From 10487dc61cc3c97bc452bf9dfcfdcf44b87bcf65 Mon Sep 17 00:00:00 2001
From: Bogdan-Adrian Burciu
Date: Wed, 11 Jun 2025 13:53:42 +0300
Subject: [PATCH 1/2] Feat: Add helm values for cert-generator Job pod placement
---
 charts/nginx-gateway-fabric/README.md | 6 +++-
 .../templates/certs-job.yaml | 16 ++++++++++
 .../nginx-gateway-fabric/values.schema.json | 30 +++++++++++++++++++
 charts/nginx-gateway-fabric/values.yaml | 12 ++++++++
 4 files changed, 63 insertions(+), 1 deletion(-)
diff --git a/charts/nginx-gateway-fabric/README.md b/charts/nginx-gateway-fabric/README.md
index 65a006b592..49e62768d6 100644
--- a/charts/nginx-gateway-fabric/README.md
+++ b/charts/nginx-gateway-fabric/README.md
@@ -252,11 +252,15 @@ The following table lists the configurable parameters of the NGINX Gateway Fabri
 | Key | Description | Type | Default |
 |-----|-------------|------|---------|
-| `certGenerator` | The certGenerator section contains the configuration for the cert-generator Job. | object | `{"agentTLSSecretName":"agent-tls","annotations":{},"overwrite":false,"serverTLSSecretName":"server-tls"}` |
+| `certGenerator` | The certGenerator section contains the configuration for the cert-generator Job. | object | `{"affinity":{},"agentTLSSecretName":"agent-tls","annotations":{},"nodeSelector":{},"overwrite":false,"serverTLSSecretName":"server-tls","tolerations":[],"topologySpreadConstraints":[]}` |
+| `certGenerator.affinity` | The affinity of the cert-generator pod. | object | `{}` |
 | `certGenerator.agentTLSSecretName` | The name of the base Secret containing TLS CA, certificate, and key for the NGINX Agent to securely communicate with the NGINX Gateway Fabric control plane. Must exist in the same namespace that the NGINX Gateway Fabric control plane is running in (default namespace: nginx-gateway). | string | `"agent-tls"` |
 | `certGenerator.annotations` | The annotations of the cert-generator Job. | object | `{}` |
+| `certGenerator.nodeSelector` | The nodeSelector of the cert-generator pod. | object | `{}` |
 | `certGenerator.overwrite` | Overwrite existing TLS Secrets on startup. | bool | `false` |
 | `certGenerator.serverTLSSecretName` | The name of the Secret containing TLS CA, certificate, and key for the NGINX Gateway Fabric control plane to securely communicate with the NGINX Agent. Must exist in the same namespace that the NGINX Gateway Fabric control plane is running in (default namespace: nginx-gateway). | string | `"server-tls"` |
+| `certGenerator.tolerations` | Tolerations for the cert-generator pod. | list | `[]` |
+| `certGenerator.topologySpreadConstraints` | The topology spread constraints for the cert-generator pod. | list | `[]` |
 | `clusterDomain` | The DNS cluster domain of your Kubernetes cluster. | string | `"cluster.local"` |
 | `gateways` | A list of Gateway objects. View https://gateway-api.sigs.k8s.io/reference/spec/#gateway for full Gateway reference. | list | `[]` |
 | `nginx` | The nginx section contains the configuration for all NGINX data plane deployments installed by the NGINX Gateway Fabric control plane. | object | `{"config":{},"container":{},"debug":false,"image":{"pullPolicy":"Always","repository":"ghcr.io/nginx/nginx-gateway-fabric/nginx","tag":"edge"},"imagePullSecret":"","imagePullSecrets":[],"kind":"deployment","plus":false,"pod":{},"replicas":1,"service":{"externalTrafficPolicy":"Local","loadBalancerClass":"","loadBalancerIP":"","loadBalancerSourceRanges":[],"nodePorts":[],"type":"LoadBalancer"},"usage":{"caSecretName":"","clientSSLSecretName":"","endpoint":"","resolver":"","secretName":"nplus-license","skipVerify":false}}` |
diff --git a/charts/nginx-gateway-fabric/templates/certs-job.yaml b/charts/nginx-gateway-fabric/templates/certs-job.yaml
index 96da6289e2..16b47f8be8 100644
--- a/charts/nginx-gateway-fabric/templates/certs-job.yaml
+++ b/charts/nginx-gateway-fabric/templates/certs-job.yaml
@@ -153,4 +153,20 @@ spec:
 securityContext:
 fsGroup: 1001
 runAsNonRoot: true
+ {{- if .Values.certGenerator.topologySpreadConstraints }}
+ topologySpreadConstraints:
+ {{- toYaml .Values.certGenerator.topologySpreadConstraints | nindent 8 }}
+ {{- end }}
+ {{- if .Values.certGenerator.affinity }}
+ affinity:
+ {{- toYaml .Values.certGenerator.affinity | nindent 8 }}
+ {{- end }}
+ {{- if .Values.certGenerator.tolerations }}
+ tolerations:
+ {{- toYaml .Values.certGenerator.tolerations | nindent 6 }}
+ {{- end }}
+ {{- if .Values.certGenerator.nodeSelector }}
+ nodeSelector:
+ {{- toYaml .Values.certGenerator.nodeSelector | nindent 8 }}
+ {{- end }}
 ttlSecondsAfterFinished: 0
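Review bot: The four `toYaml` lines in the certs-job.yaml hunk mix `nindent 8` (topologySpreadConstraints, affinity, nodeSelector) with `nindent 6` (tolerations), and the difference is not merely cosmetic for the two mapping-valued fields: if the new keys are rendered at the same depth as `securityContext:`, the content of `affinity:` and `nodeSelector:` must be indented deeper than the key, otherwise the rendered mapping keys become sibling pod-spec fields and `affinity`/`nodeSelector` silently render as null, whereas a sequence such as `tolerations` may legitimately sit flush with its key. The indentation of the added lines is not recoverable from this collapsed diff, so please confirm the key depth against the rendered output of `helm template`, and add a comment above the block such as `# mapping-valued fields (affinity, nodeSelector) must be nindent-ed deeper than their key; sequences may be flush` so that a later "make them consistent" pass does not flatten the mappings. The second patch in this series ([PATCH 2/2], same file) changes only the topologySpreadConstraints line to `nindent 6`, which is fine for a sequence, but its subject line suggests all four were aligned, which is exactly the misunderstanding the comment should forestall.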
diff --git a/charts/nginx-gateway-fabric/values.schema.json b/charts/nginx-gateway-fabric/values.schema.json
index f78fedae4d..5601513083 100644
--- a/charts/nginx-gateway-fabric/values.schema.json
+++ b/charts/nginx-gateway-fabric/values.schema.json
@@ -4,6 +4,12 @@
 "certGenerator": {
 "description": "The certGenerator section contains the configuration for the cert-generator Job.",
 "properties": {
+ "affinity": {
+ "description": "The affinity of the cert-generator pod.",
+ "required": [],
+ "title": "affinity",
+ "type": "object"
+ },
 "agentTLSSecretName": {
 "default": "agent-tls",
 "description": "The name of the base Secret containing TLS CA, certificate, and key for the NGINX Agent to securely\ncommunicate with the NGINX Gateway Fabric control plane. Must exist in the same namespace that the\nNGINX Gateway Fabric control plane is running in (default namespace: nginx-gateway).",
@@ -17,6 +23,12 @@
 "title": "annotations",
 "type": "object"
 },
+ "nodeSelector": {
+ "description": "The nodeSelector of the cert-generator pod.",
+ "required": [],
+ "title": "nodeSelector",
+ "type": "object"
+ },
 "overwrite": {
 "default": false,
 "description": "Overwrite existing TLS Secrets on startup.",
@@ -30,6 +42,24 @@
 "required": [],
 "title": "serverTLSSecretName",
 "type": "string"
+ },
+ "tolerations": {
+ "description": "Tolerations for the cert-generator pod.",
+ "items": {
+ "required": []
+ },
+ "required": [],
+ "title": "tolerations",
+ "type": "array"
+ },
+ "topologySpreadConstraints": {
+ "description": "The topology spread constraints for the cert-generator pod.",
+ "items": {
+ "required": []
+ },
+ "required": [],
+ "title": "topologySpreadConstraints",
+ "type": "array"
 }
 },
 "required": [],
diff --git a/charts/nginx-gateway-fabric/values.yaml b/charts/nginx-gateway-fabric/values.yaml
index cf8f826981..b44bf18cc7 100644
--- a/charts/nginx-gateway-fabric/values.yaml
+++ b/charts/nginx-gateway-fabric/values.yaml
@@ -479,6 +479,18 @@ certGenerator:
 # -- Overwrite existing TLS Secrets on startup.
 overwrite: false
+ # -- Tolerations for the cert-generator pod.
+ tolerations: []
+
+ # -- The nodeSelector of the cert-generator pod.
+ nodeSelector: {}
+
+ # -- The affinity of the cert-generator pod.
+ affinity: {}
+
+ # -- The topology spread constraints for the cert-generator pod.
+ topologySpreadConstraints: []
+
 # -- A list of Gateway objects. View https://gateway-api.sigs.k8s.io/reference/spec/#gateway for full Gateway reference.
 gateways: []
From d7998f6a54160b6b8efe3287320041527336e93f Mon Sep 17 00:00:00 2001
From: Bogdan-Adrian Burciu
Date: Wed, 11 Jun 2025 17:22:03 +0300
Subject: [PATCH 2/2] Address review: have all toYaml with same indentation
---
 charts/nginx-gateway-fabric/templates/certs-job.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/nginx-gateway-fabric/templates/certs-job.yaml b/charts/nginx-gateway-fabric/templates/certs-job.yaml
index 16b47f8be8..79953b24a2 100644
--- a/charts/nginx-gateway-fabric/templates/certs-job.yaml
+++ b/charts/nginx-gateway-fabric/templates/certs-job.yaml
@@ -155,7 +155,7 @@ spec:
 runAsNonRoot: true
 {{- if .Values.certGenerator.topologySpreadConstraints }}
 topologySpreadConstraints:
- {{- toYaml .Values.certGenerator.topologySpreadConstraints | nindent 8 }}
+ {{- toYaml .Values.certGenerator.topologySpreadConstraints | nindent 6 }}
 {{- end }}
 {{- if .Values.certGenerator.affinity }}
 affinity:
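Review bot: The four new `# --` comments in the values.yaml hunk restate the key name and nothing else, so a user cannot tell from values.yaml (or the helm-docs README generated from it) what shape is expected or how an empty value behaves; the template passes each value through `toYaml` unchanged and omits the field entirely when the value is empty, and the comments should say so. For example `# -- Tolerations for the cert-generator pod, rendered verbatim into the Job's pod spec (a list of Kubernetes Toleration objects); an empty list leaves the field unset.` with the same pattern for `nodeSelector`, `affinity` and `topologySpreadConstraints`. If the control-plane section of this file already documents its own placement fields, reuse that wording so the generated README reads uniformly.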