diff --git a/Makefile b/Makefile index a0b41fd..aef6ca3 100644 --- a/Makefile +++ b/Makefile @@ -163,7 +163,7 @@ $(ENVTEST): $(LOCALBIN) test -s $(LOCALBIN)/setup-envtest || GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest helmify: - $(call go-get-tool,$(HELMIFY),github.com/arttor/helmify/cmd/helmify@v0.3.7) + $(call go-get-tool,$(HELMIFY),github.com/arttor/helmify/cmd/helmify@v0.4.5) helm: manifests kustomize helmify $(KUSTOMIZE) build config/default | $(HELMIFY) \ No newline at end of file diff --git a/charts/jobs-manager-operator/templates/deployment.yaml b/charts/jobs-manager-operator/templates/deployment.yaml index cc38f5e..559f9fd 100644 --- a/charts/jobs-manager-operator/templates/deployment.yaml +++ b/charts/jobs-manager-operator/templates/deployment.yaml @@ -1,13 +1,3 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "chart.fullname" . }}-controller-manager - labels: - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: jobs-manager-operator - app.kubernetes.io/part-of: jobs-manager-operator - {{- include "chart.labels" . | nindent 4 }} ---- apiVersion: apps/v1 kind: Deployment metadata: @@ -49,14 +39,10 @@ spec: values: - linux containers: - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=0 + - args: {{- toYaml .Values.controllerManager.kubeRbacProxy.args | nindent 8 }} env: - name: KUBERNETES_CLUSTER_DOMAIN - value: {{ .Values.kubernetesClusterDomain }} + value: {{ quote .Values.kubernetesClusterDomain }} image: {{ .Values.controllerManager.kubeRbacProxy.image.repository }}:{{ .Values.controllerManager.kubeRbacProxy.image.tag | default .Chart.AppVersion }} name: kube-rbac-proxy 
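Review bot: Nothing in the template now ties the kube-rbac-proxy `--upstream=http://127.0.0.1:8080/` to the manager's `--metrics-bind-address=127.0.0.1:8080`, because the `args:` line in this hunk (-49,14) and the manager's `args:` in the next one (-66,20) both render their lists straight from values. Helm replaces list values wholesale instead of merging them, so an override that supplies only one extra flag drops the others, and the metrics endpoint may then be bound somewhere the proxy does not front. I would document the constraint in values.yaml above each list, e.g. `# Overriding args replaces the whole list; keep --metrics-bind-address on 127.0.0.1 so metrics stay behind kube-rbac-proxy`. The chart looks generated by the Makefile's `helm` target, so the comment may need re-applying after regeneration.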
@@ -66,20 +52,14 @@ spec: protocol: TCP resources: {{- toYaml .Values.controllerManager.kubeRbacProxy.resources | nindent 10 }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - - args: - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect + securityContext: {{- toYaml .Values.controllerManager.kubeRbacProxy.containerSecurityContext + | nindent 10 }} + - args: {{- toYaml .Values.controllerManager.manager.args | nindent 8 }} command: - /manager env: - name: KUBERNETES_CLUSTER_DOMAIN - value: {{ .Values.kubernetesClusterDomain }} + value: {{ quote .Values.kubernetesClusterDomain }} image: {{ .Values.controllerManager.manager.image.repository }}:{{ .Values.controllerManager.manager.image.tag | default .Chart.AppVersion }} livenessProbe: @@ -97,11 +77,8 @@ spec: periodSeconds: 10 resources: {{- toYaml .Values.controllerManager.manager.resources | nindent 10 }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL + securityContext: {{- toYaml .Values.controllerManager.manager.containerSecurityContext + | nindent 10 }} securityContext: runAsNonRoot: true serviceAccountName: {{ include "chart.fullname" . }}-controller-manager diff --git a/charts/jobs-manager-operator/templates/managedjob-crd.yaml b/charts/jobs-manager-operator/templates/managedjob-crd.yaml index 0202f7f..083fce4 100644 --- a/charts/jobs-manager-operator/templates/managedjob-crd.yaml +++ b/charts/jobs-manager-operator/templates/managedjob-crd.yaml @@ -747,7 +747,7 @@ spec: and the sum of memory limits of all containers in a pod. The default is nil which means that the limit is undefined. More info: - http://kubernetes.io/docs/user-guide/volumes#emptydir' + https://kubernetes.io/docs/concepts/storage/volumes#emptydir' pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object 
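Review bot: The container-level hardening no longer has a floor: `securityContext:` for kube-rbac-proxy in this hunk (-66,20) and for the manager in hunk -97,11 is whatever `containerSecurityContext` holds in the effective values, where before `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]` were fixed in the template. If the key is absent, `toYaml` renders `null` and the container is left with only the pod-level `runAsNonRoot: true`; whether an upgrade that reuses stored values hits this depends on the Helm flags used, so that is worth confirming. Failing the render is safer than dropping the settings silently, e.g. `securityContext: {{- toYaml (required "controllerManager.manager.containerSecurityContext must be set" .Values.controllerManager.manager.containerSecurityContext) | nindent 10 }}`, with the same guard on the kube-rbac-proxy container. `required` only catches the missing-key case, so an explicitly weakened override would still need an admission policy or a chart test to catch it. Both container definitions start or end outside these hunks.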
@@ -962,7 +962,8 @@ spec: \n This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. \n This field - is immutable." + is immutable. It can only be + set for containers." items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. @@ -1009,7 +1010,8 @@ spec: it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined - value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + value. Requests cannot exceed + Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object selector: @@ -2827,7 +2829,7 @@ spec: and the sum of memory limits of all containers in a pod. The default is nil which means that the limit is undefined. More info: - http://kubernetes.io/docs/user-guide/volumes#emptydir' + https://kubernetes.io/docs/concepts/storage/volumes#emptydir' pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object @@ -3042,7 +3044,8 @@ spec: \n This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. \n This field - is immutable." + is immutable. It can only be + set for containers." items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. @@ -3089,7 +3092,8 @@ spec: it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined - value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + value. Requests cannot exceed + Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object selector: 
@@ -4856,7 +4860,7 @@ spec: be the minimum value between the SizeLimit specified here and the sum of memory limits of all containers in a pod. The default is nil which means that - the limit is undefined. More info: http://kubernetes.io/docs/user-guide/volumes#emptydir' + the limit is undefined. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object @@ -5051,7 +5055,8 @@ spec: that are used by this container. \n This is an alpha field and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable." + feature gate. \n This field is immutable. + It can only be set for containers." items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. @@ -5094,7 +5099,8 @@ spec: a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + Requests cannot exceed Limits. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object selector: @@ -6747,7 +6753,7 @@ spec: between the SizeLimit specified here and the sum of memory limits of all containers in a pod. The default is nil which means that the limit is undefined. More - info: http://kubernetes.io/docs/user-guide/volumes#emptydir' + info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object 
@@ -6925,7 +6931,8 @@ spec: defined in spec.resourceClaims, that are used by this container. \n This is an alpha field and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable." + feature gate. \n This field is immutable. + It can only be set for containers." items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. @@ -6967,7 +6974,8 @@ spec: Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined - value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + value. Requests cannot exceed Limits. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object selector: diff --git a/charts/jobs-manager-operator/values.yaml b/charts/jobs-manager-operator/values.yaml index 63a3631..3b06d86 100644 --- a/charts/jobs-manager-operator/values.yaml +++ b/charts/jobs-manager-operator/values.yaml @@ -1,8 +1,18 @@ controllerManager: kubeRbacProxy: + args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=0 + containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL image: repository: gcr.io/kubebuilder/kube-rbac-proxy - tag: v0.14.2 + tag: v0.13.1 resources: limits: cpu: 500m @@ -11,9 +21,18 @@ controllerManager: cpu: 5m memory: 64Mi manager: + args: + - --health-probe-bind-address=:8081 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL image: repository: ghcr.io/lukaszraczylo/jobs-manager-operator - tag: latest + tag: 0.0.28 resources: limits: cpu: 500m @@ -22,6 +41,8 @@ controllerManager: cpu: 10m memory: 64Mi replicas: 1 + serviceAccount: + annotations: {} kubernetesClusterDomain: cluster.local metricsService: ports:
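Review bot: The default `tag` for kube-rbac-proxy moves backwards in hunk -1,8 of values.yaml, from `v0.14.2` to `v0.13.1`, which looks like a side effect of regenerating the chart rather than an intended change. This container serves the `--secure-listen-address` endpoint in front of the manager's metrics, so a downgrade gives up whatever fixes landed between the two releases. Unless there is a reason for it, keep `tag: v0.14.2` (or bump the source manifest the chart is generated from). Consider also pinning the image by digest so the deployed proxy cannot change under the same tag.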
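Review bot: `serviceAccount.annotations` is added in hunk -22,6 of values.yaml, but no template in the visible diff reads it. The same commit removes the `ServiceAccount` object from templates/deployment.yaml, while the Deployment still sets `serviceAccountName: {{ include "chart.fullname" . }}-controller-manager`. If a separate ServiceAccount template was generated but not added to the commit, the chart would install a Deployment whose pods cannot be created because the account does not exist, and any RBAC bindings would point at a missing subject. Please confirm that the template defining the ServiceAccount and consuming these annotations is part of the change.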