Skip to content

Commit

Permalink
Expose the deployment strategy values for the policy controller
Browse files Browse the repository at this point in the history
Prior to this change, the policy controller webhook was not able to have
its deployment strategy modified. If you only deployed a single replica,
it could not perform a rolling update due to the default `maxSurge:
25%` being rounded down to 0.

This change exposes those values, so that the `maxSurge` can be updated
and a single instance can be rolled.

Fixes #748.

Signed-off-by: Alex Shearn <[email protected]>
  • Loading branch information
shearn89 committed Oct 10, 2024
1 parent f9584c8 commit 5d739b5
Show file tree
Hide file tree
Showing 3 changed files with 68 additions and 0 deletions.
54 changes: 54 additions & 0 deletions charts/policy-controller/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,60 @@ The Helm chart for Policy Controller

* <https://github.com/sigstore/policy-controller>

## Values

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| commonAnnotations | object | `{}` | |
| commonNodeSelector | object | `{}` | |
| commonTolerations | list | `[]` | |
| cosign.cosignPub | string | `""` | |
| cosign.webhookName | string | `"policy.sigstore.dev"` | |
| imagePullSecrets | list | `[]` | |
| installCRDs | bool | `true` | |
| leasescleanup.image.pullPolicy | string | `"IfNotPresent"` | |
| leasescleanup.image.repository | string | `"cgr.dev/chainguard/kubectl"` | |
| leasescleanup.image.version | string | `"latest-dev"` | |
| loglevel | string | `"info"` | |
| serviceMonitor.enabled | bool | `false` | |
| webhook.configData | object | `{}` | |
| webhook.customLabels | object | `{}` | |
| webhook.env | object | `{}` | |
| webhook.extraArgs | object | `{}` | |
| webhook.failurePolicy | string | `"Fail"` | |
| webhook.image.pullPolicy | string | `"IfNotPresent"` | |
| webhook.image.repository | string | `"ghcr.io/sigstore/policy-controller/policy-controller"` | |
| webhook.image.version | string | `"sha256:f291fce5b9c1a69ba54990eda7e0fe4114043b1afefb0f4ee3e6f84ec9ef1605"` | |
| webhook.name | string | `"webhook"` | |
| webhook.namespaceSelector.matchExpressions[0].key | string | `"policy.sigstore.dev/include"` | |
| webhook.namespaceSelector.matchExpressions[0].operator | string | `"In"` | |
| webhook.namespaceSelector.matchExpressions[0].values[0] | string | `"true"` | |
| webhook.podDisruptionBudget.enabled | bool | `true` | |
| webhook.podDisruptionBudget.minAvailable | int | `1` | |
| webhook.podSecurityContext.allowPrivilegeEscalation | bool | `false` | |
| webhook.podSecurityContext.capabilities.drop[0] | string | `"ALL"` | |
| webhook.podSecurityContext.enabled | bool | `true` | |
| webhook.podSecurityContext.readOnlyRootFilesystem | bool | `true` | |
| webhook.podSecurityContext.runAsUser | int | `1000` | |
| webhook.registryCaBundle | object | `{}` | |
| webhook.replicaCount | int | `1` | |
| webhook.resources.limits.cpu | string | `"200m"` | |
| webhook.resources.limits.memory | string | `"512Mi"` | |
| webhook.resources.requests.cpu | string | `"100m"` | |
| webhook.resources.requests.memory | string | `"128Mi"` | |
| webhook.securityContext.enabled | bool | `false` | |
| webhook.securityContext.runAsUser | int | `65532` | |
| webhook.service.annotations | object | `{}` | |
| webhook.service.port | int | `443` | |
| webhook.service.type | string | `"ClusterIP"` | |
| webhook.serviceAccount.annotations | object | `{}` | |
| webhook.serviceAccount.create | bool | `true` | |
| webhook.serviceAccount.name | string | `""` | |
| webhook.volumeMounts | list | `[]` | |
| webhook.volumes | list | `[]` | |
| webhook.webhookNames.defaulting | string | `"defaulting.clusterimagepolicy.sigstore.dev"` | |
| webhook.webhookNames.validating | string | `"validating.clusterimagepolicy.sigstore.dev"` | |

### Deploy `policy-controller` Helm Chart

Install `policy-controller` using Helm:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,13 @@ spec:
matchLabels:
{{- include "policy-controller.selectorLabels" . | nindent 6 }}
control-plane: {{ template "policy-controller.fullname" . }}-webhook

{{- if .Values.deployment.strategy }}
strategy:
{{ toYaml .Values.deployment.strategy | trim | indent 4 }}
{{ if eq .Values.deployment.strategy.type "Recreate" }}rollingUpdate: null{{ end }}
{{- end }}

template:
metadata:
{{- with .Values.webhook.podAnnotations }}
Expand Down
7 changes: 7 additions & 0 deletions charts/policy-controller/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,13 @@ imagePullSecrets: []

loglevel: info

deployment:
strategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 1
maxSurge: 1

webhook:
customLabels: {}
configData: {}
Expand Down

0 comments on commit 5d739b5

Please sign in to comment.