feat(review): apply post review suggestions

Author: jastBytes

charts/internal/seed-controlplane/charts/stackit-pod-identity-webhook/Chart.yaml

@@ -1,3 +1,3 @@
 apiVersion: v1
-name: stackit-pod-identity-webhook
+name: pod-identity-webhook
 version: 0.1.0

charts/internal/seed-controlplane/charts/stackit-pod-identity-webhook/templates/deployment.yaml

@@ -1,43 +1,66 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ include "stackit-pod-identity-webhook.fullname" . }}
+  name: stackit-pod-identity-webhook
   namespace: {{ .Release.Namespace }}
   labels:
-    {{- include "stackit-pod-identity-webhook.labels" . | nindent 4 }}
+    app.kubernetes.io/name: stackit-pod-identity-webhook
+    high-availability-config.resources.gardener.cloud/type: server
 spec:
   replicas: {{ .Values.replicaCount }}
   selector:
     matchLabels:
-      {{- include "stackit-pod-identity-webhook.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/name: stackit-pod-identity-webhook
   template:
     metadata:
       labels:
-        {{- include "stackit-pod-identity-webhook.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/name: stackit-pod-identity-webhook
         workload-identity.stackit.cloud/skip-pod-identity-webhook: "true"
         gardener.cloud/role: controlplane
-        high-availability-config.resources.gardener.cloud/type: controller
         networking.gardener.cloud/to-dns: allowed
-        networking.gardener.cloud/to-public-networks: allowed
-        networking.gardener.cloud/to-private-networks: allowed
         networking.resources.gardener.cloud/to-kube-apiserver-tcp-443: allowed
     spec:
-      serviceAccountName: {{ .Values.serviceAccount.name | default (include "stackit-pod-identity-webhook.fullname" .) }}
-      {{- with .Values.podSecurityContext }}
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: "topology.kubernetes.io/zone"
+          whenUnsatisfiable: DoNotSchedule 
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: stackit-pod-identity-webhook
+        - maxSkew: 1
+          topologyKey: "kubernetes.io/hostname"
+          whenUnsatisfiable: ScheduleAnyway
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: stackit-pod-identity-webhook
+      automountServiceAccountToken: false
+      podSecurityContext:
+        runAsNonRoot: true
+        runAsUser: 1239
+        runAsGroup: 1239
+        fsGroup: 1239
       securityContext:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      priorityClassName: {{ .Values.priorityClassName }}
+        allowPrivilegeEscalation: false
+        capabilities:
+          drop:
+          - ALL
+        readOnlyRootFilesystem: true
+      priorityClassName: gardener-system-200
       containers:
-        - name: {{ .Chart.Name }}
-          {{- with .Values.containerSecurityContext }}
+        - name: stackit-pod-identity-webhook
           securityContext:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - ALL
+            readOnlyRootFilesystem: true
           image: {{ index .Values.images "stackit-pod-identity-webhook" }}
           args:
             - --cert-dir=/etc/webhook/certs
             - --port={{ .Values.webhook.port }}
+          env:
+          - name: KUBECONFIG
+            value: /var/run/secrets/gardener.cloud/shoot/generic-kubeconfig/kubeconfig
           ports:
             - name: https
               containerPort: {{ .Values.webhook.port }}
@@ -57,24 +80,35 @@ spec:
               path: /readyz
               port: health
           resources:
-            {{- toYaml .Values.resources | nindent 12 }}
+              limits:
+                memory: 128Mi
+              requests:
+                cpu: 50m
+                memory: 64Mi
           volumeMounts:
             - name: certs
               mountPath: /etc/webhook/certs
               readOnly: true
+            - mountPath: /var/run/secrets/gardener.cloud/shoot/generic-kubeconfig
+              name: kubeconfig
+              readOnly: true
       volumes:
         - name: certs
           secret:
             secretName: {{ .Values.webhook.tlsSecretName }}
-      {{- with .Values.nodeSelector }}
-      nodeSelector:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.affinity }}
-      affinity:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
+        - name: kubeconfig
+          projected:
+            defaultMode: 420
+            sources:
+            - secret:
+                items:
+                  - key: kubeconfig
+                    path: kubeconfig
+                name: {{ .Values.global.genericTokenKubeconfigSecretName }}
+                optional: false
+            - secret:
+                items:
+                  - key: token
+                    path: token
+                name: shoot-access-pod-identity-webhook
+                optional: false

charts/internal/seed-controlplane/charts/stackit-pod-identity-webhook/templates/helpers.tpl

