From 9cc489d3ad223fbc2c1205510281ee8d700f4485 Mon Sep 17 00:00:00 2001
From: Andrew Karpow
Date: Mon, 17 Nov 2025 15:41:50 +0100
Subject: [PATCH] run go-makefile-maker and ghcr.io workflow
---
.dockerignore | 3 -
.github/renovate.json | 2 +-
.github/workflows/checks.yaml | 4 +-
.github/workflows/ci.yaml | 6 +-
.github/workflows/cleanup-ghcr.yaml.yml | 24 ++++++++
.github/workflows/codeql.yaml | 2 +-
.../workflows/container-registry-ghcr.yaml | 56 +++++++++++++++++++
.github/workflows/publish-helm.yml | 40 +++++++++++++
.golangci.yaml | 10 +++-
.license-scan-overrides.jsonl | 1 +
Dockerfile | 35 +++++++++++-
Makefile | 25 ++-------
Makefile.maker.yaml | 9 +++
charts/kvm-node-agent/crds/migration-crd.yaml | 8 ++-
.../kvm-node-agent/templates/daemonset.yaml | 10 ++--
.../templates/leader-election-rbac.yaml | 2 +-
.../templates/manager-rbac.yaml | 2 +-
.../templates/metrics-auth-rbac.yaml | 2 +-
.../templates/serviceaccount.yaml | 9 ++-
charts/kvm-node-agent/values.yaml | 13 ++++-
shell.nix | 1 -
21 files changed, 219 insertions(+), 45 deletions(-)
create mode 100644 .github/workflows/cleanup-ghcr.yaml.yml
create mode 100644 .github/workflows/container-registry-ghcr.yaml
create mode 100644 .github/workflows/publish-helm.yml
diff --git a/.dockerignore b/.dockerignore
index 723093e..1edcee3 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -7,13 +7,10 @@
 # TODO: uncomment when applications no longer use git to get version information
 #.git/
 /.github/
-/.gitignore
-/.golangci.yaml
 /.goreleaser.yml
 /.vscode/
 /CONTRIBUTING.md
 /Dockerfile
-/LICENSE*
 /Makefile.maker.yaml
 /README.md
 /build/
diff --git a/.github/renovate.json b/.github/renovate.json
index 8fe8c0c..4357f17 100644
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -65,7 +65,7 @@
 "matchPackageNames": [
 "/^k8s.io\\//"
 ],
- "allowedVersions": "0.28.x"
+ "allowedVersions": "0.33.x"
 }
 ],
 "prHourlyLimit": 0,
diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml
index 40c58b6..58bb0bf 100644
--- a/.github/workflows/checks.yaml
+++ b/.github/workflows/checks.yaml
@@ -29,9 +29,9 @@ jobs:
 uses: actions/setup-go@v6
 with:
 check-latest: true
- go-version: 1.25.3
+ go-version: 1.25.4
 - name: Run golangci-lint
- uses: golangci/golangci-lint-action@v8
+ uses: golangci/golangci-lint-action@v9
 with:
 version: latest
 - name: Delete pre-installed shellcheck
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 083c2a0..9073b8a 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -32,7 +32,7 @@ jobs:
 uses: actions/setup-go@v6
 with:
 check-latest: true
- go-version: 1.25.3
+ go-version: 1.25.4
 - name: Build all binaries
 run: make build-all
 code_coverage:
@@ -65,11 +65,11 @@ jobs:
 uses: actions/setup-go@v6
 with:
 check-latest: true
- go-version: 1.25.3
+ go-version: 1.25.4
 - name: Run tests and generate coverage report
 run: make build/cover.out
 - name: Archive code coverage results
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@v5
 with:
 name: code-coverage
 path: build/cover.out
diff --git a/.github/workflows/cleanup-ghcr.yaml.yml b/.github/workflows/cleanup-ghcr.yaml.yml
new file mode 100644
index 0000000..7b4ffdd
--- /dev/null
+++ b/.github/workflows/cleanup-ghcr.yaml.yml
@@ -0,0 +1,24 @@
+# SPDX-FileCopyrightText: 2025 SAP SE or an SAP affiliate company
+# SPDX-License-Identifier: Apache-2.0
+
+name: Cleanup GHCR Images
+"on":
+ push:
+ branches:
+ - main
+ workflow_dispatch: {}
+permissions:
+ contents: read
+ packages: write
+jobs:
+ cleanup:
+ name: Cleanup old container images in GHCR
+ runs-on: ubuntu-latest
+ steps:
+ - name: Delete untagged GHCR images
+ uses: actions/delete-package-versions@v5
+ with:
+ package-name: 'kvm-node-agent'
+ package-type: 'container'
+ min-versions-to-keep: 1
+ delete-only-untagged-versions: 'true'
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
index bb1e370..ecefa3c 100644
--- a/.github/workflows/codeql.yaml
+++ b/.github/workflows/codeql.yaml
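Review bot: `delete-only-untagged-versions: 'true'` together with `min-versions-to-keep: 1` can remove the per-platform manifests behind the multi-arch image that container-registry-ghcr.yaml pushes in the same patch (`platforms: linux/amd64,linux/arm64`), because GHCR can list the children of a manifest list as untagged versions; the `edge`/`latest` tags would then point at a list whose members are gone and pulls fail. I would run this job once by `workflow_dispatch` against a throwaway package and pull the tagged image afterwards before letting it run on every push to `main`, and if the breakage is confirmed either drop the job or keep it off multi-platform packages. The filename `cleanup-ghcr.yaml.yml` also carries a double extension; GitHub accepts `.yml`, but the other workflows in `.github/workflows/` use `.yaml`, so `cleanup-ghcr.yaml` would match.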
@@ -32,7 +32,7 @@ jobs:
 uses: actions/setup-go@v6
 with:
 check-latest: true
- go-version: 1.25.3
+ go-version: 1.25.4
 - name: Initialize CodeQL
 uses: github/codeql-action/init@v4
 with:
diff --git a/.github/workflows/container-registry-ghcr.yaml b/.github/workflows/container-registry-ghcr.yaml
new file mode 100644
index 0000000..01eff9f
--- /dev/null
+++ b/.github/workflows/container-registry-ghcr.yaml
@@ -0,0 +1,56 @@ +################################################################################ +# This file is AUTOGENERATED with # +# Edit Makefile.maker.yaml instead. # +################################################################################ + +# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company +# SPDX-License-Identifier: Apache-2.0 + +name: Container Registry GHCR +"on": + push: + branches: + - main + workflow_dispatch: {} +permissions: + contents: read + packages: write +jobs: + build-and-push-image: + name: Push container to ghcr.io + runs-on: ubuntu-latest + steps: + - name: Check out code + uses: actions/checkout@v5 + - name: Log in to the Container registry + uses: docker/login-action@v3 + with: + password: ${{ secrets.GITHUB_TOKEN }} + registry: ghcr.io + username: ${{ github.actor }} + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@v5 + with: + images: ghcr.io/${{ github.repository }} + tags: | + # https://github.com/docker/metadata-action#typeedge + type=edge + # https://github.com/docker/metadata-action#latest-tag + type=raw,value=latest,enable={{is_default_branch}} + # https://github.com/docker/metadata-action#typesemver + type=semver,pattern={{raw}} + type=semver,pattern=v{{major}}.{{minor}} + type=semver,pattern=v{{major}} + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + - name: Build and push Docker image + uses: docker/build-push-action@v6 + with: + context: . + labels: ${{ steps.meta.outputs.labels }} + platforms: linux/amd64,linux/arm64 + push: true + tags: ${{ steps.meta.outputs.tags }} diff --git a/.github/workflows/publish-helm.yml b/.github/workflows/publish-helm.yml new file mode 100644 index 0000000..d6864b6 --- /dev/null +++ b/.github/workflows/publish-helm.yml 
@@ -0,0 +1,40 @@
+# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company
+# SPDX-License-Identifier: Apache-2.0
+
+name: Publish Helm Chart GHCR
+"on":
+ push:
+ branches:
+ - main
+ paths:
+ - 'charts/**'
+ workflow_dispatch: {}
+
+
+jobs:
+ publish-chart:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write # Required to push to GHCR
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v5
+
+ - name: Install Helm
+ uses: azure/setup-helm@v4.3.0
+
+ - name: Package Helm chart
+ run: |
+ helm package ./charts/kvm-node-agent
+
+ - name: Log in to GHCR
+ run: |
+ echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io --username ${{ github.actor }} --password-stdin
+
+ - name: Push Helm chart to GHCR
+ run: |
+ CHART_NAME=kvm-node-agent
+ CHART_VERSION=$(grep "version:" ./charts/${CHART_NAME}/Chart.yaml | awk '{print $2}')
+ helm push "${CHART_NAME}-${CHART_VERSION}.tgz" "oci://ghcr.io/${{ github.repository_owner }}"
diff --git a/.golangci.yaml b/.golangci.yaml
index daff948..ef4f630 100644
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -57,6 +57,7 @@ linters:
 - intrange
 - iotamixing
 - misspell
+ - modernize
 - nilerr
 - nolintlint
 - nosprintfhostport
@@ -144,6 +145,13 @@ linters:
 enable-all: true
 nolintlint:
 require-specific: true
+ modernize:
+ disable:
+ # omitzero requires removing omitempty tags in kubernetes api struct types which are nested, which is intepreted by controller-gen and breaks the CRDs.
+ - omitzero
+ perfsprint:
+ # modernize generates nicer fix code
+ concat-loop: false
 staticcheck:
 dot-import-whitelist:
 - github.com/majewsky/gg/option
@@ -168,13 +176,13 @@ linters:
 exclusions:
 generated: lax
 presets:
- - comments
 - common-false-positives
 - legacy
 - std-error-handling
 rules:
 - linters:
 - bodyclose
+ - revive
 path: _test\.go
 # It is idiomatic Go to reuse the name 'err' with ':=' for subsequent errors.
 # Ref: https://go.dev/doc/effective_go#redeclaration
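Review bot: `CHART_VERSION=$(grep "version:" ./charts/${CHART_NAME}/Chart.yaml | awk '{print $2}')` in the last step matches every line containing `version:`, and a Chart.yaml normally also has an `appVersion:` line, so `CHART_VERSION` would hold two whitespace-separated values and `helm push` would look for a tarball that `helm package` never produced. Chart.yaml is not in this patch, so I'd confirm against the chart on this branch; anchoring the match on the key fixes it either way: `CHART_VERSION=$(awk '$1 == "version:" {print $2}' "./charts/${CHART_NAME}/Chart.yaml")`. A second, smaller point: `helm push` to an existing version silently overwrites the OCI tag, so a push to `main` that touches `charts/**` without bumping `version` republishes a changed chart under an unchanged version; a guard that fails the job when the tag already exists, or a comment stating that overwriting is intended, would document the choice.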
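Review bot: The comment above the `omitzero` entry in the new `modernize` section misspells "interpreted" as `intepreted`; since the comment is the only record of why this check is disabled, it is worth keeping it clean: `# omitzero requires removing omitempty tags in kubernetes api struct types which are nested, which is interpreted by controller-gen and breaks the CRDs.` The `perfsprint` comment `# modernize generates nicer fix code` would also read better as a complete reason, e.g. `# concat-loop is left to modernize, whose autofix produces nicer code than perfsprint's.`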
diff --git a/.license-scan-overrides.jsonl b/.license-scan-overrides.jsonl
index 0a8feb2..2e279c1 100644
--- a/.license-scan-overrides.jsonl
+++ b/.license-scan-overrides.jsonl
@@ -1,4 +1,5 @@
 {"name": "github.com/chzyer/logex", "licenceType": "MIT"}
+{"name": "github.com/grpc-ecosystem/go-grpc-middleware/v2", "licenceType": "Apache-2.0"}
 {"name": "github.com/hashicorp/vault/api/auth/approle", "licenceType": "MPL-2.0"}
 {"name": "github.com/jpillora/longestcommon", "licenceType": "MIT"}
 {"name": "github.com/logrusorgru/aurora", "licenceType": "Unlicense"}
diff --git a/Dockerfile b/Dockerfile
index ab3edce..318e39e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,7 @@
 # SPDX-FileCopyrightText: 2025 SAP SE or an SAP affiliate company
 # SPDX-License-Identifier: Apache-2.0
 
-FROM golang:1.25.3-alpine3.22 AS builder
+FROM golang:1.25.4-alpine3.22 AS builder
 
 RUN apk add --no-cache --no-progress ca-certificates gcc git make musl-dev
 
@@ -11,6 +11,39 @@ RUN make -C /src install PREFIX=/pkg GOTOOLCHAIN=local
 
 ################################################################################
 
+# To only build the tests run: docker build . --target test
+# We can't do `FROM builder AS test` here, as then make prepare-static-check would not be cached during interactive use when developing
+# and caching all the tools, especially golangci-lint, takes a few minutes.
+FROM golang:1.25.4-alpine3.22 AS test
+
+COPY Makefile /src/Makefile
+
+# used below by USER
+RUN addgroup -g 4200 appgroup \
+ && adduser -h /home/appuser -s /sbin/nologin -G appgroup -D -u 4200 appuser
+
+RUN apk add --no-cache --no-progress git make py3-pip \
+ && pip3 install --break-system-packages reuse \
+ && make -C /src prepare-static-check
+
+
+# We only copy here because we want the "prepare-static-check" to be cacheable.
+# It is not a problem that we are overwriting the go cache from the earlier steps because we do not need to rebuild those tools.
+COPY --from=builder /go /go
+COPY --from=builder /src /src
+
+RUN make -C /src static-check
+
+# Some things like postgres do not like to run as root. For simplicity, just always run as an unprivileged user,
+# but for it to be able to read the go cache, we need to allow it.
+RUN chown -R 4200:4200 /src/ /go/
+USER 4200:4200
+RUN cd /src \
+ && git config --global --add safe.directory /src \
+ && make build/cover.out
+
+################################################################################
+
 FROM alpine:3.22
 
 # upgrade all installed packages to fix potential CVEs in advance
diff --git a/Makefile b/Makefile
index 885920f..d39c073 100644
--- a/Makefile
+++ b/Makefile
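Review bot: The new `test` stage installs its whole toolchain unpinned — `pip3 install --break-system-packages reuse` here, and through `make -C /src prepare-static-check` the Makefile's `go install …@latest` targets — so two builds of the same commit can run different linter versions and the stage's result depends on whatever the registries serve at build time. Pinning `reuse` (`pip3 install --break-system-packages 'reuse==<pinned version>'`) and the `@latest` tools, with renovate bumping the pins, makes the stage reproducible; if this stage is emitted by go-makefile-maker, as the commit title suggests, the pin belongs in the generator or its config rather than in this file. The why-comment `# Some things like postgres do not like to run as root.` reads as a template leftover — nothing in this stage uses postgres — so I'd state the real reason instead: `# Run the test suite as an unprivileged user; chown the source tree and the Go cache so that user can read them.`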
@@ -46,8 +46,8 @@ install-crds: generate ## Install CRDs into the K8s cluster specified in ~/.kube kubectl kustomize config/crd | kubectl apply -f - .PHONY: helmify -helm: manifests kustomize helmify - $(KUSTOMIZE) build config/default | $(HELMIFY) -crd-dir charts/kvm-node-agent +helmify: + kubectl kustomize config/default | helmify -crd-dir charts/kvm-node-agent install-goimports: FORCE @if ! hash goimports 2>/dev/null; then printf "\e[1;36m>> Installing goimports (this may take a while)...\e[0m\n"; go install golang.org/x/tools/cmd/goimports@latest; fi @@ -55,9 +55,6 @@ install-goimports: FORCE install-golangci-lint: FORCE @if ! hash golangci-lint 2>/dev/null; then printf "\e[1;36m>> Installing golangci-lint (this may take a while)...\e[0m\n"; go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest; fi -install-modernize: FORCE - @if ! hash modernize 2>/dev/null; then printf "\e[1;36m>> Installing modernize (this may take a while)...\e[0m\n"; go install golang.org/x/tools/gopls/internal/analysis/modernize/cmd/modernize@latest; fi - install-shellcheck: FORCE @if ! hash shellcheck 2>/dev/null; then printf "\e[1;36m>> Installing shellcheck...\e[0m\n"; SHELLCHECK_ARCH=$(shell uname -m); if [[ "$$SHELLCHECK_ARCH" == "arm64" ]]; then SHELLCHECK_ARCH=aarch64; fi; SHELLCHECK_OS=$(shell uname -s | tr '[:upper:]' '[:lower:]'); SHELLCHECK_VERSION="stable"; if command -v curl >/dev/null 2>&1; then GET="curl -sLo-"; elif command -v wget >/dev/null 2>&1; then GET="wget -O-"; else echo "Didn't find curl or wget to download shellcheck"; exit 2; fi; $$GET "https://github.com/koalaman/shellcheck/releases/download/$$SHELLCHECK_VERSION/shellcheck-$$SHELLCHECK_VERSION.$$SHELLCHECK_OS.$$SHELLCHECK_ARCH.tar.xz" | tar -Jxf -; BIN=$$(go env GOBIN); if [[ -z $$BIN ]]; then BIN=$$(go env GOPATH)/bin; fi; install -Dm755 shellcheck-$$SHELLCHECK_VERSION/shellcheck -t "$$BIN"; rm -rf shellcheck-$$SHELLCHECK_VERSION; fi 
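Review bot: The new `helmify:` rule at the top of the hunk runs `helmify` straight from `PATH`, unlike every other tool in this Makefile, which is reached through an `install-<tool>` prerequisite with a `hash` check (`install-goimports` a few lines below); a missing binary surfaces only as a bare shell "command not found" after `kubectl kustomize` has already run. An `install-helmify: FORCE` target in the same style, installing helmify when `hash helmify 2>/dev/null` fails, plus `helmify: install-helmify` as the rule's prerequisite keeps the convention. The rule name now matches the `.PHONY: helmify` declaration above it, which the old `helm:` rule did not, so that part is a genuine fix.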
@@ -68,9 +65,9 @@ install-addlicense: FORCE @if ! hash addlicense 2>/dev/null; then printf "\e[1;36m>> Installing addlicense (this may take a while)...\e[0m\n"; go install github.com/google/addlicense@latest; fi install-reuse: FORCE - @if ! hash reuse 2>/dev/null; then if ! hash pip3 2>/dev/null; then printf "\e[1;31m>> Cannot install reuse because no pip3 was found. Either install it using your package manager or install pip3\e[0m\n"; else printf "\e[1;36m>> Installing reuse...\e[0m\n"; pip3 install --user reuse; fi; fi + @if ! hash reuse 2>/dev/null; then if ! hash pipx 2>/dev/null; then printf "\e[1;31m>> You are required to manually intervene to install reuse as go-makefile-maker cannot automatically resolve installing reuse on all setups.\e[0m\n"; printf "\e[1;31m>> The preferred way for go-makefile-maker to install python tools after nix-shell is pipx which could not be found. Either install pipx using your package manager or install reuse using your package manager if at least version 6 is available.\e[0m\n"; printf "\e[1;31m>> As your Python was likely installed by your package manager, just doing pip install --user sadly does no longer work as pip issues a warning about breaking your system. Generally running --break-system-packages with --user is safe to do but you should only run this command if you can resolve issues with it yourself: pip3 install --user --break-system-packages reuse\e[0m\n"; else printf "\e[1;36m>> Installing reuse...\e[0m\n"; pipx install reuse; fi; fi -prepare-static-check: FORCE install-golangci-lint install-modernize install-shellcheck install-go-licence-detector install-addlicense install-reuse +prepare-static-check: FORCE install-goimports install-golangci-lint install-shellcheck install-go-licence-detector install-addlicense install-reuse install-controller-gen: FORCE @if ! 
hash controller-gen 2>/dev/null; then printf "\e[1;36m>> Installing controller-gen (this may take a while)...\e[0m\n"; go install sigs.k8s.io/controller-tools/cmd/controller-gen@latest; fi @@ -127,16 +124,13 @@ generate: install-controller-gen @printf "\e[1;36m>> controller-gen\e[0m\n" @controller-gen crd rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases @controller-gen object:headerFile="hack/boilerplate.go.txt" paths="./..." + @controller-gen applyconfiguration paths="./..." run-golangci-lint: FORCE install-golangci-lint @printf "\e[1;36m>> golangci-lint\e[0m\n" @golangci-lint config verify @golangci-lint run -run-modernize: FORCE install-modernize - @printf "\e[1;36m>> modernize\e[0m\n" - @modernize $(GO_TESTPKGS) - run-shellcheck: FORCE install-shellcheck @printf "\e[1;36m>> shellcheck\e[0m\n" @find . -type f \( -name '*.bash' -o -name '*.ksh' -o -name '*.zsh' -o -name '*.sh' -o -name '*.shlib' \) -exec shellcheck {} + @@ -160,7 +154,7 @@ check-reuse: FORCE install-reuse check-license-headers: FORCE check-addlicense check-reuse -__static-check: FORCE run-shellcheck run-golangci-lint run-modernize check-dependency-licenses check-license-headers +__static-check: FORCE run-shellcheck run-golangci-lint check-dependency-licenses check-license-headers static-check: FORCE @$(MAKE) --keep-going --no-print-directory __static-check @@ -189,10 +183,6 @@ goimports: FORCE install-goimports @printf "\e[1;36m>> goimports -w -local https://github.com/cobaltcore-dev/kvm-node-agent\e[0m\n" @goimports -w -local github.com/cobaltcore-dev/kvm-node-agent $(patsubst $(shell awk '$$1 == "module" {print $$2}' go.mod)%,.%/*.go,$(shell go list ./...)) -modernize: FORCE install-modernize - @printf "\e[1;36m>> modernize -fix ./...\e[0m\n" - @modernize -fix ./... - clean: FORCE git clean -dxf build 
@@ -225,7 +215,6 @@ help: FORCE @printf "\e[1mPrepare\e[0m\n" @printf " \e[36minstall-goimports\e[0m Install goimports required by goimports/static-check\n" @printf " \e[36minstall-golangci-lint\e[0m Install golangci-lint required by run-golangci-lint/static-check\n" - @printf " \e[36minstall-modernize\e[0m Install modernize required by run-modernize/static-check\n" @printf " \e[36minstall-shellcheck\e[0m Install shellcheck required by run-shellcheck/static-check\n" @printf " \e[36minstall-go-licence-detector\e[0m Install-go-licence-detector required by check-dependency-licenses/static-check\n" @printf " \e[36minstall-addlicense\e[0m Install addlicense required by check-license-headers/license-headers/static-check\n" @@ -243,7 +232,6 @@ help: FORCE @printf " \e[36mcheck\e[0m Run the test suite (unit tests and golangci-lint).\n" @printf " \e[36mgenerate\e[0m Generate code for Kubernetes CRDs and deepcopy.\n" @printf " \e[36mrun-golangci-lint\e[0m Install and run golangci-lint. Installing is used in CI, but you should probably install golangci-lint using your package manager.\n" - @printf " \e[36mrun-modernize\e[0m Install and run modernize. Installing is used in CI, but you should probably install modernize using your package manager.\n" @printf " \e[36mrun-shellcheck\e[0m Install and run shellcheck. Installing is used in CI, but you should probably install shellcheck using your package manager.\n" @printf " \e[36mbuild/cover.out\e[0m Run tests and generate coverage report.\n" @printf " \e[36mbuild/cover.html\e[0m Generate an HTML file with source code annotations from the coverage report.\n" 
@@ -257,7 +245,6 @@ help: FORCE
 @printf " \e[36mlicense-headers\e[0m Add (or overwrite) license headers on all non-vendored source code files.\n"
 @printf " \e[36mcheck-dependency-licenses\e[0m Check all dependency licenses using go-licence-detector.\n"
 @printf " \e[36mgoimports\e[0m Run goimports on all non-vendored .go files\n"
- @printf " \e[36mmodernize\e[0m Run modernize on all non-vendored .go files\n"
 @printf " \e[36mclean\e[0m Run git clean.\n"
 .PHONY: FORCE
diff --git a/Makefile.maker.yaml b/Makefile.maker.yaml
index b5cd199..a1fcd67 100644
--- a/Makefile.maker.yaml
+++ b/Makefile.maker.yaml
@@ -36,6 +36,15 @@ githubWorkflow:
 securityChecks:
 enabled: true
 queries: security-extended
+ pushContainerToGhcr:
+ enabled: true
+ platforms: "linux/amd64,linux/arm64"
+ tagStrategy:
+ - edge
+ - latest
+ - semver
+ license:
+ enabled: true
 metadata:
 url: https://github.com/cobaltcore-dev/kvm-node-agent
diff --git a/charts/kvm-node-agent/crds/migration-crd.yaml b/charts/kvm-node-agent/crds/migration-crd.yaml
index a023909..66eb2d7 100644
--- a/charts/kvm-node-agent/crds/migration-crd.yaml
+++ b/charts/kvm-node-agent/crds/migration-crd.yaml
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.17.2
+ controller-gen.kubebuilder.io/version: v0.19.0
 name: migrations.kvm.cloud.sap
 spec:
 group: kvm.cloud.sap
@@ -141,7 +141,13 @@ spec:
 type: string
 type:
 type: string
+ required:
+ - started
 type: object
+ required:
+ - metadata
+ - spec
+ - status
 type: object
 served: true
 storage: true
diff --git a/charts/kvm-node-agent/templates/daemonset.yaml b/charts/kvm-node-agent/templates/daemonset.yaml
index 15079d7..ab76551 100644
--- a/charts/kvm-node-agent/templates/daemonset.yaml
+++ b/charts/kvm-node-agent/templates/daemonset.yaml
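Review bot: `tagStrategy` lists `semver`, but the workflow generated from this config (`container-registry-ghcr.yaml` in the same patch) triggers only on `push` to `branches: - main` and `workflow_dispatch`, with no `tags:` filter, so the `type=semver` rules in its metadata step never match and no version-tagged image is ever published. If versioned images are wanted, the generated workflow needs a tag trigger; whether go-makefile-maker exposes that as an option is not visible here, so I'd confirm before relying on `semver`, and otherwise drop the entry so the config does not suggest release images exist. A one-line comment above `tagStrategy:` recording the decision either way would save the next reader the same investigation.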
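Review bot: The regenerated schema now carries `required: - metadata - spec - status` at the object level (second hunk), and a required `status` means the API server's validation rejects a `Migration` created from a plain spec, since clients never supply a status stanza on create. With controller-gen this typically comes from the Go `Status` field lacking `omitempty` / the `+optional` marker, and the `.golangci.yaml` change in this patch keeps `omitempty` tags precisely to protect the CRDs, so the types file (outside this patch) is where I'd look; creating a Migration against a cluster with this CRD confirms it in one step. If confirmed, the fix is in the Go types followed by regeneration, not a hand edit of this file, because it is regenerated by `make generate`.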
@@ -105,14 +105,14 @@ spec:
 volumeMounts:
 - mountPath: /host
 name: host
+ nodeSelector: {{- toYaml .Values.controllerManager.nodeSelector | nindent 8 }}
 securityContext: {{- toYaml .Values.controllerManager.podSecurityContext | nindent 8 }}
- serviceAccountName: {{ include "kvm-node-agent.fullname" . }}-controller-manager
+ serviceAccountName: {{ include "kvm-node-agent.serviceAccountName" . }}
 terminationGracePeriodSeconds: 10
- tolerations:
- - effect: NoSchedule
- key: node.gardener.cloud/critical-components-not-ready
- operator: Exists
+ tolerations: {{- toYaml .Values.controllerManager.tolerations | nindent 8 }}
+ topologySpreadConstraints: {{- toYaml .Values.controllerManager.topologySpreadConstraints
+ | nindent 8 }}
 volumes:
 - hostPath:
 path: /run/libvirt
diff --git a/charts/kvm-node-agent/templates/leader-election-rbac.yaml b/charts/kvm-node-agent/templates/leader-election-rbac.yaml
index 4721236..122af84 100644
--- a/charts/kvm-node-agent/templates/leader-election-rbac.yaml
+++ b/charts/kvm-node-agent/templates/leader-election-rbac.yaml
@@ -49,5 +49,5 @@ roleRef:
 name: '{{ include "kvm-node-agent.fullname" . }}-leader-election-role'
 subjects:
 - kind: ServiceAccount
- name: '{{ include "kvm-node-agent.fullname" . }}-controller-manager'
+ name: '{{ include "kvm-node-agent.serviceAccountName" . }}'
 namespace: '{{ .Release.Namespace }}'
diff --git a/charts/kvm-node-agent/templates/manager-rbac.yaml b/charts/kvm-node-agent/templates/manager-rbac.yaml
index 59f3cd4..0d4c21c 100644
--- a/charts/kvm-node-agent/templates/manager-rbac.yaml
+++ b/charts/kvm-node-agent/templates/manager-rbac.yaml
@@ -79,5 +79,5 @@ roleRef:
 name: '{{ include "kvm-node-agent.fullname" . }}-manager-role'
 subjects:
 - kind: ServiceAccount
- name: '{{ include "kvm-node-agent.fullname" . }}-controller-manager'
+ name: '{{ include "kvm-node-agent.serviceAccountName" . }}'
 namespace: '{{ .Release.Namespace }}'
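Review bot: `serviceAccountName: {{ include "kvm-node-agent.serviceAccountName" . }}` — and the same include in the three RBAC bindings and in serviceaccount.yaml — depends on a named template that this patch does not add: `_helpers.tpl` is absent from the diffstat. Either the helper already exists upstream, in which case it has to read the new `serviceAccount.create` and `serviceAccount.name` values added to values.yaml, or rendering fails with an undefined-template error; `helm template` on this branch settles it. Separately, the `topologySpreadConstraints` action is split over two lines (`{{- toYaml .Values.controllerManager.topologySpreadConstraints` / `| nindent 8 }}`); text/template accepts the newline, but the neighbouring `nodeSelector`, `securityContext` and `tolerations` actions are single-line, so I'd join it for consistency.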
diff --git a/charts/kvm-node-agent/templates/metrics-auth-rbac.yaml b/charts/kvm-node-agent/templates/metrics-auth-rbac.yaml
index e013bc0..6bdb612 100644
--- a/charts/kvm-node-agent/templates/metrics-auth-rbac.yaml
+++ b/charts/kvm-node-agent/templates/metrics-auth-rbac.yaml
@@ -30,5 +30,5 @@ roleRef:
 name: '{{ include "kvm-node-agent.fullname" . }}-metrics-auth-role'
 subjects:
 - kind: ServiceAccount
- name: '{{ include "kvm-node-agent.fullname" . }}-controller-manager'
+ name: '{{ include "kvm-node-agent.serviceAccountName" . }}'
 namespace: '{{ .Release.Namespace }}'
diff --git a/charts/kvm-node-agent/templates/serviceaccount.yaml b/charts/kvm-node-agent/templates/serviceaccount.yaml
index e23633d..3d62be2 100644
--- a/charts/kvm-node-agent/templates/serviceaccount.yaml
+++ b/charts/kvm-node-agent/templates/serviceaccount.yaml
@@ -1,8 +1,13 @@
+{{ if .Values.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
- name: {{ include "kvm-node-agent.fullname" . }}-controller-manager
+ name: {{ include "kvm-node-agent.serviceAccountName" . }}
 labels:
 {{- include "kvm-node-agent.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
 annotations:
- {{- toYaml .Values.controllerManager.serviceAccount.annotations | nindent 4 }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
+{{- end }}
diff --git a/charts/kvm-node-agent/values.yaml b/charts/kvm-node-agent/values.yaml
index 16a6843..5f23204 100644
--- a/charts/kvm-node-agent/values.yaml
+++ b/charts/kvm-node-agent/values.yaml
@@ -27,11 +27,15 @@ controllerManager:
 requests:
 cpu: 10m
 memory: 64Mi
+ nodeSelector: {}
 podSecurityContext:
 supplementalGroups:
 - 108
- serviceAccount:
- annotations: {}
+ tolerations:
+ - effect: NoSchedule
+ key: node.gardener.cloud/critical-components-not-ready
+ operator: Exists
+ topologySpreadConstraints: []
 kubernetesClusterDomain: cluster.local
 metricsService:
 ports:
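Review bot: Wrapping the ServiceAccount in `{{ if .Values.serviceAccount.create }}` while the ClusterRoleBindings and RoleBinding keep resolving their subject through the same helper means that with `create: false` and the default `name: ""` the bindings attach `manager-role`, `metrics-auth-role` and the leader-election role to whatever name the helper falls back to — in the usual helm-create scaffold that is the namespace's `default` ServiceAccount, which every pod without an explicit SA in that namespace would then inherit. The helper is not in this patch, so this is inferred; if it does fall back to `default`, the template should refuse that combination, e.g. `{{- if and (not .Values.serviceAccount.create) (not .Values.serviceAccount.name) }}{{ fail "serviceAccount.name must be set when serviceAccount.create is false" }}{{- end }}` near the top of this file. Minor: `{{ if` on the first line (without `{{-`) leaves a blank line before `apiVersion:` in the rendered manifest; `{{- if .Values.serviceAccount.create }}` avoids it.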
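Review bot: Removing `controllerManager.serviceAccount.annotations` here and adding the top-level `serviceAccount:` block in the next hunk silently breaks anyone who set the old key in their values file — Helm does not warn about unknown keys, so their annotations just stop being rendered. This is a values-schema break and deserves a note in the chart's README or changelog and a chart version bump that signals it; if compatibility matters, serviceaccount.yaml can read the old path as a fallback for one release. The new `name: ""` default would also benefit from a comment stating what an empty name resolves to, since the helper that decides it is not visible in this patch.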
@@ -40,3 +44,8 @@ metricsService:
 protocol: TCP
 targetPort: 8443
 type: ClusterIP
+serviceAccount:
+ annotations: {}
+ automount: true
+ create: true
+ name: ""
diff --git a/shell.nix b/shell.nix
index 8178dbe..84db48e 100644
--- a/shell.nix
+++ b/shell.nix
@@ -8,7 +8,6 @@ with pkgs; mkShell {
 nativeBuildInputs = [
 addlicense
- ginkgo
 go-licence-detector
 go_1_25
 golangci-lint