Support envfrom secret #94

Open
wants to merge 2 commits into
base: main
4 changes: 2 additions & 2 deletions chart/pyroscope/Chart.yaml
Expand Up @@ -2,5 +2,5 @@ apiVersion: v2
name: pyroscope
description: A Helm chart for Pyroscope
type: application
version: 0.2.37
appVersion: "0.11.1"
version: 0.2.38
appVersion: "0.11.2"
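Review bot: The `appVersion` bump from "0.11.1" to "0.11.2" is unrelated to the envFrom feature and nothing else in this PR follows it: the README values table still lists the `image.tag` default as `"0.11.1"`, and the values.yaml change is only the two added `envFrom` lines. Either keep this PR to the chart `version: 0.2.38` bump, or update `image.tag` in the same change so the chart metadata and the deployed image agree.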
121 changes: 61 additions & 60 deletions chart/pyroscope/README.md
@@ -1,6 +1,6 @@
# pyroscope

![Version: 0.2.37](https://img.shields.io/badge/Version-0.2.37-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.11.1](https://img.shields.io/badge/AppVersion-0.11.1-informational?style=flat-square)
![Version: 0.2.38](https://img.shields.io/badge/Version-0.2.38-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.11.1](https://img.shields.io/badge/AppVersion-0.11.2-informational?style=flat-square)

A Helm chart for Pyroscope

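Review bot: The AppVersion badge on the added line disagrees with itself: the alt text still reads `AppVersion: 0.11.1` while the shields.io URL renders `AppVersion-0.11.2`. Change the alt text to 0.11.2 (or revert the URL, if the appVersion bump is dropped) so both halves match Chart.yaml.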
Expand Down Expand Up @@ -48,62 +48,63 @@ Please refer to [the documentation](https://pyroscope.io/docs/server-configurati

## Values

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| affinity | object | `{}` | Affinity settings for pod assignment |
| deploymentStrategy | object | `{"type":"Recreate"}` | Deployment strategy |
| env | object | `{}` | Extra environment variables |
| extraLabels | object | `{}` | Extra common labels for all resources |
| extraVolumeMounts | list | `[]` | Additional volume mounts for pyroscope server container |
| extraVolumes | list | `[]` | Additional volumes |
| fullnameOverride | string | `""` | Defaults to .Release.Name-.Chart.Name unless .Release.Name contains "pyroscope" |
| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
| image.repository | string | `"pyroscope/pyroscope"` | image to use for deploying |
| image.tag | string | `"0.11.1"` | Tag for pyroscope image to use |
| imagePullSecrets | list | `[]` | Image pull secrets |
| ingress.annotations | object | `{}` | Ingress annotations (values are templated) |
| ingress.className | string | `""` | Ingress class name |
| ingress.enabled | bool | `false` | Enables Ingress |
| ingress.hosts | list | `[{"host":"chart-example.local","paths":[{"path":"/","pathType":"Prefix"}]}]` | Ingress accepted hostnames |
| ingress.rules | list | `[]` | Ingress custom rules. Take precedence over chart built-ins. |
| ingress.tls | list | `[]` | Ingress TLS configuration |
| livenessProbe.enabled | bool | `true` | Enable Pyroscope server liveness |
| livenessProbe.failureThreshold | int | `3` | Pyroscope server liveness check failure threshold |
| livenessProbe.httpGet.path | string | `"/healthz"` | Pyroscope server liveness check path |
| livenessProbe.httpGet.port | int | `4040` | Pyroscope server liveness check port |
| livenessProbe.initialDelaySeconds | int | `30` | Pyroscope server liveness check intial delay in seconds |
| livenessProbe.periodSeconds | int | `15` | Pyroscope server liveness check frequency in seconds |
| livenessProbe.successThreshold | int | `1` | Pyroscope server liveness check success threshold |
| livenessProbe.timeoutSeconds | int | `30` | Pyroscope server liveness check request timeout |
| nameOverride | string | `""` | Defaults to .Chart.Name |
| nodeSelector | object | `{}` | Node labels for pod assignment |
| persistence.accessModes | list | `["ReadWriteOnce"]` | Persistence access modes |
| persistence.enabled | bool | `false` | Use persistent volume to store data |
| persistence.finalizers | list | `["kubernetes.io/pvc-protection"]` | PersistentVolumeClaim finalizers |
| persistence.size | string | `"10Gi"` | Size of persistent volume claim |
| podAnnotations | object | `{}` | Pod annotations |
| podSecurityContext | object | `{"fsGroup":101}` | Pod securityContext |
| pyroscopeConfigs | object | `{}` | Pyroscope server configuration. Please refer to https://pyroscope.io/docs/server-configuration |
| rbac.clusterRole.annotations | object | `{}` | Cluster role annotations |
| rbac.clusterRole.extraRules | list | `[]` | Extra rules for created cluster role |
| rbac.clusterRole.name | string | `""` | Cluster role name. If not set, the fully qualified app name is used |
| rbac.clusterRoleBinding.annotations | object | `{}` | Cluster role binding annotations |
| rbac.clusterRoleBinding.name | string | `""` | Cluster role binding name. If not set, the fully qualified app name is used |
| rbac.create | bool | `false` | Creates Pyroscope cluster role and binds service account to it; requires service account to be created |
| readinessProbe.enabled | bool | `true` | Enable Pyroscope server readiness |
| readinessProbe.failureThreshold | int | `3` | Pyroscope server readiness check failure threshold count |
| readinessProbe.httpGet.path | string | `"/healthz"` | Pyroscope server readiness check path |
| readinessProbe.httpGet.port | int | `4040` | Pyroscope server readiness check port |
| readinessProbe.initialDelaySeconds | int | `30` | Pyroscope server readiness initial delay in seconds |
| readinessProbe.periodSeconds | int | `5` | Pyroscope server readiness check frequency in seconds |
| readinessProbe.successThreshold | int | `1` | Pyroscope server readiness check success threshold count |
| readinessProbe.timeoutSeconds | int | `30` | Pyroscope server readiness check request timeout |
| resources | object | `{}` | CPU/Memory resource requests/limits |
| securityContext | object | `{}` | Deployment securityContext |
| service.annotations | object | `{}` | Service annotations |
| service.port | int | `4040` | Kubernetes port where service is exposed |
| service.type | string | `"ClusterIP"` | Specify a service type |
| serviceAccount.annotations | object | `{}` | ServiceAccount annotations |
| serviceAccount.create | bool | `true` | Create service account |
| serviceAccount.name | string | `""` | Service account name to use, when empty will be set to created account if serviceAccount.create is set else to default |
| tolerations | list | `[]` | Toleration labels for pod assignment |
| Key | Type | Default | Description |
|-------------------------------------|------|---------|-------------------------------------------------------------------------------------------------------------------------------|
| affinity | object | `{}` | Affinity settings for pod assignment |
| deploymentStrategy | object | `{"type":"Recreate"}` | Deployment strategy |
| env | object | `{}` | Extra environment variables |
| envFrom | object | `{}` | Extra environment variables from secret, create secret "{{YOUR CHART FULLNAME}}-env-secret" under same namspace before use it |
| extraLabels | object | `{}` | Extra common labels for all resources |
| extraVolumeMounts | list | `[]` | Additional volume mounts for pyroscope server container |
| extraVolumes | list | `[]` | Additional volumes |
| fullnameOverride | string | `""` | Defaults to .Release.Name-.Chart.Name unless .Release.Name contains "pyroscope" |
| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
| image.repository | string | `"pyroscope/pyroscope"` | image to use for deploying |
| image.tag | string | `"0.11.1"` | Tag for pyroscope image to use |
| imagePullSecrets | list | `[]` | Image pull secrets |
| ingress.annotations | object | `{}` | Ingress annotations (values are templated) |
| ingress.className | string | `""` | Ingress class name |
| ingress.enabled | bool | `false` | Enables Ingress |
| ingress.hosts | list | `[{"host":"chart-example.local","paths":[{"path":"/","pathType":"Prefix"}]}]` | Ingress accepted hostnames |
| ingress.rules | list | `[]` | Ingress custom rules. Take precedence over chart built-ins. |
| ingress.tls | list | `[]` | Ingress TLS configuration |
| livenessProbe.enabled | bool | `true` | Enable Pyroscope server liveness |
| livenessProbe.failureThreshold | int | `3` | Pyroscope server liveness check failure threshold |
| livenessProbe.httpGet.path | string | `"/healthz"` | Pyroscope server liveness check path |
| livenessProbe.httpGet.port | int | `4040` | Pyroscope server liveness check port |
| livenessProbe.initialDelaySeconds | int | `30` | Pyroscope server liveness check intial delay in seconds |
| livenessProbe.periodSeconds | int | `15` | Pyroscope server liveness check frequency in seconds |
| livenessProbe.successThreshold | int | `1` | Pyroscope server liveness check success threshold |
| livenessProbe.timeoutSeconds | int | `30` | Pyroscope server liveness check request timeout |
| nameOverride | string | `""` | Defaults to .Chart.Name |
| nodeSelector | object | `{}` | Node labels for pod assignment |
| persistence.accessModes | list | `["ReadWriteOnce"]` | Persistence access modes |
| persistence.enabled | bool | `false` | Use persistent volume to store data |
| persistence.finalizers | list | `["kubernetes.io/pvc-protection"]` | PersistentVolumeClaim finalizers |
| persistence.size | string | `"10Gi"` | Size of persistent volume claim |
| podAnnotations | object | `{}` | Pod annotations |
| podSecurityContext | object | `{"fsGroup":101}` | Pod securityContext |
| pyroscopeConfigs | object | `{}` | Pyroscope server configuration. Please refer to https://pyroscope.io/docs/server-configuration |
| rbac.clusterRole.annotations | object | `{}` | Cluster role annotations |
| rbac.clusterRole.extraRules | list | `[]` | Extra rules for created cluster role |
| rbac.clusterRole.name | string | `""` | Cluster role name. If not set, the fully qualified app name is used |
| rbac.clusterRoleBinding.annotations | object | `{}` | Cluster role binding annotations |
| rbac.clusterRoleBinding.name | string | `""` | Cluster role binding name. If not set, the fully qualified app name is used |
| rbac.create | bool | `false` | Creates Pyroscope cluster role and binds service account to it; requires service account to be created |
| readinessProbe.enabled | bool | `true` | Enable Pyroscope server readiness |
| readinessProbe.failureThreshold | int | `3` | Pyroscope server readiness check failure threshold count |
| readinessProbe.httpGet.path | string | `"/healthz"` | Pyroscope server readiness check path |
| readinessProbe.httpGet.port | int | `4040` | Pyroscope server readiness check port |
| readinessProbe.initialDelaySeconds | int | `30` | Pyroscope server readiness initial delay in seconds |
| readinessProbe.periodSeconds | int | `5` | Pyroscope server readiness check frequency in seconds |
| readinessProbe.successThreshold | int | `1` | Pyroscope server readiness check success threshold count |
| readinessProbe.timeoutSeconds | int | `30` | Pyroscope server readiness check request timeout |
| resources | object | `{}` | CPU/Memory resource requests/limits |
| securityContext | object | `{}` | Deployment securityContext |
| service.annotations | object | `{}` | Service annotations |
| service.port | int | `4040` | Kubernetes port where service is exposed |
| service.type | string | `"ClusterIP"` | Specify a service type |
| serviceAccount.annotations | object | `{}` | ServiceAccount annotations |
| serviceAccount.create | bool | `true` | Create service account |
| serviceAccount.name | string | `""` | Service account name to use, when empty will be set to created account if serviceAccount.create is set else to default |
| tolerations | list | `[]` | Toleration labels for pod assignment |
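Review bot: The new `envFrom` row misspells "namespace" as "namspace" and does not say what the object's keys and values mean. Going by the deployment template, each key becomes the variable name and each value is the key looked up inside the `-env-secret` Secret, so the description should state that, and should mention that the pod will not start when the Secret is missing because the reference is not marked optional. Separately, every row of the table is rewritten only to widen the separator for one added row; keeping the original column formatting would turn this into a one-line diff that is much easier to review.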
22 changes: 22 additions & 0 deletions chart/pyroscope/templates/deployment.yaml
Expand Up @@ -37,12 +37,34 @@ spec:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- $fullName := include "pyroscope.fullname" . -}}
{{- if .Values.env }}
env:
{{- range $k, $v := .Values.env }}
- name: {{ $k }}
value: {{ $v }}
{{- end }}
{{- if .Values.envFrom }}
{{- range $key, $val := .Values.envFrom }}
- name: {{ $key }}
valueFrom:
secretKeyRef:
name: {{ $fullName }}-env-secret
key: {{ $val }}
{{- end }}
{{- end }}
{{- end }}
{{- if empty .Values.env }}
{{- if .Values.envFrom }}
env:
{{- range $key, $val := .Values.envFrom }}
- name: {{ $key }}
valueFrom:
secretKeyRef:
name: {{ $fullName }}-env-secret
key: {{ $val }}
{{- end }}
{{- end }}
Comment on lines +40 to +67
Member

I think envFrom might be misleading as there is a k8s directive with the same name already that works slightly differently. Please consider changing .Values.envFrom to .Values.envVars.

Also, it might be better to require a user to provide the full structure rather than forcing them to use predefined secret names like pyroscope-env-secret and to not limit them to the secretKeyRef env var source (there are three more of them).

For example (I didn't test it):

values.yaml:

      env:
         KEY: value
      envVars:
      - name: SECRET_USERNAME
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: username
            optional: false
      - name: SECRET_PASSWORD
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: password
            optional: true

deployment.yaml:

           {{- if or .Values.env .Values.envVars }}
           env:
           {{- range $k, $v := .Values.env }}
             - name: {{ $k }}
               value: {{ $v }}
           {{- end }}
           {{- with .Values.envVars }}
           {{- toYaml . | nindent 12 }} # Not sure about indent
           {{- end }}
           {{- end }}

Author

Sure, it is better to not limit them to the secretKeyRef env var source. I will update to use toYaml.

{{- end }}
ports:
- name: api
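Review bot: In both added `range` loops over `.Values.envFrom`, `name: {{ $key }}` and `key: {{ $val }}` are emitted unquoted, so a value that looks like a number or boolean renders as a non-string and the manifest fails validation; pipe both through `quote`. The loop is also copied verbatim into the `if .Values.env` and `if empty .Values.env` branches, which a single `{{- if or .Values.env .Values.envFrom }}` guard around one `env:` key would avoid. Finally, the Secret name is fixed to `{{ $fullName }}-env-secret` with no `optional` field, so a release installed before that Secret exists leaves the container unable to start; either let the user supply the Secret name or document the ordering requirement next to the value.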
2 changes: 2 additions & 0 deletions chart/pyroscope/values.yaml
Expand Up @@ -191,6 +191,8 @@ extraVolumeMounts: []
# -- Extra environment variables
env: {}

envFrom: {}
Member

It would be great to have a comment here explaining to users the difference from env and which option is preferable in a particular case (e.g. if one wants to protect sensitive variables).


rbac:
# -- Creates Pyroscope cluster role and binds service account to it; requires service account to be created
create: false
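Review bot: `envFrom: {}` is added without the `# -- ` description line that `env` directly above it and `rbac.create` below it both carry, so the description shown in the README row has no source in this file. Add a `# -- ` line that states the expected shape (variable name mapped to a key in the `-env-secret` Secret) and that the Secret must already exist in the release namespace.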