Merge pull request #3805 from telepresenceio/thallgren/helm-schema

Add json-schema for the telepresence-oss Helm chart

Author: thallgren

CHANGELOG.yml

@@ -54,6 +54,12 @@ items:
           
           The deprecated `--replace` flag still works, but is hidden from the `telepresence intercept` command help, and
           will print a deprecation warning when used.
+      - type: feature
+        title: Add json-schema for the Telepresence Helm Chart
+        body: |-
+          Helm can validate a chart using a json-schema using the command `helm lint`, and this schema can be part of
+          the actual Helm chart. The telepresence-oss Helm chart now includes such a schema, and a new
+          `telepresence helm lint` command was added so that linting can be performed using the embedded chart.
       - type: feature
         title: No dormant container present during replace.
         body: |-
@@ -90,6 +96,11 @@ items:
         body: >-
           The output of the `telepresence list` command will now include the workload kind (deployment, replicaset,
           statefulset, or rollout) in all entries.
+      - type: feature
+        title: Add ability to override the default securityContext for the Telepresence init-container
+        body: >-
+          Users can now use the Helm value `agent.initSecurityContext` to override the default securityContext for the
+          Telepresence init-container.
       - type: change
         title: Make the DNS recursion check configurable and turn it off by default.
         body: >-

build-aux/main.mk

@@ -293,7 +293,7 @@ push-images: push-tel2-image push-client-image
 .PHONY: helm-chart
 helm-chart: $(BUILDDIR)/telepresence-oss-chart.tgz
 
-$(BUILDDIR)/telepresence-oss-chart.tgz: $(wildcard charts/telepresence-oss/**/*)
+$(BUILDDIR)/telepresence-oss-chart.tgz: $(wildcard charts/**/*)
 	mkdir -p $(BUILDDIR)
 	go run packaging/helmpackage.go -o $@ -v $(TELEPRESENCE_SEMVER)
 

charts/chart.go

@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"io"
 	"io/fs"
+	"os"
 	"sort"
 	"strings"
 
@@ -41,14 +42,19 @@ func filePriority(chartName, filename string) int {
 }
 
 func addFile(tarWriter *tar.Writer, vfs fs.FS, filename string, content []byte) error {
+	var header *tar.Header
 	// Build the tar.Header.
 	fi, err := fs.Stat(vfs, filename)
-	if err != nil {
-		return err
-	}
-	header, err := tar.FileInfoHeader(fi, "")
-	if err != nil {
-		return err
+	if err == nil {
+		header, err = tar.FileInfoHeader(fi, "")
+		if err != nil {
+			return err
+		}
+	} else {
+		if !os.IsNotExist(err) {
+			return err
+		}
+		header = &tar.Header{}
 	}
 	header.Name = filename
 	header.Mode = 0o644
@@ -126,6 +132,18 @@ func WriteChart(helmChartDir DirType, out io.Writer, chartName, version string,
 
 	for _, filename := range filenames {
 		switch filename {
+		case fmt.Sprintf("%s/values.schema.yaml", chartName):
+			content, err := fs.ReadFile(baseDir, filename)
+			if err != nil {
+				return err
+			}
+			content, err = yaml.YAMLToJSON(content)
+			if err != nil {
+				return err
+			}
+			if err = addFile(tarWriter, baseDir, fmt.Sprintf("%s/values.schema.json", chartName), content); err != nil {
+				return err
+			}
 		case fmt.Sprintf("%s/Chart.yaml", chartName):
 			content, err := fs.ReadFile(baseDir, filename)
 			if err != nil {
@@ -141,15 +159,15 @@ func WriteChart(helmChartDir DirType, out io.Writer, chartName, version string,
 			if err != nil {
 				return err
 			}
-			if err := addFile(tarWriter, baseDir, filename, content); err != nil {
+			if err = addFile(tarWriter, baseDir, filename, content); err != nil {
 				return err
 			}
 		default:
 			content, err := fs.ReadFile(baseDir, filename)
 			if err != nil {
 				return err
 			}
-			if err := addFile(tarWriter, baseDir, filename, content); err != nil {
+			if err = addFile(tarWriter, baseDir, filename, content); err != nil {
 				return err
 			}
 		}

charts/telepresence-oss/templates/_helpers.tpl

@@ -183,7 +183,7 @@ telepresence: manager
 Client RBAC name suffix
 */}}
 {{- define "telepresence.clientRbacName" -}}
-{{ printf "%s-%s" (default (include "telepresence.name" $) .Values.rbac.nameOverride) (include "traffic-manager.namespace" $) }}
+{{ printf "%s-%s" (include "telepresence.name" $) (include "traffic-manager.namespace" $) }}
 {{- end -}}
 
