CASMPET-6915: use newer plugin image and change it to daemonset
bo-quan committed Apr 5, 2024
1 parent a67e980 commit b7dc5fb
Showing 5 changed files with 16 additions and 54 deletions.
6 changes: 3 additions & 3 deletions kubernetes/cray-opa/Chart.yaml
Expand Up @@ -23,7 +23,7 @@
#
apiVersion: v2
name: cray-opa
version: 1.33.4
version: 1.34.1
description: Cray Open Policy Agent
keywords:
- opa
Expand All @@ -33,9 +33,9 @@ sources:
maintainers:
- name: bo-quan
- name: ndavidson-hpe
appVersion: 0.52.0
appVersion: 0.62.0
annotations:
artifacthub.io/images: |-
- name: cray-opa
image: artifactory.algol60.net/csm-docker/stable/docker.io/openpolicyagent/opa:0.52.0-envoy-rootless
image: artifactory.algol60.net/csm-docker/stable/docker.io/openpolicyagent/opa:0.62.0-envoy-rootless
artifacthub.io/license: MIT
@@ -1,7 +1,7 @@
{{/*
MIT License

(C) Copyright 2021-2022 Hewlett Packard Enterprise Development LP
(C) Copyright 2021-2024 Hewlett Packard Enterprise Development LP

Permission is hereby granted, free of charge, to any person obtaining a
copy of this software and associated documentation files (the "Software"),
Expand All @@ -22,29 +22,28 @@ ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
OTHER DEALINGS IN THE SOFTWARE.
*/}}
{{- range $name, $options:= .Values.ingresses }}
{{ $uuid := uuidv4 }}
---
apiVersion: apps/v1
kind: Deployment
kind: DaemonSet
metadata:
name: cray-opa-{{ $name }}
namespace: {{ $.Release.Namespace }}
spec:
replicas: {{ $.Values.opa.replicas }}
strategy:
updateStrategy:
{{- $.Values.opa.strategy | toYaml | nindent 4}}
selector:
matchLabels:
daemonset: cray-opa-{{ $name }}
app.kubernetes.io/name: cray-opa-{{ $name }}
app.kubernetes.io/instance: {{ $.Release.Name }}
app.kubernetes.io/managed-by: {{ $.Release.Service }}
template:
metadata:
labels:
daemonset: cray-opa-{{ $name }}
app.kubernetes.io/name: cray-opa-{{ $name }}
app.kubernetes.io/instance: {{ $.Release.Name }}
app.kubernetes.io/managed-by: {{ $.Release.Service }}
deployment/uuid: {{ $uuid }}
spec:
containers:
- image: {{ $.Values.image.repository }}:{{ $.Values.image.tag }}
Expand Down Expand Up @@ -151,34 +150,6 @@ spec:
- configMap:
name: cray-configmap-ca-public-key
name: fetch-jwt-certs-ca-vol
affinity:
{{- if eq $.Values.affinity.default "preferred" }}
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- cray-opa-{{ $name }}
topologyKey: kubernetes.io/hostname
{{- end }}
{{- if eq $.Values.affinity.default "required" }}
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: deployment/uuid
operator: In
values:
- {{ $uuid }}
topologyKey: kubernetes.io/hostname
{{- end }}
{{ if $options.affinity }}
{{ toYaml $options.affinity | indent 8 }}
{{- end }}
nodeSelector:
{{ toYaml $.Values.nodeSelector | indent 8 }}
tolerations:
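Review bot: `updateStrategy:` on the new side is still fed from `$.Values.opa.strategy`, but this same commit deletes the `opa.strategy` block from values.yaml, so with the chart defaults the pair renders as `updateStrategy:` followed by `null` (sprig `toYaml` of a nil value) and the DaemonSet silently falls back to the API default; either add a matching `opa.updateStrategy` value (a DaemonSet rejects a `rollingUpdate` with both `maxSurge` and `maxUnavailable` non-zero, so the old Deployment block cannot be reused as-is) or guard the two lines with `{{- with $.Values.opa.strategy }}` … `{{- end }}`. The `deployment/uuid: {{ $uuid }}` pod label survives although its only consumer, the required anti-affinity term removed in the third hunk, is gone; because `uuidv4` yields a fresh value on every render, each `helm upgrade` now changes the pod template and restarts the OPA pod on every node even when nothing else changed, so drop both the label and the `{{ $uuid := uuidv4 }}` line. Removing the `{{ if $options.affinity }}` branch also means any per-ingress `affinity` entry under `.Values.ingresses` is now ignored without a warning, which deserves a note in values.yaml or a `fail` in the template. The file header for this section is not shown on the page, and the `range` body continues past the last hunk.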
3 changes: 2 additions & 1 deletion kubernetes/cray-opa/templates/service.yaml
@@ -1,7 +1,7 @@
{{/*
MIT License

(C) Copyright 2021-2022 Hewlett Packard Enterprise Development LP
(C) Copyright 2021-2024 Hewlett Packard Enterprise Development LP

Permission is hereby granted, free of charge, to any person obtaining a
copy of this software and associated documentation files (the "Software"),
Expand Down Expand Up @@ -33,6 +33,7 @@ metadata:
app.kubernetes.io/instance: {{ $.Release.Name }}
app.kubernetes.io/managed-by: {{ $.Release.Service }}
spec:
internalTrafficPolicy: {{ $.Values.opa.internalTrafficPolicy }}
ports:
- name: http
port: {{ $.Values.opa.port }}
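Review bot: `internalTrafficPolicy: {{ $.Values.opa.internalTrafficPolicy }}` defaults to `Local` in values.yaml, which makes kube-proxy hand a caller only the OPA pod on its own node with no fallback to other nodes; a node that runs the Istio ext_authz caller but is excluded by the chart's `nodeSelector`, or whose OPA pod is not Ready, has no endpoint, and authorization on that node fails until the pod is back (fail-closed, the safe direction, but an availability cliff the chart should state). Suggest a comment above the line: `# Local: callers only reach the OPA pod on their own node, so the DaemonSet must cover every node that hosts an ext_authz caller`. As far as I recall the field is on by default from Kubernetes 1.22 (GA in 1.26) and is pruned by older API servers, in which case the Service silently behaves as `Cluster` — worth checking against the minimum supported cluster version. The Service `selector` lies outside the hunk, so I could not confirm it still matches the new DaemonSet pod labels.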
4 changes: 2 additions & 2 deletions kubernetes/cray-opa/tests/opa/Dockerfile
@@ -1,7 +1,7 @@
#
# MIT License
#
# (C) Copyright 2021-2022 Hewlett Packard Enterprise Development LP
# (C) Copyright 2021-2024 Hewlett Packard Enterprise Development LP
#
# Permission is hereby granted, free of charge, to any person obtaining a
# copy of this software and associated documentation files (the "Software"),
Expand Down Expand Up @@ -37,7 +37,7 @@ RUN cd src/run_tests && go mod download
RUN cd src/run_tests && go build .
RUN ls src/run_tests

FROM artifactory.algol60.net/csm-docker/stable/docker.io/openpolicyagent/opa:0.52.0-envoy-rootless
FROM artifactory.algol60.net/csm-docker/stable/docker.io/openpolicyagent/opa:0.62.0-envoy-rootless
WORKDIR /tmp
COPY --from=builder --chown=1000:1000 /go/src/run_tests/run_tests .
COPY --chown=1000:1000 tests/opa/certificate_authority.crt /jwtValidationFetchTls/certificate_authority.crt
18 changes: 4 additions & 14 deletions kubernetes/cray-opa/values.yaml
@@ -1,7 +1,7 @@
#
# MIT License
#
# (C) Copyright 2021-2022 Hewlett Packard Enterprise Development LP
# (C) Copyright 2021-2024 Hewlett Packard Enterprise Development LP
#
# Permission is hereby granted, free of charge, to any person obtaining a
# copy of this software and associated documentation files (the "Software"),
Expand All @@ -24,7 +24,7 @@
---
image:
repository: artifactory.algol60.net/csm-docker/stable/docker.io/openpolicyagent/opa
tag: 0.52.0-envoy-rootless # When changing this, also update tests/opa//Dockerfile.
tag: 0.62.0-envoy-rootless # When changing this, also update tests/opa/Dockerfile and precache image.
pullPolicy: IfNotPresent

priorityClassName: csm-high-priority-service
Expand Down Expand Up @@ -89,25 +89,20 @@ ingresses:
issuers: []

opa:
replicas: 3
internalTrafficPolicy: Local
port: 9191
containerPort: 9191
loglevel: info
query: data.istio.authz.allow # this should never really change
tls:
enabled: false # TODO once we have cert manager
secret: ""
strategy:
rollingUpdate:
maxSurge: 100%
maxUnavailable: 25%
type: RollingUpdate
resources:
requests:
memory: "128Mi"
cpu: "250m"
limits:
memory: "10Gi"
memory: "800Mi"
# Timeout defaults to 200ms if not specified. Setting it to 20s, an
# arbitrary long timeout, provides sufficient overhead to resolve
# CASMPET-1804/2570 "deadline exceeded" gRPC errors for the ext_authz filter.
Expand All @@ -126,11 +121,6 @@ opa:
heartbeat: false
tpmProvisioner: false

affinity:
# set default to 'preferred' for default preferred anti affinity rule
# set default to 'required' for default required anti affinity rule
default: required

jwtValidation:
keycloak:
jwksUri: "https://istio-ingressgateway.istio-system.svc.cluster.local./keycloak/realms/shasta/protocol/openid-connect/certs"
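Review bot: `limits.memory` drops from `"10Gi"` to `"800Mi"` with no comment on how the new figure was sized; OPA's resident memory grows with the policy and data bundles it loads, and a pod that reaches the limit is OOM-killed, which with the new `internalTrafficPolicy: Local` takes ext_authz for that whole node down until the pod restarts, so the rationale belongs next to the value, e.g. `memory: "800Mi"  # per-node DaemonSet pod; sized from observed usage — TODO confirm headroom`. `internalTrafficPolicy: Local` is added bare while the `affinity.default` keys it effectively replaces carried explanatory comments; matching the file's style with `internalTrafficPolicy: Local  # every node that calls OPA must run an OPA pod; Cluster allows cross-node fallback` would keep that convention. The enclosing `opa:` mapping continues past the second hunk, and the `ingresses:` block named in the hunk header starts above it, so I could not verify no other value references the removed `replicas` or `strategy` keys.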
