Add feature flag to control whether we should add don't evict annotation

Signed-off-by: Daishan Peng <[email protected]>
acorn-io · Nov 22, 2023 · ae63210 · ae63210
1 parent 3ff4592
commit ae63210
Show file tree

Hide file tree

Showing 7 changed files with 64 additions and 38 deletions.
diff --git a/pkg/apis/api.acorn.io/v1/types.go b/pkg/apis/api.acorn.io/v1/types.go
@@ -521,42 +521,43 @@ type Config struct {
 	// For repeatable flags, ensure the struct and json fields are plural and the flag name is singular.
 	// See ClusterDomains as an example.
 
-	IngressClassName               *string         `json:"ingressClassName" usage:"The ingress class name to assign to all created ingress resources (default '')"`
-	ClusterDomains                 []string        `json:"clusterDomains" name:"cluster-domain" usage:"The externally addressable cluster domain (default .oss-acorn.io)"`
-	LetsEncrypt                    *string         `json:"letsEncrypt" name:"lets-encrypt" usage:"enabled|disabled|staging. If enabled, acorn generated endpoints will be secured using TLS certificate from Let's Encrypt. Staging uses Let's Encrypt's staging environment. (default disabled)"`
-	LetsEncryptEmail               string          `json:"letsEncryptEmail" name:"lets-encrypt-email" usage:"Required if --lets-encrypt=enabled. The email address to use for Let's Encrypt registration(default '')"`
-	LetsEncryptTOSAgree            *bool           `json:"letsEncryptTOSAgree" name:"lets-encrypt-tos-agree" usage:"Required if --lets-encrypt=enabled. If true, you agree to the Let's Encrypt terms of service (default false)"`
-	SetPodSecurityEnforceProfile   *bool           `json:"setPodSecurityEnforceProfile" usage:"Set the PodSecurity profile on created namespaces (default true)"`
-	PodSecurityEnforceProfile      string          `json:"podSecurityEnforceProfile" usage:"The name of the PodSecurity profile to set (default baseline)" wrangler:"nullable"`
-	HttpEndpointPattern            *string         `json:"httpEndpointPattern" name:"http-endpoint-pattern" usage:"Go template for formatting application http endpoints. Valid variables to use are: App, Container, Namespace, Hash and ClusterDomain. (default pattern is {{hashConcat 8 .Container .App .Namespace | truncate}}.{{.ClusterDomain}})" wrangler:"nullable"`
-	InternalClusterDomain          string          `json:"internalClusterDomain" usage:"The Kubernetes internal cluster domain (default svc.cluster.local)" wrangler:"nullable"`
-	AcornDNS                       *string         `json:"acornDNS" name:"acorn-dns" usage:"enabled|disabled|auto. If enabled, containers created by Acorn will get public FQDNs. Auto functions as disabled if a custom clusterDomain has been supplied (default auto)"`
-	AcornDNSEndpoint               *string         `json:"acornDNSEndpoint" name:"acorn-dns-endpoint" usage:"The URL to access the Acorn DNS service"`
-	AutoUpgradeInterval            *string         `json:"autoUpgradeInterval" name:"auto-upgrade-interval" usage:"For apps configured with automatic upgrades enabled, the interval at which to check for new versions. Upgrade intervals configured at the application level cannot be smaller than this. (default '5m' - 5 minutes)"`
-	RecordBuilds                   *bool           `json:"recordBuilds" name:"record-builds" usage:"Keep a record of each acorn build that happens"`
-	PublishBuilders                *bool           `json:"publishBuilders" name:"publish-builders" usage:"Publish the builders through ingress to so build traffic does not traverse the api-server"`
-	BuilderPerProject              *bool           `json:"builderPerProject" name:"builder-per-project" usage:"Create a dedicated builder per project"`
-	InternalRegistryPrefix         *string         `json:"internalRegistryPrefix" name:"internal-registry-prefix" usage:"The image prefix to use when pushing internal images (example ghcr.io/my-org/)"`
-	IgnoreUserLabelsAndAnnotations *bool           `json:"ignoreUserLabelsAndAnnotations" name:"ignore-user-labels-and-annotations" usage:"Don't propagate user-defined labels and annotations to dependent objects"`
-	AllowUserLabels                []string        `json:"allowUserLabels" name:"allow-user-label" usage:"Allow these labels to propagate to dependent objects, no effect if --ignore-user-labels-and-annotations not true"`
-	AllowUserAnnotations           []string        `json:"allowUserAnnotations" name:"allow-user-annotation" usage:"Allow these annotations to propagate to dependent objects, no effect if --ignore-user-labels-and-annotations not true"`
-	AllowUserMetadataNamespaces    []string        `json:"allowUserMetadataNamespaces" name:"allow-user-metadata-namespace" usage:"Allow these namespaces to propagate labels and annotations to dependent objects, no effect if --ignore-user-labels-and-annotations not true"`
-	WorkloadMemoryDefault          *int64          `json:"workloadMemoryDefault" name:"workload-memory-default" quantity:"true" usage:"Set the default memory for acorn workloads. Accepts binary suffixes (Ki, Mi, Gi, etc) and \".\" and \"_\" separators (default 0)" short:"m"`
-	WorkloadMemoryMaximum          *int64          `json:"workloadMemoryMaximum" name:"workload-memory-maximum" quantity:"true" usage:"Set the maximum memory for acorn workloads. Accepts binary suffixes (Ki, Mi, Gi, etc) and \".\" and \"_\" separators (default 0)"`
-	UseCustomCABundle              *bool           `json:"useCustomCABundle" name:"use-custom-ca-bundle" usage:"Use CA bundle for admin supplied secret for all acorn control plane components. Defaults to false."`
