fix(chart): fixes for ci tests

Thomas Lam · Thomas Lam · commit b1b21e3d0b88 · 2025-08-28T14:30:39.000-07:00
diff --git a/chart/templates/cleanup-webhook-job.yaml b/chart/templates/cleanup-webhook-job.yaml
@@ -21,6 +21,25 @@ spec:
         runAsUser: 10001
         seccompProfile:
           type: RuntimeDefault
+      volumes:
+      - name: kube-api-access
+        projected:
+          defaultMode: 420
+          sources:
+          - serviceAccountToken:
+              path: token
+              expirationSeconds: 3607
+          - configMap:
+              items:
+              - key: ca.crt
+                path: ca.crt
+              name: kube-root-ca.crt
+          - downwardAPI:
+              items:
+              - fieldRef:
+                  apiVersion: v1
+                  fieldPath: metadata.namespace
+                path: namespace
       containers:
       - name: cleanup
         image: {{ .Values.webhook.removalImage | default "bitnami/kubectl" }}{{- if .Values.webhook.removalDigest }}@{{ .Values.webhook.removalDigest }}{{- else }}:{{ .Values.webhook.removalTag | default "1.33.1" }}{{- end }}
@@ -29,8 +48,14 @@ spec:
           readOnlyRootFilesystem: true
           capabilities:
             drop:
-              - NET_RAW
-              - ALL
+            - NET_RAW
+            - ALL
+          seccompProfile:
+            type: RuntimeDefault
+        volumeMounts:
+        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+          name: kube-api-access
+          readOnly: true
         resources:
           limits:
             cpu: {{ .Values.limitRange.default.cpu }}
diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml
@@ -110,6 +110,14 @@ spec:
         - containerPort: 9443
           name: webhook-server
           protocol: TCP
+        volumeMounts:
+        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+          name: kube-api-access
+          readOnly: true
+        {{- if .Values.webhook.enable }}
+        - mountPath: /tmp
+          name: webhook-certs
+        {{- end }}
         readinessProbe:
           httpGet:
             path: /readyz
@@ -155,15 +163,41 @@ spec:
         - containerPort: 8443
           name: https
           protocol: TCP
+        volumeMounts:
+        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+          name: kube-api-access
+          readOnly: true
         resources: {{- toYaml .Values.controllerManager.kubeRbacProxy.resources | nindent 10 }}
         securityContext: {{- toYaml .Values.controllerManager.kubeRbacProxy.containerSecurityContext
           | nindent 10 }}
       imagePullSecrets:
         - name: {{ quote .Values.imagePullSecret }}
+      volumes:
+      - name: kube-api-access
+        projected:
+          defaultMode: 420
+          sources:
+          - serviceAccountToken:
+              path: token
+              expirationSeconds: 3607
+          - configMap:
+              items:
+              - key: ca.crt
+                path: ca.crt
+              name: kube-root-ca.crt
+          - downwardAPI:
+              items:
+              - fieldRef:
+                  apiVersion: v1
+                  fieldPath: metadata.namespace
+                path: namespace
+      {{- if .Values.webhook.enable }}
+      - name: webhook-certs
+        emptyDir: {}
+      {{- end }}
       securityContext:
         runAsNonRoot: true
         runAsUser: 10001
-        readOnlyRootFilesystem: true
         seccompProfile:
           type: RuntimeDefault
       serviceAccountName: {{ include "chart.fullname" . }}-controller-manager
@@ -179,7 +213,6 @@ metadata:
   name: {{ include "chart.fullname" . }}-controller-manager-pdb
