fix: refactor deployment templates to use common port definitions and…

… update service account token settings On-behalf-of: @SAP angel.kafazov@sap.com Signed-off-by: Angel Kafazov <akafazov@cst-bg.net>
openmfp · Nov 25, 2024 · 0e0b3ae · 0e0b3ae
1 parent 566ff49
commit 0e0b3ae
Show file tree

Hide file tree

Showing 6 changed files with 55 additions and 24 deletions.
diff --git a/charts/account-operator/templates/deployment.yaml b/charts/account-operator/templates/deployment.yaml
@@ -38,12 +38,7 @@ spec:
           name: manager
           {{ include "common.security" . | nindent 10 }}
           ports:
-          - containerPort: {{ .Values.metrics.port }}
-            name: metrics
-            protocol: TCP
-          - name: health-port
-            containerPort: {{ .Values.health.port }}
-            protocol: TCP
+          {{ include "common.PortsMetricsHealth" . | nindent 10 }}
           {{- if .Values.webhooks.enabled }}
           - name: webhook-port
             containerPort: 9443

diff --git a/charts/account-operator/tests/__snapshot__/deployment_test.yaml.snap b/charts/account-operator/tests/__snapshot__/deployment_test.yaml.snap
@@ -297,7 +297,7 @@ operator match the snapshot:
                 - --leader-elect
                 - --log-level=warn
                 - --health-probe-bind-address=:8081
-              automountServiceAccountToken: true
+              automountServiceAccountToken: false
               env:
                 - name: SUBROUTINES_NAMESPACE_ENABLED
                   value: "true"
@@ -675,7 +675,7 @@ operator match the snapshot (with kubeconfigSecret):
                 - --leader-elect
                 - --log-level=warn
                 - --health-probe-bind-address=:8081
-              automountServiceAccountToken: true
+              automountServiceAccountToken: false
               env:
                 - name: SUBROUTINES_NAMESPACE_ENABLED
                   value: "true"
@@ -1063,7 +1063,7 @@ operator match the snapshot with webhook enabled:
                 - --leader-elect
                 - --log-level=warn
                 - --health-probe-bind-address=:8081
-              automountServiceAccountToken: true
+              automountServiceAccountToken: false
               env:
                 - name: SUBROUTINES_NAMESPACE_ENABLED
                   value: "true"

diff --git a/charts/account-operator/tests/deployment_test.yaml b/charts/account-operator/tests/deployment_test.yaml
@@ -15,15 +15,20 @@ tests:
   - it: operator match the snapshot with webhook enabled
     set:
       health:
+        port: 8081
         liveness:
           path: "/healthz"
           # failureThreshold: 1
       webhooks:
         enabled: true
+        certDir: /certs
     asserts:
       - matchSnapshot: {}
   - it: deployment with security context
     template: deployment.yaml
+    set:
+      security:
+        mountServiceAccountToken: true
     asserts:
       - equal:
           path: spec.template.spec.containers[0].securityContext

diff --git a/charts/account-operator/values.yaml b/charts/account-operator/values.yaml
@@ -1,12 +1,18 @@
 image:
+  # @param image.name The image repository
   name: ghcr.io/openmfp/account-operator
+  # @param image.tag The image tag
   tag: latest
 
+# @param imagePullSecret The secret used to pull the image
 imagePullSecret: "github"
 
+# @param crds.enabled Enable CRDs
 crds:
   enabled: true
 
+# @param webhooks.enabled Enable webhooks
+# @param webhooks.certDir The directory for webhook certificates
 webhooks:
   enabled: false
   certDir: /certs
@@ -35,10 +41,19 @@ health:
   #   path: "/readyz"
   #   failureThreshold: 30
 
-
+# The metrics configuration
+## @param metrics.port The port for the metrics
 metrics:
   port: 8080
 
+# The deployment configuration
+## @param deployment.specTemplate.annotations The annotations to add to the deployment template
+## @param deployment.specTemplate.labels The labels to add to the deployment template
+## @param deployment.revisionHistoryLimit The number of old ReplicaSets to retain to allow rollback
+## @param deployment.resources.limits.cpu The maximum amount of CPU the container is allowed to use
+## @param deployment.resources.limits.memory The maximum amount of memory the container is allowed to use
+## @param deployment.resources.requests.cpu The amount of CPU requested for the container
+## @param deployment.resources.requests.memory The amount of memory requested for the container
 deployment:
   specTemplate:
     annotations: {}
@@ -52,10 +67,23 @@ deployment:
       cpu: 150m
       memory: 128Mi
 
