helm: allow annotations to be set for preflight resources #27860
Conversation
f5b2658 to
370b4e6
Compare
|
Thanks for the PR! Please note that Travis is failing because some files have not been regenerated: |
|
Thanks, @gandro! I've been focused on getting the |
I'm not sure I entirely understand your proposal. Would the idea be to have global annotations value that applies to all resources (preflight and regular deployments?). I think that's also a fine approach, though there is always a danger that contributors who add new resources might miss that they need to make the annotations customizable, which could lead to inconsistencies over time. Maybe we should have a CI or lint check for that if we decide to annotate all resources. |
So this is part of the diff of what I'm currently working on. I've created an +# -- Annotations to be added to all top-level cilium-agent objects (resources under templates/cilium-agent)
+annotations: {}
+
# -- Security Context for cilium-agent pods.
podSecurityContext: {}
@@ -965,6 +968,9 @@ hubble:
# -- Enable Hubble (true by default).
enabled: true
+ # -- Annotations to be added to all top-level hubble objects (resources under templates/hubble)
+ annotations: {}
+
# -- Buffer size of the channel Hubble uses to receive monitor events. If this
# value is not set, the queue size is set to the default monitor queue size.
# eventQueueSize: ""
@@ -1177,6 +1183,9 @@ hubble:
# -- Additional hubble-relay environment variables.
extraEnv: []
+ # -- Annotations to be added to all top-level hubble-relay objects (resources under templates/hubble-relay)
+ annotations: {}
+
# -- Annotations to be added to hubble-relay pods
podAnnotations: {}
@@ -1432,6 +1441,9 @@ hubble:
# -- The number of replicas of Hubble UI to deploy.
replicas: 1
+ # -- Annotations to be added to all top-level hubble-ui objects (resources under templates/hubble-ui)
+ annotations: {}
+This does increase the scope of this PR quite a bit, so can revisit this later if that's preferred. |
Ah, thanks for the details! Yeah I think that does make sense too. I'm fine both with extending this PR to add top-level values, or creating a new PR for that. |
370b4e6 to
5aac862
Compare
|
Apologies for the delay. I've pushed what I came up with. While doing this, I had a couple of notes and questions I wanted to bring up. I can make any changes as needed based on feedback.
|
|
This is excellent work! I'll leave a few minor nits in inline comments.
The current solution looks good to me, though I think it might be simpler to use the top-level annotations for all TLS resources, regardless if provided or not.
Yeah, I think we can always add more annotations if needed. From what I can tell, your current choice looks good to me.
Yeah, the if guards look good to me overall. I think that's a good solution.
The PR is already pretty large. I think that is better done in a follow-up PR, but I don't think it's a must-have. |
| @@ -2472,6 +2472,10 @@ | |||
| - Affinity for cilium-preflight | |||
| - object | |||
| - ``{"podAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium"}},"topologyKey":"kubernetes.io/hostname"}]}}`` | |||
| * - :spelling:ignore:`preflight.annotations` | |||
There was a problem hiding this comment.
nit: Please squash this into the previous commit
| @@ -60,12 +60,14 @@ contributors across the globe, there is almost always someone available to help. | |||
| | aksbyocni.enabled | bool | `false` | Enable AKS BYOCNI integration. Note that this is incompatible with AKS clusters not created in BYOCNI mode: use Azure integration (`azure.enabled`) instead. | | |||
| | alibabacloud.enabled | bool | `false` | Enable AlibabaCloud ENI integration | | |||
| | annotateK8sNode | bool | `false` | Annotate k8s node upon initialization with Cilium's metadata. | | |||
| | annotations | object | `{}` | Annotations to be added to all top-level cilium-agent objects (resources under templates/cilium-agent) | | |||
There was a problem hiding this comment.
Same as above: Please squash into the previous commit. That way we can use "git bisect" to build without errors
There was a problem hiding this comment.
So to make sure I'm clear, should I end up with two commits like these, or just one commit like the bottom one?