-	PropagateProjectAnnotations    []string        `json:"propagateProjectAnnotations" name:"propagate-project-annotation" usage:"The list of keys of annotations to propagate from acorn project to app namespaces"`
-	PropagateProjectLabels         []string        `json:"propagateProjectLabels" name:"propagate-project-label" usage:"The list of keys of labels to propagate from acorn project to app namespaces"`
-	ManageVolumeClasses            *bool           `json:"manageVolumeClasses" name:"manage-volume-classes" usage:"Manually manage volume classes rather than sync with storage classes, setting to 'true' will delete Acorn-created volume classes"`
-	VolumeSizeDefault              string          `json:"volumeSizeDefault" name:"volume-size-default" usage:"Set the default size for acorn volumes. Accepts storage suffixes (K, M, G, Ki, Mi, Gi, etc) and \".\" and \"_\" separators (default 0)"`
-	NetworkPolicies                *bool           `json:"networkPolicies" name:"network-policies" usage:"Create Kubernetes NetworkPolicies which block cross-project network traffic (default false)"`
-	IngressControllerNamespace     *string         `json:"ingressControllerNamespace" name:"ingress-controller-namespace" usage:"The namespace where the ingress controller runs - used to secure published HTTP ports with NetworkPolicies."`
-	AllowTrafficFromNamespace      []string        `json:"allowTrafficFromNamespace" name:"allow-traffic-from-namespace" usage:"Namespaces that are allowed to send network traffic to all Acorn apps"`
-	ServiceLBAnnotations           []string        `json:"serviceLBAnnotations" name:"service-lb-annotation" usage:"Annotation to add to the service of type LoadBalancer. Defaults to empty. (example key=value)"`
-	AWSIdentityProviderARN         *string         `json:"awsIdentityProviderArn" name:"aws-identity-provider-arn" usage:"ARN of cluster's OpenID Connect provider registered in AWS"`
-	EventTTL                       *string         `json:"eventTTL" name:"event-ttl" usage:"Amount of time an Acorn event will be stored before being deleted (default '168h' - 7 days)"`
-	Features                       map[string]bool `json:"features" name:"features" boolmap:"true" usage:"Enable or disable features. (example foo=true,bar=false)"`
-	CertManagerIssuer              *string         `json:"certManagerIssuer" name:"cert-manager-issuer" usage:"The name of the cert-manager cluster issuer to use for TLS certificates on custom domains" default:""`
-	Profile                        *string         `json:"profile" name:"profile" usage:"The name of the profile to use for the installation. Profiles options are production (prod) and default. (default profile is default)"`
+	IngressClassName                           *string         `json:"ingressClassName" usage:"The ingress class name to assign to all created ingress resources (default '')"`
+	ClusterDomains                             []string        `json:"clusterDomains" name:"cluster-domain" usage:"The externally addressable cluster domain (default .oss-acorn.io)"`
+	LetsEncrypt                                *string         `json:"letsEncrypt" name:"lets-encrypt" usage:"enabled|disabled|staging. If enabled, acorn generated endpoints will be secured using TLS certificate from Let's Encrypt. Staging uses Let's Encrypt's staging environment. (default disabled)"`
+	LetsEncryptEmail                           string          `json:"letsEncryptEmail" name:"lets-encrypt-email" usage:"Required if --lets-encrypt=enabled. The email address to use for Let's Encrypt registration(default '')"`
+	LetsEncryptTOSAgree                        *bool           `json:"letsEncryptTOSAgree" name:"lets-encrypt-tos-agree" usage:"Required if --lets-encrypt=enabled. If true, you agree to the Let's Encrypt terms of service (default false)"`
+	SetPodSecurityEnforceProfile               *bool           `json:"setPodSecurityEnforceProfile" usage:"Set the PodSecurity profile on created namespaces (default true)"`
+	PodSecurityEnforceProfile                  string          `json:"podSecurityEnforceProfile" usage:"The name of the PodSecurity profile to set (default baseline)" wrangler:"nullable"`
+	HttpEndpointPattern                        *string         `json:"httpEndpointPattern" name:"http-endpoint-pattern" usage:"Go template for formatting application http endpoints. Valid variables to use are: App, Container, Namespace, Hash and ClusterDomain. (default pattern is {{hashConcat 8 .Container .App .Namespace | truncate}}.{{.ClusterDomain}})" wrangler:"nullable"`
+	InternalClusterDomain                      string          `json:"internalClusterDomain" usage:"The Kubernetes internal cluster domain (default svc.cluster.local)" wrangler:"nullable"`
+	AcornDNS                                   *string         `json:"acornDNS" name:"acorn-dns" usage:"enabled|disabled|auto. If enabled, containers created by Acorn will get public FQDNs. Auto functions as disabled if a custom clusterDomain has been supplied (default auto)"`
+	AcornDNSEndpoint                           *string         `json:"acornDNSEndpoint" name:"acorn-dns-endpoint" usage:"The URL to access the Acorn DNS service"`
+	AutoUpgradeInterval                        *string         `json:"autoUpgradeInterval" name:"auto-upgrade-interval" usage:"For apps configured with automatic upgrades enabled, the interval at which to check for new versions. Upgrade intervals configured at the application level cannot be smaller than this. (default '5m' - 5 minutes)"`
