diff --git a/CHANGELOG.md b/CHANGELOG.md index 042e26be1acf5adebf34a5f03eea9f85bb23d6d0..93ea1acc433ac39296c3fd3af1603bffa8e143ce 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), --- +## [0.0.3-bb.2] - 2021-03-31 +### Added +- Values passthroughs for affinity and anti-affinity added +### Changed +- Split out resources into separate yaml files + ## [0.0.3-bb.0] - 2021-02-12 ### Added - Options under istio values to control labels, annotations, gateways and full URL modification for twistlock VirtualService. diff --git a/chart/Chart.yaml b/chart/Chart.yaml index 7821cfc7b90690d1aef768c1b7b35fb5d8392a02..f64111d3f0d507f128cf7706af23ef7cf488275f 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml @@ -1,4 +1,4 @@ apiVersion: v2 name: twistlock -version: 0.0.3-bb.1 +version: 0.0.3-bb.2 appVersion: 20.12.531 diff --git a/chart/templates/twistlock_console.yaml b/chart/templates/configmap.yaml similarity index 60% rename from chart/templates/twistlock_console.yaml rename to chart/templates/configmap.yaml index ca6f99740bd594f0415d04ae2ab35abfcfefc93c..34a4680886d1ab73aaf3c8c06eee63549a2276a1 100644 --- a/chart/templates/twistlock_console.yaml +++ b/chart/templates/configmap.yaml @@ -1,4 +1,3 @@ ---- apiVersion: v1 kind: ConfigMap data: 
@@ -6,119 +5,3 @@ data:
 metadata:
 name: twistlock-console
 namespace: {{ .Release.Namespace }}
----
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- name: console
- name: twistlock-console
- namespace: {{ .Release.Namespace }}
-spec:
- ports:
- - name: communication-port
- port: 8084
- - name: management-port-https
- port: 8083
- - name: mgmt-http
- port: 8081
- selector:
- name: twistlock-console
----
-apiVersion: v1
-kind: ServiceAccount # Service Account is used for managing security context constraints policies in Openshift (SCC)
-metadata:
- name: twistlock-console
- namespace: {{ .Release.Namespace }}
----
-kind: PersistentVolumeClaim
-apiVersion: v1
-metadata:
- name: twistlock-console
- namespace: {{ .Release.Namespace }}
-spec:
- accessModes:
- - {{ .Values.console.persistence.accessMode }}
- resources:
- requests:
- storage: {{ .Values.console.persistence.size }}
----
-
----
-
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: twistlock-console
- namespace: {{ .Release.Namespace }}
- labels:
- name: twistlock-console
-spec:
- replicas: 1
- selector:
- matchLabels:
- name: twistlock-console
- strategy:
- type: Recreate
- template:
- metadata:
- name: twistlock-console
- namespace: {{ .Release.Namespace }}
- labels:
- name: twistlock-console
- spec:
- restartPolicy: Always
- serviceAccountName: twistlock-console
- {{- with .Values.imagePullSecrets }}
- imagePullSecrets:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- containers:
- - name: twistlock-console
- image: {{ .Values.console.image.repository }}:{{ .Values.console.image.tag }}
- ports:
- - name: mgmt-https
- containerPort: 8083
- - name: communication
- containerPort: 8084
- - name: mgmt-http
- containerPort: 8081
- env:
- - name: HIGH_AVAILABILITY_ENABLED
- value: "false"
- - name: CONFIG_PATH
- value: /data/config/twistlock.cfg
- - name: LOG_PROD
- value: "true"
- - name: DATA_RECOVERY_ENABLED
- value: "true"
- - name: COMMUNICATION_PORT
- value: "8084"
- - name: MANAGEMENT_PORT_HTTPS
- value: "8083"
- - name: MANAGEMENT_PORT_HTTP
- value: "8081"
- securityContext:
- readOnlyRootFilesystem: true
- volumeMounts:
- - name: twistlock-config-volume
- mountPath: "/data/config/"
- - name: console-persistent-volume
- mountPath: "/var/lib/twistlock"
- subPath: "var/lib/twistlock"
- - name: console-persistent-volume
- mountPath: "/var/lib/twistlock-backup"
- subPath: "var/lib/twistlock-backup"
- - name: syslog-socket
- mountPath: "/dev/log"
- volumes:
- - name: console-persistent-volume
- persistentVolumeClaim:
- claimName: "twistlock-console"
- - name: twistlock-config-volume
- configMap:
- name: twistlock-console
- - name: syslog-socket
- hostPath:
- path: "/dev/log"
diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..d671f672edd67957a989ba3a6cc9ea0c5971229a
--- /dev/null
+++ b/chart/templates/deployment.yaml
@@ -0,0 +1,86 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: twistlock-console
+ namespace: {{ .Release.Namespace }}
+ labels:
+ name: twistlock-console
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ name: twistlock-console
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ name: twistlock-console
+ namespace: {{ .Release.Namespace }}
+ labels:
+ name: twistlock-console
+ spec:
+ restartPolicy: Always
+ serviceAccountName: twistlock-console
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if or .Values.antiAffinity .Values.nodeAffinity }}
+ affinity:
+ {{- with .Values.antiAffinity }}
+ podAntiAffinity:
+ {{ toYaml . | nindent 10 }}
+ {{- end }}
+ {{- with .Values.nodeAffinity }}
+ nodeAffinity:
+ {{ toYaml . | nindent 10 }}
+ {{- end }}
+ {{- end }}
+ containers:
+ - name: twistlock-console
+ image: {{ .Values.console.image.repository }}:{{ .Values.console.image.tag }}
+ ports:
+ - name: mgmt-https
+ containerPort: 8083
+ - name: communication
+ containerPort: 8084
+ - name: mgmt-http
+ containerPort: 8081
+ env:
+ - name: HIGH_AVAILABILITY_ENABLED
+ value: "false"
+ - name: CONFIG_PATH
+ value: /data/config/twistlock.cfg
+ - name: LOG_PROD
+ value: "true"
+ - name: DATA_RECOVERY_ENABLED
+ value: "true"
+ - name: COMMUNICATION_PORT
+ value: "8084"
+ - name: MANAGEMENT_PORT_HTTPS
+ value: "8083"
+ - name: MANAGEMENT_PORT_HTTP
+ value: "8081"
+ securityContext:
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ - name: twistlock-config-volume
+ mountPath: "/data/config/"
+ - name: console-persistent-volume
+ mountPath: "/var/lib/twistlock"
+ subPath: "var/lib/twistlock"
+ - name: console-persistent-volume
+ mountPath: "/var/lib/twistlock-backup"
+ subPath: "var/lib/twistlock-backup"
+ - name: syslog-socket
+ mountPath: "/dev/log"
+ volumes:
+ - name: console-persistent-volume
+ persistentVolumeClaim:
+ claimName: "twistlock-console"
+ - name: twistlock-config-volume
+ configMap:
+ name: twistlock-console
+ - name: syslog-socket
+ hostPath:
+ path: "/dev/log"
diff --git a/chart/templates/pvc.yaml b/chart/templates/pvc.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..28e7f078ed544081bec558e3caf70c8e8d697623
--- /dev/null
+++ b/chart/templates/pvc.yaml
@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: twistlock-console
+ namespace: {{ .Release.Namespace }}
+spec:
+ accessModes:
+ - {{ .Values.console.persistence.accessMode }}
+ resources:
+ requests:
+ storage: {{ .Values.console.persistence.size }}
diff --git a/chart/templates/service.yaml b/chart/templates/service.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..2e3391b92d474bf43cdba65942941c3fcad09109
--- /dev/null
+++ b/chart/templates/service.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ name: console
+ name: twistlock-console
+ namespace: {{ .Release.Namespace }}
+spec:
+ ports:
+ - name: communication-port
+ port: 8084
+ - name: management-port-https
+ port: 8083
+ - name: mgmt-http
+ port: 8081
+ selector:
+ name: twistlock-console
diff --git a/chart/templates/serviceaccount.yaml b/chart/templates/serviceaccount.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..4b0cd7742783bec92c8b7e105d467dccb93db84e
--- /dev/null
+++ b/chart/templates/serviceaccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount # Service Account is used for managing security context constraints policies in Openshift (SCC)
+metadata:
+ name: twistlock-console
+ namespace: {{ .Release.Namespace }}
diff --git a/chart/values.yaml b/chart/values.yaml
index db55f169647e5a26e35fbef7e560b1415d39061b..61e8a858d48c7e1293d0e1902396354dfd21fabe 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
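Review bot: The container securityContext near the end of this new Deployment sets only `readOnlyRootFilesystem: true`, while the same pod mounts the node's `/dev/log` through a `hostPath` volume; the moved manifest is the natural place to add the rest of the restricted-profile baseline — `allowPrivilegeEscalation: false`, `capabilities: {drop: ["ALL"]}` and, if the console image runs as a non-root UID, `runAsNonRoot: true` — and to gate the syslog hostPath mount behind a value, since hostPath volumes are rejected under restricted PodSecurity admission and SCCs. The affinity block also renders `{{ toYaml . | nindent 10 }}` without the left-trim dash used on the `imagePullSecrets` line, so each branch emits a whitespace-only line ahead of the block; `{{- toYaml . | nindent 10 }}` keeps the output tidy and matches the existing style. The Deployment body is moved rather than written here, so the hardening gaps predate the split, but this file is now where they would be fixed.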
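Review bot: The two templated scalars in this new PVC, `- {{ .Values.console.persistence.accessMode }}` and `storage: {{ .Values.console.persistence.size }}`, are rendered unquoted, so an empty or number-like override is typed by the YAML parser instead of passing through as a string; piping both through `| quote` keeps them strings regardless of what a values override supplies. A `storageClassName` passthrough alongside them would let operators pin the claim to a specific (for example encrypted or retained) class rather than the cluster default. The defaults in values.yaml are well-formed, so this is hardening against mistyped overrides rather than a rendering bug.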
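Review bot: The new ServiceAccount carries no `automountServiceAccountToken` setting, so every pod bound to it gets an API token mounted by default; the inline comment says the account exists to carry OpenShift SCC bindings, and if the console does not call the Kubernetes API itself, `automountServiceAccountToken: false` on the account (or on the pod spec) removes a credential the container has no use for. If the console does need API access, a comment naming that dependency next to the existing SCC remark would document why the token stays mounted.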
@@ -26,4 +26,20 @@ console: persistence: size: 100Gi - accessMode: ReadWriteOnce \ No newline at end of file + accessMode: ReadWriteOnce + +antiAffinity: {} + # requiredDuringSchedulingIgnoredDuringExecution: + # - topologyKey: "kubernetes.io/hostname" + # labelSelector: + # matchLabels: + # dont-schedule-with: twistlock + +nodeAffinity: {} + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: node-type + # operator: In + # values: + # - "twistlock" diff --git a/docs/AFFINITY.md b/docs/AFFINITY.md new file mode 100644 index 0000000000000000000000000000000000000000..f24af8de77913353f0e229a645f1c9dd71917157 --- /dev/null +++ b/docs/AFFINITY.md 
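Review bot: The new `antiAffinity` and `nodeAffinity` keys have no comment stating how they are consumed, and the commented examples disagree with the ones in `docs/AFFINITY.md` (here `node-type` is `"twistlock"`, the doc uses `operator` and speaks of "operator pods"), which will confuse a reader who starts from either file. A one-line comment above each key such as `# Rendered verbatim under spec.template.spec.affinity.podAntiAffinity of the console Deployment; see docs/AFFINITY.md` (and the `nodeAffinity` equivalent) pins down the expected shape, and aligning the doc example with the `"twistlock"` value used here keeps the two in step. The `{}` defaults are correct for the `{{- if or .Values.antiAffinity .Values.nodeAffinity }}` guard in the template, since an empty map is falsy in Go templates.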
@@ -0,0 +1,33 @@
+# Node Affinity & Anti-Affinity with Twistlock
+
+Affinity is exposed through values options for Twistlock. If you want to schedule your pods to deploy on specific nodes you can do that through the `nodeAffinity` value and as needed the `antiAffinity` value. Additional info is provided below as well to help in configuring this.
+
+It is good to have a basic knowledge of node affinity and available options to you before customizing in this way - the upstream kubernetes documentation [has a good walkthrough of this](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity).
+
+## Values for Affinity
+
+The `nodeAffinity` value at the top level for Twistlock should be used to specify affinity. The format to include follows what you'd specify at a pod/deployment level. See the example below for scheduling the operator pods only to nodes with the label `node-type` equal to `operator`:
+
+```yaml
+nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: node-type
+ operator: In
+ values:
+ - operator
+```
+
+## Values for Anti-Affinity
+
+The `antiAffinity` value at the top level for Twistlock can be set in the same way to schedule pods based on anti-affinity. See the below example to schedule Twistlock pods to not be present on the nodes that already have pods with the `dont-schedule-with: twistlock` label.
+
+```yaml
+antiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - topologyKey: "kubernetes.io/hostname"
+ labelSelector:
+ matchLabels:
+ dont-schedule-with: twistlock
+```