diff --git a/charts/pyrra/Chart.yaml b/charts/pyrra/Chart.yaml
index 5083aee59..a4d5a5359 100644
--- a/charts/pyrra/Chart.yaml
+++ b/charts/pyrra/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.11.1
+version: 0.12.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/charts/pyrra/README.md b/charts/pyrra/README.md
index 378fc4bc1..986201dbe 100644
--- a/charts/pyrra/README.md
+++ b/charts/pyrra/README.md
@@ -1,6 +1,6 @@
 # pyrra
-![Version: 0.11.1](https://img.shields.io/badge/Version-0.11.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.7.2](https://img.shields.io/badge/AppVersion-v0.7.2-informational?style=flat-square)
+![Version: 0.12.0](https://img.shields.io/badge/Version-0.12.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.7.2](https://img.shields.io/badge/AppVersion-v0.7.2-informational?style=flat-square)
 SLO manager and alert generator
@@ -8,6 +8,10 @@ SLO manager and alert generator
 Pyrra needs prometheus to work. You will need to specify that via prometheusUrl variable - default assumes you have default [kube-prometheus-stack](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack) deployed to "monitoring" namespace.
 Additionaly, you (most likely) will need to specify prometheusExternalUrl with URL to public-facing prometheus UI (ingress or whatever you're using), otherwise pyrra links to graphs will be broken
+## Webhook Admissions Controller Validations (Optional)
+Pyrra can be configured to validate SLOs and SLO groups using a webhook admission controller. This is an optional feature that can be enabled by setting the `validatingWebhookConfiguration.enabled` value to `true`. The webhook admission controller will validate SLOs when they are created or updated.
+If the SLO object is invalid, the admission controller will reject the request and provide a reason for the failure. This requires cert-manager to be installed in the cluster. If cert-manager is not installed, the webhook admission controller will not be created.
+
 ## Values
 | Key | Type | Default | Description |
@@ -46,7 +50,8 @@ Additionaly, you (most likely) will need to specify prometheusExternalUrl with U
 | serviceMonitor.enabled | bool | `false` | enables servicemonitor for server monitoring |
 | serviceMonitor.labels | object | `{}` | Set labels for the ServiceMonitor, use this to define your scrape label for Prometheus Operator |
 | tolerations | object | `{}` | tolerations for scheduling server pod |
+| validatingWebhookConfiguration.enabled | bool | `false` | enables admission webhook for server to validate SLOs, this requires cert-manager to be installed |
 ## Upgrading
-A major chart version change indicates that there is an incompatible breaking change needing manual actions.
\ No newline at end of file
+A major chart version change indicates that there is an incompatible breaking change needing manual actions.
diff --git a/charts/pyrra/README.md.gotmpl b/charts/pyrra/README.md.gotmpl
index 7c190affe..c9e4f3343 100644
--- a/charts/pyrra/README.md.gotmpl
+++ b/charts/pyrra/README.md.gotmpl
@@ -12,8 +12,12 @@
 Pyrra needs prometheus to work. You will need to specify that via prometheusUrl variable - default assumes you have default [kube-prometheus-stack](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack) deployed to "monitoring" namespace.
 Additionaly, you (most likely) will need to specify prometheusExternalUrl with URL to public-facing prometheus UI (ingress or whatever you're using), otherwise pyrra links to graphs will be broken
+## Webhook Admissions Controller Validations (Optional)
+Pyrra can be configured to validate SLOs and SLO groups using a webhook admission controller. This is an optional feature that can be enabled by setting the `validatingWebhookConfiguration.enabled` value to `true`. The webhook admission controller will validate SLOs when they are created or updated.
+If the SLO object is invalid, the admission controller will reject the request and provide a reason for the failure. This requires cert-manager to be installed in the cluster. If cert-manager is not installed, the webhook admission controller will not be created.
+
 {{ template "chart.valuesSection" . }}
 ## Upgrading
-A major chart version change indicates that there is an incompatible breaking change needing manual actions.
\ No newline at end of file
+A major chart version change indicates that there is an incompatible breaking change needing manual actions.
diff --git a/charts/pyrra/templates/admissionvalidation.yaml b/charts/pyrra/templates/admissionvalidation.yaml
new file mode 100644
index 000000000..2dcbbea32
--- /dev/null
+++ b/charts/pyrra/templates/admissionvalidation.yaml
@@ -0,0 +1,48 @@
+{{- if and .Values.validatingWebhookConfiguration.enabled ($.Capabilities.APIVersions.Has "cert-manager.io/v1") }}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ include "pyrra.fullname" . }}-selfsigned
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ include "pyrra.fullname" . }}-webhook-validation
+spec:
+  dnsNames:
+  - {{ include "pyrra.fullname" . }}.{{ .Release.Namespace }}.svc
+  issuerRef:
+    name: {{ include "pyrra.fullname" . }}-selfsigned
+  secretName: {{ include "pyrra.fullname" . }}-webhook-validation
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "pyrra.fullname" . }}-webhook-validation
+  name: {{ include "pyrra.fullname" . }}-validating-webhook-configuration
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: {{ include "pyrra.fullname" . }}
+      namespace: {{ .Release.Namespace }}
+      path: /validate-pyrra-dev-v1alpha1-servicelevelobjective
+      port: 9443
+  failurePolicy: Fail
+  name: slo.pyrra.dev-servicelevelobjectives
+  rules:
+  - apiGroups:
+    - pyrra.dev
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - servicelevelobjectives
+  sideEffects: None
+{{- end }}
\ No newline at end of file
diff --git a/charts/pyrra/templates/deployment.yaml b/charts/pyrra/templates/deployment.yaml
index cf6fb77cd..5b93db724 100644
--- a/charts/pyrra/templates/deployment.yaml
+++ b/charts/pyrra/templates/deployment.yaml
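Review bot: `clientConfig.service.port: 9443` sends the API server to the chart's Service, but this commit does not touch the Service template and the deployment hunk declares no containerPort for the webhook listener; unless the existing Service already publishes 9443 and routes it to the container that receives `--disable-webhooks=false`, the API server cannot reach the webhook and, because of `failurePolicy: Fail`, every ServiceLevelObjective create or update is rejected. Please confirm the Service port or add a 9443 port to it in this change. Setting `timeoutSeconds` explicitly on the webhook (the API-server default is 10s) is also worth considering so a stalled webhook fails fast instead of holding admission for the full default. The trailing `\ No newline at end of file` on `{{- end }}` is cosmetic but will show up in the next diff of this file.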
@@ -35,11 +35,19 @@ spec:
           {{- if .Values.genericRules.enabled }}
           - --generic-rules
           {{- end }}
+          {{- if and .Values.validatingWebhookConfiguration.enabled ($.Capabilities.APIVersions.Has "cert-manager.io/v1") }}
+          - --disable-webhooks=false
+          {{- end }}
           {{- with .Values.extraKubernetesArgs }}
           {{- toYaml . | nindent 12 }}
           {{- end }}
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
+          {{- if and .Values.validatingWebhookConfiguration.enabled ($.Capabilities.APIVersions.Has "cert-manager.io/v1") }}
+          volumeMounts:
+          - mountPath: /tmp/k8s-webhook-server/serving-certs
+            name: certs
+          {{- end }}
        - name: {{ .Chart.Name }}
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
@@ -70,3 +78,9 @@ spec:
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
+      {{- if and .Values.validatingWebhookConfiguration.enabled ($.Capabilities.APIVersions.Has "cert-manager.io/v1") }}
+      volumes:
+      - name: certs
+        secret:
+          secretName: {{ include "pyrra.fullname" . }}-webhook-validation
+      {{- end }}
diff --git a/charts/pyrra/values.yaml b/charts/pyrra/values.yaml
index 17730e414..d8e90cfc6 100644
--- a/charts/pyrra/values.yaml
+++ b/charts/pyrra/values.yaml
@@ -102,3 +102,7 @@ serviceMonitor:
 genericRules:
   # -- enables generate Pyrra generic recording rules. Pyrra generates metrics with the same name for each SLO.
   enabled: false
+
+validatingWebhookConfiguration:
+  # -- enables admission webhook for server to validate SLOs, this requires cert-manager to be installed
+  enabled: false
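Review bot: The `certs` volumeMount added after `resources` lacks `readOnly: true`; the webhook's private key should not be writable from inside the container, so add `readOnly: true` beside `name: certs`. The condition `and .Values.validatingWebhookConfiguration.enabled ($.Capabilities.APIVersions.Has "cert-manager.io/v1")` is now repeated at the args, volumeMounts and volumes sites of this file (both hunks) and once more in admissionvalidation.yaml; a named template evaluated once would keep the four sites from drifting, since a mismatch leaves a Pod waiting on a Secret that no Certificate issues. `$.Capabilities.APIVersions.Has` reads discovery from the live cluster, so `helm template` and other offline renders silently produce the webhook-disabled output even with the value set to true unless `--api-versions cert-manager.io/v1` is passed — a sentence to that effect on the new `validatingWebhookConfiguration.enabled` comment in values.yaml would save debugging time. The containers block these lines belong to starts and ends outside the hunk.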