 {{- /*

charts/telepresence-oss/templates/agentInjectorWebhook.yaml

@@ -1,4 +1,4 @@
-{{- if and (not .Values.rbac.only) .Values.agentInjector.enabled }}
+{{- if and (not (and .Values.rbac .Values.rbac.only)) .Values.agentInjector.enabled }}
 {{- $namespaceSelector := mustFromJson (include "traffic-manager.namespaceSelector" $) }}
 {{- /*
 Perform a check that the new namespaceSelector doesn't select namespaces that are
@@ -64,11 +64,11 @@ already managed by some other traffic-manager.
     {{- end }}
   {{- end }}
 {{- end }}
----
 {{- $altNames := list ( printf "agent-injector.%s" (include "traffic-manager.namespace" $)) ( printf "agent-injector.%s.svc" (include "traffic-manager.namespace" $)) -}}
 {{- $genCA := genCA "agent-injector-ca" 365 -}}
 {{- $genCert := genSignedCert "agent-injector" nil $altNames 365 $genCA -}}
 {{- $secretData := (lookup "v1" "Secret" (include "traffic-manager.namespace" $) .Values.agentInjector.secret.name).data -}}
+---
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:

charts/telepresence-oss/templates/clientRbac/connect.yaml

@@ -1,4 +1,5 @@
-{{- if .Values.clientRbac.create }}
+{{- with .Values.clientRbac }}
+{{- if .create }}
 {{- /*
 Client must have the following RBAC in the traffic-manager.namespace to establish
 a port-forward to the traffic-manager pod.
@@ -32,10 +33,11 @@ metadata:
   labels:
     {{- include "telepresence.labels" $ | nindent 4 }}
 subjects:
-{{ toYaml .Values.clientRbac.subjects }}
+{{ toYaml .subjects }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   name: traffic-manager-connect
   kind: Role
 
