From 4db09e0c90edbad3d9e685bfc3a022412ef4f0fd Mon Sep 17 00:00:00 2001 From: Mark Mercado Date: Fri, 26 Jan 2024 10:09:08 -0500 Subject: [PATCH 01/17] Create v1.0.0 and add "Releasing information" --- CHANGELOG.md | 2 +- Chart.yaml | 2 +- README.md | 8 ++++++++ 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6ab3e082..b03e304c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ # Changelog -## In Development +## v1.0.0 * Bump to latest CircleCI orb versions (kubernetes@1.3.1 and helm@3.0.0 by @ZoeLeah) * Remove unsupported k8s Versions (1.24.x and 1.25.x by @ZoeLeah) * Update and add new K8s versions (1.28.3, 1.27.7 and 1.26.10 by @ZoeLeah) diff --git a/Chart.yaml b/Chart.yaml index 6d01f67c..8f450441 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 # StackStorm version which refers to Docker images tag appVersion: "3.8" name: stackstorm-ha -version: 0.110.0 +version: 1.0.0 description: StackStorm K8s Helm Chart, optimized for running StackStorm in HA environment. home: https://stackstorm.com/ icon: https://landscape.cncf.io/logos/stack-storm.svg diff --git a/README.md b/README.md index 562d81f2..48d16c8f 100644 --- a/README.md +++ b/README.md 
@@ -369,3 +369,11 @@ This approach allows not only extending sub-chart with custom objects and templa but also adds flexibility to include many sub-chart dependencies and pin versions as well as include all the sub-chart values in one single place. This approach is infra-as-code friendly and more reproducible. See official Helm documentation about [Subcharts](https://helm.sh/docs/chart_template_guide/#subcharts-and-global-values) and [Dependencies](https://helm.sh/docs/developing_charts/#managing-dependencies-manually-via-the-charts-directory). + +## Releasing information +In order to create a release, the steps are as follows: +1. Create a pull request by updating [CHANGELOG.md](./CHANGELOG.md) by replacing the "In Development" heading with the new version, and [Chart.yaml](./Chart.yaml) by replacing the `version` value. +2. Once the pull request is merged, create and push the matching tag (for example, if you are creating release `v1.0.0`, then the tag should also be `v1.0.0`). +3. After the tag is pushed, create the corresponding [release](https://github.com/StackStorm/stackstorm-k8s/releases). +4. After the release is created, switch to the `gh-pages` branch, and generate the updated [Helm index](https://helm.sh/docs/helm/helm_repo_index/), [package](https://helm.sh/docs/helm/helm_package/) and [provenance](https://helm.sh/docs/topics/provenance/). +5. After committing and pushing the changes in the previous step, verify that the new release is present on [ArtifactHub](https://artifacthub.io/packages/helm/stackstorm/stackstorm-ha). From 3390cd55f7ebc94bd3eae237c81ad01aa91c823c Mon Sep 17 00:00:00 2001 From: Brandon Marick Date: Tue, 6 Feb 2024 21:07:19 -0800 Subject: [PATCH 02/17] Remove label from deployments for datastore key when disabled --- templates/deployments.yaml | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/templates/deployments.yaml b/templates/deployments.yaml index 9620458a..634196ed 100644 
--- a/templates/deployments.yaml
+++ b/templates/deployments.yaml
@@ -164,7 +164,9 @@ spec:
 labels: {{- include "stackstorm-ha.labels" (list $ "st2api") | nindent 8 }}
 annotations:
 checksum/config: {{ include (print $.Template.BasePath "/configmaps_st2-conf.yaml") . | sha256sum }}
+ {{- if and (ne "disable" (default "" .Values.st2.datastore_crypto_key)) (not .Values.st2.existingDatastoreSecret) }}
 checksum/datastore-key: {{ include (print $.Template.BasePath "/secrets_datastore_crypto_key.yaml") . | sha256sum }}
+ {{- end }}
 {{- if .Values.st2api.postStartScript }}
 checksum/post-start-script: {{ .Values.st2api.postStartScript | sha256sum }}
 {{- end }}
@@ -548,7 +550,9 @@ spec:
 labels: {{- include "stackstorm-ha.labels" (list $ "st2rulesengine") | nindent 8 }}
 annotations:
 checksum/config: {{ include (print $.Template.BasePath "/configmaps_st2-conf.yaml") . | sha256sum }}
+ {{- if and (ne "disable" (default "" .Values.st2.datastore_crypto_key)) (not .Values.st2.existingDatastoreSecret) }}
 checksum/datastore-key: {{ include (print $.Template.BasePath "/secrets_datastore_crypto_key.yaml") . | sha256sum }}
+ {{- end }}
 {{- if .Values.st2rulesengine.postStartScript }}
 checksum/post-start-script: {{ .Values.st2rulesengine.postStartScript | sha256sum }}
 {{- end }}
@@ -769,7 +773,9 @@ spec:
 labels: {{- include "stackstorm-ha.labels" (list $ "st2workflowengine") | nindent 8 }}
 annotations:
 checksum/config: {{ include (print $.Template.BasePath "/configmaps_st2-conf.yaml") . | sha256sum }}
+ {{- if and (ne "disable" (default "" .Values.st2.datastore_crypto_key)) (not .Values.st2.existingDatastoreSecret) }}
 checksum/datastore-key: {{ include (print $.Template.BasePath "/secrets_datastore_crypto_key.yaml") . | sha256sum }}
+ {{- end }}
 {{- if .Values.st2workflowengine.postStartScript }}
 checksum/post-start-script: {{ .Values.st2workflowengine.postStartScript | sha256sum }}
 {{- end }}
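Review bot: Dropping the `checksum/datastore-key` annotation whenever `st2.existingDatastoreSecret` is set means that a rotated key in that externally managed Secret no longer triggers a rollout of st2api, st2rulesengine or st2workflowengine; the pods keep using the old key until something else restarts them. That is a defensible trade-off (the chart cannot hash a Secret it does not render), but it belongs next to `existingDatastoreSecret` in values.yaml so operators plan for it: `# NOTE: with an existing secret the chart cannot detect key changes; restart the st2 deployments yourself after rotating it`. The guard also treats an unset `datastore_crypto_key` (default `""`) as enabled, so it must mirror the guard inside secrets_datastore_crypto_key.yaml exactly; that template is not in this patch, so I cannot confirm the two agree. The Deployment specs these annotations belong to start and end outside the hunk.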
@@ -886,7 +892,9 @@ spec:
 labels: {{- include "stackstorm-ha.labels" (list $ "st2scheduler") | nindent 8 }}
 annotations:
 checksum/config: {{ include (print $.Template.BasePath "/configmaps_st2-conf.yaml") . | sha256sum }}
+ {{- if and (ne "disable" (default "" .Values.st2.datastore_crypto_key)) (not .Values.st2.existingDatastoreSecret) }}
 checksum/datastore-key: {{ include (print $.Template.BasePath "/secrets_datastore_crypto_key.yaml") . | sha256sum }}
+ {{- end }}
 {{- if .Values.st2scheduler.postStartScript }}
 checksum/post-start-script: {{ .Values.st2scheduler.postStartScript | sha256sum }}
 {{- end }}
@@ -1137,7 +1145,9 @@ spec:
 annotations:
 checksum/config: {{ include (print $.Template.BasePath "/configmaps_st2-conf.yaml") $ | sha256sum }}
 checksum/packs: {{ include (print $.Template.BasePath "/configmaps_packs.yaml") $ | sha256sum }}
- checksum/datastore-key: {{ include (print $.Template.BasePath "/secrets_datastore_crypto_key.yaml") $ | sha256sum }}
+ {{- if and (ne "disable" (default "" .Values.st2.datastore_crypto_key)) (not .Values.st2.existingDatastoreSecret) }}
+ checksum/datastore-key: {{ include (print $.Template.BasePath "/secrets_datastore_crypto_key.yaml") . | sha256sum }}
+ {{- end }}
 {{- if $.Values.st2sensorcontainer.postStartScript }}
 checksum/post-start-script: {{ $.Values.st2sensorcontainer.postStartScript | sha256sum }}
 {{- end }}
@@ -1318,7 +1328,9 @@ spec:
 annotations:
 checksum/config: {{ include (print $.Template.BasePath "/configmaps_st2-conf.yaml") . | sha256sum }}
 checksum/ssh: {{ include (print $.Template.BasePath "/secrets_ssh.yaml") . | sha256sum }}
+ {{- if and (ne "disable" (default "" .Values.st2.datastore_crypto_key)) (not .Values.st2.existingDatastoreSecret) }}
 checksum/datastore-key: {{ include (print $.Template.BasePath "/secrets_datastore_crypto_key.yaml") . | sha256sum }}
+ {{- end }}
 {{- if .Values.st2actionrunner.postStartScript }}
 checksum/post-start-script: {{ .Values.st2actionrunner.postStartScript | sha256sum }}
 {{- end }}
@@ -1574,7 +1586,9 @@ spec:
 checksum/packs: {{ include (print $.Template.BasePath "/configmaps_packs.yaml") . | sha256sum }}
 checksum/auth: {{ include (print $.Template.BasePath "/secrets_st2auth.yaml") . | sha256sum }}
 checksum/ssh: {{ include (print $.Template.BasePath "/secrets_ssh.yaml") . | sha256sum }}
+ {{- if and (ne "disable" (default "" .Values.st2.datastore_crypto_key)) (not .Values.st2.existingDatastoreSecret) }}
 checksum/datastore-key: {{ include (print $.Template.BasePath "/secrets_datastore_crypto_key.yaml") . | sha256sum }}
+ {{- end }}
 {{- if .Values.st2.overrides }}
 checksum/overrides: {{ include (print $.Template.BasePath "/configmaps_overrides.yaml") . | sha256sum }}
 {{- end }}
From 0856933cf31e6867eb55f2f914b11b8f85288d3d Mon Sep 17 00:00:00 2001
From: Brandon Marick
Date: Tue, 6 Feb 2024 21:13:02 -0800
Subject: [PATCH 03/17] fix messed up templating
---
 templates/deployments.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/templates/deployments.yaml b/templates/deployments.yaml
index 634196ed..9c0b496f 100644
--- a/templates/deployments.yaml
+++ b/templates/deployments.yaml
@@ -1145,8 +1145,8 @@ spec: annotations: checksum/config: {{ include (print $.Template.BasePath "/configmaps_st2-conf.yaml") $ | sha256sum }} checksum/packs: {{ include (print $.Template.BasePath "/configmaps_packs.yaml") $ | sha256sum }} - {{- if and (ne "disable" (default "" .Values.st2.datastore_crypto_key)) (not .Values.st2.existingDatastoreSecret) }} - checksum/datastore-key: {{ include (print $.Template.BasePath "/secrets_datastore_crypto_key.yaml") . | sha256sum }} + {{- if and (ne "disable" (default "" $.Values.st2.datastore_crypto_key)) (not $.Values.st2.existingDatastoreSecret) }} + checksum/datastore-key: {{ include (print $.Template.BasePath "/secrets_datastore_crypto_key.yaml") $ | sha256sum }} {{- end }} {{- if $.Values.st2sensorcontainer.postStartScript }} checksum/post-start-script: {{ $.Values.st2sensorcontainer.postStartScript | sha256sum }} From d6c020ab3f63c46d95b158b1d11bcbf1ad10a6bd Mon Sep 17 00:00:00 2001 From: Brandon Marick Date: Tue, 6 Feb 2024 21:19:58 -0800 Subject: [PATCH 04/17] Add to Change Log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6ab3e082..11ccbc0f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,7 @@ * Add terminationGracePeriodSeconds to workflow and actionrunner pods to allow adjustment of grace period in k8 (#374) (by @guzzijones12) * Prevent duplicate init containers on helm upgrade (#375) (by @guzzijones12) * Fix st2 client config issue affecting addon jobs using jobs.extra_hooks (#370) (by @cars) +* Fix generation of DataStore Secret (#385) and checksum labels (#391) (by @bmarick) ## v0.110.0 * Switch st2 to `v3.8` as a new default stable version (#347) From 62964b520bf4a6cc7cb699c9e6c715449ef6c0b8 Mon Sep 17 00:00:00 2001 From: Brandon Marick Date: Wed, 7 Feb 2024 00:31:28 -0800 Subject: [PATCH 05/17] Update CHANGELOG.md --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
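Review bot: The same `if and (ne "disable" ...) (not ... existingDatastoreSecret)` expression is now pasted into seven pod templates, and this hunk exists only because one copy used `.Values` instead of `$.Values` inside a `range`; the next copy will drift the same way, or drift from the guard in the Secret template itself. A named template that prints a non-empty string only when the Secret is rendered, used as `{{- if include "stackstorm-ha.renderDatastoreKeySecret" $ }}` in every pod template and in secrets_datastore_crypto_key.yaml, keeps a single definition of "is there a chart-managed key". Since `$` is always the root context, that form also works identically inside and outside `range`. The sensorcontainer pod template this hunk sits in is part of a `range` that starts outside the hunk.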
diff --git a/CHANGELOG.md b/CHANGELOG.md index 11ccbc0f..2f0e0636 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,7 +16,7 @@ * Add terminationGracePeriodSeconds to workflow and actionrunner pods to allow adjustment of grace period in k8 (#374) (by @guzzijones12) * Prevent duplicate init containers on helm upgrade (#375) (by @guzzijones12) * Fix st2 client config issue affecting addon jobs using jobs.extra_hooks (#370) (by @cars) -* Fix generation of DataStore Secret (#385) and checksum labels (#391) (by @bmarick) +* Stop generating the DataStore Secret (#385) and checksum labels (#391) when existing secret provided or disabled (by @bmarick) ## v0.110.0 * Switch st2 to `v3.8` as a new default stable version (#347) From 1d8ffbf3a411120918e9f5fd7d76a61d4b6f400d Mon Sep 17 00:00:00 2001 From: Jacob Zufelt Date: Fri, 16 Feb 2024 12:25:59 -0700 Subject: [PATCH 06/17] Add missing policy and fix function --- templates/jobs.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/templates/jobs.yaml b/templates/jobs.yaml index 3e77c179..4b0b59fe 100644 --- a/templates/jobs.yaml +++ b/templates/jobs.yaml @@ -540,7 +540,7 @@ spec: and then delete this st2canary pod manually. INTRO - function __handle_error__(){ + function __handle_error__ { cat <<- 'FAIL' ERROR: One or more volumes in st2.packs.volumes (from helm values) does not meet StackStorm's shared volumes requirements! @@ -577,6 +577,7 @@ spec: {{- toYaml $.Values.st2.packs.volumes.configs | nindent 10 }} {{- end }} # st2canary job does not support extra_volumes. Let us know if you need this. + restartPolicy: OnFailure {{- if $.Values.dnsPolicy }} dnsPolicy: {{ $.Values.dnsPolicy }} {{- end }} From 944ce2d608920b915c5744ee813568d92a724ecc Mon Sep 17 00:00:00 2001 From: Jacob Zufelt Date: Fri, 16 Feb 2024 12:56:53 -0700 Subject: [PATCH 07/17] Change policy --- templates/jobs.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/templates/jobs.yaml b/templates/jobs.yaml index 4b0b59fe..21705bcc 100644 --- a/templates/jobs.yaml +++ b/templates/jobs.yaml @@ -577,7 +577,7 @@ spec: {{- toYaml $.Values.st2.packs.volumes.configs | nindent 10 }} {{- end }} # st2canary job does not support extra_volumes. Let us know if you need this. - restartPolicy: OnFailure + restartPolicy: Never {{- if $.Values.dnsPolicy }} dnsPolicy: {{ $.Values.dnsPolicy }} {{- end }} From db7adf7179929c26e1657c2646c335431d12d94a Mon Sep 17 00:00:00 2001 From: Jacob Floyd Date: Fri, 16 Feb 2024 14:00:14 -0600 Subject: [PATCH 08/17] Add changelog entry --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index b03e304c..ad29d134 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,8 @@ # Changelog +## Development +* Fix syntax with ensure-packs-volumes-are-writable job (#403) (by @skiedude) + ## v1.0.0 * Bump to latest CircleCI orb versions (kubernetes@1.3.1 and helm@3.0.0 by @ZoeLeah) * Remove unsupported k8s Versions (1.24.x and 1.25.x by @ZoeLeah) From 01bb2aee788cf3f6ff11335179c8ee3de956a962 Mon Sep 17 00:00:00 2001 From: FileMagic <22534836+FileMagic@users.noreply.github.com> Date: Tue, 27 Feb 2024 14:55:55 -0500 Subject: [PATCH 09/17] Update README.md to fix mispelling of volumes --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 48d16c8f..90c812e4 100644 --- a/README.md +++ b/README.md 
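Review bot: `restartPolicy: Never` keeps the failed canary pod around for the manual inspection the FAIL text asks for, but the Job controller will still create a fresh pod after each failure until `backoffLimit` is exhausted (six by default), so a deterministic volume-permission problem leaves several identical failed pods behind. If the Job's top-level spec, which starts outside this hunk, does not already set it, add `backoffLimit: 0` next to the policy and record the reasoning: `# Never + backoffLimit 0: a failed precondition is not transient; keep the single failed pod for its logs`. I cannot see the Job spec here, so whether a limit already exists is inferred.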
@@ -241,7 +241,7 @@ NOTE: With care, `st2packs` images can be used with `volumes`. Just make sure to If a pack is installed via an `st2packs` image and then it gets updated with `st2 pack install`, a subsequent `helm upgrade` will revert back to the version in the `st2packs` image. #### Configure the storage volumes -Enable the `st2.packs.voluems` section of Helm values and add volume definitions for both `packs` and `virtualenvs`. +Enable the `st2.packs.volumes` section of Helm values and add volume definitions for both `packs` and `virtualenvs`. Each of the volume definitions should be customized for your cluster and storage solution. For example, to use persistentVolumeClaims: From 96308f8f0611017442c3dc79ec26a15430b40fd0 Mon Sep 17 00:00:00 2001 From: Jacob Floyd Date: Wed, 10 Apr 2024 14:29:47 -0500 Subject: [PATCH 10/17] add securityContext for more containers using st2actionrunner as fallback for some Some of the jobs and other utility containers need more permissions to modify files. The st2actionrunner pods are most likely to have the most permissive permissions, so default to that if the deployment/job-specific securityContext values are not defined. --- templates/_helpers.tpl | 9 ++++++--- templates/deployments.yaml | 6 +++--- templates/jobs.yaml | 15 +++++++++------ values.yaml | 7 +++++-- 4 files changed, 23 insertions(+), 14 deletions(-) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 4b98b21c..3e11a79d 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
@@ -344,7 +344,8 @@ Merge packs and virtualenvs from st2 with those from st2packs images - | /bin/cp -aR /opt/stackstorm/packs/. /opt/stackstorm/packs-shared && /bin/cp -aR /opt/stackstorm/virtualenvs/. /opt/stackstorm/virtualenvs-shared - {{- with $.Values.securityContext }} + {{- with .securityContext | default $.Values.st2actionrunner.securityContext | default $.Values.securityContext }} + {{/* st2actionrunner is likely the most permissive so use that if defined. */}} securityContext: {{- toYaml . | nindent 8 }} {{- end }} {{- end }} @@ -365,7 +366,8 @@ Merge packs and virtualenvs from st2 with those from st2packs images - | /bin/cp -aR /opt/stackstorm/packs/. /opt/stackstorm/packs-shared && /bin/cp -aR /opt/stackstorm/virtualenvs/. /opt/stackstorm/virtualenvs-shared - {{- with .Values.securityContext }} + {{- with .Values.st2actionrunner.securityContext | default .Values.securityContext }} + {{/* st2actionrunner is likely the most permissive so use that if defined. */}} securityContext: {{- toYaml . | nindent 8 }} {{- end }} {{- end }} @@ -384,7 +386,8 @@ Merge packs and virtualenvs from st2 with those from st2packs images - '-ec' - | /bin/cp -aR /opt/stackstorm/configs/. /opt/stackstorm/configs-shared - {{- with .Values.securityContext }} + {{- with .Values.st2actionrunner.securityContext | default .Values.securityContext }} + {{/* st2actionrunner is likely the most permissive so use that if defined. */}} securityContext: {{- toYaml . | nindent 8 }} {{- end }} {{- end }} diff --git a/templates/deployments.yaml b/templates/deployments.yaml index 9620458a..67ee1fe2 100644 --- a/templates/deployments.yaml +++ b/templates/deployments.yaml 
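Review bot: The fallback makes every packs-copy init container run with whatever st2actionrunner has been granted, which the comment itself says is expected to be the most permissive context in the chart, yet the `{{/* st2actionrunner is likely the most permissive ... */}}` comment never tells a reader how to narrow it. These containers only run `cp -aR` into the shared volumes, so the comment should name the narrower path and the reason: `{{/* cp into the shared volumes needs write access there; inherits st2actionrunner's context (usually the widest in the chart) unless st2.packs.images[].securityContext sets a narrower one */}}`. The second and third hunks operate on the root context rather than a per-image entry, so the per-image override in the first hunk does not reach them; if that is deliberate, a one-line comment saying the st2 image copy has no per-image knob would stop the next reader from assuming it is an omission. The enclosing named templates start outside the hunks.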
@@ -1600,7 +1600,7 @@ spec: - name: generate-st2client-config image: '{{ template "stackstorm-ha.imageRepository" . }}/st2actionrunner:{{ tpl (.Values.st2client.image.tag | default (.Values.st2actionrunner.image.tag | default .Values.image.tag)) . }}' imagePullPolicy: {{ .Values.image.pullPolicy }} - {{- with .Values.securityContext }} + {{- with .Values.st2client.securityContext | default .Values.st2actionrunner.securityContext | default .Values.securityContext }} securityContext: {{- toYaml . | nindent 10 }} {{- end }} envFrom: @@ -1627,7 +1627,7 @@ spec: - name: st2client image: '{{ template "stackstorm-ha.imageRepository" . }}/st2actionrunner:{{ tpl (.Values.st2client.image.tag | default .Values.image.tag) . }}' imagePullPolicy: {{ .Values.image.pullPolicy }} - {{- with default .Values.securityContext .Values.st2actionrunner.securityContext }} + {{- with .Values.st2client.securityContext | default .Values.st2actionrunner.securityContext | default .Values.securityContext }} securityContext: {{- toYaml . | nindent 10 }} {{- end }} env: @@ -1728,7 +1728,7 @@ spec: {{- with .Values.dnsConfig }} dnsConfig: {{- toYaml . | nindent 8 }} {{- end }} - {{- with default .Values.podSecurityContext .Values.st2client.podSecurityContext }} + {{- with .Values.st2client.podSecurityContext | default .Values.st2actionrunner.podSecurityContext | default .Values.podSecurityContext }} securityContext: {{- toYaml . | nindent 8 }} {{- end }} {{- with .Values.st2client.nodeSelector }} diff --git a/templates/jobs.yaml b/templates/jobs.yaml index 21705bcc..1d9ec459 100644 --- a/templates/jobs.yaml +++ b/templates/jobs.yaml 
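Review bot: Because Sprig's `default` treats an empty map as unset, `st2client.securityContext: {}` no longer means "no securityContext": the chain falls through to `st2actionrunner.securityContext`, so an operator who deliberately cleared the st2client override now gets the action runner's capabilities on the client container, its `generate-st2client-config` init container and, via the 1728 hunk, the pod. That is a silent widening compared with the previous `default .Values.securityContext .Values.st2actionrunner.securityContext` behaviour only in the sense that the starting point changed, but it should be written down where the override is declared: `# an empty {} here does not clear the context; it falls back to st2actionrunner's value, then the global one`. Distinguishing "absent" from "empty" with `hasKey` would need the values.yaml defaults for these keys to be removed, which I cannot see from here.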
@@ -411,7 +411,8 @@ spec: - name: st2-register-content-custom-init image: '{{ template "stackstorm-ha.imageRepository" . }}/st2actionrunner:{{ tpl (.Values.jobs.image.tag | default (.Values.st2actionrunner.image.tag | default .Values.image.tag)) . }}' imagePullPolicy: {{ .Values.image.pullPolicy }} - {{- with .Values.securityContext }} + {{- with .Values.st2actionrunner.securityContext | default .Values.securityContext }} + {{/* st2actionrunner is likely the most permissive so use that if defined. */}} securityContext: {{- toYaml . | nindent 10 }} {{- end }} command: {{- toYaml $.Values.jobs.preRegisterContentCommand | nindent 8 }} @@ -425,7 +426,8 @@ spec: - name: st2-register-content image: '{{ template "stackstorm-ha.imageRepository" . }}/st2actionrunner:{{ tpl (.Values.jobs.image.tag | default (.Values.st2actionrunner.image.tag | default .Values.image.tag)) . }}' imagePullPolicy: {{ .Values.image.pullPolicy }} - {{- with .Values.securityContext }} + {{- with .Values.st2actionrunner.securityContext | default .Values.securityContext }} + {{/* st2actionrunner is likely the most permissive so use that if defined. */}} securityContext: {{- toYaml . | nindent 10 }} {{- end }} command: @@ -470,7 +472,8 @@ spec: {{- with .Values.dnsConfig }} dnsConfig: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.podSecurityContext }} + {{- with .Values.st2actionrunner.podSecurityContext | default .Values.podSecurityContext }} + {{/* st2actionrunner is likely the most permissive so use that if defined. */}} securityContext: {{- toYaml . | nindent 8 }} {{- end }} {{- with .Values.jobs.nodeSelector }} 
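Review bot: The register-content job containers (`st2-register-content-custom-init`, `st2-register-content`) and the job pod now inherit st2actionrunner's securityContext and podSecurityContext with no job-level override, whereas extra_hooks entries gain `securityContext`/`podSecurityContext` keys in values.yaml. An operator who needs chown/fowner in the action runners but not in the one-shot registration job has no way to separate the two. Consider `jobs.securityContext` and `jobs.podSecurityContext` at the head of each chain, e.g. `{{- with .Values.jobs.securityContext | default .Values.st2actionrunner.securityContext | default .Values.securityContext }}`. The Job spec these hunks belong to starts and ends outside the hunk.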
@@ -641,7 +644,7 @@ spec: - name: generate-st2client-config image: '{{ template "stackstorm-ha.imageRepository" $ }}/st2actionrunner:{{ tpl ($.Values.jobs.image.tag | default ($.Values.st2actionrunner.image.tag | default $.Values.image.tag)) $ }}' imagePullPolicy: {{ $.Values.image.pullPolicy }} - {{- with $.Values.securityContext }} + {{- with default $.Values.st2actionrunner.securityContext | default $.Values.securityContext }} securityContext: {{- toYaml . | nindent 10 }} {{- end }} envFrom: @@ -668,7 +671,7 @@ spec: - name: {{ $name }} image: '{{ template "stackstorm-ha.imageRepository" $ }}/st2actionrunner:{{ tpl ($.Values.jobs.image.tag | default ($.Values.st2actionrunner.image.tag | default $.Values.image.tag)) $ }}' imagePullPolicy: {{ $.Values.image.pullPolicy }} - {{- with $.Values.securityContext }} + {{- with .securityContext | default $.Values.st2actionrunner.securityContext | default $.Values.securityContext }} securityContext: {{- toYaml . | nindent 10 }} {{- end }} {{- if $.Values.jobs.env }} @@ -718,7 +721,7 @@ spec: {{- with $.Values.dnsConfig }} dnsConfig: {{- toYaml . | nindent 8 }} {{- end }} - {{- with $.Values.podSecurityContext }} + {{- with $.Values.jobs.podSecurityContext | default $.Values.st2actionrunner.podSecurityContext | default $.Values.podSecurityContext }} securityContext: {{- toYaml . | nindent 8 }} {{- end }} {{- with $.Values.jobs.nodeSelector }} diff --git a/values.yaml b/values.yaml index 81038d37..47628190 100644 --- a/values.yaml +++ b/values.yaml @@ -150,6 +150,8 @@ st2: # pullPolicy: IfNotPresent # Optional name of the imagePullSecret if your custom packs image is hosted by a private Docker registry # pullSecret: st2packs-auth + # Optional .securityContext override for container + # securityContext: # Custom packs volumes definitions. # 
@@ -288,7 +290,7 @@ st2: ## ## Default SecurityContext for pods and containers. -## Overrides available for st2web, st2actionrunner, st2sensorcontainer, and st2client pods. +## Overrides available for st2web, st2actionrunner, st2sensorcontainer, st2client pods, and custom packs images. ## podSecurityContext: {} securityContext: {} @@ -703,7 +705,7 @@ st2actionrunner: attach: false # override the default .podSecurityContext or .securityContext here podSecurityContext: {} - securityContext: {} + securityContext: {} # also applies to init or jobs containers that copy/modify files # postStartScript is optional. It has the contents of a bash script. # k8s will run the script in the st2 container in parallel with the ENTRYPOINT. # The pod will not be marked as "running" until this script completes successfully. @@ -984,6 +986,7 @@ jobs: # hook: post-install # required "helm.sh/hook" # hook_weight: 10 # optional hook_weight (defaults to 10) # resources: {} # optional definition of resources to request + # securityContext: {} # optional definition of container securityContext override # command: # required command to run # - st2 # - run From 17e5fca27a38164d77160e341ce8ba8d531f50e0 Mon Sep 17 00:00:00 2001 From: Jacob Floyd Date: Wed, 10 Apr 2024 15:13:32 -0500 Subject: [PATCH 11/17] more consistent securityContext --- templates/deployments.yaml | 12 ++++++------ templates/jobs.yaml | 4 ++-- values.yaml | 1 + 3 files changed, 9 insertions(+), 8 deletions(-) diff --git a/templates/deployments.yaml b/templates/deployments.yaml index 67ee1fe2..ae53abf2 100644 --- a/templates/deployments.yaml +++ b/templates/deployments.yaml 
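Review bot: `securityContext: {} # also applies to init or jobs containers that copy/modify files` understates the inheritance this series introduces: the st2client Deployment container and pod, the register-content job, and every extra_hooks job container fall back to st2actionrunner's values when they set none of their own, not only file-copying init containers, and `podSecurityContext` directly above gets the same fallback with no comment at all. Suggest the same note on both keys: `# Also the fallback for st2client, the register-content job, extra_hooks jobs and packs-copy init containers when they define no override; capabilities granted here reach all of them.` The "Default SecurityContext" block comment two hunks up could likewise list st2client and the jobs among the places where a fallback, rather than an override, applies.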
@@ -428,7 +428,7 @@ spec: - name: st2web image: '{{ template "stackstorm-ha.imageRepository" . }}/st2web:{{ tpl (.Values.st2web.image.tag | default .Values.image.tag) . }}' imagePullPolicy: {{ .Values.image.pullPolicy }} - {{- with default .Values.securityContext .Values.st2web.securityContext }} + {{- with .Values.st2web.securityContext | default .Values.securityContext }} securityContext: {{- toYaml . | nindent 10 }} {{- end }} ports: @@ -515,7 +515,7 @@ spec: {{- with .Values.dnsConfig }} dnsConfig: {{- toYaml . | nindent 8 }} {{- end }} - {{- with default .Values.podSecurityContext .Values.st2client.podSecurityContext }} + {{- with .Values.st2client.podSecurityContext | default .Values.podSecurityContext }} securityContext: {{- toYaml . | nindent 8 }} {{- end }} {{- with .Values.st2web.nodeSelector }} @@ -1187,7 +1187,7 @@ spec: - name: {{ $name }} image: '{{ template "stackstorm-ha.imageRepository" $ }}/st2sensorcontainer:{{ tpl ($sensor.image.tag | default $.Values.image.tag) $ }}' imagePullPolicy: {{ $.Values.image.pullPolicy }} - {{- with default $.Values.securityContext $sensor.securityContext }} + {{- with $sensor.securityContext | default $.Values.securityContext }} securityContext: {{- toYaml . | nindent 10 }} {{- end }} {{- with $sensor.readinessProbe }} @@ -1282,7 +1282,7 @@ spec: {{- with $.Values.dnsConfig }} dnsConfig: {{- toYaml . | nindent 8 }} {{- end }} - {{- with default $.Values.podSecurityContext $sensor.podSecurityContext }} + {{- with $sensor.podSecurityContext | default $.Values.podSecurityContext }} securityContext: {{- toYaml . | nindent 8 }} {{- end }} {{- with $sensor.nodeSelector }} 
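Review bot: The hunk at 515 rewrites the pod-level securityContext of what the trailing context (`.Values.st2web.nodeSelector`) shows to be the st2web Deployment, but it still reads `.Values.st2client.podSecurityContext`; the st2web pod therefore takes st2client's pod override, and `st2web.podSecurityContext`, which the values.yaml comment advertises, is never applied. The line should be `{{- with .Values.st2web.podSecurityContext | default .Values.podSecurityContext }}`. The container-level line at 428 already uses `st2web.securityContext`, so the pod level is the odd one out; the old form had the same cross-reference, so this is a pre-existing defect the rewrite preserved. The new unit tests in this series exercise st2client and extra_hooks; I cannot see whether an st2web pod assertion exists that would catch this.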
@@ -1353,7 +1353,7 @@ spec: image: '{{ .image.repository | default (include "stackstorm-ha.imageRepository" $) }}/{{ .image.name | default "st2actionrunner" }}:{{ tpl (.image.tag | default $.Values.image.tag) $ }}' {{- end }} imagePullPolicy: {{ .Values.st2actionrunner.image.pullPolicy | default .Values.image.pullPolicy }} - {{- with default .Values.securityContext .Values.st2actionrunner.securityContext }} + {{- with .Values.st2actionrunner.securityContext | default .Values.securityContext }} securityContext: {{- toYaml . | nindent 10 }} {{- end }} # TODO: Add liveness/readiness probes (#3) @@ -1436,7 +1436,7 @@ spec: {{- with .Values.dnsConfig }} dnsConfig: {{- toYaml . | nindent 8 }} {{- end }} - {{- with default .Values.podSecurityContext .Values.st2actionrunner.podSecurityContext }} + {{- with .Values.st2actionrunner.podSecurityContext | default .Values.podSecurityContext }} securityContext: {{- toYaml . | nindent 8 }} {{- end }} {{- with .Values.st2actionrunner.nodeSelector }} diff --git a/templates/jobs.yaml b/templates/jobs.yaml index 1d9ec459..fc8aad94 100644 --- a/templates/jobs.yaml +++ b/templates/jobs.yaml @@ -644,7 +644,7 @@ spec: - name: generate-st2client-config image: '{{ template "stackstorm-ha.imageRepository" $ }}/st2actionrunner:{{ tpl ($.Values.jobs.image.tag | default ($.Values.st2actionrunner.image.tag | default $.Values.image.tag)) $ }}' imagePullPolicy: {{ $.Values.image.pullPolicy }} - {{- with default $.Values.st2actionrunner.securityContext | default $.Values.securityContext }} + {{- with $.Values.st2actionrunner.securityContext | default $.Values.securityContext }} securityContext: {{- toYaml . | nindent 10 }} {{- end }} envFrom: 
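Review bot: The `generate-st2client-config` init container at 644 still uses `$.Values.st2actionrunner.securityContext | default $.Values.securityContext`, whereas the hook's main container (668 in the previous patch) and now its pod (721) honour the per-hook `.securityContext`/`.podSecurityContext`. A hook configured with a tighter container context still runs its init container under the action runner's, so the override is only partial; `{{- with .securityContext | default $.Values.st2actionrunner.securityContext | default $.Values.securityContext }}` would make the two containers agree. This assumes the init container is inside the same `range` over `extra_hooks` as the main container, which the hunk does not show; the range starts outside it.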
@@ -721,7 +721,7 @@ spec: {{- with $.Values.dnsConfig }} dnsConfig: {{- toYaml . | nindent 8 }} {{- end }} - {{- with $.Values.jobs.podSecurityContext | default $.Values.st2actionrunner.podSecurityContext | default $.Values.podSecurityContext }} + {{- with .podSecurityContext | default $.Values.st2actionrunner.podSecurityContext | default $.Values.podSecurityContext }} securityContext: {{- toYaml . | nindent 8 }} {{- end }} {{- with $.Values.jobs.nodeSelector }} diff --git a/values.yaml b/values.yaml index 47628190..06a77d7c 100644 --- a/values.yaml +++ b/values.yaml @@ -986,6 +986,7 @@ jobs: # hook: post-install # required "helm.sh/hook" # hook_weight: 10 # optional hook_weight (defaults to 10) # resources: {} # optional definition of resources to request + # podSecurityContext: {} # optional definition of pod securityContext override # securityContext: {} # optional definition of container securityContext override # command: # required command to run # - st2 From 819cda935d6bfa288c2eaa207eb242118b80925a Mon Sep 17 00:00:00 2001 From: Jacob Floyd Date: Wed, 10 Apr 2024 15:20:10 -0500 Subject: [PATCH 12/17] add changelog entry --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index ad29d134..18981fae 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,7 @@ ## Development * Fix syntax with ensure-packs-volumes-are-writable job (#403) (by @skiedude) +* Add securityContext support to custom st2packs images, extra_hooks jobs; Also fallback to st2actionrunner securityContext for misc init container jobs and pods. (#410) (by @cognifloyd) ## v1.0.0 * Bump to latest CircleCI orb versions (kubernetes@1.3.1 and helm@3.0.0 by @ZoeLeah) From 9d4bbffceb82a6a598425951d8561ab568f0c193 Mon Sep 17 00:00:00 2001 
From: Jacob Floyd Date: Wed, 10 Apr 2024 16:44:01 -0500 Subject: [PATCH 13/17] test securityContext fallback improvements --- tests/unit/security_context_test.yaml | 210 +++++++++++++++++++++++++- 1 file changed, 207 insertions(+), 3 deletions(-) diff --git a/tests/unit/security_context_test.yaml b/tests/unit/security_context_test.yaml index bde31b3d..c5b275b2 100644 --- a/tests/unit/security_context_test.yaml +++ b/tests/unit/security_context_test.yaml @@ -18,6 +18,9 @@ templates: - secrets_st2auth.yaml - secrets_st2chatops.yaml +# TODO: test initContainers that use st2.packs.images[].securityContext +# (there is no good way to select initContainers) + tests: - it: Deployment and Job Pods+Containers have no SecurityContext by default templates: @@ -34,6 +37,7 @@ tests: # job-st2-apikey-load # job-st2-key-load # job-st2-register-content + # job-ensure-packs-volumes-are-writable # extra_hooks job set: st2chatops: @@ -135,7 +139,16 @@ tests: template: deployments.yaml set: st2: - packs: { sensors: [] } # ensure only 1 sensor + packs: + sensors: [] # ensure only 1 sensor + #images: &st2_packs_images + # - repository: index.docker.io/stackstorm + # name: st2packs + # tag: example + # securityContext: &st2packs_security_context + # capabilities: + # drop: [ALL] + # add: [kill, net_raw, chown, fowner] rbac: { enabled: true } # enable rbac job podSecurityContext: *global_pod_security_context @@ -159,8 +172,14 @@ tests: securityContext: *security_context_override st2client: - podSecurityContext: *pod_security_context_override - securityContext: *security_context_override + podSecurityContext: &pod_security_context_override_2 + fsGroup: 8888 + supplementalGroups: [4444] + securityContext: &security_context_override_2 + capabilities: + drop: [ALL] + add: [kill, net_raw, chown] + asserts: - hasDocuments: count: 13 
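Review bot: The st2client override test now asserts with distinct values (the `_2` anchors), which is what makes a silent fallback to st2actionrunner detectable; good. The TODO about `st2.packs.images[].securityContext` can probably be resolved the same way, because helm-unittest accepts an indexed path such as `spec.template.spec.initContainers[0].securityContext` even though it cannot select every element, provided the init container order is stable; whether the pinned helm-unittest version supports that is not visible here. Since the packs-image init container is the one the fallback was introduced for, a single indexed assert is worth more than the commented-out block.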
@@ -231,16 +250,201 @@ tests: # st2client pod - notEqual: *global_pod_security_context_assert documentIndex: 12 + - notEqual: *override_pod_security_context_assert + documentIndex: 12 + - equal: &override_pod_security_context_assert_2 + path: spec.template.spec.securityContext + value: *pod_security_context_override_2 + documentIndex: 12 + + # st2client container + - notEqual: *global_container0_security_context_assert + documentIndex: 12 + - notEqual: *override_container0_security_context_assert + documentIndex: 12 + - equal: &override_container0_security_context_assert_2 + path: spec.template.spec.containers[0].securityContext + value: *security_context_override_2 + documentIndex: 12 + # path can only select one element, not all initContainers (if present). + #- notEqual: *global_initcontainers_security_context_assert + # documentIndex: 12 + #- notEqual: *override_initcontainers_security_context_assert + # documentIndex: 12 + #- equal: &override_initcontainers_security_context_assert_2 + # path: spec.template.spec.initContainers[].securityContext + # value: *security_context_override + # documentIndex: 12 + + - it: st2client Deployment Pod+Containers default to st2actionrunner SecurityContext overrides + template: deployments.yaml + set: + st2: + packs: + sensors: [] # ensure only 1 sensor + #images: *st2_packs_images + rbac: { enabled: true } # enable rbac job + + podSecurityContext: *global_pod_security_context + securityContext: *global_security_context + + st2actionrunner: + podSecurityContext: *pod_security_context_override + securityContext: *security_context_override + + #st2client: no override defined + + asserts: + - hasDocuments: + count: 13 + + # st2client pod + - notEqual: *global_pod_security_context_assert + documentIndex: 12 + - notEqual: *override_pod_security_context_assert_2 + documentIndex: 12 - equal: *override_pod_security_context_assert documentIndex: 12 # st2client container - notEqual: *global_container0_security_context_assert 
documentIndex: 12 + - notEqual: *override_container0_security_context_assert_2 + documentIndex: 12 - equal: *override_container0_security_context_assert documentIndex: 12 # path can only select one element, not all initContainers (if present). #- notEqual: *global_initcontainers_security_context_assert # documentIndex: 12 + #- notEqual: *override_initcontainers_security_context_assert_2 + # documentIndex: 12 #- equal: *override_initcontainers_security_context_assert # documentIndex: 12 + + # overrides for register-content job and extra_hooks job(s) + # document indexes: 3, 5 + + - it: extra_hooks Jobs Pod+Containers accept SecurityContext overrides + template: jobs.yaml + set: + st2: + packs: + sensors: [] # ensure only 1 sensor + images: [] + volumes: *volumes_enabled + configs: {} # has one core.yaml config file by default (dicts get merged) + rbac: { enabled: true } # enable rbac job + + podSecurityContext: *global_pod_security_context + securityContext: *global_security_context + + st2actionrunner: + podSecurityContext: *pod_security_context_override + securityContext: *security_context_override + + jobs: + extra_hooks: + - name: upgrade-warning + hook: pre-upgrade, pre-rollback + hook_weight: -5 + podSecurityContext: *pod_security_context_override_2 + securityContext: *security_context_override_2 + + asserts: + - hasDocuments: + count: 6 + + # extra_hooks job pod + - notEqual: *global_pod_security_context_assert + documentIndex: 5 + - notEqual: *override_pod_security_context_assert + documentIndex: 5 + - equal: *override_pod_security_context_assert_2 + documentIndex: 5 + + # extra_hooks job container + - notEqual: *global_container0_security_context_assert + documentIndex: 5 + - notEqual: *override_container0_security_context_assert + documentIndex: 5 + - equal: *override_container0_security_context_assert_2 + documentIndex: 5 + # path can only select one element, not all initContainers (if present). 
+ #- notEqual: *global_initcontainers_security_context_assert + # documentIndex: 5 + #- notEqual: *override_initcontainers_security_context_assert + # documentIndex: 5 + #- equal: *override_initcontainers_security_context_assert_2 + # documentIndex: 5 + + - it: register-content and extra_hooks Jobs Pod+Containers default to st2actionrunner SecurityContext overrides + template: jobs.yaml + set: + st2: + packs: + sensors: [] # ensure only 1 sensor + images: [] + volumes: *volumes_enabled + configs: {} # has one core.yaml config file by default (dicts get merged) + rbac: { enabled: true } # enable rbac job + + podSecurityContext: *global_pod_security_context + securityContext: *global_security_context + + st2actionrunner: + podSecurityContext: *pod_security_context_override + securityContext: *security_context_override + + jobs: + extra_hooks: *jobs_extra_hooks + # does not override podSecurityContext or securityContext + + asserts: + - hasDocuments: + count: 6 + + # job-register-content pod + - notEqual: *global_pod_security_context_assert + documentIndex: 3 + - notEqual: *override_pod_security_context_assert_2 + documentIndex: 3 + - equal: *override_pod_security_context_assert + documentIndex: 3 + + # job-register-content container + - notEqual: *global_container0_security_context_assert + documentIndex: 3 + - notEqual: *override_container0_security_context_assert_2 + documentIndex: 3 + - equal: *override_container0_security_context_assert + documentIndex: 3 + # path can only select one element, not all initContainers (if present). 
+ #- notEqual: *global_initcontainers_security_context_assert + # documentIndex: 3 + #- notEqual: *override_initcontainers_security_context_assert_2 + # documentIndex: 3 + #- equal: *override_initcontainers_security_context_assert + # documentIndex: 3 + + # extra_hooks job pod + - notEqual: *global_pod_security_context_assert + documentIndex: 5 + - notEqual: *override_pod_security_context_assert_2 + documentIndex: 5 + - equal: *override_pod_security_context_assert + documentIndex: 5 + + # extra_hooks job container + - notEqual: *global_container0_security_context_assert + documentIndex: 5 + - notEqual: *override_container0_security_context_assert_2 + documentIndex: 5 + - equal: *override_container0_security_context_assert + documentIndex: 5 + # path can only select one element, not all initContainers (if present). + #- notEqual: *global_initcontainers_security_context_assert + # documentIndex: 5 + #- notEqual: *override_initcontainers_security_context_assert_2 + # documentIndex: 5 + #- equal: *override_initcontainers_security_context_assert + # documentIndex: 5 From 7c3673bdbb89c1e575ff50ffe239804f1e29237e Mon Sep 17 00:00:00 2001 From: Jacob Floyd Date: Wed, 10 Apr 2024 19:27:26 -0500 Subject: [PATCH 14/17] fix test --- tests/unit/security_context_test.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/unit/security_context_test.yaml b/tests/unit/security_context_test.yaml index c5b275b2..0468d362 100644 --- a/tests/unit/security_context_test.yaml +++ b/tests/unit/security_context_test.yaml @@ -347,6 +347,7 @@ tests: - name: upgrade-warning hook: pre-upgrade, pre-rollback hook_weight: -5 + command: ["st2", "run", "--tail", "custom_pack.warn_about_upgrade"] podSecurityContext: *pod_security_context_override_2 securityContext: *security_context_override_2 From 6ab5d025f2b5d44a6c19fc77c99be580994db8d1 Mon Sep 17 00:00:00 2001 
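Review bot: The "default to st2actionrunner SecurityContext overrides" test for jobs depends on `extra_hooks: *jobs_extra_hooks`, an anchor defined outside this hunk, and the comment `# does not override podSecurityContext or securityContext` is a claim about that shared definition rather than something the test controls; if a later edit adds either key to the anchor, the fallback assertions at `documentIndex: 5` would pass for the wrong reason. Defining the hook inline here, mirroring the `upgrade-warning` entry of the preceding test but without the two securityContext keys, would make the fallback test self-contained. The hard-coded `documentIndex: 3` and `5` are only justified by the `# document indexes: 3, 5` comment; a note naming which rendered Job each index corresponds to, e.g. `# 3 = job-st2-register-content, 5 = extra_hooks upgrade-warning (given hasDocuments count 6)`, would make a future ordering change easier to diagnose.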
From: Jacob Floyd Date: Wed, 10 Apr 2024 19:47:51 -0500 Subject: [PATCH 15/17] fix st2web podSecurityContext use --- templates/deployments.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/deployments.yaml b/templates/deployments.yaml index ae53abf2..d7a05365 100644 --- a/templates/deployments.yaml +++ b/templates/deployments.yaml @@ -515,7 +515,7 @@ spec: {{- with .Values.dnsConfig }} dnsConfig: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.st2client.podSecurityContext | default .Values.podSecurityContext }} + {{- with .Values.st2web.podSecurityContext | default .Values.podSecurityContext }} securityContext: {{- toYaml . | nindent 8 }} {{- end }} {{- with .Values.st2web.nodeSelector }} From 00ea9a57b51c6bf2573b379f00cd6079043bc5c5 Mon Sep 17 00:00:00 2001 From: Jacob Floyd Date: Wed, 10 Apr 2024 21:29:53 -0500 Subject: [PATCH 16/17] Move changelog entry up --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index be165811..855ade7b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ ## Development * Fix syntax with ensure-packs-volumes-are-writable job (#403) (by @skiedude) * Add securityContext support to custom st2packs images, extra_hooks jobs; Also fallback to st2actionrunner securityContext for misc init container jobs and pods. (#410) (by @cognifloyd) +* Stop generating the DataStore Secret (#385) and checksum labels (#391) when existing secret provided or disabled (by @bmarick) ## v1.0.0 * Bump to latest CircleCI orb versions (kubernetes@1.3.1 and helm@3.0.0 by @ZoeLeah) 
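Review bot: The st2web pod now reads `.Values.st2web.podSecurityContext` instead of `.Values.st2client.podSecurityContext`, but none of the test changes visible in this series assert the st2web Deployment's pod securityContext, which is presumably how the st2client/st2web mix-up went unnoticed. A case in tests/unit/security_context_test.yaml that sets `st2web.podSecurityContext` to a distinct anchor and asserts `spec.template.spec.securityContext` on the st2web document, plus a negative check that setting only `st2client.podSecurityContext` leaves st2web at the global value, would pin this. The enclosing st2web Deployment template starts and ends outside this hunk.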
@@ -20,7 +21,6 @@ * Add terminationGracePeriodSeconds to workflow and actionrunner pods to allow adjustment of grace period in k8 (#374) (by @guzzijones12) * Prevent duplicate init containers on helm upgrade (#375) (by @guzzijones12) * Fix st2 client config issue affecting addon jobs using jobs.extra_hooks (#370) (by @cars) -* Stop generating the DataStore Secret (#385) and checksum labels (#391) when existing secret provided or disabled (by @bmarick) ## v0.110.0 * Switch st2 to `v3.8` as a new default stable version (#347) From b2788502883875aa9948c24803fce6f99e617f8e Mon Sep 17 00:00:00 2001 From: Brandon Marick Date: Wed, 10 Apr 2024 20:05:49 -0700 Subject: [PATCH 17/17] Stop generating the checksum labels for Auth Secret when existing secret provided (#392) --- CHANGELOG.md | 1 + templates/deployments.yaml | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 855ade7b..d8a2be78 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,7 @@ * Fix syntax with ensure-packs-volumes-are-writable job (#403) (by @skiedude) * Add securityContext support to custom st2packs images, extra_hooks jobs; Also fallback to st2actionrunner securityContext for misc init container jobs and pods. (#410) (by @cognifloyd) * Stop generating the DataStore Secret (#385) and checksum labels (#391) when existing secret provided or disabled (by @bmarick) +* Stop generating the checksum labels for Auth Secret (#392) when existing secret provided or disabled (by @bmarick) ## v1.0.0 * Bump to latest CircleCI orb versions (kubernetes@1.3.1 and helm@3.0.0 by @ZoeLeah) diff --git a/templates/deployments.yaml b/templates/deployments.yaml index d66b0de1..3acada39 100644 --- a/templates/deployments.yaml +++ b/templates/deployments.yaml 
@@ -28,7 +28,9 @@ spec: labels: {{- include "stackstorm-ha.labels" (list $ "st2auth") | nindent 8 }} annotations: checksum/config: {{ include (print $.Template.BasePath "/configmaps_st2-conf.yaml") . | sha256sum }} + {{- if not .Values.st2.existingAuthSecret }} checksum/auth: {{ include (print $.Template.BasePath "/secrets_st2auth.yaml") . | sha256sum }} + {{- end }} {{- if .Values.st2auth.postStartScript }} checksum/post-start-script: {{ .Values.st2auth.postStartScript | sha256sum }} {{- end }} @@ -1584,7 +1586,9 @@ spec: checksum/config: {{ include (print $.Template.BasePath "/configmaps_st2-conf.yaml") . | sha256sum }} checksum/rbac: {{ include (print $.Template.BasePath "/configmaps_rbac.yaml") . | sha256sum }} checksum/packs: {{ include (print $.Template.BasePath "/configmaps_packs.yaml") . | sha256sum }} + {{- if not .Values.st2.existingAuthSecret }} checksum/auth: {{ include (print $.Template.BasePath "/secrets_st2auth.yaml") . | sha256sum }} + {{- end }} checksum/ssh: {{ include (print $.Template.BasePath "/secrets_ssh.yaml") . | sha256sum }} {{- if and (ne "disable" (default "" .Values.st2.datastore_crypto_key)) (not .Values.st2.existingDatastoreSecret) }} checksum/datastore-key: {{ include (print $.Template.BasePath "/secrets_datastore_crypto_key.yaml") . | sha256sum }}
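Review bot: With `st2.existingAuthSecret` set, the st2auth pod in the first hunk and the pod in the second hunk (`@@ -1584,7 +1586,9 @@`) no longer carry a `checksum/auth` annotation, so rotating the externally managed auth secret will not trigger a rollout; that is a reasonable trade-off for a secret the chart does not render, but it is worth recording next to the guard, e.g. `{{- /* externally managed auth secret: no checksum annotation, so a rotated secret needs a manual rollout restart */ }}`. The diffstat shows only these two sites in templates/deployments.yaml changed; if other Deployments in this file also emit `checksum/auth`, they should get the same `{{- if not .Values.st2.existingAuthSecret }}` condition so every consumer of the secret behaves alike. The guard follows the existing `existingDatastoreSecret` pattern on the `checksum/datastore-key` line, which keeps the two secrets consistent.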