+	RecordBuilds                               *bool           `json:"recordBuilds" name:"record-builds" usage:"Keep a record of each acorn build that happens"`
+	PublishBuilders                            *bool           `json:"publishBuilders" name:"publish-builders" usage:"Publish the builders through ingress to so build traffic does not traverse the api-server"`
+	BuilderPerProject                          *bool           `json:"builderPerProject" name:"builder-per-project" usage:"Create a dedicated builder per project"`
+	InternalRegistryPrefix                     *string         `json:"internalRegistryPrefix" name:"internal-registry-prefix" usage:"The image prefix to use when pushing internal images (example ghcr.io/my-org/)"`
+	IgnoreUserLabelsAndAnnotations             *bool           `json:"ignoreUserLabelsAndAnnotations" name:"ignore-user-labels-and-annotations" usage:"Don't propagate user-defined labels and annotations to dependent objects"`
+	AllowUserLabels                            []string        `json:"allowUserLabels" name:"allow-user-label" usage:"Allow these labels to propagate to dependent objects, no effect if --ignore-user-labels-and-annotations not true"`
+	AllowUserAnnotations                       []string        `json:"allowUserAnnotations" name:"allow-user-annotation" usage:"Allow these annotations to propagate to dependent objects, no effect if --ignore-user-labels-and-annotations not true"`
+	AllowUserMetadataNamespaces                []string        `json:"allowUserMetadataNamespaces" name:"allow-user-metadata-namespace" usage:"Allow these namespaces to propagate labels and annotations to dependent objects, no effect if --ignore-user-labels-and-annotations not true"`
+	WorkloadMemoryDefault                      *int64          `json:"workloadMemoryDefault" name:"workload-memory-default" quantity:"true" usage:"Set the default memory for acorn workloads. Accepts binary suffixes (Ki, Mi, Gi, etc) and \".\" and \"_\" separators (default 0)" short:"m"`
+	WorkloadMemoryMaximum                      *int64          `json:"workloadMemoryMaximum" name:"workload-memory-maximum" quantity:"true" usage:"Set the maximum memory for acorn workloads. Accepts binary suffixes (Ki, Mi, Gi, etc) and \".\" and \"_\" separators (default 0)"`
+	UseCustomCABundle                          *bool           `json:"useCustomCABundle" name:"use-custom-ca-bundle" usage:"Use CA bundle for admin supplied secret for all acorn control plane components. Defaults to false."`
+	PropagateProjectAnnotations                []string        `json:"propagateProjectAnnotations" name:"propagate-project-annotation" usage:"The list of keys of annotations to propagate from acorn project to app namespaces"`
+	PropagateProjectLabels                     []string        `json:"propagateProjectLabels" name:"propagate-project-label" usage:"The list of keys of labels to propagate from acorn project to app namespaces"`
+	ManageVolumeClasses                        *bool           `json:"manageVolumeClasses" name:"manage-volume-classes" usage:"Manually manage volume classes rather than sync with storage classes, setting to 'true' will delete Acorn-created volume classes"`
+	VolumeSizeDefault                          string          `json:"volumeSizeDefault" name:"volume-size-default" usage:"Set the default size for acorn volumes. Accepts storage suffixes (K, M, G, Ki, Mi, Gi, etc) and \".\" and \"_\" separators (default 0)"`
+	NetworkPolicies                            *bool           `json:"networkPolicies" name:"network-policies" usage:"Create Kubernetes NetworkPolicies which block cross-project network traffic (default false)"`
+	IngressControllerNamespace                 *string         `json:"ingressControllerNamespace" name:"ingress-controller-namespace" usage:"The namespace where the ingress controller runs - used to secure published HTTP ports with NetworkPolicies."`
+	AllowTrafficFromNamespace                  []string        `json:"allowTrafficFromNamespace" name:"allow-traffic-from-namespace" usage:"Namespaces that are allowed to send network traffic to all Acorn apps"`
+	ServiceLBAnnotations                       []string        `json:"serviceLBAnnotations" name:"service-lb-annotation" usage:"Annotation to add to the service of type LoadBalancer. Defaults to empty. (example key=value)"`
+	AWSIdentityProviderARN                     *string         `json:"awsIdentityProviderArn" name:"aws-identity-provider-arn" usage:"ARN of cluster's OpenID Connect provider registered in AWS"`
+	EventTTL                                   *string         `json:"eventTTL" name:"event-ttl" usage:"Amount of time an Acorn event will be stored before being deleted (default '168h' - 7 days)"`
+	Features                                   map[string]bool `json:"features" name:"features" boolmap:"true" usage:"Enable or disable features. (example foo=true,bar=false)"`
+	CertManagerIssuer                          *string         `json:"certManagerIssuer" name:"cert-manager-issuer" usage:"The name of the cert-manager cluster issuer to use for TLS certificates on custom domains" default:""`
+	Profile                                    *string         `json:"profile" name:"profile" usage:"The name of the profile to use for the installation. Profiles options are production (prod) and default. (default profile is default)"`
+	AutoConfigureKarpenterDontEvictAnnotations *bool           `json:"autoConfigureKarpenterDontEvictAnnotations" name:"auto-configure-karpenter-dont-evict-annotations" usage:"Automatically configure Karpenter to not evict pods with the given annotations if app is running a single replica. (default false)"`
 
