From ce0517c4a7d470a021ecd98a8fccd0013d478806 Mon Sep 17 00:00:00 2001 From: Danny Seymour Date: Tue, 24 Jun 2025 15:36:24 -0700 Subject: [PATCH 1/3] chore: Add tests to detect breaking changes to selector labels --- gremlin/tests/chao_deployment_test.yaml | 27 +++++++++++++++++++++++++ gremlin/tests/daemonset_test.yaml | 24 ++++++++++++++++++++++ 2 files changed, 51 insertions(+) diff --git a/gremlin/tests/chao_deployment_test.yaml b/gremlin/tests/chao_deployment_test.yaml index f71add3..58dcd2e 100644 --- a/gremlin/tests/chao_deployment_test.yaml +++ b/gremlin/tests/chao_deployment_test.yaml @@ -6,7 +6,18 @@ release: namespace: my-namespace revision: 1 upgrade: true +chart: + version: 1.0.0 tests: + - it: should set the correct default labels and annotations + asserts: + - isSubset: + path: metadata.labels + content: + app.kubernetes.io/instance: chao + app.kubernetes.io/name: chao + app.kubernetes.io/version: "1" + helm.sh/chart: gremlin-1.0.0 - it: should create a deployment set: chao.create: true @@ -19,6 +30,22 @@ tests: - equal: path: metadata.namespace value: my-namespace + - it: should set the correct labels on the pods + asserts: + - isSubset: + path: spec.template.metadata.labels + content: + app.kubernetes.io/instance: chao + app.kubernetes.io/name: chao + app.kubernetes.io/version: "1" + - it: should match the correct labels on the pods + asserts: + - isSubset: + path: spec.selector.matchLabels + content: + app.kubernetes.io/instance: chao + app.kubernetes.io/name: chao + app.kubernetes.io/version: "1" - it: should allow specifying a custom registry and tag set: chaoimage.tag: "0.0.1" diff --git a/gremlin/tests/daemonset_test.yaml b/gremlin/tests/daemonset_test.yaml index ca03954..0e84df9 100644 --- a/gremlin/tests/daemonset_test.yaml +++ b/gremlin/tests/daemonset_test.yaml 
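Review bot: The new `should set the correct default labels and annotations` test and the two pod-label tests added to chao_deployment_test.yaml assert on the rendered Deployment without the `set: chao.create: true` that the neighbouring `should create a deployment` test needs, so if `chao.create` defaults to false (values.yaml is not in this diff) the template renders no document and those assertions fail for the wrong reason. Separately, `isSubset` on `spec.selector.matchLabels` only catches a removed or altered key; an added key is just as breaking because `spec.selector` is immutable on apps/v1 workloads, so `equal` with the full expected mapping would serve the commit's stated purpose better. The same applies to the selector test in daemonset_test.yaml on the next hunk and to the reworked versions of both in the third patch. The test title also promises annotations that the asserts never check; either add an annotation assertion or rename it `should set the correct default labels`.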
@@ -6,7 +6,19 @@ release: namespace: my-namespace revision: 1 upgrade: true +chart: + version: 1.0.0 tests: + - it: should set the correct default labels and annotations + asserts: + - isSubset: + path: metadata.labels + content: + app.kubernetes.io/instance: my-release + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: gremlin + helm.sh/chart: gremlin-1.0.0 + version: v1 - it: should create a daemonset asserts: - isKind: @@ -17,6 +29,18 @@ tests: - equal: path: metadata.namespace value: my-namespace + - it: should set the correct labels on the pods + asserts: + - isSubset: + path: spec.template.metadata.labels + content: + app.kubernetes.io/name: gremlin + - it: should match the correct labels on the pods + asserts: + - isSubset: + path: spec.selector.matchLabels + content: + app.kubernetes.io/name: gremlin - it: should allow specifying a custom registry and tag set: image.tag: "0.0.1" From 173cceb0d263da180060343e07a64526e5016478 Mon Sep 17 00:00:00 2001 From: Danny Seymour Date: Tue, 24 Jun 2025 16:16:57 -0700 Subject: [PATCH 2/3] cleanup[BREAKING]: Templatize labels across resources --- gremlin/templates/_helpers.tpl | 20 ++++++++++++++++++ gremlin/templates/apparmor-configmap.yaml | 2 ++ gremlin/templates/apparmor-loader.yaml | 17 ++++++--------- gremlin/templates/chao-deployment.yaml | 21 +++++++------------ gremlin/templates/chao-service-account.yaml | 8 ++++++- gremlin/templates/daemonset.yaml | 17 ++++++--------- gremlin/templates/gremlin-scc.yaml | 4 +++- .../templates/gremlin-seccomp-configmap.yaml | 8 ++----- .../templates/gremlin-service-account.yaml | 12 +++++++++++ gremlin/templates/secret-ssl-cert-file.yaml | 6 +----- gremlin/templates/secret.yaml | 6 +----- 11 files changed, 68 insertions(+), 53 deletions(-) diff --git a/gremlin/templates/_helpers.tpl b/gremlin/templates/_helpers.tpl index d155859..92221e5 100644 --- a/gremlin/templates/_helpers.tpl +++ b/gremlin/templates/_helpers.tpl 
@@ -31,6 +31,26 @@ Create chart name and version as used by the chart label. {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +Common labels +*/}} +{{- define "gremlin.labels" -}} +helm.sh/chart: {{ include "gremlin.chart" . }} +{{ include "gremlin.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "gremlin.selectorLabels" -}} +app.kubernetes.io/name: {{ include "gremlin.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + {{/* Because we've evolved the recommended way to pass the secret name over time, we hide the following order of operations behind this computed value: In later versions of this chart, we will remove the use of the fallback value of `gremlin-team-cert` diff --git a/gremlin/templates/apparmor-configmap.yaml b/gremlin/templates/apparmor-configmap.yaml index 11f094e..918a623 100644 --- a/gremlin/templates/apparmor-configmap.yaml +++ b/gremlin/templates/apparmor-configmap.yaml @@ -4,6 +4,8 @@ kind: ConfigMap metadata: name: {{ .Release.Name }}-apparmor-profile-content namespace: {{ .Release.Namespace }} + labels: + {{- include "gremlin.labels" . | nindent 4 }} data: agent_apparmor.profile: |- {{ .Files.Get "agent_apparmor.profile" | nindent 4 | trim }} diff --git a/gremlin/templates/apparmor-loader.yaml b/gremlin/templates/apparmor-loader.yaml index 9c6910d..4fca9fb 100644 --- a/gremlin/templates/apparmor-loader.yaml +++ b/gremlin/templates/apparmor-loader.yaml 
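Review bot: The two new helpers in _helpers.tpl carry only the one-line headers `Common labels` and `Selector labels`, which does not tell the next maintainer that the split is deliberate. `gremlin.labels` is meant for `metadata.labels` and may change between chart versions, while `gremlin.selectorLabels` feeds `spec.selector.matchLabels`, which apps/v1 treats as immutable, so any edit to its keys breaks `helm upgrade` for existing installs. I would extend the second header to `Selector labels — used in spec.selector.matchLabels of the DaemonSets/Deployment; that field is immutable, so changing these keys is a breaking change that requires recreating the workloads`, and note on the first that it wraps the selector labels with chart, version and managed-by metadata that is safe to change.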
@@ -6,24 +6,19 @@ metadata: # Namespace must match that of the ConfigMap. namespace: {{ .Release.Namespace}} labels: - daemon: apparmor-loader - helm.sh/chart: {{ include "gremlin.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - version: v1 + {{- include "gremlin.labels" . | nindent 4 }} + app.kubernetes.io/component: apparmor-loader spec: selector: matchLabels: - daemon: apparmor-loader + {{- include "gremlin.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: apparmor-loader template: metadata: name: apparmor-loader labels: - daemon: apparmor-loader - helm.sh/chart: {{ include "gremlin.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - version: v1 + {{- include "gremlin.labels" . | nindent 8 }} + app.kubernetes.io/component: apparmor-loader {{- if .Values.gremlin.podSecurity.seccomp.enabled }} annotations: container.seccomp.security.alpha.kubernetes.io/{{ .Chart.Name }}: {{ .Values.gremlin.podSecurity.seccomp.profile }} diff --git a/gremlin/templates/chao-deployment.yaml b/gremlin/templates/chao-deployment.yaml index 582b4b6..4efeb20 100644 --- a/gremlin/templates/chao-deployment.yaml +++ b/gremlin/templates/chao-deployment.yaml @@ -2,16 +2,14 @@ apiVersion: apps/v1 kind: Deployment metadata: + name: chao + namespace: {{ .Release.Namespace }} labels: - app.kubernetes.io/instance: chao - app.kubernetes.io/name: chao - helm.sh/chart: {{ include "gremlin.chart" . }} - app.kubernetes.io/version: "1" + {{- include "gremlin.labels" . | nindent 4 }} + app.kubernetes.io/component: chao {{- if .Values.chao.podLabels }} {{- toYaml .Values.chao.podLabels | nindent 4 }} {{- end }} - name: chao - namespace: {{ .Release.Namespace }} spec: replicas: 1 {{- if .Values.chao.updateStrategy }} 
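Review bot: Replacing `daemon: apparmor-loader` in `spec.selector.matchLabels` with the templated selector labels changes an immutable field, so `helm upgrade` of an existing release is rejected by the API server for this DaemonSet instead of rolling it; the same applies to the chao Deployment selector in the next hunk and to the gremlin DaemonSet selector in the daemonset.yaml hunk. The `[BREAKING]` tag in the subject acknowledges this, but nothing in the patch tells users what to do — an upgrade note in the chart's NOTES.txt or README stating that the existing DaemonSets and Deployment must be deleted before upgrading, plus a major version bump if the chart follows semver, would make it actionable. The `daemon: apparmor-loader` and `version: v1` labels are also dropped from the pod template; if any out-of-chart NetworkPolicy or monitoring selector matched on them it will stop matching, which is worth a line in the same note.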
@@ -20,16 +18,13 @@ spec: {{- end }} selector: matchLabels: - app.kubernetes.io/instance: chao - app.kubernetes.io/name: chao - app.kubernetes.io/version: "1" + {{ include "gremlin.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: chao template: metadata: labels: - app.kubernetes.io/instance: chao - app.kubernetes.io/name: chao - helm.sh/chart: {{ include "gremlin.chart" . }} - app.kubernetes.io/version: "1" + {{ include "gremlin.labels" . | nindent 8 }} + app.kubernetes.io/component: chao {{- if .Values.chao.podLabels }} {{- toYaml .Values.chao.podLabels | nindent 8 }} {{- end }} diff --git a/gremlin/templates/chao-service-account.yaml b/gremlin/templates/chao-service-account.yaml index 0848352..13a1ec1 100644 --- a/gremlin/templates/chao-service-account.yaml +++ b/gremlin/templates/chao-service-account.yaml @@ -5,6 +5,12 @@ kind: ServiceAccount metadata: name: chao namespace: {{ .Release.Namespace }} + labels: + {{- include "gremlin.labels" . | nindent 4 }} + app.kubernetes.io/component: chao + {{- if .Values.chao.serviceAccount.labels }} + {{- toYaml .Values.chao.serviceAccount.labels | nindent 4 }} + {{- end }} annotations: {{- with .Values.chao.serviceAccount.annotations }} {{- toYaml . | nindent 4 }} @@ -29,7 +35,7 @@ rules: verbs: ["get", "watch", "list"] - apiGroups: ["argoproj.io"] resources: ["rollouts"] - verbs: ["get", "list", "watch"] + verbs: ["get", "list", "watch"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/gremlin/templates/daemonset.yaml b/gremlin/templates/daemonset.yaml index 748c81c..88844bc 100644 --- a/gremlin/templates/daemonset.yaml +++ b/gremlin/templates/daemonset.yaml 
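Review bot: The two new include lines in chao-deployment.yaml's `spec.selector.matchLabels` and `spec.template.metadata.labels` use `{{ include ... | nindent 6 }}` and `{{ include ... | nindent 8 }}` without the leading `-`, unlike the `{{- include "gremlin.labels" . | nindent 4 }}` form used for `metadata.labels` in the previous hunk and in every other template in this patch. Because `nindent` emits its own leading newline, the un-trimmed form renders a whitespace-only line before the labels — valid YAML, but inconsistent and it trips yamllint's trailing-spaces rule. Change them to `{{- include "gremlin.selectorLabels" . | nindent 6 }}` and `{{- include "gremlin.labels" . | nindent 8 }}`; the same two lines in daemonset.yaml on the next hunk need the same fix. The `.Values.chao.serviceAccount.labels` key read by the new chao-service-account.yaml block is guarded by `if`, so an absent key is harmless, but it should still be declared (even as `{}`) in values.yaml, which is not part of this diff.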
@@ -4,18 +4,16 @@ metadata: name: {{ include "gremlin.fullname" . }} namespace: {{ .Release.Namespace }} labels: - app.kubernetes.io/name: {{ include "gremlin.name" . }} - helm.sh/chart: {{ include "gremlin.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - version: v1 + {{- include "gremlin.labels" . | nindent 4 }} + app.kubernetes.io/component: agent {{- if .Values.gremlin.podLabels }} {{- toYaml .Values.gremlin.podLabels | nindent 4 }} {{- end }} spec: selector: matchLabels: - app.kubernetes.io/name: {{ include "gremlin.name" . }} + {{ include "gremlin.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: agent {{- if .Values.gremlin.updateStrategy }} updateStrategy: {{- toYaml .Values.gremlin.updateStrategy | nindent 4 }} @@ -23,11 +21,8 @@ spec: template: metadata: labels: - app.kubernetes.io/name: {{ include "gremlin.name" . }} - helm.sh/chart: {{ include "gremlin.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - version: v1 + {{ include "gremlin.labels" . | nindent 8 }} + app.kubernetes.io/component: agent {{- if .Values.gremlin.podLabels }} {{- toYaml .Values.gremlin.podLabels | nindent 8 }} {{- end }} diff --git a/gremlin/templates/gremlin-scc.yaml b/gremlin/templates/gremlin-scc.yaml index d7dd8af..33c94f7 100644 --- a/gremlin/templates/gremlin-scc.yaml +++ b/gremlin/templates/gremlin-scc.yaml 
@@ -3,11 +3,13 @@ kind: SecurityContextConstraints apiVersion: security.openshift.io/v1 metadata: + name: gremlin + labels: + {{- include "gremlin.labels" . | nindent 4 }} annotations: kubernetes.io/description: 'This SCC provides as many restrictions from the `restricted` SCC as possible while allowing host mounts, any UID by a pod, and forces the process to run as the gremlin.process SELinux type. This is intended to be used solely by Gremlin. WARNING: this SCC allows host file system access as root Grant with caution.' - name: gremlin allowHostDirVolumePlugin: {{ .Values.gremlin.podSecurity.securityContextConstraints.allowHostDirVolumePlugin }} allowHostIPC: false allowHostNetwork: {{ .Values.gremlin.hostNetwork }} diff --git a/gremlin/templates/gremlin-seccomp-configmap.yaml b/gremlin/templates/gremlin-seccomp-configmap.yaml index 4b94d15..6b6526b 100644 --- a/gremlin/templates/gremlin-seccomp-configmap.yaml +++ b/gremlin/templates/gremlin-seccomp-configmap.yaml @@ -6,11 +6,7 @@ metadata: name: {{ template "gremlin.fullname" . }}-seccomp namespace: {{ .Release.Namespace }} labels: - helm.sh/chart: {{ include "gremlin.chart" . }} - app.kubernetes.io/name: {{ include "gremlin.fullname" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/version: "1" + {{- include "gremlin.labels" . | nindent 4 }} data: # The following profile extends Docker's default seccomp profile, adding `keyctl` and `pivot_root` to the list of # allowed syscalls. @@ -840,4 +836,4 @@ data: } ] } -{{- end }} \ No newline at end of file +{{- end }} diff --git a/gremlin/templates/gremlin-service-account.yaml b/gremlin/templates/gremlin-service-account.yaml index 794c63e..08cd21e 100644 --- a/gremlin/templates/gremlin-service-account.yaml +++ b/gremlin/templates/gremlin-service-account.yaml 
@@ -5,6 +5,12 @@ kind: ServiceAccount metadata: name: gremlin namespace: {{ .Release.Namespace }} + labels: + {{- include "gremlin.labels" . | nindent 4 }} + app.kubernetes.io/component: agent + {{- if .Values.chao.serviceAccount.labels }} + {{- toYaml .Values.chao.serviceAccount.labels | nindent 4 }} + {{- end }} annotations: {{- with .Values.gremlin.serviceAccount.annotations }} {{- toYaml . | nindent 4 }} @@ -14,6 +20,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: gremlin-metadata-reader + labels: + {{- include "gremlin.labels" . | nindent 4 }} rules: - apiGroups: [""] resources: @@ -32,6 +40,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: gremlin-metadata-reader + labels: + {{- include "gremlin.labels" . | nindent 4 }} subjects: - kind: ServiceAccount name: gremlin @@ -78,6 +88,7 @@ kind: Role metadata: name: scc:gremlin labels: + {{- include "gremlin.labels" . | nindent 4 }} addonmanager.kubernetes.io/mode: EnsureExists rules: - apiGroups: ['security.openshift.io'] @@ -91,6 +102,7 @@ kind: RoleBinding metadata: name: default:gremlin labels: + {{- include "gremlin.labels" . | nindent 4 }} addonmanager.kubernetes.io/mode: EnsureExists roleRef: apiGroup: rbac.authorization.k8s.io diff --git a/gremlin/templates/secret-ssl-cert-file.yaml b/gremlin/templates/secret-ssl-cert-file.yaml index 7e102c6..1ef3a6c 100644 --- a/gremlin/templates/secret-ssl-cert-file.yaml +++ b/gremlin/templates/secret-ssl-cert-file.yaml @@ -6,11 +6,7 @@ metadata: name: ssl-cert-file namespace: {{ .Release.Namespace }} labels: - app.kubernetes.io/name: {{ include "gremlin.name" . }} - helm.sh/chart: {{ include "gremlin.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - version: v1 + {{- include "gremlin.labels" . | nindent 4 }} type: kubernetes.io/Opaque data: certfile.pem: {{ default .Values.ssl.certFile | toString | b64enc }} 
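Review bot: The new `labels:` block on the `gremlin` ServiceAccount reads `.Values.chao.serviceAccount.labels`, while the `annotations:` block directly below it reads `.Values.gremlin.serviceAccount.annotations`, so this looks like a copy-paste from chao-service-account.yaml: labels configured for the chao ServiceAccount would be applied to the agent's ServiceAccount, and a `gremlin.serviceAccount.labels` setting, if one is added to values.yaml, would be ignored. Change both lines to `{{- if .Values.gremlin.serviceAccount.labels }}` / `{{- toYaml .Values.gremlin.serviceAccount.labels | nindent 4 }}`. The label additions to the ClusterRole, ClusterRoleBinding, Role and RoleBinding in the later hunks of this file are plain metadata and look fine.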
diff --git a/gremlin/templates/secret.yaml b/gremlin/templates/secret.yaml index 1ef9e51..337f05a 100644 --- a/gremlin/templates/secret.yaml +++ b/gremlin/templates/secret.yaml @@ -6,11 +6,7 @@ metadata: name: {{ include "gremlin.secretName" . }} namespace: {{ .Release.Namespace }} labels: - app.kubernetes.io/name: {{ include "gremlin.name" . }} - helm.sh/chart: {{ include "gremlin.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - version: v1 + {{- include "gremlin.labels" . | nindent 4 }} type: kubernetes.io/Opaque stringData: GREMLIN_CLUSTER_ID: {{ default .Values.gremlin.clusterID .Values.gremlin.secret.clusterID | required "required: .Values.gremlin.secret.clusterID" | toString }} From 554d8272838efd2792a5cae96f585255be68d2d9 Mon Sep 17 00:00:00 2001 From: Danny Seymour Date: Tue, 24 Jun 2025 16:21:26 -0700 Subject: [PATCH 3/3] chore: Fix label tests on resources --- gremlin/tests/chao_deployment_test.yaml | 21 ++++++++++++--------- gremlin/tests/daemonset_test.yaml | 8 +++++++- 2 files changed, 19 insertions(+), 10 deletions(-) diff --git a/gremlin/tests/chao_deployment_test.yaml b/gremlin/tests/chao_deployment_test.yaml index 58dcd2e..76180fd 100644 --- a/gremlin/tests/chao_deployment_test.yaml +++ b/gremlin/tests/chao_deployment_test.yaml @@ -14,9 +14,10 @@ tests: - isSubset: path: metadata.labels content: - app.kubernetes.io/instance: chao - app.kubernetes.io/name: chao - app.kubernetes.io/version: "1" + app.kubernetes.io/component: chao + app.kubernetes.io/instance: my-release + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: gremlin helm.sh/chart: gremlin-1.0.0 - it: should create a deployment set: 
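Review bot: The reworked label assertions in chao_deployment_test.yaml check `helm.sh/chart: gremlin-1.0.0` but never `app.kubernetes.io/version`, and the test file's `chart:` block (added in the first patch) sets only `version`, so the `{{- if .Chart.AppVersion }}` branch of `gremlin.labels` is never exercised by these tests. Adding a constructed `appVersion: "1.0.0"` under `chart:` and asserting `app.kubernetes.io/version: "1.0.0"` in the `metadata.labels` and `spec.template.metadata.labels` subsets would cover it; the daemonset_test.yaml hunks on the next line have the same gap. The `spec.selector.matchLabels` subset correctly omits the version label, since a version-dependent selector would break on every upgrade.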
@@ -35,17 +36,19 @@ tests: - isSubset: path: spec.template.metadata.labels content: - app.kubernetes.io/instance: chao - app.kubernetes.io/name: chao - app.kubernetes.io/version: "1" + app.kubernetes.io/component: chao + app.kubernetes.io/instance: my-release + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: gremlin + helm.sh/chart: gremlin-1.0.0 - it: should match the correct labels on the pods asserts: - isSubset: path: spec.selector.matchLabels content: - app.kubernetes.io/instance: chao - app.kubernetes.io/name: chao - app.kubernetes.io/version: "1" + app.kubernetes.io/component: chao + app.kubernetes.io/instance: my-release + app.kubernetes.io/name: gremlin - it: should allow specifying a custom registry and tag set: chaoimage.tag: "0.0.1" diff --git a/gremlin/tests/daemonset_test.yaml b/gremlin/tests/daemonset_test.yaml index 0e84df9..1f1b9f3 100644 --- a/gremlin/tests/daemonset_test.yaml +++ b/gremlin/tests/daemonset_test.yaml @@ -14,11 +14,11 @@ tests: - isSubset: path: metadata.labels content: + app.kubernetes.io/component: agent app.kubernetes.io/instance: my-release app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: gremlin helm.sh/chart: gremlin-1.0.0 - version: v1 - it: should create a daemonset asserts: - isKind: @@ -34,12 +34,18 @@ tests: - isSubset: path: spec.template.metadata.labels content: + app.kubernetes.io/component: agent + app.kubernetes.io/instance: my-release + app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: gremlin + helm.sh/chart: gremlin-1.0.0 - it: should match the correct labels on the pods asserts: - isSubset: path: spec.selector.matchLabels content: + app.kubernetes.io/component: agent + app.kubernetes.io/instance: my-release app.kubernetes.io/name: gremlin - it: should allow specifying a custom registry and tag set: