Merge "Enable {priority,runtime}ClassName for Keystone" into stable/2024.1
diff --git a/charts/keystone/templates/cron-job-credential-rotate.yaml b/charts/keystone/templates/cron-job-credential-rotate.yaml
index 5906079..6fabd9d 100644
--- a/charts/keystone/templates/cron-job-credential-rotate.yaml
+++ b/charts/keystone/templates/cron-job-credential-rotate.yaml
@@ -70,6 +70,12 @@
labels:
{{ tuple $envAll "keystone" "credential-rotate" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 12 }}
spec:
+{{ with .Values.pod.priorityClassName.keystone_credential_rotate }}
+ priorityClassName: {{ . }}
+{{ end }}
+{{ with .Values.pod.runtimeClassName.keystone_credential_rotate }}
+ runtimeClassName: {{ . }}
+{{ end }}
serviceAccountName: {{ $serviceAccountName }}
initContainers:
{{ tuple $envAll "credential_rotate" $mounts_keystone_credential_rotate_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 12 }}
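Review bot: The two added fields are rendered unquoted (`priorityClassName: {{ . }}` and `runtimeClassName: {{ . }}`), so a class name that YAML reads as a number or boolean would reach the API server as a non-string and be rejected. Piping the value through quote keeps it a string whatever the operator supplies: `priorityClassName: {{ . | quote }}` and `runtimeClassName: {{ . | quote }}`. The same pattern is repeated in the hunks for cron-job-fernet-rotate.yaml, deployment-api.yaml and pod-rally-test.yaml. The pod spec these lines sit in starts and ends outside the hunk.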
diff --git a/charts/keystone/templates/cron-job-fernet-rotate.yaml b/charts/keystone/templates/cron-job-fernet-rotate.yaml
index a059f92..e911842 100644
--- a/charts/keystone/templates/cron-job-fernet-rotate.yaml
+++ b/charts/keystone/templates/cron-job-fernet-rotate.yaml
@@ -71,6 +71,12 @@
labels:
{{ tuple $envAll "keystone" "fernet-rotate" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 12 }}
spec:
+{{ with .Values.pod.priorityClassName.keystone_fernet_rotate }}
+ priorityClassName: {{ . }}
+{{ end }}
+{{ with .Values.pod.runtimeClassName.keystone_fernet_rotate }}
+ runtimeClassName: {{ . }}
+{{ end }}
serviceAccountName: {{ $serviceAccountName }}
{{ dict "envAll" $envAll "application" "fernet_rotate" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 10 }}
initContainers:
diff --git a/charts/keystone/templates/deployment-api.yaml b/charts/keystone/templates/deployment-api.yaml
index ee4e13c..36050a5 100644
--- a/charts/keystone/templates/deployment-api.yaml
+++ b/charts/keystone/templates/deployment-api.yaml
@@ -54,6 +54,12 @@
{{ dict "envAll" $envAll "podName" "keystone-api" "containerNames" (list "keystone-api") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
{{ dict "envAll" $envAll "application" "keystone" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+{{ with .Values.pod.priorityClassName.keystone_api }}
+ priorityClassName: {{ . }}
+{{ end }}
+{{ with .Values.pod.runtimeClassName.keystone_api }}
+ runtimeClassName: {{ . }}
+{{ end }}
serviceAccountName: {{ $serviceAccountName }}
affinity:
{{ tuple $envAll "keystone" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
diff --git a/charts/keystone/templates/pod-rally-test.yaml b/charts/keystone/templates/pod-rally-test.yaml
index ad5b23a..155dbae 100644
--- a/charts/keystone/templates/pod-rally-test.yaml
+++ b/charts/keystone/templates/pod-rally-test.yaml
@@ -42,6 +42,12 @@
{{ dict "envAll" $envAll "application" "test" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
nodeSelector:
{{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
+{{ with .Values.pod.priorityClassName.keystone_tests }}
+ priorityClassName: {{ . }}
+{{ end }}
+{{ with .Values.pod.runtimeClassName.keystone_tests }}
+ runtimeClassName: {{ . }}
+{{ end }}
serviceAccountName: {{ $serviceAccountName }}
initContainers:
{{ tuple $envAll "tests" $mounts_tests_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }}
diff --git a/charts/keystone/values.yaml b/charts/keystone/values.yaml
index 27e767c..c23a4ac 100644
--- a/charts/keystone/values.yaml
+++ b/charts/keystone/values.yaml
@@ -158,6 +158,18 @@
service: local_image_registry
pod:
+ priorityClassName:
+ keystone_api: null
+ keystone_tests: null
+ keystone_credential_rotate: null
+ keystone_fernet_rotate: null
+ db_sync: null
+ runtimeClassName:
+ keystone_api: null
+ keystone_tests: null
+ keystone_credential_rotate: null
+ keystone_fernet_rotate: null
+ db_sync: null
security_context:
keystone:
pod:
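Review bot: `db_sync` is added under both `priorityClassName` and `runtimeClassName`, but no template changed in this commit reads `.Values.pod.priorityClassName.db_sync` or `.Values.pod.runtimeClassName.db_sync`. Presumably the shared helm-toolkit db-sync job manifest consumes them; that is worth confirming, since the new tests assert on templates/job-db-sync.yaml. The block also lists only the API, tests, the two rotation cron jobs and db_sync, so any pod template not listed would stay on the default runtime even when an operator sets a sandboxed runtime class for the rest. If that scope is intended, a comment above the block would make it explicit, for example `# Per-component class names; null leaves the field unset. Pods not listed here keep the cluster defaults.`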
diff --git a/charts/patches/keystone/0001-Enable-priority-runtime-ClassName-for-Keystone.patch b/charts/patches/keystone/0001-Enable-priority-runtime-ClassName-for-Keystone.patch
new file mode 100644
index 0000000..3212d71
--- /dev/null
+++ b/charts/patches/keystone/0001-Enable-priority-runtime-ClassName-for-Keystone.patch
@@ -0,0 +1,107 @@
+From 9f293fef1eed2e6ef7aa372ad5a7c9293b11a15f Mon Sep 17 00:00:00 2001
+From: Dong Ma <dong.ma@vexxhost.com>
+Date: Mon, 10 Feb 2025 14:58:50 +0000
+Subject: [PATCH] Enable {priority,runtime}ClassName for Keystone
+
+---
+ keystone/templates/cron-job-credential-rotate.yaml | 6 ++++++
+ keystone/templates/cron-job-fernet-rotate.yaml | 6 ++++++
+ keystone/templates/deployment-api.yaml | 6 ++++++
+ keystone/templates/pod-rally-test.yaml | 6 ++++++
+ keystone/values.yaml | 12 ++++++++++++
+ 5 files changed, 36 insertions(+)
+
+diff --git a/keystone/templates/cron-job-credential-rotate.yaml b/keystone/templates/cron-job-credential-rotate.yaml
+index 59060796..6fabd9dd 100644
+--- a/keystone/templates/cron-job-credential-rotate.yaml
++++ b/keystone/templates/cron-job-credential-rotate.yaml
+@@ -70,6 +70,12 @@ spec:
+ labels:
+ {{ tuple $envAll "keystone" "credential-rotate" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 12 }}
+ spec:
++{{ with .Values.pod.priorityClassName.keystone_credential_rotate }}
++ priorityClassName: {{ . }}
++{{ end }}
++{{ with .Values.pod.runtimeClassName.keystone_credential_rotate }}
++ runtimeClassName: {{ . }}
++{{ end }}
+ serviceAccountName: {{ $serviceAccountName }}
+ initContainers:
+ {{ tuple $envAll "credential_rotate" $mounts_keystone_credential_rotate_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 12 }}
+diff --git a/keystone/templates/cron-job-fernet-rotate.yaml b/keystone/templates/cron-job-fernet-rotate.yaml
+index a059f929..e9118423 100644
+--- a/keystone/templates/cron-job-fernet-rotate.yaml
++++ b/keystone/templates/cron-job-fernet-rotate.yaml
+@@ -71,6 +71,12 @@ spec:
+ labels:
+ {{ tuple $envAll "keystone" "fernet-rotate" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 12 }}
+ spec:
++{{ with .Values.pod.priorityClassName.keystone_fernet_rotate }}
++ priorityClassName: {{ . }}
++{{ end }}
++{{ with .Values.pod.runtimeClassName.keystone_fernet_rotate }}
++ runtimeClassName: {{ . }}
++{{ end }}
+ serviceAccountName: {{ $serviceAccountName }}
+ {{ dict "envAll" $envAll "application" "fernet_rotate" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 10 }}
+ initContainers:
+diff --git a/keystone/templates/deployment-api.yaml b/keystone/templates/deployment-api.yaml
+index ee4e13c9..36050a5c 100644
+--- a/keystone/templates/deployment-api.yaml
++++ b/keystone/templates/deployment-api.yaml
+@@ -54,6 +54,12 @@ spec:
+ {{ dict "envAll" $envAll "podName" "keystone-api" "containerNames" (list "keystone-api") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+ spec:
+ {{ dict "envAll" $envAll "application" "keystone" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
++{{ with .Values.pod.priorityClassName.keystone_api }}
++ priorityClassName: {{ . }}
++{{ end }}
++{{ with .Values.pod.runtimeClassName.keystone_api }}
++ runtimeClassName: {{ . }}
++{{ end }}
+ serviceAccountName: {{ $serviceAccountName }}
+ affinity:
+ {{ tuple $envAll "keystone" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+diff --git a/keystone/templates/pod-rally-test.yaml b/keystone/templates/pod-rally-test.yaml
+index ad5b23a0..155dbae3 100644
+--- a/keystone/templates/pod-rally-test.yaml
++++ b/keystone/templates/pod-rally-test.yaml
+@@ -42,6 +42,12 @@ spec:
+ {{ dict "envAll" $envAll "application" "test" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
+ nodeSelector:
+ {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
++{{ with .Values.pod.priorityClassName.keystone_tests }}
++ priorityClassName: {{ . }}
++{{ end }}
++{{ with .Values.pod.runtimeClassName.keystone_tests }}
++ runtimeClassName: {{ . }}
++{{ end }}
+ serviceAccountName: {{ $serviceAccountName }}
+ initContainers:
+ {{ tuple $envAll "tests" $mounts_tests_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }}
+diff --git a/keystone/values.yaml b/keystone/values.yaml
+index 27e767cf..c23a4ac0 100644
+--- a/keystone/values.yaml
++++ b/keystone/values.yaml
+@@ -158,6 +158,18 @@ dependencies:
+ service: local_image_registry
+
+ pod:
++ priorityClassName:
++ keystone_api: null
++ keystone_tests: null
++ keystone_credential_rotate: null
++ keystone_fernet_rotate: null
++ db_sync: null
++ runtimeClassName:
++ keystone_api: null
++ keystone_tests: null
++ keystone_credential_rotate: null
++ keystone_fernet_rotate: null
++ db_sync: null
+ security_context:
+ keystone:
+ pod:
+--
+2.34.1
+
diff --git a/releasenotes/notes/keystone-priority-runtime-class-3d41226e8815f369.yaml b/releasenotes/notes/keystone-priority-runtime-class-3d41226e8815f369.yaml
new file mode 100644
index 0000000..81ffbc2
--- /dev/null
+++ b/releasenotes/notes/keystone-priority-runtime-class-3d41226e8815f369.yaml
@@ -0,0 +1,4 @@
+---
+features:
+ - The Keystone role now allows users to configure the ``priorityClassName`` and
+ the ``runtimeClassName`` for all of the different components of the service.
diff --git a/roles/keystone/tests/priorityclass_test.yaml b/roles/keystone/tests/priorityclass_test.yaml
new file mode 100644
index 0000000..2af620a
--- /dev/null
+++ b/roles/keystone/tests/priorityclass_test.yaml
@@ -0,0 +1,72 @@
+suite: priorityclass
+tests:
+ - it: should support not having a priority class
+ templates:
+ - templates/deployment-api.yaml
+ - templates/cron-job-credential-rotate.yaml
+ - templates/cron-job-fernet-rotate.yaml
+ - templates/pod-rally-test.yaml
+ - templates/job-db-sync.yaml
+ asserts:
+ - template: templates/deployment-api.yaml
+ documentIndex: 3
+ notExists:
+ path: spec.template.spec.priorityClassName
+ - template: templates/cron-job-credential-rotate.yaml
+ documentIndex: 3
+ notExists:
+ path: spec.jobTemplate.spec.template.spec.priorityClassName
+ - template: templates/cron-job-fernet-rotate.yaml
+ documentIndex: 3
+ notExists:
+ path: spec.jobTemplate.spec.template.spec.priorityClassName
+ - template: templates/pod-rally-test.yaml
+ documentIndex: 3
+ notExists:
+ path: spec.priorityClassName
+ - template: templates/job-db-sync.yaml
+ documentIndex: 3
+ notExists:
+ path: spec.template.spec.priorityClassName
+
+ - it: should support setting a priority class
+ templates:
+ - templates/deployment-api.yaml
+ - templates/cron-job-credential-rotate.yaml
+ - templates/cron-job-fernet-rotate.yaml
+ - templates/pod-rally-test.yaml
+ - templates/job-db-sync.yaml
+ set:
+ pod:
+ priorityClassName:
+ keystone_api: platform
+ keystone_tests: platform
+ keystone_credential_rotate: platform
+ keystone_fernet_rotate: platform
+ db_sync: platform
+ asserts:
+ - template: templates/deployment-api.yaml
+ documentIndex: 3
+ equal:
+ path: spec.template.spec.priorityClassName
+ value: platform
+ - template: templates/cron-job-credential-rotate.yaml
+ documentIndex: 5
+ equal:
+ path: spec.jobTemplate.spec.template.spec.priorityClassName
+ value: platform
+ - template: templates/cron-job-fernet-rotate.yaml
+ documentIndex: 5
+ equal:
+ path: spec.jobTemplate.spec.template.spec.priorityClassName
+ value: platform
+ - template: templates/pod-rally-test.yaml
+ documentIndex: 3
+ equal:
+ path: spec.priorityClassName
+ value: platform
+ - template: templates/job-db-sync.yaml
+ documentIndex: 3
+ equal:
+ path: spec.template.spec.priorityClassName
+ value: platform
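Review bot: In the "not having a priority class" test, the two cron-job asserts use `documentIndex: 3`, while the "setting a priority class" test finds the same CronJob at `documentIndex: 5`. Setting a value does not change the number of rendered documents, so index 3 is presumably a different resource, and `notExists` on `spec.jobTemplate.spec.template.spec.priorityClassName` would then pass no matter what the template renders. Use `documentIndex: 5` for both cron-job templates in the negative case, and consider adding an `isKind` assert with `of: CronJob` so that a shifted index fails loudly. roles/keystone/tests/runtimeclass_test.yaml has the same mismatch in its first test.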
diff --git a/roles/keystone/tests/runtimeclass_test.yaml b/roles/keystone/tests/runtimeclass_test.yaml
new file mode 100644
index 0000000..18db463
--- /dev/null
+++ b/roles/keystone/tests/runtimeclass_test.yaml
@@ -0,0 +1,72 @@
+suite: runtimeclass
+tests:
+ - it: should support not having a runtime class
+ templates:
+ - templates/deployment-api.yaml
+ - templates/cron-job-credential-rotate.yaml
+ - templates/cron-job-fernet-rotate.yaml
+ - templates/pod-rally-test.yaml
+ - templates/job-db-sync.yaml
+ asserts:
+ - template: templates/deployment-api.yaml
+ documentIndex: 3
+ notExists:
+ path: spec.template.spec.runtimeClassName
+ - template: templates/cron-job-credential-rotate.yaml
+ documentIndex: 3
+ notExists:
+ path: spec.jobTemplate.spec.template.spec.runtimeClassName
+ - template: templates/cron-job-fernet-rotate.yaml
+ documentIndex: 3
+ notExists:
+ path: spec.jobTemplate.spec.template.spec.runtimeClassName
+ - template: templates/pod-rally-test.yaml
+ documentIndex: 3
+ notExists:
+ path: spec.runtimeClassName
+ - template: templates/job-db-sync.yaml
+ documentIndex: 3
+ notExists:
+ path: spec.template.spec.runtimeClassName
+
+ - it: should support setting a runtime class
+ templates:
+ - templates/deployment-api.yaml
+ - templates/cron-job-credential-rotate.yaml
+ - templates/cron-job-fernet-rotate.yaml
+ - templates/pod-rally-test.yaml
+ - templates/job-db-sync.yaml
+ set:
+ pod:
+ runtimeClassName:
+ keystone_api: kata-clh
+ keystone_tests: kata-clh
+ keystone_credential_rotate: kata-clh
+ keystone_fernet_rotate: kata-clh
+ db_sync: kata-clh
+ asserts:
+ - template: templates/deployment-api.yaml
+ documentIndex: 3
+ equal:
+ path: spec.template.spec.runtimeClassName
+ value: kata-clh
+ - template: templates/cron-job-credential-rotate.yaml
+ documentIndex: 5
+ equal:
+ path: spec.jobTemplate.spec.template.spec.runtimeClassName
+ value: kata-clh
+ - template: templates/cron-job-fernet-rotate.yaml
+ documentIndex: 5
+ equal:
+ path: spec.jobTemplate.spec.template.spec.runtimeClassName
+ value: kata-clh
+ - template: templates/pod-rally-test.yaml
+ documentIndex: 3
+ equal:
+ path: spec.runtimeClassName
+ value: kata-clh
+ - template: templates/job-db-sync.yaml
+ documentIndex: 3
+ equal:
+ path: spec.template.spec.runtimeClassName
+ value: kata-clh