+# The KCP configuration
+## @param kcp.enabled Enable KCP
+## @param kcp.virtualWorkspaceUrl The URL for the virtual workspace
 kcp:
   enabled: false
   virtualWorkspaceUrl: ""
 
+# The subroutines configuration
+## @param subroutines.namespace.enabled Enable namespace subroutines
+## @param subroutines.fga.enabled Enable FGA subroutines
+## @param subroutines.fga.grpcAddr The gRPC address for FGA
+## @param subroutines.fga.rootNamespace The root namespace for FGA
+## @param subroutines.fga.objectType The object type for FGA
+## @param subroutines.fga.parentRelation The parent relation for FGA
+## @param subroutines.fga.creatorRelation The creator relation for FGA
+## @param subroutines.extension.enabled Enable extension subroutines
+## @param subroutines.extensionReady.enabled Enable extension ready subroutines
 subroutines:
   namespace:
     enabled: true
@@ -71,5 +99,11 @@ subroutines:
   extensionReady:
     enabled: true
 
+# @param kubeconfigSecret The secret for kubeconfig
 kubeconfigSecret: ""
+# @param logLevel The log level
 logLevel: warn
+
+## @param security.mountServiceAccountToken Mount the service account token
+security:
+  mountServiceAccountToken: false
diff --git a/charts/common/templates/_deploymentHelpers.tpl b/charts/common/templates/_deploymentHelpers.tpl
@@ -31,12 +31,7 @@ ports:
   - name: http
     containerPort: {{ .Values.port | default 8080 }}
     protocol: TCP
-  - name: metrics
-    containerPort: {{ .Values.metricsPort | default 2112 }}
-    protocol: TCP
-  - name: health-port
-    containerPort: {{ (.Values.health).port | default 3389 }}
-    protocol: TCP
+  {{ include "common.PortsMetricsHealth" | nindent 4 }}
 {{- end}}
 
 {{- define "common.technicalIssuers" }}
@@ -114,7 +109,7 @@ readinessProbe:
   initialDelaySeconds: {{ ((.Values.health).readiness).initialDelaySeconds | default 45 }}
   periodSeconds: {{ (.Values.health).periodSeconds | default 10 }}
 {{- end }}
-{{- define "common.security" }}
+{{- define "common.security" -}}
 securityContext:
   runAsNonRoot: true
   readOnlyRootFilesystem: true
@@ -126,7 +121,6 @@ automountServiceAccountToken: {{ not (eq (.Values.security).mountServiceAccountT
 {{- define "common.terminationGracePeriodSeconds" -}}
 {{ .Values.terminationGracePeriodSeconds | default 10 }}
 {{- end }}
-
 {{- define "common.imagePullPolicy" -}}
 {{- if and .Values.global (.Values.global.imagePullPolicy) -}}
 {{ .Values.global.imagePullPolicy }}
@@ -136,3 +130,11 @@ automountServiceAccountToken: {{ not (eq (.Values.security).mountServiceAccountT
 Always
 {{- end -}}
 {{- end }}
+{{- define "common.PortsMetricsHealth" -}}
+- name: metrics
+  containerPort: {{ ((.Values).metrics).port | default 2112 }}
+  protocol: TCP
+- name: health-port
+  containerPort: {{ (.Values.health).port | default 3389 }}
+  protocol: TCP
+{{- end -}}
diff --git a/charts/extension-manager-operator/templates/deployment.yaml b/charts/extension-manager-operator/templates/deployment.yaml
@@ -35,12 +35,7 @@ spec:
           name: manager
           {{ include "common.security" . | nindent 10 }}
           ports:
-          - containerPort: {{ .Values.metrics.port }}
-            name: metrics
-            protocol: TCP
-          - name: health-port
-            containerPort: {{ .Values.health.port }}
-            protocol: TCP
+          {{ include "common.PortsMetricsHealth" . | nindent 10 }}
           {{ include "common.operatorHealthAndReadyness" . | nindent 10 }}
           resources:
             limits: