From 58d57719cba8e9e239b222016d52531c02c04e23 Mon Sep 17 00:00:00 2001 From: Pavel Okhlopkov <36456348+ldmonster@users.noreply.github.com> Date: Fri, 24 Oct 2025 13:19:07 +0300 Subject: [PATCH 01/23] Revert "In the helm_lib_module_image helper, we need to insert the lowerCamelCase module name (#142)" (#149) This reverts commit ab830b40b8c3fe433b93809bfd8e7cd45979b54c. Signed-off-by: Pavel Okhlopkov --- charts/helm_lib/templates/_module_image.tpl | 16 +++++++--------- tests/tests/helm_lib_module_image_test.yaml | 10 +++++----- 2 files changed, 12 insertions(+), 14 deletions(-) diff --git a/charts/helm_lib/templates/_module_image.tpl b/charts/helm_lib/templates/_module_image.tpl index 642824f..da797f5 100644 --- a/charts/helm_lib/templates/_module_image.tpl +++ b/charts/helm_lib/templates/_module_image.tpl @@ -19,7 +19,7 @@ {{- if index $context.Values $moduleName "registry" }} {{- if index $context.Values $moduleName "registry" "base" }} {{- $host := trimAll "/" (index $context.Values $moduleName "registry" "base") }} - {{- $path := trimAll "/" $moduleName }} + {{- $path := trimAll "/" (include "helm_lib_module_kebabcase_name" $rawModuleName) }} {{- $registryBase = join "/" (list $host $path) }} {{- end }} {{- end }} 
@@ -33,11 +33,10 @@ {{- define "helm_lib_module_image_no_fail" }} {{- $context := index . 0 }} {{- /* Template context with .Values, .Chart, etc */ -}} {{- $containerName := index . 1 | trimAll "\"" }} {{- /* Container name */ -}} - {{- $rawModuleName := $context.Chart.Name }} + {{- $moduleName := (include "helm_lib_module_camelcase_name" $context) }} {{- if ge (len .) 3 }} - {{- $rawModuleName = (index . 2) }} {{- /* Optional module name */ -}} + {{- $moduleName = (include "helm_lib_module_camelcase_name" (index . 2)) }} {{- /* Optional module name */ -}} {{- end }} - {{- $moduleName := (include "helm_lib_module_camelcase_name" $rawModuleName) }} {{- $imageDigest := index $context.Values.global.modulesImages.digests $moduleName $containerName }} {{- if $imageDigest }} {{- $registryBase := $context.Values.global.modulesImages.registry.base }} @@ -45,7 +44,7 @@ {{- if index $context.Values $moduleName "registry" }} {{- if index $context.Values $moduleName "registry" "base" }} {{- $host := trimAll "/" (index $context.Values $moduleName "registry" "base") }} - {{- $path := trimAll "/" $moduleName }} + {{- $path := trimAll "/" $context.Chart.Name }} {{- $registryBase = join "/" (list $host $path) }} {{- end }} {{- end }} 
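Review bot: In `helm_lib_module_image_no_fail` the restored `{{- $path := trimAll "/" $context.Chart.Name }}` ignores the optional module name, although `$moduleName` earlier in the same define is taken from `(index . 2)` when a third argument is passed. The digest and the per-module `registry.base` are then looked up for the named module while the repository path comes from the calling chart, so the rendered reference can point at a repository the digest was never published to. `helm_lib_module_image` in the first hunk builds the path with `helm_lib_module_kebabcase_name`; if the optional name is meant to work here too, keep a raw-name variable and use `{{- $path := trimAll "/" (include "helm_lib_module_kebabcase_name" $rawModuleName) }}`. The first hunk still references `$rawModuleName`, whose definition lies outside the hunk, so check that it survives the revert.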
@@ -102,12 +101,11 @@ {{- define "helm_lib_module_image_digest_no_fail" }} {{- $context := index . 0 }} {{- /* Template context with .Values, .Chart, etc */ -}} {{- $containerName := index . 1 | trimAll "\"" }} {{- /* Container name */ -}} - {{- $rawModuleName := $context.Chart.Name }} + {{- $moduleName := (include "helm_lib_module_camelcase_name" $context) }} {{- if ge (len .) 3 }} - {{- $rawModuleName = (index . 2) }} {{- /* Optional module name */ -}} + {{- $moduleName = (include "helm_lib_module_camelcase_name" (index . 2)) }} {{- /* Optional module name */ -}} {{- end }} - {{- $moduleName := (include "helm_lib_module_camelcase_name" $rawModuleName) }} {{- $moduleMap := index $context.Values.global.modulesImages.digests $moduleName | default dict }} {{- $imageDigest := index $moduleMap $containerName | default "" }} {{- printf "%s" $imageDigest }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/tests/tests/helm_lib_module_image_test.yaml b/tests/tests/helm_lib_module_image_test.yaml index 0dee152..313de51 100644 --- a/tests/tests/helm_lib_module_image_test.yaml +++ b/tests/tests/helm_lib_module_image_test.yaml @@ -39,13 +39,13 @@ tests: asserts: - equal: path: "externalModuleImage" - value: "registry.deckhouse.io/modules/testModule@sha321" + value: "registry.deckhouse.io/modules/test-module@sha321" - equal: path: "externalModuleImageWithOptionalName" - value: "registry.flant.com/modules/someModule@sha543" + value: "registry.flant.com/modules/some-module@sha543" - equal: path: "externalModuleKebabImageWithOptionalName" - value: "registry.flant.com/modules/someModule@sha543" + value: "registry.flant.com/modules/some-module@sha543" - it: should render external module image with trail slash documentIndex: 1 
@@ -59,7 +59,7 @@ tests: asserts: - equal: path: "externalModuleImage" - value: "registry.deckhouse.io/modules/testModule@sha321" + value: "registry.deckhouse.io/modules/test-module@sha321" - it: should render external module image digest documentIndex: 2 @@ -115,4 +115,4 @@ tests: value: "registry.deckhouse.io/deckhouse/ce@sha999" - equal: path: "commonImageNoFailNotExist" - value: null \ No newline at end of file + value: null From 3966dc0018ad6f8dc59219b73822eab67429867a Mon Sep 17 00:00:00 2001 From: Pavel Okhlopkov <36456348+ldmonster@users.noreply.github.com> Date: Fri, 24 Oct 2025 13:21:38 +0300 Subject: [PATCH 02/23] [lib-helm] feat/bump chart ver 1 64 1 (#150) Signed-off-by: Pavel Okhlopkov --- charts/helm_lib/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/helm_lib/Chart.yaml b/charts/helm_lib/Chart.yaml index 9d1e306..65cc1d6 100644 --- a/charts/helm_lib/Chart.yaml +++ b/charts/helm_lib/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 type: library name: deckhouse_lib_helm -version: 1.64.0 +version: 1.64.1 description: "Helm utils template definitions for Deckhouse modules." From 53af0e0d3ad473d40104c5df543ae3c6f55438b1 Mon Sep 17 00:00:00 2001 From: Vasily Oleynikov Date: Thu, 13 Nov 2025 20:36:03 +0300 Subject: [PATCH 03/23] Fix HA replicas count (#152) Signed-off-by: v.oleynikov --- charts/helm_lib/Chart.yaml | 2 +- charts/helm_lib/templates/_csi_controller.tpl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/helm_lib/Chart.yaml b/charts/helm_lib/Chart.yaml index 65cc1d6..bdabcc8 100644 --- a/charts/helm_lib/Chart.yaml +++ b/charts/helm_lib/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 type: library name: deckhouse_lib_helm -version: 1.64.1 +version: 1.64.2 description: "Helm utils template definitions for Deckhouse modules." diff --git a/charts/helm_lib/templates/_csi_controller.tpl b/charts/helm_lib/templates/_csi_controller.tpl index 646c319..e51e89b 100644 
--- a/charts/helm_lib/templates/_csi_controller.tpl +++ b/charts/helm_lib/templates/_csi_controller.tpl @@ -187,7 +187,7 @@ metadata: spec: {{- if $csiControllerHaMode }} - {{- include "helm_lib_deployment_strategy_and_replicas_for_ha" $context | nindent 2 }} + {{- include "helm_lib_deployment_on_master_strategy_and_replicas_for_ha" $context | nindent 2 }} {{- else }} replicas: 1 strategy: From 4adce614b055c40d4f3b28080e8ff14a1b803d65 Mon Sep 17 00:00:00 2001 From: Vasily Oleynikov Date: Fri, 14 Nov 2025 19:13:38 +0300 Subject: [PATCH 04/23] Fix seccomp profile (#153) Signed-off-by: v.oleynikov --- charts/helm_lib/Chart.yaml | 2 +- charts/helm_lib/README.md | 6 ++++-- charts/helm_lib/templates/_csi_controller.tpl | 14 +++++++------- charts/helm_lib/templates/_csi_node.tpl | 4 +++- .../templates/_module_security_context.tpl | 14 ++++++++++---- 5 files changed, 25 insertions(+), 15 deletions(-) diff --git a/charts/helm_lib/Chart.yaml b/charts/helm_lib/Chart.yaml index bdabcc8..d7a3218 100644 --- a/charts/helm_lib/Chart.yaml +++ b/charts/helm_lib/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 type: library name: deckhouse_lib_helm -version: 1.64.2 +version: 1.64.3 description: "Helm utils template definitions for Deckhouse modules." diff --git a/charts/helm_lib/README.md b/charts/helm_lib/README.md index e5120af..f86d38f 100644 --- a/charts/helm_lib/README.md +++ b/charts/helm_lib/README.md 
@@ -650,16 +650,18 @@ list: ### helm_lib_module_container_security_context_pss_restricted_flexible - SecurityContext for Deckhouse UID/GID 64535, PSS Restricted + SecurityContext for Deckhouse UID/GID 64535 (or root), PSS Restricted Optional keys: .ro – bool, read-only root FS (default true) .caps – []string, capabilities.add (default empty) .uid – int, runAsUser/runAsGroup (default 64535) .seccompProfile – bool, disable seccompProfile when false (default true) + .runAsNonRoot – bool, run as Deckhouse user when true, root when false (default true) + .seccompProfile – bool, disable seccompProfile when false (default true) #### Usage -`include "helm_lib_module_container_security_context_pss_restricted_flexible" (dict "ro" false "caps" (list "NET_ADMIN" "SYS_TIME") "uid" 1001 "seccompProfile" false) ` +`include "helm_lib_module_container_security_context_pss_restricted_flexible" (dict "ro" false "caps" (list "NET_ADMIN" "SYS_TIME") "uid" 1001 "seccompProfile" false "runAsNonRoot" true) ` diff --git a/charts/helm_lib/templates/_csi_controller.tpl b/charts/helm_lib/templates/_csi_controller.tpl index e51e89b..5eda31a 100644 --- a/charts/helm_lib/templates/_csi_controller.tpl +++ b/charts/helm_lib/templates/_csi_controller.tpl @@ -241,7 +241,7 @@ spec: automountServiceAccountToken: true containers: - name: provisioner - {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 8 }} + {{- include "helm_lib_module_container_security_context_pss_restricted_flexible" (dict "ro" true "seccompProfile" true) | nindent 8 }} image: {{ $provisionerImage | quote }} args: - "--timeout={{ $provisionerTimeout }}" 
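Review bot: The sidecar hunks in `_csi_controller.tpl` (provisioner here, then attacher, resizer, syncer, snapshotter, livenessprobe and the non-privileged controller branch) change more than the seccomp profile named in the commit title. With no `uid` or `runAsNonRoot` key, the helper defaults shown later in this patch render `runAsUser: 64535`, `runAsNonRoot: true` and `capabilities.drop: ALL`. Whether the CSI socket directory and the other mounts are usable by that UID is not visible in these hunks, so confirm it and mention the identity change in the commit message. `"ro" true "seccompProfile" true` also restates the helper's documented defaults seven times; building the dict once, e.g. `{{- $sidecarSecurityContext := dict "ro" true "seccompProfile" true }}`, and passing that variable keeps the call sites from drifting apart.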
@@ -294,7 +294,7 @@ spec: {{- include "provisioner_resources" $context | nindent 12 }} {{- end }} - name: attacher - {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 8 }} + {{- include "helm_lib_module_container_security_context_pss_restricted_flexible" (dict "ro" true "seccompProfile" true) | nindent 8 }} image: {{ $attacherImage | quote }} args: - "--timeout={{ $attacherTimeout }}" @@ -325,7 +325,7 @@ spec: {{- end }} {{- if $resizerEnabled }} - name: resizer - {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 8 }} + {{- include "helm_lib_module_container_security_context_pss_restricted_flexible" (dict "ro" true "seccompProfile" true) | nindent 8 }} image: {{ $resizerImage | quote }} args: - "--timeout={{ $resizerTimeout }}" @@ -357,7 +357,7 @@ spec: {{- end }} {{- if $syncerEnabled }} - name: syncer - {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 8 }} + {{- include "helm_lib_module_container_security_context_pss_restricted_flexible" (dict "ro" true "seccompProfile" true) | nindent 8 }} image: {{ $syncerImage | quote }} args: - "--leader-election" @@ -384,7 +384,7 @@ spec: {{- end }} {{- if $snapshotterEnabled }} - name: snapshotter - {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 8 }} + {{- include "helm_lib_module_container_security_context_pss_restricted_flexible" (dict "ro" true "seccompProfile" true) | nindent 8 }} image: {{ $snapshotterImage | quote }} args: - "--timeout={{ $snapshotterTimeout }}" 
@@ -418,7 +418,7 @@ spec: {{- end }} {{- end }} - name: livenessprobe - {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 8 }} + {{- include "helm_lib_module_container_security_context_pss_restricted_flexible" (dict "ro" true "seccompProfile" true) | nindent 8 }} image: {{ $livenessprobeImage | quote }} args: - "--csi-address=$(ADDRESS)" @@ -454,7 +454,7 @@ spec: {{- if $forceCsiControllerPrivilegedContainer }} {{- include "helm_lib_module_container_security_context_escalated_sys_admin_privileged" . | nindent 8 }} {{- else }} - {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 8 }} + {{- include "helm_lib_module_container_security_context_pss_restricted_flexible" (dict "ro" true "seccompProfile" true) | nindent 8 }} {{- end }} image: {{ $controllerImage | quote }} args: diff --git a/charts/helm_lib/templates/_csi_node.tpl b/charts/helm_lib/templates/_csi_node.tpl index 115a2ab..a063c8b 100644 --- a/charts/helm_lib/templates/_csi_node.tpl +++ b/charts/helm_lib/templates/_csi_node.tpl @@ -138,7 +138,7 @@ spec: {{- end }} containers: - name: node-driver-registrar - {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" $context | nindent 8 }} + {{- include "helm_lib_module_container_security_context_pss_restricted_flexible" (dict "ro" true "seccompProfile" true "uid" "0" "runAsNonRoot" false) | nindent 8 }} image: {{ $driverRegistrarImage | quote }} args: - "--v=5" @@ -182,6 +182,8 @@ spec: securityContext: privileged: true readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault {{- if $setSysAdminCapability }} capabilities: add: diff --git a/charts/helm_lib/templates/_module_security_context.tpl b/charts/helm_lib/templates/_module_security_context.tpl index bee7d89..4832f0b 100644 --- a/charts/helm_lib/templates/_module_security_context.tpl +++ b/charts/helm_lib/templates/_module_security_context.tpl 
@@ -69,13 +69,15 @@ securityContext: {{- end }} -{{- /* SecurityContext for Deckhouse UID/GID 64535, PSS Restricted */ -}} +{{- /* SecurityContext for Deckhouse UID/GID 64535 (or root), PSS Restricted */ -}} {{- /* Optional keys: */ -}} {{- /* .ro – bool, read-only root FS (default true) */ -}} {{- /* .caps – []string, capabilities.add (default empty) */ -}} {{- /* .uid – int, runAsUser/runAsGroup (default 64535) */ -}} {{- /* .seccompProfile – bool, disable seccompProfile when false (default true) */ -}} -{{- /* Usage: include "helm_lib_module_container_security_context_pss_restricted_flexible" (dict "ro" false "caps" (list "NET_ADMIN" "SYS_TIME") "uid" 1001 "seccompProfile" false) */ -}} +{{- /* .runAsNonRoot – bool, run as Deckhouse user when true, root when false (default true) */ -}} +{{- /* .seccompProfile – bool, disable seccompProfile when false (default true) */ -}} +{{- /* Usage: include "helm_lib_module_container_security_context_pss_restricted_flexible" (dict "ro" false "caps" (list "NET_ADMIN" "SYS_TIME") "uid" 1001 "seccompProfile" false "runAsNonRoot" true) */ -}} {{- define "helm_lib_module_container_security_context_pss_restricted_flexible" -}} {{- $ro := true -}} {{- if hasKey . "ro" -}} @@ -87,10 +89,14 @@ securityContext: {{- end -}} {{- $caps := default (list) .caps -}} {{- $uid := default 64535 .uid -}} +{{- $runAsNonRoot := true -}} +{{- if hasKey . "runAsNonRoot" -}} + {{- $runAsNonRoot = .runAsNonRoot -}} +{{- end -}} securityContext: readOnlyRootFilesystem: {{ $ro }} - allowPrivilegeEscalation: false + allowPrivilegeEscalation: {{ not $runAsNonRoot }} capabilities: drop: - ALL @@ -99,7 +105,7 @@ securityContext: {{- end }} runAsUser: {{ $uid }} runAsGroup: {{ $uid }} - runAsNonRoot: true + runAsNonRoot: {{ $runAsNonRoot }} {{- if $seccompProfile }} seccompProfile: type: RuntimeDefault From 18dee8cdd954420b6aba864d8a83af74c70ce9a8 Mon Sep 17 00:00:00 2001 
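Review bot: `allowPrivilegeEscalation: {{ not $runAsNonRoot }}` in the second hunk of this file ties two independent settings together: a container that has to run as UID 0 does not by itself need `no_new_privs` lifted, yet every caller passing `"runAsNonRoot" false` now gets `allowPrivilegeEscalation: true`. `_csi_node.tpl` in this same commit is such a caller (node-driver-registrar). Keeping the line as `allowPrivilegeEscalation: false` preserves the previous output for both variants. The header comment still labels the helper "PSS Restricted"; it should state that the root variant does not meet that profile, since Restricted requires `runAsNonRoot: true`. The same expression is carried unchanged through the two follow-up patches to this file.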
From: Nikolay Zykov Date: Wed, 19 Nov 2025 14:55:49 +0300 Subject: [PATCH 05/23] [security_context] security_context_pss_restricted_flexible fix Signed-off-by: borg-z --- charts/helm_lib/Chart.yaml | 2 +- charts/helm_lib/README.md | 1 - charts/helm_lib/templates/_module_security_context.tpl | 8 +++++--- 3 files changed, 6 insertions(+), 5 deletions(-) diff --git a/charts/helm_lib/Chart.yaml b/charts/helm_lib/Chart.yaml index d7a3218..cfc4079 100644 --- a/charts/helm_lib/Chart.yaml +++ b/charts/helm_lib/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 type: library name: deckhouse_lib_helm -version: 1.64.3 +version: 1.64.4 description: "Helm utils template definitions for Deckhouse modules." diff --git a/charts/helm_lib/README.md b/charts/helm_lib/README.md index f86d38f..e33c79d 100644 --- a/charts/helm_lib/README.md +++ b/charts/helm_lib/README.md @@ -655,7 +655,6 @@ list: .ro – bool, read-only root FS (default true) .caps – []string, capabilities.add (default empty) .uid – int, runAsUser/runAsGroup (default 64535) - .seccompProfile – bool, disable seccompProfile when false (default true) .runAsNonRoot – bool, run as Deckhouse user when true, root when false (default true) .seccompProfile – bool, disable seccompProfile when false (default true) diff --git a/charts/helm_lib/templates/_module_security_context.tpl b/charts/helm_lib/templates/_module_security_context.tpl index 4832f0b..003958f 100644 --- a/charts/helm_lib/templates/_module_security_context.tpl +++ b/charts/helm_lib/templates/_module_security_context.tpl 
@@ -74,7 +74,6 @@ securityContext: {{- /* .ro – bool, read-only root FS (default true) */ -}} {{- /* .caps – []string, capabilities.add (default empty) */ -}} {{- /* .uid – int, runAsUser/runAsGroup (default 64535) */ -}} -{{- /* .seccompProfile – bool, disable seccompProfile when false (default true) */ -}} {{- /* .runAsNonRoot – bool, run as Deckhouse user when true, root when false (default true) */ -}} {{- /* .seccompProfile – bool, disable seccompProfile when false (default true) */ -}} {{- /* Usage: include "helm_lib_module_container_security_context_pss_restricted_flexible" (dict "ro" false "caps" (list "NET_ADMIN" "SYS_TIME") "uid" 1001 "seccompProfile" false "runAsNonRoot" true) */ -}} @@ -97,14 +96,17 @@ securityContext: securityContext: readOnlyRootFilesystem: {{ $ro }} allowPrivilegeEscalation: {{ not $runAsNonRoot }} +{{- if not $runAsNonRoot }} + privileged: false +{{- end }} capabilities: drop: - ALL {{- if $caps }} add: {{ $caps | toJson }} {{- end }} - runAsUser: {{ $uid }} - runAsGroup: {{ $uid }} + runAsUser: {{ ternary $uid 0 $runAsNonRoot }} + runAsGroup: {{ ternary $uid 0 $runAsNonRoot }} runAsNonRoot: {{ $runAsNonRoot }} {{- if $seccompProfile }} seccompProfile: From 03b13b08993f0cbf6d99933dbf5ff210ff2a6d43 Mon Sep 17 00:00:00 2001 From: Nikolay Zykov Date: Wed, 19 Nov 2025 18:47:09 +0300 Subject: [PATCH 06/23] security_context_pss_restricted_flexible fix (#156) Signed-off-by: borg-z --- charts/helm_lib/Chart.yaml | 2 +- charts/helm_lib/templates/_module_security_context.tpl | 2 +- ...container_security_context_pss_restricted_flexible_test.yaml | 1 + tests/tests/helm_lib_module_init_container_test.yaml | 1 + 4 files changed, 4 insertions(+), 2 deletions(-) diff --git a/charts/helm_lib/Chart.yaml b/charts/helm_lib/Chart.yaml index cfc4079..b259429 100644 --- a/charts/helm_lib/Chart.yaml +++ b/charts/helm_lib/Chart.yaml 
@@ -1,5 +1,5 @@ apiVersion: v2 type: library name: deckhouse_lib_helm -version: 1.64.4 +version: 1.64.5 description: "Helm utils template definitions for Deckhouse modules." diff --git a/charts/helm_lib/templates/_module_security_context.tpl b/charts/helm_lib/templates/_module_security_context.tpl index 003958f..1f51081 100644 --- a/charts/helm_lib/templates/_module_security_context.tpl +++ b/charts/helm_lib/templates/_module_security_context.tpl @@ -96,7 +96,7 @@ securityContext: securityContext: readOnlyRootFilesystem: {{ $ro }} allowPrivilegeEscalation: {{ not $runAsNonRoot }} -{{- if not $runAsNonRoot }} +{{- if $runAsNonRoot }} privileged: false {{- end }} capabilities: diff --git a/tests/tests/helm_lib_module_container_security_context_pss_restricted_flexible_test.yaml b/tests/tests/helm_lib_module_container_security_context_pss_restricted_flexible_test.yaml index 9b968c3..802b8ae 100644 --- a/tests/tests/helm_lib_module_container_security_context_pss_restricted_flexible_test.yaml +++ b/tests/tests/helm_lib_module_container_security_context_pss_restricted_flexible_test.yaml @@ -13,6 +13,7 @@ tests: drop: - ALL runAsUser: 64535 + privileged: false runAsGroup: 64535 runAsNonRoot: true seccompProfile: diff --git a/tests/tests/helm_lib_module_init_container_test.yaml b/tests/tests/helm_lib_module_init_container_test.yaml index 9312181..8314c33 100644 --- a/tests/tests/helm_lib_module_init_container_test.yaml +++ b/tests/tests/helm_lib_module_init_container_test.yaml @@ -97,6 +97,7 @@ tests: drop: - ALL readOnlyRootFilesystem: true + privileged: false runAsGroup: 64535 runAsNonRoot: true runAsUser: 64535 From 07e7a3ee165b19c7740e7ffe623397a9d72ec6a3 Mon Sep 17 00:00:00 2001 From: chupakobra6 <112656648+chupakobra6@users.noreply.github.com> Date: Fri, 21 Nov 2025 08:40:22 +0100 Subject: [PATCH 07/23] feat: add registry.d8-system.svc to no_proxy list (#157) 
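Review bot: After this flip in `_module_security_context.tpl`, `privileged: false` is emitted only when `$runAsNonRoot` is true, so the root variant is the one that leaves the explicit setting out. The root variant is also the one that renders `allowPrivilegeEscalation: true` on the context line above. The field costs nothing in either case, so dropping the `{{- if $runAsNonRoot }}` / `{{- end }}` pair and keeping a bare `privileged: false` removes a condition that has now been inverted in two consecutive commits. The two test hunks in this commit pin only the default non-root output; a case passing `"runAsNonRoot" false` would pin the root rendering as well.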
Signed-off-by: chupakobra6 --- charts/helm_lib/Chart.yaml | 2 +- charts/helm_lib/templates/_envs_for_proxy.tpl | 2 +- tests/tests/helm_lib_envs_for_proxy_test.yaml | 8 ++++---- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/charts/helm_lib/Chart.yaml b/charts/helm_lib/Chart.yaml index b259429..137dd46 100644 --- a/charts/helm_lib/Chart.yaml +++ b/charts/helm_lib/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 type: library name: deckhouse_lib_helm -version: 1.64.5 +version: 1.64.6 description: "Helm utils template definitions for Deckhouse modules." diff --git a/charts/helm_lib/templates/_envs_for_proxy.tpl b/charts/helm_lib/templates/_envs_for_proxy.tpl index 60423cd..f052cff 100644 --- a/charts/helm_lib/templates/_envs_for_proxy.tpl +++ b/charts/helm_lib/templates/_envs_for_proxy.tpl @@ -17,7 +17,7 @@ - name: https_proxy value: {{ $context.Values.global.clusterConfiguration.proxy.httpsProxy | quote }} {{- end }} - {{- $noProxy := list "127.0.0.1" "169.254.169.254" $context.Values.global.clusterConfiguration.clusterDomain $context.Values.global.clusterConfiguration.podSubnetCIDR $context.Values.global.clusterConfiguration.serviceSubnetCIDR }} + {{- $noProxy := list "127.0.0.1" "169.254.169.254" "registry.d8-system.svc" $context.Values.global.clusterConfiguration.clusterDomain $context.Values.global.clusterConfiguration.podSubnetCIDR $context.Values.global.clusterConfiguration.serviceSubnetCIDR }} {{- if $context.Values.global.clusterConfiguration.proxy.noProxy }} {{- $noProxy = concat $noProxy $context.Values.global.clusterConfiguration.proxy.noProxy }} {{- end }} diff --git a/tests/tests/helm_lib_envs_for_proxy_test.yaml b/tests/tests/helm_lib_envs_for_proxy_test.yaml index 2f838f2..64adcf6 100644 --- a/tests/tests/helm_lib_envs_for_proxy_test.yaml +++ b/tests/tests/helm_lib_envs_for_proxy_test.yaml 
@@ -44,13 +44,13 @@ tests: value: "NO_PROXY" - equal: path: "proxyEnvs[4].value" - value: "127.0.0.1,169.254.169.254,cluster.local,10.0.0.0/16,10.1.0.0/16,example.com" + value: "127.0.0.1,169.254.169.254,registry.d8-system.svc,cluster.local,10.0.0.0/16,10.1.0.0/16,example.com" - equal: path: "proxyEnvs[5].name" value: "no_proxy" - equal: path: "proxyEnvs[5].value" - value: "127.0.0.1,169.254.169.254,cluster.local,10.0.0.0/16,10.1.0.0/16,example.com" + value: "127.0.0.1,169.254.169.254,registry.d8-system.svc,cluster.local,10.0.0.0/16,10.1.0.0/16,example.com" - it: should render proxy env vars with only http proxy set: @@ -79,13 +79,13 @@ tests: value: "NO_PROXY" - equal: path: "proxyEnvs[2].value" - value: "127.0.0.1,169.254.169.254,cluster.local,10.0.0.0/16,10.1.0.0/16" + value: "127.0.0.1,169.254.169.254,registry.d8-system.svc,cluster.local,10.0.0.0/16,10.1.0.0/16" - equal: path: "proxyEnvs[3].name" value: "no_proxy" - equal: path: "proxyEnvs[3].value" - value: "127.0.0.1,169.254.169.254,cluster.local,10.0.0.0/16,10.1.0.0/16" + value: "127.0.0.1,169.254.169.254,registry.d8-system.svc,cluster.local,10.0.0.0/16,10.1.0.0/16" - it: should not render proxy env vars when no proxy configured set: From b0da2dd42ea5632069a85dd9fb27d376ccb5683a Mon Sep 17 00:00:00 2001 From: Maksim Madzhuga Date: Mon, 17 Nov 2025 15:58:36 +0400 Subject: [PATCH 08/23] [observability] Add propagated prometheus rules Signed-off-by: Maksim Madzhuga --- .../_monitoring_prometheus_rules.tpl | 24 ++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) diff --git a/charts/helm_lib/templates/_monitoring_prometheus_rules.tpl b/charts/helm_lib/templates/_monitoring_prometheus_rules.tpl index 794fe30..30c689c 100644 --- a/charts/helm_lib/templates/_monitoring_prometheus_rules.tpl +++ b/charts/helm_lib/templates/_monitoring_prometheus_rules.tpl 
@@ -42,22 +42,40 @@ {{- end }} - {{ $definition = $definitionStruct.Rules | toYaml }} - {{- $resourceName := (regexReplaceAllLiteral "\\.(yaml|tpl)$" $path "") }} {{- $resourceName = ($resourceName | replace " " "-" | replace "." "-" | replace "_" "-") }} {{- $resourceName = (slice ($resourceName | splitList "/") $folderNamesIndex | join "-") }} {{- $resourceName = (printf "%s-%s" $context.Chart.Name $resourceName) }} + {{- $propagated := contains "propagated-" $resourceName }} + {{- $hasObservabilityModule := has "observability" $context.Values.global.enabledModules }} + {{- $useObservabilityRules := has "observability.deckhouse.io/v1alpha1/ClusterObservabilityMetricsRulesGroup" $context.Values.global.discovery.apiVersions }} + {{- if and $hasObservabilityModule $useObservabilityRules }} + {{- range $idx, $group := $definitionStruct.Rules }} + {{- $_ := unset $group "name" }} + {{- $resourceName = $resourceName | replace "propagated-" "" }} + {{- $groupResourceName := printf "%s-%d" $resourceName $idx }} +--- +apiVersion: observability.deckhouse.io/v1alpha1 +kind: {{ $propagated | ternary "ClusterObservabilityPropagatedMetricsRulesGroup" "ClusterObservabilityMetricsRulesGroup" }} +metadata: + name: {{ $groupResourceName }} + {{- include "helm_lib_module_labels" (list $context (dict "app" "prometheus" "prometheus" "main" "component" "rules")) | nindent 2 }} +spec: + {{- $group | toYaml | nindent 2 }} + {{- end }} + {{- else }} + {{- $definition := $definitionStruct.Rules | toYaml }} --- apiVersion: monitoring.coreos.com/v1 kind: PrometheusRule metadata: name: {{ $resourceName }} namespace: {{ $namespace }} - {{- include "helm_lib_module_labels" (list $context (dict "app" "prometheus" "prometheus" "main" "component" "rules")) | nindent 2 }} + {{- include "helm_lib_module_labels" (list $context (dict "app" "prometheus" "prometheus" "main" "component" "rules")) | nindent 2 }} spec: groups: {{- $definition | nindent 4 }} + {{- end }} {{- end }} {{- $subDirs := list }} 
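Review bot: `contains "propagated-" $resourceName` matches anywhere in a name that already includes `$context.Chart.Name` and the directory segments, so a chart or folder whose name contains `propagated-` switches every rule file under it to `ClusterObservabilityPropagatedMetricsRulesGroup`. The kind presumably decides how widely the rules are applied, so test only the file name, e.g. `{{- $propagated := hasPrefix "propagated-" (base $path) }}`. The `replace "propagated-" ""` inside the `range` has the same substring behaviour and is loop-invariant, so it can move above the loop. `unset $group "name"` drops the group name and the resource name is built from `$idx`, so reordering groups in a rules file renames the rendered resources; a template comment saying this is intended would help.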
From 94abe9d2d8637d13a05e030b429bc181fe035130 Mon Sep 17 00:00:00 2001 From: Vadim Lazovsky Date: Wed, 26 Nov 2025 12:49:21 +0200 Subject: [PATCH 09/23] Restore Signed-off-by: Vadim Lazovsky --- charts/helm_lib/templates/_monitoring_prometheus_rules.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/helm_lib/templates/_monitoring_prometheus_rules.tpl b/charts/helm_lib/templates/_monitoring_prometheus_rules.tpl index 30c689c..7aed8f9 100644 --- a/charts/helm_lib/templates/_monitoring_prometheus_rules.tpl +++ b/charts/helm_lib/templates/_monitoring_prometheus_rules.tpl @@ -71,7 +71,7 @@ kind: PrometheusRule metadata: name: {{ $resourceName }} namespace: {{ $namespace }} - {{- include "helm_lib_module_labels" (list $context (dict "app" "prometheus" "prometheus" "main" "component" "rules")) | nindent 2 }} + {{- include "helm_lib_module_labels" (list $context (dict "app" "prometheus" "prometheus" "main" "component" "rules")) | nindent 2 }} spec: groups: {{- $definition | nindent 4 }} From b2a3b3117ae529a0d8e86c5b984fda299d2507ab Mon Sep 17 00:00:00 2001 From: Vadim Lazovsky Date: Wed, 26 Nov 2025 14:19:00 +0200 Subject: [PATCH 10/23] Add tests Signed-off-by: Vadim Lazovsky --- .../helm_lib_prometheus_rules_recursion.yaml | 1 + .../deadbeef/propagated-ingress-nginx.yaml | 13 +++++++ ...m_lib_prometheus_rules_recursion_test.yaml | 37 +++++++++++++++++++ 3 files changed, 51 insertions(+) create mode 100644 tests/templates/helm_lib_prometheus_rules_recursion.yaml create mode 100644 tests/testdata/monitoring/deadbeef/propagated-ingress-nginx.yaml create mode 100644 tests/tests/helm_lib_prometheus_rules_recursion_test.yaml diff --git a/tests/templates/helm_lib_prometheus_rules_recursion.yaml b/tests/templates/helm_lib_prometheus_rules_recursion.yaml new file mode 100644 index 0000000..f94593b --- /dev/null +++ b/tests/templates/helm_lib_prometheus_rules_recursion.yaml 
@@ -0,0 +1 @@ +{{- include "helm_lib_prometheus_rules_recursion" (list . "d8-observability" "testdata/monitoring") }} \ No newline at end of file diff --git a/tests/testdata/monitoring/deadbeef/propagated-ingress-nginx.yaml b/tests/testdata/monitoring/deadbeef/propagated-ingress-nginx.yaml new file mode 100644 index 0000000..19462d0 --- /dev/null +++ b/tests/testdata/monitoring/deadbeef/propagated-ingress-nginx.yaml @@ -0,0 +1,13 @@ +- name: kubernetes.ingress-nginx.group-one + rules: + - alert: NginxIngressSslWillExpire + expr: vector(1) + - alert: NginxIngressSslExpired + expr: vector(1) +- name: kubernetes.ingress-nginx.group-two + rules: + - alert: NginxIngress5xxErrors + expr: vector(1) + - alert: NginxIngress5xxErrors + expr: vector(1) + diff --git a/tests/tests/helm_lib_prometheus_rules_recursion_test.yaml b/tests/tests/helm_lib_prometheus_rules_recursion_test.yaml new file mode 100644 index 0000000..a6c7c3c --- /dev/null +++ b/tests/tests/helm_lib_prometheus_rules_recursion_test.yaml 
@@ -0,0 +1,37 @@ +suite: test helm_lib_prometheus_rules_recursion +templates: + - helm_lib_prometheus_rules_recursion.yaml +tests: + - it: should generate PrometheusRule + set: + global.enabledModules: ["observability"] + global.discovery.prometheusScrapeInterval: 30s + global.discovery.apiVersions: [] + asserts: + - equal: + path: kind + value: PrometheusRule + - equal: + path: metadata.name + value: test-module-deadbeef-propagated-ingress-nginx + - hasDocuments: + count: 1 + - it: should generate ClusterObservabilityPropagatedMetricsRulesGroup + set: + global.enabledModules: ["observability"] + global.discovery.prometheusScrapeInterval: 30s + global.discovery.apiVersions: ["observability.deckhouse.io/v1alpha1/ClusterObservabilityMetricsRulesGroup"] + asserts: + - equal: + path: kind + value: ClusterObservabilityPropagatedMetricsRulesGroup + - equal: + path: metadata.name + value: test-module-deadbeef-ingress-nginx-0 + documentIndex: 0 + - equal: + path: metadata.name + value: test-module-deadbeef-ingress-nginx-1 + documentIndex: 1 + - hasDocuments: + count: 2 From 4c130c632eafcbbdb5418a06f1a43c920c5c994e Mon Sep 17 00:00:00 2001 From: Vadim Lazovsky Date: Wed, 26 Nov 2025 16:51:27 +0200 Subject: [PATCH 11/23] Bump version Signed-off-by: Vadim Lazovsky --- charts/helm_lib/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/helm_lib/Chart.yaml b/charts/helm_lib/Chart.yaml index d7a3218..cfc4079 100644 --- a/charts/helm_lib/Chart.yaml +++ b/charts/helm_lib/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 type: library name: deckhouse_lib_helm -version: 1.64.3 +version: 1.64.4 description: "Helm utils template definitions for Deckhouse modules." From 1fe8b06ad1de3921f65582ef9685d98c166a4d20 Mon Sep 17 00:00:00 2001 From: Vadim Lazovsky Date: Thu, 27 Nov 2025 13:09:33 +0200 Subject: [PATCH 12/23] Bump version Signed-off-by: Vadim Lazovsky --- charts/helm_lib/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
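Review bot: The suite never renders a non-propagated rules file with the observability API version present, so the `ClusterObservabilityMetricsRulesGroup` side of the `ternary` is untested. There is also no case with `observability` missing from `global.enabledModules`, the other half of the `and` that selects the new branch. The `kind` assertion in the second case carries no `documentIndex`, unlike the two `metadata.name` assertions beside it, so it may check only one of the two documents. In the testdata file added by this commit, `NginxIngress5xxErrors` appears twice in `group-two`; if that is deliberate, a comment in the fixture should say so.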
diff --git a/charts/helm_lib/Chart.yaml b/charts/helm_lib/Chart.yaml index cfc4079..4865035 100644 --- a/charts/helm_lib/Chart.yaml +++ b/charts/helm_lib/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 type: library name: deckhouse_lib_helm -version: 1.64.4 +version: 1.64.7 description: "Helm utils template definitions for Deckhouse modules." From b94837a9af660b91175cb8c063dea3f7ae19cab9 Mon Sep 17 00:00:00 2001 From: "v.oleynikov" Date: Tue, 2 Dec 2025 20:24:18 +0300 Subject: [PATCH 13/23] [csi] switch to storage foundation module Signed-off-by: v.oleynikov --- charts/helm_lib/templates/_csi_controller.tpl | 10 +++++----- charts/helm_lib/templates/_csi_node.tpl | 2 +- charts/helm_lib/templates/_module_image.tpl | 20 +++++++++++++++++++ 3 files changed, 26 insertions(+), 6 deletions(-) diff --git a/charts/helm_lib/templates/_csi_controller.tpl b/charts/helm_lib/templates/_csi_controller.tpl index 5eda31a..94c5bab 100644 --- a/charts/helm_lib/templates/_csi_controller.tpl +++ b/charts/helm_lib/templates/_csi_controller.tpl 
@@ -78,22 +78,22 @@ memory: 50Mi {{- $kubernetesSemVer := semver $context.Values.global.discovery.kubernetesVersion }} {{- $provisionerImageName := join "" (list "csiExternalProvisioner" $kubernetesSemVer.Major $kubernetesSemVer.Minor) }} - {{- $provisionerImage := include "helm_lib_module_common_image_no_fail" (list $context $provisionerImageName) }} + {{- $provisionerImage := include "helm_lib_csi_image_with_common_fallback" (list $context $provisionerImageName) }} {{- $attacherImageName := join "" (list "csiExternalAttacher" $kubernetesSemVer.Major $kubernetesSemVer.Minor) }} - {{- $attacherImage := include "helm_lib_module_common_image_no_fail" (list $context $attacherImageName) }} + {{- $attacherImage := include "helm_lib_csi_image_with_common_fallback" (list $context $attacherImageName) }} {{- $resizerImageName := join "" (list "csiExternalResizer" $kubernetesSemVer.Major $kubernetesSemVer.Minor) }} - {{- $resizerImage := include "helm_lib_module_common_image_no_fail" (list $context $resizerImageName) }} + {{- $resizerImage := include "helm_lib_csi_image_with_common_fallback" (list $context $resizerImageName) }} {{- $syncerImageName := join "" (list "csiVsphereSyncer" $kubernetesSemVer.Major $kubernetesSemVer.Minor) }} {{- $syncerImage := include "helm_lib_module_common_image_no_fail" (list $context $syncerImageName) }} {{- $snapshotterImageName := join "" (list "csiExternalSnapshotter" $kubernetesSemVer.Major $kubernetesSemVer.Minor) }} - {{- $snapshotterImage := include "helm_lib_module_common_image_no_fail" (list $context $snapshotterImageName) }} + {{- $snapshotterImage := include "helm_lib_csi_image_with_common_fallback" (list $context $snapshotterImageName) }} {{- $livenessprobeImageName := join "" (list "csiLivenessprobe" $kubernetesSemVer.Major $kubernetesSemVer.Minor) }} - {{- $livenessprobeImage := include "helm_lib_module_common_image_no_fail" (list $context $livenessprobeImageName) }} + {{- $livenessprobeImage := include 
"helm_lib_csi_image_with_common_fallback" (list $context $livenessprobeImageName) }} {{- if $provisionerImage }} {{- if ($context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} diff --git a/charts/helm_lib/templates/_csi_node.tpl b/charts/helm_lib/templates/_csi_node.tpl index a063c8b..3d51fa7 100644 --- a/charts/helm_lib/templates/_csi_node.tpl +++ b/charts/helm_lib/templates/_csi_node.tpl @@ -38,7 +38,7 @@ memory: 25Mi {{- $csiNodeHostPID := $config.csiNodeHostPID | default "false" }} {{- $kubernetesSemVer := semver $context.Values.global.discovery.kubernetesVersion }} {{- $driverRegistrarImageName := join "" (list "csiNodeDriverRegistrar" $kubernetesSemVer.Major $kubernetesSemVer.Minor) }} - {{- $driverRegistrarImage := include "helm_lib_module_common_image_no_fail" (list $context $driverRegistrarImageName) }} + {{- $driverRegistrarImage := include "helm_lib_csi_image_with_common_fallback" (list $context $driverRegistrarImageName) }} {{- if $driverRegistrarImage }} {{- if or $forceCsiNodeAndStaticNodesDepoloy (include "_helm_lib_cloud_or_hybrid_cluster" $context) }} {{- if ($context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} diff --git a/charts/helm_lib/templates/_module_image.tpl b/charts/helm_lib/templates/_module_image.tpl index da797f5..c6bcc07 100644 --- a/charts/helm_lib/templates/_module_image.tpl +++ b/charts/helm_lib/templates/_module_image.tpl 
@@ -109,3 +109,23 @@ {{- $imageDigest := index $moduleMap $containerName | default "" }} {{- printf "%s" $imageDigest }} {{- end }} + +{{- /* Usage: {{ include "helm_lib_csi_image_with_common_fallback" (list . "") }} */ -}} +{{- /* returns image name from storage foundation module if enabled, otherwise from common module */ -}} +{{- define "helm_lib_csi_image_with_common_fallback" }} + {{- $context := index . 0 }} {{- /* Template context with .Values, .Chart, etc */ -}} + {{- $containerName := index . 1 | trimAll "\"" }} {{- /* Container name */ -}} + {{- $imageDigest := "" }} + {{- $registryBase := $context.Values.global.modulesImages.registry.base }} + {{- /* Try to get from storage foundation module if enabled */}} + {{- if $context.Values.global.enabledModules | has "storage-foundation" }} + {{- $registryBase = join "/" (list $registryBase "modules" "storage-foundation" ) }} + {{- $imageDigest = index $context.Values.global.modulesImages.digests "storageFoundation" $containerName | default "" }} + {{- /* Fallback to common module if not found in storage foundation */}} + {{- else }} + {{- $imageDigest = index $context.Values.global.modulesImages.digests "common" $containerName | default "" }} + {{- end }} + {{- if $imageDigest }} + {{- printf "%s@%s" $registryBase $imageDigest }} + {{- end }} +{{- end }} From 4e3977f986ca0b4fbcefd30c51affe390554830a Mon Sep 17 00:00:00 2001 From: "v.oleynikov" Date: Tue, 2 Dec 2025 20:24:41 +0300 Subject: [PATCH 14/23] [csi] switch to storage foundation module Signed-off-by: v.oleynikov --- charts/helm_lib/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/helm_lib/Chart.yaml b/charts/helm_lib/Chart.yaml index 4865035..620406a 100644 --- a/charts/helm_lib/Chart.yaml +++ b/charts/helm_lib/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 type: library name: deckhouse_lib_helm -version: 1.64.7 +version: 1.64.8 description: "Helm utils template definitions for Deckhouse modules." 
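Review bot: The storage-foundation branch of `helm_lib_csi_image_with_common_fallback` always builds the repository as the global `registry.base` plus `modules/storage-foundation` and never consults a per-module registry setting. `helm_lib_module_image_no_fail`, earlier in this file, prefers `index $context.Values $moduleName "registry" "base"` when it is set. If storage-foundation can be served from its own registry (not visible in this hunk), the CSI sidecars would be resolved by digest against a repository the operator did not configure for that module, and the pull would fail or land on an unintended repository. Either reuse the existing per-module lookup or state in the header comment that the path is fixed, for example `{{- /* registry path is always <global base>/modules/storage-foundation; per-module registry overrides are not honoured */ -}}`.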
From eb6e08ff304e307c3e7467becef4bbbdd00b67ad Mon Sep 17 00:00:00 2001 From: "v.oleynikov" Date: Tue, 2 Dec 2025 20:25:58 +0300 Subject: [PATCH 15/23] [csi] switch to storage foundation module Signed-off-by: v.oleynikov --- charts/helm_lib/README.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/charts/helm_lib/README.md b/charts/helm_lib/README.md index e33c79d..bde9a11 100644 --- a/charts/helm_lib/README.md +++ b/charts/helm_lib/README.md @@ -39,6 +39,7 @@ | [helm_lib_module_common_image_no_fail](#helm_lib_module_common_image_no_fail) | | [helm_lib_module_image_digest](#helm_lib_module_image_digest) | | [helm_lib_module_image_digest_no_fail](#helm_lib_module_image_digest_no_fail) | +| [helm_lib_csi_image_with_common_fallback](#helm_lib_csi_image_with_common_fallback) | | **Module Ingress Class** | | [helm_lib_module_ingress_class](#helm_lib_module_ingress_class) | | **Module Ingress Snippets** | @@ -468,6 +469,21 @@ list: - Template context with .Values, .Chart, etc - Container name + +### helm_lib_csi_image_with_common_fallback + + returns image name from storage foundation module if enabled, otherwise from common module + +#### Usage + +`{{ include "helm_lib_csi_image_with_common_fallback" (list . "") }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- Container name + ## Module Ingress Class ### helm_lib_module_ingress_class From 417a7fecbb31e21f43bbe1cd651be4ab29816136 Mon Sep 17 00:00:00 2001 From: "v.oleynikov" Date: Wed, 3 Dec 2025 11:57:09 +0300 Subject: [PATCH 16/23] [csi] switch to storage foundation module Signed-off-by: v.oleynikov --- charts/helm_lib/templates/_csi_controller.tpl | 15 ++++------- charts/helm_lib/templates/_csi_node.tpl | 3 +-- charts/helm_lib/templates/_module_image.tpl | 25 ++++++++++++++++--- 3 files changed, 28 insertions(+), 15 deletions(-) diff --git a/charts/helm_lib/templates/_csi_controller.tpl b/charts/helm_lib/templates/_csi_controller.tpl index 94c5bab..a73bb96 100644 
--- a/charts/helm_lib/templates/_csi_controller.tpl +++ b/charts/helm_lib/templates/_csi_controller.tpl 
@@ -77,23 +77,18 @@ memory: 50Mi {{- $kubernetesSemVer := semver $context.Values.global.discovery.kubernetesVersion }} - {{- $provisionerImageName := join "" (list "csiExternalProvisioner" $kubernetesSemVer.Major $kubernetesSemVer.Minor) }} - {{- $provisionerImage := include "helm_lib_csi_image_with_common_fallback" (list $context $provisionerImageName) }} + {{- $provisionerImage := include "helm_lib_csi_image_with_common_fallback" (list $context "csiExternalProvisioner" $kubernetesSemVer) }} - {{- $attacherImageName := join "" (list "csiExternalAttacher" $kubernetesSemVer.Major $kubernetesSemVer.Minor) }} - {{- $attacherImage := include "helm_lib_csi_image_with_common_fallback" (list $context $attacherImageName) }} + {{- $attacherImage := include "helm_lib_csi_image_with_common_fallback" (list $context "csiExternalAttacher" $kubernetesSemVer) }} - {{- $resizerImageName := join "" (list "csiExternalResizer" $kubernetesSemVer.Major $kubernetesSemVer.Minor) }} - {{- $resizerImage := include "helm_lib_csi_image_with_common_fallback" (list $context $resizerImageName) }} + {{- $resizerImage := include "helm_lib_csi_image_with_common_fallback" (list $context "csiExternalResizer" $kubernetesSemVer) }} {{- $syncerImageName := join "" (list "csiVsphereSyncer" $kubernetesSemVer.Major $kubernetesSemVer.Minor) }} {{- $syncerImage := include "helm_lib_module_common_image_no_fail" (list $context $syncerImageName) }} - {{- $snapshotterImageName := join "" (list "csiExternalSnapshotter" $kubernetesSemVer.Major $kubernetesSemVer.Minor) }} - {{- $snapshotterImage := include "helm_lib_csi_image_with_common_fallback" (list $context $snapshotterImageName) }} + {{- $snapshotterImage := include "helm_lib_csi_image_with_common_fallback" (list $context "csiExternalSnapshotter" $kubernetesSemVer) }} - {{- $livenessprobeImageName := join "" (list "csiLivenessprobe" $kubernetesSemVer.Major $kubernetesSemVer.Minor) }} - {{- $livenessprobeImage := include 
"helm_lib_csi_image_with_common_fallback" (list $context $livenessprobeImageName) }} + {{- $livenessprobeImage := include "helm_lib_csi_image_with_common_fallback" (list $context "csiLivenessprobe" $kubernetesSemVer) }} {{- if $provisionerImage }} {{- if ($context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} diff --git a/charts/helm_lib/templates/_csi_node.tpl b/charts/helm_lib/templates/_csi_node.tpl index 3d51fa7..cc4e449 100644 --- a/charts/helm_lib/templates/_csi_node.tpl +++ b/charts/helm_lib/templates/_csi_node.tpl @@ -37,8 +37,7 @@ memory: 25Mi {{- $csiNodeHostNetwork := $config.csiNodeHostNetwork | default "true" }} {{- $csiNodeHostPID := $config.csiNodeHostPID | default "false" }} {{- $kubernetesSemVer := semver $context.Values.global.discovery.kubernetesVersion }} - {{- $driverRegistrarImageName := join "" (list "csiNodeDriverRegistrar" $kubernetesSemVer.Major $kubernetesSemVer.Minor) }} - {{- $driverRegistrarImage := include "helm_lib_csi_image_with_common_fallback" (list $context $driverRegistrarImageName) }} + {{- $driverRegistrarImage := include "helm_lib_csi_image_with_common_fallback" (list $context "csiNodeDriverRegistrar" $kubernetesSemVer) }} {{- if $driverRegistrarImage }} {{- if or $forceCsiNodeAndStaticNodesDepoloy (include "_helm_lib_cloud_or_hybrid_cluster" $context) }} {{- if ($context.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} diff --git a/charts/helm_lib/templates/_module_image.tpl b/charts/helm_lib/templates/_module_image.tpl index c6bcc07..b0f11b3 100644 --- a/charts/helm_lib/templates/_module_image.tpl +++ b/charts/helm_lib/templates/_module_image.tpl 
@@ -110,19 +110,38 @@ {{- printf "%s" $imageDigest }} {{- end }} -{{- /* Usage: {{ include "helm_lib_csi_image_with_common_fallback" (list . "") }} */ -}} +{{- /* Usage: {{ include "helm_lib_csi_image_with_common_fallback" (list . "" "") }} */ -}} {{- /* returns image name from storage foundation module if enabled, otherwise from common module */ -}} {{- define "helm_lib_csi_image_with_common_fallback" }} {{- $context := index . 0 }} {{- /* Template context with .Values, .Chart, etc */ -}} - {{- $containerName := index . 1 | trimAll "\"" }} {{- /* Container name */ -}} + {{- $rawContainerName := index . 1 | trimAll "\"" }} {{- /* Container raw name */ -}} + {{- $kubernetesSemVer := index . 2 }} {{- /* Kubernetes semantic version */ -}} {{- $imageDigest := "" }} {{- $registryBase := $context.Values.global.modulesImages.registry.base }} {{- /* Try to get from storage foundation module if enabled */}} {{- if $context.Values.global.enabledModules | has "storage-foundation" }} {{- $registryBase = join "/" (list $registryBase "modules" "storage-foundation" ) }} - {{- $imageDigest = index $context.Values.global.modulesImages.digests "storageFoundation" $containerName | default "" }} + {{- $storageFoundationDigests := index $context.Values.global.modulesImages.digests "storageFoundation" | default dict }} + {{- $currentMinor := int $kubernetesSemVer.Minor }} + {{- $kubernetesMajor := int $kubernetesSemVer.Major }} + {{- /* Iterate from currentMinor down to 0: use offset from 0 to currentMinor, then calculate minorVersion = currentMinor - offset */}} + {{- range $offset := until (int (add $currentMinor 1)) }} + {{- if not $imageDigest }} + {{- $minorVersion := int (sub $currentMinor $offset) }} + {{- $containerName := join "" (list $rawContainerName "ForK8SGE" $kubernetesMajor $minorVersion) }} + {{- $digest := index $storageFoundationDigests $containerName | default "" }} + {{- if $digest }} + {{- $imageDigest = $digest }} + {{- end }} + {{- end }} + {{- end }} + {{- /* 
Fallback to base container name if no versioned image found (when minor reached 0) */}} + {{- if not $imageDigest }} + {{- $imageDigest = index $storageFoundationDigests $rawContainerName | default "" }} + {{- end }} {{- /* Fallback to common module if not found in storage foundation */}} {{- else }} + {{- $containerName := join "" (list $rawContainerName $kubernetesSemVer.Major $kubernetesSemVer.Minor) }} {{- $imageDigest = index $context.Values.global.modulesImages.digests "common" $containerName | default "" }} {{- end }} {{- if $imageDigest }} From ebef58b18277b5ce9a8992000ba238983f9e2b74 Mon Sep 17 00:00:00 2001 From: "v.oleynikov" Date: Wed, 3 Dec 2025 12:36:56 +0300 Subject: [PATCH 17/23] [csi] switch to storage foundation module Signed-off-by: v.oleynikov --- charts/helm_lib/README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/charts/helm_lib/README.md b/charts/helm_lib/README.md index bde9a11..c16d5c9 100644 --- a/charts/helm_lib/README.md +++ b/charts/helm_lib/README.md @@ -476,13 +476,14 @@ list: #### Usage -`{{ include "helm_lib_csi_image_with_common_fallback" (list . "") }} ` +`{{ include "helm_lib_csi_image_with_common_fallback" (list . "" "") }} ` #### Arguments list: - Template context with .Values, .Chart, etc -- Container name +- Container raw name +- Kubernetes semantic version ## Module Ingress Class From 02cb86ec0e8006d382be0beacb4cefc21fee058b Mon Sep 17 00:00:00 2001 From: "v.oleynikov" Date: Wed, 3 Dec 2025 16:05:52 +0300 Subject: [PATCH 18/23] [csi] switch to storage foundation module Signed-off-by: v.oleynikov --- charts/helm_lib/templates/_module_image.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/helm_lib/templates/_module_image.tpl b/charts/helm_lib/templates/_module_image.tpl index b0f11b3..418f59b 100644 --- a/charts/helm_lib/templates/_module_image.tpl +++ b/charts/helm_lib/templates/_module_image.tpl 
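Review bot: `index . 2` is now read unconditionally in `helm_lib_csi_image_with_common_fallback`, so a caller still passing the two-element list accepted by the previous revision fails with a bare index error; `helm_lib_module_image_no_fail` in this file treats its third element as optional via `ge (len .) 3`. A guard at the top gives a usable message: `{{- if lt (len .) 3 }}{{- fail "helm_lib_csi_image_with_common_fallback: expected (list <context> <container name> <kubernetes semver>)" }}{{- end }}`. The header comment should also say that the helper returns an empty string when no digest is found, and that with storage-foundation enabled it walks minors downward from the cluster minor and takes the first `ForK8SGE` key that exists. The callers in `_csi_controller.tpl` and `_csi_node.tpl` wrap their output in `{{- if $provisionerImage }}` and `{{- if $driverRegistrarImage }}`, so a missing digest appears to render nothing rather than fail the release.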
@@ -139,7 +139,7 @@ {{- if not $imageDigest }} {{- $imageDigest = index $storageFoundationDigests $rawContainerName | default "" }} {{- end }} - {{- /* Fallback to common module if not found in storage foundation */}} + {{- /* Fallback to common module if storage foundation module is not enabled */}} {{- else }} {{- $containerName := join "" (list $rawContainerName $kubernetesSemVer.Major $kubernetesSemVer.Minor) }} {{- $imageDigest = index $context.Values.global.modulesImages.digests "common" $containerName | default "" }} From 2159b2adf9dbda13108e1a2fc87283a3bca006f8 Mon Sep 17 00:00:00 2001 From: Aleksandr Zimin Date: Wed, 3 Dec 2025 16:26:43 +0300 Subject: [PATCH 19/23] add tests Signed-off-by: Aleksandr Zimin --- ...lm_lib_csi_image_with_common_fallback.yaml | 17 ++ ...b_csi_image_with_common_fallback_test.yaml | 173 ++++++++++++++++++ 2 files changed, 190 insertions(+) create mode 100644 tests/templates/helm_lib_csi_image_with_common_fallback.yaml create mode 100644 tests/tests/helm_lib_csi_image_with_common_fallback_test.yaml diff --git a/tests/templates/helm_lib_csi_image_with_common_fallback.yaml b/tests/templates/helm_lib_csi_image_with_common_fallback.yaml new file mode 100644 index 0000000..349b61f --- /dev/null +++ b/tests/templates/helm_lib_csi_image_with_common_fallback.yaml 
@@ -0,0 +1,17 @@ +storageFoundationEnabledWithVersion: {{ include "helm_lib_csi_image_with_common_fallback" (list . "csiExternalProvisioner" (semver "1.25.0")) }} +--- +storageFoundationEnabledWithoutVersion: {{ include "helm_lib_csi_image_with_common_fallback" (list . "csiExternalAttacher" (semver "1.25.0")) }} +--- +storageFoundationEnabledNotFoundFallbackCommon: {{ include "helm_lib_csi_image_with_common_fallback" (list . "csiExternalResizer" (semver "1.25.0")) }} +--- +storageFoundationDisabledUseCommon: {{ include "helm_lib_csi_image_with_common_fallback" (list . "csiExternalSnapshotter" (semver "1.25.0")) }} +--- +storageFoundationVersionFallback: {{ include "helm_lib_csi_image_with_common_fallback" (list . "csiLivenessprobe" (semver "1.34.0")) }} +--- +storageFoundationEnabledNoImage: {{ include "helm_lib_csi_image_with_common_fallback" (list . "csiNodeDriverRegistrar" (semver "1.25.0")) }} +--- +storageFoundationK8s126: {{ include "helm_lib_csi_image_with_common_fallback" (list . "csiExternalProvisioner" (semver "1.26.0")) }} +--- +commonFallbackDifferentVersion: {{ include "helm_lib_csi_image_with_common_fallback" (list . "csiExternalSnapshotter" (semver "1.24.0")) }} +--- +storageFoundationVersionIteration: {{ include "helm_lib_csi_image_with_common_fallback" (list . "csiExternalProvisioner" (semver "1.34.0")) }} diff --git a/tests/tests/helm_lib_csi_image_with_common_fallback_test.yaml b/tests/tests/helm_lib_csi_image_with_common_fallback_test.yaml new file mode 100644 index 0000000..02b66b2 --- /dev/null +++ b/tests/tests/helm_lib_csi_image_with_common_fallback_test.yaml 
@@ -0,0 +1,173 @@ +suite: helm_lib_csi_image_with_common_fallback definition +templates: + - helm_lib_csi_image_with_common_fallback.yaml +tests: + - it: should return image from storage-foundation when enabled and image found with version + documentIndex: 0 + set: + global: + enabledModules: + - storage-foundation + modulesImages: + registry: + base: "registry.deckhouse.io/deckhouse/ce" + digests: + storageFoundation: + csiExternalProvisionerForK8SGE125: "sha256:storage-foundation-provisioner-125" + common: + csiExternalProvisioner125: "sha256:common-provisioner-125" + asserts: + - equal: + path: "storageFoundationEnabledWithVersion" + value: "registry.deckhouse.io/deckhouse/ce/modules/storage-foundation@sha256:storage-foundation-provisioner-125" + + - it: should return image from storage-foundation base name when versioned not found + documentIndex: 1 + set: + global: + enabledModules: + - storage-foundation + modulesImages: + registry: + base: "registry.deckhouse.io/deckhouse/ce" + digests: + storageFoundation: + csiExternalAttacher: "sha256:storage-foundation-attacher-base" + common: + csiExternalAttacher125: "sha256:common-attacher-125" + asserts: + - equal: + path: "storageFoundationEnabledWithoutVersion" + value: "registry.deckhouse.io/deckhouse/ce/modules/storage-foundation@sha256:storage-foundation-attacher-base" + + - it: should return null when storage-foundation enabled but image not found (no fallback to common in current implementation) + documentIndex: 2 + set: + global: + enabledModules: + - storage-foundation + modulesImages: + registry: + base: "registry.deckhouse.io/deckhouse/ce" + digests: + storageFoundation: + csiExternalProvisionerForK8SGE125: "sha256:provisioner-125" + common: + csiExternalResizer125: "sha256:common-resizer-125" + asserts: + - equal: + path: "storageFoundationEnabledNotFoundFallbackCommon" + value: null + + - it: should use common module when storage-foundation disabled + documentIndex: 3 + set: + global: + enabledModules: 
[] + modulesImages: + registry: + base: "registry.deckhouse.io/deckhouse/ce" + digests: + storageFoundation: + csiExternalSnapshotterForK8SGE125: "sha256:storage-foundation-snapshotter-125" + common: + csiExternalSnapshotter125: "sha256:common-snapshotter-125" + asserts: + - equal: + path: "storageFoundationDisabledUseCommon" + value: "registry.deckhouse.io/deckhouse/ce@sha256:common-snapshotter-125" + + - it: should fallback to lower minor version when exact version not found + documentIndex: 4 + set: + global: + enabledModules: + - storage-foundation + modulesImages: + registry: + base: "registry.deckhouse.io/deckhouse/ce" + digests: + storageFoundation: + csiLivenessprobeForK8SGE133: "sha256:storage-foundation-livenessprobe-133" + common: + csiLivenessprobe134: "sha256:common-livenessprobe-134" + asserts: + - equal: + path: "storageFoundationVersionFallback" + value: "registry.deckhouse.io/deckhouse/ce/modules/storage-foundation@sha256:storage-foundation-livenessprobe-133" + + - it: should return null when no image found in storage-foundation and common + documentIndex: 5 + set: + global: + enabledModules: + - storage-foundation + modulesImages: + registry: + base: "registry.deckhouse.io/deckhouse/ce" + digests: + storageFoundation: + csiExternalProvisionerForK8SGE125: "sha256:provisioner-125" + common: + csiExternalProvisioner125: "sha256:provisioner-125" + asserts: + - equal: + path: "storageFoundationEnabledNoImage" + value: null + + - it: should handle different Kubernetes versions correctly + documentIndex: 6 + set: + global: + enabledModules: + - storage-foundation + modulesImages: + registry: + base: "registry.deckhouse.io/deckhouse/ce" + digests: + storageFoundation: + csiExternalProvisionerForK8SGE126: "sha256:storage-foundation-provisioner-126" + common: + csiExternalProvisioner126: "sha256:common-provisioner-126" + asserts: + - equal: + path: "storageFoundationK8s126" + value: 
"registry.deckhouse.io/deckhouse/ce/modules/storage-foundation@sha256:storage-foundation-provisioner-126" + + - it: should use common module with correct version format when storage-foundation disabled + documentIndex: 7 + set: + global: + enabledModules: [] + modulesImages: + registry: + base: "registry.deckhouse.io/deckhouse/ce" + digests: + storageFoundation: + csiExternalSnapshotterForK8SGE124: "sha256:storage-foundation-snapshotter-124" + common: + csiExternalSnapshotter124: "sha256:common-snapshotter-124" + asserts: + - equal: + path: "commonFallbackDifferentVersion" + value: "registry.deckhouse.io/deckhouse/ce@sha256:common-snapshotter-124" + + - it: should iterate through minor versions from current down to 0 + documentIndex: 8 + set: + global: + enabledModules: + - storage-foundation + modulesImages: + registry: + base: "registry.deckhouse.io/deckhouse/ce" + digests: + storageFoundation: + csiExternalProvisionerForK8SGE130: "sha256:storage-foundation-provisioner-130" + common: + csiExternalProvisioner134: "sha256:common-provisioner-134" + asserts: + - equal: + path: "storageFoundationVersionIteration" + value: "registry.deckhouse.io/deckhouse/ce/modules/storage-foundation@sha256:storage-foundation-provisioner-130" + From 24198646347ba1afb866f4fa446e07a75620a8f0 Mon Sep 17 00:00:00 2001 From: Aleksandr Zimin Date: Wed, 3 Dec 2025 16:35:07 +0300 Subject: [PATCH 20/23] fix some test Signed-off-by: Aleksandr Zimin --- ...lm_lib_csi_image_with_common_fallback.yaml | 10 ++- ...b_csi_image_with_common_fallback_test.yaml | 85 +++++++++++++------ 2 files changed, 68 insertions(+), 27 deletions(-) diff --git a/tests/templates/helm_lib_csi_image_with_common_fallback.yaml b/tests/templates/helm_lib_csi_image_with_common_fallback.yaml index 349b61f..dc031e6 100644 --- a/tests/templates/helm_lib_csi_image_with_common_fallback.yaml +++ b/tests/templates/helm_lib_csi_image_with_common_fallback.yaml 
@@ -2,16 +2,20 @@ storageFoundationEnabledWithVersion: {{ include "helm_lib_csi_image_with_common_ --- storageFoundationEnabledWithoutVersion: {{ include "helm_lib_csi_image_with_common_fallback" (list . "csiExternalAttacher" (semver "1.25.0")) }} --- -storageFoundationEnabledNotFoundFallbackCommon: {{ include "helm_lib_csi_image_with_common_fallback" (list . "csiExternalResizer" (semver "1.25.0")) }} +storageFoundationEnabledNotFound: {{ include "helm_lib_csi_image_with_common_fallback" (list . "csiExternalResizer" (semver "1.25.0")) }} --- storageFoundationDisabledUseCommon: {{ include "helm_lib_csi_image_with_common_fallback" (list . "csiExternalSnapshotter" (semver "1.25.0")) }} --- storageFoundationVersionFallback: {{ include "helm_lib_csi_image_with_common_fallback" (list . "csiLivenessprobe" (semver "1.34.0")) }} --- -storageFoundationEnabledNoImage: {{ include "helm_lib_csi_image_with_common_fallback" (list . "csiNodeDriverRegistrar" (semver "1.25.0")) }} ---- storageFoundationK8s126: {{ include "helm_lib_csi_image_with_common_fallback" (list . "csiExternalProvisioner" (semver "1.26.0")) }} --- commonFallbackDifferentVersion: {{ include "helm_lib_csi_image_with_common_fallback" (list . "csiExternalSnapshotter" (semver "1.24.0")) }} --- storageFoundationVersionIteration: {{ include "helm_lib_csi_image_with_common_fallback" (list . "csiExternalProvisioner" (semver "1.34.0")) }} +--- +commonNotFound: {{ include "helm_lib_csi_image_with_common_fallback" (list . "csiExternalProvisioner" (semver "1.25.0")) }} +--- +otherModulesEnabled: {{ include "helm_lib_csi_image_with_common_fallback" (list . "csiExternalProvisioner" (semver "1.25.0")) }} +--- +emptyStorageFoundationDigests: {{ include "helm_lib_csi_image_with_common_fallback" (list . "csiExternalProvisioner" (semver "1.25.0")) }} diff --git a/tests/tests/helm_lib_csi_image_with_common_fallback_test.yaml b/tests/tests/helm_lib_csi_image_with_common_fallback_test.yaml index 02b66b2..c597f35 100644 
--- a/tests/tests/helm_lib_csi_image_with_common_fallback_test.yaml +++ b/tests/tests/helm_lib_csi_image_with_common_fallback_test.yaml @@ -40,7 +40,7 @@ tests: path: "storageFoundationEnabledWithoutVersion" value: "registry.deckhouse.io/deckhouse/ce/modules/storage-foundation@sha256:storage-foundation-attacher-base" - - it: should return null when storage-foundation enabled but image not found (no fallback to common in current implementation) + - it: should return null when storage-foundation enabled but image not found documentIndex: 2 set: global: @@ -56,7 +56,7 @@ tests: csiExternalResizer125: "sha256:common-resizer-125" asserts: - equal: - path: "storageFoundationEnabledNotFoundFallbackCommon" + path: "storageFoundationEnabledNotFound" value: null - it: should use common module when storage-foundation disabled @@ -96,27 +96,8 @@ tests: path: "storageFoundationVersionFallback" value: "registry.deckhouse.io/deckhouse/ce/modules/storage-foundation@sha256:storage-foundation-livenessprobe-133" - - it: should return null when no image found in storage-foundation and common - documentIndex: 5 - set: - global: - enabledModules: - - storage-foundation - modulesImages: - registry: - base: "registry.deckhouse.io/deckhouse/ce" - digests: - storageFoundation: - csiExternalProvisionerForK8SGE125: "sha256:provisioner-125" - common: - csiExternalProvisioner125: "sha256:provisioner-125" - asserts: - - equal: - path: "storageFoundationEnabledNoImage" - value: null - - it: should handle different Kubernetes versions correctly - documentIndex: 6 + documentIndex: 5 set: global: enabledModules: @@ -135,7 +116,7 @@ tests: value: "registry.deckhouse.io/deckhouse/ce/modules/storage-foundation@sha256:storage-foundation-provisioner-126" - it: should use common module with correct version format when storage-foundation disabled - documentIndex: 7 + documentIndex: 6 set: global: enabledModules: [] 
@@ -153,7 +134,7 @@ tests: value: "registry.deckhouse.io/deckhouse/ce@sha256:common-snapshotter-124" - it: should iterate through minor versions from current down to 0 - documentIndex: 8 + documentIndex: 7 set: global: enabledModules: @@ -171,3 +152,59 @@ tests: path: "storageFoundationVersionIteration" value: "registry.deckhouse.io/deckhouse/ce/modules/storage-foundation@sha256:storage-foundation-provisioner-130" + - it: should return null when common module image not found + documentIndex: 8 + set: + global: + enabledModules: [] + modulesImages: + registry: + base: "registry.deckhouse.io/deckhouse/ce" + digests: + storageFoundation: + csiExternalProvisionerForK8SGE125: "sha256:storage-foundation-provisioner-125" + common: + csiExternalAttacher125: "sha256:common-attacher-125" + asserts: + - equal: + path: "commonNotFound" + value: null + + - it: should use common module when other modules enabled but not storage-foundation + documentIndex: 9 + set: + global: + enabledModules: + - monitoring + - ingress-nginx + modulesImages: + registry: + base: "registry.deckhouse.io/deckhouse/ce" + digests: + storageFoundation: + csiExternalProvisionerForK8SGE125: "sha256:storage-foundation-provisioner-125" + common: + csiExternalProvisioner125: "sha256:common-provisioner-125" + asserts: + - equal: + path: "otherModulesEnabled" + value: "registry.deckhouse.io/deckhouse/ce@sha256:common-provisioner-125" + + - it: should return null when storage-foundation enabled but digests empty + documentIndex: 10 + set: + global: + enabledModules: + - storage-foundation + modulesImages: + registry: + base: "registry.deckhouse.io/deckhouse/ce" + digests: + storageFoundation: {} + common: + csiExternalProvisioner125: "sha256:common-provisioner-125" + asserts: + - equal: + path: "emptyStorageFoundationDigests" + value: null + From 9e9e7ca93b55c27b52fcf1e120816febcebb0fdf Mon Sep 17 00:00:00 2001 
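Review bot: None of the cases in this test file pins the upper bound or the ordering of the `ForK8SGE` lookup, because every fixture holds a single versioned key at or below the requested minor. A regression that picked a key above the cluster minor, or the lowest match instead of the highest, would still pass. I would add a case that reuses document 7 (`storageFoundationVersionIteration`, rendered for `1.34.0`) with one key above the minor and two below it, and expects the highest key that does not exceed the minor. The digest strings below are constructed in the style of the existing fixtures.

```yaml
  - it: should pick the highest versioned image not newer than the cluster minor
    documentIndex: 7
    set:
      global:
        enabledModules:
          - storage-foundation
        modulesImages:
          registry:
            base: "registry.deckhouse.io/deckhouse/ce"
          digests:
            storageFoundation:
              csiExternalProvisionerForK8SGE130: "sha256:storage-foundation-provisioner-130"
              csiExternalProvisionerForK8SGE132: "sha256:storage-foundation-provisioner-132"
              csiExternalProvisionerForK8SGE135: "sha256:storage-foundation-provisioner-135"
    asserts:
      - equal:
          path: "storageFoundationVersionIteration"
          value: "registry.deckhouse.io/deckhouse/ce/modules/storage-foundation@sha256:storage-foundation-provisioner-132"
```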
From: Alexey Voronov Date: Thu, 4 Dec 2025 17:41:13 +0700 Subject: [PATCH 21/23] [csi] make dnsPolicy configurable (#159) Signed-off-by: Alexey Voronov --- .gitignore | 1 + charts/helm_lib/Chart.yaml | 2 +- charts/helm_lib/templates/_csi_controller.tpl | 3 +- charts/helm_lib/templates/_csi_node.tpl | 7 +- .../helm_lib_csi_controller_value.yaml | 1 + tests/tests/helm_lib_csi_controller_test.yaml | 155 ++++++++++++++++++ 6 files changed, 164 insertions(+), 5 deletions(-) create mode 100644 .gitignore create mode 100644 tests/templates/helm_lib_csi_controller_value.yaml create mode 100644 tests/tests/helm_lib_csi_controller_test.yaml diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..dd76df5 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.debug diff --git a/charts/helm_lib/Chart.yaml b/charts/helm_lib/Chart.yaml index 620406a..46e67c0 100644 --- a/charts/helm_lib/Chart.yaml +++ b/charts/helm_lib/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 type: library name: deckhouse_lib_helm -version: 1.64.8 +version: 1.64.9 description: "Helm utils template definitions for Deckhouse modules." diff --git a/charts/helm_lib/templates/_csi_controller.tpl b/charts/helm_lib/templates/_csi_controller.tpl index a73bb96..95cd905 100644 --- a/charts/helm_lib/templates/_csi_controller.tpl +++ b/charts/helm_lib/templates/_csi_controller.tpl @@ -74,6 +74,7 @@ memory: 50Mi {{- $customNodeSelector := $config.customNodeSelector }} {{- $additionalPullSecrets := $config.additionalPullSecrets }} {{- $forceCsiControllerPrivilegedContainer := $config.forceCsiControllerPrivilegedContainer | default false }} + {{- $dnsPolicy := $config.dnsPolicy | default "ClusterFirstWithHostNet" }} {{- $kubernetesSemVer := semver $context.Values.global.discovery.kubernetesVersion }} 
@@ -212,7 +213,7 @@ spec: hostNetwork: {{ $csiControllerHostNetwork }} hostPID: {{ $csiControllerHostPID }} {{- if eq $csiControllerHostNetwork "true" }} - dnsPolicy: ClusterFirstWithHostNet + dnsPolicy: {{ $dnsPolicy | quote }} {{- end }} imagePullSecrets: - name: deckhouse-registry diff --git a/charts/helm_lib/templates/_csi_node.tpl b/charts/helm_lib/templates/_csi_node.tpl index cc4e449..fb3d9b7 100644 --- a/charts/helm_lib/templates/_csi_node.tpl +++ b/charts/helm_lib/templates/_csi_node.tpl @@ -28,7 +28,7 @@ memory: 25Mi {{- $customNodeSelector := $config.customNodeSelector }} {{- $forceCsiNodeAndStaticNodesDepoloy := $config.forceCsiNodeAndStaticNodesDepoloy | default false }} {{- $setSysAdminCapability := $config.setSysAdminCapability | default false }} - {{- $additionalContainers := $config.additionalContainers }} + {{- $additionalContainers := $config.additionalContainers }} {{- $initContainers := $config.initContainers }} {{- $additionalPullSecrets := $config.additionalPullSecrets }} {{- $csiNodeLifecycle := $config.csiNodeLifecycle | default false }} @@ -36,6 +36,7 @@ memory: 25Mi {{- $additionalCsiNodePodAnnotations := $config.additionalCsiNodePodAnnotations | default false }} {{- $csiNodeHostNetwork := $config.csiNodeHostNetwork | default "true" }} {{- $csiNodeHostPID := $config.csiNodeHostPID | default "false" }} + {{- $dnsPolicy := $config.dnsPolicy | default "ClusterFirstWithHostNet" }} {{- $kubernetesSemVer := semver $context.Values.global.discovery.kubernetesVersion }} {{- $driverRegistrarImage := include "helm_lib_csi_image_with_common_fallback" (list $context "csiNodeDriverRegistrar" $kubernetesSemVer) }} {{- if $driverRegistrarImage }} @@ -133,7 +134,7 @@ spec: hostNetwork: {{ $csiNodeHostNetwork }} hostPID: {{ $csiNodeHostPID }} {{- if eq $csiNodeHostNetwork "true" }} - dnsPolicy: ClusterFirstWithHostNet + dnsPolicy: {{ $dnsPolicy | quote }} {{- end }} containers: - name: node-driver-registrar 
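Review bot: The new `dnsPolicy` value is emitted only inside `{{- if eq $csiControllerHostNetwork "true" }}`, so a policy supplied with host networking disabled is silently dropped. The `_csi_node.tpl` hunk at `@@ -133,7 +134,7 @@` has the same shape under `$csiNodeHostNetwork`. The value is also passed through unchecked: `quote` keeps it a YAML string, but a typo is only rejected by the API server at apply time, and `None` needs a `dnsConfig` that this hunk does not render. I would validate it where it is read, e.g. `{{- if not (has $dnsPolicy (list "ClusterFirst" "ClusterFirstWithHostNet" "Default" "None")) }}{{- fail (printf "unsupported dnsPolicy %q" $dnsPolicy) }}{{- end }}`, and document next to the `$dnsPolicy` assignment that it applies only when host networking is on. The enclosing manifest template starts and ends outside these hunks.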
@@ -208,7 +209,7 @@ spec: port: {{ $livenessProbePort }} initialDelaySeconds: 5 timeoutSeconds: 5 - {{- end }} + {{- end }} volumeMounts: - name: kubelet-dir mountPath: /var/lib/kubelet diff --git a/tests/templates/helm_lib_csi_controller_value.yaml b/tests/templates/helm_lib_csi_controller_value.yaml new file mode 100644 index 0000000..7afa49e --- /dev/null +++ b/tests/templates/helm_lib_csi_controller_value.yaml @@ -0,0 +1 @@ +{{ include "helm_lib_csi_controller_manifests" (list . .Values._testvalues) }} diff --git a/tests/tests/helm_lib_csi_controller_test.yaml b/tests/tests/helm_lib_csi_controller_test.yaml new file mode 100644 index 0000000..0a252ed --- /dev/null +++ b/tests/tests/helm_lib_csi_controller_test.yaml 
@@ -0,0 +1,155 @@ +suite: helm_lib_csi_controller_value definition +templates: + - helm_lib_csi_controller_value.yaml +tests: + - it: renders csi controller manifests + + set: + global: + modules: + placement: {} + modulesImages: + registry: + base: "deckhouse.io/deckhouse/ce" + digests: + common: + csiExternalAttacher125: csiControllerAttacher125 + csiExternalProvisioner125: csiControllerProvisioner125 + csiExternalResizer125: csiControllerResizer125 + csiExternalSnapshotter125: csiControllerSnapshotter125 + csiVsphereSyncer125: csiControllerSyncer125 + csiLivenessprobe125: csiLivenessProbe125 + discovery: + kubernetesVersion: "1.25" + d8SpecificNodeCountByRole: {} + _testvalues: + controllerImage: controllerImage + syncerEnabled: "true" + + documentSelector: + path: kind + value: Deployment + + asserts: + - hasDocuments: + count: 2 + + - containsDocument: + kind: Deployment + apiVersion: apps/v1 + name: csi-controller + namespace: d8-test-module + + - equal: + path: spec.template.spec.dnsPolicy + value: "ClusterFirstWithHostNet" + + - equal: + path: spec.template.spec.containers[0].image + value: "deckhouse.io/deckhouse/ce@csiControllerProvisioner125" + + - equal: + path: spec.template.spec.containers[1].image + value: "deckhouse.io/deckhouse/ce@csiControllerAttacher125" + + - equal: + path: spec.template.spec.containers[2].image + value: "deckhouse.io/deckhouse/ce@csiControllerResizer125" + + - equal: + path: spec.template.spec.containers[3].image + value: "deckhouse.io/deckhouse/ce@csiControllerSyncer125" + + - equal: + path: spec.template.spec.containers[4].image + value: "deckhouse.io/deckhouse/ce@csiControllerSnapshotter125" + + - equal: + path: spec.template.spec.containers[5].image + value: "deckhouse.io/deckhouse/ce@csiLivenessProbe125" + + - equal: + path: spec.template.spec.containers[6].image + value: "controllerImage" + + - it: renders csi controller manifests with dnsPolicy defined + + set: + global: + modules: + placement: {} + modulesImages: + 
registry: + base: "deckhouse.io/deckhouse/ce" + digests: + common: + csiExternalAttacher125: csiControllerAttacher125 + csiExternalProvisioner125: csiControllerProvisioner125 + csiExternalResizer125: csiControllerResizer125 + csiExternalSnapshotter125: csiControllerSnapshotter125 + csiLivenessprobe125: csiLivenessProbe125 + discovery: + kubernetesVersion: "1.25" + d8SpecificNodeCountByRole: {} + _testvalues: + controllerImage: controllerImage + dnsPolicy: Default + + documentSelector: + path: kind + value: Deployment + + asserts: + - hasDocuments: + count: 2 + + - containsDocument: + kind: Deployment + apiVersion: apps/v1 + name: csi-controller + namespace: d8-test-module + + - equal: + path: spec.template.spec.dnsPolicy + value: "Default" + + - it: renders csi controller manifests with no dnsPolicy when hostNetwork is false + + set: + global: + modules: + placement: {} + modulesImages: + registry: + base: "deckhouse.io/deckhouse/ce" + digests: + common: + csiExternalAttacher125: csiControllerAttacher125 + csiExternalProvisioner125: csiControllerProvisioner125 + csiExternalResizer125: csiControllerResizer125 + csiExternalSnapshotter125: csiControllerSnapshotter125 + csiLivenessprobe125: csiLivenessProbe125 + discovery: + kubernetesVersion: "1.25" + d8SpecificNodeCountByRole: {} + _testvalues: + controllerImage: controllerImage + csiControllerHostNetwork: "false" + dnsPolicy: Default + + documentSelector: + path: kind + value: Deployment + + asserts: + - hasDocuments: + count: 2 + + - containsDocument: + kind: Deployment + apiVersion: apps/v1 + name: csi-controller + namespace: d8-test-module + + - notExists: + path: spec.template.spec.dnsPolicy From c6885ec0f0170bace0d9a12dc70234eac63a8cd7 Mon Sep 17 00:00:00 2001 From: Vasily Oleynikov Date: Thu, 4 Dec 2025 14:08:07 +0300 Subject: [PATCH 22/23] [csi] temporary fix image templates (#160) 
Signed-off-by: Vasily Oleynikov --- charts/helm_lib/Chart.yaml | 2 +- charts/helm_lib/README.md | 36 +++++++++-------- charts/helm_lib/templates/_csi_controller.tpl | 40 +++++++++++++++++++ charts/helm_lib/templates/_module_image.tpl | 39 ------------------ 4 files changed, 60 insertions(+), 57 deletions(-) diff --git a/charts/helm_lib/Chart.yaml b/charts/helm_lib/Chart.yaml index 46e67c0..5a720b9 100644 --- a/charts/helm_lib/Chart.yaml +++ b/charts/helm_lib/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 type: library name: deckhouse_lib_helm -version: 1.64.9 +version: 1.64.10 description: "Helm utils template definitions for Deckhouse modules." diff --git a/charts/helm_lib/README.md b/charts/helm_lib/README.md index c16d5c9..60d3b68 100644 --- a/charts/helm_lib/README.md +++ b/charts/helm_lib/README.md @@ -9,6 +9,8 @@ | **Api Version And Kind** | | [helm_lib_kind_exists](#helm_lib_kind_exists) | | [helm_lib_get_api_version_by_kind](#helm_lib_get_api_version_by_kind) | +| **Csi Controller** | +| [helm_lib_csi_image_with_common_fallback](#helm_lib_csi_image_with_common_fallback) | | **Enable Ds Eviction** | | [helm_lib_prevent_ds_eviction_annotation](#helm_lib_prevent_ds_eviction_annotation) | | **Envs For Proxy** | @@ -39,7 +41,6 @@ | [helm_lib_module_common_image_no_fail](#helm_lib_module_common_image_no_fail) | | [helm_lib_module_image_digest](#helm_lib_module_image_digest) | | [helm_lib_module_image_digest_no_fail](#helm_lib_module_image_digest_no_fail) | -| [helm_lib_csi_image_with_common_fallback](#helm_lib_csi_image_with_common_fallback) | | **Module Ingress Class** | | [helm_lib_module_ingress_class](#helm_lib_module_ingress_class) | | **Module Ingress Snippets** | 
@@ -164,6 +165,23 @@ list: - Template context with .Values, .Chart, etc - Kind name portion +## Csi Controller + +### helm_lib_csi_image_with_common_fallback + + returns image name from storage foundation module if enabled, otherwise from common module + +#### Usage + +`{{ include "helm_lib_csi_image_with_common_fallback" (list . "" "") }} ` + +#### Arguments + +list: +- Template context with .Values, .Chart, etc +- Container raw name +- Kubernetes semantic version + ## Enable Ds Eviction ### helm_lib_prevent_ds_eviction_annotation @@ -469,22 +487,6 @@ list: - Template context with .Values, .Chart, etc - Container name - -### helm_lib_csi_image_with_common_fallback - - returns image name from storage foundation module if enabled, otherwise from common module - -#### Usage - -`{{ include "helm_lib_csi_image_with_common_fallback" (list . "" "") }} ` - -#### Arguments - -list: -- Template context with .Values, .Chart, etc -- Container raw name -- Kubernetes semantic version - ## Module Ingress Class ### helm_lib_module_ingress_class diff --git a/charts/helm_lib/templates/_csi_controller.tpl b/charts/helm_lib/templates/_csi_controller.tpl index 95cd905..da0de1b 100644 --- a/charts/helm_lib/templates/_csi_controller.tpl +++ b/charts/helm_lib/templates/_csi_controller.tpl 
@@ -1,3 +1,43 @@ +{{- /* Usage: {{ include "helm_lib_csi_image_with_common_fallback" (list . "" "") }} */ -}} +{{- /* returns image name from storage foundation module if enabled, otherwise from common module */ -}} +{{- define "helm_lib_csi_image_with_common_fallback" }} + {{- $context := index . 0 }} {{- /* Template context with .Values, .Chart, etc */ -}} + {{- $rawContainerName := index . 1 | trimAll "\"" }} {{- /* Container raw name */ -}} + {{- $kubernetesSemVer := index . 2 }} {{- /* Kubernetes semantic version */ -}} + {{- $imageDigest := "" }} + {{- $registryBase := $context.Values.global.modulesImages.registry.base }} + {{- /* Try to get from storage foundation module if enabled */}} + {{- if $context.Values.global.enabledModules | has "storage-foundation" }} + {{- $registryBase = join "/" (list $registryBase "modules" "storage-foundation" ) }} + {{- $storageFoundationDigests := index $context.Values.global.modulesImages.digests "storageFoundation" | default dict }} + {{- $currentMinor := int $kubernetesSemVer.Minor }} + {{- $kubernetesMajor := int $kubernetesSemVer.Major }} + {{- /* Iterate from currentMinor down to 0: use offset from 0 to currentMinor, then calculate minorVersion = currentMinor - offset */}} + {{- range $offset := until (int (add $currentMinor 1)) }} + {{- if not $imageDigest }} + {{- $minorVersion := int (sub $currentMinor $offset) }} + {{- $containerName := join "" (list $rawContainerName "ForK8SGE" $kubernetesMajor $minorVersion) }} + {{- $digest := index $storageFoundationDigests $containerName | default "" }} + {{- if $digest }} + {{- $imageDigest = $digest }} + {{- end }} + {{- end }} + {{- end }} + {{- /* Fallback to base container name if no versioned image found (when minor reached 0) */}} + {{- if not $imageDigest }} + {{- $imageDigest = index $storageFoundationDigests $rawContainerName | default "" }} + {{- end }} + {{- /* Fallback to common module if storage foundation module is not enabled */}} + {{- else }} + {{- 
$containerName := join "" (list $rawContainerName $kubernetesSemVer.Major $kubernetesSemVer.Minor) }} + {{- $imageDigest = index $context.Values.global.modulesImages.digests "common" $containerName | default "" }} + {{- end }} + {{- if $imageDigest }} + {{- printf "%s@%s" $registryBase $imageDigest }} + {{- end }} +{{- end }} + + {{- define "attacher_resources" }} cpu: 10m memory: 25Mi diff --git a/charts/helm_lib/templates/_module_image.tpl b/charts/helm_lib/templates/_module_image.tpl index 418f59b..da797f5 100644 --- a/charts/helm_lib/templates/_module_image.tpl +++ b/charts/helm_lib/templates/_module_image.tpl 
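Review bot: With `storage-foundation` in `enabledModules`, `helm_lib_csi_image_with_common_fallback` never consults `digests.common`: if neither a `ForK8SGE<major><minor>` key nor the raw container name is present under `storageFoundation`, the helper returns an empty string. Callers test the result for emptiness, as `{{- if $driverRegistrarImage }}` does in `_csi_node.tpl`, so a missing digest entry can drop whatever that `if` guards from the rendered manifest without an error. The header comment should say so, for example `{{- /* returns an empty string when no digest is found; with storage-foundation enabled the common module is not consulted */ -}}`. Callers that cannot run without the image could call `fail` on an empty result. The code is moved unchanged from `_module_image.tpl`, so this is a documentation request rather than a regression.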
@@ -109,42 +109,3 @@ {{- $imageDigest := index $moduleMap $containerName | default "" }} {{- printf "%s" $imageDigest }} {{- end }} - -{{- /* Usage: {{ include "helm_lib_csi_image_with_common_fallback" (list . "" "") }} */ -}} -{{- /* returns image name from storage foundation module if enabled, otherwise from common module */ -}} -{{- define "helm_lib_csi_image_with_common_fallback" }} - {{- $context := index . 0 }} {{- /* Template context with .Values, .Chart, etc */ -}} - {{- $rawContainerName := index . 1 | trimAll "\"" }} {{- /* Container raw name */ -}} - {{- $kubernetesSemVer := index . 2 }} {{- /* Kubernetes semantic version */ -}} - {{- $imageDigest := "" }} - {{- $registryBase := $context.Values.global.modulesImages.registry.base }} - {{- /* Try to get from storage foundation module if enabled */}} - {{- if $context.Values.global.enabledModules | has "storage-foundation" }} - {{- $registryBase = join "/" (list $registryBase "modules" "storage-foundation" ) }} - {{- $storageFoundationDigests := index $context.Values.global.modulesImages.digests "storageFoundation" | default dict }} - {{- $currentMinor := int $kubernetesSemVer.Minor }} - {{- $kubernetesMajor := int $kubernetesSemVer.Major }} - {{- /* Iterate from currentMinor down to 0: use offset from 0 to currentMinor, then calculate minorVersion = currentMinor - offset */}} - {{- range $offset := until (int (add $currentMinor 1)) }} - {{- if not $imageDigest }} - {{- $minorVersion := int (sub $currentMinor $offset) }} - {{- $containerName := join "" (list $rawContainerName "ForK8SGE" $kubernetesMajor $minorVersion) }} - {{- $digest := index $storageFoundationDigests $containerName | default "" }} - {{- if $digest }} - {{- $imageDigest = $digest }} - {{- end }} - {{- end }} - {{- end }} - {{- /* Fallback to base container name if no versioned image found (when minor reached 0) */}} - {{- if not $imageDigest }} - {{- $imageDigest = index $storageFoundationDigests $rawContainerName | default "" }} - {{- end 
}} - {{- /* Fallback to common module if storage foundation module is not enabled */}} - {{- else }} - {{- $containerName := join "" (list $rawContainerName $kubernetesSemVer.Major $kubernetesSemVer.Minor) }} - {{- $imageDigest = index $context.Values.global.modulesImages.digests "common" $containerName | default "" }} - {{- end }} - {{- if $imageDigest }} - {{- printf "%s@%s" $registryBase $imageDigest }} - {{- end }} -{{- end }} From 234b60a82eac910245a3271ce1991e617800d3fd Mon Sep 17 00:00:00 2001 From: Sergey Kurkin Date: Tue, 23 Dec 2025 03:45:41 +0300 Subject: [PATCH 23/23] fix prometheus rules Signed-off-by: Sergey Kurkin --- charts/helm_lib/Chart.yaml | 2 +- .../templates/_monitoring_prometheus_rules.tpl | 10 +++++++--- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/charts/helm_lib/Chart.yaml b/charts/helm_lib/Chart.yaml index 5a720b9..ac355c4 100644 --- a/charts/helm_lib/Chart.yaml +++ b/charts/helm_lib/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 type: library name: deckhouse_lib_helm -version: 1.64.10 +version: 1.64.11 description: "Helm utils template definitions for Deckhouse modules." diff --git a/charts/helm_lib/templates/_monitoring_prometheus_rules.tpl b/charts/helm_lib/templates/_monitoring_prometheus_rules.tpl index 7aed8f9..20cabef 100644 --- a/charts/helm_lib/templates/_monitoring_prometheus_rules.tpl +++ b/charts/helm_lib/templates/_monitoring_prometheus_rules.tpl 
@@ -51,9 +51,10 @@ {{- $useObservabilityRules := has "observability.deckhouse.io/v1alpha1/ClusterObservabilityMetricsRulesGroup" $context.Values.global.discovery.apiVersions }} {{- if and $hasObservabilityModule $useObservabilityRules }} {{- range $idx, $group := $definitionStruct.Rules }} - {{- $_ := unset $group "name" }} - {{- $resourceName = $resourceName | replace "propagated-" "" }} - {{- $groupResourceName := printf "%s-%d" $resourceName $idx }} + {{- if $group.rules }} + {{- $_ := unset $group "name" }} + {{- $resourceName = $resourceName | replace "propagated-" "" }} + {{- $groupResourceName := printf "%s-%d" $resourceName $idx }} --- apiVersion: observability.deckhouse.io/v1alpha1 kind: {{ $propagated | ternary "ClusterObservabilityPropagatedMetricsRulesGroup" "ClusterObservabilityMetricsRulesGroup" }} @@ -62,8 +63,10 @@ metadata: {{- include "helm_lib_module_labels" (list $context (dict "app" "prometheus" "prometheus" "main" "component" "rules")) | nindent 2 }} spec: {{- $group | toYaml | nindent 2 }} + {{- end }} {{- end }} {{- else }} + {{- if $definitionStruct.Rules }} {{- $definition := $definitionStruct.Rules | toYaml }} --- apiVersion: monitoring.coreos.com/v1 @@ -75,6 +78,7 @@ metadata: spec: groups: {{- $definition | nindent 4 }} + {{- end }} {{- end }} {{- end }}
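Review bot: The two branches now filter differently: the observability branch skips each group whose `rules` is empty (`{{- if $group.rules }}`), while the `monitoring.coreos.com/v1` branch only checks that `$definitionStruct.Rules` is non-empty and would still emit a group that has no rules. If the intent is never to render empty groups, the else branch needs the same per-group filter; if not, a comment at each `if` should say why they differ. Skipping is silent in both branches, so a rules file that ends up empty (for instance after a templating mistake) yields no resource and no render error, and alert coverage can disappear unnoticed. A comment such as `{{- /* groups without rules are skipped on purpose; nothing is rendered for them */ -}}` at the new `if` would make that explicit. The enclosing define starts outside these hunks.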