruise-game-manager
tag: v0.9.0
tag: v1.0.0
pullPolicy: Always
# Overrides the image tag whose default is the chart appVersion.
@ -64,3 +68,26 @@ network:
cloudProvider:
installCRD: true
indexOffsetScheduler:
enabled: false
# Kubernetes cluster domain
clusterDomain: cluster.local
certificates:
autoGenerated: true
secretName: kruise-game-certs
mountPath: /tmp/webhook-certs/
certManager:
enabled: false
duration: 8760h0m0s # 1 year
renewBefore: 5840h0m0s # 8 months
generateCA: true
caSecretName: "kruise-game-ca"
# -- Reference to custom Issuer. If issuer.generate is false, then issuer.group, issuer.kind and issuer.name are required
issuer:
generate: true
name: kruise-ca
kind: ClusterIssuer
group: cert-manager.io
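Review bot: `generateCA` and `caSecretName` carry no comment explaining that when `generateCA` is false the chart does not create the Secret and the operator must supply one in `installation.namespace`; the comment on `issuer` covers only the custom-issuer case. A line such as `# -- When generateCA is false, a Secret named caSecretName holding the CA key pair (tls.crt/tls.key) and ca.crt must already exist in installation.namespace` above `generateCA` would close that gap. `caSecretName: "kruise-game-ca"` is the only quoted string in the block while `secretName`, `name` and `kind` are plain; one style applied consistently reads better.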