 	// Flags for setting resource request and limits on sytem components
 	ControllerMemory       *string `json:"controllerMemory" name:"controller-memory" usage:"The memory to allocate to the runtime-controller in the format of <req>:<limit> (example 256Mi:1Gi)"`

diff --git a/pkg/apis/api.acorn.io/v1/zz_generated.deepcopy.go b/pkg/apis/api.acorn.io/v1/zz_generated.deepcopy.go
diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -155,6 +155,9 @@ func complete(ctx context.Context, c *apiv1.Config, getter kclient.Reader, inclu
 	if c.CertManagerIssuer == nil {
 		c.CertManagerIssuer = profile.CertManagerIssuer
 	}
+	if c.AutoConfigureKarpenterDontEvictAnnotations == nil {
+		c.AutoConfigureKarpenterDontEvictAnnotations = profile.AutoConfigureKarpenterDontEvictAnnotations
+	}
 	return nil
 }
 
@@ -453,6 +456,9 @@ func merge(oldConfig, newConfig *apiv1.Config) *apiv1.Config {
 	if newConfig.APIServerCPU != nil {
 		mergedConfig.APIServerCPU = newConfig.APIServerCPU
 	}
+	if newConfig.AutoConfigureKarpenterDontEvictAnnotations != nil {
+		mergedConfig.AutoConfigureKarpenterDontEvictAnnotations = newConfig.AutoConfigureKarpenterDontEvictAnnotations
+	}
 
 	return &mergedConfig
 }

diff --git a/pkg/controller/appdefinition/deploy.go b/pkg/controller/appdefinition/deploy.go
@@ -806,7 +806,13 @@ func toDeployment(req router.Request, appInstance *v1.AppInstance, tag name.Refe
 
 	// Set karpenter do-not-evict annotation if scale is nil or 1. This prevents karpenter from evicting the pod if deployment is not running with more than 1 replica.
 	if dep.Spec.Replicas == nil || *dep.Spec.Replicas == 1 {
-		dep.Spec.Template.Annotations["karpenter.sh/do-not-evict"] = "true"
+		cfg, err := config.Get(req.Ctx, req.Client)
+		if err != nil {
+			return nil, err
+		}
+		if z.Dereference(cfg.AutoConfigureKarpenterDontEvictAnnotations) {
+			dep.Spec.Template.Annotations["karpenter.sh/do-not-evict"] = "true"
+		}
 	}
 
 	return dep, nil