diff --git a/config/charts/knative-operator/templates/operator.yaml b/config/charts/knative-operator/templates/operator.yaml index cc34e3688..b7f151ba2 100644 --- a/config/charts/knative-operator/templates/operator.yaml +++ b/config/charts/knative-operator/templates/operator.yaml @@ -48,6 +48,10 @@ metadata: app.kubernetes.io/component: operator-webhook app.kubernetes.io/version: "{{ .Chart.Version }}" app.kubernetes.io/name: knative-operator + {{- if and .Values.knative_operator.operator_webhook.annotations }} + annotations: + {{ toYaml .Values.knative_operator.operator_webhook.annotations }} + {{- end }} spec: selector: matchLabels: @@ -62,6 +66,10 @@ spec: app.kubernetes.io/version: "{{ .Chart.Version }}" app.kubernetes.io/name: knative-operator sidecar.istio.io/inject: "false" + {{- if and .Values.knative_operator.operator_webhook.podAnnotations }} + annotations: + {{ toYaml .Values.knative_operator.operator_webhook.podAnnotations }} + {{- end }} spec: # To avoid node becoming SPOF, spread our replicas to different nodes. affinity: @@ -73,7 +81,10 @@ spec: app: operator-webhook topologyKey: kubernetes.io/hostname weight: 100 - + {{- if and .Values.knative_operator.operator_webhook.securityContext }} + securityContext: + {{ toYaml .Values.knative_operator.operator_webhook.securityContext }} + {{- end }} serviceAccountName: operator-webhook containers: - name: operator-webhook @@ -83,11 +94,11 @@ spec: resources: requests: - cpu: 100m - memory: 100Mi + cpu: {{ .Values.knative_operator.operator_webhook.resources.requests.cpu }} + memory: {{ .Values.knative_operator.operator_webhook.resources.requests.memory }} limits: - cpu: 500m - memory: 500Mi + cpu: {{ .Values.knative_operator.operator_webhook.resources.limits.cpu }} + memory: {{ .Values.knative_operator.operator_webhook.resources.limits.memory }} env: - name: POD_NAME 
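Review bot: The new `annotations:` under the Deployment's `metadata` expands the map with a bare `{{ toYaml .Values.knative_operator.operator_webhook.annotations }}`, so only the first key inherits the template's indentation and every following key lands at column 0, outside `metadata`. The usual Helm form is `annotations:` followed by `{{- toYaml .Values.knative_operator.operator_webhook.annotations | nindent 4 }}` (4 being the depth of keys under a top-level `metadata`, assuming the standard layout). `{{- if and X }}` with a single operand is just `{{- if X }}`; `{{- with X }}` would read more idiomatically and let the body use `.`. The same bare-`toYaml` pattern is repeated for the pod annotations and pod securityContext in the following hunks.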
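Review bot: The `podAnnotations` map is emitted with a bare `{{ toYaml ... }}` under `spec.template.metadata.annotations`, which mis-nests every key after the first; a single-key test would not expose this, but real pod annotation sets are almost always multi-key. Use `{{- toYaml .Values.knative_operator.operator_webhook.podAnnotations | nindent 8 }}` (8 being the key depth under `spec.template.metadata.annotations` in the usual Deployment layout). The pod template's `spec` continues past the hunk.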
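Review bot: The pod-level `securityContext` is rendered with a bare `{{ toYaml ... }}`, so a map with more than one key (e.g. `runAsNonRoot` plus `seccompProfile`) has every key after the first mis-nested at column 0; write `{{- toYaml .Values.knative_operator.operator_webhook.securityContext | nindent 8 }}`. Because the values.yaml in this diff defines no `operator_webhook.securityContext`, the block is skipped by default and the pod spec carries no `seccompProfile`, which matters if this namespace is meant to satisfy the restricted Pod Security Standard. The Deployment `spec` this sits in opens before the hunk.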
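Review bot: Each `resources` quantity is read through a fixed values path with no fallback, so a values override that supplies only `requests` (or only `limits`) aborts rendering with a nil-pointer error on the missing key rather than applying a partial override. Rendering the whole map — `resources:` then `{{- toYaml .Values.knative_operator.operator_webhook.resources | nindent 10 }}` — accepts partial maps and extra quantities such as `ephemeral-storage`, which the four fixed keys cannot express. The container definition continues past the hunk.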
@@ -114,12 +125,12 @@ spec: - name: KUBERNETES_MIN_VERSION value: "{{ .Values.knative_operator.kubernetes_min_version }}" securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true + allowPrivilegeEscalation: {{ .Values.knative_operator.operator_webhook.containerSecurityContext.allowPrivilegeEscalation }} + readOnlyRootFilesystem: {{ .Values.knative_operator.operator_webhook.containerSecurityContext.readOnlyRootFilesystem }} + runAsNonRoot: {{ .Values.knative_operator.operator_webhook.containerSecurityContext.runAsNonRoot }} capabilities: drop: - - all + - ALL ports: - name: metrics @@ -1337,6 +1348,20 @@ spec: type: object type: object type: array + namespace: + description: A field of namespace name to override the labels and annotations + type: object + properties: + labels: + additionalProperties: + type: string + description: Labels overrides labels for the namespace and its template. + type: object + annotations: + additionalProperties: + type: string + description: Annotations overrides labels for the namespace and its template. + type: object deployments: description: A mapping of deployment name to override type: array @@ -2396,6 +2421,12 @@ spec: - type: string description: An eviction is allowed if at least "minAvailable" pods selected by "selector" will still be available after the eviction, i.e. even in the absence of the evicted pod. So for example you can prevent all voluntary evictions by specifying "100%". x-kubernetes-int-or-string: true + maxUnavailable: + anyOf: + - type: integer + - type: string + description: An eviction is allowed if at most "maxUnavailable" pods selected by "selector" are unavailable after the eviction, i.e. even in absence of the evicted pod. For example, one can prevent all voluntary evictions by specifying 0. This is a mutually exclusive setting with "minAvailable". + x-kubernetes-int-or-string: true source: description: The source configuration for Knative Eventing properties: 
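Review bot: The three hardening booleans are now interpolated straight from values with no guard, so an override map that omits one of them (say `containerSecurityContext: {runAsNonRoot: true}`) renders `allowPrivilegeEscalation:` with an empty value, which Kubernetes treats as unset — the control silently disappears instead of the install failing. Wrapping each read in `required`, e.g. `allowPrivilegeEscalation: {{ required "operator_webhook.containerSecurityContext.allowPrivilegeEscalation must be set" .Values.knative_operator.operator_webhook.containerSecurityContext.allowPrivilegeEscalation }}`, fails closed; `required` passes `false` through, whereas `default true` would turn an explicit `false` into `true`. Note also that only these three fields plus the hard-coded `drop: [ALL]` can be expressed, so a `seccompProfile` cannot be added through values if the restricted Pod Security Standard is the goal. The container definition starts before this hunk.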
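Review bot: The new `namespace.labels` / `namespace.annotations` override places no restriction on keys, so whoever can write this CR can — if the operator applies the map to the namespace object as the description implies — set `pod-security.kubernetes.io/enforce` and relax Pod Security Admission for the whole namespace through the operator's own RBAC. Either document that this is intended or reject the prefix with a rule on the `labels` map such as `x-kubernetes-validations:` / `- rule: "!self.exists(k, k.startsWith('pod-security.kubernetes.io/'))"`, which the chart's v1.25 minimum (values.yaml below) supports. Separately, the `annotations` description is a copy of the `labels` one (`Annotations overrides labels for the namespace and its template`) and should read `Annotations overrides annotations for the namespace and its template`. The enclosing spec schema continues on both sides of the hunk.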
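Review bot: The description states that `maxUnavailable` is mutually exclusive with `minAvailable`, but nothing in the schema enforces it, so a CR that sets both is admitted and the conflict presumably only surfaces when the operator tries to write the PodDisruptionBudget. With the chart's `kubernetes_min_version` at v1.25.0 (values.yaml below), a CEL rule on the enclosing object (which starts above the hunk) can reject it at admission: `x-kubernetes-validations:` / `- rule: "!(has(self.minAvailable) && has(self.maxUnavailable))"` / `message: "minAvailable and maxUnavailable are mutually exclusive"`. The Serving copy of this schema later in the file needs the same rule.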
@@ -3715,6 +3746,20 @@ spec: type: object type: object type: array + namespace: + description: A field of namespace name to override the labels and annotations + type: object + properties: + labels: + additionalProperties: + type: string + description: Labels overrides labels for the namespace and its template. + type: object + annotations: + additionalProperties: + type: string + description: Annotations overrides labels for the namespace and its template. + type: object deployments: description: A mapping of deployment name to override type: array @@ -4774,6 +4819,12 @@ spec: - type: string description: An eviction is allowed if at least "minAvailable" pods selected by "selector" will still be available after the eviction, i.e. even in the absence of the evicted pod. So for example you can prevent all voluntary evictions by specifying "100%". x-kubernetes-int-or-string: true + maxUnavailable: + anyOf: + - type: integer + - type: string + description: An eviction is allowed if at most "maxUnavailable" pods selected by "selector" are unavailable after the eviction, i.e. even in absence of the evicted pod. For example, one can prevent all voluntary evictions by specifying 0. This is a mutually exclusive setting with "minAvailable". + x-kubernetes-int-or-string: true ingress: description: The ingress configuration for Knative Serving properties: @@ -4823,6 +4874,17 @@ spec: format: string type: string type: object + tls: + properties: + mode: + description: TLS mode can be SIMPLE, MUTUAL, ISTIO_MUTUAL. + format: string + type: string + credentialName: + description: TLS certificate name. + format: string + type: string + type: object type: object type: array type: object 
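Review bot: The `annotations` description here is a verbatim copy of the `labels` one (`Annotations overrides labels for the namespace and its template`) and should read `Annotations overrides annotations for the namespace and its template`. As in the Eventing copy of this schema, the key set is unconstrained, so a CR author can in effect set namespace labels such as `pod-security.kubernetes.io/enforce` via the operator's privileges if the operator applies this map to the namespace; document that as intended or add `- rule: "!self.exists(k, k.startsWith('pod-security.kubernetes.io/'))"` under `x-kubernetes-validations` on the `labels` map. The enclosing spec schema continues on both sides of the hunk.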
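Review bot: `maxUnavailable` is documented as mutually exclusive with `minAvailable` but the schema admits both together, deferring the error to whenever the PodDisruptionBudget is applied. A CEL rule on the enclosing object (above the hunk) enforces it at admission, which the chart's v1.25 minimum allows: `x-kubernetes-validations:` / `- rule: "!(has(self.minAvailable) && has(self.maxUnavailable))"` / `message: "minAvailable and maxUnavailable are mutually exclusive"`.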
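Review bot: `tls.mode` is described as `SIMPLE`, `MUTUAL` or `ISTIO_MUTUAL` but typed as a free string, so a typo is admitted by the API server and only fails — or is silently ignored — once the value reaches the ingress gateway; add `enum: [SIMPLE, MUTUAL, ISTIO_MUTUAL]` under `mode`. `description: TLS certificate name` on `credentialName` undersells it: presumably this names a Secret the gateway reads, so the description should say which namespace that Secret must live in, because a Secret in the wrong namespace yields a missing certificate with no schema-level error. The enclosing ingress object continues on both sides of the hunk.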
@@ -4861,6 +4923,17 @@ spec: format: string type: string type: object + tls: + properties: + mode: + description: TLS mode can be SIMPLE, MUTUAL, ISTIO_MUTUAL. + format: string + type: string + credentialName: + description: TLS certificate name. + format: string + type: string + type: object type: object type: array type: object @@ -4872,8 +4945,14 @@ spec: type: boolean service-type: type: string + service-load-balancer-ip: + type: string bootstrap-configmap: type: string + http-port: + type: integer + https-port: + type: integer type: object type: object security: @@ -5579,6 +5658,8 @@ rules: - watch - update - patch + - create + - delete - apiGroups: - rbac.authorization.k8s.io resources: @@ -5702,6 +5783,32 @@ rules: verbs: - deletecollection + # Eventing TLS + - apiGroups: + - "cert-manager.io" + resources: + - certificates + - issuers + - clusterissuers + verbs: + - create + - delete + - update + - list + - get + - watch + - apiGroups: + - "trust.cert-manager.io" + resources: + - bundles + verbs: + - create + - delete + - update + - list + - get + - watch + --- # Copyright 2020 The Knative Authors # @@ -6205,6 +6312,10 @@ metadata: labels: app.kubernetes.io/name: knative-operator app.kubernetes.io/version: "{{ .Chart.Version }}" + {{- if and .Values.knative_operator.knative_operator.annotations }} + annotations: + {{ toYaml .Values.knative_operator.knative_operator.annotations }} + {{- end }} spec: replicas: 1 selector: 
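Review bot: As with the other `tls` block in this file, `mode` lists three legal values in its description but is typed as a free string; `enum: [SIMPLE, MUTUAL, ISTIO_MUTUAL]` lets the API server reject anything else at admission instead of at the gateway. `credentialName` should state where the referenced Secret is expected to live, since that is what someone debugging a failed TLS handshake needs from the schema.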
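Review bot: `http-port` and `https-port` are unbounded integers, so `0` or `70000` is accepted into the CR and fails only later at the service; add `minimum: 1` and `maximum: 65535` to each. `service-load-balancer-ip` could carry `format: ipv4` (if IPv6 is not a target) for the same early-rejection reason. The object these keys belong to starts above the hunk.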
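Review bot: This adds `create` and `delete` to a rule whose `resources:` list sits above the hunk, so the scope of the privilege expansion is not visible here; the commit should name the resource and the feature that needs it, and a comment next to the grant such as `# create/delete: needed for <resource> by <feature>` would keep that rationale with the RBAC. If the resource is cluster-scoped, pairing `delete` with `resourceNames` where the operator's objects have fixed names limits what a compromised operator could remove.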
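Review bot: The new rules grant create/delete on `clusterissuers` and trust-manager `bundles`, both cluster-scoped, so anything that can steer the operator (a Knative CR, for instance) can create issuers and trust bundles that — as I understand trust-manager — are distributed into every namespace; that is a large reach for an optional Eventing TLS feature. If the operator only references existing ClusterIssuers, drop `create`/`delete` for that resource and keep them for namespaced `certificates`/`issuers`; otherwise a comment beside the rule explaining why cluster-wide write is needed would help the next reviewer. `patch` is also absent although the rule just above carries `update` and `patch`, so if the operator reconciles these objects via patch or server-side apply it will be denied — worth confirming against the reconciler. The `rules:` list of this (presumably Cluster)Role starts above the hunk.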
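Review bot: The operator Deployment's `annotations:` is expanded with a bare `{{ toYaml ... }}`, so a map with more than one key renders its later keys at column 0, outside `metadata`; use `{{- toYaml .Values.knative_operator.knative_operator.annotations | nindent 4 }}`. `{{- if and X }}` with one operand is just `{{- if X }}`. The Deployment `spec` continues past the hunk.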
@@ -6217,11 +6328,26 @@ spec: app.kubernetes.io/name: knative-operator app.kubernetes.io/version: "{{ .Chart.Version }}" sidecar.istio.io/inject: "false" + {{- if and .Values.knative_operator.knative_operator.podAnnotations }} + annotations: + {{ toYaml .Values.knative_operator.knative_operator.podAnnotations }} + {{- end }} spec: serviceAccountName: knative-operator + {{- if and .Values.knative_operator.knative_operator.securityContext }} + securityContext: + {{ toYaml .Values.knative_operator.knative_operator.securityContext }} + {{- end }} containers: - name: knative-operator image: "{{ .Values.knative_operator.knative_operator.image }}:{{ .Values.knative_operator.knative_operator.tag }}" + resources: + requests: + cpu: {{ .Values.knative_operator.knative_operator.resources.requests.cpu }} + memory: {{ .Values.knative_operator.knative_operator.resources.requests.memory }} + limits: + cpu: {{ .Values.knative_operator.knative_operator.resources.limits.cpu }} + memory: {{ .Values.knative_operator.knative_operator.resources.limits.memory }} imagePullPolicy: IfNotPresent env: - name: POD_NAME @@ -6240,6 +6366,13 @@ spec: value: config-observability - name: KUBERNETES_MIN_VERSION value: "{{ .Values.knative_operator.kubernetes_min_version }}" + securityContext: + allowPrivilegeEscalation: {{ .Values.knative_operator.knative_operator.containerSecurityContext.allowPrivilegeEscalation }} + readOnlyRootFilesystem: {{ .Values.knative_operator.knative_operator.containerSecurityContext.readOnlyRootFilesystem }} + runAsNonRoot: {{ .Values.knative_operator.knative_operator.containerSecurityContext.runAsNonRoot }} + capabilities: + drop: + - ALL ports: - name: metrics containerPort: 9090 diff --git a/config/charts/knative-operator/values.yaml b/config/charts/knative-operator/values.yaml index 5fc147c85..3492e4373 100644 --- a/config/charts/knative-operator/values.yaml +++ b/config/charts/knative-operator/values.yaml 
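Review bot: Both new `{{ toYaml ... }}` expansions here (`podAnnotations` and the pod `securityContext`) lack `nindent`, so any map with more than one key renders its later keys at column 0 and breaks the Deployment; use `| nindent 8` on both, assuming the usual `spec.template` layout. Reading `resources` through four fixed paths also means a values override that supplies only `requests` aborts rendering on the missing `limits` key; `resources:` followed by `{{- toYaml .Values.knative_operator.knative_operator.resources | nindent 10 }}` accepts partial maps and extra quantities. The container list continues past the hunk.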
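Review bot: Good that the operator container now gets a securityContext at all (every line here is new), but `readOnlyRootFilesystem: true` is a behaviour change for this container and nothing in the hunk mounts a writable `emptyDir`; confirm the operator never writes to disk (e.g. when fetching manifests) or add a `/tmp` volume alongside. The three booleans are interpolated unquoted from values, so an override that omits a key renders it empty and the control silently disappears; `runAsNonRoot: {{ required "knative_operator.containerSecurityContext.runAsNonRoot must be set" .Values.knative_operator.knative_operator.containerSecurityContext.runAsNonRoot }}` fails closed (and `required` still passes an explicit `false`). A `seccompProfile: {type: RuntimeDefault}` would be needed for the restricted Pod Security Standard and cannot be expressed through these fixed fields.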
@@ -2,7 +2,29 @@ knative_operator: knative_operator: image: gcr.io/knative-releases/knative.dev/operator/cmd/operator tag: {{ tag }} + containerSecurityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + resources: + requests: + cpu: 100m + memory: 100Mi + limits: + cpu: 1000m + memory: 1000Mi operator_webhook: image: gcr.io/knative-releases/knative.dev/operator/cmd/webhook tag: {{ tag }} + containerSecurityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + resources: + requests: + cpu: 100m + memory: 100Mi + limits: + cpu: 500m + memory: 500Mi kubernetes_min_version: v1.25.0 diff --git a/hack/generate-helm.sh b/hack/generate-helm.sh index 3e6c867ca..70840c122 100755 --- a/hack/generate-helm.sh +++ b/hack/generate-helm.sh 
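Review bot: The new `containerSecurityContext` blocks carry no comment saying that all three keys are mandatory, yet the template in this diff reads each key individually with no fallback, so a user who overrides the map with a subset silently loses the omitted control (an empty value renders as unset). Add above each block: `# All three keys must be present: the template has no defaults, so an omitted key disables that control.` A second comment noting that extra keys such as `seccompProfile` are not rendered would save users from adding one and assuming it took effect.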
@@ -36,26 +36,6 @@ readonly TARGET_DIR="${CHARTS_DIR}/${NAME}" # Create the directory, if it does not exist. mkdir -p ${TARGET_DIR}/templates -# Generate the template based on the yaml files under config -echo "" > ${TARGET_DIR}/templates/operator.yaml -for filename in config/*.yaml; do - if [[ $filename == *namespace.yaml ]]; then - continue - fi - cat $filename >> ${TARGET_DIR}/templates/operator.yaml - echo -e "\n---" >> ${TARGET_DIR}/templates/operator.yaml -done - -# Replace the namespace and images with the helm parameters -sed -i.bak 's/namespace: knative-operator/namespace: "{{ .Release.Namespace }}"/g' ${TARGET_DIR}/templates/operator.yaml -sed -i.bak 's/image: ko:\/\/knative.dev\/operator\/cmd\/operator/image: "{{ .Values.knative_operator.knative_operator.image }}:{{ .Values.knative_operator.knative_operator.tag }}"/g' ${TARGET_DIR}/templates/operator.yaml -sed -i.bak 's/image: ko:\/\/knative.dev\/operator\/cmd\/webhook/image: "{{ .Values.knative_operator.operator_webhook.image }}:{{ .Values.knative_operator.operator_webhook.tag }}"/g' ${TARGET_DIR}/templates/operator.yaml -sed -i.bak 's/operator.knative.dev\/release: devel/operator.knative.dev\/release: "v{{ .Chart.Version }}"/g' ${TARGET_DIR}/templates/operator.yaml -sed -i.bak 's/app.kubernetes.io\/version: devel/app.kubernetes.io\/version: "{{ .Chart.Version }}"/g' ${TARGET_DIR}/templates/operator.yaml -sed -i.bak 's/value: ""/value: "{{ .Values.knative_operator.kubernetes_min_version }}"/g' ${TARGET_DIR}/templates/operator.yaml - -rm ${TARGET_DIR}/templates/operator.yaml.bak - sed -i.bak "s/{{ version }}/${VERSION:1}/g" ${TARGET_DIR}/Chart.yaml sed -i.bak "s/{{ tag }}/${VERSION}/g" ${TARGET_DIR}/values.yaml