feat(helm): allow hardcodes to be configurable (#4207)

* feat(helm): allow hardcodes to be configurable

Signed-off-by: t3mi <[email protected]>

* docs: update comment for container security context

Co-authored-by: Matthew Christopher <[email protected]>

---------

Signed-off-by: t3mi <[email protected]>
Co-authored-by: Matthew Christopher <[email protected]>

Author: t3mi

v2/charts/azure-service-operator/templates/aadpodidentity.yaml

@@ -1,9 +1,9 @@
-{{if .Values.aadPodIdentity.enable}}
+{{- if .Values.aadPodIdentity.enable }}
 apiVersion: "aadpodidentity.k8s.io/v1"
 kind: AzureIdentity
 metadata:
   name: aso-identity
-  namespace: {{.Release.Namespace}}
+  namespace: {{ .Release.Namespace }}
 spec:
   type: 0
   resourceID: {{ .Values.aadPodIdentity.azureManagedIdentityResourceId }}
@@ -13,8 +13,8 @@ apiVersion: "aadpodidentity.k8s.io/v1"
 kind: AzureIdentityBinding
 metadata:
   name: aso-identity-binding
-  namespace: {{.Release.Namespace}}
+  namespace: {{ .Release.Namespace }}
 spec:
   azureIdentity: aso-identity
   selector: aso-manager-binding
-{{ end }}
+{{- end }}

v2/charts/azure-service-operator/templates/apps_v1_deployment_azureserviceoperator-controller-manager.yaml

@@ -1,6 +1,10 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
+  {{- with .Values.deploymentAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
   labels:
     app.kubernetes.io/name: azure-service-operator
     app.kubernetes.io/version: v2.9.0
@@ -9,23 +13,27 @@ metadata:
   namespace: {{ .Release.Namespace }}
 spec:
   replicas: 1
+  revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
   selector:
     matchLabels:
       control-plane: controller-manager
   template:
     metadata:
       annotations:
-        {{- if .Values.podAnnotations }}
-        {{ toYaml .Values.podAnnotations }}
+        {{- with .Values.podAnnotations }}
+        {{- toYaml . | nindent 8}}
         {{- end }}
         kubectl.kubernetes.io/default-container: manager
       labels:
-        {{- if or (eq .Values.multitenant.enable false) (eq .Values.azureOperatorMode "watchers") }}
+        {{- if .Values.aadPodIdentity.enable }}
         aadpodidbinding: aso-manager-binding
         {{- end }}
         app.kubernetes.io/name: azure-service-operator
         app.kubernetes.io/version: v2.9.0
         control-plane: controller-manager
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
     spec:
       {{- with .Values.tolerations }}
       tolerations:
@@ -191,16 +199,14 @@ spec:
             path: /readyz
             port: 8081
           initialDelaySeconds: 60
+        {{- with .Values.resources }}
         resources:
-          limits:
-            cpu: 500m
-            memory: 512Mi
-          requests:
-            cpu: 200m
-            memory: 256Mi
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+        {{- with .Values.securityContext }}
         securityContext:
-          allowPrivilegeEscalation: false
-          readOnlyRootFilesystem: true
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
         volumeMounts:
         - mountPath: /var/run/secrets/tokens
           name: azure-identity
@@ -210,8 +216,17 @@ spec:
           name: cert
           readOnly: true
         {{- end }}
+      {{- with .Values.nodeSelector }}
       nodeSelector:
-        kubernetes.io/os: linux
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.priorityClassName }}
+      priorityClassName: "{{ . }}"
+      {{- end }}
+      {{- with .Values.podSecurityContext }}
+      securityContext:
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
       serviceAccountName: {{ include "azure-service-operator.serviceAccountName" . }}
       terminationGracePeriodSeconds: 10
       volumes:

v2/charts/azure-service-operator/values.yaml

@@ -132,10 +132,10 @@ installCRDs: true
 # together to enable other scenarios, such as dbformysql.azure.com/FlexibleServersFirewallRules, and it's generally
 # easier to just include the whole group.
 # See https://azure.github.io/azure-service-operator/guide/crd-management for more details.
-crdPattern: ''
+crdPattern: ""
 
-# podAnnotations contain the pod annotations for Azure Service Operator
-podAnnotations: {}
+# deploymentAnnotations contain the deployment annotations for Azure Service Operator
+deploymentAnnotations: {}
 
 # multitenant contains the value to enable multi-tenant mode for ASOv2. If multitenant.enable is true + azureOperatorMode set to "webhooks", chart will
 # install a cluster and if multitenant.enable is true + azureOperatorMode set to "watchers", chart will install a tenant.
@@ -155,6 +155,47 @@ networkPolicies:
   # Destination CIDR for talking to PostgreSQL servers
   postgresqlCIDR: 0.0.0.0/0
 
+# Node labels for pod assignment
+# Ref: https://kubernetes.io/docs/user-guide/node-selection/
+nodeSelector:
+  kubernetes.io/os: linux
+
+# podAnnotations contain the pod annotations for Azure Service Operator
+podAnnotations: {}
+
+# Labels to be added to the pod
+podLabels: {}
+
+# The securityContext of the pod
+# See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+podSecurityContext: {}
+
+# Assign a PriorityClassName to pods if set
+priorityClassName: ""
+
+# Recomended initial values for resources
+# adjust them as necessary
+resources:
+  limits:
+    cpu: 500m
+    memory: 512Mi
+  requests:
+    cpu: 200m
+    memory: 256Mi
+
+# Number of old history to retain to allow rollback
+# Default Kubernetes value is set to 10
+revisionHistoryLimit: 10
+
+# Specify security settings for a Container
+# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+# It is not recommended to reduce the restrictions in this list, but additional restrictions outside of the default set 
+# can be applied. If you believe additional securityContext configuration should be specified by default
+# please raise an issue.
+securityContext:
+  allowPrivilegeEscalation: false
+  readOnlyRootFilesystem: true
+
 # Tolerations are applied to pods. Tolerations allow the scheduler to schedule pods with matching taints. Tolerations allow scheduling but don't guarantee scheduling
 # For more information, see https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration.
 tolerations: []