Merge pull request #12 from aiyengar2/allow_disabling_embedded_contro…

…llers Add flags allowing disabling embedded Helm Locker or Helm Controller
rancher · May 11, 2022 · 4eea496 · 4eea496
2 parents 223cf20 + 1042606
commit 4eea496
Show file tree

Hide file tree

Showing 7 changed files with 70 additions and 31 deletions.
diff --git a/charts/helm-project-operator/README.md b/charts/helm-project-operator/README.md
@@ -72,4 +72,6 @@ By default, the `example-chart` (the underlying chart deployed by Helm Project O
 |`releaseRoleBindings.aggregate`| Whether to automatically create RBAC resources in Project Release namespaces
 |`releaseRoleBindings.clusterRoleRefs.<admin\|edit\|view>`| ClusterRoles to reference to discover subjects to create RoleBindings for in the Project Release Namespace for all corresponding Project Release Roles. See RBAC above for more information |
 |`hardenedNamespaces.enabled`| Whether to automatically patch the default ServiceAccount with `automountServiceAccountToken: false` and create a default NetworkPolicy in all managed namespaces in the cluster; the default values ensure that the creation of the namespace does not break a CIS 1.16 hardened scan |
-|`hardenedNamespaces.configuration`| The configuration to be supplied to the default ServiceAccount or auto-generated NetworkPolicy on managing a namespace |
+|`hardenedNamespaces.configuration`| The configuration to be supplied to the default ServiceAccount or auto-generated NetworkPolicy on managing a namespace |
+|`helmController.enabled`| Whether to enable an embedded k3s-io/helm-controller instance within the Helm Project Operator. Should be disabled for RKE2 clusters since RKE2 clusters already run Helm Controller to manage internal Kubernetes components |
+|`helmLocker.enabled`| Whether to enable an embedded rancher/helm-locker instance within the Helm Project Operator. |
diff --git a/charts/helm-project-operator/questions.yaml b/charts/helm-project-operator/questions.yaml
@@ -1,4 +1,13 @@
 questions:
+- variable: helmController.enabled
+  label: Enable Embedded Helm Controller
+  description: 'Note: If you are running Prometheus Federator in an RKE2 cluster, this should be disabled.'
+  type: boolean
+  group: Helm Controller
+- variable: helmLocker.enabled
+  label: Enable Embedded Helm Locker
+  type: boolean
+  group: Helm Locker
 - variable: projectReleaseNamespaces.labelValue
   label: Project Release Namespace Project ID
   description: By default, the System Project is selected. This can be overriden to a different Project (e.g. p-xxxxx)

diff --git a/charts/helm-project-operator/templates/deployment.yaml b/charts/helm-project-operator/templates/deployment.yaml
@@ -24,7 +24,6 @@ spec:
           - {{ template "helm-project-operator.name" . }}
           - --namespace={{ template "helm-project-operator.namespace" . }}
           - --controller-name={{ template "helm-project-operator.name" . }}
-          - --helm-job-image={{ template "system_default_registry" . }}{{ .Values.helmcontroller.job.image.repository }}:{{ .Values.helmcontroller.job.image.tag }}
           - --values-override-file=/etc/helmprojectoperator/config/values.yaml
 {{- if .Values.global.cattle.systemDefaultRegistry }}
           - --system-default-registry={{ .Values.global.cattle.systemDefaultRegistry }}
@@ -74,6 +73,14 @@ spec:
           - --debug
           - --debug-level={{ .Values.debugLevel }}
 {{- end }}
+{{- if not .Values.helmController.enabled }}
+          - --disable-embedded-helm-controller
+{{- else }}
+           - --helm-job-image={{ template "system_default_registry" . }}{{ .Values.helmController.job.image.repository }}:{{ .Values.helmController.job.image.tag }}
+{{- end }}
+{{- if not .Values.helmLocker.enabled }}
+          - --disable-embedded-helm-locker
+{{- end }}
 {{- if .Values.additionalArgs }}
 {{- toYaml .Values.additionalArgs | nindent 10 }}
 {{- end }}

diff --git a/charts/helm-project-operator/values.yaml b/charts/helm-project-operator/values.yaml
@@ -130,12 +130,18 @@ image:
   tag: v0.0.1-rc4
   pullPolicy: IfNotPresent
 
-helmcontroller:
+helmController:
+  # Note: should be disabled for RKE2 clusters since they already run Helm Controller to manage internal Kubernetes components
+  enabled: true
+
   job:
     image:
       repository: rancher/klipper-helm
       tag: v0.7.0-build20220315
 
