From d67b68c892702d60eb8220e7b9e887cc03a7c1b7 Mon Sep 17 00:00:00 2001 From: Matt Brock Date: Thu, 29 Aug 2024 10:57:12 -0500 Subject: [PATCH 1/7] Adding extra pod labels to post-upgrade and post-delete hook job pods --- examples/chart/teleport-kube-agent/templates/delete_hook.yaml | 4 ++++ examples/chart/teleport-kube-agent/templates/hook.yaml | 4 ++++ examples/chart/teleport-kube-agent/values.yaml | 2 +- 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/examples/chart/teleport-kube-agent/templates/delete_hook.yaml b/examples/chart/teleport-kube-agent/templates/delete_hook.yaml index 3690ae754e78..3e2f51857482 100644 --- a/examples/chart/teleport-kube-agent/templates/delete_hook.yaml +++ b/examples/chart/teleport-kube-agent/templates/delete_hook.yaml @@ -73,6 +73,10 @@ spec: template: metadata: name: {{ .Release.Name }}-delete-hook + annotations: +{{- if .Values.extraLabels.pod }} + {{- toYaml .Values.extraLabels.pod | nindent 8 }} +{{- end }} spec: {{- if .Values.imagePullSecrets }} imagePullSecrets: diff --git a/examples/chart/teleport-kube-agent/templates/hook.yaml b/examples/chart/teleport-kube-agent/templates/hook.yaml index e6d7de50a80f..3a84f3ef1297 100644 --- a/examples/chart/teleport-kube-agent/templates/hook.yaml +++ b/examples/chart/teleport-kube-agent/templates/hook.yaml @@ -63,6 +63,10 @@ spec: template: metadata: name: {{ .Release.Name }}-hook + annotations: +{{- if .Values.extraLabels.pod }} + {{- toYaml .Values.extraLabels.pod | nindent 8 }} +{{- end }} spec: {{- if .Values.priorityClassName }} priorityClassName: {{ .Values.priorityClassName }} diff --git a/examples/chart/teleport-kube-agent/values.yaml b/examples/chart/teleport-kube-agent/values.yaml index 0af79df0e87a..beb0d284b1ef 100644 --- a/examples/chart/teleport-kube-agent/values.yaml +++ b/examples/chart/teleport-kube-agent/values.yaml 
@@ -1120,7 +1120,7 @@ extraLabels: # extraLabels.job(object) -- are labels to set on the post-delete Job created by the chart. job: {} # extraLabels.pod(object) -- are labels to set on the Pods created by the - # Deployment or StatefulSet. + # Deployment, StatefulSet, or Job. pod: {} # extraLabels.podDisruptionBudget(object) -- are labels to set on the podDisruptionBudget. podDisruptionBudget: {} From d2caf2c4ad52e56c5542a9d6529595e7b6ad886c Mon Sep 17 00:00:00 2001 From: Matt Brock Date: Fri, 30 Aug 2024 07:41:33 -0500 Subject: [PATCH 2/7] Update examples/chart/teleport-kube-agent/templates/delete_hook.yaml Co-authored-by: Tiago Silva --- .../chart/teleport-kube-agent/templates/delete_hook.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/examples/chart/teleport-kube-agent/templates/delete_hook.yaml b/examples/chart/teleport-kube-agent/templates/delete_hook.yaml index 3e2f51857482..f0a4b2edf6b0 100644 --- a/examples/chart/teleport-kube-agent/templates/delete_hook.yaml +++ b/examples/chart/teleport-kube-agent/templates/delete_hook.yaml @@ -73,7 +73,12 @@ spec: template: metadata: name: {{ .Release.Name }}-delete-hook +{{- if .Values.annotations.pod }} annotations: + {{- toYaml .Values.annotations.pod | nindent 8 }} +{{- end }} + labels: + app: {{ .Release.Name }} {{- if .Values.extraLabels.pod }} {{- toYaml .Values.extraLabels.pod | nindent 8 }} {{- end }} From a5635065683c8de846bfa28284c1a8267416c009 Mon Sep 17 00:00:00 2001 From: Matt Brock Date: Fri, 30 Aug 2024 08:05:26 -0500 Subject: [PATCH 3/7] Update snapshot to include app label in delete hook job --- .../teleport-kube-agent/templates/hook.yaml | 101 ------------------ .../tests/__snapshot__/job_test.yaml.snap | 2 + 2 files changed, 2 insertions(+), 101 deletions(-) delete mode 100644 examples/chart/teleport-kube-agent/templates/hook.yaml 
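Review bot: The new `labels:` block in delete_hook.yaml emits a fixed `app: {{ .Release.Name }}` and then appends `.Values.extraLabels.pod` into the same mapping, so a user-supplied `app` key renders as a duplicate key whose winner depends on the YAML parser. The label value is also the bare release name, so if the agent's Service, NetworkPolicy or PodDisruptionBudget select on `app: <release>` (those templates are not visible in this patch), the hook pod would match the same selectors while running kubectl under its own ServiceAccount. Consider a distinct value such as `app: {{ .Release.Name }}-delete-hook`, or merge the fixed label and `extraLabels.pod` into one map before `toYaml` so only one `app` key is emitted. The same block is re-added to hook.yaml in PATCH 7/7, where the post-upgrade Job runs alongside live agent pods and the overlap matters more. The Job template continues outside the hunk.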
diff --git a/examples/chart/teleport-kube-agent/templates/hook.yaml b/examples/chart/teleport-kube-agent/templates/hook.yaml deleted file mode 100644 index 3a84f3ef1297..000000000000 --- a/examples/chart/teleport-kube-agent/templates/hook.yaml +++ /dev/null 
@@ -1,101 +0,0 @@ -{{- $deployment := (lookup "apps/v1" "Deployment" .Release.Namespace .Release.Name ) -}} -{{- if $deployment }} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ .Release.Name }}-hook - namespace: {{ .Release.Namespace }} - annotations: - "helm.sh/hook": post-upgrade - "helm.sh/hook-weight": "-4" - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ .Release.Name }}-hook - namespace: {{ .Release.Namespace }} - annotations: - "helm.sh/hook": post-upgrade - "helm.sh/hook-weight": "-3" - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded -rules: - - apiGroups: ["apps"] - resources: ["statefulsets"] - resourceNames: ["{{ .Release.Name }}"] - verbs: ["get", "watch", "list"] - - apiGroups: [""] - resources: ["pods",] - verbs: ["get", "watch"] - - apiGroups: ["apps"] - resources: ["deployments",] - resourceNames: ["{{ .Release.Name }}"] - verbs: ["get", "delete", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ .Release.Name }}-hook - namespace: {{ .Release.Namespace }} - annotations: - "helm.sh/hook": post-upgrade - "helm.sh/hook-weight": "-2" - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ .Release.Name }}-hook -subjects: -- kind: ServiceAccount - name: {{ .Release.Name }}-hook - namespace: {{ .Release.Namespace }} ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ .Release.Name }}-hook - namespace: {{ .Release.Namespace }} - annotations: - "helm.sh/hook": post-upgrade - "helm.sh/hook-weight": "-1" - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded -spec: - template: - metadata: - name: {{ .Release.Name }}-hook - annotations: -{{- if .Values.extraLabels.pod }} - {{- toYaml .Values.extraLabels.pod | nindent 8 }} -{{- end }} - spec: -{{- if .Values.priorityClassName }} - 
priorityClassName: {{ .Values.priorityClassName }} -{{- end }} -{{- if .Values.tolerations }} - tolerations: - {{- toYaml .Values.tolerations | nindent 6 }} -{{- end }} - serviceAccountName: {{ .Release.Name }}-hook - restartPolicy: OnFailure -{{- if .Values.nodeSelector }} - nodeSelector: - {{- toYaml .Values.nodeSelector | nindent 8 }} -{{- end }} - containers: - - name: post-install-job - image: alpine/k8s:1.26.0 - command: - - sh - - "-c" - - | - /bin/sh <<'EOF' - set -eu -o pipefail - # wait until statefulset is ready - kubectl rollout status --watch --timeout=600s statefulset/{{ .Release.Name }} - # delete deployment - kubectl delete deployment/{{ .Release.Name }} - EOF - {{- if .Values.securityContext }} - securityContext: {{- toYaml .Values.securityContext | nindent 10 }} - {{- end }} -{{- end}} diff --git a/examples/chart/teleport-kube-agent/tests/__snapshot__/job_test.yaml.snap b/examples/chart/teleport-kube-agent/tests/__snapshot__/job_test.yaml.snap index 34b1f8008ee6..4b1f642aa5f2 100644 --- a/examples/chart/teleport-kube-agent/tests/__snapshot__/job_test.yaml.snap +++ b/examples/chart/teleport-kube-agent/tests/__snapshot__/job_test.yaml.snap @@ -51,6 +51,8 @@ should not create ServiceAccount for post-delete hook if serviceAccount.create i helm.sh/hook-weight: "-3" name: RELEASE-NAME-delete-hook namespace: NAMESPACE + labels: + app: RELEASE-NAME rules: - apiGroups: - "" From 8b6ec76cb432f56020dc4eb932e0be72ed39657a Mon Sep 17 00:00:00 2001 From: Matt Brock Date: Fri, 30 Aug 2024 08:10:47 -0500 Subject: [PATCH 4/7] Correct snapshot app label to be in delete hook job, not the role --- .../teleport-kube-agent/tests/__snapshot__/job_test.yaml.snap | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/chart/teleport-kube-agent/tests/__snapshot__/job_test.yaml.snap b/examples/chart/teleport-kube-agent/tests/__snapshot__/job_test.yaml.snap index 4b1f642aa5f2..05a125808098 100644 
--- a/examples/chart/teleport-kube-agent/tests/__snapshot__/job_test.yaml.snap +++ b/examples/chart/teleport-kube-agent/tests/__snapshot__/job_test.yaml.snap @@ -51,8 +51,6 @@ should not create ServiceAccount for post-delete hook if serviceAccount.create i helm.sh/hook-weight: "-3" name: RELEASE-NAME-delete-hook namespace: NAMESPACE - labels: - app: RELEASE-NAME rules: - apiGroups: - "" @@ -90,6 +88,8 @@ should not create ServiceAccount for post-delete hook if serviceAccount.create i helm.sh/hook-weight: "-1" name: RELEASE-NAME-delete-hook namespace: NAMESPACE + labels: + app: RELEASE-NAME spec: template: metadata: From e07d766847488abb53b1051569ab01276424d1d2 Mon Sep 17 00:00:00 2001 From: Matt Brock Date: Fri, 30 Aug 2024 08:17:45 -0500 Subject: [PATCH 5/7] Correct snapshot app label to be in spec metadata --- .../teleport-kube-agent/tests/__snapshot__/job_test.yaml.snap | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/chart/teleport-kube-agent/tests/__snapshot__/job_test.yaml.snap b/examples/chart/teleport-kube-agent/tests/__snapshot__/job_test.yaml.snap index 05a125808098..f6533a0aeea9 100644 --- a/examples/chart/teleport-kube-agent/tests/__snapshot__/job_test.yaml.snap +++ b/examples/chart/teleport-kube-agent/tests/__snapshot__/job_test.yaml.snap @@ -88,11 +88,11 @@ should not create ServiceAccount for post-delete hook if serviceAccount.create i helm.sh/hook-weight: "-1" name: RELEASE-NAME-delete-hook namespace: NAMESPACE - labels: - app: RELEASE-NAME spec: template: metadata: + labels: + app: RELEASE-NAME name: RELEASE-NAME-delete-hook spec: containers: From db510713d413081e07cf5af7d8f4fc8b553b342a Mon Sep 17 00:00:00 2001 From: Matt Brock Date: Fri, 30 Aug 2024 13:01:26 -0500 Subject: [PATCH 6/7] Adding a test for extraLabels.pod --- .../teleport-kube-agent/tests/job_test.yaml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) 
diff --git a/examples/chart/teleport-kube-agent/tests/job_test.yaml b/examples/chart/teleport-kube-agent/tests/job_test.yaml index febb020f6d9d..f694e0644bb8 100644 --- a/examples/chart/teleport-kube-agent/tests/job_test.yaml +++ b/examples/chart/teleport-kube-agent/tests/job_test.yaml @@ -251,3 +251,21 @@ tests: apiVersion: rbac.authorization.k8s.io/v1 - matchSnapshot: path: spec.template.spec + + - it: should contain pod labels in the Job's pod spec if extraLabels.pod is set + template: delete_hook.yaml + # documentIndex: 0=ServiceAccount 1=Role 2=RoleBinding 3=Job + documentIndex: 3 + values: + - ../.lint/backwards-compatibility.yaml + set: + extraLabels: + pod: + testLabel: testValue + asserts: + - equal: + path: spec.template.metadata.labels + value: + app: RELEASE-NAME + testLabel: testValue + From 4ee6671aa7a58d64d1959db8218841b99b40ca21 Mon Sep 17 00:00:00 2001 From: Matt Brock Date: Wed, 4 Sep 2024 09:23:07 -0500 Subject: [PATCH 7/7] Adding back hook.yaml --- .../teleport-kube-agent/templates/hook.yaml | 106 ++++++++++++++++++ 1 file changed, 106 insertions(+) create mode 100644 examples/chart/teleport-kube-agent/templates/hook.yaml diff --git a/examples/chart/teleport-kube-agent/templates/hook.yaml b/examples/chart/teleport-kube-agent/templates/hook.yaml new file mode 100644 index 000000000000..3a2f13e98e8f --- /dev/null +++ b/examples/chart/teleport-kube-agent/templates/hook.yaml 
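Review bot: The added case asserts only `spec.template.metadata.labels`; the `annotations.pod` branch that PATCH 2/7 introduced into the same pod template in delete_hook.yaml is not exercised. Pod annotations commonly drive sidecar injection or runtime profiles, so a regression there (for instance the labels-under-`annotations:` layout from PATCH 1/7) would pass unnoticed. A sibling case that sets `annotations.pod` and checks the rendered key is sketched below. hook.yaml is wrapped in a `lookup` guard, which presumably renders empty under unit tests, so its pod metadata stays uncovered either way.

```yaml
  # … unchanged: "should contain pod labels in the Job's pod spec if extraLabels.pod is set" …

  - it: should contain pod annotations in the Job's pod spec if annotations.pod is set
    template: delete_hook.yaml
    # documentIndex: 0=ServiceAccount 1=Role 2=RoleBinding 3=Job
    documentIndex: 3
    values:
      - ../.lint/backwards-compatibility.yaml
    set:
      annotations:
        pod:
          # constructed sample key/value
          testAnnotation: testValue
    asserts:
      - equal:
          path: spec.template.metadata.annotations.testAnnotation
          value: testValue
```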
@@ -0,0 +1,106 @@ +{{- $deployment := (lookup "apps/v1" "Deployment" .Release.Namespace .Release.Name ) -}} +{{- if $deployment }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Release.Name }}-hook + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-weight": "-4" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ .Release.Name }}-hook + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-weight": "-3" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +rules: + - apiGroups: ["apps"] + resources: ["statefulsets"] + resourceNames: ["{{ .Release.Name }}"] + verbs: ["get", "watch", "list"] + - apiGroups: [""] + resources: ["pods",] + verbs: ["get", "watch"] + - apiGroups: ["apps"] + resources: ["deployments",] + resourceNames: ["{{ .Release.Name }}"] + verbs: ["get", "delete", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ .Release.Name }}-hook + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-weight": "-2" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ .Release.Name }}-hook +subjects: +- kind: ServiceAccount + name: {{ .Release.Name }}-hook + namespace: {{ .Release.Namespace }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ .Release.Name }}-hook + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-weight": "-1" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +spec: + template: + metadata: + name: {{ .Release.Name }}-hook +{{- if .Values.annotations.pod }} + annotations: + {{- toYaml .Values.annotations.pod | nindent 8 }} +{{- end }} + labels: + app: {{ .Release.Name }} +{{- if 
.Values.extraLabels.pod }} + {{- toYaml .Values.extraLabels.pod | nindent 8 }} +{{- end }} + spec: +{{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} +{{- end }} +{{- if .Values.tolerations }} + tolerations: + {{- toYaml .Values.tolerations | nindent 6 }} +{{- end }} + serviceAccountName: {{ .Release.Name }}-hook + restartPolicy: OnFailure +{{- if .Values.nodeSelector }} + nodeSelector: + {{- toYaml .Values.nodeSelector | nindent 8 }} +{{- end }} + containers: + - name: post-install-job + image: alpine/k8s:1.26.0 + command: + - sh + - "-c" + - | + /bin/sh <<'EOF' + set -eu -o pipefail + # wait until statefulset is ready + kubectl rollout status --watch --timeout=600s statefulset/{{ .Release.Name }} + # delete deployment + kubectl delete deployment/{{ .Release.Name }} + EOF + {{- if .Values.securityContext }} + securityContext: {{- toYaml .Values.securityContext | nindent 10 }} + {{- end }} +{{- end}}
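Review bot: The post-upgrade Job's container is pinned only by a mutable tag, `image: alpine/k8s:1.26.0`, and the reference is hard-coded in the template. This pod runs under the `{{ .Release.Name }}-hook` ServiceAccount, whose Role in the same file allows `delete` on the release Deployment, so whatever that tag resolves to at upgrade time executes with that access. Pinning by digest, e.g. `image: alpine/k8s:1.26.0@sha256:<DIGEST_PLACEHOLDER>`, and exposing the image through chart values so operators can mirror it to a registry they control would narrow that exposure. Separately, `securityContext` is emitted only when `.Values.securityContext` is set, so the chart default (not visible here) decides whether this container runs hardened.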