feat(minio): add podLabels, serviceAccount and priorityClass to post-job #1217
Closed
ixxeL2097 wants to merge 7 commits into CloudPirates-io:main from
…on (#5)

Add a Python script and GitHub Action for generating scoped changelogs per Helm chart in a monorepo. Addresses CloudPirates-io#844.

Script (scripts/generate-changelog.py):
- CLI powered by click with subcommands: generate, release-notes, list, inspect
- Path-filtered commits (only changes touching the chart directory)
- Version grouping from Chart.yaml at each commit
- Noise filtering (changelog updates, merge commits)
- Empty bump detection (version-only changes)
- Conventional commit classification
- PR linking to GitHub

GitHub Action (.github/actions/generate-changelog):
- Two modes: generate (CHANGELOG.md files) and release-notes (single version for GitHub Release body)
- Auto-detects repo URL, fetches full history
- Outputs changed charts list and release notes file path

Workflow (.github/workflows/changelog.yaml):
- Triggers on push to main when charts/ change
- Detects unreleased chart versions (no matching git tag)
- Generates release notes and creates GitHub Release with tag per chart
- Matrix strategy for parallel releases
- Manual dispatch with dry-run support

Co-authored-by: Frederic Spiers <frederic.spiers@gitguardian.com>

…e workflow

Replace the changelog-update job (committed CHANGELOG.md files) with a post-release step that updates GitHub Release notes via gh release edit.

Changes to changelog-and-release.yaml:
- Remove changelog-update job entirely (no more bot commits)
- Remove workflow_dispatch inputs for changelog regeneration
- Add 'Install tools' step (python + click + gitpython + pyyaml)
- Add 'Update release notes with scoped changelog' step after OCI push
- Sanitize all github.event.inputs via env vars (injection prevention)

Remove standalone changelog.yaml workflow (superseded).

The flow is now: detect → chart-releaser (tag + release + package) → OCI push + cosign → update release notes with scoped changelog.

Single replica means downtime during pod restarts or node drains. Default to 2 replicas for basic HA out of the box. Co-authored-by: Frederic Spiers <frederic.spiers@gitguardian.com>
Allow the pipeline to pass on forks without registry secrets. Steps that require credentials (registry login, OCI push, cosign) now use continue-on-error: true. The critical steps (detect, chart-releaser, release notes) still fail normally.
…tion (#9) Without internalTrafficPolicy: Local, traffic may be routed to nginx pods on other nodes, losing the client source IP. Setting it to Local ensures traffic stays on the same node, preserving X-Forwarded-For. Co-authored-by: Frederic Spiers <frederic.spiers@gitguardian.com>
The post-job (bucket initialization) template was missing several features compared to the Deployment template:
- podLabels injection (needed for ArgoCD / service mesh sidecar control)
- commonLabels propagation to pod template (minio.labels instead of minio.selectorLabels)
- serviceAccountName (needed for IRSA/Workload Identity)
- priorityClassName support
Signed-off-by: cloudpirates-bot <cloudpirates-bot@users.noreply.github.com>
Summary
The post-job (bucket initialization) template is missing several features that the Deployment template already supports. This creates issues for users deploying with ArgoCD, service meshes (Istio), or using Workload Identity.
Changes
- bucketInitJob.podLabels — new value to inject custom labels into the job's pod spec (e.g. sidecar.istio.io/inject: "false")
- commonLabels propagation — pod template now uses minio.labels instead of minio.selectorLabels, so commonLabels are propagated to job pods (needed for network policies, Kyverno/OPA)
- serviceAccountName — the job now uses the chart's ServiceAccount (needed for IRSA/Workload Identity)
- priorityClassName — support priority class on the job pods
- 0.11.0 → 0.12.0
- values.schema.json
Motivation
Reported by a customer deploying on OpenShift with ArgoCD:
podLabels values set under bucketInitJob were not rendered in the pod spec because the template didn't consume them.
Test plan
- helm unittest charts/minio/ — all tests pass
- helm lint charts/minio/ — no errors
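
An added example, not part of the pull request or the chart: a small audit over a rendered Job (parsed into a dict) that checks the four pod-template fields listed under Changes. The two manifests, the job name, the `team: storage` label, the `demo-minio` ServiceAccount and the `batch-low` priority class are constructed sample values.

```python
# Added example: audit a rendered batch/v1 Job for the pod-template fields
# described above. All manifests and names here are constructed samples.

def audit_job(job, required_labels, service_account, priority_class=None):
    """Return a list of findings for one rendered Job manifest (as a dict)."""
    tpl = job.get("spec", {}).get("template", {})
    labels = tpl.get("metadata", {}).get("labels") or {}
    pod = tpl.get("spec", {})
    findings = []
    # Labels that network policies or admission rules (Kyverno/OPA) match on
    # must be on the pod template, not only on the Job object itself.
    for key, want in sorted(required_labels.items()):
        got = labels.get(key)
        if got != want:
            findings.append(f"label {key}: expected {want!r}, got {got!r}")
    # An unset serviceAccountName means the pod runs as the namespace's
    # "default" ServiceAccount, which carries no IRSA/Workload Identity binding.
    sa = pod.get("serviceAccountName", "default")
    if sa != service_account:
        findings.append(f"serviceAccountName: expected {service_account!r}, got {sa!r}")
    got_pc = pod.get("priorityClassName")
    if priority_class is not None and got_pc != priority_class:
        findings.append(f"priorityClassName: expected {priority_class!r}, got {got_pc!r}")
    return findings

def make_job(labels, pod_spec):
    """Build a minimal constructed Job manifest for the demonstration."""
    return {"apiVersion": "batch/v1", "kind": "Job",
            "metadata": {"name": "minio-post-job"},
            "spec": {"template": {"metadata": {"labels": labels},
                                  "spec": dict(pod_spec, restartPolicy="OnFailure")}}}

# Selector labels only: the state described under Motivation.
SELECTOR = {"app.kubernetes.io/name": "minio", "app.kubernetes.io/instance": "demo"}
BEFORE = make_job(SELECTOR, {})
# Pod template carrying common labels, podLabels, ServiceAccount and priority class.
AFTER = make_job({**SELECTOR, "team": "storage", "sidecar.istio.io/inject": "false"},
                 {"serviceAccountName": "demo-minio", "priorityClassName": "batch-low"})
REQUIRED = {"team": "storage", "sidecar.istio.io/inject": "false"}

if __name__ == "__main__":
    for name, job in (("before", BEFORE), ("after", AFTER)):
        findings = audit_job(job, REQUIRED, "demo-minio", "batch-low")
        print(name, "OK" if not findings else findings)
```

To run it against real output, convert each document from `helm template charts/minio/` to a dict and pass the Job documents to `audit_job`.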