@@ -1,13 +1,13 @@
 apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
-  name: {{ include "stackit-pod-identity-webhook.fullname" . }}
+  name: stackit-pod-identity-webhook
   namespace: {{ .Release.Namespace }}
   labels:
-    {{- include "stackit-pod-identity-webhook.labels" . | nindent 4 }}
+    app.kubernetes.io/name: stackit-pod-identity-webhook
 spec:
   maxUnavailable: 1
   selector:
     matchLabels:
-      {{- include "stackit-pod-identity-webhook.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/name: stackit-pod-identity-webhook
   unhealthyPodEvictionPolicy: AlwaysAllow

charts/internal/seed-controlplane/charts/stackit-pod-identity-webhook/templates/poddisruptionbudget.yaml

@@ -1,18 +1,21 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ include "stackit-pod-identity-webhook.fullname" . }}
+  name: stackit-pod-identity-webhook
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ .Chart.Name }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/name: stackit-pod-identity-webhook
+    endpoint-slice-hints.resources.gardener.cloud/consider: "true"
+  annotations:
+    networking.resources.gardener.cloud/from-all-webhook-targets-allowed-ports: '[{"protocol":"TCP","port":{{ .Values.webhook.port }}}]'
+    service.kubernetes.io/topology-mode: auto
 spec:
-  type: {{ .Values.service.type }}
+  type: ClusterIP
   ports:
-    - port: {{ .Values.service.port }}
-      targetPort: {{ .Values.service.targetPort }}
+    - port: 443
+      targetPort: {{ .Values.webhook.port }}
       protocol: TCP
       name: https
   selector:
-    app.kubernetes.io/name: {{ .Chart.Name }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/name: stackit-pod-identity-webhook
+  trafficDistribution: PreferClose

charts/internal/seed-controlplane/charts/stackit-pod-identity-webhook/templates/rbac.yaml

@@ -0,0 +1,21 @@
+apiVersion: autoscaling.k8s.io/v1
+kind: VerticalPodAutoscaler
+metadata:
+  name: stackit-pod-identity-webhook
+  namespace: {{ .Release.Namespace }}
+spec:
+  targetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: stackit-pod-identity-webhook
+  updatePolicy:
+    updateMode: Auto
+  resourcePolicy:
+    containerPolicies:
+    - containerName: stackit-pod-identity-webhook
+      minAllowed:
+        memory: 80M
+      maxAllowed:
+        cpu: {{ .Values.vpa.resourcePolicy.maxAllowed.cpu }}
+        memory: {{ .Values.vpa.resourcePolicy.maxAllowed.memory }}
+      controlledValues: RequestsOnly

charts/internal/seed-controlplane/charts/stackit-pod-identity-webhook/templates/service.yaml

@@ -1,55 +1,15 @@
 replicaCount: 2
 
-# String to override the name for the chart
-nameOverride: ""
-# String to fully override the fullname of the chart
-fullnameOverride: ""
+images:
+  stackit-pod-identity-webhook: image-repository:image-tag
 
 webhook:
   port: 9443
   # The secret name containing tls.crt and tls.key for the webhook server
-  # If certmanager.enabled is true, this secret will be created by cert-manager
   tlsSecretName: "stackit-pod-identity-webhook-certs"
 
-service:
-  type: ClusterIP
-  port: 443
-  targetPort: 9443
-
-resources:
-  limits:
-    memory: 128Mi
-  requests:
-    cpu: 50m
-    memory: 64Mi
-
-serviceAccount:
-  create: true
-  annotations: {}
-  name: "stackit-pod-identity-webhook"
-
-# PodSecurityContext holds pod-level security attributes and common container settings.
-podSecurityContext:
-  runAsNonRoot: true
-  runAsUser: 1239
-  runAsGroup: 1239
-  fsGroup: 1239
-
-# SecurityContext holds security configuration that will be applied to a container.
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-    - ALL
-  readOnlyRootFilesystem: true
-
-# NodeSelector is a selector which must be true for the pod to fit on a node.
-nodeSelector: {}
-
-# Tolerations are applied to pods, and allow (but do not require) the pods to schedule onto nodes with matching taints.
-tolerations: []
-
-# Affinity is a group of affinity scheduling rules.
-affinity: {}
-
-priorityClassName: gardener-system-300
+vpa:
+  resourcePolicy:
+    maxAllowed:
+      cpu: 1
+      memory: 512Mi

charts/internal/seed-controlplane/charts/stackit-pod-identity-webhook/templates/vpa.yaml

@@ -19,3 +19,6 @@ dependencies:
   repository: http://localhost:10191
   version: 0.1.0
   condition: stackit-alb-controller-manager.enabled
+- name: pod-identity-webhook
+  repository: http://localhost:10191
+  version: 0.1.0

charts/internal/seed-controlplane/charts/stackit-pod-identity-webhook/values.yaml

@@ -1,3 +1,3 @@
 apiVersion: v1
-name: stackit-pod-identity-webhook
+name: pod-identity-webhook
 version: 0.1.0