 spec:
   minAvailable: {{ .Values.controllerManager.podDisruptionBudget.minAvailable }}
-  automountServiceAccountToken: false
   selector:
     matchLabels:
       app: {{ include "chart.fullname" . }}-controller-manager
diff --git a/k8s-tests/chainsaw/helm/helm-chart-test/assert-no-schedule.yaml b/k8s-tests/chainsaw/helm/helm-chart-test/assert-no-schedule.yaml
@@ -97,7 +97,7 @@ spec:
     env:
     - name: KUBERNETES_CLUSTER_DOMAIN
       value: cluster.local
-    image: quay.io/brancz/kube-rbac-proxy:v0.15.0
+    image: quay.io/brancz/kube-rbac-proxy@sha256:b6c3624aedb4b785b3f92ac0fbb5efb0b0572b00cebde6c752e8aac522f9669c
     name: kube-rbac-proxy
     ports:
     - containerPort: 8443
diff --git a/k8s-tests/chainsaw/helm/helm-chart-test/assert-scheduled.yaml b/k8s-tests/chainsaw/helm/helm-chart-test/assert-scheduled.yaml
@@ -49,6 +49,7 @@ spec:
   - command:
     - /manager
     ((env[?name == 'RUNTIME_REQUIRED_TAINT'].value)[0] == 'skyhook.nvidia.com=runtime-required:NoSchedule'): true
+    image: ghcr.io/nvidia/skyhook/operator:latest
     livenessProbe:
       failureThreshold: 3
       httpGet:
@@ -96,7 +97,7 @@ spec:
     env:
     - name: KUBERNETES_CLUSTER_DOMAIN
       value: cluster.local
-    image: quay.io/brancz/kube-rbac-proxy:v0.15.0
+    image: quay.io/brancz/kube-rbac-proxy@sha256:b6c3624aedb4b785b3f92ac0fbb5efb0b0572b00cebde6c752e8aac522f9669c
     name: kube-rbac-proxy
     ports:
     - containerPort: 8443
diff --git a/k8s-tests/chainsaw/helm/helm-chart-test/values.yaml b/k8s-tests/chainsaw/helm/helm-chart-test/values.yaml
@@ -27,5 +27,6 @@ controllerManager:
     image:
       repository: ghcr.io/nvidia/skyhook/operator
       tag: latest ## THIS should change to be like a tag so it can point at a specific commit
+      digest: ""
 webhook:
   enable: false
diff --git a/k8s-tests/chainsaw/helm/helm-node-affinity-test/values-conflict-test.yaml b/k8s-tests/chainsaw/helm/helm-node-affinity-test/values-conflict-test.yaml
@@ -29,5 +29,6 @@ controllerManager:
     image:
       repository: ghcr.io/nvidia/skyhook/operator
       tag: latest
+      digest: ""
 webhook:
   enable: false
diff --git a/k8s-tests/chainsaw/helm/helm-node-affinity-test/values-match.yaml b/k8s-tests/chainsaw/helm/helm-node-affinity-test/values-match.yaml
@@ -31,5 +31,6 @@ controllerManager:
     image:
       repository: ghcr.io/nvidia/skyhook/operator
       tag: latest ## THIS should change to be like a tag so it can point at a specific commit
+      digest: ""
 webhook:
   enable: false
diff --git a/k8s-tests/chainsaw/helm/helm-node-affinity-test/values-no-match.yaml b/k8s-tests/chainsaw/helm/helm-node-affinity-test/values-no-match.yaml
@@ -31,5 +31,6 @@ controllerManager:
     image:
       repository: ghcr.io/nvidia/skyhook/operator
       tag: latest ## THIS should change to be like a tag so it can point at a specific commit
+      digest: ""
 webhook:
   enable: false
diff --git a/k8s-tests/chainsaw/helm/helm-scale-test/values-scale.yaml b/k8s-tests/chainsaw/helm/helm-scale-test/values-scale.yaml
@@ -21,6 +21,7 @@ controllerManager:
     image:
       repository: ghcr.io/nvidia/skyhook/operator
       tag: latest ## THIS should change to be like a tag so it can point at a specific commit
+      digest: ""
 estimatedNodeCount: 400
 estimatedPackageCount: 5
 webhook:
diff --git a/k8s-tests/chainsaw/helm/helm-webhook-test/values.yaml b/k8s-tests/chainsaw/helm/helm-webhook-test/values.yaml
@@ -21,5 +21,6 @@ controllerManager:
     image:
       repository: ghcr.io/nvidia/skyhook/operator
       tag:  v0.7.6-1ec0890 ## TODO: update this to latest onces this is merged
+      digest: ""
 webhook:
   enable: true
