From 72954712b4baeb0c63c647ac869bdee85d98b11a Mon Sep 17 00:00:00 2001 From: gnmahanth Date: Wed, 4 Oct 2023 16:20:50 +0000 Subject: [PATCH] refactor deepfence-agent helm chart --- .../helm-charts/deepfence-agent/ReadMe.md | 28 ++-- .../deepfence-agent/templates/_helpers.tpl | 36 +++-- .../templates/cluster_role.yaml | 2 +- .../templates/cluster_role_binding.yaml | 6 +- .../deepfence-agent/templates/daemonset.yaml | 33 ++--- .../deepfence-agent/templates/deployment.yaml | 36 +++-- .../deepfence-agent/templates/secret.yaml | 15 +-- .../templates/serviceaccount.yaml | 8 +- .../helm-charts/deepfence-agent/values.yaml | 127 ++++++++++-------- 9 files changed, 147 insertions(+), 144 deletions(-) diff --git a/deployment-scripts/helm-charts/deepfence-agent/ReadMe.md b/deployment-scripts/helm-charts/deepfence-agent/ReadMe.md index 569a240fe7..0d48d65532 100644 --- a/deployment-scripts/helm-charts/deepfence-agent/ReadMe.md +++ b/deployment-scripts/helm-charts/deepfence-agent/ReadMe.md @@ -29,10 +29,15 @@ helm show values deepfence/deepfence-agent > deepfence_agent_values.yaml ``` - (Optional) Edit values file and set docker hub username and password (if using your own registry) ```yaml -registry: - name: "https://index.docker.io/v1/" - username: "<>" - password: "<>" +imagePullSecret: + # Specifies whether a image pull secret should be created + create: true + registry: "https://index.docker.io/v1/" + username: "" + password: "" + # The name of the imagePullSecret to use. + # If not set and create is true, a name is generated using the fullname template + name: "" ``` - Set Deepfence management console ip address ```yaml 
@@ -40,15 +45,10 @@ managementConsoleUrl: "" ``` - Set image tag ```yaml -image: - # deepfence agent runs as a daemonset in all nodes in the cluster - name: deepfenceio/deepfence_agent_ce - tag: 2.0.0 - # cluster agent runs as a single pod - clusterAgentImageName: deepfenceio/deepfence_cluster_agent_ce - clusterAgentImageTag: 2.0.0 - pullPolicy: Always - pullSecretName: deepfence-docker-secret +global: + # this image tag is used every where for agents + # to override set tag at agents level + imageTag: 2.0.0 ``` - Set deepfence auth key Set authentication key when it is enabled in management console @@ -99,5 +99,5 @@ kubectl get pods -n deepfence ### Delete ```bash -helm delete deepfence-agent -n deepfence +helm uninstall deepfence-agent -n deepfence ``` \ No newline at end of file diff --git a/deployment-scripts/helm-charts/deepfence-agent/templates/_helpers.tpl b/deployment-scripts/helm-charts/deepfence-agent/templates/_helpers.tpl index 31621baef6..bcf42abe29 100644 --- a/deployment-scripts/helm-charts/deepfence-agent/templates/_helpers.tpl +++ b/deployment-scripts/helm-charts/deepfence-agent/templates/_helpers.tpl @@ -43,15 +43,6 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{- end }} -{{- define "deepfence-cluster-agent.labels" -}} -helm.sh/chart: {{ include "deepfence-agent.chart" . }} -{{ include "deepfence-cluster-agent.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} - {{/* Selector labels */}} 
@@ -60,14 +51,31 @@ app.kubernetes.io/name: {{ include "deepfence-agent.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} -{{- define "deepfence-cluster-agent.selectorLabels" -}} -app.kubernetes.io/name: deepfence-cluster-agent -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} - {{/* Create secret to access docker registry */}} {{- define "imagePullSecret" }} {{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.registry.name (printf "%s:%s" .Values.registry.username .Values.registry.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Create the name of the imagePullSecret to use +*/}} +{{- define "deepfence-agent.imagePullSecretName" -}} +{{- if .Values.imagePullSecret.create }} +{{- default (include "deepfence-agent.fullname" .) .Values.imagePullSecret.name }} +{{- else }} +{{- .Values.imagePullSecret.name }} +{{- end }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "deepfence-agent.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "deepfence-agent.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} {{- end }} \ No newline at end of file diff --git a/deployment-scripts/helm-charts/deepfence-agent/templates/cluster_role.yaml b/deployment-scripts/helm-charts/deepfence-agent/templates/cluster_role.yaml index 6c0de175b5..5193dfbcbf 100644 --- a/deployment-scripts/helm-charts/deepfence-agent/templates/cluster_role.yaml +++ b/deployment-scripts/helm-charts/deepfence-agent/templates/cluster_role.yaml @@ -1,7 +1,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: deepfence-agent + name: {{ include "deepfence-agent.fullname" . }} labels: {{- include "deepfence-agent.labels" . | nindent 4 }} rules: 
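Review bot: The `imagePullSecret` template kept as context in this hunk still reads `.Values.registry.name`, `.Values.registry.username` and `.Values.registry.password`, but values.yaml in this same patch removes the top-level `registry` map and moves those fields under `imagePullSecret` (`registry`, `username`, `password`), so a render with `imagePullSecret.create: true` will fail on the now-missing `.Values.registry`. The line should read `{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.imagePullSecret.registry (printf "%s:%s" .Values.imagePullSecret.username .Values.imagePullSecret.password | b64enc) | b64enc }}`. A `helm template` run with `imagePullSecret.create=true` would have caught this and is worth adding to the chart's test matrix.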
diff --git a/deployment-scripts/helm-charts/deepfence-agent/templates/cluster_role_binding.yaml b/deployment-scripts/helm-charts/deepfence-agent/templates/cluster_role_binding.yaml index d0fd3cf6e7..54181589ec 100644 --- a/deployment-scripts/helm-charts/deepfence-agent/templates/cluster_role_binding.yaml +++ b/deployment-scripts/helm-charts/deepfence-agent/templates/cluster_role_binding.yaml @@ -1,14 +1,14 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: deepfence-agent + name: {{ include "deepfence-agent.fullname" . }} labels: {{- include "deepfence-agent.labels" . | nindent 4 }} roleRef: kind: ClusterRole - name: deepfence-agent + name: {{ include "deepfence-agent.fullname" . }} apiGroup: rbac.authorization.k8s.io subjects: - kind: ServiceAccount - name: {{ .Values.serviceAccount.name }} + name: {{ include "deepfence-agent.serviceAccountName" . }} namespace: {{ .Release.Namespace }} \ No newline at end of file diff --git a/deployment-scripts/helm-charts/deepfence-agent/templates/daemonset.yaml b/deployment-scripts/helm-charts/deepfence-agent/templates/daemonset.yaml index 2fc29052ab..82387dd79a 100644 --- a/deployment-scripts/helm-charts/deepfence-agent/templates/daemonset.yaml +++ b/deployment-scripts/helm-charts/deepfence-agent/templates/daemonset.yaml 
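Review bot: The binding's subject now comes from `deepfence-agent.serviceAccountName`, and that helper (added in `_helpers.tpl` in this patch) returns `default` when `serviceAccount.create` is false and `serviceAccount.name` is empty, so this ClusterRoleBinding would then attach the chart's ClusterRole to the namespace's `default` ServiceAccount and, through it, to every pod in the namespace that uses that account. The previous template bound whatever fixed name `.Values.serviceAccount.name` held and had no such fallback. Failing the render is the safer behaviour: in the helper's `else` branch use `{{- required "serviceAccount.name must be set when serviceAccount.create is false" .Values.serviceAccount.name }}` instead of `default "default"`.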
@@ -1,30 +1,30 @@ apiVersion: apps/v1 kind: DaemonSet metadata: - name: deepfence-agent - namespace: {{ .Release.Namespace }} + name: {{ include "deepfence-agent.fullname" . }} labels: {{- include "deepfence-agent.labels" . | nindent 4 }} + name: {{ include "deepfence-agent.fullname" . }} spec: selector: matchLabels: {{- include "deepfence-agent.selectorLabels" . | nindent 6 }} + name: {{ include "deepfence-agent.fullname" . }} updateStrategy: type: RollingUpdate template: metadata: labels: {{- include "deepfence-agent.selectorLabels" . | nindent 8 }} + name: {{ include "deepfence-agent.fullname" . }} spec: {{- if .Values.priorityClassName }} priorityClassName: {{ .Values.priorityClassName | quote }} {{- end }} - hostPID: true hostNetwork: true - serviceAccountName: {{ .Values.serviceAccount.name }} + serviceAccountName: {{ include "deepfence-agent.serviceAccountName" . }} dnsPolicy: ClusterFirstWithHostNet - volumes: {{- if .Values.mountContainerRuntimeSocket.dockerSock }} - name: docker-sock @@ -62,25 +62,19 @@ spec: emptyDir: {} - name: fenced-path-compliance-scan-logs emptyDir: {} - containers: - name: deepfence-agent - image: "{{ .Values.image.name }}:{{ .Values.image.tag }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} + image: "{{ .Values.agent.image.name }}:{{ default .Values.global.imageTag .Values.agent.image.tag }}" + imagePullPolicy: {{ .Values.agent.image.pullPolicy }} securityContext: privileged: true resources: - requests: - cpu: {{ .Values.resources.requests.cpu }} - memory: {{ .Values.resources.requests.memory }} - limits: - cpu: {{ .Values.resources.limits.cpu }} - memory: {{ .Values.resources.limits.memory }} + {{- toYaml .Values.agent.resources | nindent 12 }} env: - name: DEEPFENCE_KEY valueFrom: secretKeyRef: - name: "deepfence-key" + name: {{ include "deepfence-agent.fullname" . }}-key key: "deepfence-key" - name: USER_DEFINED_TAGS value: {{ .Values.userDefinedTags }} 
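Review bot: Adding `name: {{ include "deepfence-agent.fullname" . }}` under `spec.selector.matchLabels` changes the DaemonSet's selector, and `spec.selector` is immutable on apps/v1 workloads, so `helm upgrade` over a release installed from the previous chart will be rejected by the API server rather than roll the pods; the ReadMe should state that moving to this chart version requires `helm uninstall` and a fresh install. Dropping `hostPID: true` is a welcome reduction in host exposure, but it is a privilege change that the commit message ("refactor") does not mention and that presumably needs confirming against what the agent expects to see in the host PID namespace. The pod still runs with `hostNetwork: true` and, further down in this file, `privileged: true`, so the remaining footprint is worth a one-line comment on the DaemonSet explaining why those are needed. The pod spec continues past the end of this hunk.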
@@ -157,18 +151,15 @@ spec: name: fenced-path-compliance - mountPath: /var/log/fenced/compliance-scan-logs name: fenced-path-compliance-scan-logs - imagePullSecrets: - - name: {{ .Values.image.pullSecretName }} - - {{- with .Values.nodeSelector }} + {{- with .Values.agent.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.affinity }} + {{- with .Values.agent.affinity }} affinity: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.tolerations }} + {{- with .Values.agent.tolerations }} tolerations: {{- toYaml . | nindent 8 }} {{- end }} diff --git a/deployment-scripts/helm-charts/deepfence-agent/templates/deployment.yaml b/deployment-scripts/helm-charts/deepfence-agent/templates/deployment.yaml index 7e036f0a46..9e6b1cd464 100644 --- a/deployment-scripts/helm-charts/deepfence-agent/templates/deployment.yaml +++ b/deployment-scripts/helm-charts/deepfence-agent/templates/deployment.yaml @@ -1,10 +1,10 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: deepfence-cluster-agent - namespace: {{ .Release.Namespace }} + name: {{ include "deepfence-agent.fullname" . }}-cluster labels: - {{- include "deepfence-cluster-agent.labels" . | nindent 4 }} + {{- include "deepfence-agent.labels" . | nindent 4 }} + name: {{ include "deepfence-agent.fullname" . }}-cluster spec: replicas: 1 revisionHistoryLimit: 2 
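Review bot: The pod-level `imagePullSecrets` entry is removed here and the pull secret is now attached only through the ServiceAccount this chart creates, so with `serviceAccount.create: false` (an externally managed account) nothing in the rendered manifests references `imagePullSecret.name` and pulls from a private registry will fail. A guarded pod-level reference keeps the old behaviour in both cases; the Deployment in this patch drops the same lines and needs the same treatment. The new `image:` line also pairs a mutable tag (`global.imageTag`, `2.0.0` by default) with `pullPolicy: Always`, so every node restart re-resolves the tag; consider an optional digest so deployments can be pinned. The DaemonSet's pod spec begins before this hunk.
```yaml
      # … unchanged: volumeMounts …
      {{- with include "deepfence-agent.imagePullSecretName" . }}
      imagePullSecrets:
        - name: {{ . | quote }}
      {{- end }}
      {{- with .Values.agent.nodeSelector }}
```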
@@ -12,17 +12,20 @@ spec: type: RollingUpdate selector: matchLabels: - {{- include "deepfence-cluster-agent.selectorLabels" . | nindent 6 }} + {{- include "deepfence-agent.selectorLabels" . | nindent 6 }} + name: {{ include "deepfence-agent.fullname" . }}-cluster template: metadata: labels: - {{- include "deepfence-cluster-agent.selectorLabels" . | nindent 8 }} + {{- include "deepfence-agent.selectorLabels" . | nindent 8 }} + name: {{ include "deepfence-agent.fullname" . }}-cluster spec: hostNetwork: true + serviceAccountName: {{ include "deepfence-agent.serviceAccountName" . }} containers: - name: deepfence-cluster-agent - image: "{{ .Values.image.clusterAgentImageName }}:{{ .Values.image.clusterAgentImageTag }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} + image: "{{ .Values.cluster_agent.image.name }}:{{ default .Values.global.imageTag .Values.cluster_agent.image.tag }}" + imagePullPolicy: {{ .Values.cluster_agent.image.pullPolicy }} env: - name: MGMT_CONSOLE_URL value: "{{ required "managementConsoleUrl is required" .Values.managementConsoleUrl }}" @@ -31,7 +34,7 @@ spec: - name: DEEPFENCE_KEY valueFrom: secretKeyRef: - name: "deepfence-key" + name: {{ include "deepfence-agent.fullname" . }}-key key: "deepfence-key" - name: DF_CLUSTER_NAME value: "{{ .Values.clusterName }}" 
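Review bot: The Deployment's `spec.selector.matchLabels` switches from `deepfence-cluster-agent.selectorLabels` to `deepfence-agent.selectorLabels` plus a `name` label, and a Deployment selector is immutable, so upgrading an existing release from the previous chart will fail at apply time; this needs to be called out alongside the `helm uninstall` change in the ReadMe. The pod spec keeps `hostNetwork: true` but, unlike the DaemonSet in this patch, the visible lines set no `dnsPolicy`; if it is not set further down (outside the hunk), the pod uses the node's resolver and an in-cluster `managementConsoleUrl` will not resolve, so `dnsPolicy: ClusterFirstWithHostNet` should follow `hostNetwork: true` here as well. The pod spec continues beyond this hunk.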
@@ -57,25 +60,16 @@ spec: fieldRef: fieldPath: metadata.namespace resources: - requests: - cpu: {{ .Values.clusterAgentResources.requests.cpu }} - memory: {{ .Values.clusterAgentResources.requests.memory }} - limits: - cpu: {{ .Values.clusterAgentResources.limits.cpu }} - memory: {{ .Values.clusterAgentResources.limits.memory }} - serviceAccountName: {{ .Values.serviceAccount.name }} - imagePullSecrets: - - name: {{ .Values.image.pullSecretName }} - - {{- with .Values.clusterAgentNodeSelector }} + {{- toYaml .Values.cluster_agent.resources | nindent 12 }} + {{- with .Values.cluster_agent.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.clusterAgentAffinity }} + {{- with .Values.cluster_agent.affinity }} affinity: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.clusterAgentTolerations }} + {{- with .Values.cluster_agent.tolerations }} tolerations: {{- toYaml . | nindent 8 }} {{- end }} diff --git a/deployment-scripts/helm-charts/deepfence-agent/templates/secret.yaml b/deployment-scripts/helm-charts/deepfence-agent/templates/secret.yaml index 627bc2f065..37f482ef55 100644 --- a/deployment-scripts/helm-charts/deepfence-agent/templates/secret.yaml +++ b/deployment-scripts/helm-charts/deepfence-agent/templates/secret.yaml @@ -1,12 +1,11 @@ --- -{{- if .Values.registry.createRegistrySecret }} +{{- if .Values.imagePullSecret.create }} apiVersion: v1 kind: Secret metadata: - name: {{ .Values.image.pullSecretName }} + name: {{ include "deepfence-agent.imagePullSecretName" . }} labels: {{- include "deepfence-agent.labels" . | nindent 4 }} - namespace: {{ .Release.Namespace }} type: kubernetes.io/dockerconfigjson data: .dockerconfigjson: "{{ template "imagePullSecret" . }}" 
@@ -16,16 +15,10 @@ data: apiVersion: v1 kind: Secret metadata: - name: deepfence-key + name: {{ include "deepfence-agent.fullname" . }}-key labels: {{- include "deepfence-agent.labels" . | nindent 4 }} - namespace: {{ .Release.Namespace }} type: Opaque data: -{{- if .Values.deepfenceKey }} - deepfence-key: "{{ .Values.deepfenceKey | b64enc }}" -{{- else }} - deepfence-key: "" + deepfence-key: {{ required "deepfenceKey is required" .Values.deepfenceKey | b64enc }} {{- end }} -{{- end }} ---- \ No newline at end of file diff --git a/deployment-scripts/helm-charts/deepfence-agent/templates/serviceaccount.yaml b/deployment-scripts/helm-charts/deepfence-agent/templates/serviceaccount.yaml index 030cefb46e..552a496784 100644 --- a/deployment-scripts/helm-charts/deepfence-agent/templates/serviceaccount.yaml +++ b/deployment-scripts/helm-charts/deepfence-agent/templates/serviceaccount.yaml @@ -1,11 +1,15 @@ +{{- if .Values.serviceAccount.create }} apiVersion: v1 kind: ServiceAccount metadata: - name: {{ .Values.serviceAccount.name }} + name: {{ include "deepfence-agent.serviceAccountName" . }} namespace: {{ .Release.Namespace }} labels: {{- include "deepfence-agent.labels" . | nindent 4 }} {{- with .Values.serviceAccount.annotations }} annotations: {{- toYaml . | nindent 4 }} - {{- end }} \ No newline at end of file + {{- end }} +imagePullSecrets: + - name: {{ include "deepfence-agent.imagePullSecretName" . }} +{{- end }} \ No newline at end of file diff --git a/deployment-scripts/helm-charts/deepfence-agent/values.yaml b/deployment-scripts/helm-charts/deepfence-agent/values.yaml index da0ee7ffc4..94373b2ba6 100644 --- a/deployment-scripts/helm-charts/deepfence-agent/values.yaml +++ b/deployment-scripts/helm-charts/deepfence-agent/values.yaml 
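Review bot: The key Secret is renamed from the fixed `deepfence-key` to `{{ include "deepfence-agent.fullname" . }}-key`, and both workloads in this patch now reference that derived name, so users who set `createDeepfenceKeySecret: false` (the `{{- if }}` that the remaining `{{- end }}` closes sits above this hunk) must now pre-create a Secret whose name depends on the release and chart name, with no value to override it. Wrapping the value in `required` is the right fail-closed choice, since the old template silently shipped an empty key, but it means a default install now aborts at render time. Add next to `createDeepfenceKeySecret` in values.yaml: `# When false, provide a Secret named <release fullname>-key containing the key "deepfence-key"`.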
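Review bot: With the chart defaults (`imagePullSecret.create: false`, `imagePullSecret.name: ""`) the new `imagePullSecretName` helper returns an empty string, so the ServiceAccount renders `imagePullSecrets: - name:` with a null name, which the API server is likely to reject and which is at best a dangling reference. Guarding the block on the helper's output keeps the ServiceAccount valid when no pull secret is configured. Note also that a ServiceAccount-level pull secret only reaches pods that actually use this account, which matters because the pod-level references were removed elsewhere in this patch.
```yaml
{{- with include "deepfence-agent.imagePullSecretName" . }}
imagePullSecrets:
  - name: {{ . | quote }}
{{- end }}
```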
@@ -1,32 +1,78 @@ -# Default values for deepfence. +# Default values for deepfence-agent. # This is a YAML-formatted file. # Declare variables to be passed into your templates. -registry: - name: "https://index.docker.io/v1/" - # Set docker hub username and password provided by Deepfence - # This will create a secret called "deepfence-docker-secret" +nameOverride: "" +fullnameOverride: "" + +global: + # this image tag is used every where for agents + # to override set tag at agents level + imageTag: 2.0.0 + +imagePullSecret: + # Specifies whether a image pull secret should be created + create: false + registry: "https://index.docker.io/v1/" username: "" password: "" - # If kubernetes secret is already defined externally, change following value to false - # https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - createRegistrySecret: true - -image: - # deepfence agent runs as a daemonset in all nodes in the cluster - name: deepfenceio/deepfence_agent_ce - tag: 2.0.0 - # cluster agent runs as a single pod - clusterAgentImageName: deepfenceio/deepfence_cluster_agent_ce - clusterAgentImageTag: 2.0.0 - pullPolicy: Always - pullSecretName: deepfence-docker-secret - + # The name of the imagePullSecret to use. 
+ # If not set and create is true, a name is generated using the fullname template + name: "" + +# deepfence agent runs as a daemonset in all nodes in the cluster +agent: + image: + name: deepfenceio/deepfence_agent_ce + # tag: 2.0.0 + pullPolicy: Always + affinity: {} + nodeSelector: + kubernetes.io/os: linux + # kubernetes.io/arch: amd64 + tolerations: + - operator: "Exists" + effect: "NoSchedule" + - operator: "Exists" + effect: "NoExecute" + resources: + requests: + cpu: 150m + memory: 512Mi + limits: + cpu: 1500m + memory: 1536Mi + +# cluster agent runs as a single pod +cluster_agent: + image: + name: deepfenceio/deepfence_cluster_agent_ce + # tag: 2.0.0 + pullPolicy: Always + affinity: {} + nodeSelector: + kubernetes.io/os: linux + # kubernetes.io/arch: amd64 + tolerations: + - operator: "Exists" + effect: "NoSchedule" + - operator: "Exists" + effect: "NoExecute" + resources: + requests: + cpu: 25m + memory: 80Mi + limits: + cpu: 1500m + memory: 1536Mi + +# required deepfence management console url and port managementConsoleUrl: "" managementConsolePort: "443" # Auth: Get deepfence api key from UI -> Settings -> User Management deepfenceKey: "" + # If kubernetes secret is already defined externally, change following value to false createDeepfenceKeySecret: true 
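Review bot: `deepfenceKey: ""` stays the default while `createDeepfenceKeySecret: true` is kept, and secret.yaml in this patch now wraps the key in `required`, so an install with default values fails at render time; the comment above it should say so: `# Required when createDeepfenceKeySecret is true; pass via --set deepfenceKey=... or a values file kept out of version control`. `imagePullSecret.username`/`password` likewise put a registry credential in the values file and therefore in the Helm release record, so the comment should recommend `create: false` with a pre-created `kubernetes.io/dockerconfigjson` Secret for anything beyond a throwaway cluster. On style, `cluster_agent` is the only snake_case top-level key next to `imagePullSecret`, `serviceAccount` and `managementConsoleUrl`; `clusterAgent` would match the rest of the file. The comment `this image tag is used every where` should read `everywhere`.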
@@ -57,45 +103,12 @@ mountContainerRuntimeSocket: # Change if socket path is not the following crioSockPath: "/var/run/crio/crio.sock" -resources: - requests: - cpu: 150m - memory: 512Mi - limits: - cpu: 1500m - memory: 1536Mi - -clusterAgentResources: - requests: - cpu: 25m - memory: 80Mi - limits: - cpu: 1500m - memory: 1536Mi - -nodeSelector: {"kubernetes.io/os": "linux"} -# "kubernetes.io/arch": "amd64" -clusterAgentNodeSelector: {"kubernetes.io/os": "linux"} - -tolerations: - - operator: "Exists" - effect: "NoSchedule" - - operator: "Exists" - effect: "NoExecute" - -clusterAgentTolerations: - - operator: "Exists" - effect: "NoSchedule" - - operator: "Exists" - effect: "NoExecute" - -affinity: {} -clusterAgentAffinity: {} serviceAccount: + # Specifies whether a service account should be created + create: true # Annotations to add to the service account annotations: {} - name: "deepfence-agent" - -nameOverride: "" -fullnameOverride: "" + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: ""
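Review bot: The comment on `serviceAccount.name` documents only the `create: true` case; when `create` is false and the name is left empty, the helper added in this patch falls back to `default`, and the ClusterRoleBinding then targets the namespace's `default` ServiceAccount. Since that silently widens who holds the agent's cluster-wide permissions, add `# If create is false, name must be set; leaving it empty binds the ClusterRole to the namespace's "default" ServiceAccount` so the consequence is visible where the value is set.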