From 56d5f8a24ca8975593e381b9b3fadedbe1451b4d Mon Sep 17 00:00:00 2001 From: Jan Date: Wed, 22 Jan 2025 18:38:44 +0100 Subject: [PATCH 1/6] allow omitting the identity migration pre-upgrade hook --- charts/ziti-router/templates/pre-upgrade-configmap.yaml | 5 +++-- charts/ziti-router/templates/pre-upgrade-job.yaml | 3 +++ charts/ziti-router/templates/pre-upgrade-serviceaccount.yaml | 4 +++- charts/ziti-router/values.yaml | 5 +++++ 4 files changed, 14 insertions(+), 3 deletions(-) diff --git a/charts/ziti-router/templates/pre-upgrade-configmap.yaml b/charts/ziti-router/templates/pre-upgrade-configmap.yaml index 7c3691177..7bdb54747 100644 --- a/charts/ziti-router/templates/pre-upgrade-configmap.yaml +++ b/charts/ziti-router/templates/pre-upgrade-configmap.yaml @@ -1,4 +1,4 @@ - +{{if not .Values.omitIdentityMigration}} --- apiVersion: v1 kind: ConfigMap @@ -78,4 +78,5 @@ data: {{ include "ziti-router.fullname" . }}-identity else echo "INFO: identity secret does not exist" - fi \ No newline at end of file + fi +{{end}} \ No newline at end of file diff --git a/charts/ziti-router/templates/pre-upgrade-job.yaml b/charts/ziti-router/templates/pre-upgrade-job.yaml index 488ad0522..cb9e99608 100644 --- a/charts/ziti-router/templates/pre-upgrade-job.yaml +++ b/charts/ziti-router/templates/pre-upgrade-job.yaml @@ -1,3 +1,5 @@ +{{if not .Values.omitIdentityMigration}} +--- apiVersion: batch/v1 kind: Job metadata: @@ -72,3 +74,4 @@ spec: {{- else }} emptyDir: {} {{- end }} +{{end}} \ No newline at end of file diff --git a/charts/ziti-router/templates/pre-upgrade-serviceaccount.yaml b/charts/ziti-router/templates/pre-upgrade-serviceaccount.yaml index 8cd05e771..32bea50b1 100644 --- a/charts/ziti-router/templates/pre-upgrade-serviceaccount.yaml +++ b/charts/ziti-router/templates/pre-upgrade-serviceaccount.yaml @@ -1,4 +1,5 @@ - +{{if not .Values.omitIdentityMigration}} +--- apiVersion: v1 kind: ServiceAccount metadata: 
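Review bot: The new guard `{{if not .Values.omitIdentityMigration}}` at the top of the ConfigMap template treats any non-empty string as true, so a value supplied as a quoted `"false"` (or via `--set-string`) silently disables the migration hook, and the untrimmed `{{if}}`/`{{end}}` pair leaves stray blank lines in the rendered output. Consider `{{- if not .Values.omitIdentityMigration }}` and `{{- end }}` together with a comment above the guard such as `# pre-upgrade identity migration; rendered only when omitIdentityMigration is boolean false`. The ConfigMap body between the two hunks is outside this view.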
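Review bot: The `emptyDir: {}` fallback visible at the end of the Job hunk suggests that when `persistence.enabled` is false the migration copies the identity into a volume that disappears with the hook pod, so in that configuration the hook is rendered, runs with the hook service account's permissions, and has no lasting effect. If that reading is right, gate the hook on both conditions, `{{- if and .Values.persistence.enabled (not .Values.omitIdentityMigration) }}`, and use the same condition in the ConfigMap and ServiceAccount templates so the three hook resources always render together. The Job spec between the two hunks is not visible here, so this is inferred from the volume fallback alone.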
@@ -40,3 +41,4 @@ subjects: - kind: ServiceAccount name: {{ include "ziti-router.fullname" . }}-hook-serviceaccount namespace: {{ .Release.Namespace }} +{{end}} \ No newline at end of file diff --git a/charts/ziti-router/values.yaml b/charts/ziti-router/values.yaml index c3e86b4d4..1c6bec7d9 100644 --- a/charts/ziti-router/values.yaml +++ b/charts/ziti-router/values.yaml @@ -373,6 +373,11 @@ tolerations: [] # -- deployment template spec affinity affinity: {} +# -- omit migration of identity secret to persistent volume +# Previous versions of this chart stored the router identity in a secret resource. A migration is provided by the execution of a pre-upgrade hook. +# If want to omit this migration (pre-upgrade hook) set this value to true. +omitIdentityMigration: false + ## Enable persistence using Persistent Volume Claims ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ ## From dfd5b9f4f9c12e20222539470209a5894afe3e0d Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Wed, 22 Jan 2025 17:39:14 +0000 Subject: [PATCH 2/6] helm-docs: automated action --- charts/ziti-router/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/charts/ziti-router/README.md b/charts/ziti-router/README.md index d8deeefd6..49833e41f 100644 --- a/charts/ziti-router/README.md +++ b/charts/ziti-router/README.md 
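Review bot: Gating the hook ServiceAccount and the RoleBinding whose `subjects` close this hunk on the same flag is the right least-privilege move, but if these resources carry a `helm.sh/hook` annotation (not visible in this hunk) Helm does not track them in the release manifest, so setting `omitIdentityMigration: true` on an existing release will not remove a hook ServiceAccount, Role or RoleBinding left behind by an earlier upgrade unless a `helm.sh/hook-delete-policy` already cleaned them up. A comment above the guard would make that explicit, e.g. `# hook RBAC is not part of the release; copies left by earlier upgrades must be removed manually once this flag is set`, or add `helm.sh/hook-delete-policy: hook-succeeded,hook-failed` to these resources if it is not already there. The Role between the two hunks is outside this view.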
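Review bot: The new `omitIdentityMigration` description never says what skipping the hook does to an existing router: by the comment's own account earlier chart versions kept the identity in a Secret, so upgrading such a release with the flag set leaves the identity out of the persistent volume and the router presumably comes up without its enrolled identity. State that consequence and fix the grammar, e.g. `# If you want to skip this migration (the pre-upgrade hook), set this to true. Do so only on a fresh install or after copying the identity from the Secret to the PV yourself; otherwise the router starts without its existing identity.`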
@@ -303,6 +303,7 @@ identity: | linkListeners.transport.service.labels | object | `{}` | service labels | | linkListeners.transport.service.type | string | `"ClusterIP"` | expose the service as a ClusterIP, NodePort, or LoadBalancer | | nodeSelector | object | `{}` | deployment template spec node selector | +| omitIdentityMigration | bool | `false` | omit migration of identity secret to persistent volume Previous versions of this chart stored the router identity in a secret resource. A migration is provided by the execution of a pre-upgrade hook. If want to omit this migration (pre-upgrade hook) set this value to true. | | persistence.accessMode | string | `"ReadWriteOnce"` | PVC access mode: ReadWriteOnce (concurrent mounts not allowed), ReadWriteMany (concurrent allowed) | | persistence.annotations | object | `{}` | annotations for the PVC | | persistence.enabled | bool | `true` | required: place a storage claim for the ctrl endpoints state file | From 549a520d63438592f3f5854809eb7cc427cd2359 Mon Sep 17 00:00:00 2001 From: Jan Date: Wed, 29 Jan 2025 09:45:49 +0100 Subject: [PATCH 3/6] rename key in values file for preventing the deployment of helm hooks --- .../ziti-router/templates/pre-upgrade-configmap.yaml | 2 +- charts/ziti-router/templates/pre-upgrade-job.yaml | 2 +- .../templates/pre-upgrade-serviceaccount.yaml | 2 +- charts/ziti-router/values.yaml | 12 ++++++------ 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/charts/ziti-router/templates/pre-upgrade-configmap.yaml b/charts/ziti-router/templates/pre-upgrade-configmap.yaml index 7bdb54747..80e80f800 100644 --- a/charts/ziti-router/templates/pre-upgrade-configmap.yaml +++ b/charts/ziti-router/templates/pre-upgrade-configmap.yaml @@ -1,4 +1,4 @@ -{{if not .Values.omitIdentityMigration}} +{{if not .Values.noHelmHooks}} --- apiVersion: v1 kind: ConfigMap 
diff --git a/charts/ziti-router/templates/pre-upgrade-job.yaml b/charts/ziti-router/templates/pre-upgrade-job.yaml index cb9e99608..9bb2e50c4 100644 --- a/charts/ziti-router/templates/pre-upgrade-job.yaml +++ b/charts/ziti-router/templates/pre-upgrade-job.yaml @@ -1,4 +1,4 @@ -{{if not .Values.omitIdentityMigration}} +{{if not .Values.noHelmHooks}} --- apiVersion: batch/v1 kind: Job diff --git a/charts/ziti-router/templates/pre-upgrade-serviceaccount.yaml b/charts/ziti-router/templates/pre-upgrade-serviceaccount.yaml index 32bea50b1..e6c18a38e 100644 --- a/charts/ziti-router/templates/pre-upgrade-serviceaccount.yaml +++ b/charts/ziti-router/templates/pre-upgrade-serviceaccount.yaml @@ -1,4 +1,4 @@ -{{if not .Values.omitIdentityMigration}} +{{if not .Values.noHelmHooks}} --- apiVersion: v1 kind: ServiceAccount diff --git a/charts/ziti-router/values.yaml b/charts/ziti-router/values.yaml index 1c6bec7d9..158bd5a80 100644 --- a/charts/ziti-router/values.yaml +++ b/charts/ziti-router/values.yaml @@ -7,7 +7,7 @@ ctrl: # -- required control plane endpoint, e.g., ctrl.ziti.example.com:443 endpoint: "" -# -- Explicit proxy setting in the router configuration. Router can be deployed in a site +# -- Explicit proxy setting in the router configuration. Router can be deployed in a site # where all egress traffic is forwarded through an explicit proxy. # The enrollment will also be forwarded through the proxy. proxy: {} 
@@ -373,10 +373,10 @@ tolerations: [] # -- deployment template spec affinity affinity: {} -# -- omit migration of identity secret to persistent volume -# Previous versions of this chart stored the router identity in a secret resource. A migration is provided by the execution of a pre-upgrade hook. -# If want to omit this migration (pre-upgrade hook) set this value to true. -omitIdentityMigration: false +# -- disable the execution of hooks, defined within this chart +# This chart makes use of Helm hooks. Setting this to true will prevent the hooks from being deployed. +# This is useful when using the chart with tools like ArgoCD +noHelmHooks: false ## Enable persistence using Persistent Volume Claims ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ @@ -404,7 +404,7 @@ persistence: volumeName: # -- PVC access mode: ReadWriteOnce (concurrent mounts not allowed), ReadWriteMany (concurrent allowed) accessMode: ReadWriteOnce - # -- 50Mi is plenty for this state file + # -- 50Mi is plenty for this state file size: 50Mi fabric: metrics: From 28bd5f5929aaf472613baa3817f55a33902098e1 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Wed, 29 Jan 2025 08:46:09 +0000 Subject: [PATCH 4/6] helm-docs: automated action --- charts/ziti-router/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/ziti-router/README.md b/charts/ziti-router/README.md index 49833e41f..05ecf1f46 100644 --- a/charts/ziti-router/README.md +++ b/charts/ziti-router/README.md 
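Review bot: The rewritten comment for `noHelmHooks` drops the one fact an operator needs, which the removed lines carried: the only hook in this chart migrates the router identity from a Secret to the persistent volume, so `noHelmHooks: true` on an upgrade from an older release skips that migration. Keep the warning in the generic wording, e.g. `# Disable the Helm hooks defined in this chart (currently the pre-upgrade job that migrates the router identity Secret to the PV). Useful with GitOps tools such as ArgoCD; when set on an upgrade from a release that still stores the identity in a Secret, migrate it manually first.` The ArgoCD sentence could also be made precise — as far as I know ArgoCD maps Helm hooks to its own sync hooks, so the concern is differing hook semantics rather than hooks not running.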
@@ -302,19 +302,19 @@ identity: | linkListeners.transport.service.enabled | bool | `true` | create a cluster service for the router transport link listener; unnecessary if advertisedHost is shared with edge listener (the default) | | linkListeners.transport.service.labels | object | `{}` | service labels | | linkListeners.transport.service.type | string | `"ClusterIP"` | expose the service as a ClusterIP, NodePort, or LoadBalancer | +| noHelmHooks | bool | `false` | disable the execution of hooks, defined within this chart This chart makes use of Helm hooks. Setting this to true will prevent the hooks from being deployed. This is useful when using the chart with tools like ArgoCD | | nodeSelector | object | `{}` | deployment template spec node selector | -| omitIdentityMigration | bool | `false` | omit migration of identity secret to persistent volume Previous versions of this chart stored the router identity in a secret resource. A migration is provided by the execution of a pre-upgrade hook. If want to omit this migration (pre-upgrade hook) set this value to true. | | persistence.accessMode | string | `"ReadWriteOnce"` | PVC access mode: ReadWriteOnce (concurrent mounts not allowed), ReadWriteMany (concurrent allowed) | | persistence.annotations | object | `{}` | annotations for the PVC | | persistence.enabled | bool | `true` | required: place a storage claim for the ctrl endpoints state file | | persistence.existingClaim | string | `""` | A manually managed Persistent Volume and Claim Requires persistence.enabled: true If defined, PVC must be created manually before volume will be bound | -| persistence.size | string | `"50Mi"` | 50Mi is plenty for this state file | +| persistence.size | string | `"50Mi"` | 50Mi is plenty for this state file | | persistence.storageClass | string | `""` | Storage class of PV to bind. By default it looks for the default storage class. If the PV uses a different storage class, specify that here. 
| | persistence.volumeName | string | `nil` | PVC volume name | | podAnnotations | object | `{}` | annotations to apply to all pods deployed by this chart | | podSecurityContext | object | `{"fsGroup":2171}` | deployment template spec security context | | podSecurityContext.fsGroup | int | `2171` | this is the GID of "ziggy" run-as user in the container that has access to any files created by the router process in the emptyDir volume used to persist the list of ctrl endpoints | -| proxy | object | `{}` | Explicit proxy setting in the router configuration. Router can be deployed in a site where all egress traffic is forwarded through an explicit proxy. The enrollment will also be forwarded through the proxy. | +| proxy | object | `{}` | Explicit proxy setting in the router configuration. Router can be deployed in a site where all egress traffic is forwarded through an explicit proxy. The enrollment will also be forwarded through the proxy. | | resources | object | `{}` | deployment container resources | | securityContext | string | `nil` | deployment container security context | | tolerations | list | `[]` | deployment template spec tolerations | From 7acd81351d524c6bf31b5495b271194257f7c433 Mon Sep 17 00:00:00 2001 From: Jan Date: Wed, 29 Jan 2025 10:01:42 +0100 Subject: [PATCH 5/6] add hint regarding the use of this chart in the context of gitops --- charts/ziti-router/README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/charts/ziti-router/README.md b/charts/ziti-router/README.md index 05ecf1f46..73bde45a1 100644 --- a/charts/ziti-router/README.md +++ b/charts/ziti-router/README.md @@ -229,6 +229,10 @@ identity: serverKey: /etc/ziti/alt-server-cert-3/server3.key ``` +## GitOps + +If you plan to use this chart with a GitOps tool like ArgoCD, set the `noHelmHooks` flag to `true`. This is because GitOps tools may not handle Helm hooks consistently. + ## Values Reference | Key | Type | Default | Description | 
From 8d7b82d48150cbb398554506195b7f773e0e8176 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Wed, 29 Jan 2025 09:02:03 +0000 Subject: [PATCH 6/6] helm-docs: automated action --- charts/ziti-router/README.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/charts/ziti-router/README.md b/charts/ziti-router/README.md index 73bde45a1..05ecf1f46 100644 --- a/charts/ziti-router/README.md +++ b/charts/ziti-router/README.md @@ -229,10 +229,6 @@ identity: serverKey: /etc/ziti/alt-server-cert-3/server3.key ``` -## GitOps - -If you plan to use this chart with a GitOps tool like ArgoCD, set the `noHelmHooks` flag to `true`. This is because GitOps tools may not handle Helm hooks consistently. - ## Values Reference | Key | Type | Default | Description |