A lot of work on the workload library

Nikolai Rodionov 2024-05-19 18:56:41 +02:00
parent ac6751d3da
commit 19f22c18a1
Signed by: allanger
GPG Key ID: 0AA46A90E25592AD
40 changed files with 322 additions and 310 deletions


@ -1,3 +1,6 @@
# helm-library
# Softplayer helm library
A helm library for the chart maintained by Bad Houseplants
## About
...
## How to use?
...


@ -1,5 +1,5 @@
apiVersion: v2
name: softplayer-lib-testing
name: softplayer-lib-crd
description: A library to be reused accross softplayer charts
type: library
version: 0.1.0


@ -0,0 +1,16 @@
{{- define "lib.crds" -}}
{{- range $crd := .Values.crds }}
{{ $manifest := $.Files.Get (printf "files/%s.yaml" $crd.file) | fromYaml }}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
{{- include "lib.metadata" (dict "Context" $ "customName" $manifest.metadata.name )}}
spec:
group: {{ $manifest.spec.group }}
names:
{{ $manifest.spec.names | toYaml | indent 4 }}
scope: {{ $manifest.spec.scope }}
versions:
{{ $manifest.spec.versions | toYaml | indent 4 }}
{{- end }}
{{- end }}
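Review bot: A missing or unparsable file under `files/` is not caught before `$manifest.metadata.name` is dereferenced at the `lib.metadata` include. `.Files.Get` returns an empty string for an unknown path and `fromYaml` then yields an empty map (or a map carrying an `Error` key on a parse failure), so the render stops with a nil-pointer message that does not name the file. A guard right after the assignment, such as `{{- if or (not $manifest.metadata) (hasKey $manifest "Error") }}{{ fail (printf "files/%s.yaml is missing or invalid" $crd.file) }}{{- end }}`, would make the cause explicit. The spec is also rebuilt from only `group`, `names`, `scope` and `versions`, so any other top-level spec field in the source manifest (`conversion`, for instance) is dropped without notice; a comment stating that this is intended would help.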


@ -49,15 +49,3 @@ Selector labels
app.kubernetes.io/name: {{ include "chart.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "chart.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "chart.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}


@ -1,20 +0,0 @@
{{- define "lib.env" -}}
{{- range $k, $v := .Values.env }}
{{- $customName := printf "%s-%s" (include "chart.fullname" $) $k }}
---
apiVersion: v1
{{- if not $v.sensitive }}
kind: ConfigMap
{{- include "lib.metadata" (dict "Context" $ "customName" $customName)}}
data:
{{- else }}
kind: Secret
{{- include "lib.metadata" (dict "Context" $ "customName" $customName)}}
stringData:
{{- end }}
{{- with $v.data }}
{{ toYaml . | indent 2}}
{{- end }}
{{- end }}
{{- end -}}


@ -1,11 +0,0 @@
{{- define "lib.deployment" -}}
# ---------------------------------------------------------------------
# The deployment is build withing the helm library
# please check the lib/tempaltes/deployment/base
# ---------------------------------------------------------------------
apiVersion: apps/v1
kind: Deployment
{{- include "lib.metadata" (dict "Context" . "customName" "")}}
{{- include "deployment.spec" . }}
{{- end -}}


@ -1,61 +0,0 @@
{{/*
This is a builder for deployments
*/}}
{{- define "deployment.spec" }}
spec:
replicas: {{ .Values.workload.replicas }}
selector:
matchLabels:
{{ include "metadata.selectorLabels" . | indent 6 }}
template:
metadata:
labels:
{{ include "metadata.labels" . | indent 8 }}
spec:
{{ include "lib.securityContext" . | indent 6 }}
{{- if or .Values.storage .Values.extraVolumes }}
volumes:
{{- if .Values.storage }}
{{- range $k, $v := .Values.storage }}
- name: {{ $k }}
persistentVolumeClaim:
claimName: {{ include "chart.fullname" $ }}-data
{{- end }}
{{- end }}
{{- end }}
containers:
{{- range $k,$v := .Values.workload.containers }}
- name: {{ $k }}
{{ include "lib.containerSecurityContext" . | indent 8 }}
image: {{ index $.Chart.Annotations "helm.badhouseplants.net/registry" }}:{{ $.Chart.AppVersion }}
{{- with $v.ports }}
ports:
{{- range $p := $v.ports}}
- containerPort: {{ index (index $.Values.service.ports $p) "targetPort" }}
{{- if $v.envFrom }}
envFrom:
{{- range $k := $v.envFrom }}
{{- if kindIs "string" $k }}
{{- if (index $.Values.env $k) }}
{{- if (index $.Values.env $k).sensitive }}
- secretRef:
{{- else }}
- configMapRef:
{{- end }}
name: {{ printf "%s-%s" (include "chart.fullname" $) $k }}
{{- end }}
{{- else }}
{{- range $k, $v := $k }}
- {{ $k }}:
{{ toYaml $v | indent 14 }}
{{- end }}
{{- end -}}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}


@ -1,3 +0,0 @@
{{- define "lib.notes" -}}
{{ include "helpers.allowed_workloads" . }}
{{- end }}


@ -1,18 +0,0 @@
{{- define "lib.pvc" -}}
{{- range $k, $v := .Values.storage }}
{{- $customName := printf "%s-%s" (include "chart.fullname" $) $k }}
---
apiVersion: v1
kind: PersistentVolumeClaim
{{- include "lib.metadata" (dict "Context" $ "customName" $customName)}}
spec:
{{- with $v.accessModes }}
accessModes:
{{ toYaml . | indent 4}}
{{- end }}
resources:
requests:
storage: {{ $v.size }}
storageClassName: {{ $v.storageClassName }}
{{- end }}
{{- end -}}


@ -1,29 +0,0 @@
{{- define "lib.securityContext" -}}
{{- if not .Values.workload.securityContext -}}
# ---------------------------------------------------------------------
# Using the default security context, if it doesn't work for you,
# please update `.Values.workload.securityContext`
# ---------------------------------------------------------------------
securityContext:
runAsUser: 1000
runAsGroup: 3000
fsGroup: 2000
{{- else -}}
{{- with .Values.workload.securityContext -}}
securityContext:
{{ toYaml . | indent 2 }}
{{- end }}
{{- end -}}
{{- end -}}
{{- define "lib.containerSecurityContext" -}}
securityContext:
{{- if not .securityContext }}
runAsUser: 2000
allowPrivilegeEscalation: false
{{- else }}
{{- with .securityContext }}
{{ toYaml . | indent 2 }}
{{- end }}
{{- end -}}
{{- end -}}


@ -1,12 +0,0 @@
{{- define "helpers.allowed_workloads" -}}
{{ index .Chart.Annotations "helm.badhouseplants.net/allowed_workload_kinds" }}
{{- end -}}
{{- define "lib.workload" -}}
---
{{ if eq .Values.workload.kind "Deployment" -}}
{{- if contains .Values.workload.kind (include "helpers.allowed_workloads" .) }}
{{- include "lib.deployment" . }}
{{- end }}
{{- end }}
{{- end }}


@ -1,97 +0,0 @@
{{/*
This is a builder for deployments
*/}}
{{- define "deployment.spec" }}
spec:
replicas: {{ .Values.workload.replicas }}
selector:
matchLabels:
{{ include "metadata.selectorLabels" . | indent 6 }}
template:
metadata:
labels:
{{ include "metadata.labels" . | indent 8 }}
spec:
{{/* Prepare the securityContext for the pod */}}
{{- include "lib.securityContext" . | indent 6 -}}
{{/* Add all the volues to pod */}}
{{- if or ( or .Values.storage .Values.extraVolumes) .Values.files }}
volumes:
{{- if .Values.storage }}
{{- range $k, $v := .Values.storage }}
- name: {{ $k }}-storage
persistentVolumeClaim:
claimName: " {{- printf "%s-%s" (include "chart.fullname" $) $k }}"
{{- end }}
{{- end }}
{{- if .Values.files }}-file
{{- range $k, $v := .Values.files }}
- name: {{ $k }}
{{- if $v.sensitive }}
secret:
defaultMode: 420
secretName: " {{- printf "%s-%s" (include "chart.fullname" $) $k }}"
{{- else }}
configMap:
name: "{{- printf "%s-%s" (include "chart.fullname" $) $k }}"
{{- end }}
{{- end }}
{{- end }}
{{- end -}}
{{/* Define containers */}}
containers:
{{- range $k,$v := .Values.workload.containers }}
- name: {{ $k }}
{{/* Prepare the securityContext for the container */}}
{{- include "lib.containerSecurityContext" . | indent 8 -}}
{{/* Image fron chart's annotations */}}
image: {{ index $.Chart.Annotations "helm.badhouseplants.net/registry" }}:{{ $.Chart.AppVersion }}
{{- with $v.command }}
command:
{{. | toYaml | indent 10 }}
{{- end -}}
{{- with $v.args }}
args:
{{. | toYaml | indent 10 }}
{{- end -}}
{{- if $v.mounts }}
mounts:
{{- range $k ,$v := range $v.mounts }}
{{- if $k == "storage" }}
name: {{ $k }}-storage
{{- end }}
{{- end }}
volumeMounts:
{{/* Ports */}}
{{- with $v.ports }}
ports:
{{- range $p := $v.ports}}
- containerPort: {{ index (index $.Values.service.ports $p) "targetPort" }}
{{/* If env should be set from a Configmap/Secret */}}
{{- if $v.envFrom }}
envFrom:
{{- range $k := $v.envFrom }}
{{/* If envFrom entry is a string, then refer to the env created by the library */}}
{{- if kindIs "string" $k }}
{{- if (index $.Values.env $k) }}
{{- if (index $.Values.env $k).sensitive }}
- secretRef:
{{- else }}
- configMapRef:
{{- end }}
name: {{ printf "%s-%s" (include "chart.fullname" $) $k }}
{{- end }}
{{/* Otherwise try to add references directly (if Secrets/ConfigMaps are not managed by the chart) */}}
{{- else }}
{{- range $k, $v := $k }}
- {{ $k }}:
{{ toYaml $v | indent 14 }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}


@ -1,34 +0,0 @@
{{- define "lib.securityContext" -}}
{{- if not .Values.workload.securityContext -}}
# ---------------------------------------------------------------------
# Using the default security context, if it doesn't work for you,
# please update `.Values.workload.securityContext`
# ---------------------------------------------------------------------
securityContext:
runAsUser: 1000
runAsGroup: 3000
fsGroup: 2000
seccompProfile:
type: RuntimeDefault
{{- else -}}
{{- with .Values.workload.securityContext -}}
securityContext:
{{ toYaml . | indent 2 }}
{{- end }}
{{- end -}}
{{- end -}}
{{- define "lib.containerSecurityContext" -}}
securityContext:
{{- if not .securityContext }}
runAsUser: 2000
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
{{- else }}
{{- with .securityContext }}
{{ toYaml . | indent 2 }}
{{- end }}
{{- end -}}
{{- end -}}


@ -1,5 +1,5 @@
apiVersion: v2
name: softplayer-lib-workload-testing
name: softplayer-lib-workload
description: A library to be reused accross softplayer charts
type: library
version: 0.1.0


@ -1,5 +1,5 @@
{{- define "helpers.allowed_workloads" -}}
{{ index .Chart.Annotations "helm.badhouseplants.net/allowed_workload_kinds" }}
{{ index .Chart.Annotations "allowed_workload_kinds" }}
{{- end -}}
{{- define "lib.workload" -}}
@ -10,3 +10,4 @@
{{- end }}
{{- end }}
{{- end }}
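Review bot: The lookup `index .Chart.Annotations "allowed_workload_kinds"` yields an empty string when a consuming chart has not been migrated to the new un-prefixed key, and nothing in the visible lines reports that. If `lib.workload` (its body lies between the two hunks and is not shown) still gates on this value, the workload would silently not render. Wrapping the lookup in `required`, e.g. `{{ required "chart annotation allowed_workload_kinds is missing" (index .Chart.Annotations "allowed_workload_kinds") }}`, turns that into a render-time error. The registry annotation read in `lib.notes` keeps the `helm.badhouseplants.net/` prefix, so the two keys now follow different conventions.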


@ -0,0 +1,13 @@
{{- define "lib.traefik.ingress_route_tcp" -}}
{{- range $k, $v := .Values.traefik.tcpRoutes }}
{{- $customName := printf "%s-%s" (include "chart.fullname" $) $k }}
---
{{- if .Capabilities.APIVersions.Has "traefik.io/v1alpha1/IngressRouteTCP" }}
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
{{- include "lib.metadata" (dict "Context" $ "customName" $customName)}}
spec:
{{ tpl ($v | toYaml | indent 2 | toString) $ }}
{{- end }}
{{- end }}
{{- end -}}
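Review bot: Inside the `range`, `.` is rebound to the current route (`$v`), so `.Capabilities.APIVersions.Has` on the `if` line does not reach the root context and will most likely abort rendering with a nil-pointer error; it should read `{{- if $.Capabilities.APIVersions.Has "traefik.io/v1alpha1/IngressRouteTCP" }}`. The `---` separator is emitted before that check, so it would be cleaner to move it inside the `if`. Both points apply equally to `lib.traefik.ingress_route_udp`. Because each route spec is passed through `tpl`, any template expression in `.Values.traefik.tcpRoutes` is evaluated with the root context; a comment saying that these values are expected to be trusted chart input would document that.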


@ -0,0 +1,13 @@
{{- define "lib.traefik.ingress_route_udp" -}}
{{- range $k, $v := .Values.traefik.udpRoutes }}
{{- $customName := printf "%s-%s" (include "chart.fullname" $) $k }}
---
{{- if .Capabilities.APIVersions.Has "traefik.io/v1alpha1/IngressRouteUDP" }}
apiVersion: traefik.io/v1alpha1
kind: IngressRouteUDP
{{- include "lib.metadata" (dict "Context" $ "customName" $customName)}}
spec:
{{ tpl ($v | toYaml | indent 2 | toString) $ }}
{{- end }}
{{- end }}
{{- end -}}


@ -0,0 +1,117 @@
{{- define "helper.deployment.containers" -}} {{- /* (define) */ -}}
{{- if not .Values.workload.containers -}} {{- /* (1) */ -}}
{{ fail ".Values.workload.containers can not be empty (heler.deployment.containers)" }}
{{- end -}} {{- /* /(1) */ -}}
containers:
{{- range $k,$v := .Values.workload.containers }} {{- /* (1) */}}
- name: {{ $k }}
{{- include "helper.workload.containerSecurityContext" . | nindent 4 -}}
{{- include "helper.workload.image" (dict "Chart" $.Chart "Image" .image) | indent 4 -}}
{{- include "helper.container.command" $v | nindent 4 -}}
{{- include "helper.container.args" $v | nindent 4 -}}
{{- include "helper.container.ports" (dict "Context" $ "Container" $v) | nindent 4 -}}
{{- include "helper.container.volumeMounts" $v | nindent 4 -}}
{{- include "helper.container.envFrom" (dict "Context" $ "Container" $v) | nindent 4 -}}
{{- end }} {{- /* /(1) */}}
{{- end -}} {{- /* /(define) */ -}}
{{- define "helper.deployment.initContainers" -}} {{- /* (define) */ -}}
{{- if .Values.workload.initContainers -}} {{- /* (1) */ -}}
initContainers:
{{- range $k,$v := .Values.workload.initContainers }} {{- /* (2) */}}
- name: {{ $k }}
{{- include "helper.workload.containerSecurityContext" . | nindent 4 -}}
{{- include "helper.workload.image" (dict "Chart" $.Chart "Image" .image) | indent 4 -}}
{{- include "helper.container.command" $v | nindent 4 -}}
{{- include "helper.container.args" $v | nindent 4 -}}
{{- include "helper.container.ports" (dict "Context" $ "Container" $v) | nindent 4 -}}
{{- include "helper.container.volumeMounts" $v | nindent 4 -}}
{{- include "helper.container.envFrom" (dict "Context" $ "Container" $v) | nindent 4 -}}
{{- end }} {{- /* /(1) */}}
{{- end -}} {{- /* /(2) */ -}}
{{- end -}} {{- /* /(define) */ -}}
{{- define "helper.deployment.container" -}} {{- /* (define) */ -}}
{{- end -}} {{- /* /(define) */ -}}
{{- define "helper.container.command" -}} {{- /* (define) */ -}}
{{- with .command }} {{- /* (1) */ -}}
command:
{{ . | toYaml | indent 2 }}
{{- end -}} {{- /* /(1) */ -}}
{{- end -}} {{- /* /(define) */ -}}
{{- define "helper.container.args" -}} {{- /* (define) */ -}}
{{- with .args }} {{- /* (1) */ -}}
args:
{{ . | toYaml | indent 2 }}
{{- end -}} {{- /* /(1) */ -}}
{{- end -}} {{- /* /(define) */ -}}
{{- define "helper.container.ports" -}} {{- /* (define) */ -}}
{{- if .Container.ports -}} {{- /* (1) */ -}}
ports:
{{- range $p := .Container.ports -}} {{- /* (2) */ -}}
{{- if kindIs "string" $p }} {{- /* (3) */}}
- containerPort: {{ index (index $.Context.Values.service.ports $p) "targetPort" }}
protocol: {{ index (index $.Context.Values.service.ports $p) "protocol" }}
{{- else }}
{{ print "-" | indent 2 | -}}
{{ $p | toYaml | nindent 4 -}}
{{- end -}} {{- /* /(3) */ -}}
{{- end -}} {{- /* /(2) */ -}}
{{- end -}} {{- /* /(1) */ -}}
{{- end -}} {{- /* /(define) */ -}}
{{- define "helper.container.volumeMounts" -}} {{- /* (define) */ -}}
{{- if .mounts -}} {{- /* (1) */ -}}
volumeMounts:
{{- range $mountKind, $mountData := .mounts }} {{- /* (2) */}}
{{- if eq $mountKind "storage" }} {{- /* (3) */}}
{{- range $mountName, $mountEntry := $mountData }} {{- /* (4) */}}
- name: {{ printf "%s-storage" $mountName }}
mountPath: {{ $mountEntry.path }}
{{- end }} {{- /* /(4) */}}
{{- end }} {{- /* /(3) */}}
{{- if eq $mountKind "files" }} {{- /* (3) */}}
{{- range $mountName, $mountEntry := $mountData }} {{- /* (4) */}}
- name: {{ printf "%s-file" $mountName }}
mountPath: {{ $mountEntry.path }}
{{- end }} {{- /* /(4) */}}
{{- end }} {{- /* /(3) */}}
{{- if eq $mountKind "extraVolumes" }} {{- /* (3) */}}
{{- range $mountName, $mountEntry := $mountData }} {{- /* (4) */}}
- name: {{ printf "%s-extra" $mountName }}
mountPath: {{ $mountEntry.path }}
{{- end }} {{- /* /(4) */}}
{{- end }} {{- /* /(3) */}}
{{- end }} {{- /* /(2) */}}
{{- end }} {{- /* /(1) */}}
{{- end -}} {{- /* /(define) */ -}}
{{- define "helper.container.envFrom" -}} {{- /* (define) */ -}}
{{/* If env should be set from a Configmap/Secret */}}
{{- if .Container.envFrom }} {{- /* (1) */}}
envFrom:
{{- range $k := .Container.envFrom -}} {{- /* (2) */ -}}
{{/* If envFrom entry is a string, then refer to the env created by the library */}}
{{- if kindIs "string" $k -}} {{- /* (3) */ -}}
{{- if (index $.Context.Values.env $k) -}} {{- /* (4) */ -}}
{{- if (index $.Context.Values.env $k).sensitive }} {{- /* (5) */}}
- secretRef:
{{- else }}
- configMapRef:
{{- end }} {{- /* /(5) */}}
name: {{- printf " %s-%s" (include "chart.fullname" $.Context) $k -}}
{{- end -}} {{- /* /(4) */}}
{{- /* Otherwise try to add references directly (if Secrets/ConfigMaps are not managed by the chart) */ -}}
{{- else -}}
{{- range $k, $v := $k }} {{- /* (5) */}}
- {{ $k }}:
{{ toYaml $v | indent 14 }}
{{- end -}} {{- /* /(4) */ -}}
{{- end -}} {{- /* /(3) */ -}}
{{- end -}} {{- /* /(2) */ -}}
{{- end -}} {{- /* /(1) */ -}}
{{- end -}} {{- /* /(define) */ -}}
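Review bot: `helper.container.ports` resolves string port names through `$.Context.Values.service.ports`, while the service template in this same commit now iterates `.Values.services` (one entry per service); unless values keep a separate `service` key, the two `index` calls will fail or resolve nothing. The lookup needs to know which service a port belongs to, or the port should be given inline. In `helper.container.envFrom`, a string entry with no match in `.Values.env` is skipped silently, so a container can start without the Secret or ConfigMap it was meant to load; an `else` branch with `{{ fail (printf "envFrom entry %q is not defined in .Values.env" $k) }}` would surface that. The `fail` message at the top spells the helper name as `heler.deployment.containers`.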


@ -0,0 +1,29 @@
{{/*
This is a builder for deployments
*/}}
{{- define "deployment.spec" }} {{- /* (define) */}}
# ---------------------------------------------------------------------
# The spec is build within the helm library
# please check the lib/templates/deployment/spec
# ---------------------------------------------------------------------
spec:
replicas: {{ .Values.workload.replicas | default 1}}
selector:
matchLabels:
{{ include "metadata.selectorLabels" . | indent 6 }}
{{ include "lib.deployment.template" . | indent 2 }}
{{- end -}}
{{- define "lib.deployment.template" -}} {{- /* (define) */ -}}
template:
metadata:
labels:
{{- include "metadata.labels" . | nindent 6 }}
spec:
{{- include "helper.workload.securityContext" . | nindent 4 -}}
{{- include "helper.deployment.volumes" . | nindent 4 }}
{{- include "helper.deployment.containers" . | nindent 4 }}
{{- include "helper.deployment.initContainers" . | nindent 4 }}
{{- end -}} {{- /* /(define) */ -}}
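Review bot: `replicas: {{ .Values.workload.replicas | default 1}}` cannot express zero replicas, because `default` treats `0` as empty and substitutes `1`. Scaling a release down to zero through values would therefore be ignored without any message. Testing for the key instead keeps the default without swallowing zero: `replicas: {{ if hasKey .Values.workload "replicas" }}{{ .Values.workload.replicas }}{{ else }}1{{ end }}`.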


@ -0,0 +1,32 @@
{{- define "helper.deployment.volumes" -}} {{- /* (define) */ -}}
{{- if or ( or .Values.storage .Values.extraVolumes) .Values.files }} {{- /* (1)*/}}
volumes:
{{- /* If storage is defined, mount the pvc */ -}}
{{- if .Values.storage }} {{- /* (2) */}}
{{- range $k, $v := .Values.storage }} {{- /* (3) */}}
- name: {{ $k }}-storage
persistentVolumeClaim:
claimName: " {{- printf "%s-%s" (include "chart.fullname" $) $k }}"
{{- end }} {{- /* /(3) */}}
{{- end }} {{- /* /(2) */}}
{{- if .Values.extraVolumes}} {{- /* (2) */}}
{{- range $k, $v := .Values.extraVolumes}} {{- /* (3) */}}
- name: {{ $k }}-extra
{{- $v | toYaml | nindent 4 }}
{{- end }} {{- /* /(3) */}}
{{- end }} {{- /* /(2) */}}
{{- if .Values.files }} {{- /* (2) */}}
{{- range $k, $v := .Values.files }} {{- /* (3) */}}
- name: {{ $k }}-file
{{- if $v.sensitive }} {{- /* (4) */}}
secret:
defaultMode: 420
secretName: "{{ printf "%s-%s" (include "chart.fullname" $) $k }}"
{{- else }}
configMap:
name: "{{- printf "%s-%s" (include "chart.fullname" $) $k }}"
{{- end }} {{- /* /(4) */}}
{{- end }} {{- /* /(3) */}}
{{- end }} {{- /* /(2) */}}
{{- end -}} {{- /* /(1)*/ -}}
{{- end -}} {{- /* /(define) */ -}}
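Review bot: The Secret-backed volume sets `defaultMode: 420`, which is octal 0644, so every mounted secret file is readable by any user inside the container. When the library's default pod `securityContext` (which sets an `fsGroup`) is in effect, a group-readable mode should be enough for the container user. Consider `defaultMode: {{ $v.defaultMode | default 288 }}` (0440) so the tighter mode is the default and charts can still override it. A short comment giving the octal value next to the decimal would also help readers.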


@ -0,0 +1,8 @@
{{- define "lib.notes" -}}
*** Release metadata ***
Chart: {{ .Chart.Name }}
Chart version: {{ .Chart.Version }}
App version: {{ .Chart.Version }}
Image: {{ index $.Chart.Annotations "helm.badhouseplants.net/registry" }}
Release name: {{ .Release.Name }}
{{- end }}
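Review bot: The `App version:` line prints `.Chart.Version`, the same value as the line above it; it should be `App version: {{ .Chart.AppVersion }}`. The `Image:` line shows only the registry annotation, whereas the image rendered by `helper.workload.image` is built from each container's `.image` values, so the note may not match what is actually deployed.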


@ -18,6 +18,8 @@ spec:
resources:
requests:
storage: {{ $v.size }}
{{- if ne $v.storageClassName "default" }}
storageClassName: {{ $v.storageClassName }}
{{- end }}
{{- end }}
{{- end -}}
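Review bot: Using the literal string `"default"` as the marker for "omit storageClassName" collides with a StorageClass that is really named `default`, and when the value is unset the `ne` test appears to still pass and render an empty `storageClassName:`. `{{- with $v.storageClassName }}` followed by `storageClassName: {{ . | quote }}` omits the field whenever no class is given and needs no sentinel. The enclosing definition starts above this hunk, so this is based on the visible lines only.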


@ -1,25 +1,31 @@
{{- define "lib.service" }}
{{- define "lib.services" }}
{{- range $k, $v := .Values.services }}
{{- $customName := printf "%s-%s" (include "chart.fullname" $) $k }}
---
# ---------------------------------------------------------------------
# This service is created as a part of badhouseplants helm library
# This service is created as a part of softplayer helm library
# please see /lib/tempaltes/service/_service.tpl
# ---------------------------------------------------------------------
apiVersion: v1
kind: Service
{{- include "lib.metadata" (dict "Context" . "customName" "")}}
{{- include "lib.metadata" (dict "Context" $ "customName" $customName)}}
spec:
{{- if (.Values.service).type }}
type: {{ .Values.service.type }}
{{- if ($v).type }}
type: {{ $v.type }}
{{- else }}
type: ClusterIP
{{- end }}
selector:
{{ include "metadata.selectorLabels" . | indent 4}}
{{ include "metadata.selectorLabels" $ | indent 4}}
ports:
{{- range $k,$v := .Values.service.ports }}
{{- range $k,$v := $v.ports }}
- name: {{ $k }}
port: {{ $v.port }}
targetPort: {{ $v.targetPort}}
protocol: {{ $v.protocol}}
{{- end }}
{{- end }}
{{- end -}}
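Review bot: The inner `range $k,$v := $v.ports` reuses the names of the outer loop variables, which works but makes it hard to tell which `$v` a line refers to; distinct names such as `{{- range $portName, $port := $v.ports }}` would read more clearly. `protocol: {{ $v.protocol}}` renders an empty value when a port omits the protocol, and `{{ $port.protocol | default "TCP" }}` would keep the manifest explicit. The header comment still points to `/lib/tempaltes/service/_service.tpl`, which looks like a misspelling of `templates`.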


@ -0,0 +1,33 @@
# ---------------------------------------------------------------------
# Main workload helpers
# ---------------------------------------------------------------------
{{/*
Prepare a tag for the container image
Example:
{{ include "helper.workload.tag" (dict "AppVersion" $.Chart.AppVersion "Tag" .Image.tag) }}
*/}}
{{- define "helper.workload.tag" -}} {{/* (define) */}}
{{- if or .Tag .AppVersion -}} {{/* (1) */}}
{{- if .Tag -}} {{/* (2) */}}
{{- .Tag -}}
{{- else -}}
{{- .AppVersion -}}
{{- end -}} {{/* /(2) */}}
{{- else -}}
{{ fail ".Tag or .AppVersion must be passed to this helper (helper.workload.tag)"}}
{{- end -}} {{/* /(1) */}}
{{- end -}} {{/* /(define) */}}
{{/*
Prepare the image name for the container
Example:
{{ include "helper.workload.image" (dict "Chart" $.Chart "Image" .image) }}
*/}}
{{- define "helper.workload.image" -}} {{/* (define) */}}
{{- if and .Chart .Image -}} {{/* (1) */}}
image: {{ printf "%s/%s:%s" .Image.registry .Image.repository (include "helper.workload.tag" (dict "AppVersion" $.Chart.AppVersion "Tag" .Image.tag)) }}
imagePullPolicy: {{ .Image.pullPolicy | default "Always" }}
{{- else -}}
{{ fail ".Chart and .Image must be passed to this helper (helper.workload.image)"}}
{{- end -}} {{/* /(1) */}}
{{- end -}} {{/* /(define) */}}
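Review bot: `helper.workload.image` only checks that `.Chart` and `.Image` are present, so a container without `image.registry` or `image.repository` renders an image string containing `%!s(<nil>)` instead of failing. Wrapping both in `required`, e.g. `(required "image.repository must be set" .Image.repository)`, stops that at render time. The helper also has no way to pin an image by digest; accepting an optional `.Image.digest` and emitting `repository@<digest>` when it is set would let charts deploy immutable references.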


@ -0,0 +1,36 @@
{{/* Build a pod security context */}}
{{- define "helper.workload.securityContext" -}} {{- /* (define) */ -}}
{{- if not .Values.workload.securityContext -}} {{- /* (1) */ -}}
# ---------------------------------------------------------------------
# Using the default security context, if it doesn't work for you,
# please update `.Values.workload.securityContext`
# ---------------------------------------------------------------------
securityContext:
runAsUser: 1000
runAsGroup: 3000
fsGroup: 2000
seccompProfile:
type: RuntimeDefault
{{- else -}}
{{- with .Values.workload.securityContext -}} {{- /* (2) */ -}}
securityContext:
{{ toYaml . | indent 2 }}
{{- end }} {{- /* /(2) */}}
{{- end -}} {{- /* /(1) */ -}}
{{- end -}} {{- /* /(define) */ -}}
{{/* Build a container security context */}}
{{- define "helper.workload.containerSecurityContext" -}} {{- /* (define) */ -}}
securityContext:
{{- if not .securityContext }} {{- /* (1) */}}
runAsUser: 2000
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
{{- else }}
{{- with .securityContext }} {{- /* (2) */}}
{{ toYaml . | indent 2 }}
{{- end }} {{- /* /(2) */}}
{{- end -}} {{- /* /(1) */ -}}
{{- end -}} {{- /* /(define) */ -}}
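Review bot: Both helpers treat a user-supplied `securityContext` as a full replacement, so a chart that sets a single key (say `runAsUser`) silently loses `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]` and, at pod level, `seccompProfile: RuntimeDefault`. Merging the supplied map over the defaults would keep the hardening unless a key is overridden on purpose. Sprig's `mergeOverwrite` on a `dict` of the defaults is one way, with the caveat that its handling of `false` and `0` overrides should be tested. The defaults could also carry `runAsNonRoot: true`, and a comment in each helper should state whichever semantics (replace or merge) is intended.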