Add ofen-daemon resources: create ClusterRole, ClusterRoleBinding, DaemonSet, and ServiceAccount; update values.yaml for service account and image configurations

zeroalphat · zeroalphat · commit 3216a7ccce35 · 2025-08-06T13:33:28.000+09:00
Signed-off-by: zeroalphat &lt;taichi-takemura@cybozu.co.jp&gt;
diff --git a/charts/ofen/templates/ofen-daemon/clusterrole.yaml b/charts/ofen/templates/ofen-daemon/clusterrole.yaml
@@ -2,9 +2,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: ofend
-  labels:
-    app.kubernetes.io/part-of: ofend
+  name: {{ template "ofen.fullname" . }}-daemon-clusterrole
 rules:
 - apiGroups:
   - ""
diff --git a/charts/ofen/templates/ofen-daemon/clusterrole_binding.yaml b/charts/ofen/templates/ofen-daemon/clusterrole_binding.yaml
@@ -1,13 +1,11 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: ofend
-  labels:
-    app.kubernetes.io/part-of: ofend
+  name: {{ template "ofen.fullname" . }}-daemon-clusterrolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: ofend
+  name: {{ template "ofen.fullname" . }}-daemon-clusterrole
 subjects:
 - kind: ServiceAccount
   name: {{ .Values.serviceAccount.ofend.name }}
diff --git a/charts/ofen/templates/ofen-daemon/daemonset.yaml b/charts/ofen/templates/ofen-daemon/daemonset.yaml
@@ -1,22 +1,22 @@
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
-  name: ofend
+  name: ofend-daemon
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/part-of: ofen
-    app.kubernetes.io/name: ofend
+    app.kubernetes.io/component: daemon
+    app.kubernetes.io/name: {{ include "ofen.name" . }}-daemon
     {{- include "ofen.labels" . | nindent 4  }}
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/part-of: ofen
-      app.kubernetes.io/name: ofend
+      app.kubernetes.io/component: daemon
+      app.kubernetes.io/name: {{ include "ofen.name" . }}-daemon
   template:
     metadata:
       labels:
-        app.kubernetes.io/part-of: ofen
-        app.kubernetes.io/name: ofend
+        app.kubernetes.io/component: daemon
+        app.kubernetes.io/name: {{ include "ofen.name" . }}-daemon
     spec:
       containers:
         - name: ofend
diff --git a/charts/ofen/templates/ofen-daemon/service_account.yaml b/charts/ofen/templates/ofen-daemon/service_account.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    {{- include "ofen.labels" . | nindent 4 }}
+  name: {{ .Values.serviceAccount.daemon.name }}
+  namespace: {{ .Release.Namespace }}
diff --git a/charts/ofen/templates/ofend/service_account.yaml b/charts/ofen/templates/ofend/service_account.yaml
diff --git a/charts/ofen/values.yaml b/charts/ofen/values.yaml
@@ -7,20 +7,20 @@ controller:
   replicas: 2
 
   image:
-    # image.repository -- ofen-controller image repository to use.
+    # controller.image.repository -- ofen-controller image repository to use.
     repository: ghcr.io/cybozu-go/ofen
   
-    # image.pullPolicy -- ofen-controller image pulling policy.
+    # controller.image.pullPolicy -- ofen-controller image pulling policy.
     pullPolicy: IfNotPresent
   
-    # image.tag -- ofen-controller image tag to use.
+    # controller.image.tag -- ofen-controller image tag to use.
     # @default -- `{{ .Chart.AppVersion }}`
     tag:  # 0.1.0
   
-  # imagePullSecrets -- Secrets for pulling ofen-controller image from private repository.
+  # controller.imagePullSecrets -- Secrets for pulling ofen-controller image from private repository.
   imagePullSecrets: []
 
-  # controller.resources -- Specify resources.
+  # controller.resources -- Resource requests and limits for the ofen-controller deployment.
   resources:
     requests:
       cpu: 100m
@@ -31,42 +31,43 @@ controller:
 
 daemon:
   image:
-    # image.repository -- ofend image repository to use.
+    # daemon.image.repository -- ofen-daemon image repository to use.
     repository: ghcr.io/cybozu-go/ofend
   
-    # image.pullPolicy -- ofend image pulling policy.
+    # daemon.image.pullPolicy -- ofen-daemon image pulling policy.
     pullPolicy: IfNotPresent
   
-    # image.tag -- ofend image tag to use.
+    # daemon.image.tag -- ofen-daemon image tag to use.
     # @default -- `{{ .Chart.AppVersion }}`
     tag:  # 0.1.0
 
-  # imagePullSecrets -- Secrets for pulling ofend image from private repository.
+  # daemon.imagePullSecrets -- Secrets for pulling ofen-daemon image from private repository.
   imagePullSecrets: []
 
-  # resources -- resources used by ofend.
+  # daemon.resources -- resources used by ofen-daemon.
   resources:
     requests:
       cpu: 100m
       memory: 20Mi
 
-  # extraArgs -- Additional command line flags to pass to ofend binary.
+  # daemon.extraArgs -- Additional command line flags to pass to ofen-daemon binary.
   extraArgs: []
-  
-  # containerdSockPath -- Path to the containerd socket.
+ 
+  # daemon.containerdSockPath -- Path to the containerd socket.
   containerdSockPath: /run/containerd/containerd.sock
   
-  # containerdHostDirPath -- Path to the host directory for containerd.
+  # daemon.containerdHostDirPath -- Path to the host directory for containerd.
   containerdHostDirPath: /etc/containerd/certs.d
 
 serviceAccount:
   controller:
-    # serviceAccount.ofen.name -- Name of the ServiceAccount for ofen-controller.
+    # serviceAccount.controller.name -- Name of the ServiceAccount for ofen-controller.
     name: ofen-controller
   
-  ofend:
-    # serviceAccount.ofend.name -- Name of the ServiceAccount for ofend DaemonSet
-    name: ofend-daemon
+  daemon:
+    # serviceAccount.daemon.name -- Name of the ServiceAccount for ofen-daemon DaemonSet
+    name: ofen-daemon
 
 vap:
-  enabled: true
+  # vap.enabled -- Enable ValidatingAdmissionPolicy for enhanced security.
+  enabled: false
