diff --git a/.github/workflows/pull_request.yaml b/.github/workflows/pull_request.yaml index 5e9265c..cdf08fb 100644 --- a/.github/workflows/pull_request.yaml +++ b/.github/workflows/pull_request.yaml @@ -14,7 +14,7 @@ env: jobs: qa: - uses: stakater/.github/.github/workflows/pull_request_doc_qa.yaml@v0.0.64 + uses: stakater/.github/.github/workflows/pull_request_doc_qa.yaml@v0.0.65 with: MD_CONFIG: .github/md_config.json DOC_SRC: README.md docs diff --git a/.github/workflows/push.yaml b/.github/workflows/push.yaml index 957ebe4..7adf86f 100644 --- a/.github/workflows/push.yaml +++ b/.github/workflows/push.yaml @@ -205,6 +205,9 @@ jobs: helm template reloader deployments/kubernetes/chart/reloader/ > deployments/kubernetes/reloader.yaml helm template reloader deployments/kubernetes/chart/reloader/ --output-dir deployments/kubernetes/manifests && mv deployments/kubernetes/manifests/reloader/templates/* deployments/kubernetes/manifests/ && rm -r deployments/kubernetes/manifests/reloader + - name: Remove labels and annotations from manifests + run: make remove-labels-annotations + # Publish helm chart - name: Login to ghcr via helm run: | diff --git a/.vale.ini b/.vale.ini index a170eb4..cf3f155 100644 --- a/.vale.ini +++ b/.vale.ini @@ -1,7 +1,7 @@ StylesPath = styles MinAlertLevel = warning -Packages = https://github.com/stakater/vale-package/releases/download/v0.0.8/Stakater.zip +Packages = https://github.com/stakater/vale-package/releases/download/v0.0.14/Stakater.zip Vocab = Stakater # Only check MarkDown files diff --git a/Makefile b/Makefile index 7337047..5a2a6c2 100644 --- a/Makefile +++ b/Makefile 
@@ -86,3 +86,25 @@ bump-chart:
 sed -i "s/^appVersion:.*/appVersion: v$(VERSION)/" deployments/kubernetes/chart/reloader/Chart.yaml
 sed -i "s/tag:.*/tag: v$(VERSION)/" deployments/kubernetes/chart/reloader/values.yaml
 sed -i "s/version:.*/version: v$(VERSION)/" deployments/kubernetes/chart/reloader/values.yaml
+
+YQ_VERSION = v4.42.1
+YQ_BIN = $(shell pwd)/yq
+CURRENT_ARCH := $(shell uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/')
+
+YQ_DOWNLOAD_URL = "https://github.com/mikefarah/yq/releases/download/$(YQ_VERSION)/yq_linux_$(CURRENT_ARCH)"
+
+yq-install:
+ @echo "Downloading yq $(YQ_VERSION) for linux/$(CURRENT_ARCH)"
+ @curl -sL $(YQ_DOWNLOAD_URL) -o $(YQ_BIN)
+ @chmod +x $(YQ_BIN)
+ @echo "yq $(YQ_VERSION) installed at $(YQ_BIN)"
+
+remove-labels-annotations: yq-install
+ @for file in $$(find deployments/kubernetes/manifests -type f -name '*.yaml'); do \
+ echo "Processing $$file"; \
+ $(YQ_BIN) eval 'del(.metadata.labels, .metadata.annotations)' -i "$$file"; \
+ done
+ $(YQ_BIN) eval 'del(.spec.template.metadata.labels)' -i deployments/kubernetes/manifests/deployment.yaml
+ $(YQ_BIN) eval 'del(.spec.selector.matchLabels)' -i deployments/kubernetes/manifests/deployment.yaml
+ $(YQ_BIN) eval '.spec.selector.matchLabels.app = "reloader-reloader"' -i deployments/kubernetes/manifests/deployment.yaml
+ $(YQ_BIN) eval '.spec.template.metadata.labels.app = "reloader-reloader"' -i deployments/kubernetes/manifests/deployment.yaml
diff --git a/README.md b/README.md
index ca311ec..7c4a3ed 100644
--- a/README.md
+++ b/README.md
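Review bot: `yq-install` fetches an executable with `curl -sL` and the next recipe runs it with no integrity check, and the new `make remove-labels-annotations` step in push.yaml puts that on the release path. Without `-f` an HTTP error page is saved as `yq` and made executable, and without a pinned digest the job runs whatever the URL returns at that moment. Pin a SHA-256 per architecture, verify it before `chmod +x`, and download to a temporary name so a failed check never leaves a runnable `yq` behind. Both new targets name commands rather than files, so they also belong in `.PHONY` unless that is declared outside this hunk.

```make
# PLACEHOLDER digests: fill in the published SHA-256 of each release asset for $(YQ_VERSION)
YQ_SHA256_amd64 := <sha256-of-yq_linux_amd64>
YQ_SHA256_arm64 := <sha256-of-yq_linux_arm64>

yq-install:
# … unchanged: "Downloading yq" echo …
	@curl -fsSL $(YQ_DOWNLOAD_URL) -o $(YQ_BIN).tmp
	@echo "$(YQ_SHA256_$(CURRENT_ARCH))  $(YQ_BIN).tmp" | sha256sum -c -
	@mv -f $(YQ_BIN).tmp $(YQ_BIN)
# … unchanged: chmod +x and "installed at" echo …
```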
@@ -272,69 +272,116 @@ namespace: reloader Alternatively if you have configured helm on your cluster, you can add Reloader to helm from our public chart repository and deploy it via helm using below-mentioned commands. Follow [this](docs/Helm2-to-Helm3.md) guide, in case you have trouble migrating Reloader from Helm2 to Helm3. +#### Installation + ```bash helm repo add stakater https://stakater.github.io/stakater-charts helm repo update helm install stakater/reloader # For helm3 add --generate-name flag or set the release name + +helm install {{RELEASE_NAME}} stakater/reloader -n {{NAMESPACE}} --set reloader.watchGlobally=false # By default, Reloader watches in all namespaces. To watch in single namespace, set watchGlobally=false + +helm install stakater/reloader --set reloader.watchGlobally=false --namespace test --generate-name # Install Reloader in `test` namespace which will only watch `Deployments`, `Daemonsets` `Statefulsets` and `Rollouts` in `test` namespace. ``` -**Note:** By default Reloader watches in all namespaces. To watch in single namespace, please run following command. It will install Reloader in `test` namespace which will only watch `Deployments`, `Daemonsets` `Statefulsets` and `Rollouts` in `test` namespace. +#### Uninstalling ```bash -helm install stakater/reloader --set reloader.watchGlobally=false --namespace test # For helm3 add --generate-name flag or set the release name +helm uninstall {{RELEASE_NAME}} -n {{NAMESPACE}} ``` -Reloader can be configured to ignore the resources `secrets` and `configmaps` by using the following parameters of `values.yaml` file: +### Parameters -| Parameter | Description | Type | Default | -|------------------|----------------------------------------------------------------|---------|---------| -| ignoreSecrets | To ignore secrets. Valid value are either `true` or `false` | boolean | false | -| ignoreConfigMaps | To ignore configMaps. 
Valid value are either `true` or `false` | boolean | false | +#### Global Parameters -**Note:** At one time only one of these resource can be ignored, trying to do it will cause error in helm template compilation. +| Parameter | Description | Type | Default | +|---------------------------|-----------------------------------------------------------------|-------|---------| +| `global.imagePullSecrets` | Reference to one or more secrets to be used when pulling images | array | `[]` | -Reloader can be configured to only watch namespaces labeled with one or more labels using the `namespaceSelector` parameter +#### Common Parameters -| Parameter | Description | Type | Default | -|-------------------|-----------------------------------------------------------------------------------------------------------|--------|---------| -| namespaceSelector | list of comma separated label selectors, if multiple are provided they are combined with the AND operator | string | "" | +| Parameter | Description | Type | Default | +|--------------------|-------------------------------|--------|---------| +| `nameOverride` | replace the name of the chart | string | `""` | +| `fullnameOverride` | replace the generated name | string | `""` | -Reloader can be configured to only watch configmaps/secrets labeled with one or more labels using the `resourceLabelSelector` parameter +#### Core Reloader Parameters -| Parameter | Description | Type | Default | -|-----------------------|-----------------------------------------------------------------------------------------------------------|--------|---------| -| resourceLabelSelector | list of comma separated label selectors, if multiple are provided they are combined with the AND operator | string | "" | +| Parameter | Description | Type | Default | 
+|-----------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------|-------------|-----------| +| `reloader.autoReloadAll` | | boolean | `false` | +| `reloader.isArgoRollouts` | Enable Argo `Rollouts`. Valid value are either `true` or `false` | boolean | `false` | +| `reloader.isOpenshift` | Enable OpenShift DeploymentConfigs. Valid value are either `true` or `false` | boolean | `false` | +| `reloader.ignoreSecrets` | To ignore secrets. Valid value are either `true` or `false`. Either `ignoreSecrets` or `ignoreConfigMaps` can be ignored, not both at the same time | boolean | `false` | +| `reloader.ignoreConfigMaps` | To ignore configMaps. Valid value are either `true` or `false` | boolean | `false` | +| `reloader.reloadOnCreate` | Enable reload on create events. Valid value are either `true` or `false` | boolean | `false` | +| `reloader.syncAfterRestart` | Enable sync after Reloader restarts for **Add** events, works only when reloadOnCreate is `true`. Valid value are either `true` or `false` | boolean | `false` | +| `reloader.reloadStrategy` | Strategy to trigger resource restart, set to either `default`, `env-vars` or `annotations` | enumeration | `default` | +| `reloader.ignoreNamespaces` | List of comma separated namespaces to ignore, if multiple are provided, they are combined with the AND operator | string | `""` | +| `reloader.namespaceSelector` | List of comma separated namespaces to select, if multiple are provided, they are combined with the AND operator | string | `""` | +| `reloader.resourceLabelSelector` | List of comma separated label selectors, if multiple are provided they are combined with the AND operator | string | `""` | +| `reloader.logFormat` | Set type of log format. 
Value could be either `json` or `""` | string | `""` | +| `reloader.watchGlobally` | Allow Reloader to watch in all namespaces (`true`) or just in a single namespace (`false`) | boolean | `true` | +| `reloader.enableHA` | Enable leadership election allowing you to run multiple replicas | boolean | `false` | +| `reloader.readOnlyRootFileSystem` | Enforce readOnlyRootFilesystem | boolean | `false` | +| `reloader.legacy.rbac` | | boolean | `false` | +| `reloader.matchLabels` | Pod labels to match | map | `{}` | -**Note:** Both `namespaceSelector` & `resourceLabelSelector` can be used together. If they are then both conditions must be met for the configmap or secret to be eligible to trigger reload events. (e.g. If a configMap matches `resourceLabelSelector` but `namespaceSelector` does not match the namespace the configmap is in, it will be ignored). +#### Deployment Reloader Parameters -You can also set the log format of Reloader to JSON by setting `logFormat` to `json` in `values.yaml` and apply the chart. 
+| Parameter | Description | Type | Default | +|-------------------------------------------------|-----------------------------------------------------------------------------------------|--------|-------------------| +| `reloader.deployment.replicas` | Number of replicas, if you wish to run multiple replicas set `reloader.enableHA = true` | int | 1 | +| `reloader.deployment.revisionHistoryLimit` | Limit the number of revisions retained in the revision history | int | 2 | +| `reloader.deployment.nodeSelector` | Scheduling pod to a specific node based on set labels | map | `{}` | +| `reloader.deployment.affinity` | Set affinity rules on pod | map | `{}` | +| `reloader.deployment.securityContext` | Set pod security context | map | `{}` | +| `reloader.deployment.containerSecurityContext` | Set container security context | map | `{}` | +| `reloader.deployment.tolerations` | A list of `tolerations` to be applied to the deployment | array | `[]` | +| `reloader.deployment.topologySpreadConstraints` | Topology spread constraints for pod assignment | array | `[]` | +| `reloader.deployment.annotations` | Set deployment annotations | map | `{}` | +| `reloader.deployment.labels` | Set deployment labels, default to stakater settings | array | `see values.yaml` | +| `reloader.deployment.image` | Set container image name, tag and policy | array | `see values.yaml` | +| `reloader.deployment.env` | Support for extra environment variables | array | `[]` | +| `reloader.deployment.livenessProbe` | Set liveness probe timeout values | map | `{}` | +| `reloader.deployment.readinessProbe` | Set readiness probe timeout values | map | `{}` | +| `reloader.deployment.resources` | Set container requests and limits (e.g. 
CPU or memory) | map | `{}` | +| `reloader.deployment.pod.annotations` | Set annotations for pod | map | `{}` | +| `reloader.deployment.priorityClassName` | Set priority class for pod in cluster | string | `""` | -You can enable to scrape Reloader's Prometheus metrics by setting `serviceMonitor.enabled` or `podMonitor.enabled` to `true` in `values.yaml` file. Service monitor will be removed in future releases of Reloader in favour of Pod monitor. +#### Other Reloader Parameters -**Note:** Reloading of OpenShift (DeploymentConfig) and/or Argo `Rollouts` has to be enabled explicitly because it might not be always possible to use it on a cluster with restricted permissions. This can be done by changing the following parameters: +| Parameter | Description | Type | Default | +|----------------------------------------|-----------------------------------------------------------------|---------|---------| +| `reloader.service` | | map | `{}` | +| `reloader.rbac.enabled` | Specifies whether a role based access control should be created | boolean | `true` | +| `reloader.serviceAccount.create` | Specifies whether a ServiceAccount should be created | boolean | `true` | +| `reloader.custom_annotations` | Add custom annotations | map | `{}` | +| `reloader.serviceMonitor.enabled` | Enable to scrape Reloader's Prometheus metrics (legacy) | boolean | `false` | +| `reloader.podMonitor.enabled` | Enable to scrape Reloader's Prometheus metrics | boolean | `false` | +| `reloader.podDisruptionBudget.enabled` | Limit the number of pods of a replicated application | boolean | `false` | +| `reloader.netpol.enabled` | | boolean | `false` | +| `reloader.volumeMounts` | Mount volume | array | `[]` | +| `reloader.volumes` | Add volume to a pod | array | `[]` | +| `reloader.webhookUrl` | Add webhook to Reloader | string | `""` | -| Parameter | Description | Type | Default | 
-|------------------|--------------------------------------------------------------------------------------------------------------------------------------------|---------|---------| -| isOpenshift | Enable OpenShift DeploymentConfigs. Valid value are either `true` or `false` | boolean | false | -| isArgoRollouts | Enable Argo `Rollouts`. Valid value are either `true` or `false` | boolean | false | -| reloadOnCreate | Enable reload on create events. Valid value are either `true` or `false` | boolean | false | -| syncAfterRestart | Enable sync after Reloader restarts for **Add** events, works only when reloadOnCreate is `true`. Valid value are either `true` or `false` | boolean | false | +#### Additional Remarks -**isOpenShift** Recent versions of OpenShift (tested on 4.13.3) require the specified user to be in an `uid` range which is dynamically assigned by the namespace. The solution is to unset the runAsUser variable via ``deployment.securityContext.runAsUser=null`` and let OpenShift assign it at install. - -**reloadOnCreate** controls how Reloader handles secrets being added to the cache for the first time. If reloadOnCreate is set to true: - -- Configmaps/secrets being added to the cache will cause Reloader to perform a rolling update of the associated workload. -- When applications are deployed for the first time, Reloader will perform a rolling update of the associated workload. -- If you are running Reloader in HA mode all workloads will have a rolling update performed when a new leader is elected. - -If reloadOnCreate is set to false: - -- Updates to configMaps/Secrets that occur while there is no leader will not be picked up by the new leader until a subsequent update of the configmap/secret occurs. In the worst case the window in which there can be no leader is 15s as this is the LeaseDuration. - -**Note:** By default, **reloadOnCreate** and **syncAfterRestart** are both set to false. Both need to be enabled explicitly. 
+- Both `namespaceSelector` & `resourceLabelSelector` can be used together. If they are then both conditions must be met for the configmap or secret to be eligible to trigger reload events. (e.g. If a configMap matches `resourceLabelSelector` but `namespaceSelector` does not match the namespace the configmap is in, it will be ignored). +- At one time only one of the resources `ignoreConfigMaps` or `ignoreSecrets` can be ignored, trying to do both will cause error in helm template compilation +- Reloading of OpenShift (DeploymentConfig) and/or Argo `Rollouts` has to be enabled explicitly because it might not be always possible to use it on a cluster with restricted permissions +- `isOpenShift` Recent versions of OpenShift (tested on 4.13.3) require the specified user to be in an `uid` range which is dynamically assigned by the namespace. The solution is to unset the runAsUser variable via ``deployment.securityContext.runAsUser=null`` and let OpenShift assign it at install +- `reloadOnCreate` controls how Reloader handles secrets being added to the cache for the first time. If `reloadOnCreate` is set to true: + 1. Configmaps/secrets being added to the cache will cause Reloader to perform a rolling update of the associated workload + 1. When applications are deployed for the first time, Reloader will perform a rolling update of the associated workload + 1. If you are running Reloader in HA mode all workloads will have a rolling update performed when a new leader is elected +- `serviceMonitor` will be removed in future releases of Reloader in favour of Pod monitor +- If `reloadOnCreate` is set to false: + 1. Updates to configmaps/secrets that occur while there is no leader will not be picked up by the new leader until a subsequent update of the configmap/secret occurs + 1. In the worst case the window in which there can be no leader is 15s as this is the LeaseDuration +- By default, `reloadOnCreate` and `syncAfterRestart` are both set to false. 
Both need to be enabled explicitly ## Help @@ -350,7 +397,7 @@ File a GitHub [issue](https://github.com/stakater/Reloader/issues). Join and talk to us on Slack for discussing Reloader -[![Join Slack](https://stakater.github.io/README/stakater-join-slack-btn.png)](https://slack.stakater.com/) +[![Join Slack](https://stakater.github.io/README/stakater-join-slack-btn.png)](https://stakater.slack.com/) [![Chat](https://stakater.github.io/README/stakater-chat-btn.png)](https://stakater-community.slack.com/messages/CC5S05S12) ## Contributing diff --git a/deployments/kubernetes/chart/reloader/Chart.yaml b/deployments/kubernetes/chart/reloader/Chart.yaml index fef4625..c013153 100644 --- a/deployments/kubernetes/chart/reloader/Chart.yaml +++ b/deployments/kubernetes/chart/reloader/Chart.yaml @@ -3,8 +3,8 @@ apiVersion: v1 name: reloader description: Reloader chart that runs on kubernetes -version: 1.0.69 -appVersion: v1.0.69 +version: 1.0.75 +appVersion: v1.0.75 keywords: - Reloader - kubernetes diff --git a/deployments/kubernetes/chart/reloader/templates/verticalpodautoscaler.yaml b/deployments/kubernetes/chart/reloader/templates/verticalpodautoscaler.yaml new file mode 100644 index 0000000..9ec2c46 --- /dev/null +++ b/deployments/kubernetes/chart/reloader/templates/verticalpodautoscaler.yaml 
@@ -0,0 +1,40 @@ +{{- if and (.Capabilities.APIVersions.Has "autoscaling.k8s.io/v1") (.Values.reloader.verticalPodAutoscaler.enabled) }} +apiVersion: autoscaling.k8s.io/v1 +kind: VerticalPodAutoscaler +metadata: + name: {{ template "reloader-fullname" . }} + namespace: {{ .Values.namespace | default .Release.Namespace }} + labels: + {{- include "reloader-labels.chart" . | nindent 4 }} +spec: + {{- with .Values.reloader.verticalPodAutoscaler.recommenders }} + recommenders: + {{- toYaml . | nindent 4 }} + {{- end }} + resourcePolicy: + containerPolicies: + - containerName: {{ template "reloader-fullname" . }} + {{- with .Values.reloader.verticalPodAutoscaler.controlledResources }} + controlledResources: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.reloader.verticalPodAutoscaler.controlledValues }} + controlledValues: {{ .Values.reloader.verticalPodAutoscaler.controlledValues }} + {{- end }} + {{- if .Values.reloader.verticalPodAutoscaler.maxAllowed }} + maxAllowed: + {{ toYaml .Values.reloader.verticalPodAutoscaler.maxAllowed | nindent 8 }} + {{- end }} + {{- if .Values.reloader.verticalPodAutoscaler.minAllowed }} + minAllowed: + {{ toYaml .Values.reloader.verticalPodAutoscaler.minAllowed | nindent 8 }} + {{- end }} + targetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ template "reloader-fullname" . }} + {{- with .Values.reloader.verticalPodAutoscaler.updatePolicy }} + updatePolicy: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/deployments/kubernetes/chart/reloader/values.yaml b/deployments/kubernetes/chart/reloader/values.yaml index 3dea62c..5823ff6 100644 --- a/deployments/kubernetes/chart/reloader/values.yaml +++ b/deployments/kubernetes/chart/reloader/values.yaml @@ -55,6 +55,8 @@ reloader: securityContext: runAsNonRoot: true runAsUser: 65534 + seccompProfile: + type: RuntimeDefault containerSecurityContext: {} # capabilities: 
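Review bot: The `maxAllowed` and `minAllowed` blocks in the new VerticalPodAutoscaler template use `{{ toYaml … | nindent 8 }}` without the left trim marker, unlike `recommenders`, `controlledResources` and `updatePolicy` in the same file, so each renders a whitespace-only line before the map. Write them as `{{- toYaml .Values.reloader.verticalPodAutoscaler.maxAllowed | nindent 8 }}` and likewise for `minAllowed`. `containerName` is set from the `reloader-fullname` template and has to equal the container name in the Deployment template, which is not part of this diff; if the two drift apart the resource policy would match no container, so confirm they stay in sync. The new `reloader.verticalPodAutoscaler.*` values are also missing from the README parameter tables added in this same commit.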
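Review bot: Adding `seccompProfile.type: RuntimeDefault` to the default pod `securityContext` in values.yaml changes what every existing install renders, and clusters whose admission policy does not permit that field will reject the pod; older OpenShift `restricted` SCCs are the likely case, which is worth confirming alongside the README's existing `runAsUser=null` remark. A line under the README's Additional Remarks showing how to unset it, e.g. `--set reloader.deployment.securityContext.seccompProfile=null`, would save those users a failed upgrade. `containerSecurityContext` still defaults to `{}`, so privilege escalation and capabilities stay at runtime defaults; consider defaulting `allowPrivilegeEscalation: false` and dropping all capabilities there, unless the commented block that continues past this hunk is meant to stay opt-in.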
@@ -87,10 +89,10 @@ reloader: labels: provider: stakater group: com.stakater.platform - version: v1.0.69 + version: v1.0.75 image: name: ghcr.io/stakater/reloader - tag: v1.0.69 + tag: v1.0.75 pullPolicy: IfNotPresent # Support for extra environment variables. env: @@ -280,7 +282,38 @@ reloader: # matchLabels: # app.kubernetes.io/name: prometheus to: [] - + + # Enable vertical pod autoscaler + verticalPodAutoscaler: + enabled: false + + # Recommender responsible for generating recommendation for the object. + # List should be empty (then the default recommender will generate the recommendation) + # or contain exactly one recommender. + # recommenders: + # - name: custom-recommender-performance + + # List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory + controlledResources: [] + # Specifies which resource values should be controlled: RequestsOnly or RequestsAndLimits. + # controlledValues: RequestsAndLimits + + # Define the max allowed resources for the pod + maxAllowed: {} + # cpu: 200m + # memory: 100Mi + # Define the min allowed resources for the pod + minAllowed: {} + # cpu: 200m + # memory: 100Mi + + updatePolicy: + # Specifies minimal number of replicas which need to be alive for VPA Updater to attempt pod eviction + # minReplicas: 1 + # Specifies whether recommended updates are applied when a Pod is started and whether recommended updates + # are applied during the life of a Pod. Possible values are "Off", "Initial", "Recreate", and "Auto". + updateMode: Auto + volumeMounts: [] volumes: [] diff --git a/deployments/kubernetes/manifests/clusterrole.yaml b/deployments/kubernetes/manifests/clusterrole.yaml index 9c2478c..dc6d67d 100644 --- a/deployments/kubernetes/manifests/clusterrole.yaml +++ b/deployments/kubernetes/manifests/clusterrole.yaml 
@@ -1,18 +1,8 @@ --- # Source: reloader/templates/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole metadata: - annotations: - meta.helm.sh/release-namespace: "default" - meta.helm.sh/release-name: "reloader" - labels: - app: reloader-reloader - chart: "reloader-1.0.69" - release: "reloader" - heritage: "Helm" - app.kubernetes.io/managed-by: "Helm" name: reloader-reloader-role rules: - apiGroups: diff --git a/deployments/kubernetes/manifests/clusterrolebinding.yaml b/deployments/kubernetes/manifests/clusterrolebinding.yaml index 738be0e..43b2028 100644 --- a/deployments/kubernetes/manifests/clusterrolebinding.yaml +++ b/deployments/kubernetes/manifests/clusterrolebinding.yaml @@ -1,18 +1,8 @@ --- # Source: reloader/templates/clusterrolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding metadata: - annotations: - meta.helm.sh/release-namespace: "default" - meta.helm.sh/release-name: "reloader" - labels: - app: reloader-reloader - chart: "reloader-1.0.69" - release: "reloader" - heritage: "Helm" - app.kubernetes.io/managed-by: "Helm" name: reloader-reloader-role-binding roleRef: apiGroup: rbac.authorization.k8s.io diff --git a/deployments/kubernetes/manifests/deployment.yaml b/deployments/kubernetes/manifests/deployment.yaml index 3ebcdd5..887921b 100644 --- a/deployments/kubernetes/manifests/deployment.yaml +++ b/deployments/kubernetes/manifests/deployment.yaml @@ -3,18 +3,6 @@ apiVersion: apps/v1 kind: Deployment metadata: - annotations: - meta.helm.sh/release-namespace: "default" - meta.helm.sh/release-name: "reloader" - labels: - app: reloader-reloader - chart: "reloader-1.0.69" - release: "reloader" - heritage: "Helm" - app.kubernetes.io/managed-by: "Helm" - group: com.stakater.platform - provider: stakater - version: v1.0.69 name: reloader-reloader namespace: default spec: 
@@ -23,49 +11,40 @@ spec: selector: matchLabels: app: reloader-reloader - release: "reloader" template: metadata: labels: app: reloader-reloader - chart: "reloader-1.0.69" - release: "reloader" - heritage: "Helm" - app.kubernetes.io/managed-by: "Helm" - group: com.stakater.platform - provider: stakater - version: v1.0.69 spec: containers: - - image: "ghcr.io/stakater/reloader:v1.0.69" - imagePullPolicy: IfNotPresent - name: reloader-reloader - - ports: - - name: http - containerPort: 9090 - livenessProbe: - httpGet: - path: /live - port: http - timeoutSeconds: 5 - failureThreshold: 5 - periodSeconds: 10 - successThreshold: 1 - initialDelaySeconds: 10 - readinessProbe: - httpGet: - path: /metrics - port: http - timeoutSeconds: 5 - failureThreshold: 5 - periodSeconds: 10 - successThreshold: 1 - initialDelaySeconds: 10 - - securityContext: - {} - securityContext: + - image: "ghcr.io/stakater/reloader:v1.0.75" + imagePullPolicy: IfNotPresent + name: reloader-reloader + ports: + - name: http + containerPort: 9090 + livenessProbe: + httpGet: + path: /live + port: http + timeoutSeconds: 5 + failureThreshold: 5 + periodSeconds: 10 + successThreshold: 1 + initialDelaySeconds: 10 + readinessProbe: + httpGet: + path: /metrics + port: http + timeoutSeconds: 5 + failureThreshold: 5 + periodSeconds: 10 + successThreshold: 1 + initialDelaySeconds: 10 + securityContext: {} + securityContext: runAsNonRoot: true runAsUser: 65534 + seccompProfile: + type: RuntimeDefault serviceAccountName: reloader-reloader diff --git a/deployments/kubernetes/manifests/serviceaccount.yaml b/deployments/kubernetes/manifests/serviceaccount.yaml index b24e0f2..0a0190d 100644 --- a/deployments/kubernetes/manifests/serviceaccount.yaml +++ b/deployments/kubernetes/manifests/serviceaccount.yaml 
@@ -3,14 +3,5 @@ apiVersion: v1 kind: ServiceAccount metadata: - annotations: - meta.helm.sh/release-namespace: "default" - meta.helm.sh/release-name: "reloader" - labels: - app: reloader-reloader - chart: "reloader-1.0.69" - release: "reloader" - heritage: "Helm" - app.kubernetes.io/managed-by: "Helm" name: reloader-reloader namespace: default diff --git a/deployments/kubernetes/reloader.yaml b/deployments/kubernetes/reloader.yaml index 6ec8c74..df5547e 100644 --- a/deployments/kubernetes/reloader.yaml +++ b/deployments/kubernetes/reloader.yaml @@ -8,7 +8,7 @@ metadata: meta.helm.sh/release-name: "reloader" labels: app: reloader-reloader - chart: "reloader-1.0.69" + chart: "reloader-1.0.75" release: "reloader" heritage: "Helm" app.kubernetes.io/managed-by: "Helm" @@ -25,7 +25,7 @@ metadata: meta.helm.sh/release-name: "reloader" labels: app: reloader-reloader - chart: "reloader-1.0.69" + chart: "reloader-1.0.75" release: "reloader" heritage: "Helm" app.kubernetes.io/managed-by: "Helm" @@ -92,7 +92,7 @@ metadata: meta.helm.sh/release-name: "reloader" labels: app: reloader-reloader - chart: "reloader-1.0.69" + chart: "reloader-1.0.75" release: "reloader" heritage: "Helm" app.kubernetes.io/managed-by: "Helm" @@ -115,13 +115,13 @@ metadata: meta.helm.sh/release-name: "reloader" labels: app: reloader-reloader - chart: "reloader-1.0.69" + chart: "reloader-1.0.75" release: "reloader" heritage: "Helm" app.kubernetes.io/managed-by: "Helm" group: com.stakater.platform provider: stakater - version: v1.0.69 + version: v1.0.75 name: reloader-reloader namespace: default spec: 
@@ -135,16 +135,16 @@ spec: metadata: labels: app: reloader-reloader - chart: "reloader-1.0.69" + chart: "reloader-1.0.75" release: "reloader" heritage: "Helm" app.kubernetes.io/managed-by: "Helm" group: com.stakater.platform provider: stakater - version: v1.0.69 + version: v1.0.75 spec: containers: - - image: "ghcr.io/stakater/reloader:v1.0.69" + - image: "ghcr.io/stakater/reloader:v1.0.75" imagePullPolicy: IfNotPresent name: reloader-reloader @@ -175,4 +175,6 @@ spec: securityContext: runAsNonRoot: true runAsUser: 65534 + seccompProfile: + type: RuntimeDefault serviceAccountName: reloader-reloader diff --git a/yq b/yq new file mode 100755 index 0000000..b8e333d Binary files /dev/null and b/yq differ
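Review bot: A mode-100755 binary named `yq` is added at the repository root, which is exactly the `$(shell pwd)/yq` path the new `yq-install` target downloads to, so it looks like build output committed by accident. A checked-in executable cannot be reviewed in a diff, will drift from `YQ_VERSION`, and anyone who runs it from a checkout is trusting this commit rather than the upstream release. Drop it from the commit and add `/yq` to `.gitignore`. If the release job commits the working tree after `make remove-labels-annotations`, delete the binary before that commit step, for example with `rm -f yq`.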