Merge branch 'affinity' into 'main'

Resolve "Twistlock - Add/Document Affinity"

Closes #4

See merge request !16

CHANGELOG.md

@@ -4,6 +4,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 ---
 
+## [0.0.3-bb.2] - 2021-03-31
+### Added
+- Values passthroughs for affinity and anti-affinity added
+### Changed
+- Split out resources into separate yaml files
+
 ## [0.0.3-bb.0] - 2021-02-12
 ### Added
 - Options under istio values to control labels, annotations, gateways and full URL modification for twistlock VirtualService.

chart/Chart.yaml

 apiVersion: v2
 name: twistlock
-version: 0.0.3-bb.1
+version: 0.0.3-bb.2
 appVersion: 20.12.531

chart/templates/twistlock_console.yaml → chart/templates/configmap.yaml

----
 apiVersion: v1
 kind: ConfigMap
 data:
@@ -6,119 +5,3 @@ data:
 metadata:
   name: twistlock-console
   namespace: {{ .Release.Namespace }}
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    name: console
-  name: twistlock-console
-  namespace: {{ .Release.Namespace }}
-spec:
-  ports:
-  - name: communication-port
-    port: 8084
-  - name: management-port-https
-    port: 8083
-  - name: mgmt-http
-    port: 8081
-  selector:
-    name: twistlock-console
----
-apiVersion: v1
-kind: ServiceAccount # Service Account is used for managing security context constraints policies in Openshift (SCC)
-metadata:
-  name: twistlock-console
-  namespace: {{ .Release.Namespace }}
----
-kind: PersistentVolumeClaim
-apiVersion: v1
-metadata:
-  name: twistlock-console
-  namespace: {{ .Release.Namespace }}
-spec:
-  accessModes:
-    - {{ .Values.console.persistence.accessMode }}
-  resources:
-    requests:
-      storage: {{ .Values.console.persistence.size }}
----
-
----
-
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: twistlock-console
-  namespace: {{ .Release.Namespace }}
-  labels:
-    name: twistlock-console
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      name: twistlock-console
-  strategy:
-    type: Recreate
-  template:
-    metadata:
-      name: twistlock-console
-      namespace: {{ .Release.Namespace }}
-      labels:
-        name: twistlock-console
-    spec:
-      restartPolicy: Always
-      serviceAccountName: twistlock-console
-      {{- with .Values.imagePullSecrets }}
-      imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      containers:
-      - name: twistlock-console
-        image: {{ .Values.console.image.repository }}:{{ .Values.console.image.tag }}
-        ports:
-        - name: mgmt-https
-          containerPort: 8083
-        - name: communication
-          containerPort: 8084
-        - name: mgmt-http
-          containerPort: 8081
-        env:
-        - name: HIGH_AVAILABILITY_ENABLED
-          value: "false"
-        - name: CONFIG_PATH
-          value: /data/config/twistlock.cfg
-        - name: LOG_PROD
-          value: "true"
-        - name: DATA_RECOVERY_ENABLED
-          value: "true"
-        - name: COMMUNICATION_PORT
-          value: "8084"
-        - name: MANAGEMENT_PORT_HTTPS
-          value: "8083"
-        - name: MANAGEMENT_PORT_HTTP
-          value: "8081"
-        securityContext:
-          readOnlyRootFilesystem: true
-        volumeMounts:
-        - name: twistlock-config-volume
-          mountPath: "/data/config/"
-        - name: console-persistent-volume
-          mountPath: "/var/lib/twistlock"
-          subPath: "var/lib/twistlock"
-        - name: console-persistent-volume
-          mountPath: "/var/lib/twistlock-backup"
-          subPath: "var/lib/twistlock-backup"
-        - name: syslog-socket
-          mountPath: "/dev/log"
-      volumes:
-      - name: console-persistent-volume
-        persistentVolumeClaim:
-          claimName: "twistlock-console"
-      - name: twistlock-config-volume
-        configMap:
-          name: twistlock-console
-      - name: syslog-socket
-        hostPath:
-          path: "/dev/log"