+helmLocker:
+  enabled: true
+
 # Additional arguments to be passed into the Helm Project Operator image
 additionalArgs: []
 

diff --git a/docs/design.md b/docs/design.md
@@ -72,4 +72,6 @@ By default, the `example-chart` (the underlying chart deployed by Helm Project O
 |`releaseRoleBindings.aggregate`| Whether to automatically create RBAC resources in Project Release namespaces
 |`releaseRoleBindings.clusterRoleRefs.<admin\|edit\|view>`| ClusterRoles to reference to discover subjects to create RoleBindings for in the Project Release Namespace for all corresponding Project Release Roles. See RBAC above for more information |
 |`hardenedNamespaces.enabled`| Whether to automatically patch the default ServiceAccount with `automountServiceAccountToken: false` and create a default NetworkPolicy in all managed namespaces in the cluster; the default values ensure that the creation of the namespace does not break a CIS 1.16 hardened scan |
-|`hardenedNamespaces.configuration`| The configuration to be supplied to the default ServiceAccount or auto-generated NetworkPolicy on managing a namespace |
+|`hardenedNamespaces.configuration`| The configuration to be supplied to the default ServiceAccount or auto-generated NetworkPolicy on managing a namespace |
+|`helmController.enabled`| Whether to enable an embedded k3s-io/helm-controller instance within the Helm Project Operator. Should be disabled for RKE2 clusters since RKE2 clusters already run Helm Controller to manage internal Kubernetes components |
+|`helmLocker.enabled`| Whether to enable an embedded rancher/helm-locker instance within the Helm Project Operator. |
diff --git a/pkg/controllers/common/runtime.go b/pkg/controllers/common/runtime.go
@@ -92,6 +92,13 @@ type RuntimeOptions struct {
 
 	// ValuesOverrideFile is the path to the file that contains operated-provided overrides on the values.yaml that should be applied for each ProjectHelmChart
 	ValuesOverrideFile string `usage:"Path to file that contains values.yaml overrides supplied by the operator" default:"values.yaml" env:"VALUES_OVERRIDE_FILE"`
+
+	// DisableEmbeddedHelmLocker determines whether to disable embedded Helm Locker controller in favor of external Helm Locker
+	DisableEmbeddedHelmLocker bool `usage:"Whether to disable embedded Helm Locker controller in favor of external Helm Locker" env:"DISABLE_EMBEDDED_HELM_LOCKER"`
+
+	// DisableEmbeddedHelmController determines whether to disable embedded Helm Controller controller in favor of external Helm Controller
+	// This should be the default in most RKE2 clusters since the RKE2 server binary already embeds a Helm Controller instance that manages HelmCharts
+	DisableEmbeddedHelmController bool `usage:"Whether to disable embedded Helm Controller controller in favor of external Helm Controller (recommended for RKE2 clusters)" env:"DISABLE_EMBEDDED_HELM_CONTROLLER"`
 }
 
 // Validate validates the provided RuntimeOptions

diff --git a/pkg/controllers/controllers.go b/pkg/controllers/controllers.go
@@ -168,34 +168,40 @@ func Register(ctx context.Context, systemNamespace string, cfg clientcmd.ClientC
 		projectGetter,
 	)
 
-	release.Register(ctx,
-		systemNamespace,
-		opts.ControllerName,
-		appCtx.HelmLocker.HelmRelease(),
-		appCtx.HelmLocker.HelmRelease().Cache(),
-		appCtx.Core.Secret(),
-		appCtx.Core.Secret().Cache(),
-		appCtx.K8s,
-		appCtx.ObjectSetRegister,
-		appCtx.ObjectSetHandler,
-		recorder,
-	)
+	if !opts.DisableEmbeddedHelmLocker {
+		logrus.Infof("Registering embedded Helm Locker...")
+		release.Register(ctx,
+			systemNamespace,
+			opts.ControllerName,
+			appCtx.HelmLocker.HelmRelease(),
+			appCtx.HelmLocker.HelmRelease().Cache(),
+			appCtx.Core.Secret(),
+			appCtx.Core.Secret().Cache(),
+			appCtx.K8s,
+			appCtx.ObjectSetRegister,
+			appCtx.ObjectSetHandler,
+			recorder,
+		)
+	}
 
-	chart.Register(ctx,
-		systemNamespace,
-		opts.ControllerName,
-		appCtx.K8s,
-		appCtx.Apply,
-		recorder,
-		appCtx.HelmController.HelmChart(),
-		appCtx.HelmController.HelmChart().Cache(),
-		appCtx.HelmController.HelmChartConfig(),
-		appCtx.HelmController.HelmChartConfig().Cache(),
-		appCtx.Batch.Job(),
-		appCtx.Batch.Job().Cache(),
-		appCtx.RBAC.ClusterRoleBinding(),
-		appCtx.Core.ServiceAccount(),
-		appCtx.Core.ConfigMap())
+	if !opts.DisableEmbeddedHelmController {
+		logrus.Infof("Registering embedded Helm Controller...")
+		chart.Register(ctx,
+			systemNamespace,
+			opts.ControllerName,
+			appCtx.K8s,
+			appCtx.Apply,
+			recorder,
+			appCtx.HelmController.HelmChart(),
+			appCtx.HelmController.HelmChart().Cache(),
+			appCtx.HelmController.HelmChartConfig(),
+			appCtx.HelmController.HelmChartConfig().Cache(),
+			appCtx.Batch.Job(),
+			appCtx.Batch.Job().Cache(),
+			appCtx.RBAC.ClusterRoleBinding(),
+			appCtx.Core.ServiceAccount(),
+			appCtx.Core.ConfigMap())
+	}
 
 	leader.RunOrDie(ctx, systemNamespace, fmt.Sprintf("helm-project-operator-%s-lock", opts.ReleaseName), appCtx.K8s, func(ctx context.Context) {
 		if err := appCtx.start(ctx); err != nil {