From d78b71d4c319958eacc253fc75387c0c024cfa01 Mon Sep 17 00:00:00 2001 From: "Md. Istiak" Date: Wed, 24 Jun 2026 19:40:20 +0600 Subject: [PATCH 1/9] Add pre-delete hook to strip GatewayClass finalizer on uninstall Signed-off-by: Md. Istiak --- charts/service-gateway/templates/_helpers.tpl | 33 ++++++++++++++ .../templates/cleaner/job.yaml | 43 +++++++++++++++++++ .../templates/cleaner/rbac.yaml | 34 +++++++++++++++ .../templates/cleaner/serviceaccount.yaml | 11 +++++ charts/service-gateway/values.yaml | 24 +++++++++++ 5 files changed, 145 insertions(+) create mode 100644 charts/service-gateway/templates/cleaner/job.yaml create mode 100644 charts/service-gateway/templates/cleaner/rbac.yaml create mode 100644 charts/service-gateway/templates/cleaner/serviceaccount.yaml diff --git a/charts/service-gateway/templates/_helpers.tpl b/charts/service-gateway/templates/_helpers.tpl index ad7f27450..03d30853c 100644 --- a/charts/service-gateway/templates/_helpers.tpl +++ b/charts/service-gateway/templates/_helpers.tpl 
@@ -81,3 +81,36 @@ Returns if ubi images are to be used {{- define "operator.ubi" -}} {{ ternary "-ubi" "" (list "operator" "all" | has (default (dig "ubi" "" (default dict .Values.distro)) .Values.global.distro.ubi)) }} {{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "appscode.serviceAccountName" -}} +{{- if .Values.global.serviceAccount.create }} +{{- default (include "service-gateway.fullname" .) .Values.global.serviceAccount.name }} +{{- else if .Values.serviceAccount }} +{{- default "default" .Values.serviceAccount.name }} +{{- else }} +{{- "default" }} +{{- end }} +{{- end }} + +{{/* +Returns the registry used for kubectl docker image +*/}} +{{- define "kubectl.registry" -}} +{{- list .Values.global.registryFQDN (default .Values.kubectl.registry .Values.global.registry) | compact | join "/" }} +{{- end }} + +{{/* +Returns the appscode image pull secrets +*/}} +{{- define "appscode.imagePullSecrets" -}} +{{- with .Values.global.imagePullSecrets -}} +imagePullSecrets: +{{- toYaml . | nindent 2 }} +{{- else -}} +imagePullSecrets: +{{- toYaml $.Values.imagePullSecrets | nindent 2 }} +{{- end }} +{{- end }} diff --git a/charts/service-gateway/templates/cleaner/job.yaml b/charts/service-gateway/templates/cleaner/job.yaml new file mode 100644 index 000000000..b92df1e53 --- /dev/null +++ b/charts/service-gateway/templates/cleaner/job.yaml 
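Review bot: `appscode.serviceAccountName` is defined in this hunk but nothing in the series renders it — the Job's `serviceAccountName` and the ClusterRoleBinding subject both hard-code `{{ include "service-gateway.fullname" . }}-gwclass-cleaner` — so it is dead template code that will silently drift from the real name. In `appscode.imagePullSecrets` the `else` branch reads `$.Values.imagePullSecrets`, which this commit's values.yaml hunk never declares (only `global.imagePullSecrets` is added), so with default values it appears to render `imagePullSecrets:` with a `null` body; either declare `imagePullSecrets: []` at the top level of values.yaml or drop the branch. A one-line comment above each helper naming the template that consumes it (`{{/* used by templates/cleaner/job.yaml */}}`) would make an unused helper obvious at the next cleanup.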
@@ -0,0 +1,43 @@ +{{- if .Values.cleaner.enabled -}} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "service-gateway.fullname" . }}-gwclass-cleaner + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook-weight": "0" + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +spec: + backoffLimit: 3 + template: + spec: + {{- include "appscode.imagePullSecrets" . | nindent 6 }} + serviceAccountName: {{ include "service-gateway.fullname" . }}-gwclass-cleaner + automountServiceAccountToken: true + securityContext: + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault + containers: + - name: kubectl + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault + image: "{{ include "kubectl.registry" . }}/{{ .Values.kubectl.repository }}:{{ .Values.kubectl.tag }}" + imagePullPolicy: {{ .Values.kubectl.pullPolicy }} + command: + - /bin/sh + - -c + - | + kubectl patch gatewayclass {{ include "tenant.name" . }} --type=merge -p '{"metadata":{"finalizers":null}}' || true + restartPolicy: Never +{{- end }} diff --git a/charts/service-gateway/templates/cleaner/rbac.yaml b/charts/service-gateway/templates/cleaner/rbac.yaml new file mode 100644 index 000000000..412a4553f --- /dev/null +++ b/charts/service-gateway/templates/cleaner/rbac.yaml 
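Review bot: The `kubectl patch … || true` on the command line means the Job exits 0 whatever happens, so `backoffLimit: 3` never retries a transient API error and an uninstall that leaves the finalizer in place — the very case this hook exists for — is reported as success. The GatewayClass name from `include "tenant.name"` is also interpolated unquoted into the `sh -c` script, and the merge patch sets `finalizers` to `null`, discarding every finalizer on the object rather than only the gateway controller's. Passing the name through an env var, treating only not-found as a no-op and letting other failures surface keeps the retry budget meaningful; removing a single finalizer by value needs the controller's finalizer string, which this chart does not show, so the blanket clear is kept below and should at least be stated in a comment on the Job.
```yaml
      - name: kubectl
        # … unchanged: securityContext, image, imagePullPolicy …
        env:
          - name: GATEWAY_CLASS
            value: {{ include "tenant.name" . | quote }}
        command:
          - /bin/sh
          - -ec
          - |
            # Already gone (or never created): nothing to strip. Any other API error
            # fails the Job so backoffLimit applies instead of being masked.
            name=$(kubectl get gatewayclass "$GATEWAY_CLASS" --ignore-not-found -o name)
            [ -n "$name" ] || exit 0
            # NOTE: clears every finalizer on the object, not only the gateway controller's.
            kubectl patch "$name" --type=merge -p '{"metadata":{"finalizers":null}}'
```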
@@ -0,0 +1,34 @@ +{{- if .Values.cleaner.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "service-gateway.fullname" . }}-gwclass-cleaner-{{ .Release.Namespace }} + annotations: + "helm.sh/hook-weight": "0" + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +rules: +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: ["get", "patch"] +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "service-gateway.fullname" . }}-gwclass-cleaner-{{ .Release.Namespace }} + annotations: + "helm.sh/hook-weight": "0" + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "service-gateway.fullname" . }}-gwclass-cleaner-{{ .Release.Namespace }} +subjects: +- kind: ServiceAccount + name: {{ include "service-gateway.fullname" . }}-gwclass-cleaner + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/service-gateway/templates/cleaner/serviceaccount.yaml b/charts/service-gateway/templates/cleaner/serviceaccount.yaml new file mode 100644 index 000000000..ca7e84388 --- /dev/null +++ b/charts/service-gateway/templates/cleaner/serviceaccount.yaml @@ -0,0 +1,11 @@ +{{- if and .Values.cleaner.enabled .Values.global.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "service-gateway.fullname" . }}-gwclass-cleaner + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook-weight": "0" + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +{{- end }} diff --git a/charts/service-gateway/values.yaml b/charts/service-gateway/values.yaml index c5ee38167..d237a2f87 100644 --- a/charts/service-gateway/values.yaml +++ b/charts/service-gateway/values.yaml 
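Review bot: The ClusterRole grants `get` and `patch` on every `gatewayclasses` object in the cluster, although the Job only ever patches the one named by `include "tenant.name"`; adding `resourceNames: [{{ include "tenant.name" . | quote }}]` to the rule keeps the hook's ServiceAccount from being able to strip finalizers from any other GatewayClass. The serviceaccount.yaml hunk on this line is wrapped in `and .Values.cleaner.enabled .Values.global.serviceAccount.create`, while the Job's `serviceAccountName` and the binding's subject are rendered whenever `cleaner.enabled` is true, so with `global.serviceAccount.create: false` the Job references an account nothing creates and never starts. Note also that the delete policy is only `before-hook-creation,hook-succeeded`: if the Job fails, the cluster-scoped role and binding created at the same weight are, as far as I recall Helm's hook handling, left behind after the release is gone, which deserves a comment on the template so operators know to look for them.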
@@ -14,6 +14,18 @@ global: # Set operator or all to use ubi images ubi: "" + # Docker registry used to pull app related images + registry: "" + registryFQDN: ghcr.io + imagePullSecrets: [] + + serviceAccount: + create: true + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + clusterMetadata: uid: tbd name: tbd @@ -144,3 +156,15 @@ vaultServer: name: "vault" # Vault server namespace that exist on cluster namespace: "ace" + +kubectl: + registry: appscode + repository: kubectl-nonroot + tag: "1.34" + pullPolicy: IfNotPresent + +# Pre-delete hook that strips the GatewayClass finalizer so the chart uninstalls cleanly. +# Disabled by default. Enable when the envoy-gateway controller is deployed as a sub-chart +# and shuts down before it can remove the finalizer. +cleaner: + enabled: false From 81e282c319d4b2b73ee9594785b1f6efd9f8578f Mon Sep 17 00:00:00 2001 From: "Md. Istiak" Date: Thu, 25 Jun 2026 12:21:36 +0600 Subject: [PATCH 2/9] Make cleaner job securityContext OpenShift-compatible Signed-off-by: Md. Istiak --- .../templates/cleaner/job.yaml | 25 +++++++++---------- charts/service-gateway/values.yaml | 15 +++++++++++ 2 files changed, 27 insertions(+), 13 deletions(-) diff --git a/charts/service-gateway/templates/cleaner/job.yaml b/charts/service-gateway/templates/cleaner/job.yaml index b92df1e53..84f43f71a 100644 --- a/charts/service-gateway/templates/cleaner/job.yaml +++ b/charts/service-gateway/templates/cleaner/job.yaml 
@@ -15,23 +15,22 @@ spec: {{- include "appscode.imagePullSecrets" . | nindent 6 }} serviceAccountName: {{ include "service-gateway.fullname" . }}-gwclass-cleaner automountServiceAccountToken: true + {{- if eq "true" ( include "distro.openshift" . ) }} securityContext: - runAsNonRoot: true - runAsUser: 65534 - seccompProfile: - type: RuntimeDefault + {{- toYaml (omit .Values.cleaner.podSecurityContext "runAsUser" "runAsGroup" "fsGroup" "supplementalGroups") | nindent 8 }} + {{- else }} + securityContext: + {{- toYaml .Values.cleaner.podSecurityContext | nindent 8 }} + {{- end }} containers: - name: kubectl + {{- if eq "true" ( include "distro.openshift" . ) }} + securityContext: + {{- toYaml (omit .Values.cleaner.securityContext "runAsUser" "runAsGroup" "fsGroup" "supplementalGroups") | nindent 12 }} + {{- else }} securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: ["ALL"] - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 65534 - seccompProfile: - type: RuntimeDefault + {{- toYaml .Values.cleaner.securityContext | nindent 12 }} + {{- end }} image: "{{ include "kubectl.registry" . }}/{{ .Values.kubectl.repository }}:{{ .Values.kubectl.tag }}" imagePullPolicy: {{ .Values.kubectl.pullPolicy }} command: diff --git a/charts/service-gateway/values.yaml b/charts/service-gateway/values.yaml index d237a2f87..6877719e2 100644 --- a/charts/service-gateway/values.yaml +++ b/charts/service-gateway/values.yaml @@ -168,3 +168,18 @@ kubectl: # and shuts down before it can remove the finalizer. cleaner: enabled: false + podSecurityContext: + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault From 12e31a21f480e8e125e178d309707efba397d856 Mon Sep 17 00:00:00 2001 
From: "Md. Istiak" Date: Thu, 25 Jun 2026 15:33:06 +0600 Subject: [PATCH 3/9] Use post-delete hook with ordered weights for GatewayClass cleanup Signed-off-by: Md. Istiak --- charts/service-gateway/templates/cleaner/job.yaml | 2 +- charts/service-gateway/templates/cleaner/rbac.yaml | 8 ++++---- .../service-gateway/templates/cleaner/serviceaccount.yaml | 6 +++--- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/charts/service-gateway/templates/cleaner/job.yaml b/charts/service-gateway/templates/cleaner/job.yaml index 84f43f71a..88780d7bc 100644 --- a/charts/service-gateway/templates/cleaner/job.yaml +++ b/charts/service-gateway/templates/cleaner/job.yaml @@ -6,7 +6,7 @@ metadata: namespace: {{ .Release.Namespace }} annotations: "helm.sh/hook-weight": "0" - "helm.sh/hook": pre-delete + "helm.sh/hook": post-delete "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded spec: backoffLimit: 3 diff --git a/charts/service-gateway/templates/cleaner/rbac.yaml b/charts/service-gateway/templates/cleaner/rbac.yaml index 412a4553f..8fa54a61a 100644 --- a/charts/service-gateway/templates/cleaner/rbac.yaml +++ b/charts/service-gateway/templates/cleaner/rbac.yaml @@ -4,8 +4,8 @@ kind: ClusterRole metadata: name: {{ include "service-gateway.fullname" . }}-gwclass-cleaner-{{ .Release.Namespace }} annotations: - "helm.sh/hook-weight": "0" - "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "-4" + "helm.sh/hook": post-delete "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded rules: - apiGroups: @@ -20,8 +20,8 @@ kind: ClusterRoleBinding metadata: name: {{ include "service-gateway.fullname" . }}-gwclass-cleaner-{{ .Release.Namespace }} annotations: - "helm.sh/hook-weight": "0" - "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "-4" + "helm.sh/hook": post-delete "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded roleRef: apiGroup: rbac.authorization.k8s.io 
diff --git a/charts/service-gateway/templates/cleaner/serviceaccount.yaml b/charts/service-gateway/templates/cleaner/serviceaccount.yaml index ca7e84388..db33c4ba6 100644 --- a/charts/service-gateway/templates/cleaner/serviceaccount.yaml +++ b/charts/service-gateway/templates/cleaner/serviceaccount.yaml @@ -5,7 +5,7 @@ metadata: name: {{ include "service-gateway.fullname" . }}-gwclass-cleaner namespace: {{ .Release.Namespace }} annotations: - "helm.sh/hook-weight": "0" - "helm.sh/hook": pre-delete - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + "helm.sh/hook-weight": "-5" + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-succeeded {{- end }} From 2e89187885642ecfbef2b30fbb6258a7eb9c03ac Mon Sep 17 00:00:00 2001 From: "Md. Istiak" Date: Thu, 25 Jun 2026 19:11:51 +0600 Subject: [PATCH 4/9] Address review: move kubectl under cleaner, remove global additions Signed-off-by: Md. Istiak --- charts/service-gateway/templates/_helpers.tpl | 33 ------------------- .../templates/cleaner/job.yaml | 12 ++----- .../templates/cleaner/serviceaccount.yaml | 4 +-- charts/service-gateway/values.yaml | 30 ++++------------- 4 files changed, 10 insertions(+), 69 deletions(-) diff --git a/charts/service-gateway/templates/_helpers.tpl b/charts/service-gateway/templates/_helpers.tpl index 03d30853c..ad7f27450 100644 --- a/charts/service-gateway/templates/_helpers.tpl +++ b/charts/service-gateway/templates/_helpers.tpl 
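Review bot: The ServiceAccount's new delete policy reads `before-hook-creation,hook-succeeded,hook-succeeded` — `hook-succeeded` is listed twice, presumably a paste slip; it is probably harmless to Helm but should read `"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded` like the Job and RBAC objects. With weight `-5` here, `-4` on the ClusterRole/ClusterRoleBinding in the hunk above and `0` on the Job, the objects are created in dependency order, which is what the switch to `post-delete` needs; a comment on this template recording that ordering (`# weight -5: must exist before the -4 RBAC binding and the weight-0 Job`) would save the next reader working it out from three files.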
@@ -81,36 +81,3 @@ Returns if ubi images are to be used {{- define "operator.ubi" -}} {{ ternary "-ubi" "" (list "operator" "all" | has (default (dig "ubi" "" (default dict .Values.distro)) .Values.global.distro.ubi)) }} {{- end }} - -{{/* -Create the name of the service account to use -*/}} -{{- define "appscode.serviceAccountName" -}} -{{- if .Values.global.serviceAccount.create }} -{{- default (include "service-gateway.fullname" .) .Values.global.serviceAccount.name }} -{{- else if .Values.serviceAccount }} -{{- default "default" .Values.serviceAccount.name }} -{{- else }} -{{- "default" }} -{{- end }} -{{- end }} - -{{/* -Returns the registry used for kubectl docker image -*/}} -{{- define "kubectl.registry" -}} -{{- list .Values.global.registryFQDN (default .Values.kubectl.registry .Values.global.registry) | compact | join "/" }} -{{- end }} - -{{/* -Returns the appscode image pull secrets -*/}} -{{- define "appscode.imagePullSecrets" -}} -{{- with .Values.global.imagePullSecrets -}} -imagePullSecrets: -{{- toYaml . | nindent 2 }} -{{- else -}} -imagePullSecrets: -{{- toYaml $.Values.imagePullSecrets | nindent 2 }} -{{- end }} -{{- end }} diff --git a/charts/service-gateway/templates/cleaner/job.yaml b/charts/service-gateway/templates/cleaner/job.yaml index 88780d7bc..a7d61bbae 100644 --- a/charts/service-gateway/templates/cleaner/job.yaml +++ b/charts/service-gateway/templates/cleaner/job.yaml 
@@ -12,16 +12,8 @@ spec: backoffLimit: 3 template: spec: - {{- include "appscode.imagePullSecrets" . | nindent 6 }} serviceAccountName: {{ include "service-gateway.fullname" . }}-gwclass-cleaner automountServiceAccountToken: true - {{- if eq "true" ( include "distro.openshift" . ) }} - securityContext: - {{- toYaml (omit .Values.cleaner.podSecurityContext "runAsUser" "runAsGroup" "fsGroup" "supplementalGroups") | nindent 8 }} - {{- else }} - securityContext: - {{- toYaml .Values.cleaner.podSecurityContext | nindent 8 }} - {{- end }} containers: - name: kubectl {{- if eq "true" ( include "distro.openshift" . ) }} @@ -31,8 +23,8 @@ spec: securityContext: {{- toYaml .Values.cleaner.securityContext | nindent 12 }} {{- end }} - image: "{{ include "kubectl.registry" . }}/{{ .Values.kubectl.repository }}:{{ .Values.kubectl.tag }}" - imagePullPolicy: {{ .Values.kubectl.pullPolicy }} + image: "{{ .Values.cleaner.kubectl.registry }}/{{ .Values.cleaner.kubectl.repository }}:{{ .Values.cleaner.kubectl.tag }}" + imagePullPolicy: {{ .Values.cleaner.kubectl.pullPolicy }} command: - /bin/sh - -c diff --git a/charts/service-gateway/templates/cleaner/serviceaccount.yaml b/charts/service-gateway/templates/cleaner/serviceaccount.yaml index db33c4ba6..c300c25f1 100644 --- a/charts/service-gateway/templates/cleaner/serviceaccount.yaml +++ b/charts/service-gateway/templates/cleaner/serviceaccount.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.cleaner.enabled .Values.global.serviceAccount.create -}} +{{- if .Values.cleaner.enabled -}} apiVersion: v1 kind: ServiceAccount metadata: @@ -7,5 +7,5 @@ metadata: annotations: "helm.sh/hook-weight": "-5" "helm.sh/hook": post-delete - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-succeeded + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded {{- end }} diff --git a/charts/service-gateway/values.yaml b/charts/service-gateway/values.yaml index 6877719e2..076d89e2b 100644 --- a/charts/service-gateway/values.yaml 
+++ b/charts/service-gateway/values.yaml @@ -14,18 +14,6 @@ global: # Set operator or all to use ubi images ubi: "" - # Docker registry used to pull app related images - registry: "" - registryFQDN: ghcr.io - imagePullSecrets: [] - - serviceAccount: - create: true - annotations: {} - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: "" - clusterMetadata: uid: tbd name: tbd @@ -157,22 +145,16 @@ vaultServer: # Vault server namespace that exist on cluster namespace: "ace" -kubectl: - registry: appscode - repository: kubectl-nonroot - tag: "1.34" - pullPolicy: IfNotPresent - -# Pre-delete hook that strips the GatewayClass finalizer so the chart uninstalls cleanly. +# Post-delete hook that strips the GatewayClass finalizer so the chart uninstalls cleanly. # Disabled by default. Enable when the envoy-gateway controller is deployed as a sub-chart # and shuts down before it can remove the finalizer. cleaner: enabled: false - podSecurityContext: - runAsNonRoot: true - runAsUser: 65534 - seccompProfile: - type: RuntimeDefault + kubectl: + registry: ghcr.io/appscode + repository: kubectl-nonroot + tag: "1.34" + pullPolicy: IfNotPresent securityContext: allowPrivilegeEscalation: false capabilities: From 1a69365b7c182af053dcf697c08254968cbc36ca Mon Sep 17 00:00:00 2001 From: "Md. Istiak" Date: Fri, 26 Jun 2026 12:11:02 +0600 Subject: [PATCH 5/9] Add CleanerSpec API type and flatten kubectl fields under cleaner Signed-off-by: Md. Istiak --- .../v1alpha1/service_gateway_types.go | 11 ++++++++ .../v1alpha1/zz_generated.deepcopy.go | 25 ++++++++++++++++--- .../templates/cleaner/job.yaml | 4 +-- charts/service-gateway/values.yaml | 9 +++---- 4 files changed, 39 insertions(+), 10 deletions(-) diff --git a/apis/installer/v1alpha1/service_gateway_types.go b/apis/installer/v1alpha1/service_gateway_types.go index 963018540..591e83ffc 100644 --- a/apis/installer/v1alpha1/service_gateway_types.go 
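Review bot: The hook image is now assembled from `registry: ghcr.io/appscode`, `repository: kubectl-nonroot` and the mutable tag `"1.34"`, and the job.yaml hunk above renders it as `registry/repository:tag` with `pullPolicy: IfNotPresent`; nothing lets an operator pin the image by digest, so the bytes that run with the cleaner's cluster-wide `patch` permission on gatewayclasses are whatever that tag resolves to at first pull on each node. An optional `digest: ""` value, rendered as `@sha256:<DIGEST-PLACEHOLDER>` in place of `:tag` when set, gives a verifiable pin without changing the default. A comment on `kubectl:` stating that the image only needs a `kubectl` binary on `PATH` and a non-root user would also document the contract for anyone substituting a mirrored image.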
+++ b/apis/installer/v1alpha1/service_gateway_types.go
@@ -19,6 +19,7 @@ package v1alpha1
 import (
 catgwapi "go.bytebuilders.dev/catalog/api/gateway/v1alpha1"
+ core "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -48,6 +49,7 @@ type ServiceGatewaySpec struct {
 FullnameOverride string `json:"fullnameOverride"`
 ClusterMetadata StashClusterMetadata `json:"clusterMetadata"`
 GatewayClass GatewayClassSpec `json:"gatewayClass"`
+ Cleaner CleanerSpec `json:"cleaner"`
 catgwapi.GatewayValues `json:",inline,omitempty"`
 }
@@ -56,6 +58,15 @@ type GatewayClassSpec struct {
 Description string `json:"description"`
 }
+type CleanerSpec struct {
+ Enabled bool `json:"enabled"`
+ Registry string `json:"registry"`
+ Repository string `json:"repository"`
+ Tag string `json:"tag"`
+ PullPolicy core.PullPolicy `json:"pullPolicy"`
+ SecurityContext *core.SecurityContext `json:"securityContext,omitempty"`
+}
+
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // ServiceGatewayList is a list of ServiceGateways
diff --git a/apis/installer/v1alpha1/zz_generated.deepcopy.go b/apis/installer/v1alpha1/zz_generated.deepcopy.go
index 5be877f4b..7a87bbc06 100644
--- a/apis/installer/v1alpha1/zz_generated.deepcopy.go
+++ b/apis/installer/v1alpha1/zz_generated.deepcopy.go
@@ -22,11 +22,9 @@ package v1alpha1
 import (
 "encoding/json"
- wizardsv1alpha1 "go.bytebuilders.dev/ui-wizards/apis/wizards/v1alpha1"
- installerv1alpha1 "go.openviz.dev/installer/apis/installer/v1alpha1"
- v1 "k8s.io/api/core/v1"
+ "k8s.io/api/core/v1"
 networkingv1 "k8s.io/api/networking/v1"
 "k8s.io/apimachinery/pkg/runtime"
 autoscaling_k8s_iov1 "k8s.io/autoscaler/vertical-pod-autoscaler/pkg/apis/autoscaling.k8s.io/v1"
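Review bot: `CleanerSpec` is an exported API type with no doc comment and no per-field comments, although `Registry`, `Repository` and `Tag` together form the image reference the chart renders and `SecurityContext` is what it applies to the kubectl container; a type comment such as `// CleanerSpec configures the post-delete Job that strips the GatewayClass finalizer.` plus one line per field would tell both readers and the schema generator what each value controls. The same commit's zz_generated.deepcopy.go import hunk drops the `wizardsv1alpha1` and `installerv1alpha1` imports and un-aliases `k8s.io/api/core/v1`, which patch 7 in this series immediately restores; if those packages are still referenced elsewhere in the generated file, this commit does not compile on its own and the series is not bisectable, so the two should be squashed. The trailing context lines of that import hunk are not visible here.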
@@ -3118,6 +3116,26 @@ func (in *CertificateIssuerRef) DeepCopy() *CertificateIssuerRef {
 return out
 }
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CleanerSpec) DeepCopyInto(out *CleanerSpec) {
+ *out = *in
+ if in.SecurityContext != nil {
+ in, out := &in.SecurityContext, &out.SecurityContext
+ *out = new(v1.SecurityContext)
+ (*in).DeepCopyInto(*out)
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CleanerSpec.
+func (in *CleanerSpec) DeepCopy() *CleanerSpec {
+ if in == nil {
+ return nil
+ }
+ out := new(CleanerSpec)
+ in.DeepCopyInto(out)
+ return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CloudProviderOptions) DeepCopyInto(out *CloudProviderOptions) {
 *out = *in
@@ -11516,6 +11534,7 @@ func (in *ServiceGatewaySpec) DeepCopyInto(out *ServiceGatewaySpec) {
 *out = *in
 out.ClusterMetadata = in.ClusterMetadata
 in.GatewayClass.DeepCopyInto(&out.GatewayClass)
+ in.Cleaner.DeepCopyInto(&out.Cleaner)
 in.GatewayValues.DeepCopyInto(&out.GatewayValues)
 }
diff --git a/charts/service-gateway/templates/cleaner/job.yaml b/charts/service-gateway/templates/cleaner/job.yaml
index a7d61bbae..af3c73cbd 100644
--- a/charts/service-gateway/templates/cleaner/job.yaml
+++ b/charts/service-gateway/templates/cleaner/job.yaml
@@ -23,8 +23,8 @@ spec:
 securityContext:
 {{- toYaml .Values.cleaner.securityContext | nindent 12 }}
 {{- end }}
- image: "{{ .Values.cleaner.kubectl.registry }}/{{ .Values.cleaner.kubectl.repository }}:{{ .Values.cleaner.kubectl.tag }}"
- imagePullPolicy: {{ .Values.cleaner.kubectl.pullPolicy }}
+ image: "{{ .Values.cleaner.registry }}/{{ .Values.cleaner.repository }}:{{ .Values.cleaner.tag }}"
+ imagePullPolicy: {{ .Values.cleaner.pullPolicy }}
 command:
 - /bin/sh
 - -c
diff --git a/charts/service-gateway/values.yaml b/charts/service-gateway/values.yaml index 076d89e2b..7f7bcf893 100644 --- a/charts/service-gateway/values.yaml +++ b/charts/service-gateway/values.yaml @@ -150,11 +150,10 @@ vaultServer: # and shuts down before it can remove the finalizer. cleaner: enabled: false - kubectl: - registry: ghcr.io/appscode - repository: kubectl-nonroot - tag: "1.34" - pullPolicy: IfNotPresent + registry: ghcr.io/appscode + repository: kubectl-nonroot + tag: "1.34" + pullPolicy: IfNotPresent securityContext: allowPrivilegeEscalation: false capabilities: From 1133910376f8899b3c727f643ae8e1cfb84c7293 Mon Sep 17 00:00:00 2001 From: "Md. Istiak" Date: Fri, 26 Jun 2026 12:37:01 +0600 Subject: [PATCH 6/9] update Signed-off-by: Md. Istiak --- charts/service-gateway/README.md | 11 +++ .../values.openapiv3_schema.yaml | 92 +++++++++++++++++++ 2 files changed, 103 insertions(+) diff --git a/charts/service-gateway/README.md b/charts/service-gateway/README.md index 85979e994..fb519231e 100644 --- a/charts/service-gateway/README.md +++ b/charts/service-gateway/README.md 
@@ -104,6 +104,17 @@ The following table lists the configurable parameters of the `service-gateway` c | echoserver.securityContext | | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}} | | vaultServer.name | Vault server name that exist on cluster | "vault" | | vaultServer.namespace | Vault server namespace that exist on cluster | "ace" | +| cleaner.enabled | | false | +| cleaner.registry | | ghcr.io/appscode | +| cleaner.repository | | kubectl-nonroot | +| cleaner.tag | | "1.34" | +| cleaner.pullPolicy | | IfNotPresent | +| cleaner.securityContext.allowPrivilegeEscalation | | false | +| cleaner.securityContext.privileged | | false | +| cleaner.securityContext.readOnlyRootFilesystem | | true | +| cleaner.securityContext.runAsNonRoot | | true | +| cleaner.securityContext.runAsUser | | 65534 | +| cleaner.securityContext.seccompProfile.type | | RuntimeDefault | Specify each parameter using the `--set key=value[,key=value]` argument to `helm upgrade -i`. For example: diff --git a/charts/service-gateway/values.openapiv3_schema.yaml b/charts/service-gateway/values.openapiv3_schema.yaml index eb885c60a..c8a5361eb 100644 --- a/charts/service-gateway/values.openapiv3_schema.yaml +++ b/charts/service-gateway/values.openapiv3_schema.yaml 
@@ -1,4 +1,95 @@ properties: + cleaner: + properties: + enabled: + type: boolean + pullPolicy: + type: string + registry: + type: string + repository: + type: string + securityContext: + properties: + allowPrivilegeEscalation: + type: boolean + appArmorProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + capabilities: + properties: + add: + items: + type: string + type: array + x-kubernetes-list-type: atomic + drop: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + tag: + type: string + required: + - enabled + - pullPolicy + - registry + - repository + - tag + type: object cluster: properties: tls: @@ -4677,6 +4768,7 @@ properties: - name type: object required: +- cleaner - cluster - clusterMetadata - echoserver From ccf7f4cc8e19d5235f7a47c3b75894b91a970dfb Mon Sep 17 00:00:00 2001 From: "Md. Istiak" Date: Fri, 26 Jun 2026 12:55:02 +0600 Subject: [PATCH 7/9] update Signed-off-by: Md. Istiak --- apis/installer/v1alpha1/zz_generated.deepcopy.go | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/apis/installer/v1alpha1/zz_generated.deepcopy.go b/apis/installer/v1alpha1/zz_generated.deepcopy.go index 7a87bbc06..36ed54685 100644 
--- a/apis/installer/v1alpha1/zz_generated.deepcopy.go +++ b/apis/installer/v1alpha1/zz_generated.deepcopy.go @@ -22,9 +22,11 @@ package v1alpha1 import ( "encoding/json" + wizardsv1alpha1 "go.bytebuilders.dev/ui-wizards/apis/wizards/v1alpha1" + installerv1alpha1 "go.openviz.dev/installer/apis/installer/v1alpha1" - "k8s.io/api/core/v1" + v1 "k8s.io/api/core/v1" networkingv1 "k8s.io/api/networking/v1" "k8s.io/apimachinery/pkg/runtime" autoscaling_k8s_iov1 "k8s.io/autoscaler/vertical-pod-autoscaler/pkg/apis/autoscaling.k8s.io/v1" From 80d2e053125b73f2a2c9d92f7aba9c187b34b0f5 Mon Sep 17 00:00:00 2001 From: "Md. Istiak" Date: Fri, 26 Jun 2026 17:58:17 +0600 Subject: [PATCH 8/9] update Signed-off-by: Md. Istiak --- charts/service-gateway-presets/README.md | 11 +++++++++++ charts/service-gateway-presets/values.yaml | 17 +++++++++++++++++ charts/service-gateway/README.md | 2 +- charts/service-gateway/values.yaml | 2 +- 4 files changed, 30 insertions(+), 2 deletions(-) diff --git a/charts/service-gateway-presets/README.md b/charts/service-gateway-presets/README.md index 9265e37cd..eb03a3bfb 100644 --- a/charts/service-gateway-presets/README.md +++ b/charts/service-gateway-presets/README.md 
@@ -110,6 +110,17 @@ The following table lists the configurable parameters of the `service-gateway-pr | chart.sourceRef.kind | | HelmRepository | | chart.sourceRef.name | | appscode-charts-oci | | chart.sourceRef.namespace | | kubeops | +| cleaner.enabled | | true | +| cleaner.registry | | ghcr.io/appscode | +| cleaner.repository | | kubectl-nonroot | +| cleaner.tag | | "1.34" | +| cleaner.pullPolicy | | IfNotPresent | +| cleaner.securityContext.allowPrivilegeEscalation | | false | +| cleaner.securityContext.privileged | | false | +| cleaner.securityContext.readOnlyRootFilesystem | | true | +| cleaner.securityContext.runAsNonRoot | | true | +| cleaner.securityContext.runAsUser | | 65534 | +| cleaner.securityContext.seccompProfile.type | | RuntimeDefault | Specify each parameter using the `--set key=value[,key=value]` argument to `helm upgrade -i`. For example: diff --git a/charts/service-gateway-presets/values.yaml b/charts/service-gateway-presets/values.yaml index 0abdf198c..2d7ec1b2b 100644 --- a/charts/service-gateway-presets/values.yaml +++ b/charts/service-gateway-presets/values.yaml @@ -151,3 +151,20 @@ chart: kind: HelmRepository name: appscode-charts-oci namespace: kubeops + +cleaner: + enabled: true + registry: ghcr.io/appscode + repository: kubectl-nonroot + tag: "1.34" + pullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault \ No newline at end of file diff --git a/charts/service-gateway/README.md b/charts/service-gateway/README.md index fb519231e..3ebead715 100644 --- a/charts/service-gateway/README.md +++ b/charts/service-gateway/README.md 
@@ -104,7 +104,7 @@ The following table lists the configurable parameters of the `service-gateway` c | echoserver.securityContext | | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}} | | vaultServer.name | Vault server name that exist on cluster | "vault" | | vaultServer.namespace | Vault server namespace that exist on cluster | "ace" | -| cleaner.enabled | | false | +| cleaner.enabled | | true | | cleaner.registry | | ghcr.io/appscode | | cleaner.repository | | kubectl-nonroot | | cleaner.tag | | "1.34" | diff --git a/charts/service-gateway/values.yaml b/charts/service-gateway/values.yaml index 7f7bcf893..8fcc7a07f 100644 --- a/charts/service-gateway/values.yaml +++ b/charts/service-gateway/values.yaml @@ -149,7 +149,7 @@ vaultServer: # Disabled by default. Enable when the envoy-gateway controller is deployed as a sub-chart # and shuts down before it can remove the finalizer. cleaner: - enabled: false + enabled: true registry: ghcr.io/appscode repository: kubectl-nonroot tag: "1.34" From 17a13b0c7b4195df2fc7fb3d943b30c10c4da9b7 Mon Sep 17 00:00:00 2001 From: Arnob kumar saha Date: Fri, 26 Jun 2026 18:07:58 +0600 Subject: [PATCH 9/9] Use shared CleanerSpec from catalog API in service-gateway charts Signed-off-by: Arnob kumar saha --- .../v1alpha1/service_gateway_types.go | 11 --- .../v1alpha1/zz_generated.deepcopy.go | 21 ----- .../values.openapiv3_schema.yaml | 92 +++++++++++++++++++ go.mod | 2 +- go.sum | 4 +- .../gateway/v1alpha1/gatewayconfig_types.go | 11 +++ .../gateway/v1alpha1/zz_generated.deepcopy.go | 21 +++++ vendor/modules.txt | 2 +- 8 files changed, 128 insertions(+), 36 deletions(-) diff --git a/apis/installer/v1alpha1/service_gateway_types.go b/apis/installer/v1alpha1/service_gateway_types.go index 591e83ffc..963018540 100644 --- a/apis/installer/v1alpha1/service_gateway_types.go 
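Review bot: `enabled` flips to `true` while the two comment lines directly above it still read "Disabled by default. Enable when the envoy-gateway controller is deployed as a sub-chart", so the default now contradicts its own documentation; rewrite them as `# Enabled by default; set to false when the envoy-gateway controller lives outside this chart and removes the finalizer itself.` Enabling by default also means every uninstall now creates a cluster-scoped ClusterRole/ClusterRoleBinding and runs a kubectl Job against the API server, which belongs in the README table's description column — currently empty for every `cleaner.*` row in both the service-gateway and service-gateway-presets hunks above. The presets values.yaml hunk on the preceding line also ends without a trailing newline.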
+++ b/apis/installer/v1alpha1/service_gateway_types.go
@@ -19,7 +19,6 @@ package v1alpha1
 import (
 catgwapi "go.bytebuilders.dev/catalog/api/gateway/v1alpha1"
- core "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -49,7 +48,6 @@ type ServiceGatewaySpec struct {
 FullnameOverride string `json:"fullnameOverride"`
 ClusterMetadata StashClusterMetadata `json:"clusterMetadata"`
 GatewayClass GatewayClassSpec `json:"gatewayClass"`
- Cleaner CleanerSpec `json:"cleaner"`
 catgwapi.GatewayValues `json:",inline,omitempty"`
 }
@@ -58,15 +56,6 @@ type GatewayClassSpec struct {
 Description string `json:"description"`
 }
-type CleanerSpec struct {
- Enabled bool `json:"enabled"`
- Registry string `json:"registry"`
- Repository string `json:"repository"`
- Tag string `json:"tag"`
- PullPolicy core.PullPolicy `json:"pullPolicy"`
- SecurityContext *core.SecurityContext `json:"securityContext,omitempty"`
-}
-
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // ServiceGatewayList is a list of ServiceGateways
diff --git a/apis/installer/v1alpha1/zz_generated.deepcopy.go b/apis/installer/v1alpha1/zz_generated.deepcopy.go
index 36ed54685..5be877f4b 100644
--- a/apis/installer/v1alpha1/zz_generated.deepcopy.go
+++ b/apis/installer/v1alpha1/zz_generated.deepcopy.go
@@ -3118,26 +3118,6 @@ func (in *CertificateIssuerRef) DeepCopy() *CertificateIssuerRef {
 	return out
 }
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *CleanerSpec) DeepCopyInto(out *CleanerSpec) {
-	*out = *in
-	if in.SecurityContext != nil {
-		in, out := &in.SecurityContext, &out.SecurityContext
-		*out = new(v1.SecurityContext)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CleanerSpec.
-func (in *CleanerSpec) DeepCopy() *CleanerSpec {
-	if in == nil {
-		return nil
-	}
-	out := new(CleanerSpec)
-	in.DeepCopyInto(out)
-	return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CloudProviderOptions) DeepCopyInto(out *CloudProviderOptions) {
 	*out = *in
@@ -11536,7 +11516,6 @@ func (in *ServiceGatewaySpec) DeepCopyInto(out *ServiceGatewaySpec) {
 	*out = *in
 	out.ClusterMetadata = in.ClusterMetadata
 	in.GatewayClass.DeepCopyInto(&out.GatewayClass)
-	in.Cleaner.DeepCopyInto(&out.Cleaner)
 	in.GatewayValues.DeepCopyInto(&out.GatewayValues)
 }
diff --git a/charts/service-gateway-presets/values.openapiv3_schema.yaml b/charts/service-gateway-presets/values.openapiv3_schema.yaml
index 53f02f7a2..fc798bfaa 100644
--- a/charts/service-gateway-presets/values.openapiv3_schema.yaml
+++ b/charts/service-gateway-presets/values.openapiv3_schema.yaml
@@ -30,6 +30,97 @@ properties:
     - name
     - sourceRef
     type: object
+  cleaner:
+    properties:
+      enabled:
+        type: boolean
+      pullPolicy:
+        type: string
+      registry:
+        type: string
+      repository:
+        type: string
+      securityContext:
+        properties:
+          allowPrivilegeEscalation:
+            type: boolean
+          appArmorProfile:
+            properties:
+              localhostProfile:
+                type: string
+              type:
+                type: string
+            required:
+            - type
+            type: object
+          capabilities:
+            properties:
+              add:
+                items:
+                  type: string
+                type: array
+                x-kubernetes-list-type: atomic
+              drop:
+                items:
+                  type: string
+                type: array
+                x-kubernetes-list-type: atomic
+            type: object
+          privileged:
+            type: boolean
+          procMount:
+            type: string
+          readOnlyRootFilesystem:
+            type: boolean
+          runAsGroup:
+            format: int64
+            type: integer
+          runAsNonRoot:
+            type: boolean
+          runAsUser:
+            format: int64
+            type: integer
+          seLinuxOptions:
+            properties:
+              level:
+                type: string
+              role:
+                type: string
+              type:
+                type: string
+              user:
+                type: string
+            type: object
+          seccompProfile:
+            properties:
+              localhostProfile:
+                type: string
+              type:
+                type: string
+            required:
+            - type
+            type: object
+          windowsOptions:
+            properties:
+              gmsaCredentialSpec:
+                type: string
+              gmsaCredentialSpecName:
+                type: string
+              hostProcess:
+                type: boolean
+              runAsUserName:
+                type: string
+            type: object
+        type: object
+      tag:
+        type: string
+    required:
+    - enabled
+    - pullPolicy
+    - registry
+    - repository
+    - tag
+    type: object
   cluster:
     properties:
       tls:
@@ -4693,6 +4784,7 @@ properties:
     - name
     type: object
 required:
+- cleaner
 - cluster
 - clusterMetadata
 - echoserver
diff --git a/go.mod b/go.mod
index 5474caf19..6f4fe522e 100644
--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,7 @@ module go.bytebuilders.dev/installer
 go 1.25.6
 require (
-	go.bytebuilders.dev/catalog v0.0.23
+	go.bytebuilders.dev/catalog v0.0.25-0.20260626115826-a5d44c24f104
 	go.bytebuilders.dev/resource-model v0.4.0
 	go.bytebuilders.dev/ui-wizards v0.35.0
 	go.openviz.dev/installer v0.0.0-20260619044110-702becd1dd97
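Review bot: The second hunk of this file adds `- cleaner` to the top-level `required` list, so any existing service-gateway-presets values file that has no `cleaner` block will now fail schema validation; for a feature that is a toggle, that looks like an unintended compatibility break. The strictness appears to come from the vendored `Cleaner CleanerSpec `json:"cleaner"`` field carrying no `// +optional` marker (its neighbour `VaultServer` has one), so the fix belongs in the catalog type, after which regenerating this schema drops the entry; until then the chart README should state that `cleaner` must be supplied. Separately, `securityContext` here is the full `core.SecurityContext`, so the schema accepts `privileged: true`, `hostProcess: true` or an empty `capabilities.drop`; if the cleaner Job is expected to run with the restricted profile the other components use, that has to be enforced by the values default or an admission policy, not by this generated schema, and a short comment in values.yaml saying so would help reviewers of future overrides.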
diff --git a/go.sum b/go.sum
index 5db3830a5..5f8dd5975 100644
--- a/go.sum
+++ b/go.sum
@@ -211,8 +211,8 @@ github.com/zeebo/xxh3 v1.0.2 h1:xZmwmqxHZA8AI603jOQ0tMqmBr9lPeFwGg6d+xy9DC0=
 github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA=
 go.appscode.dev/alerts v0.2.1-0.20260516020454-00c8e56b1991 h1:juyyBSMLxf/D/py8QidUT0wZUIhisivkdeCIvwXvob8=
 go.appscode.dev/alerts v0.2.1-0.20260516020454-00c8e56b1991/go.mod h1:oG1OnN2JTilTTqGAHv4CCoqnvT3u0J8c7YgNny0Rj7g=
-go.bytebuilders.dev/catalog v0.0.23 h1:C2QLyWa5e32WfhhJLvXgorPwQ1LvEVqT6Ox4GSY2Rf8=
-go.bytebuilders.dev/catalog v0.0.23/go.mod h1:o+3cekrGPUeG95FPtGfDMNiX0k4Lz0vK0Bc8b4F4S9U=
+go.bytebuilders.dev/catalog v0.0.25-0.20260626115826-a5d44c24f104 h1:DDdpXghpMjyJn6Alu9i3n5FJdQtYTmIXcFn/oJAULwA=
+go.bytebuilders.dev/catalog v0.0.25-0.20260626115826-a5d44c24f104/go.mod h1:zXAS4yNzCueduM3glK0JDuPuJd2MDvCx2PtauRtzT7I=
 go.bytebuilders.dev/resource-model v0.4.0 h1:wDXg4SGYn3zNRuOj17gGo0qeSE//ytdzGPSxkHa8JvA=
 go.bytebuilders.dev/resource-model v0.4.0/go.mod h1:wGndjj3y+Yjh7+e8Wjc6joqzZCC16WZfKNx9adAFVkw=
 go.bytebuilders.dev/ui-wizards v0.35.0 h1:/JFbHqPFP/n57Igsg54ShFFENGcROiJHv+ENnE4nMqM=
diff --git a/vendor/go.bytebuilders.dev/catalog/api/gateway/v1alpha1/gatewayconfig_types.go b/vendor/go.bytebuilders.dev/catalog/api/gateway/v1alpha1/gatewayconfig_types.go
index f5d462aa6..4a4d88627 100644
--- a/vendor/go.bytebuilders.dev/catalog/api/gateway/v1alpha1/gatewayconfig_types.go
+++ b/vendor/go.bytebuilders.dev/catalog/api/gateway/v1alpha1/gatewayconfig_types.go
@@ -45,6 +45,17 @@ type GatewaySpec struct {
 	Echoserver EchoserverSpec `json:"echoserver"`
 	// +optional
 	VaultServer kmapi.ObjectReference `json:"vaultServer"`
+	Cleaner CleanerSpec `json:"cleaner"`
+}
+
+type CleanerSpec struct {
+	Enabled bool `json:"enabled"`
+	Registry string `json:"registry"`
+	Repository string `json:"repository"`
+	Tag string `json:"tag"`
+	PullPolicy core.PullPolicy `json:"pullPolicy"`
+	// +optional
+	SecurityContext *core.SecurityContext `json:"securityContext,omitempty"`
 }
 type GatewayValues struct {
diff --git a/vendor/go.bytebuilders.dev/catalog/api/gateway/v1alpha1/zz_generated.deepcopy.go b/vendor/go.bytebuilders.dev/catalog/api/gateway/v1alpha1/zz_generated.deepcopy.go
index 7905a2873..26be9f41f 100644
--- a/vendor/go.bytebuilders.dev/catalog/api/gateway/v1alpha1/zz_generated.deepcopy.go
+++ b/vendor/go.bytebuilders.dev/catalog/api/gateway/v1alpha1/zz_generated.deepcopy.go
@@ -43,6 +43,26 @@ func (in *AzureDNSAuth) DeepCopy() *AzureDNSAuth {
 	return out
 }
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CleanerSpec) DeepCopyInto(out *CleanerSpec) {
+	*out = *in
+	if in.SecurityContext != nil {
+		in, out := &in.SecurityContext, &out.SecurityContext
+		*out = new(v1.SecurityContext)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CleanerSpec.
+func (in *CleanerSpec) DeepCopy() *CleanerSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CleanerSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CloudDNSAuth) DeepCopyInto(out *CloudDNSAuth) {
 	*out = *in
@@ -469,6 +489,7 @@ func (in *GatewaySpec) DeepCopyInto(out *GatewaySpec) {
 	out.Cluster = in.Cluster
 	in.Echoserver.DeepCopyInto(&out.Echoserver)
 	out.VaultServer = in.VaultServer
+	in.Cleaner.DeepCopyInto(&out.Cleaner)
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GatewaySpec.
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 98151e179..fd23ddfd7 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -317,7 +317,7 @@ github.com/zeebo/xxh3
 ## explicit; go 1.25
 go.appscode.dev/alerts/apis/alerts
 go.appscode.dev/alerts/apis/alerts/v1alpha1
-# go.bytebuilders.dev/catalog v0.0.23
+# go.bytebuilders.dev/catalog v0.0.25-0.20260626115826-a5d44c24f104
 ## explicit; go 1.25.6
 go.bytebuilders.dev/catalog/api/gateway/v1alpha1
 # go.bytebuilders.dev/resource-model v0.4.0