chart/templates/deployment.yaml

+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: twistlock-console
+  namespace: {{ .Release.Namespace }}
+  labels:
+    name: twistlock-console
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      name: twistlock-console
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      name: twistlock-console
+      namespace: {{ .Release.Namespace }}
+      labels:
+        name: twistlock-console
+    spec:
+      restartPolicy: Always
+      serviceAccountName: twistlock-console
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- if or .Values.antiAffinity .Values.nodeAffinity }}
+      affinity:
+        {{- with .Values.antiAffinity }}
+        podAntiAffinity:
+        {{ toYaml . | nindent 10 }}
+        {{- end }}
+        {{- with .Values.nodeAffinity }}
+        nodeAffinity:
+        {{ toYaml . | nindent 10 }}
+        {{- end }}
+      {{- end }}
+      containers:
+      - name: twistlock-console
+        image: {{ .Values.console.image.repository }}:{{ .Values.console.image.tag }}
+        ports:
+        - name: mgmt-https
+          containerPort: 8083
+        - name: communication
+          containerPort: 8084
+        - name: mgmt-http
+          containerPort: 8081
+        env:
+        - name: HIGH_AVAILABILITY_ENABLED
+          value: "false"
+        - name: CONFIG_PATH
+          value: /data/config/twistlock.cfg
+        - name: LOG_PROD
+          value: "true"
+        - name: DATA_RECOVERY_ENABLED
+          value: "true"
+        - name: COMMUNICATION_PORT
+          value: "8084"
+        - name: MANAGEMENT_PORT_HTTPS
+          value: "8083"
+        - name: MANAGEMENT_PORT_HTTP
+          value: "8081"
+        securityContext:
+          readOnlyRootFilesystem: true
+        volumeMounts:
+        - name: twistlock-config-volume
+          mountPath: "/data/config/"
+        - name: console-persistent-volume
+          mountPath: "/var/lib/twistlock"
+          subPath: "var/lib/twistlock"
+        - name: console-persistent-volume
+          mountPath: "/var/lib/twistlock-backup"
+          subPath: "var/lib/twistlock-backup"
+        - name: syslog-socket
+          mountPath: "/dev/log"
+      volumes:
+      - name: console-persistent-volume
+        persistentVolumeClaim:
+          claimName: "twistlock-console"
+      - name: twistlock-config-volume
+        configMap:
+          name: twistlock-console
+      - name: syslog-socket
+        hostPath:
+          path: "/dev/log"

chart/templates/pvc.yaml

+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: twistlock-console
+  namespace: {{ .Release.Namespace }}
+spec:
+  accessModes:
+    - {{ .Values.console.persistence.accessMode }}
+  resources:
+    requests:
+      storage: {{ .Values.console.persistence.size }}

chart/templates/service.yaml

+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    name: console
+  name: twistlock-console
+  namespace: {{ .Release.Namespace }}
+spec:
+  ports:
+  - name: communication-port
+    port: 8084
+  - name: management-port-https
+    port: 8083
+  - name: mgmt-http
+    port: 8081
+  selector:
+    name: twistlock-console

chart/templates/serviceaccount.yaml

+apiVersion: v1
+kind: ServiceAccount # Service Account is used for managing security context constraints policies in Openshift (SCC)
+metadata:
+  name: twistlock-console
+  namespace: {{ .Release.Namespace }}

chart/values.yaml

@@ -27,3 +27,19 @@ console:
   persistence:
     size: 100Gi
     accessMode: ReadWriteOnce
+
+antiAffinity: {}
+  # requiredDuringSchedulingIgnoredDuringExecution:
+  #   - topologyKey: "kubernetes.io/hostname"
+  #     labelSelector:
+  #       matchLabels:
+  #         dont-schedule-with: twistlock
+
+nodeAffinity: {}
+  # requiredDuringSchedulingIgnoredDuringExecution:
+  #   nodeSelectorTerms:
+  #   - matchExpressions:
+  #     - key: node-type
+  #       operator: In
+  #       values:
+  #       - "twistlock"

docs/AFFINITY.md

+# Node Affinity & Anti-Affinity with Twistlock
+
+Affinity is exposed through values options for Twistlock. If you want to schedule your pods to deploy on specific nodes you can do that through the `nodeAffinity` value and as needed the `antiAffinity` value. Additional info is provided below as well to help in configuring this.
+
+It is good to have a basic knowledge of node affinity and available options to you before customizing in this way - the upstream kubernetes documentation [has a good walkthrough of this](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity).
+
+## Values for Affinity
+
+The `nodeAffinity` value at the top level for Twistlock should be used to specify affinity. The format to include follows what you'd specify at a pod/deployment level. See the example below for scheduling the operator pods only to nodes with the label `node-type` equal to `operator`:
+
+```yaml
+nodeAffinity:
+  requiredDuringSchedulingIgnoredDuringExecution:
+    nodeSelectorTerms:
+    - matchExpressions:
+      - key: node-type
+        operator: In
+        values:
+        - operator
+```
+
+## Values for Anti-Affinity
+
+The `antiAffinity` value at the top level for Twistlock can be set in the same way to schedule pods based on anti-affinity. See the below example to schedule Twistlock pods to not be present on the nodes that already have pods with the `dont-schedule-with: twistlock` label.
+
+```yaml
+antiAffinity:
+  requiredDuringSchedulingIgnoredDuringExecution:
+    - topologyKey: "kubernetes.io/hostname"
+      labelSelector:
+        matchLabels:
+          dont-schedule-with: twistlock
+```