feat: limits enforcement in runtime installation (#495)

andrii-codefresh · web-flow · commit a073e2f71e15 · 2025-05-21T15:07:44.000+03:00
diff --git a/charts/gitops-runtime/templates/hooks/pre-install/helm-values-cm.yaml b/charts/gitops-runtime/templates/hooks/pre-install/helm-values-cm.yaml
@@ -0,0 +1,13 @@
+{{- if not (and .Values.installer.skipValidation .Values.installer.skipUsageValidation) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: helm-values-config
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation,hook-failed
+    helm.sh/hook-weight: "-10"
+data:
+  values.yaml: |
+{{ .Values | toYaml | indent 4 }}
+{{- end }}
diff --git a/charts/gitops-runtime/templates/hooks/pre-install/rbac.yaml b/charts/gitops-runtime/templates/hooks/pre-install/rbac.yaml
@@ -41,3 +41,48 @@ metadata:
     helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation,hook-failed
     helm.sh/hook-weight: "-10"
 {{- end }}
+
+{{- if  not .Values.installer.skipUsageValidation }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: validate-usage-cr
+  annotations:
+    helm.sh/hook: pre-install
+    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation,hook-failed
+    helm.sh/hook-weight: "5"
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: validate-usage-crb
+  annotations:
+    helm.sh/hook: pre-install
+    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation,hook-failed
+    helm.sh/hook-weight: "5"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: validate-usage-cr
+subjects:
+  - kind: ServiceAccount
+    name: validate-usage-sa
+    namespace: {{ .Release.Namespace }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: validate-usage-sa
+  annotations:
+    helm.sh/hook: pre-install
+    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation,hook-failed
+    helm.sh/hook-weight: "5"
+{{- end }}
diff --git a/charts/gitops-runtime/templates/hooks/pre-install/validate-usage.yaml b/charts/gitops-runtime/templates/hooks/pre-install/validate-usage.yaml
@@ -0,0 +1,46 @@
+{{- if  not .Values.installer.skipUsageValidation }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: validate-usage
+  annotations:
+    helm.sh/hook: pre-install
+    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation
+    helm.sh/hook-weight: "10"
+spec:
+  backoffLimit: 0
+  ttlSecondsAfterFinished: 300
+  template:
+    spec:
+      serviceAccountName: validate-usage-sa
+      restartPolicy: Never
+      containers:
+      - name: validate-usage
+        image: "{{ .Values.installer.image.repository }}:{{ .Values.installer.image.tag | default .Chart.Version }}"
+        imagePullPolicy: {{ .Values.installer.image.pullPolicy }}
+        env:
+        - name: NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        command: ["sh", "-c"]
+        args:
+        - |
+          cf account validate-usage --fail-condition=reached --subject=clusters --values /job_tmp/values.yaml --namespace ${NAMESPACE} --hook --log-level debug
+        volumeMounts:
+          - name: validate-usage-volume
+            mountPath: "/job_tmp"
+      volumes:
+        - name: validate-usage-volume
+          configMap:
+            name: helm-values-config
+      {{- with .Values.installer.nodeSelector | default .Values.global.nodeSelector }}
+      nodeSelector: {{ toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.installer.tolerations | default .Values.global.tolerations}}
+      tolerations: {{ toYaml . | nindent 6 }}
+      {{- end }}
+      {{- with .Values.installer.affinity }}
+      affinity: {{ toYaml . | nindent 8 }}
+      {{- end }}
+{{- end }}
diff --git a/charts/gitops-runtime/templates/hooks/pre-install/validate-values.yaml b/charts/gitops-runtime/templates/hooks/pre-install/validate-values.yaml
@@ -1,17 +1,4 @@
 {{- if  not .Values.installer.skipValidation }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: validate-values-config
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation,hook-failed
-    helm.sh/hook-weight: "-10"
-data:
-  values.yaml: |
-{{ .Values | toYaml | indent 4 }}
-
----
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -174,7 +161,7 @@ spec:
       volumes:
       - name: customized-values
         configMap:
-          name: validate-values-config
+          name: helm-values-config
       {{- with .Values.installer.nodeSelector | default .Values.global.nodeSelector }}
       nodeSelector: {{ toYaml . | nindent 8 }}
       {{- end }}
diff --git a/charts/gitops-runtime/tests/global_constraints_test.yaml b/charts/gitops-runtime/tests/global_constraints_test.yaml
@@ -436,6 +436,68 @@ tests:
               value: another-value
               effect: NoSchedule
 
+  - it: validate-usage job should have nodeSelector from .Values.global
+    values:
+      - ./values/global-constraints-values.yaml
+    template: hooks/pre-install/validate-usage.yaml
+    documentSelector:
+      path: kind
+      value: Job
+    asserts:
+      - equal:
+          path: spec.template.spec.nodeSelector
+          value:
+            some-key: some-value
+            extra-key: extra-value
+
+  - it: validate-usage job should have nodeSelector from .Values.installer and NOT from .Values.global
+    values:
+      - ./values/global-constraints-values.yaml
+      - ./values/subcharts-constraints-values.yaml
+    template: hooks/pre-install/validate-usage.yaml
+    documentSelector:
+      path: kind
+      value: Job
+    asserts:
+      - equal:
+          path: spec.template.spec.nodeSelector
+          value:
+            some-key: another-value
+            foo: bar
+
+  - it: validate-usage job should have tolerations from .Values.global
+    values:
+      - ./values/global-constraints-values.yaml
+    template: hooks/pre-install/validate-usage.yaml
+    documentSelector:
+      path: kind
+      value: Job
+    asserts:
+      - equal:
+          path: spec.template.spec.tolerations
+          value:
+            - key: some-key
+              operator: Equal
+              value: some-value
+              effect: NoSchedule
+
+  - it: validate-usage job should have tolerations from .Values.installer and NOT from .Values.global
+    values:
+      - ./values/global-constraints-values.yaml
+      - ./values/subcharts-constraints-values.yaml
+    template: hooks/pre-install/validate-usage.yaml
+    documentSelector:
+      path: kind
+      value: Job
+    asserts:
+      - equal:
+          path: spec.template.spec.tolerations
+          value:
+            - key: another-key
+              operator: Equal
+              value: another-value
+              effect: NoSchedule
+
 
   - it: cleanup-resources job should have nodeSelector from .Values.global
     values:
diff --git a/charts/gitops-runtime/values.yaml b/charts/gitops-runtime/values.yaml
@@ -186,6 +186,8 @@ global:
 installer:
   # -- if set to true, pre-install hook will *not* run
   skipValidation: false
+  # -- if set to true, pre-install hook will *not* run
+  skipUsageValidation: false
   image:
     repository: quay.io/codefresh/gitops-runtime-installer
     tag: ""
diff --git a/installer-image/Dockerfile b/installer-image/Dockerfile
@@ -8,7 +8,7 @@ FROM debian:12.10-slim
 
 RUN echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections
 
-ARG CF_CLI_VERSION=v0.2.6
+ARG CF_CLI_VERSION=v0.2.8
 ARG TARGETARCH
 
 RUN apt-get update && apt-get install curl jq -y