- helm: allow annotations to be set for preflight resources
- helm: allow annotations to be set on nearly all resources
edit:
For the PR feedback, should that be in another commit, or would you like it amended to the helm: allow annotations to be set on nearly all resources commit?
There was a problem hiding this comment.
I think just having the two commits that you outlined will yield a clean git history, that sounds good to me. No need to put the PR feedback in a separate commit, since GitHub can show us those diffs too (as long as you don't change the commits and rebase at the same time).
install/kubernetes/cilium/templates/cilium-nodeinit/serviceaccount.yaml
Outdated
Show resolved
Hide resolved
install/kubernetes/cilium/templates/clustermesh-apiserver/tls-certmanager/admin-secret.yaml
Outdated
Show resolved
Hide resolved
install/kubernetes/cilium/templates/hubble/tls-certmanager/relay-client-secret.yaml
Outdated
Show resolved
Hide resolved
4bde1ae to
cca13be
Compare
|
Thank you for all the feedback! I'm just getting back from being out a few and will work on address this tomorrow. |
|
@bradwhitfield Feel free to move it out of draft once you've addressed all the review comments, and it's ready for review. |
Currently preflight resources, except the serviceaccount, do not allow annotations to be configured at the top level of the resources. This patch adds support for adding annotations. Adding annotations at the top level of resources (not just in pod templates) will allow for use cases like ArgoCD and helm hooks. Signed-off-by: Brad Whitfield <bradswhitfield@gmail.com>
Currently most resources don't allow for setting custom annotations at the top level of the resources. This change allows chart consumers to define annotations for these resources breaking them up by resources under "templates" and additional fine-grained annotations for `tls.auto` resources. Adding annotations at the top level of resources (not just in pod templates) will allow for use cases like ArgoCD and helm hooks. Signed-off-by: Brad Whitfield <bradswhitfield@gmail.com>
77b6173 to
9e4b20b
Compare
…eedback Signed-off-by: Brad Whitfield <bradswhitfield@gmail.com>
9e4b20b to
dea1d18
Compare
|
I think this is ready. I see that the check failed, but I did amend the commit to fix that. It doesn't appear to have retriggered the build if I'm parsing things correctly. Is there a way I can trigger that? |
|
Review was requested from sig-servicemesh, but no one was specifically assigned for reviews. /cc @cilium/sig-servicemesh |
|
Let's run CI as well, before we merge |
|
/test |
|
All required tests have passed. The failing tests are not blockers:
Marking again as ready to merge. There is an outstanding request from sig-servicemesh, but Nick (who is part of that team) has already reviewed. |
| annotations: | ||
| {{- toYaml .Values.serviceAccounts.cilium.annotations | nindent 4 }} | ||
| {{- end }} | ||
| {{- if or .Values.serviceAccounts.cilium.annotations .Values.annotations }} | ||
| annotations: | ||
| {{- with .Values.annotations }} | ||
| {{- toYaml . | nindent 4 }} | ||
| {{- end }} | ||
| {{- with .Values.serviceAccounts.cilium.annotations }} | ||
| {{- toYaml . | nindent 4 }} | ||
| {{- end }} | ||
| {{- end }} |
There was a problem hiding this comment.
@bradwhitfield This is causing a duplicate annotations key if .Values.serviceAccounts.cilium.annotations is specified in the Helm release. Would you mind sending in a PR to fix this?
Fixes cilium#27860 Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com>
Fixes #27860 Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com>
Fixes cilium#27860 Signed-off-by: Marcel Zieba <marcel.zieba@isovalent.com>
Currently preflight resources, except the serviceaccount, do not allow annotations to be configured at the top level of the resources. This patch adds support for adding annotations.
Adding annotations at the top level of resources (not just in pod templates) will allow for use cases like ArgoCD and helm hooks.
Please ensure your pull request adheres to the following guidelines:
description and a
Fixes: #XXXline if the commit addresses a particularGitHub issue.
Fixes: <commit-id>tag, thenplease add the commit author[s] as reviewer[s] to this issue.