 {{- end }}
+{{- end }}

charts/telepresence-oss/templates/deployment.yaml

@@ -1,5 +1,5 @@
 {{- with .Values }}
-{{- if not .rbac.only }}
+{{- if not (and .rbac .rbac.only) }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -114,87 +114,57 @@ spec:
         {{- /*
         Traffic agent configuration
         */}}
-          {{- if .agent.logLevel }}
+          {{- with .agent }}
+          {{- if .logLevel }}
           - name: AGENT_LOG_LEVEL
-            value: {{ .agent.logLevel }}
+            value: {{ .logLevel }}
           {{- end }}
-          {{- if .agent.port }}
+          {{- if .port }}
           - name: AGENT_PORT
-            value: {{ .agent.port | quote }}
+            value: {{ .port | quote }}
           {{- end }}
-          {{- /* replaced by agent.appProtocolStrategy. Retained for backward compatibility */}}
-          {{- if $.Values.agentInjector.appProtocolStrategy }}
-          - name: AGENT_APP_PROTO_STRATEGY
-            value: {{ $.Values.agentInjector.appProtocolStrategy }}
-          {{- else }}
-          {{- if .agent.appProtocolStrategy }}
+          {{- if .appProtocolStrategy }}
           - name: AGENT_APP_PROTO_STRATEGY
-            value: {{ .agent.appProtocolStrategy }}
+            value: {{ .appProtocolStrategy }}
           {{- end }}
-          {{- end }}
-          {{- /* replaced by agent.resources. Retained for backward compatibility */}}
-          {{- if $.Values.agentInjector.agentImage.resources }}
-          - name: AGENT_RESOURCES
-            value: '{{ toJson $.Values.agentInjector.agentImage.resources }}'
-          {{- else }}
-          {{- if .agent.resources }}
+          {{- if .resources }}
           - name: AGENT_RESOURCES
-            value: '{{ toJson .agent.resources }}'
-          {{- end }}
+            value: '{{ toJson .resources }}'
           {{- end }}
-          {{- /* replaced by agent.initResoruces. Retained for backward compatibility */}}
-          {{- if $.Values.agentInjector.agentImage.initResources }}
+          {{- if .initResources }}
           - name: AGENT_INIT_RESOURCES
-            value: '{{ toJson $.Values.agentInjector.agentImage.initResources }}'
-          {{- else }}
-          {{- if .agent.initResources }}
-          - name: AGENT_INIT_RESOURCES
-            value: '{{ toJson .agent.initResources }}'
+            value: '{{ toJson .initResources }}'
           {{- end }}
-          {{- end }}
-          {{- /* replaced by agent.image.name Retained for backward compatibility */}}
-          {{- if .agentInjector.agentImage.name }}
-          - name: AGENT_IMAGE_NAME
-            value: {{ .agentInjector.agentImage.name }}
-          {{- else }}
-          {{- if .agent.image.name }}
+          {{- with .image }}
+          {{- if .name }}
           - name: AGENT_IMAGE_NAME
-            value: {{ .agent.image.name }}
+            value: {{ .name }}
           {{- end }}
-          {{- end }}
-          {{- if .agentInjector.agentImage.tag }}
-          - name: AGENT_IMAGE_TAG
-            value: {{ .agentInjector.agentImage.tag }}
-          {{- else }}
-          {{- if .agent.image.tag }}
+          {{- if .tag }}
           - name: AGENT_IMAGE_TAG
-            value: {{ .agent.image.tag }}
-          {{- end }}
+            value: {{ .tag }}
           {{- end }}
-          {{- /* replaced by agent.image.registry Retained for backward compatibility */}}
-          {{- if .agentInjector.agentImage.registry }}
+          {{- if .registry }}
           - name: AGENT_REGISTRY
-            value: {{ .agentInjector.agentImage.registry }}
-          {{- else }}
-          {{- if .agent.image.registry }}
-          - name: AGENT_REGISTRY
-            value: {{ .agent.image.registry }}
-          {{- end }}
+            value: {{ .registry }}
           {{- end }}
-          {{- with .agent.image.pullSecrets }}
+          {{- with .pullSecrets }}
           - name: AGENT_IMAGE_PULL_SECRETS
             value: '{{ toJson . }}'
           {{- end }}
           - name: AGENT_IMAGE_PULL_POLICY
-            value: {{ .agent.image.pullPolicy }}
-          {{- /* to allow running with no security context, must check against nil - this allows specifying an empty dict for the value */}}
-          {{- if not (eq .agent.securityContext nil) }}
+            value: {{ .pullPolicy }}
+          {{- end }}
+          {{- /* must check against nil. An empty security context is a valid override */}}
+          {{- if not (eq .securityContext nil) }}
           - name: AGENT_SECURITY_CONTEXT
-            value: '{{ toJson .agent.securityContext }}'
+            value: '{{ toJson .securityContext }}'
           {{- end }}
-          {{- if .agent.initSecurityContext }}
+          {{- /* must check against nil. An empty security context is a valid override */}}
+          {{- if not (eq .initSecurityContext nil) }}
           - name: AGENT_INIT_SECURITY_CONTEXT
-            value: '{{ toJson .agent.initSecurityContext }}'
+            value: '{{ toJson .initSecurityContext }}'
+          {{- end }}
           {{- end }}
           {{- with fromJsonArray (include "traffic-manager.namespaces" $) }}
           {{- /*
@@ -228,17 +198,6 @@ spec:
           {{- with .client }}
           - name: CLIENT_CONNECTION_TTL
             value: {{ .connectionTTL }}
-          {{- /* replaced by client.routing. Retained for backward compatibility */}}
-          {{- with $.Values.dnsConfig }}
-          {{- if .alsoProxySubnets }}
-          - name: CLIENT_ROUTING_ALSO_PROXY_SUBNETS
-            value: "{{ join " " .alsoProxySubnets }}"
-          {{- end }}
-          {{- if .neverProxySubnets }}
-          - name: CLIENT_ROUTING_NEVER_PROXY_SUBNETS
-            value: "{{ join " " .neverProxySubnets }}"
-          {{- end }}
-          {{- else }}
           {{- with .routing }}
           {{- if .alsoProxySubnets }}
           - name: CLIENT_ROUTING_ALSO_PROXY_SUBNETS
@@ -253,7 +212,6 @@ spec:
             value: "{{ join " " .allowConflictingSubnets }}"
           {{- end }}
           {{- end }}
-          {{- end }}
           {{- with .dns }}
           {{- with .excludeSuffixes }}
           - name: CLIENT_DNS_EXCLUDE_SUFFIXES

charts/telepresence-oss/templates/pre-delete-hook.yaml

@@ -1,4 +1,4 @@
-{{- if and (not .Values.rbac.only) .Values.agentInjector.enabled }}
+{{- if and (not (and .Values.rbac .Values.rbac.only)) .Values.agentInjector.enabled }}
 apiVersion: batch/v1
 kind: Job
 metadata:

charts/telepresence-oss/templates/service.yaml

@@ -1,5 +1,5 @@
 {{- with .Values }}
-{{- if not .rbac.only }}
+{{- if not (and .rbac .rbac.only) }}
 apiVersion: v1
 kind: Service
 metadata:

charts/telepresence-oss/templates/tests/test-connection.yaml

@@ -1,4 +1,4 @@
-{{- if not .Values.rbac.only }}
+{{- if not (and .Values.rbac .Values.rbac.only) }}
 apiVersion: v1
 kind: Pod
 metadata:

charts/telepresence-oss/templates/trafficManager-configmap.yaml

@@ -10,9 +10,11 @@ data:
   client.yaml: |
     {{- toYaml .Values.client | nindent 4 }}
 {{- end }}
-{{- if .Values.intercept.environment }}
+{{- with .Values.intercept }}
+{{- if .environment }}
   agent-env.yaml: |
-    {{- toYaml .Values.intercept.environment | nindent 4 }}
+    {{- toYaml .environment | nindent 4 }}
+{{- end }}
 {{- end }}
   namespace-selector.yaml: |
     {{- toYaml (mustFromJson (include "traffic-manager.namespaceSelector" $)) | nindent 4 }}